tomcat-dev mailing list archives

From Moisés Serrano Martínez <mserr...@tecnesis.com>
Subject Re: Client-cert authentication.
Date Fri, 08 Nov 2002 15:22:09 GMT
I've done it and the problem continues: I've included the self-signed and
intermediate certificates in cacerts.
Perhaps it's a problem with the Java environment?
Which files is it necessary to configure in order to obtain client-cert
authentication?

Thanks a lot for the interest.






----- Original Message -----
From: "Bob Herrmann" <bob@hue.jadn.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Wednesday, November 06, 2002 5:32 PM
Subject: Re: Client-cert authentication.


> On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
> > Thanks a lot Bob and Jean-frederic for the response but I'm afraid I don't
> > understand clearly the solution:
>
>
> As I understand it, Tomcat uses a keystore and a truststore.
>
> Tomcat uses the keystore to answer the client's "who are you?" question.
> The answer (Who is this Tomcat server) is retrieved from the keystore.
> (I am a trusted Tomcat server for Acme corp, my certificate is signed by
> some central authority.)
>
> The truststore is used when Tomcat wants to verify who the client is,
> "Do I trust this client?" (Should this client really be allowed to
> access this site?)  Tomcat only asks this, or verifies the client, if
> the Connector has clientauth=true  **OR**  if a resource is marked up in
> the web.xml as requiring CLIENT-CERT
>
> The keystore can be set in the server.xml.  The truststore must be set
> using the JDK's property files or via an environment variable (like I
> mentioned in my earlier email.)  This is a tad kludgy because verifying
> the certs of the client seems to be fairly rare in practice.  (I imagine
> this is because verifying the client certs is something B2B requires and
> not so much needed by the casual JSP developer.)
>
> Cheers,
> -bob
>
>
>
> >
> > As far as I know, when I configure the server.xml of the Tomcat/conf
> > directory in order to use the keystore where I've imported the trusted certs
> > of the chain, I thought I was telling Tomcat that the keystore for the
> > authentication was that one, and it wasn't necessary to configure another
> > trusted keystore.
> >
> > <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> > clientAuth="false" keystoreFile="C:\Documents and
> > Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> > keystorePass="396947j" protocol="TLS" algorithm="SunX509"
> > keystoreType="JKS"/>
> >
> > Is it necessary to configure both keystores?
> > Thanks again, and sorry for my question if it's something clear for
> > everyone.
> >
> > ----- Original Message -----
> > From: "Bob Herrmann" <bob@jadn.com>
> > To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
> > Sent: Tuesday, November 05, 2002 9:58 PM
> > Subject: Re: Client-cert authentication.
> >
> >
> > >
> > > As someone else already pointed out, you need to configure the trust
> > > stores (Which tell tomcat what clients to trust.) You can do that by
> > > changing some config files, or like this on the command line (with
> > > redhat)
> > >
> > > export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
> > > -Djavax.net.ssl.trustStorePassword=changeit"
> > >
> > > Cheers,
> > > -bob
> > >
> > >
> > >
> > > export CATALINA
> > > -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
> > > -Djavax.net.ssl.trustStorePassword=changeit
> > >
> > > On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
> > > > I've a small (or big) problem configuring Tomcat 4.1.12.
> > > >
> > > > Does anyone know how to configure the client side of the matter?
> > > >
> > > > What I have done is:
> > > >
> > > > 1) Create a self-signed certificate (master certificate).
> > > > 2) With the master create another intermediate one for localhost (signed
> > > > with the private key of the master one)
> > > >         - Import the chain into a keystore: server.keystore (the master
> > > > and localhost, this last one with the private key)
> > > > 3) With the localhost certificate create a user certificate (signed with
> > > > the private key of localhost).
> > > >         - Import the user certificate into the server.keystore.
> > > > 4) Import the chain into a keystore: server.keystore
> > > >        -  At this point all must be ok because the server
> > > > authentication works perfectly when a client tries to connect to localhost.
> > > > 5) Configure the server.xml:
> > > >         - Define a SSL Coyote HTTP/1.1 Connector on port 8443:
> > > >
> > > >                 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> > > >                     port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
> > > >                     acceptCount="10" debug="3" scheme="https" secure="true"
> > > >                     useURIValidationHack="false">
> > > >
> > > >         - Locate the keystore inside the factory, CoyoteServerSocketFactory,
> > > > with clientAuth="false".
> > > >                 <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> > > >                     clientAuth="false"
> > > >                     keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> > > >                     keystorePass="396947j" protocol="TLS" algorithm="SunX509"
> > > >                     keystoreType="JKS"/>
> > > >
> > > > 6) Configure the web.xml. If the auth-method selected is BASIC
> > > > everything works fine; the problem begins when I try to make a context
> > > > work with client authentication.
> > > >
> > > >                 <?xml version="1.0" encoding="UTF-8"?>
> > > >                 <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
> > > >                     "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
> > > >                 <web-app>
> > > >                     <display-name>adminWeb</display-name>
> > > >                     <welcome-file-list>
> > > >                         <welcome-file>adminWeb.jsp</welcome-file>
> > > >                     </welcome-file-list>
> > > >                     <security-constraint>
> > > >                         <web-resource-collection>
> > > >                             <web-resource-name>adminWeb</web-resource-name>
> > > >                             <url-pattern>/*</url-pattern>
> > > >                         </web-resource-collection>
> > > >                         <auth-constraint>
> > > >                             <role-name>admin</role-name>
> > > >                         </auth-constraint>
> > > >                         <user-data-constraint>
> > > >                             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > >                         </user-data-constraint>
> > > >                     </security-constraint>
> > > >                     <login-config>
> > > >                         <auth-method>CLIENT-CERT</auth-method>
> > > >                     </login-config>
> > > >                     <security-role>
> > > >                         <description>An example role defined in "conf/tomcat-users.xml"</description>
> > > >                         <role-name>admin</role-name>
> > > >                     </security-role>
> > > >                 </web-app>
> > > >
> > > > 7) In the client side:
> > > >
> > > >       - Generate a p12 keystore in order to import the user certificate
> > > > and its private key.
> > > >     - Import in the Client (browser) the master, the intermediate
> > > > (localhost) and the user certificates.
> > > >               - The user certificate in the p12 format (with the private
> > > > key) and the other ones with the X509 format: localhost.cer and master.cer.
> > > >
> > > > At the end, the result is:
> > > > type Status report
> > > >
> > > > message No hay cadena de certificados del cliente en esta peticion
> > > >
> > > > description The request sent by the client was syntactically incorrect
> > > > (No hay cadena de certificados del cliente en esta peticion).
> > > >
> > > > Using CATALINA_BASE:   ..
> > > > Using CATALINA_HOME:   ..
> > > > Using CATALINA_TMPDIR: ..\temp
> > > > Using JAVA_HOME:       C:\jbuilder5\jdk1.3
> > > > [INFO] Registry - -Loading registry information
> > > > [INFO] Registry - -Creating new Registry instance
> > > > [INFO] Registry - -Creating MBeanServer
> > > > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
> > > > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
> > > > Starting service Tomcat-Standalone
> > > > Apache Tomcat/4.1.12
> > > > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
> > > > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
> > > > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> > > >         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
> > > >         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> > > >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
> > > >         at org.apache.coyote.Response.action(Response.java:216)
> > > >         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
> > > >         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
> > > >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> > > >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
> > > >         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> > > >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
> > > >         at java.lang.Thread.run(Thread.java:484)
> > > > [WARN] Http11Processor - -Exception getting SSL attributes <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > > > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> > > >         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
> > > >         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> > > >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
> > > >         at org.apache.coyote.Request.action(Request.java:367)
> > > >         at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
> > > >         at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
> > > >         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
> > > >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> > > >         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> > > >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > > >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
> > > >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> > > >         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> > > >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> > > >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > > >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> > > >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > > >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
> > > >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> > > >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
> > > >         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> > > >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
> > > >         at java.lang.Thread.run(Thread.java:484)
> > > > [WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > > >
> > > >
> > > >
> > > >
> > > > Please, I've been trying to solve this problem for days and I am
> > > > desperate.
> > > >
> > > > Thanks a lot in advance.
> > > >
> > > > Moises
> > > --
> > > Bob Herrmann <bob@jadn.com>
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> > > For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
> > >
> >
> >
> >
>
>
>

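The question this thread keeps circling is whether the truststore Tomcat actually uses (the one named by -Djavax.net.ssl.trustStore, not the keystore in server.xml) contains the CA chain that issued the client's certificate. The following check answers that offline; it is an added example, not code from the thread or from Tomcat, and it assumes a current JDK (the java.security.cert PKIX API postdates the JDK 1.3 seen in the log), the truststore path and password exactly as passed on the CATALINA_OPTS line, and the client's .cer files given leaf first (user.cer, then localhost.cer).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
// Added example (not Tomcat code): would the truststore that Tomcat picks up
// via -Djavax.net.ssl.trustStore accept this client certificate chain?
public class TrustStoreCheck {

    // Subject of the truststore entry that anchors the chain, or null if none does.
    static String anchorFor(KeyStore trust, CertPath path) throws Exception {
        // Every trusted-cert entry becomes a trust anchor; this constructor throws
        // if the store holds no trusted-cert entries at all (a common misconfiguration).
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);                // no CRL/OCSP for a lab CA
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
            return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
        } catch (CertPathValidatorException e) {
            System.err.println("validation failed: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) throw new IllegalArgumentException(
            "usage: TrustStoreCheck <truststore.jks> <password> <user.cer> [issuer.cer ...]");
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {          // leaf first, then its issuers
            try (InputStream in = new FileInputStream(args[i])) {
                chain.add((X509Certificate) cf.generateCertificate(in));   // DER or PEM
            }
        }
        String anchor = anchorFor(trust, cf.generateCertPath(chain));
        System.out.println(anchor == null ? "REJECTED: CA chain not trusted by " + args[0]
                                          : "OK: chain anchored at " + anchor);
    }
}
```

A REJECTED result while the server's own certificate is still presented correctly is exactly the split Bob describes: the keystore in server.xml is doing its job, the truststore is not.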



