Re: setting up tomcat to accept client certificate
Hi, Whenever I try to set the parameter clientAuth=true in the server.xml to accept client certificate from the user, after restarting Tomcat starts up well, but then I get 'Cannot find server' error when I try to access the https sites. But the http sites work perfectly. But when this parameter is set to 'false' https and http both works perfectly, though the client is not asked for certificate. The server certificate I am using has been generated by keytool. The client certificate is a third party one. I am using Tomcat standalone version 4.0.1 with jdk1.3.1 I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk ext path. Any pointer will be really helpful. We're using client auth in our application and here's how we got it working (Linux 2.4/Windows NT/Windows 2000, Sun Jdk 1.3.1_02/IBM JDK 1.3): - The key store used when validating client certs against CA certs is JAVA_HOME/jre/lib/security/cacerts - Delete all unwanted CA certs from this keystore (usually all of them). - Add the required CA certs. - Client auth should now work fine. This solution has the problem that it affects all Java programs using JSSE. That's not an issue in our environment, but it may be in your's. Maybe an SSL specialist knows a little more about this (Erik?). BTW, I didn't see anything about this in the docs (though I haven't looked at them for quite a while). If it's not there, it should be added. Of course, a clean solution that only affects individual webapps would be better. Does it help using PureTLS? Best regards Andreas Junghans -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
setting up tomcat to accept client certificate
Hi All, Whenever I try to set the parameter clientAuth=true in the server.xml to accept client certificate from the user, after restarting Tomcat starts up well, but then I get 'Cannot find server' error when I try to access the https sites. But the http sites work perfectly. But when this parameter is set to 'false' https and http both works perfectly, though the client is not asked for certificate. The server certificate I am using has been generated by keytool. The client certificate is a third party one. I am using Tomcat standalone version 4.0.1 with jdk1.3.1 I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk ext path. Any pointer will be really helpful. Thanks Kunal _ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: setting up tomcat to accept client certificate
Kunal, This is exactly how the code is supposed to work: the certificate is *not* fetched from the client if the parameter is set to 'false'. Patrick kunal kaviraj wrote: Hi All, Whenever I try to set the parameter clientAuth=true in the server.xml to accept client certificate from the user, after restarting Tomcat starts up well, but then I get 'Cannot find server' error when I try to access the https sites. But the http sites work perfectly. But when this parameter is set to 'false' https and http both works perfectly, though the client is not asked for certificate. The server certificate I am using has been generated by keytool. The client certificate is a third party one. I am using Tomcat standalone version 4.0.1 with jdk1.3.1 I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk ext path. Any pointer will be really helpful. Thanks Kunal _ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- _ Patrick Luby Email: [EMAIL PROTECTED] Sun Microsystems Phone: 408-276-7471 901 San Antonio Road, USCA14-303 Palo Alto, CA 94303-4900 _ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: setting up tomcat to accept client certificate
kunal kaviraj [EMAIL PROTECTED] writes: Whenever I try to set the parameter clientAuth=true in the server.xml to accept client certificate from the user, after restarting Tomcat starts up well, but then I get 'Cannot find server' error when I try to access the https sites. But the http sites work perfectly. But when this parameter is set to 'false' https and http both works perfectly, though the client is not asked for certificate. The server certificate I am using has been generated by keytool. The client certificate is a third party one. I am using Tomcat standalone version 4.0.1 with jdk1.3.1 I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk ext path. Any pointer will be really helpful. Hmm... Have you checked that: (1) Your client has a certificate. (2) The server has the appropriate CA for that certificate? What do the server log files say? You might try using ssldump (http://www.rtfm.com/ssldump) to see what's going on. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
RE: setting up tomcat to accept client certificate
tomcat-user question... but: Can your server reach the CA for the client certificate? AFAICR it must check the cert is valid.. -Original Message- From: patrick.luby Sent: 15 March 2002 17:11 To: tomcat-dev Cc: patrick.luby Subject: Re: setting up tomcat to accept client certificate Kunal, This is exactly how the code is supposed to work: the certificate is *not* fetched from the client if the parameter is set to 'false'. Patrick kunal kaviraj wrote: Hi All, Whenever I try to set the parameter clientAuth=true in the server.xml to accept client certificate from the user, after restarting Tomcat starts up well, but then I get 'Cannot find server' error when I try to access the https sites. But the http sites work perfectly. But when this parameter is set to 'false' https and http both works perfectly, though the client is not asked for certificate. The server certificate I am using has been generated by keytool. The client certificate is a third party one. I am using Tomcat standalone version 4.0.1 with jdk1.3.1 I have downloaded the jsse1.0.2 and put the 3 jar files in the jdk ext path. Any pointer will be really helpful. Thanks Kunal _ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- _ Patrick Luby Email: [EMAIL PROTECTED] Sun Microsystems Phone: 408-276-7471 901 San Antonio Road, USCA14-303 Palo Alto, CA 94303-4900 _ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]