Discussion:
SSL on Tomcat
Loai Abdallatif
2018-09-27 14:50:21 UTC
Hello,

I have set up an Apache load balancer (mod_jk) with server IP 192.168.1.120
(Webserver01.epsilon.test) which forwards the traffic to the Tomcat server
(192.168.1.111, appserver01.epsilon.test).

Each Tomcat server has three workers (0, 1, 2).

I deployed *Central Authentication Service* (CAS) on worker0 and it is
working, with a warning related to the SSL certificate. I have another application
on this worker0 called ServiceCatalog; unfortunately it didn't work and gave the
error below:

ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:157)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:142)
Loai Abdallatif
2018-09-27 14:52:02 UTC
Hello, shall I add the certificate to server.xml on the Tomcat server, or just
on the web server?
Jäkel, Guido
2018-09-28 08:39:49 UTC
Dear Loai,

Your client can't verify (doesn't trust) the certificate (chain) of the target. Either the target's certificate is not an "official" one (e.g. self-signed) or your client's JVM certificate trust chain is not up to date.

If you like, I may send you a small Java command-line tool to check the verification chain and/or add exceptions to the local trust store in case of self-signed certificates.

Guido
Loai Abdallatif
2018-09-28 16:50:24 UTC
Thank you Guido,

I appreciate your assistance, and if possible send me any tutorial related
to my case (Apache server different from Tomcat, CAS app needs SSL).
Christopher Schultz
2018-09-28 22:35:55 UTC
Loai,
As Guido says, your client (org.jasig.cas.client) does not trust the
server it's trying to connect to.

Is the server in this case the one you set up above? It's not clear
exactly what you are trying to do.

There is nothing you can change with Tomcat to fix this error... you
must configure your client to trust the server.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Loai Abdallatif
2018-09-29 10:04:41 UTC
Thanks Chris, but how do I do it? Should I copy the SSL certificate from the
web server 192.168.1.120 to my Tomcat container (worker0) on 192.168.1.111,
in server.xml?
Any idea please?

Luis Rodríguez Fernández
2018-10-01 15:06:53 UTC
Hello Loai,

Agree with Christopher, you have to fix your client. Just get the root
Certificate Authority public key and import it in your client truststore.
If you did not change it in the client (Java), the default keystore is located
in $JAVA_HOME/jre/lib/security/cacerts. Something like:

keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass trust_store_password_here -alias Root -file the_downloaded_ca.crt

The default password for cacerts is changeit.

Hope it helps,

Luis
Christopher Schultz
2018-10-01 18:39:47 UTC
Luis,
Post by Luis Rodríguez Fernández
Agree with Christopher, you have to fix your client. Just get the
root Certificate Authority public key and import it in your client
truststore.
I'd recommend trusting the finest-grained cert you can get away with.
That might not always be the root CA cert. It might be the server's
cert directly.
Post by Luis Rodríguez Fernández
If you did not change it the client (java) the default keystore is
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass trust_store_password_here -alias Root -file the_downloaded_ca.crt
The default password for cacerts is changeit
FWIW, I wouldn't recommend changing the JVM's trust store. I say so
for two reasons:

1. You will be trusting that certificate for ALL JVMS LAUNCHED
AFTERWARD. Perhaps you don't want some other service to trust your
192.168.1.120 certificate when it's only supposed to be used with a
single client service.

2. You will have to remember to update the trust store every time you
change your Java installation. That means upgrades, downgrades, etc.

The best way to do this IMO is to create a trust store specific for
that service (client) and use it EXPLICITLY.

-chris

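Luis's keytool import and Chris's advice above (a trust store specific to the one client, holding the finest-grained certificate, used explicitly), as an added Java example that is not part of this thread or of the CAS client project: it builds a PKCS12 store from the server's PEM certificate and then uses that store only on the connection to the CAS server, leaving the JRE's cacerts untouched. The file paths, the store password and the /cas/login URL on webserver01.epsilon.test are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Per-service trust for a CAS client (example code, not the CAS client's own).
 * The JRE's cacerts file is never modified: the store built here is handed
 * only to the connection that talks to the CAS server.
 */
public class CasClientTrust {

    // Assumed paths and password; replace with your own.
    static final Path SERVER_CERT_PEM = Paths.get("/etc/cas-client/webserver01.pem");
    static final Path TRUST_STORE = Paths.get("/etc/cas-client/cas-client-truststore.p12");
    static final char[] TRUST_STORE_PASSWORD = "change-me".toCharArray();

    /**
     * Builds a PKCS12 trust store holding only the certificate(s) in the PEM file.
     * Put the server's own (leaf) certificate there when you can: that is the
     * finest-grained trust, and the PKIX validator accepts a leaf that is itself
     * a trust anchor. Fall back to the issuing CA's certificate only when the
     * server certificate is reissued too often to pin.
     */
    static KeyStore buildTrustStore(Path pem, Path out, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null); // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            int n = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x509 = (X509Certificate) c;
                x509.checkValidity(); // fail fast on an expired or not-yet-valid cert
                store.setCertificateEntry("cas-server-" + n++, x509);
            }
        }
        try (OutputStream o = Files.newOutputStream(out)) {
            store.store(o, password); // same result as keytool -importcert into a new store
        }
        return store;
    }

    /** An SSLSocketFactory whose trust decisions come only from the given store. */
    static SSLSocketFactory socketFactoryFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /**
     * Fetches a URL with the per-service factory. Hostname verification stays on,
     * so the certificate must still match webserver01.epsilon.test.
     */
    static String fetch(URL url, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory); // this connection only; the JVM default is untouched
        StringBuilder body = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                body.append(line).append('\n');
            }
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyStore store = buildTrustStore(SERVER_CERT_PEM, TRUST_STORE, TRUST_STORE_PASSWORD);
        SSLSocketFactory factory = socketFactoryFor(store);
        // Assumed CAS URL on the web server named in the thread.
        String page = fetch(new URL("https://webserver01.epsilon.test/cas/login"), factory);
        System.out.println("Handshake OK, received " + page.length() + " characters from CAS");
    }
}
```

If you cannot change the client code, the same file can be handed to the single Tomcat JVM that runs the CAS client with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword (for instance in setenv.sh), which still leaves the JRE's cacerts alone. Note that those properties replace rather than extend the JVM's default trust, so anything else that JVM must trust has to be in the store as well.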
Luis Rodríguez Fernández
2018-10-02 06:59:57 UTC
Hello Christopher,

It makes sense, thank you very much for your advice!

Cheers,

Luis

Loai Abdallatif
2018-10-02 07:06:46 UTC
Thanks Chris, Luis
Mario Schmitz
2018-10-02 11:06:29 UTC
Hey,

are you working on something somewhere right now?

All applications here were just unreachable from outside. Internally it worked ...

Best regards,
Mario

Loai Abdallatif
2018-10-02 05:49:19 UTC
Thanks very much, I did it and it works.