Thanks a lot Bob and Jean-Frederic for the response, but I'm afraid I don't clearly understand the solution:

As far as I know, when I configure the server.xml in the Tomcat/conf directory to use the keystore into which I've imported the trusted certs of the chain, I thought I was telling Tomcat that that keystore was the one for authentication, and that it wasn't necessary to configure another trusted keystore.

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore" keystorePass="396947j" protocol="TLS" algorithm="SunX509" keystoreType="JKS"/>

Is it necessary to configure both keystores?

Thanks again, and sorry for my question if it's something clear to everyone.

----- Original Message -----
From: "Bob Herrmann" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, November 05, 2002 9:58 PM
Subject: Re: Client-cert authentication.


> As someone else already pointed out, you need to configure the trust
> stores (which tell Tomcat what clients to trust). You can do that by
> changing some config files, or like this on the command line (with
> Red Hat):
>
> export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
> -Djavax.net.ssl.trustStorePassword=changeit"
>
> Cheers,
> -bob
>
>
>
> export CATALINA
> -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
> -Djavax.net.ssl.trustStorePassword=changeit
>
> On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
> > I've a small (or big) problem configuring Tomcat 4.1.12.
> >
> > Does anyone know how to configure the client side of the matter?
> >
> > What I have done is:
> >
> > 1) Create a self-signed certificate (master certificate).
> > 2) With the master, create another intermediate one for localhost (signed with the private key of the master one).
> >    - Import the chain into a keystore: server.keystore (the master and localhost, this last one with the private key).
> > 3) With the localhost certificate, create a user certificate (signed with the private key of localhost).
> >    - Import the user certificate into the server.keystore.
> > 4) Import the chain into a keystore: server.keystore
> >    - At this point all must be OK, because the server authentication works perfectly when a client tries to connect to localhost.
> > 5) Configure the server.xml:
> >    - Define an SSL Coyote HTTP/1.1 Connector on port 8443:
> >
> > <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="3" scheme="https" secure="true" useURIValidationHack="false">
> >
> >    - Locate the keystore inside the factory, CoyoteServerSocketFactory, with clientAuth="false".
> > <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore" keystorePass="396947j" protocol="TLS" algorithm="SunX509" keystoreType="JKS"/>
> >
> > 6) Configure the web.xml; if the auth-method selected is BASIC everything works fine, the problem begins when I try to make a context work with client authentication.
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
> > <web-app>
> >   <display-name>adminWeb</display-name>
> >   <welcome-file-list>
> >     <welcome-file>adminWeb.jsp</welcome-file>
> >   </welcome-file-list>
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>adminWeb</web-resource-name>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>admin</role-name>
> >     </auth-constraint>
> >     <user-data-constraint>
> >       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >     </user-data-constraint>
> >   </security-constraint>
> >   <login-config>
> >     <auth-method>CLIENT-CERT</auth-method>
> >   </login-config>
> >   <security-role>
> >     <description>An example role defined in "conf/tomcat-users.xml"</description>
> >     <role-name>admin</role-name>
> >   </security-role>
> > </web-app>
> >
> > 7) On the client side:
> >
> >    - Generate a p12 keystore in order to import the user certificate and its private key.
> >    - Import into the client (browser) the master, the intermediate (localhost) and the user certificates.
> >    - The user certificate in p12 format (with the private key) and the other ones in X.509 format: localhost.cer and master.cer.
> >
> > In the end, the result is:
> >
> > type Status report
> >
> > message No client certificate chain in this request
> >
> > description The request sent by the client was syntactically incorrect (No client certificate chain in this request).
> >
> > Using CATALINA_BASE: ..
> > Using CATALINA_HOME: ..
> > Using CATALINA_TMPDIR: ..\temp
> > Using JAVA_HOME: C:\jbuilder5\jdk1.3
> > [INFO] Registry - -Loading registry information
> > [INFO] Registry - -Creating new Registry instance
> > [INFO] Registry - -Creating MBeanServer
> > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
> > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
> > Starting service Tomcat-Standalone
> > Apache Tomcat/4.1.12
> > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
> > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
> > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> >         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
> >         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
> >         at org.apache.coyote.Response.action(Response.java:216)
> >         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
> >         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
> >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
> >         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
> >         at java.lang.Thread.run(Thread.java:484)
> > [WARN] Http11Processor - -Exception getting SSL attributes <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> >         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
> >         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
> >         at org.apache.coyote.Request.action(Request.java:367)
> >         at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
> >         at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
> >         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
> >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> >         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> >         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> >         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
> >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> >         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
> >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
> >         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
> >         at java.lang.Thread.run(Thread.java:484)
> > [WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> >
> >
> >
> >
> > Please, I've been trying to solve this problem for days and I am desperate.
> >
> > Thanks a lot in advance.
> >
> > Moises
> --
> Bob Herrmann <[EMAIL PROTECTED]>
>
>
> --
> To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
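An added example, not code from this thread or from Tomcat, that wires the two stores up by hand with JSSE so the failure in the thread can be reproduced and fixed outside Tomcat. The point it shows: the keystore named by keystoreFile only ever feeds the KeyManager, i.e. the server's own identity; the set of client CAs the server accepts comes from a separate TrustManager, which is what the javax.net.ssl.trustStore property in Bob's reply populates when no truststore is given explicitly. It assumes three files made with keytool, server.keystore (JKS, server key and chain), cacerts.jks (JKS, the CA certificate that signed the user certificate) and client.p12 (PKCS12, user key and chain), all with the password changeit; the file names, the password, the argument string and the Java 8+ syntax are assumptions, not from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Tomcat code). Server and client in one process:
 * run with no argument for the clientAuth="false" case from the thread,
 * or with the argument "clientAuth=true" to see the client certificate.
 *
 * Assumed files (names and password are assumptions):
 *   server.keystore  JKS, server private key + chain        -> server KeyManager
 *   cacerts.jks      JKS, CA cert(s) that signed client certs -> server TrustManager
 *   client.p12       PKCS12, user private key + chain        -> client KeyManager
 */
public class ClientCertDemo {

    static KeyStore load(String path, String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    /** Identity store -> KeyManager (who I am); trust store -> TrustManager (whom I accept). */
    static SSLContext context(KeyStore identity, char[] keyPw, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        boolean needClientAuth = args.length > 0 && args[0].equals("clientAuth=true");
        char[] pw = "changeit".toCharArray();   // assumed password for all three stores

        KeyStore serverKs = load("server.keystore", "JKS", pw);
        KeyStore caTrust  = load("cacerts.jks", "JKS", pw);
        KeyStore clientKs = load("client.p12", "PKCS12", pw);

        SSLContext serverCtx = context(serverKs, pw, caTrust);
        // The client trusts the same CA, which also signed the server's chain.
        SSLContext clientCtx = context(clientKs, pw, caTrust);

        try (SSLServerSocket ss = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0)) {
            ss.setNeedClientAuth(needClientAuth);   // JSSE equivalent of clientAuth="true"/"false"
            int port = ss.getLocalPort();

            Thread client = new Thread(() -> {
                try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", port)) {
                    c.startHandshake();
                    OutputStream out = c.getOutputStream();
                    out.write(1);
                    out.flush();
                    c.getInputStream().read();      // wait until the server is done
                } catch (Exception e) {
                    System.err.println("client: " + e);
                }
            });
            client.start();

            try (SSLSocket s = (SSLSocket) ss.accept()) {
                s.getInputStream().read();          // completes the handshake
                try {
                    // Same question Tomcat's JSSESupport asks the session after the handshake.
                    Certificate[] chain = s.getSession().getPeerCertificates();
                    System.out.println("client cert: " + ((X509Certificate) chain[0]).getSubjectX500Principal());
                } catch (SSLPeerUnverifiedException e) {
                    // needClientAuth=false: the server never asked, so the session has no peer chain.
                    System.out.println("no client certificate: " + e.getMessage());
                }
                s.getOutputStream().write(1);
                s.getOutputStream().flush();
            }
            client.join();
        }
    }
}
```

With no argument the server never sends a CertificateRequest, the session has no peer chain and getPeerCertificates() throws the same SSLPeerUnverifiedException ("peer not authenticated") that the Tomcat log in the thread shows; with clientAuth=true it prints the user certificate's subject. The issuer names the server lists in its CertificateRequest are the CAs in the truststore, and that list is also what a browser uses to decide which of its imported certificates to offer, so a truststore that lacks the CA that signed the user certificate gives the same missing-chain result even when clientAuth is on. If the server's truststore is the JRE default instead of cacerts.jks, the handshake with clientAuth=true fails outright, which is the case Bob's CATALINA_OPTS line addresses.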