Re: SSL client auth in Tomcat 4.0
Clere, Jean-Frederic wrote:
> Steven Bradley wrote:
> > I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble getting SSL client authentication working (getting SSL server auth working was a snap). Here's what I've done so far:
> >
> > * created a self-signed client cert using openSSL (key usage includes digital signature)
> > * imported client cert (and private key) into Internet Explorer (by way of a PKCS#12 file)
> > * imported the Tomcat JKS file with the client certificate
>
> CA file?
>
> > * configure tomcat server.xml file as follows:
> >
> >   <Connector className="org.apache.catalina.connector.http.HttpConnector"
> >              port="443" minProcessors="5" maxProcessors="75"
> >              enableLookups="true" acceptCount="10" debug="0"
> >              scheme="https" secure="true">
> >     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
> >              clientAuth="true" keystoreFile="conf/server.keystore"
> >              keystorePass="password" protocol="TLS"/>
> >   </Connector>
> >
> > * stop/start tomcat
> > * point IE browser to https://localhost/index.html
> >
> > What IE tells me is that the page can't be displayed (after some handshaking attempts). Unfortunately, there is no log info generated (even if I increase the debug param in the Connector element).
>
> Try with Mozilla or with openssl (something like: openssl s_client -port 8443 -host localhost).
> Does it work when clientAuth=false?
>
> > Any clues as to what I may be doing wrong? Has ANYONE been able to get SSL client authentication working with Tomcat 4.0 standalone (Catalina).
>
> Sure I tested it... It worked ok.

I have found a document that I wrote at that time:

+++
Steps to set up a demoCA and user certificates:

1 - /usr/local/ssl/misc/CA.pl -newca
    This creates a demoCA directory that contains the CA certificates.

2 - /usr/local/ssl/misc/CA.pl -newreq
    This creates a newreq.pem that contains the private key and request.

3 - separate the request and private key. Put the private key in key.pem and the request in newreq.pem

4 - /usr/local/ssl/misc/CA.pl -signreq
    It displays the certificate before signing it. The result is in newcert.pem

5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
        -in newcert.pem -out test.p12
    The test.p12 contains a file that can be imported in the browser.

6 - import in the browser the test.p12 file.

7 - Add the CA cert in the $JAVA_HOME/jre/lib/security/cacerts
    chmod u+w $JAVA_HOME/jre/lib/security/cacerts
    $JAVA_HOME/keytool -import -trustcacerts -file demoCA/cacert.pem \
        -keystore $JAVA_HOME/jre/lib/security/cacerts
+++

> Make sure the CA that has signed your certificates is in the CA file ($JAVA_HOME/jre/lib/security/cacerts or something).
>
> > Thanks in advance
> > -- Steven

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
SSL client auth in Tomcat 4.0
I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble getting SSL client authentication working (getting SSL server auth working was a snap). Here's what I've done so far:

* created a self-signed client cert using openSSL (key usage includes digital signature)
* imported client cert (and private key) into Internet Explorer (by way of a PKCS#12 file)
* imported the Tomcat JKS file with the client certificate
* configure tomcat server.xml file as follows:

  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="443" minProcessors="5" maxProcessors="75"
             enableLookups="true" acceptCount="10" debug="0"
             scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             clientAuth="true" keystoreFile="conf/server.keystore"
             keystorePass="password" protocol="TLS"/>
  </Connector>

* stop/start tomcat
* point IE browser to https://localhost/index.html

What IE tells me is that the page can't be displayed (after some handshaking attempts). Unfortunately, there is no log info generated (even if I increase the debug param in the Connector element).

Any clues as to what I may be doing wrong? Has ANYONE been able to get SSL client authentication working with Tomcat 4.0 standalone (Catalina).

Thanks in advance
-- Steven
Re: SSL client auth in Tomcat 4.0
Steven Bradley wrote:
> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble getting SSL client authentication working (getting SSL server auth working was a snap). Here's what I've done so far:
>
> * created a self-signed client cert using openSSL (key usage includes digital signature)
> * imported client cert (and private key) into Internet Explorer (by way of a PKCS#12 file)
> * imported the Tomcat JKS file with the client certificate

CA file?

> * configure tomcat server.xml file as follows:
>
>   <Connector className="org.apache.catalina.connector.http.HttpConnector"
>              port="443" minProcessors="5" maxProcessors="75"
>              enableLookups="true" acceptCount="10" debug="0"
>              scheme="https" secure="true">
>     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>              clientAuth="true" keystoreFile="conf/server.keystore"
>              keystorePass="password" protocol="TLS"/>
>   </Connector>
>
> * stop/start tomcat
> * point IE browser to https://localhost/index.html
>
> What IE tells me is that the page can't be displayed (after some handshaking attempts). Unfortunately, there is no log info generated (even if I increase the debug param in the Connector element).

Try with Mozilla or with openssl (something like: openssl s_client -port 8443 -host localhost).
Does it work when clientAuth=false?

> Any clues as to what I may be doing wrong? Has ANYONE been able to get SSL client authentication working with Tomcat 4.0 standalone (Catalina).

Sure I tested it... It worked ok.
Make sure the CA that has signed your certificates is in the CA file ($JAVA_HOME/jre/lib/security/cacerts or something).

> Thanks in advance
> -- Steven
RE: SSL client auth in Tomcat 4.0
Yes, I did it. It worked fine.

* First, let the clientAuth=false then try. If it doesn't work, you might be going wrong when generating the certificates stuff. Here are the steps:

  keytool -genkey -keystore client.keystore -alias client1
  keytool -keystore client.keystore -certreq -file client.csr -alias client1
  openssl ca -config /openssl.cnf -in client.csr -out client.pem -keyfile ca.key
  openssl x509 -in client.pem -out client.der -outform DER
  keytool -keystore <keystore-file> -import -file ca.cert -alias root
  keytool -keystore <keystore-file> -import -file client.der -alias client1

If you strictly follow these steps, you will be able to get it done. Please try and let me know the feedback to [EMAIL PROTECTED]

Cheers

-----Original Message-----
From: jean-frederic clere [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 3:53 PM
To: Tomcat Developers List
Subject: Re: SSL client auth in Tomcat 4.0

Steven Bradley wrote:
> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble getting SSL client authentication working (getting SSL server auth working was a snap). Here's what I've done so far:
>
> * created a self-signed client cert using openSSL (key usage includes digital signature)
> * imported client cert (and private key) into Internet Explorer (by way of a PKCS#12 file)
> * imported the Tomcat JKS file with the client certificate

CA file?

> * configure tomcat server.xml file as follows:
>
>   <Connector className="org.apache.catalina.connector.http.HttpConnector"
>              port="443" minProcessors="5" maxProcessors="75"
>              enableLookups="true" acceptCount="10" debug="0"
>              scheme="https" secure="true">
>     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>              clientAuth="true" keystoreFile="conf/server.keystore"
>              keystorePass="password" protocol="TLS"/>
>   </Connector>
>
> * stop/start tomcat
> * point IE browser to https://localhost/index.html
>
> What IE tells me is that the page can't be displayed (after some handshaking attempts). Unfortunately, there is no log info generated (even if I increase the debug param in the Connector element).

Try with Mozilla or with openssl (something like: openssl s_client -port 8443 -host localhost).
Does it work when clientAuth=false?

> Any clues as to what I may be doing wrong? Has ANYONE been able to get SSL client authentication working with Tomcat 4.0 standalone (Catalina).

Sure I tested it... It worked ok.
Make sure the CA that has signed your certificates is in the CA file ($JAVA_HOME/jre/lib/security/cacerts or something).

> Thanks in advance
> -- Steven
Re: SSL client auth in Tomcat 4.0
I have gotten clientAuth=true working with Tomcat 5. It is important to get the trusted certificates properly defined. I did this,

  export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit"

And sometimes defined this to get extra info.

  # -Djavax.net.debug=ssl,handshake,data,trustmanager

Cheers,
-bob

On Mon, 2002-10-14 at 20:13, Steven Bradley wrote:
> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble getting SSL client authentication working (getting SSL server auth working was a snap). Here's what I've done so far:
>
> * created a self-signed client cert using openSSL (key usage includes digital signature)
> * imported client cert (and private key) into Internet Explorer (by way of a PKCS#12 file)
> * imported the Tomcat JKS file with the client certificate
> * configure tomcat server.xml file as follows:
>
>   <Connector className="org.apache.catalina.connector.http.HttpConnector"
>              port="443" minProcessors="5" maxProcessors="75"
>              enableLookups="true" acceptCount="10" debug="0"
>              scheme="https" secure="true">
>     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>              clientAuth="true" keystoreFile="conf/server.keystore"
>              keystorePass="password" protocol="TLS"/>
>   </Connector>
>
> * stop/start tomcat
> * point IE browser to https://localhost/index.html
>
> What IE tells me is that the page can't be displayed (after some handshaking attempts). Unfortunately, there is no log info generated (even if I increase the debug param in the Connector element).
>
> Any clues as to what I may be doing wrong? Has ANYONE been able to get SSL client authentication working with Tomcat 4.0 standalone (Catalina).
>
> Thanks in advance
> -- Steven
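Jean-Frederic's "make sure the CA that has signed your certificates is in the CA file", the certificate-generation steps posted in the thread, and Bob's -Djavax.net.ssl.trustStore setting all come down to one check, and the Java program below is an added example (not code from this thread or from Tomcat) that performs it offline: it loads the browser's PKCS#12 file and the JKS truststore the JVM will consult, and reports for each client certificate which trusted entry actually verifies its signature. File names and passwords are command-line arguments; it assumes a JDK 7 or later and the stock JKS and PKCS12 keystore types, and it also handles Steven's self-signed case, where the client certificate itself must be the trusted entry.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added diagnostic (not from the thread): does the client cert in a PKCS#12 file
// chain to a trusted entry of the truststore the JVM uses for clientAuth? JDK 7+.
public class ClientCertTrustCheck {
    // Alias of the trusted entry whose key verifies clientCert's signature, or null.
    // A self-signed client cert passes only if the cert itself is a trusted entry.
    static String findSigningCa(KeyStore trustStore, X509Certificate clientCert) throws Exception {
        for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!trustStore.isCertificateEntry(alias)) continue;   // skip private-key entries
            X509Certificate ca = (X509Certificate) trustStore.getCertificate(alias);
            // Cheap name match first, then the real test: does this key verify the signature?
            if (!ca.getSubjectX500Principal().equals(clientCert.getIssuerX500Principal())) continue;
            try {
                clientCert.verify(ca.getPublicKey());
                return alias;
            } catch (Exception ex) {
                // same DN but a different key (e.g. a regenerated demoCA): keep looking
            }
        }
        return null;
    }

    static KeyStore load(String type, String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, password.toCharArray()); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // usage: java ClientCertTrustCheck test.p12 <p12-password> cacerts.jks <truststore-password>
        KeyStore p12 = load("PKCS12", args[0], args[1]);
        KeyStore trust = load("JKS", args[2], args[3]);
        for (Enumeration<String> e = p12.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!p12.isKeyEntry(alias)) continue;                 // only entries that carry a private key
            X509Certificate client = (X509Certificate) p12.getCertificate(alias);
            client.checkValidity();                               // throws if expired or not yet valid
            String ca = findSigningCa(trust, client);
            System.out.println(client.getSubjectX500Principal() + ": " + (ca == null
                ? "no trusted issuer, the handshake will fail with clientAuth=\"true\""
                : "signed by trusted entry '" + ca + "'"));
        }
    }
}
```

Point it at the same truststore Tomcat's JVM uses (the cacerts file, or whatever -Djavax.net.ssl.trustStore names); a "no trusted issuer" result explains the failed handshake before any server log is involved.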