tomcat-dev mailing list archives

From Moisés Serrano Martínez <mserr...@tecnesis.com>
Subject Re: Client-cert authentication.
Date Fri, 08 Nov 2002 17:33:35 GMT
Thanks a lot.

I'll try it this weekend.

----- Original Message -----
From: "jean-frederic clere" <jfrederic.clere@fujitsu-siemens.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Friday, November 08, 2002 5:59 PM
Subject: Re: Client-cert authentication.


Moisés Serrano Martínez wrote:
> I've done it and the problem continues: I've included the self-signed and
> intermediate certificates in cacerts (
> perhaps it's a problem with the java environment?
> which files are necessary to configure in order to obtain client-cert
> authentication?

The only thing I can do to help you is to send the steps I am using to test
the client certificates (ignore the last 2 steps, which are for testing
mod_jk).

Cheers

Jean-frederic

>
> Thanks a lot for the interest.
>
> ----- Original Message -----
> From: "Bob Herrmann" <bob@hue.jadn.com>
> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
> Sent: Wednesday, November 06, 2002 5:32 PM
> Subject: Re: Client-cert authentication.
>
>
>
>>On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
>>
>>>Thanks a lot Bob and Jean-frederic for the response but I'm afraid I
>>>don't understand clearly the solution:
>>
>>
>>As I understand it, Tomcat uses a keystore and a truststore.
>>
>>Tomcat uses the keystore to answer the client's "who are you?" question.
>>The answer (Who is this Tomcat server) is retrieved from the keystore.
>>(I am a trusted Tomcat server for Acme corp, my certificate is signed by
>>some central authority.)
>>
>>The truststore is used when Tomcat wants to verify who the client is,
>>"Do I trust this client?" (Should this client really be allowed to
>>access this site?)  Tomcat only asks this, or verifies the client, if
>>the Connector has clientauth=true  **OR**  if a resource is marked up in
>>the web.xml as requiring CLIENT-CERT
>>
>>The keystore can be set in the server.xml.  The truststore must be set
>>using the JDK's property files or via an environment variable (like I
>>mentioned in my earlier email.)  This is a tad kludgy because verifying
>>the certs of the client seems to be fairly rare in practice.  (I imagine
>>this is because verifying the client certs is something B2B requires and
>>not so much needed by the casual JSP developer.)
>>
>>Cheers,
>>-bob
>>
>>
>>
>>
>>>As far as I know, when I configure the server.xml of the Tomcat/conf
>>>directory in order to use the keystore where I've imported the trusted
>>>certs of the chain, I thought I was telling tomcat that the keystore for
>>>the authentication was that one, and it wasn't necessary to configure
>>>another trusted keystore.
>>>
>>><Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>clientAuth="false" keystoreFile="C:\Documents and
>>>Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>>keystoreType="JKS"/>
>>>
>>>Is it necessary to configure both keystores?
>>>Thanks again, and sorry for my question if it's something clear for
>>>everyone.
>>>
>>>----- Original Message -----
>>>From: "Bob Herrmann" <bob@jadn.com>
>>>To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
>>>Sent: Tuesday, November 05, 2002 9:58 PM
>>>Subject: Re: Client-cert authentication.
>>>
>>>
>>>
>>>>As someone else already pointed out, you need to configure the trust
>>>>stores (Which tell tomcat what clients to trust.) You can do that by
>>>>changing some config files, or like this on the command line (with
>>>>redhat)
>>>>
>>>>export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
>>>>-Djavax.net.ssl.trustStorePassword=changeit"
>>>>
>>>>Cheers,
>>>>-bob
>>>>
>>>>
>>>>
>>>>export CATALINA
>>>>-Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
>>>>-Djavax.net.ssl.trustStorePassword=changeit
>>>>
>>>>On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
>>>>
>>>>>I've a small (or big) problem configuring Tomcat 4.1.12.
>>>>>
>>>>>Does anyone know how to configure the client side of the matter?
>>>>>
>>>>>What I have done is:
>>>>>
>>>>>1) Create a selfsigned certificate (master certificate).
>>>>>2) With the master create another one, intermediate, for localhost
>>>>>(signed with the private key of the master one)
>>>>>        - Import the chain into a keystore: server.keystore (the master
>>>>>and localhost, this last one with the private key)
>>>>>3) With the localhost certificate create a user certificate (signed
>>>>>with the private key of localhost).
>>>>>        - Import the user certificate into the server.keystore.
>>>>>4) Import the chain into a keystore: server.keystore
>>>>>       -  At this point all must be ok because the server
>>>>>authentication works perfectly when a client tries to connect to
>>>>>localhost.
>>>>>5) Configure the server.xml:
>>>>>        - Define a SSL Coyote HTTP/1.1 Connector on port 8443:
>>>>>
>>>>>                <Connector
>>>>>className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
>>>>>minProcessors="5" maxProcessors="75" enableLookups="true"
>>>>>acceptCount="10" debug="3" scheme="https" secure="true"
>>>>>useURIValidationHack="false">
>>>>>
>>>>>        - Locate the keystore inside the factory,
>>>>>CoyoteServerSocketFactory, with clientAuth="false".
>>>>>
>>>>>                <Factory
>>>>>className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>>>clientAuth="false" keystoreFile="C:\Documents and
>>>>>Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>>>keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>>>>keystoreType="JKS"/>
>>>>>
>>>>>6) Configure the web.xml; if the auth-method selected is BASIC
>>>>>everything works fine, the problem begins when I try to make a context
>>>>>work with client authentication.
>>>>>
>>>>>                <?xml version="1.0" encoding="UTF-8"?>
>>>>>                <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD
>>>>>Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>>>>>                <web-app>
>>>>>                <display-name>adminWeb</display-name>
>>>>>                <welcome-file-list>
>>>>>                <welcome-file>adminWeb.jsp</welcome-file>
>>>>>                </welcome-file-list>
>>>>>                <security-constraint>
>>>>>                    <web-resource-collection>
>>>>>                        <web-resource-name>adminWeb</web-resource-name>
>>>>>                        <url-pattern>/*</url-pattern>
>>>>>                    </web-resource-collection>
>>>>>                    <auth-constraint>
>>>>>                    <role-name>admin</role-name>
>>>>>                    </auth-constraint>
>>>>>                    <user-data-constraint>
>>>>>                        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>>                    </user-data-constraint>
>>>>>            </security-constraint>
>>>>>            <login-config>
>>>>>                <auth-method>CLIENT-CERT</auth-method>
>>>>>            </login-config>
>>>>>            <security-role>
>>>>>                <description>An example role defined in
>>>>>"conf/tomcat-users.xml"</description>
>>>>>                <role-name>admin</role-name>
>>>>>            </security-role>
>>>>>            </web-app>
>>>>>
>>>>>7) In the client side:
>>>>>
>>>>>      - Generate a p12 keystore in order to import the user certificate
>>>>>and its private key.
>>>>>    - Import in the Client (browser) the master, the intermediate
>>>>>(localhost) and the user certificates.
>>>>>              - The user certificate in the p12 format (with the private
>>>>>key) and the other ones with the X509 format: localhost.cer and
>>>>>master.cer.
>>>>>At the end, the result is:
>>>>>type Status report
>>>>>
>>>>>message No hay cadena de certificados del cliente en esta peticion
>>>>>
>>>>>description The request sent by the client was syntactically incorrect
>>>>>(No hay cadena de certificados del cliente en esta peticion).
>>>>>
>>>>>Using CATALINA_BASE:   ..
>>>>>Using CATALINA_HOME:   ..
>>>>>Using CATALINA_TMPDIR: ..\temp
>>>>>Using JAVA_HOME:       C:\jbuilder5\jdk1.3
>>>>>[INFO] Registry - -Loading registry information
>>>>>[INFO] Registry - -Creating new Registry instance
>>>>>[INFO] Registry - -Creating MBeanServer
>>>>>[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
>>>>>[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
>>>>>Starting service Tomcat-Standalone
>>>>>Apache Tomcat/4.1.12
>>>>>[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
>>>>>[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
>>>>>javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>>        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>>        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
>>>>>        at org.apache.coyote.Response.action(Response.java:216)
>>>>>        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
>>>>>        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
>>>>>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>>        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>>        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>>        at java.lang.Thread.run(Thread.java:484)
>>>>>[WARN] Http11Processor - -Exception getting SSL attributes <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>>>javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>>        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>>        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
>>>>>        at org.apache.coyote.Request.action(Request.java:367)
>>>>>        at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
>>>>>        at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
>>>>>        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
>>>>>        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>>>>>        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>>>>        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>>>>>        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>>>>        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>>        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>>>>        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>>>>>        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>>>>        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>>        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>>>>>        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>>        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>>        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>>        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>>        at java.lang.Thread.run(Thread.java:484)
>>>>>[WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>Please, I've been trying to solve this problem for days and I am
>>>>>desperate.
>>>>>
>>>>>Thanks a lot in advance.
>>>>>
>>>>>Moises
>>>>
>>>>--
>>>>Bob Herrmann <bob@jadn.com>
>>>>
>>>>
>>>>--
>>>>To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
>>>>For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
>>>





--------------------------------------------------------------------------------


> Connecting to the server:
> openssl s_client -port 443 -host vtxclere
>
> List the CA of a JVM:
> keytool -list -rfc -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> Steps to set up a demoCA and user certificates:
>
> 1 - /usr/local/ssl/misc/CA.pl -newca
>     This creates a demoCA directory that contains the CA certificates.
>
> 2 - /usr/local/ssl/misc/CA.pl -newreq
>     This creates a newreq.pem that contains the private key and request.
>
> 3 - separate the request and private key.
>     Put the private key in key.pem and the request in newreq.pem
>
> 4 - /usr/local/ssl/misc/CA.pl -signreq
>     It displays the certificate before signing it.
>     The result is in newcert.pem
>
> 5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
>     -in newcert.pem -out test.p12
>     The test.p12 contains a file that can be imported in the browser.
>
> 6 - import in the browser the test.p12 file.
>
> 7 - Add the CA cert in the $JAVA_HOME/jre/lib/security/cacerts
>     chmod u+w $JAVA_HOME/jre/lib/security/cacerts
>     $JAVA_HOME/bin/keytool -import -trustcacerts -file demoCA/cacert.pem \
>     -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> 8 - mod_jk (Apache).
>     The CA certificates are stored in
>     $APACHE_HOME/conf/ssl.crt/ca-bundle.crt
>     Just add the demoCA/cacert.pem to it.
>
>
> 9 - In case a certificate is for the Apache server:
>     Do steps 2, 3 and 4 and put the file key.pem into SSLCertificateKeyFile
>     and the file newcert.pem into SSLCertificateFile (in httpd.conf).
>
>


--------------------------------------------------------------------------------
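The thread's diagnosis is that the keystore in server.xml only gives Tomcat its own identity, while the CAs it accepts from clients come from the JSSE trust store set via CATALINA_OPTS; the Spanish status message the poster gets is Tomcat's localized "No client certificate chain in this request". As an added example (not code from the thread or from Tomcat), this Python check reads constructed copies of the poster's Factory element, login-config and CATALINA_OPTS string and flags the two gaps Bob describes; the keystore path and password are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the poster's settings (path and password are placeholders).
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
           scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" keystoreFile="conf/server.keystore"
           keystorePass="PLACEHOLDER" protocol="TLS" algorithm="SunX509"
           keystoreType="JKS"/>
</Connector></Service></Server>"""

WEB_XML = """<web-app><login-config><auth-method>CLIENT-CERT</auth-method>
</login-config></web-app>"""


def check_client_cert_setup(server_xml, web_xml, catalina_opts=""):
    """Return (code, message) findings about how client-cert auth is wired."""
    findings = []
    factory = ET.fromstring(server_xml).find(".//Factory")
    methods = [m.text.strip() for m in ET.fromstring(web_xml).iter("auth-method")]
    wants_client_cert = "CLIENT-CERT" in methods
    client_auth = factory is not None and factory.get("clientAuth", "false").lower() == "true"
    # Server identity (the keystore) is configured in server.xml ...
    if factory is None or not factory.get("keystoreFile"):
        findings.append(("no-keystore",
                         "Factory has no keystoreFile: Tomcat cannot present a server certificate"))
    # ... but the trust store (which client CAs are accepted) is only settable
    # through the JSSE system property, e.g. in CATALINA_OPTS.
    trust = re.search(r"-Djavax\.net\.ssl\.trustStore=(\S+)", catalina_opts)
    if wants_client_cert and not client_auth:
        findings.append(("cert-on-demand",
                         'CLIENT-CERT with clientAuth="false": the certificate is requested only '
                         "when a CLIENT-CERT resource is hit; a client that sends none fails with "
                         "'peer not authenticated'"))
    if (wants_client_cert or client_auth) and trust is None:
        findings.append(("no-truststore",
                         "javax.net.ssl.trustStore not set: the JVM default cacerts is used, "
                         "so the client CA chain must be imported there"))
    return findings


if __name__ == "__main__":
    for code, msg in check_client_cert_setup(SERVER_XML, WEB_XML):
        print(f"[{code}] {msg}")
```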

