On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com> wrote: > On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote: > >> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com> wrote: >>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote: >>> >>>> I have a self signed server certificate - and the user certs have no >>>> association/connection to the server cert. >>> >>> I apologize, but I'm not exactly sure what you are trying to configure with >>> the certs and the crl file. Can you take a step back from the problem and >>> give us some higher level details on what you are trying to achieve with >>> this configuration? >>> >>> Dan >> >> OK, I'm am emulating the production enviroment for the application my >> development team works on. The production environment is on goverment >> facilitiies and equipment. Users authenticate with a Common Access >> Card (CAC) & PIN. Our current environment has a locally developed PIN >> check, which is insufficient going forward. Rather than developing >> code to do all of the work, it seems most appropriate to simply >> utilize the abilities built into tomcat to do that before our >> application even gets accessed. >> >> The development server I stood up is a virtual server, running CentOS >> 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips. I used openssl to >> generate a self-signed certificate, rather than getting an actual SSL >> cert from an outside source since this is a closed development system. >> >> With that in mind, we are working to implement Certificate >> Authentication & Validation within Tomcat. I've got the environment >> configured to prompt for the certificate and through the >> browser/client enviroment the PIN prompt is triggered without issue as >> long as the crlFile parameter isn't set in the connector. That was >> easy. >> >> My problem comes when I attempt to implement Certificate Revocation >> List checking. The Government has a root certificate and about 20-30 >> different intermediate certificate authorities that could have issued >> the user certificate. I have loaded the root and intermediate >> government certificate into my local truststore and am loading it >> properly (based on the fact that the user certificates are recognized >> and accepted). >> >> I have downloaded all the root certificate CRL data and each >> individual CA's CRL data. Through the openssl commands, I converted >> them to PEM and then copied them all into one file massive CRL. I >> have also, for testing, created a file with the root CRL data and the >> CRL data for the CA which issued my Certificate. >> >> When I run the complete CRL, I run out of memory (271 MB CRL). When I >> run just the root & my CA, it doesn't run out of memory, but it also >> doesn't trigger the PIN prompt (I assume the crl check happens before >> the PIN is checked?), and just displays "Page cannot be displayed." >> >> I know my certificate is OK - when I use it to access other sites that >> require that certificate, it works fine. >> >> Does that give you a clear(er) picture? :) > > Definitely. A couple suggestions… > > 1.) You may want to take a look at > org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile" and > you can see how this is being configured and utilized. > > > https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java > > 2.) Maybe try using Tomcat native and the APR connector. This would offload > SSL to openssl which may handle things more efficiently. > > Dan > OK - I enabled Tomcat native & the APR, but now it doesn't prompt me for the Client Certificate.
The log file has: Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'true' did not find a matching property. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org