tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tathagat (London)" <Tathag...@DrKW.com>
Subject RE: Client Certificates on Tomcat 3.3.1
Date Tue, 20 Aug 2002 13:22:14 GMT
okay, I have faced so many problems on this.. and finally could do it!
Please answer the following questions.

First question: The certificates that you are using on your machine (as
client), where do you get them from?

Second: When you connect the server (https://localhost:8443) or whatever),
does your certificate pops up?

cheers
Tathagat

-----Original Message-----
From: Rodrigo Ruiz [mailto:rruiz@gridsystems.com]
Sent: Tuesday, August 20, 2002 11:42
To: tomcat-user@jakarta.apache.org
Subject: Client Certificates on Tomcat 3.3.1


Hi all,

I'm trying to setup a secure connection between Tomcat 3.3.1 and a java soap
client.

My soap service simply prints out some request data, and also the content of

request.getAttribute("javax.servlet.request.X509Certificate")

Following some example code I found on Internet (I'm not sure this code
should function)

I have followed the instructions in the xml.apache.org FAQ, and generated
all certificates with keytool.

Firstly, I configured tomcat with clientAuth set to false, and used a basic
authentication scheme in my web-app. It worked fine. When connecting through
my client, the service prints the next info:

Authorization: BASIC
Remote User: tomcat
Secured: true
Principal: tomcat
No client certificate is available

If I set clientAuth to true, it still works, but it keeps showing the "No
client certificate available" message.

The big problem comes when I configure my web-app to use CLIENT-CERT
authorization scheme.
It simply returns a 401 error code.

Any one can help me, please??

Thanks in advance,
Rodrigo Ruiz Aguayo

PS: Following is the bat file I'm using to generate the keystores:

del server.keystore
del client.keystore

copy %JAVA_HOME%\jre\lib\security\cacerts .\server.keystore
copy %JAVA_HOME%\jre\lib\security\cacerts .\client.keystore

REM Change default passwords
keytool -storepasswd -keystore server.keystore -storepass changeit -new
123456
keytool -storepasswd -keystore client.keystore -storepass changeit -new
123456

REM Create server.keystore
keytool -genkey -alias tomcat-sv -dname
"CN=neyade,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES" -keyalg
RSA -keypass 123456 -storepass 123456 -keystore server.keystore
keytool -export -alias tomcat-sv -storepass 123456 -file
server.cer -keystore server.keystore

REM Import server certificate as a trusted CA in the client keystore
keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore
client.keystore -keypass 123456 -storepass 123456

REM Create client keystore
keytool -genkey -alias rruiz -dname
"CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES" -keyalg
RSA -keypass 123456 -storepass 123456 -keystore client.keystore
keytool -export -alias rruiz -storepass 123456 -file rruiz.cer -keystore
client.keystore

keytool -import -v -trustcacerts -alias tomcat -file rruiz.cer -keystore
server.keystore -keypass 123456 -storepass 123456


--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>


----------------------------------------------------------------------
If you have received this e-mail in error or wish to read our e-mail 
disclaimer statement and monitoring policy, please refer to 
http://www.drkw.com/disc/email/ or contact the sender.
----------------------------------------------------------------------


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>


Mime
View raw message