Posted to users@tomcat.apache.org by /U <um...@comcast.net> on 2009/11/12 02:22:16 UTC
AprHttp11 Connector - unable to locate certificates
I am unable to get the APR connector working. I have built APR, configured the
connector, generated certificates, and updated the environment (LD_LIBRARY_PATH),
but it cannot find the certificates when authentication is required.
I have supplied all the relevant details below. I would appreciate
any insights into why it's unable to find the certificates.
Environment:
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
# java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Server VM (build 1.6.0_01-b06, mixed mode)
# uname -srvompi
Linux 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686 i386 GNU/Linux
# Tomcat version: 6.0.14
# APR version (built from source on RHEL5): 1.3.8
Configuration:
* APR is built and installed in /usr/local/apr:
# ls -l /usr/local/apr/lib
total 3212
-rwxr-xr-x 1 root root 8130 Nov 2 09:48 apr.exp
-rwxr-xr-x 1 root root 806678 Nov 2 09:48 libapr-1.a
-rwxr-xr-x 1 root root 838 Nov 2 09:48 libapr-1.la
lrwxrwxrwx 1 root root 17 Nov 10 12:07 libapr-1.so -> libapr-1.so.0.3.8
lrwxrwxrwx 1 root root 17 Nov 10 12:07 libapr-1.so.0 -> libapr-1.so.0.3.8
-rwxr-xr-x 1 root root 549998 Nov 2 09:48 libapr-1.so.0.3.8
-rwxr-xr-x 1 root root 1113618 Nov 2 10:52 libtcnative-1.a
-rwxr-xr-x 1 root root 921 Nov 2 10:52 libtcnative-1.la
lrwxrwxrwx 1 root root 23 Nov 10 12:07 libtcnative-1.so -> libtcnative-1.so.0.1.16
lrwxrwxrwx 1 root root 23 Nov 10 12:07 libtcnative-1.so.0 -> libtcnative-1.so.0.1.16
-rwxr-xr-x 1 root root 777409 Nov 2 10:52 libtcnative-1.so.0.1.16
drwxr-xr-x 2 root root 4096 Nov 2 10:52 pkgconfig
* Standalone Tomcat with an HTTP and an APR connector.
* Relevant excerpts from ${catalina.home}/conf/server.xml:
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
//...
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
SSLCertificateFile="${catalina.home}/conf/server.cert"
SSLCertificateKeyFile="${catalina.home}/conf/server.key"
/>
//...
* LD_LIBRARY_PATH is set in ${catalina.home}/bin/setenv.sh as follows:
export LD_LIBRARY_PATH=/usr/local/apr/lib:${LD_LIBRARY_PATH}
Key/Certificate Generation:
# export CATALINA_HOME=/usr/local/apache-tomcat
# export CATALINA_CONF=${CATALINA_HOME}/conf
# rm -fr ${CATALINA_CONF}/server.cert
# rm -fr ${CATALINA_CONF}/server.key
# openssl genrsa -out $CATALINA_CONF/server.key 2048
# openssl req -new -x509 -days 1095 -key $CATALINA_CONF/server.key -out $CATALINA_CONF/server.cert < $CATALINA_CONF/cert.input
where $CATALINA_CONF/cert.input contains:
US
CA
MyCity
MyCompany Inc
My Dept.
myhost.mycompany.com
nobody@mycompany.com
Logs:
APR connector is initialized (seemingly) correctly:
Nov 10, 2009 1:54:21 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded Apache Tomcat Native library 1.1.16.
Nov 10, 2009 1:54:21 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Nov 10, 2009 1:54:22 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 10, 2009 1:54:22 PM org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Nov 10, 2009 1:54:22 PM org.apache.coyote.ajp.AjpAprProtocol init
INFO: Initializing Coyote AJP/1.3 on ajp-8009
Nov 10, 2009 1:54:22 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1440 ms
Nov 10, 2009 1:54:22 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 10, 2009 1:54:22 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.14
//...
... but it fails to find the certificate when an authentication is
required:
2009-11-10 16:18:59,622 INFO [http-8443-1]
cas.CentralAuthenticationServiceImpl:229 - Granted service ticket
[ST-1-QnrXKg6DAe4RTxUsSexs-cas] for service
[http://myhost.mycompany.com:8080/myapp] for user [johndoe]
2009-11-10 16:18:59,720 ERROR [http-8443-1] validation.Cas20ProxyTicketValidator:49 -
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:852)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:584)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1508)
    at java.lang.Thread.run(Thread.java:619)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
    ... 34 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    ... 40 more
Thanx!
/U
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: AprHttp11 Connector - unable to locate certificates
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: /U [mailto:uma_rk@comcast.net]
> Subject: AprHttp11 Connector - unable to locate certificates
> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
> at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
> at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
> at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
The error is coming from one of your webapp's filters, not Tomcat's connector. Looks like your filter is making its own connections and will need its own set of JSSE-based certificates.
- Chuck
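Chuck's diagnosis, as an added example that is not code from the thread: the CAS client filter opens its own HTTPS connection to the 8443 connector and validates the server certificate with JSSE, whose default truststore (cacerts) does not contain the self-signed server.cert, so PKIX path building fails. The script below reproduces that trust failure with openssl and then builds a JSSE truststore for the webapp; it assumes openssl is installed, uses keytool only when a JDK is present, and the truststore path, alias and "changeit" password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the trust failure behind
# "PKIX path building failed" and builds the JSSE truststore the CAS filter needs.
# Assumes openssl is installed; keytool is optional.
set -u

WORK=${WORK:-$(mktemp -d)}
CERT=$WORK/server.cert
KEY=$WORK/server.key
TRUSTSTORE=$WORK/cas-truststore.jks   # constructed path; "changeit" below is a placeholder password

# The same kind of self-signed certificate the thread creates from cert.input;
# -subj carries those answers so no interactive prompts are needed.
make_self_signed_cert() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1095 -key "$KEY" -out "$CERT" \
        -subj "/C=US/ST=CA/L=MyCity/O=MyCompany Inc/OU=My Dept./CN=myhost.mycompany.com/emailAddress=nobody@mycompany.com" \
        2>/dev/null
}

# What the webapp's JSSE client effectively does: build a path from the server
# certificate to a trusted root in its default store. A self-signed certificate
# has no such path, so this returns non-zero (openssl's analogue of the PKIX error).
trusted_by_default_store() {
    openssl verify "$CERT" >/dev/null 2>&1
}

# Once server.cert itself is installed as a trust anchor the same check passes.
trusted_with_anchor() {
    openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

# Build a JSSE truststore holding server.cert and print the JVM options that make
# the CAS client (and every other JSSE client in that JVM) validate against it.
build_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping" >&2; return 2; }
    rm -f "$TRUSTSTORE"
    keytool -importcert -noprompt -alias cas-server -file "$CERT" \
        -keystore "$TRUSTSTORE" -storepass changeit >/dev/null 2>&1 || return 1
    echo "Add to setenv.sh: export JAVA_OPTS=\"\$JAVA_OPTS -Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=changeit\""
}

# Usage: make_self_signed_cert && build_truststore
```

Note that javax.net.ssl.trustStore replaces cacerts for the whole JVM, so either import server.cert into a copy of cacerts or accept that other HTTPS clients in that Tomcat lose the public roots.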