Yep, done that. Yesterday after sending this mail I was able to get it to work authenticating using the imported client key in Mozilla and putting the signed client key in this truststore. So it is working now using Mozilla (nice).
Client cert verification is done against the TrustStore, not the KeyStore. Tomcat 5 has some improvements for this. Tomcat 4 is still a bit limited.
> I have no idea what is going wrong. Can someone tell me how to make this
> work?
Assuming that you don't want to just import the signing cert into cacerts (see the JSSE docs for how to do this), then you need to have something like:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/my/truststore -Djavax.net.ssl.trustStorePassword=myTrustStorePassword"
At the moment, your TrustStore file has to be in the same format as your
KeyStore file (a nasty limitation that I haven't gotten around to fixing :).
So now I found out there is a keyStore property as well (stupid me), and I was able to authenticate using my Java client against the server (nice again). If someone is interested in the code, this is the client part (just for testing):
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;

// Trust store used to verify the server, key store holding the client key
System.setProperty("javax.net.ssl.trustStore", "f:/client.keystore");
System.setProperty("javax.net.ssl.keyStore", "f:/client.keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

HttpClient httpclient = new HttpClient();
// false = do not verify the server hostname (test setup)
Protocol myhttps =
    new Protocol(
        "https",
        new StrictSSLProtocolSocketFactory(false),
        8443);
httpclient.getHostConfiguration().setHost("myhost", 8443, myhttps);
GetMethod httpget = new GetMethod("/");
httpclient.executeMethod(httpget);

with StrictSSLProtocolSocketFactory being the same code as the sample code you can download from the Apache/HTTPClient site. One question though ... suppose the client keyStore has different keys, how can one tell the code to use key A or key B (for the moment there's only one key in this keyStore). Using Mozilla it is simple, it just asks which key to use.
Thank you for your help.
regards,
Kenneth
