tomcat-users mailing list archives

From Sushil Prusty <sushil.pru...@gmail.com>
Subject Re: If i configured client certificate at my browser unable to access my web app (Apace Tomcat 7.0.42/CentOs)
Date Wed, 04 Sep 2013 12:25:28 GMT
Hi Chris,

Sure, I will maintain the same thread. Thanks for your input.

I just followed the link below to generate the CA certificate:
http://oshogsb.blogspot.in/2007/07/how-to-create-custom-ca-and.html
(which will help me create a custom CA certificate using OpenSSL),
and I just pointed to those generated files in the server.xml file.

In step 13, "The common name of the client must match a user in Tomcat's
user realm (e.g. an entry in conf/tomcat-users.xml)", which I missed out.
Is it because of this that I am unable to access the client certificate?



On Wed, Sep 4, 2013 at 5:17 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Sushil,
>
> Please maintain a single thread when (repeatedly) asking the same
> questions.
>
> On 9/4/13 5:20 AM, Sushil Prusty wrote:
> > <Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
> > disableUploadTimeout="true" enableLookups="false"
> > keystoreFile="/LocalDev/software/ssl/server/server.ks"
> > keystorePass="password"
> > truststoreFile="/LocalDev/software/ssl/server/server.ks"
> > truststorePass="password" maxThreads="250" port="8443"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > scheme="https" secure="true" sslProtocol="TLS" />
> >
> > Please let me know whether there is any extra configuration required on
> > the server side to validate the client certificate.
>
> It sounds like you have already configured client certificate
> validation, but it's not working the way you expected.
>
> First off, I usually see configurations where the "trust store" is
> separate from the "key store". Your keystore should be considered
> "super secret" and shouldn't change much. Your trust store, on the
> other hand, might undergo lots of changes over time to add CA certs,
> client certs, etc.
>
> Second, what do you actually have in your keystore? Since you are
> using JSSE, your keystore should contain the server's key and
> certificate, plus any CA certificates and intermediate CA certificates
> necessary to provide a certificate chain from your server to one the
> browser trusts (e.g. VeriSign Top-level -> VeriSign intermediate ->
> Your cert). What else do you have in there? In order to verify client
> certificates, you'll need to have either the client certificate
> itself, or the certificate that signed the client certificate, or a
> chain similar to the above (e.g. Cert a -> Cert b -> Cert c -> Your
> client cert).
>
> This may be a simple problem of not having the right CA certificate(s)
> in your trust store.
>
> -chris

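An added example, not from the thread and not Tomcat's or the blog's code, that reproduces the two checks Chris's reply comes down to with plain openssl (plus keytool for the last step): does the client certificate chain to a CA that is actually in the trust store, and what subject DN will the realm be asked to look up. The CA names, user names, file names and the truststore path are all constructed for the demo; the openssl config it writes is its own, so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA, one client cert
# signed by it and one signed by an unrelated CA, then run the two checks the
# reply above boils down to: does the client cert chain to a CA that is in
# the trust store, and what subject DN will Tomcat's realm look up?
# Every name, path and DN here is constructed for the demo.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed CA: $1 = file prefix, $2 = subject.
mk_ca() {
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "$2" >/dev/null 2>&1
}

# Client cert signed by a CA: $1 = CA prefix, $2 = client prefix, $3 = subject.
mk_client() {
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "$3" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 1 -extfile demo.cnf -extensions v3_client -out "$2.crt" >/dev/null 2>&1
}

# The check a TLS server performs: "OK" if cert $2 chains to something in the
# trust bundle $1 and is usable for client auth, "REJECTED" otherwise.
verdict() {
    if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo REJECTED
    fi
}

# Subject DN in RFC 2253 form. Tomcat's default realm lookup uses the
# certificate's subject DN as the user name (exact spacing varies by version).
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

mk_ca     ca      "/O=Example Corp/CN=Example Client CA"
mk_ca     otherca "/O=Somewhere Else/CN=Unrelated CA"
mk_client ca      alice "/O=Example Corp/CN=alice"
mk_client otherca bob   "/O=Somewhere Else/CN=bob"

echo "alice against our CA:   $(verdict ca.crt alice.crt)"   # OK
echo "bob against our CA:     $(verdict ca.crt bob.crt)"     # REJECTED: signed by a CA we do not trust
echo "realm user name needed: $(subject_dn alice.crt)"       # CN=alice,O=Example Corp

# Keep the trust store separate from the key store, as the reply recommends:
# only the CA cert goes in, and server.xml points at it with
#   truststoreFile="/path/truststore.jks" truststorePass="..." truststoreType="JKS"
# (keytool is only needed for this last step, so it is skipped if absent).
if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias example-client-ca -file ca.crt \
        -keystore truststore.jks -storepass changeit >/dev/null 2>&1
    keytool -list -keystore truststore.jks -storepass changeit
fi
```

Run it with sh. The "REJECTED" line is the situation the reply suspects: a client certificate whose issuer is simply not in the trust store. The DN printed on the last line is the string a tomcat-users.xml entry has to carry as its username for that client; if the login still fails after the chain verifies, compare that string against the realm entry character by character rather than only the CN.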