All,
This is as far as I have gotten. As I said, I believe I still have some
issues with the certificates because I
believe Tomcat is suppose to populate the HttpRequest object with a series
of "attributes" that we should be able to
use to retrieve things like the X.509 certificates. I found one site that
said we should be able to simply issue
something like:
X509Certificate cert =
request.getAttribute("java.security.cert.X509Certificate");
in order to get the specifics of the user. As configured per the notes
below, the SSL session "appears" to be OK as
the servlet gets dispatched as anticipated; only the HttpRequest object's
atrribute array is EMPTY, the principal is
null, but secure = = true.
If anyone out there in CertificateLand or the Tomcat realm can tell us
what's missing, this list ( not the least of
whom is yours truely) could sure use the help!! I think We have the simple
stuff (Form Login) under control, we
need deep down help on SSL, Certificates, and MutalAuthetication.
********* Mutal Authetication Progress notes follow *********
Since the list doesn't handle enclosures, and I don't have a fixed IP
address server to FTP from, here's a lengthy
series of snaps and notes:
Here's a batch file that will create a Certificate Authority in the /ca
directory that you can use to sign any
number of certs:
rem file: CreateCA.bat
openssl req -config ca.cnf -extensions ca_ext -new -newkey
rsa:1024 -nodes -out ca/ca.csr -keyout ca/ca.key
pause
openssl x509 -trustout -signkey ca/ca.key -days 3650 -req -in ca/ca.csr -out
ca/ca.pem
echo
echo "STOP! 1) Copy ca.pem -> ca.crt; 2)Edit ca.crt "TRUSTED
CERTIFICATE" -> "CERTIFICATE""
echo "Then continue"
pause
Here's a batch file that will create, then sign, then package in a p12
format Client certificate for a browser
import:
rem file: CreateClient.bat
echo "When prompted for common name, provide the users common name, e.g.
"Daniel Puryear"
pause
openssl req -config ca.cnf -extensions user_ext -new -newkey
rsa:1024 -nodes -out client/client1.req -keyout
client/client1.key
pause
openssl x509 -CA ca/ca.pem -CAkey ca/ca.key -CAserial ca/ca.ser -req -in
client/client1.req -out client/client1.pem
-days 3650
pause
openssl pkcs12 -export -clcerts -in client/client1.pem -inkey
client/client1.key -out client/client1.p12 -name
"Tomcat_Test_CERT"
pause
Here's a batch file that will create, then sign a server certificate, then
package in a keystore called
"server.keystore"
rem file: CreateServer.bat
echo "You can provide data interactively if you remove the -dname parameter"
pause
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore
server/server.keystore -storetype JKS -dname
"CN=localhost, OU=NSIT, O=NGC, L=Columbia, S=MD, C=US" -keypass
changeit -storepass changeit
pause
keytool -certreq -keyalg RSA -alias tomcat -file server/server.csr -keystore
server/server.keystore -keypass
changeit -storepass changeit
echo
echo "STOP! Edit server.csr from 'NEW CERTIFICATE REQUEST' -> 'CERTIFICATE
REQUEST' "
echo "Then continue. When prompted for a EXPORT password, use 'changeit'
also..."
pause
openssl x509 -CA ca/ca.pem -CAkey ca/ca.key -CAserial ca/ca.ser -req -in
server/server.csr -out server/server.crt
-days 3650
pause
rem HEADS_UP! SEQUENCE ORDER DEPENDENCY!! CA first, so the tomcat import
can find the CA when needed!!
keytool -import -alias rootCA -keystore
server/server.keystore -trustcacerts -file ca/ca.pem -keypass changeit
-storepass changeit
pause
keytool -import -alias tomcat -keystore
server/server.keystore -trustcacerts -file server/server.crt -keypass
changeit -storepass changeit
pause
Here's a batch (crude) to create a truststore to contain your CA's public
key and save it in a file called
trust.keystore
rem file: CreateTrustStore.bat
keytool -genkey -alias truststore -keyalg RSA -keysize 1024 -keystore
trust/trust.keystore -storetype JKS -dname
"CN=truststore, OU=NSIT, O=NGC, L=Columbia, S=MD, C=US" -keypass
changeit -storepass changeit
pause
rem
rem Cause the TC signed CERT to be trusted by loading into the trusted
keystore(Public key Only )
keytool -import -alias rootCA -keystore
trust/trust.keystore -trustcacerts -file ca/ca.pem -keypass changeit
-storepass changeit
pause
You can find several places on the web that basically contains the above,
but here's an OpenSSL config file that
picks up the details. If you don't want the challenge/response dialog (
which, by the way, only the Foxfire engine gets right! Netscape, the
inventers of SSL, no longer handles the SSL itself, it delegates to you
option of either the Foxfire or MSIE SSL engine), comment out entries in the
req_attributes section.
#
# SSLeay example configuration file as modified by D Puryear.
#
RANDFILE = .rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = . # Where everything is kept
certs = $dir\certs # Where the issued certs are kept
crl_dir = $dir\crl # Where the issued crl are kept
database = $dir\index.txt # database index file.
new_certs_dir = $dir\newcerts # default place for new certs.
certificate = $dir\cacert.pem # The CA certificate
serial = $dir\serial # The current serial number
crl = $dir\crl.pem # The current CRL
private_key = $dir\private\cakey.pem # The private key
RANDFILE = $dir\private\private.rnd # private random number file
# Over-riding to force the use of a "-extensions xyz" on each "req" command
#x509_extensions = x509v3_extensions # The extentions to add to the cert
default_days = 3650 # how long to certify for
default_crl_days= 365 # how long before next CRL
default_md = SHA1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
input_password = changeit
output_password = changeit
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MD
localityName = Locality Name (eg, city)
localityName_default = Columbia
organizationName = Organization Name (eg, company)
organizationName_default = NGC
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = NSIT
commonName = Common Name (eg, your website's domain name)
commonName_default = <Enter Real Common Name>
commonName_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_default = changeit
challengePassword_min = 4
challengePassword_max = 20
#
#Invoke for CA certs only
[ ca_ext ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints = critical, CA:true, pathlen:2
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
[user_ext]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[server_cert]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
##******End of File *******
OpenSSL instructions.
1) Download the Windows binary executable from the OpenSSl site and unpack.
2) CD into the bin dir and create ca, client, server, and trust directories.
3) In the ca directory, creat a text file called "ca.ser". In it, add two
characters '0', and '1'
Its the serial number counter that the CA will use for stamping the certs
it signs.
4) Copy the OpenSSL configuration above into a file called "ca.cnf" and
place it in the OpenSSL bin directory
5) Likewise, create the four batch files and place them in the bin
directory.
6) Execute the CreateCA, CreateClient, CreateServer, CreateTrustStore batch
files in that order.
Tomcat instructions:
1) Track down the Tomcat version your using to find out where it likes to
see the server cert.
In 5.5.12, it likes TOMCAT_HOME (so do I), 5.5.9 requires it in the user's
home dictory of the user account that
launches Tomcat. Copy the server.keystore to that directory.
2) Copy the trust.keystore to the TOMCAT_HOME. Remember why we're doing
this. Without an explicitly assigned trust
store, Tomcat will go to the prevailing JDK/JRE and load the contents of
/lib/cacerts as the only "trusted" signers.
We short-circuit that pathing to specify our trust store until we are
satisfied we have it right. Afterwards, we
could load out "rootCA" trusted CA into the JRE's cacerts if you want.
3) Modify Tomcats server.xml file to add/modify the SSL connector to provide
the correct pathign to the two stores.
I used:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="server.keystore" keystorePass="changeit"
keystoreType="JKS"
truststoreFile="trust.keystore" truststorePass="changeit"
truststoreType="JKS"
/>
4) Add the certificate's CommonName for each client to the tomcat-users.xml
file. My play version is:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="user"/>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="Daniel Puryear danielp" password=""
roles="admin,manager,tomcat,user"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="admin" password="admin" roles="admin,manager"/>
</tomcat-users>
At this point Tomcat should find a client match and complete the SSL
"session" setup (not the HTTP session)
5) If you want Tomcat to provide user role control on a servlet by servlet
basis, edit the WebApps web.xml file. My
play version is:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" >
<display-name>
HelloWebProj</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>HelloWorld</servlet-name>
<servlet-class>HelloWorld</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>HelloWorld</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<display-name>Example Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>Protected H Area</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/h/*</url-pattern>
<!-- If you list http methods, only those methods are protected -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>tomcat</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>tomcat-users</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>tomcat</role-name>
</security-role>
</web-app>
If you need to watch/debug the SSL protocol handshaking include
the -Djavax.net.debug=all System property. I used a
batch file to launch Tomcat while I was debugging the certificate issues:
java -Dcatalina.home="C:\Program Files\Apache Software Foundation\Tomcat
5.5" -Djava.endorsed.dirs="C:\Program
Files\Apache Software Foundation\Tomcat
5.5\common\endorsed" -Djavax.net.debug=all -cp ./bin/bootstrap.jar
org.apache.catalina.startup.Bootstrap "start"
pause
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
