tomcat-users mailing list archives

From "Hubble, Christopher" <>
Subject RE: SSL mutual authentication problem with Tomcat5
Date Thu, 18 Nov 2004 19:11:59 GMT
You need to pass the truststore into Tomcat as a JVM option.  Look in the
archives of the list for SSL.  I posted all of my steps a month or so ago.


-----Original Message-----
From: Ryan LeCompte []
Sent: Thursday, November 18, 2004 2:07 PM
Subject: SSL mutual authentication problem with Tomcat5

I'm trying to have a standalone Java client communicate via SSL with a
remote Tomcat5 server. I'm setting the two system properties for specifying
the SSL trust store path and trust store password. The client is able to
successfully communicate via SSL when Tomcat is configured to not require
client-side authentication (for example in tomcat the configuration
attribute 'clientAuth="false"' would be used). However, when I turn on this
attribute and require client-side authentication, the client fails to
communicate successfully with the Tomcat5 server. The following exception is
java.rmi.RemoteException: HTTP transport error:
Software caused connection abort: recv failed; nested exception is: 
 HTTP transport error: Software caused connection
abort: recv failed
 at  .....
Is there anything else that must occur on the client side when the remote
web server requires a client-side certification authentication? I'm still
new to SSL, so perhaps I have the basic concept confused. Do I have to
import another certification in the client-side keystore for this to work? I
looked in the SSL HOW-TO but didn't find an answer to my question. I also
tried importing all of the certificates in the client keystore into the
"cacerts" file in JAVA_HOME/jre/lib/security/cacerts.
Here is the connector configuration for SSL in server.xml:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="C:\ssl\sslWSCerts.keystore" keystorePass="changeit"/>


Thank you for any help that you may be able to provide.

-- Ryan 
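The piece the question is missing, shown as an added example that is not part of either message in this thread: with clientAuth="true" Tomcat sends a CertificateRequest during the handshake, so the client JVM needs a KeyManager backed by a keystore holding the client's own private key and certificate, not only the trust store properties Ryan already sets. The file paths, passwords and the localhost URL below are assumed placeholders; the Tomcat-side truststore (holding the CA that issued the client certificate) is passed as the JVM option the reply refers to.

```java
// Client side of Tomcat mutual TLS. Equivalent to setting
//   -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=...
// in addition to the javax.net.ssl.trustStore properties on the client JVM.
// Tomcat side (assumed names): CATALINA_OPTS=-Djavax.net.ssl.trustStore=C:\ssl\clientTrust.keystore
//                                            -Djavax.net.ssl.trustStorePassword=changeit
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext buildContext(String keyStorePath, char[] keyPass,
                                   String trustStorePath, char[] trustPass) throws Exception {
        // KeyManager: the certificate the client presents when the server requests one.
        // Without it the client answers the CertificateRequest with an empty chain and
        // Tomcat aborts the handshake, which surfaces as "connection abort: recv failed".
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyPass), keyPass);

        // TrustManager: which server certificates the client accepts (Tomcat's CA).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths/passwords; replace with the real client keystore and truststore.
        SSLContext ctx = buildContext("C:\\ssl\\client.keystore", "changeit".toCharArray(),
                                      "C:\\ssl\\clientTrust.keystore", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Check the same thing from the server's view: if the handshake still aborts, the client certificate's issuer is not in the truststore Tomcat was started with, and the truststore JVM option (not the connector's keystoreFile) is where that CA has to be.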

