In the past, I heard people say that an IP address can be used to generate a certificate. Today's example shows that IP addresses cannot be used.
Scenario 1:
The name specified when the certificate is generated is the IP address.
The example is a single sign-on (CAS client) setup. The configuration in web.xml is as follows:
<!-- This filter is used for user authentication and must be enabled -->
<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://172.18.113.78:8443/casserver/login</param-value>
        <!-- The address here is the CAS server's IP -->
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://127.0.0.1:8080/</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- This filter is used to validate the ticket and must be enabled. -->
<!-- ValidationFilter: validates the request parameter "ticket" (the ticket is the credential
     used to verify the interaction between the subsystem and CAS).
     casServerUrlPrefix: CAS service access address
     serverName: host name of the current application -->
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://172.18.113.78:8443/casserver</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://127.0.0.1:8080</param-value>
    </init-param>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
With HTTPS specified in the configuration above and the certificate generated with the name 172.18.113.78, an error occurs when the CAS server is accessed. The result is as follows:
SEVERE: Servlet.service() for servlet [jsp] in context with path [/uum] threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at fi.common.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1026)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:328)
    ... 30 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 42 more
Scenario 2:
Specify a domain name as the name when generating the certificate (for test purposes, the local hosts file is modified).
The example from Scenario 1 is reused with only the IP address in web.xml changed to the domain name, and the test passes.
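The innermost "Caused by" in the Scenario 1 trace comes from sun.security.util.HostnameChecker.matchIP: because the URL host is an IP literal, the client compares it only against subjectAltName iPAddress entries, and a keytool certificate whose only name is CN=172.18.113.78 carries no SAN at all, so the check fails with "No subject alternative names present" before the CN is even looked at. With a domain name in the URL the CN is accepted as a fallback when the certificate has no SAN dNSName entries, which is why Scenario 2 passes. The following Python model of that identity check is an added example, not code from this post, the CAS client or JSSE; CertIdentity is a constructed stand-in for the name fields parsed from a certificate, and the host names other than the page's 172.18.113.78 are made up. It goes a little beyond the page by also covering the single-label DNS wildcard rule and a certificate that does carry a SAN iPAddress entry.

```python
"""Model of the server-identity check performed by JSSE's HostnameChecker
(the sun.security.util.HostnameChecker frames in the trace above).
Added example; not the JDK's code. Rules implemented, as JSSE applies
RFC 2818 / RFC 6125:
  * IP-literal host: only SAN iPAddress entries are consulted, never the CN.
  * DNS host: SAN dNSName entries are consulted (one leftmost '*' label
    allowed); the subject CN is used only when no SAN dNSName is present.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentity:
    """Constructed stand-in for the identity fields of a parsed X.509 cert."""
    cn: Optional[str] = None                          # subject commonName
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries
    san_ip: List[str] = field(default_factory=list)   # SAN iPAddress entries


def _is_ip_literal(host: str) -> bool:
    """True for dotted-quad or [bracketed] IPv6 URL hosts."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-name match with a single leftmost wildcard label.
    Simplification (assumption): the wildcard must cover exactly one label
    and the pattern must have at least two labels after it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_identity(host: str, cert: CertIdentity) -> Tuple[bool, str]:
    """Return (matched, reason); the failure reasons mirror JSSE's messages."""
    if _is_ip_literal(host):
        if not cert.san_ip:
            # Exactly the Scenario 1 failure: CN=172.18.113.78 is never consulted.
            return False, "No subject alternative names present"
        want = ipaddress.ip_address(host.strip("[]"))
        for entry in cert.san_ip:
            try:
                if ipaddress.ip_address(entry) == want:
                    return True, "matched SAN iPAddress %s" % entry
            except ValueError:
                continue
        return False, "No subject alternative names matching IP address %s found" % host
    if cert.san_dns:
        for entry in cert.san_dns:
            if _dns_match(entry, host):
                return True, "matched SAN dNSName %s" % entry
        return False, "No subject alternative DNS name matching %s found" % host
    # Scenario 2: no SAN at all, so the CN is used as the fallback.
    if cert.cn is not None and _dns_match(cert.cn, host):
        return True, "matched subject CN %s (no SAN present)" % cert.cn
    return False, "No name matching %s found" % host


if __name__ == "__main__":
    # Scenario 1: keytool certificate with CN=<IP> and no SAN, URL uses the IP.
    print(check_identity("172.18.113.78", CertIdentity(cn="172.18.113.78")))
    # Scenario 2: CN=<domain>, URL uses the domain (hosts file maps it locally).
    print(check_identity("cas.example.test", CertIdentity(cn="cas.example.test")))
    # Beyond the page: the same IP literal succeeds when the cert carries it as a SAN iPAddress.
    print(check_identity("172.18.113.78",
                         CertIdentity(cn="cas.example.test", san_ip=["172.18.113.78"])))
```

Running the script prints a failed match with the page's own error text for the first call and successful matches for the other two; the point for a defender is that this check is the client's protection against a man-in-the-middle presenting a certificate for a different host, so the fix is a certificate whose names match the URL, not disabling hostname verification in the CAS client.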
If the following error occurs when the client accesses the server:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
this error is usually caused by an incorrect certificate path, that is, the client cannot find the certificate in the truststore it is using.
Possible cause 1: The JDK used by Tomcat and the JDK into which the certificate was imported are not the same.
Possible cause 2: Tomcat must be restarted after the import completes (the truststore is read at startup). A single restart does not always take effect; we recommend restarting a second time.
Possible cause 3: The certificate was imported into the JDK incorrectly.
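Causes 1 and 3 both come down to one question: which cacerts file does the JDK that actually runs Tomcat load, and is the server certificate in it? The following Python helper is an added example, not code from this post; it resolves the Java installation the way Tomcat's setclasspath.sh does (JRE_HOME if set, otherwise JAVA_HOME), finds the default truststore under either JDK layout, and lists the alias with that installation's own keytool. JAVA_HOME/JRE_HOME values, the alias name "cas-server" and the store password are assumptions (a stock cacerts ships with the default password "changeit").

```python
"""Find the truststore that Tomcat's JDK will actually load and check
whether an imported alias is present in it. Added example, not code from
the original post; paths, alias and password are assumptions."""
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# Default truststore locations: JDK 8 and earlier keep cacerts under
# jre/lib/security, JDK 9+ and standalone JREs under lib/security.
CACERTS_CANDIDATES = ("jre/lib/security/cacerts", "lib/security/cacerts")


def tomcat_java_home(env: dict) -> Optional[str]:
    """Java installation Tomcat starts with: setclasspath.sh uses JRE_HOME
    when set and falls back to JAVA_HOME. A certificate imported into some
    other JDK's cacerts is therefore never seen by Tomcat (cause 1)."""
    return env.get("JRE_HOME") or env.get("JAVA_HOME")


def find_cacerts(java_home: str) -> Optional[Path]:
    """Resolve the default truststore under java_home (first layout that
    exists); None means java_home is not a real JDK/JRE root."""
    for rel in CACERTS_CANDIDATES:
        candidate = Path(java_home) / rel
        if candidate.is_file():
            return candidate
    return None


def keytool_list_cmd(java_home: str, cacerts: Path, alias: str,
                     storepass: str = "changeit") -> list:
    """Command line listing one alias, using the keytool shipped with the
    same installation rather than whichever keytool is first on PATH."""
    keytool = Path(java_home) / "bin" / "keytool"
    return [str(keytool), "-list", "-keystore", str(cacerts),
            "-storepass", storepass, "-alias", alias]


def alias_present(java_home: str, alias: str,
                  storepass: str = "changeit") -> Optional[bool]:
    """True/False when the alias is/is not in the truststore Tomcat loads;
    None when the check cannot run (no cacerts or no keytool found)."""
    cacerts = find_cacerts(java_home)
    if cacerts is None:
        return None
    cmd = keytool_list_cmd(java_home, cacerts, alias, storepass)
    if not Path(cmd[0]).is_file() and shutil.which(cmd[0]) is None:
        return None
    # keytool exits non-zero ("Alias <x> does not exist") when the alias is missing.
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    import os
    home = tomcat_java_home(dict(os.environ))
    if home is None:
        print("Neither JRE_HOME nor JAVA_HOME is set; Tomcat would not start.")
    else:
        print("Tomcat Java home:", home)
        print("Truststore that will be loaded:", find_cacerts(home))
        # "cas-server" is a hypothetical alias used only for illustration.
        print("alias 'cas-server' present:", alias_present(home, "cas-server"))
```

Run it with the same environment Tomcat's startup script sees (for example from the same shell, or after sourcing setenv.sh); if the truststore it reports is not the one the certificate was imported into, that is cause 1, and if the alias is reported absent from the right truststore, that is cause 3.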
Conclusion
Therefore, we conclude that a domain name, not an IP address, must be specified as the name when the certificate is generated.