Tomcat SSL Client Authentication
Hello, I've configured Tomcat SSL client authentication with these settings:

web.xml
...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
...

server.xml
...
  <Connector port="8443" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks"
             keystorePass="changeit"
             truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
...

The client certificate (client.cer) is installed in my IE browser (version 6.0.28). When I invoke https://localhost:8443/mywebapp, a window appears that asks me to accept the server certificate. I accept and my webapp index page appears. So why don't I see a window for client authentication? And why do I get the same behaviour when I remove client.cer from my browser? It seems that client certification doesn't work. Any help would be greatly appreciated.

Thank you,
Luca Ercoli
Re: Tomcat SSL Client Authentication
Hi, I believe that the clientAuth needs to be set to true in the server.xml.

Jim

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat SSL Client Authentication
Hi Jim,

I've tried with clientAuth = true, but the server certificate window doesn't appear and I get a "page not found" error.

- Original Message -
From: ohaya [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 12:49 PM
Subject: Re: Tomcat SSL Client Authentication
Re: Tomcat SSL Client Authentication
Hi,

Sorry if that didn't help. Here's what I have in server.xml (I don't remember if I had to change anything outside of server.xml to enable client authentication):

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector port="8443" className="org.apache.coyote.tomcat5.CoyoteConnector"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" debug="0" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="e:\tomcat\jakart~1.27\ssl\servercertificate.keystore"
             keystoreType="PKCS12"
             truststoreFile="C:\Documents and Settings\Administrator\.keystore"
             truststorePass="XXX" truststoreType="JKS" />

Jim

P.S. When I was doing this (which was a while ago), I didn't find any way to get Tomcat to check for client cert revocations (i.e., CRL checking). I don't know if that has changed at all since then.
Re: Tomcat SSL Client Authentication
What version of TC? I've read something about configuring the HTTPS connector to perform SSL client certificate authorization. I agree with Jim: in server.xml, the clientAuth should be set to true. That is the correct setting; if you get a page not found, that doesn't mean the cert didn't work... Also, the name on the client cert must be exactly the same as the one in the user database. I've also read that you don't need any security-constraints to use CLIENT-CERT unless you're also using a separate Realm.

DW
Re: Tomcat SSL Client Authentication
Tomcat version 5.5.9 (JDK 1.5.0_02 and Windows 2000 Professional). The client certificate username is a Tomcat user (with which I've already successfully tested DIGEST authentication). The strange thing is that when I set clientAuth to true I never see the alert window of the server certificate (while it does appear with clientAuth = false).

- Original Message -
From: Darryl Wilburn [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 3:55 PM
Subject: Re: Tomcat SSL Client Authentication
SSL Client authentication against MemoryRealm
Hi,

SSL client authentication doesn't work against MemoryRealm, because the authentication mechanism passes the DN of the client certificate to the realm after validation for role assignment, but the memory realm doesn't allow usernames that contain ',' or '=' characters. Because the DN contains these characters, the user can't get authenticated. I haven't tested this with other Realms, but it's important to fix it on MemoryRealm, which is used primarily for testing purposes. The Tomcat version I'm using is 5.0.16.

Greetings
--
Jesus De Oliveira
Consultor IT
Baysystem Consultores C.A.
Tlf: (0212) 339.06.96 (0414) 300.06.46
SSL Client authentication
Hi All,

Using jboss-3.2.3-tomcat 4.1.29, I've got both server and client authentication fully working. Using the same keystore and with clientAuth set to false, everything works fine, but when I set clientAuth to 'true', the server fails to authenticate my client. My connector in .../jbossweb-tomcat.sar/META-INF/jboss-service.xml is...

  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true" acceptCount="10" debug="5"
             scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             keystoreFile="/opt/local/.keystore" keystorePass="picalo"
             clientAuth="true" protocol="SSLv3"/>

The log file error indicates the handshake failed - 'null cert chain'. Any help?
Re: SSL Client authentication
It sounds like your client is trying to send a self-signed cert (which won't work). The client needs to send a cert that is signed by somebody in the TrustStore.
Re: 2 way SSL (client authentication)
The ssl-howto has instructions for generating a self-signed Server-cert. You can't use a self-signed client-cert (Ok, I'm lying, but it's for your own good: You can with PureTLS, but for your own good, I'm going to make you look it up yourself :). The client-cert needs to be signed by someone in your TrustStore.
2 way SSL (client authentication)
Hi all,

I am trying to implement 2-way SSL (client authentication) on Tomcat 4. I am following all the steps, but still have something missing (all the documentation describes how to deal with certificates that are verified by a CA). I need to know how to generate a normal self-signed certificate and how to use it in a proper way.

Thnx.
Amjad Shahrour
Application Developer
Tel: +966.2.653.3334 ext 213
[EMAIL PROTECTED]
www.labbaik.com
solution problems with ssl client authentication
Hello,

Here's the solution for some major problems which I experienced getting client authentication to work. I'll post it to help people save time. It cost me more than a week to get it working, and the solution is so simple it can be done in less than half an hour.

Problem 1: getting existing certificates into the keystore

If you already have a CA, client and server certificate, this is what to do:

  openssl pkcs12 -export -in servercert.crt -inkey mykey.key -out servercert.p12 -name tomcat -CAfile myCA.crt -caname root -chain

This is the only command that works, trust me, I've tried a lot too ;-) Then set keystoreType="PKCS12" in the SSL connector in server.xml.

Problem 2: certificate is not trusted

On the net all sorts of solutions are given, but this is the only one I got working. The only solution is adding manually, with a program like keytool or keyman, the CA certificate of the client to JAVA_HOME\jre\lib\security\cacerts. Creating a truststore and adding

  CATALINA_OPTS=-Djavax.net.ssl.trustStore=PATH_TO_TRUSTSTORE -Djavax.net.ssl.trustStorePassword=PASSWORD_FROM_TRUSTSTORE

didn't work for me.

Hope it helps a lot of people,
Twan
ssl client authentication drives me crazy
Hello,

With Apache, client authentication was so simple. Now my boss wants to use it for smartcard login and I have to use Tomcat with Cocoon. That's why I need client authentication with SSL to work. But I just can't fix it; can anyone please help me? All examples won't work; I always get errors like "Unsupported SSL v2.0 ClientHello", "no cipher suites in common" and handshake error. Can somebody please tell me how to use keytool? I've got the following certificates and I use them in Apache like this:

  1 server.crt = server certificate
  2 ca.crt = chain certificate
  3 ca-bundle.crt = lots of certificates for client authentication
  4 server.key = I really don't know how to get this one into keytool

Thnx
Twan Munster
Re: ssl client authentication drives me crazy
This article solved everything for me: http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html

Follow it to the letter and you will get it to work. Trust me.

From: Twan Munster [EMAIL PROTECTED]
Reply-To: Twan Munster [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: ssl client authentication drives me crazy
Date: Tue, 14 Oct 2003 09:33:26 +0200
Re: ssl client authentication drives me crazy
Hi,

And also when I use those self-signed certificates, it won't work; always the same errors: Unsupported SSL v2.0 ClientHello, no cipher suites in common and handshake error. What can it be??? Something wrongly configured? This is my server.xml:

  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true" acceptCount="10" debug="0"
             scheme="https" secure="true" useURIValidationHack="false">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="true" keystoreFile="c:/server.keystore"
             keystorePass="changeit"/>
  </Connector>

- Original Message -
From: Kenneth Westelinck [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 9:40 AM
Subject: Re: ssl client authentication drives me crazy
Re: Tomcat 4 + ssl + client authentication
> Client cert verification is done against the TrustStore, not the KeyStore. Tomcat 5 has some improvements for this. Tomcat 4 is still a bit limited.
>
> > I have no idea what is going wrong. Can someone tell me how to make this work?
>
> Assuming that you don't want to just import the signing cert into cacerts (see the JSSE docs for how to do this), then you need to have something like:
>
>   CATALINA_OPTS=-Djavax.net.ssl.trustStore=/path/to/my/truststore -Djavax.net.ssl.trustStorePassword=myTrustStorePassword
>
> At the moment, your TrustStore file has to be in the same format as your KeyStore file (a nasty limitation that I haven't gotten around to fixing :).

Yep, done that. Yesterday after sending this mail I was able to get it to work, authenticating using the imported client key in Mozilla and putting the signed client key in this truststore. So it is working now using Mozilla (nice). So now I found out there is a keyStore property as well (stupid me), and I was able to authenticate using my Java client against the server (nice again). If someone is interested in the code, this is the client part (just for testing):

  import org.apache.commons.httpclient.HttpClient;
  import org.apache.commons.httpclient.methods.GetMethod;
  import org.apache.commons.httpclient.protocol.Protocol;

  // The client keystore doubles as the truststore: it holds the signed client key
  // and the cert that signed it, so the server's cert chain validates against it too.
  System.setProperty("javax.net.ssl.trustStore", "f:/client.keystore");
  System.setProperty("javax.net.ssl.keyStore", "f:/client.keystore");
  System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

  HttpClient httpclient = new HttpClient();
  // StrictSSLProtocolSocketFactory is the HttpClient sample class mentioned below.
  Protocol myhttps = new Protocol("https", new StrictSSLProtocolSocketFactory(false), 8443);
  httpclient.getHostConfiguration().setHost("myhost", 8443, myhttps);
  GetMethod httpget = new GetMethod("/");
  httpclient.executeMethod(httpget);

with StrictSSLProtocolSocketFactory the same code as the sample code you can download from the Apache/HttpClient site.

One question though ... suppose the client keyStore has different keys, how can one tell the code to use key A or key B (for the moment there's only one key in this keyStore)? Using Mozilla it is simple, it just asks which key to use.

Thank you for your help.

regards,
Kenneth
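One way to answer that last question, as an added example that is neither Kenneth's code nor HttpClient's: a thin wrapper around the JDK's default X509KeyManager that pins the alias presented during client authentication, so a keystore holding several client keys sends the one you choose. The keystore path and password, the host, and the aliases keyA/keyB are assumptions for this example.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.net.URI;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Delegates everything to the JDK's default X509KeyManager except the choice of
 * client alias, which is fixed at construction time. Without this, JSSE picks
 * the first alias whose issuer matches the server's CertificateRequest.
 */
public final class AliasSelectingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String clientAlias;

    public AliasSelectingKeyManager(X509KeyManager delegate, String clientAlias) {
        // Fail early: a wrong alias would otherwise surface as a handshake failure.
        if (delegate.getPrivateKey(clientAlias) == null) {
            throw new IllegalArgumentException("no private key under alias " + clientAlias);
        }
        this.delegate = delegate;
        this.clientAlias = clientAlias;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // Ignore the server's issuer list and always present the chosen key.
        return clientAlias;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Builds an SSLContext whose client side always authenticates with the given alias. */
    public static SSLContext contextFor(String keyStorePath, char[] password,
                                        String trustStorePath, String alias) throws Exception {
        // JKS is the format keytool produced at the time of this thread.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager defaultKm = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                defaultKm = (X509KeyManager) km;
                break;
            }
        }
        if (defaultKm == null) {
            throw new IllegalStateException("no X509KeyManager available");
        }

        // Trust is still decided by the truststore, never by the keystore.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new AliasSelectingKeyManager(defaultKm, alias) },
                 tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: f:/client.keystore (used as both keystore and truststore, as in the post)
        // holds client keys under the hypothetical aliases "keyA" and "keyB".
        SSLContext ctx = contextFor("f:/client.keystore", "changeit".toCharArray(),
                                    "f:/client.keystore", "keyA");
        HttpsURLConnection conn =
            (HttpsURLConnection) URI.create("https://myhost:8443/").toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```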
ssl client authentication again
Hello,

I've worked around it using apache+mod_ssl, but I'm running into several problems now, so please can somebody help me with the next problem: I've always used the Apache HTTP server for client authentication with SSL. I've installed Tomcat now for my JSPs. But I'm not able to get SSL client authentication working. The problem is getting my existing certificates working in Tomcat. In the Apache HTTP server it was very easy; I configured all the stuff in my httpd.conf. I also tried to get Tomcat working with keytool, but there's something I do wrong. I always get a handshake error. Can somebody please tell me how to use keytool? I've got the following certificates:

  1 server.crt = server certificate
  2 ca.crt = chain certificate
  3 ca-bundle.crt = lots of certificates for client authentication
  4 server.key = I really don't know how to get this one into keytool

Thnx
Twan Munster
Re: ssl client authentication again
The Tomcat 5 docs have an example for this: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

Since it's just about setting up the KeyStore, this section applies to Tomcat 4 (or even Tomcat 3 :) as well.
Tomcat 4 + ssl + client authentication
Hi all,

I've been searching the internet for 2 days now and still haven't found a solution for my problem. I am trying to set up a Tomcat 4 server running in HTTPS mode, contacted by a client written in Java. The client is using HttpClient from Apache. I have done everything the document at http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html describes. If I disable client authentication in the Tomcat config, the client is able to communicate with the server. If I enable the authentication, the client aborts with the following exception:

  java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
      at java.net.SocketInputStream.socketRead0(Native Method)
      ...

I enabled all possible debugging on the Tomcat server and this is part of what I found in the console:

  Thread-10, WRITE: SSL v3.1 Handshake, length = 625
  Thread-10, READ: SSL v3.1 Handshake, length = 141
  *** Certificate chain ***
  Thread-10, SEND SSL v3.1 ALERT: fatal, description = bad_certificate
  Thread-10, WRITE: SSL v3.1 Alert, length = 2

The client's certificate cannot be bad. It was signed with the server's key and it's in the server's keystore. I have no idea what is going wrong. Can someone tell me how to make this work?

MTIA
regards,
Kenneth
Re: Tomcat 4 + ssl + client authentication
Kenneth Westelinck [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> The client's certificate cannot be bad. It was signed with the server's key and it's in the server's keystore.

Client cert verification is done against the TrustStore, not the KeyStore. Tomcat 5 has some improvements for this. Tomcat 4 is still a bit limited.

> I have no idea what is going wrong. Can someone tell me how to make this work?

Assuming that you don't want to just import the signing cert into cacerts (see the JSSE docs for how to do this), then you need to have something like:

  CATALINA_OPTS=-Djavax.net.ssl.trustStore=/path/to/my/truststore -Djavax.net.ssl.trustStorePassword=myTrustStorePassword

At the moment, your TrustStore file has to be in the same format as your KeyStore file (a nasty limitation that I haven't gotten around to fixing :).
SSL Client authentication: what goes in tomcat-users.xml?
Following the advice from this link http://books.mcgraw-hill.com/betabooks/aug02/taylor/0072225653_ch10.html I tried to get SSL client authentication to work by setting the following entry in tomcat-users.xml:

  <user username="CN=x, OU=y, O=z, L=a, S=b, C=c" password="" roles="user"/>

where x, y, z, etc. have real but unimportant values. Evidently Tomcat somehow matches the distinguished name from my certificate against an entry in the users file, presumably to establish the user's role. If it fails to make a match, no authentication takes place, which, I guess, is why I was able to access protected pages but getUserPrincipal() was returning null. However, when I start Tomcat I get the error:

  GlobalResourcesLifecycleListener: Exception creating UserDatabase MBeans for UserDatabase
  javax.management.MalformedObjectNameException: ObjectName: Invalid (key,value) pair - username=CN=x

So, what do I put in tomcat-users.xml to get client certificate authentication to work? Do I have to escape the '=' signs in some way?

TIA (as I really want to put this issue to bed),
Chris Williams.

P.S. If somebody tells me to read the FAQ, please specify WHICH FAQ. I've read hundreds over the past few days trying to get to the bottom of CLIENT-CERT auth.
Re: SSL Client authentication: what goes in tomcat-users.xml?
Christopher Williams [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Following the advice from this link http://books.mcgraw-hill.com/betabooks/aug02/taylor/0072225653_ch10.html I tried to get SSL client authentication to work by setting the following entry in tomcat-users.xml:
>
> <user username="CN=x, OU=y, O=z, L=a, S=b, C=c" password="" roles="user"/>
>
> where x, y,z, etc. have real but unimportant values. Evidently Tomcat somehow matches the distinguished name from my certificate against an entry in the users file, presumably to establish the user's role. If it fails to make a match, no authentication takes place which, I guess, is why I was able to access protected pages but getUserPrincipal() was returning null.
>
> However, when I start Tomcat I get the error:
>
> GlobalResourcesLifecycleListener: Exception creating UserDatabase MBeans for UserDatabase
> javax.management.MalformedObjectNameException: ObjectName: Invalid (key,value) pair - username=CN=x

The correct value to use is the string-value of the Certificate Subject. However, only the MemoryRealm (of the standard Tomcat Realms) works with CLIENT-CERT authentication. So you have to disable the default DatasourceRealm and enable the MemoryRealm. You also have to (at least in 4.1.27 and lower) disable the Datasource under the GlobalResources. This is because it will attempt to write back the tomcat-users.xml file without escaping the attribute values (resulting in invalid XML). Then (after fixing the damage that Tomcat has already done to your file :), what you have should work.

> So, what do I put in tomcat-users.xml to get client certificate authentication to work? Do I have to escape the '=' signs in some way?

The main thing that you have to escape is quote ('"') characters. For example, Verisign-issued certs typically have an entry like O="Verisign, Inc.". You need to render this as O=&quot;Verisign, Inc.&quot;.

> TIA (as I really want to put this issue to bed),
> Chris Williams.
>
> P.S. If somebody tells me to read the FAQ, please specify WHICH FAQ. I've read hundreds over the past few days trying to get to the bottom of CLIENT-CERT auth.
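Bill's answer above comes down to two things: the username attribute must be the certificate subject string with its quote characters escaped, and Tomcat's own write-back produced an unescaped, invalid file. The following is an added Go example, not code from the thread or from Tomcat, that generates the entry with encoding/xml so the serializer does the escaping, and parses it back to show that the same entry typed by hand with raw quotes is not well-formed XML. The subject `CN=alice, O="Verisign, Inc.", C=US` is a constructed sample in the form Bill describes, and TomcatUser, UserEntry and RoundTrip are names chosen for this example. Go writes the quote as `&#34;` where Bill wrote `&quot;`; an XML parser reads both as the same character.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// TomcatUser mirrors one <user .../> element of tomcat-users.xml as the MemoryRealm reads it.
// Hypothetical type name chosen for this example.
type TomcatUser struct {
	XMLName  xml.Name `xml:"user"`
	Username string   `xml:"username,attr"`
	Password string   `xml:"password,attr"`
	Roles    string   `xml:"roles,attr"`
}

// UserEntry renders the entry for a certificate subject string. encoding/xml escapes the
// quote characters inside the attribute value, the step Bill says must not be skipped.
func UserEntry(subject, roles string) (string, error) {
	out, err := xml.Marshal(TomcatUser{Username: subject, Roles: roles})
	return string(out), err
}

// RoundTrip parses an entry and returns the username the realm would compare with the
// certificate subject. It returns an error for the malformed XML that raw quotes produce.
func RoundTrip(entry string) (string, error) {
	var u TomcatUser
	err := xml.Unmarshal([]byte(entry), &u)
	return u.Username, err
}

func main() {
	// Constructed sample subject in the form Bill describes (O="Verisign, Inc.").
	subject := `CN=alice, O="Verisign, Inc.", C=US`
	entry, err := UserEntry(subject, "user")
	fmt.Println(entry, err)
	name, err := RoundTrip(entry)
	fmt.Println(name == subject, err)
	// The same entry typed by hand with the quotes left unescaped is not valid XML.
	_, err = RoundTrip(`<user username="` + subject + `" password="" roles="user"/>`)
	fmt.Println(err)
}
```

The round trip is the check worth keeping: whatever produces tomcat-users.xml, parsing it back and comparing the username byte-for-byte with the subject string is how you confirm the realm will match the certificate.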
SSL Client authentication woes
My setup:
Windows XP Pro
JDK 1.4.1
JWSDP 1.0

I'm hoping to get SSL client authentication working for web services. I set up Tomcat for SSL ages ago and it works fine. However, I run into multiple problems when I attempt to use SSL client authentication.

I have enabled client authentication by changing the value of clientAuth in server.xml to true. I removed all security-constraint and login-config entries from my web.xml as they didn't appear to have any effect (question: am I right to do so? I've done my research on the web and there are no consistent instructions for what to do).

When I access https://localhost:8443/ in Internet Explorer, I get notified that a private key is being used and the server home page displays fine. However, when I first access the page, the following stack trace appears on Tomcat's console:

PoolTcpEndpoint: Handshake failed
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
...
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
        ... 7 more
ThreadPool: Caught exception executing [EMAIL PROTECTED], terminating thread
java.lang.NullPointerException
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
...

Does anybody know what the problem is here?

The second thing is, I want to know who's accessing pages and web services. That's the whole point of authentication, right? However, when SSL client authentication is in force, the following calls all return null:

request.getUserPrincipal()
request.getRemoteUser()
request.getAttribute("javax.servlet.request.X509Certificate")
request.getAttribute("org.apache.coyote.request.X509Certificate")

This seems most bizarre. At some point these calls must return non-null values as they are used in org.apache.catalina.authenticator.SSLAuthenticator. Does anybody know whether there are any server settings to make these calls return the correct values?

Ideally, I would like to have just one or two URL-patterns protected by SSL, like you do with HTTP authentication rather than it being all or nothing. Is this possible with Tomcat?

Kind regards,
Chris Williams.
Re: SSL Client authentication woes
Christopher Williams [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> My setup:
> Windows XP Pro
> JDK 1.4.1
> JWSDP 1.0
>
> I'm hoping to get SSL client authentication working for web services. I set up Tomcat for SSL ages ago and it works fine. However, I run into multiple problems when I attempt to use SSL client authentication.
>
> I have enabled client authentication by changing the value of clientAuth in server.xml to true. I removed all security-constraint and login-config entries from my web.xml as they didn't appear to have any effect (question: am I right to do so? I've done my research on the web and there are no consistent instructions for what to do).

Tomcat currently has only very light support for this, but this is orthogonal to your current problem.

> When I access https://localhost:8443/ in Internet Explorer, I get notified that a private key is being used and the server home page displays fine. However, when I first access the page, the following stack trace appears on Tomcat's console:
>
> PoolTcpEndpoint: Handshake failed
> javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
> ...
> Caused by: java.io.EOFException: SSL peer shut down incorrectly
>         at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
>         ... 7 more
> ThreadPool: Caught exception executing [EMAIL PROTECTED], terminating thread
> java.lang.NullPointerException
>         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
> ...
>
> Does anybody know what the problem is here?

Tomcat obviously doesn't like your client-cert, or (more likely) you don't have any. By default, only Verisign/Thawte signed client certs are recognized (at least with Sun's JVM). If this is your problem, then you need to set up a TrustStore (or import the signer into cacerts). Searching the archives for 'TrustStore' will give you an answer faster than waiting on me.

> The second thing is, I want to know who's accessing pages and web services. That's the whole point of authentication, right? However, when SSL client authentication is in force, the following calls all return null:
>
> request.getUserPrincipal()
> request.getRemoteUser()
> request.getAttribute("javax.servlet.request.X509Certificate")
> request.getAttribute("org.apache.coyote.request.X509Certificate")
>
> This seems most bizarre. At some point these calls must return non-null values as they are used in org.apache.catalina.authenticator.SSLAuthenticator. Does anybody know whether there are any server settings to make these calls return the correct values?
>
> Ideally, I would like to have just one or two URL-patterns protected by SSL, like you do with HTTP authentication rather than it being all or nothing. Is this possible with Tomcat?

This is in the FAQ.

> Kind regards,
> Chris Williams.
SSL client authentication
Hello,

I've always used apache http server for client authentication with ssl. I've installed Tomcat now for my JSPs. But I'm not able to get the ssl client authentication working. The problem is getting my existing certificates working in tomcat. In apache http server it was very easy. I configured all the stuff in my httpd.conf. I also tried to get tomcat working with keytool. But there's something I do wrong. I always get handshake error. Can somebody please tell me how to use keytool.

I've got the following certificates:
1 server.crt = server certificate
2 ca.crt = chain certificate
3 ca-bundle.crt = lots of certificates for client authentication
4 server.key = I really don't know how to get this one in keytool

Thnx
Twan Munster
Re: SSL client authentication
Personally, I think that the easiest way to move an Apache cert to a Tomcat cert is to export it to a pkcs12 file and use that as the keystore (of course, setting keystoreType="pkcs12" on the Factory element). Using OpenSSL, something like:

$ openssl pkcs12 -export -chain -inkey server.key -in server.crt -CAfile ca.crt \
    -name tomcat -caname root -out server.p12

Twan Munster [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> [Twan Munster's message quoted here is the post "SSL client authentication" above]
RE: Tomcat SSL client authentication problem with Internet Explorer
Hi again...

CA cert is installed in MSIE's root certificates (also in Mozilla root certificates) but the box is still empty. Any idea?

Thank you!!!

-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED]]
Sent: Friday, 22 August 2003 6:17
To: [EMAIL PROTECTED]
Subject: Re: Tomcat SSL client authentication problem with Internet Explorer

> I'm guessing that you didn't install your CA's cert in MSIE's root certificates. Since Tomcat will ask for certs signed by your CA, if MSIE can't find any (that it can verify the chain with), you get an empty box.
>
> Ratón Lacarcel, Antonio [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > [Antonio's message quoted here is the post "RV: Tomcat SSL client authentication problem with Internet Explorer" below]
SSL-CLIENT authentication causes getUserPrincipal() to return null. Any idea why?
My setup:
JWSDP 1.2
Windows XP Pro
JDK 1.4.2

I want to know who's accessing a certain web page after they've authenticated to Tomcat. No problem if I use BASIC authentication. However, when I use SSL-CLIENT authentication, calling getUserPrincipal() on the incoming Request object returns null, which is no use at all.

Question: is this intended behaviour (it's pretty dumb if it is)? If not, how do I get information about the authenticated user?

TIA,
Chris Williams.
RV: Tomcat SSL client authentication problem with Internet Explorer
Hi!

I have a problem with Tomcat 4.0.6 and SSL client authentication. When I use the Internet Explorer browser (v6.0) and I try to access the secure URL (for example https://whatever:8043), an empty list of certificates is presented. However, if I use Mozilla 1.4 or Netscape 4.76, the client certificates are presented and the secure pages are available.

The following environment is used:
+ jdk1.3.1_08
+ Microsoft Certificate Server
+ Tomcat 4.0.6

My server.xml file has the following element:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="3" scheme="https" secure="true" connectionTimeout="2" useURIValidationHack="false">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="true" keystoreFile="C:\Documents and Settings\araton\.keystore" keystorePass="changeit" protocol="TLS"/>
</Connector>

I have also created the keystores and the cacerts (for trusted certificates) files. Tomcat also finds the cacerts file because I've added the following parameters in the Tomcat environment variables (and because I've seen it in the debug console):

-Djavax.net.ssl.trustStore=c:\path_to_cacerts\cacerts -Djavax.net.ssl.trustStorePassword=changeit

I have defined my own CA, my server-tomcat certificate signed by the CA and in order to create the client certificates, I've used the Certificate Server web tool, asking for a web certificate using each browser (Netscape-IE-Mozilla) and installing the client certificate from the browser.

Could you help me please? If more info is needed, please tell it to me and I will try to explain the problem with higher detail.

Thanks in advance and sorry if my english is too simple...

Antonio Ratón
Re: Tomcat SSL client authentication problem with Internet Explorer
I'm guessing that you didn't install your CA's cert in MSIE's root certificates. Since Tomcat will ask for certs signed by your CA, if MSIE can't find any (that it can verify the chain with), you get an empty box.

Ratón Lacarcel, Antonio [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> [Antonio's message quoted here is the post "RV: Tomcat SSL client authentication problem with Internet Explorer" above]
Re[4]: Tomcat: SSL client authentication
Hi Bill,

Thanks for answering. I did solve the problem. My client certificate is not self-signed (as I pointed out in 2.-4.). So I have a certificate signed by my CA. The problem was solved by setting CATALINA_OPTS system variable before starting Tomcat:

set CATALINA_OPTS=-Djavax.net.ssl.trustStore=server.truststore

where server.truststore contains only imported CA certificate. It seems that Tomcat doesn't use %JAVA_HOME%\jre\lib\security\cacerts as a truststore by default (I did import CA cert into the cacerts) as I understood from previous discussions.

Thanks!
Dmitry.

BB> [Bill Barker's reply quoted here is the post "Re: Re[2]: Tomcat: SSL client authentication" below, including its quotation of the "Re[2]:" message]
Re[2]: Tomcat: SSL client authentication
But (as I pointed out in 3., 4. and 6.) I have client cert and CA cert. The latter I imported to the cacerts. I tried to do the same without Tomcat but with very simple HTTP(s) server and got the same result. So I suggest that I did something wrong with creating/importing certs. But what's wrong?

BB> [Bill Barker's reply quoted here is the post "Re: Tomcat: SSL client authentication" below]
BB>
BB> Dmitry S.Rogulin wrote in message news:[EMAIL PROTECTED]
> Hello all,
> Sorry for the previous e-mail. %)
> This theme was discussed about a month ago. I tried to use what I've found but I'm still having a problem...
> I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth="true").
>
> 1. I've generated a client certificate using keytool:
>    keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
> 2. Then I created Certificate Signing Request:
>    keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
> 3. I sent it to CA and got a signed certificate and CA Certificate.
> 4. I imported them to the client keystore:
>    keytool -import -alias root -keystore client.keystore -file cacert
>    keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
> 5. I exported server certificate and imported it as a trusted to the trusted keystore:
>    keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
> 6. I imported CA Certificate to \jre\lib\security\cacerts:
>    keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit
>
> I'm running Tomcat and test client on the same machine.
> Server keystore: %USERHOME%\.keystore
> Client keystore: %USERHOME%\client.keystore
> Client trusted keystore: %USERHOME%\trust.keystore
>
> Test Client:
>
>     import java.io.*;
>     import java.net.*;
>
>     public class SimpleClient {
>         public static void main(String[] args) {
>             // Truststore: the server certificates this client accepts.
>             System.setProperty("javax.net.ssl.trustStore",
>                 System.getProperty("user.home") + File.separator + "trust.keystore");
>             // Keystore: the client certificate and key presented when clientAuth="true".
>             System.setProperty("javax.net.ssl.keyStore",
>                 System.getProperty("user.home") + File.separator + "client.keystore");
>             System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>             InputStream is = null;
>             ByteArrayOutputStream os = new ByteArrayOutputStream();
>             try {
>                 URL url = new URL("https://localhost:8443/readme.txt");
>                 is = url.openStream();
>                 byte[] buffer = new byte[4096];
>                 int bytes_read;
>                 while ((bytes_read = is.read(buffer)) != -1) {
>                     os.write(buffer, 0, bytes_read);
>                 }
>                 System.out.println(os.toString());
>             } catch (Exception e) {
>                 e.printStackTrace();
>             } finally {
>                 // is stays null when openStream() fails, so guard before closing.
>                 if (is != null) {
>                     try {
>                         is.close();
>                     } catch (IOException e) {
>                         e.printStackTrace();
>                     }
>                 }
>             }
>         }
>     }
>
> With [clientAuth="false"] it works fine, but with [clientAuth="true"] it gives an error:
>
> java.net.SocketException: Software caused connection abort: recv failed
>         at java.net.SocketInputStream.socketRead0(Native Method)
>         at java.net.SocketInputStream.read(SocketInputStream.java:129)
>         at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>
> What did I do in a wrong way?
> Thanks in advance.
>
> Best regards,
> Dmitry.
Re: Re[2]: Tomcat: SSL client authentication
From your 1., your client cert is self-signed, not signed by your CA cert. Since this amounts to telling the server "I am Dmitry, because I said so", it's a security-risk to accept self-signed client certs, so most HTTPS servers won't accept them. (Of course, it is also the same security-risk to accept self-signed server-certs. However, there is a big difference between clicking Ok in the browser's dialog box, and paging the webmaster at 3AM to agree to accept it ;-).

The easiest thing would be to get a Thawte client-cert (since you don't have to pay for it), and use that instead of your self-signed one. For testing, that is what I do (except that I use my Verisign cert, since my employer pays for that one :). At least with Sun's JSSE, Thawte's Root cert is installed in cacerts by default. Setting up your own CA is only needed if you have to hand out your own client-certs when you move to production.

Dmitry S.Rogulin [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> [Dmitry's message quoted here is the post "Re[2]: Tomcat: SSL client authentication" above]
Re: Tomcat: SSL client authentication
You can't generally use a self-signed client cert with JSSE (you can configure PureTLS to accept it, but another bug means that you'd have to wait for 4.1.26). The work-around is way too much trouble for the sysadmin, and I don't feel like being an enabler for a truly hideous design. So, you'll just have to read the JSSE docs for yourself ;-).

If you need to issue your own client certs, I'd suggest setting up your own CA (with OpenSSL or otherwise), and importing your CA's cert into cacerts. You can then hand out client certs, and Tomcat will accept them.

Dmitry S.Rogulin [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hello all,

Sorry for the previous e-mail. %) This theme was discussed about a month ago. I tried to use what I've found but I'm still having a problem... I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth=true).

1. I've generated a client certificate using keytool:
   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
2. Then I created a Certificate Signing Request:
   keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
3. I sent it to the CA and got a signed certificate and the CA certificate.
4. I imported them into the client keystore:
   keytool -import -alias root -keystore client.keystore -file cacert
   keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
5. I exported the server certificate and imported it as trusted into the trusted keystore:
   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
6. I imported the CA certificate into \jre\lib\security\cacerts:
   keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit

I'm running Tomcat and the test client on the same machine.

Server keystore: %USERHOME%\.keystore
Client keystore: %USERHOME%\client.keystore
Client trusted keystore: %USERHOME%\trust.keystore

Test Client:

    import java.net.*;
    import java.io.*;
    import javax.net.ssl.*;

    public class SimpleClient {
        public static void main(String[] args) {
            // Truststore: holds the server certificate exported in step 5
            System.setProperty("javax.net.ssl.trustStore",
                System.getProperty("user.home") + File.separator + "trust.keystore");
            // Keystore: holds the client key, its CA-signed cert and the CA cert (step 4)
            System.setProperty("javax.net.ssl.keyStore",
                System.getProperty("user.home") + File.separator + "client.keystore");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

            InputStream is = null;
            OutputStream os = new ByteArrayOutputStream();
            try {
                URL url = new URL("https://localhost:8443/readme.txt");
                try {
                    is = url.openStream();
                    byte[] buffer = new byte[4096];
                    int bytes_read;
                    while ((bytes_read = is.read(buffer)) != -1)
                        os.write(buffer, 0, bytes_read);
                    System.out.println(os.toString());
                } catch (Exception e) {
                    e.printStackTrace();
                } finally {
                    try {
                        if (is != null) is.close();   // is stays null if openStream() failed
                        os.close();
                    } catch (IOException e) {
                        e.printStackTrace();
                    }
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

With [clientAuth=false] it works fine, but with [clientAuth=true] it gives an error:

    java.net.SocketException: Software caused connection abort: recv failed
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java:129)
        at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)

What did I do in a wrong way?

Thanks in advance.
Best regards,
Dmitry.

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat: SSL client authentication
Hello all, I'm

Best regards,
Dmitry.
Tomcat: SSL client authentication
Hello all,

Sorry for the previous e-mail. %) This theme was discussed about a month ago. I tried to use what I've found but I'm still having a problem... I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth=true).

1. I've generated a client certificate using keytool:
   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
2. Then I created a Certificate Signing Request:
   keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
3. I sent it to the CA and got a signed certificate and the CA certificate.
4. I imported them into the client keystore:
   keytool -import -alias root -keystore client.keystore -file cacert
   keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
5. I exported the server certificate and imported it as trusted into the trusted keystore:
   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
6. I imported the CA certificate into \jre\lib\security\cacerts:
   keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit

I'm running Tomcat and the test client on the same machine.

Server keystore: %USERHOME%\.keystore
Client keystore: %USERHOME%\client.keystore
Client trusted keystore: %USERHOME%\trust.keystore

Test Client:

    import java.net.*;
    import java.io.*;
    import javax.net.ssl.*;

    public class SimpleClient {
        public static void main(String[] args) {
            // Truststore: holds the server certificate exported in step 5
            System.setProperty("javax.net.ssl.trustStore",
                System.getProperty("user.home") + File.separator + "trust.keystore");
            // Keystore: holds the client key, its CA-signed cert and the CA cert (step 4)
            System.setProperty("javax.net.ssl.keyStore",
                System.getProperty("user.home") + File.separator + "client.keystore");
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

            InputStream is = null;
            OutputStream os = new ByteArrayOutputStream();
            try {
                URL url = new URL("https://localhost:8443/readme.txt");
                try {
                    is = url.openStream();
                    byte[] buffer = new byte[4096];
                    int bytes_read;
                    while ((bytes_read = is.read(buffer)) != -1)
                        os.write(buffer, 0, bytes_read);
                    System.out.println(os.toString());
                } catch (Exception e) {
                    e.printStackTrace();
                } finally {
                    try {
                        if (is != null) is.close();   // is stays null if openStream() failed
                        os.close();
                    } catch (IOException e) {
                        e.printStackTrace();
                    }
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

With [clientAuth=false] it works fine, but with [clientAuth=true] it gives an error:

    java.net.SocketException: Software caused connection abort: recv failed
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java:129)
        at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)

What did I do in a wrong way?

Thanks in advance.
Best regards,
Dmitry.
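The connection abort above is what a connector with clientAuth=true produces when the client sends no certificate the server can chain to its trust store, and nothing in the six keytool steps reveals whether the chain stored under tomcat-cl really ends in the CA that was imported into cacerts. The checker below is an added example, not code from the thread or from Tomcat: it loads the client keystore and the server-side cacerts file and runs a PKIX validation of the stored chain offline, reporting a still self-signed leaf (what keytool -genkey produces until the CA reply is imported under the same alias, the case Bill describes) or a chain whose issuer is missing from the server's trust store. The file locations, the alias tomcat-cl, the password changeit and Java 7+ syntax are assumptions to adjust.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/*
 * Added diagnostic, not code from the mailing-list thread. Question answered:
 * would a server whose trust store is the given cacerts file accept the chain
 * stored under ALIAS in the client keystore? Paths, alias and passwords below
 * are assumptions matching the thread's layout.
 */
public class ClientChainCheck {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns null if the server would accept the chain, otherwise the reason it would not. */
    static String checkChain(KeyStore clientStore, String alias, KeyStore serverTrust) throws Exception {
        Certificate[] chain = clientStore.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return "no private-key entry with a certificate chain under alias '" + alias + "'";
        }
        List<X509Certificate> path = new ArrayList<>();
        for (Certificate c : chain) {
            path.add((X509Certificate) c);
        }
        X509Certificate leaf = path.get(0);
        // keytool -genkey produces a self-signed cert; until the CA reply is imported
        // under the same alias the chain is just [leaf] with subject == issuer.
        if (path.size() == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            return "client cert is self-signed (" + leaf.getSubjectX500Principal().getName()
                 + "); JSSE will not accept it";
        }
        // The PKIX validator takes the trust anchor from the parameters, so a trailing
        // self-signed root is dropped from the path; it has to be found in serverTrust.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        PKIXParameters params = new PKIXParameters(serverTrust); // trustedCertEntry items become anchors
        params.setRevocationEnabled(false);                      // offline check: no CRL/OCSP lookups
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return null;
        } catch (CertPathValidatorException e) {
            return "chain does not lead to a CA in the server trust store: " + e.getMessage()
                 + " (issuer of leaf: " + leaf.getIssuerX500Principal().getName() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("user.home");
        // Assumed locations; override on the command line: <client keystore> <alias> <cacerts>
        String clientKs = args.length > 0 ? args[0] : home + "/client.keystore";
        String alias    = args.length > 1 ? args[1] : "tomcat-cl";
        String cacerts  = args.length > 2 ? args[2]
                        : System.getProperty("java.home") + "/lib/security/cacerts";

        KeyStore client = loadJks(clientKs, "changeit".toCharArray());
        KeyStore trust  = loadJks(cacerts, "changeit".toCharArray());   // JDK default password

        String problem = checkChain(client, alias, trust);
        System.out.println(problem == null
            ? "OK: a server trusting " + cacerts + " would accept '" + alias + "'"
            : "REJECT: " + problem);
    }
}
```

Run it against the JVM that Tomcat starts with, since that is the cacerts Tomcat's JSSE connector consults by default; a REJECT with "issuer of leaf" naming a CA that is absent from the trust store points at step 6 rather than at the connector configuration.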
Re: SSL client authentication with tomcat 4.1.24
It works! Thank you

- Original Message -
From: Bill Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, June 07, 2003 5:33 AM
Subject: Re: SSL client authentication with tomcat 4.1.24

I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte (to verify this, search the java.sun.com site). To allow OpenExchange signed certs, you need to get the signing cert (not hard), and import it into cacerts.
Re: SSL client authentication with tomcat 4.1.24
I'm still having trouble with my setup. These are my keystore entries:

    Tipo keystore: jks
    Provider keystore: SUN

    Il keystore contiene 3 entry

    scai, 10-giu-2003, keyEntry,
    Impronta digitale certificato (MD5): D5:FC:34:5E:12:03:CD:29:84:18:C9:4C:33:07:6C:5D
    _dgripbmo, 10-giu-2003, trustedCertEntry,
    Impronta digitale certificato (MD5): F5:ED:E9:B2:D9:71:F9:B6:6F:E9:39:27:4D:0A:A4:F7
    dumarolando, 10-giu-2003, trustedCertEntry,
    Impronta digitale certificato (MD5): E6:8D:22:29:5C:33:20:52:10:75:6A:8E:5D:03:4C:B3

The second item is the CA certificate that signs my personal certificate, the last is my personal certificate, present also in my IE Personal certificates tab. If nothing is missing and the browser still pops up an empty personal certificate list, maybe there is a problem with the cryptographic providers or with the encryption algorithms used? As a note, my personal certificate is stored on a Gemplus smartcard connected with a USB reader; all works fine if I connect to an Apache server with mod_ssl.

- Original Message -
From: Bill Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, June 07, 2003 5:33 AM
Subject: Re: SSL client authentication with tomcat 4.1.24

I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte (to verify this, search the java.sun.com site). To allow OpenExchange signed certs, you need to get the signing cert (not hard), and import it into cacerts.
Re: SSL client authentication with tomcat 4.1.24
You have to import the root CA into the java cacerts keystore.

Assuming a windows-java installation in C:\j2sdk the location is:
C:\j2sdk\jre\lib\security\cacerts

using

    cd C:\j2sdk\jre\lib\security
    keytool -import -keystore cacerts -storepass changeit -file the-root-ca.cer

did the job for me.

Mario

- Original Message -
From: Duma Rolando [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 9:24 AM
Subject: Re: SSL client authentication with tomcat 4.1.24

I'm still having trouble with my setup. These are my keystore entries:

    Tipo keystore: jks
    Provider keystore: SUN

    Il keystore contiene 3 entry

    scai, 10-giu-2003, keyEntry,
    Impronta digitale certificato (MD5): D5:FC:34:5E:12:03:CD:29:84:18:C9:4C:33:07:6C:5D
    _dgripbmo, 10-giu-2003, trustedCertEntry,
    Impronta digitale certificato (MD5): F5:ED:E9:B2:D9:71:F9:B6:6F:E9:39:27:4D:0A:A4:F7
    dumarolando, 10-giu-2003, trustedCertEntry,
    Impronta digitale certificato (MD5): E6:8D:22:29:5C:33:20:52:10:75:6A:8E:5D:03:4C:B3

The second item is the CA certificate that signs my personal certificate, the last is my personal certificate, present also in my IE Personal certificates tab. If nothing is missing and the browser still pops up an empty personal certificate list, maybe there is a problem with the cryptographic providers or with the encryption algorithms used? As a note, my personal certificate is stored on a Gemplus smartcard connected with a USB reader; all works fine if I connect to an Apache server with mod_ssl.
Re: SSL client authentication with tomcat 4.1.24
It works, thanks a lot for your help.

- Original Message -
From: Mario Ivankovits [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 9:36 AM
Subject: Re: SSL client authentication with tomcat 4.1.24

You have to import the root CA into the java cacerts keystore.

Assuming a windows-java installation in C:\j2sdk the location is:
C:\j2sdk\jre\lib\security\cacerts

using

    cd C:\j2sdk\jre\lib\security
    keytool -import -keystore cacerts -storepass changeit -file the-root-ca.cer

did the job for me.

Mario
SSL client authentication with IE 6.0
I'm running Tomcat 4.1.24 standalone with SSL client authentication enabled. Internet Explorer 6.0, when I try to access the server, pops up a window that asks me which certificate will be used for client authentication, but the list of certificates is empty! I've tested my browser on apache with mod_ssl and client authentication, and IE pops up the same window but in this case my personal certificate is present. This is the only tomcat connector configured on my PC.

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="15" maxProcessors="25"
               enableLookups="true" acceptCount="100" debug="0"
               scheme="https" secure="true" useURIValidationHack="false"
               disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="true" protocol="TLS"
               keystoreFile="C:/.keystore" keystorePass="xx"/>
    </Connector>

Thanks for your help.
SSL client authentication with tomcat 4.1.24
Is there anyone that has a running tomcat 4.1.24 standalone server with SSL and clientAuth=true? My current config doesn't work (i.e. Internet Explorer doesn't display my personal certificate, Mozilla displays an error message). I tried with only one SSL connector on port 443 and with also an http connector on port 80 without success. I would like to know if I'm wasting time or there are success stories about this in this community.
RE: SSL client authentication with tomcat 4.1.24
You need to import your personal certificate into your browser.

In IE:
Select 'Internet Options' from the Tools Menu
Select the Content tab
Press the certificates button
This takes you to the screen showing all your certificates
Select the 'Personal' tab
Press Import to import your certificate

Andy

-----Original Message-----
From: Duma Rolando [mailto:[EMAIL PROTECTED]
Sent: 06 June 2003 11:31
To: Tomcat Mailing List
Subject: SSL client authentication with tomcat 4.1.24

Is there anyone that has a running tomcat 4.1.24 standalone server with SSL and clientAuth=true? My current config doesn't work (i.e. Internet Explorer doesn't display my personal certificate, Mozilla displays an error message). I tried with only one SSL connector on port 443 and with also an http connector on port 80 without success. I would like to know if I'm wasting time or there are success stories about this in this community.
Re: SSL client authentication with tomcat 4.1.24
I have already imported my certificate. This is correctly shown if I connect to an apache + mod-ssl server with the SSLVerifyClient require directive, so I think the problem belongs to the Tomcat SSL implementation or its configuration. That's why I'm looking for people with positive experience on this kind of setup.

- Original Message -
From: Bodycombe, Andrew [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 12:58 PM
Subject: RE: SSL client authentication with tomcat 4.1.24

You need to import your personal certificate into your browser.

In IE:
Select 'Internet Options' from the Tools Menu
Select the Content tab
Press the certificates button
This takes you to the screen showing all your certificates
Select the 'Personal' tab
Press Import to import your certificate

Andy
Re: SSL client authentication with tomcat 4.1.24
For me, it looks like some certificates can't be read by tomcat/ssl. So, my Thawte FreeMail Member certificate works, but the certificate generated by SuSE OpenExchange won't work. I haven't figured out what the difference could be for now.

Mario

- Original Message -
From: Duma Rolando [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 1:40 PM
Subject: Re: SSL client authentication with tomcat 4.1.24

I have already imported my certificate. This is correctly shown if I connect to an apache + mod-ssl server with the SSLVerifyClient require directive, so I think the problem belongs to the Tomcat SSL implementation or its configuration. That's why I'm looking for people with positive experience on this kind of setup.
RE: SSL client authentication with IE 6.0
Duma,

"the list of certificates is empty!"

This means that you don't have a client certificate in your client machine.

-----Original Message-----
From: Duma Rolando [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 9:31 AM
To: Tomcat Mailing List
Subject: SSL client authentication with IE 6.0

I'm running Tomcat 4.1.24 standalone with SSL client authentication enabled. Internet Explorer 6.0, when I try to access the server, pops up a window that asks me which certificate will be used for client authentication, but the list of certificates is empty! I've tested my browser on apache with mod_ssl and client authentication, and IE pops up the same window but in this case my personal certificate is present. This is the only tomcat connector configured on my PC.

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" minProcessors="15" maxProcessors="25"
               enableLookups="true" acceptCount="100" debug="0"
               scheme="https" secure="true" useURIValidationHack="false"
               disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="true" protocol="TLS"
               keystoreFile="C:/.keystore" keystorePass="xx"/>
    </Connector>

Thanks for your help.
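The empty IE picker and Dmitry's SimpleClient both hide the same piece of information: the list of CA names the server sends in its TLS CertificateRequest, which is what a browser filters the personal-certificate list by and what JSSE uses to pick an alias from the client keystore. The client below is an added example, not code from the thread or from Tomcat; it builds the SSLContext explicitly instead of through javax.net.ssl.* system properties and wraps JSSE's X509KeyManager so that the accepted issuers and the alias actually chosen are printed during the handshake. A null alias means no certificate is sent, which against clientAuth=true is where the connection abort comes from. File locations, the password changeit and the URL are assumptions; Java 7+ syntax is used.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/* Added diagnostic client, not from the thread. Prints which CAs the server will
 * accept client certificates from and which keystore alias JSSE picks for them. */
public class IssuerProbe {

    /** Wraps the JSSE key manager so the CertificateRequest contents become visible. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager inner;
        LoggingKeyManager(X509KeyManager inner) { this.inner = inner; }

        @Override
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            // 'issuers' is the server's accepted-CA list. A browser only offers certificates
            // that chain to one of these names, so a list that lacks the CA which signed the
            // personal certificate shows up as an empty picker.
            System.out.println("server accepts client certs issued by: "
                + (issuers == null || issuers.length == 0 ? "(no restriction)" : Arrays.toString(issuers)));
            String alias = inner.chooseClientAlias(keyType, issuers, socket);
            System.out.println(alias == null
                ? "no keystore entry matches -> no client certificate will be sent"
                : "sending client certificate under alias '" + alias + "'");
            return alias;
        }

        @Override public String[] getClientAliases(String k, Principal[] i) { return inner.getClientAliases(k, i); }
        @Override public String[] getServerAliases(String k, Principal[] i) { return inner.getServerAliases(k, i); }
        @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return inner.chooseServerAlias(k, i, s); }
        @Override public X509Certificate[] getCertificateChain(String a) { return inner.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return inner.getPrivateKey(a); }
    }

    static KeyStore loadJks(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    /** Explicit SSLContext in place of the javax.net.ssl.* system properties used by SimpleClient. */
    static SSLContext buildContext(String keyStore, char[] ksPw, String trustStore, char[] tsPw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStore, ksPw), ksPw);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStore, tsPw));   // server cert exported in Dmitry's step 5
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("user.home");
        char[] pw = "changeit".toCharArray();    // assumed: the password used in the thread
        SSLContext ctx = buildContext(home + "/client.keystore", pw, home + "/trust.keystore", pw);
        HttpsURLConnection conn = (HttpsURLConnection)
            new URL(args.length > 0 ? args[0] : "https://localhost:8443/readme.txt").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            String line;
            while ((line = in.readLine()) != null) System.out.println(line);
        }
    }
}
```

The printed issuer list is the server's view of its trust store: if the CA that signed the personal certificate is not in it, the fix is on the server side (importing the CA into the trust store Tomcat uses), not in the browser's certificate import dialog.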
Re: SSL client authentication with tomcat 4.1.24
I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte (to verify this, search the java.sun.com site). To allow OpenExchange signed certs, you need to get the signing cert (not hard), and import it into cacerts.

Mario Ivankovits [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

For me, it looks like some certificates can't be read by tomcat/ssl. So, my Thawte FreeMail Member certificate works, but the certificate generated by SuSE OpenExchange won't work. I haven't figured out what the difference could be for now.

Mario
SSL client authentication + LDAP realm / Tomcat 4.1.18
Hello. I try to set up the following features:
  - Client authentication using client SSL certificates
  - Client authorization using the JNDI realm, against an iPlanet LDAP directory

I first tested a simpler configuration using the LDAP realm with BASIC authentication, and it works fine. The realm configuration, set up in the server.xml application context, is:

    <Context path="/test" docBase="../_PHILIPPE_/TEST-CONTEXT" debug="0"
             reloadable="true" crossContext="true">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="localhost_test-context_log." suffix=".txt" timestamp="true"/>
      <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
             connectionName="uid=Tomcat,ou=People,dc=moon.net"
             connectionPassword="tomcat"
             connectionURL="ldap://localhost:389"
             roleBase="ou=Roles,ou=TomcatRealm,dc=moon.net"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
             roleSubtree="false"
             userBase="ou=Users,ou=TomcatRealm,dc=moon.net"
             userSearch="(cn={0})"/>
    </Context>

According to this configuration, when a user tries to access a secured URL and provides his BASIC login and password, the realm correctly checks the credentials against the directory, binding with the DN using the userBase and userSearch parameters.

On the other hand, I tried another configuration, using SSL client authentication and the default realm, adding a user entry in the tomcat-users.xml file with the complete DN as username: cn=SomeBody,ou=Users,ou=TomcatRealm,dc=moon.net. As expected, the certificate is successfully verified in the trust cacerts store, and the default realm correctly matches the user with the issuer DN extracted from the client certificate. In this last case, I assumed the DN provided by the client certificate is the exact expression used by the realm to match the user's identity.

Now, I don't understand how it should be possible to configure both the JNDI realm and the SSL connector to indicate how the client certificate's DN must be used to check the user identity in the LDAP directory. It seems obvious that using the full DN from the client certificate as a single user identifier (cn, uid, etc.) fails, since the search filter doesn't match. Should it be sensible to use the key alias from the trust keystore as the directory identifier value? Perhaps I don't go the right way!... Thanks for your help.

Philippe Maseres
SSL client authentication with mod_ssl+mod_jk
Hi, If somebody has a working client SSL authentication for Apache 1.3.*, mod_ssl/mod_jk, i.e., ajp mounts that require a client certificate (SSLVerifyClient require), I'd be very grateful to see the appropriate pieces of the configuration files. Thank you. -a
-- Aaron Stromas
Tomcat 4 - SSL - Client Authentication
Hi, I am using Tomcat 4 on a Linux system. I am trying to enable SSL with client authentication enabled. I want the client to be Internet Explorer, running on Win2K, my desktop. I found the following steps on the net and tried them:
  * Create keys on the server
  * Create the certificate on the server
  * Uncomment the required part in the server.xml of Tomcat
  * Enter appropriate values for the attributes in server.xml as:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8453" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               keystoreFile="/home/shiva/tomcat/keystore/server.keystore"
               keystorePass="changeit" clientAuth="true" protocol="TLS"/>
    </Connector>

  * Create keys on the client
  * Create the certificate on the client
  * Import the client certificate on the server
  * Import the client certificate into Internet Explorer

Now I started Tomcat and tried to access the URL https://192.168.200.12:8453 from IE; then the Client Authentication dialog box appears without any certificates in the list, so I cannot select any certificate, and if I click on the OK button, it says "page cannot be displayed". I also tried importing the client certificate into $JAVA_HOME/jre/lib/security/cacerts on the server, and even that did not solve the problem; I even tried importing the server certificate on the client side into $JAVA_HOME/jre/lib/security/cacerts and into IE as well, and even after that the problem is not solved. I am including all the commands I used to perform the above steps. Can anyone help me out in getting this done? Thanks in advance, Shiva.

===== Commands used =====

*** For generating server keys on Linux ***
    keytool -genkey -alias tomcat-sv \
        -keyalg RSA -keypass changeit \
        -storepass changeit \
        -keystore $CATALINA_HOME/keystore/server.keystore
    (this keystore directory is created by me)

*** For generating the server certificate on Linux ***
    keytool -export -alias tomcat-sv \
        -storepass changeit \
        -file server.cer \
        -keystore $CATALINA_HOME/keystore/server.keystore

*** For generating client keys on Win2K ***
    keytool -genkey -alias tomcat-cl ^
        -keyalg RSA -keypass changeit ^
        -storepass changeit ^
        -keystore C:\ssltest\mykeystore\client.keystore

*** For generating the client certificate on Win2K ***
    keytool -export -alias tomcat-cl ^
        -storepass changeit ^
        -file C:\ssltest\client.cer ^
        -keystore C:\ssltest\mykeystore\client.keystore

*** For importing the client certificate on the server ***
    keytool -import -v -trustcacerts \
        -alias tomcat -file client.cer \
        -keypass changeit \
        -storepass changeit \
        -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore
Re: Tomcat 4 - SSL - Client Authentication
Have you checked the permissions on the directory where your keystore is held? The process running the webserver must of course be able to read the keystore. - CB

Shiva.Devaguptapu wrote:
Hi, I am using Tomcat 4 on a linux system. I am trying to enable SSL with client authentication enabled. [...]
RE: Tomcat 4 - SSL - Client Authentication
Yes. Read and write as well.

-----Original Message-----
From: Christopher Mark Balz
Sent: Monday, January 20, 2003 2:58 PM
To: Tomcat Users List
Subject: Re: Tomcat 4 - SSL - Client Authentication

Have you checked the permissions on the directory where your keystore is held? The process running the webserver must of course be able to read the keystore. - CB

Shiva.Devaguptapu wrote:
Hi, I am using Tomcat 4 on a linux system. I am trying to enable SSL with client authentication enabled. [...]
SSL Client Authentication
Hi all, I have a B2B app that needs client authentication to be optional, because the client does not always have a certificate, but unfortunately Tomcat apparently doesn't have this option like Apache. For this reason I still have Apache as my web server and Tomcat as application server, but I'd like to migrate to Tomcat. In the Tomcat config files we have the directive in server.xml: clientAuth=false (or true), but I'd like to set it to optional. Does anyone know a workaround for this? Regards, Chico.
SSL Client authentication
Hi all, I am using SSL client authentication on Tomcat 4.0.1 but I am getting some errors. I've enabled client authentication in server.xml and I've created all the certificates. If somebody has some experience in similar configurations, please have a look at the steps I followed and let me know if you see something wrong:

*** Generate tomcat certificate ***
    keytool -genkey -alias tomcat -keyalg RSA
    keytool -certreq -alias tomcat -file tomcat.csr

*** Generate the ca certificate ***
    openssl req -new -newkey rsa:512 -nodes \
        -out ca.req -keyout ca.key
    openssl x509 -trustout -signkey ca.key -days 365 \
        -req -in ca.req -out ca.crt

*** Sign the tomcat request to generate my certificates ***
    openssl x509 -CA ca.crt -CAkey ca.key -in tomcat.csr \
        -out tomcat.crt -req -CAcreateserial

*** Import both into the cacerts ***
    keytool -import -file ca.crt -alias RootCert \
        -keystore $JAVA_HOME/jre/lib/security/cacerts
    keytool -import -file tomcat.crt -alias tomcat \
        -keystore $JAVA_HOME/jre/lib/security/cacerts

*** Generate a client certificate ***
    openssl req -new -newkey rsa:512 -nodes \
        -out client.req -keyout client.key
    openssl x509 -CA ca.crt -CAkey ca.key -req -in client.req -out client.crt

But when I run the following test:
    openssl s_client -cert client.crt -key client.key \
        -connect localhost:8443
I get an error:
    CONNECTED(0003)
    2504:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:455:

Any idea? Thanks, Spiros
SSL client authentication
Is there a way to configure Tomcat to allow/disallow access to a web application based on the common name (CN) in an SSL client certificate? I can set clientAuth=true in the server.xml, which works fine, and I know I can read the certificate once I'm in the web application, but I'm looking for a way to do this before Tomcat passes the request on to the web application. i.e. I'm looking for something analogous to the mod_ssl directives like SSLRequire, SSLVerifyDepth, etc. Any ideas? Is this type of thing supported in Tomcat 3? 4? Neither? The SSL docs are great from a server perspective but I couldn't find much that's client-related. Thanks for any input! Greg Bailey
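Both Philippe's question above (how to turn the DN Tomcat takes from the client certificate into something a `userSearch="(cn={0})"` filter can match) and Greg's (allow or deny by CN before the request reaches the application) come down to the same two steps: parse the certificate's subject DN and use one attribute of it safely. The Python below is an added example, not code from the posts or from Tomcat. It assumes its input is the RFC 2253 string form of the subject DN that Java's `X500Principal.getName()` produces and that Tomcat's CLIENT-CERT path hands to the realm as the user name (for example `CN=SomeBody,OU=Users,OU=TomcatRealm,DC=moon.net`); the `(cn={0})` template, the allow-list and the hostile DN in the demo are constructed for illustration. It splits on unescaped separators, resolves `\,` and `\XX` escapes, refuses DNs with zero or several values of the chosen attribute, and escapes the value per RFC 4515 before it is placed in an LDAP filter, so a certificate whose CN reads like filter syntax cannot change the query.

```python
import re

def _split_unescaped(s, seps):
    """Split s on any character in seps that is not preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2          # keep the escape pair intact
            continue
        if s[i] in seps:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def _unescape(s):
    """Resolve RFC 4514 escapes: \\X for a special char, \\XX for a raw UTF-8 byte."""
    buf, i = bytearray(), 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
                buf.append(int(s[i + 1:i + 3], 16)); i += 3
            else:
                buf += s[i + 1].encode(); i += 2
        else:
            buf += s[i].encode(); i += 1
    return buf.decode("utf-8")

def parse_dn(dn):
    """Ordered (TYPE, value) pairs of an RFC 2253 DN; a multi-valued RDN
    (a=1+b=2) contributes one pair per attribute."""
    pairs = []
    for rdn in _split_unescaped(dn, ",;"):
        for ava in _split_unescaped(rdn, "+"):
            attr, sep, value = ava.strip().partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN {ava!r} in {dn!r}")
            value = re.sub(r"(?<!\\)\s+$", "", value.lstrip())  # drop unescaped padding only
            pairs.append((attr.strip().upper(), _unescape(value)))
    return pairs

def directory_identifier(dn, attr="CN"):
    """The single value a realm should look the user up by. Exactly one
    occurrence is required: a DN carrying two CNs (or none) is rejected
    instead of being mapped to whichever one the parser met first."""
    values = [v for t, v in parse_dn(dn) if t == attr.upper()]
    if len(values) != 1:
        raise ValueError(f"expected one {attr} in {dn!r}, found {len(values)}")
    return values[0]

def ldap_filter_escape(value):
    """RFC 4515 escaping for an assertion value inside a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\0" or ord(ch) > 127:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def user_search_filter(dn, template="(cn={0})"):
    """What a JNDI-style userSearch becomes once {0} is the cn, not the whole DN."""
    return template.format(ldap_filter_escape(directory_identifier(dn)))

def authorize_cn(dn, allowed):
    """Allow/deny on the certificate CN before any application code runs."""
    try:
        return directory_identifier(dn) in allowed
    except ValueError:
        return False

if __name__ == "__main__":
    dn = "CN=SomeBody,OU=Users,OU=TomcatRealm,DC=moon.net"      # DN from the thread
    print(parse_dn(dn))
    print(user_search_filter(dn))
    print(user_search_filter("CN=*)(uid=admin,OU=Users,DC=moon.net"))  # constructed hostile CN
    print(authorize_cn(dn, {"SomeBody"}),
          authorize_cn("CN=x+CN=SomeBody,DC=moon.net", {"SomeBody"}))
```

The rejection of multi-valued or missing CNs is deliberate: the CA decides what goes into the subject, so if the CA is shared with other services, a second CN in the same RDN is the cheapest way to impersonate an allow-listed user while still presenting a certificate that chains correctly.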
Re: SSL Client authentication with standalone Tomcat
Wolfgang Stein writes:
As far as I understand the client-auth handshake, the server sends a list of trusted CAs to the client. This list is taken from JAVA_HOME_set_in_your_tomcat\lib\security\cacerts. So you have to import your CA-cert into that file, instead of your .keystore. There is no need to import the client cert into cacerts or keystore.

First, sorry for not responding earlier to this thread. My laptop died and stopped my forward momentum for a few days. This solved my problem; I had thought I needed to do something like that, but hadn't known how, exactly. Thanks a lot!
-- Brian Palmer
RE: SSL Client authentication with standalone Tomcat
Hi,

-----Original Message-----
From: Brian Palmer
Sent: Tuesday, February 26, 2002 12:58 PM
Subject: SSL Client authentication with standalone Tomcat

I'm trying to set up for a simple project client-authentication and CA abilities, using standalone tomcat and openssl. I'm not having luck. The short version is, when I enable clientAuth, I am unable to connect to the server, getting various messages (in Mozilla 0.9.8, I get no error messages but the page will not load; using openssl s_client I get a write error). Forgive me in advance for this long message, but my hope is that by explicitly stating what I'm doing, it will be easy for someone more experienced to see where I'm going wrong. I've spent much of the last 2 days searching online for information and trying different approaches; most of the problems/solutions don't give a lot of details. I've done the following:

Step 1: Generate the tomcat request for certificate
    keytool -genkey -alias tomcat -keyalg RSA
    keytool -certreq -alias tomcat -file my.csr

Step 2: Generate the ca certificate
    openssl req -new -newkey rsa:512 -nodes -out ca.req \
        -keyout ca.key
    openssl x509 -trustout -signkey ca.key -days 365 \
        -req -in ca.req -out ca.crt

Step 3: Sign the tomcat request to generate tomcat certificate
    openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
        -out my.crt -req -CAcreateserial

Step 4: Import both into my keystore
    keytool -import -file ca.crt -alias RootCert
    keytool -import -file my.crt -alias tomcat

I'm not sure it's necessary, but I'd import the last certificate with the following command:
    keytool -import -trustcacerts -file my.crt -alias tomcat

I can then stop and restart tomcat, and non-client-authenticated https works. I then go on to

Step 5: Generate a client certificate
    openssl req -new -newkey rsa:512 -nodes \
        -out client.req -keyout client.key
    openssl x509 -CA ca.crt -CAkey ca.key \
        -req -in client.req \
        -out client.crt

I then enable clientAuth=true, and try to connect to tomcat using the openssl s_client:
    openssl s_client -cert client.crt -key client.key \
        -connect localhost:8443
and get the following output:
    CONNECTED(0003)
    depth=1 /C=US/ST=California/L=Stanford/O=Stanford University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    write:errno=104

Any ideas? Or ideas on how to debug this? (I'm coming up against a deadline, so any hints much appreciated)

And I bet the client certificate should be signed in a specific way. Some guys mentioned that you can find some help at the openSSL site.

-- Brian Palmer

Anton
Re: SSL Client authentication with standalone Tomcat
Imagine an online banking system with some thousand clients. I can't believe that you have to import each client cert into the keystore file. If you start tomcat with the -Djavax.net.debug=all option you should be able to verify that tomcat initially sends a list of trusted CAs taken from the cacerts file. This file should contain one CA (or more) that signed a client certificate signing request (or groups of them). But Anton Brazhnyk's suggestion could be an alternative way. If anybody succeeded in establishing the ssl client cert handshake after importing client certs into the keystore file only, please let us know. Gruß, Wolfgang

Anton Brazhnyk wrote:
I'm not sure it's necessary, but I'd import the last certificate with the following command:
    keytool -import -trustcacerts -file my.crt -alias tomcat

Wolfgang Stein wrote:
As far as I understand the client-auth handshake, the server sends a list of trusted CAs to the client. This list is taken from JAVA_HOME_set_in_your_tomcat\lib\security\cacerts. So you have to import your CA-cert into that file, instead of your .keystore. There is no need to import the client cert into cacerts or keystore.
RE: SSL Client authentication with standalone Tomcat
Hi Wolfgang,

-----Original Message-----
From: Wolfgang Stein
Sent: Tuesday, February 26, 2002 3:19 PM
Subject: Re: SSL Client authentication with standalone Tomcat

Imagine an online banking system with some thousand clients. I can't believe that you have to import each client cert into the keystore file. If you start tomcat with the -Djavax.net.debug=all option you should be able to verify that tomcat initially sends a list of trusted CAs taken from the cacerts file. This file should contain one CA (or more) that signed a client certificate signing request (or groups of them). But Anton Brazhnyk's suggestion could be an alternative way. If anybody succeeded in establishing the ssl client cert handshake after importing client certs into the keystore file only, please let us know.

Actually I meant importing the server certificate, since there wasn't -trustcacerts in the statement with -alias tomcat. And, well, I'm not sure again... :) The client cert should be signed with the certificate of the server (not just with the CA certificate).

Anton
Reposting: SSL Client authentication with standalone Tomcat
I repost this because it didn't show up on the list but a subsequent posting already did:

"The client browser scans his (previously imported) client certs for a matching cert issuer/signer and sends (?) this to the server."

This part should read:

The client browser scans his (previously imported) client certs for a matching cert issuer/signer, fills / pops up a choice dialog box to select a client cert from, and sends (?) the user's selection back to the server. This choice box was usually empty in MS IE. Read my previous posting "Any success with Tomcat 4.0.2 and client certificates in MS IE?"

Wolfgang Stein wrote:
As far as I understand the client-auth handshake, the server sends a list of trusted CAs to the client. This list is taken from JAVA_HOME_set_in_your_tomcat\lib\security\cacerts. So you have to import your CA-cert into that file, instead of your .keystore. There is no need to import the client cert into cacerts or keystore. The client browser scans his (previously imported) client certs for a matching cert issuer/signer and sends (?) this to the server. You will face a difference in the comparison of the ca certs between Netscape / MS IE. Gruß, Wolfgang

-----Original Message-----
From: Brian Palmer
Sent: Tuesday, 26 February 2002 11:58
Subject: SSL Client authentication with standalone Tomcat

I'm trying to set up for a simple project client-authentication and CA abilities, using standalone tomcat and openssl. I'm not having luck. The short version is, when I enable clientAuth, I am unable to connect to the server, getting various messages (in Mozilla 0.9.8, I get no error messages but the page will not load; using openssl s_client I get a write error). [...]
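The handshake Wolfgang describes, and the `openssl s_client` failures Brian and Spiros report, can be reproduced end to end without Tomcat. The following Python script is an added example, not code from any of the posts or from Tomcat. It builds a throwaway PKI with the openssl command-line tool (two unrelated CAs, a server certificate for localhost and a client certificate `CN=alice` issued by CA-A; every file name, subject and the `changeit` PKCS#12 password are this example's own choices), then runs four loopback TLS handshakes with the standard `ssl` module: the server trusts CA-A; the server trusts only CA-B, which is the state of a cacerts that never received the issuing CA and ends in a handshake alert rather than a certificate prompt; no client certificate against a server that requires one, which is what IE does when its list is empty and you press OK; and no client certificate against a server that only requests one (`ssl.CERT_OPTIONAL`, the TLS-level behaviour Chico asks for above, which later Tomcat releases expose as `clientAuth="want"`). Two caveats: Python's `ssl` loads the trust anchors for verification only, whereas JSSE also advertises their subject names in the CertificateRequest, and that list is what a browser filters its personal certificates by; and the client key is exported in a PKCS#12 bundle because a certificate imported into a browser without its private key, such as the bare `.cer` that `keytool -export` writes in Shiva's steps, is never offered for client authentication.

```python
import os, socket, ssl, subprocess, tempfile, threading

# Minimal openssl.cnf (constructed for this example) with one extensions
# section per certificate role.
OPENSSL_CNF = """[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
"""

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_pki(workdir):
    """Two unrelated CAs (A and B), a server cert and a client cert both issued
    by A, and the client key+cert bundled as PKCS#12: a browser only offers a
    cert for client auth if it holds the private key, which a bare .cer
    export (keytool -export) never carries."""
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF)
    p = lambda name: os.path.join(workdir, name)
    for ca, cn in (("ca_a", "Demo-CA-A"), ("ca_b", "Demo-CA-B")):
        _openssl("req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes", "-days", "2",
                 "-config", cnf, "-extensions", "ca_ext", "-subj", "/CN=" + cn,
                 "-keyout", p(ca + ".key"), "-out", p(ca + ".crt"))
    def issue(name, subj, ext):
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", cnf,
                 "-subj", subj, "-keyout", p(name + ".key"), "-out", p(name + ".csr"))
        _openssl("x509", "-req", "-days", "2", "-in", p(name + ".csr"),
                 "-CA", p("ca_a.crt"), "-CAkey", p("ca_a.key"), "-CAcreateserial",
                 "-extfile", cnf, "-extensions", ext, "-out", p(name + ".crt"))
    issue("server", "/CN=localhost", "server_ext")
    issue("alice", "/C=US/O=Example/OU=Users/CN=alice", "client_ext")
    _openssl("pkcs12", "-export", "-in", p("alice.crt"), "-inkey", p("alice.key"),
             "-out", p("alice.p12"), "-passout", "pass:changeit")
    return p

_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU", "commonName": "CN"}

def rfc2253(cert):
    """Subject DN as Java's X500Principal.getName() renders it (most specific
    RDN first); this is the string Tomcat hands to the realm as user name."""
    esc = lambda v: "".join("\\" + c if c in ',+"\\<>;' else c for c in v)
    return ",".join("+".join(f"{_SHORT.get(k, k)}={esc(v)}" for k, v in rdn)
                    for rdn in reversed(cert["subject"]))

def handshake(p, trusted_ca, client_cert=None, client_key=None,
              verify_mode=ssl.CERT_REQUIRED):
    """One TLS connection over loopback; returns what each side observed."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.verify_mode = verify_mode                    # CERT_REQUIRED ~ clientAuth=true
    srv.load_cert_chain(p("server.crt"), p("server.key"))
    srv.load_verify_locations(cafile=p(trusted_ca))  # plays the role of cacerts
    out = {"accepted_issuers": [dict(x[0] for x in c["subject"])["commonName"]
                                for c in srv.get_ca_certs()]}
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0)); lsock.listen(1); lsock.settimeout(5)
    port = lsock.getsockname()[1]

    def serve():
        try:
            conn, _ = lsock.accept(); conn.settimeout(5)
            with srv.wrap_socket(conn, server_side=True) as tls:  # handshake happens here
                cert = tls.getpeercert()             # None when no cert was sent
                out["subject"] = rfc2253(cert) if cert else None
                tls.sendall(b"ok")
        except OSError as e:                         # ssl.SSLError is an OSError
            out["server_error"] = str(e)
        finally:
            lsock.close()
    t = threading.Thread(target=serve); t.start()

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(cafile=p("ca_a.crt"))  # client trusts the server's CA
    if client_cert:
        cli.load_cert_chain(client_cert, client_key)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s, \
             cli.wrap_socket(s, server_hostname="localhost") as tls:
            out["client_got"] = tls.recv(2)
    except OSError as e:
        out["client_error"] = str(e)
    t.join(5)
    return out

def run_scenarios(workdir=None):
    p = make_pki(workdir or tempfile.mkdtemp(prefix="mtls-"))
    alice = (p("alice.crt"), p("alice.key"))
    return {
        "trusted_ca":       handshake(p, "ca_a.crt", *alice),  # issuer is in the trust store
        "untrusted_ca":     handshake(p, "ca_b.crt", *alice),  # issuer missing: alert, no prompt
        "no_cert_required": handshake(p, "ca_a.crt"),          # empty IE list + OK
        "no_cert_optional": handshake(p, "ca_a.crt", verify_mode=ssl.CERT_OPTIONAL),
    }

if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name}: {r}")
```

Run it and compare `untrusted_ca` with the `sslv3 alert handshake failure` / `write:errno=104` output in the posts: the client never gets a chance to be asked for a certificate the server could accept, the server simply refuses the one offered. Importing the client certificate itself into the server's keystore does nothing for this path; the server verifies the chain against its trust anchors, so the issuing CA is what has to be there.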
Re: SSL Client authentication with standalone Tomcat
The client browser scans his (previously imported) client certs for a matching cert isssuer/signer and sends (?) this to the server. This part should read: The client browser scans his (previously imported) client certs for a matching cert issuer/signer, fills / pops up a choice dialog box to select a client cert from, and sends (?) the users selection back to the server. This choice box was usually empty in MS IE. Read my previous posting Any success with Tomcat 4.0.2 and client certificates in MS IE ? Wolfgang Stein wrote: As far as i understand the client-auth handshake, the server sends a list of trusted CAs to the client. This list is take from JAVA_HOME_set_in_your_tomcat\lib\security\cacerts So you have to import your CA-cert into that file, instead of your .keystore . There is no need to import the client cert into cacerts or keystore. The client browser scans his (previously imported) client certs for a matching cert isssuer/signer and sends (?) this to the server. You will face a difference in comparism of the ca certs between nestcape / MS IE. Gruß, Wolfgang -Ursprüngliche Nachricht- Von: Brian Palmer [mailto:[EMAIL PROTECTED]] Gesendet: Dienstag, 26. Februar 2002 11:58 An: [EMAIL PROTECTED] Betreff: SSL Client authentication with standalone Tomcat I'm trying to set up for a simple project client-authentication and CA abilities, using standalone tomcat and openssl. I'm not having luck. The short version is, when I enable clientAuth, I am unable to connect to the server, getting various messages (in Mozilla 0.9.8, I get no error messages but the page will not load, using openssl s_client I get a write error). Forgive me in advance for this long message, but my hope is that by explicitly stating what I'm doing, it will be easy for someone more experienced to see where I'm going wrong. 
I've spent much of the last 2 days searching online for information and trying different approaches; most of the problems/solutions don't give a lot of details. I've done the following:

Step 1: Generate the tomcat request for certificate

    keytool -genkey -alias tomcat -keyalg RSA
    keytool -certreq -alias tomcat -file my.csr

Step 2: Generate the ca certificate

    openssl req -new -newkey rsa:512 -nodes -out ca.req \
        -keyout ca.key
    openssl x509 -trustout -signkey ca.key -days 365 \
        -req -in ca.req -out ca.crt

Step 3: Sign the tomcat request to generate tomcat certificate

    openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
        -out my.crt -req -CAcreateserial

Step 4: Import both into my keystore

    keytool -import -file ca.crt -alias RootCert
    keytool -import -file my.crt -alias tomcat

I can then stop and restart tomcat, and non-client-authenticated https works. I then go on to

Step 5: Generate a client certificate

    openssl req -new -newkey rsa:512 -nodes \
        -out client.req -keyout client.key
    openssl x509 -CA ca.crt -CAkey ca.key \
        -req -in client.req \
        -out client.crt

I then enable clientAuth=true, and try to connect to tomcat using the openssl s_client:

    openssl s_client -cert client.crt -key client.key \
        -connect localhost:8443

and get the following output:

    CONNECTED(0003)
    depth=1 /C=US/ST=California/L=Stanford/O=Stanford University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    write:errno=104

Any ideas? Or ideas on how to debug this? (I'm coming up against a deadline, so any hints much appreciated)

--
Brian Palmer
Whoever fights monsters should see to it that in the process he does not become a monster.
And when you look long into an abyss, the abyss also looks into you - Nietzsche
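The diagnostic Wolfgang's reply points at, as an added example that is not code from this thread: a small Java program that loads the truststore Tomcat uses, prints the CA subject names a JSSE server will send in its TLS CertificateRequest (the list the browser matches its imported client certs against), and checks whether client.crt from the steps above was issued by one of them. The truststore path under java.home, the password "changeit" and the file name client.crt are assumptions; run it on the JVM Tomcat starts with.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added example (not from the thread): lists the CA names a JSSE server built on
// this truststore sends in its TLS CertificateRequest and checks whether client.crt
// was issued by one of them. Truststore path, password and client.crt are assumptions.
public class TruststoreCheck {
    static final String TRUSTSTORE = System.getProperty("java.home") + "/lib/security/cacerts";
    // Accepted issuers: the list the browser matches its imported client certs against.
    static X509Certificate[] acceptedIssuers(String path, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, pw);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    // True when the client cert's issuer DN equals an accepted issuer's subject DN.
    static boolean issuerIsTrusted(X509Certificate client, X509Certificate[] issuers) {
        for (X509Certificate ca : issuers) {
            if (ca.getSubjectX500Principal().equals(client.getIssuerX500Principal())) {
                return true;
            }
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        X509Certificate[] issuers = acceptedIssuers(TRUSTSTORE, "changeit".toCharArray());
        for (X509Certificate ca : issuers) {
            System.out.println("server requests certs issued by: " + ca.getSubjectX500Principal());
        }
        X509Certificate client;
        try (FileInputStream in = new FileInputStream("client.crt")) {
            client = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // A missing issuer here means the browser has nothing to offer (empty dialog)
        // and the server rejects whatever the client sends during the handshake.
        System.out.println("client.crt issuer " + client.getIssuerX500Principal()
                + (issuerIsTrusted(client, issuers) ? " is trusted" : " is NOT in the truststore"));
    }
}
```

If ca.crt is only in the server keystore (Step 4 above) and not in this truststore, the check prints "NOT in the truststore", which matches an empty certificate dialog in IE and the connection being closed after s_client sends its certificate; the separate "verify error:num=19" line is s_client reporting that it was not given the CA (for example via -CAfile ca.crt) to verify the server's own chain with.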
Help with ssl client authentication
Hi all, and thanks for reading me ... I have read a lot of posts about client authentication with Tomcat and I pray to somebody for giving a final solution to this problem in Tomcat 4.0 b7. I mean, could somebody describe all the process (commands used) of the certificate generation (keytool + openssl), conversion and installation of these certificates in the Tomcat keystore and IE?

Thanks in advance,
Ricardo Borillo Domenech
Programming - Computing Service
Universitat Jaume I
SSL client Authentication problem.
Hello all,

I am testing Tomcat standalone with client authentication on, and getting some odd results. It works fine if client authentication is not turned on (for both IE and Netscape browsers). If I turn on client authentication, Netscape claims that I do not have a personal certificate, and IE asks me to choose from an empty list of certificates.

Any ideas on the problem with the certificate request when I use Tomcat standalone? Is there some configuration to indicate the type of certificate the server is requesting?

I am using both client and server certificates generated by OpenSSL. More precisely, I have a server certificate stored in the keystore (Tomcat side) and a client certificate integrated in my browser. Both certificates are signed by a CA authority whose certificate is on my browser too.

This problem has already been encountered by many people ([EMAIL PROTECTED] for example).

Many thanks,
Arnaud Pierre.

PS: I use Tomcat 4.0b5
Re: SSL client authentication with Tomcat
Hi, when you say this feature is not supported in Tomcat 3.x, do you also mean that it is not available either for Apache+Tomcat 3.1? Thanks in advance

This feature is not supported in Tomcat 3.x presently, although it is available in Tomcat 4.0 (pre-alpha nightly builds currently available).

Craig McClanahan

Hi to all! Does anybody know whether there is the possibility to access the SSL client certificate variables from a servlet running in Tomcat? Thanks to all of you!
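The servlet side of the question above, as an added example that is not code from the list: the Servlet specification exposes the client certificate chain to the webapp as the request attribute javax.servlet.request.X509Certificate (with the peer's own certificate first), alongside javax.servlet.request.cipher_suite; this servlet reads those and prints the identity fields a defender would log. The servlet name is an assumption.

```java
import java.io.*;
import java.security.cert.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.*;
import javax.servlet.http.*;

// Added example, not from the thread. Reads the client certificate chain Tomcat
// exposes under the Servlet-spec request attribute
// "javax.servlet.request.X509Certificate"; the servlet name is an assumption.
public class ClientCertServlet extends HttpServlet {
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Returns the CN of the certificate's subject, or null if it has none.
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if (rdn.getType().equalsIgnoreCase("CN")) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // malformed DN: treat as having no CN
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // Only reachable when the connector does not force a client cert: none was presented.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        X509Certificate client = chain[0];  // chain[0] is the peer's own certificate
        try {
            client.checkValidity();         // reject expired / not-yet-valid certs explicitly
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid now");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("subject: " + client.getSubjectX500Principal());
        out.println("issuer:  " + client.getIssuerX500Principal());
        out.println("serial:  " + client.getSerialNumber());
        out.println("CN:      " + commonName(client));
        out.println("cipher:  " + req.getAttribute("javax.servlet.request.cipher_suite"));
        out.println("user:    " + req.getRemoteUser());  // set by CLIENT-CERT auth via the realm
    }
}
```

With clientAuth="true" the connector has already verified the chain against the truststore during the handshake, so the checks here are about what the application does with an authenticated certificate, not a substitute for that verification.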