Good afternoon,

If I use this configuration, then the prompts for the client auth work, where the intermediate.p12 file has all the intermediates from DOD ID CAx imported. I do not see where the caCertificatePath can be used in this configuration.

<Connector URIEncoding="UTF-8"
           port="8443"
           address="192.168.1.151"
           connectionTimeout="60000"
           maxThreads="300"
           maxConnections="300"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           enableLookups="false"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           keystoreFile="C:\\Certificate\\Keystore\\Tomcat SAMM Vessel.p12"
           keystorePass="MyPassword"
           keystoreType="PKCS12"
           SSLProtocol="TLSv1.2"
           SSLCipherSuite="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
           truststoreFile="C:\\Certificates\\CA\\intermediate.P12"
           truststorePass="MyPassword"
           truststoreType="PKCS12"
           SSLVerifyClient="optional" />

In the old configuration we were able to hide the password using the following parameter in the config:

SSLPassword="${KSENC(6qXemkaMkIOCflnMN4pErQ==; C:\\Certificate\Keystore\Tomcat SAMM Vessel.p12)}"

We then used this in the catalina.properties:

org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.emprisecorp.tomcat.propertysource.MyPropertySource

This class would set the following properties when it decrypted the KSENC(6qXemkaMkIOCflnMN4pErQ==;

System.setProperty("javax.net.ssl.keyStore", keyStorePath);
System.setProperty("javax.net.ssl.keyStorePassword", clearText);
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", clearText);

I do not see in the Tomcat 9 documentation that these properties are used for truststorePass and keyStorePass. I believe these are aliases for the above keys. If I use com.emprisecorp.tomcat.propertysource.MyPropertySource and it sets these keys, will this force me to JSSE and not OpenSSL, and how does this impact using caCertificatePath?

Thanks,

On Wed, Jan 15, 2025 at 11:03 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Timothy,
>
> On 1/14/25 4:58 PM, Timothy Resh wrote:
> >> What do you mean when you say "dynamic client auth"?
> >
> > Dynamic in so far as you drop an intermediate ca and hash link into a
> > directory, to allow tomcat to recognise the new client. E.g. DOD CAC
> > cards. I believe you indicated using the caCertificatePath or
> > caCertificateFile for this.
>
> You will likely need to reload the configuration each time you make a
> change. You can trigger this with a JMX notification for sure. I think
> there were some changes "recently" (last 2-3 years?) that allow
> automatic detection of configuration changes to trigger a reload, but
> that may be limited to the server's key store. I'll have to double-check.
>
> > I'm trying to change my configuration to using the SSLHostConfig.
> >
> > This is what I have but it does not work. I get an error (see below)
> >
> > <Connector
> >     port="8443"
> >     protocol="org.apache.coyote.http11.Http11AprProtocol"
> >     SSLEnabled="true"
> >     maxPostSize="-1"
> >     scheme="https"
> >     secure="true"
> >     defaultSSLHostConfigName="WSD-2DNX4M3.xxxx.com"
> > >
> >
> >   <SSLHostConfig hostName="WSD-2DNX4M3.xxxx.com"
> >       ciphers="-ALL
> >       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> >       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
> >       honorCipherOrder="true"
> >       sslProtocol="TLSv1.2"
> >       protocols="TLSv1.2"
> >       caCertificateFile="C:\Certificates\CA\intermediate.ca"
> >       caCertificatePath="C:\Certificates\CA\"
> >       certificateVerification="optional"
> >       truststoreFile="C:\Certificate\Keystore\Tomcat SAMM Vessel.p12"
> >       truststorePassword="Emprise#1"
> >       truststoreType="PKCS12"
> >   >
>
> You are mixing configurations, here.
>
> These configuration options are documented to be for OpenSSL only:
> caCertificateFile
> caCertificatePath
>
> These configuration options are documented to be for JSSE only:
> sslProtocol
> truststoreFile
> truststoreType
> truststorePassword
>
> That's why I asked which kind of connector you are using. Your
> <Connector> configuration above shows that you are using the APR
> connector, which meant libtcnative, APR, and OpenSSL should all be in
> use. Indeed, your log confirms this:
>
> > 14-Jan-2025 16:35:24.262 INFO [main]
> > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache
> > Tomcat Native library [1.2.26] using APR version [1.7.0].
> > 14-Jan-2025 16:35:24.262 INFO [main]
> > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> > capabilities: IPv6 [true], sendfile [true], accept filters [false], random
> > [true], UDS [true].
> > 14-Jan-2025 16:35:24.262 INFO [main]
> > org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
> > configuration: useAprConnector [false], useOpenSSL [true]
>
> There are a bunch of warnings about your configuration in the log file.
> Did you read them?
>
> >     <Certificate
> >         certificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3.xxxx.com.key"
> >         certificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxxx.com.cer"
> >         certificateChainFile="C:\Certificates\CA\intermediate.ca"
> >         type="RSA" certificateKeystoreType="PKCS12"
> >     />
> >   </SSLHostConfig>
> > </Connector>
> >
> > The "intermediate.ca" file is a list of DOD intermediates.
> >
> > This is the error log. When we upgraded from Tomcat 9.075 to 9.0.83 I had
> > to add to my original config keystoreType="PKCS12" in order to get it to
> > recognize the pem file with the "PKCS#8 encryption algorithm with DER
> > encoded OID of [2a864886f70d010c0103]" which worked for 9.0.83. The config
> > I have shown above is now creating the same error again.
>
> Something is definitely missing from your report and/or your
> configuration. You are not configuring a keystore. You are configuring a
> certificate file and certificate key file.
>
> This all sounds very familiar. Oh, right, this is why:
>
> https://lists.apache.org/thread/v9w8swz73w2ss6jslppwq6b6ldto089k
>
> > Can you tell me why it will not recognise the certs now?
>
> It's failing to read the key, not the certificate. The key file
> C:\Certificate\Private Key\WSD-2DNX4M3.xxxx.com.key is in a format this
> version of Tomcat doesn't understand.
>
> It looks like your key-generator is writing the key to a file in an
> obscure encrypted format (OID 1.2.840.113549.1.12.1.3,
> pbeWithSHAAnd3-KeyTripleDES-CBC). Can you export the key in a different
> format?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org