CAS SSO FAQs

  • Last update:  2023-11-21
  • Overview

    This document summarizes common errors and solutions for CAS Single Sign-on (SSO), helping you quickly find the required answer.

    javax.net.ssl.SSLHandshakeException

    Problem:

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching xxx.xxx.xx found


    Cause:

    The domain name in the web.xml file does not match the domain name entered in answer to the first question during certificate generation (the certificate's CN).

    Solution:

    Check configurations in the web.xml file.

    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://susie:8443/cas/login</param-value>
        <!--The server here refers to its IP address-->
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://susie:8443/cas/proxyValidate</param-value>
        <!--The ServerName here refers to the hostname of the server, namely the CN-->
    </init-param>

    Ensure that susie matches the domain name entered in answer to the first question during certificate generation.

    Keytool Error During Certificate Import/Export

    Problem:

    A Keytool error message is reported during certificate import/export as follows: "java.io.IOException: Keystore was tampered with, or password was incorrect." 

    Solution:

    The default keystore password is changeit. Replace 123456 after -storepass with changeit.

    500-Internal Server Error

    Problem:

    After configuration, the error message "500-Internal Server Error" is reported during login.

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    HTTP Status 500 – Internal Server Error

    Solution:

    This happens because the created certificate was not successfully added to Java's trusted certificate store. Either repeat the trust (import) operation, or replace the trusted store file in the JRE with the cacerts file you created. To do either, you first need to determine which JRE Tomcat uses.

     

    As shown in the above figure, the JRE used by Tomcat here is in the %JAVA_HOME%\jdk path. Move the certificate to the %JAVA_HOME%\jdk\jre\lib\security path.

    Empty Chart on the Memory Management Page After Login

    Problem:

    Multiple servers are clustered and use CAS SSO. The cluster and SSO work normally, but the charts on the Memory Management page are empty after login.

    If you remove the SSO configuration file and log in directly, those charts are displayed normally.

    Solution:

    CAS SLO (single logout) needs to be configured.

    Otherwise, although a new user can log in, the token in the session still belongs to the previous user, which conflicts with the existing user's token in the cookie.

    The token conflict causes the WebSocket to disconnect during connection validation, so the charts on the Memory Management page are empty.

    Invalid Ticket Error for CAS Integration

    Problem:

    An invalid ticket error is reported for CAS integration.

    Cause:

    The ticket is invalid after its expiration date.

    Solution:

    After a successful login, redirect to an address that does not contain the ticket. That is, after login, first check whether the URL in the request contains the ticket information. If it does not, call doFilter. If it does, replace the URL with one that contains no ticket, then redirect to that URL with the sendRedirect method.
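
    A servlet filter that follows these steps, as an added example that is not part of the original document or of the CAS client. The class name TicketStripFilter is hypothetical, and the code assumes the javax.servlet API and a filter mapping placed after the CAS validation filter.

    ```java
    import java.io.IOException;
    import java.util.Arrays;
    import javax.servlet.*;
    import javax.servlet.http.*;

    // Added example; TicketStripFilter is a hypothetical name. Map it after the
    // CAS validation filter in web.xml so the ticket is validated before removal.
    public class TicketStripFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            String query = request.getQueryString();
            // No ticket in the URL (or not a GET navigation): continue the chain.
            if (!"GET".equals(request.getMethod()) || !hasTicket(query)) {
                chain.doFilter(req, res);
                return;
            }
            // Build the target from this request's own path, never from a
            // caller-supplied URL, and collapse leading slashes so "//host/..."
            // cannot turn the redirect into an off-site one.
            String path = request.getRequestURI().replaceFirst("^/+", "/");
            String cleaned = stripTicket(query);
            response.sendRedirect(cleaned.isEmpty() ? path : path + "?" + cleaned);
        }

        static boolean isTicket(String pair) {
            return pair.equals("ticket") || pair.startsWith("ticket=");
        }

        static boolean hasTicket(String query) {
            return query != null
                && Arrays.stream(query.split("&")).anyMatch(TicketStripFilter::isTicket);
        }

        // Keep every other query parameter, in order, exactly as it was sent.
        static String stripTicket(String query) {
            StringBuilder kept = new StringBuilder();
            for (String pair : query.split("&")) {
                if (pair.isEmpty() || isTicket(pair)) continue;
                if (kept.length() > 0) kept.append('&');
                kept.append(pair);
            }
            return kept.toString();
        }
    }
    ```

    Removing the ticket from the address bar also keeps it out of bookmarks, browser history and Referer headers.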

     

    Failed CAS SSO Through HTTP After Decision-Making Platform Login Through HTTPS

    Problem:

    You may fail to be redirected to and access FanRuan through the CAS Single Sign-on plugin. Upon checking the request, you find that the decision-making platform is accessed through HTTPS.

    Cause:

    The HTTPS protocol is lost during access and the HTTP protocol is used during redirection.

    Solution:

    Generally, the nginx HTTPS + Tomcat HTTP configuration is used. You need to use the nginx + Tomcat configuration.
