From: Moisés Serrano Martínez
To: "foro tomcat", Rubén Rubio de la Oliva
Subject: Client-cert authentication.
Date: Tue, 5 Nov 2002 17:35:07 +0100
Message-ID: <004001c284e9$4eb18b60$2201000a@MOISES>

I've a small (or big) problem configuring Tomcat 4.1.12. Does anyone know how to configure the client side of the matter? What I have done is:

1) Create a self-signed certificate (master certificate).
2) With the master create another, intermediate one for localhost (signed with the private key of the master one).
   - Import the chain into a keystore: server.keystore (the master and localhost, this last one with the private key).
3) With the localhost certificate create a user certificate (signed with the private key of localhost).
   - Import the user certificate into the server.keystore.
4) Import the chain into a keystore: server.keystore
   - At this point all must be OK, because the server authentication works perfectly when a client tries to connect to localhost.
5) Configure the server.xml:
   - Define an SSL Coyote HTTP/1.1 Connector on port 8443:
   - Locate the keystore inside the factory, CoyoteServerSocketFactory, with clientAuth="false".
6) Configure the web.xml. If the auth-method selected is BASIC everything works fine; the problem begins when I try to make a context work with client authentication.

   <!-- the element names were lost in the archive; the structure below is restored
        around the values that survived. In the original they were preceded by the two
        values "adminWeb adminWeb.jsp", whose elements could not be recovered. -->
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>adminWeb</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>admin</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
   </login-config>
   <security-role>
     <description>An example role defined in "conf/tomcat-users.xml"</description>
     <role-name>admin</role-name>
   </security-role>

7) On the client side:
   - Generate a p12 keystore in order to import the user certificate and its private key.
   - Import in the client (browser) the master, the intermediate (localhost) and the user certificates.
   - The user certificate in the p12 format (with the private key) and the other ones in the X509 format: localhost.cer and master.cer.

At the end, the result is:

type Status report
message No hay cadena de certificados del cliente en esta peticion
description The request sent by the client was syntactically incorrect (No hay cadena de certificados del cliente en esta peticion).

Using CATALINA_BASE: ..
Using CATALINA_HOME: ..
Using CATALINA_TMPDIR: ..\temp
Using JAVA_HOME: C:\jbuilder5\jdk1.3
[INFO] Registry - -Loading registry information
[INFO] Registry - -Creating new Registry instance
[INFO] Registry - -Creating MBeanServer
[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
Starting service Tomcat-Standalone
Apache Tomcat/4.1.12
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
        at org.apache.coyote.Response.action(Response.java:216)
        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:484)
[WARN] Http11Processor - -Exception getting SSL attributes
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
        at org.apache.coyote.Request.action(Request.java:367)
        at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
        at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:484)
[WARN] Http11Processor - -Exception getting SSL Cert

Please, I've been trying to solve this problem for days and I am desperate.
Thanks a lot in advance.

Moises
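As an added illustration of what the configuration above produces at the TLS layer (this is example code written for this archive page, not part of Moisés's message and not Tomcat's code), the Go program below builds a throw-away PKI with the same shape as the one described, master (self-signed root) -> localhost (intermediate, also used as the server certificate) -> user (client leaf), and runs three handshakes over loopback: the server never asking for a client certificate, the server requiring one and trusting master, and the server requiring one without trusting master. All names, keys and the 5-second timeouts are constructed for the example; `Configs` and `ClientSubject` are helper names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints an ECDSA certificate for cn: self-signed when parent is nil, otherwise signed with parentKey.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{ // constructed toy certificate, valid for one day
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root: the poster's "master" certificate
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Configs builds a fresh toy PKI shaped like the poster's (master -> localhost -> user, localhost doubling as the
// server certificate) and returns both ends. clientAuth stands in for the factory's clientAuth attribute;
// trustMaster says whether the root behind the client chain is in the server's trust store.
func Configs(clientAuth tls.ClientAuthType, trustMaster bool) (server, client *tls.Config) {
	master, masterKey := issue("master", true, nil, nil, nil)
	localhost, localhostKey := issue("localhost", true, []string{"localhost"}, master, masterKey)
	user, userKey := issue("user", false, nil, localhost, localhostKey)
	browserTrust := x509.NewCertPool() // master.cer imported in the browser
	browserTrust.AddCert(master)
	serverTrust := x509.NewCertPool() // issuers the server accepts for client certificates
	if trustMaster {
		serverTrust.AddCert(master)
	}
	server = &tls.Config{ClientAuth: clientAuth, ClientCAs: serverTrust,
		Certificates: []tls.Certificate{{Certificate: [][]byte{localhost.Raw, master.Raw}, PrivateKey: localhostKey}}}
	client = &tls.Config{RootCAs: browserTrust, ServerName: "localhost", // the p12 import: user cert plus its key
		Certificates: []tls.Certificate{{Certificate: [][]byte{user.Raw, localhost.Raw}, PrivateKey: userKey}}}
	return server, client
}

// ClientSubject runs one handshake over loopback TCP and reports what a CLIENT-CERT authenticator would get:
// the CN of the verified client certificate, "" when the server never asked for one, or the server's error.
func ClientSubject(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	ln.(*net.TCPListener).SetDeadline(time.Now().Add(5 * time.Second))
	done := make(chan struct{})
	go func() { // the browser: connect, present the user certificate if asked, hang up
		defer close(done)
		if conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg); err == nil {
			conn.Close()
		}
	}()
	raw, err := ln.Accept()
	check(err)
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	srv := tls.Server(raw, serverCfg)
	defer srv.Close()
	err = srv.Handshake()
	<-done
	if err != nil {
		return "", err
	}
	if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", nil // TLS came up, but there is no client certificate to authenticate
}

func main() {
	for _, c := range []struct{ auth tls.ClientAuthType; trust bool }{{tls.NoClientCert, true}, {tls.RequireAndVerifyClientCert, true}, {tls.RequireAndVerifyClientCert, false}} {
		cn, err := ClientSubject(Configs(c.auth, c.trust))
		fmt.Printf("clientAuth=%v trustMaster=%v: subject=%q err=%v\n", c.auth, c.trust, cn, err)
	}
}
```

The first run is the situation in the message: the handshake succeeds, the browser has a perfectly good user certificate, but a server configured not to ask for client certificates never receives it, so there is no chain to authenticate. The stack trace above shows that same path inside Tomcat: SSLAuthenticator asks the request for the certificate attribute, JSSESupport asks the SSL session for the peer chain, and JSSE answers "peer not authenticated" because nothing was requested during the handshake. The second run is what a CLIENT-CERT login needs: the server requires a certificate and trusts the root that issued it, and the authenticator gets the subject "user". The third run shows the other mistake that gives a failing login, requiring a certificate without putting the issuing root in the server's trust store, which is a rejected handshake rather than a missing chain.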