Note: This page has been superseded by https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide and will eventually be removed.

CAS Server requires SSL. Newcomers to deploying secure web applications (and even old hands) sometimes have difficulty configuring the SSL certificates. This page is intended to provide links and help with troubleshooting SSL in the context of deploying an instance of the Central Authentication Service server.

Generating a certificate

I am guessing that you have a certificate that is either not properly generated or is not installed in your jks keystore.

I am assuming you are using 1.4.x, otherwise you'd have to install JSSE separately.

To generate the certificate you could do this (substitute argument values as it suits your system). Two things keytool does not make obvious: the option that unlocks the keystore file is -storepass (-keypass only protects the private key inside it, and Tomcat expects both to be the same value unless its connector is told otherwise), and without -keystore the commands operate on the default keystore in the home directory of the user running them, which is also where Tomcat looks by default. The first command only matters if an old "tomcat" entry already exists. The last command adds the exported certificate to the JDK's own trust store (default password changeit) so that CAS clients running on this JDK trust the server; note that a JDK upgrade replaces that file, so the import has to be repeated.

    %JAVA_HOME%\bin\keytool -delete -alias tomcat -storepass changeit

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit

    %JAVA_HOME%\bin\keytool -export -alias tomcat -storepass changeit -file server.crt

    %JAVA_HOME%\bin\keytool -import -alias tomcat -file server.crt -keystore %JAVA_HOME%\jre\lib\security\cacerts -storepass changeit

Expiration Date of Certificate

If you want the certificate to be valid for longer than the default amount of time (keytool's default validity is 90 days), you can provide an optional parameter in the following format:

    -validity numberOfDays

which lets you specify the number of days the certificate is valid for. So in the above example you would use the following command to create the certificate and have it valid for 365 days:

    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -validity 365

Whatever validity you choose, every copy of server.crt that was imported into a client's trust store has to be replaced when the certificate is regenerated, since a self-signed certificate is its own trust anchor.
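Most trouble after the commands above comes down to two questions: did the key and certificate actually land in the keystore Tomcat reads, and does the client JVM's trust store accept what the server presents? The following diagnostic is an added example written for this page; it is not part of the CAS distribution or of the keytool documentation. It lists the entries of a JKS keystore (entry type, subject, whether it is self-signed, days until expiry, and a rough check that the subject CN matches the host name clients will use), then optionally opens a TLS connection to the CAS server with the JVM's default trust store, which is what a CAS client does, and prints the rejection reason if there is one. The keystore path, password and host name are all arguments; the only assumption baked in is 8443 as the fallback port, Tomcat's customary SSL connector port.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * Added diagnostic for this page; not CAS code. Usage:
 *   java KeystoreCheck <keystore> <storepass> [cas-host [port]]
 * Port defaults to 8443 (assumption: Tomcat's usual SSL connector); everything else is an argument.
 */
public class KeystoreCheck {

    private static final long MS_PER_DAY = 24L * 60 * 60 * 1000;

    /** Print every entry; returns the number of private-key entries (Tomcat needs at least one). */
    static int listEntries(String path, char[] storePass, String expectedHost)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            // A wrong -storepass shows up here as "Keystore was tampered with, or password was incorrect".
            ks.load(in, storePass);
        }
        int keyEntries = 0;
        Enumeration<String> aliases = ks.aliases();
        if (!aliases.hasMoreElements()) {
            System.out.println(path + " is EMPTY: -genkey / -import wrote to some other keystore file");
        }
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Tomcat's connector needs a key entry (private key + certificate) under its alias;
            // a trustedCertEntry only makes this JVM trust somebody else's certificate.
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) keyEntries++;
            String kind = isKey ? "PrivateKeyEntry" : "trustedCertEntry";
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                System.out.println(alias + ": " + kind + " (not an X.509 certificate)");
                continue;
            }
            X509Certificate x = (X509Certificate) cert;
            String subject = x.getSubjectX500Principal().getName();
            boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            long daysLeft = (x.getNotAfter().getTime() - System.currentTimeMillis()) / MS_PER_DAY;
            String validity;
            try {
                x.checkValidity(); // throws when now is outside notBefore..notAfter
                validity = "valid, " + daysLeft + " day(s) left";
            } catch (CertificateException e) {
                validity = "NOT VALID (" + e.getClass().getSimpleName() + ")";
            }
            System.out.println(alias + ": " + kind
                    + "\n    subject: " + subject
                    + "\n    " + (selfSigned ? "self-signed" : "issued by " + x.getIssuerX500Principal().getName())
                    + "\n    " + validity);
            // Rough name check: clients compare the certificate name with the URL's host, so a CN of
            // "localhost" on a server reached as cas.example.edu is rejected by every client.
            if (expectedHost != null && !subject.contains("CN=" + expectedHost)) {
                System.out.println("    WARNING: subject does not contain CN=" + expectedHost);
            }
        }
        return keyEntries;
    }

    /** Handshake using the JVM's default trust store, with hostname verification on as HttpsURLConnection has it. */
    static boolean handshake(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("handshake with " + host + ":" + port + " OK: this JVM's trust store accepts the server");
            return true;
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed ... unable to find valid certification path to requested target"
            // means the server certificate (or its issuer) is not in this JVM's trust store: the -import
            // into cacerts was done on a different JDK, or not at all.
            System.out.println("handshake with " + host + ":" + port + " FAILED: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCheck <keystore> <storepass> [cas-host [port]]");
            System.exit(2);
        }
        String host = args.length >= 3 ? args[2] : null;
        int keys = listEntries(args[0], args[1].toCharArray(), host);
        if (keys == 0) {
            System.out.println("no private-key entry: Tomcat cannot serve SSL from this keystore");
        }
        if (host != null) {
            handshake(host, args.length >= 4 ? Integer.parseInt(args[3]) : 8443);
        }
    }
}
```

Run it twice: once on the server against the keystore Tomcat is configured with (to confirm a PrivateKeyEntry under the expected alias and a sensible CN), and once from the CAS client's JDK with the host argument (to confirm that JDK, not some other one on the machine, trusts the server).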

World-readability

Public certificate files must be world-readable, as noted in the README. The keystore that holds the private key is the opposite case: it should be readable only by the account Tomcat runs as, since anyone who can read it (and knows or guesses the password, often the default changeit) can impersonate the CAS server.

Some good threads

...

How do I use a self-signed certificate?

...

DummyTrustManager for development

Joakim Recht suggested on the CAS list that in development you can avoid the need to install your self-signed CAS server certificate on your CAS clients (and your CAS client certificate on your CAS server when the clients need to be securely accessed for CAS to give them Proxy Tickets) by using the DummyTrustManager from here .. (See this JavaWorld article.)

This accepts all certificates, including self-signed. Be clear about what that means: the client performs no server authentication at all, so anything answering on the CAS server's address will be accepted, and a machine on the network path could impersonate the CAS server to the client (or, on the server side, a client during proxy callbacks). Use it on a developer workstation only and keep it out of production builds; beyond that, import the self-signed certificate into the client's trust store instead.

...

    URLConnection uc = u.openConnection();

Thanks to Joakim Recht for originally suggesting DummyTrustManager on the CAS list.
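A middle ground between touching the JDK's cacerts and trusting everything is to trust exactly one certificate: the server.crt exported earlier. The following is an added example written for this page, not the DummyTrustManager from the list and not CAS client code. It loads server.crt into an in-memory keystore, hands that keystore to the JDK's standard trust manager, and uses the resulting SSLContext for an HTTPS connection. Validity and signature checks still run and hostname verification stays on, so a different certificate presented by something in between is still rejected. The certificate path and URL are arguments; the alias "cas-server" is an arbitrary name chosen here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example for this page; not CAS code and not the DummyTrustManager.
 * Usage: java PinnedTrust <server.crt> <https-url>
 */
public class PinnedTrust {

    /** Build an SSLContext whose only trust anchor is the certificate in crtPath. */
    static SSLContext contextTrusting(String crtPath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(crtPath)) {
            // keytool -export writes DER by default (-rfc gives PEM); CertificateFactory reads either.
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // An in-memory keystore holding just that one trusted certificate; cacerts is never touched.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("cas-server", serverCert); // "cas-server" is an arbitrary alias

        // The JDK's normal PKIX trust manager, fed only our anchor: a self-signed certificate is
        // accepted because it *is* the anchor, anything else fails path building as usual.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Fetch a URL (for instance a CAS validation endpoint) through the pinned context; returns the HTTP status. */
    static int fetchStatus(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        // HttpsURLConnection still checks that the certificate name matches the URL's host.
        return c.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PinnedTrust <server.crt> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = contextTrusting(args[0]);
        System.out.println("HTTP " + fetchStatus(args[1], ctx));
    }
}
```

setSSLSocketFactory applies to that one connection. For code you do not control, such as a CAS client filter opening its own connections, use HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()) once at startup, or skip the code entirely and start the JVM with -Djavax.net.ssl.trustStore pointing at a JKS file into which server.crt was imported with keytool -import. When the server certificate is regenerated, the pinned server.crt has to be replaced, exactly as with a cacerts import.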

Where can I learn more about the keytool?

At the keytool page.

A readme

You could try the readme included in this zip, which accompanies this article about CAS.

When all else fails

More than one CAS deployer has suggested: When all else fails, start over again with a clean Tomcat and JDK.