碼上快樂

相關內容    簡體    繁體

CAS 5.x搭建常見問題系列(2).PKIX path building failed

本文轉載自   查看原文   2018-07-02 20:48   860    統一登錄/ CAS/ 統一權限管理/ 單點登錄/ SSO

錯誤原因

 服務端的證書是不安全的,Cas的客戶端在調用時因為安全提醒造成調用失敗。

CAS的客戶端需要導入服務端的證書后,就正常了。

 

具體操作步驟如下:

1. 首先啟動tomcat,看下之前搭建的cas server啟動是否正常

雙擊D:\casoverlay\apache-tomcat-8.5.31\bin\startup.bat

訪問 https://cas.example.org:8443/cas/login

 

如對對cas的搭建有疑問,可看文章《輕松搭建CAS 5.x系列文章

 

·2. 創建生成證書的目錄

cd D:\casoverlay mkdir cert

 

-3. 創建文件InstallCert.java

具體內容如下:

import java.io.*; import java.net.URL; import java.security.*; import java.security.cert.*; import javax.net.ssl.*; public class InstallCert { public static void main(String[] args) throws Exception { String host; int port; char[] passphrase; if ((args.length == 1) || (args.length == 2)) { String[] c = args[0].split(":"); host = c[0]; port = (c.length == 1) ? 443 : Integer.parseInt(c[1]); String p = (args.length == 1) ? "changeit" : args[1]; passphrase = p.toCharArray(); } else { System.out.println("Usage: java InstallCert <host>[:port] [passphrase]"); return; } File file = new File("jssecacerts"); if (file.isFile() == false) { char SEP = File.separatorChar; File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security"); file = new File(dir, "jssecacerts"); if (file.isFile() == false) { file = new File(dir, "cacerts"); } } System.out.println("Loading KeyStore " + file + "..."); InputStream in = new FileInputStream(file); KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(in, passphrase); in.close(); SSLContext context = SSLContext.getInstance("TLS"); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks); X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0]; SavingTrustManager tm = new SavingTrustManager(defaultTrustManager); context.init(null, new TrustManager[] {tm}, null); SSLSocketFactory factory = context.getSocketFactory(); System.out.println("Opening connection to " + host + ":" + port + "..."); SSLSocket socket = (SSLSocket)factory.createSocket(host, port); socket.setSoTimeout(10000); try { System.out.println("Starting SSL handshake..."); socket.startHandshake(); socket.close(); System.out.println(); System.out.println("No errors, certificate is already trusted"); } catch (SSLException e) { System.out.println(); e.printStackTrace(System.out); } X509Certificate[] chain = tm.chain; if (chain == null) { System.out.println("Could not obtain server certificate chain"); return; } BufferedReader reader =
        new BufferedReader(new InputStreamReader(System.in)); System.out.println(); System.out.println("Server sent " + chain.length + " certificate(s):"); System.out.println(); MessageDigest sha1 = MessageDigest.getInstance("SHA1"); MessageDigest md5 = MessageDigest.getInstance("MD5"); for (int i = 0; i < chain.length; i++) { X509Certificate cert = chain[i]; System.out.println (" " + (i + 1) + " Subject " + cert.getSubjectDN()); System.out.println("   Issuer  " + cert.getIssuerDN()); sha1.update(cert.getEncoded()); System.out.println("   sha1    " + toHexString(sha1.digest())); md5.update(cert.getEncoded()); System.out.println("   md5     " + toHexString(md5.digest())); System.out.println(); } System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]"); String line = reader.readLine().trim(); int k; try { k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1; } catch (NumberFormatException e) { System.out.println("KeyStore not changed"); return; } X509Certificate cert = chain[k]; String alias = host + "-" + (k + 1); ks.setCertificateEntry(alias, cert); OutputStream out = new FileOutputStream("jssecacerts"); ks.store(out, passphrase); out.close(); System.out.println(); System.out.println(cert); System.out.println(); System.out.println ("Added certificate to keystore 'jssecacerts' using alias '"
        + alias + "'"); } private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray(); private static String toHexString(byte[] bytes) { StringBuilder sb = new StringBuilder(bytes.length * 3); for (int b : bytes) { b &= 0xff; sb.append(HEXDIGITS[b >> 4]); sb.append(HEXDIGITS[b & 15]); sb.append(' '); } return sb.toString(); } private static class SavingTrustManager implements X509TrustManager { private final X509TrustManager tm; private X509Certificate[] chain; SavingTrustManager(X509TrustManager tm) { this.tm = tm; } public X509Certificate[] getAcceptedIssuers() { //throw new UnsupportedOperationException();
        return new X509Certificate[0]; } public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { throw new UnsupportedOperationException(); } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { this.chain = chain; tm.checkServerTrusted(chain, authType); } } }

 

-4. 編輯InstallCert.java

cd D:\casoverlay\cert
javac InstallCert.java

此時目錄會生成對應的class文件

 

-5. 生成客戶端證書

cd D:\casoverlay\cert java InstallCert cas.example.org:8443

填寫您的域名和端口,運行InstallCert。

運行過程中,出現了錯誤提示后,根據提示輸入1,命令就自動生成了證書

D:\casoverlay\cert>java InstallCert cas.example.org:8443 Loading KeyStore C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts... Opening connection to cas.example.org:8443... Starting SSL handshake... javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security. provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Unknown Source) at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at InstallCert.main(InstallCert.java:87) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertP athBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:183) at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source) ... 9 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to reques ted target at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 17 more Server sent 1 certificate(s): 1 Subject CN=cas.example.org, OU=casexampleorg, O=casexampleorg, L=casexampleorg, ST=casexampleorg, C=CN Issuer CN=cas.example.org, OU=casexampleorg, O=casexampleorg, L=casexampleorg, ST=casexampleorg, C=CN sha1 6e 6f 9e 68 9b 17 00 cb 24 00 c6 dd 5b 3e 98 1c dd 93 3b 58 md5 34 06 43 82 a3 89 30 73 77 37 e2 8b 22 2a a0 8a Enter certificate to add to trusted keystore or 'q' to quit: [1] 1 [ [ Version: V3 Subject: CN=cas.example.org, OU=casexampleorg, O=casexampleorg, L=casexampleorg, ST=casexampleorg, C=CN Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 1690620466251730075410187335527176539575574279164656191301268616376011867351755314109432788128763792853957685
509850737657313044903867516296492688699327787967525657153944349196906172329911432006555223477421064086655769564280443085
752416260227648518507908266556286126488172636414552577201541577021778173696705348205206800885112095634757232838095194599
467840130327744042458608666642772670848884551427300132389186144347259187506374891023727125201882125947109668529124319064
780959421387991371315373185390093486540418719240509126192650469625947655340408578607406180180595247169589979804514097709
6461946148979540598598705209
  public exponent: 65537 Validity: [From: Fri Jun 29 23:49:33 CST 2018, To: Thu Sep 27 23:49:33 CST 2018] Issuer: CN=cas.example.org, OU=casexampleorg, O=casexampleorg, L=casexampleorg, ST=casexampleorg, C=CN SerialNumber: [ 56261ad8] Certificate Extensions: 1 [1]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 45 84 BF 42 27 F5 B1 33   36 F4 6B CC 15 82 5D B0  E..B'..36.k...].
0010: AC AD 2A 9B                                        ..*. ] ] ] Algorithm: [SHA256withRSA] Signature: 0000: 0B C8 FA 28 E6 86 AC DE   FA 99 5C BE 96 B2 E3 00 ...(......\..... 0010: 2A 40 92 9C FF 44 D8 35   EF 3C 7C C2 DF 7A FB 9F  *@...D.5.<...z.. 0020: 23 E0 AC 2B 8D 2A AD 18   60 FC B4 33 E1 06 54 DB  #..+.*..`..3..T. 0030: 51 C8 94 4D 61 1C 97 3D   63 07 13 C7 90 B3 26 D6  Q..Ma..=c.....&. 0040: 68 EB 87 D7 04 FA 36 14   FE 70 42 C9 25 90 CB 09  h.....6..pB.%... 0050: 07 4B 96 79 2D 29 F1 D5   29 57 90 71 32 09 AE A6  .K.y-)..)W.q2... 0060: 51 4F D9 79 09 D1 0D 84   F5 D4 C3 AE 71 A2 D3 28 QO.y........q..( 0070: B9 09 0C 21 DB 1E 37 33   3B CF 4A 0B 52 89 4A 4D  ...!..73;.J.R.JM 0080: 9D E4 40 8C 09 FA 93 77   5C 53 A5 D0 E0 DD C0 4F ..@....w\S.....O 0090: 9B 30 0F C3 72 69 72 3D   90 90 20 30 5C 86 D2 A5  .0..rir=.. 0\... 00A0: 05 CF 9C 1D C3 2F 8E 1C   13 75 F2 A7 C3 65 92 61  ...../...u...e.a 00B0: 5C A9 DD C7 D6 90 6B 87   29 00 82 DD B3 28 05 AD \.....k.)....(.. 00C0: C8 BD EF 25 F3 5C 6C C9   50 62 C7 3B 8B 7B 8D 4D  ...%.\l.Pb.;...M 00D0: 92 DB D1 BE 87 D4 C3 F8   F4 5A FD 54 27 07 FF 18  .........Z.T'...
00E0: 14 C5 DB 77 A8 2D D8 38   58 0D 14 75 DC C1 61 42  ...w.-.8X..u..aB 00F0: 90 2E D1 94 B5 B9 9B FA   70 2F 25 3A 0D 61 8B 38  ........p/%:.a.8 ] Added certificate to keystore 'jssecacerts' using alias 'cas.example.org-1' D:\casoverlay\cert>

 

-6. 檢查下證書是否OK

重新運行運行InstallCert,就不會有錯誤提示了

java InstallCert cas.example.org:8443

 

-7. 最后一步,安裝證書到客戶端JVM

就是將生成的文件jssecacerts復制到 %java_home%\jre\lib\security目錄下

 

-8. 重新啟動,CAS 客戶端登錄下試試

如果操作正確,就沒有錯誤了能正常登錄了

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 CAS 5.x搭建常見問題系列(1).未認證的授權服務 CAS 5.x搭建常見問題系列(3).Failure to find org.apereo.cas:cas-server-support-pm-jdbc:jar:5.1.9 解決PKIX path building failed 從頭解決PKIX path building failed 輕松搭建CAS 5.x系列文章 解決PKIX(PKIX path building failed) 問題 unable to find valid certification path to requested target httpclient 提示PKIX path building failed jsoup訪問頁面: PKIX path building failed 關於http請求時 安全協議問題 PKIX path building failed 解決辦法 【筆記】Java 信任所有SSL證書(解決PKIX path building failed問題)
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM