Actually, the server is IBM WAS and the client is running in Tomcat, which runs on JRE6; I assume it uses JSSE libraries from JRE6. I never faced this problem if the same client program runs on IBM WAS, which uses IBM's Java runtime and SSL handlers. So it could be a JRE problem rather than Tomcat's. In fact, subsequent to my last post, I got the same situation by porting the client program to a plain Java application. I know for sure which cacerts is being used, and listing cacerts shows the required cert. I will try in JSSE forums too.
-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Friday, January 27, 2012 4:20 AM
To: Tomcat Users List
Subject: Re: SSL client auth

On 26/01/2012 17:37, Harish S K wrote:
> I am trying to open a https URL on IBM WebSphere where ClientAuth is enabled.
> In response I was getting HTTP 403 whereas the URL can be accessed through
> http. On debugging further, it looks like the client is not sending the
> client certificate in response to server's request. In some forum somebody
> from Tomcat has said it is not a Tomcat issue as it is up to the client
> application to handle. However as the client app uses the SSL handlers etc
> from Tomcat runtime I was wondering if anyone can help. See the below
> excerpts from verbose output: certificate chain found by client is empty. I am
> sure the keystore loaded is correct....

Eh? So you've imported a Tomcat jar as a dependency, into your IBM WebSphere application then?

Which jar have you imported?

p

> =====================================
>
> adding as trusted cert:
>   Subject: CN=testmc.myorg.net, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US
>   Issuer: CN=testmc.myorg.net, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US
>   Algorithm: RSA; Serial number: 0x4f1e5842
>   Valid from Tue Jan 24 02:05:38 EST 2012 until Fri Jan 18 02:05:38 EST 2013
>
> .
> .
> .
> *** CertificateRequest
> Cert Types: RSA
> Cert Authorities:
> <CN=testmc.myorg.net, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US>
> *** ServerHelloDone
> *** Certificate chain
> ***
> *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
>
>
> =====================================
>
> Thanks
> Harish.
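
Added example, not part of the thread: a small Python triage script that reads a JSSE verbose trace like the excerpt quoted above and reports, for each CertificateRequest, the certificate types and authorities the server asked for and how many certificates the client sent back. The function names are hypothetical, and the `chain [N] = ` pattern for a non-empty chain is an assumption about the trace format, since the excerpt only shows the empty case.

```python
import re

# Handshake excerpt copied from the verbose output quoted in the thread.
SAMPLE_TRACE = """\
*** CertificateRequest
Cert Types: RSA
Cert Authorities:
<CN=testmc.myorg.net, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
"""

# Assumption: each certificate in a non-empty chain is introduced by "chain [N] = ".
CHAIN_ENTRY = re.compile(r"chain \[\d+\] = ")

def analyse_client_auth(trace):
    """Return one dict per CertificateRequest found in the trace."""
    results, current, section = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("*** CertificateRequest"):
            current = {"cert_types": [], "authorities": [], "client_chain_len": None}
            results.append(current)
            section = "request"
        elif (line.startswith("*** Certificate chain") and current is not None
              and current["client_chain_len"] is None):
            # First Certificate message after the request is the client's reply.
            current["client_chain_len"] = 0
            section = "chain"
        elif line.startswith("***"):
            section = None  # any other handshake message ends the section
        elif current is None:
            continue  # e.g. the server's own chain, printed before the request
        elif section == "request" and line.startswith("Cert Types:"):
            types = line.split(":", 1)[1].split(",")
            current["cert_types"] = [t.strip() for t in types if t.strip()]
        elif section == "request" and line.startswith("<") and line.endswith(">"):
            current["authorities"].append(line[1:-1])
        elif section == "chain" and CHAIN_ENTRY.match(line):
            current["client_chain_len"] += 1
    return results

def empty_chain_requests(trace):
    """Requests the client answered with an empty Certificate message."""
    return [r for r in analyse_client_auth(trace) if r["client_chain_len"] == 0]
```

An empty chain in this report means the client's JSSE key manager found no private-key entry of a requested type whose chain leads to one of the listed authorities; trusted-certificate entries alone are never sent as a client certificate.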