tomcat-dev mailing list archives

From "Reddy.Thirumal" <Reddy.Thiru...@mail.esb.ie>
Subject RE: SSL client auth in Tomcat 4.0
Date Tue, 15 Oct 2002 15:11:27 GMT
Yes, I did it. It worked fine. 

* First, set clientAuth="false", then try.

If it doesn't work, you might be going wrong when generating the certificates.

Here are the steps:

keytool -genkey -keystore client.keystore -alias client1

keytool -keystore client.keystore -certreq -file client.csr -alias client1

openssl ca -config /openssl.cnf -in client.csr -out client.pem -keyfile ca.key

openssl x509 -in client.pem -out client.der -outform DER

keytool -keystore client.keystore -import -file ca.cert -alias root

keytool -keystore client.keystore -import -file client.der -alias client1

If you strictly follow these steps, you will be able to get it done.

Please try it and let me know how it goes at reddy.thirumal@mail.esb.ie

Cheers
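
An added shell example (not code from this thread) that runs the steps above end to end against a throwaway CA and then checks the result: it swaps `openssl ca -config` for `openssl x509 -req` so no CA directory layout is needed, and assumes `openssl` and `keytool` are on PATH. The "changeit" password, the subject names and the separate server.truststore file are constructed for the demo.

```shell
# Added example, not code from the thread: builds a throwaway CA, issues a
# client certificate into a JKS keystore following the thread's steps, and
# checks the result. File names and aliases (ca.key, ca.cert, client.keystore,
# client1, root) follow the thread; "changeit" and the CN values are made up.
set -eu

# Runs in a subshell so the cd does not leak; returns 0 only if every step
# succeeded and the signed client cert chains to the CA.
build_client_cert_chain() (
    dir=$1; pass=changeit
    cd "$dir"
    # 1. Throwaway CA (the thread assumes ca.key/ca.cert already exist).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Test CA" -keyout ca.key -out ca.cert 2>/dev/null
    # 2. Client key pair in a JKS keystore ("keytool -genkey" in the thread).
    keytool -genkeypair -storetype JKS -keystore client.keystore \
        -storepass "$pass" -keypass "$pass" -alias client1 \
        -keyalg RSA -keysize 2048 -dname "CN=client1, O=Demo" 2>/dev/null
    # 3. CSR for the client key.
    keytool -certreq -keystore client.keystore -storepass "$pass" \
        -alias client1 -file client.csr 2>/dev/null
    # 4. Sign it. The thread uses "openssl ca -config openssl.cnf"; "x509 -req"
    #    does the same without needing the CA directory layout.
    openssl x509 -req -in client.csr -CA ca.cert -CAkey ca.key \
        -CAcreateserial -days 365 -out client.pem 2>/dev/null
    # 5. DER form, as in the thread.
    openssl x509 -in client.pem -outform DER -out client.der
    # 6. Import the CA first, then the signed reply: keytool rejects a reply
    #    whose issuer is not already in the keystore.
    keytool -importcert -noprompt -keystore client.keystore \
        -storepass "$pass" -file ca.cert -alias root 2>/dev/null
    keytool -importcert -noprompt -keystore client.keystore \
        -storepass "$pass" -file client.der -alias client1 2>/dev/null
    # 7. The step the original poster missed: the server must trust the CA.
    #    Tomcat 4.0 reads the JRE cacerts (per the thread); a separate file
    #    is used here so the demo never touches the JRE.
    keytool -importcert -noprompt -storetype JKS -keystore server.truststore \
        -storepass "$pass" -file ca.cert -alias root 2>/dev/null
    # 8. Checks: chain verifies under the CA, and client1 now holds a
    #    two-certificate chain (leaf + root) instead of its self-signed cert.
    openssl verify -CAfile ca.cert client.pem >/dev/null
    keytool -list -v -keystore client.keystore -storepass "$pass" \
        -alias client1 2>/dev/null | grep -q "Certificate chain length: 2"
)

# Usage: sh this_script.sh /path/to/empty/dir
if [ $# -gt 0 ]; then build_client_cert_chain "$1"; fi
```

If the last keytool check fails, client1 still holds its self-signed certificate, which is exactly the state in which the server side cannot chain the client's certificate to a trusted CA.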



-----Original Message-----
From: jean-frederic clere [mailto:jfrederic.clere@fujitsu-siemens.com]
Sent: Tuesday, October 15, 2002 3:53 PM
To: Tomcat Developers List
Subject: Re: SSL client auth in Tomcat 4.0


Steven Bradley wrote:
> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble 
> getting SSL client authentication working (getting SSL server auth 
> working was a snap).  Here's what I've done so far:
> 
> * created a self-signed client cert using openSSL (key usage includes 
> digital signature)
> * imported client cert (and private key) into Internet Explorer (by way 
> of a PKCS#12 file)
> * imported the Tomcat JKS file with the client certificate

CA file?

> * configure tomcat server.xml file as follows:
> 
>     <Connector className="org.apache.catalina.connector.http.HttpConnector"
>                port="443"
>                minProcessors="5"
>                maxProcessors="75"
>                enableLookups="true"
>                acceptCount="10"
>                debug="0"
>                scheme="https"
>                secure="true">
>         <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>                  clientAuth="true"
>                  keystoreFile="conf/server.keystore"
>                  keystorePass="password"
>                  protocol="TLS"/>
>     </Connector>
> 
> * stop/start tomcat
> * point IE browser to https://localhost/index.html
> 
> What IE tells me is that the page can't be displayed (after some 
> handshaking attempts).  Unfortunately, there is no log info generated 
> (even if I increase the debug param in the <Connector> element).

Try with Mozilla or with openssl (something like:
openssl s_client -port 8443 -host localhost).
Does it work when clientAuth="false"?

> 
> Any clues as to what I may be doing wrong?  Has ANYONE been able to get 
> SSL client authentication working with Tomcat 4.0 standalone (Catalina).

Sure I tested it... It worked ok.
Make sure the CA that has signed your certificates is in the CA file 
($JAVA_HOME/jre/lib/security/cacerts or something).

> 
> Thanks in advance
> -- Steven
> 

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
