Hello,

I am trying to implement mutual authentication in Tomcat 5.5.20 for many days now and it's giving me a real headache. I hope somebody is able to shed some light on this. Here is a digest version of what I did so far, would somebody please comment on the correctness (?) of my steps or provide me with an alternative way? The steps I have made are outlined at http://www.vorburger.ch/blog1/2006/08/setting-up-two-way-mutual-ssl-with.html.

1) Creation of the server cert:

$JAVA_HOME/bin/keytool -genkey -v -alias tomcat -keyalg RSA -validity 3650 -keystore /tmp/tomcat.keystore -dname "CN=192.168.1.34, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY" -storepass hello123 -keypass hello123

2) Activation of SSL connector in server.xml:

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           keystoreFile="/tmp/tomcat.keystore" keystorePass="hello123"
           trustStoreFile="/tmp/tomcat.keystore" trustStorePass="hello123"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

3) Restarted Tomcat, short connectivity test, SSL works fine.

4) Creation of client certificate:

$JAVA_HOME/bin/keytool -genkey -v -alias wschalkKey -keyalg RSA -storetype PKCS12 -keystore /tmp/wschalk.p12 -dname "CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE" -storepass hello123 -keypass hello123

5) Import of .p12 file and (later .cert file for FF) in both IE 6 and FF, no problem

6) Export of the client certificate from the client keystore and import into the main Tomcat keystore

$JAVA_HOME/bin/keytool -export -alias wschalkKey -keystore /tmp/wschalk.p12 -storetype PKCS12 -storepass hello123 -rfc -file /tmp/wschalk.cert

$JAVA_HOME/bin/keytool -import -v -file /tmp/wschalk.cert -keystore /tmp/tomcat.keystore -storepass hello123

Owner: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
Issuer: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
Serial number: 471dfc4b
Valid from: Tue Oct 23 13:51:07 GMT 2007 until: Mon Jan 21 13:51:07 GMT 2008
Certificate fingerprints:
        MD5:  4D:E0:13:E7:FC:D9:09:C7:A7:DD:04:47:32:58:6A:CD
        SHA1: F3:1F:FF:7E:13:A8:A8:6B:EB:1A:72:14:8D:8C:B6:C4:EC:62:51:E9
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing /tmp/tomcat.keystore]

7) Listing of the content of the keystore:

tomcat:~# $JAVA_HOME/bin/keytool -v -list -keystore /tmp/tomcat.keystore
Enter keystore password:  hello123

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: 18-Oct-2007
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=192.168.1.34, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY
Issuer: CN=192.168.1.34, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY
Serial number: 4716aedd
Valid from: Thu Oct 18 00:54:53 GMT 2007 until: Sun Oct 15 00:54:53 GMT 2017
Certificate fingerprints:
        MD5:  1C:65:FE:49:B2:40:66:96:47:13:46:42:10:83:2A:DE
        SHA1: 6E:4A:E8:5F:25:C9:EE:6E:8B:22:50:AE:17:46:66:DE:39:29:29:CD


*******************************************
*******************************************


Alias name: mykey
Creation date: 18-Oct-2007
Entry type: trustedCertEntry

Owner: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
Issuer: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
Serial number: 471dfc4b
Valid from: Tue Oct 23 13:51:07 GMT 2007 until: Mon Jan 21 13:51:07 GMT 2008
Certificate fingerprints:
        MD5:  4D:E0:13:E7:FC:D9:09:C7:A7:DD:04:47:32:58:6A:CD
        SHA1: F3:1F:FF:7E:13:A8:A8:6B:EB:1A:72:14:8D:8C:B6:C4:EC:62:51:E9


*******************************************
*******************************************

8) Activation of mutual authentication in server.xml

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           keystoreFile="/tmp/tomcat.keystore" keystorePass="hello123"
           trustStoreFile="/tmp/tomcat.keystore" trustStorePass="hello123"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS" />

9) Finally, start of Tomcat (no error messages):

# /usr/local/tomcat/bin/startup.sh && tail -f /usr/local/tomcat/logs/catalina.out
Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME:       /usr/local/jdk1.5.0_13
18-Oct-2007 01:16:08 org.apache.coyote.http11.Http11BaseProtocol pause
INFO: Pausing Coyote HTTP/1.1 on http-8443
18-Oct-2007 01:16:09 org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
18-Oct-2007 01:16:09 org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8080
18-Oct-2007 01:16:09 org.apache.coyote.http11.Http11BaseProtocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-8443
18-Oct-2007 01:16:09 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Failed shutdown of Apache Portable Runtime
18-Oct-2007 01:16:16 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/local/jdk1.5.0_13/jre/lib/i386/client:/usr/local/jdk1.5.0_13/jre/lib/i386:/usr/local/jdk1.5.0_13/jre/../lib/i386
18-Oct-2007 01:16:17 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
18-Oct-2007 01:16:17 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
18-Oct-2007 01:16:17 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2521 ms
18-Oct-2007 01:16:18 org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
18-Oct-2007 01:16:18 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.20
18-Oct-2007 01:16:18 org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
18-Oct-2007 01:16:20 org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
18-Oct-2007 01:16:20 org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
18-Oct-2007 01:16:20 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
18-Oct-2007 01:16:20 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/76  config=null
18-Oct-2007 01:16:20 org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
18-Oct-2007 01:16:21 org.apache.catalina.startup.Catalina start
INFO: Server startup in 3059 ms

10) Access with web browser: In IE 6, the list of client certificates to send to the server is blank when accessing the site (see the last comment on the website mentioned above, the same problem). In FF the following error message occurs: "FF: Could not establish an encrypted connection because your certificate was rejected by localhost. Error code: -12271."

Any ideas how to solve this mutual authentication problem would be highly appreciated!

Bye and thanks a lot,
Werner.
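Editor's note, added to this archived thread and not part of Werner's mail or of Tomcat itself: the Tomcat 5.5 SSL HOWTO documents the connector truststore attributes as `truststoreFile` and `truststorePass` (lower-case "s"), and connector attribute names are case-sensitive, so a mis-cased attribute is silently ignored rather than reported at startup. When `clientAuth="true"` is set without a truststore the connector sees, JSSE validates client certificates against the JRE default truststore, which does not contain a self-signed client certificate, and the handshake ends in a bad-certificate alert of the kind Firefox reports above. The small linter below (example code, not a Tomcat tool) parses a `<Connector>` element and flags mis-cased SSL attributes and a `clientAuth` connector without a visible `truststoreFile`. The sample connectors are constructed to mirror the shape of the configuration posted above, with the passwords replaced by a placeholder; the lint rules are the editor's own.

```python
"""Lint a Tomcat 5.5 <Connector> element for mutual-TLS misconfiguration.

Added example; not part of Tomcat. Attribute names follow the Tomcat 5.5
SSL HOWTO. The lint rules themselves are an editorial assumption about what
is worth checking, not a Tomcat feature.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# SSL attributes of the Tomcat 5.5 HTTP/1.1 connector. Names are
# case-sensitive: an attribute with different capitalisation is not an
# error for Tomcat, it is simply never read.
KNOWN_SSL_ATTRS = {
    "keystoreFile", "keystorePass", "keystoreType",
    "truststoreFile", "truststorePass", "truststoreType",
    "clientAuth", "sslProtocol", "algorithm", "ciphers",
}


def lint_connector(connector_xml: str) -> List[str]:
    """Return human-readable findings for a single <Connector .../> element."""
    attrs: Dict[str, str] = ET.fromstring(connector_xml).attrib
    findings: List[str] = []
    by_lower = {a.lower(): a for a in KNOWN_SSL_ATTRS}

    # 1. Mis-cased attribute names: Tomcat will not see them at all.
    for name in attrs:
        expected = by_lower.get(name.lower())
        if expected and expected != name:
            findings.append(
                f"attribute '{name}' is ignored by Tomcat; the documented name is '{expected}'"
            )

    # 2. Client-certificate auth without a truststore the connector can see:
    #    JSSE falls back to the JRE default truststore (jre/lib/security/cacerts
    #    or javax.net.ssl.trustStore). A self-signed client certificate is not
    #    in there, so the handshake fails with a bad_certificate alert even
    #    though the certificate was imported into the intended truststore file.
    client_auth = attrs.get("clientAuth", "false").lower()
    if client_auth in ("true", "want") and "truststoreFile" not in attrs:
        findings.append(
            'clientAuth="%s" but no truststoreFile: client certificates will be '
            "validated against the JRE default truststore" % client_auth
        )

    # 3. An HTTPS connector should also be marked secure so request.isSecure()
    #    and secure session cookies behave correctly.
    if attrs.get("scheme") == "https" and attrs.get("secure", "false").lower() != "true":
        findings.append('scheme="https" but secure is not "true"')

    return findings


# Constructed sample mirroring the connector posted in the thread, with the
# keystore password replaced by a placeholder.
POSTED_CONNECTOR = """<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    keystoreFile="/tmp/tomcat.keystore" keystorePass="CHANGEME"
    trustStoreFile="/tmp/tomcat.keystore" trustStorePass="CHANGEME"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS" />"""

# The same connector with the attribute names Tomcat 5.5 actually reads.
CORRECTED_CONNECTOR = (
    POSTED_CONNECTOR
    .replace("trustStoreFile", "truststoreFile")
    .replace("trustStorePass", "truststorePass")
)

if __name__ == "__main__":
    for label, xml in (("posted", POSTED_CONNECTOR), ("corrected", CORRECTED_CONNECTOR)):
        for finding in lint_connector(xml) or ["no findings"]:
            print(f"{label}: {finding}")
```

Run the file as-is to see the three findings for the posted shape (two ignored attributes plus the missing truststore) and none for the corrected one. The linter is deliberately narrow: it only reasons about attribute names and presence, so it cannot tell whether the file named in `truststoreFile` actually contains the client certificate; `keytool -list` on that file, as in step 7 above, remains the check for that.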

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org