Yale CAS exception summary (2): unable to validate proxyticketvalidator: unable to find valid certification path to requested target

 
edu.yale.its.tp.cas.client.casauthenticationexception: unable to validate proxyticketvalidator [[edu.yale.its.tp.cas.client.proxyticketvalidator proxylist=[null] [edu.yale.its.tp.cas.client.serviceticketvalidator casvalidateurl=[https://sourcesite:8443/cas/proxyvalidate] ticket=[st-0-umjsi0yohf15rhutnkhw] service=[http://destsite:8080/servlets-examples/servlet/helloworldexample] renew=false]]]
    at edu.yale.its.tp.cas.client.casreceipt.getreceipt(casreceipt.java:52)
    at edu.yale.its.tp.cas.client.filter.casfilter.getauthenticateduser(casfilter.java:455)
    at edu.yale.its.tp.cas.client.filter.casfilter.dofilter(casfilter.java:378)
    at org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:202)
    at org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:173)
    at filters.examplefilter.dofilter(examplefilter.java:101)
    at org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:202)
    at org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:173)
    at org.apache.catalina.core.standardwrappervalve.invoke(standardwrappervalve.java:213)
    at org.apache.catalina.core.standardcontextvalve.invoke(standardcontextvalve.java:178)
    at org.apache.catalina.authenticator.authenticatorbase.invoke(authenticatorbase.java:432)
    at org.apache.catalina.core.standardhostvalve.invoke(standardhostvalve.java:126)
    at org.apache.catalina.valves.errorreportvalve.invoke(errorreportvalve.java:105)
    at org.apache.catalina.core.standardenginevalve.invoke(standardenginevalve.java:107)
    at org.apache.catalina.connector.coyoteadapter.service(coyoteadapter.java:148)
    at org.apache.coyote.http11.http11processor.process(http11processor.java:869)
    at org.apache.coyote.http11.http11baseprotocol$http11connectionhandler.processconnection(http11baseprotocol.java:664)
    at org.apache.tomcat.util.net.pooltcpendpoint.processsocket(pooltcpendpoint.java:527)
    at org.apache.tomcat.util.net.leaderfollowerworkerthread.runit(leaderfollowerworkerthread.java:80)
    at org.apache.tomcat.util.threads.threadpool$controlrunnable.run(threadpool.java:684)
    at java.lang.thread.run(thread.java:595)
caused by: javax.net.ssl.sslhandshakeexception: sun.security.validator.validatorexception: pkix path building failed: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.alerts.getsslexception(alerts.java:150)
    at com.sun.net.ssl.internal.ssl.sslsocketimpl.fatal(sslsocketimpl.java:1476)
    at com.sun.net.ssl.internal.ssl.handshaker.fatalse(handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.handshaker.fatalse(handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.clienthandshaker.servercertificate(clienthandshaker.java:843)
    at com.sun.net.ssl.internal.ssl.clienthandshaker.processmessage(clienthandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.handshaker.processloop(handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.handshaker.process_record(handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.sslsocketimpl.readrecord(sslsocketimpl.java:815)
    at com.sun.net.ssl.internal.ssl.sslsocketimpl.performinitialhandshake(sslsocketimpl.java:1025)
    at com.sun.net.ssl.internal.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1038)
    at sun.net.www.protocol.https.httpsclient.afterconnect(httpsclient.java:405)
    at sun.net.www.protocol.https.abstractdelegatehttpsurlconnection.connect(abstractdelegatehttpsurlconnection.java:170)
    at sun.net.www.protocol.http.httpurlconnection.getinputstream(httpurlconnection.java:905)
    at sun.net.www.protocol.https.httpsurlconnectionimpl.getinputstream(httpsurlconnectionimpl.java:234)
    at edu.yale.its.tp.cas.util.secureurl.retrieve(secureurl.java:84)
    at edu.yale.its.tp.cas.client.serviceticketvalidator.validate(serviceticketvalidator.java:212)
    at edu.yale.its.tp.cas.client.casreceipt.getreceipt(casreceipt.java:50)
    ... 20 more
caused by: sun.security.validator.validatorexception: pkix path building failed: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target
    at sun.security.validator.pkixvalidator.dobuild(pkixvalidator.java:221)
    at sun.security.validator.pkixvalidator.enginevalidate(pkixvalidator.java:145)
    at sun.security.validator.validator.validate(validator.java:203)
    at com.sun.net.ssl.internal.ssl.x509trustmanagerimpl.checkservertrusted(x509trustmanagerimpl.java:172)
    at com.sun.net.ssl.internal.ssl.jssex509trustmanager.checkservertrusted(sslcontextimpl.java:320)
    at com.sun.net.ssl.internal.ssl.clienthandshaker.servercertificate(clienthandshaker.java:836)
    ... 33 more
caused by: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target
    at sun.security.provider.certpath.suncertpathbuilder.enginebuild(suncertpathbuilder.java:236)
    at java.security.cert.certpathbuilder.build(certpathbuilder.java:194)
    at sun.security.validator.pkixvalidator.dobuild(pkixvalidator.java:216)
    ... 38 more

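This happens during the SSL handshake: the CAS client does not recognise the CAS server's certificate (X), that is, it cannot build a trust path from a trusted certificate in cacerts to X. Readers can look at the specification called PKIX for the details. The fix is to check the trust store that Tomcat uses, usually the jre/lib/security/cacerts file, and see whether the required trusted certificate has already been imported into it.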

posted on 2006-09-06 09:08 david.turing Views (11214) Comments (5)     Category: security exception issues

# re: Yale CAS exception summary (2): unable to validate proxyticketvalidator: unable to find valid certification path to requested target 2007-02-08 15:54

keytool -list -v -keystore d:\jdk1.5.0_06\.keystore

I imported the certificate, so why is there still an error!

keystore type: jks
keystore provider: sun

your keystore contains 1 entry

alias name: tomcat
creation date: feb 8, 2007
entry type: keyentry
certificate chain length: 1
certificate[1]:
owner: cn=localhost, ou=onepoint, o=unknown, l=unknown, st=unknown, c=unknown
issuer: cn=localhost, ou=onepoint, o=unknown, l=unknown, st=unknown, c=unknown
serial number: 45cad5a6
valid from: thu feb 08 15:47:50 cst 2007 until: wed may 09 15:47:50 cst 2007
certificate fingerprints:
md5: ef:89:d1:5e:0e:59:ac:fb:1a:7c:08:1e:c0:2a:3d:b5
sha1: 32:59:93:24:06:a9:23:e4:c6:6e:94:d9:09:ca:b6:0a:ac:c2:c9:45



# re: Yale CAS exception summary (2): unable to validate proxyticketvalidator: unable to find valid certification path to requested target [not logged in] 2007-02-08 20:10

This is a trustcert entry but you need to import it into %java_home%\jre\lib\security\cacerts where your CAS can't locate it. Make sure you do that, and the password for cacerts has a lot of un-useful trustcert, remove all of them and import your "tomcat" entry into cacerts (through securercp)

# re: Yale CAS exception summary (2): unable to validate proxyticketvalidator: unable to find valid certification path to requested target 2007-06-13 11:02

good~

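# re: Yale CAS exception summary (2): unable to validate proxyticketvalidator: unable to find valid certification path to requested target 2010-06-26 17:19

@yongyuan.jiang
Lessons learned: the CAS server's certificate file (not the crt file, but the data file generated with keytool) has to be copied to the application server and imported with keytool -import into the certificate file (cacerts) that was already generated on the application server. The -list command then shows 2 entries, one of its own and one for the CAS server. Copy this file into the JVM environment and it works.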

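# re: Yale CAS exception summary (2): unable to validate proxyticketvalidator: unable to find valid certification path to requested target [not logged in] 2010-06-30 15:22

@oldman

Check whether you have explicitly declared the location of the truststore; if so, check whether that location is correct.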
