tomcat-dev mailing list archives

From Moisés Serrano Martínez <mserr...@tecnesis.com>
Subject Client-cert authentication.
Date Tue, 05 Nov 2002 16:35:07 GMT
I've a small (or big) problem configuring Tomcat 4.1.12.

Does anyone know how to configure the client side of the matter?

What I have done is :

1) Create a selfsigned certificate (master certificate).
2) With the master create another one, intermediate, for localhost (signed with the private key
of the master one)
        - Import the chain into a keystore: server.keystore ( the master and localhost, this
last one with the private key)
3) With the localhost certificate create a user certificate (signed with the private key of
localhost).
        - Import the user certificate into the server.keystore.
4) Import the chain into a keystore: server.keystore
       -  At this point all must be ok because the server authentication works perfectly
when a client tries to connect to localhost.
5) Configure the server.xml:
        - Define an SSL Coyote HTTP/1.1 Connector on port 8443:

                <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
                           minProcessors="5" maxProcessors="75" enableLookups="true"
                           acceptCount="10" debug="3" scheme="https" secure="true"
                           useURIValidationHack="false">

        - Locate the keystore inside the factory, CoyoteServerSocketFactory, with clientAuth="false":

                    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                             clientAuth="false"
                             keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
                             keystorePass="396947j" protocol="TLS" algorithm="SunX509"
                             keystoreType="JKS"/>
                </Connector>

6) Configure the web.xml. If the auth-method selected is BASIC everything works fine; the
problem begins when I try to make a context work with client authentication.

                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
                    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
                <web-app>
                    <display-name>adminWeb</display-name>
                    <welcome-file-list>
                        <welcome-file>adminWeb.jsp</welcome-file>
                    </welcome-file-list>
                    <security-constraint>
                        <web-resource-collection>
                            <web-resource-name>adminWeb</web-resource-name>
                            <url-pattern>/*</url-pattern>
                        </web-resource-collection>
                        <auth-constraint>
                            <role-name>admin</role-name>
                        </auth-constraint>
                        <user-data-constraint>
                            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                        </user-data-constraint>
                    </security-constraint>
                    <login-config>
                        <auth-method>CLIENT-CERT</auth-method>
                    </login-config>
                    <security-role>
                        <description>An example role defined in "conf/tomcat-users.xml"</description>
                        <role-name>admin</role-name>
                    </security-role>
                </web-app>

7) In the client side:

      - Generate a p12 keystore in order to import the user certificate and its private key.
      - Import into the client (browser) the master, the intermediate (localhost) and the user
certificates.
              - The user certificate in the p12 format (with the private key) and the other
ones with the X509 format: localhost.cer and master.cer.

At the end, the result is:

type Status report

message No client certificate chain in this request (original: "No hay cadena de certificados del cliente en esta peticion")

description The request sent by the client was syntactically incorrect (No client certificate
chain in this request).

Using CATALINA_BASE:   ..
Using CATALINA_HOME:   ..
Using CATALINA_TMPDIR: ..\temp
Using JAVA_HOME:       C:\jbuilder5\jdk1.3
[INFO] Registry - -Loading registry information
[INFO] Registry - -Creating new Registry instance
[INFO] Registry - -Creating MBeanServer
[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
Starting service Tomcat-Standalone
Apache Tomcat/4.1.12
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
        at org.apache.coyote.Response.action(Response.java:216)
        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:484)
[WARN] Http11Processor - -Exception getting SSL attributes  <javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
        at org.apache.coyote.Request.action(Request.java:367)
        at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
        at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:484)
[WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated>




Please, I've been trying to solve this problem for days and I am desperate.

Thanks a lot in advance.

Moises
