RE: SSL in Tomcat

2002-09-03 Thread Tathagat (London)

CN is actually taken as the web server's name on which the site is running.
This is kind of a check that the certificate is coming from the same server
on which the site is running, because if it is coming from another server
then it could be fraud.

cheers
Tathagat

-Original Message-
From: randie ursal [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 08:53
To: A mailing list for discussion about Sun Microsystem's Java Servlet
API Technology.
Cc: Tomcat Users List; [EMAIL PROTECTED]
Subject: SSL in Tomcat


hi,

sorry for this off the list topic but i really need some
idea.

  when i created my self-signed certificate using keytool to make SSL
  available in Tomcat i specify in my certificate information

   ex.
 keytool -genkey -dname "CN=Mark Smith, OU=JavaSoft, O=Sun, L=Cupertino, S=California, C=US" -alias mark

  but when i access my webserver both through browser and java application
  by using "https://carnelian:8443/testApp"
  i got an exception which says that HTTPS hostname is wrong or certificate
  is not the same as site name.

  so i change the CN key equal to my hostname (ex.Carnelian), now it
  works...why is this?

  keytool docs says that CN could be any valid full name...just like the 
  example above when i use Mark Smith.

  is there a way i can specify the certificate information using the full
  name instead of the web server hostname? and access it using https
  without getting an exception.

  i'm using Apache Tomcat 4.0, JSSE1.0.3, JDK1.3.1

thanks in advance

  randie
  
  
  



--
To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
For additional commands, e-mail:
mailto:[EMAIL PROTECTED]


--
If you have received this e-mail in error or wish to read our e-mail 
disclaimer statement and monitoring policy, please refer to 
http://www.drkw.com/disc/email/ or contact the sender.
--


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
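
An added example, not part of the thread: a simplified Java model of the name check that produces the exception described above, run against the URL and the two subject names from the post plus one constructed fully qualified name. The class and method names are made up for the illustration; current HTTPS clients look at the certificate's subjectAltName entries first and use the CN, if at all, only as a fallback.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added illustration: compares the host in an https URL with the CN of a subject DN. */
public class CnHostnameCheck {

    /** Most specific CN in a subject DN, or null when the DN carries none. */
    static String commonName(String subjectDn) throws NamingException {
        List<Rdn> rdns = new LdapName(subjectDn).getRdns();
        // LdapName numbers RDNs from the right, so a leading "CN=..." is the last element.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            // toAttributes() also covers multi-valued RDNs such as "CN=a+OU=b".
            Attribute cn = rdns.get(i).toAttributes().get("CN");
            if (cn != null) {
                return String.valueOf(cn.get());
            }
        }
        return null;
    }

    /** Case-insensitive match; "*." at the front stands for exactly one left-most label. */
    static boolean nameMatches(String certName, String host) {
        String name = certName.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!name.startsWith("*.")) {
            return name.equals(h);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(name.substring(1));
    }

    /** Verdict a client applying this CN-only rule would reach for url and subjectDn. */
    static String check(String url, String subjectDn) throws NamingException {
        String host = URI.create(url).getHost();
        String cn = commonName(subjectDn);
        if (cn == null) {
            return "REJECT (no CN in subject)";
        }
        return nameMatches(cn, host)
                ? "OK     (CN '" + cn + "' names host '" + host + "')"
                : "REJECT (CN '" + cn + "' is not host '" + host + "')";
    }

    public static void main(String[] args) throws NamingException {
        String url = "https://carnelian:8443/testApp";          // URL from the post
        String[] subjects = {
            // DN from the post: a person's name in CN, as in the keytool docs example
            "CN=Mark Smith, OU=JavaSoft, O=Sun, L=Cupertino, S=California, C=US",
            // CN changed to the host name, as the poster did (other fields kept)
            "CN=Carnelian, OU=JavaSoft, O=Sun, L=Cupertino, S=California, C=US",
            // Constructed: a fully qualified name does not match the short name in the URL
            "CN=carnelian.example.test, O=Sun, C=US",
        };
        for (String dn : subjects) {
            System.out.println(check(url, dn) + "  <-  " + dn);
        }
    }
}
```

The third case is the one that bites after the first fix: the name in the certificate has to be the name users type in the URL, not merely some name of the same machine. With a current JDK the host name can also be written into the certificate as a subjectAltName with keytool's `-ext SAN=dns:carnelian` option.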




RE: SSL in Tomcat

2002-09-03 Thread Tathagat (London)

Hello Randie,
check this page out.
http://mindprod.com/jglosskeytool.html

cheers
Tathagat

-Original Message-
From: randie ursal [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 09:12
To: Tomcat Users List
Subject: Re: SSL in Tomcat


thanks Tathagat, but i was just wondering why on the keytool 
documentation the CN is having
a value of the subjects full name...and not the web servers name.

is this a documentation error on keytool on java?


Tathagat (London) wrote:

CN is actually taken as the web server's name on which the site is running.
This is kind of a check that the certificate is coming from the same server
on which the site is running, because if it is coming from another server
then it could be fraud.

cheers
Tathagat

-Original Message-
From: randie ursal [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 08:53
To: A mailing list for discussion about Sun Microsystem's Java Servlet
API Technology.
Cc: Tomcat Users List; [EMAIL PROTECTED]
Subject: SSL in Tomcat


hi,

sorry for this off the list topic but i really need some
idea.

  when i created my self-signed certificate using keytool to make SSL
  available in Tomcat i specify in my certificate information

   ex.
 keytool -genkey -dname "CN=Mark Smith, OU=JavaSoft, O=Sun, L=Cupertino, S=California, C=US" -alias mark

  but when i access my webserver both through browser and java application
  by using "https://carnelian:8443/testApp"
  i got an exception which says that HTTPS hostname is wrong or certificate
  is not the same as site name.

  so i change the CN key equal to my hostname (ex.Carnelian), now it
  works...why is this?

  keytool docs says that CN could be any valid full name...just like the 
  example above when i use Mark Smith.

  is there a way i can specify the certificate information using the full
  name instead of the web server hostname? and access it using https
  without getting an exception.

  i'm using Apache Tomcat 4.0, JSSE1.0.3, JDK1.3.1

thanks in advance

  randie
  
  
  



  







RE: Redirects by TOMCAT in server.xml?

2002-08-25 Thread Tathagat (London)

why can't you just use javascript?

-Original Message-
From: Barney Hamish [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 25 August 2002 15:24
To: 'Tomcat Users List'
Subject: RE: Redirects by TOMCAT in server.xml?


Can you perhaps write a little servlet that forwards a request to a new
address (a string defined in the web.xml) and then map the servlet to the
url pattern you want.

i.e.
url pattern for servlet
/COLANgamma/*

then the servlet takes the request string (whatever is after the url pattern
for the servlet)
index.html

and adds it to the url-prefix string which can be defined in the web.xml
/opencms/opencms/COLANgamma/

so it ends up redirecting to 
/opencms/opencms/opencms/COLANgamma/ + index.html

Hamish


 -Original Message-
 From: Alexander Schmidt [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, August 25, 2002 3:05 PM
 To: Tomcat Users List
 Subject: Redirects by TOMCAT in server.xml?
 
 
 Hi!
 I will explain my problem better!
 I have an application opencms. With this application you can 
 create and
 manage HTML-Sites.
 The program uses Tomcat 4.0! To let me show the sites, i have 
 to type in the
 browser
 the URL
 "http://localhost:8080/opencms/opencms/COLANgamma/index.html", but
 it is too long for me.
 So i want to redirect it. I only want to type in the URL
 "http://localhost:8080/COLANgamma/index.html". I want to do
 the redirection
 with TOMCAT 4.0 in that way, that i configure the server.xml.
 But I don't find any solution. I know that there is a possibility with
 Apache, but we don't use it.
 
 Thanks
   A.Schmidt
 
 




RE: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Tathagat (London)

okay, I have faced so many problems on this.. and finally could do it!
Please answer the following questions.

First question: The certificates that you are using on your machine (as
client), where do you get them from?

Second: When you connect the server (https://localhost:8443 or whatever),
does your certificate pop up?

cheers
Tathagat

-Original Message-
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 11:42
To: [EMAIL PROTECTED]
Subject: Client Certificates on Tomcat 3.3.1


Hi all,

I'm trying to setup a secure connection between Tomcat 3.3.1 and a java soap
client.

My soap service simply prints out some request data, and also the content of

request.getAttribute("javax.servlet.request.X509Certificate")

Following some example code I found on Internet (I'm not sure this code
should function)

I have followed the instructions in the xml.apache.org FAQ, and generated
all certificates with keytool.

Firstly, I configured tomcat with clientAuth set to false, and used a basic
authentication scheme in my web-app. It worked fine. When connecting through
my client, the service prints the next info:

Authorization: BASIC
Remote User: tomcat
Secured: true
Principal: tomcat
No client certificate is available

If I set clientAuth to true, it still works, but it keeps showing the No
client certificate available message.

The big problem comes when I configure my web-app to use CLIENT-CERT
authorization scheme.
It simply returns a 401 error code.

Any one can help me, please??

Thanks in advance,
Rodrigo Ruiz Aguayo

PS: Following is the bat file I'm using to generate the keystores:

del server.keystore
del client.keystore

copy %JAVA_HOME%\jre\lib\security\cacerts .\server.keystore
copy %JAVA_HOME%\jre\lib\security\cacerts .\client.keystore

REM Change default passwords
keytool -storepasswd -keystore server.keystore -storepass changeit -new 123456
keytool -storepasswd -keystore client.keystore -storepass changeit -new 123456

REM Create server.keystore
keytool -genkey -alias tomcat-sv -dname CN=neyade,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES -keyalg RSA -keypass 123456 -storepass 123456 -keystore server.keystore
keytool -export -alias tomcat-sv -storepass 123456 -file server.cer -keystore server.keystore

REM Import server certificate as a trusted CA in the client keystore
keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass 123456 -storepass 123456

REM Create client keystore
keytool -genkey -alias rruiz -dname CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES -keyalg RSA -keypass 123456 -storepass 123456 -keystore client.keystore
keytool -export -alias rruiz -storepass 123456 -file rruiz.cer -keystore client.keystore

REM Import client certificate as a trusted entry in the server keystore
keytool -import -v -trustcacerts -alias tomcat -file rruiz.cer -keystore server.keystore -keypass 123456 -storepass 123456






RE: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Tathagat (London)

ok,
what you have to do is put the certificate provider into your java's
security file.

keytool -import blah blah (options)

what you have to import are .PEM files which you get from the certificate
providers. Then IE will popup your certificates. Please read keytool
documentation on sun site and most things will be clear of my mail.

cheers
Tathagat

-Original Message-
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 16:59
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1



- Original Message -
From: Tathagat (London) [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, August 20, 2002 3:22 PM
Subject: RE: Client Certificates on Tomcat 3.3.1


 okay, I have faced so many problems on this.. and finally could do it!
 Please answer the following questions.

 First question: The certificates that you are using on your machine (as
 client), where do you get them from?

I create them with KeyMan from IBM. I have tried to create a X509 Chain,
signed with my server key,
and also a .PFX file with the same characteristics. None seemed to work.
In fact, when I import the certificates into Explorer, it places them into
the Medium CA Providers Tab, and not in the Personal repository. Is it ok?


 Second: When you connect the server (https://localhost:8443 or whatever),
 does your certificate pop up?

The browser only pops up the server certificate, not the client one.
It looks like it does not send my client certificate at all.


 cheers
 Tathagat

 -Original Message-
 From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 20, 2002 11:42
 To: [EMAIL PROTECTED]
 Subject: Client Certificates on Tomcat 3.3.1


 Hi all,

 I'm trying to setup a secure connection between Tomcat 3.3.1 and a java
soap
 client.

 My soap service simply prints out some request data, and also the content
of

 request.getAttribute("javax.servlet.request.X509Certificate")

 Following some example code I found on Internet (I'm not sure this code
 should function)

 I have followed the instructions in the xml.apache.org FAQ, and generated
 all certificates with keytool.

 Firstly, I configured tomcat with clientAuth set to false, and used a
basic
 authentication scheme in my web-app. It worked fine. When connecting
through
 my client, the service prints the next info:

 Authorization: BASIC
 Remote User: tomcat
 Secured: true
 Principal: tomcat
 No client certificate is available

 If I set clientAuth to true, it still works, but it keeps showing the No
 client certificate available message.

 The big problem comes when I configure my web-app to use CLIENT-CERT
 authorization scheme.
 It simply returns a 401 error code.

 Any one can help me, please??

 Thanks in advance,
 Rodrigo Ruiz Aguayo

 PS: Following is the bat file I'm using to generate the keystores:

 del server.keystore
 del client.keystore

 copy %JAVA_HOME%\jre\lib\security\cacerts .\server.keystore
 copy %JAVA_HOME%\jre\lib\security\cacerts .\client.keystore

 REM Change default passwords
 keytool -storepasswd -keystore server.keystore -storepass changeit -new 123456
 keytool -storepasswd -keystore client.keystore -storepass changeit -new 123456

 REM Create server.keystore
 keytool -genkey -alias tomcat-sv -dname CN=neyade,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES -keyalg RSA -keypass 123456 -storepass 123456 -keystore server.keystore
 keytool -export -alias tomcat-sv -storepass 123456 -file server.cer -keystore server.keystore

 REM Import server certificate as a trusted CA in the client keystore
 keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass 123456 -storepass 123456

 REM Create client keystore
 keytool -genkey -alias rruiz -dname CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES -keyalg RSA -keypass 123456 -storepass 123456 -keystore client.keystore
 keytool -export -alias rruiz -storepass 123456 -file rruiz.cer -keystore client.keystore

 REM Import client certificate as a trusted entry in the server keystore
 keytool -import -v -trustcacerts -alias tomcat -file rruiz.cer -keystore server.keystore -keypass 123456 -storepass 123456



RE: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Tathagat (London)

1 thing is still unclear to me. DO YOU SEE THE CERTIFICATE POP UP WHEN YOU
CONNECT TO THE SERVER?

If not you have to include your client side certificate store into your
$JAVA_HOME\jre\lib\security\cacerts keystore. using keytool -import with
-trustcacerts option

I use.

keytool -import -alias drkw_root -file InvestmentBankCA_root.pem
-trustcacerts -keystore cacerts -v

Tell me if you see the certificates already pop up when you connect to the
website, then I will try to find if anything else is going wrong.

cheers
Tathagat

-Original Message-
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 17:54
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1


Tathagat, at this moment I am generating my own self-signed server and
client certificates :-P

I have no .pem files, as I don't rely on any third provider. The keystore I
am using in my server has the following entries:

thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry,

The last entry is my own server certificate.

From this point, using the KeyMan tool, I do this:

1. Create an empty keystore
2. Import the server certificate as a CA certificate into this new keystore
3. Create a new key pair
4. Create a .csr file
5. From the server keystore, create a certificate for this .csr (it creates
a .cer file with a X509 certificate chain)
6. Create a PKCS #12 token
7. Import the .cer created at point 5
8. Save the token (as a .pfx file)

Once I have this file, I import the server certificate in the trusted CA
provider store (I can do this directly from the pop-up window that shows the
browser on server connection).

Finally, I import the .pfx file into Explorer.

Is it enough importing the server certificate, or do I have to generate a
.pem file for my server certificate? If so, which tool should I have to use?

Now it seems to connect to the server, but it still receives an HTTP 401
error message.

My web-app has activated the CLIENT-CERT authentication scheme. If I relax
this to BASIC, all seems to work fine. The browser shows the user/password
dialog box, and I am in :-)

Could it be a problem related to the realm? How do you specified the list of
valid users? In CLIENT-CERT mode, you don't have user/password info.

Thanks a lot!

- Original Message -
From: Tathagat (London) [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, August 20, 2002 5:14 PM
Subject: RE: Client Certificates on Tomcat 3.3.1


 ok,
 what you have to do is put the certificate provider into your java's
 security file.

 keytool -import blah blah (options)

 what you have to import are .PEM files which you get from the
certificate
 providers. Then IE will popup your certificates. Please read keytool
 documentation on sun site and most things will be clear of my mail.

 cheers
 Tathagat







RE: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Tathagat (London)

Also regarding PEM file, I get it from the authority who generates my
certificates (for the whole of my organization).  So I don't generate PEM
files. Please look in google how to get them yourself.

cheers
Tathagat

-Original Message-
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 17:54
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1


Tathagat, at this moment I am generating my own self-signed server and
client certificates :-P

I have no .pem files, as I don't rely on any third provider. The keystore I
am using in my server has the following entries:

thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry,

The last entry is my own server certificate.

From this point, using the KeyMan tool, I do this:

1. Create an empty keystore
2. Import the server certificate as a CA certificate into this new keystore
3. Create a new key pair
4. Create a .csr file
5. From the server keystore, create a certificate for this .csr (it creates
a .cer file with a X509 certificate chain)
6. Create a PKCS #12 token
7. Import the .cer created at point 5
8. Save the token (as a .pfx file)

Once I have this file, I import the server certificate in the trusted CA
provider store (I can do this directly from the pop-up window that shows the
browser on server connection).

Finally, I import the .pfx file into Explorer.

Is it enough importing the server certificate, or do I have to generate a
.pem file for my server certificate? If so, which tool should I have to use?

Now it seems to connect to the server, but it still receives an HTTP 401
error message.

My web-app has activated the CLIENT-CERT authentication scheme. If I relax
this to BASIC, all seems to work fine. The browser shows the user/password
dialog box, and I am in :-)

Could it be a problem related to the realm? How do you specified the list of
valid users? In CLIENT-CERT mode, you don't have user/password info.

Thanks a lot!

- Original Message -
From: Tathagat (London) [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, August 20, 2002 5:14 PM
Subject: RE: Client Certificates on Tomcat 3.3.1


 ok,
 what you have to do is put the certificate provider into your java's
 security file.

 keytool -import blah blah (options)

 what you have to import are .PEM files which you get from the
certificate
 providers. Then IE will popup your certificates. Please read keytool
 documentation on sun site and most things will be clear of my mail.

 cheers
 Tathagat







RE: Web.xml

2002-08-13 Thread Tathagat (London)

Here it is
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/appdev/web.xml.txt

if you still got questions mail back.

cheers

-Original Message-
From: Vishal Mukherjee [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 13:23
To: Tomcat Users List
Subject: Web.xml
Importance: High


Hi all

Can anyone assist me to write the web.xml in the WEB-INF directory. I have
added the context and also created directory of Jsp and servlets.


Thanks & Regards
Vishal






RE: JDBC Realm redirect problem

2002-08-02 Thread Tathagat (London)

My guess would be that the roles being returned are not the correct ones.

-Original Message-
From: Polly Poon [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 02, 2002 10:20
To: Tomcat Users List
Subject: JDBC Realm redirect problem


Hi all,

My configuration is
Tomcat: 3.2.4
JDK: 1.3.01
Linux Red Hat7.3
MySQL3.2.3

I was using JDBC Realm for security. But for some reason even when the user
has the correct password and username to authenticate it still ends up
redirecting to the error page. Would anyone give me a pointer? Thanks a lot!

From,
Polly






RE: security filter Realm class file location

2002-08-02 Thread Tathagat (London)

Put the new REALM you make in server/lib (if jar) or in server/classes.

-Original Message-
From: Jakarta Tomcat Newsgroup [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 02, 2002 14:40
To: [EMAIL PROTECTED]
Subject: security filter & Realm class file location


Subject: security filter & Realm class file location
From: Torgeir Veimo [EMAIL PROTECTED]
 ===
I'm working on a security filter that takes a tomcat Realm definition
exactly as in server.xml. However, I'm facing the problem that the Realm &
RealmBase classes (which most realms subclass) are defined in
server/lib/catalina.jar, which is not available to filters located
within a webapp.

Is my best option to include both Realm & RealmBase classes in the
filter jar itself, or are there better options?

-- 
-Torgeir






RE: client authorization.

2002-07-17 Thread Tathagat (London)

They only describe how to get a certificate on server side. I mean server
can show a certificate to client, but it does not say how the client
sends a certificate to the server.

I think we need to find this thing out.

-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 17, 2002 16:59
To: Tomcat Users List
Subject: Re: client authorization.




On Wed, 17 Jul 2002, Anthony Geoghegan wrote:

 Date: Wed, 17 Jul 2002 11:18:33 +0100
 From: Anthony Geoghegan [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: client authorization.

 Is it possible to use client certificate authorization without a password
 and its associated dialog?


Tomcat 4.x can do this.  See the docs for the version of Tomcat you are
using:

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

 Best Regards,
 Anthony Geoghegan.
 J2EE Developer
 CPS Ireland Ltd.

Craig








Client Certificates with Tomcat

2002-07-16 Thread Tathagat (London)

Hi All,
I am working with Tomcat 4. I do all the steps provided in server.xml viz:
__
Step 2: Generate Client and Server Certificates

It is necessary to generate a Certificate for the client and the server.
These Certificates are then imported into a keystore, to which the client
and server connect.
The keystore acts as a database for security certificates.
You are going to use the keytool utility in the JDK to do these tasks (see
Sun's documentation for more information on this tool).

Step 2a: Generate a Server Key and Certificate

Launch keytool from a shell (or command prompt) to generate your public and
private key.
Note that the Certificate and keystore files will be generated in the
directory you run keytool from.
Use keytool as follows:

keytool -genkey -alias tomcat-sv -dname "CN=[Common Name],OU=[Organisation Unit], O=[Organisation Name], L=[Locality], S=[State Name], C=[Two-Letter Country Code]" -keyalg RSA -keypass [private key password] -storepass [keystore password] -keystore [keystore file name]

For example, to generate a keystore (in file server.keystore) for server
soapsvr.test.tcd.ie using password changeit (for both the keystore and the
certificate) in the Computer Engineering group at Trinity College Dublin,
Ireland, one would type the following:

keytool -genkey -alias tomcat-sv -dname "CN=soapsvr.test.tcd.ie, OU=ComputerEngineering, O=Trinity College Dublin, L=Dublin, S=Dublin, C=IE" -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore

Note that

The RSA algorithm is used to generate certificates.

Ensure that the 'CN' field that you specify when you create the server
certificate matches the name of the machine on which you're running tomcat,
or your browser will complain about certificate name mis-matches (not a
problem on a test server, a big problem on a production server!).

Step 2b: Export the Server Certificate

From command prompt run this command to export your certificate from the
keystore into an external file (we do this so we can import the certificate
into the client's keystore as a trusted certificate).

keytool -export -alias tomcat-sv -storepass changeit -file server.cer -keystore server.keystore

If everything works, you should now have a file called server.cer which
contains your server's certificate.

Step 2c: Generate a Client Key and Certificate

This step is very similar to the generation of the server key and
certificate - it uses the same keytool tool with different parameters.
Note that the keystore file name has changed (it is now client.keystore).
Use keytool as follows:

keytool -genkey -alias tomcat-cl -dname "CN=Client,OU=TRL, O=IBM, L=Yamato-shi, S=Kanagawa-ken, C=JP" -keyalg RSA -keypass changeit -storepass changeit -keystore client.keystore

Step 2d: Export the Client Certificate

This step is very similar to the export of the server certificate - it uses
the same keytool tool with different parameters:

keytool -export -alias tomcat-cl -storepass changeit -file client.cer -keystore client.keystore

If everything works, you should now have a file called client.cer which
contains your client's certificate.

Step 2e: Import the Certificates into the Keystores

We want the client certificate to be added to the server's keystore, and the
server's certificate to be added to the client's keystore.
Doing this will mean that the client and server trust one another.

Import the server certificate into the client's keystore:

keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass changeit -storepass changeit

Import the client certificate into the server's keystore:

keytool -import -v -trustcacerts -alias tomcat -file client.cer -keystore server.keystore -keypass changeit -storepass changeit
__

as long as I keep clientAuth=false in server.xml it runs fine.

But when I make it true, it looks for the client certificate, which it
obviously can't find. How do I get the client certificate from above. What
is client.cer then?

Any clues appreciated.

Thanks and Regards
Tathagat

GBS - Legal Services
Phone: +49 (0) 69 263 16854
Fax:  +49 (0) 69 263 16540
Mobile: +49 (0) 160 98589882
Private Email: [EMAIL PROTECTED]
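
An added Java example, not from the thread or from the Tomcat documentation: it replays steps 2a to 2e with the JDK's own keytool in a temporary directory and then asks each keystore which aliases it could present as a client certificate. Assumptions: a JDK with `bin/keytool`, the current option names (`-genkeypair`, `-exportcert`, `-importcert`), PKCS12 stores, shortened DNs, and a made-up file `cer-only.keystore` standing for a client that was handed only client.cer.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Added illustration: which keystore can actually present a client certificate? */
public class ClientCertEntries {
    static final String PASS = "changeit";   // password used in the quoted steps

    /** Runs the JDK's keytool in dir; store type and password are appended to every call. */
    static void keytool(File dir, String... args) throws Exception {
        List<String> cmd = new ArrayList<>();
        cmd.add(new File(new File(System.getProperty("java.home"), "bin"), "keytool").getPath());
        cmd.addAll(Arrays.asList(args));
        cmd.addAll(Arrays.asList("-storetype", "PKCS12", "-storepass", PASS));
        Process p = new ProcessBuilder(cmd).directory(dir).inheritIO().start();
        if (p.waitFor() != 0) {
            throw new IllegalStateException("keytool failed: " + cmd);
        }
    }

    static KeyStore load(File f) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(f)) {
            ks.load(in, PASS.toCharArray());
        }
        return ks;
    }

    /** Lists each alias with the entry type that "keytool -list" would show for it. */
    static String entries(KeyStore ks) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (String alias : Collections.list(ks.aliases())) {
            sb.append(alias).append(ks.isKeyEntry(alias) ? "=keyEntry " : "=trustedCertEntry ");
        }
        return sb.toString().trim();
    }

    /** Aliases JSSE could use for client authentication; null when no private key exists. */
    static String[] clientAliases(KeyStore ks) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS.toCharArray());
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        return km.getClientAliases("RSA", null);
    }

    public static void main(String[] args) throws Exception {
        File dir = Files.createTempDirectory("certdemo").toFile();
        // Steps 2a and 2c: one key pair (private key + self-signed certificate) per side.
        keytool(dir, "-genkeypair", "-alias", "tomcat-sv", "-dname", "CN=soapsvr.test.tcd.ie",
                "-keyalg", "RSA", "-keystore", "server.keystore");
        keytool(dir, "-genkeypair", "-alias", "tomcat-cl", "-dname", "CN=Client",
                "-keyalg", "RSA", "-keystore", "client.keystore");
        // Step 2d: client.cer receives the public certificate only, never the private key.
        keytool(dir, "-exportcert", "-alias", "tomcat-cl", "-file", "client.cer",
                "-keystore", "client.keystore");
        // Step 2e: the server learns to trust that certificate.
        keytool(dir, "-importcert", "-noprompt", "-alias", "tomcat", "-file", "client.cer",
                "-keystore", "server.keystore");
        // Hypothetical store: what a client holds if it was given client.cer and nothing else.
        keytool(dir, "-importcert", "-noprompt", "-alias", "tomcat-cl", "-file", "client.cer",
                "-keystore", "cer-only.keystore");

        for (String name : new String[] {"server.keystore", "client.keystore", "cer-only.keystore"}) {
            KeyStore ks = load(new File(dir, name));
            System.out.println(name + ": " + entries(ks)
                    + " -> client aliases " + Arrays.toString(clientAliases(ks)));
        }
    }
}
```

Only a store holding the `tomcat-cl` key entry can answer a `clientAuth=true` handshake; client.cer is what the server imports in order to trust that key, and a store or browser that received just the .cer lists it as a trusted certificate and has nothing to present.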







Client Certificates with Tomcat

2002-07-15 Thread Tathagat (London)

Hi All,
I am working with Tomcat 4. I do all the steps provided in server.xml viz.:
__
Step 2: Generate Client and Server Certificates
It is necessary to generate a Certificate for the client and the server.
These Certificates are then imported into a keystore, to which the client
and server connect. 
The keystore acts as a database for security certificates. 
You are going to use the keytool utility in the JDK to do these tasks (see
Sun's documentation for more information on this tool). 

Step 2a: Generate a Server Key and Certificate
Launch keytool from a shell (or command prompt) to generate your public and
private key.
Note that the Certificate and keystore files will be generated in the
directory you run keytool from.
Use keytool as follows:

  keytool -genkey -alias tomcat-sv
    -dname "CN=[Common Name], OU=[Organisation Unit], O=[Organisation Name], L=[Locality], S=[State Name], C=[Two-Letter Country Code]"
    -keyalg RSA -keypass [private key password]
    -storepass [keystore password] -keystore [keystore file name]

For example, to generate a keystore (in file server.keystore) for server
soapsvr.test.tcd.ie using password changeit (for both the keystore and the
certificate) in the Computer Engineering group at Trinity College Dublin,
Ireland, one would type the following:

  keytool -genkey -alias tomcat-sv
    -dname "CN=soapsvr.test.tcd.ie, OU=ComputerEngineering, O=Trinity College Dublin, L=Dublin, S=Dublin, C=IE"
    -keyalg RSA -keypass changeit -storepass changeit
    -keystore server.keystore

Note that:

  - The RSA algorithm is used to generate certificates.
  - Ensure that the 'CN' field that you specify when you create the server
    certificate matches the name of the machine on which you're running
    tomcat, or your browser will complain about certificate name mis-matches
    (not a problem on a test server, a big problem on a production server!).

Step 2b: Export the Server Certificate
From command prompt run this command to export your certificate from the
keystore into an external file (we do this so we can import the certificate
into the client's keystore as a trusted certificate).

  keytool -export -alias tomcat-sv -storepass changeit -file server.cer
    -keystore server.keystore

If everything works, you should now have a file called server.cer which
contains your server's certificate.

Step 2c: Generate a Client Key and Certificate
This step is very similar to the generation of the server key and
certificate - it uses the same keytool tool with different parameters.
Note that the keystore file name has changed (it is now client.keystore).
Use keytool as follows:

  keytool -genkey -alias tomcat-cl
    -dname "CN=Client, OU=TRL, O=IBM, L=Yamato-shi, S=Kanagawa-ken, C=JP"
    -keyalg RSA -keypass changeit -storepass changeit
    -keystore client.keystore

Step 2d: Export the Client Certificate
This step is very similar to the export of the server certificate - it uses
the same keytool tool with different parameters:

  keytool -export -alias tomcat-cl -storepass changeit -file client.cer
    -keystore client.keystore

If everything works, you should now have a file called client.cer which
contains your client's certificate.

Step 2e: Import the Certificates into the Keystores
We want the client certificate to be added to the server's keystore, and the
server's certificate to be added to the client's keystore.
Doing this will mean that the client and server trust one another.

Import the server certificate into the client's keystore:

  keytool -import -v -trustcacerts -alias tomcat -file server.cer
    -keystore client.keystore -keypass changeit -storepass changeit

Import the client certificate into the server's keystore:

  keytool -import -v -trustcacerts -alias tomcat -file client.cer
    -keystore server.keystore -keypass changeit -storepass changeit
__

As long as I keep clientAuth=false in server.xml it runs fine.

But when I make it true, it looks for the client certificate, which it
obviously can't find. How do I get the client certificate from above? What
is client.cer then?

Any clues appreciated.

Thanks and Regards
Tathagat

GBS - Legal Services
Phone: +49 (0) 69 263 16854
Fax:  +49 (0) 69 263 16540
Mobile: +49 (0) 160 98589882
Private Email: [EMAIL PROTECTED]
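
Steps 2a-2e above as one unattended script, followed by a check of what each file ends up holding (an added example, not part of the original message or of the documentation it quotes). It shows that the client's private key exists only in client.keystore under tomcat-cl, while server.keystore holds just the public certificate from client.cer as a trusted entry. Assumes a current JDK keytool on PATH; the function names, -noprompt and the ST= spelling are choices made for this example.

```shell
#!/bin/sh
# Added example: steps 2a-2e run unattended, then the keystores are inspected.
PASS=changeit   # the tutorial's password; use a real one outside a test setup

# Create server.keystore, client.keystore, server.cer, client.cer in dir "$1".
# -noprompt answers the "Trust this certificate?" question asked by -import;
# -keypass is left off the imports because a trusted-certificate entry holds
# no private key. ST= is the standard keyword for the state attribute.
build_keystores() {
    ( cd "$1" &&
      keytool -genkey -alias tomcat-sv -keyalg RSA \
          -dname "CN=soapsvr.test.tcd.ie, OU=ComputerEngineering, O=Trinity College Dublin, L=Dublin, ST=Dublin, C=IE" \
          -keypass "$PASS" -storepass "$PASS" -keystore server.keystore &&
      keytool -export -alias tomcat-sv -storepass "$PASS" \
          -file server.cer -keystore server.keystore &&
      keytool -genkey -alias tomcat-cl -keyalg RSA \
          -dname "CN=Client, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa-ken, C=JP" \
          -keypass "$PASS" -storepass "$PASS" -keystore client.keystore &&
      keytool -export -alias tomcat-cl -storepass "$PASS" \
          -file client.cer -keystore client.keystore &&
      keytool -import -noprompt -trustcacerts -alias tomcat \
          -file server.cer -keystore client.keystore -storepass "$PASS" &&
      keytool -import -noprompt -trustcacerts -alias tomcat \
          -file client.cer -keystore server.keystore -storepass "$PASS"
    ) >/dev/null 2>&1
}

# Print the entry type keytool reports for alias "$2" in keystore "$1".
entry_type() {
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
        grep -o -E 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Print the certificate fingerprint of alias "$2" in keystore "$1".
fingerprint() {
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
        sed -n 's/^Certificate fingerprint[^:]*: //p'
}

# Stand-alone use: sh keystores.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d) && build_keystores "$work" || exit 1
    for pair in client.keystore:tomcat-cl client.keystore:tomcat \
                server.keystore:tomcat-sv server.keystore:tomcat; do
        echo "$pair $(entry_type "$work/${pair%%:*}" "${pair#*:}")"
    done
    rm -rf "$work"
fi
```

With clientAuth=true the handshake requires proof of possession of the private key, so the connecting client has to load client.keystore (or a key store converted from it); client.cer carries only the public certificate.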


