Subject: Re: tomcat6 with crl doesn't load
From: Will Nordmeyer
To: Tomcat Users List
Date: Wed, 28 Nov 2012 08:35:05 -0500

On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa wrote:
> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>
>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa wrote:
>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>
>>>> I have a self signed server certificate - and the user certs have no
>>>> association/connection to the server cert.
>>>
>>> I apologize, but I'm not exactly sure what you are trying to configure with the certs and the crl file. Can you take a step back from the problem and give us some higher level details on what you are trying to achieve with this configuration?
>>>
>>> Dan
>>
>> OK, I am emulating the production environment for the application my
>> development team works on. The production environment is on government
>> facilities and equipment. Users authenticate with a Common Access
>> Card (CAC) & PIN. Our current environment has a locally developed PIN
>> check, which is insufficient going forward. Rather than developing
>> code to do all of the work, it seems most appropriate to simply
>> utilize the abilities built into tomcat to do that before our
>> application even gets accessed.
>>
>> The development server I stood up is a virtual server, running CentOS
>> 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips. I used openssl to
>> generate a self-signed certificate, rather than getting an actual SSL
>> cert from an outside source since this is a closed development system.
>>
>> With that in mind, we are working to implement Certificate
>> Authentication & Validation within Tomcat. I've got the environment
>> configured to prompt for the certificate and through the
>> browser/client environment the PIN prompt is triggered without issue as
>> long as the crlFile parameter isn't set in the connector. That was
>> easy.
>>
>> My problem comes when I attempt to implement Certificate Revocation
>> List checking. The Government has a root certificate and about 20-30
>> different intermediate certificate authorities that could have issued
>> the user certificate. I have loaded the root and intermediate
>> government certificate into my local truststore and am loading it
>> properly (based on the fact that the user certificates are recognized
>> and accepted).
>>
>> I have downloaded all the root certificate CRL data and each
>> individual CA's CRL data. Through the openssl commands, I converted
>> them to PEM and then copied them all into one massive CRL file. I
>> have also, for testing, created a file with the root CRL data and the
>> CRL data for the CA which issued my Certificate.
>>
>> When I run the complete CRL, I run out of memory (271 MB CRL). When I
>> run just the root & my CA, it doesn't run out of memory, but it also
>> doesn't trigger the PIN prompt (I assume the crl check happens before
>> the PIN is checked?), and just displays "Page cannot be displayed."
>>
>> I know my certificate is OK - when I use it to access other sites that
>> require that certificate, it works fine.
>>
>> Does that give you a clear(er) picture? :)
>
> Definitely. A couple suggestions…
>
> 1.) You may want to take a look at org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile" and you can see how this is being configured and utilized.
>
> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> 2.) Maybe try using Tomcat native and the APR connector. This would offload SSL to openssl which may handle things more efficiently.
>
> Dan
>

OK - I enabled Tomcat native & the APR, but now it doesn't prompt me for
the Client Certificate. The log file has:

Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
'clientAuth' to 'true' did not find a matching property.
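The "did not find a matching property" warning is what Tomcat's SetAllPropertiesRule logs when a Connector attribute in server.xml has no corresponding setter on the connector implementation in use. The JSSE and APR/native HTTPS connectors take different attribute names for the same concepts (client-certificate requirement, trust anchors, CRL file), so a JSSE-style `clientAuth`/`crlFile` configuration carried over to an APR connector is ignored rather than applied, and the server stops asking for a client certificate. The following server.xml fragment is an added example, not part of this thread or of Tomcat's own documentation: it places the JSSE form beside the equivalent APR form using the attribute names from the Tomcat 6 HTTP connector reference. All file paths and passwords are placeholders, and only one of the two connectors would be present in a real server.xml since both listen on 8443.

```xml
<!-- Added example (placeholders throughout; not from the thread). -->

<!-- JSSE (pure Java) HTTPS connector: keystore/truststore-based attribute names.
     clientAuth="true" requires a client certificate; crlFile points at the
     concatenated PEM CRL bundle checked by JSSESocketFactory. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/PLACEHOLDER/server-keystore.jks" keystorePass="CHANGEME"
           truststoreFile="/PLACEHOLDER/gov-ca-chain.jks" truststorePass="CHANGEME"
           clientAuth="true"
           crlFile="/PLACEHOLDER/all-crls.pem" />

<!-- APR/native HTTPS connector: OpenSSL-style attribute names. Once the native
     library is loaded, protocol="HTTP/1.1" also resolves to this implementation
     (assumption: that is how the poster's connector changed type), at which point
     clientAuth and crlFile no longer match any property and Tomcat logs the
     SetAllPropertiesRule WARNING instead of enforcing them. The equivalents are: -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/PLACEHOLDER/server.crt"
           SSLCertificateKeyFile="/PLACEHOLDER/server.key"
           SSLCACertificateFile="/PLACEHOLDER/gov-ca-chain.pem"
           SSLVerifyClient="require" SSLVerifyDepth="10"
           SSLCARevocationFile="/PLACEHOLDER/all-crls.pem" />
```

A quick check after switching connector types is to grep catalina.out for "did not find a matching property": any attribute named there is being silently dropped, and for a connector that is supposed to require client certificates, a dropped `clientAuth` or `SSLVerifyClient` means the endpoint is accepting connections without authentication.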