1、配置Tomcat的SSL,如果能正确访问https://localhost:8443/,即说明SSL配置成功
一、生成 server key :
以命令行方式切换到目录%TOMCAT_HOME%,在command命令行输入如下命令(jdk1.4以上带的工具):
keytool -genkey -alias tomcat -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore -validity 3600
用户名输入域名,如localhost(开发或测试用)或hostname.domainname(用户拥有的域名),其它全部以 enter 跳过,最后确认,此时会在%TOMCAT_HOME%下生成server.keystore 文件。
注:参数 -validity 指证书的有效期(天),缺省有效期很短,只有90天。
二、将证书导入的JDK的证书信任库中:
这步对于Tomcat的SSL配置不是必须,但对于CAS SSO是必须的,否则会出现如下错误:edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator。。。
导入过程分2步,第一步是导出证书,第二步是导入到证书信任库,命令如下:
keytool -export -trustcacerts -alias tomcat -file server.cer -keystore server.keystore -storepass changeit
keytool -import -trustcacerts -alias tomcat -file server.cer -keystore c:/jdk15/jre/lib/security/cacerts -storepass changeit
[linux下面:] <导入证书> keytool -import -trustcacerts -alias tomcat -file server.cer -keystore /usr/jdk15/jre/lib/security/cacerts -storepass changeit
<删除存在的证书>keytool -delete -trustcacerts -alias tomcat -keystore /usr/jdk15/jre/lib/security/cacerts -storepass changeit
如果有提示,输入Y就可以了。
其他有用keytool命令(列出信任证书库中所有已有证书,删除库中某个证书):
keytool -list -v -keystore c:/jdk15/jre/lib/security/cacerts (列出信任库中已经存在的证书)
keytool -delete -trustcacerts -alias tomcat -keystore c:/jdk15/jre/lib/security/cacerts -storepass changeit
(删除某一个证书)
2、修改server.xml中的SSL服务
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="server.keystore" keystorePass="changeit"/>
3、cas-server-3.2.1-release/cas-server-3.2.1/modules中的cas-server-webapp-3.2.1.war更名为为CAS.war,拷贝到Tomcat中。
访问 https://localhost:8443/cas/,出现CAS的登录页面则说明配置成功
4.客户端修改WEB.xml以便利用filter来保护受限制的资源
<context-param>
<param-name>serverName</param-name>
<param-value>https://192.168.1.179:8443</param-value>
</context-param>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://192.168.1.179:8443/cas/login</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://192.168.1.179:8443/cas</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/casTest2/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/casTest2/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/casTest2/*</url-pattern>
</filter-mapping>
5.Unable to validate ProxyTicketValidator之HTTPS hostname wrong: should be....(异常出现的原因及解决方式:重新导入证书)
Yale CAS异常问题总结(1)Unable to validate ProxyTicketValidator之HTTPS hostname wrong: should be.....
严重: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator prox
yList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRv
MD3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
这个CAS异常是从CAS Client里面抛出,是当我们不使用证书的CN去访问域名的时候(比如下文是用IP访问而且证书的CN是该IP对应的域名而非该IP),CASClient无法信任,因为你证书的CN命名写着abc.com,192.168.1.111这个IP是无法被CAS Client识别。
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList = [ null ] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl = [https: // 192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRvMD3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 52 )
at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java: 455 )
at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java: 378 )
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java: 202 )
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java: 173 )
at filters.ExampleFilter.doFilter(ExampleFilter.java: 101 )
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java: 202 )
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java: 173 )
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java: 213 )
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java: 178 )
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java: 432 )
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java: 126 )
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java: 105 )
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java: 107 )
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 148 )
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java: 869 )
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java: 664 )
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java: 527 )
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java: 80 )
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java: 684 )
at java.lang.Thread.run(Thread.java: 595 )
Caused by: java.io.IOException: HTTPS hostname wrong: should be < 192.168 . 1.111 >
at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java: 493 )
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java: 418 )
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java: 170 )
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java: 905 )
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java: 234 )
at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java: 84 )
at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java: 212 )
at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 50 )
解决办法:
用域名访问,域名就是证书的CN。
5、如果发生kylix错误,则需要将服务器端的证书导到客户端的 c:/jdk15/jre/lib/security/XXX中。