On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:

> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>
>>> I have a self-signed server certificate, and the user certs have no
>>> association/connection to the server cert.
>>
>> I apologize, but I'm not exactly sure what you are trying to configure
>> with the certs and the CRL file. Can you take a step back from the
>> problem and give us some higher-level details on what you are trying to
>> achieve with this configuration?
>>
>> Dan
>
> OK, I am emulating the production environment for the application my
> development team works on. The production environment is on government
> facilities and equipment. Users authenticate with a Common Access Card
> (CAC) & PIN. Our current environment has a locally developed PIN check,
> which is insufficient going forward. Rather than developing code to do
> all of the work, it seems most appropriate to simply utilize the
> abilities built into Tomcat to do that before our application even gets
> accessed.
>
> The development server I stood up is a virtual server, running CentOS
> 6.3 (64-bit), Tomcat 6.0.35 and openssl 1.0.0-fips. I used openssl to
> generate a self-signed certificate, rather than getting an actual SSL
> cert from an outside source, since this is a closed development system.
>
> With that in mind, we are working to implement certificate
> authentication & validation within Tomcat. I've got the environment
> configured to prompt for the certificate, and through the browser/client
> environment the PIN prompt is triggered without issue as long as the
> crlFile parameter isn't set in the connector. That was easy.
>
> My problem comes when I attempt to implement Certificate Revocation List
> checking. The Government has a root certificate and about 20-30
> different intermediate certificate authorities that could have issued
> the user certificate. I have loaded the root and intermediate
> government certificates into my local truststore and am loading them
> properly (based on the fact that the user certificates are recognized
> and accepted).
>
> I have downloaded all the root certificate CRL data and each individual
> CA's CRL data. Through the openssl commands, I converted them to PEM and
> then copied them all into one massive CRL file. I have also, for
> testing, created a file with the root CRL data and the CRL data for the
> CA which issued my certificate.
>
> When I run the complete CRL, I run out of memory (271 MB CRL). When I
> run just the root & my CA, it doesn't run out of memory, but it also
> doesn't trigger the PIN prompt (I assume the CRL check happens before
> the PIN is checked?), and just displays "Page cannot be displayed."
>
> I know my certificate is OK - when I use it to access other sites that
> require that certificate, it works fine.
>
> Does that give you a clear(er) picture? :)
Definitely. A couple of suggestions:

1.) You may want to take a look at org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile" and you can see how this is being configured and utilized.

https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java

2.) Maybe try using Tomcat Native and the APR connector. This would offload SSL to OpenSSL, which may handle things more efficiently.

Dan

>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
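The script below is an added example, not code from this thread, from Will's setup or from Tomcat. It rebuilds Will's procedure in miniature with openssl so the CRL bundle can be sanity-checked before it goes anywhere near the connector: a root CA, one issuing (intermediate) CA, two user certificates of which one is revoked, a CRL from each CA, each CRL round-tripped through DER (the form CRLs are usually downloaded in) and appended to one PEM bundle, and finally each user certificate verified against the chain and the bundle. Every CA and user name in it is made up, and the directory layout, the config sections and the function names are my own assumptions; the only real tools used are `openssl req`, `openssl ca`, `openssl x509`, `openssl crl` and `openssl verify`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Rebuilds the
# poster's situation in miniature with openssl: root CA -> issuing CA ->
# user certs (one revoked), one CRL per CA, the CRLs round-tripped through
# DER and merged into one PEM bundle, then each user cert checked against
# the bundle. Every CA and user name here is made up.
set -e
WORK=$(mktemp -d)
# One directory per CA with the database "openssl ca" needs; the [req]
# and ca_ext sections are also used when the CA certs are created.
init_ca_dir() {
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}

build_pki() {
    init_ca_dir "$WORK/root"; init_ca_dir "$WORK/issuing"
    openssl req -config "$WORK/root/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test Root CA" -keyout "$WORK/root/ca.key" -out "$WORK/root/ca.crt"
    # Issuing CA signed by the root, with CA:TRUE and cRLSign so its CRL is trusted.
    openssl req -config "$WORK/issuing/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=Test Issuing CA 01" \
        -keyout "$WORK/issuing/ca.key" -out "$WORK/issuing/ca.csr"
    openssl x509 -req -in "$WORK/issuing/ca.csr" -CA "$WORK/root/ca.crt" -CAkey "$WORK/root/ca.key" \
        -set_serial 0x100 -days 365 -extfile "$WORK/root/ca.cnf" -extensions ca_ext -out "$WORK/issuing/ca.crt"
    # Two user certs issued (and recorded) by the issuing CA; bob gets revoked.
    for u in alice bob; do
        openssl req -config "$WORK/issuing/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$u.test.user" \
            -keyout "$WORK/$u.key" -out "$WORK/$u.csr"
        openssl ca -config "$WORK/issuing/ca.cnf" -batch -notext -in "$WORK/$u.csr" -out "$WORK/$u.crt"
    done
    openssl ca -config "$WORK/issuing/ca.cnf" -revoke "$WORK/bob.crt"
    # A CRL from every CA in the chain, the root's (empty) one included.
    openssl ca -config "$WORK/root/ca.cnf" -gencrl -out "$WORK/root/crl.pem"
    openssl ca -config "$WORK/issuing/ca.cnf" -gencrl -out "$WORK/issuing/crl.pem"
    cat "$WORK/root/ca.crt" "$WORK/issuing/ca.crt" > "$WORK/chain.pem"
}

# Downloaded CRLs arrive as DER; convert each to PEM and append it to one
# bundle, as the poster did. $1 = bundle to write, rest = PEM CRLs to include.
build_bundle() {
    bundle=$1; shift; : > "$bundle"
    for c in "$@"; do
        openssl crl -in "$c" -outform DER -out "$c.der"
        openssl crl -inform DER -in "$c.der" -outform PEM >> "$bundle"
    done
}
crl_count() { grep -c -- '-----BEGIN X509 CRL-----' "$1"; }
# Issuer DN of every CRL in a bundle: the quickest way to confirm that the
# CA which issued a given user cert is actually covered by the bundle.
crl_issuers() {
    d=$(mktemp -d)
    awk -v d="$d" '/-----BEGIN X509 CRL-----/ { n++ } { print > (d "/" n ".pem") }' "$1"
    for f in "$d"/*.pem; do openssl crl -noout -issuer -in "$f"; done
    rm -rf "$d"
}
# Check user cert $1 against the chain and CRL bundle $2. Prints ok, revoked,
# crl-missing (some CA in the chain has no CRL in the bundle; openssl treats
# that as a hard failure, not as "not revoked") or fail.
check_cert() {
    if out=$(openssl verify -crl_check_all -CAfile "$WORK/chain.pem" -CRLfile "$2" "$1" 2>&1); then
        echo ok; return
    fi
    case "$out" in
        *"certificate revoked"*)           echo revoked ;;
        *"unable to get certificate CRL"*) echo crl-missing ;;
        *)                                 echo fail ;;
    esac
}

build_pki
build_bundle "$WORK/crl-bundle.pem" "$WORK/root/crl.pem" "$WORK/issuing/crl.pem"
build_bundle "$WORK/root-only.pem" "$WORK/root/crl.pem"
echo "CRLs in bundle: $(crl_count "$WORK/crl-bundle.pem")"; crl_issuers "$WORK/crl-bundle.pem"
echo "alice, full bundle:   $(check_cert "$WORK/alice.crt" "$WORK/crl-bundle.pem")"
echo "bob, full bundle:     $(check_cert "$WORK/bob.crt" "$WORK/crl-bundle.pem")"
echo "alice, root CRL only: $(check_cert "$WORK/alice.crt" "$WORK/root-only.pem")"
```

Run as-is and the three checks come back `ok`, `revoked` and `crl-missing`. The last one is the case worth noticing: with `-crl_check_all` a bundle that lacks the CRL of any CA in the chain (the root included) makes verification fail outright, so a "root plus my issuing CA" bundle is the minimum that can succeed, and `crl_issuers` is the quick way to confirm that a large concatenated bundle really contains the issuing CA's CRL and not just the root's. The working directory is left in place so the generated files can be inspected. Note that this exercises openssl's parsing and rules; the JSSESocketFactory that Dan points to reads crlFile through the JDK's own X.509 CertificateFactory, so a bundle that passes here is well-formed and complete, but that does not by itself rule out a Tomcat-side problem such as the memory exhaustion described above.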