At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the
Tomcat ships-with Realms).  There are patches for JNDIRealm and JDBCRealm
floating around in Bugzilla, that should be fine if you are using Sun's JVM.
(The Sun dependencies are basically why they are still floating :).

Once you have enabled MemoryRealm (and, for versions < 4.1.29, disabled the
default DataSource), then the 'username' in tomcat-users.xml is the cert's
DN (aka Subject).  The password can be anything you want (it is ignored for
CLIENT-CERT auth).

----- Original Message ----- 
From: "Michael Jeffrey Tucker" <[EMAIL PROTECTED]>
To: "Bill Barker" <[EMAIL PROTECTED]>
Sent: Tuesday, November 11, 2003 8:55 PM
Subject: Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool


> Hi Bill,
>
>   Do you know of a similar howto for client authentication with ssl? I've
> had nothing but trouble getting a system with self-signed keys up and
> running. I found a post in the archives about signing your own keys, which
> suggests that is an OK thing to do, and I've found posts by people who
> have client-side authentication up. But I haven't been able to combine the
> two. Also, I've been doing all my debugging on the client-side with the
> command line version of OpenSSL -- I'd like to look at what JSSE has to
> say (because the catalina logs are only showing incoming connections
> between assigned and awaited, no more details), are there any howto's that
> describe the logging process in more detail that might be worth looking
> at?
>
> Thanks,
> Mike
>
> On Tue, 11 Nov 2003, Bill Barker wrote:
>
> > The Tomcat 5 ssl-howto contains an example of how to do this.  It works
> > with Tomcat 4.1.x as well.
> >
> > Long-story-short, it works by "combining" the private-key and the cert.
> > JSSE can use the resulting pkcs12 file as a keystore.
> >
> > "Scott Kelley" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > > Hi,
> > >
> > > I have an Apache+mod_ssl+Tomcat configuration that's been working
> > > fine for several years. I have an SSL certificate from Verisign, and
> > > my httpd.conf file contains:
> > >
> > > SSLCertificateFile /path/to/server.crt
> > > SSLCertificateKeyFile /path/to/server.key
> > >
> > > The private key is unencrypted so that the server can restart
> > automatically.
> > >
> > > Now I'd like to use the same certificate and private key in a
> > > Tomcat-only configuration, but I can't quite figure out how to get
> > > these two pieces of information into keytool for tomcat to use!
> > >
> > > It's easy enough to import the certificate:
> > >
> > >      keytool -import -alias tomcat -file /path/to/server.crt
> > >
> > > but I know that the private key needs to be in the keystore too, and
> > > I haven't been able to figure out how to get it in there!
> > >
> > > Simply trying to import it:
> > >
> > >      keytool -import -alias tomcat -file /path/to/server.key
> > >
> > > gives me the message:
> > >
> > >      keytool error: java.lang.Exception: Input not an X.509 certificate
> > >
> > > which doesn't really surprise me because the private key is not an
> > > X.509 certificate! But how can I tell keytool about my private key?
> > >
> > > Can I do this? If so, how? Can I do it with just keytool? Do I need
> > > to use openssl to tweak something?
> > >
> > > I saw some comments in the httpd.conf file (comments added by
> > > mod_ssl) that suggest the certificate and the private key can be
> > > "combined" somehow. Is this what I need to do? If so, how do I do
> > > this?
> > >
> > > Or do I have to toss my old keys and generate a new CSR with keytool?
> > > The Tomcat tutorial on how to do that seems reasonably
> > > straightforward. But I would much prefer to use my existing key and
> > > certificate!
> > >
> > > I actually tried this for the first time two years ago. After trying
> > > everything I could think of, and posting to tomcat-user and getting
> > > no replies, I gave up and left things the way they were. Now, two
> > > years later, I *still* can't figure out, or find a recipe, to explain
> > > how to migrate from an Apache/mod_ssl/Tomcat configuration to a plain
> > > Tomcat configuration!
> > >
> > > Thanks for any help.
> > >
> > > Scott
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
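The two answers in this thread (combine the mod_ssl key and certificate into a PKCS12 keystore for JSSE, then use the client certificate's subject DN as the tomcat-users.xml username) put together as an added shell example. This is not code from the thread or from Tomcat; it assumes an OpenSSL binary on PATH, and the file names, the `changeit` password and the `manager` role are placeholders. The exact DN string Tomcat compares against comes from the JSSE rendering of the subject, so the "CN=..., O=..., C=..." form printed here is an assumption that holds for simple DNs; if a login is still refused, compare against the DN Tomcat itself reports.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Tomcat itself.
# Assumes an OpenSSL binary on PATH; file names and the 'changeit' password
# are placeholders to replace with your own.
set -eu

# Step 1 (Scott's question): "combine" the unencrypted mod_ssl private key
# and the certificate into one PKCS12 file, which JSSE opens as a keystore.
#   $1 = PEM private key, $2 = PEM certificate, $3 = output .p12, $4 = password
make_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name tomcat \
        -out "$3" -passout "pass:$4"
}

# Step 2 (Bill's reply at the top): with CLIENT-CERT auth and MemoryRealm the
# 'username' in tomcat-users.xml is the client cert's subject DN. Print the
# subject as "CN=..., O=..., C=..." (most-specific RDN first, comma-space
# separated), which is assumed to match the JSSE rendering for simple DNs.
#   $1 = PEM client certificate
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject \
        -nameopt RFC2253,sep_comma_plus_space | sed 's/^subject= *//'
}

# Emit the tomcat-users.xml <user> line for that DN. The password attribute
# is ignored for CLIENT-CERT auth, so a fixed placeholder is written.
#   $1 = subject DN, $2 = comma-separated role list
tomcat_user_entry() {
    printf '<user username="%s" password="ignored" roles="%s"/>\n' "$1" "$2"
}

# Usage when run with arguments (does nothing when sourced for tests):
#   ./tomcat-p12.sh server.key server.crt client.crt
# Prints the Connector attributes for the PKCS12 keystore (keystoreType must
# be set, the default is JKS) plus the tomcat-users.xml entry for the client.
if [ "$#" -eq 3 ]; then
    make_pkcs12 "$1" "$2" tomcat.p12 changeit
    printf 'keystoreFile="%s" keystoreType="PKCS12" keystorePass="%s" clientAuth="true"\n' \
        tomcat.p12 changeit
    tomcat_user_entry "$(cert_subject_dn "$3")" manager
fi
```

If an older JDK refuses to open the resulting .p12, re-export it with OpenSSL 3's `-legacy` option so the file uses the older PKCS12 encryption that JSSE of that era understands.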
