thanks a lot. I'll try it this weekend

----- Original Message -----
From: "jean-frederic clere" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Friday, November 08, 2002 5:59 PM
Subject: Re: Client-cert authentication.

Moisés Serrano Martínez wrote:
> I've done it and the problem continues: I've included the self-signed and
> intermediate certificates in cacerts (perhaps it's a problem with the Java
> environment?)
> Which files is it necessary to configure in order to obtain client-cert
> authentication?

The only thing I am able to do to help you is to send the steps I am using
to test the client certificates (forget the 2 last steps, which are to test
mod_jk).

Cheers

Jean-frederic

>
> Thanks a lot for the interest.
>
> ----- Original Message -----
> From: "Bob Herrmann" <[EMAIL PROTECTED]>
> To: "Tomcat Developers List" <[EMAIL PROTECTED]>
> Sent: Wednesday, November 06, 2002 5:32 PM
> Subject: Re: Client-cert authentication.
>
>
>> On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
>>
>>> Thanks a lot Bob and Jean-frederic for the response but I'm afraid I
>>> don't understand clearly the solution:
>>
>>
>> As I understand it, Tomcat uses a keystore and a truststore.
>>
>> Tomcat uses the keystore to answer the client's "who are you?" question.
>> The answer (Who is this Tomcat server) is retrieved from the keystore.
>> (I am a trusted Tomcat server for Acme corp, my certificate is signed by
>> some central authority.)
>>
>> The truststore is used when Tomcat wants to verify who the client is,
>> "Do I trust this client?" (Should this client really be allowed to
>> access this site?) Tomcat only asks this, or verifies the client, if
>> the Connector has clientauth=true **OR** if a resource is marked up in
>> the web.xml as requiring CLIENT-CERT
>>
>> The keystore can be set in the server.xml. The truststore must be set
>> using the JDK's property files or via an environment variable (like I
>> mentioned in my earlier email.) This is a tad kludgy because verifying
>> the certs of the client seems to be fairly rare in practice. (I imagine
>> this is because verifying the client certs is something B2B requires and
>> not so much needed by the casual JSP developer.)
>>
>> Cheers,
>> -bob
>>
>>
>>> As far as I know, when I configure the server.xml of the Tomcat/conf
>>> directory in order to use the keystore where I've imported the trusted
>>> certs of the chain, I thought I was telling Tomcat that the keystore for
>>> the authentication was that one, and it wasn't necessary to configure
>>> another trusted keystore.
>>>
>>> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>> clientAuth="false" keystoreFile="C:\Documents and
>>> Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>> keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>> keystoreType="JKS"/>
>>>
>>> Is it necessary to configure both keystores?
>>> Thanks again, and sorry for my question if it's something clear for
>>> everyone.
>>>
>>> ----- Original Message -----
>>> From: "Bob Herrmann" <[EMAIL PROTECTED]>
>>> To: "Tomcat Developers List" <[EMAIL PROTECTED]>
>>> Sent: Tuesday, November 05, 2002 9:58 PM
>>> Subject: Re: Client-cert authentication.
>>>
>>>
>>>> As someone else already pointed out, you need to configure the trust
>>>> stores (Which tell tomcat what clients to trust.) You can do that by
>>>> changing some config files, or like this on the command line (with
>>>> redhat)
>>>>
>>>> export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
>>>> -Djavax.net.ssl.trustStorePassword=changeit"
>>>>
>>>> Cheers,
>>>> -bob
>>>>
>>>>
>>>> export CATALINA
>>>> -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
>>>> -Djavax.net.ssl.trustStorePassword=changeit
>>>>
>>>> On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
>>>>
>>>>> I've a small (or big) problem configuring Tomcat 4.1.12.
>>>>>
>>>>> Does anyone know how to configure the client side of the matter?
>>>>>
>>>>> What I have done is:
>>>>>
>>>>> 1) Create a self-signed certificate (master certificate).
>>>>> 2) With the master create another one, intermediate, for localhost
>>>>>    (signed with the private key of the master one)
>>>>>    - Import the chain into a keystore: server.keystore (the master
>>>>>      and localhost, this last one with the private key)
>>>>> 3) With the localhost certificate create a user certificate (signed
>>>>>    with the private key of localhost).
>>>>>    - Import the user certificate into the server.keystore.
>>>>> 4) Import the chain into a keystore: server.keystore
>>>>>    - At this point all must be ok because the server authentication
>>>>>      works perfectly when a client tries to connect to localhost.
>>>>> 5) Configure the server.xml:
>>>>>    - Define a SSL Coyote HTTP/1.1 Connector on port 8443:
>>>>>
>>>>>    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>>>>    port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
>>>>>    acceptCount="10" debug="3" scheme="https" secure="true"
>>>>>    useURIValidationHack="false">
>>>>>
>>>>>    - Locate the keystore inside the factory, CoyoteServerSocketFactory,
>>>>>      with clientAuth="false".
>>>>>
>>>>>    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>>>    clientAuth="false" keystoreFile="C:\Documents and
>>>>>    Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>>>    keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>>>>    keystoreType="JKS"/>
>>>>>
>>>>> 6) Configure the web.xml. If the auth-method selected is BASIC
>>>>>    everything works fine; the problem begins when I try to make a
>>>>>    context work with client authentication.
>>>>>
>>>>>    <?xml version="1.0" encoding="UTF-8"?>
>>>>>    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>>>>>      "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
>>>>>    <web-app>
>>>>>      <display-name>adminWeb</display-name>
>>>>>      <welcome-file-list>
>>>>>        <welcome-file>adminWeb.jsp</welcome-file>
>>>>>      </welcome-file-list>
>>>>>      <security-constraint>
>>>>>        <web-resource-collection>
>>>>>          <web-resource-name>adminWeb</web-resource-name>
>>>>>          <url-pattern>/*</url-pattern>
>>>>>        </web-resource-collection>
>>>>>        <auth-constraint>
>>>>>          <role-name>admin</role-name>
>>>>>        </auth-constraint>
>>>>>        <user-data-constraint>
>>>>>          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>>        </user-data-constraint>
>>>>>      </security-constraint>
>>>>>      <login-config>
>>>>>        <auth-method>CLIENT-CERT</auth-method>
>>>>>      </login-config>
>>>>>      <security-role>
>>>>>        <description>An example role defined in "conf/tomcat-users.xml"</description>
>>>>>        <role-name>admin</role-name>
>>>>>      </security-role>
>>>>>    </web-app>
>>>>>
>>>>> 7) On the client side:
>>>>>
>>>>>    - Generate a p12 keystore in order to import the user certificate
>>>>>      and its private key.
>>>>>    - Import in the client (browser) the master, the intermediate
>>>>>      (localhost) and the user certificates.
>>>>>    - The user certificate in the p12 format (with the private key)
>>>>>      and the other ones in the X509 format: localhost.cer and
>>>>>      master.cer.
>>>>>
>>>>> At the end, the result is:
>>>>> type Status report
>>>>>
>>>>> message No hay cadena de certificados del cliente en esta peticion
>>>>>
>>>>> description The request sent by the client was syntactically incorrect
>>>>> (No hay cadena de certificados del cliente en esta peticion).
>>>>>
>>>>> Using CATALINA_BASE: ..
>>>>> Using CATALINA_HOME: ..
>>>>> Using CATALINA_TMPDIR: ..\temp
>>>>> Using JAVA_HOME: C:\jbuilder5\jdk1.3
>>>>> [INFO] Registry - -Loading registry information
>>>>> [INFO] Registry - -Creating new Registry instance
>>>>> [INFO] Registry - -Creating MBeanServer
>>>>> [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
>>>>> [INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
>>>>> Starting service Tomcat-Standalone
>>>>> Apache Tomcat/4.1.12
>>>>> [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
>>>>> [INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>>     at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>>     at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
>>>>>     at org.apache.coyote.Response.action(Response.java:216)
>>>>>     at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
>>>>>     at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
>>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>>     at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>>     at java.lang.Thread.run(Thread.java:484)
>>>>> [WARN] Http11Processor - -Exception getting SSL attributes
>>>>> <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>>> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
>>>>>     at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
>>>>>     at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
>>>>>     at org.apache.coyote.Request.action(Request.java:367)
>>>>>     at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
>>>>>     at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
>>>>>     at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
>>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>     at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>     at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>>     at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>>>>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>>>>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>>>>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>>>>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>>>     at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>>>>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>>>>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
>>>>>     at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>>>>>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>>>>>     at java.lang.Thread.run(Thread.java:484)
>>>>> [WARN] Http11Processor - -Exception getting SSL Cert
>>>>> <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>>>
>>>>>
>>>>> Please, I've been trying to solve this problem for days and I am
>>>>> desperate.
>>>>>
>>>>> Thanks a lot in advance.
>>>>>
>>>>> Moises
>>>>
>>>> --
>>>> Bob Herrmann <[EMAIL PROTECTED]>
>>>>
>>>> --
>>>> To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
>>>> For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
>
> --------------------------------------------------------------------------------
> Connecting to the server:
> openssl s_client -port 443 -host vtxclere
>
> List the CA of a JVM:
> keytool -list -rfc -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> Steps to set up a demoCA and user certificates:
>
> 1 - /usr/local/ssl/misc/CA.pl -newca
> This creates a demoCA directory that contains the CA certificates.
>
> 2 - /usr/local/ssl/misc/CA.pl -newreq
> This creates a newreq.pem that contains the private key and request.
>
> 3 - separate the request and private key.
> Put the private key in key.pem and the request in newreq.pem
>
> 4 - /usr/local/ssl/misc/CA.pl -signreq
> It displays the certificate before signing it.
> The result is in newcert.pem
>
> 5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
>     -in newcert.pem -out test.p12
> The test.p12 contains a file that can be imported in the browser.
>
> 6 - import in the browser the test.p12 file.
>
> 7 - Add the CA cert in the $JAVA_HOME/jre/lib/security/cacerts
> chmod u+w $JAVA_HOME/jre/lib/security/cacerts
> $JAVA_HOME/keytool -import -trustcacerts -file demoCA/cacert.pem \
>     -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> 8 - mod_jk (Apache).
> The CA certificates are stored in $APACHE_HOME/conf/ssl.crt/ca-bundle.crt
> Just add the demoCA/cacert.pem to it.
>
> 9 - In case a certificate is for the Apache server:
> Do steps 2, 3 and 4 and put the file key.pem into SSLCertificateKeyFile
> and the file newcert.pem into SSLCertificateFile (in httpd.conf).
>
> --------------------------------------------------------------------------------
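As an added example (not from the thread or from any of its authors), the script below rebuilds the three-tier chain Moisés describes (self-signed master, intermediate for localhost, user certificate signed by localhost) with plain openssl(1) commands in place of the CA.pl wrapper from Jean-frederic's steps, exports the user certificate with its private key as a .p12 as in step 5, and then uses `openssl verify` to check what the server's trust store has to contain for that user certificate to chain. The file names, subjects, the extension config and the password `changeit` are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the chain described there
# (self-signed master CA -> intermediate "localhost" CA -> user certificate)
# with plain openssl(1) calls instead of CA.pl, then check which trust
# material lets the user certificate verify. File names, subjects and the
# p12 password are constructed for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

WORK=$(mktemp -d)   # scratch directory for keys and certificates
cd "$WORK"

# Minimal config: a [req] section so openssl req does not depend on the
# system openssl.cnf, plus one X.509v3 extension set per tier of the chain.
cat > ssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_user]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# new_csr NAME SUBJECT: fresh RSA key in NAME.key and request in NAME.csr
new_csr() {
  openssl req -new -config ssl.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

build_chain() {
  # master: self-signed root (step 1 of the thread)
  new_csr master "/CN=Master CA"
  openssl x509 -req -in master.csr -signkey master.key -days 30 \
    -extfile ssl.cnf -extensions v3_root -out master.cer 2>/dev/null
  # localhost: intermediate signed with the master key (step 2)
  new_csr localhost "/CN=localhost"
  openssl x509 -req -in localhost.csr -CA master.cer -CAkey master.key \
    -CAcreateserial -days 30 -extfile ssl.cnf -extensions v3_int \
    -out localhost.cer 2>/dev/null
  # user: client certificate signed with the localhost key (step 3)
  new_csr user "/CN=Test User/O=Example"
  openssl x509 -req -in user.csr -CA localhost.cer -CAkey localhost.key \
    -CAcreateserial -days 30 -extfile ssl.cnf -extensions v3_user \
    -out user.cer 2>/dev/null
  # what the thread imports into cacerts: master and intermediate together
  cat master.cer localhost.cer > truststore.pem
  # browser bundle (steps 5 and 7): key, user cert and the intermediate, so
  # the client can present the whole chain during the handshake
  openssl pkcs12 -export -inkey user.key -in user.cer -certfile localhost.cer \
    -name "test user" -passout pass:changeit -out user.p12
}

# verify_user TRUSTED [UNTRUSTED]: does user.cer chain to the TRUSTED file,
# with UNTRUSTED standing in for the intermediate a client would send?
verify_user() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" user.cer >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" user.cer >/dev/null 2>&1
  fi
}

# p12_ok: the exported bundle opens with its password (MAC check passes)
p12_ok() {
  openssl pkcs12 -in user.p12 -passin pass:changeit -noout 2>/dev/null
}

build_chain
if verify_user master.cer localhost.cer; then
  echo "trust store = master CA, intermediate sent by client: OK"
fi
if verify_user truststore.pem; then
  echo "trust store = master CA + intermediate (the thread's cacerts): OK"
fi
if ! verify_user master.cer; then
  echo "trust store = master CA, no intermediate anywhere: unable to get local issuer certificate"
fi
if p12_ok; then
  echo "user.p12 opens with its password"
fi
echo "artifacts left in $WORK"
```

The three verify calls are the part that maps onto the thread: a trust store holding only the master CA is enough when the client presents the intermediate (which is why the .p12 bundles localhost.cer), while the user certificate on its own against the master CA cannot be chained; importing both master and intermediate into cacerts, as Moisés did, covers a browser that sends only the leaf. None of this matters until Tomcat actually requests a certificate in the handshake, which is what the connector's clientAuth setting and the trust store in Bob's explanation control.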