>>> You have http://host/ClientCertSignServlet configured to redirect to https://host/ClientCertSignServlet due to the <transport-guarantee>. Did you expect some other response than 302? <<<<<

When I enable client authentication on Tomcat, I'm not able to open the https URL; it says the page cannot be displayed. I can't find what status code it is, as it is all encrypted on the network, but I could see that some step of the handshake had been attempted, and I see a list of CA (Certifying Authority) names amongst the encrypted junk of text. These CA names are those configured as "Intermediate Certifying Authorities" in the browser cert store. I'm not sure why these are required to be sent on the network; I thought the browser should send the certificate from the "Personal Certificates" store, as this is the keystore of the browser (whose issuing CA I have added to the truststore on Tomcat), but it does not seem to be sending the personal certificate.

Thanks,
Kannan
--- On Fri, 4/2/11, Christopher Schultz <ch...@christopherschultz.net> wrote:

From: Christopher Schultz <ch...@christopherschultz.net>
Subject: Re: CLIENT-CERT configuration doesn't work for servlet.
To: "Tomcat Users List" <users@tomcat.apache.org>
Date: Friday, 4 February, 2011, 1:54 AM

Kannan,

On 2/3/2011 2:20 PM, Kannan J wrote:
> In web.xml of a war file I'm forcing SSL to be used for a particular
> servlet. Tomcat has been configured for client authentication.
>
> <!-- Force SSL for entire site -->
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>RUSA Authentication</web-resource-name>
>     <url-pattern>/ClientCertSignServlet</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <realm-name>Client Cert Users-only Area</realm-name>
> </login-config>
>
> When I try to access the servlet (using the http URL), it immediately
> returns 302 permanently moved. It is supposed to ask the user to choose
> a certificate from the list of available certificates in the browser
> cert store and use it for client authentication. How do I get it working?

You have http://host/ClientCertSignServlet configured to redirect to
https://host/ClientCertSignServlet due to the <transport-guarantee>. Did
you expect some other response than 302?

SSL client certificates can't be negotiated over HTTP... you need HTTPS.
- -chris
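The "list of CA names" that shows up in the capture is the server's TLS CertificateRequest handshake message: in TLS 1.2 the server sends, in the clear, the distinguished names of the CAs it will accept a client certificate from (the contents of its truststore), and the browser uses that list to decide which personal certificate, if any, it may offer. The script below is an added example and is not code from this thread or from Tomcat; it constructs a CertificateRequest carrying two made-up CA names, parses it back the way a client does, and picks the entry of a constructed "personal store" whose issuer is on the server's list. The DNs, the certificate store entries and the subset of attribute OIDs handled are all assumptions made for the example.

```python
"""Build and parse a TLS 1.2 CertificateRequest (RFC 5246 7.4.4) and pick a
matching client certificate.  Added example; all DNs and store entries below
are constructed for illustration, not taken from the thread."""
import struct

# Minimal DER support for X.501 Names made of C / O / CN attributes only.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}


def der(tag, body):
    """DER TLV with short or long-form length (sufficient for < 65536 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


def encode_name(attrs):
    """attrs: ordered list of (shortname, value); each attribute becomes its own RDN."""
    rdns = b""
    for short, value in attrs:
        atv = der(0x30, der(0x06, OIDS[short]) + der(0x0C, value.encode()))  # SEQUENCE{OID, UTF8String}
        rdns += der(0x31, atv)                                                # SET OF one ATV
    return der(0x30, rdns)                                                    # SEQUENCE OF RDN


def read_tlv(buf, pos):
    """Return (tag, contents, position after the TLV)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def decode_name(der_name):
    """Render a DER Name as 'C=..,O=..,CN=..' so it can be compared with an issuer string."""
    tag, body, _ = read_tlv(der_name, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    parts, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)


def build_certificate_request(ca_names):
    """Server side: handshake msg type 13 listing the CAs from the truststore."""
    cert_types = bytes([1, 64])          # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3])       # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack(">H", len(sig_algs)) + sig_algs
            + struct.pack(">H", len(cas)) + cas)
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Client side: recover certificate types, signature algorithms and CA DNs."""
    assert msg[0] == 13, "not a CertificateRequest"
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    assert len(body) == length, "truncated handshake message"
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    n = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)]; pos += n
    n = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    end, cas = pos + n, []
    while pos < end:
        dn_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        cas.append(decode_name(body[pos:pos + dn_len])); pos += dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs, "cas": cas}


def choose_client_cert(store, acceptable_cas):
    """First personal certificate whose issuer is one of the server's CAs, else None."""
    return next((c for c in store if c["issuer"] in acceptable_cas), None)


# Constructed data: the server's truststore CAs and the client's personal store.
TRUSTED_CAS = [
    [("C", "US"), ("O", "Example Corp"), ("CN", "Example Corp Issuing CA")],
    [("C", "US"), ("O", "Example Corp"), ("CN", "Example Corp Root CA")],
]
PERSONAL_STORE = [
    {"subject": "CN=kannan", "issuer": "C=US,O=Other Org,CN=Other CA"},
    {"subject": "CN=kannan", "issuer": "C=US,O=Example Corp,CN=Example Corp Issuing CA"},
]


def demo():
    msg = build_certificate_request([encode_name(a) for a in TRUSTED_CAS])
    req = parse_certificate_request(msg)
    return req, choose_client_cert(PERSONAL_STORE, req["cas"])


if __name__ == "__main__":
    req, chosen = demo()
    for dn in req["cas"]:
        print("server accepts certificates issued by:", dn)
    print("client would send:", chosen)
```

If the issuer of the certificate in the personal store matches none of the advertised DNs, `choose_client_cert` returns `None`, which is the situation in which a browser silently offers no certificate and the server, when configured to require one, tears the connection down before any HTTP status is produced. Comparing the DNs decoded from a capture against the issuer of the personal certificate is therefore the first check to make when the handshake fails this way.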