Moisés Serrano Martínez wrote:

Tomcat is only going to ask for the client certificates it could check, therefore it needs the CA certificate that signed the client certificates.

Thanks a lot Bob and Jean-Frederic for the response, but I'm afraid I don't clearly understand the solution. As far as I know, when I configure the server.xml of the Tomcat/conf directory in order to use the keystore where I've imported the trusted certs of the chain, I thought I was telling Tomcat that the keystore for the authentication was that one, and it wasn't necessary to configure another trusted keystore.

    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="false"
             keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
             keystorePass="396947j"
             protocol="TLS"
             algorithm="SunX509"
             keystoreType="JKS"/>

Is it necessary to configure both keystores?
The CA certificates are stored in "special" keystore files.

The keystoreFile you specified in the server.xml is for the server certificate and server private key (that is why it is protected by a password; you have one for each Tomcat you run on the machine).

The CA certificates are not encrypted because they are the public keys of the CAs; they have to be in different files (I normally use one per JVM).
Thanks again, and sorry for my question if it's something clear for everyone.

----- Original Message -----
From: "Bob Herrmann" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, November 05, 2002 9:58 PM
Subject: Re: Client-cert authentication.

As someone else already pointed out, you need to configure the trust stores (which tell Tomcat what clients to trust). You can do that by changing some config files, or like this on the command line (with Red Hat):

    export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit"

Cheers,
-bob

    export CATALINA -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit

On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:

I've a small (or big) problem configuring Tomcat 4.1.12. Does anyone know how to configure the client side of the matter? What I have done is:

1) Create a self-signed certificate (master certificate).
2) With the master create another one, intermediate, for localhost (signed with the private key of the master one).
   - Import the chain into a keystore: server.keystore (the master and localhost, this last one with the private key).
3) With the localhost certificate create a user certificate (signed with the private key of localhost).
   - Import the user certificate into the server.keystore.
4) Import the chain into a keystore: server.keystore.
   - At this point all must be ok because the server authentication works perfectly when a client tries to connect to localhost.
5) Configure the server.xml:
   - Define a SSL Coyote HTTP/1.1 Connector on port 8443:

        <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                   port="8443" minProcessors="5" maxProcessors="75"
                   enableLookups="true" acceptCount="10" debug="3"
                   scheme="https" secure="true" useURIValidationHack="false">

   - Locate the keystore inside the factory, CoyoteServerSocketFactory, with clientAuth="false":

        <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                 clientAuth="false"
                 keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
                 keystorePass="396947j"
                 protocol="TLS" algorithm="SunX509" keystoreType="JKS"/>

6) Configure the web.xml; if the auth-method selected is BASIC everything works fine, the problem begins when I try to make a context work with client authentication.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
      "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
      <display-name>adminWeb</display-name>
      <welcome-file-list>
        <welcome-file>adminWeb.jsp</welcome-file>
      </welcome-file-list>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>adminWeb</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-role>
        <description>An example role defined in "conf/tomcat-users.xml"</description>
        <role-name>admin</role-name>
      </security-role>
    </web-app>

7) In the client side:
   - Generate a p12 keystore in order to import the user certificate and his private key.
   - Import in the client (browser) the master, the intermediate (localhost) and the user certificates.
   - The user certificate in the p12 format (with the private key) and the other ones with the X509 format: localhost.cer and master.cer.

At the end, the result is:

    type Status report
    message No hay cadena de certificados del cliente en esta peticion
    description The request sent by the client was syntactically incorrect (No hay cadena de certificados del cliente en esta peticion).

    Using CATALINA_BASE:   ..
    Using CATALINA_HOME:   ..
    Using CATALINA_TMPDIR: ..\temp
    Using JAVA_HOME:       C:\jbuilder5\jdk1.3
    [INFO] Registry - -Loading registry information
    [INFO] Registry - -Creating new Registry instance
    [INFO] Registry - -Creating MBeanServer
    [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
    [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
    Starting service Tomcat-Standalone
    Apache Tomcat/4.1.12
    [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
    [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
    javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
        at org.apache.coyote.Response.action(Response.java:216)
        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:484)
    [WARN] Http11Processor - -Exception getting SSL attributes <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
    javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
        at org.apache.coyote.Request.action(Request.java:367)
        at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
        at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:484)
    [WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>

Please, I've been trying to solve this problem for days and I am desperate. Thanks a lot in advance.

Moises

--
Bob Herrmann <[EMAIL PROTECTED]>

--
To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
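The split Jean-Frederic and Bob describe (server key in keystoreFile, CA certificates in a separate trust store) and the effect of clientAuth, shown as an added JSSE example written for this page; it is not code from the thread or from Tomcat. It assumes a server.keystore with the server key and certificate and a cacerts.jks holding only the CA certificate that signed the client certificates, both with the password changeit, and listens on port 8443 as in the thread.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ClientCertCheck {
    // Assumed file names and passwords (constructed for this example, not from the thread).
    static final String KEYSTORE = "server.keystore"; // server key + certificate (keystoreFile)
    static final String TRUSTSTORE = "cacerts.jks";   // CA certificate(s) only (javax.net.ssl.trustStore)
    static final char[] PASS = "changeit".toCharArray();

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // Same split as Tomcat's JSSE factory: the key store identifies the server,
    // the trust store decides which client certificate chains are acceptable.
    static SSLContext buildContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(load(KEYSTORE, PASS), PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(load(TRUSTSTORE, PASS));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = buildContext().getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            // Equivalent of clientAuth="true" in server.xml. With clientAuth="false" the
            // server never sends a CertificateRequest, the session holds no peer chain,
            // and getPeerCertificates() throws the "peer not authenticated" seen in the thread.
            server.setNeedClientAuth(true);
            try (SSLSocket client = (SSLSocket) server.accept()) {
                client.startHandshake();
                Certificate[] chain = client.getSession().getPeerCertificates();
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.println("client authenticated as " + leaf.getSubjectX500Principal());
            } catch (SSLPeerUnverifiedException e) {
                System.out.println("no client certificate chain: " + e.getMessage());
            }
        }
    }
}
```

A trust store with only the CA certificate is what lets the server verify a client chain without holding any private key, which is why it needs no more protection than the keystore password on server.keystore.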