tomcat-users mailing list archives

From Michael Jeffrey Tucker <mtuc...@eecs.harvard.edu>
Subject Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
Date Wed, 12 Nov 2003 16:29:46 GMT
Hi,

  Thanks for your help. I was wondering if anyone has any suggestions for
the following problem: I would like Tomcat to accept any SSL connection
where it recognizes the CA for the client certificate and then provide my
webapp access to this certificate. It turns out that I don't think I want
to use the CLIENT-CERT auth.

  My current setup seems to handle the first part -- I have clientAuth set
to true in my server.xml's SSLServerSocketFactory configuration and I have
removed the security constraints from my app's web.xml. When I point a
browser at the site/ssl port, I am prompted for my client certificate. So
far, so good!

  The problem is that I am not sure how to get access to the
certificate from JSP. I have looked into the methods that are provided by
the HttpServletRequest interface, but getAuthType(), getRemoteUser(), and
getUserPrincipal() all return NULL. I guess this makes sense because the
SSL certificate is not being used for apps-specific security enforcement,
but I know that the certificate must be floating around there somewhere.
Are there any other request-related objects that my JSP code can access
that would give me access to the cert? Any pointers would be greatly
appreciated!

Thanks,
Mike


On Tue, 11 Nov 2003, Bill Barker wrote:

> At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the
> Tomcat ships-with Realms).  There are patches for JNDIRealm and JDBCRealm
> floating around in Bugzilla, that should be fine if you are using Sun's JVM.
> (The Sun dependencies are basically why they are still floating :).
>
> Once you have enabled MemoryRealm (and, for versions < 4.1.29, disable the
> default DataSource), then the 'username' in tomcat-users.xml is the cert's
> DN (aka Subject).  The password can be anything you want (it is ignored for
> CLIENT-CERT auth).
>
> ----- Original Message -----
> From: "Michael Jeffrey Tucker" <mtucker@eecs.harvard.edu>
> To: "Bill Barker" <wbarker@wilshire.com>
> Sent: Tuesday, November 11, 2003 8:55 PM
> Subject: Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
>
>
> > Hi Bill,
> >
> >   Do you know of a similar howto for client authentication with ssl? I've
> > had nothing but trouble getting a system with self-signed keys up and
> > running. I found a post in the archives about signing your own keys, which
> > suggests that is an OK thing to do, and I've found posts by people who
> > have client-side authentication up. But I haven't been able to combine the
> > two. Also, I've been doing all my debugging on the client-side with the
> > command line version of OpenSSL -- I'd like to look at what JSSE has to
> > say (because the catalina logs are only showing incoming connections
> > between assigned and awaited, no more details), are there any howto's that
> > describe the logging process in more detail that might be worth looking
> > at?
> >
> > Thanks,
> > Mike
> >
> > On Tue, 11 Nov 2003, Bill Barker wrote:
> >
> > > The Tomcat 5 ssl-howto contains an example of how to do this.  It works with
> > > Tomcat 4.1.x as well.
> > >
> > > Long-story-short, it works by "combining" the private-key and the cert.
> > > JSSE can use the resulting pkcs12 file as a keystore.
> > >
> > > "Scott Kelley" <sk01@biomail.ucsd.edu> wrote in message
> > > news:p05210606bbd72e6bb131@[132.239.58.113]...
> > > > Hi,
> > > >
> > > > I have an Apache+mod_ssl+Tomcat configuration that's been working
> > > > fine for several years. I have an SSL certificate from Verisign, and
> > > > my httpd.conf file contains:
> > > >
> > > > SSLCertificateFile /path/to/server.crt
> > > > SSLCertificateKeyFile /path/to/server.key
> > > >
> > > > The private key is unencrypted so that the server can restart
> > > > automatically.
> > > >
> > > > Now I'd like to use the same certificate and private key in a
> > > > Tomcat-only configuration, but I can't quite figure out how to get
> > > > these two pieces of information into keytool for tomcat to use!
> > > >
> > > > It's easy enough to import the certificate:
> > > >
> > > >      keytool -import -alias tomcat -file /path/to/server.crt
> > > >
> > > > but I know that the private key needs to be in the keystore too, and
> > > > I haven't been able to figure out how to get it in there!
> > > >
> > > > Simply trying to import it:
> > > >
> > > >      keytool -import -alias tomcat -file /path/to/server.key
> > > >
> > > > gives me the message:
> > > >
> > > >      keytool error: java.lang.Exception: Input not an X.509 certificate
> > > >
> > > > which doesn't really surprise me because the private key is not an
> > > > X.509 certificate! But how can I tell keytool about my private key?
> > > >
> > > > Can I do this? If so, how? Can I do it with just keytool? Do I need
> > > > to use openssl to tweak something?
> > > >
> > > > I saw some comments in the httpd.conf file (comments added by
> > > > mod_ssl) that suggest the certificate and the private key can be
> > > > "combined" somehow. Is this what I need to do? If so, how do I do
> > > > this?
> > > >
> > > > Or do I have to toss my old keys and generate a new CSR with keytool?
> > > > The Tomcat tutorial on how to do that seems reasonably
> > > > straightforward. But I would much prefer to use my existing key and
> > > > certificate!
> > > >
> > > > I actually tried this for the first time two years ago. After trying
> > > > everything I could think of, and posting to tomcat-user and getting
> > > > no replies, I gave up and left things the way they were. Now, two
> > > > years later, I *still* can't figure out, or find a recipe, to explain
> > > > how to migrate from an Apache/mod_ssl/Tomcat configuration to a plain
> > > > Tomcat configuration!
> > > >
> > > > Thanks for any help.
> > > >
> > > > Scott
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>

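Added example, not code from any message in this thread: a servlet filter that reads the client certificate Tomcat already verified during the SSL handshake (the request attribute `javax.servlet.request.X509Certificate` defined by the Servlet spec) and hands its subject DN to the webapp, which is the access Mike asks for without CLIENT-CERT auth. It assumes `clientAuth="true"` on the connector, as in his setup; the filter class and the `example.clientDN` attribute name are my own.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the thread). Pulls the client cert that the
// container verified against its truststore at the handshake out of the
// request and publishes the subject DN for JSPs/servlets further down.
public class ClientCertFilter implements Filter {
    // Standard Servlet-spec attribute: X509Certificate[] with the client's
    // own certificate at index 0, followed by any chain certs it sent.
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Hypothetical attribute name under which this filter publishes the DN.
    public static final String DN_ATTR = "example.clientDN";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // No cert: plain-HTTP request, or a connector that did not ask for
            // one. Refuse explicitly rather than letting the request through.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }
        X509Certificate client = certs[0];
        try {
            // The handshake checked the chain; re-check the validity window
            // so an expired cert cannot be reused on a long-lived session.
            client.checkValidity();
        } catch (CertificateException e) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate not currently valid");
            return;
        }
        // Same DN that MemoryRealm would treat as the username under CLIENT-CERT.
        String dn = client.getSubjectX500Principal().getName();
        req.setAttribute(DN_ATTR, dn);
        chain.doFilter(req, res);
    }
}
```

From a JSP the same attribute is reachable directly as `request.getAttribute("javax.servlet.request.X509Certificate")`, cast to `X509Certificate[]`.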

