Hi everybody!
I'm completely out of ideas with my problem, so I thought that maybe some kind person here would have any advice (and perhaps have this situation documented for others too!). (I have tried searching here and on the web, but it seems that there is not enough good documentation about two-way SSL with Tomcat anywhere.)
I'm trying to accomplish two-way SSL authentication with Tomcat:
- This means that I have a client (over which I have not much control) which sends data as web service calls to my Tomcat server.
- I want to authenticate the client so no other client can send data to my Tomcat server.
- Unfortunately, I can't apply any other security blocks such as "basic authentication" or firewall blocking, so currently two-way SSL is the only way that is supported by the client.
Here's part of my Tomcat (version 6.0) server.xml configuration:
<!-- Tomcat connector attribute names are case-sensitive. The original post had the
     trust store attribute as truststorefile (lowercase f), which Tomcat does not read;
     it is spelled truststoreFile here. -->
<Connector port="443" minProcessors="5" maxProcessors="75" enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" SSLEnabled="true"
           keystorePass="xxx" keystoreFile="/opt/apache-tomcat-6.0.24/myhttps.keystore"
           truststorePass="yyy" truststoreFile="/opt/apache-tomcat-6.0.24/clientskey.keystore" />
Now I should have set up Tomcat to have:
- a valid certificate so that a normal HTTPS connection is fine. I can verify that this is OK.
- a truststore which should contain the client's certificate.
Questions:
1. Is this the correct way to set up two-way SSL?
2. How can I verify that it is on? The problem is that the client can now send the data OK, but it can -also- send data OK if I empty the truststore file! With this kind of configuration I would have thought that no one should be able to use my port 443 at all if I empty the truststore file?
3. One thing I was wondering: does Tomcat also use some other general truststore, such as Java's cacerts file, which would then have caused the client's calls to be authenticated? If this is the case, should I also disable Java's cacerts file in Tomcat's startup parameters somehow?
Phew, a long post, hopefully I was clear enough!
BR, Pasi
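As an added example (mine, not code from the original post or from the Tomcat project), here is a small Python script that checks the two things the questions above hinge on. The first part parses a server.xml and flags connector attributes that differ from Tomcat's documented names only in letter case: the JSSE connector's attribute names are case-sensitive, so a lowercase truststorefile is never read, and when no truststoreFile is set JSSE falls back to the JVM's default trust store (the javax.net.ssl.trustStore system property, otherwise the JRE's cacerts file), which is exactly the behaviour question 3 asks about. The second part, server_enforces_client_auth() (a name I chose; not a Tomcat API), is a live probe that connects over TLS without presenting any client certificate and reports whether the server refuses to serve the request; a server that answers happily is not enforcing client authentication, whatever the trust store contains. The sample XML is the connector from the post, embedded as a constructed document; the attribute list is the Tomcat 6 JSSE connector's documented names.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed sample: the <Connector> from the post above, wrapped in the
# enclosing elements server.xml needs so it parses as a document.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" minProcessors="5" maxProcessors="75" enableLookups="true"
               disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
               secure="true" clientAuth="true" sslProtocol="TLS" SSLEnabled="true"
               keystorePass="xxx" keystoreFile="/opt/apache-tomcat-6.0.24/myhttps.keystore"
               truststorePass="yyy" truststorefile="/opt/apache-tomcat-6.0.24/clientskey.keystore" />
  </Service>
</Server>
"""

# The same document with the trust store attribute spelled the way Tomcat reads it.
FIXED_SERVER_XML = SAMPLE_SERVER_XML.replace('truststorefile="', 'truststoreFile="')

# SSL-related attributes the Tomcat 6 JSSE connector reads, spelled as in the
# Tomcat documentation. Attribute names are case-sensitive.
JSSE_ATTRS = {
    "SSLEnabled", "clientAuth", "sslProtocol", "ciphers", "keyAlias",
    "keystoreFile", "keystorePass", "keystoreType",
    "truststoreFile", "truststorePass", "truststoreType",
}
_BY_LOWER = {a.lower(): a for a in JSSE_ATTRS}


def check_connector(connector):
    """Return a list of findings for one <Connector> element (empty list means it looks right)."""
    attrs = connector.attrib
    findings = []
    for name in attrs:
        # A name that matches a known attribute only when lowercased is silently ignored.
        if name not in JSSE_ATTRS and name.lower() in _BY_LOWER:
            findings.append(
                f"'{name}' is not a Tomcat attribute and is ignored; "
                f"did you mean '{_BY_LOWER[name.lower()]}'?")
    client_auth = attrs.get("clientAuth", "false").lower()
    if client_auth != "true":
        findings.append(f'clientAuth="{client_auth}": the server will not require a client certificate')
    elif "truststoreFile" not in attrs:
        findings.append(
            'clientAuth="true" but no truststoreFile: JSSE falls back to the JVM default '
            'trust store (javax.net.ssl.trustStore or the JRE cacerts file)')
    return findings


def lint_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its list of findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            report[conn.get("port")] = check_connector(conn)
    return report


def server_enforces_client_auth(host, port, timeout=5.0):
    """Connect with TLS but without a client certificate and report whether the
    server refuses to serve us. True means client authentication is enforced.
    This is a live network probe (hypothetical helper); the self-test does not call it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing the server's policy, not validating its certificate
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # A TLS 1.3 server can only reject a missing client cert after the
                # handshake, so send a request and try to read before deciding.
                tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                # An empty read means the server closed on us without answering.
                return tls.recv(1) == b""
    except (ssl.SSLError, ConnectionResetError):
        return True


if __name__ == "__main__":
    for port, findings in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(f"connector {port}:")
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

Run against the post's connector the linter reports the ignored truststorefile attribute and, as a consequence, that no truststoreFile is in effect; against the corrected document it reports nothing. The probe is the runtime counterpart of question 2: point it at the Tomcat host and port, and if it returns False the connector is accepting clients that present no certificate at all.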