tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: CLIENT-CERT / Error : null cert chain
Date Sun, 17 Jul 2005 16:35:33 GMT
A few pointers:

1. The trust store is the list of trusted CAs, not the list of trusted 
client certificates. The CA that issued your client cert must be in the 
trust store.

2. You need to modify your user details in your realm. If you are using 
tomcat-users.xml it should look something like this:
...
<user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, 
ST=London, C=GB" password="null" roles="tomcat,certs"/>
...

HTH

Mark

Pascal Chanteux wrote:
> Hi,
> 
> I want to configure Tomcat/4.1.27 in order to use the client
> certificate authentication. I first set up the SSL connector following
> the How-To.
> So now my site runs under SSL without any problem.
> 
> Next, I build the client certificate with keytool, and store it into a
> file ( trust.keystore ). In my web.xml I change my BASIC into
> CLIENT-CERT :
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> <realm-name>Client certificate auth.</realm-name>
> </login-config>
> 
> and in my server.xml :
> 
> <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> port="8443" minProcessors="5" maxProcessors="75"
> enableLookups="true"
> acceptCount="100" debug="0" scheme="https" secure="true"
> useURIValidationHack="false" disableUploadTimeout="true">
> 
> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> clientAuth="false" protocol="TLS"
> truststoreFile="c:\keystores\trust.keystore"
> />
> </Connector>
> 
> When I connect to my protected JSP, I always get an error on tomcat :
> 
> 13-jul-2005 11:19:25 org.apache.tomcat.util.net.jsse.JSSE14Support
> synchronousHandshake
> INFO: SSL Error getting client Certs
> javax.net.ssl.SSLHandshakeException: null cert chain
>         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
>         at java.io.InputStream.read(InputStream.java:88)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
>         at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:158)
>         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:786)
>         at org.apache.coyote.Request.action(Request.java:367)
>         at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:799)
>         at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
>         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2416)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:601)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:392)
>         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
>         at java.lang.Thread.run(Thread.java:536)
> 
> I don't know if my configuration is OK. Where can the problem be?
> Does anyone have an idea?
> 
> Thanks a lot
> 
> Pascal.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
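Added example, not part of Mark's reply and not Tomcat code: a small Java program that performs the two checks behind Mark's pointers against a trust store and a client certificate. It builds an X509TrustManager from the JKS file the connector's truststoreFile points at and runs checkClientTrusted on the client certificate, which is the same JSSE decision that produces "null cert chain"-style failures when the issuing CA is missing (pointer 1), and it prints the subject DN with getSubjectDN().getName(), the ", "-separated form Mark's tomcat-users.xml entry shows, so it can be pasted as the username (pointer 2). The class name and the file paths are placeholders; the trust store is assumed to be JKS and the client certificate PEM or DER encoded.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Hypothetical diagnostic (not part of Tomcat).
 * Usage: java CheckClientCert <truststore.jks> <storepass> <client-cert.pem>
 * All three arguments are placeholders for your own files.
 */
public class CheckClientCert {

    /* Build the trust manager from the trust store, the way JSSE does for
     * the connector's truststoreFile. Only CA certificates in here matter. */
    static X509TrustManager trustManagerFor(String storePath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /* Read the client certificate (or its whole chain, leaf first) from a
     * PEM or DER file. */
    static X509Certificate[] readChain(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certPath)) {
            return cf.generateCertificates(in).stream()
                     .map(c -> (X509Certificate) c)
                     .toArray(X509Certificate[]::new);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CheckClientCert <truststore> <storepass> <client-cert.pem>");
            System.exit(2);
        }
        X509TrustManager tm = trustManagerFor(args[0], args[1].toCharArray());
        X509Certificate[] chain = readChain(args[2]);

        /* Pointer 1: show what the trust store really holds. If the only
         * entry is the client certificate itself, no CA is trusted. */
        System.out.println("Trusted issuers in " + args[0] + ":");
        for (X509Certificate ca : tm.getAcceptedIssuers()) {
            System.out.println("  " + ca.getSubjectX500Principal().getName());
        }

        /* The same check JSSE applies to the client's certificate during the
         * handshake; it passes only if the issuing CA is a trusted issuer. */
        try {
            tm.checkClientTrusted(chain, "RSA");
            System.out.println("Client certificate chains to a trusted CA.");
        } catch (CertificateException e) {
            System.out.println("Client certificate is NOT trusted: " + e.getMessage());
            System.out.println("Its issuer is: " + chain[0].getIssuerX500Principal().getName());
            System.out.println("Import that CA certificate into the trust store.");
            System.exit(1);
        }

        /* Pointer 2: the realm compares the subject DN as a string, so this
         * exact text must be the username in tomcat-users.xml. */
        System.out.println("username for tomcat-users.xml: " + chain[0].getSubjectDN().getName());
    }
}
```

Run it once with the trust store the connector uses and once with the keystore that holds the client certificate: the first should list the CA as an accepted issuer and pass, the second shows why a trust store built from the client certificate alone does not help. Note that getSubjectDN().getName() and getSubjectX500Principal().getName() render the same DN differently (spaces after the commas versus RFC 2253 without them); use the form that matches what your Tomcat version passes to the realm.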