Please don't 'top-post', just add your reply below the question(s) or it makes reading the thread impossible.

On 27/01/2012 02:40, Harish S K wrote:
> Actually, the server is IBM WAS and the client is running in Tomcat which
> runs on JRE6, I assume it uses JSSE libraries from jre6.

Tomcat is only responsible for handling SSL on inbound connections, via
the Connector configuration. Tomcat will use a JSSE based configuration
unless you are also using APR, when it will use OpenSSL and a different
configuration.

If an application running in Tomcat consumes an external resource that
is served via SSL, it is that application's responsibility to handle the
SSL decoding, not Tomcat.

> I never faced this problem if the same client program runs on IBM WAS which
> uses IBM's java runtime and SSL handlers.

Which problem, the 403 problem? What is an "SSL Handler"?

Is it possible that you're using a keystore in WAS, by accident/default,
that contains the right certs?

> So it could be a JRE problem rather than Tomcat's, in fact subsequent to my
> last post, I got the same situation by porting the client program to a plain
> java application.

It is not Tomcat's fault. It is an application issue.

> I know for sure which cacerts is being used and listing cacerts shows the
> required cert. I will try in JSSE forums too.

Or fix your code.


p

> -----Original Message-----
> From: Pid [mailto:p...@pidster.com]
> Sent: Friday, January 27, 2012 4:20 AM
> To: Tomcat Users List
> Subject: Re: SSL client auth
>
> On 26/01/2012 17:37, Harish S K wrote:
>> I am trying to open a https URL on IBM WebSphere where ClientAuth is enabled.
>> In response I was getting HTTP 403 whereas the URL can be accessed through
>> http. On debugging further, it looks like the client is not sending the
>> client certificate in response to server's request. In some forum somebody
>> from Tomcat has said it is not a Tomcat issue as it is up to the client
>> application to handle. However as the client app uses the SSL handlers etc
>> from tomcat runtime I was wondering if anyone can help. See the below
>> excerpts from verbose output certificate chain found by client is empty. I
>> am sure the keystore loaded is correct....
>
> Eh?
>
> So you've imported a Tomcat jar as a dependency, into your IBM WebSphere
> application then? Which jar have you imported?
>
>
> p
>
>
>> =====================================
>>
>> adding as trusted cert:
>>   Subject: CN=testmc.myorg.net, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US
>>   Issuer: CN=testmc.myorg.net, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US
>>   Algorithm: RSA; Serial number: 0x4f1e5842
>>   Valid from Tue Jan 24 02:05:38 EST 2012 until Fri Jan 18 02:05:38
>> EST 2013
>>
>> .
>> .
>> .
>> *** CertificateRequest
>> Cert Types: RSA
>> Cert Authorities:
>> <CN=testmc.myorg.net, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US>
>> *** ServerHelloDone
>> *** Certificate chain
>> ***
>> *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
>>
>>
>> =====================================
>>
>> Thanks
>> Harish.
>>
>>
>> ________________________________
>>
>> http://www.mindtree.com/email/disclaimer.html
>>
>
>

--

[key:62590808]
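
Added example, not part of the original thread and not code from either poster: a JSSE client answers a CertificateRequest only from a key store entry that holds a private key and whose chain matches the requested key type and authorities; a certificate stored only as a trusted entry is never offered, which produces the empty "Certificate chain" seen in the trace. The class name, the helper usable() and the command-line arguments are assumptions made for illustration; the authority DN is the one in the quoted trace.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.security.auth.x500.X500Principal;

public class ClientCertCheck {                       // hypothetical diagnostic class
    // True if the entry could answer the CertificateRequest: a private-key entry of the
    // requested key type whose chain has a certificate issued by the listed authority.
    static boolean usable(KeyStore ks, String alias, String keyType, X500Principal authority)
            throws Exception {
        if (!ks.isKeyEntry(alias)) return false;     // trusted-cert entries are never offered
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) return false;
        if (!keyType.equals(chain[0].getPublicKey().getAlgorithm())) return false;
        for (Certificate c : chain) {
            if (((X509Certificate) c).getIssuerX500Principal().equals(authority)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0];                       // assumed: store holding the client identity
        char[] pass = args[1].toCharArray();         // assumed: store and key password are equal
        X500Principal ca = new X500Principal(        // "Cert Authorities" value from the trace
            "CN=testmc.myorg.net, OU=myorg, O=myorg, L=NJ, ST=NJ, C=US");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pass); } finally { in.close(); }
        boolean any = false;
        for (String alias : Collections.list(ks.aliases())) {
            boolean ok = usable(ks, alias, "RSA", ca);   // "Cert Types: RSA" in the trace
            any |= ok;
            System.out.println(alias + ": keyEntry=" + ks.isKeyEntry(alias) + " usable=" + ok);
        }
        if (!any) { System.out.println("no entry can be sent as a client certificate"); return; }

        // Key managers supply the client certificate; null trust managers = default trust store.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        System.out.println("SSLContext ready; pass ctx.getSocketFactory() to the HTTPS client");
    }
}
```

Run it against the store the client actually loads; an alias reported as keyEntry=false is a trust entry only and cannot serve as the client identity.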