Date: 2014-05-17  Views: 20767

CAS (SSO) Tomcat SSL configuration error: PKIX path building failed
The project needs to use Yale's CAS.

Server side: Tomcat
  https://localhost:8443/cas/login, entering nike/nike shows that login succeeded

Client side, also under Tomcat on the same machine
  The page http://localhost:8080/MyTest/index.jsp shows a security warning; after confirming it, the browser is redirected to https://localhost:8443/cas/login
  Entering nike/nike returns the following error

exception 

javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:254)
    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)


root cause 

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
    edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:219)
    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:184)


Below is the process I used to generate the certificate


D:\Tomcat 5.5>keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
      Enter keystore password:  changeit
      What is your first and last name?
          [Unknown]:  localhost
      What is the name of your organizational unit?
          [Unknown]:  dev
      What is the name of your organization?
          [Unknown]:  ghl
      What is the name of your City or Locality?
          [Unknown]:  sz
      What is the name of your State or Province?
          [Unknown]:  js
      What is the two-letter country code for this unit?
          [Unknown]:  ch
      Is CN=localhost, OU=dev, O=ghl, L=sz, ST=js, C=ch correct?
          [no]:  y


D:\Tomcat 5.5>keytool -export -ali
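The PKIX error above means the truststore of the client JVM contains neither the self-signed Tomcat certificate nor a CA that issued it, so the CAS client's ticket-validation call over HTTPS is rejected. The following is an added example, not code from the original post or from CAS: it reproduces the check JSSE performs on the server certificate and fixes the failure by importing the exported certificate into a dedicated truststore. The file names tomcat.cer and cas-client-truststore.jks and the password changeit are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CasTrustCheck {
    // Same check JSSE applies to the server certificate during the handshake (the one that raised
    // "PKIX path building failed" inside SecureURL.retrieve); true if the truststore accepts the cert.
    static boolean serverCertTrusted(KeyStore trustStore, X509Certificate serverCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { serverCert }, "RSA");
                return true;
            } catch (CertificateException e) {
                System.out.println("rejected: " + e.getMessage());
                return false;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: the cert exported with "keytool -export -alias tomcat -file tomcat.cer" and the
        // truststore the client JVM will be started with (-Djavax.net.ssl.trustStore=...).
        String certFile = args.length > 0 ? args[0] : "tomcat.cer";
        String trustFile = args.length > 1 ? args[1] : "cas-client-truststore.jks";
        char[] pass = "changeit".toCharArray();
        FileInputStream certIn = new FileInputStream(certFile);
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        certIn.close();
        KeyStore ts = KeyStore.getInstance("JKS");
        FileInputStream tsIn = new File(trustFile).exists() ? new FileInputStream(trustFile) : null;
        ts.load(tsIn, pass);  // a null stream creates an empty truststore
        if (tsIn != null) tsIn.close();
        if (serverCertTrusted(ts, cert)) { System.out.println("already trusted"); return; }
        // Fix: add the self-signed server certificate as a trusted entry instead of disabling validation.
        ts.setCertificateEntry("tomcat", cert);
        FileOutputStream out = new FileOutputStream(trustFile);
        ts.store(out, pass);
        out.close();
        System.out.println("imported into " + trustFile + "; trusted now: " + serverCertTrusted(ts, cert));
    }
}
```

Start the client Tomcat with -Djavax.net.ssl.trustStore=cas-client-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit (importing tomcat.cer into the client JRE's lib/security/cacerts with keytool -import has the same effect). HttpsURLConnection also verifies the hostname, so the certificate's CN must match the host in the CAS URL, which holds here with CN=localhost.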