tomcat-users mailing list archives

From "Hough, Adriaan" <adriaan.ho...@siemens.com>
Subject tomcat ssl with client certificates - solution
Date Wed, 16 Apr 2003 10:53:39 GMT
hi all

yes, i've got tomcat standalone running with ssl and client certificates.
i've seen a lot of questions about this, but no working solutions, so i
thought i'd share mine with you. keep in mind, though, that i'm an ssl
novice, so some of the things i say might not be entirely correct. but hey,
it works!

the way i see it, there are basically two parties involved in the
scenario: the server, and the client. since we're implementing ssl with
client certificates, both the server and the client should have certificates
to prove their identities. now, unless the client simply takes the server's
certificate at face value, and the server the same for the client, we need
to introduce an additional entity (or two): the certification authority. the
ca is supposed to be a third party that can vouch for the authenticity of a
certificate. thus, the client may require the server's certificate to have
been signed by a specific ca, and the server may in return require the
client's certificate to have been signed by (possibly) another ca.

i'll only describe the simplest scenario, where the client trusts any
certificate that the server chooses to pass to it. this will leave us with
three parties: the server (with its certificate), the client (with its
certificate) and the ca that the server trusts to verify client
certificates.


scenario: client trusts everybody
---------------------------------
note: i've got jdk 1.3.1, tomcat 4.1.18, jsse 1.0.3_01 and openssl 0.9.6g
installed on my system.

first, create a self signed certificate to identify your server:
1) execute "keytool -genkey -alias tomcat -keyalg RSA -keystore
/anywhere/server.keystore" (tomcat requires the password to be "changeit").

next, you need to create the ca:
2) execute "openssl req -new -newkey rsa:512 -nodes -out ca.req -keyout
ca.key".
3) execute "openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.req
-out ca.crt".

now you can create the client's certificates, and have them signed by the
ca:
4) execute "openssl req -new -newkey rsa:512 -nodes -out client.req -keyout
client.key"
5) execute "openssl x509 -CA ca.crt -CAkey ca.key -req -in client.req -out
client.crt -CAcreateserial"

tomcat reads the list of trusted ca's from a file called
<$JAVA_HOME/jre/lib/security/cacerts>. to add our ca to this list, you will
need to do the following:
6) execute "keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
-file ca.crt -alias ClientCA" (the default installed password is
"changeit").

all that remains, is to configure tomcat for ssl, and tell it where to find
its certificates:
7) modify the server.xml as described at
<http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html>.
8) change the ssl connector as follows: <Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="true" protocol="TLS" keystoreFile="/anywhere/server.keystore"/>.


that's it. now, whenever a client connects to the server, the server will
send its own certificate (from </anywhere/server.keystore>) along with a
list describing all ca's that it trusts (from
<$JAVA_HOME/jre/lib/security/cacerts>). the client should then return a
certificate (client.crt) that was signed by one of these ca's.

to verify your setup, start tomcat with JAVA_OPTS="-Djavax.net.debug=all",
and do the following:
*) execute "openssl s_client -cert client.crt -key client.key -connect
secured-server:8443"
note: i was unable to test this with internet explorer 5.50 - it never used
the certificates i imported (both ca & client certificates, converted with
"openssl x509 -in ca.crt -out ieca.crt -outform DER" etc.).


the tomcat configuration described above will require all clients to present
certificates for all resources on the server. if you require client
certificates for only some resources, you should rather set
clientAuth="false" (step 8), and specify "CLIENT_CERT" as login method in
the web application's deployment descriptor (described in the servlet
specification).


regards

adriaan hough
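
Added example (not part of the original message, and not Tomcat's own code): a small Python check of the two places the message says client-certificate enforcement can live, the clientAuth attribute on the connector's Factory (step 8) and the login method in the web application's deployment descriptor, where the servlet specification spells the value CLIENT-CERT. Both XML samples, the port, the URL pattern and the role name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Factory> element from step 8 inside a minimal connector.
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="8443" scheme="https" secure="true">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="true" protocol="TLS" keystoreFile="/anywhere/server.keystore"/>
  </Connector>
</Service></Server>"""

# Constructed sample: a deployment descriptor asking for certificate login on /admin/*.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>operator</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

def connector_client_auth(server_xml):
    """Map each connector port that has a <Factory> child to its clientAuth setting."""
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        factory = conn.find("Factory")
        if factory is not None:  # connectors without a Factory are skipped
            result[conn.get("port")] = factory.get("clientAuth", "false").lower() == "true"
    return result

def cert_protected_patterns(web_xml):
    """URL patterns under an auth-constraint when the login method is CLIENT-CERT."""
    root = ET.fromstring(web_xml)
    if (root.findtext("login-config/auth-method") or "").strip() != "CLIENT-CERT":
        return []
    return [p.text.strip()
            for sc in root.iter("security-constraint")
            if sc.find("auth-constraint") is not None
            for p in sc.iter("url-pattern")]

def enforcement(server_xml, web_xml):
    """Per port: 'all requests', the list of protected patterns, or 'none'."""
    patterns = cert_protected_patterns(web_xml)
    return {port: "all requests" if required else (patterns or "none")
            for port, required in connector_client_auth(server_xml).items()}

if __name__ == "__main__":
    print(enforcement(SERVER_XML, WEB_XML))
```

A result of "none" for an SSL port means neither the connector nor the web application asks for a client certificate, so the CA import in step 6 has no effect on who can connect.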
