> What do you mean when you say "dynamic client auth"?

Dynamic insofar as you drop an intermediate CA and hash link into a directory, to allow Tomcat to recognise the new client, e.g. DOD CAC cards. I believe you indicated using the caCertificatePath or caCertificateFile for this.
I'm trying to change my configuration to use SSLHostConfig. This is what I have, but it does not work. I get an error (see below).

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxPostSize="-1"
           scheme="https" secure="true"
           defaultSSLHostConfigName="WSD-2DNX4M3.xxxx.com" >
  <SSLHostConfig hostName="WSD-2DNX4M3.xxxx.com"
                 ciphers="-ALL TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
                 honorCipherOrder="true"
                 sslProtocol="TLSv1.2"
                 protocols="TLSv1.2"
                 caCertificateFile="C:\Certificates\CA\intermediate.ca"
                 caCertificatePath="C:\Certificates\CA\"
                 certificateVerification="optional"
                 truststoreFile="C:\Certificate\Keystore\Tomcat SAMM Vessel.p12"
                 truststorePassword="Emprise#1"
                 truststoreType="PKCS12" >
    <Certificate certificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3.xxxx.com.key"
                 certificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxxx.com.cer"
                 certificateChainFile="C:\Certificates\CA\intermediate.ca"
                 type="RSA"
                 certificateKeystoreType="PKCS12" />
  </SSLHostConfig>
</Connector>

The "intermediate.ca" file is a list of DOD intermediates. This is the error log. When we upgraded from Tomcat 9.075 to 9.0.83 I had to add keystoreType="PKCS12" to my original config in order to get it to recognize the pem file with the "PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103]", which worked for 9.0.83. The config I have shown above is now creating the same error again. Can you tell me why it will not recognise the certs now?
14-Jan-2025 16:35:23.990 WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.setProperty The property [caCertificateFile] was set on the SSLHostConfig named [wsd-2dnx4m3.emprisecorporation.com] and is for the [OPENSSL] configuration syntax but the SSLHostConfig is being used with the [JSSE] configuration syntax
14-Jan-2025 16:35:23.990 WARNING [main] org.apache.tomcat.util.net.SSLHostConfig.setProperty The property [caCertificatePath] was set on the SSLHostConfig named [wsd-2dnx4m3.emprisecorporation.com] and is for the [OPENSSL] configuration syntax but the SSLHostConfig is being used with the [JSSE] configuration syntax
14-Jan-2025 16:35:24.257 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat
14-Jan-2025 16:35:24.257 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: unknown
14-Jan-2025 16:35:24.257 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.x
14-Jan-2025 16:35:24.257 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Windows 11
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 10.0
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: C:\Tomcat Applications\jre9
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_422-422-b05
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: OpenLogic-OpenJDK
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: C:\Tomcat Applications\Tomcat9
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: C:\Tomcat Applications\Tomcat9
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=C:\Tomcat Applications\Tomcat9
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=C:\Tomcat Applications\Tomcat9
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=C:\Tomcat Applications\Tomcat9\temp
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=C:\Tomcat Applications\Tomcat9\conf\logging.properties
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.connectorALLOW_BACKSLASH=false
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.connector.RECYCLE_FACADES=true
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.manager
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.policy=C:\Tomcat Applications\Tomcat9\conf\catalina.policy
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xrs
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:MaxHeapSize=2g
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:+UseG1GC
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:+UseStringDeduplication
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: exit
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: abort
14-Jan-2025 16:35:24.258 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms128m
14-Jan-2025 16:35:24.259 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx1500m
14-Jan-2025 16:35:24.262 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent An older version [1.2.26] of the Apache Tomcat Native library is installed, while Tomcat recommends a minimum version of [1.3.0]
14-Jan-2025 16:35:24.262 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.26] using APR version [1.7.0].
14-Jan-2025 16:35:24.262 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
14-Jan-2025 16:35:24.262 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
14-Jan-2025 16:35:25.050 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Initializing FIPS mode...
14-Jan-2025 16:35:25.054 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL Successfully entered FIPS mode
14-Jan-2025 16:35:25.054 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2u-fips 20 Dec 2019]
14-Jan-2025 16:35:25.340 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-apr-127.0.0.1-8080"]
14-Jan-2025 16:35:25.358 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-8443"]
14-Jan-2025 16:35:25.391 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-openssl-apr-8443"]]
    org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1027)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:525)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:986)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:686)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
    Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1373)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1386)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:663)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1025)
        ... 13 more
    Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
        at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:382)
        at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:215)
        at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:143)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
        ... 19 more
14-Jan-2025 16:35:25.391 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1598] milliseconds

On Mon, Jan 13, 2025 at 1:01 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Timothy,
>
> On 1/13/25 9:58 AM, Timothy Resh wrote:
> > This system and configuration I inherited and was told it works and it
> > should have been working in earlier Tomcat versions like 8. We have
> > hundreds of installations so having a Dynamic client auth is paramount.
>
> What do you mean when you say "dynamic client auth"?
>
> > I have tried several versions of Tomcat 9.079 to 9.089 and nothing seems
> > to work, unless I put the intermediates in the certificates file, then it
> > works.
>
> If the intermediates are required, then they are and were ALWAYS
> required. Your trust store contains certificates. It can contain either
> all the certificates you directly trust (like each individual user), or
> one or more intermediate certificates, or both kinds.
>
> But if you need to trust User A and User A's certificate is not in the
> trust store, the only way to make it work is to trust the certificate
> that signed User A's certificate, or have the user provide a trust chain
> that proves they are using a client cert your server's trust store
> trusts... eventually, following the chain.
>
> > What I'm trying to do is have the intermediates for client
> > authorization use the path to get the intermediates. This way we just send
> > a single certificate out to the remote and they drop it in the
> > caCertificatePath and it should work. I have also tried the
> > caCertificateFile as the intermediate for client auth and it does not seem
> > to work. In your configuration does the caCertificateFile file hold the
> > intermediates for client auth?
>
> Neither caCertificatePath nor caCertificateFile are "for intermediates"
> per se. You can put any number of certs in there. Using the
> intermediates is very very common, though.
>
> Note that when using trusted intermediates, it is of critical importance
> that you configure and test your certificate revocation list (not
> specified in your original configuration!) using
> SSLCARevocationFile/SSLCARevocationPath or SSLHostConfig's
> certificateRevocationListFile/certificateRevocationListPath.
>
> > I assume that the Certificate section is only for SSL and not client auth?
>
> Correct, the <Certificate>s are for server certificates. You want to use
> <SSLHostConfig> attributes like truststoreFile, etc. to configure your
> trust store for client certificates.
>
> Your configuration uses the <Connector> sslCACertificatePath attribute,
> which is used with the APR connector to specify a directory containing
> files. To move that to <SSLHostConfig> (recommended), you can move it to
> SSLHostConfig.caCertificatePath.
>
> On 1/9/25 11:15 AM, Timothy Resh wrote:
> > The only way to get it to work is to put it in the TrustStore/Keystore.
>
> During your upgrade, did you happen to remove the APR connector? The
> settings you have in your original post are only applicable to the
> OpenSSL-based APR connector where the libtcnative library is in use.
>
> When you start Tomcat, do you get any warning in the log file about APR
> and/or native not being supported? When the TLS/SSL connector becomes
> available, it should log what kind of cryptographic library is in use
> under the hood.
>
> If you have dropped libtcnative, then you may need to change your
> configuration slightly, including packaging your certificates
> differently (into a truststore file instead of a directory of PEM files).
>
> -chris
>
> > On Fri, Jan 10, 2025 at 5:33 PM <l...@kreuser.name> wrote:
> >
> >> Timothy
> >>
> >>> On 09.01.2025 at 17:15, Timothy Resh <mresh1...@gmail.com> wrote:
> >>>
> >>> The following is a configuration that we have used to set up the Client
> >>> Authorization to work in Tomcat. We use introspection
> >>> (the IntrospectionUtils.PropertySource) to decipher the password and set the
> >>> following environment variables
> >>>
> >>> System.setProperty("javax.net.ssl.keyStore", keyStorePath);
> >>> System.setProperty("javax.net.ssl.keyStorePassword", clearText);
> >>> System.setProperty("javax.net.ssl.trustStore", trustStorePath);
> >>> System.setProperty("javax.net.ssl.trustStorePassword", clearText);
> >>>
> >>> and then we use this connector configuration.
> >>>
> >>> <Connector URIEncoding="UTF-8"
> >>>            port="8443"
> >>>            address="10.2.110.235"
> >>>            maxThreads="300"
> >>>            maxConnections="300"
> >>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>>            scheme="https" secure="true" SSLEnabled="true"
> >>>            SSLProtocol="TLSv1.2"
> >>>            SSLCipherSuite="-ALL ..... this has all the ciphers"
> >>>            SSLPassword="${KSENC(6qXemkaMkIOCflnMN4pErQ==; C:\Certificate\Keystore\Tomcat xxx Vessel.p12)}"
> >>>            SSLCertificateChainFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxx.com.cer"
> >>>            SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxx.com.cer"
> >>>            SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3.xxx.com.key"
> >>>            SSLVerifyClient="optional"
> >>>            SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> >>>            SSLCACertificatePath="C:\Certificates\CA\"
> >>> />
> >>
> >> I'm not sure that all these parameters are available.
> >>
> >> Which version of Tomcat do you use?
> >>
> >> I switched to the new config with SSLHostConfig a long time ago.
> >>
> >> I also use client auth and this works:
> >>
> >> <SSLHostConfig honorCipherOrder="true"
> >>                insecureRenegotiation="false"
> >>                hostName="tomcat.xxxx.xxx"
> >>                protocols="+TLSv1.2,+TLSv1.3"
> >>                certificateVerification="required"
> >>                caCertificateFile="${catalina.base}/conf/ssl/chain.xxx.crt.pem"
> >>                disableCompression="true"
> >>                disableSessionTickets="true"
> >>                ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
> >>                certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
> >>   <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
> >>                certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
> >>                certificateChainFile="${catalina.base}/conf/ssl/int.xxx.crt.pem"
> >>                type="RSA" />
> >> </SSLHostConfig>
> >>
> >> I guess the most significant config is caCertificateFile, which contains the
> >> complete chain (intermediates before ROOT). I do use pem certificate files,
> >> but in another connector I also use jks/p12 - yet without client auth.
> >>
> >> HTH
> >>
> >> Peter
> >>
> >>> The last two settings, SSLCACertificateFile and SSLCACertificatePath, appear
> >>> to not work. We have a Certificate "DODxxx" intermediate in the
> >>> SSLCACertificatePath directory and it does not present itself to the client.
> >>> We have also tried putting it in the SSLCACertificateFile and that does not
> >>> work either.
> >>> The only way to get it to work is to put it in the TrustStore/Keystore.
> >>>
> >>> Did this type of configuration work on Tomcat? What changes do you suggest
> >>> to get this to work with at least an external "intermediate.ca" file with
> >>> all the "DODxxx" intermediates concatenated in the file.
> >>>
> >>> Regards
> >>>
> >>> Timothy Resh
> >>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
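The stack trace in the message above fails inside org.apache.tomcat.util.net.jsse.PEMFile before any certificate or trust-store setting is consulted: Tomcat's Java PEM parser reads the AlgorithmIdentifier of the ENCRYPTED PRIVATE KEY block and rejects the password-based-encryption OID it finds there, printed as the hex [2a864886f70d010c0103]. The thread never decodes that value. As an added example, not part of the thread and not Tomcat code, the following stand-alone Python script extracts and decodes that OID from any PEM private key so you can see which PBE scheme the key was wrapped with before changing server.xml. It carries a constructed sample key whose header uses the same OID as the log (the encryptedData is filler bytes, not a real key, which is enough because only the header is inspected); run it with a path argument to inspect a real key file. The OID name table is a small set of well-known PKCS#5/PKCS#12 identifiers: 2a864886f70d010c0103 is 1.2.840.113549.1.12.1.3, pbeWithSHAAnd3-KeyTripleDES-CBC.

```python
import base64
import re

# PBE algorithm OIDs seen in the AlgorithmIdentifier of an encrypted PKCS#8
# key. The hex form is what Tomcat prints in its "DER encoded OID of [...]"
# error; the dotted form is what openssl asn1parse shows.
KNOWN_PBE_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0: PBKDF2 + a cipher such as AES-CBC)",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12 PBE)",
}

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)      # base-128; high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_key_info(pem_text):
    """Report the PEM label and, for ENCRYPTED PRIVATE KEY, the PBE algorithm OID."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    info = {"label": label, "encrypted": label == "ENCRYPTED PRIVATE KEY"}
    if not info["encrypted"]:                  # PRIVATE KEY / RSA PRIVATE KEY: no PBE header
        return info
    der = base64.b64decode("".join(m.group(2).split()))
    # EncryptedPrivateKeyInfo ::= SEQUENCE {
    #     encryptionAlgorithm AlgorithmIdentifier,   -- SEQUENCE { OID, parameters }
    #     encryptedData       OCTET STRING }
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EncryptedPrivateKeyInfo must be a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("encryptionAlgorithm must be a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    raw_oid = der[start:end]
    info["oid_hex"] = raw_oid.hex()           # same spelling as Tomcat's message
    info["oid"] = decode_oid(raw_oid)
    info["algorithm"] = KNOWN_PBE_OIDS.get(info["oid"], "unknown PBE algorithm")
    return info


# --- constructed sample input (filler, not a usable key) ---------------------

def _der(tag, payload):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted):
    """Inverse of decode_oid, used only to build the sample."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_pem(pbe_oid="1.2.840.113549.1.12.1.3"):
    """ENCRYPTED PRIVATE KEY whose header declares pbe_oid; body is filler bytes."""
    pbe_params = _der(0x30, _der(0x04, b"\x00" * 8)             # salt
                      + _der(0x02, (2048).to_bytes(2, "big")))  # iteration count
    alg_id = _der(0x30, _der(0x06, encode_oid(pbe_oid)) + pbe_params)
    epki = _der(0x30, alg_id + _der(0x04, b"\xaa" * 48))        # filler "ciphertext"
    b64 = base64.b64encode(epki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{body}\n-----END ENCRYPTED PRIVATE KEY-----\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_pem()
    for k, v in pem_key_info(text).items():
        print(f"{k}: {v}")
```

Run it against the key named in certificateKeyFile; if the reported OID is the PKCS#12 3DES scheme rather than PBES2, the PEM parser in the log is objecting to the wrapping of the key, not to the certificates or the caCertificateFile/truststoreFile mix that the two WARNING lines describe. The usual way to re-wrap a key is `openssl pkcs8 -topk8 -v2 aes-256-cbc -in old.key -out new.key` (or `-nocrypt` for an unencrypted PKCS#8 file, which then needs filesystem protection instead of a passphrase); `openssl asn1parse -in key.pem` shows the same OID the script prints. Whether a particular Tomcat build accepts a given PBE scheme, and whether that is what was changed between 9.0.75 and 9.0.83, is not settled by the thread and has to be checked against that build.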