Tomcat SSL: Enabling client authentication with Tomcat

 
Greenhorn
Posts: 1
Hi.
I am trying to set up mutual authentication with Tomcat.

I am able to set up only server authentication by using Java keytool and setting clientAuth="false".

Now I want to set up client authentication, so I set clientAuth="true".

I created a keystore with self-signed certificates for both server and client,
set the SSL keystore path to this keystore,
and enabled SSL logging for Tomcat.

What I see is that the log shows only the entry for the tomcat key entry, for the server certificate.

It does not show the client certificate.

I'm sure my keystore has the client certificate.
I know this because I listed the entries in the keystore:
$ keytool -list -keystore tomcat2.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

roopa, Jul 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): AD:D8:7B:88:5F:D0:A2:3E:6B:E4:8C:6D:29:CC:B5:A2
tomcat, Jul 24, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 34:52:19:6D:3C:06:A8:91:12:4B:F2:1A:B7:1E:5D:4A
mykey, Jul 24, 2009, trustedCertEntry,
Certificate fingerprint (MD5): DE:A7:59:23:09:FF:BC:C4:EC:5B:73:6C:BB:B9:ED:25



I also imported the p12 client certificate into the web browser and tried. It did not work.

As I see it, Tomcat itself is not able to load the certificate with the alias roopa here.

Where could I have gone wrong?

I also tried to import these self-signed client certificates into cacerts.jks. It loads all commercial CA certificates but not the self-signed client certificates I created.
To work with Tomcat, do the client certificates have to be
CA certified?

All the information I got from websites shows that these steps should be enough to make client authentication work.

But it's not working for me here.

Here is my server.xml configuration:


<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
debug="5" clientAuth="true" keystoreFile="c:\Roopa\test\tomcat2.keystore" keystorePass="roopanov14" truststorefile="c:\Roopa\test\tomcat2.keystore" truststorepass="roopanov14" sslProtocol="TLS" />.


The password and the path to the keystore are correct.

It is loading the entry for tomcat,

but not the client certificate entries.

Can anybody tell me what's going on and where I'm going wrong?

Thanks,
Roopa.
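
One thing worth ruling out in a connector like the one posted above: XML attribute names are case-sensitive, and Tomcat's connector reference spells the trust-store attributes truststoreFile and truststorePass. The check below is an added example, not code from this thread; its function names and the sample connector's path and password are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Attribute spellings from Tomcat's HTTP connector reference (subset used here).
DOCUMENTED = ["SSLEnabled", "clientAuth", "keystoreFile", "keystorePass",
              "keystoreType", "keyAlias", "truststoreFile", "truststorePass",
              "truststoreType", "sslProtocol", "ciphers"]
BY_LOWER = {name.lower(): name for name in DOCUMENTED}

# Same attribute names as the posted connector; the path and password are
# constructed placeholders, not values from the thread.
POSTED_STYLE = '''<Connector port="8443" SSLEnabled="true" scheme="https"
    secure="true" clientAuth="true" sslProtocol="TLS"
    keystoreFile="conf/example.keystore" keystorePass="PLACEHOLDER"
    truststorefile="conf/example.keystore" truststorepass="PLACEHOLDER" />'''


def miscased_attributes(connector_xml):
    """Return sorted (written, documented) pairs whose letter case differs."""
    elem = ET.fromstring(connector_xml)
    findings = []
    for written in elem.attrib:
        documented = BY_LOWER.get(written.lower())
        if documented is not None and documented != written:
            findings.append((written, documented))
    return sorted(findings)


def client_auth_gaps(connector_xml):
    """List spelling problems that bear on client-certificate validation."""
    elem = ET.fromstring(connector_xml)
    gaps = [f"'{w}' is documented as '{d}'"
            for w, d in miscased_attributes(connector_xml)]
    # Only look for trust-store attributes when client certs are requested.
    if elem.get("clientAuth") in ("true", "want"):
        for needed in ("truststoreFile", "truststorePass"):
            if elem.get(needed) is None:
                gaps.append(f"clientAuth is set but no attribute is "
                            f"spelled exactly '{needed}'")
    return gaps


if __name__ == "__main__":
    for gap in client_auth_gaps(POSTED_STYLE):
        print(gap)
```
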






 
Saloon Keeper
Posts: 28114
You can very definitely use self-signed certs with Tomcat. I'm doing that myself.

I can't see anything immediately wrong with what you listed, but there is (as I understand it) an issue with HTTP itself in that for a given IP address, only one cert can be honored, even if the IP address is supporting multiple hostnames (virtual hosts).
 
Ranch Hand
Posts: 165
Hello,

How did you enable the ssl logging?

Did you get the client authentication working on Tomcat?

I am so glad to see this posting!

-Ravi
 