I'm trying to set up a CAS-based ecosystem on the Jelastic infrastructure. I was able to set up both the server and a client under the same Tomcat 7 instance, using the example web application described here. The SSL certificates (CA and server's) I'm using are self-signed.
When asking for a protected resource, the webapp correctly redirects to the CAS login page, and the authentication is done well at the server level. However, in the return flow something goes wrong and the browser shows an exception that has the following root cause:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
This is because the CAS protocol has an additional client-server verification dialogue that is done immediately after the authentication, and during this dialogue the client has to trust the server again. This time, it doesn't use Tomcat's SSL settings but the JVM's (see here).
The problem is that on Jelastic there's no way to access the JAVA_HOME/jre/lib/security folder, as far as I know. Any hint? Thanks.
UPDATE: I've found the solution. On Jelastic, since v.1.8.5, Tomcat apps have write rights on the JAVA_HOME/jre/lib/security folder. This IMHO opens a security issue, but for this specific case it was good. I've been able to write a simple servlet that added my certificate to the JVM cacerts file, and I've solved the problem.
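The approach described in the update, as an added example that is not the poster's servlet code: load the JVM's own cacerts via the KeyStore API, add the self-signed CA as a trusted entry, write the file back atomically, and then confirm with a freshly initialised TrustManagerFactory that the default PKIX trust manager now accepts the certificate (the check that would have failed with the "unable to find valid certification path" error above). The path is derived from java.home of the JVM Tomcat runs in; the password "changeit" and the alias "cas-ca" are assumptions (the JDK default password and an arbitrary name), and the PEM file location is a hypothetical input.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Adds a PEM-encoded CA certificate to the running JVM's cacerts truststore
 * and verifies that the JVM's default trust manager now accepts it.
 * Example code written for this page, not the original poster's servlet.
 */
public class CacertsImporter {

    // Assumption: the truststore still uses the JDK default password.
    private static final char[] CACERTS_PASSWORD = "changeit".toCharArray();

    /** java.home is the JRE Tomcat runs in; for Java 7/8 cacerts lives under lib/security. */
    public static Path defaultCacertsPath() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Parses a single PEM (or DER) X.509 certificate from disk. */
    public static X509Certificate readCertificate(Path certFile) throws Exception {
        try (InputStream in = Files.newInputStream(certFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    private static KeyStore loadTrustStore(Path cacerts) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, CACERTS_PASSWORD);
        }
        return ks;
    }

    /** Adds the certificate as a trusted entry. Returns false if the alias was already present. */
    public static boolean importTrustedCert(Path cacerts, String alias, X509Certificate cert) throws Exception {
        KeyStore ks = loadTrustStore(cacerts);
        if (ks.containsAlias(alias)) {
            return false; // never silently overwrite an existing trust anchor
        }
        ks.setCertificateEntry(alias, cert);

        // cacerts is shared by every webapp on this JVM: keep a backup and replace it atomically,
        // so a crash mid-write cannot leave the JVM with a truncated truststore.
        Files.copy(cacerts, cacerts.resolveSibling("cacerts.bak"), StandardCopyOption.REPLACE_EXISTING);
        Path tmp = cacerts.resolveSibling("cacerts.tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, CACERTS_PASSWORD);
        }
        Files.move(tmp, cacerts, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        return true;
    }

    /** Runs the same PKIX check the CAS client's HTTPS call will perform against the truststore on disk. */
    public static boolean isTrusted(Path cacerts, X509Certificate cert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadTrustStore(cacerts));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    // A self-signed CA that is itself a trust anchor validates as a one-element chain.
                    ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { cert }, "RSA");
                    return true;
                } catch (CertificateException e) {
                    return false;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical input path and alias; adapt to the deployment.
        Path pem = Paths.get(args.length > 0 ? args[0] : "/tmp/cas-ca.pem");
        Path cacerts = defaultCacertsPath();
        X509Certificate ca = readCertificate(pem);

        System.out.println("Trusted before import: " + isTrusted(cacerts, ca));
        boolean added = importTrustedCert(cacerts, "cas-ca", ca);
        System.out.println("Added: " + added + ", trusted after import: " + isTrusted(cacerts, ca));
    }
}
```

Two caveats for anyone repeating this. First, the JVM's default SSLContext reads cacerts once and caches the resulting trust managers, so the CAS client in the running Tomcat will keep failing until the JVM is restarted, even though isTrusted() above (which builds its own TrustManagerFactory) reports success immediately. Second, the write right the poster relies on is exactly the security issue they mention: any webapp on that Tomcat can add a trust anchor for every other webapp, so the alias check and backup in the code are the minimum, and the backup file inherits the same permissions.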