On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote: > On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com> wrote: >> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote: >> >>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com> wrote: >>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote: >>>> >>>>> I have a self signed server certificate - and the user certs have no >>>>> association/connection to the server cert. >>>> >>>> I apologize, but I'm not exactly sure what you are trying to configure >>>> with the certs and the crl file. Can you take a step back from the >>>> problem and give us some higher level details on what you are trying to >>>> achieve with this configuration? >>>> >>>> Dan >>> >>> OK, I'm am emulating the production enviroment for the application my >>> development team works on. The production environment is on goverment >>> facilitiies and equipment. Users authenticate with a Common Access >>> Card (CAC) & PIN. Our current environment has a locally developed PIN >>> check, which is insufficient going forward. Rather than developing >>> code to do all of the work, it seems most appropriate to simply >>> utilize the abilities built into tomcat to do that before our >>> application even gets accessed. >>> >>> The development server I stood up is a virtual server, running CentOS >>> 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips. I used openssl to >>> generate a self-signed certificate, rather than getting an actual SSL >>> cert from an outside source since this is a closed development system. >>> >>> With that in mind, we are working to implement Certificate >>> Authentication & Validation within Tomcat. I've got the environment >>> configured to prompt for the certificate and through the >>> browser/client enviroment the PIN prompt is triggered without issue as >>> long as the crlFile parameter isn't set in the connector. That was >>> easy. >>> >>> My problem comes when I attempt to implement Certificate Revocation >>> List checking. The Government has a root certificate and about 20-30 >>> different intermediate certificate authorities that could have issued >>> the user certificate. I have loaded the root and intermediate >>> government certificate into my local truststore and am loading it >>> properly (based on the fact that the user certificates are recognized >>> and accepted). >>> >>> I have downloaded all the root certificate CRL data and each >>> individual CA's CRL data. Through the openssl commands, I converted >>> them to PEM and then copied them all into one file massive CRL. I >>> have also, for testing, created a file with the root CRL data and the >>> CRL data for the CA which issued my Certificate. >>> >>> When I run the complete CRL, I run out of memory (271 MB CRL). When I >>> run just the root & my CA, it doesn't run out of memory, but it also >>> doesn't trigger the PIN prompt (I assume the crl check happens before >>> the PIN is checked?), and just displays "Page cannot be displayed." >>> >>> I know my certificate is OK - when I use it to access other sites that >>> require that certificate, it works fine. >>> >>> Does that give you a clear(er) picture? :) >> >> Definitely. A couple suggestions… >> >> 1.) You may want to take a look at >> org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile" and >> you can see how this is being configured and utilized. >> >> >> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java >> >> 2.) Maybe try using Tomcat native and the APR connector. This would offload >> SSL to openssl which may handle things more efficiently. >> >> Dan >> > OK - I enabled Tomcat native & the APR, but now it doesn't prompt me > for the Client Certificate. > > The log file has: > > Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin > WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting > property 'clientAuth' to 'true' did not find a matching property.
clientAuth only works for the BIO / NIO connectors. I think you want "SSLVerifyClient" with the APR connector. https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native Dan > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org