[Dspace-tech] Dspace and CAS problem (SSL)


revskill

Aug 26, 2015, 9:57:48 AM
to dspac...@lists.sourceforge.net, <dspace-devel@lists.sourceforge.net>
Hi everyone.
I'm running DSpace behind an Apache proxy (listening on port 443) with the server name https://dspace
My CAS server is running as https://casserver
When I submit the login form from the CAS server, the client returned the error below in the log file:

012-10-13 08:57:21,500 ERROR org.dspace.authenticate.CASAuthentication @ Unexpected exception caught
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)


As I see it, this is a problem with DSpace when it must verify the server certificate in order to process the service ticket from the CAS server.
Do you know how to fix this problem?

Thank you very much.
--
TRUONG HOANG DUNG
Librarian Researcher
Information and Library Centre
Mobile: 0121.411.5322
Email: dun...@hpu.edu.vn

Hai Phong Private University

bollini

Aug 26, 2015, 9:57:49 AM
to revskill, dspac...@lists.sourceforge.net, <dspace-devel@lists.sourceforge.net>
You are probably using a self-signed certificate. You need to trust the CAS SSL certificate in the JVM that is used to run DSpace (Tomcat). Look at the keytool help to check the exact parameter.
The truststore is usually stored in a file named cacerts in the lib/security of your JRE.
Hope this helps,
Andrea


Sent from Samsung Mobile

revskill <revsk...@gmail.com> wrote:

bollini

Aug 26, 2015, 9:57:50 AM
to revskill, dspac...@lists.sourceforge.net, <dspace-devel@lists.sourceforge.net>
Hi revskill,
The simplest thing to do is to access the casserver URL from your browser and download the certificate shown.
I don't have a PC here so I can't check the command myself...

Be sure to indicate your cacerts as the truststore file.

revskill

Aug 26, 2015, 9:57:50 AM
to bollini, dspac...@lists.sourceforge.net, <dspace-devel@lists.sourceforge.net>
I see. Now I have 2 files, casserver.crt and casserver.key, from the CAS server (signed with my own CA.crt and CA.key).
I have dspace.crt and dspace.key (signed with the same CA.crt and CA.key, too). Can you tell me specifically how to trust that CA.crt in the JVM truststore? Thank you very much.

2012/10/13 bollini <bol...@cilea.it>
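
One way to carry out what the replies above describe, importing CA.crt into the cacerts truststore of the JVM that runs Tomcat (an added example, not part of the original thread). The function names, the alias `local-ca` and the use of the JDK's default truststore password `changeit` are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example: trust a private CA in the JVM that runs Tomcat/DSpace.
# Assumptions (not from the thread): alias "local-ca", default password "changeit".

# Print the path of the cacerts truststore under a given Java home.
# Newer JDKs and standalone JREs use lib/security; JDK 8 and older nest it under jre/.
find_cacerts() {
    java_home=$1
    for candidate in "$java_home/lib/security/cacerts" \
                     "$java_home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no cacerts found under $java_home" >&2
    return 1
}

# Import a CA certificate into the truststore, keeping a backup of the original.
# usage: trust_ca <java_home> <ca_cert_file> [alias] [storepass]
trust_ca() {
    store=$(find_cacerts "$1") || return 1
    ca_file=$2
    alias_name=${3:-local-ca}
    store_pass=${4:-changeit}
    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 1; }

    # Show subject, issuer and fingerprints so you can confirm this is your CA.
    keytool -printcert -file "$ca_file" || return 1

    # Keep the first backup only, so a re-run never overwrites the pristine copy.
    [ -e "$store.bak" ] || cp -p "$store" "$store.bak" || return 1
    keytool -importcert -trustcacerts -noprompt \
        -alias "$alias_name" -file "$ca_file" \
        -keystore "$store" -storepass "$store_pass" || return 1

    # Confirm the entry is present; restart Tomcat so the JVM reloads the truststore.
    keytool -list -alias "$alias_name" -keystore "$store" -storepass "$store_pass"
}

# Run only when called with arguments, e.g.: sh trust-ca.sh "$JAVA_HOME" CA.crt
if [ "$#" -ge 2 ]; then
    trust_ca "$@"
fi
```

Writing to cacerts normally requires the privileges of the account that owns the Java installation, and the import must be done in the Java home that Tomcat actually starts with.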