Hi,

Each of the <Connector> elements in catalina-server.xml defines one port
number on which Tomcat will listen for requests. AFAIK, the trust store file
used to validate client certificates of the connections on a particular
port should be the one defined in the connector configuration. This will
essentially tell Tomcat to use the specified trust store instead of the
default cacerts trust store which Tomcat loads.

For mutual SSL with the X509 authenticator, we can configure a new Tomcat HTTP
connector as follows in catalina-server.xml. This supports the HTTP/1.1
protocol and listens on a specific TCP port (8443) for connections.
<Connector
        protocol="HTTP/1.1"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/path/to/keystore.jks" keystorePass="keystorepwd"
        truststoreFile="/path/to/truststore.jks"
        truststorePass="truststorespassword"
        clientAuth="want" sslProtocol="TLS"/>

Note that, with the X509 authenticator, during authentication the client
certificate in the browser will be considered trusted and sent to the IS
server *if and only if the Tomcat connector defined for port "8443" is
configured first in the order*.

Otherwise, when mutual SSL happens, the already existing connector (9443)
will be picked up and the certificate will not be retrieved correctly. In that
case, the certificate of the CA which issued the client certificate should be
added to the server's client-truststore.jks.

I noticed that, when we configure the connector for 8443 first in order, the
WSO2 Carbon console will be hosted on both port 8443
(https://localhost:8443/carbon/) and 9443.

Is this expected behavior? Does anyone know the reason for this behavior at
the Tomcat level? I would appreciate your help on this.

If this is expected behavior, we need to mention it in the
documentation [1].


[1]
https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-ConfiguringtheX509Certificatefortheapp

Thanks and Regards
-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
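Added example (not from the original mail or from WSO2): a small Python audit script that lists the <Connector> elements of a catalina-server.xml in definition order, showing for each SSL connector its clientAuth setting and trust store, so one can see which connector comes first and whether it has its own truststoreFile or falls back to the JVM's cacerts. The XML embedded in it is a constructed sample, not a real WSO2 file.

```python
# Audit the <Connector> elements of a Tomcat server.xml (WSO2's catalina-server.xml)
# in definition order: port, SSLEnabled, clientAuth and the trust store in use.
# The XML below is a constructed sample; pass a real file's text to audit_connectors().
import xml.etree.ElementTree as ET

# Constructed sample: the 8443 mutual-TLS connector placed after the default 9443 one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="HTTP/1.1" port="9443" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="/path/to/wso2carbon.jks"
               keystorePass="wso2carbon" clientAuth="false" sslProtocol="TLS"/>
    <Connector protocol="HTTP/1.1" port="8443" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="/path/to/keystore.jks"
               keystorePass="keystorepwd" truststoreFile="/path/to/truststore.jks"
               truststorePass="truststorespassword" clientAuth="want" sslProtocol="TLS"/>
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """One dict per <Connector>, in document order. 'truststore' is None when the
    connector has no truststoreFile and so falls back to the JVM's default cacerts."""
    result = []
    for position, conn in enumerate(ET.fromstring(xml_text).iter("Connector"), start=1):
        ssl = conn.get("SSLEnabled", "false").lower() == "true"
        result.append({
            "position": position,
            "port": int(conn.get("port")),
            "ssl": ssl,
            "clientAuth": conn.get("clientAuth", "false").lower() if ssl else None,
            "truststore": conn.get("truststoreFile") if ssl else None,
        })
    return result


def client_cert_ports(xml_text):
    """Ports of SSL connectors that ask the browser for a client certificate
    (clientAuth="want" or "true"), in the order Tomcat defines them."""
    return [c["port"] for c in audit_connectors(xml_text)
            if c["ssl"] and c["clientAuth"] in ("want", "true")]


def first_ssl_port(xml_text):
    """Port of the first SSL-enabled connector in the file, or None if there is none."""
    return next((c["port"] for c in audit_connectors(xml_text) if c["ssl"]), None)


if __name__ == "__main__":
    print("first SSL connector:", first_ssl_port(SAMPLE_SERVER_XML))
    print("connectors requesting a client certificate:", client_cert_ports(SAMPLE_SERVER_XML))
```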