CAS SSO FAQs

  • Last update: November 21, 2023
  • Overview

    This document summarizes common errors and solutions for CAS Single Sign-on (SSO), helping you quickly find the required answer.

    javax.net.ssl.SSLHandshakeException

    Problem:

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching xxx.xxx.xx found

     

    Cause:

    The domain name in the web.xml file does not match the domain name entered to answer the first question during certificate generation.

    Solution:

    Check configurations in the web.xml file.

    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://susie:8443/cas/login</param-value>
        <!-- The server here refers to its IP address -->
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://susie:8443/cas/proxyValidate</param-value>
        <!-- The ServerName here refers to the hostname of the server, namely the CN -->
    </init-param>

    Ensure that susie matches the domain name entered to answer the first question during certificate generation.

    Keytool Error During Certificate Import/Export

    Problem:

    A Keytool error message is reported during certificate import/export as follows: "java.io.IOException: Keystore was tampered with, or password was incorrect." 

    Solution:

    The default password is changeit. Replace the 123456 that follows -storepass with changeit.

    500-Internal Server Error

    Problem:

    After configuration, the error message "500-Internal Server Error" is reported during login.

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    HTTP Status 500 – Internal Server Error

    Solution:

    This happens because the created certificate was not successfully added to Java's trusted certificate store. You can either redo the trust operation, or replace the trusted store file in the JRE with the created cacerts file. First determine which JRE Tomcat uses.

     

    As shown in the above figure, the JRE used by Tomcat here is in the %JAVA_HOME%\jdk path. Move the certificate to the %JAVA_HOME%\jdk\jre\lib\security path.

    Empty Chart on the Memory Management Page After Login

    Problem:

    Multiple servers are used for CAS SSO and clustered. The cluster and SSO are normal, but the charts on the Memory Management page are empty after login.

    If you remove the SSO configuration file and log in directly, those charts are displayed normally.

    Solution:

    CAS Single Logout (SLO) needs to be configured.

    Otherwise, although new users can log in, the tokens in the session still belong to the previous users, which conflicts with the existing users' tokens in the cookie.

    The token conflict causes WebSocket disconnection during connection validation, and charts on the Memory Management page are thus empty.

    Invalid Ticket Error for CAS Integration

    Problem:

    An invalid ticket error is reported for CAS integration.

    Cause:

    The ticket is invalid after its expiration date.

    Solution:

    After a successful login, redirect to an address that does not contain the ticket. After login, first check whether the URL in the request contains the ticket information. If not, execute doFilter. If so, replace the URL with one containing no ticket, then redirect to that URL through the sendRedirect method.
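
    The check described above, sketched as a servlet filter. This is an added example, not FanRuan's or the CAS client's own code: the class name TicketStripFilter is hypothetical, and the filter is assumed to be mapped after the CAS client filter, so the ticket has already been validated when the request reaches it.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; assumed to be mapped AFTER the CAS client filter,
// so the ticket has already been validated when this filter sees the request.
public class TicketStripFilter implements Filter {

    // Returns the raw query string with every "ticket" parameter removed.
    static String stripTicket(String query) {
        List<String> kept = new ArrayList<>();
        for (String pair : query.split("&", -1)) {
            if (!"ticket".equals(pair.split("=", 2)[0])) {
                kept.add(pair);
            }
        }
        return String.join("&", kept);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String query = request.getQueryString() == null ? "" : request.getQueryString();
        String cleaned = stripTicket(query);

        if (cleaned.equals(query)) {
            // No ticket in the URL: continue down the chain as usual.
            chain.doFilter(req, res);
            return;
        }
        // Rebuild the target from this request's own path only, never from a
        // parameter, and collapse leading slashes so it cannot turn into a
        // scheme-relative "//host" redirect.
        String path = request.getRequestURI().replaceFirst("^/+", "/");
        String target = cleaned.isEmpty() ? path : path + "?" + cleaned;
        ((HttpServletResponse) res).sendRedirect(target);
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }
}
```

    Other query parameters are preserved, so a request for /page?id=7&ticket=ST-1 (constructed sample) is redirected to /page?id=7, and the used ticket no longer sits in the address bar, bookmarks or Referer headers.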

     

    Failed CAS SSO Through HTTP After Decision-Making Platform Login Through HTTPS

    Problem:

    You may fail to be redirected to and access FanRuan through the CAS Single Sign-on plugin. Upon checking the request, you find that the decision-making platform is accessed through HTTPS.

    Cause:

    The HTTPS protocol is lost during access and the HTTP protocol is used during redirection.

    Solution:

    Generally, the nginx https+tomcat http configuration is used. You need to use the nginx+tomcat configuration.

     




    Theme: Deployment and Integration