tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Herrmann <...@hue.jadn.com>
Subject Re: Client-cert authentication.
Date Wed, 06 Nov 2002 16:32:42 GMT
On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
> Thanks a lot Bob and Jean-frederic for the response but I´m afraid I don´t
> understand clearly the solution:


As I understand it, Tomcat uses a keystore and a truststore.

Tomcat uses the keystore to answer the client's "who are you?" question.
The answer (Who is this Tomcat server) is retrieved from the keystore. 
(I am a trusted Tomcat server for Acme corp, my certificate is signed by
some central authority.)

The truststore is used when Tomcat wants to verify who the client is,
"Do I trust this client?" (Should this client really be allowed to
access this site?)  Tomcat only asks this, or verifies the client, if
the Connector has clientauth=true  **OR**  if a resource is marked up in
the web.xml as requiring CLIENT-CERT

The keystore can be set in the server.xml.  The truststore must be set
using the JDK's property files or via an environment variable (like I
mentioned in my earlier email.)  This is a tad kludgy because verifying
the certs of the client seem to be fairly rare in practice.  (I imagine
this is because verifying the client certs is something B2B requires and
not so much needed by the casual JSP developer.)

Cheers,
-bob



> 
> As far as I know,  when I configure the server.xml of the Tomcat/conf
> directory in order to use the keystore where I´ve imported the trusted certs
> of the chain
> I thought I was saying tomcat that the keystore for the authentication was
> that, and it wasn´t necesary to configure another trusted keystore.
> 
> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> clientAuth="false" keystoreFile="C:\Documents and
> Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> keystorePass="396947j" protocol="TLS" algorithm="SunX509"
> keystoreType="JKS"/>
> 
> Is necesary to configure both keystores?
> Thanks again, and sorry for my question if it´s something clear for
> everyone.
> 
> ----- Original Message -----
> From: "Bob Herrmann" <bob@jadn.com>
> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
> Sent: Tuesday, November 05, 2002 9:58 PM
> Subject: Re: Client-cert authentication.
> 
> 
> >
> > As someone else already pointed out, you need to configure the trust
> > stores (Which tell tomcat what clients to trust.) You can do that by
> > changing some config files, or like this on the command line (with
> > redhat)
> >
> > export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
> > -Djavax.net.ssl.trustStorePassword=changeit"
> >
> > Cheers,
> > -bob
> >
> >
> >
> > export CATALINA
> > -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
> > -Djavax.net.ssl.trustStorePassword=changeit
> >
> > On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
> > > I´ve a small (or big) problem configuring Tomcat 4.1.12.
> > >
> > > Does anyone know how to configure the client side of the matter?
> > >
> > > What I have done is :
> > >
> > > 1) Create a selfsigned certificate (master certificate).
> > > 2) With the master create another one intemediate for localhost (signed
> with the private key of the master one)
> > >         - Import the chain into a keystore: server.keystore ( the master
> and localhost, this last one with the private key)
> > > 3) With the localhost certificate create a user certificate (signed with
> the private key of localhost).
> > >         - Import the user certificate into the server.keystore.
> > > 4) Import the chain into a keystore: server.keystore
> > >        -  At  this point all must be ok because the server
> authentication works perfectly, when a client try to connect to localhost.
> > > 5) Configure the server.xml:
> > >         - Define a SSL Coyote HTTP/1.1 Connector on port 8443:
> > >
> > >                 <Connector
> className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
> minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10"
> debug="3" scheme="https" secure="true" useURIValidationHack="false">
> > >
> > >         - Locate the keystore inside the factory,
> CoyoteServerSocketFactory, with clientAuth="false".
> > >                 <Factory
> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> clientAuth="false" keystoreFile="C:\Documents and
> Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> keystorePass="396947j" protocol="TLS" algorithm="SunX509"
> keystoreType="JKS"/>
> > >
> > > 6) Configure the web.xml, if the auth.method selected is BASIC
> everything works fine, the problem begins when I try that a context works
> with client authentication.
> > >
> > >                 <?xml version="1.0" encoding="UTF-8"?>
> > >                 <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD
> Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
> > >                 <web-app>
> > >                 <display-name>adminWeb</display-name>
> > >                 <welcome-file-list>
> > >                 <welcome-file>adminWeb.jsp</welcome-file>
> > >                 </welcome-file-list>
> > >                 <security-constraint>
> > >                     <web-resource-collection>
> > >                         <web-resource-name>adminWeb</web-resource-name>
> > >                         <url-pattern>/*</url-pattern>
> > >                     </web-resource-collection>
> > >                     <auth-constraint>
> > >                     <role-name>admin</role-name>
> > >                     </auth-constraint>
> > >                     <user-data-constraint>
> > >
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > >                     </user-data-constraint>
> > >             </security-constraint>
> > >             <login-config>
> > >                 <auth-method>CLIENT-CERT</auth-method>
> > >             </login-config>
> > >             <security-role>
> > >                 <description>An example role defined in
> "conf/tomcat-users.xml"</description>
> > >                 <role-name>admin</role-name>
> > >             </security-role>
> > >             </web-app>
> > >
> > > 7) In the client side:
> > >
> > >       - Generate a p12 keystore in order to import the user certificate
> and his private key.
> > >     - Import in the Client (browser) the master, the intermediate
> (localhost) and the user certificates.
> > >               - The user certificate in the p12 format (with the private
> key) and the other ones with the X509 format: localhost.cer and master.cer.
> > >
> > > At the end, the result is:
> > > type Status report
> > >
> > > message No hay cadena de certificados del cliente en esta peticion
> > >
> > > description The request sent by the client was syntactically incorrect
> (No hay cadena de certificados del cliente en esta peticion).
> > >
> > > Using CATALINA_BASE:   ..
> > > Using CATALINA_HOME:   ..
> > > Using CATALINA_TMPDIR: ..\temp
> > > Using JAVA_HOME:       C:\jbuilder5\jdk1.3
> > > [INFO] Registry - -Loading registry information
> > > [INFO] Registry - -Creating new Registry instance
> > > [INFO] Registry - -Creating MBeanServer
> > > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
> > > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
> > > Starting service Tomcat-Standalone
> > > Apache Tomcat/4.1.12
> > > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
> > > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
> > > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> > >         at
> com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA62
> 75)
> > >         at
> org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.j
> ava:118)
> > >         at
> org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
> > >         at org.apache.coyote.Response.action(Response.java:216)
> > >         at
> org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:
> 314)
> > >         at
> org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
> > >         at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> > >         at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConne
> ction(Http11Protocol.java:380)
> > >         at
> org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> > >         at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav
> a:533)
> > >         at java.lang.Thread.run(Thread.java:484)
> > > [WARN] Http11Processor - -Exception getting SSL attributes
> <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> > >         at
> com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA62
> 75)
> > >         at
> org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.j
> ava:118)
> > >         at
> org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
> > >         at org.apache.coyote.Request.action(Request.java:367)
> > >         at
> org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
> > >         at
> org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFaca
> de.java:141)
> > >         at
> org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthentic
> ator.java:154)
> > >         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase
> .java:502)
> > >         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> eNext(StandardPipeline.java:641)
> > >         at
> org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:2
> 46)
> > >         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> eNext(StandardPipeline.java:641)
> > >         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > >         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > >         at
> org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
> > >         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180
> )
> > >         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> eNext(StandardPipeline.java:643)
> > >         at
> org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.
> java:170)
> > >         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> eNext(StandardPipeline.java:641)
> > >         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172
> )
> > >         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> eNext(StandardPipeline.java:641)
> > >         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > >         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > >         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
> :174)
> > >         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> eNext(StandardPipeline.java:643)
> > >         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > >         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > >         at
> org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
> > >         at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> > >         at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConne
> ction(Http11Protocol.java:380)
> > >         at
> org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> > >         at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav
> a:533)
> > >         at java.lang.Thread.run(Thread.java:484)
> > > [WARN] Http11Processor - -Exception getting SSL Cert
> <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > >
> > >
> > >
> > >
> > > Please  I´ve been trying to solve this problem for days and I am
> desperate.
> > >
> > > Thanks a lot in advance.
> > >
> > > Moises
> > --
> > Bob Herrmann <bob@jadn.com>
> >
> >
> > --
> > To unsubscribe, e-mail:
> <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail:
> <mailto:tomcat-dev-help@jakarta.apache.org>
> >
> 
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message