how to setup SSL for CAS and Client (different machines)

How to set up an SSL certificate (self-signed) on different machines for the CAS server and client?

  • CAS Server: Linux, Tomcat, JDK 6
  • Client: Windows, Tomcat, JDK 6
  • Certificate: self-signed (keytool)
  • Environment: development

CAS and the clients are working fine on a single machine; when using different machines it is throwing a certificate error.

Is a single self-signed certificate enough for both the client and server machines?

Are any specific client and server settings changes required, like the server machine name and client machine name, for certificate creation?

Arun asked Oct 08 '22 15:10



1 Answer

Can you please add the exception you are getting and in which node?

As general advice, please note that:

1) you have to install the certificate on the client JVM machine if you are using HTTPS communication on the server side between the CAS client and the CAS server

2) the JVM will not accept (at runtime) a self-signed certificate with the IP in the CN (common name).

See https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide for more details


So from the exception you posted it seems to be the following case (quoted from the CAS Troubleshooting link above):

No subject alternative names present
Sample Alt Name Stack Trace: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
In most cases this is a hostname/SSL certificate CN mismatch.

This commonly happens when a self-signed certificate issued to localhost is placed on a machine that is accessed by IP address. It should be noted that generating a certificate with an IP address for a common name, e.g. CN=192.168.1.1,OU=Middleware,dc=vt,dc=edu, will not work in most cases where the client making the connection is Java. For example the Java CAS client will throw SSL errors on connecting to a CAS server secured with a certificate containing an IP address in the CN.

Have you tried resolving it by changing the certificate to use a domain name instead of the IP, and then reinstalling it in the system truststore for the CAS client and in the keystore for the CAS server?

Tony Rad answered Oct 29 '22 01:10
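The procedure the answer describes (certificate issued to the server's DNS name rather than its IP, exported from the server keystore, imported into the client JVM's truststore), written out as a keytool script. This is an added example, not code from the question or from Tony Rad's answer, and not part of CAS itself; the hostname cas.example.test, the IP 192.168.1.1, the scratch directory and the password "changeit" are assumptions for illustration. It also generates the "IP in the CN, no SAN" certificate from the quoted troubleshooting text so the two can be compared with keytool -printcert.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Generates a self-signed CAS server certificate whose CN and SAN carry the
# server's DNS name, exports it, and imports it into a truststore for the
# client JVM. Hostname, IP, paths and the "changeit" password are assumptions.
set -eu

CAS_HOST="${CAS_HOST:-cas.example.test}"   # assumed DNS name of the CAS server
BAD_IP="192.168.1.1"                        # assumed IP, for the "IP in CN" contrast
WORK="${WORK:-$(mktemp -d)}"                # scratch dir for keystores and PEMs
STOREPASS="changeit"                        # demo password only

# Server side: keystore with a self-signed cert, CN=hostname plus a DNS SAN.
# "-ext SAN" needs keytool from JDK 7 or later; on JDK 6 omit -ext and rely on
# the CN alone, which Java's hostname check still accepts for DNS names.
gen_server_keystore() {
    keytool -genkeypair -alias cas -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$CAS_HOST, OU=Dev, O=Example" \
        -ext "SAN=dns:$CAS_HOST" \
        -keystore "$WORK/cas-server.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# The mistake the answer describes: IP address in the CN and no SAN at all.
gen_ip_cn_keystore() {
    keytool -genkeypair -alias cas-ip -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$BAD_IP, OU=Dev, O=Example" \
        -keystore "$WORK/cas-ip.jks" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export a certificate as PEM: export_cert <keystore> <alias> <out.pem>
export_cert() {
    keytool -exportcert -rfc -alias "$2" -file "$3" \
        -keystore "$1" -storepass "$STOREPASS"
}

# Client side: import the server cert into the client's truststore. Point the
# client JVM at it with -Djavax.net.ssl.trustStore=<path> (or import into the
# JRE's lib/security/cacerts instead).
import_into_truststore() {
    keytool -importcert -noprompt -alias cas -file "$WORK/cas-server.pem" \
        -keystore "$WORK/client-truststore.jks" -storepass "$STOREPASS"
}

# Check whether a PEM certificate carries a DNS SAN for a host:
# cert_has_dns_san <cert.pem> <host>  -> exit 0 if present, 1 otherwise
cert_has_dns_san() {
    keytool -printcert -file "$1" | grep -q "DNSName: $2"
}

# Check whether the client truststore holds the "cas" alias.
truststore_has_cas_alias() {
    keytool -list -alias cas -keystore "$WORK/client-truststore.jks" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# Run the whole procedure when invoked as: sh cas-ssl.sh run
if [ "${1:-}" = "run" ]; then
    gen_server_keystore
    export_cert "$WORK/cas-server.jks" cas "$WORK/cas-server.pem"
    import_into_truststore
    gen_ip_cn_keystore
    export_cert "$WORK/cas-ip.jks" cas-ip "$WORK/cas-ip.pem"
    if cert_has_dns_san "$WORK/cas-server.pem" "$CAS_HOST"; then
        echo "OK: cas-server.pem names $CAS_HOST in its SAN"
    fi
    if ! cert_has_dns_san "$WORK/cas-ip.pem" "$BAD_IP"; then
        echo "As expected: cas-ip.pem has no SAN; a Java client reached by IP will reject it"
    fi
    echo "Client truststore: $WORK/client-truststore.jks (use -Djavax.net.ssl.trustStore)"
fi
```

Two points follow from the script. The CAS client must reach the server by exactly the name in the certificate (the service URL configured in the client's web.xml and the URL the browser is redirected to), so the Windows machine needs that name resolvable, via DNS or its hosts file. And the same certificate serves both machines: the private key stays in cas-server.jks on the Linux side, while the client only needs the exported public certificate in its truststore.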