Scenario: the single sign-on (SSO) login flow has to move to HTTPS. The login application (the CAS server) is deployed on service1 and the business application on service2. First switch the login application to HTTPS; the steps are as follows:
I. Create the Tomcat certificate
The JDK's bundled keytool is used here to generate the certificate:
1. Open a shell in the bin directory of the JDK installation (where keytool lives) and run:
./keytool -genkeypair -alias testdemo -keyalg "RSA" -keystore "/usr/testdemo.keystore"
keytool then prompts for the subject fields one by one. Here "first and last name" was set to testdemo, city jinan, state shandong, country cn, and both the keystore and the key password to 123456 (a placeholder for this test setup only; use a real password anywhere else).
Then check that the file /usr/testdemo.keystore has been created.
Note: "first and last name" becomes the certificate's CN and must be the hostname that clients will put in the URL; it is used again later and is the key point. For example, if the login address is https://testdemo:8080/login.do, set it to testdemo. Be aware that Java only falls back to CN matching for DNS names: a client that connects by IP address is checked against a Subject Alternative Name IP entry, which this certificate does not have (keytool can add one with -ext SAN=dns:hostname,ip:address), and that is exactly what breaks in section III.
II. Configure the Tomcat server
Go to the Tomcat installation directory and open conf/server.xml; add a connector like this:
<Connector port="6120" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/testdemo.keystore" keystorePass="123456"/>
keystoreFile is the path of the keystore generated in step one and keystorePass is the password chosen there. Comment out the other Connector elements so only this one remains.
Test: open https://IP:6120 in a browser (IE was used here). The browser warns about the certificate because it is self-signed and the IP in the URL does not match the certificate's name; clicking through shows the connector works. Note that the Java CAS client performs the same identity check and cannot be clicked through, which is what the next section runs into.
III. But after logging in, the application reports an error:
HTTP Status 500 - javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
type Exception report
message javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
root cause
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
root cause
java.security.cert.CertificateException: No subject alternative names present
sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
sun.security.util.HostnameChecker.match(HostnameChecker.java:91)
sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347)
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203)
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.45 logs.
Apache Tomcat/8.0.45
The cause is that the application's SSO client addresses the CAS server by IP address rather than by the hostname in the certificate. Java checks the server's identity before it validates the certificate chain (in the traces, X509TrustManagerImpl.checkTrusted calls checkIdentity at line 203 and validate only at line 231), and for an IP address HostnameChecker.matchIP accepts nothing but a Subject Alternative Name IP entry; the certificate from step one carries no SAN at all, hence "No subject alternative names present". The fix is to address the CAS server by the hostname that was set as the CN. Edit the application's web.xml:
<context-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://testdemo:6120/</param-value>
</context-param>
Any other CAS URL in the same web.xml (casServerLoginUrl, for example) has to use the same hostname. Because testdemo is not a real DNS name, also add an entry to the hosts file on service2 (and on any client machine that must resolve it): <service1 IP address> testdemo.
When testing again, the error changes to a different one:
HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
type Exception report
message javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
root cause
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
root cause
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
sun.security.validator.Validator.validate(Validator.java:260)
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
root cause
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
sun.security.validator.Validator.validate(Validator.java:260)
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
note The full stack trace of the root cause is available in the Apache Tomcat/8.0.45 logs.
This one means that service2 does not trust service1's certificate: the self-signed certificate is not in the truststore of the JRE running the application on service2, so PKIX path building finds no trust anchor for it. Export the certificate from service1's keystore and import it into the JRE truststore on service2, jre/lib/security/cacerts (default password changeit), then restart Tomcat on service2 so the JVM picks it up. Import only the public certificate; the keystore that holds the private key must never be copied to service2.
For the detailed steps see https://blog.csdn.net/chaishen10000/article/details/82992291
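The complete keytool workflow for both hosts, as an added example that is not part of the original post or of the CSDN article linked above: it generates service1's key pair with a Subject Alternative Name (the fix for the "No subject alternative names present" error in section III), exports only the public certificate, imports it into a truststore for service2 (the fix for the PKIX path error above) and checks both results. The names service1, the address 10.0.0.11, the passwords and the temporary paths are assumptions; on a real service2 the truststore is $JAVA_HOME/jre/lib/security/cacerts.

```shell
#!/bin/sh
# Added example, not code from the original post: the keytool workflow for the
# two hosts in this write-up, with a SAN so the certificate passes Java's
# HostnameChecker whether the CAS client connects by name or by IP.
# Assumed names: service1 is the CAS/login host (certificate subject) and
# 10.0.0.11 its address; service2's truststore is written to a temp path here.
set -e

# Build the SubjectAlternativeName value keytool's -ext option expects:
# one dns: entry for the hostname plus one ip: entry per address.
san_entries() {
    host=$1; shift
    out="SAN=dns:$host"
    for ip in "$@"; do
        out="$out,ip:$ip"
    done
    printf '%s\n' "$out"
}

# Generate the server key pair. CN stays the hostname (the CN fallback still
# works for DNS names), but the SAN is what IP-addressed clients need.
# Passing -storepass on the command line leaks into shell history; use
# keytool's interactive prompt on a real host.
make_server_keystore() {
    host=$1; store=$2; pass=$3; shift 3
    keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$host, L=jinan, ST=shandong, C=cn" \
        -ext "$(san_entries "$host" "$@")" \
        -keystore "$store" -storepass "$pass" -keypass "$pass"
}

# Export only the public certificate (PEM). The keystore holding the private
# key must never be copied to service2.
export_cert() {
    host=$1; store=$2; pass=$3; out=$4
    keytool -exportcert -rfc -alias "$host" -keystore "$store" \
        -storepass "$pass" -file "$out"
}

# Import the certificate into the JRE truststore on service2. On a real host
# this is $JAVA_HOME/jre/lib/security/cacerts with default password changeit;
# restart Tomcat afterwards so the JVM picks it up.
import_into_truststore() {
    host=$1; cert=$2; truststore=$3; pass=$4
    keytool -importcert -noprompt -alias "$host" -file "$cert" \
        -keystore "$truststore" -storepass "$pass"
}

# Check that the generated certificate really carries a DNS SAN for the host,
# i.e. the entry whose absence produced "No subject alternative names present".
cert_has_san() {
    host=$1; store=$2; pass=$3
    keytool -list -v -alias "$host" -keystore "$store" -storepass "$pass" \
        | grep -q "DNSName: *$host"
}

# Check whether service2's truststore now contains service1's certificate,
# i.e. whether PKIX path building has a trust anchor to end on.
truststore_has_cert() {
    host=$1; truststore=$2; pass=$3
    keytool -list -alias "$host" -keystore "$truststore" -storepass "$pass" >/dev/null 2>&1
}

# Show the certificate a running connector actually serves (needs a live
# server and OpenSSL 1.1.1+); compare its SAN with the URL in web.xml.
show_served_cert() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

# Demo run, only where a JDK is installed.
if command -v keytool >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    make_server_keystore service1 "$WORK/service1.keystore" demo-pass-1 10.0.0.11
    cert_has_san service1 "$WORK/service1.keystore" demo-pass-1 && echo "SAN present"
    export_cert service1 "$WORK/service1.keystore" demo-pass-1 "$WORK/service1.crt"
    import_into_truststore service1 "$WORK/service1.crt" "$WORK/cacerts" changeit
    truststore_has_cert service1 "$WORK/cacerts" changeit && echo "service2 now trusts service1"
fi
```

Run the demo block on a machine with a JDK; on the real hosts call make_server_keystore and export_cert on service1, copy only the .crt to service2, and call import_into_truststore there against the JRE's cacerts. show_served_cert against https://testdemo:6120 is the quickest way to confirm that the connector serves the certificate with the SAN rather than an older keystore.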
After that, the SSO login test succeeds.