"Remy Maucherat" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Almaz Sharipov wrote:
>
> > Hi! I am newbie here.
> > I spent a lot of time discovering that:
> >
> > 1. CLIENT-CERT login works only with MemoryRealm, all
> > other predefined realms must be commented in
> > server.xml
>
> I don't see how this is the case. I think you are making mistakes somewhere.
>
Nope, Almaz is correct. There was a recent patch to allow UDBRealm in Tomcat 5, but that was after the 5.0.19 release. All other Realms return 'null' from getPrincipal(String).

> > 2. In tomcat-user.xml there must be presented the full
> > Subject DN of client certificate as username, instead
> > of CN, as mentioned in mail archive. The password
> > entered here has no meaning.
> > To get the sample of string containing subject DN from
> > certificate I switched off authorization and run this
> > simple JSP:
> > <%@ page import="java.security.cert.X509Certificate" %>
> > <%
> > // Tomcat exposes the client's certificate chain under this request attribute
> > X509Certificate[] certs = (X509Certificate[])
> >     request.getAttribute("javax.servlet.request.X509Certificate");
> > // The attribute is null when no client certificate was presented
> > X509Certificate clientCert = (certs != null && certs.length > 0) ? certs[0] : null;
> > %>
> > <%= clientCert == null ? "no client certificate" : clientCert.getSubjectDN() %>

Personally, I set the logging level to TRACE for 'org.apache.tomcat.util.net', and grab it from the log files.

> > 3. It is not true that only keystores in PKCS12 format
> > work as mentioned in mail archive. JKS is working
> > well.

Yes, JKS works fine. It's just that I, personally, find it easier to use a PKCS12 keystore when I need to import an OpenSSL certificate.

> > 4. To work CLIENT-CERT authorization using OpenSSL is
> > enough to import:
> > a) CA cert. to JDK keystore
> > ($JAVA_HOME/jre/lib/security/cacerts)
> > b) CA cert. to Tomcat keystore, as described in mail
> > archive. You do not need to import client certificates
> > to the keystores.

It's cleaner to import the client-cert CA into your truststoreFile (and specify it in the Connector config), but this works as well (assuming that you have permission to modify cacerts :).

> > That's all :)
>
> Well, you should look at the authenticator.SSLAuthenticator code, as
> well as realm.RealmBase and other realm implementations.
>
> --
> xxxxxxxxxxxxxxxxxxxxxxxxx
> Rémy Maucherat
> Developer & Consultant
> JBoss Group (Europe) SàRL
> xxxxxxxxxxxxxxxxxxxxxxxxx

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
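An added example in Java, not taken from this thread or from Tomcat's source, illustrating the two points the replies make: the realm is asked for the complete subject DN string (so a tomcat-users.xml entry carrying only the CN never matches), and a realm whose getPrincipal(String) returns null can never authenticate a certificate user. The certificate chain is modelled as an array of X500Principal objects rather than real certificates, and the Realm, MemoryLikeRealm and NoCertRealm types are hypothetical stand-ins for Tomcat's realm classes.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

/**
 * Illustration of CLIENT-CERT principal lookup (added example, not Tomcat code).
 */
public class ClientCertLookup {

    /** Hypothetical stand-in for a Tomcat realm: maps a username string to a role, or null. */
    public interface Realm {
        String getPrincipal(String username);
    }

    /** Stand-in for MemoryRealm: entries correspond to <user username="..." roles="..."/> lines. */
    public static class MemoryLikeRealm implements Realm {
        private final Map<String, String> users = new HashMap<>();

        public MemoryLikeRealm addUser(String username, String role) {
            users.put(username, role);
            return this;
        }

        @Override
        public String getPrincipal(String username) {
            return users.get(username);
        }
    }

    /** Stand-in for a realm with no certificate lookup: getPrincipal(String) always returns null. */
    public static class NoCertRealm implements Realm {
        @Override
        public String getPrincipal(String username) {
            return null;
        }
    }

    /**
     * The username derived from a presented chain: the full subject DN of the first
     * certificate, in the comma-space form that X509Certificate.getSubjectDN().toString()
     * prints (the exact string Tomcat uses is best read from the TRACE log, as the
     * reply above suggests). Returns null when no client certificate was presented.
     */
    public static String usernameFor(X500Principal[] chain) {
        if (chain == null || chain.length == 0) {
            return null;
        }
        return chain[0].getName(X500Principal.RFC1779);
    }

    /** Resolve the role for a chain, or null if the realm does not know the DN. */
    public static String authenticate(Realm realm, X500Principal[] chain) {
        String username = usernameFor(chain);
        if (username == null) {
            return null;
        }
        return realm.getPrincipal(username);
    }

    public static void main(String[] args) {
        // Constructed sample subject; not a real certificate.
        X500Principal[] chain = {
            new X500Principal("CN=Almaz Sharipov, OU=Dev, O=Example Corp, C=RU")
        };

        Realm memoryRealm = new MemoryLikeRealm()
            .addUser("Almaz Sharipov", "tomcat")                                   // CN only: never matches
            .addUser("CN=Almaz Sharipov, OU=Dev, O=Example Corp, C=RU", "tomcat"); // full DN: matches

        System.out.println("username sent to realm: " + usernameFor(chain));
        System.out.println("MemoryLikeRealm role: " + authenticate(memoryRealm, chain));   // tomcat
        System.out.println("NoCertRealm role: " + authenticate(new NoCertRealm(), chain)); // null
        System.out.println("no certificate presented: " + authenticate(memoryRealm, null)); // null
    }
}
```

Run it with `javac ClientCertLookup.java && java ClientCertLookup`. Removing the full-DN entry from the MemoryLikeRealm reproduces the symptom from item 2 of the original mail: the CN-only entry is still present, but the lookup returns null and the login fails.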