clientAuth=true; non-SSL?

2005-03-23 Thread Sweeney, Bill
 
Hello folks - 

I am working with Tomcat 5.0.28; j2sdk 1_4_2_07

The question is this:  Do I need an SSL connection in order to get
Tomcat to force the presentation of a client side certificate?  In other
words, I only want to force authentication, not wrap the connection in
SSL.

Here is the connector config:

<Connector port="8080" maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" scheme="http"
           secure="true" clientAuth="true" acceptCount="100" keystoreType="JKS"
           keystoreFile="C:\j2sdk1.4.2_07\bin\client.keystore"
           keystorePass="changeit" debug="0" connectionTimeout="2"
           disableUploadTimeout="true" />

The result is that I am not able to access the page at port 8080, but I
am not getting the normal certificate request either.

Any help welcome and appreciated!

- wjs

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: clientAuth=true; non-SSL?

2005-03-23 Thread QM
On Wed, Mar 23, 2005 at 01:21:11PM -0800, Sweeney, Bill wrote:
: The question is this:  Do I need an SSL connection in order to get
: Tomcat to force the presentation of a client side certificate?  In other
: words, I only want to force authentication, not wrap the connection in
: SSL.

If you want to force authentication using certs (which is what
clientAuth is all about) then I don't see a way around SSL.  The cert
exchange takes place during the SSL handshake.

If you want to just protect access to certain areas of the webapp, check
the Tomcat docs for realms and skim the servlet spec for FORM
authentication.

-QM

-- 

software   -- http://www.brandxdev.net/
tech news  -- http://www.RoarNetworX.com/
code scan  -- http://www.JxRef.org/




[QUAR]Re: clientAuth=true; non-SSL?

2005-03-23 Thread Sweeney, Bill
 
Thanks QM - 

Agreed.  No way around SSL, as the client certificate request is
dependent on the SSL handshake.



For those in the list who have followed these links while building their
own keystores and self signed certs and client certs for authentication:

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/http.html#SSL%20Support
http://java.sun.com/webservices/docs/1.1/tutorial/doc/WebAppSecurity5.html
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html#genkeyCmd
http://mark.foster.cc/kb/openssl-keytool.html


I needed to add to the Java Options:
-Djavax.net.ssl.trustStore=[path to]\myClient.keystore 
-Djavax.net.ssl.trustStorePassword=mypassword

Else the server was not finding the client.keystore and was throwing
bad_certificate errors. 

Now works fine.  Tested in IE6 and Firefox. 

- wjs 





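An added example, not code from the thread: a small Python checker that flags the clientAuth pitfalls discussed above (cert request only inside the SSL handshake, missing trust store, JDK default keystore password) in a Tomcat 5.0 <Connector>. The server.xml snippet is constructed from the connector in the first message; the -Djavax.net.ssl.trustStore option is the one named in the follow-up.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the first message, quoting restored
# so that it parses (it is not a recommended configuration).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" scheme="http"
           secure="true" clientAuth="true" acceptCount="100" keystoreType="JKS"
           keystoreFile="C:/j2sdk1.4.2_07/bin/client.keystore"
           keystorePass="changeit" debug="0" connectionTimeout="2"
           disableUploadTimeout="true" />
</Service></Server>"""


def lint_connector(conn, java_opts=""):
    """Return findings for one <Connector>; an empty list means nothing flagged."""
    a = conn.attrib
    out = []
    client_auth = a.get("clientAuth", "false").lower() == "true"
    https = a.get("scheme", "http").lower() == "https"
    if client_auth and not https:
        out.append("clientAuth=true needs an SSL connector (scheme=https): the "
                   "client certificate is requested inside the SSL handshake")
    if a.get("secure", "false").lower() == "true" and not https:
        out.append("secure=true on a scheme=http connector is inconsistent")
    if client_auth and "-Djavax.net.ssl.trustStore=" not in java_opts:
        out.append("no -Djavax.net.ssl.trustStore in the Java options: Tomcat "
                   "cannot validate client certificates (bad_certificate)")
    if a.get("keystorePass") == "changeit":
        out.append("keystorePass is the JDK default 'changeit'")
    return out


def lint_server_xml(xml_text, java_opts=""):
    """Map each connector's port to the findings for that connector."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c, java_opts)
            for c in root.iter("Connector")}


if __name__ == "__main__":
    for port, findings in lint_server_xml(SERVER_XML).items():
        print("Connector on port", port)
        for f in findings:
            print("  -", f)
```

Run against the sample it reports four findings; with scheme="https", a non-default keystorePass and a trust store passed in the Java options it reports none.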



Re: [QUAR]Re: clientAuth=true; non-SSL?

2005-03-23 Thread Mark Leone
You may not be able to get around SSL, but you can go through it, so 
to speak. If you want cert-based authentication but you don't want to 
pay the overhead price for crypto processing, or you want your session 
to be accessible to third-party systems, then you should be able to 
configure SSL or TLS with null values for the encryption algorithm and 
Message Authentication Code (MAC) (aka hash) algorithm. This is the 
default way that SSL/TLS works until the handshake protocol negotiates a 
cipherspec to use. By specifying null values in the cipherspec you can 
cause the record layer protocol (the underlying transport layer in 
SSL/TLS) to pass the application protocol in the clear just as it does 
the handshake protocol during cipherspec negotiation.

I'm just learning Tomcat, so I can't tell you how to do this in Tomcat. 
But I'm very familiar with the SSL and TLS protocol specs, and I know 
they support null cipherspecs. Hopefully there's a way to configure that 
in Tomcat, or if it's really important you could try hacking the code.

-Mark