tomcat-users mailing list archives

From Sushil Prusty <sushil.pru...@gmail.com>
Subject If I configure a client certificate in my browser I am unable to access my web app (Apache Tomcat 7.0.42/CentOS)
Date Wed, 04 Sep 2013 09:20:18 GMT
Hi All,

1) I have configured HTTPS to access my web app, which is working fine.
2) Second, I have configured a client certificate in my browser (Firefox).
3) Third, it shows a pop-up message on the client side asking me to select a certificate.
4) Fourth, once I select a certificate and click OK it throws the exception below:

Secure Connection Failed
          An error occurred during a connection to localhost:8443.

SSL peer had some unspecified issue with the certificate it received.

(Error code: ssl_error_certificate_unknown_alert)
--------------------------------------------------------------------------------------------------------------------
Please find the server.xml configuration:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
           disableUploadTimeout="true" enableLookups="false"
           keystoreFile="/LocalDev/software/ssl/server/server.ks"
           keystorePass="password"
           truststoreFile="/LocalDev/software/ssl/server/server.ks"
           truststorePass="password"
           maxThreads="250" port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true"
           sslProtocol="TLS" />

and in my web.xml file:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>https only</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

NOTE: IF I REMOVE THE CLIENT CERTIFICATE FROM THE BROWSER I AM ABLE TO ACCESS MY WEB APP THROUGH HTTPS.


Please let me know whether any extra configuration is required on the server side to validate the client certificate.

Please let me know if you want any other information.

I have gone through all the sites but they were not helpful.
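An added diagnostic, written here as an example and not part of the original post, that applies the same PKIX trust check Tomcat's JSSE connector performs during the handshake: it loads the truststore named in server.xml and asks its X509TrustManager whether the browser's client certificate chains to a trusted CA. With clientAuth="want", JSSE still rejects a presented certificate it cannot chain to the truststore, so a certificate_unknown alert usually means the issuing CA is not in server.ks. The class name TrustCheck, the client.pem/ca.pem file names and the "RSA" auth type are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Usage (assumed paths): java TrustCheck /LocalDev/software/ssl/server/server.ks password client.pem
public class TrustCheck {
    // Load the truststore and return the X509TrustManager JSSE would build from it.
    static X509TrustManager trustManagerFor(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // Tomcat 7's default keystoreType
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Read a PEM file holding the client certificate (plus any intermediates, leaf first).
    static X509Certificate[] readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor(args[0], args[1].toCharArray());
        X509Certificate[] chain = readChain(args[2]);
        System.out.println("subject: " + chain[0].getSubjectX500Principal());
        System.out.println("issuer:  " + chain[0].getIssuerX500Principal());
        try {
            tm.checkClientTrusted(chain, "RSA"); // the same call JSSE makes during the handshake
            System.out.println("TRUSTED: the issuer chains to a CA in the truststore");
        } catch (CertificateException e) {
            System.out.println("REJECTED, which the browser reports as certificate_unknown: " + e.getMessage());
            System.out.println("Fix: keytool -importcert -trustcacerts -alias clientca -file ca.pem -keystore " + args[0]);
        }
    }
}
```

If the check reports REJECTED, import the CA that issued the browser certificate into the truststore (the keytool command printed above) and restart Tomcat; if it reports TRUSTED, the problem lies elsewhere (for example an expired certificate or a keystore that is not readable by the Tomcat user).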
