Hi,

I'm trying to configure Tomcat for mutual authentication between server and
client using certificates.

I have Tomcat 5.5.26 and a Java web application (web service) running under JVM
1.5.

I did the following:
I generated two certificates with keytool, one for the client and one for the
server.

I created a cacerts for each side: for the server, importing the client
certificate, and for the client, importing the server certificate.
In my web application (web service), I configured web.xml like this:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>webservice</web-resource-name>
        <url-pattern>/webservice</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>webservice</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <!-- <auth-method>BASIC</auth-method> -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>webservice</realm-name>
</login-config>

<security-role>
    <role-name>webservice</role-name>
</security-role>



I configured server.xml, adding:

<Connector port="8443" maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatserver.keystore"
           keystorePass="tomcat"
           keyAlias="tomcatcertlocalhost"
           keypass="tomcat"
           truststoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatservercacerts.keystore"
           truststorePass="tomcat"
/>



I added the following to tomcat-users.xml:

<role rolename="webservice"/>
<user username="CN=client, OU=client, O=client, L=Madrid, ST=Madrid, C=ES" password="null" roles="webservice"/>



When I run my client to call the web service, I set the properties:

System.setProperty("javax.net.ssl.trustStore", "C:/Program Files/Apache Software Foundation/Tomcat 5.5/conf/truststore.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "tomcat");

System.setProperty("javax.net.ssl.keyStore", "C:/OpenSSL-Win32/bin/ssl/client/client1.p12");
System.setProperty("javax.net.ssl.keyStorePassword", "tomcat");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");



In the server logs I get the error:


17-Jan-2011 13:20:34 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL attributes
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
        at java.io.InputStream.read(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1131)
        at org.apache.coyote.Request.action(Request.java:349)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Unknown Source)





I have also tried different configurations and never get a good result. Only
with username and password (using BASIC authentication instead of CLIENT-CERT)
do I get a successful result.



Thanks, regards. Ángel.

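As an added example (not code from the post above, and not part of Tomcat), here is the same server/client arrangement in Go, using in-process self-signed certificates so it runs offline. ClientAuth RequireAndVerifyClientCert is the analogue of clientAuth="true" and ClientCAs of truststoreFile; on the client, RootCAs and Certificates stand in for the javax.net.ssl.trustStore and javax.net.ssl.keyStore properties. It runs three handshakes: a client with no certificate, a client with a certificate the server never imported, and a client with the certificate that is in the server's truststore. The first two fail on the server, which is the situation JSSE reports as "null cert chain": the server's CertificateRequest lists the subject names from its truststore as acceptable issuers, and a JSSE (or Go) client with no key entry chaining to one of those names answers with an empty certificate list instead of sending an unacceptable certificate. Only the third handshake produces the peer subject DN that SSLAuthenticator then matches against the username in tomcat-users.xml. The helper names (newSelfSigned, truststore, handshake), the certificate subjects and the "client2" stranger certificate are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned is the analogue of "keytool -genkey": a self-signed certificate and key.
// Being self-signed it is its own trust anchor, so "importing the peer's certificate
// into cacerts" means this exact certificate must sit in the other side's truststore.
func newSelfSigned(subject pkix.Name, eku x509.ExtKeyUsage) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		DNSNames:     []string{"localhost"}, // SAN the client checks on the server certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// truststore mirrors a cacerts / truststoreFile: the certificates one side accepts.
func truststore(certs ...tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c.Leaf)
	}
	return p
}

// Constructed identities: the server, the client named in tomcat-users.xml, and a
// second client certificate that the server never imported.
var (
	serverCert = newSelfSigned(pkix.Name{CommonName: "localhost"}, x509.ExtKeyUsageServerAuth)
	clientCert = newSelfSigned(pkix.Name{CommonName: "client", OrganizationalUnit: []string{"client"},
		Organization: []string{"client"}, Locality: []string{"Madrid"}, Province: []string{"Madrid"},
		Country: []string{"ES"}}, x509.ExtKeyUsageClientAuth)
	strangerCert = newSelfSigned(pkix.Name{CommonName: "client2"}, x509.ExtKeyUsageClientAuth)
)

// handshake runs one mutual-TLS handshake against an in-process server that requires a
// client certificate (clientAuth="true") and trusts only clientCert. It returns the peer
// subject DN the server extracted, or the server-side handshake error.
func handshake(clientCerts []tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // clientAuth="want" would be VerifyClientCertIfGiven
		ClientCAs:    truststore(clientCert),          // truststoreFile
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the client side, i.e. the javax.net.ssl.* properties
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			RootCAs:      truststore(serverCert), // javax.net.ssl.trustStore
			Certificates: clientCerts,            // javax.net.ssl.keyStore: only sent if its issuer is acceptable to the server
			ServerName:   "localhost",
		})
		if err == nil {
			c.Read(make([]byte, 1)) // under TLS 1.3 the server's verdict arrives after Dial returns
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	tc := conn.(*tls.Conn)
	if err := tc.Handshake(); err != nil {
		return "", err // the point where JSSE raises "null cert chain"
	}
	// This string is what SSLAuthenticator looks up in tomcat-users.xml
	// (Java prints "CN=..., OU=..., ..."; Go omits the spaces).
	return tc.ConnectionState().PeerCertificates[0].Subject.String(), nil
}

func NoClientCert() (string, error)        { return handshake(nil) }
func UntrustedClientCert() (string, error) { return handshake([]tls.Certificate{strangerCert}) }
func TrustedClientCert() (string, error)   { return handshake([]tls.Certificate{clientCert}) }

func main() {
	for _, run := range []func() (string, error){NoClientCert, UntrustedClientCert, TrustedClientCert} {
		dn, err := run()
		fmt.Printf("dn=%q err=%v\n", dn, err)
	}
}
```

Running it prints one line per scenario: the first two carry a server-side error and an empty DN, the third carries the DN of the trusted client. The practical check it encodes for a Tomcat setup is that the certificate in the client's keystore (here clientCert) must be the very one, or chain to the very one, imported into the server's truststoreFile; otherwise the client never sends a certificate at all and the server-side log shows exactly the kind of handshake failure quoted above.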