tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Will Nordmeyer <quark...@gmail.com>
Subject Re: tomcat6 with crl doesn't load
Date Wed, 28 Nov 2012 13:35:05 GMT
On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmikusa@vmware.com> wrote:
> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>
>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmikusa@vmware.com> wrote:
>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>
>>>> I have a self signed server certificate - and the user certs have no
>>>> association/connection to the server cert.
>>>
>>> I apologize, but I'm not exactly sure what you are trying to configure with the
certs and the crl file.  Can you take a step back from the problem and give us some higher
level details on what you are trying to achieve with this configuration?
>>>
>>> Dan
>>
>> OK, I'm am emulating the production enviroment for the application my
>> development team works on.  The production environment is on goverment
>> facilitiies and equipment.  Users authenticate with a Common Access
>> Card (CAC) & PIN.  Our current environment has a locally developed PIN
>> check, which is insufficient going forward.  Rather than developing
>> code to do all of the work, it seems most appropriate to simply
>> utilize the abilities built into tomcat to do that before our
>> application even gets accessed.
>>
>> The development server I stood up is a virtual server, running CentOS
>> 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips.  I used openssl to
>> generate a self-signed certificate, rather than getting an actual SSL
>> cert from an outside source since this is a closed development system.
>>
>> With that in mind, we are working to implement Certificate
>> Authentication & Validation within Tomcat.  I've got the environment
>> configured to prompt for the certificate and through the
>> browser/client enviroment the PIN prompt is triggered without issue as
>> long as the crlFile parameter isn't set in the connector.  That was
>> easy.
>>
>> My problem comes when I attempt to implement Certificate Revocation
>> List checking.  The Government has a root certificate and about 20-30
>> different intermediate certificate authorities that could have issued
>> the user certificate.  I have loaded the root and intermediate
>> government certificate into my local truststore and am loading it
>> properly (based on the fact that the user certificates are recognized
>> and accepted).
>>
>> I have downloaded all the root certificate CRL data and each
>> individual CA's CRL data.  Through the openssl commands, I converted
>> them to PEM and then copied them all into one file massive CRL.  I
>> have also, for testing, created a file with the root CRL data and the
>> CRL data for the CA which issued my Certificate.
>>
>> When I run the complete CRL, I run out of memory (271 MB CRL).  When I
>> run just the root & my CA, it doesn't run out of memory, but it also
>> doesn't trigger the PIN prompt (I assume the crl check happens before
>> the PIN is checked?), and just displays "Page cannot be displayed."
>>
>> I know my certificate is OK - when I use it to access other sites that
>> require that certificate, it works fine.
>>
>> Does that give you a clear(er) picture?  :)
>
> Definitely.  A couple suggestions…
>
> 1.) You may want to take a look at org.apache.tomcat.util.net.jsse.JSSESocketFactory.
 Search for "crlFile" and you can see how this is being configured and utilized.
>
>   https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> 2.) Maybe try using Tomcat native and the APR connector.  This would offload SSL to openssl
which may handle things more efficiently.
>
> Dan
>
OK - I enabled Tomcat native & the APR, but now it doesn't prompt me
for the Client Certificate.

The log file has:

Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
property 'clientAuth' to 'true' did not find a matching property.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message