ssl - CAS + SSLHandshakeException + ValidatorException + PKIX 路径构建失败 + 无法找到请求目标的有效证书路径

Question

我正在研究中央认证系统 (jasig.org) 以实现单点登录功能对于我的 Intranet Web 应用程序。我有两个 tomcat 实例在我的同一台机器(windows)上运行。两个 tomcat 实例都已配置为使用 SSL 并使用了自签名证书(使用 java keytool 创建)。

Tomcat1

Cas 服务器。

服务器.xml

<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
           keystoreFile="C:/Users/sandip.paul/.keystore"
           keystorePass="changeit"
           truststoreFile="C:/Program Files/Java/jdk1.6.0_20/jre/lib/security/cacerts" />

Tomcat2

myWebApp(使用 spring security)

服务器.xml

<Connector port="8663" maxHttpHeaderSize="8192" SSLEnabled="true"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

下面是myWebApp的applicationContext-security.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:security="http://www.springframework.org/schema/security"
    xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <!--
        Enable security, let the casAuthenticationEntryPoint handle all intercepted urls.
        The CAS_FILTER needs to be in the right position within the filter chain.
    -->
    <security:http entry-point-ref="casProcessingFilterEntryPoint" auto-config="true">
        <security:intercept-url pattern="/protected/**" access="IS_AUTHENTICATED_FULLY" />
    </security:http>

    <!--
        Required for the casProcessingFilter, so define it explicitly set and
        specify an Id Even though the authenticationManager is created by
        default when namespace based config is used.
    -->
    <security:authentication-manager alias="authenticationManager" />

    <!--
        This section is used to configure CAS. The service is the
        actual redirect Client URL that will be triggered after the CAS login sequence.
    -->
    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="https://obll1973.abc.com:8663/myWebApp/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <!-- 
        The customUserDetailsService provides ROLE & other Details and 
        create an object of UserDetail for this application.
    -->
    <bean id="customUserDetailsService"
        class="edu.sandip.cas.client.authentication.CustomUserDetailsService">
    </bean>

    <!-- 
        The CasProcessingFilter has very similar properties to the 
        AuthenticationProcessingFilter (used for form-based logins).

        The CAS Processing filter handles the redirect from the CAS server 
        and starts the ticket validation.
    -->
    <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
        <security:custom-filter after="CAS_PROCESSING_FILTER"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
        <property name="defaultTargetUrl" value="/"/>
    </bean>

    <!--
        The entryPoint intercepts all the CAS authentication requests.
        It redirects to the CAS loginUrl for the CAS login page.
    -->
    <bean id="casProcessingFilterEntryPoint" 
        class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://obll1973.abc.com:8443/cas/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- 
        Handles the CAS ticket processing.
    -->
    <bean id="casAuthenticationProvider" 
        class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <security:custom-authentication-provider />
        <property name="userDetailsService" ref="customUserDetailsService" />
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://obll1973.abc.com:8443/cas" />
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only"/>    
    </bean>

    <!-- 
        To access request.getRemoteUser() from client application  
    -->
    <bean id="wrappingFilter" class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter" />
</beans>

我面临的问题是以下异常:

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.springframework.security.providers.cas.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:145)
    org.springframework.security.providers.cas.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:131)
    org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:188)
    org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
    org.springframework.security.ui.cas.CasProcessingFilter.attemptAuthentication(CasProcessingFilter.java:94)
    org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:258)
    org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
    org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)

复制上述异常的步骤:1) 我尝试使用 https://obll1973.abc.com:8663/myWebApp/protected/ 访问 myWebApp2) 它被重定向到 cas 服务器，即 https://obll1973.abc.com:8443/cas/login并在提供用户名/密码后在这里，一旦 myWebApp 再次向 cas 服务器发送请求以验证生成的 token ，就会捕获异常。

我们将不胜感激任何建议/帮助。

Answer 1

您的 Spring-CAS 配置看起来不错。

SSLHandshakeException 出现的唯一原因是将 SSL key 不正确地导入到创建的 keystore 或 JVM keystore 中。

在 key 创建过程中，您是否遵循了以下内容

注意:CN 的别名(这里是 cas)应该与机器的主机名相同。

要查找机器的主机名，在控制台或命令提示符中只需键入不带引号的“主机名”。

在根目录下创建一个名为app的目录

[root@localhost app]# keytool -genkey -alias cas -keyalg RSA -keystore .cas -storepass caspasswd

What is your first and last name? [Unknown]: cas What is the name of your organizational unit? [Unknown]: MYCOMPANY What is the name of your organization? [Unknown]: MYCOMPANY What is the name of your City or Locality? [Unknown]: Bangalore What is the name of your State or Province? [Unknown]: Karnataka What is the two-letter country code for this unit? [Unknown]: IN Is CN=cas, OU=MYCOMPANY, O=MYCOMPANY, L=Bangalore, ST=Karnataka, C=IN correct? [no]: yes

Enter key password for (give the password mentioned above -- i.e caspasswd in this case) (RETURN if same as keystore password): Re-enter new password:

[root@localhost app]# keytool -exportcert -alias cas -file cas.crt -keystore .cas Enter keystore password: Certificate stored in file

[root@localhost app]# ls cas.crt softwares test.class test.java tomcat7027CAS

[root@localhost app]# keytool -import -alias cas -file cas.crt -keystore /app/softwares/jdk1.6.0_27/jre/lib/security/cacerts Enter keystore password: Owner: CN=cas, OU=MYCOMPANY, O=MYCOMPANY, L=Bangalore, ST=Karnataka, C=IN Issuer: CN=cas, OU=MYCOMPANY, O=MYCOMPANY, L=Bangalore, ST=Karnataka, C=IN Serial number: 510a6a63 Valid from: Thu Jan 31 18:28:11 IST 2013 until: Wed May 01 18:28:11 IST 2013 Certificate fingerprints: MD5: 52:8E:2E:74:C6:57:CD:B3:B0:B6:6C:17:D9:0D:77:F3 SHA1: 1F:AA:4C:22:B9:16:DC:AA:D4:87:07:CF:DD:B2:11:A6:AE:36:9A:DB Signature algorithm name: SHA1withRSA Version: 3 Trust this certificate? [no]: yes Certificate was added to keystore

[root@localhost app]# keytool -list -keystore /app/softwares/jdk1.6.0_27/jre/lib/security/cacerts -alias cas Enter keystore password: cas, Jan 31, 2013, trustedCertEntry, Certificate fingerprint (MD5): 52:8E:2E:74:C6:57:CD:B3:B0:B6:6C:17:D9:0D:77:F3

[root@localhost app]#

在您的 tomcat server.xml 中，您还可以使用 https 连接器，如下所示

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="/app/.cas" keystorePass="mykeypassword" 
    secure="true" connectionTimeout="240000" 
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8069" protocol="AJP/1.3" redirectPort="8443" />

以上 key 用于 CAS 服务器。您可以为应用程序创建自己的单独 key 。

但是两个 key 都应该导入到 JVM cacerts keystore (如何:在下面提到)

现在是最重要的部分:假设您的 CAS 服务器别名是 cas

你的应用服务器别名是myapp

在两台服务器中同时保留 key cas.crt 和 myapp.crt 以导入 JVM

在两个服务器中执行以下操作:

1) keytool -import -alias cas -file /app/cas.crt -keystore /usr/java/jdk1.5.0_22/jre/lib/security/cacerts

2) keytool -import -alias myapp -file /app/cas.crt -keystore /usr/java/jdk1.5.0_22/jre/lib/security/cacerts

要验证使用以下命令 --

1) keytool -list -v -keystore /usr/java/jdk1.5.0_22/jre/lib/security/cacerts -alias cas

2) keytool -list -v -keystore /usr/java/jdk1.5.0_22/jre/lib/security/cacerts -alias myapp

如果使用多个版本的 java，请确保 Java--JRE--LIB--SECURITY--CACERTS 文件

这将消除您的错误。

注意:

如果在提供正确的用户凭据后浏览器显示空白页面，修改系统的host文件(linux为/etc/hosts，windows为c:\windows\system32\driver\etc\hosts)

在那里添加cas服务器ip

例如。

162.25.250.60 我的应用程序162.25.250.81 ca

任何疑问都可以澄清。

您可以引用以下内容:

https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide