Yes. Read and write as well.

-----Original Message-----
From: Christopher Mark Balz [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 2:58 PM
To: Tomcat Users List
Subject: Re: Tomcat 4 - SSL - Client Authentication

Have you checked the permissions to the directory where your keystore is
held? The process running the webserver must of course be able to read
the keystore.

    - CB

Shiva.Devaguptapu wrote:

>Hi,
>    I am using Tomcat 4 on a linux system. I am trying to enable SSL with
>client authentication enabled. I want the client to be the Internet
>Explorer, running on Win2K, my desktop. I found the following steps on
>the net and tried.
>* Create keys on the server
>* Create the certificate on the server
>* Uncomment the required part in the server.xml of Tomcat
>* Enter appropriate values for the attributes in server.xml as :
>    <Connector className="org.apache.catalina.connector.http.HttpConnector"
>               port="8453" minProcessors="5" maxProcessors="75"
>               enableLookups="true"
>               acceptCount="10" debug="0" scheme="https" secure="true">
>      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>               keystoreFile="/home/shiva/tomcat/keystore/server.keystore"
>               keystorePass="changeit"
>               clientAuth="true" protocol="TLS"/>
>    </Connector>
>* Create keys on the client
>* Create the certificate on the client
>* Import the client certificate on the server
>* Import the client certificate into Internet Explorer
>    Now I started tomcat and I tried to access from the IE, the URL
>https://192.168.200.12:8453 - then the Client Authentication dialog box
>appears without any certificates in the list, as a result I cannot select
>any certificate, and if I click on OK button, it says page cannot be
>displayed.
>    I also tried importing the client certificate into
>$JAVA_HOME/jre/lib/security/cacerts on the server and even that did not
>solve the problem and even I tried importing the server certificate on
>the client side into $JAVA_HOME/jre/lib/security/cacerts and into IE as
>well and even after the problem is not solved.
>    I am including all the commands I used to perform the above steps.
>Can anyone help me out in getting this done.
>Thanks in advance,
>Shiva.
>
>=========================================================
>Commands used
>=========================================================
>***For generating server keys on Linux***
>keytool -genkey -alias tomcat-sv \
>    -keyalg RSA -keypass changeit \
>    -storepass changeit \
>    -keystore $CATALINA_HOME/keystore/server.keystore
>***this keystore directory is created by me***
>---------------
>***For generating server certificate on Linux***
>keytool -export -alias tomcat-sv \
>    -storepass changeit \
>    -file server.cer \
>    -keystore $CATALINA_HOME/keystore/server.keystore
>---------------
>***For generating client keys on Win2K***
>keytool -genkey -alias tomcat-cl ^
>    -keyalg RSA -keypass changeit ^
>    -storepass changeit ^
>    -keystore C:\ssltest\mykeystore\client.keystore
>---------------
>***For generating client certificate on Win2K***
>keytool -export -alias tomcat-cl ^
>    -storepass changeit ^
>    -file C:\ssltest\client.cer ^
>    -keystore C:\ssltest\mykeystore\client.keystore
>---------------
>***For importing the client certificate on the server***
>keytool -import -v -trustcacerts \
>    -alias tomcat -file client.cer \
>    -keypass changeit \
>    -storepass changeit \
>    -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore
>=========================================================
>
>--
>To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
>For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>

--
". . . / This Cabinet is formd of Gold /
And Pearl & Crystal shining bright
And within it opens into a World /
. . . Another England there I saw /
Another London with its Tower
Another Thames & other Hills /
And another pleasant Surrey Bower . . ."
- from "The Crystal Cabinet", a poem by William Blake.
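
The keystore check discussed in the replies above, as an added example that is not part of the original thread: it reads the keystoreFile path out of server.xml, confirms the current account can read it, and optionally confirms it is the same file that keytool -import wrote to, since the quoted post spells the keystore location three ways. The function names, return codes and the group/other permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: run as the account that starts Tomcat.
# Usage (after sourcing): check_keystore conf/server.xml [keystore used with keytool -import]

# Print the first keystoreFile="..." value found in a server.xml.
keystore_from_server_xml() {
    sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Returns 0 = usable, 1 = missing or unreadable, 2 = not the keystore the
# client certificate was imported into, 3 = group/other permission bits set.
check_keystore() {
    ks=$(keystore_from_server_xml "$1")
    [ -n "$ks" ] || { echo "no keystoreFile attribute in $1"; return 1; }
    [ -f "$ks" ] || { echo "missing: $ks"; return 1; }
    [ -r "$ks" ] || { echo "not readable by $(id -un): $ks"; return 1; }

    # Optional second argument: the -keystore path given to keytool -import.
    # -ef is true only when both names resolve to the same file.
    if [ -n "${2:-}" ] && ! [ "$ks" -ef "$2" ]; then
        echo "server.xml loads $ks, but the import went to $2"
        return 2
    fi

    # The keystore holds the server's private key, so access for anyone
    # beyond the owner is reported (characters 5-10 of the ls mode string).
    mode=$(ls -ld -- "$ks" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "group/other access ($mode) on $ks"
        return 3
    fi
    echo "ok: $ks"
}
```
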