Hi Paul,

I'll admit, I've never used the X.509 cert auth myself, but I notice there
are some more notes in the X.509 docs at:
https://wiki.duraspace.org/display/DSDOC6x/Authentication+Plugins#AuthenticationPlugins-X.509CertificateAuthentication

Namely, I see that it states:
"If you are using HTTPS with Tomcat, note that the <Connector> tag *must*
include the attribute clientAuth="true" so the server requests a personal
Web certificate from the client."

Not sure if that's the problem here, but you might want to carefully review
the instructions here again. If you are still hitting issues, you should
also check your logs to see if there are any errors being logged there; see
https://wiki.duraspace.org/display/DSPACE/Troubleshoot+an+error

- Tim

On Thu, Sep 7, 2017 at 7:25 AM Paul Warner <[email protected]> wrote:

> Hi,
>
> I have configured Apache with SSL using a self-signed certificate, and
> then generated a client certificate from the server certificate. With
> SSLVerifyClient set to 'require', I can get to DSpace only from a browser
> with the client certificate installed. So it works!
>
> But getting DSpace to recognize the certificate is my problem. When I try
> to log in with the certificate, at https://myserver/jspui/certificate-login,
> I get the message: 'You do not seem to have a valid Web certificate.' I
> am running Apache 2.4.18, Apache Tomcat/8.5.15, and DSpace 6.1 on Ubuntu
> 16.04.
>
> In my apache conf, I have SSLOptions StdEnvVars ExportCertData.
>
> I loaded my client.crt certificate into the Tomcat keystore, following the
> directions in https://wiki.duraspace.org/display/DSDOC6x/Installing+DSpace:
>
> Optional – ONLY if you need to accept client certificates for the X.509
> certificate stackable authentication module. See the configuration section
> for instructions on enabling the X.509 authentication method. Load the
> keystore with the CA (certifying authority) certificates for the
> authorities of any clients whose certificates you wish to accept. For
> example, assuming the client CA certificate is in *client1.pem*:
>
>
> $JAVA_HOME/bin/keytool -import -noprompt -storepass changeit \
>     -trustcacerts -keystore $CATALINA_BASE/conf/keystore -alias client1 \
>     -file client1.pem
>
> I have set authentication.cfg so it includes X509 authentication:
>
> plugin.sequence.org.dspace.authenticate.AuthenticationMethod = \
>     org.dspace.authenticate.PasswordAuthentication,org.dspace.authenticate.X509Authentication
>
> I have set authentication-x509.cfg to include the keystore and password:
>
> authentication-x509.keystore.path = /opt/tomcat/conf/keystore
> authentication-x509.keystore.password = changeit
>
> What am I missing?
>
> Thanks,
> Paul
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/dspace-tech.
> For more options, visit https://groups.google.com/d/optout.
>
-- 

Tim Donohue
Technical Lead for DSpace & DSpaceDirect
DuraSpace.org | DSpace.org | DSpaceDirect.org
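
The Connector setting quoted from the X.509 docs above, written out as an added configuration example (it is not taken from the thread or from DSpace's own files). It assumes Tomcat itself terminates HTTPS on port 8443 (an assumed port) and reuses the keystore path and password given in the quoted message:

```xml
<!-- Added example for $CATALINA_BASE/conf/server.xml.
     Assumptions: port 8443; the keystore also holds the server's own key pair.
     Keystore path and password are the ones mentioned in the thread. -->

<!-- If clientAuth is omitted it defaults to "false": Tomcat never asks the
     browser for a certificate, so the web application has no client
     certificate to validate. -->

<!-- truststoreFile is the store of CA certificates that client certificates
     must chain to; here it is the same file the keytool import above wrote to. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/opt/tomcat/conf/keystore" keystorePass="changeit"
           truststoreFile="/opt/tomcat/conf/keystore" truststorePass="changeit"
           clientAuth="true" />
```

Tomcat reads server.xml only at startup, so restart it after changing the Connector.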
