R: client authentication using a smart card

-----Original Message-----
From: Jason Pyeron [mailto:jpye...@pdinc.us]
Sent: Monday, 19 October 2009 20:21
To: 'Tomcat Users List'
Subject: RE: client authentication using a smart card

> [cut]
>
> Do you have access to IE on windows for this? If you do, it will be much
> quicker, and easier. I am just trying to get a baseline established, so I
> can plow through with my ten steps.

Ok. I made the same thing with IE and in the debug it says null cert chain
during the client authentication handshake. Now I am confused...

M

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: client authentication using a smart card

-----Original Message-----
From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
Sent: Tuesday, October 20, 2009 5:10
To: 'Tomcat Users List'
Subject: R: client authentication using a smart card

> -----Original Message-----
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
> Sent: Monday, 19 October 2009 20:21
> To: 'Tomcat Users List'
> Subject: RE: client authentication using a smart card
>
> > [cut]
> >
> > Do you have access to IE on windows for this? If you do, it will be much
> > quicker, and easier. I am just trying to get a baseline established, so
> > I can plow through with my ten steps.
>
> Ok. I made the same thing with IE and in the debug it says null cert chain
> during the client authentication handshake. Now I am confused...

Lets step back and look. Can you provide the smart card and server
certificate chain (no keys please)?

> M

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
R: client authentication using a smart card

-----Original Message-----
From: Jason Pyeron [mailto:jpye...@pdinc.us]
Sent: Tuesday, 20 October 2009 12:13
To: 'Tomcat Users List'
Subject: RE: client authentication using a smart card

> -----Original Message-----
> From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> Sent: Tuesday, October 20, 2009 5:10
> To: 'Tomcat Users List'
> Subject: R: client authentication using a smart card
>
> > -----Original Message-----
> > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > Sent: Monday, 19 October 2009 20:21
> > To: 'Tomcat Users List'
> > Subject: RE: client authentication using a smart card
> >
> > > [cut]
> > >
> > > Do you have access to IE on windows for this? If you do, it will be
> > > much quicker, and easier. I am just trying to get a baseline
> > > established, so I can plow through with my ten steps.
> >
> > Ok. I made the same thing with IE and in the debug it says null cert
> > chain during the client authentication handshake. Now I am confused...
>
> Lets step back and look. Can you provide the smart card and server
> certificate chain (no keys please)?

Hang on a second... The server certificate is a self signed certificate I
made with keytool. The smart card certificate, instead, is a real one, I use
to legally sign electronic documents; the issuer is an Italian CA. Do you
expect the issuer of the smart card certificate to be the same as the server
one? How can I print out the certificate chain?

Thanks again
M

> > M
RE: client authentication using a smart card

-----Original Message-----
From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]

> From: Jason Pyeron [mailto:jpye...@pdinc.us]
>
> > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> >
> > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > >
> > > > Ok. I made the same thing with IE and in the debug it says null cert
> > > > chain during the client authentication handshake. Now I am
> > > > confused...
> > >
> > > Lets step back and look. Can you provide the smart card and server
> > > certificate chain (no keys please)?
> >
> > Hang on a second... The server certificate is a self signed certificate
> > I made with keytool. The smart card certificate, instead, is a real one,
> > I use to legally sign electronic documents; the issuer is an Italian CA.
> > Do you expect the issuer of the smart card certificate to be the same as
> > the server one?

Not always. Lets take for example:

  https://mail.pdinc.us -> PD Inc Public CA -> PD Inc Root CA

and

  MySmartCard -> DOD EMAIL CA-15 -> DoD Root CA-2
  (the smime cert used on this email)

I can use my smart card to auth against the server. But the server must know
about DoD Root CA-2.

> > How can I print out the certificate chain?
> >
> > Thanks again
> > M

Attachments: mail.pdinc.us.cer, PDIncPublicCA.cer, PDIncRoot.cer,
smartcard.cer, dodemailca-15.cer, DoDRootCA-2.cer (application/x509-ca-cert);
smime.p7s (S/MIME cryptographic signature)
R: client authentication using a smart card

-----Original Message-----
From: Jason Pyeron [mailto:jpye...@pdinc.us]
Sent: Tuesday, 20 October 2009 13:03
To: 'Tomcat Users List'
Subject: RE: client authentication using a smart card

> > > > Ok. I made the same thing with IE and in the debug it says null cert
> > > > chain during the client authentication handshake. Now I am
> > > > confused...
> > >
> > > Lets step back and look. Can you provide the smart card and server
> > > certificate chain (no keys please)?
> >
> > Hang on a second... The server certificate is a self signed certificate
> > I made with keytool. The smart card certificate, instead, is a real one,
> > I use to legally sign electronic documents; the issuer is an Italian CA.
> > Do you expect the issuer of the smart card certificate to be the same as
> > the server one?
>
> Not always. Lets take for example:
>
>   https://mail.pdinc.us -> PD Inc Public CA -> PD Inc Root CA
>
> and
>
>   MySmartCard -> DOD EMAIL CA-15 -> DoD Root CA-2
>   (the smime cert used on this email)
>
> I can use my smart card to auth against the server. But the server must
> know about DoD Root CA-2.

Ok. In my case:

  https://localhost -> self signed certificate

and

  Mysmartcard -> my certificate -> infocamere root CA

And in my trusted certificates keystore there is infocamere root CA.

Please find in attachment a signed text file you can read my cert info from.

Thanks
Marcello

Attachment: myfile.txt.p7m (S/MIME encrypted message)
RE: client authentication using a smart card

-----Original Message-----
From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]

> -----Original Message-----
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
>
> > > [cut]
> >
> > Hang on a second... The server certificate is a self signed certificate
> > I made with keytool. The smart card certificate, instead, is a real one,
> > I use to legally sign electronic documents; the issuer is an Italian CA.
> > Do you expect the issuer of the smart card certificate to be the same as
> > the server one?
>
> Not always. Lets take for example:
>
>   https://mail.pdinc.us -> PD Inc Public CA -> PD Inc Root CA
>
> and
>
>   MySmartCard -> DOD EMAIL CA-15 -> DoD Root CA-2
>   (the smime cert used on this email)
>
> I can use my smart card to auth against the server. But the server must
> know about DoD Root CA-2.

Ok. In my case:

  https://localhost -> self signed certificate

and

  Mysmartcard -> my certificate -> infocamere root CA

And in my trusted certificates keystore there is infocamere root CA.

As a point of note, we always avoid using self signed certs for any purpose
other than a CA. Lets take 1st few steps on making this more proper.

1. Create a self signed CA cert.
2. Create your web server cert and sign it with the CA.
3. Install it (and the chain) in the web server.
4. Install the CA into your browser
   4a. for IE, it would be the Trusted Root Certification Authorities,
   4b. you can do this by browsing to the web server,
   4c. ignoring the errors,
   4d. viewing the certs (click on the padlock)
   4e. look at the chain, (there is a hierarchy right?)
   4f. Select and open the root of the hierarchy
   4g. Install cert
       4g1. select where to place
       4g2. select Trusted Root Certification Authorities (if for all users
            select all users physical store for TRCA)
5. Exit browser (all of the windows, verify iexplore.exe is not running), and
   revisit server, confirming no security prompts.

Let me know if/where you get stuck.

> Please find in attachment a signed text file you can read my cert info
> from.
>
> Thanks
> Marcello
client authentication using a smart card

Hi all

This is my very first message in the list. I am trying to use the ssl and
client authentication feature in tomcat 6, using a pkcs11 compliant smart card
reader and a real authentication smart card (Italian CNS). In the browser
(firefox) I obtain a ssl_error_certificate_unknown_alert or a
ssl_error_bad_certificate_alert. SSL without client authentication works
perfectly.

This is my server configuration:

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="C:\apache-tomcat-6.0.20\conf\tomcat.keystore"
             keystorePass="tomcat" keyAlias="tomcat"
             truststoreFile="C:\apache-tomcat-6.0.20\conf\cacerts"
             truststorePass="changeit" />

tomcat.keystore contains the self signed x509 certificate I use to perform the
server ssl handshake. cacerts contains the root certificate of my signature
and non repudiation certificate contained in my smartcard.

From tomcat's log, obtained by setting
JAVA_OPTS=-Djavax.net.debug=ssl,handshake, I am sure that:

1) the root certificate is trusted (imported in cacerts with
   keytool -import -trustcacert .):

   adding as trusted cert:
     Subject: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
     Issuer:  CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
     Algorithm: RSA; Serial number: 0x1
     Valid from Wed Mar 24 16:48:50 CET 2004 until Thu Mar 24 16:47:52 CET 2016

2) the client certificate is taken from the smartcard and it's given to the
   server; furthermore, the issuer is exactly the trusted one:

   *** Certificate chain
   chain [0] = [
   [
     Version: V3
     Subject: CN=Marcello Marangio, DNQ=20071112354269, SERIALNUMBER=IT:MRNMCL70C21A662D, GIVENNAME=MARCELLO, SURNAME=MARANGIO, O=NON PRESENTE, C=IT
     Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
     Validity: [From: Wed Nov 21 12:11:08 CET 2007,
                  To: Sun Nov 21 01:00:00 CET 2010]
     Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
     SerialNumber: [    131b58]

3) the browser (firefox) picks up the correct non repudiation certificate from
   the smartcard and sends it to the server:

   [9]: ObjectId: 2.5.29.15 Criticality=true
   KeyUsage [
     Non_repudiation
   ]

The problem seems to be that tomcat is looking for the digital signature
certificate and not the non_repudiation one.

   http-8443-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
   http-8443-1, WRITE: TLSv1 Alert, length = 2
   http-8443-1, called closeSocket()
   http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures

Is tomcat's behavior correct or is it a bug?

Thanks a million
Marcello
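Added example, not from the thread or from Tomcat: a standard-library Python decoder for the KeyUsage (OID 2.5.29.15) bit string, followed by the rule that JSSE's end-entity checker applies to a TLS client certificate (digitalSignature must be set when the extension is present, whether or not it is critical), which is the check behind the "KeyUsage does not allow digital signatures" alert in the log above. The DER byte strings are constructed test values and the function names are mine.

```python
# Decode an X.509 KeyUsage extension value and apply the TLS client-cert rule
# that produces "KeyUsage does not allow digital signatures" in JSSE.
# Pure standard library; the DER strings at the bottom are constructed samples.

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0: needed to sign the TLS CertificateVerify message
    "nonRepudiation",     # bit 1: document signing (contentCommitment in RFC 5280)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set:
    """Parse the DER BIT STRING carried in a KeyUsage extension.

    Layout: tag 0x03, short-form length, count of unused trailing bits, then
    the bit bytes; bit 0 is the most significant bit of the first byte."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bit count")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def tls_client_verdict(key_usage_der):
    """Return (accepted, reason) for a certificate offered as a TLS client cert.

    Same policy as sun.security.validator.EndEntityChecker: no KeyUsage
    extension means anything goes; if present it must include digitalSignature,
    regardless of the extension's criticality flag."""
    if key_usage_der is None:
        return True, "no KeyUsage extension: any usage allowed"
    usages = decode_key_usage(key_usage_der)
    listed = ", ".join(sorted(usages))
    if "digitalSignature" in usages:
        return True, "digitalSignature present (" + listed + ")"
    return False, "KeyUsage does not allow digital signatures (has: " + listed + ")"


# Constructed samples, encoded exactly as a certificate would carry them.
SIGNATURE_ONLY_CERT = bytes.fromhex("03020640")  # nonRepudiation only, like chain [0] above
AUTH_CERT = bytes.fromhex("030206c0")            # digitalSignature + nonRepudiation
NO_KEY_USAGE_CERT = None                         # extension absent

if __name__ == "__main__":
    for name, ku in [("signature-only", SIGNATURE_ONLY_CERT),
                     ("authentication", AUTH_CERT),
                     ("no KeyUsage", NO_KEY_USAGE_CERT)]:
        accepted, reason = tls_client_verdict(ku)
        print(f"{name:15} -> {'accept' if accepted else 'reject'}: {reason}")
```

A certificate whose KeyUsage carries only nonRepudiation is a document-signing credential, so the server's rejection is the expected outcome; TLS client authentication needs a certificate whose KeyUsage includes digitalSignature.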
RE: client authentication using a smart card

-----Original Message-----
From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
Sent: Monday, October 19, 2009 8:30
To: users@tomcat.apache.org
Subject: client authentication using a smart card

> Hi all
>
> This is my very first message in the list. I am trying to use the ssl and
> client authentication feature in tomcat 6, using a pkcs11 compliant smart
> card reader and a real authentication smart card (Italian CNS). In the
> browser (firefox) I obtain a

First, make sure your browser knows about the certificate and smart card
reader. We have been having with recent firefox releases on this.

The debugging steps I would take are

1) Use Windows / IE, if the server requires or requests a client cert it
   will pop up a selection window even if IE does not know how to fulfil
   the request. This will indicate if Tomcat is or is not requesting client
   certs.
2) Verify IE knows about the smart card cert, use the certmgr.msc to see if
   the smartcard certificate is installed, as well as the trust chain.
3) Verify IE prompts for the smartcard cert in the client cert popup
   selection dialog.
4) Verify Tomcat - IE talk over SSL.

> ssl_error_certificate_unknown_alert or a ssl_error_bad_certificate_alert.
> SSL without client authentication works perfectly.
>
> [cut]
>
> Is tomcat's behavior correct or is it a bug?

The above steps will allow a quicker diagnosis.

> Thanks a million
> Marcello
R: client authentication using a smart card

Hi Jason, thanks for your answer.

> > Hi all
> >
> > This is my very first message in the list. I am trying to use the ssl
> > and client authentication feature in tomcat 6, using a pkcs11 compliant
> > smart card reader and a real authentication smart card (Italian CNS). In
> > the browser (firefox) I obtain a
>
> First, make sure your browser knows about the certificate and smart card
> reader. We have been having with recent firefox releases on this.
>
> The debugging steps I would take are
>
> 1) Use Windows / IE, if the server requires or requests a client cert it
>    will pop up a selection window even if IE does not know how to fulfil
>    the request. This will indicate if Tomcat is or is not requesting
>    client certs.
> 2) Verify IE knows about the smart card cert, use the certmgr.msc to see
>    if the smartcard certificate is installed, as well as the trust chain.
> 3) Verify IE prompts for the smartcard cert in the client cert popup
>    selection dialog.
> 4) Verify Tomcat - IE talk over SSL.

It seems that firefox behaves: if the smartcard is in, firefox asks the PIN of
the smartcard. I am pretty sure it can read my smartcard, because I can use
mod_ssl with Apache 2.2 and I can read the certificate's information with a
perl routine. Furthermore, from the debug logs it is clear that there is an
ssl handshaking going on.

Any clue?

Thanks
M

> [CUT]
>
> > Is tomcat's behavior correct or is it a bug?
>
> The above steps will allow a quicker diagnosis.
>
> > Thanks a million
> > Marcello
RE: client authentication using a smart card

-----Original Message-----
From: Marcello Marangio

<snip/>

> It seems that firefox behaves: if the smartcard is in, firefox asks the
> PIN of the smartcard. I am pretty sure it can read my smartcard, because
> I can use mod_ssl with Apache 2.2

Apache 2.x can be forgiving about the chain, and may be presenting different
information.

> and I can read the certificate's information with a perl routine.
> Furthermore, from the debug logs it is clear that there is an ssl
> handshaking going on.

Can you verify that the browser knows the server's chain? And can you verify
that the server is providing an acceptable chain for the cert that firefox
knows about?

> Any clue?
>
> Thanks
> M

Do you have access to IE on windows for this? If you do, it will be much
quicker, and easier. I am just trying to get a baseline established, so I can
plow through with my ten steps.

-Jason