Thank you for your reply. This system and configuration I inherited and was told it works and it should have been working in earlier Tomcat versions like 8. We have hundreds of installations so having a Dynamic client auth is paramount.
I have tried several versions of Tomcat 9.079 to 9.089 and nothing seems to work, unless I put the intermediates in the certificates file, then it works. What I'm trying to do is have the intermediates for client authorization use the path to get the intermediates. This way we just send a single certificate out to the remote and they drop it in the caCertificatePath and it should work. I have also tried the caCertificateFile as the intermediate for client auth and it does not seem to work. In your configuration does the caCertificateFile file hold the intermediates for client auth? I assume that the Certificate section is only for SSL and not client auth?

On Fri, Jan 10, 2025 at 5:33 PM <l...@kreuser.name> wrote:

> Timothy
>
> > On 09.01.2025 at 17:15, Timothy Resh <mresh1...@gmail.com> wrote:
> >
> > The following is a configuration that we have used to set up the Client
> > Authorization to work in Tomcat. We use introspection
> > the IntrospectionUtils.PropertySource to decipher the password and set the
> > following environment variables
> >
> > System.setProperty("javax.net.ssl.keyStore", keyStorePath);
> > System.setProperty("javax.net.ssl.keyStorePassword", clearText);
> > System.setProperty("javax.net.ssl.trustStore", trustStorePath);
> > System.setProperty("javax.net.ssl.trustStorePassword", clearText);
> >
> > and then we use this connector configuration.
> >
> > <Connector URIEncoding="UTF-8"
> > port="8443"
> > address="10.2.110.235"
> > maxThreads="300"
> > maxConnections="300"
> > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > scheme="https" secure="true" SSLEnabled="true"
> > SSLProtocol="TLSv1.2"
> > SSLCipherSuite="-ALL ..... this has all the ciphers"
> >
> > SSLPassword="${KSENC(6qXemkaMkIOCflnMN4pErQ==; C:\Certificate\Keystore\Tomcat xxx Vessel.p12)}"
> > SSLCertificateChainFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxx.com.cer"
> > SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxx.com.cer"
> > SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3.xxx.com.key"
> > SSLVerifyClient="optional"
> >
> > SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> > SSLCACertificatePath="C:\Certificates\CA\"
> > />
> >
> I'm not sure that all these parameters are available.
> Which version of Tomcat do you use?
>
> I have switched to the new config with SSLHostConfig long time ago.
> I also use client auth and this works:
>
> <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
> hostName="tomcat.xxxx.xxx"
> protocols="+TLSv1.2,+TLSv1.3"
> certificateVerification="required"
> caCertificateFile="${catalina.base}/conf/ssl/chain.xxx.crt.pem"
> disableCompression="true"
> disableSessionTickets="true"
> ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
> certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
> <Certificate
> certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
> certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
> certificateChainFile="${catalina.base}/conf/ssl/int.xxx.crt.pem"
> type="RSA" />
> </SSLHostConfig>
>
> I guess the most significant config is caCertificateFile that contains the
> complete chain (Intermediates before ROOT). I do use pem certificate files
> but in another connector I also use jks/p12 - yet without client auth.
>
> HTH
>
> Peter
>
> > The last two settings SSLCACertificateFile and SSLCACertificatePath appear
> > to not work. We have a Certificate "DODxxx" intermediate in the
> > SSLCACertificatePath directory and it does not present itself to the client.
> > We have also tried putting it in the SSLCACertificateFile and that does not
> > work either.
> > The only way to get it to work is to put it in the TrustStore/Keystore.
> >
> > Did this type of configuration work on Tomcat? What changes do you suggest
> > to get this to work with at least an external "intermediate.ca" file with
> > all the "DODxxx" intermediates concatenated in the file.
> >
> > Regards
> >
> > Timothy Resh
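Peter's working configuration hinges on caCertificateFile holding the complete client-auth chain with the intermediates listed before the root, and the original question is about building exactly such a concatenated "intermediate.ca" file. The script below is an added example (not code from this thread, Tomcat, or either poster) that reads a PEM bundle with only the Python standard library and reports whether each certificate is directly followed by its issuer and whether the last one is a self-signed root. The sample certificates it builds are constructed stand-ins with the real TBSCertificate field layout but placeholder signatures, so the script runs offline; the file name `chain.pem` in the usage note is an assumption.

```python
import base64
import re
import sys

# Matches each certificate block in a PEM bundle such as Tomcat's caCertificateFile.
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def parse_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_BLOCK.findall(text)]


def _tlv(buf, off):
    """Read one DER tag-length-value at buf[off]; return (tag, value, next offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _children(content):
    """Split the content of a constructed DER value into its (tag, value) children."""
    out, off = [], 0
    while off < len(content):
        tag, val, off = _tlv(content, off)
        out.append((tag, val))
    return out


def cert_names(der):
    """Return (subject, issuer) as raw DER Name content from one X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                         # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])         # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber(0), signature(1), issuer(2), validity(3), subject(4), ...
    return fields[4][1], fields[2][1]


def name_to_str(name_content):
    """Flatten a DER Name to its printable attribute values (e.g. the CN)."""
    parts = []
    for _, rdn in _children(name_content):            # SET OF AttributeTypeAndValue
        for _, ava in _children(rdn):                 # SEQUENCE { type OID, value }
            (_, _oid), (vtag, val) = _children(ava)
            if vtag in (0x0C, 0x13, 0x16):            # UTF8String, PrintableString, IA5String
                parts.append(val.decode("utf-8", "replace"))
    return ", ".join(parts) or "<no printable names>"


def check_bundle_order(pem_text):
    """Check that a bundle lists each CA directly before its issuer, root last.
    Returns a list of problem strings; an empty list means the order is good."""
    certs = [cert_names(d) for d in parse_pem_bundle(pem_text)]
    if not certs:
        return ["bundle contains no CERTIFICATE blocks"]
    problems = []
    for i in range(len(certs) - 1):
        subj, iss = certs[i]
        next_subj = certs[i + 1][0]
        if iss != next_subj:                          # byte-exact Name comparison
            problems.append(f"cert {i} ({name_to_str(subj)}) is issued by "
                            f"{name_to_str(iss)}, but cert {i + 1} is {name_to_str(next_subj)}")
    last_subj, last_iss = certs[-1]
    if last_subj != last_iss:
        problems.append(f"last cert ({name_to_str(last_subj)}) is not self-signed: root is missing")
    return problems


# --- constructed sample input: NOT real certificates, signatures are placeholders ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    ava = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))  # CN=cn
    return _der(0x30, _der(0x31, ava))


def fake_cert_pem(subject_cn, issuer_cn):
    """Stand-in with the real TBSCertificate field layout, so the parser above works on it."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
               + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


ROOT_PEM = fake_cert_pem("Example Root CA", "Example Root CA")
INTERMEDIATE_PEM = fake_cert_pem("Example Intermediate CA", "Example Root CA")
GOOD_BUNDLE = INTERMEDIATE_PEM + ROOT_PEM   # intermediate before root, as Peter describes
BAD_BUNDLE = ROOT_PEM + INTERMEDIATE_PEM    # reversed: root first

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_BUNDLE
    for p in check_bundle_order(text) or ["bundle order OK"]:
        print(p)
```

Run it as `python check_bundle.py chain.pem` against the file you intend to point caCertificateFile at; with no argument it checks the constructed good bundle. The issuer/subject match is a byte-exact comparison of the encoded Name, which is how chain building normally links certificates, so a bundle that passes here has the ordering Peter relies on, while a reversed or root-less bundle is reported before Tomcat is restarted.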