1. Configure Tomcat SSL. If https://localhost:8443/ can be opened correctly, the SSL configuration is successful.
(1) Generate the server key:
Switch to the %tomcat_home% directory on the command line and enter the following command (requires the JDK 1.4 or later tools):
keytool -genkey -alias tomcat -keyalg rsa -keypass changeit -storepass changeit -keystore server.keystore -validity 3600
When prompted for the name (this becomes the certificate CN), enter the domain name, e.g. localhost (dev or test) or hostname.domainname (a domain name you own); skip all other prompts with Enter and confirm at the end. This generates the file server.keystore under %tomcat_home%.
Note: the -validity parameter is the certificate's validity period in days; the default validity period is very short, only 90 days.
(2) Import the certificate into the JDK's trust store (cacerts):
This step is not required for the Tomcat SSL configuration itself, but it is required for CAS SSO; otherwise the following error occurs: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator ...
The import is done in two steps: first export the certificate, then import it into the trust store. The commands are as follows:
keytool -export -alias tomcat -file server.cer -keystore server.keystore -storepass changeit
keytool -import -trustcacerts -alias tomcat -file server.cer -keystore c:/jdk15/jre/lib/security/cacerts -storepass changeit
[Linux:] <import certificate> keytool -import -trustcacerts -alias tomcat -file server.cer -keystore /usr/jdk15/jre/lib/security/cacerts -storepass changeit
<delete existing certificate> keytool -delete -alias tomcat -keystore /usr/jdk15/jre/lib/security/cacerts -storepass changeit
If you are asked whether to trust the certificate, enter y.
Other useful keytool commands (list all certificates in the trust store, and delete one certificate from it):
keytool -list -v -keystore c:/jdk15/jre/lib/security/cacerts (lists the certificates already in the trust store)
keytool -delete -alias tomcat -keystore c:/jdk15/jre/lib/security/cacerts -storepass changeit (deletes one certificate)
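The keytool steps above can be scripted so the certificate CN is set explicitly to the host name clients will use. This is an added example, not code from the original post. It assumes keytool is on PATH and that JAVA_HOME points at the JDK whose cacerts should trust the server certificate; the alias, password and validity are the post's values, and the hostname cas.example.test is constructed.

```python
"""Scripted version of the keytool steps: generate the server key with the CN
pinned to the hostname, export the certificate, import it into the JDK trust
store. Added example; assumes keytool on PATH and a JAVA_HOME directory."""
import os
import shutil
import subprocess
from pathlib import Path

ALIAS = "tomcat"
STORE_PASS = "changeit"        # the post's value; use a real secret in production
KEYSTORE = "server.keystore"
CERT_FILE = "server.cer"


def genkey_cmd(hostname, validity_days=3600, keystore=KEYSTORE):
    """keytool -genkey with -dname, so there are no prompts and the CN is
    exactly the hostname; a CN that differs from the URL host is what later
    produces 'HTTPS hostname wrong: should be <...>'."""
    return ["keytool", "-genkey", "-alias", ALIAS, "-keyalg", "RSA",
            "-dname", f"CN={hostname}",
            "-keypass", STORE_PASS, "-storepass", STORE_PASS,
            "-keystore", keystore, "-validity", str(validity_days)]


def export_cmd(cert_file=CERT_FILE, keystore=KEYSTORE):
    """Export the self-signed certificate (public part only) to a file."""
    return ["keytool", "-export", "-alias", ALIAS, "-file", cert_file,
            "-keystore", keystore, "-storepass", STORE_PASS]


def import_cmd(cert_file, truststore):
    """Import the certificate into the JDK trust store; -noprompt answers the
    'Trust this certificate?' question that the post says to answer with y."""
    return ["keytool", "-import", "-trustcacerts", "-alias", ALIAS,
            "-file", cert_file, "-keystore", str(truststore),
            "-storepass", STORE_PASS, "-noprompt"]


def list_cmd(truststore):
    """Verbose listing of a trust store, as in the post's -list -v command."""
    return ["keytool", "-list", "-v", "-keystore", str(truststore),
            "-storepass", STORE_PASS]


def cacerts_path(java_home, probe=Path.exists):
    """Locate cacerts for the JDK at java_home: JDK 8 and earlier keep it
    under jre/lib/security (the c:/jdk15/jre/... path in the post), JDK 9+
    under lib/security. `probe` is injectable so the lookup can be tested
    without a real JDK installed."""
    home = Path(java_home)
    candidates = (home / "jre" / "lib" / "security" / "cacerts",
                  home / "lib" / "security" / "cacerts")
    for candidate in candidates:
        if probe(candidate):
            return candidate
    return candidates[-1]


def install(hostname, java_home):
    """Run the three steps in order; fails fast if keytool is missing."""
    if shutil.which("keytool") is None:
        raise RuntimeError("keytool not found on PATH")
    truststore = cacerts_path(java_home)
    for cmd in (genkey_cmd(hostname), export_cmd(), import_cmd(CERT_FILE, truststore)):
        subprocess.run(cmd, check=True)
    return truststore


if __name__ == "__main__":
    # Example invocation; 'cas.example.test' is a constructed hostname.
    print(install("cas.example.test", os.environ.get("JAVA_HOME", "/usr/jdk15")))
```

Passing -dname removes the interactive prompt in which the wrong name is most often typed, and -noprompt makes the trust-store import safe to run unattended; the script returns the cacerts path it modified so it can be listed afterwards with list_cmd.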
2. Modify the SSL connector in server.xml:
<Connector port="8443" maxHttpHeaderSize="8192"
           minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="server.keystore" keystorePass="changeit"/>
Thread-pool sizing attributes (maxThreads, maxSpareThreads, acceptCount) may be added as required; Tomcat applies its defaults when they are omitted.
3. Rename cas-server-webapp-3.2.1.war in cas-server-3.2.1-release/cas-server-3.2.1/modules to cas.war and copy it into Tomcat (the webapps directory).
Open https://localhost:8443/cas/; if the CAS login page appears, the configuration is successful.
4. The client modifies web.xml to protect restricted resources with filters:
<context-param>
<param-name>serverName</param-name>
<param-value>https://192.168.1.179:8443</param-value>
</context-param>
<filter>
<filter-name>cas Authentication filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://192.168.1.179:8443/cas/login</param-value>
</init-param>
</filter>
<filter>
<filter-name>cas Validation filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://192.168.1.179:8443/cas</param-value>
</init-param>
</filter>
<filter>
<filter-name>cas HttpServletRequest Wrapper filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cas Authentication filter</filter-name>
<url-pattern>/casTest2/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>cas Validation filter</filter-name>
<url-pattern>/casTest2/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>cas HttpServletRequest Wrapper filter</filter-name>
<url-pattern>/casTest2/*</url-pattern>
</filter-mapping>
5. Unable to validate ProxyTicketValidator, HTTPS hostname wrong: should be .... (the cause of the exception and how to resolve it: re-import the certificate)
Yale CAS exception summary (1): Unable to validate ProxyTicketValidator, HTTPS hostname wrong: should be ...
Severe: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9H7MX5HK3PFSDXRVMD3Y] service=[http%3a%2f%2f192.168.1.222%3a8080%2fservlets-examples%2fservlet%2fHelloWorldExample] renew=false]]]
This CAS exception is thrown by the CAS client when the CAS server is not accessed by the domain name in the certificate's CN (in the example below the server is accessed by IP, while the certificate CN is the domain name corresponding to that IP, not the IP itself). The CAS client cannot trust the connection: because the CN of your certificate says abc.com, the IP 192.168.1.111 is not recognized by the CAS client.
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9H7MX5HK3PFSDXRVMD3Y] service=[http%3a%2f%2f192.168.1.222%3a8080%2fservlets-examples%2fservlet%2fHelloWorldExample] renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at filters.ExampleFilter.doFilter(ExampleFilter.java:101)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
Caused by: java.io.IOException: HTTPS hostname wrong: should be <192.168.1.111>
    at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:493)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:418)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:905)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
Workaround:
Access the CAS server by domain name, where the domain name is the certificate's CN.
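The check that fails above (HttpsClient.checkURLSpoofing) compares the host in the URL with the identity in the server certificate; a certificate whose CN is abc.com does not match a URL that uses 192.168.1.111 even when the IP resolves to abc.com. The following is an added example, not code from the original post: it reproduces that host-name comparison in Python and uses it to lint the web.xml from step 4 before deployment, so a casServerUrlPrefix that will fail validation is caught without waiting for a ticket to be rejected. The certificate identity (CN cas.example.test) and the sample web.xml are constructed for the example; the matching rules follow RFC 2818/6125 (exact match, left-most-label wildcard, IP literals only against iPAddress SANs), which is also how the Java default hostname verifier behaves.

```python
"""Reproduce the 'HTTPS hostname wrong' check and lint a CAS client web.xml.
Added example; the certificate identity and web.xml below are constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CAS_URL_PARAMS = ("casServerLoginUrl", "casServerUrlPrefix")

# Constructed sample mirroring step 4: the CAS server is referenced by IP.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>serverName</param-name>
    <param-value>https://192.168.1.179:8443</param-value>
  </context-param>
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://192.168.1.179:8443/cas/login</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://192.168.1.179:8443/cas</param-value>
    </init-param>
  </filter>
</web-app>"""


def _wildcard_match(pattern, host):
    """'*.example.com' matches 'a.example.com' but not 'example.com' or
    'a.b.example.com'; the wildcard may only be the whole left-most label."""
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                       # '.example.com'
    return host.endswith(suffix) and "." not in host[: -len(suffix)]


def host_matches_cert(url_host, cert_cn, cert_sans=()):
    """Return True if the URL host is covered by the certificate identity.
    cert_sans is a list of (kind, value) with kind 'DNS' or 'IP'."""
    host = url_host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SANs; the CN is
        # never consulted, which is why CN=abc.com cannot cover 192.168.1.111.
        return any(kind == "IP" and ipaddress.ip_address(val) == ip
                   for kind, val in cert_sans)
    dns_names = [val.lower() for kind, val in cert_sans if kind == "DNS"]
    if not dns_names and cert_cn:              # no dNSName SAN: fall back to CN
        dns_names = [cert_cn.lower()]
    return any(_wildcard_match(p, host) for p in dns_names)


def cas_urls(web_xml_text):
    """Collect the CAS client URL init-params from a web.xml document."""
    root = ET.fromstring(web_xml_text)
    found = {}
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "init-param":   # tolerate a namespace
            continue
        name = value = None
        for child in el:
            local = child.tag.rsplit("}", 1)[-1]
            if local == "param-name":
                name = (child.text or "").strip()
            elif local == "param-value":
                value = (child.text or "").strip()
        if name in CAS_URL_PARAMS:
            found[name] = value
    return found


def lint_cas_client(web_xml_text, cert_cn, cert_sans=()):
    """Return a list of findings; an empty list means the CAS URLs use https
    and their host is covered by the CAS server's certificate."""
    findings = []
    for name, url in cas_urls(web_xml_text).items():
        u = urlparse(url)
        if u.scheme != "https":
            findings.append(f"{name}: {url} is not https; tickets would be validated in clear text")
        if not host_matches_cert(u.hostname or "", cert_cn, cert_sans):
            findings.append(f"{name}: host {u.hostname} is not covered by certificate CN={cert_cn} "
                            "(expect 'HTTPS hostname wrong')")
    return findings


if __name__ == "__main__":
    for line in lint_cas_client(SAMPLE_WEB_XML, "cas.example.test"):
        print(line)
```

Run against the sample, the lint reports both CAS URLs because they use the IP; replacing 192.168.1.179 with the CN (or issuing the certificate with an iPAddress SAN for that address) clears the findings, which is the same fix as the workaround above. The casServerLoginUrl host is checked by the browser rather than by the Java client, but it is linted too because the browser applies the same rule against its own trust store.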
6. If this error occurs, the server-side certificate needs to be imported into the client's JDK trust store at c:/jdk15/jre/lib/security/xxx.