Hi,

On Thursday 18 April 2002 7:27 am, you wrote:
> I am trying to run Tomcat https with clientAuth="true", but my browser
> (IE) fails to authenticate. It presents a blank "select one of your
> certificates to use when connecting" screen.
> My personal certificate that I usually use when connecting to Weblogic
> does not appear.
> I believe that I installed the same server certs into tomcat as I
> installed into weblogic.
>
> Question1) can anyone tell me the exact steps to create and install new
> certs on both tomcat and IE to make clientAuth work? (do I have to
> create the "personal" cert via OpenSSL?)

Before I start: I noticed this problem when I was using a beta version of 
JDK1.4 and not the full release.  If you're not using the beta, then the 
following is what I've discovered getting this to work:

1) Install the root certificate for your personal certificate in the file 
jssecacerts.  Tomcat uses JSSE to provide its SSL services.  The default 
setup looks for root certificates in jssecacerts and, if that doesn't exist, 
in the JRE's cacerts file.  These are both JKS keystores and can probably be 
found somewhere like JAVA_HOME/jre/lib/security/.  I assume you are happy 
doing imports into a Java keystore.  When JSSE asks for client auth during the 
SSL exchange it will give the DNs of the root certificates it is willing to 
accept from this keystore.  IE compares this against the root certificates 
you have available and tries to build a trust path to one of your personal 
certificates from these.  One reason you get no certificates is if IE can't 
find any personal certs that have a chain back to one of these root 
certificates.  

NOTE: I'm not sure about this, but the root certificate DNs have to match 
exactly; if IE can't find any root certificates in its store that match the 
JSSE root certificates, then it's game over.  I've heard of problems with RSA's 
email address attribute.  I think Java calls this Email and IE calls it E; 
anyway, the following don't match:

C=UK,O=University College London,[EMAIL PROTECTED],CN=UCL-CS PKI

C=UK,O=University College London,[EMAIL PROTECTED],CN=UCL-CS PKI

I'm afraid my certificates don't use this attribute for other reasons, so I 
can't confirm this problem.

2) Tomcat needs a key and certificate to identify itself.  This is described 
in the SSL howto.  To make things simple, it would be easiest if Tomcat's 
certificate has the same root certificate as your personal certificate.

> Question2) any ideas how to debug the handshake of my existing certs?

You need to start the JDK with an option to debug SSL; this can be achieved 
by adding a command-line option.  The trick is making sure this gets added 
when your Tomcat scripts actually run the java command; you might have 
something like $CATALINA_OPTS, which can be used for this purpose.  The 
option you should add is "-Djavax.net.debug=ssl", and this should be before 
the classname.  Discussion about this can be found in the JSSE reference 
guide, e.g.

http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html

Note: this dumps a text representation of the handshake to stdout, so you 
might want to 'run' catalina rather than 'start' it.  It's quite useful 
because you will see the DNs of the certs JSSE is willing to accept.

> Why do they work on Weblogic but not on Tomcat?

I don't know much about WebLogic.  If it doesn't use JSSE, it's probably 
because JSSE can be a real stickler for the specs, and it could be that email 
address problem above.  That attribute was added by RSA and is a bit funny.  
I think the IETF are trying to phase it out.  It always causes me issues.

Sorry this isn't comprehensive (or cogent) but it might give you a few 
pointers.

Regards,
Richard
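The reply above describes the setup (a root in jssecacerts, a Tomcat keystore under the same root, a personal cert for the browser) but not the commands. What follows is an added shell example, not code from Richard's message or from the Tomcat project, that builds exactly that arrangement with openssl and keytool so the pieces can be inspected offline. It assumes openssl 1.1.1 or newer (for -addext) and a JDK keytool on PATH; the organisation, DNs, aliases, password and file names are made up for the example. It also shows the one-DN-two-labels issue the message worries about: openssl and keytool print the same emailAddress attribute under different names.

```shell
#!/bin/sh
# Added example, not code from the original message or from Tomcat: builds
# what the message describes with openssl and keytool.  One root CA, a server
# cert for Tomcat and a personal cert for the browser that chain to the same
# root, a JSSE truststore (jssecacerts) holding that root, and a JKS keystore
# holding Tomcat's key.  Assumptions: openssl >= 1.1.1 (for -addext), a JDK
# keytool on PATH, and the made-up names, passwords and DNs below.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # assumption: the JRE's default password

# Constructed subjects.  The client DN carries emailAddress on purpose, since
# that is the attribute the message says different tools label differently.
ROOT_SUBJ="/C=UK/O=Example Org/CN=Example Test Root CA"
SERVER_SUBJ="/C=UK/O=Example Org/CN=localhost"
CLIENT_SUBJ="/C=UK/O=Example Org/emailAddress=alice@example.org/CN=Alice Example"

require_tools() {
  command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1
}

# Self-signed root CA (CA:TRUE, keyCertSign), valid ten years.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$ROOT_SUBJ" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Leaf cert signed by the root: $1 basename, $2 subject, $3 extendedKeyUsage
# (serverAuth for Tomcat, clientAuth for the browser's personal cert).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Step 1 of the message: the root goes into a JKS truststore called jssecacerts,
# which is then copied to the JRE's lib/security directory for JSSE to find.
build_truststore() {
  keytool -importcert -noprompt -alias exampleroot -file "$WORK/root.crt" \
    -keystore "$WORK/jssecacerts" -storetype JKS -storepass "$STOREPASS" 2>/dev/null
}

# Step 2: Tomcat's key, cert and root as a JKS keystore (alias "tomcat") for
# the connector's keystoreFile.  openssl writes PKCS#12; keytool converts it.
build_tomcat_keystore() {
  openssl pkcs12 -export -name tomcat -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -certfile "$WORK/root.crt" \
    -passout "pass:$STOREPASS" -out "$WORK/server.p12"
  keytool -importkeystore -noprompt -srckeystore "$WORK/server.p12" \
    -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$WORK/tomcat.jks" -deststoretype JKS \
    -deststorepass "$STOREPASS" 2>/dev/null
}

# The browser imports a PKCS#12 bundle of the personal key and cert chain.
build_client_bundle() {
  openssl pkcs12 -export -name alice -inkey "$WORK/client.key" \
    -in "$WORK/client.crt" -certfile "$WORK/root.crt" \
    -passout "pass:$STOREPASS" -out "$WORK/client.p12"
}

# The DNs JSSE will advertise in its CertificateRequest are the owners of the
# truststore entries; the browser must hold a personal cert chaining to one.
list_accepted_issuers() {
  keytool -list -v -keystore "$WORK/jssecacerts" -storepass "$STOREPASS" 2>/dev/null \
    | sed -n 's/^Owner: //p'
}

# Offline stand-in for IE's path building: does the personal cert chain to root?
client_chains_to_root() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# One DN, two labels: openssl prints OID 1.2.840.113549.1.9.1 as emailAddress,
# keytool as EMAILADDRESS.  The DER bytes are the same either way.
show_dn_renderings() {
  openssl x509 -in "$WORK/client.crt" -noout -subject -nameopt RFC2253
  keytool -printcert -file "$WORK/client.crt" 2>/dev/null | sed -n 's/^Owner: /keytool: /p'
}

main() {
  make_root_ca
  issue_cert server "$SERVER_SUBJ" serverAuth
  issue_cert client "$CLIENT_SUBJ" clientAuth
  build_truststore
  build_tomcat_keystore
  build_client_bundle
  echo "files in $WORK; root DNs JSSE will accept:"; list_accepted_issuers
  show_dn_renderings
}

if require_tools; then main; else echo "needs openssl and keytool on PATH" >&2; fi
```

To use the output the way the message describes: copy jssecacerts into the JRE's lib/security directory (JAVA_HOME/jre/lib/security on the JDK 1.4 layout mentioned above), point the connector's keystoreFile at tomcat.jks, import client.p12 into the browser's personal certificate store, and then start Tomcat with CATALINA_OPTS="-Djavax.net.debug=ssl" and catalina.sh run. The DNs in the CertificateRequest section of that dump should be the same ones list_accepted_issuers prints; if the personal cert's issuer is not among them, that is the empty certificate-picker the original question describes.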

