Moisés Serrano Martínez wrote:
I've done it and the problem continues: I've included the self-signed and
intermediate certificates in cacerts. Perhaps it's a problem with the Java
environment? What files is it necessary to configure in order to obtain
client-cert authentication?
The only thing I can do to help you is to send the steps I use to test client certificates (ignore the last two steps, which are for testing mod_jk).

Cheers

Jean-frederic

Thanks a lot for the interest.






----- Original Message -----
From: "Bob Herrmann" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Wednesday, November 06, 2002 5:32 PM
Subject: Re: Client-cert authentication.



On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:

Thanks a lot Bob and Jean-frederic for the response, but I'm afraid I
don't understand the solution clearly:

As I understand it, Tomcat uses a keystore and a truststore.

Tomcat uses the keystore to answer the client's "who are you?" question.
The answer (Who is this Tomcat server) is retrieved from the keystore.
(I am a trusted Tomcat server for Acme corp, my certificate is signed by
some central authority.)

The truststore is used when Tomcat wants to verify who the client is,
"Do I trust this client?" (Should this client really be allowed to
access this site?)  Tomcat only asks this, or verifies the client, if
the Connector has clientAuth="true"  **OR**  if a resource is marked up in
the web.xml as requiring CLIENT-CERT.

The keystore can be set in the server.xml.  The truststore must be set
using the JDK's property files or via an environment variable (like I
mentioned in my earlier email.)  This is a tad kludgy because verifying
the certs of the client seems to be fairly rare in practice.  (I imagine
this is because verifying the client certs is something B2B requires and
not so much needed by the casual JSP developer.)

Cheers,
-bob




As far as I know, when I configure the server.xml of the Tomcat/conf
directory in order to use the keystore where I've imported the trusted
certs of the chain, I thought I was telling Tomcat that the keystore for
the authentication was that one, and that it wasn't necessary to configure
another trusted keystore.

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
    clientAuth="false"
    keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
    keystorePass="396947j" protocol="TLS" algorithm="SunX509"
    keystoreType="JKS"/>

Is it necessary to configure both keystores?
Thanks again, and sorry for my question if it's something clear to
everyone.

----- Original Message -----
From: "Bob Herrmann" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Tuesday, November 05, 2002 9:58 PM
Subject: Re: Client-cert authentication.



As someone else already pointed out, you need to configure the trust
stores (which tell Tomcat what clients to trust). You can do that by
changing some config files, or like this on the command line (with
Red Hat):

export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit"

Cheers,
-bob




On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:

I have a small (or big) problem configuring Tomcat 4.1.12.

Does anyone know how to configure the client side of the matter?

What I have done is:

1) Create a self-signed certificate (master certificate).
2) With the master create another, intermediate one for localhost (signed
with the private key of the master one).
       - Import the chain into a keystore: server.keystore (the master
and localhost, this last one with the private key).
3) With the localhost certificate create a user certificate (signed with
the private key of localhost).
       - Import the user certificate into the server.keystore.
4) Import the chain into a keystore: server.keystore
       - At this point all must be OK, because the server authentication
works perfectly when a client tries to connect to localhost.

5) Configure the server.xml:
       - Define an SSL Coyote HTTP/1.1 Connector on port 8443.
       - Locate the keystore inside the factory, CoyoteServerSocketFactory,
with clientAuth="false".

               <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443"
                   minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10"
                   debug="3" scheme="https" secure="true" useURIValidationHack="false">
                   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                       clientAuth="false"
                       keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
                       keystorePass="396947j" protocol="TLS" algorithm="SunX509"
                       keystoreType="JKS"/>
               </Connector>

6) Configure the web.xml. If the auth-method selected is BASIC everything
works fine; the problem begins when I try to make a context work with
client authentication.

               <?xml version="1.0" encoding="UTF-8"?>
               <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
                   "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
               <web-app>
                   <display-name>adminWeb</display-name>
                   <welcome-file-list>
                       <welcome-file>adminWeb.jsp</welcome-file>
                   </welcome-file-list>
                   <security-constraint>
                       <web-resource-collection>
                           <web-resource-name>adminWeb</web-resource-name>
                           <url-pattern>/*</url-pattern>
                       </web-resource-collection>
                       <auth-constraint>
                           <role-name>admin</role-name>
                       </auth-constraint>
                       <user-data-constraint>
                           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                       </user-data-constraint>
                   </security-constraint>
                   <login-config>
                       <auth-method>CLIENT-CERT</auth-method>
                   </login-config>
                   <security-role>
                       <description>An example role defined in "conf/tomcat-users.xml"</description>
                       <role-name>admin</role-name>
                   </security-role>
               </web-app>

7) On the client side:
     - Generate a p12 keystore in order to import the user certificate
and its private key.
     - Import into the client (browser) the master, the intermediate
(localhost) and the user certificates.
     - The user certificate in the p12 format (with the private key) and
the other ones in X509 format: localhost.cer and master.cer.

At the end, the result is:

type Status report
message No hay cadena de certificados del cliente en esta peticion
description The request sent by the client was syntactically incorrect (No hay cadena de certificados del cliente en esta peticion).

Using CATALINA_BASE:   ..
Using CATALINA_HOME:   ..
Using CATALINA_TMPDIR: ..\temp
Using JAVA_HOME:       C:\jbuilder5\jdk1.3
[INFO] Registry - -Loading registry information
[INFO] Registry - -Creating new Registry instance
[INFO] Registry - -Creating MBeanServer
[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
Starting service Tomcat-Standalone
Apache Tomcat/4.1.12
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
       at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
       at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
       at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
       at org.apache.coyote.Response.action(Response.java:216)
       at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
       at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
       at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
       at java.lang.Thread.run(Thread.java:484)
[WARN] Http11Processor - -Exception getting SSL attributes
<javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
       at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
       at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
       at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
       at org.apache.coyote.Request.action(Request.java:367)
       at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
       at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
       at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
       at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
       at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
       at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
       at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
       at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
       at java.lang.Thread.run(Thread.java:484)
[WARN] Http11Processor - -Exception getting SSL Cert
<javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>



Please, I've been trying to solve this problem for days and I am
desperate.

Thanks a lot in advance.

Moises
--
Bob Herrmann <[EMAIL PROTECTED]>


--
To unsubscribe, e-mail:
<mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>

For additional commands, e-mail:
<mailto:tomcat-dev-help@;jakarta.apache.org>











Connecting to the server:
openssl s_client -port 443 -host vtxclere

List the CA of a JVM:
keytool -list -rfc -keystore $JAVA_HOME/jre/lib/security/cacerts

Steps to set up a demoCA and user certificates:

1 - /usr/local/ssl/misc/CA.pl -newca
    This creates a demoCA directory that contains the CA certificates.

2 - /usr/local/ssl/misc/CA.pl -newreq
    This creates a newreq.pem that contains the private key and the request.

3 - Separate the request and the private key.
    Put the private key in key.pem and the request in newreq.pem.

4 - /usr/local/ssl/misc/CA.pl -signreq
    It displays the certificate before signing it.
    The result is in newcert.pem.

5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
    -in newcert.pem -out test.p12
    The test.p12 file can be imported into the browser.

6 - Import the test.p12 file into the browser.

7 - Add the CA cert to $JAVA_HOME/jre/lib/security/cacerts:
    chmod u+w $JAVA_HOME/jre/lib/security/cacerts
    $JAVA_HOME/bin/keytool -import -trustcacerts -file demoCA/cacert.pem \
    -keystore $JAVA_HOME/jre/lib/security/cacerts

8 - mod_jk (Apache).
    The CA certificates are stored in $APACHE_HOME/conf/ssl.crt/ca-bundle.crt.
    Just add the demoCA/cacert.pem to it.

9 - In case a certificate is for the Apache server:
    Do steps 2, 3 and 4 and put the file key.pem into SSLCertificateKeyFile
    and the file newcert.pem into SSLCertificateFile (in httpd.conf).

