Re: [EXTERNAL] Using CLIENT-CERT

2018-04-11 Thread Amit Pande
Thank you so much Chris and Mark! Sincerely appreciate the inputs.

Sent from my iPhone


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [EXTERNAL] Using CLIENT-CERT

2018-04-11 Thread Christopher Schultz
Mark and Amit,

On 4/10/18 2:21 AM, Mark Thomas wrote:
> On 9 April 2018 23:29:43 BST, Amit Pande  wrote:
>> Some more debugging here and I got some stuff working here.
>>
>> Only one question:
>>
>> It is not really clear from the documentation of "clientAuth"
>>
>> "Set to true if you want the SSL stack to require a valid certificate
>> chain from the client before accepting a connection. Set to want if you
>> want the SSL stack to request a client Certificate, but not fail if one
>> isn't presented. A false value (which is the default) will not require
>> a certificate chain unless the client requests a resource protected by
>> a security constraint that uses CLIENT-CERT authentication. See the SSL
>> HowTo for an example. That SSL HowTo also contains tips on using
>> per-user or per-session certificate-based clientAuth."
>>
>> So, if I am using a clientAuth="false" and relying on "CLIENT-CERT"
>> configuration, does that mean browsers won't prompt users to supply the
>> certificate when a protected resource is accessed?
> 
> In that scenario the browser will prompt the user for a certificate if 
> everything is correctly configured.
> 
> However, it is possible that the browser will determine that it has no 
> matching certificates and therefore decide not to display the certificate 
> prompt.

Also, sometimes browsers will "remember" your choice from a prior
interaction during the same browser session. So for example if you have
clientAuth="want" and you press "No/Cancel/[escape]/[close window]" the
browser may "remember" that you don't want to present a certificate.

-chris




Re: [EXTERNAL] Using CLIENT-CERT

2018-04-10 Thread Mark Thomas
On 9 April 2018 23:29:43 BST, Amit Pande  wrote:
>Some more debugging here and I got some stuff working here.
>
>Only one question:
>
>It is not really clear from the documentation of "clientAuth"
>
>"Set to true if you want the SSL stack to require a valid certificate
>chain from the client before accepting a connection. Set to want if you
>want the SSL stack to request a client Certificate, but not fail if one
>isn't presented. A false value (which is the default) will not require
>a certificate chain unless the client requests a resource protected by
>a security constraint that uses CLIENT-CERT authentication. See the SSL
>HowTo for an example. That SSL HowTo also contains tips on using
>per-user or per-session certificate-based clientAuth."
>
>So, if I am using a clientAuth="false" and relying on "CLIENT-CERT"
>configuration, does that mean browsers won't prompt users to supply the
>certificate when a protected resource is accessed?

In that scenario the browser will prompt the user for a certificate if 
everything is correctly configured.

However, it is possible that the browser will determine that it has no matching 
certificates and therefore decide not to display the certificate prompt.

Mark




Re: [EXTERNAL] Using CLIENT-CERT

2018-04-09 Thread Amit Pande
Some more debugging here and I got some stuff working.

Only one question:

It is not really clear from the documentation of "clientAuth":

"Set to true if you want the SSL stack to require a valid certificate chain 
from the client before accepting a connection. Set to want if you want the SSL 
stack to request a client Certificate, but not fail if one isn't presented. A 
false value (which is the default) will not require a certificate chain unless 
the client requests a resource protected by a security constraint that uses 
CLIENT-CERT authentication. See the SSL HowTo for an example. That SSL HowTo 
also contains tips on using per-user or per-session certificate-based 
clientAuth."

So, if I am using a clientAuth="false" and relying on "CLIENT-CERT" 
configuration, does that mean browsers won't prompt users to supply the 
certificate when a protected resource is accessed?

Is it because, in the case of "CLIENT-CERT", the client is always expected to supply 
a certificate? If yes, is there any recommended practice for configuring the browser 
for this? Or does the application need to take care of supplying one when accessing 
such a protected resource?

Appreciate your inputs.






Using CLIENT-CERT

2018-04-08 Thread Amit Pande
I am trying to set up Tomcat (8.5.28) and the web app correctly in order to get 
mutual authentication (using client certificates) done, but only for some 
resources and not all.

For instance, I have an “authenticate” API for which I want to enable client 
certificate authentication. So, I want only the “/authenticate” URL to ask for a 
client certificate from the browser.

I want to first validate if this client certificate is issued by a trusted CA. 
If yes, accept the request and invoke the “/authenticate” business logic which 
further validates the certificate/user against our own user database.

Looking at the Tomcat documentation, “clientAuth=want” in server.xml seemed a 
potential option, but the issue with that is that it results in asking for a 
user certificate for all the URLs being invoked from the browser (unless we 
tell the browser to remember the decision). Also, this approach results in 
renegotiation for every request.

This is when I came across the “CLIENT-CERT” alternative, which can be configured 
only for certain URLs (e.g. “/authenticate” in my case). However, I am not able 
to get it configured as expected. I issued a client certificate and imported it into 
the browser, but I am still unable to get the browser pop-up which asks for the 
certificate to be sent. Debugging at the SSL level did not yield much.

https://stackoverflow.com/questions/41438536/protecting-webresource-in-tomcat-8-5-with-client-cert

This is the link that most closely matches the requirement, and I saw Chris’ input 
there. However, with


<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       allRolesMode="authOnly"
       resourceName="UserDatabase" />

in server.xml

and

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Secure Area</web-resource-name>
    <url-pattern>/authenticate</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

in my web app’s web.xml:

When I access the URL from the browser, I expected to see a dialog asking for a 
client certificate and then a successful invocation of “/authenticate”. 
However, from the browser I don’t get a pop-up, and I get an HTTP 401 with the 
message below.


Message Cannot authenticate with the provided credentials

Description The request has not been applied because it lacks valid 
authentication credentials for the target resource.


Appreciate your help on this.

Thanks,
Amit
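The configuration the thread is working towards, written out as an added example (not Amit's posted config and not Tomcat's own documentation): an HTTPS Connector with clientAuth="false" and a truststore holding the client CA, the Realm from the Stack Overflow answer, and a web.xml that protects only /authenticate with CLIENT-CERT. Port, file names and passwords are placeholders.

```xml
<!-- server.xml (Tomcat 8.5, legacy Connector attributes as used in the thread).
     clientAuth="false": the initial handshake does not request a client
     certificate; Tomcat renegotiates to ask for one only when a request hits
     a CLIENT-CERT security constraint. The truststore must hold the CA that
     issued the client certificates: the server sends the DNs from it in its
     CertificateRequest, and a browser with no certificate chaining to one of
     those DNs may silently skip the selection prompt (Mark's point above). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/server-keystore.jks" keystorePass="PLACEHOLDER"
           truststoreFile="conf/client-ca-truststore.jks"
           truststorePass="PLACEHOLDER" />

<!-- server.xml: the Realm from the Stack Overflow answer. SSLAuthenticator
     hands the presented chain to the Realm, which by default uses the
     certificate's Subject DN as the username; if no such user exists in
     tomcat-users.xml the result is the same 401 ("Cannot authenticate with
     the provided credentials") as when no certificate is sent at all. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       allRolesMode="authOnly"
       resourceName="UserDatabase" />

<!-- web.xml: only /authenticate asks for a certificate; every other URL on
     this connector is served over TLS without one. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Secure Area</web-resource-name>
    <url-pattern>/authenticate</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" plus allRolesMode="authOnly" = any user the Realm authenticates -->
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Without this element the constraint above never triggers a certificate
     request; CLIENT-CERT is what selects Tomcat's SSLAuthenticator. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
```

A quick check when the prompt does not appear is to confirm that the issuing CA of the browser's certificate is actually in the truststore referenced by the Connector, since the browser only offers certificates that chain to a CA the server names.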