RE: [QUAR]Re: Tomcat5 and Client Certificates
Thanks guys - Got the configs and logging worked out. Your help appreciated. Still stuck on getting the .pfx out of the client.keystore. Trying java forums on that front. If anyone is interested in the solution let me know and I'll fill you in when I get it worked out.

- wjs

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: Saturday, March 05, 2005 3:27 PM
To: tomcat-user@jakarta.apache.org
Subject: [QUAR]Re: Tomcat5 and Client Certificates

Jason Bainbridge [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> On Fri, 4 Mar 2005 06:54:34 -0800, Sweeney, Bill [EMAIL PROTECTED] wrote:
> > Hello TC5 Users - I used %java-home%/bin/keytool to build the certificate store and the server and client certificates (self-signed). Tomcat asks for the client certificate when I try and connect, but - here is the problem:
> >
> > (1) I can't seem to get the client key to export properly so that I can install it in the browser; how do I get a .pfx out of the keystore?
>
> I think you are going to have to use openssl to convert the file after exporting it, http://www.mindreef.com/products/4.1/help/sslcerts.html has a little info on that but the reverse. I'm sure there are better resources but that was the first Google I saw.
>
> > (2) How can I validate which certificate store is being used by tomcat? (I made a few along the way in testing)
>
> There is a parameter (keyStoreFile?) with which you can specify the location in the Connector properties; it's detailed in one of those links you have.

The one you want is: truststoreFile.

> > (3) I set debug=3 in the SSL connector but am not seeing the SSL handshake in stdout. Is there some other way for setting debug to see the handshake?
>
> Not sure on that one.

Configure the logging category 'org.apache.tomcat.util.net.jsse' to be DEBUG (in your log4j/JDK 1.4 logging configuration). That will give you lots of Tomcat messages. If you want lower level messages, consult the JSSE docs.

> Regards,
> --
> Jason Bainbridge
> http://kde.org - [EMAIL PROTECTED]
> Personal Site - http://jasonbainbridge.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat5 and Client Certificates
Jason Bainbridge [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> On Fri, 4 Mar 2005 06:54:34 -0800, Sweeney, Bill [EMAIL PROTECTED] wrote:
> > Hello TC5 Users - I used %java-home%/bin/keytool to build the certificate store and the server and client certificates (self-signed). Tomcat asks for the client certificate when I try and connect, but - here is the problem:
> >
> > (1) I can't seem to get the client key to export properly so that I can install it in the browser; how do I get a .pfx out of the keystore?
>
> I think you are going to have to use openssl to convert the file after exporting it, http://www.mindreef.com/products/4.1/help/sslcerts.html has a little info on that but the reverse. I'm sure there are better resources but that was the first Google I saw.
>
> > (2) How can I validate which certificate store is being used by tomcat? (I made a few along the way in testing)
>
> There is a parameter (keyStoreFile?) with which you can specify the location in the Connector properties; it's detailed in one of those links you have.

The one you want is: truststoreFile.

> > (3) I set debug=3 in the SSL connector but am not seeing the SSL handshake in stdout. Is there some other way for setting debug to see the handshake?
>
> Not sure on that one.

Configure the logging category 'org.apache.tomcat.util.net.jsse' to be DEBUG (in your log4j/JDK 1.4 logging configuration). That will give you lots of Tomcat messages. If you want lower level messages, consult the JSSE docs.

> Regards,
> --
> Jason Bainbridge
> http://kde.org - [EMAIL PROTECTED]
> Personal Site - http://jasonbainbridge.com
Tomcat5 and Client Certificates
Hello TC5 Users -

I am setting up Tomcat 5 in a production environment. The requirement is to lock down the site so that only users with trusted personal certificates may access the site. I believe I have everything configured in server.xml.

    <Connector port="443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true" acceptCount="100"
               debug="3" scheme="https" secure="true" clientAuth="true"
               sslProtocol="TLS" />

I used %java-home%/bin/keytool to build the certificate store and the server and client certificates (self-signed). Tomcat asks for the client certificate when I try and connect, but - here is the problem:

(1) I can't seem to get the client key to export properly so that I can install it in the browser; how do I get a .pfx out of the keystore?

(2) How can I validate which certificate store is being used by tomcat? (I made a few along the way in testing)

(3) I set debug=3 in the SSL connector but am not seeing the SSL handshake in stdout. Is there some other way for setting debug to see the handshake?

Environment is J2sdk1.4.2_07; Tomcat 5.0.28 running as a service on Win2003 Server.

FYI - for others working with Tomcat and SSL these links are an excellent resource:

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/http.html#SSL%20Support
http://java.sun.com/webservices/docs/1.1/tutorial/doc/WebAppSecurity5.html
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html#genkeyCmd

Thanks in advance to everyone in the group !

- wjs
Re: Tomcat5 and Client Certificates
On Fri, 4 Mar 2005 06:54:34 -0800, Sweeney, Bill [EMAIL PROTECTED] wrote:
> Hello TC5 Users - I used %java-home%/bin/keytool to build the certificate store and the server and client certificates (self-signed). Tomcat asks for the client certificate when I try and connect, but - here is the problem:
>
> (1) I can't seem to get the client key to export properly so that I can install it in the browser; how do I get a .pfx out of the keystore?

I think you are going to have to use openssl to convert the file after exporting it, http://www.mindreef.com/products/4.1/help/sslcerts.html has a little info on that but the reverse. I'm sure there are better resources but that was the first Google I saw.

> (2) How can I validate which certificate store is being used by tomcat? (I made a few along the way in testing)

There is a parameter (keyStoreFile?) with which you can specify the location in the Connector properties; it's detailed in one of those links you have.

> (3) I set debug=3 in the SSL connector but am not seeing the SSL handshake in stdout. Is there some other way for setting debug to see the handshake?

Not sure on that one.

Regards,
--
Jason Bainbridge
http://kde.org - [EMAIL PROTECTED]
Personal Site - http://jasonbainbridge.com
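The three answers in this thread (Jason's "use openssl" for the .pfx, Bill Barker's truststoreFile attribute, and the org.apache.tomcat.util.net.jsse logging category) worked through as one script. This is an added example, not code from the thread, from Tomcat or from any of the posters. The sticking point in the thread is that keytool has no command that exports a private key, so the script generates the client key pair with openssl in the first place, wraps it into the .pfx the browser imports, and only puts the public certificate into the truststore Tomcat checks for clientAuth="true". Assumed, not from the thread: the file names (client.pfx, truststore.jks, server.keystore), the subject name, the placeholder passwords "clientpw" and "changeit", and keytool being on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a browser-importable client
# certificate as PKCS#12 (.pfx) with openssl, put its certificate into a
# Tomcat truststore with keytool, and print the Connector/logging settings.
# Assumptions: self-signed client certificate (as in the thread), placeholder
# passwords, hypothetical file names, keytool on the PATH.
set -e

# Create client.crt and client.pfx under $1 (the loose key is removed again).
make_client_pfx() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed client certificate; -nodes leaves the key unencrypted on disk
    # only until it is wrapped into the password-protected .pfx below.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Bill Sweeney/O=Example Corp" \
        -keyout "$dir/client.key" -out "$dir/client.crt" >/dev/null 2>&1
    # The .pfx is what the browser imports as a personal certificate.
    # OpenSSL 3 writes PBES2/AES by default; a 2005-era browser or a JDK 1.4
    # keytool needs the older algorithms, which OpenSSL 3 selects with -legacy.
    openssl pkcs12 -export -name client \
        -inkey "$dir/client.key" -in "$dir/client.crt" \
        -out "$dir/client.pfx" -passout pass:clientpw
    rm -f "$dir/client.key"
}

# Subject of the certificate inside a .pfx, to verify the bundle is readable.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin pass:clientpw -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Import the client certificate into the truststore named by truststoreFile.
# keytool -import asks "Trust this certificate?"; -noprompt answers yes,
# acceptable only because we generated the certificate ourselves.
make_truststore() {
    dir=$1
    keytool -import -noprompt -alias client -file "$dir/client.crt" \
        -keystore "$dir/truststore.jks" -storepass changeit
    # Question (2) in the thread: list what a given store actually contains.
    keytool -list -keystore "$dir/truststore.jks" -storepass changeit
}

# Connector attributes that name both stores explicitly (attribute names from
# the Tomcat 5.0 SSL HOWTO), plus the logging lines Bill Barker refers to.
print_tomcat_config() {
    dir=$1
    cat <<EOF
<Connector port="443" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$dir/server.keystore" keystorePass="changeit"
           truststoreFile="$dir/truststore.jks" truststorePass="changeit" />

# log4j.properties: Tomcat's own messages about the JSSE socket factory
log4j.logger.org.apache.tomcat.util.net.jsse=DEBUG
# logging.properties (JDK 1.4 java.util.logging) equivalent
org.apache.tomcat.util.net.jsse.level=FINE
# The handshake itself is traced by JSSE, not by Tomcat: start the JVM with
#   -Djavax.net.debug=ssl,handshake
EOF
}

if [ "${1:-}" = "run" ]; then
    work=${2:-./client-cert-demo}
    make_client_pfx "$work"
    pfx_subject "$work/client.pfx"
    command -v keytool >/dev/null 2>&1 && make_truststore "$work"
    print_tomcat_config "$work"
fi
```

Run it as `sh client-cert.sh run /tmp/demo`. The truststore only needs the certificate, so nothing secret leaves the .pfx; keep the .pfx password out of scripts in real use, and prefer a small private CA over importing each self-signed client certificate once more than a handful of users are involved.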