
CAS Server requires SSL. Newcomers to deploying secure web applications (and even old hands) sometimes have difficulty configuring the SSL certificates. This page is intended to provide links and help with troubleshooting SSL in the context of deploying an instance of the Central Authentication Service server.

Generating a certificate

I am guessing that you have a certificate that is either not properly generated or is not installed in your jks keystore.

I am assuming you are using 1.4.x, otherwise you'd have to install JSSE separately.

To generate the certificate, you could do this (substitute argument values to suit your system).

REM Remove any earlier key pair stored under the alias "tomcat" (safe to skip on a fresh keystore)
%JAVA_HOME%\bin\keytool -delete -alias tomcat -storepass changeit

REM Generate an RSA key pair and self-signed certificate under the alias "tomcat"
REM (keytool writes to the .keystore file in your home directory unless -keystore is given)
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit

REM Export the certificate (public half only) to a file, e.g. server.crt
%JAVA_HOME%\bin\keytool -export -alias tomcat -storepass changeit -file %FILE_NAME%

REM Import that same file into the JDK's trusted CA store so CAS clients running on this JDK trust it
REM (the default cacerts password is changeit)
%JAVA_HOME%\bin\keytool -import -alias tomcat -file %FILE_NAME% -storepass changeit -keystore %JAVA_HOME%\jre\lib\security\cacerts
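The two failure modes named above (certificate not generated, or not installed in the keystore) are easy to tell apart by inspecting the keystores with the java.security.KeyStore API instead of guessing. The following is an added example, not code from the CAS project or from the original page; it assumes the same alias, password and default keystore location as the keytool commands, and optionally takes the host name CAS clients will use as its first argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class KeystoreCheck {

    // Assumptions matching the keytool commands: -genkey wrote to the user's
    // default keystore under alias "tomcat" with the password "changeit".
    static final String SERVER_KEYSTORE = System.getProperty("user.home") + "/.keystore";
    static final String CACERTS = System.getProperty("java.home") + "/lib/security/cacerts";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final String ALIAS = "tomcat";

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // SHA-1 fingerprint in the colon-separated form that "keytool -list -v" prints,
    // so the value can be compared with what keytool shows for cacerts
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // CN of the certificate subject; clients compare it with the host in the CAS URL
    static String commonName(X509Certificate cert) {
        Matcher m = Pattern.compile("CN=([^,]+)").matcher(cert.getSubjectX500Principal().getName());
        return m.find() ? m.group(1) : null;
    }

    // Alias under which the trust store holds exactly this certificate, or null if
    // the "-import ... cacerts" step was skipped or imported a different file
    static String findTrustedAlias(KeyStore trustStore, Certificate serverCert) throws Exception {
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = trustStore.getCertificate(alias);
            if (c != null && c.equals(serverCert)) { // equals() compares the DER encodings
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String expectedHost = args.length > 0 ? args[0] : null;

        KeyStore server = load(SERVER_KEYSTORE, PASSWORD);
        if (!server.isKeyEntry(ALIAS)) {
            System.out.println("FAIL: " + SERVER_KEYSTORE + " has no private key under alias '" + ALIAS + "'");
            return;
        }
        X509Certificate serverCert = (X509Certificate) server.getCertificate(ALIAS);
        serverCert.checkValidity(); // throws if the certificate is expired or not yet valid
        System.out.println("Subject: " + serverCert.getSubjectX500Principal());
        System.out.println("SHA1:    " + fingerprint(serverCert));

        String cn = commonName(serverCert);
        if (expectedHost != null && !expectedHost.equalsIgnoreCase(cn)) {
            System.out.println("WARN: CN '" + cn + "' does not match host name '" + expectedHost
                    + "'; host name verification on the clients will fail");
        }

        KeyStore trust = load(CACERTS, PASSWORD);
        String trustedAs = findTrustedAlias(trust, serverCert);
        System.out.println(trustedAs == null
                ? "FAIL: certificate is not in " + CACERTS
                : "OK: trusted in " + CACERTS + " as alias '" + trustedAs + "'");
    }
}
```

Run it on the machine where keytool was used (`java KeystoreCheck cas.example.edu`, with the host name your clients put in the CAS URL). A FAIL on the first check means the -genkey step did not take; a FAIL on the second means the -import step went into a different cacerts file than the JDK the clients actually run on, which is the usual culprit when several JDKs are installed.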

World-readability

K.C. Baltz reminded the List that the public cert files must be world-readable, as noted in the README.

Some good threads

How do I configure Tomcat to use SSL?

Try these instructions.

How do I use a self-signed certificate?

A: Trusting the Self-Signed Certificate

DummyTrustManager for development

Joakim Recht suggested on the CAS list that, in development, you can avoid installing your self-signed CAS server certificate on your CAS clients (and your CAS client certificates on your CAS server, which is needed when CAS must contact the clients securely to deliver Proxy Tickets) by using the DummyTrustManager from here.

This accepts all certificates, including self-signed.

This would be neither secure nor appropriate in production, but it may be just the thing to get off the ground in development.

To use the DummyTrustManager, put the files DummySSLSocketFactory.java and DummyTrustManager.java into src/edu/yale/its/tp/cas/util and add

((HttpsURLConnection)uc).setSSLSocketFactory(new DummySSLSocketFactory());

to SecureURL.java just after

URLConnection uc = u.openConnection();
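A middle ground between installing the certificate in every cacerts file and trusting everything with DummyTrustManager is to trust exactly one file: a small JKS trust store containing only the self-signed CAS certificate. The following is an added example, not code from the CAS project or from the original page, showing how to build such an SSLSocketFactory and plug it in at the same point in SecureURL that the snippet above patches; the trust store name `cas-dev.jks` and the localhost URL are hypothetical.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreSocketFactory {

    // Builds a socket factory that trusts only the certificates in the given JKS
    // file, e.g. one created with: keytool -import -file server.crt -keystore cas-dev.jks
    static SSLSocketFactory fromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // PKIX trust manager rooted only in this trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx.getSocketFactory();
    }

    // Same shape as the SecureURL change described above, with the trust-store
    // factory in place of DummySSLSocketFactory; host name verification stays on
    static String retrieve(String url, SSLSocketFactory factory) throws Exception {
        URL u = new URL(url);
        URLConnection uc = u.openConnection();
        if (uc instanceof HttpsURLConnection) {
            ((HttpsURLConnection) uc).setSSLSocketFactory(factory);
        }
        StringBuilder body = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(uc.getInputStream(), "UTF-8"))) {
            String line;
            while ((line = r.readLine()) != null) {
                body.append(line).append('\n');
            }
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical development setup: trust store beside the app, CAS on localhost:8443
        SSLSocketFactory factory = fromTrustStore("cas-dev.jks", "changeit".toCharArray());
        System.out.print(retrieve("https://localhost:8443/cas/login", factory));
    }
}
```

A handshake failure with this factory in place points at a real problem (wrong certificate in the trust store, or a CN that does not match the host in the URL) rather than being masked, which is the troubleshooting information the trust-everything approach throws away.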

Where can I learn more about the keytool?

At the keytool page.

Thanks to Joakim Recht for originally suggesting DummyTrustManager on the CAS list.

A readme

You could try the readme included in this zip, which accompanies this article about CAS.

When all else fails

More than one CAS deployer has suggested: When all else fails, start over again with a clean Tomcat and JDK.
