I am creating a Java web app (Java v17, 2021-09-14) that runs on a Tomcat
10.1.23 server. I need to authenticate users by verifying their certificate
from a smart card. (This Stack Overflow question I posted gives some good
context:
https://stackoverflow.com/questions/78387597/what-is-the-standard-modern-way-to-use-cac-piv-card-authentication-in-java-tomca
)

Through all the research I have done, the best way to solve this is by
using the server configuration in "server.xml". I am very new to Tomcat,
but I will try to explain everything as best as I can.

This authentication must occur after the user has entered their
credentials, so I'm thinking the best way is to redirect the user to a new
port (e.g., from 8443 to 8444) with the appropriate settings. And some
users will not be required to authenticate with a smart card certificate. I
asked another question on Stack Overflow
(https://stackoverflow.com/questions/78624062/how-to-get-the-popup-menu-to-select-user-certificate-in-tomcat-10-server)
that describes more of the things that I have tried specific to the server
config.

I added the command "-Djavax.net.debug=ssl" to see more details about what
was happening during the SSL handshake; I get the following:
 - javax.net.ssl|ALL|F3|https-jsse-nio-8444-exec-6|2024-06-18 10:25:02.564
MDT|X509Authentication.java:304|No X.509 cert selected for EC (and also
for EdDSA, RSA, and RSASSA-PSS)
 - javax.net.ssl|ERROR|E3|https-jsse-nio-8444-exec-5|2024-06-18
10:25:02.524 MDT|TransportContext.java:363|Fatal (BAD_CERTIFICATE): Empty
client certificate chain
 - javax.net.ssl|ERROR|E2|https-jsse-nio-8443-exec-1|2024-06-18
10:25:02.532 MDT|TransportContext.java:363|Fatal (BAD_CERTIFICATE):
Received fatal alert: bad_certificate

According to some sources (like https://stackoverflow.com/a/11803823/15811117)
this happens because some
certificates have not yet been added to the keystore/truststore. I have
ensured that the test client certificates and the server certificate have
been successfully added to the stores.

The two major questions I have are these:
 1) How can I get the popup menu for the user to select their certificate
and enter the smart card's PIN? (Both to set up their account and for later
logins.)
 2) How do I configure my server to accept the clients' certificates?

Let me know what more information would be useful.

Thanks,
Izek Hornbeck
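As an added illustration of the server.xml layout the question is asking about (this is example configuration, not from the original message or from any answer to it), the fragment below keeps the ordinary HTTPS connector on 8443 and adds a second connector on 8444 whose SSLHostConfig requires a client certificate. Keystore paths, passwords and the truststore name are placeholders.

```xml
<!-- Added example, not part of the original e-mail.
     Ordinary HTTPS connector: no client certificate is requested here. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig certificateVerification="none">
        <!-- Placeholder server keystore; replace path and password. -->
        <Certificate certificateKeystoreFile="conf/server-keystore.p12"
                     certificateKeystorePassword="CHANGEME"
                     certificateKeystoreType="PKCS12"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

<!-- Smart-card connector: the handshake fails with BAD_CERTIFICATE unless the
     browser presents a certificate that chains to a CA in the truststore. -->
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig certificateVerification="required"
                   certificateVerificationDepth="3"
                   truststoreFile="conf/client-ca-truststore.p12"
                   truststorePassword="CHANGEME"
                   truststoreType="PKCS12">
        <Certificate certificateKeystoreFile="conf/server-keystore.p12"
                     certificateKeystorePassword="CHANGEME"
                     certificateKeystoreType="PKCS12"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```

Two points worth checking against the debug output quoted above. First, the truststore on the 8444 connector should hold the issuing CA chain of the smart-card certificates, not the leaf test certificates: during the handshake the server sends the browser the list of acceptable issuer names taken from that truststore, and the browser only offers (and only shows the selection popup for) certificates whose chain matches one of those issuers, so a truststore without the right CA produces exactly the "Empty client certificate chain" alert seen here. Second, `certificateVerification="optional"` lets the handshake complete when no certificate is offered, so the application can decide per user whether a certificate is mandatory; with `required`, the connection is refused at the TLS layer before any servlet code runs.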
