----- Original Message -----
From: "Tathagat (London)" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Tuesday, August 20, 2002 3:22 PM
Subject: RE: Client Certificates on Tomcat 3.3.1

> okay, I have faced so many problems on this.. and finally could do it!
> Please answer the following questions.
>
> First question: The certificates that you are using on your machine (as
> client), where do you get them from?

I create them with KeyMan from IBM. I have tried to create an X509 chain, signed with my server key, and also a .PFX file with the same characteristics. None seemed to work. In fact, when I import the certificates into Explorer, it places them into the Medium CA Providers Tab, and not in the "Personal" repository. Is it ok?

> Second: When you connect the server (https://localhost:8443 or whatever),
> does your certificate pop up?

The browser only pops up the server certificate, not the client one. It looks like it does not send my client certificate at all.

> cheers
> Tathagat
>
> -----Original Message-----
> From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 20, 2002 11:42
> To: [EMAIL PROTECTED]
> Subject: Client Certificates on Tomcat 3.3.1
>
>
> Hi all,
>
> I'm trying to set up a secure connection between Tomcat 3.3.1 and a java soap
> client.
>
> My soap service simply prints out some request data, and also the content of
>
> request.getAttribute("javax.servlet.request.X509Certificate")
>
> Following some example code I found on the Internet (I'm not sure this code
> should function)
>
> I have followed the instructions in the xml.apache.org FAQ, and generated
> all certificates with keytool.
>
> Firstly, I configured tomcat with clientAuth set to false, and used a basic
> authentication scheme in my web-app. It worked fine. When connecting through
> my client, the service prints the next info:
>
> Authorization: BASIC
> Remote User: tomcat
> Secured: true
> Principal: tomcat
> No client certificate is available
>
> If I set clientAuth to true, it still works, but it keeps showing the "No
> client certificate available" message.
>
> The big problem comes when I configure my web-app to use CLIENT-CERT
> authorization scheme.
> It simply returns a 401 error code.
>
> Can anyone help me, please??
>
> Thanks in advance,
> Rodrigo Ruiz Aguayo
>
> PS: Following is the bat file I'm using to generate the keystores:
>
> del server.keystore
> del client.keystore
>
> copy %JAVA_HOME%\jre\lib\security\cacerts .\server.keystore
> copy %JAVA_HOME%\jre\lib\security\cacerts .\client.keystore
>
> REM Change default passwords
> keytool -storepasswd -keystore server.keystore -storepass changeit -new 123456
> keytool -storepasswd -keystore client.keystore -storepass changeit -new 123456
>
> REM Create server.keystore
> keytool -genkey -alias tomcat-sv -dname "CN=neyade,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES" -keyalg RSA -keypass 123456 -storepass 123456 -keystore server.keystore
> keytool -export -alias tomcat-sv -storepass 123456 -file server.cer -keystore server.keystore
>
> REM Import server certificate as a trusted CA in the client keystore
> keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass 123456 -storepass 123456
>
> REM Create client keystore
> keytool -genkey -alias rruiz -dname "CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES" -keyalg RSA -keypass 123456 -storepass 123456 -keystore client.keystore
> keytool -export -alias rruiz -storepass 123456 -file rruiz.cer -keystore client.keystore
>
> keytool -import -v -trustcacerts -alias tomcat -file rruiz.cer -keystore server.keystore -keypass 123456 -storepass 123456
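
The difference described in the reply between a certificate landing in the "Personal" store and one landing in a CA store has a direct counterpart in a Java keystore: a key entry (certificate plus private key) versus a trusted certificate entry (public certificate only). The following is an added example, not code from the thread, that reports which kind each alias is; the class name is hypothetical, and the default file name, password and the `tomcat` alias are taken from the bat file in the message.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example; the class name KeystoreEntryAudit is hypothetical.
public class KeystoreEntryAudit {

    // Reports whether an alias carries a private key and who issued its certificate.
    static String describe(KeyStore ks, String alias) throws Exception {
        StringBuilder sb = new StringBuilder(alias).append(": ");
        sb.append(ks.isKeyEntry(alias)
                ? "key entry (private key present, can act as a TLS client identity)"
                : "trusted certificate (public part only, cannot authenticate a client)");
        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            sb.append("\n    subject: ").append(x.getSubjectX500Principal().getName());
            sb.append("\n    issuer:  ").append(x.getIssuerX500Principal().getName());
            if (selfSigned) sb.append(" (self-signed)");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the file name and password from the bat file in the message.
        String path = args.length > 0 ? args[0] : "client.keystore";
        char[] pass = (args.length > 1 ? args[1] : "123456").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        int notShown = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // The keystore starts as a copy of cacerts, so print key entries and the
            // alias the script itself imports; only count the bundled CA certificates.
            if (ks.isKeyEntry(alias) || alias.equals("tomcat")) {
                System.out.println(describe(ks, alias));
            } else {
                notShown++;
            }
        }
        System.out.println(notShown + " other trusted certificate entries not shown");
    }
}
```

Running it as `java KeystoreEntryAudit server.keystore 123456` inspects the server side in the same way.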
