Gavioto,

On 6/25/24 13:51, Gavioto 🕵 wrote:
Finally, I got a configuration that works with Certificate Storage. It is very specific, and I couldn't find any other to date. It works, but in our environment there is still a required manual step. I think it should be configured in Windows and is common for all programs requesting the private key, not special to Tomcat. A Windows Security dialog is shown asking to allow access, similar to UAC but for certificates.

Your image was stripped from your mailing-list post. Can you please *describe* this manual step? Without the image, I fear your post has no usable content.

The server.xml configuration used is

<Connector port="8443" scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreType="Windows-MY-LOCALMACHINE"
                     certificateKeystoreFile=""
                     certificateKeyAlias="tomcat"/>
    </SSLHostConfig>
</Connector>

This is the same as before, yes?

I continue my research trying to use different ciphers and properties, because I won't be able to use the standard without the . It is clear to me that different internal libraries are used in Tomcat, so when I use only the it doesn't work and it won't find the key in the storage.

Do you need to specify the Provider to use? Your sample code was manually loading a specific JSSE Provider.

*For the purpose of the initial question, I consider this solution valid, as Tomcat is able to work with the Windows Local Machine Certificate Storage.*
Solution versions:

  * JDK 11.0.20+ or a JDK version with the fixed bug
    https://bugs.openjdk.org/browse/JDK-8286790
  * Tested with Tomcat 9.0.63
  * Tested in Windows 2019


*Thank you for your support. Hope this information is useful to create a Use Case in the wiki.*

Some doubts are still in the air, but it is essentially possible for Tomcat to work with this.

Two questions that remain for the future:

  * How to disable or bypass the Windows Security dialog? Is it possible
    to disable it for specific users/services?

Does it show every time, or only once and after that it works without a dialog?

  * Why, if I use keyStoreType="windows-my-localmachine" directly in
    <connector>, doesn't it find the certificate?

Do you mean certificateKeystoreType? Spelling matters.

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Special%20Features_SSL%20Support%20-%20Certificate_certificateKeystoreType

There is a note about key store types:

"
Key store types

In addition to the standard key store types (JKS and PKCS12), most Java runtimes support additional key store types such as Windows-ROOT, Windows-My, DKS as well as hardware security modules. Generally, to use these additional keystore types with a TLS Connector in Tomcat:

* Set the certificateKeystoreType and/or truststoreType Connector attribute (as appropriate) to the necessary type

* If a configuration file is required, set the certificateKeystoreFile and/or truststoreFile Connector attribute (as appropriate) to point to the file

* If no configuration file is required then you will almost certainly need to explicitly set the certificateKeystoreFile and/or truststoreFile Connector attribute (as appropriate) to the empty string ("")

* If a password is required, set the certificateKeystorePassword and/or truststorePassword Connector attribute (as appropriate) to the required password

* If no password is required then you will almost certainly need to explicitly set the certificateKeystorePassword and/or truststorePassword Connector attribute (as appropriate) to the empty string ("")
"

Note this last item. I'm not sure if it is required in your particular case.

-chris
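A diagnostic in the spirit of the test program quoted further down, added here as an example and not code from this thread or from Tomcat: listing aliases alone does not prove a TLS connector will work, because Tomcat must also open the private key behind certificateKeyAlias, and that is exactly what the Windows Security dialog and the key ACL gate. The program reports which registered provider serves the keystore type and whether the calling account can read the private key of the wanted alias. It assumes a Windows JDK 11.0.20 or later with the jdk.crypto.mscapi module present (the SunMSCAPI provider is then registered by default, so the standard KeyStore API is enough and no import of sun.security.mscapi is needed); the class name, the default keystore type and the default alias "tomcat" are assumptions taken from this thread.

```java
// WindowsKeyStoreCheck.java - added example, not part of the mailing-list thread.
// Checks whether the account running it can (1) see a Windows certificate-store
// alias and (2) open its private key, which is what a Tomcat TLS connector needs.
// Assumes a Windows JDK 11.0.20+ with the jdk.crypto.mscapi module (SunMSCAPI).
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class WindowsKeyStoreCheck {

    /** Prints every registered provider that offers the requested KeyStore type. */
    static void listProvidersFor(String keyStoreType) {
        boolean found = false;
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyStore", keyStoreType) != null) {
                System.out.println("KeyStore type " + keyStoreType + " is served by provider " + p.getName());
                found = true;
            }
        }
        if (!found) {
            System.out.println("No registered provider supports KeyStore type " + keyStoreType
                    + " (check the JDK version and that jdk.crypto.mscapi is present)");
        }
    }

    /**
     * Loads the store and reports, for each alias, whether its private key is readable
     * by the current account. Returns true only if wantedAlias exists and its private
     * key can be obtained, i.e. the condition a Tomcat connector needs to satisfy.
     */
    static boolean checkAlias(String keyStoreType, String wantedAlias) throws Exception {
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        // Windows stores take no file and no password; Tomcat likewise needs
        // certificateKeystoreFile="" and certificateKeystorePassword="".
        ks.load(null, null);

        boolean keyUsable = false;
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String subject = cert == null ? "(no certificate)" : cert.getSubjectX500Principal().getName();
            String keyState;
            try {
                Key key = ks.getKey(alias, null);
                if (key instanceof PrivateKey) {
                    keyState = "private key readable (" + key.getAlgorithm() + ")";
                    if (alias.equals(wantedAlias)) {
                        keyUsable = true;
                    }
                } else {
                    keyState = "no private key";
                }
            } catch (Exception e) {
                // Typical outcome when the key's ACL does not grant this account read access
                keyState = "private key NOT readable: " + e.getMessage();
            }
            System.out.printf("%s%s  subject=%s  %s%n",
                    alias.equals(wantedAlias) ? "* " : "  ", alias, subject, keyState);
        }
        return keyUsable;
    }

    public static void main(String[] args) throws Exception {
        String type = args.length > 0 ? args[0] : "Windows-MY-LOCALMACHINE";
        String alias = args.length > 1 ? args[1] : "tomcat";
        listProvidersFor(type);
        boolean ok = checkAlias(type, alias);
        System.out.println(ok
                ? "OK: a Tomcat connector running as this account could use alias '" + alias + "'"
                : "FAIL: alias '" + alias + "' not found, or its private key is not accessible to this account");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it under the same account the Tomcat service uses, since both the key ACL and the Windows Security prompt depend on the calling account: `java WindowsKeyStoreCheck.java Windows-MY-LOCALMACHINE tomcat`. A non-zero exit means the certificate may be listed but the key is not usable, which is the case where the connector binds port 8443 yet never completes a handshake.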

------------------------------------------------------------------------
*From:* Gavioto 🕵 <gaviot...@hotmail.com>
*Sent:* Tuesday, 25 June 2024 15:27
*To:* users@tomcat.apache.org <users@tomcat.apache.org>
*Subject:* RE: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS
- how are you starting Tomcat?
      Tomcat is starting as a service with "Domain\account1$" (Managed Service Account)

- is Tomcat installed as a Windows service?
      Yes

- which account is Tomcat running under?
      "Domain\account1$" (Managed Service Account). It is not a normal domain account used for the service. See "Secure group managed service accounts - Microsoft Entra | Microsoft Learn" <https://learn.microsoft.com/en-us/entra/architecture/service-accounts-group-managed#assess-gmsa-security-posture>

Regarding the meaning of "user", I'm referring to the user who is running the Tomcat Service. In this case, the Managed Service Account.

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Tuesday, 25 June 2024 12:51
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS

A few questions:

- how are you starting Tomcat?

- is Tomcat installed as a Windows service?

- which account is Tomcat running under?

There are a few references to "user" in your question. It is not clear
if this is:
- the user administering a Tomcat service
- a user that is starting Tomcat from the command line
- the user that the Tomcat service is running as
- something else

Mark


On 25/06/2024 11:30, Alberto Corral wrote:
> Hello!
>
> After some research, docs, and tests, I didn't find an answer to my issue.
>
> I'm writing to the list because I have to configure a probably not very common Tomcat configuration and didn't find the correct configuration or whether it is possible to do it.
> Also I didn't find previous information or examples on the internet and the wiki.
>
> There is a similar question on Server Fault https://serverfault.com/questions/1161457/can-i-use-certificates-in-the-local-machine-from-a-managed-service-account, but not solved yet.
>
> The configuration has also been involved with a recent JDK bug-fix (but 10 years old), but this part is fixed using the latest available JDK versions.
> So I think it would be valuable to document a Use Case based on real experience that can be both tested in future versions and useful for future users, available in the wiki or official docs :-)
>
> Maybe what I'm trying to do is not really possible, but I need to know if this is a Tomcat limitation or a Windows one.
>
> My actual configuration
>
> Server version name:   Apache Tomcat/9.0.65
> Server version number: 9.0.65.0
> Server built:          Jul 14 2022 12:28:53 UTC
> Architecture:          amd64
> OS Version:            10.0
> OS Name:               Windows Server 2019
> JVM Vendor:            Eclipse Adoptium
> JVM Version:           11.0.23+9
> Java Home:             C:\OpenJDK11U-jdk_x64_windows_hotspot_11.0.23_9\jdk-11.0.23+9
>
> Actual secure configuration used:
 >
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            server="Unknown"
>            maxThreads="150" scheme="https" secure="true"
>            enableLookups="true"
>            KeystoreType="Windows-MY-LOCALMACHINE"
>            clientAuth="false" sslProtocol="TLS"
>            KeystoreFile=""
>            KeyAlias="tomcat" />
 >
 >
> Configuration:
> - The certificate is in the LOCALMACHINE Windows Storage and allows read access to the user "account1$", which is an AD Managed Service Account.
> -
>
> Facts:
> - If the user has read access but not local admin, then the previous stack trace is generated.
> - If I give local Admin rights to the service account, it seems it can access the Certificate Storage; otherwise, the previous Stack Trace is generated.
> - Unless I gave local Admin rights, Apache opens port 8443, but doesn't respond to requests on 8443 when testing and no error appears in the logs.
>
> The question is "How to configure Tomcat with a Managed Service Account when using LocalMachine certificates for TLS"
>
> Notes:
> - JDK 11.0.20+ is required due to a well-known bug that has been backported from JDK 21: [JDK-6782021] It is not possible to read local computer certificates with the SunMSCAPI provider - Java Bug System (https://bugs.openjdk.org/browse/JDK-6782021) and [JDK-8303520] It is not possible to read local computer certificates with the SunMSCAPI provider - Java Bug System (https://bugs.openjdk.org/browse/JDK-8303520)
 >
> The following program can help to check different configurations, and it works when the certificate has read permission for the user who is running it.
>
> // JDK8313367test.java - Simple test case to demonstrate OpenJDK defect JDK-8313367
> // References:
> // * https://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8313367
> // * https://stackoverflow.com/questions/75255985/java-keystore-type-windows-my-root-localmachine-requires-administrator-permissio
>
> /*
> Here is the command line to run the test using JDK 11.0.20+, 17.0.20+ or 20.0.2+
> java --add-modules=jdk.crypto.mscapi --add-exports=jdk.crypto.mscapi/sun.security.mscapi=ALL-UNNAMED JDK8313367test.java
> */
>
> import java.security.KeyStore;
> import java.security.Security;
> import java.util.Enumeration;
> import sun.security.mscapi.SunMSCAPI;
>
> public class JDK8313367test {
>     public static void main(String[] args) {
>         try {
>             Security.addProvider(new SunMSCAPI());
>             KeyStore keyStore = KeyStore.getInstance("Windows-My-LOCALMACHINE");
>             // When running as non-elevated, the SunMSCAPI provider, enhanced with JDK-6782021, incorrectly
>             // triggers system error 5 "Access is denied" when attempting to load the keystore when invoking the following method:
>             keyStore.load(null, null);
>             Enumeration<String> aliases = keyStore.aliases();
>             // Print Friendly Names, a.k.a. aliases, of each certificate in the keystore
>             while (aliases.hasMoreElements()) {
>                 System.out.println(aliases.nextElement());
>             }
>         } catch (Exception e) {
>             throw new RuntimeException(e);
>         }
>     }
> }
 >
> Pending tests:
> - What I haven't tested, but it is an idea to test, is to launch this code from Tomcat and validate if it works (it isn't possible to run a CLI program using a Managed Service Account, as far as I know). In case this test succeeds, it would mean the program flow on the Tomcat side is doing something different with ACLs or something.
>
> Thank you in advance for your support.
> Please send me back any question or clarification about the Use Case I could have missed.
> /Gavioto
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
