From: Christopher Schultz
To: Tomcat Users List
Date: Wed, 04 Sep 2013 07:47:32 -0400
Message-ID: <52271DD4.8060709@christopherschultz.net>
Subject: Re: If i configured client certificate at my browser unable to access my web app (Apace Tomcat 7.0.42/CentOs)
Sushil,

Please maintain a single thread when (repeatedly) asking the same questions.

On 9/4/13 5:20 AM, Sushil Prusty wrote:
> disableUploadTimeout="true" enableLookups="false"
> keystoreFile="/LocalDev/software/ssl/server/server.ks"
> keystorePass="password"
> truststoreFile="/LocalDev/software/ssl/server/server.ks"
> truststorePass="password" maxThreads="250" port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> scheme="https" secure="true" sslProtocol="TLS" />
>
> Please let me know if there is any extra configuration required
> on the server side to validate the client certificate.

It sounds like you have already configured client certificate validation, but it's not working the way you expected.

First off, I usually see configurations where the "trust store" is separate from the "key store". Your keystore should be considered "super secret" and shouldn't change much. Your trust store, on the other hand, might undergo lots of changes over time to add CA certs, client certs, etc.

Second, what do you actually have in your keystore?
Since you are using JSSE, your keystore should contain the server's key and certificate, plus any CA certificates and intermediate CA certificates necessary to provide a certificate chain from your server to one the browser trusts (e.g. VeriSign top-level -> VeriSign intermediate -> your cert). What else do you have in there?

In order to verify client certificates, you'll need to have either the client certificate itself, or the certificate that signed the client certificate, or a chain similar to the above (e.g. Cert a -> Cert b -> Cert c -> your client cert). This may be a simple problem of not having the right CA certificate(s) in your trust store.

-chris
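The following shell script is an added illustration of the last point in the reply above; it is not from the thread and not Tomcat code. It builds a throwaway client CA and a client certificate signed by it with openssl, prints the issuer a server would need to find in its trust store, and then checks the client certificate against two candidate trust stores: one holding the signing CA and one holding an unrelated CA. The file names, subject names and the helper names make_pki, verify_client and client_issuer are all assumptions made for the demo.

```shell
#!/bin/sh
# Added demo (not from the thread, not Tomcat code): a client certificate only
# verifies when the trust store holds the certificate that signed it.
# Every path and subject name below is constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: a client CA, a client cert signed by it, and an
# unrelated CA standing in for a trust store that holds the wrong certificate.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$WORK/client-ca.key" -out "$WORK/client-ca.crt" \
      -subj "/CN=Demo Client CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
      -keyout "$WORK/client.key" -out "$WORK/client.csr" \
      -subj "/CN=alice" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/client.csr" \
      -CA "$WORK/client-ca.crt" -CAkey "$WORK/client-ca.key" -CAcreateserial \
      -out "$WORK/client.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" \
      -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# verify_client TRUSTSTORE.pem -> exit 0 iff client.crt chains to a certificate
# in TRUSTSTORE. (The system CA store is also consulted by openssl verify, but it
# cannot contain our freshly generated demo CA, so only TRUSTSTORE decides here.)
verify_client() {
  openssl verify -CAfile "$1" "$WORK/client.crt" >/dev/null 2>&1
}

# client_issuer -> DN of whatever signed client.crt. This is the certificate
# (or the head of the chain leading to it) that must sit in the trust store.
client_issuer() {
  openssl x509 -noout -issuer -in "$WORK/client.crt"
}

make_pki
echo "client cert issuer: $(client_issuer)"
if verify_client "$WORK/client-ca.crt"; then
  echo "trust store with the signing CA : verify OK"
fi
if ! verify_client "$WORK/other-ca.crt"; then
  echo "trust store with an unrelated CA: verify FAILED (expected)"
fi
```

The JSSE equivalent of the successful case is a trust store that is separate from the server keystore and contains just the client CA, e.g. `keytool -importcert -alias clientca -file client-ca.crt -keystore client-trust.jks`, with the Connector pointing `truststoreFile` at that file (and `clientAuth="true"` set) while `keystoreFile` keeps only the server key and its chain. If the issuer printed by `openssl x509 -noout -issuer` on the browser's certificate does not match any entry in that trust store, the handshake will fail exactly as described in the reply.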