I've done it and the problem continues: I've included the self-signed and intermediate certificates in cacerts (perhaps it's a problem with the Java environment?). What files is it necessary to configure in order to obtain client-cert authentication?

Thanks a lot for the interest.

----- Original Message -----
From: "Bob Herrmann" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Wednesday, November 06, 2002 5:32 PM
Subject: Re: Client-cert authentication.

> On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
> > Thanks a lot Bob and Jean-frederic for the response but I'm afraid I don't
> > understand clearly the solution:
>
> As I understand it, Tomcat uses a keystore and a truststore.
>
> Tomcat uses the keystore to answer the client's "who are you?" question.
> The answer (Who is this Tomcat server) is retrieved from the keystore.
> (I am a trusted Tomcat server for Acme corp, my certificate is signed by
> some central authority.)
>
> The truststore is used when Tomcat wants to verify who the client is,
> "Do I trust this client?" (Should this client really be allowed to
> access this site?) Tomcat only asks this, or verifies the client, if
> the Connector has clientauth=true **OR** if a resource is marked up in
> the web.xml as requiring CLIENT-CERT.
>
> The keystore can be set in the server.xml. The truststore must be set
> using the JDK's property files or via an environment variable (like I
> mentioned in my earlier email.) This is a tad kludgy because verifying
> the certs of the client seems to be fairly rare in practice. (I imagine
> this is because verifying the client certs is something B2B requires and
> not so much needed by the casual JSP developer.)
>
> Cheers,
> -bob
>
> > As far as I know, when I configure the server.xml of the Tomcat/conf
> > directory in order to use the keystore where I've imported the trusted certs
> > of the chain, I thought I was telling Tomcat that the keystore for the
> > authentication was that one, and it wasn't necessary to configure another
> > trusted keystore.
> >
> > <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> >   clientAuth="false"
> >   keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> >   keystorePass="396947j" protocol="TLS" algorithm="SunX509" keystoreType="JKS"/>
> >
> > Is it necessary to configure both keystores?
> > Thanks again, and sorry for my question if it's something clear for
> > everyone.
> >
> > ----- Original Message -----
> > From: "Bob Herrmann" <[EMAIL PROTECTED]>
> > To: "Tomcat Developers List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, November 05, 2002 9:58 PM
> > Subject: Re: Client-cert authentication.
> >
> > > As someone else already pointed out, you need to configure the trust
> > > stores (which tell Tomcat what clients to trust.) You can do that by
> > > changing some config files, or like this on the command line (with
> > > redhat):
> > >
> > > export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
> > > -Djavax.net.ssl.trustStorePassword=changeit"
> > >
> > > Cheers,
> > > -bob
> > >
> > > export CATALINA
> > > -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
> > > -Djavax.net.ssl.trustStorePassword=changeit
> > >
> > > On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
> > > > I've a small (or big) problem configuring Tomcat 4.1.12.
> > > >
> > > > Does anyone know how to configure the client side of the matter?
> > > >
> > > > What I have done is:
> > > >
> > > > 1) Create a self-signed certificate (master certificate).
> > > > 2) With the master create another intermediate one for localhost (signed
> > > >    with the private key of the master one)
> > > >    - Import the chain into a keystore: server.keystore (the master
> > > >      and localhost, this last one with the private key)
> > > > 3) With the localhost certificate create a user certificate (signed with
> > > >    the private key of localhost).
> > > >    - Import the user certificate into the server.keystore.
> > > > 4) Import the chain into a keystore: server.keystore
> > > >    - At this point all must be OK because the server authentication
> > > >      works perfectly when a client tries to connect to localhost.
> > > > 5) Configure the server.xml:
> > > >    - Define a SSL Coyote HTTP/1.1 Connector on port 8443:
> > > >
> > > > <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
> > > >   minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10"
> > > >   debug="3" scheme="https" secure="true" useURIValidationHack="false">
> > > >
> > > >    - Locate the keystore inside the factory,
> > > >      CoyoteServerSocketFactory, with clientAuth="false".
> > > >
> > > > <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> > > >   clientAuth="false"
> > > >   keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> > > >   keystorePass="396947j" protocol="TLS" algorithm="SunX509" keystoreType="JKS"/>
> > > >
> > > > 6) Configure the web.xml: if the auth-method selected is BASIC
> > > >    everything works fine; the problem begins when I try to make a context
> > > >    work with client authentication.
> > > >
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
> > > >   "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
> > > > <web-app>
> > > >   <display-name>adminWeb</display-name>
> > > >   <welcome-file-list>
> > > >     <welcome-file>adminWeb.jsp</welcome-file>
> > > >   </welcome-file-list>
> > > >   <security-constraint>
> > > >     <web-resource-collection>
> > > >       <web-resource-name>adminWeb</web-resource-name>
> > > >       <url-pattern>/*</url-pattern>
> > > >     </web-resource-collection>
> > > >     <auth-constraint>
> > > >       <role-name>admin</role-name>
> > > >     </auth-constraint>
> > > >     <user-data-constraint>
> > > >       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > >     </user-data-constraint>
> > > >   </security-constraint>
> > > >   <login-config>
> > > >     <auth-method>CLIENT-CERT</auth-method>
> > > >   </login-config>
> > > >   <security-role>
> > > >     <description>An example role defined in "conf/tomcat-users.xml"</description>
> > > >     <role-name>admin</role-name>
> > > >   </security-role>
> > > > </web-app>
> > > >
> > > > 7) In the client side:
> > > >    - Generate a p12 keystore in order to import the user certificate
> > > >      and its private key.
> > > >    - Import in the client (browser) the master, the intermediate
> > > >      (localhost) and the user certificates.
> > > >    - The user certificate in the p12 format (with the private key)
> > > >      and the other ones in the X509 format: localhost.cer and master.cer.
> > > >
> > > > At the end, the result is:
> > > >
> > > > type Status report
> > > > message No hay cadena de certificados del cliente en esta peticion
> > > > description The request sent by the client was syntactically incorrect
> > > > (No hay cadena de certificados del cliente en esta peticion).
> > > >
> > > > Using CATALINA_BASE: ..
> > > > Using CATALINA_HOME: ..
> > > > Using CATALINA_TMPDIR: ..\temp
> > > > Using JAVA_HOME: C:\jbuilder5\jdk1.3
> > > > [INFO] Registry - -Loading registry information
> > > > [INFO] Registry - -Creating new Registry instance
> > > > [INFO] Registry - -Creating MBeanServer
> > > > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
> > > > [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
> > > > Starting service Tomcat-Standalone
> > > > Apache Tomcat/4.1.12
> > > > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
> > > > [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
> > > > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> > > >         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
> > > >         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> > > >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
> > > >         at org.apache.coyote.Response.action(Response.java:216)
> > > >         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
> > > >         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
> > > >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> > > >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
> > > >         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> > > >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
> > > >         at java.lang.Thread.run(Thread.java:484)
> > > > [WARN] Http11Processor - -Exception getting SSL attributes <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > > > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> > > >         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
> > > >         at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
> > > >         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
> > > >         at org.apache.coyote.Request.action(Request.java:367)
> > > >         at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
> > > >         at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
> > > >         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
> > > >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> > > >         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> > > >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > > >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
> > > >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> > > >         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> > > >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
> > > >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > > >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
> > > >         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
> > > >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > > >         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
> > > >         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> > > >         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
> > > >         at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> > > >         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
> > > >         at java.lang.Thread.run(Thread.java:484)
> > > > [WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > > >
> > > > Please, I've been trying to solve this problem for days and I am
> > > > desperate.
> > > >
> > > > Thanks a lot in advance.
> > > >
> > > > Moises
> > > --
> > > Bob Herrmann <[EMAIL PROTECTED]>
> > >
> > > --
> > > To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
> > > For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
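A way to check, outside Tomcat, whether the truststore Bob describes would accept the user certificate chain from this thread. This is an added example, not code from the thread or from Tomcat; it assumes a modern JDK, a JKS truststore (the file named by javax.net.ssl.trustStore, or the JDK's cacerts) and the user/localhost/master certificates exported as .cer files as in the original message.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreCheck <truststore.jks> <password> <user.cer> [intermediate.cer ...]");
            System.exit(2);
        }
        // Load the JKS truststore the same way JSSE loads javax.net.ssl.trustStore.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        // Every trusted-certificate entry is a trust anchor. JSSE also advertises these
        // subjects in the TLS CertificateRequest, so a browser whose certificate was issued
        // by a CA missing here sends nothing and Tomcat reports "peer not authenticated".
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ts.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ts.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ts.getCertificate(alias), null));
            }
        }
        // Chain is given leaf first: user.cer, then intermediates not already in the truststore.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (FileInputStream in = new FileInputStream(args[i])) {
                chain.add((X509Certificate) cf.generateCertificate(in)); // DER or PEM
            }
        }
        // PKIX path validation; revocation checking off, which is JSSE's default unless enabled.
        PKIXParameters params = new PKIXParameters(anchors); // throws if the truststore is empty
        params.setRevocationEnabled(false);
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) CertPathValidator
                    .getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("OK: chain anchors at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException ex) {
            System.out.println("REJECTED at chain index " + ex.getIndex() + ": " + ex.getMessage());
            System.exit(1);
        }
    }
}
```

If this prints REJECTED against the truststore Tomcat actually reads, the browser never gets a chance to present the user certificate, which matches the "peer not authenticated" exceptions in the log above.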