CAS Cert Issues

Michael A Grady mgrady at unicon.net
Sat Aug 1 13:47:50 EDT 2015


> On Aug 1, 2015, at 10:29 AM, Michael Dahlberg <olgamirth at gmail.com> wrote:
> 
> We're running Shib IdP v.2.4.0, java 1.7.0.55 and tomcat 6.0.39 with the CAS client libraries v. 3.2.1 (yes, I know some are a bit dated). We're using CAS as the backend authentication mechanism installed as detailed in https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration
> 
> This morning we updated the SSL certificate on the CAS server and immediately Shib logins cease to function (if we move back to the old cert, logins work).  We were using RapidSSL as our CA, now we're using InCommon.
> 
> I've tried replacing /usr/java/latest/jre/lib/security/cacerts with a cacerts file from java 1.8

You'll need to add the needed intermediate cert(s) that the InCommon issuing cert has between it and the root CA cert (AddTrust External CA Root) to the cacerts file. Probably want to do this on your CAS Server, so that it serves out the full chain needed for your CAS clients (like the Shib IdP server with embedded CAS client libraries) to be able to verify who they are talking to for the ticket interaction. The InCommon cert site documents what those intermediate certs are, and these often won't be in the distributed cacerts that come with Java. If you aren't sure how to do that, then you can follow the info in something like:

  https://www.sslshopper.com/tomcat-ssl-installation-instructions.html or Comodo's:
  https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/638/37/certificate-installation-java-based-web-servers-tomcat-using-keytool

or any number of StackOverFlow entries. From InCommon:

  https://spaces.internet2.edu/display/InCCollaborate/InCommon+Cert+Types

From that document:
SSL/TLS Certificates
SHA-2 Server Certificates
The intermediate CA known as the InCommon RSA Server CA, which uses the SHA-2 hash algorithm, was deployed on September 22, 2014.
Certificate Chain:
AddTrust External CA Root
USERTrust RSA Certification Authority [DER <http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt>]
InCommon RSA Server CA [DER <http://crt.incommon-rsa.org/InCommonRSAServerCA_2.crt>]
End-Entity Certificate
--
Michael A. Grady
IAM Architect, Unicon, Inc.
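The following script is an added example, not something from this thread or from Unicon, showing how to confirm which side is missing the InCommon intermediate before touching any keystore. It assumes openssl and keytool on the PATH, a placeholder CAS host name (CAS_HOST), the cacerts path named in the question, Java's default truststore password, and the InCommon RSA Server CA DER file named in the excerpt above; the embedded s_client transcripts are constructed samples, not captured from a real server. When the CAS server sends only its leaf certificate, the fix belongs in the server's Tomcat keystore chain (the linked sslshopper/Comodo instructions); when the server sends the chain but the client still cannot verify it, the intermediate is imported into the IdP's cacerts.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: CAS_HOST and the
# keystore password; the cacerts path is the one named in the question.

CAS_HOST="${CAS_HOST:-cas.example.edu}"                           # assumed placeholder host
CACERTS="${CACERTS:-/usr/java/latest/jre/lib/security/cacerts}"   # path from the thread
STOREPASS="${STOREPASS:-changeit}"                                 # Java's default truststore password
INTERMEDIATE="${INTERMEDIATE:-InCommonRSAServerCA_2.crt}"         # DER file named in the InCommon doc

# Capture the handshake as the embedded CAS client would see it.
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Count the certificates the server actually sent (1 means leaf only).
served_count() {
    n=$(printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----') || n=0
    echo "$n"
}

# Extract OpenSSL's numeric verify result (0 = chain built and trusted).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Codes 20 and 21 both mean an issuer certificate could not be found; which
# side to fix depends on whether the server sent more than its leaf.
diagnose() {
    out="$1"
    case "$(verify_code "$out")" in
        0)     echo "ok" ;;
        20|21) if [ "$(served_count "$out")" -le 1 ]; then
                   echo "server-missing-intermediate"
               else
                   echo "truststore-missing-intermediate"
               fi ;;
        *)     echo "other" ;;
    esac
}

# Import the intermediate into the JVM truststore under a stable alias.
# keytool accepts DER or PEM input; -noprompt skips the interactive confirm.
import_intermediate() {
    keytool -importcert -noprompt -trustcacerts \
        -alias incommon-rsa-server-ca -file "$1" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Constructed sample: a server that sends only its leaf certificate.
SAMPLE_LEAF_ONLY='depth=0 CN = cas.example.edu
verify error:num=20:unable to get local issuer certificate
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder body...
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: leaf plus intermediate served, but the local trust
# store cannot chain the intermediate to a root it knows.
SAMPLE_TWO_CERTS='depth=1 CN = InCommon RSA Server CA
verify error:num=20:unable to get local issuer certificate
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder leaf...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder intermediate...
-----END CERTIFICATE-----
    Verify return code: 20 (unable to get local issuer certificate)'

main() {
    out=$(fetch_chain "$CAS_HOST")
    case "$(diagnose "$out")" in
        ok) echo "chain verifies; the login failure is elsewhere" ;;
        server-missing-intermediate)
            echo "CAS server sends only its leaf; add $INTERMEDIATE to its Tomcat keystore chain" ;;
        truststore-missing-intermediate)
            echo "importing $INTERMEDIATE into $CACERTS"; import_intermediate "$INTERMEDIATE" ;;
        *) echo "unexpected verify result:"; printf '%s\n' "$out" | grep 'Verify return code' ;;
    esac
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh check_chain.sh --run` on the IdP host, since that is the machine whose truststore the CAS client library consults; CAS_HOST=cas.example.edu is a placeholder and must be set to the real server name. Importing into cacerts fixes only the client side, so the server-side check is worth repeating after the Tomcat keystore is updated, otherwise every other CAS client still has to carry the intermediate itself.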
