R: clent authentication using a smard card

2009-10-20 Thread Marcello Marangio


 -Original Message-
 From: Jason Pyeron [mailto:jpye...@pdinc.us]
 Sent: Monday, 19 October 2009 20.21
 To: 'Tomcat Users List'
 Subject: RE: clent authentication using a smard card
 
cut
 
 
 
 Do you have access to IE on windows for this? If you do, it will be much
 quicker, and easier.
 
 I am just trying to get a baseline established, so I can plow through
 with my ten steps.
 

Ok.
I did the same thing with IE and in the debug it says null cert chain
during the client authentication handshake.
Now I am confused...

M


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



R: clent authentication using a smard card

2009-10-20 Thread Marcello Marangio


 -Original Message-
 From: Jason Pyeron [mailto:jpye...@pdinc.us]
 Sent: Tuesday, 20 October 2009 12.13
 To: 'Tomcat Users List'
 Subject: RE: clent authentication using a smard card
 
 
 
 
  -Original Message-
  From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
  Sent: Tuesday, October 20, 2009 5:10
  To: 'Tomcat Users List'
  Subject: R: clent authentication using a smard card
 
 
 
   -Original Message-
   From: Jason Pyeron [mailto:jpye...@pdinc.us]
   Sent: Monday, 19 October 2009 20.21
   To: 'Tomcat Users List'
   Subject: RE: clent authentication using a smard card
  
  cut
   
   
  
   Do you have access to IE on windows for this? If you do, it will be
   much quicker, and easier.
  
   I am just trying to get a baseline established, so I can
   plow through with my ten steps.
  
 
  Ok.
  I did the same thing with IE and in the debug it says null
  cert chain during the client authentication handshake.
  Now I am confused...
 
 
 Let's step back and look.
 
 Can you provide the smart card and server certificate chain (no keys
 please)?

Hang on a second...
The server certificate is a self-signed certificate I made with keytool.
The smart card certificate, instead, is a real one that I use to legally sign
electronic documents; the issuer is an Italian CA.

Do you expect the issuer of the smart card certificate to be the same as the
server one?

How can I print out the certificate chain?
Thanks again
M

 
  M
 
 
 
 
 
 
 
 --
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 -   -
 - Jason Pyeron  PD Inc. http://www.pdinc.us -
 - Principal Consultant  10 West 24th Street #100-
 - +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
 -   -
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 This message is copyright PD Inc, subject to license 20080407P00.
 
 






R: clent authentication using a smard card

2009-10-20 Thread Marcello Marangio


 -Original Message-
 From: Jason Pyeron [mailto:jpye...@pdinc.us]
 Sent: Tuesday, 20 October 2009 13.03
 To: 'Tomcat Users List'
 Subject: RE: clent authentication using a smard card
 
  -Original Message-
  From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
   From: Jason Pyeron [mailto:jpye...@pdinc.us]
From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
 From: Jason Pyeron [mailto:jpye...@pdinc.us]
   
Ok.
I did the same thing with IE and in the debug it says null cert
chain during the client authentication handshake.
Now I am confused...
   
  
   Let's step back and look.
  
   Can you provide the smart card and server certificate chain
  (no keys
   please)?
 
  Hang on a second...
  The server certificate is a self-signed certificate I made
  with keytool.
  The smart card certificate, instead, is a real one that I use to
  legally sign electronic documents; the issuer is an Italian CA.
 
  Do you expect the issuer of the smart card certificate to be
  the same as the server one?
 
 Not always.
 
 Let's take for example:
 
 
 https://mail.pdinc.us -> PD Inc Public CA -> PD Inc Root CA
 
  and
 
 MySmartCard -> DOD EMAIL CA-15 -> DoD Root CA-2
 
 The smime cert used on this email
 
 I can use my smart card to auth against the server. But the server must
 know about DoD Root CA-2.
 


Ok. In my case:


https://localhost -> self signed certificate
and
Mysmartcard -> my certificate -> infocamere root CA

And in my trusted certificates keystore there is infocamere root CA.

Please find attached a signed text file from which you can read my cert info.

Thanks
Marcello


myfile.txt.p7m
Description: S/MIME encrypted message


clent authentication using a smard card

2009-10-19 Thread Marcello Marangio
Hi all

This is my very first message in the list.

I am trying to use the ssl and client authentication feature in tomcat 6,
using a pkcs11 compliant smart card reader and a real authentication smart
card (Italian CNS). 

In the browser (firefox) I obtain an ssl_error_certificate_unknown_alert or an
ssl_error_bad_certificate_alert.

 

SSL without client authentication works perfectly.

 

This is my server configuration:

 

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="C:\apache-tomcat-6.0.20\conf\tomcat.keystore"
           keystorePass="tomcat" keyAlias="tomcat"
           truststoreFile="C:\apache-tomcat-6.0.20\conf\cacerts"
           truststorePass="changeit"/>

 

tomcat.keystore contains the self signed x509 certificate I use to perform
the server ssl handshake.

cacerts contains the root certificate of the signature and non-repudiation
certificate contained in my smartcard.

 

From tomcat's log, obtained by setting
JAVA_OPTS=-Djavax.net.debug=ssl,handshake, I am sure that:

1)   the root certificate is trusted (imported in cacerts with keytool
-import -trustcacert .)

 

adding as trusted cert:

  Subject: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del
Sistema Camerale, SERIALNUMBER=02313821007,

 O=InfoCamere SCpA, C=IT

  Issuer:  CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del
Sistema Camerale, SERIALNUMBER=02313821007,

 O=InfoCamere SCpA, C=IT

  Algorithm: RSA; Serial number: 0x1

  Valid from Wed Mar 24 16:48:50 CET 2004 until Thu Mar 24 16:47:52 CET 2016

 

2)   The client certificate is taken from the smartcard and it's given
to the server; furthermore, the issuer is exactly the trusted one:

 

*** Certificate chain

chain [0] = [

[

  Version: V3

  Subject: CN=Marcello Marangio, DNQ=20071112354269,
SERIALNUMBER=IT:MRNMCL70C21A662D, GIVENNAME=MARCELLO, SURNAME=MARANGIO,
O=NON PRESENTE, C=IT

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Validity: [From: Wed Nov 21 12:11:08 CET 2007,

   To: Sun Nov 21 01:00:00 CET 2010]

  Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del
Sistema Camerale, SERIALNUMBER=02313821007,

O=InfoCamere SCpA, C=IT

  SerialNumber: [131b58]

 

3)   the browser (firefox) picks up the correct non repudiation
certificate from the smartcard and sends it to the server:

 

[9]: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

  Non_repudiation

]

   

 

The problem seems to be that tomcat is looking for the digital signature
certificate and not the non_repudiation one.

 

http-8443-1, SEND TLSv1 ALERT:  fatal, description = certificate_unknown

http-8443-1, WRITE: TLSv1 Alert, length = 2

http-8443-1, called closeSocket()

http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: KeyUsage does not allow digital
signatures

 

Is tomcat's behavior correct or is it a bug?

 

Thanks a million

Marcello
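
The log line "KeyUsage does not allow digital signatures" comes from the JSSE end-entity check that runs on a TLS client certificate: if the certificate carries a KeyUsage extension, the digitalSignature bit must be set, and a certificate that asserts only nonRepudiation is rejected. The Python below, an added example and not code from this thread, from Tomcat or from the JDK, decodes a DER-encoded KeyUsage extension with a minimal TLV reader and applies that rule. The extension bytes are constructed by hand for the example and are not taken from the poster's card; the function and constant names are the example's own.

```python
"""Decode an X.509 KeyUsage extension (RFC 5280, OID 2.5.29.15) and apply the
rule the JSSE end-entity checker applies to a TLS client certificate: the
digitalSignature bit must be present.

Added example, not code from the thread or from Tomcat. Sample DER bytes below
are constructed by hand, not exported from any real certificate.
"""

# KeyUsage bit names, indexed by bit number (bit 0 is the most significant
# bit of the first content byte of the BIT STRING).
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1 (called contentCommitment in newer profiles)
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]

KEY_USAGE_OID_DER = bytes.fromhex("551d0f")  # content octets of OID 2.5.29.15


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_bit_string(value):
    """Return the set of bit numbers set in a DER BIT STRING body (unused-bits octet first)."""
    unused = value[0]
    total = (len(value) - 1) * 8 - unused
    bits = set()
    for byte_index, byte in enumerate(value[1:]):
        for i in range(8):
            if byte & (0x80 >> i):
                bits.add(byte_index * 8 + i)
    # Ignore padding bits that a sloppy encoder left set.
    return {b for b in bits if b < total}


def parse_key_usage_extension(der):
    """Parse Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }.

    Returns (critical, names): names is the set of KeyUsage bit names present."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != KEY_USAGE_OID_DER:
        raise ValueError("not a KeyUsage (2.5.29.15) extension")
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional BOOLEAN 'critical' (DER omits it when FALSE)
        critical = val == b"\xff"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bitstr, _ = read_tlv(val)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    names = {KEY_USAGE_BITS[b] for b in decode_bit_string(bitstr) if b < len(KEY_USAGE_BITS)}
    return critical, names


def tls_client_auth_allowed(names):
    """The rule behind the thread's log line: a KeyUsage present on a TLS client
    certificate must include digitalSignature."""
    return "digitalSignature" in names


def check_extension(der):
    """Convenience wrapper: (critical, sorted bit names, accepted for TLS client auth)."""
    critical, names = parse_key_usage_extension(der)
    return critical, sorted(names), tls_client_auth_allowed(names)


# Constructed: critical KeyUsage with only nonRepudiation (bit 1) set, the shape
# of the qualified-signature certificate described in the thread.
SIGN_ONLY_EXT = bytes.fromhex("300e 0603551d0f 0101ff 0404 03020640")
# Constructed: critical KeyUsage with digitalSignature + nonRepudiation.
AUTH_EXT = bytes.fromhex("300e 0603551d0f 0101ff 0404 030206c0")
# Constructed: non-critical KeyUsage (BOOLEAN omitted) with digitalSignature and
# decipherOnly, which needs a two-octet BIT STRING body.
TWO_BYTE_EXT = bytes.fromhex("300c 0603551d0f 0405 0303078080")

if __name__ == "__main__":
    for label, ext in [("sign-only", SIGN_ONLY_EXT), ("auth", AUTH_EXT), ("two-byte", TWO_BYTE_EXT)]:
        print(label, check_extension(ext))
```

To run the same check against the real card certificate, export it from the browser or the card middleware and print it with `openssl x509 -in cert.pem -noout -text` or `keytool -printcert -file cert.cer`; both display the KeyUsage bits, and `openssl s_client -connect localhost:8443 -showcerts` shows the chain the server presents. A certificate whose KeyUsage includes digitalSignature (an authentication certificate rather than a qualified-signature-only one) is what the validator accepts; the root being trusted, as the log confirms, is necessary but not sufficient.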

 



R: clent authentication using a smard card

2009-10-19 Thread Marcello Marangio
Hi Jason, thanks for your answer.

 
  Hi all
 
  This is my very first message in the list.
 
  I am trying to use the ssl and client authentication feature
  in tomcat 6, using a pkcs11 compliant smart card reader and a
  real authentication smart card (Italian CNS).
 
  In the browser (firefox) I obtain a
 
 First, make sure your browser knows about the certificate and smart card
 reader.
 We have been having with recent firefox releases on this. The debugging
 steps I would take are:
 1) Use Windows / IE. If the server requires or requests a client cert it
 will pop up a selection window even if IE does not know how to fulfil the
 request. This will indicate if Tomcat is or is not requesting client certs.
 2) Verify IE knows about the smart card cert: use certmgr.msc to see if the
 smartcard certificate is installed, as well as the trust chain.
 3) Verify IE prompts for the smartcard cert in the client cert popup
 selection dialog.
 4) Verify Tomcat - IE talk over SSL.
 
 
 

It seems that firefox behaves: if the smartcard is in, firefox asks for the PIN
of the smartcard.
I am pretty sure it can read my smartcard, because I can use mod_ssl with
Apache 2.2 and I can read the certificate's information with a perl routine.

Furthermore, from the debug logs it is clear that there is an ssl
handshaking going on.
Any clue?
Thanks
M


[CUT ]

 
  Is tomcat's behavior correct or is it a bug?
 
 
 The above steps will allow a quicker diagnosis.
 
 
 
  Thanks a million
 
  Marcello
 






Re: TC6, SRV 2.5, annotations

2008-05-07 Thread Marcello Teodori

Hi, did you succeed since then in configuring a DataSource using annotations
on Tomcat6?
I did the same on the latest Tomcat 6.0.16 and I got a similar error, with
the datasource correctly configured in context.xml (checked with normal JNDI
lookup on java:comp/env/jdbc/...) and the annotation on a
ServletContextListener example.NewServletListener:

7-may-2008 12.47.09 org.apache.catalina.core.StandardContext listenerStart
SEVERE: Error configuring application listener of class
example.NewServletListener
javax.naming.NameNotFoundException: Name example.NewServletListener is not
bound in this Context
at org.apache.naming.NamingContext.lookup(NamingContext.java:770)
at org.apache.naming.NamingContext.lookup(NamingContext.java:153)
at
org.apache.catalina.util.DefaultAnnotationProcessor.lookupMethodResource(DefaultAnnotationProcessor.java:233)
at
org.apache.catalina.util.DefaultAnnotationProcessor.processAnnotations(DefaultAnnotationProcessor.java:163)

Marcello


Hassan Schroeder-2 wrote:
 
 First pass at playing with the 2.5 Servlet stuff, annotations
 specifically.
 
 On TC 6.0.7, adding this line to a test Filter:
 
   @Resource javax.sql.DataSource foo;
 
 :: causes this exception when the context is reloaded:
 
 SEVERE: Exception starting filter EnvironmentFilter
 javax.naming.NameNotFoundException: Name
 com.example.filters.EnvironmentFilter is not bound in this Context
 at org.apache.naming.NamingContext.lookup(NamingContext.java:770)
 at org.apache.naming.NamingContext.lookup(NamingContext.java:153)
 at
 org.apache.catalina.util.DefaultAnnotationProcessor.lookupFieldResource(DefaultAnnotationProcessor.java:203)
 at
 org.apache.catalina.util.DefaultAnnotationProcessor.processAnnotations(DefaultAnnotationProcessor.java:135)
 
 (That seems like the most relevant part of the stacktrace...)
 
 Using standard name-based lookup of foo works fine. I added a
 metadata-complete=false to the web.xml declaration just to be on
 the safe side, but no change. The Filter is declared and mapped in
 web.xml in the usual way, and works fine sans annotation.
 
 Anyone using this successfully? TIA!
 -- 
 Hassan Schroeder  [EMAIL PROTECTED]
 
 -
 To start a new topic, e-mail: users@tomcat.apache.org
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
 
 






JSP/Servlets and SSL access

2007-12-06 Thread Marcello Maggioni
Hi.

I'm implementing an Access control system on a Web Application with Tomcat

As of now the login.jsp passes the username and the password to the Servlet
that manages the login in clear text. I would like to add security in the
login process using SSL to encrypt the data.

How can I make the user enter the login.jsp using SSL? Tomcat is already
configured for SSL support (using https://URL/login.jsp works).

I want to use SSL only for the login process (so I would like to connect to
login.jsp via SSL, switching from http to https automatically, and then revert
to http when done).

I have two problems in doing this :

1) I don't know how to automatically switch to SSL when login.jsp is
requested. I've tried by setting security-constraint in the web.xml and it
somehow works (when login.jsp is selected it automatically switches to SSL),
but then it doesn't turn back to clear HTTP and remains in SSL for the other
pages too.

2) I heard that switching from SSL to non-SSL connection invalidates the
current session. This is a problem, because my login implementation uses the
session to store login details. Do you know solutions to this?

Thanks for your help. I've spent many hours trying to understand what to
do, but when it comes to SSL the information is quite confusing.

Marcello Maggioni
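
As an added example (not the poster's configuration), this is the web.xml and server.xml shape that produces the behaviour described in point 1: a security-constraint with a CONFIDENTIAL transport guarantee makes Tomcat redirect a plain-http request for the constrained resources to the HTTP connector's redirectPort. Tomcat only ever upgrades to https this way; it never redirects back, so once the browser is on https, relative links keep it there, which is what the poster observed. The path /LoginServlet is a hypothetical name for the servlet that receives the login form.

```xml
<!-- web.xml (added example): require HTTPS for the login page and the servlet
     that receives the credentials; everything else is left unconstrained. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
    <url-pattern>/LoginServlet</url-pattern>   <!-- hypothetical servlet path -->
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- server.xml (added example): the plain connector must know where to send
     the redirect; 8443 is the SSL connector the poster already has. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
```

On point 2: Tomcat does not invalidate a session when the scheme changes, but a session cookie created over https is marked Secure, so the browser will not present it on a later plain-http request and the session appears lost. That is the protective behaviour: a session id that identifies an authenticated user would otherwise travel in clear on every http request and could be captured as easily as the password the SSL login was meant to protect. The design that avoids both problems is to keep the whole authenticated part of the application under the CONFIDENTIAL constraint rather than reverting to http after login.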


How to compile from source

2007-07-07 Thread Marcello Pucci

I've just completed the steps required to build apache-tomcat-5.5 from source;
the next step should be to install all required binary files in the
final distribution directory, e.g. /opt/apache-tomcat-5.5/

How can I achieve this goal? I don't want to copy all the unnecessary source
(.java) files.

I can't find any dist target in the build.xml file coming from the svn source
repository.

Can you help me? Thanks in advance.

Ciao




Re: Don't work :(

2006-07-19 Thread Marcello

Checked your browser proxy settings yet?
Hi.

Bernardo Martin wrote:

hi list,

I have a rare problem with jakarta-tomcat 5.5.17.

I installed jdk1.5.0_07 first, httpd 2.2.0 second and jakarta tomcat
5.5.17 at the end on suse 9.0. I edited /etc/profiles where it was
necessary, but when I do

/usr/local/apache/bin/apachectl start (any error)

apache works at 127.0.0.1:80 in the web browser

/usr/local//apache-tomcat-5.5.17/bin/startup.sh
Using CATALINA_BASE:   /usr/local/apache-tomcat-5.5.17
Using CATALINA_HOME:   /usr/local/apache-tomcat-5.5.17
Using CATALINA_TMPDIR: /usr/local/apache-tomcat-5.5.17/temp
Using JRE_HOME:   /usr/lib/java/jre

the web browser can't connect to 127.0.0.1:8080

The firewall is down.

what happened?

Thanks


