tomcat-users mailing list archives

From "Mahesh S Kudva" <mahesh.ku...@robosoftin.com>
Subject Re: Client Authentication
Date Tue, 10 May 2005 15:21:08 GMT
Hi All

Nothing seems to work out for me with client auth. Here is what I've done

CA and Certificates
1) perl CA.pl -newca
2) perl CA.pl -newreq
3) perl CA.pl -sign
4) openssl rsa < newreq.pem > server_key.pem
5) mv newcert.pem server_cert.pem  
6) mv newreq.pem server_req.pem
7) perl CA.pl -newreq
8) perl CA.pl -sign
9) mv newreq.pem client_req.pem
10) mv newcert.pem client_cert.pem
11) openssl rsa < client_req.pem > client_key.pem
12) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out 
    client.p12
13) openssl x509 -in server_cert.pem -out server.x509
14) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem 
               -out server.p12  
15) keytool -genkey -alias tomcat -storepass changeit
16) keytool -import -alias TomcatCA -file demoCA/cacert.pem

I then import the CA's self-signed certificate to the client's machine 
along with the p12 certificate

My Tomcat-users.xml file

<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="certs"/>
  <role rolename="admin"/>
  <user username="mahesh" password="mahesh" roles="admin,manager"/>
  <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN" password="" roles="tomcat,certs"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>



Where am I going wrong? Even if the certificates are in the client's 
machine the certificate identity window always pops up


Regards & Thanks
================
Mahesh S Kudva
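An added example (not part of the thread; the sample subject line and tomcat-users.xml fragment are constructed): given the subject that `openssl x509 -noout -subject` prints for client_cert.pem, derive the username string Tomcat expects (the DN form shown in Mark's reply) and check an existing tomcat-users.xml for it, so a mismatch in RDN order or spacing is caught before the browser prompt is blamed.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

def parse_openssl_subject(line):
    """RDNs of an `openssl x509 -noout -subject` line as (type, value) pairs in
    certificate order. Accepts the legacy '/C=IN/ST=Kar/...' form and the
    OpenSSL 1.1+ default 'C = IN, ST = Kar, ...' form."""
    body = re.sub(r"^\s*subject\s*=\s*", "", line.strip())
    parts = body[1:].split("/") if body.startswith("/") else body.split(",")
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        if attr.strip():
            rdns.append((attr.strip(), value.strip()))
    return rdns

def tomcat_username(line):
    """The DN string Tomcat 5 compares against the username: what Java's
    getSubjectDN().getName() returns, i.e. most-specific RDN first, joined
    with ', '. (Newer Tomcat defaults to RFC 2253 output: ',' with no space.)"""
    return ", ".join(f"{a}={v}" for a, v in reversed(parse_openssl_subject(line)))

def user_element(line, roles):
    """A <user> entry for tomcat-users.xml. The password is not checked for a
    certificate login, so it is left empty; values are XML-escaped."""
    return (f"<user username={quoteattr(tomcat_username(line))} "
            f'password="" roles={quoteattr(",".join(roles))}/>')

def has_cert_user(tomcat_users_xml, line):
    """True if the tomcat-users.xml text already has a user named by the DN."""
    wanted = tomcat_username(line)
    root = ET.fromstring(tomcat_users_xml)
    return any(u.get("username") == wanted for u in root.iter("user"))

# Constructed sample input, mirroring the DN used in the thread.
SAMPLE_SUBJECT = "subject= /C=IN/ST=Kar/L=UDP/O=Robosoft/OU=SAD/CN=Mahesh"
SAMPLE_USERS_XML = """<tomcat-users>
  <role rolename="certs"/>
  <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN"
        password="" roles="tomcat,certs"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(tomcat_username(SAMPLE_SUBJECT))
    print(user_element(SAMPLE_SUBJECT, ["tomcat", "certs"]))
    print(has_cert_user(SAMPLE_USERS_XML, SAMPLE_SUBJECT))
```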


-----Original Message-----
From: Mark Thomas <markt@apache.org>
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Date: Tue, 03 May 2005 23:00:57 +0100
Subject: Re: Client Authentication

> The CN for your server cert can be anything you like but you will get a
> warning in your browser if the CN differs from how you express it in
> the URL.
> 
> The user needs to look something like this
> <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB" 
> password="null" roles="tomcat,certs"/>
> in tomcat-users. It must be the full DN of the user certificate.
> 
> HTH,
> 
> Mark
> 
> Mahesh S Kudva wrote:
> > Hi 
> > 
> > It seems like a silly question. But I am new to SSL and Certificates as
> > well as Tomcat.
> > 
> > If my machine's IP is 192.168.0.1 then I access tomcat as 
> > https://192.168.0.1:8443. Keeping this in mind should I give the Common
> > Name as 192.168.0.1 ??? 
> > 
> > How do I specify the client info in the tomcat-users.xml?
> > 
> > <user name=mahesh password=kudva role="admin">
> > 
> > This is how my tomcat-users.xml file looks like. 
> > 
> > Regards & Thanks
> > ================
> > Mahesh S Kudva
> > 
> > 
> > -----Original Message-----
> > From: "lercoli" <lercoli@dynaproc.com>
> > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > Date: Tue, 3 May 2005 14:33:46 +0200
> > Subject: Re: Client Authentication
> > 
> > 
> >>CA and Tomcat  common name should be the same (localhost or better your
> >>DNS).
> >>First and Last Name of client should be the name of a Tomcat user declared
> >>in tomcat-users.xml.
> >>
> >>Luca Ercoli
> >>
> >>----- Original Message ----- 
> >>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
> >>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> >>Sent: Tuesday, May 03, 2005 1:41 PM
> >>Subject: Re: Client Authentication
> >>
> >>
> >>
> >>>Hi
> >>>
> >>>What kind of information do I need to put in the fields of First and Last
> >>>name and Common name. Will any information do or is it required that I
> >>>need to put in the server address in the client.p12 certificate..
> >>>
> >>>Regards & Thanks
> >>>================
> >>>Mahesh S Kudva
> >>>
> >>>
> >>>-----Original Message-----
> >>>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
> >>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> >>>Date: Mon, 02 May 2005 23:04:50 +0530
> >>>Subject: Re: Client Authentication
> >>>
> >>>
> >>>>Hi
> >>>>
> >>>>I tried with client.p12 first, when I failed I went on with
> >>>>client_cert.x509. I placed it in the personal folder ...
> >>>>
> >>>>Regards & Thanks
> >>>>================
> >>>>Mahesh S Kudva
> >>>>
> >>>>
> >>>>-----Original Message-----
> >>>>From: "lercoli" <lercoli@dynaproc.com>
> >>>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> >>>>Date: Mon, 2 May 2005 17:31:54 +0200
> >>>>Subject: Re: Client Authentication
> >>>>
> >>>>
> >>>>>You should import only client.p12 certificate in IE browser and
> >>>>>when IE asks you in which folder you want to put it select Personal
> >>>>>Folder.
> >>>>>
> >>>>>I hope it helps you.
> >>>>>
> >>>>>Luca Ercoli
> >>>>>
> >>>>>
> >>>>>----- Original Message ----- 
> >>>>>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
> >>>>>To: <tomcat-user@jakarta.apache.org>
> >>>>>Sent: Monday, May 02, 2005 5:08 PM
> >>>>>Subject: Client Authentication
> >>>>>
> >>>>>
> >>>>>
> >>>>>>Dear All
> >>>>>>
> >>>>>>I've been able to setup Tomcat 5.0.30 successfully on port 8443. I
> >>>>>>want to use client authentication. Hence I've enabled clientAuth=true
> >>>>>>in server.xml
> >>>>>>
> >>>>>>Running on Mac OS X these were the commands to create a CA and sign a
> >>>>>>certificate using this CA.
> >>>>>>
> >>>>>>Creating a new CA:
> >>>>>>1) perl CA.pl -newca
> >>>>>>
> >>>>>>Certificate request using openssl:
> >>>>>>1) perl CA.pl -newreq
> >>>>>>2) perl CA.pl -sign
> >>>>>>3) mv newreq.pem client_req.pem
> >>>>>>4) mv newcert.pem client_cert.pem
> >>>>>>5) openssl rsa < client_req.pem > client_key.pem
> >>>>>>6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out
> >>>>>>   client.p12
> >>>>>>
> >>>>>>For Tomcat using Java keytool to request certificate:
> >>>>>>1) openssl x509 -in server_cert.pem -out server.x509
> >>>>>>2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem
> >>>>>>   -out server.p12
> >>>>>>3) keytool -genkey -alias meAsClient -storepass changeit
> >>>>>>4) keytool -certreq -alias measclient -file client.csr -storepass changeit
> >>>>>
> >>>>>>5) openssl x509   -req -CA demoCA/cacert.pem -CAkey
> >>>>>>   demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER
> >>>>>>   -out client_cert.x509 -CAcreateserial
> >>>>>>6) keytool -import -alias butterflyCA -keystore /Syst.. ..urity/cacerts
> >>>>>>   -file ../CA/demoCA/cacert.pem
> >>>>>>7) keytool -import -alias measclient -keystore clientstore -trustcacerts
> >>>>>>   -file client_cert.x509
> >>>>>>
> >>>>>>
> >>>>>>Following these commands I don't get any errors. I then import the
> >>>>>>cacert.pem, the ROOT CA certificate and the client.p12 and
> >>>>>>client_cert.x509 to the browser I.E 6.0. But still there is a popup
> >>>>>>requesting for the client's identity and it asks me to select a
> >>>>>>certificate and no certificates are displayed.
> >>>>>>
> >>>>>>How can I go about this?
> >>>>>>
> >>>>>>
> >>>>>>All suggestion and ideas are welcome.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>Regards & Thanks
> >>>>>>================
> >>>>>>Mahesh S Kudva
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>-------------------------------------------------------
> >>>>>>Robosoft Technologies - Partners in Product Development
> >>>>>>
> >>>>>>---------------------------------------------------------------------
> >>>>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>>>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 




