Pre Requisites for CAS

Now before going on to the discussion on Custom Credential To Principal Resolver which requires attribute Repository for fetching user attributes from the underlying repository, In this post I will take up the issue of configuring CAS to use over HTTPS.

While configuring CAS over Https I faced the exception
Error javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Though I have configured custom HostNameverifier still I was facing the above error.

The reason behind the above error i found out is that the certificate which i was using was not added to the truststore.

This issue can be resolved with the following steps:
1) Locate the cacerts file from the JDK, which the server is using.
    The usual path is jdk1.6.0_05\jre\lib\security\cacerts
  
2) Run the following command from the command promt: 
    keytool -list -v -keystore /path/to/cacerts  > java_cacerts.txt
    Enter keystore password:  changeit

In this example, /path/to/cacerts is the location of your cacerts file, and the output of the command will be saved in java_cacerts.txt.
Take a look at java_cacerts.txt. See if it includes the same certificate that is present in the browser by searching for a matching serial number. In the java_cacerts.txt file, the serial number will be in lowercase and without the ":" colon character. If it is not present, then this could be the reason for the error, and we can fix this by adding the certificate found in the browser.


3) Back in the browser, export the Root CA. Choose the "X.509 Certificate (DER)" type, so the exported file has a der extension.
Assuming the file is called example.der, pick the alias 'example' for this certificate.

4) Next import the file.

   keytool -import -alias example -keystore  /path/to/cacerts -file example.derYou will be prompted for a password, use 'changeit'
and response "yes" on whether to trust this key.

5) Dump the contents again to verify it contains your new certificate(By checking the Serial number). Restart the JVM and check that it can now access the HTTPS URL. Also remove the java_cacerts.txt dump file.
        

Comments

Post a Comment

Popular posts from this blog

Use of @Configurable annotation.

Not, all types(beans) used in a Spring Based Application are Spring managed. Sometimes, we need to inject some dependency into some Types which are not Spring Managed. The most common example being, injection of Service or DAO layer within the Entity class. Now the instances of Entity classes are being created using the new operator, i.e. they are not Spring Managed. Now we want to inject the corresponding Service or DAO Type which is Spring Managed within these Entity Types, and these can be performed with the help of @Configurable . It is the Aspects, which performs all the underlying engineering and ,makes this thing possible. Let's see an example. @Configurable public class Person { @Autowired ResourceBundleThemeSource themeSource; private String firstName; private String lastName; private int age; private Address address; @CustomDateFormat Date birthDate; MultipartFile profile; public String getFirstName() { return firstName; } public voi...
Read more

Spring WS - Part 5

Spring WS provides an easy integration with various WS-Security features with the help of interceptors like Wss4jSecurityInterceptor, XwsjSecurityInterceptor. We are going to explore here very basic feature of WS-SECURITY i.e. implementing Security using with UserNameTokenAuthentication We are going to use Wss4jSecurityInterceptor as it is very easy to configure. We are going to use configure two interceptors: 1) One for the Server End. 2) Other for the Client End. For Server End The configuration for Wss4jSecurityInterceptor is as follows: @Bean public Wss4jSecurityInterceptor wss4jSecurityInterceptor() { /** * The SecurementActions for UsernameToken is commented, as the * UsernameToken is to be added by the client, the server-side * interceptor would only validate that. * */ Wss4jSecurityInterceptor wss4jSecurityInterceptor = new Wss4jSecurityInterceptor(); wss4jSecurityInterceptor.setValidationActions("UsernameToken"); ...
Read more

Spring WS - Part 4

Another interesting and essential feature is the attachment part. Now I found two things out here. The attachment can be inline within the SOAP message body (suitable as long as the attachment size is not too long) or we can enable MTOM feature within the marshaller and leverage the MTOM-XOP feature. For the attachment to be inline with the SOAP message body, no actual configuration are required, everything is being taken care by the Spring WS framework, except the following: &ltxs:element name="getCountryRequest"&gt &ltxs:complexType&gt &ltxs:sequence&gt &ltxs:element name="name" type="xs:string"/&gt &ltxs:element name="file" type="xs:base64Binary" xmime:expectedContentTypes="application/octet-stream"&gt&lt/xs:element&gt &lt/xs:sequence&gt &lt/xs:complexType&gt &lt/xs:e...
Read more