Two way SSL and verifying that it works in Tomcat

 
Greenhorn
Hi everybody!

I'm completely out of ideas with my problem, so I thought that maybe some kind person here would have any advice (and perhaps have this situation documented for others also!). (I have tried searching here and the web, but it seems that there is not enough good documentation about two-way SSL with Tomcat anywhere.)

I'm trying to accomplish two-way SSL authentication with Tomcat:
- This means that I have a client (over which I don't have much control) which sends data as web service calls to my Tomcat server.
- I want to authenticate the client so that no other client can send data to my Tomcat server.
- Unfortunately, I can't use any other security blocking such as "basic authentication" or firewall blocking, so currently two-way SSL is the only way that is supported by the client.

Here's part of my Tomcat (version 6.0) server.xml configuration:

<Connector port="443" minProcessors="5" maxProcessors="75" enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" SSLEnabled="true"
keystorePass="xxx" keystoreFile="/opt/apache-tomcat-6.0.24/myhttps.keystore"
truststorePass="yyy" truststorefile="/opt/apache-tomcat-6.0.24/clientskey.keystore" />

Now I should have set up Tomcat to have:
- a valid certificate so that a normal HTTPS connection would be fine. This I can verify is OK.
- a truststore which should contain the client's certificate.

Questions:
1. Is this the correct way to set up two-way SSL?
2. How can I verify that it is on? The problem is that the client can now send the data OK, but it can -also- send data OK if I empty the truststore file! With this kind of configuration I would have thought that no one should be able to use my 443 port at all if I empty the truststore file?
3. One thing I was thinking: does Tomcat also use some other general truststore, such as Java's cacerts file? Which then would have caused the client's calls to be authenticated? If this is the case, should I somehow disable Java's cacerts file in the Tomcat startup parameters also?

Phew, a long post, hopefully I was clear enough!

BR, Pasi
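A small lint for the configuration above, added here as an example and not code from the thread or from Tomcat. Tomcat matches Connector attribute names case-sensitively and does not refuse to start on an unknown one (Tomcat 6 at most logs a "did not find a matching property" warning), so a mis-cased name is simply never applied. The check parses a server.xml document, flags attributes that differ from a known name only by case, and reports the two settings that decide whether a client certificate is actually required: clientAuth, and whether a truststoreFile is set at all (without one, Tomcat's JSSE connector falls back to the JVM default truststore, i.e. javax.net.ssl.trustStore or the JRE cacerts, which is exactly the fallback question 3 asks about). The attribute lists are compiled from the Tomcat 6 connector reference and are an assumption, not exhaustive; the wrapper elements around the posted Connector and the function name are this example's own.

```python
import xml.etree.ElementTree as ET

# Attribute names the Tomcat 6 JSSE HTTPS connector reads that matter for
# two-way TLS. Assumption: taken from the Tomcat 6 connector reference, not
# exhaustive. Tomcat compares these names case-sensitively.
SSL_ATTRS = {
    "SSLEnabled", "scheme", "secure", "clientAuth", "sslProtocol", "ciphers",
    "keystoreFile", "keystorePass", "keystoreType", "keyAlias",
    "truststoreFile", "truststorePass", "truststoreType",
}
# Common generic connector attributes, so they are not reported as unknown.
GENERIC_ATTRS = {
    "port", "protocol", "maxThreads", "acceptCount", "connectionTimeout",
    "enableLookups", "disableUploadTimeout",
}
KNOWN_ATTRS = SSL_ATTRS | GENERIC_ATTRS
BY_LOWERCASE = {name.lower(): name for name in KNOWN_ATTRS}

# Constructed sample: the Connector from the post, wrapped in the enclosing
# elements so it parses as a server.xml fragment (passwords are the post's dummies).
POSTED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" minProcessors="5" maxProcessors="75" enableLookups="true"
      disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
      secure="true" clientAuth="true" sslProtocol="TLS" SSLEnabled="true"
      keystorePass="xxx" keystoreFile="/opt/apache-tomcat-6.0.24/myhttps.keystore"
      truststorePass="yyy" truststorefile="/opt/apache-tomcat-6.0.24/clientskey.keystore" />
  </Service>
</Server>
"""

# The same fragment with the attribute name spelled the way Tomcat expects.
FIXED_SERVER_XML = POSTED_SERVER_XML.replace('truststorefile="', 'truststoreFile="')


def lint_https_connectors(xml_text):
    """Check every HTTPS Connector in a server.xml document for two-way TLS
    misconfiguration.

    Returns (errors, notes):
      errors - definite problems: a known attribute written with the wrong
               case (Tomcat silently ignores it), client auth not enforced,
               or no truststoreFile (JVM default truststore is used instead)
      notes  - attribute names this lint does not know about
    """
    root = ET.fromstring(xml_text)
    errors, notes = [], []
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        if attrs.get("scheme") != "https" and attrs.get("SSLEnabled") != "true":
            continue  # plain HTTP or AJP connector, out of scope
        where = "Connector port=" + attrs.get("port", "?")
        for name in attrs:
            if name in KNOWN_ATTRS:
                continue
            canonical = BY_LOWERCASE.get(name.lower())
            if canonical:
                errors.append(f"{where}: '{name}' is ignored, the attribute is '{canonical}'")
            else:
                notes.append(f"{where}: '{name}' not recognised by this lint")
        if attrs.get("SSLEnabled") != "true":
            errors.append(f"{where}: SSLEnabled is not 'true', connector would speak plain HTTP")
        if attrs.get("clientAuth") != "true":
            errors.append(f"{where}: clientAuth is not 'true', client certificates are not required")
        if "truststoreFile" not in attrs:
            errors.append(f"{where}: no truststoreFile, JVM default truststore (cacerts) will be used")
    return errors, notes


if __name__ == "__main__":
    for label, doc in (("as posted", POSTED_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        errors, notes = lint_https_connectors(doc)
        print(label, "errors:", errors)
        print(label, "notes:", notes)
```

Against the posted fragment the lint reports two errors, the ignored 'truststorefile' and the resulting fall-back to the JVM default truststore, plus notes for minProcessors, maxProcessors and debug, which are older connector attributes the lint does not list; against the fixed fragment only the notes remain.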
 
Saloon Keeper
I'd have to look at this a lot more closely to be sure, but I think that you're making one assumption that's not realistic.

You say that no one should be able to access the SSL port without a client cert. I think that's not accurate. It's perfectly reasonable to be able to set up a site where some clients have a fast-track authentication (client cert) and others have to use a traditional logon. For example, for preferred users such as vendors or people in-house versus the general public.

If you don't provide any non-cert logon credentials, you should get the same general effect. After all, it's not whether or not you can get a response from sending to port 443. You have to be able to get something from that port or you won't get the challenge that tells your client to send the certificate. What's important is blocking unauthorized users from actually accessing the webapp itself. Or at least the restricted parts of it.
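A scripted version of the check asked for in question 2 of the first post, written for this page as an added example (not code from the thread or from Tomcat). It connects to the HTTPS port, optionally presenting a client certificate, sends a minimal request and reports how the server reacts. It also shows the point made in the reply above: the TCP connection and the start of the TLS handshake always succeed, because the server has to talk to the client before it can ask for a certificate; what a clientAuth="true" connector does is abort the session once the client fails to present an acceptable one. Host, port, the certificate paths and the function name are the example's own assumptions.

```python
import socket
import ssl


def probe_client_auth(host, port, client_cert=None, timeout=5.0):
    """Open a TLS session to host:port, optionally presenting a client
    certificate, send a minimal HTTP request and report how the server reacts.

    client_cert: None (present nothing) or a (certfile, keyfile) pair of PEM
                 paths; hypothetical, supply your own files.

    Returns one of:
      "rejected"    the server aborted the TLS session, i.e. it required a
                    certificate and did not accept what it got
      "served"      the server answered the HTTP request
      "closed"      the connection ended without an HTTP reply or TLS alert
      "unreachable" the TCP connection could not be made
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The question is whether the SERVER demands a certificate, not whether
    # the server's own certificate is valid, so server verification is off
    # for the probe. Do not copy this into real client code.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if client_cert is not None:
        ctx.load_cert_chain(*client_cert)
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            # TLS 1.2: a clientAuth="true" server sends a fatal alert as soon
            # as it sees an empty (or untrusted) Certificate message, so the
            # failure shows up here, during the handshake.
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLError:
            return "rejected"
        except OSError:
            return "closed"
        with tls:
            try:
                # TLS 1.3: the handshake completes on the client side and the
                # alert only arrives on the first read, so a request has to be
                # sent and an answer read before deciding.
                tls.sendall(request)
                reply = tls.recv(4096)
            except ssl.SSLError:
                return "rejected"
            except OSError:
                return "closed"
    return "served" if reply.startswith(b"HTTP/") else "closed"


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target_host, target_port, "without client cert ->",
          probe_client_auth(target_host, target_port))
```

Run it as `python3 probe.py host 443`. "rejected" with no certificate shows that clientAuth="true" is in force for the whole connector, but it does not show which truststore Tomcat is consulting: a certificate chained to a public CA in the JRE cacerts would still be accepted if the configured truststore were never read. To cover that case, run the probe a second time with `client_cert=` pointing at a certificate that is not in your truststore (a self-signed one is enough) and confirm it is also "rejected", then a third time with the intended client certificate and confirm "served". Emptying the truststore is not a reliable negative control: the JSSE PKIX trust manager refuses to initialise with no trust anchors, so the connector may fail to start rather than reject everyone.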
 
Pasi Kallioniemi
Greenhorn
Tim,
thanks for the reply. That is an interesting point, that of course anyone can access the port, but what I am actually looking for is that pushing data to the Tomcat server would be possible only with the right certificate; I would restrict access to other areas of Tomcat with firewall & basic auth. I would have assumed that this is what two-way SSL would be good for?
I have to look deeper into the Tomcat configs to see whether it is possible to select alternatively normal credentials or a client certificate.

I have also made some progress on the technical problem: almost instantly after posting my original message I noticed that I had a typo in the configuration all along! Stupid mistake, the "truststorefile" should be "truststoreFile". Sometimes it just helps to write the problem down and look at it..
After changing the configuration name, Tomcat started to use my empty truststore and the client wasn't able to connect anymore.

However, the situation has now changed so that the client is not able to connect even after installing its certificate in the truststore. But this must be another problem which is not related to Tomcat (probably something to do with which root CAs are trusted by the client).

BR, Pasi
 
Greenhorn
Hi

Check this blog for SSL in Tomcat:

http://ramkitechnology.wordpress.com/2010/05/
 