Adding rajas and connector team members

On Thu, Jan 18, 2018 at 4:55 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:

> Hi,
>
> Each of the <Connector> elements in catalina-server.xml defines one port
> number on which tomcat will listen for requests. AFAIK, the trust store file
> used to validate client certificates of the connections for a particular
> port should be the one defined in the connector configuration. This will
> essentially tell tomcat to use the specified trust store instead of the
> default cacerts trust store which tomcat loads.
>
> For mutual SSL with the X509 authenticator, we can configure a new tomcat http
> connector as follows in catalina-server.xml. It supports the HTTP/1.1
> protocol and listens on a specific TCP port (8443) for connections.
> <Connector
>         protocol="HTTP/1.1"
>         port="8443" maxThreads="200"
>         scheme="https" secure="true" SSLEnabled="true"
>         keystoreFile="/path/to/keystore.jks" keystorePass="keystorepwd"
>         truststoreFile="/path/to/truststore.jks" truststorePass="truststorespassword"
>         clientAuth="want" sslProtocol="TLS"/>
>
> Note that, with the X509 authenticator, during authentication the client
> certificate in the browser will be considered trusted and sent to the IS
> server *if and only if the tomcat connector defined for port "8443" is
> configured 1st in the order*.
>
> Otherwise, when mutual SSL happens, the already existing connector (9443)
> will be picked up and the certificate will not be retrieved correctly. If so,
> the certificate of the CA which issued the client certificate should be added
> to the server's client-truststore.jks.
>
> I noticed that, when we configure the connector for 8443 1st in order, the
> wso2 carbon console will be hosted on both port 8443
> ("https://localhost:8443/carbon/") and 9443.
>
> Is this expected behavior? Does anyone know the reason for this behavior at
> the tomcat level? I'd appreciate your help on this.
>
> If this is expected behavior, we need to mention it in the documentation [1].
>
>
> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-ConfiguringtheX509Certificatefortheapp
>
> Thanks and Regards
> --
> Indunil Upeksha Rathnayake
> Software Engineer | WSO2 Inc
> Email    indu...@wso2.com
> Mobile   0772182255
>



-- 
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email    indu...@wso2.com
Mobile   0772182255
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev