Re: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
Hi,

Thanks for your response. Can you pls let me know the exact location where I am supposed to configure the realm in server.xml?

If I place the configuration in tomcat_base/conf/web.xml, the configuration is applicable for all the web apps. I want all the web applications to be protected.

Thanks
Dhaya

On Sun, May 4, 2014 at 8:27 AM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2014-05-04 3:31 GMT+04:00 Dhayanidhi sundaramoorthi <dhayamoorthi2...@gmail.com>:
>> Hi,
>>
>> In Tomcat7, we are trying to do client certificate authentication using datasource realm. But it fails. Please find the configuration below:
>>
>> server.xml:
>>
>> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
>> <Server port="8005" shutdown="SHUTDOWN">
>>   <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
>>   <Listener className="org.apache.catalina.core.JasperListener"/>
>>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
>>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
>>   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
>>   <!--
>>   <GlobalNamingResources>
>>     <Resource auth="Container" description="User database that can be updated and saved"
>>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>               name="UserDatabase" pathname="conf/tomcat-users.xml"
>>               type="org.apache.catalina.UserDatabase"/>
>>   </GlobalNamingResources>
>>   -->
>>   <Service name="Catalina">
>>     <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="1"
>>                keyAlias="masfed_server_dit"
>>                keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks"
>>                keystorePass="sso@di"
>
> It is a public list, do you know? You may want to change your passwords.
>
>>                maxThreads="150" port="8443"
>>                protocol="org.apache.coyote.http11.Http11Protocol"
>>                scheme="https" secure="true" server="Server" sslProtocol="TLS"
>>                truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
>>                truststorepass="sso@di" enablelookups="false"/>
>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
>>     <Engine defaultHost="localhost" name="Catalina">
>>       <GlobalNamingResources>
>>         <Realm className="org.apache.catalina.realm.DataSourceRealm"
>>                dataSourceName="jdbc/FederationDS" userTable="T_USER"
>>                userNameCol="USERNAME" userCredCol="PASSWORD"
>>                userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME"
>>                debug="99" allRolesMode="authOnly"/>
>
> This is a wrong place for a Realm element. Here it will be silently ignored.
>
> When parsing server.xml only known and expected XML elements are recognized. All others are silently ignored.
>
> I do not see a DataSource configuration anywhere.
>
>>       </GlobalNamingResources>
>>       <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
>>         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>>                pattern="%h %l %u %t &quot;%r&quot; %s %b"
>>                prefix="localhost_access_log." suffix=".txt"/>
>>       </Host>
>>     </Engine>
>>   </Service>
>> </Server>
>>
>> security role configuration tomcat_base/conf/web.xml:
>
> The conf/web.xml file is a wrong place for your configuration. It should be in your webapp's own WEB-INF/web.xml file, not in the global one.
>
>> <security-role>
>>   <role-name>masFedClient</role-name>
>> </security-role>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>all</web-resource-name>
>>     <url-pattern>/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>masFedClient</role-name>
>>   </auth-constraint>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>> <login-config>
>>   <auth-method>CLIENT-CERT</auth-method>
>>   <!-- <realm-name>tomcat-users</realm-name> -->
>>   <realm-name>jdbc/FederationDS</realm-name>
>
> The realm-name is the message shown to users when using DIGEST or BASIC authentication. It has no relation to Tomcat's realms.
>
>> </login-config>
>>
>> Database has all the required tables and columns.
>>
>> (...)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
Hi,

I have moved the realm configuration inside the Host tag:

<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         pattern="%h %l %u %t &quot;%r&quot; %s %b"
         prefix="localhost_access_log." suffix=".txt"/>
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/FederationDS" userTable="T_USER"
         userNameCol="USERNAME" userCredCol="PASSWORD"
         userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME"
         debug="99" allRolesMode="authOnly"/>
</Host>

Still I get the same error, mentioned below.

May 04, 2014 11:10:11 AM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found: masFedClient
May 04, 2014 11:10:11 AM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking for all roles mode: authOnly
May 04, 2014 11:10:11 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed accessControl() test

Please suggest.

Thanks
Dhaya

On Sun, May 4, 2014 at 10:40 AM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2014-05-04 17:24 GMT+04:00 Dhayanidhi sundaramoorthi <dhayamoorthi2...@gmail.com>:
>> Hi,
>>
>> Thanks for your response. Can you pls let me know the exact location where I am supposed to configure the realm in server.xml?
>
> It belongs to a container (Context, Host or Engine). In server.xml that will be Host or Engine.
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html
>
>> If I place the configuration in tomcat_base/conf/web.xml, the configuration is applicable for all the web apps. I want all the web applications to be protected.
>
> If you know what you are doing... OK.
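Putting the two answers in this thread together (the Realm has to be a child of Engine, Host or Context, and a DataSourceRealm needs a JNDI DataSource to look up), the following server.xml skeleton shows both in the places Tomcat 7 expects them. This is an added example, not configuration from the thread or from Tomcat's own default server.xml: the JDBC driver class, URL, database credentials and keystore passwords are placeholders, the pool sizes are assumptions, and the AJP connector is left out because it is not relevant to the problem.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the poster's file): only the parts relevant to a
     DataSourceRealm with CLIENT-CERT authentication are shown. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- The DataSource the realm refers to by name. With the realm's default
       localDataSource="false" the lookup happens in the *global* JNDI
       context, so the Resource belongs here. Driver, URL and credentials
       are placeholders (assumptions); the pool settings are Tomcat 7 DBCP
       attribute names with assumed values. -->
  <GlobalNamingResources>
    <Resource name="jdbc/FederationDS"
              auth="Container"
              type="javax.sql.DataSource"
              driverClassName="PLACEHOLDER_JDBC_DRIVER_CLASS"
              url="PLACEHOLDER_JDBC_URL"
              username="PLACEHOLDER_DB_USER"
              password="PLACEHOLDER_DB_PASSWORD"
              maxActive="20" maxIdle="5" maxWait="10000"/>
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- Same connector as in the thread, with the documented camel-case
         attribute names (truststoreFile, truststorePass) and the default
         connectionTimeout of 20000 ms; the thread's value of 1 is one
         millisecond. Passwords are placeholders. -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="true"
               keyAlias="masfed_server_dit"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks"
               keystorePass="PLACEHOLDER_KEYSTORE_PASSWORD"
               truststoreFile="/opt/ADP/keystores/masfed_server_dit.jks"
               truststorePass="PLACEHOLDER_TRUSTSTORE_PASSWORD"
               maxThreads="150" connectionTimeout="20000"/>

    <Engine name="Catalina" defaultHost="localhost">
      <!-- The Realm is a direct child of Engine (it could equally be a child
           of Host or of a Context). Inside GlobalNamingResources, as in the
           thread, Tomcat does not recognise it and silently drops it.
           LockOutRealm is the wrapper the thread's commented-out block used;
           it throttles repeated failures for the same user name. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/FederationDS"
               localDataSource="false"
               userTable="T_USER"           userNameCol="USERNAME"
               userCredCol="PASSWORD"
               userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME"
               allRolesMode="authOnly"/>
      </Realm>
      <!-- No debug="99": Tomcat 7 realms have no debug attribute. Log
           levels are set in conf/logging.properties instead. -->

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>
```

Two things the thread's logs make clear are worth checking against this layout. First, the user name the realm looks up is exactly the string logged after "Got user name from X509 certificate:", that is, the certificate's full subject DN; the rows in T_USER.USERNAME and T_USER_ROLES.USERNAME have to hold that same string, and "No role found: masFedClient" is what the role query returns when no row matches it. If the DN is not what the database is keyed on, the documented Realm attribute X509UsernameRetrieverClassName names a class implementing org.apache.catalina.realm.X509UsernameRetriever that derives the user name differently. Second, allRolesMode only matters for an auth-constraint that names the special role `*`; with masFedClient named explicitly it does not change the outcome. The FINE lines in the thread come from the org.apache.catalina.realm and org.apache.catalina.authenticator loggers, so `org.apache.catalina.realm.level = FINE` and `org.apache.catalina.authenticator.level = FINE` in conf/logging.properties are the settings that produce them.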
Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
Hi,

In Tomcat7, we are trying to do client certificate authentication using datasource realm. But it fails. Please find the configuration below:

server.xml:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <!--
  <GlobalNamingResources>
    <Resource auth="Container" description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              name="UserDatabase" pathname="conf/tomcat-users.xml"
              type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
  -->
  <Service name="Catalina">
    <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="1"
               keyAlias="masfed_server_dit"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks"
               keystorePass="sso@di" maxThreads="150" port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               scheme="https" secure="true" server="Server" sslProtocol="TLS"
               truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
               truststorepass="sso@di" enablelookups="false"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina">
      <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" resourceName="UserDatabase"/> -->
      <!--
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      -->
      <GlobalNamingResources>
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/FederationDS" userTable="T_USER"
               userNameCol="USERNAME" userCredCol="PASSWORD"
               userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME"
               debug="99" allRolesMode="authOnly"/>
      </GlobalNamingResources>
      <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"
               prefix="localhost_access_log." suffix=".txt"/>
      </Host>
    </Engine>
  </Service>
</Server>

security role configuration tomcat_base/conf/web.xml:

<security-role>
  <role-name>masFedClient</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>masFedClient</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <!-- <realm-name>tomcat-users</realm-name> -->
  <realm-name>jdbc/FederationDS</realm-name>
</login-config>

Database has all the required tables and columns. But authentication fails with the below mentioned error:

FINE: Checking validity for '$'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
FINE: Got user name from X509 certificate: $$
May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test

For security purposes, I had made the certificate CN name as $$.

The error message does not tell why the authentication is failing. Do I need to enable additional logs? If so, how do I enable them?

Request your help in fixing this issue. Any help would be highly appreciated.

Thanks
Dhaya
Re: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
Hi,

Please find the meaningful log again.

FINE: Authenticating client certificate chain
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=ssodemo01.es.ad.adp.com, OU=DataExchange, ADP Technologies, O=Automatic Data Processing, Inc, STREET=1 ADP Blvd., L=Roseland, ST=New Jersey, POSTALCODE=07068, C=US, SERIALNUMBER=0568328, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase getPrincipal
FINE: Got user name from X509 certificate: CN=ssodemo01.es.ad.adp.com, OU=DataExchange, ADP Technologies, O=Automatic Data Processing, Inc, STREET=1 ADP Blvd., L=Roseland, ST=New Jersey, POSTALCODE=07068, C=US, SERIALNUMBER=0568328, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
May 03, 2014 8:11:00 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test

Desc T_User
Name         Null      Type
------------ --------- ----------
USERNAME     NOT NULL  CHAR(1000)
PASSWORD               CHAR(24)
DESCRIPTION            CHAR(500)

Desc T_Roles
Name         Null      Type
------------ --------- ----------
ROLENAME     NOT NULL  CHAR(100)
DESCRIPTION            CHAR(250)

Desc T_User_Roles
Name         Null      Type
------------ --------- ----------
USERNAME               CHAR(1000)
ROLENAME     NOT NULL  CHAR(100)

Appreciate your help and support.
Thanks
Dhaya

On Sat, May 3, 2014 at 8:37 PM, Martin Gainty <mgai...@hotmail.com> wrote:
> > Date: Sat, 3 May 2014 19:31:17 -0400
> > Subject: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
> > From: dhayamoorthi2...@gmail.com
> > To: users@tomcat.apache.org
> >
> > (...)