"Remy Maucherat" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Almaz Sharipov wrote:
>
> > Hi! I am newbie here.
> > I spent a lot of time discovering that:
> >
> > 1. CLIENT-CERT login works only with MemoryRealm, all
> > other predefined realms must be commented in
> > server.xml
>
> I don't see how this is the case. I think you are making mistakes
> somewhere.
>

Nope, Almaz is correct.  There was a recent patch to allow UDBRealm in
Tomcat 5, but that was after the 5.0.19 release.  All other Realms return
'null' from getPrincipal(String).

> > 2. In tomcat-users.xml the full Subject DN of the client
> > certificate must be present as the username, instead
> > of the CN, as mentioned in the mail archive. The password
> > entered here has no meaning.
> > To get a sample of the string containing the subject DN from
> > the certificate, I switched off authorization and ran this
> > simple JSP:
> > <%@ page import="java.security.cert.X509Certificate" %>
> > <%
> > X509Certificate[] certs = (X509Certificate[])
> > request.getAttribute("javax.servlet.request.X509Certificate");
> > // The attribute is null when no client certificate was presented.
> > if (certs == null || certs.length == 0) {
> >     out.println("no client certificate");
> > } else {
> >     // certs[0] is the client cert; its DN string is the username for tomcat-users.xml
> >     out.println(certs[0].getSubjectDN());
> > }
> > %>
> >

Personally, I set the logging level to TRACE for
'org.apache.tomcat.util.net', and grab it from the log files.

> > 3. It is not true that only keystores in PKCS12 format
> > work, as mentioned in the mail archive. JKS is working
> > well.
> >

Yes, JKS works fine.  It's just that I, personally, find it easier to use a
PKCS12 keystore when I need to import an OpenSSL certificate.

> > 4. To make CLIENT-CERT authorization work using OpenSSL, it is
> > enough to import:
> >  a) the CA cert into the JDK keystore
> > ($JAVA_HOME/jre/lib/security/cacerts)
> >  b) the CA cert into the Tomcat keystore, as described in the mail
> > archive. You do not need to import client certificates
> > into the keystores.
> >

It's cleaner to import the client-cert CA into your truststoreFile (and
specify it in the Connector config), but this works as well (assuming that
you have permission to modify cacerts :).

> > That's all :)
>
> Well, you should look at the authenticator.SSLAuthenticator code, as
> well as realm.RealmBase and other realm implementations.
>
> -- 
> xxxxxxxxxxxxxxxxxxxxxxxxx
> Rémy Maucherat
> Developer & Consultant
> JBoss Group (Europe) SàRL
> xxxxxxxxxxxxxxxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
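The setup the reply recommends (client CA in its own truststore named on the Connector, full subject DN as the tomcat-users.xml username), as an added example in shell; it is not code from the thread or from Tomcat. The file names, store password, port and role are placeholder assumptions, and the script does not derive the DN string itself: capture it from the JSP or the TRACE log as described above, because MemoryRealm compares the whole string exactly.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomcat): wire up CLIENT-CERT
# with a dedicated truststore instead of editing $JAVA_HOME/jre/lib/security/cacerts.
# Assumed inputs (placeholders): clientca.pem = the CA that issued the client
# certs, server.jks = the server's own keystore, and a DN string captured
# exactly as Tomcat prints it (from the JSP or the TRACE log).
set -e

# 1. Put the client CA into its own truststore; cacerts stays untouched.
#    Usage: make_truststore clientca.pem truststore.jks changeit
make_truststore() {
  keytool -import -noprompt -alias clientca \
    -file "$1" -keystore "$2" -storepass "$3"
}

# 2. DNs can contain '&', '<' or quotes (e.g. O="Smith & Co"), which would
#    break tomcat-users.xml; escape them before writing the attribute.
xml_escape() {
  printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# 3. One <user> element per client certificate. The username is the whole
#    subject DN (not just the CN); the password is unused for CLIENT-CERT.
#    Usage: user_entry "CN=Almaz Sharipov, O=Example, C=RU" manager
user_entry() {
  printf '<user username="%s" password="" roles="%s"/>\n' "$(xml_escape "$1")" "$2"
}

# 4. MemoryRealm matches the username string exactly, so look for the full
#    escaped DN with a fixed-string grep (no regex surprises from '.' or '*').
#    Usage: dn_in_users_file "<DN>" tomcat-users.xml
dn_in_users_file() {
  grep -qF "username=\"$(xml_escape "$1")\"" "$2"
}

# 5. Connector for server.xml: clientAuth="true" demands a client cert, and
#    truststoreFile names the store from step 1 (Tomcat 5.0 attribute names).
#    Usage: connector_fragment server.jks truststore.jks changeit
connector_fragment() {
  cat <<EOF
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$1" keystorePass="$3"
           truststoreFile="$2" truststorePass="$3"/>
EOF
}

# 6. The web.xml side: select CLIENT-CERT as the auth method.
login_config_fragment() {
  cat <<'EOF'
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
EOF
}
```

Typical use: run make_truststore once, append `user_entry "$DN" manager` to tomcat-users.xml for each client certificate, and use dn_in_users_file to confirm the exact string is present before restarting Tomcat. A CN-only entry will not match, which is the failure point 2 above describes.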