tomcat-dev mailing list archives

From Moisés Serrano Martínez <mserr...@tecnesis.com>
Subject Re: Client-cert authentication.
Date Wed, 06 Nov 2002 15:55:52 GMT
Thanks a lot Bob and Jean-frederic for the response, but I'm afraid I don't
clearly understand the solution:

As far as I know, when I configure the server.xml in the Tomcat/conf
directory to use the keystore where I've imported the trusted certs
of the chain,
I thought I was telling Tomcat that this was the keystore for the
authentication, and that it wasn't necessary to configure another trusted keystore.

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         clientAuth="false"
         keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
         keystorePass="396947j" protocol="TLS" algorithm="SunX509"
         keystoreType="JKS"/>

Is it necessary to configure both keystores?
Thanks again, and sorry for my question if it's something clear to
everyone.

----- Original Message -----
From: "Bob Herrmann" <bob@jadn.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, November 05, 2002 9:58 PM
Subject: Re: Client-cert authentication.


>
> As someone else already pointed out, you need to configure the trust
> stores (which tell Tomcat what clients to trust). You can do that by
> changing some config files, or like this on the command line (with
> redhat)
>
> export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
> -Djavax.net.ssl.trustStorePassword=changeit"
>
> Cheers,
> -bob
>
>
>
> export CATALINA
> -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
> -Djavax.net.ssl.trustStorePassword=changeit
>
> On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
> > I've a small (or big) problem configuring Tomcat 4.1.12.
> >
> > Does anyone know how to configure the client side of the matter?
> >
> > What I have done is:
> >
> > 1) Create a self-signed certificate (master certificate).
> > 2) With the master, create another intermediate one for localhost (signed with the private key of the master one).
> >         - Import the chain into a keystore: server.keystore (the master and localhost, this last one with the private key).
> > 3) With the localhost certificate, create a user certificate (signed with the private key of localhost).
> >         - Import the user certificate into the server.keystore.
> > 4) Import the chain into a keystore: server.keystore
> >         - At this point all must be ok, because the server authentication works perfectly when a client tries to connect to localhost.
> > 5) Configure the server.xml:
> >         - Define an SSL Coyote HTTP/1.1 Connector on port 8443:
> >
> >                 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
> >                            minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10"
> >                            debug="3" scheme="https" secure="true" useURIValidationHack="false">
> >
> >         - Locate the keystore inside the factory, CoyoteServerSocketFactory, with clientAuth="false".
> >                 <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> >                          clientAuth="false"
> >                          keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> >                          keystorePass="396947j" protocol="TLS" algorithm="SunX509"
> >                          keystoreType="JKS"/>
> >
> > 6) Configure the web.xml; if the auth-method selected is BASIC everything works fine, the problem begins when I try to make a context work with client authentication.
> >
> >                 <?xml version="1.0" encoding="UTF-8"?>
> >                 <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
> >                 <web-app>
> >                     <display-name>adminWeb</display-name>
> >                     <welcome-file-list>
> >                         <welcome-file>adminWeb.jsp</welcome-file>
> >                     </welcome-file-list>
> >                     <security-constraint>
> >                         <web-resource-collection>
> >                             <web-resource-name>adminWeb</web-resource-name>
> >                             <url-pattern>/*</url-pattern>
> >                         </web-resource-collection>
> >                         <auth-constraint>
> >                             <role-name>admin</role-name>
> >                         </auth-constraint>
> >                         <user-data-constraint>
> >                             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >                         </user-data-constraint>
> >                     </security-constraint>
> >                     <login-config>
> >                         <auth-method>CLIENT-CERT</auth-method>
> >                     </login-config>
> >                     <security-role>
> >                         <description>An example role defined in "conf/tomcat-users.xml"</description>
> >                         <role-name>admin</role-name>
> >                     </security-role>
> >                 </web-app>
> >
> > 7) On the client side:
> >
> >       - Generate a p12 keystore in order to import the user certificate and its private key.
> >       - Import into the client (browser) the master, the intermediate (localhost) and the user certificates.
> >               - The user certificate in the p12 format (with the private key) and the other ones in the X509 format: localhost.cer and master.cer.
> >
> > At the end, the result is:
> > type Status report
> >
> > message No hay cadena de certificados del cliente en esta peticion
> >
> > description The request sent by the client was syntactically incorrect (No hay cadena de certificados del cliente en esta peticion).
> >
> > Using CATALINA_BASE:   ..
> > Using CATALINA_HOME:   ..
> > Using CATALINA_TMPDIR: ..\temp
> > Using JAVA_HOME:       C:\jbuilder5\jdk1.3
> > [INFO] Registry - -Loading registry information
> > [INFO] Registry - -Creating new Registry instance
> > [INFO] Registry - -Creating MBeanServer
> > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
> > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
> > Starting service Tomcat-Standalone
> > Apache Tomcat/4.1.12
> > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
> > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
> > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> >         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
> >         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
> >         at org.apache.coyote.Response.action(Response.java:216)
> >         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
> >         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
> >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
> >         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
> >         at java.lang.Thread.run(Thread.java:484)
> > [WARN] Http11Processor - -Exception getting SSL attributes <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> >         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
> >         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
> >         at org.apache.coyote.Request.action(Request.java:367)
> >         at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
> >         at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
> >         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
> >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> >         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> >         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> >         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> >         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
> >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
> >         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
> >         at java.lang.Thread.run(Thread.java:484)
> > [WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> >
> > Please, I've been trying to solve this problem for days and I am desperate.
> >
> > Thanks a lot in advance.
> >
> > Moises
> --
> Bob Herrmann <bob@jadn.com>
>
>
> --
> To unsubscribe, e-mail:
<mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
<mailto:tomcat-dev-help@jakarta.apache.org>
>



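The distinction Bob's reply draws between the server keystore and the trust store, shown as an added example that is not from this thread or from Tomcat's own code: a minimal JSSE server that loads the two stores separately and then reads the client's chain the way Tomcat's JSSESupport does. In JSSE the keystore supplies the server's own private key and certificate chain, while the trust managers built from the truststore decide which client certificates are accepted; that is what the `-Djavax.net.ssl.trustStore` properties from the quoted reply set process-wide, and when no truststore is configured JSSE falls back to the JRE's default cacerts, which does not contain a home-made master CA. The file names `server.keystore` and `cacerts.jks`, the `changeit` passwords and port 8443 are placeholders, and the code assumes a JDK 7 or later rather than the JDK 1.3 shown in the log.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Minimal JSSE server that keeps the two stores apart:
 *  - the keystore (server.keystore) holds the server's private key and chain;
 *  - the truststore (cacerts.jks) holds the CA certificates whose signed
 *    client certificates the server will accept.
 * File names, passwords and the port are placeholders, not values from the thread.
 */
public class ClientCertServer {

    private static KeyStore load(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build an SSLContext from a separate identity store and trust store. */
    public static SSLContext buildContext(String keystorePath, char[] keystorePass,
                                          String truststorePath, char[] truststorePass)
            throws Exception {
        // Key managers: the server's own identity (what keystoreFile configures in server.xml).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(load(keystorePath, keystorePass, "JKS"), keystorePass);

        // Trust managers: the CAs whose client certificates are accepted
        // (what -Djavax.net.ssl.trustStore points at when set process-wide).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(load(truststorePath, truststorePass, "JKS"));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Subject of the authenticated client, or null when no client chain was presented. */
    public static String peerSubject(SSLSocket socket) {
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            // Same exception as in the quoted log: the handshake finished without
            // client authentication, so there is no chain to read.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("server.keystore", "changeit".toCharArray(),
                                      "cacerts.jks", "changeit".toCharArray());
        SSLServerSocket server =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443);
        // The equivalent of clientAuth="true": request a client certificate during the
        // handshake and reject any chain that does not validate against the truststore.
        server.setNeedClientAuth(true);
        try (SSLSocket client = (SSLSocket) server.accept()) {
            client.startHandshake();
            String subject = peerSubject(client);
            System.out.println(subject == null ? "no client certificate" : "client: " + subject);
        }
    }
}
```

With `setNeedClientAuth(true)` a client that presents no certificate, or one not chained to a CA in the truststore, fails the handshake before `peerSubject` is reached. Switching to `setWantClientAuth(true)` lets such a client connect anyway, and `getPeerCertificates()` then throws `SSLPeerUnverifiedException` ("peer not authenticated"), which is the condition behind the two stack traces in the quoted log.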