Posted to users@tomcat.apache.org by ar...@libero.it on 2007/01/29 10:00:39 UTC
Cannot authenticate client with Tomcat 5.0.28
Hi everyone,
I work for a municipality; we need to implement a service that can log in users (from a browser) by electronic identity card.
I've installed a card reader and created an HTTPS connector for Tomcat 5.5 this way:
<Connector port="7443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="99" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="mypath/tomcat.jks"
keystorePass="*****" keystoreType="JKS"
truststoreFile="mypath/tomcat.jks"
truststorePass="*****" truststoreType="JKS" />
For server authentication, I've created a self-signed certificate using the Java tool keytool:
keytool -genkey -v -alias tomcat -keyalg RSA -validity 3650 -keystore mypath\tomcat.jks
because I don't need to obtain a trusted certificate from a certification authority.
The problem is with the client.
When I insert a smartcard, the card reader software installs a card certificate in Internet Explorer and in Firefox. This certificate is at the "bottom" of a chain of 3 certificates, so I downloaded the chain of certificates via the web, installed the chain in both browsers, then added the root CA certificate to the truststore repository of the server:
keytool -import -v -file pathToCer\root.cer -keystore mypath\tomcat.jks -trustcacerts
This, according to instructions found on the Internet, should be enough for Tomcat to recognize the client certificate.
But when trying to access https://myservername:7443
I get "Error establishing an encrypted connection. Error code: -12222" with Firefox; Explorer instead prompts me for the PIN of the card (this is necessary, I think, to use the private key on the card) and then "Cannot display page" (or something similar; I've installed the browser in a non-English language).
I tested the server by replacing the browser certificate with another self-signed certificate and importing it in the truststore, and it works well.
So I think it's a problem of how the client certificate is stored in the truststore file.
I also tried to import all certificates into the truststore (the client card certificate, the intermediate cert., the root cert.) but it doesn't work.
Can anybody help me? I'm sure I did something wrong importing certificates but I can't understand what.
thanks!
Castalia
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
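The check that the JSSE connector above performs on the card certificate, written out as an added example (it is not code from the thread or from Tomcat): it loads the truststore named in the connector and asks the JDK's PKIX path builder whether the client certificate chains to a trusted certificate entry in it, offering the intermediate certificate that the browser would normally send along with the card certificate. If the builder cannot find a path, the program lists what the truststore actually contains, which is usually where the answer is. The class name, the file names client.cer and intermediate.cer and the password argument are placeholders; in a combined keystore like tomcat.jks only the imported trusted certificate entries (the root) count as anchors here, not the server's own key entry.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example: rebuilds the certification path for a client certificate
 * against a JKS truststore with the JDK's PKIX builder, which is the same
 * validation a JSSE trust manager does during clientAuth.
 *
 * Usage (placeholder file names):
 *   java CheckClientChain mypath/tomcat.jks '*****' client.cer intermediate.cer
 */
public class CheckClientChain {

    /** Reads one DER or PEM encoded X.509 certificate from a file. */
    static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: CheckClientChain <truststore.jks> <password> <client.cer> [intermediate.cer ...]");
            System.exit(2);
        }
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client = readCert(cf, args[2]);

        // Certificates the builder may use to fill the middle of the chain.
        // The target certificate goes in too: the builder starts from the cert stores.
        List<X509Certificate> pool = new ArrayList<>();
        pool.add(client);
        for (int i = 3; i < args.length; i++) {
            pool.add(readCert(cf, args[i]));
        }

        // The path must end exactly at the card certificate.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(client);

        // Trust anchors are taken from every trusted certificate entry in the keystore;
        // the constructor throws if there is none, which is itself a useful diagnosis.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false); // no CRL/OCSP fetch in this offline check
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));

        try {
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Chain OK, anchored at: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            for (Certificate c : result.getCertPath().getCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }
        } catch (CertPathBuilderException e) {
            System.out.println("No path from the client certificate to a trust anchor: " + e.getMessage());
            System.out.println("Trusted certificate entries in " + args[0] + ":");
            for (String alias : Collections.list(trust.aliases())) {
                if (trust.isCertificateEntry(alias)) {
                    X509Certificate c = (X509Certificate) trust.getCertificate(alias);
                    System.out.println("  " + alias + ": " + c.getSubjectX500Principal()
                            + " (issuer " + c.getIssuerX500Principal() + ")");
                }
            }
            System.exit(1);
        }
    }
}
```

Run it once with only the root imported and once with the intermediate added as a trusted entry as well; a self-signed test certificate passes trivially because it is its own anchor, which is why the poster's control test succeeded without saying anything about the three-certificate chain. Keep in mind that a JSSE server also advertises the subject names of its trusted entries in the TLS CertificateRequest, so a browser that does not see the card's issuing CA in that list may decline the handshake before the server ever validates anything.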
Re: Cannot authenticate client with Tomcat 5.0.28
Posted by Jose Rafael Romero Miret <jr...@dunasoft.es>.
arrow.toni@libero.it wrote:
> Hi everyone,
>
> I work for a municipality; we need to implement a service that can log in users (from a browser) by electronic identity card.
> I've installed a card reader and created an HTTPS connector for Tomcat 5.5 this way:
>
> <Connector port="7443"
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" debug="99" scheme="https" secure="true"
> clientAuth="true" sslProtocol="TLS"
> keystoreFile="mypath/tomcat.jks"
> keystorePass="*****" keystoreType="JKS"
> truststoreFile="mypath/tomcat.jks"
> truststorePass="*****" truststoreType="JKS" />
>
Hej, I had the same problem last week; it seems that when you install Tomcat, APR is also installed, so the configuration for SSL is different.
Try with:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEngine="on"
SSLCertificateFile="c:/server.crt"
SSLCertificateKeyFile="c:/server.key"
SSLPassword="*****"/> (***** is your actual password...)
Works for me, good luck!
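An APR connector that actually requires the card certificate, as an added example and not part of the reply above: the APR (OpenSSL-backed) connector does not read the JKS truststore at all, so the JSSE attributes clientAuth, truststoreFile and truststorePass have no effect on it. Client authentication is switched on with SSLVerifyClient, and the accepted CA certificates (root plus intermediate, PEM, concatenated) go in SSLCACertificateFile, which, as in Apache mod_ssl, also supplies the CA list sent to the browser. File names and the port are placeholders; the server certificate and key must be PEM files, not the JKS.

```xml
<!-- Added example: APR/OpenSSL connector with mandatory client certificate authentication -->
<Connector port="7443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEngine="on"
           SSLCertificateFile="mypath/server.crt"
           SSLCertificateKeyFile="mypath/server.key"
           SSLPassword="*****"
           SSLCACertificateFile="mypath/eid-ca-chain.pem"
           SSLVerifyClient="require"
           SSLVerifyDepth="3" />
```

Without SSLVerifyClient the connector in the reply serves HTTPS but never asks the browser for a certificate, so the login-by-identity-card requirement in the original question would silently not be enforced. SSLVerifyDepth="3" bounds the chain length to root, intermediate and card certificate; "optional" instead of "require" lets the application decide what to do when no card is presented.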