CAS deployment issues: a collection

1. Client-side certificate import error

C:\Documents and Settings\Administrator>keytool -import -file C:\Program Files (x86)\Java\jdk1.7.0_45\jre\lib\security\cacerts -file E:\sso\ssodemo.crt -alias ssodemo
Illegal option: Files
keytool -importcert [OPTION]...

Imports a certificate or a certificate chain

Options:

 -noprompt                       do not prompt
 -trustcacerts                   trust certificates from cacerts
 -protected                      password through protected mechanism
 -alias <alias>                  alias name of the entry to process
 -file <filename>                input file name
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output

Use "keytool -help" for all available commands

Two things are wrong with that command. First, the JRE's cacerts path contains spaces (C:\Program Files (x86)\Java\jdk1.7.0_45\jre\lib\security\cacerts) and is not quoted, so the shell splits it into several arguments and keytool sees a bare "Files" where it expects an option, which is exactly the "Illegal option: Files" complaint. Second, the trust store has to be passed with -keystore; -file names the certificate to import, and giving it twice only means the last value wins.

The post's workaround was to copy cacerts to E:\12\cacerts (a path without spaces) and run the import against the copy:

keytool -import -file E:\12\cacerts -file E:\sso\ssodemo.crt -alias ssodemo

That makes the option-parsing error go away, but because -keystore is still missing, keytool falls back to its default store, a file named .keystore in the user's home directory, and creates it on the spot: the "Re-enter new password" prompt in the result below is the sign that a brand-new keystore is being created. The certificate therefore ends up in C:\Documents and Settings\Administrator\.keystore, not in the JRE's cacerts, and a CAS client running on that JRE will still reject the server unless javax.net.ssl.trustStore is pointed at that file. The command that does what this section sets out to do is:

keytool -import -trustcacerts -keystore "C:\Program Files (x86)\Java\jdk1.7.0_45\jre\lib\security\cacerts" -file E:\sso\ssodemo.crt -alias ssodemo

The default password of the JRE's cacerts is changeit. Import into the JRE that actually runs the CAS client (if Tomcat uses a separate JRE, use that one's cacerts), compare the fingerprint keytool prints with the one on the CAS server before answering "y" to the trust prompt, and confirm the entry afterwards with keytool -list -keystore "...\cacerts" -alias ssodemo.

  • Result:

C:\Documents and Settings\Administrator>keytool -import -file E:\12\cacerts -file E:\sso\ssodemo.crt -alias ssodemo
Enter keystore password:
Re-enter new password:
Owner: CN=demo.micmiu.co, OU=micmiu.com, O=micmiu, L=SH, ST=SH, C=CN
Issuer: CN=demo.micmiu.co, OU=micmiu.com, O=micmiu, L=SH, ST=SH, C=CN
Serial number: 7cf7329d
Valid from: Tue Jun 14 18:04:07 CST 2016 until: Wed Jun 14 18:04:07 CST 2017
Certificate fingerprints:
         MD5:  36:0B:D4:86:3E:6B:9B:F6:20:A5:F9:B6:6E:5E:88:89
         SHA1: F0:DC:38:9C:D4:7F:7B:15:50:6C:AF:34:BE:42:3B:26:C7:06:A1:58
         SHA256: 76:9A:49:67:1D:DB:43:6F:BE:88:D7:E7:B4:5F:42:6F:A9:89:80:14:EA:F8:AE:40:96:A0:B3:D7:65:00:19:7F
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 92 49 BB 71 3C 9F E5 28 D7 73 0E 89 7B 8F DB  ..I.q<..(.s.....
0010: E6 A3 5E DC                                      ..^.
]
]

Trust this certificate? [no]:  y
Certificate was added to keystore
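Added example (mine, not code from the original post): a small Python checker for the text that keytool prints for a certificate like the one above. parse_printcert reads the Owner, Issuer, validity and signature-algorithm lines of keytool -printcert or keytool -list -v output; check_cert flags what a CAS client operator should notice before answering "y" to the trust prompt (owner equal to issuer, so self-signed; expired or about to expire; an MD5 or SHA-1 signature); trusted_aliases reads plain keytool -list output of the store and reports which aliases are trustedCertEntry rows, which is how you confirm the import landed in the trust store the client actually uses rather than in a stray .keystore. Both sample texts are constructed to mirror the post's certificate and use keytool's English labels.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the certificate shown in this post
# (self-signed, valid for one year). Labels are keytool's English ones.
SAMPLE_PRINTCERT = """\
Owner: CN=demo.micmiu.co, OU=micmiu.com, O=micmiu, L=SH, ST=SH, C=CN
Issuer: CN=demo.micmiu.co, OU=micmiu.com, O=micmiu, L=SH, ST=SH, C=CN
Serial number: 7cf7329d
Valid from: Tue Jun 14 18:04:07 CST 2016 until: Wed Jun 14 18:04:07 CST 2017
Certificate fingerprints:
     MD5:  36:0B:D4:86:3E:6B:9B:F6:20:A5:F9:B6:6E:5E:88:89
     SHA1: F0:DC:38:9C:D4:7F:7B:15:50:6C:AF:34:BE:42:3B:26:C7:06:A1:58
     SHA256: 76:9A:49:67:1D:DB:43:6F:BE:88:D7:E7:B4:5F:42:6F:A9:89:80:14:EA:F8:AE:40:96:A0:B3:D7:65:00:19:7F
     Signature algorithm name: SHA256withRSA
     Version: 3
"""

# Constructed plain `keytool -list` output for a store the cert was imported into.
SAMPLE_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

ssodemo, Jun 14, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): F0:DC:38:9C:D4:7F:7B:15:50:6C:AF:34:BE:42:3B:26:C7:06:A1:58
"""

# keytool prints java.util.Date.toString(): "Tue Jun 14 18:04:07 CST 2016".
# The zone abbreviation is dropped because strptime's %Z accepts only a few
# names; for an expiry check the resulting hours of slack do not matter.
_JAVA_DATE = re.compile(r"(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")


def _parse_java_date(text):
    m = _JAVA_DATE.search(text)
    if not m:
        raise ValueError("unrecognised keytool date: %r" % text)
    return datetime.strptime(m.group(1) + " " + m.group(2), "%a %b %d %H:%M:%S %Y")


def parse_printcert(text):
    """Pull the fields the checks need out of `keytool -printcert` / `-list -v` text."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Owner:"):
            info["owner"] = line[len("Owner:"):].strip()
        elif line.startswith("Issuer:"):
            info["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("Valid from:"):
            start, _, end = line[len("Valid from:"):].partition("until:")
            info["not_before"] = _parse_java_date(start)
            info["not_after"] = _parse_java_date(end)
        elif line.startswith("Signature algorithm name:"):
            info["sig_alg"] = line.split(":", 1)[1].strip()
    return info


def check_cert(info, now, warn_days=30):
    """Findings to act on before trusting the certificate.
    `now` is a datetime or a "YYYY-MM-DD" string (the string form keeps runs reproducible)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    findings = []
    if info["owner"] == info["issuer"]:
        findings.append("self-signed: it must be imported into every client trust store by hand")
    if now >= info["not_after"]:
        findings.append("expired on %s" % info["not_after"].date())
    elif info["not_after"] - now <= timedelta(days=warn_days):
        findings.append("expires within %d days (%s)" % (warn_days, info["not_after"].date()))
    if now < info["not_before"]:
        findings.append("not valid before %s" % info["not_before"].date())
    if info.get("sig_alg", "").upper().startswith(("MD5", "SHA1")):
        findings.append("weak signature algorithm: %s" % info["sig_alg"])
    return findings


def trusted_aliases(list_output):
    """Aliases of trustedCertEntry rows in plain `keytool -list` output.
    Only the entry type is matched; the date column is locale dependent."""
    return {line.split(",", 1)[0].strip()
            for line in list_output.splitlines() if "trustedCertEntry" in line}


if __name__ == "__main__":
    cert = parse_printcert(SAMPLE_PRINTCERT)
    for finding in check_cert(cert, "2016-06-20"):
        print("WARN:", finding)
    print("trusted aliases in store:", sorted(trusted_aliases(SAMPLE_LIST)))
```

Run it against real output by piping keytool into it: keytool -printcert -file E:\sso\ssodemo.crt for the certificate, and keytool -list -keystore "...\cacerts" -storepass changeit for the store; an alias missing from trusted_aliases of the JRE's cacerts is the symptom of the stray .keystore import described above.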

2. Tomcat startup error

Original configuration:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="e:/sso/ssodemo.keystore" keystorePass="michaelpwd"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />

Error reported at startup:

java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:469)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:482)
    at org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:355)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)

Jun 14, 2016 6:43:44 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:912)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
Caused by: java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:469)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:482)
    at org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:355)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
    ... 13 more

  • Cause:

Tomcat ships two SSL implementations: JSSE (pure Java, configured with keystoreFile/keystorePass) and APR (OpenSSL through the Tomcat Native library, configured with PEM files in SSLCertificateFile/SSLCertificateKeyFile). With protocol="HTTP/1.1" Tomcat chooses the implementation itself: APR if the AprLifecycleListener in server.xml manages to load the native library, JSSE otherwise. To take the choice away from Tomcat, name the implementation in the protocol attribute: org.apache.coyote.http11.Http11Protocol (JSSE, blocking I/O), org.apache.coyote.http11.Http11NioProtocol (JSSE, non-blocking) or org.apache.coyote.http11.Http11AprProtocol (APR).

On Windows the native library is tcnative-1.dll in Tomcat's bin directory. The Tomcat 6.0 installation used here did not have it while the 7.0 one does, so 6.0 silently ran JSSE and 7.0 auto-selected APR. APR ignores keystoreFile and keystorePass entirely and demands SSLCertificateFile, which is the exception above. Since the keystore-based (JSSE) configuration from 6.0 is what is wanted here, it is enough to pin the protocol in conf\server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="e:/sso/ssodemo.keystore" keystorePass="michaelpwd"
           clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />

Tomcat then starts without the error. Two other ways out, depending on what is wanted: keep APR and export the certificate and private key from the keystore to PEM files for SSLCertificateFile and SSLCertificateKeyFile, or remove the AprLifecycleListener line from server.xml so that no connector can ever auto-select APR. Whichever route is taken, keystorePass (or SSLPassword for APR) sits in clear text in server.xml, so the file should be readable only by the account Tomcat runs as, and the accepted protocol versions are better restricted with sslEnabledProtocols than left to the bare sslProtocol="TLS".
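Added example (mine, not part of the post or of Tomcat): a Python lint for a Tomcat 7 style conf/server.xml that applies the reasoning above mechanically. For every connector with SSLEnabled="true" it reports whether the implementation is left to auto-selection, whether a connector that is or may become APR lacks the PEM SSLCertificateFile/SSLCertificateKeyFile attributes (the startup failure shown above), whether a JSSE connector lacks keystoreFile, and whether a key password is stored in clear text. The sample server.xml is constructed from the post's original (8443) and corrected (8444) connectors plus an assumed APR connector on port 8445; the e:/sso/ssodemo.key path is assumed. Attribute names are Tomcat 7's; Tomcat 8.5 and later moved SSL settings under SSLHostConfig, which this lint does not parse.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Tomcat 7 conf/server.xml: the post's
# original connector (8443), its corrected JSSE form (8444) and an assumed
# APR connector (8445). Paths and the password are the post's demo values.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="e:/sso/ssodemo.keystore" keystorePass="michaelpwd"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="e:/sso/ssodemo.keystore" keystorePass="michaelpwd"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
               SSLCertificateFile="e:/sso/ssodemo.crt" SSLCertificateKeyFile="e:/sso/ssodemo.key" />
  </Service>
</Server>
"""

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
AUTO_PROTOCOL = "HTTP/1.1"


def apr_listener_present(root):
    """The AprLifecycleListener is what loads tcnative-1; without it Tomcat never
    auto-selects APR. Whether the library really loads is only known at runtime,
    so the lint treats the listener's presence as "APR possible"."""
    return any(l.get("className") == APR_LISTENER for l in root.iter("Listener"))


def lint_connectors(xml_text):
    """Return {port: [findings]} for every connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    apr_possible = apr_listener_present(root)
    report = {}
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        proto = c.get("protocol", AUTO_PROTOCOL)
        findings = []
        if proto == AUTO_PROTOCOL:
            findings.append('protocol="HTTP/1.1" leaves the SSL implementation to Tomcat '
                            "(APR if tcnative-1 loads, else JSSE); pin it explicitly")
        if proto == APR_PROTOCOL or (proto == AUTO_PROTOCOL and apr_possible):
            # APR reads PEM files and ignores the JKS keystore: the failure in the post.
            missing = [a for a in ("SSLCertificateFile", "SSLCertificateKeyFile") if not c.get(a)]
            if missing:
                findings.append("APR SSL requires %s; keystoreFile is ignored" % "/".join(missing))
        elif not c.get("keystoreFile"):
            findings.append("JSSE SSL needs keystoreFile")
        if c.get("keystorePass") or c.get("SSLPassword"):
            findings.append("key password is in clear text in server.xml; restrict file permissions")
        report[c.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in sorted(lint_connectors(SAMPLE_SERVER_XML).items()):
        print("connector %s: %s" % (port, findings or ["ok"]))
```

Point it at a real file with lint_connectors(open("conf/server.xml").read()). The 8443 entry reproduces the post's situation: auto-selection with the APR listener present and no PEM attributes, so startup fails as soon as tcnative-1.dll is found.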
