HTTPS is working properly (I configured SSL properly). I installed the root/chain cert in Tomcat and the user certs in the browser. I set client authentication to true in server.xml. It is working properly. The only thing I need is to pick the username/password from the user cert and authenticate. As said, I think I'll have to write a custom Realm. Where can I get more information on getting the usernames from the certificates?

Appa

Bill Barker <[EMAIL PROTECTED]> wrote:

> Assuming that iPlanet is sending a normal x509 chain, then it should be mostly working. You'll have to make certain that the root CA is installed in cacerts (I'm assuming that you are using JSSE) so that the client cert can be verified. At least with the Sun JVM, I believe that only Verisign and Thawte are installed by default.
>
> Getting the name is a bit more of a problem. It is usually the CN of the Subject, but not always. If this is the case with your certs, then you'll need a custom Realm that extracts the CN and validates the user (MemoryRealm uses the full Subject as the user-name).
>
> "appa rao" wrote in message news:[EMAIL PROTECTED]
>
> > Thanks for the reply.. Let me clearly tell you the problem.. We use certificates generated by iPlanet Certificate Server. All the client (user) certificates are on a swipe card, which is read by a Gemplus card reader using the USB port.... The problem is, when the user swipes it, the user should automatically be authenticated.. (currently we have another web application running on the iPlanet web server which picks up the username from the card and authenticates against LDAP). Is this possible in Tomcat? SSL is working fine - the only problem is authentication..
> >
> > Thanks
> > Appa
> >
> > Bill Barker wrote:
> >
> > > Ok, everyone else is signing their replies. I can do that too ;-).
> > >
> > > Out-of-the-box, TC 4.1.24 has very limited support for x509 auth. Only the (deprecated) MemoryRealm actually supports it. Also, only the Stand-Alone JSSE Connector will correctly retrieve the x509 certs in the current release version (the Jk-Coyote Connector is fixed in the CVS, and the fixes for the Stand-Alone PureTLS Connector will show up before 4.1.25 comes out).
> > >
> > > "Mario Ivankovits" wrote in message news:[EMAIL PROTECTED]
> > >
> > > > I have developed a solution where you can use client certificates for user authentication.
> > > >
> > > > You can find information at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831
> > > >
> > > > Currently an implementation for "Standard LDAP" and "Windows-2000 ActiveDirectory" is available. Using W2K-AD you might have troubles, since I have tested it only with two different client certificates.
> > > >
> > > > Mainly you have to import the certificate into your LDAP server, and then the user mapping is done by my JNDIRealm* classes.
> > > >
> > > > Mario
> > > >
> > > > ----- Original Message -----
> > > > From: "appa rao"
> > > > To:
> > > > Sent: Friday, June 20, 2003 7:33 AM
> > > > Subject: How to use digital certificates
> > > >
> > > > > Hi,
> > > > >
> > > > > Can any one give me an example of how to use Digital Certificates for authentication and authorization in Tomcat? I am struggling to understand the concept of certificates and their use in authentication and authorization.. I am using Tomcat - 4.1.24.
> > > > >
> > > > > Thanks in advance..
> > > > >
> > > > > appa
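As an added illustration (not code from the thread, from Tomcat or from Mario's JNDIRealm* classes), the Python below parses the RFC 2253 subject string that MemoryRealm uses as the whole user name and picks out the CN that a custom Realm would map to the user, handling the escaped commas and CN-less subjects that a naive split on "," gets wrong; the sample subjects are constructed.

```python
# Constructed sample subject DNs in the RFC 2253 form returned by Java's
# X500Principal.getName(); MemoryRealm would use each full string as the user name.
SAMPLE_SUBJECTS = [
    "CN=appa rao,OU=Engineering,O=Example Corp,C=IN",
    "CN=Smith\\, John,OU=Sales,O=Example Corp,C=US",   # escaped comma inside the CN
    "UID=jdoe,OU=People,O=Example Corp,C=US",          # subject with no CN at all
]


def parse_dn(dn):
    """Split an RFC 2253 DN into a list of (attribute type, value) tuples.

    Backslash-escaped separators are kept as literal characters, which is what a
    plain dn.split(',') gets wrong. Multi-valued RDNs ('+') are flattened into
    separate attributes, which is enough for picking out one attribute such as CN.
    Hex-encoded values ('#...') are not decoded (a known simplification).
    """
    attrs, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character taken literally
            i += 2
            continue
        if c in ",+":
            attrs.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    attrs.append("".join(buf))
    result = []
    for attr in attrs:
        if "=" not in attr:
            continue  # ignore malformed fragments rather than guess a type
        atype, _, value = attr.partition("=")
        result.append((atype.strip().upper(), value.strip()))
    return result


def username_from_subject(dn, attr="CN"):
    """Return the first value of `attr` in the subject DN, or None if the
    subject carries no such attribute (the 'not always the CN' case from the thread)."""
    for atype, value in parse_dn(dn):
        if atype == attr:
            return value
    return None
```

A Realm that keys on the CN alone should also check the certificate's issuer against the expected CA, since CN values are unique only to the extent the issuing CA enforces it.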
