tomcat-users mailing list archives

From "Thilina Gunarathne" <cset...@gmail.com>
Subject Using X509 proxy certificate for single sign on using APR (grid security)
Date Tue, 04 Nov 2008 16:25:29 GMT
Hi,
I'm trying to support mutually authenticated SSL connections to Tomcat using
PEM-encoded X509 certificates. I use APR as mentioned in
http://tomcat.apache.org/tomcat-5.5-doc/apr.html. I have the mutual
authentication working well for normal certificates. We use our own CAs.
Our Tomcat setup is going to be used in conjunction with grid.

The problem came in when I tried using a proxy certificate [1] generated by
MyProxy [4] for the client side. The Tomcat server contains the certificate
of the CA, but does not contain the certificate of the user who
issued/signed the proxy certificate. Hence the proxy certificate file also
contains the public key of the user, as mentioned here [2]. The overall
format of the certificate has the following structure [3]:

       PEM-encoded proxy certificate
       PEM-encoded private key
       PEM-encoded public certificate of the user (delegator), to help create
       the certificate chain on the server side.

My question is whether APR+mod_ssl supports the above scenario of using a
public key contained in the client proxy file as an intermediary certificate
when building the trust path to the CA. If so, please provide me some
pointers to follow.

Also I'm curious to know whether there are any users who have supported
MyProxy-generated proxy certificates without using Globus security packages.

thanks,
Thilina

1. http://www.ietf.org/rfc/rfc3820.txt
2. http://gdp.globus.org/gt4-tutorial/multiplehtml/ch10s05.html#fig_sec_gsi_proxyvalidation
3. http://dev.globus.org/wiki/Security/ProxyFileFormat
4. http://grid.ncsa.uiuc.edu/myproxy/
-- 
Thilina Gunarathne  - http://thilinag.blogspot.com
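An added example, not from the original post and not code from the Tomcat, MyProxy or Globus projects: it builds a constructed CA, user certificate and RFC 3820-style proxy with the `openssl` command line, assembles the three-block proxy file described above, and then verifies the proxy twice: once with the user certificate from that file offered as an untrusted intermediate, and once against the CA alone, which is the situation the server in the question is in. It assumes an `openssl` binary that supports `-allow_proxy_certs` and the `proxyCertInfo` extension; every name and file path is made up.

```shell
#!/bin/sh
# Constructed demo: CA -> user certificate (delegator) -> RFC 3820 proxy, then
# verification of the proxy the way a server holding only the CA must do it.
# All names, files and values are made up for the example.
set -e
WORK=$(mktemp -d); cd "$WORK"
q() { "$@" 2>/dev/null; }   # silence openssl's progress and deprecation chatter

# 1. Our own CA: the one certificate the server trust store is assumed to hold.
q openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "/O=Grid/CN=Demo CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
q openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext -out ca.pem

# 2. The user's long-lived certificate: an end entity (CA:FALSE) issued by the CA.
q openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj "/O=Grid/CN=Demo User"
printf 'basicConstraints=CA:FALSE\n' > user.ext
q openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
    -extfile user.ext -out user.pem

# 3. The proxy: signed with the USER's key, subject = user DN plus one extra CN,
#    carrying the critical proxyCertInfo extension RFC 3820 requires.
q openssl req -newkey rsa:2048 -nodes -keyout proxy.key -out proxy.csr \
    -subj "/O=Grid/CN=Demo User/CN=proxy"
printf 'proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:AB\n' > proxy.ext
q openssl x509 -req -in proxy.csr -CA user.pem -CAkey user.key -CAcreateserial -days 1 \
    -extfile proxy.ext -out proxy.pem

# 4. The proxy file in the Globus layout: proxy cert, private key, user cert.
cat proxy.pem proxy.key user.pem > x509up_demo

# certs_in_bundle FILE: only the CERTIFICATE blocks, in file order. That is all a
# client may ever present; the PRIVATE KEY block must stay on the client.
certs_in_bundle() { awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$1"; }
count_certs()     { certs_in_bundle "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'; }
count_keys_sent() { certs_in_bundle "$1" | grep -c 'PRIVATE KEY' || true; }
nth_cert()        { certs_in_bundle "$1" | awk -v k="$2" '/-----BEGIN/{n++} n==k'; }

# verify_proxy BUNDLE [INTERMEDIATE]: succeeds only if the first certificate in
# BUNDLE chains to ca.pem. The optional INTERMEDIATE is offered as UNTRUSTED
# input, which is the role the user certificate in the proxy file is meant to play.
verify_proxy() {
    nth_cert "$1" 1 > leaf.pem
    if [ -n "$2" ]; then set -- -untrusted "$2"; else set --; fi
    q openssl verify -allow_proxy_certs -CAfile ca.pem "$@" leaf.pem > /dev/null
}

nth_cert x509up_demo 2 > delegator.pem          # the user cert, as carried in the bundle
verify_proxy x509up_demo delegator.pem && echo "proxy -> user -> CA: OK"
verify_proxy x509up_demo || echo "proxy against the CA alone: no issuer, rejected"
```

Without `-allow_proxy_certs` OpenSSL rejects the leaf outright, so whatever terminates the TLS handshake has to both accept proxy certificates and receive the delegator certificate from the client before the trust path can reach the CA.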