tomcat-dev mailing list archives

From jean-frederic clere <jfrederic.cl...@fujitsu-siemens.com>
Subject Re: Client-cert authentication.
Date Tue, 05 Nov 2002 17:01:26 GMT
Moisés Serrano Martínez wrote:
> I've a small (or big) problem configuring Tomcat 4.1.12.
> 
> Does anyone know how to configure the client side of the matter?
> 
> What I have done is :
> 
> 1) Create a selfsigned certificate (master certificate).

A CA certificate ;-)

You have to import this certificate into $JAVA_HOME/jre/lib/security/cacerts 
(cacert.pem).

> 2) With the master create another intermediate one for localhost (signed
> with the private key of the master one)
>         - Import the chain into a keystore: server.keystore (the master
> and localhost, this last one with the private key)
> 3) With the localhost certificate create a user certificate (signed with
> the private key of localhost).
>         - Import the user certificate into the server.keystore.
> 4) Import the chain into a keystore: server.keystore
>         - At this point all must be ok because the server
> authentication works perfectly, when a client tries to connect to
> localhost.
> 5) Configure the server.xml:
>         - Define a SSL Coyote HTTP/1.1 Connector on port 8443:
> 
>                 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                            port="8443" minProcessors="5" maxProcessors="75"
>                            enableLookups="true" acceptCount="10" debug="3"
>                            scheme="https" secure="true"
>                            useURIValidationHack="false">
> 
>         - Locate the keystore inside the factory,
>           CoyoteServerSocketFactory, with clientAuth="false".
> 
>                 <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                          clientAuth="false"
>                          keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>                          keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>                          keystoreType="JKS"/>
> 
> 6) Configure the web.xml: if the auth-method selected is BASIC
> everything works fine; the problem begins when I try to make a context
> work with client authentication.
> 
>                 <?xml version="1.0" encoding="UTF-8"?>
>                 <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>                     "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>                 <web-app>
>                     <display-name>adminWeb</display-name>
>                     <welcome-file-list>
>                         <welcome-file>adminWeb.jsp</welcome-file>
>                     </welcome-file-list>
>                     <security-constraint>
>                         <web-resource-collection>
>                             <web-resource-name>adminWeb</web-resource-name>
>                             <url-pattern>/*</url-pattern>
>                         </web-resource-collection>
>                         <auth-constraint>
>                             <role-name>admin</role-name>
>                         </auth-constraint>
>                         <user-data-constraint>
>                             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>                         </user-data-constraint>
>                     </security-constraint>
>                     <login-config>
>                         <auth-method>CLIENT-CERT</auth-method>
>                     </login-config>
>                     <security-role>
>                         <description>An example role defined in "conf/tomcat-users.xml"</description>
>                         <role-name>admin</role-name>
>                     </security-role>
>                 </web-app>
> 
> 7) In the client side:
> 
>         - Generate a p12 keystore in order to import the user certificate
>           and its private key.
>         - Import in the Client (browser) the master, the intermediate
>           (localhost) and the user certificates.
>         - The user certificate in the p12 format (with the private
>           key) and the other ones with the X509 format: localhost.cer and
>           master.cer.
> 
> At the end, the result is:
> type Status report
> 
> message No hay cadena de certificados del cliente en esta peticion
> 
> description The request sent by the client was syntactically incorrect
> (No hay cadena de certificados del cliente en esta peticion).
> 
> Using CATALINA_BASE:   ..
> Using CATALINA_HOME:   ..
> Using CATALINA_TMPDIR: ..\temp
> Using JAVA_HOME:       C:\jbuilder5\jdk1.3
> [INFO] Registry - -Loading registry information
> [INFO] Registry - -Creating new Registry instance
> [INFO] Registry - -Creating MBeanServer
> [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
> [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
> Starting service Tomcat-Standalone
> Apache Tomcat/4.1.12
> [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
> [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
>         at org.apache.coyote.Response.action(Response.java:216)
>         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
>         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>         at java.lang.Thread.run(Thread.java:484)
> [WARN] Http11Processor - -Exception getting SSL attributes
> <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
>         at org.apache.coyote.Request.action(Request.java:367)
>         at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
>         at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
>         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>         at java.lang.Thread.run(Thread.java:484)
> [WARN] Http11Processor - -Exception getting SSL Cert
> <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> 
> Please, I've been trying to solve this problem for days and I am
> desperate.
> 
> Thanks a lot in advance.
> 
> Moises
> 
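The two symptoms in the quoted post point at two separate requirements. The reply covers the first: the JVM truststore (cacerts) must contain the CA that issued the client certificate, or the server cannot verify the chain. The second is visible in the quoted server.xml: with `clientAuth="false"` the JSSE socket factory never asks the browser for a certificate, so the request arrives with no chain, `SSLAuthenticator` finds no `javax.servlet.request.X509Certificate` attribute and answers 400 with the localized "no client certificate chain in this request" message seen in the status report, while `JSSESupport` logs `peer not authenticated`. The check below is an added example written for this page, not Tomcat's own code: it parses a server.xml fragment and a web.xml, and reports any https connector whose factory will not request a client certificate while the application demands CLIENT-CERT. The XML samples are constructed to mirror the thread's configuration (Tomcat 4 layout, `Factory` nested inside `Connector`); the keystore password is a placeholder, and the file paths are invented.

```python
"""Cross-check a Tomcat 4 server.xml SSL connector against a web.xml
login-config for the CLIENT-CERT misconfiguration discussed in the thread.

Added example, not Tomcat code.  Both XML documents below are constructed
samples that mirror the quoted post; the password is a placeholder.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the poster's SSL connector, Factory nested inside the
# Connector as Tomcat 4 expects, with clientAuth="false".
SERVER_XML = """<Server>
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" scheme="https" secure="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" keystoreFile="conf/server.keystore"
               keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER" protocol="TLS"
               algorithm="SunX509" keystoreType="JKS"/>
    </Connector>
  </Service>
</Server>"""

# The same connector with the setting CLIENT-CERT needs: the server now
# requests (and requires) a client certificate during the handshake.
FIXED_SERVER_XML = SERVER_XML.replace('clientAuth="false"', 'clientAuth="true"')

# Constructed sample: the poster's web.xml reduced to the parts that matter.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminWeb</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""


def ssl_factories(server_xml):
    """Return (port, clientAuth) for every https connector's socket factory.

    A connector without a Factory element, or a Factory without the
    attribute, gets Tomcat's default of "false".
    """
    root = ET.fromstring(server_xml)
    result = []
    for conn in root.iter("Connector"):
        if conn.get("scheme") != "https":
            continue
        factory = conn.find("Factory")
        client_auth = "false"
        if factory is not None:
            client_auth = factory.get("clientAuth", "false")
        result.append((conn.get("port"), client_auth.strip().lower()))
    return result


def auth_method(web_xml):
    """Return the declared <auth-method> in upper case, or None if absent."""
    root = ET.fromstring(web_xml)
    el = root.find("./login-config/auth-method")
    if el is None or not el.text:
        return None
    return el.text.strip().upper()


def check_client_cert_config(server_xml, web_xml):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    if auth_method(web_xml) != "CLIENT-CERT":
        return findings  # nothing to cross-check for other auth methods
    factories = ssl_factories(server_xml)
    if not factories:
        findings.append("CLIENT-CERT declared but no https connector is defined")
    for port, client_auth in factories:
        if client_auth != "true":
            findings.append(
                'port %s: clientAuth="%s" never requests a client certificate, '
                "so CLIENT-CERT fails with 'no client certificate chain in "
                "this request'" % (port, client_auth))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SERVER_XML), ("corrected", FIXED_SERVER_XML)):
        print(label, check_client_cert_config(cfg, WEB_XML) or ["ok"])
```

Two caveats from practice. Setting `clientAuth="true"` makes the handshake fail outright for any browser that presents no certificate, so the CA import into cacerts that the reply describes has to be in place first. And passing the handshake is not the same as being authorised: Tomcat's CLIENT-CERT realms look up the client certificate's subject DN as the user name, so the realm (here conf/tomcat-users.xml) must carry that full DN with the `admin` role before the constraint lets the request through.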



