Hi,
In Tomcat 7, we are trying to do client certificate authentication using a
DataSourceRealm, but it fails.
Please find the configuration below:
server.xml:
----------------
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <!-- <GlobalNamingResources>
         <Resource auth="Container" description="User database that can be updated and saved"
                   factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                   name="UserDatabase" pathname="conf/tomcat-users.xml"
                   type="org.apache.catalina.UserDatabase"/>
       </GlobalNamingResources> -->
  <Service name="Catalina">
    <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
               keyAlias="masfed_server_dit"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
               maxThreads="150" port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
               secure="true" server="Server" sslProtocol="TLS"
               truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
               truststorepass="sso@di" enablelookups="false"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina">
      <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" resourceName="UserDatabase"/> -->
      <!--
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      -->
      <GlobalNamingResources>
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/FederationDS"
               userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
               userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
               allRolesMode="authOnly"/>
      </GlobalNamingResources>
      <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
               suffix=".txt"/>
      </Host>
    </Engine>
  </Service>
</Server>
Security role configuration in <tomcat_base>/conf/web.xml:
---------------------------------------------------------------------------------
<security-role>
  <role-name>masFedClient</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>masFedClient</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <!-- <realm-name>tomcat-users</realm-name> -->
  <realm-name>jdbc/FederationDS</realm-name>
</login-config>
Database has all the required tables and columns.
But authentication fails with the error shown below:
FINE: Checking validity for '$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
FINE: Got user name from X509 certificate: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test
For security purposes, I have masked the certificate CN as $$$$$$$$$$.
The error message does not tell why the authentication is failing.
Do I need to enable additional logs? If so, how do I enable them?
Request your help in fixing this issue.
Any help would be highly appreciated.
Thanks
Dhaya
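An added check, not from the original post, written against Tomcat 7's configuration rules as I know them (the sample server.xml, its paths and password are constructed): Catalina only wires a Realm that sits directly under Engine, Host or Context (or inside another Realm), GlobalNamingResources belongs directly under Server, and Connector attribute names are case-sensitive. The script parses a server.xml and reports Realms in positions Tomcat never reads, an Engine left with the default NullRealm, and truststore attributes whose spelling will not be picked up.

```python
import xml.etree.ElementTree as ET

# Parents under which Catalina's digester actually wires a <Realm>.
REALM_PARENTS = {"Engine", "Host", "Context", "Realm"}
# Documented Connector truststore attribute names (case-sensitive).
TRUSTSTORE_ATTRS = ("truststoreFile", "truststorePass")

# Constructed sample mirroring the layout of the server.xml in the post above
# (hypothetical path and password).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" clientAuth="true" scheme="https"
               secure="true" truststorefile="/path/to/trust.jks" truststorepass="changeit"/>
    <Engine name="Catalina" defaultHost="localhost">
      <GlobalNamingResources>
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/FederationDS"/>
      </GlobalNamingResources>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Return a list of findings about the Realm and client-cert layout of a server.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for parent in root.iter():  # ElementTree has no parent links, so inspect (parent, child) pairs
        for child in parent:
            if child.tag == "Realm" and parent.tag not in REALM_PARENTS:
                findings.append("Realm %s under <%s> is never wired up"
                                % (child.get("className"), parent.tag))
            elif child.tag == "GlobalNamingResources" and parent.tag != "Server":
                findings.append("GlobalNamingResources under <%s> is ignored; it belongs "
                                "directly under <Server>" % parent.tag)
    for engine in root.iter("Engine"):
        if engine.find("Realm") is None and engine.find("Host/Realm") is None:
            findings.append("Engine %s has no Engine- or Host-level Realm; Tomcat 7 falls back "
                            "to NullRealm, which rejects every client certificate" % engine.get("name"))
    for conn in root.iter("Connector"):
        if conn.get("clientAuth", "").lower() != "true":
            continue
        by_lower = {name.lower(): name for name in conn.attrib}
        for attr in TRUSTSTORE_ATTRS:
            if attr not in conn.attrib and attr.lower() in by_lower:
                findings.append("Connector %s: %r should be spelled %r, otherwise the JVM default "
                                "truststore is used" % (conn.get("port"), by_lower[attr.lower()], attr))
    return findings
```

Independently of where the Realm sits, the DN printed after "Got user name from X509 certificate" is, with Tomcat 7's default behaviour, the exact string the DataSourceRealm uses in its userNameCol lookup and role query, so the role table must map that full subject DN to masFedClient.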