David.Turing's blog

 

Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested target

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList
= [ null ]
[edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl
=
[https:
// sourcesite:8443/cas/proxyValidate] ticket=[ST-0-UMjsI0YOhF15RhutnkHW]
service=[http%3A%2F%2Fdestsite%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample]
renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 52 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:
455 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:
378 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:
202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:
173 )
    at filters.ExampleFilter.doFilter(ExampleFilter.java:
101 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:
202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:
173 )
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:
213 )
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:
178 )
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:
432 )
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:
126 )
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:
105 )
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:
107 )
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
148 )
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:
869 )
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:
664 )
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:
527 )
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:
80 )
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:
684 )
    at java.lang.Thread.run(Thread.java:
595 )
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:
150 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:
1476 )
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:
174 )
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:
168 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:
843 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:
106 )
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:
495 )
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:
433 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:
815 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:
1025 )
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:
1038 )
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:
405 )
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:
170 )
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:
905 )
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:
234 )
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:
84 )
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:
212 )
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:
50 )
     
20  more
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
 unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:
221 )
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:
145 )
    at sun.security.validator.Validator.validate(Validator.java:
203 )
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:
172 )
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:
320 )
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:
836 )
     
33  more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:
236 )
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:
194 )
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:
216 )
     
38  more

这个原因发生在:在SSL握手中,CAS Client无法识别CAS Server的证书(X),即无法建立一条从cacerts信任证书到X的信任路径,
读者可以看一个叫做PKIX规范。解决办法是检查tomcat使用的信任证书路径,通常是jre/lib/security/cacerts文件,看是否已经
导入了所需信任证书。

posted on 2006-09-06 09:08 david.turing 阅读(11333) 评论(5)  编辑  收藏 所属分类: Security异常问题

评论

# re: Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested target 2007-02-08 15:54 oldman

keytool -list -v -keystore D:\jdk1.5.0_06\.keystore

我导入了证书,怎么还是有错误啊!

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Feb 8, 2007
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=onepoint, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=localhost, OU=onepoint, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 45cad5a6
Valid from: Thu Feb 08 15:47:50 CST 2007 until: Wed May 09 15:47:50 CST 2007
Certificate fingerprints:
MD5: EF:89:D1:5E:0E:59:AC:FB:1A:7C:08:1E:C0:2A:3D:B5
SHA1: 32:59:93:24:06:A9:23:E4:C6:6E:94:D9:09:CA:B6:0A:AC:C2:C9:45


  回复  更多评论   

# re: Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested target[未登录] 2007-02-08 20:10 david.turing

This is a trustcert entry but you need to import it into %JAVA_HOME%\jre\lib\security\cacerts where your CAS can't locate it. Make sure you do that, and the password for cacerts has a lot of un-useful trustcert, remove all of them and importyour "tomcat" entry into cacerts(through SecureRCP)  回复  更多评论   

# re: Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested target 2007-06-13 11:02 yongyuan.jiang

good~  回复  更多评论   

# re: Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested target 2010-06-26 17:19 zhaoyanh

@yongyuan.jiang
经验总结,需要将CAS服务器的证书文件,不是CRT文件,而是用KEYTOOL生成的数据文件拷贝到应用服务器上,用keytool -import 导入到已在应用服务上自己生成的证书文件中(cacerts),用 -list 命令查看变成了2条,一条是自己的,一条是CAS服务器的,将这个文件拷贝到JVM环境中,就好用了。  回复  更多评论   

# re: Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested target[未登录] 2010-06-30 15:22 堕落佛

@oldman

你看看你是不是显示声明了 trustStore的位置,如果是的话,看看那个位置对不对  回复  更多评论   


只有注册用户登录后才能发表评论。


网站导航:
 

导航

统计

常用链接

留言簿(110)

我参与的团队

随笔分类(126)

随笔档案(155)

文章分类(9)

文章档案(19)

相册

搜索

积分与排名

最新随笔

最新评论

阅读排行榜

评论排行榜