Re: Tomcat and client certificates

2006-02-15 Thread Luis Henrique
Hi

I have followed all the instructions on this discussion, and I'm still
getting the error:

HTTP Status 400 - No client certificate chain in this request

Does the user cert that I'm using need to be trusted by the cert of the Tomcat server?


I'm using Apache Tomcat/5.5.15, on Win XP Pro SP2

I have generated the 2 certs like described on:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

The access to https://localhost:8443 works fine,
but the access to the restricted area https://localhost:8443/teste
returns the error:
HTTP Status 400 - No client certificate chain in this request

If I use BASIC auth, it works, but with CLIENT-CERT it does not.

Is there anything wrong with my configuration?

This is my configuration:

server.xml :
...

<Realm className="org.apache.catalina.realm.MemoryRealm" />
...
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="want" sslProtocol="TLS"
   keystoreFile="c:\\certificados\\tomcat.keystore" />
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
   clientAuth="want" protocol="TLS" />


tomcat-users.xml :
<tomcat-users>
  ...
  <role rolename="cert"/>
  <user username="CN=Luis Henrrique Spoladore Amaral, OU=UFSC, O=UFSC, L=Floripa, ST=SC, C=BR"
        password="null" roles="cert"/>
</tomcat-users>


web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

<display-name>Bug 12218</display-name>
<description>
  Test web app for bug 12218.
</description>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>App</web-resource-name>
    <url-pattern>/index.htm</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>cert</role-name>
</security-role>

</web-app>

Thanks for your help

Luis

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat and client certificates

2006-02-07 Thread Markus
Ok, I just submitted the bugs #38553 and #38555 for both issues. If
you need more information, please let me know via bugzilla.




Re: Tomcat and client certificates

2006-02-07 Thread Mark Thomas
Markus wrote:
> Ok, I just submitted the bugs #38553 and #38555 for both issues. If
> you need more information, please let me know via bugzilla.

5.5.x CLIENT-CERT should work with all realms. 5.0.x - don't hold your
breath.

Mark





Re: Tomcat and client certificates

2006-02-06 Thread Markus
Mark:
Thank you for your link to the archive. It was my fault using the
UserDatabase realm instead of the MemoryRealm. I'm using Tomcat 5.0.28 -
is it still the case in 5.5.x that you MUST use the MemoryRealm for
client-cert authentication?

Anyway, there is still an issue when trying to access a restricted URL
without the proper certificate:

1) When there is the RIGHT client certificate in the browser keystore:
it works :-)

2) When there is the WRONG client certificate I get:

   HTTP Status 401 - Cannot authenticate with the provided credentials
   (this is ok, too)

3) When there is NO client certificate I get:

   HTTP Status 400 - No client certificate chain in this request

400 usually stands for a bad request or bad syntax. I believe in this case 401
should be the appropriate reply.

Is there any way to adjust the HTTP Status code for failed client-cert
authentication?




Re: Tomcat and client certificates

2006-02-06 Thread Mark Thomas
Markus wrote:
> Mark:
> Thank you for your link to the archive. It was my fault using the
> UserDatabase realm instead of the MemoryRealm. I'm using Tomcat 5.0.28 -
> is it still the case in 5.5.x that you MUST use the MemoryRealm for
> client-cert authentication?

All realms should work with CLIENT-CERT. If they don't, file a bug
report and I'll look into it.

> 3) When there is NO client certificate I get:
>
>    HTTP Status 400 - No client certificate chain in this request
>
> 400 usually stands for a bad request or bad syntax. I believe in this case 401
> should be the appropriate reply.

Hmm. I guess this could be debatable.

> Is there any way to adjust the HTTP Status code for failed client-cert
> authentication?

No configuration option. I suspect it would require code changes.

Mark





Re: Tomcat and client certificates

2006-02-03 Thread David Delbecq
Markus wrote:

> Ok, when I set clientAuth to want the Exception getting SSL Cert
> goes away. (Wtf is this documented?).

Yes, it is documented:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Section 'Edit the Tomcat Configuration File'

> But I still get the 403 - Access
> denied error.

This means the client didn't send a certificate or the certificate was not recognized.

> Here is how I added the user's certificate to my realm:
>
> web.xml:
>
>    <security-constraint>
>      <web-resource-collection>
>        <url-pattern>/html/*</url-pattern>
>        <http-method>POST</http-method>
>        <http-method>GET</http-method>
>      </web-resource-collection>
>      <auth-constraint>
>        <role-name>myrole</role-name>
>      </auth-constraint>
>      <user-data-constraint/>
>    </security-constraint>
>
>    <login-config>
>      <auth-method>CLIENT-CERT</auth-method>
>    </login-config>
>
>    <security-role>
>      <role-name>myrole</role-name>
>    </security-role>
>
> tomcat-users.xml:
>
> <tomcat-users>
>   <role rolename="myrole"/>
>   <user username="EMAILADDRESS=mark... , CN=markus, OU=..., O=...
> , L=, ST=... C=..." password="" roles="myrole"/>
> </tomcat-users>
>
> As username I used exactly the cert.getSubjectDN().getName() String
> from the client certificate.
>
> Is this ok?

Did you escape the quote character of the subject line using &quot; ?

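The two checks the replies above turn on (the realm username must equal the certificate's subject DN string, and any quote in it must be written as &quot;) can be automated. This is an added example, not code from the thread or from Tomcat; it assumes the DN string form the posters show (comma-separated attribute=value pairs, as returned by getSubjectDN().getName()), and the tomcat-users.xml sample inside it is constructed.

```python
# Added example, not from the thread or Tomcat: checks a client cert's subject
# DN against the <user> entries of tomcat-users.xml. Assumes the DN string form
# the posters show (comma-separated ATTR=value pairs, quoted where needed).
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample realm file; note the stray space before the comma
# after the e-mail address, enough for an exact-string match to fail.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="myrole"/>
  <user username="EMAILADDRESS=markus@example.invalid , CN=markus, OU=Dev, O=Example, L=Town, ST=State, C=BE"
        password="" roles="myrole"/>
</tomcat-users>"""

def split_dn(dn):
    """Split an RFC 2253-style DN into (ATTR, value) pairs; commas inside
    "quoted" values or escaped with a backslash do not split."""
    pairs, buf, quoted, esc = [], [], False, False
    for c in dn:
        if esc:                          # previous char was a backslash
            buf.append(c)
            esc = False
        elif c == '\\':
            esc = True
        elif c == ',' and not quoted:    # attribute separator
            pairs.append(''.join(buf))
            buf = []
        else:
            quoted ^= (c == '"')
            buf.append(c)
    pairs.append(''.join(buf))
    return [(a.strip().upper(), v.strip().strip('"'))
            for a, _, v in (p.strip().partition('=') for p in pairs)]

def find_user(tomcat_users_xml, subject_dn):
    """Return (username, roles, how): how is 'exact' for a verbatim string
    match, 'canonical' if only spacing/quoting/order differ, else None."""
    wanted = sorted(split_dn(subject_dn))
    for user in ET.fromstring(tomcat_users_xml).iter('user'):
        name, roles = user.get('username', ''), user.get('roles', '')
        if name == subject_dn:
            return name, roles, 'exact'
        if sorted(split_dn(name)) == wanted:
            return name, roles, 'canonical'
    return None, None, None

def user_element(subject_dn, roles):
    """Emit a <user> line with the DN XML-escaped (quotes become &quot;)."""
    attr = lambda s: '"%s"' % escape(s, {'"': '&quot;'})
    return '<user username=%s password="" roles=%s/>' % (attr(subject_dn), attr(roles))
```

A 'canonical' result means the certificate is in the realm but the string differs (here the space before the comma), which is exactly the case where Tomcat still answers 403; paste the line from user_element() instead of retyping the DN.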



Re: Tomcat and client certificates

2006-02-02 Thread Markus
Ok, when I set clientAuth to want the Exception getting SSL Cert
goes away. (Wtf is this documented?) But I still get the 403 - Access
denied error.

Here is how I added the user's certificate to my realm:

web.xml:

<security-constraint>
  <web-resource-collection>
    <url-pattern>/html/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
  <user-data-constraint/>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>myrole</role-name>
</security-role>

tomcat-users.xml:

<tomcat-users>
  <role rolename="myrole"/>
  <user username="EMAILADDRESS=mark... , CN=markus, OU=..., O=...
, L=, ST=... C=..." password="" roles="myrole"/>
</tomcat-users>

As username I used exactly the cert.getSubjectDN().getName() String
from the client certificate.

Is this ok?




Re: Tomcat and client certificates

2006-02-01 Thread Markus
Setting clientAuth to true / false in the Connector configuration
works fine, but how do I configure client authentication on a
per-directory or even per-servlet basis?

This is my current configuration:

In server.xml:
<Connector port="8443"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" debug="0" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="\...\keystore.jks" keystorePass="wonttell"
   truststoreFile="\...\truststore.jks" truststorePass="wonttell"
   />

In web.xml:
<security-constraint>
  <web-resource-collection>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
  <user-data-constraint/>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

And here are the results I get:

https://domain/anypage : OK
https://domain/html/anypage : HTTP Status 403 - Access to the
requested resource has been denied

The logfile says:

01.02.2006 15:19:57 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
java.net.SocketException: Socket Closed

What's wrong with my configuration?

Markus




RE: Tomcat and client certificates

2006-02-01 Thread Duan, Nick
The clientAuth attribute of the connector has to be set to true.  Then
you will need a client cert to access resources under /html/*, but not
other pages.  See the Tomcat SSL guide on how to create the client cert.

ND




Re: Tomcat and client certificates

2006-02-01 Thread Markus
Creating client certs is no problem, I already had client
authentication working on the Connector level.

Nick:
In other words: it is NOT possible in Tomcat to have a webapp with
BOTH a private part with SSL AND client authentication and a public
part with SSL but WITHOUT client authentication?

That would be sad.


Markus




Re: Tomcat and client certificates

2006-02-01 Thread David Delbecq
Hi
Yes, it is possible. From the connector configuration doc:
  clientAuth:
  Set this value to true if you want Tomcat to require all SSL clients to
  present a client Certificate in order to use this socket.
  Set this value to want if you want Tomcat to request a client Certificate,
  but not fail if one isn't presented.

So in your configuration, change clientAuth="false" to clientAuth="want" and
the connector will accept the connection whether there is a certificate or not.
But don't forget that
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
means access to /html/* will be refused to users not presenting a certificate.
(They can still access other webapps in Tomcat if those have a login-config
not based on certificates, and they can also browse over SSL the non-restricted
area of a client-cert based webapp.)
For sensitive areas, you might also be interested in adding, in particular
for BASIC authentication based webapps:
   ...
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
   </security-constraint>


-- 

David Delbecq
Royal Meteorological Institute of Belgium




Re: Tomcat and client certificates

2006-02-01 Thread Mark Thomas
Markus wrote:
> Setting clientAuth to true / false in the Connector configuration
> works fine, but how do I configure client authentication on a
> per-directory or even per-servlet basis?

<snip/>

> And here are the results I get:
>
> https://domain/anypage : OK
> https://domain/html/anypage : HTTP Status 403 - Access to the
> requested resource has been denied

Have you added the user's certificate to your realm?

Mark





RE: Tomcat and client certificates

2006-01-31 Thread Caldarale, Charles R
> From: Tom Bednarz [mailto:[EMAIL PROTECTED]
> Subject: Tomcat and client certificates
>
> If that is not possible, I need two servers, each running
> an instance of Tomcat with different server.xml settings.

I haven't tried it, but I would think all you need is two sets of
<Connector> tags, not two complete installations.  You'd have to
differentiate between them by IP address or port numbers, of course.

 - Chuck

