On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote:

> On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
>> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>> 
>>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
>>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>> 
>>>>> I have a self signed server certificate - and the user certs have no
>>>>> association/connection to the server cert.
>>>> 
>>>> I apologize, but I'm not exactly sure what you are trying to configure 
>>>> with the certs and the crl file.  Can you take a step back from the 
>>>> problem and give us some higher level details on what you are trying to 
>>>> achieve with this configuration?
>>>> 
>>>> Dan
>>> 
>>> OK, I'm am emulating the production enviroment for the application my
>>> development team works on.  The production environment is on goverment
>>> facilitiies and equipment.  Users authenticate with a Common Access
>>> Card (CAC) & PIN.  Our current environment has a locally developed PIN
>>> check, which is insufficient going forward.  Rather than developing
>>> code to do all of the work, it seems most appropriate to simply
>>> utilize the abilities built into tomcat to do that before our
>>> application even gets accessed.
>>> 
>>> The development server I stood up is a virtual server, running CentOS
>>> 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips.  I used openssl to
>>> generate a self-signed certificate, rather than getting an actual SSL
>>> cert from an outside source since this is a closed development system.
>>> 
>>> With that in mind, we are working to implement Certificate
>>> Authentication & Validation within Tomcat.  I've got the environment
>>> configured to prompt for the certificate and through the
>>> browser/client enviroment the PIN prompt is triggered without issue as
>>> long as the crlFile parameter isn't set in the connector.  That was
>>> easy.
>>> 
>>> My problem comes when I attempt to implement Certificate Revocation
>>> List checking.  The Government has a root certificate and about 20-30
>>> different intermediate certificate authorities that could have issued
>>> the user certificate.  I have loaded the root and intermediate
>>> government certificate into my local truststore and am loading it
>>> properly (based on the fact that the user certificates are recognized
>>> and accepted).
>>> 
>>> I have downloaded all the root certificate CRL data and each
>>> individual CA's CRL data.  Through the openssl commands, I converted
>>> them to PEM and then copied them all into one file massive CRL.  I
>>> have also, for testing, created a file with the root CRL data and the
>>> CRL data for the CA which issued my Certificate.
>>> 
>>> When I run the complete CRL, I run out of memory (271 MB CRL).  When I
>>> run just the root & my CA, it doesn't run out of memory, but it also
>>> doesn't trigger the PIN prompt (I assume the crl check happens before
>>> the PIN is checked?), and just displays "Page cannot be displayed."
>>> 
>>> I know my certificate is OK - when I use it to access other sites that
>>> require that certificate, it works fine.
>>> 
>>> Does that give you a clear(er) picture?  :)
>> 
>> Definitely.  A couple suggestions…
>> 
>> 1.) You may want to take a look at 
>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.  Search for "crlFile" and 
>> you can see how this is being configured and utilized.
>> 
>>  
>> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> 
>> 2.) Maybe try using Tomcat native and the APR connector.  This would offload 
>> SSL to openssl which may handle things more efficiently.
>> 
>> Dan
>> 
> OK - I enabled Tomcat native & the APR, but now it doesn't prompt me
> for the Client Certificate.
> 
> The log file has:
> 
> Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting
> property 'clientAuth' to 'true' did not find a matching property.

clientAuth only works for the BIO / NIO connectors.  I think you want 
"SSLVerifyClient" with the APR connector.

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

Dan

> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to