On Wed, Nov 28, 2012 at 8:45 AM, Daniel Mikusa <dmik...@vmware.com> wrote:
> On Nov 28, 2012, at 8:35 AM, Will Nordmeyer wrote:
>
>> On Tue, Nov 27, 2012 at 5:12 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
>>> On Nov 27, 2012, at 12:56 PM, Will Nordmeyer wrote:
>>>
>>>> On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
>>>>> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>>>>>
>>>>>> I have a self-signed server certificate - and the user certs have no association/connection to the server cert.
>>>>>
>>>>> I apologize, but I'm not exactly sure what you are trying to configure with the certs and the crl file. Can you take a step back from the problem and give us some higher level details on what you are trying to achieve with this configuration?
>>>>>
>>>>> Dan
>>>>
>>>> OK, I am emulating the production environment for the application my development team works on. The production environment is on government facilities and equipment. Users authenticate with a Common Access Card (CAC) & PIN. Our current environment has a locally developed PIN check, which is insufficient going forward. Rather than developing code to do all of the work, it seems most appropriate to simply utilize the abilities built into tomcat to do that before our application even gets accessed.
>>>>
>>>> The development server I stood up is a virtual server, running CentOS 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips. I used openssl to generate a self-signed certificate, rather than getting an actual SSL cert from an outside source since this is a closed development system.
>>>>
>>>> With that in mind, we are working to implement Certificate Authentication & Validation within Tomcat. I've got the environment configured to prompt for the certificate and through the browser/client environment the PIN prompt is triggered without issue as long as the crlFile parameter isn't set in the connector. That was easy.
>>>>
>>>> My problem comes when I attempt to implement Certificate Revocation List checking. The Government has a root certificate and about 20-30 different intermediate certificate authorities that could have issued the user certificate. I have loaded the root and intermediate government certificates into my local truststore and am loading it properly (based on the fact that the user certificates are recognized and accepted).
>>>>
>>>> I have downloaded all the root certificate CRL data and each individual CA's CRL data. Through the openssl commands, I converted them to PEM and then copied them all into one massive CRL file. I have also, for testing, created a file with the root CRL data and the CRL data for the CA which issued my Certificate.
>>>>
>>>> When I run the complete CRL, I run out of memory (271 MB CRL). When I run just the root & my CA, it doesn't run out of memory, but it also doesn't trigger the PIN prompt (I assume the crl check happens before the PIN is checked?), and just displays "Page cannot be displayed."
>>>>
>>>> I know my certificate is OK - when I use it to access other sites that require that certificate, it works fine.
>>>>
>>>> Does that give you a clear(er) picture? :)
>>>
>>> Definitely. A couple suggestions…
>>>
>>> 1.) You may want to take a look at org.apache.tomcat.util.net.jsse.JSSESocketFactory. Search for "crlFile" and you can see how this is being configured and utilized.
>>>
>>> https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_36/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>>
>>> 2.) Maybe try using Tomcat native and the APR connector. This would offload SSL to openssl which may handle things more efficiently.
>>>
>>> Dan
>>>
>> OK - I enabled Tomcat native & the APR, but now it doesn't prompt me for the Client Certificate.
>>
>> The log file has:
>>
>> Nov 28, 2012 8:10:36 AM org.apache.catalina.startup.SetAllPropertiesRule begin
>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'true' did not find a matching property.
>
> clientAuth only works for the BIO / NIO connectors. I think you want "SSLVerifyClient" with the APR connector.
>
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> Dan
>

OK... thanks. That was purely me and literacy this morning. I looked RIGHT at that line and decided, nope... must not apply to me. I changed everything ELSE.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org