
Tomcat SSL .Enabling Client authentication with tomcat

Roopa Modugu

Joined: Jul 30, 2009
Posts: 1
I am trying to set up mutual authentication with Tomcat.

I am able to set up only server authentication, by using the Java keytool and setting clientAuth="false".

Now I want to set up client authentication, so I set clientAuth="true",

created a keystore with self-signed certificates for both server and client,
set the SSL keystore path to this keystore, and
enabled the SSL log for Tomcat.

What I see is that the log shows only an entry for the "tomcat" key entry, for the server certificate.

It does not show the client certificate.

I am sure my keystore has the client certificate.
I know this because I listed the entries in the keystore:
$ keytool -list -keystore tomcat2.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

roopa, Jul 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): AD8:7B:88:5F0:A2:3E:6B:E4:8C:6D:29:CC:B5:A2
tomcat, Jul 24, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 34:52:19:6D:3C:06:A8:91:12:4B:F2:1A:B7:1E:5D:4A
mykey, Jul 24, 2009, trustedCertEntry,
Certificate fingerprint (MD5): DE:A7:59:23:09:FF:BC:C4:EC:5B:73:6C:BB:B9:ED:25

I also imported the p12 client certificate into the web browser and tried. It did not work.

I see that Tomcat itself is not able to load the certificate with the alias "roopa" here.

Where could I have gone wrong?

I also tried to import these self-signed client certificates into cacerts.jks. It loads all the commercial CA certificates but not the self-signed client certificates I created.
To work with Tomcat, do the client certificates have to be
CA-certified?

All the information I got from websites shows that these steps should be enough to make client authentication work.

But it's not working for me here.

Here is my server.xml configuration:

<!-- Connector attribute names are case-sensitive: Tomcat reads truststoreFile
     and truststorePass, so they are spelled that way here. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" scheme="https" secure="true"
           debug="5" clientAuth="true"
           keystoreFile="c:\Roopa\test\tomcat2.keystore" keystorePass="roopanov14"
           truststoreFile="c:\Roopa\test\tomcat2.keystore" truststorePass="roopanov14"
           sslProtocol="TLS" />

The password and the path to the keystore are correct.

It is loading the entry for "tomcat",

but not the client certificate entries.

Can anybody tell me what's going on and where I'm going wrong?
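The procedure the post describes, carried through end to end, as an added example that is not code from the original thread or from the Tomcat project: a server keystore, a client key pair exported as PKCS#12 for the browser, a trust store holding only the client certificate, the matching Connector fragment, a check that the Connector attributes are spelled in the case Tomcat actually reads, and an openssl s_client probe that shows whether the server's trust store was loaded. File names, aliases, the password and the host:port are assumptions chosen for the demo; the setup step needs a JDK keytool and the verify step needs openssl and a running Tomcat.

```shell
#!/bin/sh
# Added example, not code from the original thread: mutual TLS for Tomcat done
# with keytool end to end, plus two checks. All file names, aliases, passwords
# and the host:port are assumptions for this demo.
set -eu

WORK=${WORK:-./mtls-demo}   # assumed working directory for the stores
PASS=changeit               # assumed demo password; pick a real one outside a demo

# Steps 1-3 of the post: server key pair, client key pair, and a trust store that
# holds ONLY the client's certificate (a trustedCertEntry). The client's private
# key stays in the PKCS#12 file that gets imported into the browser; it must never
# be placed in the keystore Tomcat serves from.
make_stores() {
    mkdir -p "$WORK"
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=localhost, O=demo" \
        -keystore "$WORK/server.jks" -storepass "$PASS" -keypass "$PASS"
    keytool -genkeypair -alias roopa -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=roopa, O=demo" -storetype PKCS12 \
        -keystore "$WORK/client.p12" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -rfc -alias roopa -storetype PKCS12 \
        -keystore "$WORK/client.p12" -storepass "$PASS" -file "$WORK/client.cer"
    keytool -importcert -noprompt -alias roopa -file "$WORK/client.cer" \
        -keystore "$WORK/truststore.jks" -storepass "$PASS"
    keytool -list -keystore "$WORK/truststore.jks" -storepass "$PASS"
}

# The Connector fragment Tomcat needs. Attribute names are case-sensitive:
# Tomcat reads truststoreFile/truststorePass and ignores truststorefile/
# truststorepass, in which case it verifies clients against the JVM's default
# trust store (cacerts) and a self-signed client cert is never accepted.
write_connector() {
    mkdir -p "$WORK"
    cat > "$WORK/connector.xml" <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$WORK/server.jks" keystorePass="$PASS"
           truststoreFile="$WORK/truststore.jks" truststorePass="$PASS" />
EOF
}

# Check a server.xml (or fragment) for the attributes mutual TLS depends on,
# flagging names that exist only in the wrong case. Returns 1 on any problem.
check_connector() {
    status=0
    grep -q 'clientAuth="true"' "$1" || { echo "MISSING: clientAuth=\"true\""; status=1; }
    for attr in keystoreFile keystorePass truststoreFile truststorePass; do
        if grep -q "$attr=" "$1"; then
            :
        elif grep -qi "$attr=" "$1"; then
            echo "WRONG CASE: $attr (Tomcat will not read it)"; status=1
        else
            echo "MISSING: $attr"; status=1
        fi
    done
    return $status
}

# Prove it from outside against a running Tomcat ($1 = host:port). The server's
# CertificateRequest lists the issuers from its trust store; a self-signed client
# cert is its own issuer, so "CN=roopa" must appear under "Acceptable client
# certificate CA names". If nothing prints, the trust store was not loaded.
verify_handshake() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -nodes \
        -out "$WORK/client.pem"
    echo | openssl s_client -connect "$1" \
        -cert "$WORK/client.pem" -key "$WORK/client.pem" 2>/dev/null \
        | sed -n '/Acceptable client certificate CA names/,/^---/p'
}

case "${1:-}" in
    setup)  make_stores; write_connector; check_connector "$WORK/connector.xml" ;;
    verify) verify_handshake "${2:-localhost:8443}" ;;
    *)      echo "usage: $0 setup | verify [host:port]" ;;
esac
```

Run `sh mtls.sh setup`, paste the generated connector.xml into server.xml, restart Tomcat, then `sh mtls.sh verify localhost:8443`. The SSL log the post refers to is what JSSE prints when Tomcat is started with `-Djavax.net.debug=ssl,handshake` in JAVA_OPTS; with the trust store loaded correctly, the "trustStore is:" line in that output should name the trust store file rather than the JVM's cacerts.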


Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17421

You can very definitely use self-signed certs with Tomcat. I'm doing that myself.

I can't see anything immediately wrong with what you listed, but there is (as I understand it) an issue with HTTP itself in that for a given IP address only one cert can be honored, even if the IP address supports multiple hostnames (virtual hosts).

An IDE is no substitute for an Intelligent Developer.
Ravi Danum
Ranch Hand

Joined: Jan 13, 2009
Posts: 104

How did you enable the SSL logging?

Did you get the client authentication working on Tomcat?

I am so glad to see this posting!
