Tomcat SSL Client Authentication

2005-04-27 Thread lercoli
Hello

I've configured Tomcat SSL Client Authentication with these settings:

web.xml

...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
...

server.xml

...
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
           truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
...



Client certificate (client.cer) is installed in my IE browser (version 6.0.28).

When I invoke https://localhost:8443/myweapp a window appears that asks me to
accept the server certificate.

I accept and my webapp index page appears.

So why don't I see a window for client authentication?

And why do I get the same behaviour even when I remove client.cer from my
browser?

It seems that client certification doesn't work.



Any help would be greatly appreciated.



Thank You



Luca Ercoli


Re: Tomcat SSL Client Authentication

2005-04-27 Thread ohaya
Hi,

I believe that the clientAuth needs to be set to true in the
server.xml.

Jim



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat SSL Client Authentication

2005-04-27 Thread lercoli
Hi Jim

I've tried with clientAuth = true, but the server certificate window doesn't
appear and I get a page not found error.

- Original Message - 
From: ohaya [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 12:49 PM
Subject: Re: Tomcat SSL Client Authentication





Re: Tomcat SSL Client Authentication

2005-04-27 Thread ohaya
Hi,

Sorry if that didn't help. 

Here's what I have in server.xml (I don't remember if I had to change
anything outside of server.xml to enable client authentication):

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
           className="org.apache.coyote.tomcat5.CoyoteConnector"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="e:\tomcat\jakart~1.27\ssl\servercertificate.keystore"
           keystoreType="PKCS12"
           truststoreFile="C:\Documents and Settings\Administrator\.keystore"
           truststorePass="XXX"
           truststoreType="JKS"
/>

Jim

P.S.  When I was doing this (which was a while ago), I didn't find any
way to get Tomcat to check for client cert revocations (i.e., CRL
checking).  I don't know if that has changed at all since then.





Re: Tomcat SSL Client Authentication

2005-04-27 Thread Darryl Wilburn
What version of TC?  I've read something about configuring the HTTPS
connector to perform SSL client certificate authorization.  I agree with
Jim: in server.xml, the clientAuth should be set to true.  That is the
correct setting; if you get a page not found, that doesn't mean the cert
didn't work...  Also, the name on the client cert must be exactly the
same as the one in the user database.  I've also read that you don't
need any security-constraints to use the CLIENT-CERT unless you're also
using a separate Realm.

DW




Re: Tomcat SSL Client Authentication

2005-04-27 Thread lercoli
Tomcat version 5.5.9 (JDK 1.5.0_02 and Windows 2000 Professional).

Client certificate username is a Tomcat user (with which I've already
successfully tested DIGEST authentication).

The strange thing is that when I set clientAuth to true I never see the
alert window for the server certificate
(whereas it does appear with clientAuth = false).

- Original Message - 
From: Darryl Wilburn [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 3:55 PM
Subject: Re: Tomcat SSL Client Authentication





RE: Tomcat SSL client authentication problem with Internet Explore

2003-08-22 Thread Ratón Lacarcel, Antonio
Hi again...

CA cert is installed in MSIE's root certificates (also in  Mozilla root certificates) 
but the box is still empty.

Any idea?

Thank you!!!

-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED]]
Sent: Friday, 22 August 2003 6:17
To: [EMAIL PROTECTED]
Subject: Re: Tomcat SSL client authentication problem with Internet Explore


I'm guessing that you didn't install your CA's cert in MSIE's root
certificates.  Since Tomcat will ask for certs signed by your CA, if MSIE
can't find any (that it can verify the chain with), you get an empty box.


RV: Tomcat SSL client authentication problem with Internet Explore

2003-08-21 Thread Ratón Lacarcel, Antonio
Hi!

I have a problem with Tomcat 4.0.6 and SSL client authentication. When I use the
Internet Explorer browser (v6.0) and I try to access the secure URL (for example
https://whatever:8043), an empty list of certificates is presented. However, if I use
Mozilla 1.4 or Netscape 4.76, the client certificates are presented and the secure
pages are available.

The following environment is used:

 + jdk1.3.1_08
 + Microsoft Certificate Server
 + Tomcat 4.0.6

My server.xml file has the following element:

  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true"
             acceptCount="10" debug="3" scheme="https" secure="true"
             connectionTimeout="2"
             useURIValidationHack="false">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="true"
             keystoreFile="C:\Documents and Settings\araton\.keystore"
             keystorePass="changeit" protocol="TLS"/>
  </Connector>

I have also created the keystores and the cacerts (for trusted certificates) files.
Tomcat also finds the cacerts file because I've added the following parameters in the
Tomcat environment variables (and because I've seen it in the debug console):
-Djavax.net.ssl.trustStore=c:\path_to_cacerts\cacerts
-Djavax.net.ssl.trustStorePassword=changeit

I have defined my own CA, my server-tomcat certificate signed by the CA and, in order
to create the client certificates, I've used the Certificate Server web tool, asking
for a web certificate using each browser (Netscape-IE-Mozilla) and installing the
client certificate from the browser.

Could you help me please?

If more info is needed, please tell me and I will try to explain the problem
in more detail.

Thanks in advance and sorry if my English is too simple...

Antonio Ratón




Re: Tomcat SSL client authentication problem with Internet Explore

2003-08-21 Thread Bill Barker
I'm guessing that you didn't install your CA's cert in MSIE's root
certificates.  Since Tomcat will ask for certs signed by your CA, if MSIE
can't find any (that it can verify the chain with), you get an empty box.




Re[4]: Tomcat: SSL client authentication

2003-07-28 Thread Dmitry S.Rogulin
Hi Bill,

Thanks for answering.

I did solve the problem.
My client certificate is not self-signed (as I pointed out in 2.-4.).
So I have a certificate signed by my CA.

The problem was solved by setting CATALINA_OPTS system variable before
starting Tomcat:
set CATALINA_OPTS=-Djavax.net.ssl.trustStore=server.truststore
where server.truststore contains only imported CA certificate.

It seems that Tomcat doesn't use %JAVA_HOME%\jre\lib\security\cacerts
as a truststore by default (I did import CA cert into the cacerts) as
I understood from previous discussions.

Thanks!

Dmitry.

BB> From your 1., your client cert is self-signed, not signed by your CA cert.
BB> Since this amounts to telling the server "I am Dmitry, because I said so",
BB> it's a security-risk to accept self-signed client certs, so most HTTPS
BB> servers won't accept them.  (Of course, it is also the same security-risk to
BB> accept self-signed server-certs.  However, there is a big difference between
BB> clicking Ok in the browser's dialog box, and paging the webmaster at 3AM to
BB> agree to accept it ;-).

BB> The easiest thing would be to get a Thawte client-cert (since you don't have
BB> to pay for it), and use that instead of your self-signed one.  For testing,
BB> that is what I do (except that I use my Verisign cert, since my employer
BB> pays for that one :).  At least with Sun's JSSE, Thawte's Root cert is
BB> installed in cacerts by default.  Setting up your own CA is only needed if
BB> you have to hand out your own client-certs when you move to production.

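The three failure modes raised across these threads (a client cert that does not chain to the CA in Tomcat's truststore, a cert whose CN is not in the user database, and a self-signed client cert) can be reproduced end to end in one small Go program; this is an added example, not code from any of the posts, and the CA, the "tomcat"/"nobody"/"dmitry" certs, the user table and the reply strings are all constructed for the demo. The server plays a clientAuth="true" connector whose truststore holds only one CA, and each client plays a browser that trusts that CA for the server and offers one client cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a cert for cn signed by parent; parent == nil means self-signed (Bill's case).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, fine for a demo
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func toTLS(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// tomcatUsers stands in for tomcat-users.xml: the cert CN must match a user name exactly.
var tomcatUsers = map[string]string{"tomcat": "manager"}

// startServer is the clientAuth="true" connector; a client cert that does not chain to caCert fails the handshake.
func startServer(caCert, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey) string {
	trust := x509.NewCertPool()
	trust.AddCert(caCert)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{toTLS(srvCert, srvKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // clientAuth="true"
		ClientCAs:    trust,                          // truststoreFile
	}))
	serve := func(tc *tls.Conn) {
		defer tc.Close()
		if tc.Handshake() != nil {
			return // chain did not verify against the truststore: no page is ever served
		}
		cn := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		if role, ok := tomcatUsers[cn]; ok {
			fmt.Fprintf(tc, "OK %s role=%s", cn, role)
		} else {
			fmt.Fprintf(tc, "DENIED %s is not in the user database", cn)
		}
	}
	go func() {
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			go serve(conn.(*tls.Conn))
		}
	}()
	return ln.Addr().String()
}

// connect plays the browser: it trusts caCert for the server and offers clientCert.
// Under TLS 1.3 a rejected client cert surfaces as an error on the read, not on Dial.
func connect(addr string, caCert *x509.Certificate, clientCert tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: "localhost", Certificates: []tls.Certificate{clientCert}})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	data, err := io.ReadAll(conn)
	return string(data), err
}

// Demo runs the thread's three cases: known user, unknown user (Darryl), self-signed cert (Bill).
func Demo() (okLine, deniedLine string, selfSignedErr error) {
	caCert, caKey := issue("Test CA", true, nil, nil)
	srvCert, srvKey := issue("localhost", false, caCert, caKey)
	addr := startServer(caCert, srvCert, srvKey)
	okLine = must(connect(addr, caCert, toTLS(issue("tomcat", false, caCert, caKey))))
	deniedLine = must(connect(addr, caCert, toTLS(issue("nobody", false, caCert, caKey))))
	_, selfSignedErr = connect(addr, caCert, toTLS(issue("dmitry", false, nil, nil)))
	return
}
```

The self-signed client never reaches the application: the server's CertificateRequest only lists the CA in its truststore, so the client has nothing acceptable to offer, which is the same reason the browsers in these threads show an empty certificate list.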

Re[2]: Tomcat: SSL client authentication

2003-07-27 Thread Dmitry S.Rogulin

But (as I pointed out in 3., 4. and 6.) I have a client cert and a CA cert.
The latter I imported into cacerts.
I tried to do the same without Tomcat but with a very simple HTTP(S)
server and got the same result. So I suspect that I did something
wrong with creating/importing the certs.

But what's wrong?

BB> You can't generally use a self-signed client cert with JSSE (you can
BB> configure PureTLS to accept it, but another bug means that you'd have to
BB> wait for 4.1.26).  The work-around is way too much trouble for the sysadmin,
BB> and I don't feel like being an enabler for a true hideous design.  So,
BB> you'll just have to read the JSSE docs for yourself ;-).

BB> If you need to issue your own client-certs, I'd suggest setting up your own
BB> CA (with OpenSSL or otherwise), and import your CA's cert into cacerts.  You
BB> can then hand out client certs, and Tomcat will accept them.

BB> Dmitry S.Rogulin wrote in message
BB> news:[EMAIL PROTECTED]
> Hello all,
>
> Sorry for the previous e-mail. %)
>
> This theme was discussed about a month ago. I tried to use what I've
> found but I'm still having a problem...
>
> I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth=true).
>
> 1. I've generated a client certificate using keytool:
>    keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
>
> 2. Then I created a Certificate Signing Request:
>    keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
>
> 3. I sent it to the CA and got a signed certificate and the CA certificate.
> 4. I imported them into the client keystore:
>    keytool -import -alias root -keystore client.keystore -file cacert
>    keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
>
> 5. I exported the server certificate and imported it as trusted into the
> trusted keystore:
>    keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
>
> 6. I imported the CA certificate into \jre\lib\security\cacerts:
>    keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit
>
>    I'm running Tomcat and the test client on the same machine.
>    Server keystore: %USERHOME%\.keystore
>    Client keystore: %USERHOME%\client.keystore
>    Client trusted keystore: %USERHOME%\trust.keystore
>
>    Test Client:
>
> import java.net.*;
> import java.io.*;
> import java.util.*;
> import java.security.*;
> import javax.net.ssl.*;
>
> public class SimpleClient {
>
>     public static void main(String[] args) {
>         // Truststore holds the server cert (step 5); keystore holds the client cert and CA cert (step 4).
>         System.setProperty("javax.net.ssl.trustStore",
>                 System.getProperty("user.home") + File.separator + "trust.keystore");
>
>         System.setProperty("javax.net.ssl.keyStore",
>                 System.getProperty("user.home") + File.separator + "client.keystore");
>         System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>
>         InputStream is = null;
>         OutputStream os = new ByteArrayOutputStream();
>
>         try {
>             URL url = new URL("https://localhost:8443/readme.txt");
>
>             try {
>                 is = url.openStream();
>                 byte[] buffer = new byte[4096];
>                 int n;
>                 // The archived post is cut off here; what follows is a minimal editor's
>                 // completion (read the body, print it, close the stream) so the class compiles.
>                 while ((n = is.read(buffer)) != -1) {
>                     os.write(buffer, 0, n);
>                 }
>                 System.out.println(os.toString());
>             } finally {
>                 if (is != null) {
>                     is.close();
>                 }
>             }
>         } catch (IOException e) {
>             e.printStackTrace();
>         }
>     }
> }

 byte[] buffer = new byte[4096];
 int bytes_read;
 while((bytes_read = is.read(buffer))
BB != -1)
 os.write(buffer, 0, bytes_read);

 System.out.println(os.toString());

 } catch (Exception e) { e.printStackTrace(); }
 finally {
 try {
 is.close();
 os.close();
 } catch (IOException e) {
BB e.printStackTrace(); }
 }

 } catch (Exception e) { e.printStackTrace(); }


 }
 }
 

 With [clientAuth=false] it works fine, but with [clientAuth=true]
 it gives an error:

 java.net.SocketException: Software caused connection abort: recv failed
 at java.net.SocketInputStream.socketRead0(Native Method)
 at java.net.SocketInputStream.read(SocketInputStream.java:129)
 at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
 at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)

 What did I do in a wrong way?

 Thanks in advance.

 Best regards,
 Dmitry.




BB -
BB To unsubscribe, e-mail: [EMAIL PROTECTED]
BB For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
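The two positions in this thread can be settled from the keystores themselves: Bill says the certificate under the tomcat-cl alias is still the self-signed one from keytool -genkey; Dmitry says the CA reply was imported and the CA certificate went into cacerts. The program below is an added example, not code from the thread. It loads client.keystore and a trust store (the JRE's cacerts, or whatever store Tomcat actually reads), prints the chain stored under the alias, checks whether the leaf is self-signed, and then verifies the leaf's signature against every certificate in the trust store rather than trusting a matching issuer name. File names and the alias are the ones from the post; the password is assumed to be changeit, and it assumes both stores are in a format the default KeyStore type can read (JKS, or PKCS12 on current JDKs).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example (not from the thread): reports why a server with
 * clientAuth="true" would reject the certificate under a client alias.
 * Usage:
 *   java ClientCertCheck client.keystore tomcat-cl %java_home%\jre\lib\security\cacerts changeit
 */
public class ClientCertCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        // "jks" on the JDKs of this thread, "pkcs12" on current ones; both read the other format
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** Returns the alias of the trust-store entry whose key actually signed 'leaf', or null. */
    static String findSigner(X509Certificate leaf, KeyStore trust) throws Exception {
        for (Enumeration e = trust.aliases(); e.hasMoreElements();) {
            String alias = (String) e.nextElement();
            Certificate c = trust.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            // A matching issuer DN is only a hint: the signature check is what counts
            if (!ca.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) continue;
            try {
                leaf.verify(ca.getPublicKey());
                return alias;
            } catch (Exception notSignedByThisKey) {
                // same DN, different key: keep looking
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ClientCertCheck <client keystore> <alias> <trust store> <password>");
            System.exit(2);
        }
        char[] password = args[3].toCharArray();
        KeyStore client = load(args[0], password);
        KeyStore trust = load(args[2], password);

        // Only a private-key entry (the -genkey alias) has a chain; a trusted-cert entry returns null
        Certificate[] chain = client.getCertificateChain(args[1]);
        if (chain == null) {
            System.out.println("no private-key entry for alias " + args[1]);
            return;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("subject      : " + leaf.getSubjectX500Principal());
        System.out.println("issuer       : " + leaf.getIssuerX500Principal());
        System.out.println("chain length : " + chain.length);
        leaf.checkValidity(); // throws if the certificate is expired or not yet valid

        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            // keytool -genkey produced this; a successful "keytool -import" of the CA reply
            // under the same alias would have replaced it with the signed certificate.
            System.out.println("RESULT: alias still holds the self-signed certificate from -genkey");
            return;
        }
        String signer = findSigner(leaf, trust);
        if (signer == null) {
            System.out.println("RESULT: CA-signed, but the signing CA is not in " + args[2]
                + "; a clientAuth=\"true\" server using that store will abort the handshake");
        } else {
            System.out.println("RESULT: CA-signed, and the CA is trusted as alias '" + signer + "'");
        }
    }
}
```

Run it twice: once against the JRE's cacerts that Tomcat starts under, and once against the store named by the connector's truststoreFile if one is set, because only the store Tomcat actually reads decides the handshake. A chain length of 1 with subject equal to issuer means step 4 never took effect, whatever keytool printed at the time.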



Re: Re[2]: Tomcat: SSL client authentication

2003-07-27 Thread Bill Barker
From your 1., your client cert is self-signed, not signed by your CA cert.
Since this amounts to telling the server "I am Dmitry, because I said so",
it's a security-risk to accept self-signed client certs, so most HTTPS
servers won't accept them.  (Of course, it is also the same security-risk to
accept self-signed server-certs.  However, there is a big difference between
clicking OK in the browser's dialog box, and paging the webmaster at 3AM to
agree to accept it ;-).

The easiest thing would be to get a Thawte client-cert (since you don't have
to pay for it), and use that instead of your self-signed one.  For testing,
that is what I do (except that I use my Verisign cert, since my employer
pays for that one :).  At least with Sun's JSSE, Thawte's Root cert is
installed in cacerts by default.  Setting up your own CA is only needed if
you have to hand out your own client-certs when you move to production.

Dmitry S.Rogulin [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

> But (as I pointed out in 3., 4. and 6.) I have client cert and CA cert.
> The latter I imported to the cacert.
> I tried to do the same without Tomcat but with very simple HTTP(s)
> server and got the same result. So I suggest that I did something
> wrong with creating/importing certs.
>
> But what's wrong?
>
> > You can't generally use a self-signed client cert with JSSE (you can
> > configure PureTLS to accept it, but another bug means that you'd have to
> > wait for 4.1.26).  The work-around is way too much trouble for the sysadmin,
> > and I don't feel like being an enabler for a truly hideous design.  So,
> > you'll just have to read the JSSE docs for yourself ;-).
> >
> > If you need to issue your own client-certs, I'd suggest setting up your own
> > CA (with OpenSSL or otherwise), and import your CA's cert into cacerts.  You
> > can then hand out client certs, and Tomcat will accept them.
> >
> > Dmitry S.Rogulin wrote in message
> > news:[EMAIL PROTECTED]
> > > Hello all,
> > >
> > > Sorry for the previous e-mail. %)
> > >
> > > This theme was discussed about a month ago. I tried to use what I've
> > > found but I'm still having a problem...
> > >
> > > I'm trying to do SSL client authentication with Tomcat 4.1.18
> > > (clientAuth=true).
> > >
> > > 1. I've generated a client certificate using keytool:
> > >   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
> > >
> > > 2. Then I created a Certificate Signing Request:
> > >   keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
> > >
> > > 3. I sent it to the CA and got a signed certificate and CA Certificate.
> > > 4. I imported them to the client keystore:
> > >   keytool -import -alias root -keystore client.keystore -file cacert
> > >   keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
> > >
> > > 5. I exported the server certificate and imported it as trusted into the
> > > trust keystore:
> > >   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
> > >
> > > 6. I imported the CA Certificate to \jre\lib\security\cacerts :
> > >   keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit
> > >
> > >   I'm running Tomcat and test client on the same machine.
> > >   Server keystore: %USERHOME%\.keystore
> > >   Client keystore: %USERHOME%\client.keystore
> > >   Client trusted keystore: %USERHOME%\trust.keystore
> > >
> > >   Test Client:
> > >
> > > import java.net.*;
> > > import java.io.*;
> > > import java.util.*;
> > > import java.security.*;
> > > import javax.net.ssl.*;
> > >
> > > public class SimpleClient {
> > >
> > >     public static void main(String[] args) {
> > >         // Trust store holding the server certificate
> > >         System.setProperty("javax.net.ssl.trustStore",
> > >             System.getProperty("user.home") + File.separator + "trust.keystore");
> > >
> > >         // Key store holding the client private key and its certificate chain
> > >         System.setProperty("javax.net.ssl.keyStore",
> > >             System.getProperty("user.home") + File.separator + "client.keystore");
> > >         System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
> > >
> > >         InputStream is = null;
> > >         OutputStream os = new ByteArrayOutputStream();
> > >
> > >         try {
> > >             URL url = new URL("https://localhost:8443/readme.txt");
> > >
> > >             try {
> > >                 is = url.openStream();
> > >
> > >                 byte[] buffer = new byte[4096];
> > >                 int bytes_read;
> > >                 while ((bytes_read = is.read(buffer)) != -1)
> > >                     os.write(buffer, 0, bytes_read);
> > >
> > >                 System.out.println(os.toString());
> > >
> > >             } catch (Exception e) { e.printStackTrace(); }
> > >             finally {
> > >                 try {
> > >                     if (is != null) is.close(); // still null if openStream() failed
> > >                     os.close();
> > >                 } catch (IOException e) { e.printStackTrace(); }
> > >             }
> > >
> > >         } catch

Re: Tomcat: SSL client authentication

2003-07-26 Thread Bill Barker
You can't generally use a self-signed client cert with JSSE (you can
configure PureTLS to accept it, but another bug means that you'd have to
wait for 4.1.26).  The work-around is way too much trouble for the sysadmin,
and I don't feel like being an enabler for a truly hideous design.  So,
you'll just have to read the JSSE docs for yourself ;-).

If you need to issue your own client-certs, I'd suggest setting up your own
CA (with OpenSSL or otherwise), and import your CA's cert into cacerts.  You
can then hand out client certs, and Tomcat will accept them.

Dmitry S.Rogulin [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
> Hello all,
>
> Sorry for the previous e-mail. %)
>
> This theme was discussed about a month ago. I tried to use what I've
> found but I'm still having a problem...
>
> I'm trying to do SSL client authentication with Tomcat 4.1.18
> (clientAuth=true).
>
> 1. I've generated a client certificate using keytool:
>   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
>
> 2. Then I created a Certificate Signing Request:
>   keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
>
> 3. I sent it to the CA and got a signed certificate and CA Certificate.
> 4. I imported them to the client keystore:
>   keytool -import -alias root -keystore client.keystore -file cacert
>   keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
>
> 5. I exported the server certificate and imported it as trusted into the
> trust keystore:
>   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
>
> 6. I imported the CA Certificate to \jre\lib\security\cacerts :
>   keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit
>
>   I'm running Tomcat and test client on the same machine.
>   Server keystore: %USERHOME%\.keystore
>   Client keystore: %USERHOME%\client.keystore
>   Client trusted keystore: %USERHOME%\trust.keystore
>
>   Test Client:
>
> import java.net.*;
> import java.io.*;
> import java.util.*;
> import java.security.*;
> import javax.net.ssl.*;
>
> public class SimpleClient {
>
>     public static void main(String[] args) {
>         // Trust store holding the server certificate
>         System.setProperty("javax.net.ssl.trustStore",
>             System.getProperty("user.home") + File.separator + "trust.keystore");
>
>         // Key store holding the client private key and its certificate chain
>         System.setProperty("javax.net.ssl.keyStore",
>             System.getProperty("user.home") + File.separator + "client.keystore");
>         System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>
>         InputStream is = null;
>         OutputStream os = new ByteArrayOutputStream();
>
>         try {
>             URL url = new URL("https://localhost:8443/readme.txt");
>
>             try {
>                 is = url.openStream();
>
>                 byte[] buffer = new byte[4096];
>                 int bytes_read;
>                 while ((bytes_read = is.read(buffer)) != -1)
>                     os.write(buffer, 0, bytes_read);
>
>                 System.out.println(os.toString());
>
>             } catch (Exception e) { e.printStackTrace(); }
>             finally {
>                 try {
>                     if (is != null) is.close(); // still null if openStream() failed
>                     os.close();
>                 } catch (IOException e) { e.printStackTrace(); }
>             }
>
>         } catch (Exception e) { e.printStackTrace(); }
>     }
> }
>
>
> With [clientAuth=false] it works fine, but with [clientAuth=true]
> it gives an error:
>
> java.net.SocketException: Software caused connection abort: recv failed
> at java.net.SocketInputStream.socketRead0(Native Method)
> at java.net.SocketInputStream.read(SocketInputStream.java:129)
> at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
> at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>
> What did I do wrong?
>
> Thanks in advance.
>
> Best regards,
> Dmitry.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Tomcat: SSL client authentication

2003-07-25 Thread Dmitry S.Rogulin
Hello all,

I'm


Best regards,
Dmitry.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Tomcat: SSL client authentication

2003-07-25 Thread Dmitry S.Rogulin
Hello all,

Sorry for the previous e-mail. %)

This theme was discussed about a month ago. I tried to use what I've
found but I'm still having a problem...

I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth=true).

1. I've generated a client certificate using keytool:
  keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore

2. Then I created a Certificate Signing Request:
  keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore

3. I sent it to the CA and got a signed certificate and CA Certificate.
4. I imported them to the client keystore:
  keytool -import -alias root -keystore client.keystore -file cacert
  keytool -import -alias tomcat-cl -keystore client.keystore -file usercert

5. I exported the server certificate and imported it as trusted into the
trust keystore:
  keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore

6. I imported the CA Certificate to \jre\lib\security\cacerts :
  keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit

  I'm running Tomcat and test client on the same machine.
  Server keystore: %USERHOME%\.keystore
  Client keystore: %USERHOME%\client.keystore
  Client trusted keystore: %USERHOME%\trust.keystore

  Test Client:

import java.net.*;
import java.io.*;
import java.util.*;
import java.security.*;
import javax.net.ssl.*;

public class SimpleClient {

    public static void main(String[] args) {
        // Trust store holding the server certificate
        System.setProperty("javax.net.ssl.trustStore",
            System.getProperty("user.home") + File.separator + "trust.keystore");

        // Key store holding the client private key and its certificate chain
        System.setProperty("javax.net.ssl.keyStore",
            System.getProperty("user.home") + File.separator + "client.keystore");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

        InputStream is = null;
        OutputStream os = new ByteArrayOutputStream();

        try {
            URL url = new URL("https://localhost:8443/readme.txt");

            try {
                is = url.openStream();

                byte[] buffer = new byte[4096];
                int bytes_read;
                while ((bytes_read = is.read(buffer)) != -1)
                    os.write(buffer, 0, bytes_read);

                System.out.println(os.toString());

            } catch (Exception e) { e.printStackTrace(); }
            finally {
                try {
                    if (is != null) is.close(); // still null if openStream() failed
                    os.close();
                } catch (IOException e) { e.printStackTrace(); }
            }

        } catch (Exception e) { e.printStackTrace(); }
    }
}


With [clientAuth=false] it works fine, but with [clientAuth=true]
it gives an error:

java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)

What did I do wrong?

Thanks in advance.

Best regards,
Dmitry.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
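The SocketException in the post is the least informative place to learn that client authentication failed. With clientAuth=true the server sends a CertificateRequest listing the issuer names it trusts; JSSE's key manager picks a matching key in chooseClientAlias() without telling anyone, and if nothing in client.keystore chains to one of those issuers it sends an empty Certificate message, the server aborts, and the client sees a closed socket. The variant of SimpleClient below is an added example, not code from the thread: it builds the SSLContext from the two keystores named in the post (trust.keystore and client.keystore under user.home, password changeit, both assumed to be JKS) instead of relying on the javax.net.ssl.* system properties, wraps the key manager so the server's request and the chosen alias are printed, and after the handshake reports which certificate was actually sent. The URL is the one from the post; a Tomcat listening on localhost:8443 and serving readme.txt is assumed.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Added example (not from the thread): SimpleClient with an explicit SSLContext and a
 * logging key manager, so a silent "no client certificate sent" becomes visible.
 * Assumes ~/client.keystore and ~/trust.keystore with password "changeit", as in the post.
 */
public class DiagnosticClient {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    /** Delegates to the real key manager but prints the server's CertificateRequest and the choice. */
    static class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            System.out.println("server accepts key types : " + Arrays.asList(keyTypes));
            System.out.println("server accepts issuers   : "
                + (issuers == null || issuers.length == 0 ? "(any)" : Arrays.asList(issuers)));
            String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
            // null means no key in client.keystore chains to one of those issuers: JSSE sends an
            // empty Certificate message and a clientAuth="true" server closes the connection.
            System.out.println("alias chosen             : " + (alias == null ? "NONE" : alias));
            return alias;
        }
        public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
        public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return delegate.chooseServerAlias(keyType, issuers, s); }
        public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("user.home") + File.separator;
        char[] password = "changeit".toCharArray();

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(home + "client.keystore", password), password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(home + "trust.keystore", password));

        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/readme.txt").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // replaces the javax.net.ssl.* system properties
        conn.connect(); // handshake happens here; a rejected client certificate surfaces as an exception

        Certificate[] sent = conn.getLocalCertificates(); // null if no client certificate was sent
        System.out.println("client cert sent         : "
            + (sent == null ? "none" : ((X509Certificate) sent[0]).getSubjectX500Principal()));
        System.out.println("HTTP status              : " + conn.getResponseCode());

        BufferedReader body = new BufferedReader(new InputStreamReader(conn.getInputStream()));
        try {
            for (String line; (line = body.readLine()) != null;) System.out.println(line);
        } finally {
            body.close();
        }
    }
}
```

An "alias chosen: NONE" line is the tell-tale. The issuer list the server advertises is built from the trust store Tomcat actually reads (the cacerts of the JRE it runs under, or the connector's truststoreFile where one is set), so NONE means either the CA certificate is not in that store or the certificate under tomcat-cl is still the self-signed one from -genkey, whose issuer is itself and therefore never appears in the server's list. Running with -Djavax.net.debug=ssl,handshake shows the same CertificateRequest and the empty Certificate reply at the record level.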