tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From /U <uma...@comcast.net>
Subject AprHttp11 Connector - unable to locate certificates
Date Thu, 12 Nov 2009 01:22:16 GMT

I am unable to get APR connector working. I have build Apr, configured the
conenctor, generated certificates, updated the environment (LD_LIBRARY_PATH)
and it cannot find the certificates when an authentication is required.

I have supplied all the relevant details below. I would appreciate
any insights into why its unable to find the certificates.

Environment:
  # openssl version
  OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
  # 
  #
  # java version "1.6.0_01"
  Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
  Java HotSpot(TM) Server VM (build 1.6.0_01-b06, mixed mode)
  #
  # 
  # uname -srvompi
  Linux 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686 i386
GNU/Linux

  # Tomcat version: 6.0.14

  #APR version (built from source on RHEL5): 1.3.8
  

Configuration:
  * APR is build and installed in /usr/local/apr:
     # ls -l /usr/local/apr/lib
     total 3212
     -rwxr-xr-x 1 root root    8130 Nov  2 09:48 apr.exp
     -rwxr-xr-x 1 root root  806678 Nov  2 09:48 libapr-1.a
     -rwxr-xr-x 1 root root     838 Nov  2 09:48 libapr-1.la
     lrwxrwxrwx 1 root root      17 Nov 10 12:07 libapr-1.so ->
libapr-1.so.0.3.8
     lrwxrwxrwx 1 root root      17 Nov 10 12:07 libapr-1.so.0 ->
libapr-1.so.0.3.8
     -rwxr-xr-x 1 root root  549998 Nov  2 09:48 libapr-1.so.0.3.8
     -rwxr-xr-x 1 root root 1113618 Nov  2 10:52 libtcnative-1.a
     -rwxr-xr-x 1 root root     921 Nov  2 10:52 libtcnative-1.la
     lrwxrwxrwx 1 root root      23 Nov 10 12:07 libtcnative-1.so ->
libtcnative-1.so.0.1.16
     lrwxrwxrwx 1 root root      23 Nov 10 12:07 libtcnative-1.so.0 ->
libtcnative-1.so.0.1.16
     -rwxr-xr-x 1 root root  777409 Nov  2 10:52 libtcnative-1.so.0.1.16
     drwxr-xr-x 2 root root    4096 Nov  2 10:52 pkgconfig

  * Standalone Tomcat with an HTTP and an APR connector. 
  * Relevant excerpts from ${catalina.home}/conf/server.xml:
  
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />

   //...
   
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                SSLCertificateFile="${catalina.home}/conf/server.cert"
                SSLCertificateKeyFile="${catalina.home}/conf/server.key"
    />

   //...

   * LD_LIBRARY_PATH is set in ${catalina.home}/bin/setenv.sh as follows:
      export LD_LIBRARY_PATH=/usr/local/apr/lib:${LD_LIBRARY_PATH}


Key/Certificate Generation:

   # export CATALINA_HOME=/usr/local/apache-tomcat
   # export CATALINA_CONF=${CATALINA_HOME}/conf

   # rm -fr  ${CATALINA_CONF}/server.cert
   # rm -fr  ${CATALINA_CONF}/server.key

   # openssl genrsa -out $CATALINA_CONF/server.key 2048
   openssl req -new -x509 -days 1095 -key $CATALINA_CONF/server.key -out
$CATALINA_CONF/server.cert < $CATALINA_CONF/cert.input


     where $CATALINA_CONF/cert.input contains:
             
          US
          CA
          MyCity
          MyCompany Inc
          My Dept.
          myhost.mycompany.com
          nobody@mycompany.com
 

Logs:

  APR connector is initialized (seemingly) correctly:

       Nov 10, 2009 1:54:21 PM org.apache.catalina.core.AprLifecycleListener
init
       INFO: Loaded Apache Tomcat Native library 1.1.16.
       Nov 10, 2009 1:54:21 PM org.apache.catalina.core.AprLifecycleListener
init
       INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
       Nov 10, 2009 1:54:22 PM org.apache.coyote.http11.Http11AprProtocol
init
       INFO: Initializing Coyote HTTP/1.1 on http-8080
       Nov 10, 2009 1:54:22 PM org.apache.coyote.http11.Http11AprProtocol
init
       INFO: Initializing Coyote HTTP/1.1 on http-8443
       Nov 10, 2009 1:54:22 PM org.apache.coyote.ajp.AjpAprProtocol init
       INFO: Initializing Coyote AJP/1.3 on ajp-8009
       Nov 10, 2009 1:54:22 PM org.apache.catalina.startup.Catalina load
       INFO: Initialization processed in 1440 ms
       Nov 10, 2009 1:54:22 PM org.apache.catalina.core.StandardService
start
       INFO: Starting service Catalina
       Nov 10, 2009 1:54:22 PM org.apache.catalina.core.StandardEngine start
       INFO: Starting Servlet Engine: Apache Tomcat/6.0.14
       //...


  ... but it fails to find the certificate when an authentication is
required:

  
       2009-11-10 16:18:59,622 INFO  [http-8443-1]
cas.CentralAuthenticationServiceImpl:229     - Granted service ticket
[ST-1-QnrXKg6DAe4RTxUsSexs-cas] for service
[http://myhost.mycompany.com:8080/myapp] for user [johndoe]
       2009-11-10 16:18:59,720 ERROR [http-8443-1]
validation.Cas20ProxyTicketValidator:49     -
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1520)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:182)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
	at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
	at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
	at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:449)
	at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:817)
	at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
	at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1056)
	at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1040)
	at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
	at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
	at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:981)
	at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
	at
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
	at
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
	at
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
	at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at
org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:111)
	at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
	at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
	at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
	at
org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:852)
	at
org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:584)
	at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1508)
	at java.lang.Thread.run(Thread.java:619)
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
	at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
	at sun.security.validator.Validator.validate(Validator.java:218)
	at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
	at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
	at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
	at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
	... 34 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
	at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
	... 40 more


Thanx!

/U


-- 
View this message in context: http://old.nabble.com/AprHttp11-Connector---unable-to-locate-certificates-tp26311889p26311889.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message