tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 24563] - Problem with SSL authentication
Date Tue, 11 Nov 2003 19:37:15 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24563>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24563

Problem with SSL authentication





------- Additional Comments From medthomas@ntlworld.com  2003-11-11 19:37 -------
I have this working using J2SE 1.3.1_02, JSSE 1.0.3_01, JBoss 3.2.1, Tomcat 
4.1.24, NT4 SP6a, MS Certificate Server, MS IE 6. The users were authenticated 
using a custom LoginModule (reasons explained below).

It took quite a bit of trial and error to get working because, as you are 
finding, the error messages are not always the most helpful.

I am going to assume that you can connect using https without authentication 
(ie https://localhost:8443/jmx-console works)

I am also going to assume that you have imported the certificate(s) of the 
server(s) that issued your tomcat and client certificates using a command(s) 
similar to:
keytool -import -alias CertServerName -file CertServerRootCert.cer -keystore 
c:\jdk1.3.1_02\jre\lib\security\cacerts -storepass changeit

To keep things simple, I tried to use the UsersRolesLoginModule. However, this 
module always refuses null passwords. Certificates don't have passwords - 
hence the problem. I created my own login module that extended 
UsersRolesLoginModule and overrode the function that checked the password so 
it always returned true.

The second problem was the user name to use in the user.properties and 
roles.properties files. Certificate authentication in standalone tomact uses 
the DN of the cert as the user name. Tomcat embedded in JBoss uses the 
certificate serial number appended to the DN of the cert issuer. Further the 
whitespace and equal signs in the DN must be escaped. This leads to 
users.properties of the form:
nnnnnnnnnnnnnnnnnnn\ CN\=certserver,\ OU\=unit,\ O\=org,\ L\=city,\ 
ST\=state,\ C\=UK=dummypassword

If you are still having difficulties I can provide you with more detail.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message