tomcat-users mailing list archives

From Pid <>
Subject Re: SSL client auth
Date Fri, 27 Jan 2012 10:23:11 GMT
Please don't 'top-post', just add your reply below the question(s) or it
makes reading the thread impossible.

On 27/01/2012 02:40, Harish S K wrote:
> Actually, the server is IBM WAS and the client is running in Tomcat which runs on JRE6,
> I assume it uses JSSE libraries from jre6.

Tomcat is only responsible for handling SSL on inbound connections, via
the Connector configuration.  Tomcat will use a JSSE based configuration
unless you are also using APR, when it will use OpenSSL and a different

If an application running in Tomcat consumes an external resource that
is served via SSL, it is that application's responsibility to handle the
SSL decoding, not Tomcat.

> I never faced this problem if the same client program runs on IBM WAS which uses IBM's
> java runtime and SSL handlers.

Which problem, the 403 problem?  What is an "SSL Handler"?

Is it possible that you're using a keystore in WAS, by accident/default,
that contains the right certs?

> So it could be a JRE problem rather than Tomcat's, in fact subsequent to my last post,
> I got the same situation by porting the client program to a plain java application.

It is not Tomcat's fault.  It is an application issue.

> I know for sure which cacerts is being used and listing cacerts shows the required cert.
> I will try in JSSE forums too.

Or fix your code.


> -----Original Message-----
> From: Pid [] 
> Sent: Friday, January 27, 2012 4:20 AM
> To: Tomcat Users List
> Subject: Re: SSL client auth
> On 26/01/2012 17:37, Harish S K wrote:
>> I am trying to open a https URL on IBM WebSphere where ClientAuth is enabled.
>> In response I was getting HTTP 403 whereas the URL can be accessed through http.
>> On debugging further, it looks like the client is not sending the client certificate in response
>> to server's request. In some forum somebody from Tomcat has said it is not a Tomcat issue
>> as it is up to the client application to handle. However as the client app uses the SSL handlers
>> etc from tomcat runtime I was wondering if anyone can help. See the below excerpts from verbose
>> output: certificate chain found by client is empty. I am sure the keystore loaded is correct....
> Eh?
> So you've imported a Tomcat jar as a dependency, into your IBM WebSphere application
> then?  Which jar have you imported?
> p
>> =====================================
>> adding as trusted cert:
>>   Subject:, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US
>>   Issuer:, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US
>>   Algorithm: RSA; Serial number: 0x4f1e5842
>>   Valid from Tue Jan 24 02:05:38 EST 2012 until Fri Jan 18 02:05:38 EST 2013
>> .
>> .
>> .
>> *** CertificateRequest
>> Cert Types: RSA
>> Cert Authorities:
>> <, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US>
>> *** ServerHelloDone
>> *** Certificate chain
>> ***
>> *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
>> =====================================
>> Thanks
>> Harish.
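An added example, not code from the thread or from Tomcat, of the client-side JSSE setup the exchange is about: a TrustManager built from cacerts only lets the client verify the server, while answering the server's CertificateRequest with a non-empty Certificate chain needs a KeyManager loaded from a keystore that holds the client's private key and a certificate issued by one of the listed Cert Authorities. The keystore file name, password and the URL argument are placeholders.

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class MutualTlsClient {
    // Placeholder paths and password (assumptions, not values from the thread).
    static final String CLIENT_KEYSTORE = "client.p12";   // must hold the client's private key + cert chain
    static final String TRUSTSTORE = System.getProperty("java.home") + "/lib/security/cacerts";
    static final char[] PASS = "changeit".toCharArray();
    static KeyStore load(String type, String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try { ks.load(in, PASS); } finally { in.close(); }   // plain try/finally keeps this JRE6-compatible
        return ks;
    }
    // Diagnostic for the empty "*** Certificate chain" in the debug output: JSSE sends no certificate
    // when the keystore has no private-key entry, or none issued by a CA named in the CertificateRequest.
    static int printKeyEntries(KeyStore identity) throws Exception {
        int count = 0;
        for (String alias : Collections.list(identity.aliases())) {
            if (!identity.isKeyEntry(alias)) continue;   // trusted-cert-only entries cannot be presented
            X509Certificate cert = (X509Certificate) identity.getCertificate(alias);
            System.out.println(alias + " issued by " + cert.getIssuerX500Principal()
                    + "; compare with the 'Cert Authorities' the server lists");
            count++;
        }
        return count;
    }
    static SSLContext buildContext() throws Exception {
        // Truststore answers "do I trust the server?", which is all cacerts can contribute.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(KeyStore.getDefaultType(), TRUSTSTORE));
        // Keystore answers "who am I?"; without a KeyManager the CertificateRequest gets an empty reply.
        KeyStore identity = load("PKCS12", CLIENT_KEYSTORE);
        if (printKeyEntries(identity) == 0) throw new IllegalStateException("no client key in " + CLIENT_KEYSTORE);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, PASS);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory());   // per-connection, no global state
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run with -Djavax.net.debug=ssl to confirm that the "*** Certificate chain" section now lists the client certificate instead of being empty.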