Hi,

Please find the meaningful log again.

FINE: Authenticating client certificate chain
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=ssodemo01.es.ad.adp.com, OU="DataExchange, ADP Technologies", O="Automatic Data Processing, Inc", STREET=1 ADP Blvd., L=Roseland, ST=New Jersey, POSTALCODE=07068, C=US, SERIALNUMBER=0568328, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase authenticate
FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 8:11:00 PM org.apache.catalina.realm.RealmBase getPrincipal
FINE: Got user name from X509 certificate: CN=ssodemo01.es.ad.adp.com, OU="DataExchange, ADP Technologies", O="Automatic Data Processing, Inc", STREET=1 ADP Blvd., L=Roseland, ST=New Jersey, POSTALCODE=07068, C=US, SERIALNUMBER=0568328, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
May 03, 2014 8:11:00 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test

Desc T_User
Name         Null     Type
-----------  -------- ----------
USERNAME     NOT NULL CHAR(1000)
PASSWORD              CHAR(24)
DESCRIPTION           CHAR(500)

Desc T_Roles
Name         Null     Type
-----------  -------- ---------
ROLENAME     NOT NULL CHAR(100)
DESCRIPTION           CHAR(250)

Desc T_User_Roles
Name      Null     Type
--------  -------- ----------
USERNAME           CHAR(1000)
ROLENAME  NOT NULL CHAR(100)

Appreciate your help and support.
Thanks
Dhaya

On Sat, May 3, 2014 at 8:37 PM, Martin Gainty <mgai...@hotmail.com> wrote:
>
>
> > Date: Sat, 3 May 2014 19:31:17 -0400
> > Subject: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
> > From: dhayamoorthi2...@gmail.com
> > To: users@tomcat.apache.org
> >
> > Hi,
> >
> > In Tomcat7, we are trying to do client certificate authentication using
> > datasource realm. But it fails.
> >
> > Please find the configuration below:
> >
> > server.xml:
> > ----------------
> > <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> > <Server port="8005" shutdown="SHUTDOWN"><Listener SSLEngine="on"
> > className="org.apache.catalina.core.AprLifecycleListener"/>
> > <Listener className="org.apache.catalina.core.JasperListener"/>
> > <Listener
> > className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
> > <Listener
> > className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
> > <Listener
> > className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
> > <!-- <GlobalNamingResources><Resource auth="Container" description="User
> > database that can be updated and saved"
> > factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> > name="UserDatabase" pathname="conf/tomcat-users.xml"
> > type="org.apache.catalina.UserDatabase"/>
> > </GlobalNamingResources> -->
> > <Service name="Catalina">
> > <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
> > keyAlias="masfed_server_dit"
> > keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
> > maxThreads="150" port="8443"
> > protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
> > secure="true" server="Server" sslProtocol="TLS"
> > truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
> > truststorepass="sso@di" enablelookups="false"/>
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
> > <Engine defaultHost="localhost" name="Catalina">
> > <!-- <Realm className="org.apache.catalina.realm.MemoryRealm"
> > resourceName="UserDatabase"/> -->
> > <!--
> > <Realm className="org.apache.catalina.realm.LockOutRealm"><Realm
> > className="org.apache.catalina.realm.UserDatabaseRealm"
> > resourceName="UserDatabase"/>
> > </Realm>
> > -->
> > <GlobalNamingResources>
> > <Realm className="org.apache.catalina.realm.DataSourceRealm"
> > dataSourceName="jdbc/FederationDS"
> > userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
> > userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
> > allRolesMode="authOnly" />
> > </GlobalNamingResources>
> >
> > <Host appBase="webapps" autoDeploy="true" name="localhost"
> > unpackWARs="true"><Valve
> > className="org.apache.catalina.valves.AccessLogValve" directory="logs"
> > pattern="%h %l %u %t "%r" %s %b" prefix="localhost_access_log."
> > suffix=".txt"/>
> > </Host>
> > </Engine>
> > </Service>
> > </Server>
> >
> >
> > security role configuration <tomcat_base>/conf/web.xml:
> > ---------------------------------------------------------------------------------
> >
> > <security-role>
> > <role-name>masFedClient</role-name>
> > </security-role>
> > <security-constraint>
> > <web-resource-collection>
> > <web-resource-name>all</web-resource-name>
> > <url-pattern>/*</url-pattern>
> > </web-resource-collection>
> > <auth-constraint>
> > <role-name>masFedClient</role-name>
> > </auth-constraint>
> > <user-data-constraint>
> > <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > </user-data-constraint>
> > </security-constraint>
> > <login-config>
> > <auth-method>CLIENT-CERT</auth-method>
> > <!-- <realm-name>tomcat-users</realm-name> -->
> > <realm-name>jdbc/FederationDS</realm-name>
> > </login-config>
> >
> > Database has all the required tables and columns.
> >
> > But authentication fails with the below mentioned error:
> >
> > FINE: Checking validity for
> > '$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'
> MG>this is an insane value..change it to something meaningful using
> [A-Z][0-9] characters
> MG>besides which your user_name length is WAY beyond the 15 byte
> allocation for the table
> create table T_USER
> (
> user_name varchar(15) not null primary key,
> user_pass varchar(15) not null
> );
> MG>
> > May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
> > FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL
> > SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign
> > Trust Network, O="VeriSign, Inc.", C=US'
> > May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
> > FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary
> > Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized
> > use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
> > May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
> > FINE: Got user name from X509 certificate:
> > $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
> > May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase
> > invoke
> > FINE: Failed authenticate() test
> >
> > For security purposes, I had made the certificate CN name $$$$$$$$$$.
> MG>cn is ROLE not the user_name
> MG>https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
> > The error message does not tell why the authentication is failing.
> MG>yes it does ..it cannot authenticate
> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
> > Do I need to enable additional logs? If so, how do I enable them?
> >
> > Request your help in fixing this issue.
> > Any help would be highly appreciated.
> >
> > Thanks
> > Dhaya
> >
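To make the matching rule behind this thread concrete, here is an added Python model (not Tomcat's code and not part of the thread) of what DataSourceRealm does under CLIENT-CERT, with sqlite3 standing in for the jdbc/FederationDS data source. The table and column names are the ones in the posted realm configuration, the required role is the one in the posted web.xml, the certificate is a constructed stand-in carrying only the subject DN and validity window, and the DN is the string the posted log shows as the user name. The model shows that the realm keys its lookup on the full subject DN string as logged, never on the CN alone, that the PASSWORD column is never compared for CLIENT-CERT, and that a blank-padded stored value does not match the bound parameter.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Realm attributes exactly as configured in the posted server.xml.
USER_TABLE, USER_NAME_COL, USER_CRED_COL = "T_USER", "USERNAME", "PASSWORD"
USER_ROLE_TABLE, ROLE_NAME_COL = "T_USER_ROLES", "ROLENAME"
REQUIRED_ROLE = "masFedClient"  # <auth-constraint> in the posted web.xml

# The user name the realm logged ("Got user name from X509 certificate: ...").
# For CLIENT-CERT it is the whole subject DN as Java renders it, quotes and
# OID.* attribute names included, not just the CN.
SUBJECT_DN = (
    'CN=ssodemo01.es.ad.adp.com, OU="DataExchange, ADP Technologies", '
    'O="Automatic Data Processing, Inc", STREET=1 ADP Blvd., L=Roseland, '
    'ST=New Jersey, POSTALCODE=07068, C=US, SERIALNUMBER=0568328, '
    'OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, '
    'OID.1.3.6.1.4.1.311.60.2.1.3=US'
)


def make_cert(subject_dn, not_before, not_after):
    """Constructed stand-in for an X509 certificate: only the fields the
    realm's authenticate(X509Certificate[]) actually inspects."""
    return {"subject": subject_dn, "not_before": not_before, "not_after": not_after}


def build_db(stored_username):
    """Constructed schema with the columns from the posted DESC output.
    stored_username is whatever was written into USERNAME in both tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {USER_TABLE} ({USER_NAME_COL} TEXT NOT NULL, {USER_CRED_COL} TEXT, DESCRIPTION TEXT);
        CREATE TABLE T_ROLES ({ROLE_NAME_COL} TEXT NOT NULL, DESCRIPTION TEXT);
        CREATE TABLE {USER_ROLE_TABLE} ({USER_NAME_COL} TEXT, {ROLE_NAME_COL} TEXT NOT NULL);
    """)
    # PASSWORD left NULL on purpose: CLIENT-CERT never compares a credential.
    conn.execute(f"INSERT INTO {USER_TABLE} VALUES (?, NULL, 'federation client')", (stored_username,))
    conn.execute("INSERT INTO T_ROLES VALUES (?, 'may call /*')", (REQUIRED_ROLE,))
    conn.execute(f"INSERT INTO {USER_ROLE_TABLE} VALUES (?, ?)", (stored_username, REQUIRED_ROLE))
    conn.commit()
    return conn


def get_principal(conn, username):
    """The two lookups DataSourceRealm derives from userTable/userNameCol/
    userCredCol/userRoleTable/roleNameCol. Like the realm, it binds the raw
    user name and relies on the database for an exact string compare.
    This model always builds a principal and lets the role check decide."""
    cred_sql = f"SELECT {USER_CRED_COL} FROM {USER_TABLE} WHERE {USER_NAME_COL} = ?"
    role_sql = f"SELECT {ROLE_NAME_COL} FROM {USER_ROLE_TABLE} WHERE {USER_NAME_COL} = ?"
    row = conn.execute(cred_sql, (username,)).fetchone()
    roles = [r[0] for r in conn.execute(role_sql, (username,))]
    return {"name": username, "password": row[0] if row else None, "roles": roles}


def authenticate(conn, chain, now):
    """Order of checks in RealmBase.authenticate(X509Certificate[]): every
    cert in the chain must be inside its validity window, then the principal
    is looked up by the leaf certificate's subject DN."""
    if not chain:
        return None
    for cert in chain:
        if not (cert["not_before"] <= now <= cert["not_after"]):
            return None  # rejected before any SQL is issued
    return get_principal(conn, chain[0]["subject"])


def request_allowed(conn, chain, now):
    """Authentication followed by the <auth-constraint> role check."""
    principal = authenticate(conn, chain, now)
    return principal is not None and REQUIRED_ROLE in principal["roles"]


def demo():
    now = datetime(2014, 5, 3, 20, 11, tzinfo=timezone.utc)  # timestamp from the posted log
    window = (now - timedelta(days=30), now + timedelta(days=365))
    leaf = make_cert(SUBJECT_DN, *window)
    expired = make_cert(SUBJECT_DN, window[0], now - timedelta(days=1))
    return {
        # row keyed by the full DN string: match, role found, request allowed
        "full_dn": request_allowed(build_db(SUBJECT_DN), [leaf], now),
        # row keyed by the CN alone: the realm never queries by CN
        "cn_only": request_allowed(build_db("ssodemo01.es.ad.adp.com"), [leaf], now),
        # row blank-padded the way a CHAR(1000) column stores it: no exact match
        "char_padded": request_allowed(build_db(SUBJECT_DN.ljust(1000)), [leaf], now),
        # expired leaf: rejected before the database is consulted
        "expired": request_allowed(build_db(SUBJECT_DN), [expired], now),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:12s} -> {'allowed' if allowed else 'denied'}")
```

Two caveats for anyone reproducing this against the posted schema. First, the DESC output has USERNAME as CHAR(1000); on Oracle, which that output resembles, a CHAR column is blank-padded on insert while a JDBC String parameter binds as VARCHAR2, and Oracle compares CHAR against VARCHAR2 with non-padded semantics, so the realm's `WHERE USERNAME = ?` will not match the padded row (the "char_padded" case above); a VARCHAR2 column avoids that. Second, the realm-howto linked in the thread nests `<Realm>` directly inside `<Engine>`, `<Host>` or `<Context>`, whereas the posted server.xml has it inside a `<GlobalNamingResources>` element within `<Engine>`; confirming the realm is actually attached to the Engine is worth doing before spending more time on the database.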