Enabling TLS between ticket database (REDIS) and CAS difficulties


Rod B

Nov 17, 2021, 1:49:32 PM
to CAS Community
Hello,

We have a confirmed working installation of CAS and are attempting to add TLS between the database, REDIS and CAS.

This is what I've done:

I've enabled TLS in the redis.conf

port 0
tls-port 6379
tls-cert-file /etc/redis/tls/tls-cert-file.crt
tls-key-file /etc/redis/tls/tls-key-file.key
tls-ca-cert-file /etc/redis/tls/CACert.crt
tls-auth-clients no

The tls-cert-file.crt and tls-key-file.key were generated by this command:

openssl req -nodes -x509 -newkey rsa:4096 -subj "/C=CA/ST=Province Name/L=City/O=School/CN=cas.servername.edu" -days 365 -keyout /etc/redis/tls/tls-key-file.key -out /etc/redis/tls/tls-cert-file.crt

The CACert.crt key was made by these commands:
openssl genrsa 4096 > CACert.pem
openssl req -new -x509 -nodes -days 365 -key CACert.pem -out CACert.crt

I then converted the CACert.crt to DER format, as the "SSL & Certificates" section of the CAS Troubleshooting Guide states:
https://apereo.github.io/cas/6.4.x/installation/Troubleshooting-Guide.html#ssl--certificates

And imported the cert into the Java key store:
keytool -import -keystore /usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64/lib/security/cacerts -file tmp/cert.der -alias CACert

To be sure that Tomcat is using that key store, I added these options to the catalina.sh script in .../tomcat9/bin:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64/lib/security/cacerts"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=********"

In /etc/cas/config/cas.properties I set this flag:
cas.ticket.registry.redis.useSsl=true

Restarted REDIS and Tomcat.

Now when I attempt to authenticate, the catalina.out log indicates that CAS can't connect to localhost:6379 (this is the REDIS port) and that there is what the troubleshooting guide calls the most common SSL error:

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

I believe I've done all of the steps correctly. Anyone know what I'm missing?

Below is the log snippet from the authentication attempt.

Thanks for any help,

Rod


Caused by: io.lettuce.core.RedisConnectionException: Unable to connect to localhost:6379
at io.lettuce.core.RedisConnectionException.create(RedisConnectionException.java:78) ~[lettuce-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at io.lettuce.core.RedisConnectionException.create(RedisConnectionException.java:56) ~[lettuce-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at io.lettuce.core.AbstractRedisClient.getConnection(AbstractRedisClient.java:234) ~[lettuce-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at io.lettuce.core.RedisClient.connect(RedisClient.java:207) ~[lettuce-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.data.redis.connection.lettuce.StandaloneConnectionProvider.lambda$getConnection$1(StandaloneConnectionProvider.java:115) ~[spring-data-redis-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at java.util.Optional.orElseGet(Optional.java:369) ~[?:?]
at org.springframework.data.redis.connection.lettuce.StandaloneConnectionProvider.getConnection(StandaloneConnectionProvider.java:115) ~[spring-data-redis-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.data.redis.connection.lettuce.LettucePoolingConnectionProvider.lambda$null$0(LettucePoolingConnectionProvider.java:97) ~[spring-data-redis-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at io.lettuce.core.support.ConnectionPoolSupport$RedisPooledObjectFactory.create(ConnectionPoolSupport.java:209) ~[lettuce-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at io.lettuce.core.support.ConnectionPoolSupport$RedisPooledObjectFactory.create(ConnectionPoolSupport.java:199) ~[lettuce-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.apache.commons.pool2.BasePooledObjectFactory.makeObject(BasePooledObjectFactory.java:58) ~[commons-pool2-2.7.0.jar:2.7.0]
at org.apache.commons.pool2.impl.GenericObjectPool.create(GenericObjectPool.java:889) ~[commons-pool2-2.7.0.jar:2.7.0]
at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:424) ~[commons-pool2-2.7.0.jar:2.7.0]
at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:349) ~[commons-pool2-2.7.0.jar:2.7.0]
at io.lettuce.core.support.ConnectionPoolSupport$1.borrowObject(ConnectionPoolSupport.java:122) ~[lettuce-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at io.lettuce.core.support.ConnectionPoolSupport$1.borrowObject(ConnectionPoolSupport.java:117) ~[lettuce-core-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.data.redis.connection.lettuce.LettucePoolingConnectionProvider.getConnection(LettucePoolingConnectionProvider.java:103) ~[spring-data-redis-2.2.0.RELEASE.jar:2.2.0.RELEASE]
... 209 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:349) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:292) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:287) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1499) ~[netty-handler-4.1.42.Final.jar:4.1.42.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1513) ~[netty-handler-4.1.42.Final.jar:4.1.42.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1397) ~[netty-handler-4.1.42.Final.jar:4.1.42.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1224) ~[netty-handler-4.1.42.Final.jar:4.1.42.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1271) ~[netty-handler-4.1.42.Final.jar:4.1.42.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:505) ~[netty-codec-4.1.42.Final.jar:4.1.42.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:444) ~[netty-codec-4.1.42.Final.jar:4.1.42.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:283) ~[netty-codec-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1422) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:931) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:700) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:635) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:552) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:514) ~[netty-transport-4.1.42.Final.jar:4.1.42.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1044) ~[netty-common-4.1.42.Final.jar:4.1.42.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.42.Final.jar:4.1.42.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.42.Final.jar:4.1.42.Final]
... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

Rod B

Nov 17, 2021, 2:54:02 PM
to CAS Community, Rod B
Hi!

I'm happy to report that I found my logic error. In this case I didn't need to import the /etc/redis/tls/CACert.crt file into the keystore. REDIS uses it, but not for the TLS handshake. I needed to import the tls-cert-file into the keystore.

1. Create the tls-cert-file.crt file like this:

openssl req -nodes -x509 -newkey rsa:4096 -subj "/C=CA/ST=Province Name/L=City/O=School/CN=localhost" -days 365 -keyout /etc/redis/tls/tls-key-file.key -out /etc/redis/tls/tls-cert-file.crt

The CN must be localhost because the REDIS server announces itself as localhost in our case (we bind to localhost).

2. Convert tls-cert-file.crt to DER format:

openssl x509 -outform der -in ./tls-cert-file.crt -out tls-cert-file.der

3. Import the tls-cert-file.der into the keystore:

/usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64/bin/keytool -import -keystore /usr/lib/jvm/java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64/lib/security/cacerts -file /etc/redis/tls/tls-cert-file.der -alias redis-tls-cert

...and remember to restart REDIS and TOMCAT.

Whew!

Rod
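The root cause in the first post and the fix in the second post come down to one PKI fact: `openssl req -x509` produces a self-signed certificate, so the Redis server cert never chained to CACert.crt and importing only the CA into the JDK trust store could not satisfy the handshake. The script below is an added example, not code from either post or from the CAS or Redis projects. It rebuilds both layouts with the same file names the posts use and runs the check the JDK performs ("does this server cert chain to a trust anchor?") against each: the self-signed leaf against a CA-only trust store (fails, the first post), the self-signed leaf pinned as its own anchor (passes, the second post's fix), and a CA-signed leaf with a SAN for localhost against the CA (passes, the layout the first post was aiming for). It assumes `openssl` is on PATH; `keytool` is optional, the trust-store password `changeit` is a placeholder, and the work directory is a temp dir.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuilds the two certificate layouts
# from the posts above and checks which one chains to the CA.
# Assumptions: openssl on PATH; keytool optional; file names follow the posts;
# WORK is a scratch directory (a fresh temp dir unless overridden).
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# The CA from the first post: an RSA key and a self-signed CA certificate.
make_ca() {
  openssl genrsa -out CACert.pem 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 365 -key CACert.pem -out CACert.crt \
    -subj "/C=CA/ST=Province Name/L=City/O=School/CN=Redis Test CA" 2>/dev/null
}

# What the first post generated for Redis: "req -x509" yields a SELF-SIGNED
# certificate with no relationship to CACert.crt, so a trust store that holds
# only CACert.crt cannot build a path to it ("Path does not chain with any of
# the trust anchors").
make_selfsigned_server() {
  openssl req -nodes -x509 -newkey rsa:2048 -days 365 -subj "/CN=localhost" \
    -keyout selfsigned.key -out selfsigned.crt 2>/dev/null
}

# The layout the first post was aiming for: a CSR for the Redis server, signed
# by the CA, with a SAN for the name CAS dials (localhost, as in the fix).
make_ca_signed_server() {
  openssl req -nodes -newkey rsa:2048 -subj "/CN=localhost" \
    -keyout tls-key-file.key -out server.csr 2>/dev/null
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
    > server.ext
  openssl x509 -req -days 365 -in server.csr -CA CACert.crt -CAkey CACert.pem \
    -CAcreateserial -extfile server.ext -out tls-cert-file.crt 2>/dev/null
}

# Chain building only, the question behind the PKIX error: does server cert $2
# chain to a trust anchor in $1? Prints "ok" or "fail".
chains_to_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Chain building plus hostname matching: is server cert $2, trusted via $1,
# acceptable for a client that dialled host $3? Prints "ok" or "fail".
accepted_for_host() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Optional: put the CA (not the leaf) into a dedicated PKCS12 trust store
# instead of editing the JDK's own lib/security/cacerts, which a JDK update
# replaces. The DER conversion mirrors the posts. Prints "built" or "skipped".
build_truststore() {
  command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
  openssl x509 -outform der -in CACert.crt -out CACert.der 2>/dev/null
  rm -f redis-truststore.p12
  if keytool -importcert -noprompt -storetype PKCS12 -keystore redis-truststore.p12 \
       -storepass changeit -alias redis-ca -file CACert.der >/dev/null 2>&1; then
    echo built
  else
    echo failed
  fi
}

make_ca
make_selfsigned_server
make_ca_signed_server

echo "self-signed leaf vs CA-only trust store (first post):   $(chains_to_ca CACert.crt selfsigned.crt)"
echo "self-signed leaf pinned as its own anchor (the fix):    $(chains_to_ca selfsigned.crt selfsigned.crt)"
echo "CA-signed leaf vs CA trust store:                       $(chains_to_ca CACert.crt tls-cert-file.crt)"
echo "CA-signed leaf, client dialled localhost:               $(accepted_for_host CACert.crt tls-cert-file.crt localhost)"
echo "CA-signed leaf, client dialled cas.servername.edu:      $(accepted_for_host CACert.crt tls-cert-file.crt cas.servername.edu)"
echo "dedicated trust store: $(build_truststore)"
```

Points worth keeping in mind when choosing between the two working layouts. Pinning the self-signed leaf, as the second post does, works until that certificate expires (365 days in the posts), at which point CAS loses its ticket registry at the next restart; trusting the CA and reissuing leaves from it avoids that cliff. Putting the name in a SAN rather than only in the CN matters because hostname verifiers check SANs and many ignore the CN. The `-Djavax.net.ssl.trustStore` properties in catalina.sh apply to every outbound TLS connection the JVM makes, not just the one to Redis, and the `trustStorePassword` value is visible in the process command line to other local users. Finally, `tls-auth-clients no` in redis.conf means Redis does not authenticate CAS by certificate, so authentication of the client still rests on the Redis password or ACL configuration.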
