tomcat-users mailing list archives

From dave.pr...@bt.com
Subject RE: Tomcat SSL mutual authentication: Nobody's got a clue?
Date Wed, 26 Mar 2003 09:05:52 GMT
Joe,

	I've also been trying to do this for ages. I assume you import the
client certificate into the server truststore. How does the server know where
to look for this truststore?

	Thanks

Dave 


-----Original Message-----
From: joe [mailto:list@concrete-it.com]
Sent: 26 March 2003 08:49
To: Tomcat Users List
Subject: Re: Tomcat SSL mutual authentication: Nobody's got a clue?


first of all: use jdk1.4.x !!! i found a bug in the old implementation. 
if someone is interested i can search in my archive to describe the bug.

here is how to patch tomcat 4.1.x to make client 
authentication 'optional':

in the java class:
org.apache.tomcat.util.net.jsse.JSSESocketFactory

you find this method call 2 times:
.setNeedClientAuth(clientAuth);
change this to:
.setWantClientAuth(clientAuth);

that's it!

and don't forget to change your server.xml:

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               useURIValidationHack="false" disableUploadTimeout="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="true" protocol="TLS"
               keystoreFile="/root/certs/java.concrete-it.com.keystore"
               keystorePass="changeit" />
    </Connector>


here is my link collection for ssl:
http://www-106.ibm.com/developerworks/java/library/j-customssl/sidebar.html
http://developer.java.sun.com/developer/qow/archive/169/index.jsp
http://www.catgen.com/developer/manual/ssl.html#jbosscatalina

you can find a lot of howtos on how to make your own CA, server cert and 
client certs.

hope this helps,
joe
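As an added example (not from this thread and not Tomcat code), the same need-vs-want distinction shown in Go's crypto/tls, where RequireAndVerifyClientCert and VerifyClientCertIfGiven play the roles of setNeedClientAuth and setWantClientAuth: in the 'optional' mode a client that presents no certificate still completes the handshake, so the application must check the peer certificate itself before treating the request as authenticated. The certificates ("server.example", "client") and the in-memory pipe are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed cert (constructed test material) that is its own trust anchor.
func selfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// handshake runs one TLS handshake over an in-memory pipe and reports whether the server
// accepted it and how many client certificates it holds afterwards.
func handshake(mode tls.ClientAuthType, clientSendsCert bool) (ok bool, clientCerts int) {
	srvCert, srvLeaf := selfSigned("server.example", x509.ExtKeyUsageServerAuth)
	cliCert, cliLeaf := selfSigned("client", x509.ExtKeyUsageClientAuth)
	trust, roots := x509.NewCertPool(), x509.NewCertPool()
	trust.AddCert(cliLeaf) // server-side truststore: who may present a client cert
	roots.AddCert(srvLeaf) // client-side truststore: which server cert to accept
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: mode, ClientCAs: trust}
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "server.example"}
	if clientSendsCert {
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	c1, c2 := net.Pipe()
	srv, cli := tls.Server(c1, srvCfg), tls.Client(c2, cliCfg)
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	cliErr := cli.Handshake()
	go io.Copy(io.Discard, cli) // keep draining so server alerts/tickets never block the pipe
	if srvErr := <-errc; srvErr != nil || cliErr != nil {
		return false, 0
	}
	return true, len(srv.ConnectionState().PeerCertificates)
}
```

With VerifyClientCertIfGiven and no client certificate, handshake returns ok with zero peer certificates; a servlet behind a connector patched to setWantClientAuth must therefore test for the certificate's presence rather than assume the TLS layer enforced it.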

joe wrote:

> hi,
>
> it's true that there is no 'step-by-step' howto for tomcat, but there 
> are many other ssl (and client auth) howtos which you can use for tomcat.
> the only thing is just a little bit of searching and reading about 
> ssl, CA, X509 certificates, certification chains ...
>
> i have successfully established ssl connections with (mutual) client 
> certificates. i'll try to find the howtos i've used and post them here 
> (i hope i'll find them again).
> i haven't used CRL's - i'm sure there are howtos 'out there'.
>
> and: it's true that tomcat does NOT support mutual client auth! but 
> i've read a little bit of the docs and the source code and patched my 
> tomcat 4.1.x to change the ssl client auth behavior to mutual.
>
> cu, joe
>
> Mark Liu wrote:
>
>> Hi,
>>
>> No, the Tomcat docs only say how to turn on the
>> *server* authentication, i.e., how to run Tomcat in
>> SSL mode.  It does not mention how to have the client
>> also pass over its certificate to the Web server.
>>
>> You have an idea about how to turn on client cert?
>>
>> --- Norris Shelton <norrisshelton@yahoo.com> wrote:
>>  
>>
>>> That about sums it up.  We are looking at client
>>> certs also. The Tomcat docs say how to turn on client
>>> authentication, but
>>> there is not much out there on hooking up to a CA
>>> and verifying
>>> against a CRL. 
>>> All of that is beyond the scope of this list and
>>> dives deep into
>>> the realm of JCE.
>>>
>>> We are looking into going with a vendor (probably
>>> VeriSign).
>>>
>>>
>>> --- Mark Liu <markliu1989@yahoo.com> wrote:
>>>
>>>> For over 1 week, I've been exploring about this. So
>>>> far, I got no reply.  Is this so professional, so
>>>> tough that nobody's got a clue?
>>> =====
>>>
>>> Norris Shelton
>>> Software Engineer
>>> Sun Certified Java 1.1 Programmer
>>> Appriss, Inc.
>>> ICQ# 26487421
>>> AIM NorrisEShelton
>>> YIM norrisshelton
>>>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

