Custom Realm

2010-08-29 Thread Michael Dockery
I need to override a single method in a standard tomcat6 realm for a particular 
webApp/context.    


The method:   RealmBase.getPrincipal(X509Certificate usercert)


Q1) Should I create a new custom realm (..subClass of RealmBase) which is 
based-on/copied-from the original/standard tomcat realm?   


Q2) what all classes will I need in my new custom realm?  (...only  
MyCustomRealm class itself? )

Q3) Should I reference my new realm  via my webapp's META-INF/context.xml file?

Q4) Should I put my realm class(es) in a jar inside the tomcat6/lib directory?


...I am new to tweaking realms, so I appreciate the feedback.


  

Re: CLIENT-AUTH x509 attribute mapping to user name

2010-08-27 Thread Michael Dockery
Our usernames are not named 
 exactly the same 
   as the x509 cert 'subject' attr.  (or any other attr)

I was hoping i could do some mapping
  to match a client cert (attr)
   to an existing tomcat username

...perhaps 
 similar to the way it appears CAS does

https://wiki.jasig.org/display/CASUM/X.509+Certificates





From: "Caldarale, Charles R" 
To: Tomcat Users List 
Sent: Fri, August 27, 2010 1:12:24 PM
Subject: RE: CLIENT-AUTH x509 attribute mapping to user name

> From: Michael Dockery [mailto:dockeryjava...@yahoo.com] 
> Subject: CLIENT-AUTH x509 attribute mapping to user name

> Can anyone tell me what class.method 

> Can anyone tell me what Tomcat version you're using?

>  which I would need to override
>  to map a client x509 cert subject/dn attribute
>    to a valid tomcat username (in memory realm or otherwise)

Why can't you just use an  of CLIENT-CERT in the 
 
for your webapp and let the container take care of it?  (Hint: read the servlet 
spec.)  Also check this wiki entry:

http://wiki.apache.org/tomcat/SSLWithFORMFallback

- Chuck






  

CLIENT-AUTH x509 attribute mapping to user name

2010-08-27 Thread Michael Dockery
Can anyone tell me what class.method 
 which I would need to override
  to map a client x509 cert subject/dn attribute
    to a valid tomcat username (in memory realm or otherwise)
 
I assume the authenticator method 
  or perhaps the login method...


  

CLIENT-AUTH x509 attribute mapping to user name

2010-08-27 Thread Michael Dockery
Can anyone tell me what class/method i would need to override
 to map a client x509 cert subject/dn attribute
  to a valid tomcat username (in memory realm or otherwise)

I assume the authenticator method 
 or perhaps the login method...
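The Custom Realm post above names the method, RealmBase.getPrincipal(X509Certificate), that answers this question; what follows is an added example (not code from the thread or from Tomcat) of a Tomcat 6 realm overriding it so a client cert is matched to an existing Tomcat user by its subject CN rather than by the full DN. It assumes UserDatabaseRealm (tomcat-users.xml) as the base realm, the hypothetical package com.example.realm, and CN as the attribute to match; the wiring noted in the class comment (Realm element in the webapp's META-INF/context.xml, jar in tomcat6/lib) is likewise an assumption.

```java
package com.example.realm;   // hypothetical package, not from the thread

import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.catalina.realm.UserDatabaseRealm;

/**
 * Tomcat 6 realm that behaves like UserDatabaseRealm except that a client
 * certificate is matched to a user by its subject CN instead of the full
 * subject DN (the RealmBase default). Trust in the chain is still decided by
 * the connector's truststoreFile; the inherited authenticate(X509Certificate[])
 * runs before this method is reached.
 *
 * Assumed wiring: referenced from the webapp's META-INF/context.xml as
 *   <Realm className="com.example.realm.CnMappingRealm" resourceName="UserDatabase"/>
 * with the class packaged in a jar under tomcat6/lib.
 */
public class CnMappingRealm extends UserDatabaseRealm {
    @Override
    protected Principal getPrincipal(X509Certificate usercert) {
        // RFC 2253 form of the subject, e.g. CN=jdoe,OU=Users,O=Example
        String dn = usercert.getSubjectX500Principal().getName();
        String cn = extractCn(dn);
        if (cn == null) {
            return null;   // no usable CN: not authenticated, no guessing
        }
        // Inherited name lookup against tomcat-users.xml; null = auth failure
        return getPrincipal(cn);
    }

    /** Leaf-most CN value in an RFC 2253 DN, or null if absent or malformed. */
    static String extractCn(String dn) {
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns(); // index 0 is root-most
            for (int i = rdns.size() - 1; i >= 0; i--) {
                if ("CN".equalsIgnoreCase(rdns.get(i).getType())) {
                    return rdns.get(i).getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // malformed DN: fall through and report no mapping
        }
        return null;
    }
}
```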


  

Re: Installing certificate chain on Tomat

2010-04-12 Thread Michael Dockery
in my case, i am testing with clients authenticating to tomcat with dod cac 
cards. (smartcards)

i downloaded the dod root p7b cert files

i checked/verified the root cert for the client cac card certs, 
 matched the dod root certs (in the p7b files)

i extracted ONLY the root certs from each p7b file 
  into x.509 base64_encoded .cer files


then i imported ONLY those dod x509 root certs into tomcat's truststorefile


now when a client browses to tomcat, it tries to authenticate with the 
client-cert (from the cac card)

because tomcat has the root for the client cert loaded into its truststore,   
 and the matching client cert "subject" name (i.e. user)  loaded in its auth 
realm  
    the client is therefore authenticated

i have more to do but that much is working.




From: Christopher Schultz 
To: Tomcat Users List 
Sent: Mon, April 12, 2010 9:32:32 AM
Subject: Re: Installing certificate chain on Tomat


/U,

On 4/10/2010 3:31 PM, /U wrote:
>                    maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/users/me/.keystore" keystorePass="changeit"
>      />

Are you using APR (aka Tomcat native)?

> I have received the following keys/certs from CA:
>    - file1: private key for myhost
>    - file2: identity certificate for "myhost" signed by "CA1"
>    - file3: certificate for "CA1" signed by "entrust"
> 
> I installed private key (file1) and "myhost" cert (file2) into
> /users/me/.keystore
> using the ImportKey utility.
> I installed the CA1's certificate into "/users/me/.keystore" using keytool.
> My keytool looks like this:
>    $ keytool -list -keystore /users/me/.keystore 
>    <...password...>

Heh... you mean it's not "changeit"? :)

>    Keystore type: JKS
>    Keystore provider: SUN
> 
>    Your keystore contains 2 entries

Shouldn't that be 3 entries?

>    CA1, Apr 10, 2010, trustedCertEntry,
>    Certificate fingerprint (MD5):
> 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
>    tomcat, Apr 10, 2010, PrivateKeyEntry, 
>    Certificate fingerprint (MD5):
> CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50

What about the "entrust" one?

> I did not install any certificates into truststore
> (jre/lib/security/cacerts).
> 
> When I connect browser to https://myhost, i get a cert error that
>    "myhost" is signed by "CA1" and cannot be trusted.
> Browser shows only one cert (for "myhost") and does not show the full
> cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
> Why is the full cert chain not sent to browser?

Because you haven't provided the whole certificate chain to Tomcat.
Tomcat can only send what it already has.

> Since "entrust" CA cert is in browser CA list, if tomcat send full cert
> chain
> to browser, it would be trusted.

Maybe, maybe not. It's possible that the real cert chain goes like this:

myhost -> CA1 -> Entrust -> Entrust Global

If your browser only knows about the "Entrust Global" cert, then your
chain is broken.

Did you follow the instructions on Entrust's web site?

http://www.entrust.net/knowledge-base/technote.cfm?tn=7559
(for chain certs)

http://www.entrust.net/knowledge-base/technote.cfm?tn=7583
(for bare certs, I guess)

Perhaps they are the ones to ask about this.

You might want to ask why they don't "support" a version of Tomcat after
4.1.

- -chris



  

Re: Installing certificate chain on Tomat

2010-04-10 Thread Michael Dockery
i had to install my ca root certs in a keystore specified/referenced by the 
"truststorefile" parameter
  NOT the keystorefile parm




From: /U 
To: users@tomcat.apache.org
Sent: Sat, April 10, 2010 10:07:47 AM
Subject: Re: Installing certificate chain on Tomat


hello Pid,

am i right in assuming that the identity certificate+private key is
installed
in  keystoreFile of the SSL connector (C:\keystore below) and the CA 
certificate chain is installed in jre/lib/security/cacerts?

 


any assistance appreciated,

/U


-Original Message-
> From: "/U" [uma...@comcast.net]
> Date: 04/10/2010 12:02 AM
> To: users@tomcat.apache.org
> Subject: Re: Installing certificate chain on Tomat
>
> Note: Original message sent as attachment
>










  

Re: smartcards for tomcat webapps

2010-04-07 Thread Michael Dockery
Thank you.

So did you load the ca root cert (self-signed "top of chain") into the 
truststorefile?   via keytool?

also

does your web app's web.xml have the following?
  
CLIENT-CERT

and

...

CONFIDENTIAL

 





From: Goo Sam Kong 
To: Tomcat Users List 
Sent: Tue, April 6, 2010 10:21:49 PM
Subject: Re: smartcards for tomcat webapps

On 6 April 2010 20:39,   wrote:
> Anyone using smartcards for auth?
>
> If so, have specific example code excerpt and server.xml?
The minimum configuration change required for the HTTPS connector in
server.xml is to add the attributes below and amend the value of the clientAuth
attribute from false to true or want.

1. truststoreFile
2. truststorePass
3. truststoreType




No code change is required on the server side.

Refer to http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html for
SSL configuration in server.xml.



  

ms sql integrated auth woes

2010-04-03 Thread Michael Dockery
I get this error when my webapp on tomcat6 connects to ms sql via 1.2 jdbc 
driver using integrated auth.



com.microsoft.sqlserver.jdbc.SQLServerException: This driver is not configured 
for integrated authentication.

i have the sqljdbc_auth.dll in win\sys32 and other places

then it all works when i restart tomcat

but when i redeploy the webapp, i get the error.

i saw a thread dealing with native libs or dlls only being loadable once or such


any ideas?


  

Re: How to get java process id of a user running tomcat

2009-12-03 Thread Michael Dockery
i agree with Chuck
 and would add these commands for consideration on a windows box

netstat -ano will show the pid of any java job which is tied to a tcp port

likewise (on windows only):

 wmic process get /all /value

   is another win vista/win7/xp pro+ command
 which will show all the output from all pids
   including the command line options

or more specifically something like this:

 wmic process where "commandline like '%java%'" get commandline, processid

hope this helps someone out there




From: "Caldarale, Charles R" 
To: Tomcat Users List 
Sent: Wed, December 2, 2009 9:32:18 AM
Subject: RE: How to get java process id of a user running tomcat

> From: Pierre Goupil [mailto:goupilpie...@gmail.com]
> Subject: Re: How to get java process id of a user running tomcat
> 
> " jps -mlv " will give you the PIDs of all running Java processes. Plus
> it's a part of the standard SUN JVM.

But not for the OP, who is running an unsupported version of Tomcat on an 
unsupported JVM that predates the jps tool.  As Pid suggested, the correct 
thing to do is to fix the webapp so it properly manages the threads it has 
started.  Attack the problem, not the symptom.

- Chuck




  

Re: SSL only working on localhost

2009-12-03 Thread Michael Dockery
problem solved

the firewall exceptions were not config'ed correctly

it seems the 443 inbound packet was hitting the box
but not hitting tomcat itself (due to fw dropping the packets)

i do however wonder for future ref,
 the best way to turn more logging-on for ssl

(even though in this case, logging would not have helped much
   ...except it would have been more obvious 
   that tomcat was NOT seeing the ssl attempts by the remote 
clients at all )

better logging ideas are welcomed.
  (as this might benefit others also)

I was hoping the global "debug" logging level 
 would have shown a bit more on the ssl connections, etc
  ...but i dont think it did that


fyi
Tomcat 6.0.13 
Java  1.6.017





From: Guifre Bosch Fabregas 
To: Tomcat Users List ; p...@pidster.com
Sent: Wed, December 2, 2009 8:13:58 AM
Subject: Re: SSL only working on localhost

Can you see your page from another computer without SSL?
What's your OS?
Is it possible that "the problem" is the firewall? Can you see that ports 80
and 443 are open?




2009/12/2 Pid 

> On 02/12/2009 12:41, Michael Dockery wrote:
>
>>
>>
>>
>>
>> I have gotten ssl w/self-signed cert
>>   working on tomcat 6 a few times in the past.
>>
>> I am trying it again on a different server
>>
>> I am using port 443
>>
>>
>> when i attempt https://localhost
>>   via a browser on the server itself
>> the browser is properly presented with the cert warning (as i
>> expected)
>>
>> however, when i try to access https from another computer,
>>  it just hangs... (and therefore NO cert warning)
>>
>> i have wiresharked the server, and can see the inbound 443 connections,
>>  so the firewall does not seem to be the issue.
>>(note: the other computers are on the same subnet/lan)
>>
>> i have tried browsing to the servers ip, netbios name, fqdn/dns
>>   with always the same result (below):
>> ---http is fine (the home page appears)
>> ---however httpS  does not do anything
>> (unless i browse from the server itself to itself)
>>
>> further the logs do not show anything interesting
>>  and i have the log level set to debug.
>>
>> ideas?
>>
>
> Idea: describe Tomcat, JVM, OS - precise versions please.
> Supply server.xml in use, comments removed.
>
>
> p
>



  

SSL only working on localhost

2009-12-02 Thread Michael Dockery




I have gotten ssl w/self-signed cert
  working on tomcat 6 a few times in the past.

I am trying it again on a different server

I am using port 443


when i attempt https://localhost
  via a browser on the server itself
the browser is properly presented with the cert warning (as i expected)

however, when i try to access https from another computer, 
 it just hangs... (and therefore NO cert warning)

i have wiresharked the server, and can see the inbound 443 connections,
 so the firewall does not seem to be the issue.
   (note: the other computers are on the same subnet/lan)

i have tried browsing to the servers ip, netbios name, fqdn/dns 
  with always the same result (below):
---http is fine (the home page appears)
---however httpS  does not do anything
(unless i browse from the server itself to itself)

further the logs do not show anything interesting
 and i have the log level set to debug.

ideas?