tomcat-dev mailing list archives

From jean-frederic clere <jfrederic.cl...@fujitsu-siemens.com>
Subject Re: SSL client auth in Tomcat 4.0
Date Tue, 15 Oct 2002 14:52:34 GMT
Steven Bradley wrote:
> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble 
> getting SSL client authentication working (getting SSL server auth 
> working was a snap).  Here's what I've done so far:
> 
> * created a self-signed client cert using OpenSSL (key usage includes 
> digital signature)
> * imported client cert (and private key) into Internet Explorer (by way 
> of a PKCS#12 file)
> * imported the Tomcat JKS file with the client certificate

CA file?

> * configure tomcat server.xml file as follows:
> 
>     <Connector className="org.apache.catalina.connector.http.HttpConnector"
>                port="443"
>                minProcessors="5"
>                maxProcessors="75"
>                enableLookups="true"
>                acceptCount="10"
>                debug="0"
>                scheme="https"
>                secure="true">
>         <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>                  clientAuth="true"
>                  keystoreFile="conf/server.keystore"
>                  keystorePass="password"
>                  protocol="TLS"/>
>     </Connector>
> 
> * stop/start tomcat
> * point IE browser to https://localhost/index.html
> 
> What IE tells me is that the page can't be displayed (after some 
> handshaking attempts).  Unfortunately, there is no log info generated 
> (even if I increase the debug param in the <Connector> element).

Try with Mozilla or with openssl (something like: openssl s_client -port 8443 
-host localhost).
Does it work when clientAuth="false"?

> 
> Any clues as to what I may be doing wrong?  Has ANYONE been able to get 
> SSL client authentication working with Tomcat 4.0 standalone (Catalina)?

Sure I tested it... It worked ok.
Make sure the CA that has signed your certificates is in the CA file 
($JAVA_HOME/jre/lib/security/cacerts or something).

> 
> Thanks in advance
> -- Steven




--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
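
Added example, not part of the original messages: a check of the trust condition the reply describes, showing that a self-signed client certificate is rejected until that certificate itself is in the server's trust file. It assumes the `openssl` CLI is installed and uses a PEM file as a stand-in for the JKS `cacerts` store; the file names, subject names and the `make_cert`, `is_trusted` and `demo` helpers are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and certificates in a temp directory.

# make_cert PREFIX CN: write a self-signed certificate to PREFIX.crt
# (private key in PREFIX.key), like the client cert in the original post.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# is_trusted TRUSTFILE CERT: succeed only if CERT chains to an entry in
# TRUSTFILE. The output is checked because old openssl builds exit 0 on failure.
is_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# demo: print the verdict before and after the client cert is added to
# the trust file, e.g. "rejected trusted".
demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/client" "demo-client"
    make_cert "$dir/other" "unrelated-ca"

    # Trust file that does not yet know the client certificate.
    cp "$dir/other.crt" "$dir/trust.pem"
    if is_trusted "$dir/trust.pem" "$dir/client.crt"; then
        before=trusted
    else
        before=rejected
    fi

    # A self-signed cert is its own issuer, so the cert itself is what has
    # to be trusted. For Tomcat the equivalent step is importing client.crt
    # into the JKS trust store, e.g.:
    #   keytool -import -trustcacerts -alias demo-client \
    #           -file client.crt -keystore <truststore>
    cat "$dir/client.crt" >> "$dir/trust.pem"
    if is_trusted "$dir/trust.pem" "$dir/client.crt"; then
        after=trusted
    else
        after=rejected
    fi

    rm -rf "$dir"
    echo "$before $after"
}

demo
```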

