From jean-frederic clere <jfrederic.cl...@fujitsu-siemens.com>
Subject Re: Client-cert authentication.
Date Fri, 08 Nov 2002 16:59:29 GMT
Moisés Serrano Martínez wrote:
> I've done it and the problem continues: I've included the self-signed and
> intermediate certificates in cacerts (perhaps it's a problem with the Java
> environment?). What files is it necessary to configure in order to obtain
> client-cert authentication?

The only thing I am able to do to help you is to send the steps I am using to
test the client certificates (forget the 2 last steps, which are to test mod_jk).

Cheers

Jean-frederic

> 
> Thanks a lot for the interest.
> 
> ----- Original Message -----
> From: "Bob Herrmann" <bob@hue.jadn.com>
> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
> Sent: Wednesday, November 06, 2002 5:32 PM
> Subject: Re: Client-cert authentication.
> 
>> On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
>>
>>> Thanks a lot Bob and Jean-frederic for the response but I'm afraid I don't
>>> understand clearly the solution:
>>
>> As I understand it, Tomcat uses a keystore and a truststore.
>>
>> Tomcat uses the keystore to answer the client's "who are you?" question.
>> The answer (Who is this Tomcat server) is retrieved from the keystore.
>> (I am a trusted Tomcat server for Acme corp, my certificate is signed by
>> some central authority.)
>>
>> The truststore is used when Tomcat wants to verify who the client is,
>> "Do I trust this client?" (Should this client really be allowed to
>> access this site?)  Tomcat only asks this, or verifies the client, if
>> the Connector has clientauth=true  **OR**  if a resource is marked up in
>> the web.xml as requiring CLIENT-CERT.
>>
>> The keystore can be set in the server.xml.  The truststore must be set
>> using the JDK's property files or via an environment variable (like I
>> mentioned in my earlier email.)  This is a tad kludgy because verifying
>> the certs of the client seems to be fairly rare in practice.  (I imagine
>> this is because verifying the client certs is something B2B requires and
>> not so much needed by the casual JSP developer.)
>>
>> Cheers,
>> -bob
>>
>>> As far as I know, when I configure the server.xml of the Tomcat/conf
>>> directory in order to use the keystore where I've imported the trusted
>>> certs of the chain, I thought I was telling Tomcat that the keystore for
>>> the authentication was that one, and it wasn't necessary to configure
>>> another trusted keystore.
>>>
>>> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>> clientAuth="false" keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>> keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>> keystoreType="JKS"/>
>>>
>>> Is it necessary to configure both keystores?
>>> Thanks again, and sorry for my question if it's something clear for
>>> everyone.
>>>
>>> ----- Original Message -----
>>> From: "Bob Herrmann" <bob@jadn.com>
>>> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
>>> Sent: Tuesday, November 05, 2002 9:58 PM
>>> Subject: Re: Client-cert authentication.
>>>
>>>> As someone else already pointed out, you need to configure the trust
>>>> stores (Which tell tomcat what clients to trust.) You can do that by
>>>> changing some config files, or like this on the command line (with
>>>> redhat)
>>>>
>>>> export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
>>>> -Djavax.net.ssl.trustStorePassword=changeit"
>>>>
>>>> Cheers,
>>>> -bob
>>>>
>>>> export CATALINA
>>>> -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
>>>> -Djavax.net.ssl.trustStorePassword=changeit
>>>>
>>>> On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
>>>>
>>>>> I've a small (or big) problem configuring Tomcat 4.1.12.
>>>>>
>>>>> Does anyone know how to configure the client side of the matter?
>>>>>
>>>>> What I have done is:
>>>>>
>>>>> 1) Create a self-signed certificate (master certificate).
>>>>> 2) With the master create another, intermediate one for localhost
>>>>>    (signed with the private key of the master one)
>>>>>    - Import the chain into a keystore: server.keystore (the master and
>>>>>      localhost, this last one with the private key)
>>>>> 3) With the localhost certificate create a user certificate (signed
>>>>>    with the private key of localhost).
>>>>>    - Import the user certificate into the server.keystore.
>>>>> 4) Import the chain into a keystore: server.keystore
>>>>>    - At this point all must be ok because the server authentication
>>>>>      works perfectly when a client tries to connect to localhost.
>>>>> 5) Configure the server.xml:
>>>>>    - Define a SSL Coyote HTTP/1.1 Connector on port 8443:
>>>>>
>>>>>      <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
>>>>>      minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10"
>>>>>      debug="3" scheme="https" secure="true" useURIValidationHack="false">
>>>>>
>>>>>    - Locate the keystore inside the factory, CoyoteServerSocketFactory,
>>>>>      with clientAuth="false".
>>>>>
>>>>>      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>>>      clientAuth="false" keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>>>      keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>>>>      keystoreType="JKS"/>
>>>>>
>>>>> 6) Configure the web.xml; if the auth-method selected is BASIC
>>>>>    everything works fine, the problem begins when I try to make a
>>>>>    context work with client authentication.
>>>>>
>>>>>      <?xml version="1.0" encoding="UTF-8"?>
>>>>>      <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>>>>>        "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>>>>>      <web-app>
>>>>>        <display-name>adminWeb</display-name>
>>>>>        <welcome-file-list>
>>>>>          <welcome-file>adminWeb.jsp</welcome-file>
>>>>>        </welcome-file-list>
>>>>>        <security-constraint>
>>>>>          <web-resource-collection>
>>>>>            <web-resource-name>adminWeb</web-resource-name>
>>>>>            <url-pattern>/*</url-pattern>
>>>>>          </web-resource-collection>
>>>>>          <auth-constraint>
>>>>>            <role-name>admin</role-name>
>>>>>          </auth-constraint>
>>>>>          <user-data-constraint>
>>>>>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>>          </user-data-constraint>
>>>>>        </security-constraint>
>>>>>        <login-config>
>>>>>          <auth-method>CLIENT-CERT</auth-method>
>>>>>        </login-config>
>>>>>        <security-role>
>>>>>          <description>An example role defined in "conf/tomcat-users.xml"</description>
>>>>>          <role-name>admin</role-name>
>>>>>        </security-role>
>>>>>      </web-app>
>>>>>
>>>>> 7) In the client side:
>>>>>
>>>>>    - Generate a p12 keystore in order to import the user certificate
>>>>>      and its private key.
>>>>>    - Import in the Client (browser) the master, the intermediate
>>>>>      (localhost) and the user certificates.
>>>>>      - The user certificate in the p12 format (with the private key)
>>>>>        and the other ones with the X509 format: localhost.cer and
>>>>>        master.cer.
>>>>>
>>>>> At the end, the result is:
>>>>> type Status report
>>>>>
>>>>> message No hay cadena de certificados del cliente en esta peticion
>>>>>
>>>>> description The request sent by the client was syntactically incorrect
>>>>> (No hay cadena de certificados del cliente en esta peticion).
>>>>>
>>>>> Using CATALINA_BASE:   ..
>>>>> Using CATALINA_HOME:   ..
>>>>> Using CATALINA_TMPDIR: ..\temp
>>>>> Using JAVA_HOME:       C:\jbuilder5\jdk1.3
>>>>> [INFO] Registry - -Loading registry information
>>>>> [INFO] Registry - -Creating new Registry instance
>>>>> [INFO] Registry - -Creating MBeanServer
>>>>> [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
>>>>> [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
>>>>> Starting service Tomcat-Standalone
>>>>> Apache Tomcat/4.1.12
>>>>> [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
>>>>> [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>>         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>>         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
>>>>>         at org.apache.coyote.Response.action(Response.java:216)
>>>>>         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
>>>>>         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
>>>>>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>>         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>>         at java.lang.Thread.run(Thread.java:484)
>>>>> [WARN] Http11Processor - -Exception getting SSL attributes <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>>         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>>         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
>>>>>         at org.apache.coyote.Request.action(Request.java:367)
>>>>>         at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
>>>>>         at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
>>>>>         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
>>>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>>>>>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>>>>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>>>>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>>         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>>>>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>>>>>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>>>>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>>>>>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>>         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>>         at java.lang.Thread.run(Thread.java:484)
>>>>> [WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>>>
>>>>> Please, I've been trying to solve this problem for days and I am
>>>>> desperate.
>>>>>
>>>>> Thanks a lot in advance.
>>>>>
>>>>> Moises
>>>>
>>>> --
>>>> Bob Herrmann <bob@jadn.com>
>>>>
>>>> --
>>>> To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
>>>> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

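To make the keystore/truststore split from Bob's explanation concrete, the following is an added Java example; it is not code from this thread, from Tomcat, or from any of the authors, and uses only the JDK's KeyStore and PKIX certificate-path APIs. It loads the server keystore (the identity Tomcat serves from `keystoreFile`), a separate truststore (the file that `javax.net.ssl.trustStore` would point at) and a client certificate chain exported from the browser, and reports whether that chain would validate against the truststore's trust anchors. File names, passwords and the argument order are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Offline check of the two stores: the keystore answers "who are you?" (key
 * entries), the truststore answers "do I trust this client?" (trusted
 * certificate entries used as PKIX trust anchors). Paths and passwords are
 * assumptions for this example, not values from any real deployment.
 */
public class ClientCertCheck {

    static KeyStore loadJks(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Aliases that carry a private key: the server's own identity. */
    static List<String> identityAliases(KeyStore keystore) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (Enumeration<String> e = keystore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (keystore.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    /** Read a PEM or DER file holding one or more certificates, leaf first. */
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * PKIX-validate the presented chain against the truststore's trust
     * anchors. Returns null when the chain validates, otherwise the reason.
     * Only trustedCertEntry entries of the truststore become anchors; a key
     * entry in the server keystore does not make anything trusted.
     */
    static String whyNotTrusted(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        List<Certificate> path = new ArrayList<>(chain);
        // A self-signed root at the end of the chain is the anchor's job, so drop it from the path.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore); // throws if the store has no trusted certs
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP in this lab setup
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: server.keystore keystorePass truststore.jks trustStorePassword client-chain.pem
        KeyStore keystore = loadJks(args[0], args[1]);
        KeyStore trustStore = loadJks(args[2], args[3]);
        List<X509Certificate> clientChain = readChain(args[4]);

        System.out.println("Server identity (keystoreFile) key entries: " + identityAliases(keystore));
        System.out.println("Client leaf: " + clientChain.get(0).getSubjectX500Principal());

        String reason = whyNotTrusted(clientChain, trustStore);
        System.out.println(reason == null
                ? "client chain validates against the truststore: Tomcat would see a client cert chain"
                : "client chain rejected (" + reason + "): expect 'peer not authenticated'");
    }
}
```

Run it once with the truststore that `-Djavax.net.ssl.trustStore` names and once with the server keystore passed in its place: the same chain that validates against a truststore holding the CA certificate is what lets Tomcat's SSLAuthenticator obtain a certificate chain, while importing the CA into `keystoreFile` alone leaves the JSSE layer without a trust anchor, which is the "peer not authenticated" situation in the log above. Note also that with `clientAuth="false"` the handshake itself never requires a certificate; the page's rule is that Tomcat asks for one only when `clientAuth` is true or the resource is protected by CLIENT-CERT.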

