Hi,
Finally, I got it working.
I changed a piece of code for validating local certificates that I found
searching on the internet:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

private static void localHostNameVerifi() throws Exception {
    // Accepts every hostname: the URL host is only logged, never compared
    // with the name in the server certificate
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String urlHostName, SSLSession session) {
            System.out.println("Warning: URL Host: " + urlHostName + " vs. "
                    + session.getPeerHost());
            return true;
        }
    };
    trustAllHttpsCertificates();
    // JVM-wide: applies to every HttpsURLConnection, not just this client
    HttpsURLConnection.setDefaultHostnameVerifier(hv);
}

public static class miTM implements javax.net.ssl.X509TrustManager {
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        // The interface contract asks for a non-null (possibly empty) array
        return new java.security.cert.X509Certificate[0];
    }

    // isServerTrusted / isClientTrusted belong to the old com.sun.net.ssl
    // interface; javax.net.ssl never calls them
    public boolean isServerTrusted(java.security.cert.X509Certificate[] certs) {
        return true;
    }

    public boolean isClientTrusted(java.security.cert.X509Certificate[] certs) {
        return true;
    }

    // Accepts any server chain without checking signature, validity or issuer
    public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
            throws java.security.cert.CertificateException {
        return;
    }

    public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
            throws java.security.cert.CertificateException {
        return;
    }
}

private static void trustAllHttpsCertificates() throws Exception {
    // Create a trust manager that does not validate certificate chains:
    javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
    javax.net.ssl.TrustManager tm = new miTM();
    trustAllCerts[0] = tm;
    javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
    // null key managers: this context has no client key to present
    sc.init(null, trustAllCerts, null);
    // JVM-wide: every HttpsURLConnection now uses the trust-all context
    javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}


for this code (taken from the SCJWS guide by Ivan A Kirzsan):

static {
    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            if (hostname.equals("localhost")) {
                return true;
            }
            return false;
        }
    });
}


Now, at least locally, it's working perfectly.

Thanks, regards. Ángel.
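
Editor's note on the trust-all code in this message (miTM and localHostNameVerifi): it gets past the handshake by accepting every server certificate and every hostname, and it does so JVM-wide through setDefaultSSLSocketFactory/setDefaultHostnameVerifier, so the client no longer authenticates the server at all; anyone sitting between the client and Tomcat can impersonate the server. Note also that sc.init(null, trustAllCerts, null) installs no KeyManager: a context built that way never reads javax.net.ssl.keyStore (only the JVM's default SSLContext does, and only once, when it is first initialised), so it does not present the client certificate either. What follows is an added example, not code from the original post, the SCJWS guide or Tomcat: the same client with an explicit SSLContext built from the truststore and the PKCS12 keystore named in the thread, applied to a single connection rather than the JVM defaults. The file paths, the password "tomcat" and the endpoint https://localhost:8443/webservice are assumptions taken from the post; the localhost-only hostname override mirrors the guide's verifier and is a development-time concession that should go before the client leaves the test machine. Requires Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS client for the Tomcat connector described in the thread.
 * Instead of a trust-all TrustManager it trusts only what is in an explicit
 * truststore, presents the client key from a PKCS12 file, and scopes both to
 * one connection. Paths, password and endpoint are assumptions from the post.
 */
public class MutualTlsClient {

    // Assumed: JKS truststore holding the Tomcat server certificate (from the post)
    static final String TRUST_STORE =
        "C:/Program Files/Apache Software Foundation/Tomcat 5.5/conf/truststore.keystore";
    // Assumed: PKCS12 file holding the client key + certificate (from the post)
    static final String CLIENT_P12 = "C:/OpenSSL-Win32/bin/ssl/client/client1.p12";
    static final char[] PASSWORD = "tomcat".toCharArray();   // assumed, as in the post
    // Assumed: connector port 8443 and url-pattern /webservice from the post
    static final String ENDPOINT = "https://localhost:8443/webservice";

    static KeyStore loadStore(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    /**
     * Server chains must validate against TRUST_STORE (an unknown server ends
     * in SSLHandshakeException), and the server's CertificateRequest is
     * answered with the key from CLIENT_P12. Nothing here touches JVM defaults.
     */
    static SSLContext buildContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore("JKS", TRUST_STORE, PASSWORD));

        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore("PKCS12", CLIENT_P12, PASSWORD), PASSWORD);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * HttpsURLConnection consults the HostnameVerifier only when the name in
     * the server certificate does NOT match the URL host. This tolerates that
     * mismatch for "localhost" alone (development only) and rejects it for any
     * other host, unlike a verifier that always returns true.
     */
    static HostnameVerifier localhostOnlyOverride() {
        return new HostnameVerifier() {
            public boolean verify(String host, SSLSession session) {
                return "localhost".equals(host);
            }
        };
    }

    /** Handshakes, reports who we actually authenticated, then POSTs to the service. */
    static int callWebService() throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(ENDPOINT).openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory()); // per connection, not setDefaultSSLSocketFactory
        conn.setHostnameVerifier(localhostOnlyOverride());           // per connection, not setDefaultHostnameVerifier
        conn.setRequestMethod("POST");   // the security-constraint in the thread covers POST only
        conn.setDoOutput(true);

        conn.connect();                  // TLS handshake (server auth + client cert) happens here
        X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Server authenticated as: " + leaf.getSubjectX500Principal());

        conn.getOutputStream().close();  // empty body; the real SOAP envelope would be written here
        // The handshake already succeeded by now; the status reflects the
        // CLIENT-CERT login and role check on the Tomcat side
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("HTTP " + callWebService());
    }
}
```

Compile and run with javac MutualTlsClient.java && java MutualTlsClient. If Tomcat presents a certificate that is not in truststore.keystore, the handshake fails with an SSLHandshakeException instead of silently succeeding, which is exactly the check the trust-all version removed.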

2011/1/18 Goo Sam Kong <skgo...@gmail.com>

> Hi Angel,
>
> I encountered the same problem as you with Tomcat 5.5.27, so I upgraded to the
> latest Tomcat to get rid of the certification error.
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=37869 is the bug report on
> the certification error.
>
> Thank you.
>
>
> On 17 January 2011 22:14, amcereijo cereijo <amcere...@gmail.com> wrote:
>
> > Hi,
> >
> >
> > I'm trying to configure Tomcat for mutual authentication between server and
> > client using certificates.
> >
> > I have Tomcat 5.5.26 and a Java web application (web service) under JVM
> > 1.5.
> >
> > I did the following:
> >
> >
> >
> > I generated two certificates with keytool, one for the client and another for
> > the server.
> >
> > I created a cacerts for the server by importing the client certificate, and
> > one for the client by importing the server certificate.
> >
> >
> >
> > In my web application (web service), I configured the web.xml like this:
> >
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>webservice</web-resource-name>
> >         <url-pattern>/webservice</url-pattern>
> >         <http-method>POST</http-method>
> >     </web-resource-collection>
> >
> >     <auth-constraint>
> >         <role-name>webservice</role-name>
> >     </auth-constraint>
> >
> >     <user-data-constraint>
> >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >     </user-data-constraint>
> > </security-constraint>
> >
> > <login-config>
> >     <!-- auth-method>BASIC</auth-method -->
> >     <auth-method>CLIENT-CERT</auth-method>
> >     <realm-name>webservice</realm-name>
> > </login-config>
> >
> > <security-role>
> >     <role-name>webservice</role-name>
> > </security-role>
> >
> >
> >
> > I configured the server.xml, adding:
> >
> > <Connector port="8443" maxHttpHeaderSize="8192"
> >            protocol="HTTP/1.1"
> >            SSLEnabled="true"
> >            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> >            enableLookups="false" disableUploadTimeout="true"
> >            acceptCount="100" scheme="https" secure="true"
> >            clientAuth="true" sslProtocol="TLS"
> >            keystoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatserver.keystore"
> >            keystorePass="tomcat"
> >            keyAlias="tomcatcertlocalhost"
> >            keypass="tomcat"
> >            truststoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatservercacerts.keystore"
> >            truststorePass="tomcat"
> > />
> >
> >
> >
> > I added the following to tomcat-users.xml:
> >
> > <role rolename="webservice"/>
> > <user username="CN=client, OU=client, O=client, L=Madrid, ST=Madrid, C=ES"
> >       password="null" roles="webservice"/>
> >
> >
> >
> > When I run my client to call the web service, I set the properties:
> >
> > System.setProperty("javax.net.ssl.trustStore",
> >     "C:/Program Files/Apache Software Foundation/Tomcat 5.5/conf/truststore.keystore");
> > System.setProperty("javax.net.ssl.trustStorePassword", "tomcat");
> >
> > System.setProperty("javax.net.ssl.keyStore",
> >     "C:/OpenSSL-Win32/bin/ssl/client/client1.p12");
> > System.setProperty("javax.net.ssl.keyStorePassword", "tomcat");
> > System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
> >
> >
> >
> > In the server logs I get the error:
> >
> >
> > 17-ene-2011 13:20:34 org.apache.coyote.http11.Http11Processor action
> > WARNING (ADVERTENCIA): Exception getting SSL attributes
> > javax.net.ssl.SSLHandshakeException: null cert chain
> >        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
> >        at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
> >        at java.io.InputStream.read(Unknown Source)
> >        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88)
> >        at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
> >        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121)
> >        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1131)
> >        at org.apache.coyote.Request.action(Request.java:349)
> >        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138)
> >        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
> >        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> >        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> >        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> >        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
> >        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> >        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> >        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> >        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> >        at java.lang.Thread.run(Unknown Source)
> >
> >
> >
> >
> >
> > I also tried different configurations and never got a good result. Only
> > with user and password do I get a successful result (using BASIC
> > authentication instead of CLIENT-CERT).
> >
> >
> >
> > Thanks, regards. Ángel.
> >
>
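
Editor's note on the trace in the original question: it ends in ServerHandshaker.clientCertificate with "null cert chain" during the handshake Tomcat runs from SSLAuthenticator, i.e. the client answered the server's CertificateRequest with an empty certificate list. One way that happens, and one that can be ruled out offline, is an issuer mismatch: the SunX509 key manager presents a key entry only if a certificate in its chain was issued by one of the CAs the server advertises as acceptable, and Tomcat's JSSE connector builds that list from the trusted certificates in its truststore. With a self-signed client certificate the issuer is the certificate's own subject, so the certificate itself must be in the server truststore. The following is an added example, not part of the thread, that reproduces that selection rule against the two files named in the post; the paths, the password "tomcat" and the JKS type of the server truststore are assumptions. Requires Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/**
 * Offline preflight for "null cert chain" on a clientAuth="true" connector:
 * would the client keystore yield a certificate the server accepts?
 * Paths and password are assumptions copied from the original post.
 */
public class ClientCertPreflight {

    static final String CLIENT_P12 = "C:/OpenSSL-Win32/bin/ssl/client/client1.p12";
    static final String SERVER_TRUSTSTORE =
        "C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/conf/tomcatservercacerts.keystore";
    static final char[] PASSWORD = "tomcat".toCharArray();

    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    /** What the server advertises as acceptable issuers: the subject of every certificate it trusts. */
    static List<X500Principal> acceptableIssuers(KeyStore serverTrust) throws Exception {
        List<X500Principal> issuers = new ArrayList<X500Principal>();
        for (Enumeration<String> e = serverTrust.aliases(); e.hasMoreElements();) {
            Certificate c = serverTrust.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                issuers.add(((X509Certificate) c).getSubjectX500Principal());
            }
        }
        return issuers;
    }

    /**
     * Mirrors the key manager's choice: a key entry (a trusted-cert entry has
     * no private key to sign the CertificateVerify with) whose chain contains a
     * certificate issued by an acceptable CA. Returns the alias that would be
     * presented, or null when the client will send no certificate at all.
     */
    static String presentableAlias(KeyStore client, List<X500Principal> issuers) throws Exception {
        for (Enumeration<String> e = client.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!client.isKeyEntry(alias)) continue;
            Certificate[] chain = client.getCertificateChain(alias);
            if (chain == null) continue;
            for (Certificate c : chain) {
                if (issuers.contains(((X509Certificate) c).getIssuerX500Principal())) {
                    return alias;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore client = load("PKCS12", CLIENT_P12, PASSWORD);
        List<X500Principal> issuers = acceptableIssuers(load("JKS", SERVER_TRUSTSTORE, PASSWORD));
        System.out.println("Server will accept client certs issued by: " + issuers);

        String alias = presentableAlias(client, issuers);
        if (alias == null) {
            System.out.println("No key entry in " + CLIENT_P12 + " is issued by any of those: "
                + "the client will send no certificate (expect 'null cert chain'). "
                + "Import the client's issuer, or the self-signed client cert itself, "
                + "into the server truststore.");
            return;
        }
        X509Certificate leaf = (X509Certificate) client.getCertificate(alias);
        System.out.println("Client will present alias '" + alias + "': " + leaf.getSubjectX500Principal());
        // Same form as the <user username="..."> entry in the post (spaces after
        // the commas), which is how Tomcat's realm looks the certificate up
        System.out.println("tomcat-users.xml username must equal: " + leaf.getSubjectDN().getName());
    }
}
```

Run it on the machine that holds both files. If it reports an alias, the issuer list is not the problem and the cause lies elsewhere (for instance the javax.net.ssl.* properties being set after the JVM's default SSLContext was already initialised, or the Tomcat 5.5 issue referenced in the reply); the next step is then the client run with -Djavax.net.debug=ssl,handshake, whose CertificateRequest dump shows the "Cert Authorities" list the server actually sent and whether the client attached a certificate in reply.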
