tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: If I configured client certificate at my browser unable to access my web app (Apache Tomcat 7.0.42/CentOS)
Date Wed, 04 Sep 2013 11:47:32 GMT

Sushil,

Please maintain a single thread when (repeatedly) asking the same
questions.

On 9/4/13 5:20 AM, Sushil Prusty wrote:
> <Connector SSLEnabled="true" acceptCount="100" clientAuth="want" 
> disableUploadTimeout="true" enableLookups="false" 
> keystoreFile="/LocalDev/software/ssl/server/server.ks" 
> keystorePass="password" 
> truststoreFile="/LocalDev/software/ssl/server/server.ks" 
> truststorePass="password" maxThreads="250" port="8443" 
> protocol="org.apache.coyote.http11.Http11NioProtocol" 
> scheme="https" secure="true" sslProtocol="TLS" />
> 
> Please let me know if there is any extra configuration required on
> the server side to validate client certificates.

It sounds like you have already configured client certificate
validation, but it's not working the way you expected.

First off, I usually see configurations where the "trust store" is
separate from the "key store". Your keystore should be considered
"super secret" and shouldn't change much. Your trust store, on the
other hand, might undergo lots of changes over time to add CA certs,
client certs, etc.

Second, what do you actually have in your keystore? Since you are
using JSSE, your keystore should contain the server's key and
certificate, plus any CA certificates and intermediate CA certificates
necessary to provide a certificate chain from your server to one the
browser trusts (e.g. VeriSign Top-level -> VeriSign intermediate ->
Your cert). What else do you have in there? In order to verify client
certificates, you'll need to have either the client certificate
itself, or the certificate that signed the client certificate, or a
chain similar to the above (e.g. Cert a -> Cert b -> Cert c -> Your
client cert).

This may be a simple problem of not having the right CA certificate(s)
in your trust store.

-chris
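
As an added example (not part of the thread, and not Tomcat's or the poster's code), the following POSIX shell script builds with openssl the kind of PKI the reply describes: a private CA, a server certificate and a client certificate signed by that CA. It then uses `openssl verify` to show the check the reply is talking about: the client certificate validates when the trust anchor file holds the CA certificate, and fails when it holds only the server's own certificate, which is the "missing CA certificate in the trust store" failure mode the reply suspects. If `keytool` is on the PATH it also builds the separate JKS trust store the reply recommends, containing only the CA certificate, and prints a Connector that references it. It goes one step past the reply by using clientAuth="true" rather than "want", since "want" only requests a certificate and does not fail the handshake when none is presented. The `$WORK` scratch directory, file names, subject names, alias and the `changeit` password are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat: build a small PKI
# with openssl and show which certificate a Tomcat trust store must hold
# before clientAuth can validate a browser's certificate.
set -eu

# Assumption: all generated files live in a scratch directory.
WORK="${WORK:-$(mktemp -d)}"

# Private CA that signs both the server and the client certificate. The
# default openssl.cnf v3_ca section gives it basicConstraints CA:TRUE,
# which is what makes openssl (and JSSE) accept it as an issuer.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# End-entity certificate signed by the CA. $1 = file base name, $2 = CN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Exit status 0 when the client certificate ($2) chains to a certificate
# in the trust anchor file ($1), non-zero otherwise. This mirrors the
# check JSSE performs against truststoreFile when a browser presents a
# certificate.
verify_client() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Separate JKS trust store as the reply recommends: it holds only the CA
# certificate, never the server's private key. Skipped when keytool
# (part of the JDK) is not installed.
make_truststore() {
  command -v keytool >/dev/null 2>&1 || {
    echo "keytool not found, skipping JKS trust store"
    return 0
  }
  rm -f "$WORK/truststore.jks"
  keytool -importcert -noprompt -alias example-client-ca \
    -file "$WORK/ca.crt" -keystore "$WORK/truststore.jks" \
    -storepass changeit >/dev/null 2>&1
}

demo() {
  make_ca
  issue_cert server "tomcat.example.test"
  issue_cert client "sushil"

  # Trust anchor holding only the server's own certificate: the client
  # certificate has no issuer there, so validation fails.
  if verify_client "$WORK/server.crt" "$WORK/client.crt"; then
    echo "server.crt as trust anchor: client cert accepted (unexpected)"
  else
    echo "server.crt as trust anchor: client cert rejected"
  fi

  # Trust anchor holding the CA that signed the client certificate.
  if verify_client "$WORK/ca.crt" "$WORK/client.crt"; then
    echo "ca.crt as trust anchor: client cert accepted"
  else
    echo "ca.crt as trust anchor: client cert rejected (unexpected)"
  fi

  make_truststore

  # Corrected Tomcat 7 Connector: separate key store and trust store, and
  # clientAuth="true" so a missing or untrusted client certificate fails
  # the handshake ("want" only requests one). Paths and passwords are
  # assumptions.
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/LocalDev/software/ssl/server/server.ks"
           keystorePass="password"
           truststoreFile="$WORK/truststore.jks"
           truststorePass="changeit"
           clientAuth="true" />
EOF
}

demo
```

Run it as `sh build-pki.sh`; the two `verify_client` lines are the whole point: the same client certificate is rejected or accepted depending only on what the trust anchor file contains, so when a browser certificate is refused by Tomcat, compare the issuer of the client certificate (`openssl x509 -in client.crt -noout -issuer`) with what `keytool -list -keystore truststore.jks` actually holds.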


