Hi, finally I got it working. I changed a piece of code for validating local certificates that I found searching on the internet:
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    // Installs a hostname verifier that accepts any host name and a trust manager
    // that accepts any certificate chain, i.e. both checks are disabled JVM-wide.
    private static void localHostNameVerifi() throws Exception {
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String urlHostName, SSLSession session) {
                System.out.println("Warning: URL Host: " + urlHostName + " vs. "
                        + session.getPeerHost());
                return true;
            }
        };
        trustAllHttpsCertificates();
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
    }

    // Trust manager that accepts every certificate chain without validating it.
    public static class miTM implements javax.net.ssl.TrustManager,
            javax.net.ssl.X509TrustManager {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        // isServerTrusted/isClientTrusted are not part of javax.net.ssl.X509TrustManager
        // (they come from the old com.sun.net.ssl interface) and are never called by JSSE.
        public boolean isServerTrusted(java.security.cert.X509Certificate[] certs) {
            return true;
        }

        public boolean isClientTrusted(java.security.cert.X509Certificate[] certs) {
            return true;
        }

        // Returning without throwing CertificateException means "accept the chain".
        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }

        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }
    }

    private static void trustAllHttpsCertificates() throws Exception {
        // Create a trust manager that does not validate certificate chains:
        javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
        javax.net.ssl.TrustManager tm = new miTM();
        trustAllCerts[0] = tm;
        javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, null);
        // From here on every HttpsURLConnection in the JVM uses the trust-all context.
        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }

For this code (taken from the SCJWS guide by Ivan A Krizsan):

    static {
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                if (hostname.equals("localhost")) {
                    return true;
                }
                return false;
            }
        });
    }

Now, at least locally, it's working perfectly.

Thanks, regards.
Ángel.

2011/1/18 Goo Sam Kong <skgo...@gmail.com>

> Hi Angel,
>
> I encountered the same problem as you with Tomcat 5.5.27, so I upgraded to
> the latest Tomcat to get rid of the certification error.
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=37869 is the bug report on
> the certification error.
>
> Thank you.
>
>
> On 17 January 2011 22:14, amcereijo cereijo <amcere...@gmail.com> wrote:
>
> > Hi,
> >
> > I'm trying to configure Tomcat for mutual authentication between server
> > and client using certificates.
> >
> > I have Tomcat 5.5.26 and a Java web application (web service) under JVM
> > 1.5.
> >
> > I did the following:
> >
> > I generated two certificates with keytool, one for the client and another for
> > the server.
> >
> > I created a cacerts for the server by importing the client certificate, and
> > one for the client by importing the server certificate.
> >
> > In my web application (web service), I configured web.xml like this:
> >
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>webservice</web-resource-name>
> >             <url-pattern>/webservice</url-pattern>
> >             <http-method>POST</http-method>
> >         </web-resource-collection>
> >
> >         <auth-constraint>
> >             <role-name>webservice</role-name>
> >         </auth-constraint>
> >
> >         <user-data-constraint>
> >             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >         </user-data-constraint>
> >     </security-constraint>
> >
> >     <login-config>
> >         <!-- auth-method>BASIC</auth-method -->
> >         <auth-method>CLIENT-CERT</auth-method>
> >         <realm-name>webservice</realm-name>
> >     </login-config>
> >
> >     <security-role>
> >         <role-name>webservice</role-name>
> >     </security-role>
> >
> > I configured server.xml by adding:
> >
> >     <Connector port="8443" maxHttpHeaderSize="8192"
> >                protocol="HTTP/1.1"
> >                SSLEnabled="true"
> >                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> >                enableLookups="false" disableUploadTimeout="true"
> >                acceptCount="100" scheme="https" secure="true"
> >                clientAuth="true" sslProtocol="TLS"
> >                keystoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatserver.keystore"
> >                keystorePass="tomcat"
> >                keyAlias="tomcatcertlocalhost"
> >                keypass="tomcat"
> >                truststoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatservercacerts.keystore"
> >                truststorePass="tomcat"
> >     />
> >
> > I added the following to tomcat-users.xml:
> >
> >     <role rolename="webservice"/>
> >     <user username="CN=client, OU=client, O=client, L=Madrid, ST=Madrid, C=ES" password="null" roles="webservice"/>
> >
> > When I run my client to call the web service, I set these properties:
> >
> >     System.setProperty("javax.net.ssl.trustStore", "C:/Program Files/Apache Software Foundation/Tomcat 5.5/conf/truststore.keystore");
> >     System.setProperty("javax.net.ssl.trustStorePassword", "tomcat");
> >
> >     System.setProperty("javax.net.ssl.keyStore", "C:/OpenSSL-Win32/bin/ssl/client/client1.p12");
> >     System.setProperty("javax.net.ssl.keyStorePassword", "tomcat");
> >     System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
> >
> > In the server logs I get the error:
> >
> >     17-ene-2011 13:20:34 org.apache.coyote.http11.Http11Processor action
> >     ADVERTENCIA: Exception getting SSL attributes
> >     javax.net.ssl.SSLHandshakeException: null cert chain
> >         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
> >         at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
> >         at java.io.InputStream.read(Unknown Source)
> >         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88)
> >         at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
> >         at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121)
> >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1131)
> >         at org.apache.coyote.Request.action(Request.java:349)
> >         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138)
> >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
> >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
> >         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
> >         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
> >         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
> >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
> >         at java.lang.Thread.run(Unknown Source)
> >
> > I also tried different configurations and never got a good result. Only
> > with user and password do I get a successful result (using BASIC authentication
> > instead of CLIENT-CERT).
> >
> > Thanks, regards.
> > Ángel.
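The following is an added example and not code from anyone in this thread. It shows the alternative to the trust-all manager and the always-true hostname verifier above: a client that loads the PKCS12 key store and the JKS trust store explicitly into its own SSLContext, so only certificates chaining to the trust store are accepted and the host name is checked against one expected value. It also checks that the key store actually contains a private-key entry, because JSSE only presents a client certificate when it holds a key entry whose chain leads to one of the issuers the server lists in its CertificateRequest (which Tomcat builds from its truststoreFile); with no matching key entry the client sends an empty chain. File names, the password and the URL are placeholders standing in for the values used in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Loads a key store of the given type ("PKCS12" or "JKS") from disk.
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    // True if the store holds at least one private-key entry. A store that only
    // contains a certificate cannot be used to authenticate the client.
    static boolean hasPrivateKeyEntry(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) {
                return true;
            }
        }
        return false;
    }

    // Builds an SSLContext that presents the client key and trusts only the given trust store,
    // instead of a TrustManager that accepts every chain.
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Accepts exactly the expected host rather than returning true for everything.
    static HostnameVerifier exactHost(final String expected) {
        return new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return expected.equalsIgnoreCase(hostname);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names and password (assumptions, not values from the thread).
        char[] pass = "changeit".toCharArray();
        KeyStore keyStore = loadKeyStore("client1.p12", "PKCS12", pass);
        KeyStore trustStore = loadKeyStore("truststore.keystore", "JKS", pass);

        if (!hasPrivateKeyEntry(keyStore)) {
            throw new IllegalStateException(
                    "key store has no private-key entry; the server would receive an empty chain");
        }

        SSLContext ctx = buildContext(keyStore, pass, trustStore);

        // Configure this one connection rather than the JVM-wide defaults.
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://localhost:8443/webservice").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(exactHost("localhost"));
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.getOutputStream().close(); // empty body; a real SOAP request would be written here

        System.out.println("HTTP " + conn.getResponseCode());

        // Show which server certificate was accepted after validation against the trust store.
        Certificate[] chain = conn.getServerCertificates();
        System.out.println("server cert: " + ((X509Certificate) chain[0]).getSubjectX500Principal());
    }
}
```

Setting the socket factory and verifier on the connection keeps the configuration local to this client, whereas HttpsURLConnection.setDefaultSSLSocketFactory and setDefaultHostnameVerifier change every HTTPS connection in the JVM.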