tomcat-users mailing list archives

From appa rao <appa_rao...@yahoo.co.in>
Subject Re: How to use digital certificates
Date Sat, 21 Jun 2003 07:21:37 GMT
HTTPS is working properly (I configured SSL properly).  I installed the root/chain cert in Tomcat
and user certs in the browser.  I set the client authentication to true in server.xml.  It is working
properly.  The only thing I need is to pick the username/password from the user cert and authenticate.
 As said, I think I'll have to write a custom Realm.  Where can I get more information on getting
the usernames from the certificates?

Appa
Bill Barker <wbarker@wilshire.com> wrote:
Assuming that iPlanet is sending a normal x509 chain, then it should be
mostly working. You'll have to make certain that the root-CA is installed
in cacerts (I'm assuming that you are using JSSE) so that the client-cert
can be verified. At least with the Sun JVM, I believe that only Verisign
and Thawte are installed by default.

Getting the name is a bit more of a problem. It is usually the CN of the
Subject, but not always. If this is the case with your certs, then you'll
need a custom Realm that extracts the CN and validates the user (MemoryRealm
uses the full Subject as the user-name).

"appa rao" wrote in message
news:20030620082830.51789.qmail@web8105.in.yahoo.com...
> Thanks for the reply..
> let me clearly tell you the problem..
> we use certificates generated by iPlanet Certificate Server. All the
client(user) certificates are on a swipe card which are read by Gemplus card
reader using USB port.... The problem is when the user swipes it, user
should automatically be authenticated..(currently we have another web
application running on iPlanet web server - which picks up username from the
card and authenticates against LDAP). Is this possible in Tomcat? SSL is
working fine - only problem is authentication..
>
> Thanks
> Appa
>
> Bill Barker wrote:
> Ok, everyone else is signing their replies. I can do that too ;-).
>
> Out-of-the-box, TC 4.1.24 has very limited support for x509 auth. Only the
> (deprecated) MemoryRealm actually supports it. Also, only the Stand-Alone
> JSSE Connector will correctly retrieve the x509 certs in the current release
> version (the Jk-Coyote Connector is fixed in the CVS, and the fixes for the
> Stand-Alone PureTLS Connector will show up before 4.1.25 comes out).
>
>
> "Mario Ivankovits" wrote in message
> news:003501c336f4$386662a0$65011bac@ops.hq...
> > I have developed a solution, where you can use client-certificates for
> user
> > authentication.
> >
> > You can find information at
> > http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831
> >
> > Currently an implementation for "Standard LDAP" and "Windows-2000
> > ActiveDirectory" is available.
> > Using W2K-AD you might have troubles, since I have tested it only with two
> > different client-certificates.
> >
> > Mainly you have to import the certificate in your LDAP Server, and then the
> > user-mapping is done by my JNDIRealm* classes.
> >
> > Mario
> >
> >
> > ----- Original Message -----
> > From: "appa rao"
> > To:
> > Sent: Friday, June 20, 2003 7:33 AM
> > Subject: How to use digital certificates
> >
> >
> > > Hi,
> > >
> > > Can any one give me an example of how to use Digital Certificates for
> > > authentication and authorization in Tomcat? I am struggling to understand the
> > > concept of certificates and their use in authentication and authorization..
> > > I am using Tomcat - 4.1.24.
> > >
> > > Thanks in advance..
> > >
> > > appa
> > >
> >
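Bill Barker's point above is that the stock MemoryRealm matches on the whole Subject DN, so a custom Realm has to pull the CN out of the client certificate itself. The class below is an added example for this thread, not code from Tomcat or from any of the posters. It assumes a JDK that ships javax.naming.ldap (Java 5 or later) and leaves the Realm and the LDAP lookup that would consume the resulting name as an assumed surrounding piece. It parses the Subject with LdapName rather than splitting on commas, so an escaped comma inside the CN (CN=Rao\, Appa) and a DN with no CN at all are handled, and it refuses an expired or not-yet-valid certificate before deriving a name from it. The constant CERT_ATTR is the request attribute name the Servlet specification defines for the client's chain; the sample Subjects in main are constructed for the demonstration.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Derives a realm user name from a client certificate's Subject.
 * Added example for the tomcat-users thread, not Tomcat's own code; the
 * Realm / LDAP lookup that would consume the returned name is assumed.
 */
public final class CertSubjectName {

    /** Servlet-spec request attribute holding the client's X.509 chain (X509Certificate[]). */
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /**
     * Returns the leaf CN of the Subject, or null when the Subject carries no CN.
     * Going through LdapName means escaped separators (CN=Rao\, Appa) and
     * attribute-type case are handled, which a hand-rolled split on ',' is not.
     */
    public static String commonName(X500Principal subject) throws NamingException {
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        // RFC 2253 writes the most specific RDN first, but LdapName stores that
        // one at the highest index, so walk from the end to find the leaf CN.
        for (int i = dn.size() - 1; i >= 0; i--) {
            Rdn rdn = dn.getRdn(i);
            Attribute cn = rdn.toAttributes().get("CN");   // case-insensitive lookup
            if (cn != null) {
                return (String) cn.get();                   // unescaped value
            }
        }
        return null;
    }

    /**
     * The user name a Realm should look up: the CN when present, otherwise the
     * full RFC 2253 Subject, which is what MemoryRealm matches on anyway.
     */
    public static String userName(X500Principal subject) throws NamingException {
        String cn = commonName(subject);
        return cn != null ? cn : subject.getName(X500Principal.RFC2253);
    }

    /**
     * Same for a presented certificate. The connector has already verified the
     * chain against the trust store; this only refuses a certificate outside its
     * validity window before any name is derived from it. The Realm must still
     * confirm the user exists (e.g. in LDAP) before returning a Principal.
     */
    public static String userName(X509Certificate cert)
            throws CertificateException, NamingException {
        cert.checkValidity();
        return userName(cert.getSubjectX500Principal());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample Subjects; no real certificate is needed to show the mapping.
        String[] samples = {
            "CN=appa rao,OU=Users,O=Example Corp,C=IN",
            "CN=Rao\\, Appa,OU=Users,O=Example Corp,C=IN",   // escaped comma inside the CN
            "CN=appa rao,CN=Users,DC=example,DC=com",        // two CNs: the leaf one is used
            "OU=Users,O=Example Corp,C=IN",                  // no CN: falls back to the full DN
        };
        for (String s : samples) {
            X500Principal subject = new X500Principal(s);
            System.out.println(s + "  ->  " + userName(subject));
        }
    }
}
```

In a custom Realm this replaces the full-Subject string the stock code hands to the user lookup; a Filter can apply the same mapping to the X509Certificate[] it reads from CERT_ATTR, taking the first element as the client's own certificate. Whether the CN is really the right identity attribute depends on the CA's certificate profile, which is the "usually, but not always" caveat in the reply above; the iPlanet-issued certificates should be inspected before relying on it.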




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
