tomcat-users mailing list archives

From "Steinberger, Richard" <Richard.Steinber...@mantech-ist.com>
Subject Client Certificate Authentication Failure
Date Thu, 03 Nov 2005 17:05:48 GMT
 

 Hello All!

 

I am trying to set up client certificate authentication in 5.5.12 on
Windows.

 

I am getting the following error page....

 

HTTP Status 401 - Cannot authenticate with the provided credentials

________________________________________

type Status report

message Cannot authenticate with the provided credentials

description This request requires HTTP authentication (Cannot
authenticate with the provided credentials).

________________________________________

Apache Tomcat/5.5.12

 

 

With the following dumped to the log.....

 

INFO:           isSecure=true
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:           authType=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:      contentLength=-1
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:        contentType=text/html;charset=utf-8
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Pragma=No-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Cache-Control=no-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Expires=Wed, 31 Dec 1969 19:00:00 EST
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:            message=Cannot authenticate with the provided credentials
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:         remoteUser=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             status=401

 

The log entry...

"authType=null"

confuses me.

 

 

The log entry...

"header=Expires=Wed, 31 Dec 1969 19:00:00 EST"

...makes it look like the server is not getting the user cert, so is
failing to authenticate because of an apparently expired certificate,
based on a (default?) date in the past.

I have tried this with two certificates, with two different signers, all
with valid dates, and still get the same result.

 

 

Here is the connector...

 

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:\\CACerts\\prod\\.keystore"
               keystoreType="JKS" keystorePass="changeit"
               truststoreFile="C:\\CACerts\\prod\\.truststore"
               truststoreType="JKS" truststorePass="changeit" />

 

 

By switching the <login-config> to FORM I can log in just fine over
https.

Also, turning off clientAuth works fine.

 

My feeling is that the certificates are OK, but that I am missing a
config setting.

 

I am doing this testing on my local machine, with a fresh, default
install.

 

Any input would be appreciated.

 

Rick

 

 

 

