Comment: Migration of unmigrated content due to installation of a new plugin

Note: This document is only applicable for the CAS server. There is no need to enable SSL on the servlet container running the Pentaho BI Server.

...

Why does one need to trust the certificate? Usually, only clients that connect to servers via https need to trust the server's certificate. While the client (the web browser, in this case) must trust the certificate of the CAS server, there is another client that must trust it as well: the web application using CAS services. In the case of Pentaho, there are two web applications, the servlet interface (pentaho.war) and the portlet interface, and both connect to the CAS server; that client, in this case, is the Pentaho BI Server. The Pentaho BI Server connects via https to the CAS server during the ticket validation process. See section 2.6 in the CAS Protocol documentation.

Note: If you do not trust the certificate, you'll get the following error: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  1. Execute the following in %USER_HOME%:

     keytool -export -alias tomcat -file tomcat.cer -storepass changeit -keypass changeit -keystore .keystore

  2. Execute the following in %JAVA_HOME%/jre/lib/security:

     Note: You might need to run the command below as an administrator. Also, if you are setting up security with the PCI on Windows, the start-pentaho script sets %JAVA_HOME% to the PCI's jre directory (pentaho-demo\jre), so run the command from pentaho-demo\jre\lib\security. Furthermore, if you are on Windows and have created tomcat.cer in C:\Documents and Settings\User, you will need to put double quotes (") around the -file argument because of the spaces in the path name.

     keytool -import -alias tomcat -file %USER_HOME%/tomcat.cer -keystore cacerts -storepass changeit

  3. Now confirm that the tomcat entry in %USER_HOME%/.keystore is the same entry that is in %JAVA_HOME%/jre/lib/security/cacerts. Do this by comparing the fingerprints of the two entries.
    1. Execute the following in %USER_HOME%:
       keytool -list -keystore .keystore

       Output of keytool -list -keystore .keystore:

       Keystore type: jks
       Keystore provider: SUN
       Your keystore contains 1 entry
       tomcat, Mar 1, 2007, keyEntry,
       Certificate fingerprint (MD5): xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

    2. Note the fingerprint of the tomcat entry. Execute the following in %JAVA_HOME%/jre/lib/security:
       keytool -list -keystore cacerts

       Output of keytool -list -keystore cacerts:

       Keystore type: jks
       Keystore provider: SUN
       Your keystore contains n entries
       [entries omitted]
       tomcat, Mar 1, 2007, trustedCertEntry,
       Certificate fingerprint (MD5): xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
       [entries omitted]

    3. Make sure that the fingerprint for the tomcat entry in cacerts is the same as the fingerprint for the tomcat entry in .keystore.
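As an added example (not code from the original page, nor from Pentaho or CAS), the following Java program performs steps 1 to 3 above with the java.security.KeyStore API instead of keytool: it copies the tomcat certificate from .keystore into cacerts as a trusted entry and then confirms that the two entries have the same fingerprint before reporting success. It assumes the page's defaults (alias tomcat, password changeit, JKS stores); the default paths are derived from the user.home and java.home properties (on Java 8, java.home already points at the jre directory, so java.home/lib/security/cacerts is the file the page calls %JAVA_HOME%/jre/lib/security/cacerts). Both paths can be overridden on the command line.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;

/**
 * Added example (not part of the original page): copies the "tomcat" certificate
 * from the user's keystore into the JRE truststore and verifies that both copies
 * have the same fingerprint, mirroring keytool -export / -import / -list above.
 * Alias, password and paths are assumptions taken from the page's defaults.
 */
public class TrustCasCert {

    /** Load a JKS keystore from disk (the page's keytool output shows type jks). */
    static KeyStore load(String path, char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Hex fingerprint of the certificate's DER encoding, formatted like keytool (xx:xx:...). */
    static String fingerprint(Certificate cert, String algorithm) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Steps 1 and 2: take the alias's certificate and add it to the truststore as a trusted entry. */
    static void copyAsTrusted(KeyStore source, KeyStore target, String alias) throws GeneralSecurityException {
        Certificate cert = source.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("alias not found in source keystore: " + alias);
        }
        target.setCertificateEntry(alias, cert);
    }

    /** Step 3: true only if both stores hold a certificate under the alias and the fingerprints match. */
    static boolean sameCertificate(KeyStore a, KeyStore b, String alias, String algorithm)
            throws GeneralSecurityException {
        Certificate ca = a.getCertificate(alias);
        Certificate cb = b.getCertificate(alias);
        if (ca == null || cb == null) {
            return false;
        }
        return fingerprint(ca, algorithm).equals(fingerprint(cb, algorithm));
    }

    public static void main(String[] args) throws Exception {
        // Assumed default locations; override with: java TrustCasCert <keystore> <cacerts>
        String userKeystore = args.length > 0 ? args[0] : System.getProperty("user.home") + "/.keystore";
        String cacerts = args.length > 1 ? args[1] : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] storepass = "changeit".toCharArray();   // default password used on the page
        String alias = "tomcat";

        KeyStore user = load(userKeystore, storepass);
        KeyStore trust = load(cacerts, storepass);

        copyAsTrusted(user, trust, alias);
        try (FileOutputStream out = new FileOutputStream(cacerts)) {
            trust.store(out, storepass);
        }

        // Print both fingerprints the way keytool -list would, then verify they match.
        for (String alg : new String[] {"MD5", "SHA-256"}) {
            System.out.println(alg + " (.keystore): " + fingerprint(user.getCertificate(alias), alg));
            System.out.println(alg + " (cacerts):   " + fingerprint(trust.getCertificate(alias), alg));
        }
        if (!sameCertificate(user, trust, alias, "SHA-256")) {
            throw new IllegalStateException("fingerprint mismatch for alias " + alias);
        }
        System.out.println("tomcat entry in cacerts matches .keystore");
    }
}
```

The program prints SHA-256 fingerprints alongside the MD5 values shown in the page's output, because newer keytool releases report SHA fingerprints and MD5 is only suitable as a quick visual sanity check. Note that writing to the JRE's cacerts changes the trust decisions of every Java application that uses that JRE; if that is not wanted, the same certificate can be placed in a dedicated truststore that the Pentaho BI Server selects with the javax.net.ssl.trustStore system property.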

...
