On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <[email protected]> wrote:
> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>
>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <[email protected]> wrote:
>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>
>>>> I have a self signed server certificate - and the user certs have no
>>>> association/connection to the server cert.
>>>
>>> I apologize, but I'm not exactly sure what you are trying to configure with
>>> the certs and the crl file. Can you take a step back from the problem and
>>> give us some higher level details on what you are trying to achieve with
>>> this configuration?
>>>
>>> Dan
>>
>> OK, I am emulating the production environment for the application my
>> development team works on. The production environment is on government
>> facilities and equipment. Users authenticate with a Common Access
>> Card (CAC) & PIN. Our current environment has a locally developed PIN
>> check, which is insufficient going forward. Rather than developing
>> code to do all of the work, it seems most appropriate to simply
>> utilize the abilities built into tomcat to do that before our
>> application even gets accessed.
>>
>> The development server I stood up is a virtual server, running CentOS
>> 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips. I used openssl to
>> generate a self-signed certificate, rather than getting an actual SSL
>> cert from an outside source since this is a closed development system.
>>
>> With that in mind, we are working to implement Certificate
>> Authentication & Validation within Tomcat. I've got the environment
>> configured to prompt for the certificate and through the
>> browser/client environment the PIN prompt is triggered without issue as
>> long as the crlFile parameter isn't set in the connector. That was
>> easy.
>>
>> My problem comes when I attempt to implement Certificate Revocation
>> List checking. The Government has a root certificate and about 20-30
>> different intermediate certificate authorities that could have issued
>> the user certificate. I have loaded the root and intermediate
>> government certificates into my local truststore and am loading them
>> properly (based on the fact that the user certificates are recognized
>> and accepted).
>>
>> I have downloaded all the root certificate CRL data and each
>> individual CA's CRL data. Through the openssl commands, I converted
>> them to PEM and then copied them all into one massive CRL file. I
>> have also, for testing, created a file with the root CRL data and the
>> CRL data for the CA which issued my Certificate.
>>
>> When I run the complete CRL, I run out of memory (271 MB CRL). When I
>> run just the root & my CA, it doesn't run out of memory, but it also
>> doesn't trigger the PIN prompt (I assume the crl check happens before
>> the PIN is checked?), and just displays "Page cannot be displayed."
>>
>> I know my certificate is OK - when I use it to access other sites that
>> require that certificate, it works fine.
>>
>> Does that give you a clear(er) picture? :)
>
> Definitely. A couple suggestions…
>
> 1.) You may want to take a look at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile" and
> you can see how this is being configured and utilized.
>
>
> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>
> 2.) Maybe try using Tomcat native and the APR connector. This would offload
> SSL to openssl which may handle things more efficiently.
>
> Dan
>
OK - I enabled Tomcat native & the APR, but now it doesn't prompt me
for the Client Certificate.
The log file has:
Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
property 'clientAuth' to 'true' did not find a matching property.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
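The warning at the end of the thread is the symptom of switching connector implementations: once Tomcat native is loaded, a connector declared with `protocol="HTTP/1.1"` becomes the APR connector, which hands SSL to OpenSSL and takes mod_ssl-style attribute names, so the JSSE-only `clientAuth` and `crlFile` are silently ignored apart from that "did not find a matching property" log line. The two fragments below, added here as an illustration and not taken from the thread or from the Tomcat documentation, show the same client-certificate-with-CRL policy written for each connector on Tomcat 6. File names, passwords and the port are placeholders; the truststore/CA file is assumed to hold the government root plus the issuing intermediates.

```xml
<!-- JSSE (pure Java) connector, pinned explicitly so it stays JSSE even when
     the native library is present. clientAuth/crlFile are JSSE attributes;
     crlFile is one PEM file that is parsed into CRL objects on the JVM heap. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks" keystorePass="changeit"
           truststoreFile="${catalina.base}/conf/gov-cas.jks" truststorePass="changeit"
           clientAuth="true"
           crlFile="${catalina.base}/conf/all-crls.pem" />

<!-- APR/native connector: the same policy in OpenSSL terms. SSLVerifyClient
     replaces clientAuth (require ~ clientAuth="true"), the CA bundle is a PEM
     file rather than a keystore, and revocation data comes from either a
     single PEM bundle (SSLCARevocationFile) or a hashed directory of
     <issuer-hash>.r0 files (SSLCARevocationPath), which OpenSSL opens per
     issuer at verification time instead of parsing every CRL up front. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/server.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/server.key"
           SSLCACertificateFile="${catalina.base}/conf/gov-cas.pem"
           SSLVerifyClient="require" SSLVerifyDepth="10"
           SSLCARevocationPath="${catalina.base}/conf/crl-hash" />
```

`SSLVerifyDepth` needs to cover the full root-to-intermediate-to-user chain length; with a CA bundle of 20-30 intermediates the default of 10 is usually enough, but it is the first thing to raise if OpenSSL reports the chain as too long.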
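The CRL preparation described in the thread (download per-CA CRLs, convert to PEM, concatenate) is easy to get subtly wrong, and "Page cannot be displayed" gives no hint whether the user certificate was actually rejected by the revocation check. The script below is an added example, not code from the thread, Tomcat or any government PKI: it builds a throwaway CA with two user certificates (one revoked) as a constructed stand-in for the real root/intermediate CAs, normalises the resulting CRL from DER to PEM, produces both the single PEM bundle that JSSE `crlFile` takes and the `<hash>.r0` hashed directory that `SSLCARevocationPath` takes, and then validates each certificate against them with `openssl verify -crl_check`, which is the same check the connector performs but run outside the JVM. It assumes the `openssl` command line tool and `mktemp` are available; all names and paths are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: turn a pile of per-CA CRL downloads
# (DER or PEM) into (a) one concatenated PEM bundle, the form Tomcat's JSSE
# crlFile takes, and (b) an OpenSSL hashed directory (<hash>.r0 files), the
# form mod_ssl-style SSLCARevocationPath takes, then check user certs against
# either with "openssl verify -crl_check". Assumes the openssl CLI and mktemp.
set -e

# Constructed stand-in for the real PKI: one issuing CA, two user certs
# (alice revoked, bob valid) and a DER CRL "downloaded" into $1/downloads.
make_sample_pki() {
  work=$1; ca=$work/ca; cfg=$work/openssl.cnf
  mkdir -p "$ca/newcerts" "$work/downloads"
  : > "$ca/index.txt"; echo 01 > "$ca/serial"
  cat > "$cfg" <<EOF
[ ca ]
default_ca = sample_ca
[ sample_ca ]
database = $ca/index.txt
serial = $ca/serial
new_certs_dir = $ca/newcerts
certificate = $ca/ca.pem
private_key = $ca/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -config "$cfg" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Sample Issuing CA" -keyout "$ca/ca.key" -out "$ca/ca.pem" 2>/dev/null
  for user in alice bob; do
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
      -keyout "$work/$user.key" -out "$work/$user.csr" 2>/dev/null
    openssl ca -config "$cfg" -batch -notext -in "$work/$user.csr" \
      -out "$work/$user.pem" 2>/dev/null
  done
  openssl ca -config "$cfg" -revoke "$work/alice.pem" 2>/dev/null
  openssl ca -config "$cfg" -gencrl -out "$work/ca-crl.pem" 2>/dev/null
  # CAs usually publish DER, so give the bundle step a DER input to cope with.
  openssl crl -in "$work/ca-crl.pem" -outform DER -out "$work/downloads/sample-ca.crl"
}

# Normalise one CRL to PEM whatever encoding it was fetched in.
crl_to_pem() {
  openssl crl -inform PEM -in "$1" 2>/dev/null > "$2" ||
    openssl crl -inform DER -in "$1" > "$2"
}

# Concatenate every CRL under $1 into the PEM bundle $2 and also lay them out
# in hashed-directory form under $3 (one <issuer-hash>.rN file per CRL).
build_crl_bundle() {
  src=$1; bundle=$2; hashdir=$3
  mkdir -p "$hashdir"; : > "$bundle"
  for f in "$src"/*; do
    [ -f "$f" ] || continue
    crl_to_pem "$f" "$hashdir/tmp.pem"
    cat "$hashdir/tmp.pem" >> "$bundle"
    h=$(openssl crl -in "$hashdir/tmp.pem" -noout -hash)
    n=0; while [ -e "$hashdir/$h.r$n" ]; do n=$((n + 1)); done
    mv "$hashdir/tmp.pem" "$hashdir/$h.r$n"
  done
}

# Validate a user cert against the trust anchors in $1 with revocation
# checking, using $3 as either a PEM CRL bundle or a hashed CRL directory.
check_cert() {
  cafile=$1; cert=$2; crls=$3
  if [ -d "$crls" ]; then opt=-CApath; else opt=-CRLfile; fi
  if openssl verify -crl_check -CAfile "$cafile" "$opt" "$crls" "$cert" >/dev/null 2>&1; then
    echo "$(basename "$cert"): accepted"; return 0
  fi
  echo "$(basename "$cert"): rejected (revoked, or no CRL found for its issuer)"
  return 1
}

WORK=$(mktemp -d)
make_sample_pki "$WORK"
build_crl_bundle "$WORK/downloads" "$WORK/all-crls.pem" "$WORK/crl-hash"
check_cert "$WORK/ca/ca.pem" "$WORK/alice.pem" "$WORK/all-crls.pem" || true
check_cert "$WORK/ca/ca.pem" "$WORK/bob.pem" "$WORK/crl-hash"
```

Two things worth knowing when pointing this at real downloads: `openssl verify -crl_check` rejects a certificate not only when it is listed but also when no CRL for its issuer can be found at all, so a rejection of a known-good CAC certificate means the issuing intermediate's CRL is missing from the bundle (or its signature does not verify against the CA bundle), not that the card is revoked; and with the hashed directory `openssl crl -hash` must be run with the same OpenSSL major version that will consume the directory, because the subject-name hash algorithm changed in 1.0.0.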