By default, IE will store a self-signed cert as a CA cert, not as a user 
cert (which is why I don't like using self-signed certs for testing 
client-auth).  Probably the quickest way to see what is wrong is to 
set -Djavax.net.debug=all (at least if you have a Sun JVM) in your 
JAVA_OPTS, and try again.  You could also try using different files for the 
keystore and truststore.

"Werner Schalk" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Hello,
>
> I am trying to implement mutual authentication in Tomcat 5.5.20 for many 
> days now and it's giving me a real headache. I hope somebody is able to 
> shed some light on this. Here is a digest version of what I did so far, 
> would somebody please comment on the correctness (?) of my steps or 
> provide me with an alternative way? The steps I have made are outlined at 
> http://www.vorburger.ch/blog1/2006/08/setting-up-two-way-mutual-ssl-with.html.
>
> 1) Creation of the server cert:
>
> $JAVA_HOME/bin/keytool -genkey -v -alias tomcat -keyalg RSA -validity 
> 3650 -keystore /tmp/tomcat.keystore -dname "CN=192.168.1.34, OU=MYOU, 
> O=MYORG, L=MYCITY, ST=MYSTATE, C=MY" -storepass hello123 -keypass hello123
>
> 2) Activation of SSL connector in server.xml:
>
> <Connector port="8443" maxHttpHeaderSize="8192"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="false" disableUploadTimeout="true"
>               keystoreFile="/tmp/tomcat.keystore" keystorePass="hello123"
>               trustStoreFile="/tmp/tomcat.keystore" trustStorePass="hello123"
>               acceptCount="100" scheme="https" secure="true"
>               clientAuth="false" sslProtocol="TLS" />
>
> 3) Restarted Tomcat, short connectivity test, SSL works fine.
>
> 4) Creation of client certificate:
>
> $JAVA_HOME/bin/keytool -genkey -v -alias wschalkKey -keyalg RSA -storetype 
> PKCS12 -keystore /tmp/wschalk.p12 -dname "CN=Werner Schalk, OU=IT, 
> O=MyCompany, L=Munich, ST=Bavaria, C=DE" -storepass hello123 -keypass 
> hello123
>
> 5) Import of .p12 file and (later .cert file for FF) in both IE 6 and FF, 
> no problem
>
> 6) Export from client certificate from client keystore and import into 
> main tomcat keystore
>
> $JAVA_HOME/bin/keytool -export -alias wschalkKey -keystore 
> /tmp/wschalk.p12 -storetype PKCS12 -storepass hello123 -rfc -file 
> /tmp/wschalk.cert
>
> $JAVA_HOME/bin/keytool -import -v -file /tmp/wschalk.cert -keystore 
> /tmp/tomcat.keystore -storepass hello123
>
> Owner: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
> Issuer: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
> Serial number: 471dfc4b
> Valid from: Tue Oct 23 13:51:07 GMT 2007 until: Mon Jan 21 13:51:07 GMT 
> 2008
> Certificate fingerprints:
>         MD5:  4D:E0:13:E7:FC:D9:09:C7:A7:DD:04:47:32:58:6A:CD
>         SHA1: F3:1F:FF:7E:13:A8:A8:6B:EB:1A:72:14:8D:8C:B6:C4:EC:62:51:E9
> Trust this certificate? [no]:  yes
> Certificate was added to keystore
> [Storing /tmp/tomcat.keystore]
>
> 7) Listing of the content of the keystore:
>
> tomcat:~# $JAVA_HOME/bin/keytool -v -list -keystore /tmp/tomcat.keystore
> Enter keystore password:  hello123
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> Alias name: tomcat
> Creation date: 18-Oct-2007
> Entry type: keyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=192.168.1.34, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY
> Issuer: CN=192.168.1.34, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY
> Serial number: 4716aedd
> Valid from: Thu Oct 18 00:54:53 GMT 2007 until: Sun Oct 15 00:54:53 GMT 
> 2017
> Certificate fingerprints:
>         MD5:  1C:65:FE:49:B2:40:66:96:47:13:46:42:10:83:2A:DE
>         SHA1: 6E:4A:E8:5F:25:C9:EE:6E:8B:22:50:AE:17:46:66:DE:39:29:29:CD
>
>
> *******************************************
> *******************************************
>
>
> Alias name: mykey
> Creation date: 18-Oct-2007
> Entry type: trustedCertEntry
>
> Owner: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
> Issuer: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
> Serial number: 471dfc4b
> Valid from: Tue Oct 23 13:51:07 GMT 2007 until: Mon Jan 21 13:51:07 GMT 
> 2008
> Certificate fingerprints:
>         MD5:  4D:E0:13:E7:FC:D9:09:C7:A7:DD:04:47:32:58:6A:CD
>         SHA1: F3:1F:FF:7E:13:A8:A8:6B:EB:1A:72:14:8D:8C:B6:C4:EC:62:51:E9
>
>
> *******************************************
> *******************************************
>
> 8) Activation of mutual authentication in server.xml
>
> <Connector port="8443" maxHttpHeaderSize="8192"
>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>               enableLookups="false" disableUploadTimeout="true"
>               keystoreFile="/tmp/tomcat.keystore" keystorePass="hello123"
>               trustStoreFile="/tmp/tomcat.keystore" trustStorePass="hello123"
>               acceptCount="100" scheme="https" secure="true"
>               clientAuth="true" sslProtocol="TLS" />
>
> 9) Finally, start of Tomcat (no error messages):
>
> # /usr/local/tomcat/bin/startup.sh && tail -f 
> /usr/local/tomcat/logs/catalina.out
> Using CATALINA_BASE:   /usr/local/tomcat
> Using CATALINA_HOME:   /usr/local/tomcat
> Using CATALINA_TMPDIR: /usr/local/tomcat/temp
> Using JRE_HOME:       /usr/local/jdk1.5.0_13
> 18-Oct-2007 01:16:08 org.apache.coyote.http11.Http11BaseProtocol pause
> INFO: Pausing Coyote HTTP/1.1 on http-8443
> 18-Oct-2007 01:16:09 org.apache.catalina.core.StandardService stop
> INFO: Stopping service Catalina
> 18-Oct-2007 01:16:09 org.apache.coyote.http11.Http11BaseProtocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-8080
> 18-Oct-2007 01:16:09 org.apache.coyote.http11.Http11BaseProtocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-8443
> 18-Oct-2007 01:16:09 org.apache.catalina.core.AprLifecycleListener 
> lifecycleEvent
> INFO: Failed shutdown of Apache Portable Runtime
> 18-Oct-2007 01:16:16 org.apache.catalina.core.AprLifecycleListener 
> lifecycleEvent
> INFO: The Apache Tomcat Native library which allows optimal performance in 
> production environments was not found on the java.library.path: 
> /usr/local/jdk1.5.0_13/jre/lib/i386/client:/usr/local/jdk1.5.0_13/jre/lib/i386:/usr/local/jdk1.5.0_13/jre/../lib/i386
> 18-Oct-2007 01:16:17 org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> 18-Oct-2007 01:16:17 org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8443
> 18-Oct-2007 01:16:17 org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 2521 ms
> 18-Oct-2007 01:16:18 org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> 18-Oct-2007 01:16:18 org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/5.5.20
> 18-Oct-2007 01:16:18 org.apache.catalina.core.StandardHost start
> INFO: XML validation disabled
> 18-Oct-2007 01:16:20 org.apache.coyote.http11.Http11BaseProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8080
> 18-Oct-2007 01:16:20 org.apache.coyote.http11.Http11BaseProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8443
> 18-Oct-2007 01:16:20 org.apache.jk.common.ChannelSocket init
> INFO: JK: ajp13 listening on /0.0.0.0:8009
> 18-Oct-2007 01:16:20 org.apache.jk.server.JkMain start
> INFO: Jk running ID=0 time=0/76  config=null
> 18-Oct-2007 01:16:20 org.apache.catalina.storeconfig.StoreLoader load
> INFO: Find registry server-registry.xml at classpath resource
> 18-Oct-2007 01:16:21 org.apache.catalina.startup.Catalina start
> INFO: Server startup in 3059 ms
>
> 10) Access with web browser: In IE 6, the list of client certificates to 
> send to the server is blank when accessing the site (see last comment from 
> the website mentioned above, the same problem). In FF the following error 
> message occurs: "FF: Could not establish an encrypted connection because 
> your certificate was rejected by localhost. Error code : -12271.".
>
> Any ideas how to solve this mutual authentication problem would be highly 
> appreciated!
>
> Bye and thanks a lot,
> Werner.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
> 
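To make the mechanism behind step 10 concrete, here is an added example (my own code, not from the thread or from Tomcat) that parses the `keytool -v -list` output of step 7 and reports which subject names a connector pointing `trustStoreFile` at that file would advertise as acceptable CAs, together with the two issues visible in that listing. The sample listing is abbreviated from the post; the function names are assumptions.

```python
import re

# Constructed sample, abbreviated from the step 7 listing in the post above.
LISTING = """\
Alias name: tomcat
Entry type: keyEntry
Certificate[1]:
Owner: CN=192.168.1.34, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY
Issuer: CN=192.168.1.34, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY
*******************************************
Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
Issuer: CN=Werner Schalk, OU=IT, O=MyCompany, L=Munich, ST=Bavaria, C=DE
"""

FIELD = re.compile(r"^(Alias name|Entry type|Owner|Issuer): (.*)$")

def parse_listing(text):
    """One dict per entry; first Owner/Issuer after an alias is Certificate[1], the leaf."""
    entries, cur = [], None
    for line in text.splitlines():
        if not (m := FIELD.match(line.strip())):
            continue
        key, val = m.group(1).lower().replace(" ", "_"), m.group(2)
        if key == "alias_name":
            cur = {"alias": val}
            entries.append(cur)
        elif cur is not None and key not in cur:
            cur[key] = val
    return entries

def acceptable_cas(entries):
    """JSSE sends the subject DN of every trustedCertEntry in the TLS
    CertificateRequest; browsers offer only client certs issued by one of them."""
    return [e["owner"] for e in entries if e.get("entry_type") == "trustedCertEntry"]

def audit(entries):
    """Checks worth running before switching the connector to clientAuth="true"."""
    findings = []
    types = {e.get("entry_type") for e in entries}
    if {"keyEntry", "trustedCertEntry"} <= types:
        findings.append("server key and trust anchors share one file; "
                        "point trustStoreFile at a separate truststore")
    for e in entries:
        if e.get("entry_type") == "trustedCertEntry" and e["owner"] == e["issuer"]:
            findings.append(f"{e['alias']}: self-signed trust anchor; IE stores such a "
                            "cert as a CA cert, so it is never offered as a client cert")
    return findings
```

Running `audit(parse_listing(LISTING))` reports both the shared keystore/truststore and the self-signed trust anchor, which are exactly the two points the reply raises.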
