From: Jose Rafael Romero Miret
Date: Mon, 29 Jan 2007 10:24:44 +0100
To: Tomcat Users List, arrow.toni@libero.it
Subject: Re: Cannot authenticate client with Tomcat 5.0.28

arrow.toni@libero.it wrote:
> Hi everyone,
>
> I work for a municipality; we need to implement a service that can log users in (from a browser) by electronic identity card.
> I've installed a card reader, and created an https connector for tomcat 5.5 this way:
>
>     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" debug="99" scheme="https" secure="true"
>     clientAuth="true" sslProtocol="TLS"
>     keystoreFile="mypath/tomcat.jks"
>     keystorePass="*****" keystoreType="JKS"
>     truststoreFile="mypath/tomcat.jks"
>     truststorePass="*****" truststoreType="JKS" />
>
> For server authentication, I've created a self-signed certificate using the java tool keytool:
>
>     keytool -genkey -v -alias tomcat -keyalg RSA -validity 3650 -keystore mypath\tomcat.jks
>
> because I don't need to obtain a trusted certificate from a certification authority.
> The problem is for the client.
> When I insert a smartcard, the card reader software installs a card certificate in Internet Explorer and in Firefox. This certificate is at the "bottom" of a chain of 3 certificates, so I downloaded the chain of certificates via web, then installed the chain in both browsers, then added the root CA certificate to the truststore repository of the server:
>
>     keytool -import -v -file pathToCer\root.cer -keystore mypath\tomcat.jks -trustcacerts
>
> This, according to instructions found on the Internet, should be enough for tomcat to recognize the client certificate.
> But when trying to access https://myservername:7443
> I get "Error estabilishing an ecrypted connection Error code: -12222" with Firefox; Explorer instead prompts me asking for the pin of the card (this is necessary I think to use the private key in the card), then "Cannot display page" (or something similar, I've installed the browser in a non-English language).
>
> I tested the server trying to replace the browser certificate with another self-signed certificate, then importing it in the truststore, and it works well.
> So I think it's a problem of how the client certificate is stored in the truststore file.
> I also tried to import all certificates in the truststore (the client card certificate, the intermediate cert., the root cert.) but it doesn't work.
>
> Can anybody help me? I'm sure I did something wrong importing certificates but I can't understand what.
> Thanks!
>
> Castalia
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

Hej, I had the same problem last week. It seems that when you install Tomcat, APR is also installed, so the configuration for SSL is different. Try with:

*** are your actual password...

Works for me, good luck!
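The reply's point is that once the APR/tcnative listener is active, the HTTPS connector is OpenSSL-backed and reads the SSL* attribute family (SSLCertificateFile, SSLCertificateKeyFile, SSLCACertificateFile, SSLVerifyClient) rather than the JSSE keystoreFile/truststoreFile ones the original poster configured. The following checker is an added example, not code from either poster or from Tomcat; the audit_connectors function and the sample server.xml are constructed here, modelled on the original poster's connector, and the attribute names are those documented for the Tomcat 5.5 JSSE and APR connectors.

```python
import xml.etree.ElementTree as ET

# Attribute families of the two Tomcat 5.5 HTTPS connector implementations.
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "clientAuth",
              "truststoreFile", "truststorePass", "truststoreType"}
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile",
             "SSLVerifyClient", "SSLProtocol", "SSLPassword"}

# Constructed sample: the original poster's connector attributes under the
# AprLifecycleListener that Tomcat 5.5's stock server.xml declares.
SAMPLE_SERVER_XML = """
<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service>
    <Connector port="7443" maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" debug="99"
               keystoreFile="mypath/tomcat.jks" keystorePass="changeit" keystoreType="JKS"
               truststoreFile="mypath/tomcat.jks" truststorePass="changeit" truststoreType="JKS"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml: str) -> list:
    """Return findings for every secure="true" <Connector> in a server.xml document."""
    root = ET.fromstring(server_xml.strip())
    apr_loaded = any(l.get("className", "").endswith("AprLifecycleListener")
                     for l in root.iter("Listener"))
    findings = []
    for c in root.iter("Connector"):
        if c.get("secure") != "true":
            continue
        jsse, apr = set(c.attrib) & JSSE_ATTRS, set(c.attrib) & APR_ATTRS
        # With tcnative loaded the connector is OpenSSL-backed and reads only SSL* attributes.
        if apr_loaded and jsse and not apr:
            findings.append("APR listener present but only JSSE keystore/truststore "
                            "attributes set: use SSLCertificateFile, SSLCertificateKeyFile, "
                            "SSLCACertificateFile and SSLVerifyClient instead")
        if not apr_loaded and apr and not jsse:
            findings.append("SSL* attributes set but no AprLifecycleListener: they are ignored")
        # The client certificate must actually be requested, or the card is never consulted.
        if jsse and c.get("clientAuth") != "true":
            findings.append("clientAuth is not 'true'")
        if apr and c.get("SSLVerifyClient") not in ("require", "optional"):
            findings.append("SSLVerifyClient does not request a client certificate")
        if jsse and "truststoreFile" not in c.attrib:
            findings.append("no truststoreFile: nothing to validate the card's CA chain against")
        if c.get("debug") == "99":
            findings.append('debug="99" turns on maximum debug logging')
    return findings
```

Run it against your own server.xml before rebuilding keystores: if the first finding fires, no amount of keytool importing will make the JSSE truststore matter.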