tomcat-users mailing list archives

From "Steinberger, Richard" <Richard.Steinber...@mantech-ist.com>
Subject RE: Client Certificate Authentication Failure
Date Thu, 03 Nov 2005 19:07:01 GMT
As a follow-up, the CAs are in the jre/.../cacerts store as well as
being in the .truststore

Rick

-----Original Message-----
From: Steinberger, Richard [mailto:Richard.Steinberger@mantech-ist.com] 
Sent: Thursday, November 03, 2005 12:06 PM
To: users@tomcat.apache.org
Subject: Client Certificate Authentication Failure

 

Hello All!

I am trying to set up client certificate authentication in 5.5.12 on
Windows.

 

I am getting the following error page....

 

HTTP Status 401 - Cannot authenticate with the provided credentials
________________________________________
type Status report
message Cannot authenticate with the provided credentials
description This request requires HTTP authentication (Cannot authenticate with the provided credentials).
________________________________________
Apache Tomcat/5.5.12

 

 

With the following dumped to the log.....

 

INFO:           isSecure=true
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:           authType=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:      contentLength=-1
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:        contentType=text/html;charset=utf-8
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Pragma=No-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Cache-Control=no-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Expires=Wed, 31 Dec 1969 19:00:00 EST
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:            message=Cannot authenticate with the provided credentials
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:         remoteUser=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             status=401

 

The log entry...

"authType=null"

confuses me.

The log entry...

"header=Expires=Wed, 31 Dec 1969 19:00:00 EST"

...makes it look like the server is not getting the user cert, so is
failing to authenticate because of an apparently expired certificate,
based on a (default?) date in the past.

I have tried this with two certificates, with two different signers, all
with valid dates, and still get the same result.

 

 

Here is the connector...

 

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:\\CACerts\\prod\\.keystore"
               keystoreType="JKS" keystorePass="changeit"
               truststoreFile="C:\\CACerts\\prod\\.truststore"
               truststoreType="JKS" truststorePass="changeit" />

 

 

By switching the <login-config> to FORM I can log in just fine over
https.

Also, turning off clientAuth works fine.

My feeling is that the certificates are OK, but that I am missing a
config setting.

 

I am doing this testing on my local machine, with a fresh, default
install.

 

Any input would be appreciated.

 

Rick