A few pointers:
1. The trust store is the list of trusted CAs, not the list of trusted
client certificates. The CA that issued your client cert must be in the
trust store.
2. You need to modify your user details in your realm. If you are using
tomcat-users.xml it should look something like this:
...
<user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London,
ST=London, C=GB" password="null" roles="tomcat,certs"/>
...
HTH
Mark
Pascal Chanteux wrote:
Hi ,
I want to configure Tomcat/4.1.27 in order to use the client
certificate authentication. I first set up the SSL connector following
the How-To.
So now my site runs under SSL without any problem.
Next,I build the client certificate with keytool, and store it into a
file ( trust.keystore ). In my web.xml I change my BASIC into
CLIENT-CERT :
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client certificate auth.</realm-name>
</login-config>
and in my server.xml :
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true"
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" protocol="TLS"
truststoreFile="c:\keystores\trust.keystore"
/>
</Connector>
When I connect to my protected JSP, I always get an error on tomcat :
13-jul-2005 11:19:25 org.apache.tomcat.util.net.jsse.JSSE14Support
synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
at java.io.InputStream.read(InputStream.java:88)
at
org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
at
org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
at
org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:158)
at
org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:786)
at org.apache.coyote.Request.action(Request.java:367)
at
org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:799)
at
org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
at
org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at
org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at
org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2416)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:601)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:392)
at
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
at java.lang.Thread.run(Thread.java:536)
I don't know if my configuration is OK. Where can be the problem ?
Does anyone have an idea ?
Thanks a lot
Pascal.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
