here is how to patch the tomcat 4.1.x to handle to make client authentication 'optional':
in the java class: org.apache.tomcat.util.net.jsse.JSSESocketFactory
you find 2 times this method call: .setNeedClientAuth(clientAuth); change this to: .setWantClientAuth(clientAuth);
thats it!
and don't forget to change your server.xml:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--^M -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="true" protocol="TLS"
keystoreFile="/root/certs/java.concrete-it.com.keystore"
keystorePass="changeit" />
</Connector>
here is my link collection for ssl: http://www-106.ibm.com/developerworks/java/library/j-customssl/sidebar.html http://developer.java.sun.com/developer/qow/archive/169/index.jsp http://www.catgen.com/developer/manual/ssl.html#jbosscatalina
you can find a lot of howtos how to make your own CA , server cert and client certs.
hope this helps, joe
joe wrote:
hi,
it's true that there is no 'step-by-step' howto for tomcat, but there are many other ssl (and client auth) howtos which you can use for tomcat.
the only thing is just a little bit of searching and reading about ssl, CA, X509 certificates, certification chains ...
i have succesfully established ssl connections with (mutual) client certificates. i'll try to find the howto's i've used and post it here (i hope i'll find them again).
i haven't used CRL's - i'm sure there are howtos 'out there'.
and: it's true that tomcat does NOT support mutual client auth ! but i've read a little bit of the doc's and the source code and pathed my tomcat 4.1.x to change the ssl client auth behavior to mutual.
cu, joe
Mark Liu wrote:
Hi,
No, the Tomcat docs only says how to turn on the *server* authentication, i.e., how to run Tomcat in SSL mode. It does not mention how to have the client also pass over its certificate to the Web server.
You have an idea about how to turn on client cert?
--- Norris Shelton <[EMAIL PROTECTED]> wrote:
That about sums it up. We are looking at client---------------------------------------------------------------------
certs also. The Tomcat docs say how to turn on client
authentication, but
there is not much out there on hooking up to a CA
and verifying
against a CRL. All of that is beyond the scope of this list and
dives deep into
the realm of JCE.
We are looking into going with a vendor (probably VeriSign).
--- Mark Liu <[EMAIL PROTECTED]> wrote:
For over 1 week, I've been exploring about this.
So
far, I got no reply. Is this so professional, so tough that nobody's got a clue?
__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness,
live on your
desktop! http://platinum.yahoo.com
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
=====
Norris Shelton Software Engineer Sun Certified Java 1.1 Programmer Appriss, Inc. ICQ# 26487421 AIM NorrisEShelton YIM norrisshelton
__________________________________________________ Do you Yahoo!? Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop! http://platinum.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
__________________________________________________ Do you Yahoo!? Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop! http://platinum.yahoo.com
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
