[EMAIL PROTECTED] wrote:
Hi everyone,
I work for a municipality we need to implement a service that can log
users(from a browser) by electronic identity card.
I've installed a card reader, and created https connector for tomcat 5.5 that
way:
<Connector port="7443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="99" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="mypath/tomcat.jks"
keystorePass="*****" keystoreType="JKS"
truststoreFile="mypath/tomcat.jks"
truststorePass="*****" truststoreType="JKS" />
For server authentication, I've created a self-signed certificate using java
tool keytool:
keytool -genkey -v -alias tomcat -keyalg RSA -validity 3650 -keystore
mypath\tomcat.jks
because i don't need to obtain a trusted certificate from a certification
authority.
The problem is for the client.
When I insert a smartcard, the card reader software installs a card certificate in
Internet Explorer and in Firefox. This certificate is at the "bottom" of a
chain of 3 certificates, so I downloaded via web the chain of certificates, then
installed the chain in both browsers, then added the root CA certificate to the
repository truststore of the server:
keytool -import -v -file pathToCer\root.cer -keystore mypath\tomcat.jks
-trustcacerts
this, as instructions found in Internet, should be enough for tomcat to
recognize the client certificate.
But when trying to access https://myservername:7443
i get "Error estabilishing an ecrypted connection Error code: -12222" whit Firefox,
Explorer instead prompts me asking for pin of the card(this is necessary i think to use private key
in the card) then "Cannot display page"(or something similar, i've installed browser in a
non-english language)
I tested the server trying to replace browser certificate with another
self-signed certificate, then importing it in the truststore and it works well.
So i think it's a problem of how client certificate is stored in the truststore
file.
I also tried to import all certificates in the truststore(the client card
certificate, the intermediate cert., the root cert.) but it doesn't work.
Can anybody help me?I'm sure i did something wrong importing certificates but i
can't understand what.
thanks!
Castalia
------------------------------------------------------
Passa a Infostrada. ADSL e Telefono senza limiti e senza canone Telecom
http://click.libero.it/infostrada29ge07
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Hej, i had same problem las week, seems when you install tomcat apr is
also intalles so the configuracion for ssl is different.
Try with:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEngine="on"
SSLCertificateFile="c:/server.crt"
SSLCertificateKeyFile="c:/server.key"
SSLPassword="*****"/> *** are your actual pasword...
works for me, have luck!
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
