tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Client Authentication
Date Tue, 03 May 2005 22:00:57 GMT
The CN for your server cert can be anything you like but you will get a 
warning in your browser if the CN differs from how you express it in the 
URL.

The user needs to look something like this
<user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB" 
password="null" roles="tomcat,certs"/>
in tomcat-users. It must be the full DN of the user certificate.

HTH,

Mark

Mahesh S Kudva wrote:
> Hi 
> 
> It seems like a silly question. But I am new to SSL and Certificates as 
> well as Tomcat.
> 
> If my machine's IP is 192.168.0.1 then I access tomcat as 
> https://192.168.0.1:8443. Keeping this in mind should I give the Common Name 
> as 192.168.0.1 ??? 
> 
> How do I specify the client info in the tomcat-users.xml?
> 
> <user name=mahesh password=kudva role="admin">
> 
> This is how my tomcat-users.xml file looks like. 
> 
> Regards & Thanks
> ================
> Mahesh S Kudva
> 
> 
> -----Original Message-----
> From: "lercoli" <lercoli@dynaproc.com>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Date: Tue, 3 May 2005 14:33:46 +0200
> Subject: Re: Client Authentication
> 
> 
>>CA and Tomcat common name should be the same (localhost or better your
>>DNS).
>>First and Last Name of client should be the name of a Tomcat user declared
>>in tomcat-users.xml.
>>
>>Luca Ercoli
>>
>>----- Original Message ----- 
>>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>Sent: Tuesday, May 03, 2005 1:41 PM
>>Subject: Re: Client Authentication
>>
>>
>>
>>>Hi
>>>
>>>What kind of information do I need to put in the fields of First and Last
>>>name and Common name. Will any information do or is it required that I
>>>need to put in the server address in the client.p12 certificate..
>>>
>>>Regards & Thanks
>>>================
>>>Mahesh S Kudva
>>>
>>>
>>>-----Original Message-----
>>>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
>>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>Date: Mon, 02 May 2005 23:04:50 +0530
>>>Subject: Re: Client Authentication
>>>
>>>
>>>>Hi
>>>>
>>>>I tried with client.p12 first, when i failed I went on with
>>>>client_cert.x509. I placed it in the personal folder ...
>>>>
>>>>Regards & Thanks
>>>>================
>>>>Mahesh S Kudva
>>>>
>>>>
>>>>-----Original Message-----
>>>>From: "lercoli" <lercoli@dynaproc.com>
>>>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
>>>>Date: Mon, 2 May 2005 17:31:54 +0200
>>>>Subject: Re: Client Authentication
>>>>
>>>>
>>>>>You should import only client.p12 certificate in IE browser and
>>>>>when IE asks you in which folder you want to put it select Personal
>>>>>Folder.
>>>>>
>>>>>I hope it helps you.
>>>>>
>>>>>Luca Ercoli
>>>>>
>>>>>
>>>>>----- Original Message ----- 
>>>>>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
>>>>>To: <tomcat-user@jakarta.apache.org>
>>>>>Sent: Monday, May 02, 2005 5:08 PM
>>>>>Subject: Client Authentication
>>>>>
>>>>>
>>>>>
>>>>>>Dear All
>>>>>>
>>>>>>I've been able to set up Tomcat 5.0.30 successfully on port 8443. I
>>>>>>want to use client authentication. Hence I've enabled clientAuth=true
>>>>>>in server.xml
>>>>>>
>>>>>>Running on Mac OS X these were the commands to create a CA and sign a
>>>>>>certificate using this CA.
>>>>>>
>>>>>>Creating a new CA:
>>>>>>1) perl CA.pl -newca
>>>>>>
>>>>>>Certificate request using openssl:
>>>>>>1) perl CA.pl -newreq
>>>>>>2) perl CA.pl -sign
>>>>>>3) mv newreq.pem client_req.pem
>>>>>>4) mv newcert.pem client_cert.pem
>>>>>>5) openssl rsa < client_req.pem > client_key.pem
>>>>>>6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out
>>>>>>   client.p12
>>>>>>
>>>>>>For Tomcat using Java keytool to request certificate:
>>>>>>1) openssl x509 -in server_cert.pem -out server.x509
>>>>>>2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem
>>>>>>   -out server.p12
>>>>>>3) keytool -genkey -alias meAsClient -storepass changeit
>>>>>>4) keytool -certreq -alias measclient -file client.csr -storepass changeit
>>>>>>5) openssl x509 -req -CA demoCA/cacert.pem -CAkey
>>>>>>   demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER
>>>>>>   -out client_cert.x509 -CAcreateserial
>>>>>>6) keytool -import -alias butterflyCA -keystore /Syst.. ..urity/cacerts
>>>>>>   -file ../CA/demoCA/cacert.pem
>>>>>>7) keytool -import -alias measclient -keystore clientstore -trustcacerts
>>>>>>   -file client_cert.x509
>>>>>>
>>>>>>
>>>>>>Following these commands I don't get any errors. I then import the
>>>>>>cacert.pem, the ROOT CA certificate and the client.p12 and
>>>>>>client_cert.x509 to the browser I.E 6.0. But still there is a popup
>>>>>>requesting the client's identity and it asks me to select a
>>>>>>certificate and no certificates are displayed.
>>>>>>
>>>>>>How can I go about this?
>>>>>>
>>>>>>
>>>>>>All suggestions and ideas are welcome.
>>>>>>
>>>>>>
>>>>>>
>>>>>>Regards & Thanks
>>>>>>================
>>>>>>Mahesh S Kudva
>>>>>>
>>>>>>
>>>>>>
>>>>>>-------------------------------------------------------
>>>>>>Robosoft Technologies - Partners in Product Development
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>
>>>
>>>-------------------------------------------------------
>>>Robosoft Technologies - Partners in Product Development
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 
> 
> -------------------------------------------------------
> Robosoft Technologies - Partners in Product Development
> 
> 
> 
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
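The DN-matching rule Mark describes above (the username attribute must be the full subject DN of the user certificate), as an added example that is not part of any post in this thread and not Tomcat's own code. The script loads a constructed tomcat-users.xml modelled on Mark's entry and resolves a client certificate's subject DN to roles the way Tomcat's realm does, by looking the DN up as a plain username string, so the comparison is exact. It separately reports a match that only holds after normalising whitespace and attribute-type case, because that is the usual reason a cert that "looks right" is still rejected. The function names, the sample XML and the sample DNs are all constructed for this example.

```python
"""Added example: map a client certificate subject DN to a tomcat-users.xml
entry the way Tomcat's MemoryRealm does (exact match on the username attribute).
The XML below and the DNs are constructed, modelled on the entry in the thread."""
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml. With CLIENT-CERT authentication the password
# attribute is not consulted, which is why the thread's entry carries "null".
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="certs"/>
  <role rolename="admin"/>
  <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB"
        password="null" roles="tomcat,certs"/>
  <user username="mahesh" password="kudva" roles="admin"/>
</tomcat-users>
"""

# Constructed subject DN in the form the JVM renders it (", " separators).
CLIENT_SUBJECT_DN = "CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB"


def split_dn(dn):
    """Split an RFC 2253-style DN into (TYPE, value) pairs.

    Handles backslash-escaped commas inside values; quoted values and
    multi-valued RDNs are not handled (typical user certs need neither)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr_type, value = part.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form used only for diagnostics: no spaces around separators,
    attribute types upper-cased. Tomcat itself does NOT normalise."""
    return ",".join("%s=%s" % (t, v) for t, v in split_dn(dn))


def load_users(xml_text):
    """Return {username: set(roles)} from tomcat-users.xml.

    MemoryRealm reads the attributes username/password/roles; an element
    written with name=/role= (as in the question) defines no usable user."""
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.iter("user"):
        name = user.get("username")
        if name is None:
            raise ValueError("<user> without username attribute: %r" % user.attrib)
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        users[name] = roles
    return users


def lookup_cert_user(users, subject_dn):
    """Resolve a client certificate subject to roles.

    Returns (roles, "exact") for the lookup Tomcat actually performs,
    (roles, "normalized") when only formatting differs (Tomcat would still
    reject the login; fix the username attribute), or (None, "none")."""
    if subject_dn in users:
        return users[subject_dn], "exact"
    target = normalize_dn(subject_dn)
    for name, roles in users.items():
        try:
            if normalize_dn(name) == target:
                return roles, "normalized"
        except ValueError:
            continue  # plain usernames such as "mahesh" are not DNs
    return None, "none"


if __name__ == "__main__":
    realm_users = load_users(TOMCAT_USERS_XML)
    for dn in (CLIENT_SUBJECT_DN,
               "CN=Mark Thomas,OU=Jakarta,O=Apache,L=London,C=GB",
               "CN=mahesh, O=Robosoft, C=IN"):
        print(dn, "->", lookup_cert_user(realm_users, dn))
```

The string Tomcat compares is the subject as the JVM renders it, with comma-space separators as in Mark's entry; openssl's traditional slash-separated subject output (/C=GB/L=London/...) is a different string and will not match if pasted into the username attribute. A "normalized" result from the script therefore means the entry has to be retyped in the JVM's form, not that the login would succeed.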

