Re: How to use digital certificates

2003-06-22 Thread Mario Ivankovits
I think it is not a good idea to use the subject of the certificate as
username.

1) You cannot mix form or basic authentication with certificate
authentication. You have to implement a certificate-to-user mapping within
your application.
2) A certificate can change.

This is what my JNDIRealm* classes try to achieve. It makes no difference if
one uses certificates or any other authentication, the username is always
the same. The mapping to the real username is done during authentication,
transparently to the application.

Mario

Re: How to use digital certificates

2003-06-21 Thread Bill Barker
Assuming that iPlanet is sending a normal x509 chain, then it should be
mostly working.  You'll have to make certain that the root-CA is installed
in cacerts (I'm assuming that you are using JSSE) so that the client-cert
can be verified.  At least with the Sun JVM, I believe that only Verisign
and Thawte are installed by default.

Getting the name is a bit more of a problem.  It is usually the CN of the
Subject, but not always.  If this is the case with your certs, then you'll
need a custom Realm that extracts the CN and validates the user (MemoryRealm
uses the full Subject as the user-name).

Re: How to use digital certificates

2003-06-21 Thread appa rao
HTTPS is working properly (I configured SSL properly). I installed the root/chain cert
in Tomcat and the user certs in the browser. I set clientauthentication to true in
server.xml. It is working properly. The only thing I need is to pick the
username/password from the user cert and authenticate. As said, I think I'll have to
write a custom Realm. Where can I get more information on getting the usernames from
the certificates?

Appa
Re: How to use digital certificates

2003-06-20 Thread Antonio Fiol Bonnín
Do you mean... ?

    // Imports needed at the top of the servlet:
    import java.security.cert.X509Certificate;
    import javax.servlet.http.HttpServletRequest;

    // Tomcat exposes the verified client chain as a request attribute; the
    // attribute is null when no client certificate was presented.
    X509Certificate[] certs =
        (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    if (certs != null && certs.length > 0) {
        X509Certificate crt = certs[0];   // certs[0] is the client's own certificate

        // Use the cert here.
        String subjectDNName = crt.getSubjectDN().getName();
        System.out.println("Issuer: " + crt.getIssuerDN().getName());
        // And so on...
    }
I developed a simple test servlet that may help you test your servlet 
environment. If someone wishes it, I can contribute it to TC or send it 
privately for any use. For that, please contact me at work:  antonio 
dot fiol at red dot es 

Antonio Fiol

Re: How to use digital certificates

2003-06-20 Thread Mario Ivankovits
I have developed a solution, where you can use client-certificates for user
authentication.

You can find information at
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

Currently an implementation for Standard LDAP and Windows-2000
ActiveDirectory is available.
Using W2K-AD you might have troubles, since I have tested it only with two
different client-certificates.

Mainly you have to import the certificate in your LDAP Server, and then the
user-mapping is done by my JNDIRealm* classes.

Mario


Re: How to use digital certificates

2003-06-20 Thread Bill Barker
Ok, everyone else is signing their replies.  I can do that too ;-).

Out-of-the-box, TC 4.1.24 has very limited support for x509 auth.  Only the
(deprecated) MemoryRealm actually supports it.  Also, only the Stand-Alone
JSSE Connector will correctly retrieve the x509 certs in the current release
version (the Jk-Coyote Connector is fixed in the CVS, and the fixes for the
Stand-Alone PureTLS Connector will show up before 4.1.25 comes out).


Re: How to use digital certificates

2003-06-20 Thread appa rao
Thanks for the reply..
Let me clearly tell you the problem..
We use certificates generated by iPlanet Certificate Server. All the client (user)
certificates are on a swipe card which is read by a Gemplus card reader using the USB
port. The problem is, when the user swipes it, the user should automatically be
authenticated.. (currently we have another web application running on iPlanet web
server, which picks up the username from the card and authenticates against LDAP). Is
this possible in Tomcat? SSL is working fine - the only problem is authentication..
 
Thanks
Appa

Re: How to use digital certificates

2003-06-20 Thread Mario Ivankovits
 we use certificates generated by iPlanet Certificate Server. All the
client(user) certificates are on a swipe card which are read by Gemplus card
reader using USB port. The problem is when the user swipes it, user
should automatically be authenticated.. (currently we have another web
application running on iPlanet web server - which picks up username from
the card and authenticates against LDAP).  Is this possible in
Tomcat?  SSL is working fine - only problem is authentication..


I do not know the iPlanet Certificate Server; we use the LDAP server
(openldap) from SuSE OpenExchange.

*) The browser sends the user-certificate to tomcat (standalone installation
!!). I do not know what you mean by the web-application picking up the
username; I think such a web-application can only get the certificate.
*) JNDIRealmCertOpenExchange tries to look up a user with this certificate.
*) If a user is found, the username of this LDAP entry is used for the
resulting principal.

I am not aware of the protocol iPlanet uses; if it is standard LDAP you
might have luck, else you have to write your own realm.

Mario
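
The lookup Mario describes (browser presents the certificate, the realm finds the user it is enrolled for, that entry's username becomes the principal), together with Bill's point that the subject CN is not a reliable username, as an added Java example that is not from this thread and not Mario's JNDIRealm code. It assumes a JDK with javax.naming.ldap (Java 5 or later), the servlet API on the classpath, and a hypothetical CertUserMapper class whose in-memory map stands in for the LDAP lookup.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper, not Tomcat's and not the JNDIRealm* code: maps a client
 * certificate Tomcat has already verified to an application username. The
 * in-memory map stands in for the LDAP lookup Mario describes.
 */
public final class CertUserMapper {
    // "canonical issuer DN|serial hex" -> username, filled by register().
    private final Map<String, String> users = new HashMap<String, String>();

    // Issuer plus serial is unique per CA, so it identifies exactly one
    // certificate. A renewed certificate has a new serial, so the mapping must
    // be refreshed on renewal (Mario's "a certificate can change").
    static String keyFor(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName(X500Principal.CANONICAL)
               + "|" + cert.getSerialNumber().toString(16);
    }

    public void register(X509Certificate cert, String username) {
        users.put(keyFor(cert), username);
    }

    // Tomcat sets the attribute only when a client certificate was presented
    // and verified; chain[0] is the end-entity (user) certificate.
    public String usernameFor(HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[])
            request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null;                       // no cert: form/basic auth can take over
        }
        return users.get(keyFor(chain[0]));    // null when the cert is not mapped
    }

    // CN of the subject, or null if there is none. Bill's caveat: the CN is a
    // display name chosen by the CA, so use it only for a lookup scoped to a
    // trusted issuer, never as the username on its own.
    static String subjectCN(X509Certificate cert) throws InvalidNameException {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }
}
```

A custom Realm would call usernameFor() and return null (unauthenticated) when the certificate is not enrolled, instead of trusting whatever name the certificate carries.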


How to use digital certificates

2003-06-19 Thread appa rao
Hi,

Can anyone give me an example of how to use Digital Certificates for authentication
and authorization in Tomcat? I am struggling to understand the concept of certificates
and their use in authentication and authorization.. I am using Tomcat - 4.1.24.

Thanks in advance..

appa
