Liferay CAS integration on Separate servers SSL error

2012-11-22T23:56:30Z

hi, i m new with liferay and i'm facing a problem related to the CAS single sign on configuration.
I followed faithfully the steps listed in the wiki at: http://www.liferay.com/community/wiki/-/wiki/Main/CAS+Liferay+6+Integration
and i got my cas server working JUST with it deployed in the same tomcat hosting liferay 6.1.1 ga2.
But now i've the real situation to be implemented i.e. hosting the cas server on a different tomcat.

I'm working in develpment mode i.e. in a intranet, so dealing with IP ADDRESSES.
This is my simple configuration:

SERVER 1: IP address: 192.168.1.5. This hosts tomcat and liferay listening on the port 8080.The version of Cas client deployed in Liferay is 3.2.1
SERVER 2: IP address: 192.168.1.6 this hosts cas server deployed on a tomcat instance. cas version is 3.5.1

JAVA_HOME = C:\Java\jdk1.6.0_37
JRE_HOME = %JAVA_HOME%\jre

These are the steps i did for configuring all:
_____________________________________
On SERVER 1:
1) in tomcat server.xml
uncommented these code lines for activating https

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" SSLEnabled="true"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />

2) On liferay portal-ext.properties:

cas.auth.enabled=true
cas.login.url=https://192.168.1.6:8443/cas-web/login
cas.logout.url=https://192.168.1.6:8443/cas-web/logout
cas.service.url=http://192.168.1.5:8080/c/portal/login
cas.server.name=192.168.1.5:8080
cas.validate.url=https://192.168.1.6:8443/cas/proxyValidate

3) i put the same values in the Control Panel ---> Portal Settings ---> Authentication ---> CAS Form.

4) I create my server keystore

keytool -genkey -alias tomcatLiferay -keypass changeit -keyalg RSA

keystore password: changeit
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: y

________________________________________________________________

On SERVER 2:

1)uncomment these code lines for activating https

<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" SSLEnabled="true"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />

2)i create a self signed certificate:

keytool -genkey -alias tomcatCAS -keypass changeit -keyalg RSA

keystore password: changeit
What is your first and last name?
[Unknown]: ServerCAS
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: y

keytool -export -alias tomcatCAS -keypass changeit -file server.cert

keytool -import -alias tomcatCAS -file server.cert -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

____________________________________________________________________________________________________

1) Now i copy server.cert from SERVER 2, i paste it on SERVER 1 then i import it in %JAVA_HOME%/jre/lib/security/cacerts of SERVER 1

keytool -import -alias tomcatCAS -file c:\server.cert -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts

Now the certificate is copied in the keystore of the liferay Server.

2)I turn on both the servers.
3)I access the liferay login page, i click on sing-in button then the https://192.168.1.6:8443/cas-web/login page opens.
I fill it with username and pwd... and i got a white page.
On catalina.out of liferay server there is this exception:

23:25:36,623 ERROR [http-bio-8080-exec-9][CommonUtils:340] sun.security.validato
r.ValidatorException: PKIX path building failed: sun.security.provider.certpath.
SunCertPathBuilderException: unable to find valid certification path to requeste
d target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExce
ption: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1
623)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Clien
tHandshaker.java:1074)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHa
ndshaker.java:128)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:5
29)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.jav
a:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.j
ava:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SS
LSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketIm
pl.java:1147)

Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.jav
a:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustM
anagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(
X509TrustManagerImpl.java:209)

23:25:36,733 ERROR [http-bio-8080-exec-9][CASFilter:81] java.lang.RuntimeExcepti
on: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExcepti
on: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilder
Exception: unable to find valid certification path to requested target
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.va
lidator.ValidatorException: PKIX path building failed: sun.security.provider.cer
tpath.SunCertPathBuilderException: unable to find valid certification path to re
quested target
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUti
ls.java:341)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUti
ls.java:305)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketVali
dator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java
:50)

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.Validator
Exception: PKIX path building failed: sun.security.provider.certpath.SunCertPath
BuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1
623)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:198)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:192)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Clien
tHandshaker.java:1074)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHa
ndshaker.java:128)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:5
29)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.jav
a:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.j
ava:884)

Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
d certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.jav
a:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustM
anagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(
X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(
X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Clien
tHandshaker.java:1053)
... 59 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCert
PathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
... 65 more

It's the same error as reported in the cas wiki:

https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide#SSLTroubleshootingandReferenceGuide-ImportTrustedCertificate

But i think the steps i listed above are the same described in this wiki.
It's probably a certificate issue... but i cannot understand where is my error.

if i run this command on liferay server:
keytool -list -alias tomcatCAS -keystore %JAVA_HOME%/jre/lib/security/cacerts i get the certificate, that means it's present.

Thanks a lot.
Alessio