Thanks for confirming my assumption. You are correct, I am finding that the configuration has to be perfect. I am having a lot of trouble getting it correct. At the moment, I am testing some code changes that I have made in my servlet, and I want to see the client certificate details come through.
I have 2 instances of tomcat running. I have one instance to emulate the client, and the other is the server.

Client: This is on my PC. As this is the client, it is not receiving connections using SSL, so I have not configured SSL in server.xml. I have a keystore on the PC, and extracted a certificate using:

    keytool -export ...

My client version of tomcat has a servlet that sends data to my server using the following mechanism:

    import java.io.BufferedReader;
    import java.io.StringReader;
    import java.net.URL;
    import java.util.Vector;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;
    import javax.xml.parsers.DocumentBuilder;
    import org.apache.soap.Body;
    import org.apache.soap.Envelope;
    import org.apache.soap.messaging.Message;
    import org.apache.soap.transport.SOAPTransport;
    import org.w3c.dom.Document;
    import org.xml.sax.InputSource;
    import org.xml.sax.SAXException;

    // Fragment from the sending servlet; trustStore, trustStorePassword, keyStore,
    // keyStorePassword, logger, EndPoint, msgString, soapAction and XMLParserUtils
    // are fields or locals of the enclosing class.
    try {
        // The truststore only decides which *server* certificates this client accepts.
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        // Added: to present its own certificate in the TLS handshake the client also
        // needs a keystore holding its certificate and private key; without these two
        // properties JSSE has nothing to send when the server requests a client cert.
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
        HostnameVerifier hostnameVerifier = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                // Returning true accepts any hostname, i.e. hostname checking is
                // switched off. Acceptable for this test setup only.
                logger.error("WARNING: Hostname is not matched for certificate.");
                return true;
            }
        };
        HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
    } catch (Exception e) {
        e.printStackTrace();
    }
    URL destUrl = new URL(EndPoint);
    try {
        DocumentBuilder builder = XMLParserUtils.getXMLDocBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(msgString.trim())));
        Envelope msgEnvelope = new Envelope();
        Vector vect = new Vector();
        vect.add(doc.getDocumentElement());
        Body tmpBody = new Body();
        tmpBody.setBodyEntries(vect);
        msgEnvelope.setBody(tmpBody);
        Message tmpMsg = new Message();
        try {
            // Apache SOAP opens the HTTPS connection here, using the JSSE system
            // properties set above.
            tmpMsg.send(destUrl, soapAction, msgEnvelope);
            SOAPTransport transport = tmpMsg.getSOAPTransport();
            BufferedReader resReader = transport.receive();
            StringBuffer retMsg = new StringBuffer();
            String retLine = "";
            while ((retLine = resReader.readLine()) != null) {
                retMsg.append(retLine);
            }
        } catch (org.apache.soap.SOAPException soape) {
            soape.printStackTrace();
        }
    } catch (SAXException se) {
        se.printStackTrace();
    }

Server: I imported the PC certificate into the keystore on the server. The server tomcat instance has SSL configured in the server.xml file.
My web.xml for my application on the server has the following for client authentication:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>My Test Realm</web-resource-name>
            <url-pattern>/myURL</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- With CLIENT-CERT, Tomcat uses the subject DN of the presented
                 certificate as the username it looks up in the configured Realm;
                 that user must have this role or the request gets 403. -->
            <role-name>myrole</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>myrole</role-name>
    </security-role>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>My Test Realm</realm-name>
    </login-config>

This should allow me to extract the client certificate information. I am not aware of any set up that I am missing. Is there anything that you can see that I am not doing that I need to do?

Regards,
Andrew Friebel

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Saturday, 11 November 2006 5:05 AM
To: Tomcat Users List
Subject: Re: Accessing ssl pages using client authentication

Andrew Friebel wrote:
> I think I have an issue with how my client is sending the certificate.
> I thought tomcat handled this automatically. Is my assumption correct?

Your assumption is correct. With SSL, as I am sure you are finding, every bit of the configuration has to be perfect or it just doesn't work.

My best guess is that the issuer of your client certificate is not trusted by the SSL provider Tomcat is using.

Mark
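Added example, not code from either poster: a minimal server-side servlet that shows whether the client certificate actually arrived, and what Tomcat made of it. The Servlet specification exposes the negotiated client chain as the request attribute javax.servlet.request.X509Certificate; when that attribute is null the handshake never carried a client certificate, which is the symptom described in the thread. The class name ClientCertDumpServlet and the helper describeClientCertificate are assumed names.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Debug servlet (added example): reports the client certificate chain Tomcat
 * negotiated for this request, or explains why there is none.
 */
public class ClientCertDumpServlet extends HttpServlet {

    // Attribute name defined by the Servlet specification; Tomcat populates it
    // only when the SSL connector negotiated a client certificate.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println(describeClientCertificate(req));
        out.flush();
    }

    /** Builds a human-readable report; kept separate from doGet so it is testable. */
    static String describeClientCertificate(HttpServletRequest req) {
        StringBuilder sb = new StringBuilder();
        if (!req.isSecure()) {
            // Plain HTTP connector: there is no TLS session, so no certificate at all.
            return "Request did not arrive over SSL; no client certificate is possible.";
        }
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            return "SSL request, but no client certificate was presented. Check that the "
                 + "connector has clientAuth=\"true\", that the client actually offers a "
                 + "certificate (keystore configured on the client), and that its issuer "
                 + "is in the server truststore.";
        }
        // chain[0] is the client's own certificate; later entries are the issuing CAs.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            sb.append("[").append(i).append("] subject=")
              .append(c.getSubjectX500Principal().getName()).append('\n');
            sb.append("    issuer=").append(c.getIssuerX500Principal().getName()).append('\n');
            sb.append("    serial=0x").append(c.getSerialNumber().toString(16)).append('\n');
            sb.append("    valid=").append(c.getNotBefore())
              .append(" .. ").append(c.getNotAfter()).append('\n');
        }
        // With <auth-method>CLIENT-CERT</auth-method> Tomcat looks the subject DN up
        // in the Realm; if that succeeded the principal is set and the role check ran.
        if (req.getUserPrincipal() != null) {
            sb.append("authenticated as: ").append(req.getUserPrincipal().getName()).append('\n');
            sb.append("in role myrole: ").append(req.isUserInRole("myrole")).append('\n');
        } else {
            sb.append("certificate received but no principal set: the Realm has no user "
                    + "whose name equals the subject DN above.\n");
        }
        return sb.toString();
    }
}
```

Map the servlet to the protected /myURL path and call it from the client. On the server side the JSSE connector in server.xml must request the certificate (clientAuth="true") and be pointed at a truststore containing the client's certificate or its issuer (truststoreFile / truststorePass, alongside the usual keystoreFile / keystorePass for the server's own certificate); with clientAuth left at its default of false Tomcat never asks for a client certificate and the attribute stays null no matter how the client is configured.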