Sushil,

Please maintain a single thread when (repeatedly) asking the same questions.

On 9/4/13 5:20 AM, Sushil Prusty wrote:
> <Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
> disableUploadTimeout="true" enableLookups="false"
> keystoreFile="/LocalDev/software/ssl/server/server.ks"
> keystorePass="password"
> truststoreFile="/LocalDev/software/ssl/server/server.ks"
> truststorePass="password" maxThreads="250" port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> scheme="https" secure="true" sslProtocol="TLS" />
>
> Please let me know is there any extra configuration required to do
> in server side to validate client certificate?

It sounds like you have already configured client certificate validation, but it's not working the way you expected.

First off, I usually see configurations where the "trust store" is separate from the "key store". Your keystore should be considered "super secret" and shouldn't change much. Your trust store, on the other hand, might undergo lots of changes over time to add CA certs, client certs, etc.

Second, what do you actually have in your keystore? Since you are using JSSE, your keystore should contain the server's key and certificate, plus any CA certificates and intermediate CA certificates necessary to provide a certificate chain from your server to one the browser trusts (e.g. VeriSign Top-level -> VeriSign intermediate -> Your cert). What else do you have in there?

In order to verify client certificates, you'll need to have either the client certificate itself, or the certificate that signed the client certificate, or a chain similar to the above (e.g. Cert a -> Cert b -> Cert c -> Your client cert). This may be a simple problem of not having the right CA certificate(s) in your trust store.

-chris
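
Added example, not part of the original message and not Tomcat's own code: a small Java program that lists what a JSSE store holds and checks whether a client certificate is a trusted entry or chains to one. The class name TrustStoreCheck, its arguments and the PEM layout (client certificate first, then any intermediates) are assumptions; it uses the JDK PKIX validator with revocation checks off, which approximates the connector's check rather than reproducing it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/** Usage: java TrustStoreCheck <store-file> <store-password> <client-chain.pem> */
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <store> <password> <client-chain.pem>");
            System.exit(2);
        }
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }
        // Assumed file layout: client certificate first, then any intermediates.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(args[2])) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        if (chain.isEmpty()) {
            System.err.println("no certificates found in " + args[2]);
            System.exit(2);
        }
        // Show what the store holds: private-key entries vs. trusted certificates.
        boolean pinned = false;
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            String kind = store.isKeyEntry(alias) ? "private key + cert" : "trusted cert";
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "?";
            System.out.println(alias + " [" + kind + "] " + subject);
            pinned |= store.isCertificateEntry(alias) && chain.get(0).equals(c);
        }
        if (pinned) {
            System.out.println("OK: client certificate itself is a trusted entry");
            return;
        }
        try {
            PKIXParameters params = new PKIXParameters(store); // trusted-cert entries only
            params.setRevocationEnabled(false); // path validation only, no CRL/OCSP lookups
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("OK: chain ends at a CA certificate in the store");
        } catch (GeneralSecurityException e) {
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

A store that holds only the server's private-key entry has no trusted-certificate entries, so the PKIXParameters constructor rejects it and the program prints FAIL with that reason.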