From: jean-frederic clere
Date: Fri, 08 Nov 2002 17:59:29 +0100
To: Tomcat Developers List
Subject: Re: Client-cert authentication.
Message-ID: <3DCBED71.4060705@fujitsu-siemens.com>
Moisés Serrano Martínez wrote:
> I've done it and the problem continues: I've included the self-signed and
> intermediate certificates in cacerts (
> perhaps it's a problem with the java environment?
> what files are necessary to configure in order to obtain client-cert
> authentication?

The only thing I can do to help you is to send the steps I am using to
test the client certificates (forget the last 2 steps, which are for testing mod_jk).

Cheers

Jean-frederic

> Thanks a lot for the interest.
>
> ----- Original Message -----
> From: "Bob Herrmann"
> To: "Tomcat Developers List"
> Sent: Wednesday, November 06, 2002 5:32 PM
> Subject: Re: Client-cert authentication.
>
>> On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
>>
>>> Thanks a lot Bob and Jean-frederic for the response but I'm afraid I don't
>>> understand clearly the solution:
>>
>> As I understand it, Tomcat uses a keystore and a truststore.
>>
>> Tomcat uses the keystore to answer the client's "who are you?" question.
>> The answer (Who is this Tomcat server) is retrieved from the keystore.
>> (I am a trusted Tomcat server for Acme corp, my certificate is signed by
>> some central authority.)
>>
>> The truststore is used when Tomcat wants to verify who the client is,
>> "Do I trust this client?" (Should this client really be allowed to
>> access this site?) Tomcat only asks this, or verifies the client, if
>> the Connector has clientauth=true **OR** if a resource is marked up in
>> the web.xml as requiring CLIENT-CERT.
>>
>> The keystore can be set in the server.xml. The truststore must be set
>> using the JDK's property files or via an environment variable (like I
>> mentioned in my earlier email.) This is a tad kludgy because verifying
>> the certs of the client seems to be fairly rare in practice. (I imagine
>> this is because verifying the client certs is something B2B requires and
>> not so much needed by the casual JSP developer.)
>>
>> Cheers,
>> -bob
>>
>>> As far as I know, when I configure the server.xml of the Tomcat/conf
>>> directory in order to use the keystore where I've imported the trusted certs
>>> of the chain, I thought I was telling tomcat that the keystore for the
>>> authentication was that one, and it wasn't necessary to configure another
>>> trusted keystore.
>>>
>>> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>          clientAuth="false" keystoreFile="C:\Documents and
>>> Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>          keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>>          keystoreType="JKS"/>
>>>
>>> Is it necessary to configure both keystores?
>>> Thanks again, and sorry for my question if it's something clear for
>>> everyone.
>>>
>>> ----- Original Message -----
>>> From: "Bob Herrmann"
>>> To: "Tomcat Developers List"
>>> Sent: Tuesday, November 05, 2002 9:58 PM
>>> Subject: Re: Client-cert authentication.
>>>
>>>> As someone else already pointed out, you need to configure the trust
>>>> stores (Which tell tomcat what clients to trust.) You can do that by
>>>> changing some config files, or like this on the command line (with
>>>> redhat)
>>>>
>>>> export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
>>>> -Djavax.net.ssl.trustStorePassword=changeit"
>>>>
>>>> Cheers,
>>>> -bob
>>>>
>>>> export CATALINA
>>>> -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
>>>> -Djavax.net.ssl.trustStorePassword=changeit
>>>>
>>>> On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
>>>>
>>>>> I've a small (or big) problem configuring Tomcat 4.1.12.
>>>>>
>>>>> Does anyone know how to configure the client side of the matter?
>>>>>
>>>>> What I have done is :
>>>>>
>>>>> 1) Create a self-signed certificate (master certificate).
>>>>> 2) With the master create another intermediate one for localhost (signed
>>>>>    with the private key of the master one)
>>>>>    - Import the chain into a keystore: server.keystore (the master
>>>>>      and localhost, this last one with the private key)
>>>>> 3) With the localhost certificate create a user certificate (signed with
>>>>>    the private key of localhost).
>>>>>    - Import the user certificate into the server.keystore.
>>>>> 4) Import the chain into a keystore: server.keystore
>>>>>    - At this point all must be ok because the server authentication
>>>>>      works perfectly when a client tries to connect to localhost.
>>>>> 5) Configure the server.xml:
>>>>>    - Define a SSL Coyote HTTP/1.1 Connector on port 8443:
>>>>>
>>>>>    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
>>>>>               minProcessors="5" maxProcessors="75" enableLookups="true"
>>>>>               acceptCount="10" debug="3" scheme="https" secure="true"
>>>>>               useURIValidationHack="false">
>>>>>
>>>>>    - Locate the keystore inside the factory, CoyoteServerSocketFactory,
>>>>>      with clientAuth="false".
>>>>>
>>>>>    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>>>             clientAuth="false" keystoreFile="C:\Documents and
>>>>> Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>>>             keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>>>>             keystoreType="JKS"/>
>>>>>
>>>>> 6) Configure the web.xml, if the auth.method selected is BASIC
>>>>>    everything works fine, the problem begins when I try to make a context
>>>>>    work with client authentication.
>>>>>
>>>>>    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>>>>>        "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>>>>>
>>>>>    adminWeb
>>>>>    adminWeb.jsp
>>>>>
>>>>>    adminWeb
>>>>>    /*
>>>>>
>>>>>    admin
>>>>>
>>>>>    CONFIDENTIAL
>>>>>
>>>>>    CLIENT-CERT
>>>>>
>>>>>    An example role defined in "conf/tomcat-users.xml"
>>>>>    admin
>>>>>
>>>>> 7) In the client side:
>>>>>    - Generate a p12 keystore in order to import the user certificate
>>>>>      and his private key.
>>>>>    - Import in the Client (browser) the master, the intermediate
>>>>>      (localhost) and the user certificates.
>>>>>    - The user certificate in the p12 format (with the private key) and
>>>>>      the other ones with the X509 format: localhost.cer and master.cer.
>>>>>
>>>>> At the end, the result is:
>>>>> type Status report
>>>>>
>>>>> message No hay cadena de certificados del cliente en esta peticion
>>>>>
>>>>> description The request sent by the client was syntactically incorrect
>>>>> (No hay cadena de certificados del cliente en esta peticion).
>>>>>
>>>>> Using CATALINA_BASE: ..
>>>>> Using CATALINA_HOME: ..
>>>>> Using CATALINA_TMPDIR: ..\temp
>>>>> Using JAVA_HOME: C:\jbuilder5\jdk1.3
>>>>> [INFO] Registry - -Loading registry information
>>>>> [INFO] Registry - -Creating new Registry instance
>>>>> [INFO] Registry - -Creating MBeanServer
>>>>> [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
>>>>> [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
>>>>> Starting service Tomcat-Standalone
>>>>> Apache Tomcat/4.1.12
>>>>> [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
>>>>> [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>>     at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>>     at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
>>>>>     at org.apache.coyote.Response.action(Response.java:216)
>>>>>     at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
>>>>>     at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
>>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>>     at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>>     at java.lang.Thread.run(Thread.java:484)
>>>>> [WARN] Http11Processor - -Exception getting SSL attributes
>>>>>
>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>>     at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>>     at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
>>>>>     at org.apache.coyote.Request.action(Request.java:367)
>>>>>     at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
>>>>>     at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
>>>>>     at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>     at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>     at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>>     at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>     at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>>     at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>>     at java.lang.Thread.run(Thread.java:484)
>>>>> [WARN] Http11Processor - -Exception getting SSL Cert
>>>>>
>>>>> Please I've been trying to solve this problem for days and I am
>>>>> desperate.
>>>>>
>>>>> Thanks a lot in advance.
>>>>>
>>>>> Moises

Attachment: certs.txt

Connecting to the server:
  openssl s_client -port 443 -host vtxclere

List the CA of a JVM:
  keytool -list -rfc -keystore $JAVA_HOME/jre/lib/security/cacerts

Steps to set up a demoCA and user certificates:

1 - /usr/local/ssl/misc/CA.pl -newca
    This creates a demoCA directory that contains the CA certificates.
2 - /usr/local/ssl/misc/CA.pl -newreq
    This creates a newreq.pem that contains the private key and request.
3 - Separate the request and the private key: put the private key in key.pem
    and the request in newreq.pem.
4 - /usr/local/ssl/misc/CA.pl -signreq
    It displays the certificate before signing it. The result is in newcert.pem.
5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
        -in newcert.pem -out test.p12
    The test.p12 contains a file that can be imported in the browser.
6 - Import in the browser the test.p12 file.
7 - Add the CA cert in the $JAVA_HOME/jre/lib/security/cacerts
    chmod u+w $JAVA_HOME/jre/lib/security/cacerts
    $JAVA_HOME/keytool -import -trustcacerts -file demoCA/cacert.pem \
        -keystore $JAVA_HOME/jre/lib/security/cacerts
8 - mod_jk (Apache). The CA certificates are stored in
    $APACHE_HOME/conf/ssl.crt/ca-bundle.crt
    Just add the demoCA/cacert.pem to it.
9 - In case a certificate is for the Apache server: do steps 2, 3 and 4 and
    put the file key.pem into SSLCertificateKeyFile and the file newcert.pem
    into SSLCertificateFile (in httpd.conf).
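Step 3 of the attached certs.txt (split the newreq.pem that "CA.pl -newreq" writes into a key file and a request file) as a POSIX shell function; this is an added example, not Jean-frederic's own script. It assumes plain PEM input with the block names openssl emits, and goes slightly beyond the mail by also accepting the PKCS#8 "BEGIN PRIVATE KEY" and "BEGIN NEW CERTIFICATE REQUEST" variants; the sample newreq.pem is constructed with placeholder bodies, not real key material.

```shell
#!/bin/sh
# Added example (not from the original mail): step 3 of certs.txt.
# "CA.pl -newreq" writes the private key and the CSR into one newreq.pem;
# split_pem_request copies the key block(s) to KEY_OUT and the request
# block to REQ_OUT. Assumption: plain PEM, block names as openssl emits them
# (RSA/EC/PKCS#8 keys and plain or "NEW" certificate requests all match).

# split_pem_request IN KEY_OUT REQ_OUT   -> returns 1 if either block is missing
split_pem_request() {
    in="$1"; key_out="$2"; req_out="$3"
    : > "$key_out"; : > "$req_out"
    awk -v key="$key_out" -v req="$req_out" '
        /^-----BEGIN .*PRIVATE KEY-----$/          { out = key }
        /^-----BEGIN .*CERTIFICATE REQUEST-----$/  { out = req }
        out != ""                                  { print >> out }
        /^-----END /                               { out = "" }
    ' "$in" || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key_out" || return 1
    grep -q -- '-----BEGIN .*CERTIFICATE REQUEST-----' "$req_out" || return 1
    chmod 600 "$key_out"   # the key file holds the secret; keep it owner-only
}

# Constructed stand-in for a real newreq.pem: the encrypted-key headers have
# the shape "CA.pl -newreq" produces, the bodies are placeholders, not keys.
make_sample_newreq() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDER-KEY-BODY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
PLACEHOLDER-REQUEST-BODY
-----END CERTIFICATE REQUEST-----
EOF
}

# Demo on the constructed sample, in a scratch directory.
work=$(mktemp -d)
make_sample_newreq "$work/newreq.pem"
if split_pem_request "$work/newreq.pem" "$work/key.pem" "$work/request.pem"; then
    echo "key -> $work/key.pem, request -> $work/request.pem"
fi
```

With a real newreq.pem, run the function on that file instead of the constructed sample; key.pem then goes to "openssl pkcs12 -export -inkey" in step 5 and the request file to "CA.pl -signreq" in step 4.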