tomcat-users mailing list archives

From "Mahesh S Kudva" <mahesh.ku...@robosoftin.com>
Subject Re: Client Authentication
Date Tue, 17 May 2005 17:17:57 GMT
Hi all

I sorted it out. Thanks for your help.

These are the steps I followed. Hope it helps someone.

1) perl CA.pl -newca    (create a new CA)
2) perl CA.pl -newreq   (new client request)
3) perl CA.pl -sign     (sign the certificate request)
4) openssl rsa < newreq.pem > client_key.pem  (extract the RSA key)
5) mv newreq.pem client_req.pem    (renaming for your identification)
6) mv newcert.pem client_cert.pem  (renaming for your identification)
7) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12    (generate a pkcs12 certificate)
8) keytool -genkey -alias tomcat -keyalg RSA   (generate your keystore)
9) keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr   (generate a request for tomcat)
10) openssl x509 -req -CA democa/cacert.pem -CAkey democa/private/cakey.pem -extensions v3_ca -in tomcat.csr -inform DER -out tomcat.x509 -CAcreateserial      (signs the tomcat certificate request with your CA)
11) keytool -import -alias MyRootCA -keystore JAVA_HOME/jre/lib/security/cacerts -file democa/cacert.pem   (import the CA's self-signed certificate into the truststore)
12) keytool -import -alias tomcat -file tomcat.x509

Import both the democa/cacert.pem and client.p12 to the clients machine.

In your server.xml file enable client authentication by changing 
clientauth="true" and that's it.

Regards & Thanks
================
Mahesh S Kudva
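
An added example, not code from the thread: the same artifacts as steps 1-12 above, built with openssl alone and checked before any of them goes near Tomcat or a browser. The names are assumptions taken from the thread (the client DN CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN, the server address 192.168.0.1, the password changeit and a role called certs), and the helper names (build_pki, sign_csr, verify_cert, cert_is_ca, client_dn, tomcat_user_entry, import_ca_truststore) are this example's own. It goes beyond the steps above in two ways: the Tomcat certificate is issued as an end-entity certificate (basicConstraints CA:FALSE, extendedKeyUsage serverAuth, a subjectAltName for the IP) rather than with the v3_ca section, and the server key is generated with openssl and packed into a PKCS#12 file (usable with keystoreType="PKCS12") instead of being created with keytool -genkey, so the only keytool step left is trusting the CA.

```shell
#!/bin/sh
# Added example, not code from the thread: the pieces built in steps
# 1-12 above, made with openssl only and checked before use. Names
# (Demo CA, 192.168.0.1, changeit, role "certs") are assumptions.
set -eu

# Extension profiles. The Tomcat cert is NOT a CA: signing it with
# the v3_ca section (step 10 above) would let it issue certificates.
write_ext_cnf() {
    cat > "$1/ext.cnf" <<'EOF'
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.0.1
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

new_csr() {   # dir name "/C=../CN=.." : fresh RSA key + CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

sign_csr() {  # dir name ext_section : issue a cert from the CA
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/ext.cnf" -extensions "$3" \
        -out "$1/$2.pem" 2>/dev/null
}

build_pki() {  # dir
    mkdir -p "$1"; write_ext_cnf "$1"
    # CA: self-signed root (what CA.pl -newca produces)
    new_csr "$1" ca "/CN=Demo CA"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 365 \
        -extfile "$1/ext.cnf" -extensions ca_ext -out "$1/ca.pem" 2>/dev/null
    # client: this DN becomes the Tomcat username
    new_csr "$1" client "/C=IN/ST=Kar/L=UDP/O=Robosoft/OU=SAD/CN=Mahesh"
    sign_csr "$1" client client_ext
    # server: CN is the address in the URL, the SAN is what clients match
    new_csr "$1" tomcat "/CN=192.168.0.1"
    sign_csr "$1" tomcat server_ext
    # PKCS#12: client.p12 for the browser, tomcat.p12 for the connector
    # (keystoreType="PKCS12"); both carry the CA cert as the chain
    for n in client tomcat; do
        openssl pkcs12 -export -in "$1/$n.pem" -inkey "$1/$n.key" \
            -certfile "$1/ca.pem" -name "$n" -passout pass:changeit \
            -out "$1/$n.p12"
    done
}

# Does the CA vouch for this cert for that purpose (sslclient|sslserver)?
verify_cert() {  # ca.pem cert.pem purpose
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# "yes" if basicConstraints says CA:TRUE, else "no"
cert_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Subject DN in the "CN=..., OU=..., C=.." form the thread uses
client_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/,/, /g'
}

# tomcat-users.xml entry for a client cert; the password is unused
tomcat_user_entry() {  # cert.pem [roles]
    printf '<user username="%s" password="null" roles="%s"/>\n' \
        "$(client_dn "$1")" "${2:-certs}"
}

# Step 11 above, into a dedicated truststore instead of the JRE's
# cacerts; skipped when keytool is not installed
import_ca_truststore() {  # dir
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 0; }
    keytool -importcert -noprompt -alias MyRootCA -file "$1/ca.pem" \
        -keystore "$1/truststore.jks" -storepass changeit
}

# Run with: DEMO_PKI_DIR=./pki sh mtls-demo.sh
if [ -n "${DEMO_PKI_DIR:-}" ]; then
    build_pki "$DEMO_PKI_DIR"
    verify_cert "$DEMO_PKI_DIR/ca.pem" "$DEMO_PKI_DIR/client.pem" sslclient
    verify_cert "$DEMO_PKI_DIR/ca.pem" "$DEMO_PKI_DIR/tomcat.pem" sslserver
    echo "tomcat cert is a CA: $(cert_is_ca "$DEMO_PKI_DIR/tomcat.pem")"
    tomcat_user_entry "$DEMO_PKI_DIR/client.pem"
    import_ca_truststore "$DEMO_PKI_DIR"
fi
```

The Connector attribute is spelled clientAuth. Tomcat takes the username from the subject DN of the presented client certificate, so the string tomcat_user_entry prints is exactly what has to appear in tomcat-users.xml; a one-character difference in the DN is the usual reason a valid certificate is accepted by the TLS layer and then rejected by the realm. An empty certificate list in the browser's prompt, the other symptom in this thread, means the browser holds no client certificate whose issuer is among the CAs the server advertises in its certificate request; running verify_cert against ca.pem before touching the browser rules that out on the server side.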


-----Original Message-----
From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Date: Fri, 13 May 2005 22:26:59 +0530
Subject: Re: Client Authentication

> Hi All
> 
> How do I go about client authentication?
> 
> Regards & Thanks
> ================
> Mahesh S Kudva
> 
> 
> -----Original Message-----
> From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Date: Tue, 10 May 2005 20:51:08 +0530
> Subject: Re: Client Authentication
> 
> Hi All
> 
> Nothing seems to work out for me with client auth. Here is what I've done
> 
> CA and Certificates
> 1) perl CA.pl -newca
> 2) perl CA.pl -newreq
> 3) perl CA.pl -sign
> 4) openssl rsa < newreq.pem > server_key.pem
> 5) mv newcert.pem server_cert.pem  
> 6) mv newreq.pem server_req.pem
> 7) perl CA.pl -newreq
> 8) perl CA.pl -sign
> 9) mv newreq.pem client_req.pem
> 10) mv newcert.pem client_cert.pem
> 11) openssl rsa < client_req.pem > client_key.pem
> 12) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
> 13) openssl x509 -in server_cert.pem -out server.x509
> 14) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
> 15) keytool -genkey -alias tomcat -storepass changeit
> 16) keytool -import -alias TomcatCA -file demoCA/cacert.pem
> 
> I then import the CA's self-signed certificate to the client's machine along with the p12 certificate
> 
> My Tomcat-users.xml file
> 
> <tomcat-users>
>   <role rolename="tomcat"/>
>   <role rolename="role1"/>
>   <role rolename="manager"/>
>   <role rolename="certs"/>
>   <role rolename="admin"/>
>   <user username="mahesh" password="mahesh" roles="admin,manager"/>
>   <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN" password="" roles="tomcat,certs"/>
>   <user username="tomcat" password="tomcat" roles="tomcat"/>
>   <user username="role1" password="tomcat" roles="role1"/>
>   <user username="both" password="tomcat" roles="tomcat,role1"/>
> </tomcat-users>
> 
> 
> 
> Where am I going wrong? Even if the certificates are in the client's machine, the certificate identity window always pops up
>   
> 
> 
> Regards & Thanks
> ================
> Mahesh S Kudva
> 
> 
> -----Original Message-----
> From: Mark Thomas <markt@apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Date: Tue, 03 May 2005 23:00:57 +0100
> Subject: Re: Client Authentication
> 
> > The CN for your server cert can be anything you like but you will get a warning in your browser if the CN differs from how you express it in the URL.
> > 
> > The user needs to look something like this
> > <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB"
> > password="null" roles="tomcat,certs"/>
> > in tomcat-users. It must be the full DN of the user certificate.
> > 
> > HTH,
> > 
> > Mark
> > 
> > Mahesh S Kudva wrote:
> > > Hi 
> > > 
> > > It seems like a silly question. But I am new to SSL and Certificates as well as Tomcat.
> > > 
> > > If my machine's IP is 192.168.0.1 then I access tomcat as https://192.168.0.1:8443. Keeping this in mind, should I give the Common Name as 192.168.0.1 ???
> > > 
> > > How do I specify the client info in the tomcat-users.xml?
> > > 
> > > <user name=mahesh password=kudva role="admin">
> > > 
> > > This is how my tomcat-users.xml file looks like. 
> > > 
> > > Regards & Thanks
> > > ================
> > > Mahesh S Kudva
> > > 
> > > 
> > > -----Original Message-----
> > > From: "lercoli" <lercoli@dynaproc.com>
> > > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > > Date: Tue, 3 May 2005 14:33:46 +0200
> > > Subject: Re: Client Authentication
> > > 
> > > 
> > >>CA and Tomcat common name should be the same (localhost or better your DNS).
> > >>First and Last Name of client should be the name of a Tomcat user declared in tomcat-users.xml.
> > >>
> > >>Luca Ercoli
> > >>
> > >>----- Original Message ----- 
> > >>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
> > >>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > >>Sent: Tuesday, May 03, 2005 1:41 PM
> > >>Subject: Re: Client Authentication
> > >>
> > >>
> > >>
> > >>>Hi
> > >>>
> > >>>What kind of information do I need to put in the fields of First and Last name and Common name. Will any information do or is it required that I need to put in the server address in the client.p12 certificate..
> > >>>
> > >>>Regards & Thanks
> > >>>================
> > >>>Mahesh S Kudva
> > >>>
> > >>>
> > >>>-----Original Message-----
> > >>>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
> > >>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > >>>Date: Mon, 02 May 2005 23:04:50 +0530
> > >>>Subject: Re: Client Authentication
> > >>>
> > >>>
> > >>>>Hi
> > >>>>
> > >>>>I tried with client.p12 first, when i failed I went on with
> > >>>>client_cert.x509. I placed it in the personal folder ...
> > >>>>
> > >>>>Regards & Thanks
> > >>>>================
> > >>>>Mahesh S Kudva
> > >>>>
> > >>>>
> > >>>>-----Original Message-----
> > >>>>From: "lercoli" <lercoli@dynaproc.com>
> > >>>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > >>>>Date: Mon, 2 May 2005 17:31:54 +0200
> > >>>>Subject: Re: Client Authentication
> > >>>>
> > >>>>
> > >>>>>You should import only client.p12 certificate in IE browser and when IE asks you in which folder you want to put it select Personal Folder.
> > >>>>>
> > >>>>>I hope it helps you.
> > >>>>>
> > >>>>>Luca Ercoli
> > >>>>>
> > >>>>>
> > >>>>>----- Original Message ----- 
> > >>>>>From: "Mahesh S Kudva" <mahesh.kudva@robosoftin.com>
> > >>>>>To: <tomcat-user@jakarta.apache.org>
> > >>>>>Sent: Monday, May 02, 2005 5:08 PM
> > >>>>>Subject: Client Authentication
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>>Dear All
> > >>>>>>
> > >>>>>>I've been able to set up Tomcat 5.0.30 successfully on port 8443. I want to use client authentication. Hence I've enabled clientAuth=true in server.xml
> > >>>>>>
> > >>>>>>Running on Mac OS X these were the commands to create a CA and sign a certificate using this CA.
> > >>>>>>
> > >>>>>>Creating a new CA:
> > >>>>>>1) perl CA.pl -newca
> > >>>>>>
> > >>>>>>Certificate request using openssl:
> > >>>>>>1) perl CA.pl -newreq
> > >>>>>>2) perl CA.pl -sign
> > >>>>>>3) mv newreq.pem client_req.pem
> > >>>>>>4) mv newcert.pem client_cert.pem
> > >>>>>>5) openssl rsa < client_req.pem > client_key.pem
> > >>>>>>6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
> > >>>>>>
> > >>>>>>For Tomcat using Java keytool to request certificate:
> > >>>>>>1) openssl x509 -in server_cert.pem -out server.x509
> > >>>>>>2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
> > >>>>>>3) keytool -genkey -alias meAsClient -storepass changeit
> > >>>>>>4) keytool -certreq -alias measclient -file client.csr -storepass changeit
> > >>>>>
> > >>>>>>5) openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER -out client_cert.x509 -CAcreateserial
> > >>>>>>6) keytool -import -alias butterflyCA -keystore /Syst.. ..urity/cacerts -file ../CA/demoCA/cacert.pem
> > >>>>>>7) keytool -import -alias measclient -keystore clientstore -trustcacerts -file client_cert.x509
> > >>>>>>
> > >>>>>>
> > >>>>>>Following these commands I don't get any errors. I then import the cacert.pem, the ROOT CA certificate, and the client.p12 and client_cert.x509 to the browser I.E 6.0. But still there is a popup requesting the client's identity and it asks me to select a certificate and no certificates are displayed.
> > >>>>>>
> > >>>>>>How can I go about this?
> > >>>>>>
> > >>>>>>
> > >>>>>>All suggestion and ideas are welcome.
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>Regards & Thanks
> > >>>>>>================
> > >>>>>>Mahesh S Kudva
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>-------------------------------------------------------
> > >>>>>>Robosoft Technologies - Partners in Product Development
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>
> > >>>>>>---------------------------------------------------------------------
> > >>>>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > >>>>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > >>>>
> > >>>>>>
> > >>>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>
> > >>
> > >>
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >
> > > 
> > > 
> > > 
> > 
> > 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 







