[cas-user] SSL errors occurring even after following all troubleshooting steps


Venkatesh Babu KR

Apr 7, 2015, 3:08:17 AM
to cas-...@lists.jasig.org
Hi,

We are working to set up CAS server version 3.5.2 to work with our secure LDAP server. However, we are running into issues with the SSL handshake. We get this exception:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I tried all the troubleshooting steps mentioned in the following link: https://wiki.jasig.org/display/casum/ssl+troubleshooting+and+reference+guide, but am still running into the same issue. So, given below is the SSL trace obtained from my Tomcat. Would somebody be able to help us out here and point out what is going wrong and how to fix it? I really appreciate your help.

Regards,
Venkatesh

SSL trace:
========
Is initial handshake: true
Is secure renegotiation: false
http-bio-8443-exec-5, setSoTimeout(3000) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1428389663 bytes = { 107, 68, 168, 45, 221, 151, 251, 41, 43, 169, 18, 242, 142, 0, 79, 93, 30, 204, 181, 254, 173, 49, 156, 242, 99, 224, 207, 2 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
http-bio-8443-exec-5, WRITE: TLSv1 Handshake, length = 149
http-bio-8443-exec-5, READ: TLSv1 Handshake, length = 5089
*** ServerHello, TLSv1
RandomCookie:  GMT: 1428389663 bytes = { 249, 216, 159, 16, 62, 117, 92, 153, 37, 122, 171, 186, 182, 204, 148, 71, 198, 113, 223, 0, 227, 187, 48, 1, 215, 161, 252, 189 }
Session ID:  {8, 56, 0, 0, 23, 230, 106, 155, 234, 191, 212, 35, 42, 164, 246, 72, 47, 146, 174, 115, 25, 64, 143, 7, 11, 54, 26, 6, 125, 239, 205, 71}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject:
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 1024 bits
  modulus: 1235870491444444498660628733163718949027167254371215019913740834924152133639742386492896149501074453011980944122621578278744895532609969206996300778700088167939390598502948672895684688614282870790423689814626939394613797008369843211370001305552425492536258820643130639825632529495904888184467789904788592808530

  public exponent: 65537
  Validity: [From: Fri Sep 05 05:01:29 IST 2014,
               To: Sat Sep 05 05:01:29 IST 2015]
  Issuer: CN=HMAIssuingCA, DC=hma, DC=com
  SerialNumber: [    18f3696d 00000066 714e]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 28 30 26 30 0A 06 08   2B 06 01 05 05 07 03 02  .(0&0...+.......
0010: 30 0A 06 08 2B 06 01 05   05 07 03 01 30 0C 06 0A  0...+.......0...
0020: 2B 06 01 04 01 82 37 14   02 02                    +.....7...


[2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 2A 30 28 06 20 2B 06   01 04 01 82 37 15 08 87  .*0(. +.....7...
0010: B5 A4 60 83 E7 8D 54 84   ED 85 1B 83 FB D9 4C 85  ..`...T.......L.
0020: D8 91 7E 27 01 1C 02 01   6E 02 01 00              ...'....n...


[3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:///CN=HMAIssuingCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=hma,DC=com?cACertificate?base?objectClass=certificationAuthority
,
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.hma.com/CertEnroll/000TIER2CA01.hma.com_HMAIssuingCA.crt
]
]

[4]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0A 11 AC D4 3C 0D 15 9D   F6 CE 86 BB 32 ED 38 2E  ....<.......2.8.
0010: 93 CA F5 E2                                        ....
]
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:///CN=HMAIssuingCA,CN=000TIER2CA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=hma,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://pki.hma.com/CertEnroll/HMAIssuingCA.crl]
]]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
  1.3.6.1.4.1.311.20.2.2
]

[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[8]: ObjectId: 2.5.29.17 Criticality=true
SubjectAlternativeName [
  DNSName: 00aDC02.hma.com
]

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C4 CC A6 1D D9 93 CA 64   35 68 EB 4C 93 A6 DB 0F  .......d5h.L....
0010: 47 02 13 57                                        G..W
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: AE 27 CF A8 DA B2 94 8A   3B 62 49 2E 6F B8 F6 96  .'......;bI.o...
0010: 2B 77 67 3A 16 CA 1D 95   84 C2 2A B3 FA 94 44 00  +wg:......*...D.
0020: D1 66 E3 EF 89 08 6A 71   7F 24 10 C8 18 4F A8 E8  .f....jq.$...O..
0030: 34 C7 24 C4 CE 6D D1 D8   5E 94 28 14 76 11 38 81  4.$..m..^.(.v.8.
0040: 7B 82 2F C0 29 5A C1 4C   08 65 09 EC 33 2F 4B 84  ../.)Z.L.e..3/K.
0050: 2F 6A 84 63 73 35 E6 F3   32 C5 BD 43 E9 36 F1 A2  /j.cs5..2..C.6..
0060: 9C 2A 0F DB 45 28 5E 99   69 D8 F9 94 2C 5A 72 76  .*..E(^.i...,Zrv
0070: 47 78 AA A3 92 B3 37 F1   65 A7 EC BF 0D 06 82 9E  Gx....7.e.......
0080: A4 A4 2F 9C AD 39 95 5B   B1 A3 3A DB B4 A9 D7 CA  ../..9.[..:.....
0090: 94 6E F4 E5 8B 14 07 7D   D8 77 F1 9A 33 18 DC F7  .n.......w..3...
00A0: E1 57 FF EB 89 12 3A BF   6C 9E E6 56 F0 9F 30 18  .W....:.l..V..0.
00B0: 76 2D E0 E2 9D 96 8B 23   C1 6F 82 EE BC C7 2C F8  v-.....#.o....,.
00C0: 62 8A 23 9F 74 4A 51 4E   83 0D 65 D3 BC EF D3 61  b.#.tJQN..e....a
00D0: 66 15 DD 19 08 92 01 18   61 EF 11 7D 5F 92 BC 83  f.......a..._...
00E0: 4F 2B A0 78 46 B9 71 6A   26 04 8E 69 9E E4 9E B7  O+.xF.qj&..i....
00F0: 58 79 1E CA 3C A9 77 CA   C7 8A 5B EA 05 BE E2 72  Xy..<.w...[....r

]
chain [1] = [
[
  Version: V3
  Subject: CN=HMAIssuingCA, DC=hma, DC=com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 25211905323824201642809655640767706993026245637597781124047865685414022269270066845993050661647363969176941359559384849895482390283770784670290665316685671490314467478221302567361699335434997675648426829282129826035929395656474691473236740389580580066790523617832998774686284103912805287277613149235315509136579773720529093462224208784199511914884259298345528564535940988055868147460665404007160005912086151763502079795404803553383451949599025321328682663726989501182746302142412219327807410042583921115480305389807243747404028029693284767188247450198231706482551103961524356749651931903910820032892237106364421885541
  public exponent: 65537
  Validity: [From: Wed Oct 16 20:01:35 IST 2013,
               To: Mon Oct 16 20:11:35 IST 2023]
  Issuer: CN=HMAROOT-CA
  SerialNumber: [    6134bc1e 00000000 0002]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 0C 1E 0A 00 53 00 75   00 62 00 43 00 41        .....S.u.b.C.A


[2]: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 03 02 01 00                                     .....


[3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:///CN=HMAROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?cACertificate?base?objectClass=certificationAuthority
,
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.hma.com/CertEnroll/000TIER1CA01_HMAROOT-CA.crt
]
]

[4]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 59 86 B0 43 AF 92 63 14   09 60 B5 99 09 71 DB 2D  Y..C..c..`...q.-
0010: 5D 3E A7 4E                                        ]>.N
]
]

[5]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[6]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:///CN=HMAROOT-CA,CN=000TIER1CA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://pki.hma.com/CertEnroll/HMAROOT-CA.crl]
]]

[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0A 11 AC D4 3C 0D 15 9D   F6 CE 86 BB 32 ED 38 2E  ....<.......2.8.
0010: 93 CA F5 E2                                        ....
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 79 3C C0 D7 D6 B4 DD 9E   60 4C D0 90 C0 B3 DD D3  y<......`L......
0010: F2 52 F1 82 6E 15 41 67   6F 92 E7 87 C6 6C 92 C9  .R..n.Ago....l..
0020: 2F 80 A8 74 96 55 43 FB   3D 43 93 70 26 09 E3 25  /..t.UC.=C.p&..%
0030: 04 3E 8E 71 FD DD 6B CE   94 6A CD DE 69 7C 5B F8  .>.q..k..j..i.[.
0040: 4D 9F 7D 3A 37 7F 41 1D   7B 5C 8D 55 AB F8 49 E3  M..:7.A..\.U..I.
0050: 2F 07 A4 F5 05 5D FD 4E   B5 B0 24 06 5B FB 3D 9C  /....].N..$.[.=.
0060: 98 25 98 B8 95 4C 11 3D   0D 08 A1 A2 A8 8D 69 F7  .%...L.=......i.
0070: 9D AA 67 C1 51 E7 2D 00   54 3F F4 CE 8F 8D E2 D2  ..g.Q.-.T?......
0080: 77 3C 77 0A 3D 8B 0B 54   FB 52 07 1A BF F0 89 A3  w<w.=..T.R......
0090: 37 69 60 F9 6B 61 58 F9   41 89 CF 04 27 E4 4F 8F  7i`.kaX.A...'.O.
00A0: CA B0 E4 56 3C 15 21 9A   77 D9 1B 81 0C 2D D4 A1  ...V<.!.w....-..
00B0: DD 37 8A EA E5 7D EE BD   6A 0C 52 A3 8F 94 CE 46  .7......j.R....F
00C0: 85 C4 71 20 44 BC D5 A0   17 73 96 E8 E2 C9 99 F7  ..q D....s......
00D0: FC EF 00 A0 74 4B EB 53   6A 5A 3C FF C7 9B 07 48  ....tK.SjZ<....H
00E0: F7 3F 18 29 91 91 29 43   BB 0D A3 C9 4C 57 5C 9E  .?.)..)C....LW\.
00F0: C7 FB FB 1A 3F 5B 5D 36   27 2B F7 8E 3A 0D 43 00  ....?[]6'+..:.C.

]
***
%% Invalidated:  [Session-2, TLS_RSA_WITH_AES_128_CBC_SHA]
http-bio-8443-exec-5, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
http-bio-8443-exec-5, WRITE: TLSv1 Alert, length = 2
http-bio-8443-exec-5, called closeSocket()
http-bio-8443-exec-5, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2015-04-07 12:24:24,647 ERROR [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler threw error authenticating [username: corp.nurse]>
org.springframework.ldap.CommunicationException: ldaps.hma.com:636; nested exception is javax.naming.CommunicationException: ldaps.hma.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:100)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
        at org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
        at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:125)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:287)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:361)
        at org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler.authenticateUsernamePasswordInternal(BindLdapAuthenticationHandler.java:90)
        at org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:71)
        at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
        at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:57)
        at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1)
        at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:93)
        at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:57)
        at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:57)
        at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
        at org.perf4j.aop.AbstractTimingAspect$1.proceed(AbstractTimingAspect.java:47)
        at org.perf4j.aop.AgnosticTimingAspect.runProfiledMethod(AgnosticTimingAspect.java:53)
        at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:45)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
        at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
        at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:126)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
        at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:90)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at com.sun.proxy.$Proxy25.authenticate(Unknown Source)
        at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket_aroundBody10(CentralAuthenticationServiceImpl.java:477)
        at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket_aroundBody11$advice(CentralAuthenticationServiceImpl.java:57)
        at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:1)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
        at org.perf4j.aop.AbstractTimingAspect$1.proceed(AbstractTimingAspect.java:47)
        at org.perf4j.aop.AgnosticTimingAspect.runProfiledMethod(AgnosticTimingAspect.java:53)
        at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:45)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
        at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
        at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
        at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:126)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
        at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
        at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:90)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at com.sun.proxy.$Proxy26.createTicketGrantingTicket(Unknown Source)
        at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit_aroundBody2(AuthenticationViaFormAction.java:109)
        at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit_aroundBody3$advice(AuthenticationViaFormAction.java:57)
        at org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:1)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:830)
        at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1253)
        at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
        at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:1329)
        at ognl.ASTMethod.getValueBody(ASTMethod.java:90)
        at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
        at ognl.SimpleNode.getValue(SimpleNode.java:258)
        at ognl.ASTChain.getValueBody(ASTChain.java:141)
        at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
        at ognl.SimpleNode.getValue(SimpleNode.java:258)
        at ognl.Ognl.getValue(Ognl.java:494)
        at org.springframework.binding.expression.ognl.OgnlExpression.getValue(OgnlExpression.java:85)
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
        at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
        at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
        at org.springframework.webflow.engine.State.enter(State.java:194)
        at org.springframework.webflow.engine.Transition.execute(Transition.java:227)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:393)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
        at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:119)
        at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:555)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:388)
        at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
        at org.springframework.webflow.engine.ViewState.handleEvent(ViewState.java:232)
        at org.springframework.webflow.engine.ViewState.resume(ViewState.java:196)
        at org.springframework.webflow.engine.Flow.resume(Flow.java:545)
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.resume(FlowExecutionImpl.java:261)
        at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:169)
        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:183)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:128)
        at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:57)
        at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:722)
Caused by: javax.naming.CommunicationException: ldaps.hma.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:224)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1600)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
        at javax.naming.InitialContext.init(InitialContext.java:242)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
        at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:43)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:254)
        ... 154 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
        at com.sun.jndi.ldap.Connection.createSocket(Connection.java:379)
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:201)
        ... 168 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
        ... 177 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
        ... 183 more

-- 
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

John Gasper

Apr 7, 2015, 11:23:48 AM
to cas-...@lists.jasig.org

Hello,

Have you exported the ldap server's cert/chain and imported it into the jre's cacerts file? I don't see a reference in the ssl trace for ldaps.hma.com.


Venkatesh Babu KR

Apr 8, 2015, 5:40:14 AM
to cas-...@lists.jasig.org
Hi John,

Looks like that was the issue. I did export the certificate to the JRE's cacerts, but for some reason the keystore looked up was jssecacerts.

Things worked fine after I added certificate to jssecacerts.

Regards,
Venkatesh

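The fix John suggests and the cause Venkatesh found (the JRE consulting jssecacerts rather than cacerts) can be turned into a repeatable check. The shell script below is an added example written for this page; it was not posted in the thread and is not part of CAS. It reproduces the JSSE default-truststore lookup order as documented for Oracle/OpenJDK (the javax.net.ssl.trustStore property if set, otherwise lib/security/jssecacerts if that file exists, otherwise lib/security/cacerts), fetches the chain an LDAPS server presents with openssl, and imports the issuing CA into whichever file the JRE will actually read. The JRE path, the alias prefix hma-ldaps and the default store password changeit in the usage comment are assumptions for illustration; openssl and keytool must be on PATH.

```shell
#!/bin/sh
# Added example for this thread, not code from CAS or the mailing list: find the
# truststore a JRE really opens, fetch the chain an LDAPS server presents, and
# import its CA there.
# Assumptions: JSSE default-truststore order as documented for Oracle/OpenJDK
# (javax.net.ssl.trustStore, then jssecacerts, then cacerts); openssl and keytool
# are on PATH.

# Print the file JSSE's default X509TrustManager will read.
#   $1 = java.home (on Java 8 and earlier this is the jre/ subdirectory of a JDK)
#   $2 = optional value of -Djavax.net.ssl.trustStore, which wins when set
jsse_default_truststore() {
    java_home=$1
    override=${2:-}
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    sec="$java_home/lib/security"
    # jssecacerts is tried first; when it exists, cacerts is never consulted.
    if [ -f "$sec/jssecacerts" ]; then
        printf '%s\n' "$sec/jssecacerts"
    else
        printf '%s\n' "$sec/cacerts"
    fi
}

# Split a PEM bundle on stdin (for example the output of openssl s_client -showcerts)
# into $1/chain-N.pem, N=0 being the leaf, and print how many certificates were seen.
split_pem_bundle() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { f = dir "/chain-" (n + 0) ".pem"; n++ }
        f != ""                       { print > (f) }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }'
}

# Fetch the chain the server sends. LDAPS on 636 is TLS on connect, so no STARTTLS.
fetch_server_chain() {   # host port outdir
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | split_pem_bundle "$3"
}

# Import the CA certificate(s) from a fetched chain into a truststore, printing each
# subject and SHA-256 fingerprint first so it can be compared with the CA's published
# value before anything is trusted. The leaf (chain-0) is skipped when an issuer is
# present: trusting the CA survives server certificate renewal, trusting the leaf does not.
import_chain_ca() {   # truststore storepass alias-prefix pemdir
    ts=$1; pass=$2; prefix=$3; pemdir=$4
    count=$(ls "$pemdir"/chain-*.pem | wc -l)
    for pem in "$pemdir"/chain-*.pem; do
        i=${pem##*chain-}; i=${i%.pem}
        if [ "$count" -gt 1 ] && [ "$i" -eq 0 ]; then continue; fi
        openssl x509 -in "$pem" -noout -subject -fingerprint -sha256
        keytool -importcert -noprompt -keystore "$ts" -storepass "$pass" \
            -alias "$prefix-$i" -file "$pem"
    done
}

# Usage for the scenario in the thread (JRE path, alias prefix and the default
# cacerts password "changeit" are assumptions):
#   ts=$(jsse_default_truststore /usr/lib/jvm/java-7-oracle/jre)
#   fetch_server_chain ldaps.hma.com 636 /tmp/hma-chain
#   import_chain_ca "$ts" changeit hma-ldaps /tmp/hma-chain
#   keytool -list -keystore "$ts" -storepass changeit | grep hma-ldaps
```

The trace above shows the server sending only its own certificate and HMAIssuingCA, not HMAROOT-CA, so at least one of those CA certificates has to be in the truststore the JRE opens for PKIX path building to succeed; importing it into cacerts while a jssecacerts file exists alongside, as happened here, changes nothing. After the import, rerunning Tomcat with -Djavax.net.debug=ssl should show a "trustStore is:" line naming the file jsse_default_truststore printed and an "adding as trusted cert:" entry for the CA, which is the reference John was looking for in the original trace.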