Phew - I think I've sorted the problem. Thanks to all who responded.

There were two issues:

1. In web.xml the <filter-mapping><url-pattern> was not the same as the dev value (dev was '/eh/*'; Tomcat should be '/*'). (Silly oversight, but it complicated matters.)
2. My SSL certificate setup was incorrect:

For cert setup, this link definitely helped:
http://tomcat.10.x6.nabble.com/tomcat-mutual-authentication-doesn-t-work-td2133404.html

But here's what I did to set up certs:

Generate server keypair
1. keytool -genkeypair -alias tomcatserver -keypass changeit -keyalg RSA -keystore ../Certs/tomcat.keystore

Generate client keypair
2. keytool -genkeypair -alias tomcatclientA -keypass changeit -keyalg RSA -keystore ../Certs/clientA.keystore

Export client public
3. keytool -exportcert -alias tomcatclientA -keystore /root/Certs/clientA.keystore -file ../Certs/clientA.cert

Export server public
4. keytool -exportcert -alias tomcatserver -keystore /root/Certs/tomcat.keystore -file ../Certs/Servertomcat.cert

Add client public into Server trusted certificate store
5. keytool -importcert -keystore ../jre/lib/security/cacerts -file ../Certs/clientA.cert -alias clientApublic

Add server public into Client trusted certificate store
6. keytool -importcert -keystore /root/Certs/Clientcacerts -file ../Certs/Servertomcat.cert -alias serverPublic

Convert server cert to PKCS12 to go into Internet Browser
7. keytool -importkeystore -srckeystore ../Certs/tomcat.keystore -destkeystore ../Certs/TomcatServer.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass changeit -srcalias tomcatserver -destalias tomcatserverpcs

Then set up Tomcat's setenv.sh to point to the cert stores (do this for both the client and server Tomcat instances; the stores will be different, as above):

KEYSTORE="../Certs/clientA.keystore"
TRUSTSTORE="../Certs/Clientcacerts"
PASSWORD="changeit"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStore=$TRUSTSTORE"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStore=$KEYSTORE"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.keyStorePassword=$PASSWORD"
CATALINA_OPTS=$CATALINA_OPTS" -Djavax.net.ssl.trustStorePassword=$PASSWORD"

Thanks again
Cheers
Lee
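The keystore procedure from the post above, carried through end to end as an added example that is not from the original post or the CAS/Tomcat projects: each side gets its own keystore and a dedicated truststore instead of the JRE's global cacerts file, and the setenv.sh JVM flags are composed from the resulting paths. It assumes keytool is on PATH; the CERTS directory, the CNs and the "changeit" password are sample values, and the alias and file names follow the post.

```shell
#!/bin/sh
# Added example, not from the original post. Builds both sides of a Tomcat
# mutual-TLS setup with keytool: each side gets its own keystore plus a
# dedicated truststore (not the JRE's lib/security/cacerts), then the JVM
# flags for setenv.sh are composed. Assumes keytool is on PATH; CERTS, the
# aliases, CNs and the "changeit" password are sample values.
set -eu

CERTS="${CERTS:-./Certs}"
STOREPASS="${STOREPASS:-changeit}"   # sample; real deployments read it from a protected file

# Self-signed RSA keypair; -dname skips the interactive prompts.
gen_keypair() {  # alias keystore cn
  keytool -genkeypair -alias "$1" -keystore "$2" -keyalg RSA -keysize 2048 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -dname "CN=$3" -validity 365
}

# Export the public certificate for an alias (what the other side will trust).
export_cert() {  # alias keystore outfile
  keytool -exportcert -alias "$1" -keystore "$2" -storepass "$STOREPASS" -file "$3"
}

# Import a certificate into a dedicated truststore (created on first import).
trust_cert() {  # alias truststore certfile
  keytool -importcert -noprompt -alias "$1" -keystore "$2" -storepass "$STOREPASS" -file "$3"
}

setup_mtls() {
  mkdir -p "$CERTS"
  gen_keypair tomcatserver  "$CERTS/tomcat.keystore"  tomcat.example.test
  gen_keypair tomcatclientA "$CERTS/clientA.keystore" clientA
  export_cert tomcatserver  "$CERTS/tomcat.keystore"  "$CERTS/Servertomcat.cert"
  export_cert tomcatclientA "$CERTS/clientA.keystore" "$CERTS/clientA.cert"
  # Server trusts only the client cert; client trusts only the server cert.
  trust_cert clientApublic "$CERTS/ServerTruststore" "$CERTS/clientA.cert"
  trust_cert serverPublic  "$CERTS/Clientcacerts"    "$CERTS/Servertomcat.cert"
}

# JVM flags for setenv.sh (append to CATALINA_OPTS); printed, not exported.
catalina_opts() {  # keystore truststore password
  opts="-Djavax.net.ssl.keyStore=$1 -Djavax.net.ssl.keyStorePassword=$3"
  opts="$opts -Djavax.net.ssl.trustStore=$2 -Djavax.net.ssl.trustStorePassword=$3"
  printf '%s\n' "$opts"
}

# Number of trusted certificates in a truststore; each side should show exactly 1.
trusted_aliases() {  # truststore
  keytool -list -keystore "$1" -storepass "$STOREPASS" | grep -c trustedCertEntry
}
```

Run setup_mtls once, then pass the client stores to catalina_opts for the client Tomcat and the server stores for the server one.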