Thanks a lot.
I'll try it this weekend.
----- Original Message -----
From: "jean-frederic clere" <jfrederic.clere@fujitsu-siemens.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Friday, November 08, 2002 5:59 PM
Subject: Re: Client-cert authentication.
Moisés Serrano Martínez wrote:
> I've done it and the problem continues: I've included the self-signed and
> intermediate certificates in cacerts (
> perhaps it's a problem with the Java environment?
> Which files is it necessary to configure in order to obtain client-cert
> authentication?
The only thing I can do to help you is to send the steps I am using to
test the client certificates (ignore the last 2 steps, which are for testing
mod_jk).
Cheers
Jean-frederic
>
> Thanks a lot for the interest.
>
> ----- Original Message -----
> From: "Bob Herrmann" <bob@hue.jadn.com>
> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
> Sent: Wednesday, November 06, 2002 5:32 PM
> Subject: Re: Client-cert authentication.
>
>>On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
>>
>>>Thanks a lot Bob and Jean-frederic for the response but I'm afraid I don't
>>>understand clearly the solution:
>>
>>As I understand it, Tomcat uses a keystore and a truststore.
>>
>>Tomcat uses the keystore to answer the client's "who are you?" question.
>>The answer (Who is this Tomcat server) is retrieved from the keystore.
>>(I am a trusted Tomcat server for Acme corp, my certificate is signed by
>>some central authority.)
>>
>>The truststore is used when Tomcat wants to verify who the client is,
>>"Do I trust this client?" (Should this client really be allowed to
>>access this site?) Tomcat only asks this, or verifies the client, if
>>the Connector has clientauth=true **OR** if a resource is marked up in
>>the web.xml as requiring CLIENT-CERT
>>
>>The keystore can be set in the server.xml. The truststore must be set
>>using the JDK's property files or via an environment variable (like I
>>mentioned in my earlier email.) This is a tad kludgy because verifying
>>the certs of the client seems to be fairly rare in practice. (I imagine
>>this is because verifying the client certs is something B2B requires and
>>not so much needed by the casual JSP developer.)
>>
>>Cheers,
>>-bob
>>
>>>As far as I know, when I configure the server.xml of the Tomcat/conf
>>>directory in order to use the keystore where I've imported the trusted certs
>>>of the chain, I thought I was telling Tomcat that the keystore for the
>>>authentication was that one, and it wasn't necessary to configure another
>>>trusted keystore.
>>>
>>><Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>clientAuth="false"
>>>keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>>keystoreType="JKS"/>
>>>
>>>Is it necessary to configure both keystores?
>>>Thanks again, and sorry for my question if it's something clear for
>>>everyone.
>>>
>>>----- Original Message -----
>>>From: "Bob Herrmann" <bob@jadn.com>
>>>To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
>>>Sent: Tuesday, November 05, 2002 9:58 PM
>>>Subject: Re: Client-cert authentication.
>>>
>>>>As someone else already pointed out, you need to configure the trust
>>>>stores (which tell Tomcat what clients to trust). You can do that by
>>>>changing some config files, or like this on the command line (with
>>>>Red Hat):
>>>>
>>>>export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
>>>>-Djavax.net.ssl.trustStorePassword=changeit"
>>>>
>>>>Cheers,
>>>>-bob
>>>>
>>>>On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
>>>>
>>>>>I have a small (or big) problem configuring Tomcat 4.1.12.
>>>>>
>>>>>Does anyone know how to configure the client side of the matter?
>>>>>
>>>>>What I have done is:
>>>>>
>>>>>1) Create a self-signed certificate (master certificate).
>>>>>2) With the master create another, intermediate, one for localhost (signed
>>>>>with the private key of the master one).
>>>>> - Import the chain into a keystore: server.keystore (the master and
>>>>>localhost, this last one with the private key).
>>>>>3) With the localhost certificate create a user certificate (signed with
>>>>>the private key of localhost).
>>>>> - Import the user certificate into the server.keystore.
>>>>>4) Import the chain into a keystore: server.keystore
>>>>> - At this point all must be ok because the server authentication
>>>>>works perfectly when a client tries to connect to localhost.
>>>>>5) Configure the server.xml:
>>>>> - Define an SSL Coyote HTTP/1.1 Connector on port 8443:
>>>>>
>>>>> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>>>> port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
>>>>> acceptCount="10" debug="3" scheme="https" secure="true"
>>>>> useURIValidationHack="false">
>>>>>
>>>>> - Locate the keystore inside the factory, CoyoteServerSocketFactory,
>>>>>with clientAuth="false".
>>>>>
>>>>> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>>> clientAuth="false"
>>>>> keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>>> keystorePass="396947j" protocol="TLS" algorithm="SunX509" keystoreType="JKS"/>
>>>>>
>>>>>6) Configure the web.xml. If the auth-method selected is BASIC everything
>>>>>works fine; the problem begins when I try to make a context work with
>>>>>client authentication.
>>>>>
>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>>>>>   "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>>>>> <web-app>
>>>>>   <display-name>adminWeb</display-name>
>>>>>   <welcome-file-list>
>>>>>     <welcome-file>adminWeb.jsp</welcome-file>
>>>>>   </welcome-file-list>
>>>>>   <security-constraint>
>>>>>     <web-resource-collection>
>>>>>       <web-resource-name>adminWeb</web-resource-name>
>>>>>       <url-pattern>/*</url-pattern>
>>>>>     </web-resource-collection>
>>>>>     <auth-constraint>
>>>>>       <role-name>admin</role-name>
>>>>>     </auth-constraint>
>>>>>     <user-data-constraint>
>>>>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>>     </user-data-constraint>
>>>>>   </security-constraint>
>>>>>   <login-config>
>>>>>     <auth-method>CLIENT-CERT</auth-method>
>>>>>   </login-config>
>>>>>   <security-role>
>>>>>     <description>An example role defined in "conf/tomcat-users.xml"</description>
>>>>>     <role-name>admin</role-name>
>>>>>   </security-role>
>>>>> </web-app>
>>>>>
>>>>>7) In the client side:
>>>>>
>>>>> - Generate a p12 keystore in order to import the user certificate
>>>>>and its private key.
>>>>> - Import in the Client (browser) the master, the intermediate (localhost)
>>>>>and the user certificates.
>>>>> - The user certificate in the p12 format (with the private key) and the
>>>>>other ones in the X509 format: localhost.cer and master.cer.
>>>>>
>>>>>At the end, the result is:
>>>>>type Status report
>>>>>
>>>>>message No hay cadena de certificados del cliente en esta peticion
>>>>>
>>>>>description The request sent by the client was syntactically incorrect
>>>>>(No hay cadena de certificados del cliente en esta peticion).
>>>>>
>>>>>Using CATALINA_BASE: ..
>>>>>Using CATALINA_HOME: ..
>>>>>Using CATALINA_TMPDIR: ..\temp
>>>>>Using JAVA_HOME: C:\jbuilder5\jdk1.3
>>>>>[INFO] Registry - -Loading registry information
>>>>>[INFO] Registry - -Creating new Registry instance
>>>>>[INFO] Registry - -Creating MBeanServer
>>>>>[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
>>>>>[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
>>>>>Starting service Tomcat-Standalone
>>>>>Apache Tomcat/4.1.12
>>>>>[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
>>>>>[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
>>>>>javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>> at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>> at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>> at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
>>>>> at org.apache.coyote.Response.action(Response.java:216)
>>>>> at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
>>>>> at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
>>>>> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>> at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>> at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>> at java.lang.Thread.run(Thread.java:484)
>>>>>[WARN] Http11Processor - -Exception getting SSL attributes
>>>>><javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>
>>>>>javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>> at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>> at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>> at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
>>>>> at org.apache.coyote.Request.action(Request.java:367)
>>>>> at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
>>>>> at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
>>>>> at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>>>>> at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>> at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>>>> at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>> at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>>>> at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>> at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>>>> at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>>>>> at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>>>> at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>> at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>> at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>> at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>>>>> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>> at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>> at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>> at java.lang.Thread.run(Thread.java:484)
>>>>>[WARN] Http11Processor - -Exception getting SSL Cert
>>>>><javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>>>
>>>>>Please, I've been trying to solve this problem for days and I am desperate.
>>>>>Thanks a lot in advance.
>>>>>
>>>>>Moises
>>>>
>>>>--
>>>>Bob Herrmann <bob@jadn.com>
>>>>
>>>>--
>>>>To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
>>>>For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
>>>
--------------------------------------------------------------------------------
> Connecting to the server:
> openssl s_client -port 443 -host vtxclere
>
> List the CAs of a JVM:
> keytool -list -rfc -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> Steps to set up a demoCA and user certificates:
>
> 1 - /usr/local/ssl/misc/CA.pl -newca
> This creates a demoCA directory that contains the CA certificates.
>
> 2 - /usr/local/ssl/misc/CA.pl -newreq
> This creates a newreq.pem that contains the private key and request.
>
> 3 - Separate the request and the private key.
> Put the private key in key.pem and the request in newreq.pem.
>
> 4 - /usr/local/ssl/misc/CA.pl -signreq
> It displays the certificate before signing it.
> The result is in newcert.pem.
>
> 5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
> -in newcert.pem -out test.p12
> The test.p12 contains a file that can be imported in the browser.
>
> 6 - Import the test.p12 file in the browser.
>
> 7 - Add the CA cert to $JAVA_HOME/jre/lib/security/cacerts:
> chmod u+w $JAVA_HOME/jre/lib/security/cacerts
> $JAVA_HOME/keytool -import -trustcacerts -file demoCA/cacert.pem \
> -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> 8 - mod_jk (Apache).
> The CA certificates are stored in $APACHE_HOME/conf/ssl.crt/ca-bundle.crt
> Just add the demoCA/cacert.pem to it.
>
> 9 - In case a certificate is for the Apache server:
> Do steps 2, 3 and 4 and put the file key.pem into SSLCertificateKeyFile
> and the file newcert.pem into SSLCertificateFile (in httpd.conf).
>
--------------------------------------------------------------------------------
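As an added diagnostic (not code from the thread, from Bob or Jean-frederic, or from Tomcat), the program below reproduces offline the trust decision behind "peer not authenticated": it loads the client's test.p12 from step 5 and runs its chain through the same PKIX validation the JVM applies, against the truststore Tomcat consults, which is the file named in -Djavax.net.ssl.trustStore or, by default, $JAVA_HOME/jre/lib/security/cacerts where step 7 imports the CA certificate. The class name, the argument order and the "changeit" default password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/* Added diagnostic (not code from the thread or from Tomcat): validates a client's PKCS#12
 * chain against the truststore Tomcat's JVM consults. Class name and "changeit" are assumptions. */
public class ClientCertCheck {
    /* Chain of the first private-key entry in the PKCS#12 file, end-entity first. */
    static List<X509Certificate> loadClientChain(String p12Path, char[] pw) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) { p12.load(in, pw); }
        for (String alias : Collections.list(p12.aliases())) {
            if (!p12.isKeyEntry(alias)) continue;
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : p12.getCertificateChain(alias)) chain.add((X509Certificate) c);
            return chain;
        }
        throw new IllegalStateException("no private-key entry in " + p12Path);
    }

    /* Returns the trust anchor that accepts the chain; a CertPathValidatorException
     * here is the offline counterpart of Tomcat's "peer not authenticated". */
    static TrustAnchor validate(List<X509Certificate> chain, String trustPath, char[] pw) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustPath)) { trust.load(in, pw); }
        // PKIX validates the path below the anchor: drop a self-signed root at the tail.
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
            path.remove(path.size() - 1);
        PKIXParameters params = new PKIXParameters(trust); // trusted entries become anchors
        params.setRevocationEnabled(false);                // a demoCA publishes no CRL
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidatorResult r = CertPathValidator.getInstance("PKIX").validate(cp, params);
        return ((PKIXCertPathValidatorResult) r).getTrustAnchor();
    }

    /* java ClientCertCheck test.p12 <p12 password> [truststore [truststore password]] */
    public static void main(String[] args) throws Exception {
        String trustPath = args.length > 2 ? args[2] : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] trustPw = (args.length > 3 ? args[3] : "changeit").toCharArray();
        List<X509Certificate> chain = loadClientChain(args[0], args[1].toCharArray());
        try {
            TrustAnchor a = validate(chain, trustPath, trustPw);
            System.out.println("accepted via " + a.getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("rejected by " + trustPath + ": " + e.getMessage());
        }
    }
}
```

Run it against the cacerts of the same JDK that starts Tomcat (java.home is the JRE directory, matching $JAVA_HOME/jre above); a rejection here means the server side will fail the client's handshake regardless of what the browser holds.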