subject:"RE\: setting up tomcat to accept client certificate"

Re: setting up tomcat to accept client certificate

2002-03-16 Thread Andreas Junghans


Hi,

> Whenever I try to set the parameter clientAuth="true" in the server.xml to
> accept client certificate from the user, after restarting Tomcat starts up
> well, but then I get 'Cannot find server' error when I try to access the
> https sites. But the http sites work perfectly.
> But when this parameter is set to 'false' https and http both works
> perfectly, though the client is not asked for certificate.
> The server certificate I am using has been generated by keytool.
> The client certificate is a third party one.
> I am using Tomcat standalone version 4.0.1 with jdk1.3.1
> I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk ext path.
> Any pointer will be really helpful.

We're using client auth in our application and here's how we got it
working (Linux 2.4/Windows NT/Windows 2000, Sun Jdk 1.3.1_02/IBM JDK 1.3):

- The key store used when validating client certs against CA certs is
JAVA_HOME/jre/lib/security/cacerts
- Delete all unwanted CA certs from this keystore (usually all of them).
- Add the required CA certs.
- Client auth should now work fine.

This solution has the problem that it affects all Java programs using
JSSE. That's not an issue in our environment, but it may be in your's.
Maybe an SSL specialist knows a little more about this (Erik?). BTW, I
didn't see anything about this in the docs (though I haven't looked at
them for quite a while). If it's not there, it should be added. Of
course, a clean solution that only affects individual webapps would be
better. Does it help using PureTLS?

Best regards

  Andreas Junghans



--
To unsubscribe, e-mail:   
For additional commands, e-mail:

RE: setting up tomcat to accept client certificate

2002-03-15 Thread Ken . Horn

tomcat-user question... but:

Can your server reach the CA for the client certificate? AFAICR it must 
check the cert is valid..

-Original Message-
From: patrick.luby 
Sent: 15 March 2002 17:11
To: tomcat-dev
Cc: patrick.luby
Subject: Re: setting up tomcat to accept client certificate

Kunal,

This is exactly how the code is supposed to work: the certificate is 
*not*
fetched from the client if the parameter is set to 'false'.

Patrick

kunal kaviraj wrote:
> 
> Hi All,
> Whenever I try to set the parameter clientAuth="true" in the 
server.xml to
> accept client certificate from the user, after restarting Tomcat 
starts up
> well, but then I get 'Cannot find server' error when I try to access 
the
> https sites. But the http sites work perfectly.
> But when this parameter is set to 'false' https and http both works
> perfectly, though the client is not asked for certificate.
> The server certificate I am using has been generated by keytool.
> The client certificate is a third party one.
> I am using Tomcat standalone version 4.0.1 with jdk1.3.1
> I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk 
ext path.
> Any pointer will be really helpful.
> Thanks
> Kunal
> 
> _
> Get your FREE download of MSN Explorer at 
http://explorer.msn.com/intl.asp.
> 
> --
> To unsubscribe, e-mail:   
<mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: 
<mailto:[EMAIL PROTECTED]>

-- 
_
Patrick Luby  Email: [EMAIL PROTECTED]
Sun Microsystems  Phone: 408-276-7471
901 San Antonio Road, USCA14-303
Palo Alto, CA 94303-4900
_

--
To unsubscribe, e-mail:   
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: 
<mailto:[EMAIL PROTECTED]>

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Re: setting up tomcat to accept client certificate

2002-03-15 Thread Eric Rescorla


"kunal kaviraj" <[EMAIL PROTECTED]> writes:
> Whenever I try to set the parameter clientAuth="true" in the server.xml to 
> accept client certificate from the user, after restarting Tomcat starts up 
> well, but then I get 'Cannot find server' error when I try to access the 
> https sites. But the http sites work perfectly.
> But when this parameter is set to 'false' https and http both works
> perfectly, though the client is not asked for certificate.
> The server certificate I am using has been generated by keytool.
> The client certificate is a third party one.
> I am using Tomcat standalone version 4.0.1 with jdk1.3.1
> I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk ext path.
> Any pointer will be really helpful.
Hmm... Have you checked that:

   (1) Your client has a certificate.
   (2) The server has the appropriate CA for that certificate?

What do the server log files say?
You might try using ssldump (http://www.rtfm.com/ssldump) to
see what's going on.

-Ekr


-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/

--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: setting up tomcat to accept client certificate

2002-03-15 Thread Patrick Luby


Kunal,

This is exactly how the code is supposed to work: the certificate is *not*
fetched from the client if the parameter is set to 'false'.

Patrick

kunal kaviraj wrote:
> 
> Hi All,
> Whenever I try to set the parameter clientAuth="true" in the server.xml to
> accept client certificate from the user, after restarting Tomcat starts up
> well, but then I get 'Cannot find server' error when I try to access the
> https sites. But the http sites work perfectly.
> But when this parameter is set to 'false' https and http both works
> perfectly, though the client is not asked for certificate.
> The server certificate I am using has been generated by keytool.
> The client certificate is a third party one.
> I am using Tomcat standalone version 4.0.1 with jdk1.3.1
> I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk ext path.
> Any pointer will be really helpful.
> Thanks
> Kunal
> 
> _
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
> 
> --
> To unsubscribe, e-mail:   
> For additional commands, e-mail: 

-- 
_
Patrick Luby  Email: [EMAIL PROTECTED]
Sun Microsystems  Phone: 408-276-7471
901 San Antonio Road, USCA14-303
Palo Alto, CA 94303-4900
_

--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: setting up tomcat to accept client certificate

RE: setting up tomcat to accept client certificate

Re: setting up tomcat to accept client certificate

Re: setting up tomcat to accept client certificate

4 matches

Site Navigation

Mail list logo

Footer information