JKS is still working well, I believe

-----Original Message-----
From: Almaz Sharipov [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: CLIENT-CERT login (5.0.19)


Hi! I am newbie here.
I spent a lot of time discovering that:

1. CLIENT-CERT login works only with MemoryRealm, all
other predefined realms must be commented in
server.xml

2. In tomcat-user.xml the full Subject DN of the
client certificate must be present as the username,
instead of the CN, as mentioned in the mail archive.
The password entered here has no meaning.
To get a sample of the string containing the subject
DN from the certificate, I switched off authorization
and ran this simple JSP:
<%@ page import="java.security.cert.X509Certificate" %>
<%
// The attribute is null on plain HTTP or when the client sent no certificate
X509Certificate[] certs = (X509Certificate[])
request.getAttribute("javax.servlet.request.X509Certificate");
X509Certificate clientCert = (certs != null && certs.length > 0) ? certs[0] : null;
%>
<%= clientCert == null ? "no client certificate presented" : clientCert.getSubjectDN() %>

3. It is not true that only keystores in PKCS12 format
work, as mentioned in the mail archive. JKS is working
well.

4. For CLIENT-CERT authorization to work using OpenSSL,
it is enough to import:
 a) the CA cert. into the JDK keystore
($JAVA_HOME/jre/lib/security/cacerts)
 b) the CA cert. into the Tomcat keystore, as described
in the mail archive. You do not need to import client
certificates into the keystores.

That's all :)



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
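The JSP in the mail above prints `certs[0].getSubjectDN()` and will throw a NullPointerException on a plain-HTTP request or when the browser sends no certificate. The servlet below is an added example written for this page, not code from the original mail or from Tomcat; it assumes the Tomcat 5 era javax.servlet API, that the container exposes the client chain under the standard `javax.servlet.request.X509Certificate` attribute with the client's own certificate at index 0, and that Tomcat matches `getSubjectDN().getName()` against the `name` attribute of `<user>` in tomcat-users.xml (the `subjectDnForRealm` helper and the class name are this example's own). It handles the missing-certificate case, and prints the RFC 2253 form beside it so a reader can see why copying the wrong rendering of the DN into tomcat-users.xml fails the lookup.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original mail or from Tomcat): prints the
 * Subject DN string that CLIENT-CERT login compares against the
 * <user name="..."> entries in tomcat-users.xml, and handles the cases the
 * one-line JSP does not: a plain-HTTP request, an SSL connection where no
 * client certificate was presented (attribute absent), and an empty chain.
 */
public class ClientCertDnServlet extends HttpServlet {

    /** Request attribute under which the container exposes the client chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /**
     * Returns the Subject DN of the client's own (leaf) certificate, or null
     * when no client certificate reached the container. certs[0] is the
     * certificate the client presented; the issuing CA(s), if sent, follow it.
     * Assumption: Tomcat uses getSubjectDN().getName() as the realm username,
     * so this is the exact string to put in
     *   <user name="CN=alice,OU=dev,O=Example,C=US" password="x" roles="user"/>
     */
    static String subjectDnForRealm(X509Certificate[] certs) {
        if (certs == null || certs.length == 0 || certs[0] == null) {
            return null;
        }
        return certs[0].getSubjectDN().getName();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        String dn = subjectDnForRealm(certs);
        if (dn == null) {
            // Either not HTTPS, or the connector did not require a client
            // certificate and the browser sent none.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("No client certificate presented (secure="
                        + req.isSecure() + ")");
            return;
        }

        out.println("Subject DN as the realm will look it up:");
        out.println("  " + dn);
        // RFC 2253 form for comparison: component order and escaping can
        // differ, so copy the line above, not this one, into tomcat-users.xml.
        out.println("Subject DN in RFC 2253 form:");
        out.println("  " + certs[0].getSubjectX500Principal()
                                   .getName(X500Principal.RFC2253));
        out.println("Certificates in presented chain: " + certs.length);
        out.println("Issuer of leaf: " + certs[0].getIssuerDN().getName());
    }
}
```

Deploy it in a web application whose security constraint is temporarily removed (as the mail describes), request it over HTTPS with the client certificate installed in the browser, and paste the first DN line verbatim into tomcat-users.xml before re-enabling the CLIENT-CERT constraint.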