tomcat-users mailing list archives

From Michael Jeffrey Tucker <mtuc...@eecs.harvard.edu>
Subject Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
Date Wed, 12 Nov 2003 20:10:48 GMT
Hi,

  Some more digging revealed that what I have done so far is what is/was
intended. Back in 2000, Craig McClanahan wrote that:

"If all you want to do is make sure the client has a valid certificate,
you don't need to use a security constraint at all -- just set the
"clientAuth" property on the Connector to true, and no requests will be
accepted without a certificate.  On the other hand, if you want to use
security constraints in addition, you will need to define the user (and
associated roles) in your Realm, just as you would for any other login
method."

All I want Tomcat to do is make sure that the client has a valid
certificate. But I also want this certificate to be accessible to my
webapps. There doesn't seem to be any discussion of how the authentication
information flows from the initial SSL connection to the JSP request
object. Is there any such information flow without security constraints?
Or am I approaching this all wrong?

Thanks again,
Mike
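The flow asked about above does exist without a security constraint: the Servlet specification (2.2 and later) defines the request attribute `javax.servlet.request.X509Certificate`, an `X509Certificate[]` holding the client chain, and the SSL connector fills it in whenever `clientAuth="true"` was used to negotiate the connection, independent of any Realm or CLIENT-CERT login. The filter below is an added example, not code from this thread or from Tomcat itself; it assumes the connector populates that attribute (Tomcat 4.1 and 5 do), and the class name `ClientCertFilter`, the `clientCertSubject` request attribute and the web.xml mapping mentioned afterwards are illustrative choices.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Tomcat): reads the client certificate chain
 * that the SSL connector stores in the standard Servlet attribute and publishes
 * the subject DN to JSPs. No security constraint and no Realm are involved.
 */
public class ClientCertFilter implements Filter {

    /** Attribute name defined by the Servlet spec; value type is X509Certificate[]. */
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Assumed attribute name under which the subject DN is handed to JSP pages. */
    public static final String SUBJECT_ATTR = "clientCertSubject";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] chainCerts = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String subject = subjectOf(chainCerts);
        if (subject == null) {
            // With clientAuth="true" the handshake already rejects requests without a
            // certificate; this branch also covers a request that arrived on a
            // non-SSL connector, where the attribute is simply absent.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }
        req.setAttribute(SUBJECT_ATTR, subject);
        chain.doFilter(req, res);
    }

    /**
     * Subject DN of the end-entity certificate (index 0 of the chain), or null when
     * no usable certificate is present. The validity window is checked again here
     * as an explicit, cheap guard in the application layer.
     */
    static String subjectOf(X509Certificate[] chainCerts) {
        if (chainCerts == null || chainCerts.length == 0) {
            return null;
        }
        X509Certificate endEntity = chainCerts[0];
        try {
            endEntity.checkValidity();
        } catch (CertificateExpiredException e) {
            return null;
        } catch (CertificateNotYetValidException e) {
            return null;
        }
        return endEntity.getSubjectX500Principal().getName();
    }
}
```

Register it in web.xml with a `<filter>` element naming the class and a `<filter-mapping>` for the protected URL pattern; a JSP then reads `request.getAttribute("clientCertSubject")` (or the whole chain from `javax.servlet.request.X509Certificate` directly) while `getRemoteUser()` and `getUserPrincipal()` stay null, exactly as observed, because no container login took place.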

On Wed, 12 Nov 2003, Michael Jeffrey Tucker wrote:

> Hi,
>
>   Thanks for your help. I was wondering if anyone has any suggestions for
> the following problem: I would like Tomcat to accept any SSL connection
> where it recognizes the CA for the client certificate and then provide my
> webapp access to this certificate. It turns out that I don't think I want
> to use the CLIENT-CERT auth.
>
>   My current setup seems to handle the first part -- I have clientAuth set
> to true in my server.xml's SSLServerSocketFactory configuration and I have
> removed the security constraints from my app's web.xml. When I point a
> browser at the site/ssl port, I am prompted for my client certificate. So
> far, so good!
>
>   The problem is that I am not sure how to get access to the
> certificate from JSP. I have looked into the methods that are provided by
> the HttpServletRequest interface, but getAuthType(), getRemoteUser(), and
> getUserPrincipal() all return NULL. I guess this makes sense because the
> SSL certificate is not being used for apps-specific security enforcement,
> but I know that the certificate must be floating around there somewhere.
> Are there any other request-related objects that my JSP code can access
> that would give me access to the cert? Any pointers would be greatly
> appreciated!
>
> Thanks,
> Mike
>
>
> On Tue, 11 Nov 2003, Bill Barker wrote:
>
> > At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the
> > Tomcat ships-with Realms).  There are patches for JNDIRealm and JDBCRealm
> > floating around in Bugzilla, that should be fine if you are using Sun's JVM.
> > (The Sun dependencies are basically why they are still floating :).
> >
> > Once you have enabled MemoryRealm (and, for versions < 4.1.29, disable the
> > default DataSource), then the 'username' in tomcat-users.xml is the cert's
> > DN (aka Subject).  The password can be anything you want (it is ignored for
> > CLIENT-CERT auth).
> >
> > ----- Original Message -----
> > From: "Michael Jeffrey Tucker" <mtucker@eecs.harvard.edu>
> > To: "Bill Barker" <wbarker@wilshire.com>
> > Sent: Tuesday, November 11, 2003 8:55 PM
> > Subject: Re: Using Apache/mod_ssl certificate and private key with
> > Tomcat/keytool
> >
> >
> > > Hi Bill,
> > >
> > >   Do you know of a similar howto for client authentication with ssl? I've
> > > had nothing but trouble getting a system with self-signed keys up and
> > > running. I found a post in the archives about signing your own keys, which
> > > suggests that is an OK thing to do, and I've found posts by people who
> > > have client-side authentication up. But I haven't been able to combine the
> > > two. Also, I've been doing all my debugging on the client-side with the
> > > command line version of OpenSSL -- I'd like to look at what JSSE has to
> > > say (because the catalina logs are only showing incoming connections
> > > between assigned and awaited, no more details), are there any howto's that
> > > describe the logging process in more detail that might be worth looking
> > > at?
> > >
> > > Thanks,
> > > Mike
> > >
> > > On Tue, 11 Nov 2003, Bill Barker wrote:
> > >
> > > > The Tomcat 5 ssl-howto contains an example of how to do this.  It works
> > > > with Tomcat 4.1.x as well.
> > > >
> > > > Long-story-short, it works by "combining" the private-key and the cert.
> > > > JSSE can use the resulting pkcs12 file as a keystore.
> > > >
> > > > "Scott Kelley" <sk01@biomail.ucsd.edu> wrote in message
> > > > news:p05210606bbd72e6bb131@[132.239.58.113]...
> > > > > Hi,
> > > > >
> > > > > I have an Apache+mod_ssl+Tomcat configuration that's been working
> > > > > fine for several years. I have an SSL certificate from Verisign, and
> > > > > my httpd.conf file contains:
> > > > >
> > > > > SSLCertificateFile /path/to/server.crt
> > > > > SSLCertificateKeyFile /path/to/server.key
> > > > >
> > > > > The private key is unencrypted so that the server can restart
> > > > automatically.
> > > > >
> > > > > Now I'd like to use the same certificate and private key in a
> > > > > Tomcat-only configuration, but I can't quite figure out how to get
> > > > > these two pieces of information into keytool for tomcat to use!
> > > > >
> > > > > It's easy enough to import the certificate:
> > > > >
> > > > >      keytool -import -alias tomcat -file /path/to/server.crt
> > > > >
> > > > > but I know that the private key needs to be in the keystore too, and
> > > > > I haven't been able to figure out how to get it in there!
> > > > >
> > > > > Simply trying to import it:
> > > > >
> > > > >      keytool -import -alias tomcat -file /path/to/server.key
> > > > >
> > > > > gives me the message:
> > > > >
> > > > >      keytool error: java.lang.Exception: Input not an X.509 certificate
> > > > >
> > > > > which doesn't really surprise me because the private key is not an
> > > > > X.509 certificate! But how can I tell keytool about my private key?
> > > > >
> > > > > Can I do this? If so, how? Can I do it with just keytool? Do I need
> > > > > to use openssl to tweak something?
> > > > >
> > > > > I saw some comments in the httpd.conf file (comments added by
> > > > > mod_ssl) that suggest the certificate and the private key can be
> > > > > "combined" somehow. Is this what I need to do? If so, how do I do
> > > > > this?
> > > > >
> > > > > Or do I have to toss my old keys and generate a new CSR with keytool?
> > > > > The Tomcat tutorial on how to do that seems reasonably
> > > > > straightforward. But I would much prefer to use my existing key and
> > > > > certificate!
> > > > >
> > > > > I actually tried this for the first time two years ago. After trying
> > > > > everything I could think of, and posting to tomcat-user and getting
> > > > > no replies, I gave up and left things the way they were. Now, two
> > > > > years later, I *still* can't figure out, or find a recipe, to explain
> > > > > how to migrate from an Apache/mod_ssl/Tomcat configuration to a plain
> > > > > Tomcat configuration!
> > > > >
> > > > > Thanks for any help.
> > > > >
> > > > > Scott
> > > >
> > > >
> > > >
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > >
> > > >
> >
> >
>

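Bill's "combining" step is the OpenSSL PKCS#12 export, `openssl pkcs12 -export -in server.crt -inkey server.key -out tomcat.p12 -name tomcat`, after which the SSL Factory/Connector in server.xml points at the file with `keystoreFile` and `keystoreType="PKCS12"` instead of a keytool-made JKS store. The checker below is an added example, not code from this thread or from Tomcat: it opens the exported file with the JDK's own PKCS12 `KeyStore` and proves that the private key and the certificate under the alias belong together by signing a probe with the key and verifying it with the certificate's public key, so a later handshake failure cannot be blamed on a bad export. The file name `tomcat.p12`, the alias `tomcat` and the password `changeit` are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Hypothetical checker (not part of Tomcat): verifies that a PKCS#12 file
 * produced by "openssl pkcs12 -export" holds, under the alias Tomcat will use,
 * a private key whose public half matches the server certificate.
 */
public class Pkcs12Check {

    public static boolean keyMatchesCert(String path, char[] password, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        if (!ks.isKeyEntry(alias)) {
            // The alias comes from the -name option; list what is actually present
            // so a typo in server.xml's keyAlias is caught here, not at startup.
            System.err.println("no private key under alias '" + alias
                    + "'; aliases present: " + Collections.list(ks.aliases()));
            return false;
        }
        // OpenSSL exports use one password for the store and the key.
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity(); // throws if the certificate is expired or not yet valid

        // Sign a fixed probe with the private key and verify it with the
        // certificate's public key; "SHA1with" + algorithm covers RSA and DSA keys.
        byte[] probe = "pkcs12 consistency probe".getBytes("UTF-8");
        String sigAlg = "SHA1with" + key.getAlgorithm();
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(leaf.getPublicKey());
        verifier.update(probe);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; pass the real path and the export password as arguments.
        String path = args.length > 0 ? args[0] : "tomcat.p12";
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        boolean ok = keyMatchesCert(path, pw, "tomcat");
        System.out.println(ok ? "private key and certificate match" : "MISMATCH");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as `java Pkcs12Check /path/to/tomcat.p12 <export-password>` on the machine that will host Tomcat. The password given to `-export` has to be the one configured as `keystorePass`, since the JDK's PKCS12 implementation of that era expects the key and store passwords to be the same; an unencrypted Apache `server.key` is fine as input, because the export encrypts it inside the PKCS#12 container.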