Waterfrag

Reputation: 514

SSL between 2 Tomcat servers

I'm currently trying to configure 2 Tomcats, one with CAS and another one with Liferay. I've created a certificate for the CAS server with OpenSSL, which is displayed when Liferay redirects me to the CAS login page in my browser, but when CAS redirects me back to Liferay (when Liferay tries to validate the ticket CAS created), I only get a wonderful white page and the Liferay server displays "Unable to find valid certification path to requested target". I tried creating the certificate with keytool, or adding it to a custom truststore passed to Liferay, but everything keeps failing me.

Maybe you guys could help?

Thanks.

UPDATE: I looked at the SSL traffic with Wireshark, and it seems that Liferay does not use SSL to validate the CAS ticket; that explains why it can validate the certificate, since the truststore is defined in the SSL connector... But I don't know how to solve that.

Upvotes: 0

Views: 1410

Answers (1)

Artem Shafranov

Reputation: 2673

For a self-signed certificate you should specify the "truststoreFile" attribute of the SSL connector in server.xml:

<!-- truststoreFile: the trust store this connector consults when it validates
     client certificates (clientAuth). Tomcat expands ${...} Java system
     properties in server.xml, not %VAR% shell variables; ${java.home} is the
     directory of the running JRE, so this is its cacerts file. -->
<Connector port="8443" sslProtocol="TLS" scheme="https" clientAuth="false"
    ...
    keystoreFile="tomcat.keystore" keystorePass="password" keyAlias="tomcat"
    truststoreFile="${java.home}/lib/security/cacerts"
    ... />

Try to use the common truststore file located at "%JAVA_HOME%/jre/lib/security/cacerts". You should import your certificate into that truststore file with the keytool command:

keytool -import -file tomcat.crt -alias tomcat -keystore %JAVA_HOME%/jre/lib/security/cacerts

The default password is "changeit". It's not necessary to specify the default password in the <Connector /> tag in server.xml.

Upvotes: 1
