Posted to dev@tomcat.apache.org by Moisés Serrano Martínez <ms...@tecnesis.com> on 2002/11/05 17:35:07 UTC

Client-cert authentication.

I've a small (or big) problem configuring Tomcat 4.1.12.

Does anyone know how to configure the client side of the matter?

What I have done is :

1) Create a selfsigned certificate (master certificate).
2) With the master create another intermediate one for localhost (signed with the private key of the master one)
        - Import the chain into a keystore: server.keystore ( the master and localhost, this last one with the private key)
3) With the localhost certificate create a user certificate (signed with the private key of localhost).
        - Import the user certificate into the server.keystore.
4) Import the chain into a keystore: server.keystore
       -  At this point all must be ok because the server authentication works perfectly when a client tries to connect to localhost.
5) Configure the server.xml:
        - Define an SSL Coyote HTTP/1.1 Connector on port 8443, and locate the keystore inside the factory, CoyoteServerSocketFactory, with clientAuth="false":

                <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="3" scheme="https" secure="true" useURIValidationHack="false">
                    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" keystoreFile="C:\Documents and Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore" keystorePass="396947j" protocol="TLS" algorithm="SunX509" keystoreType="JKS"/>
                </Connector>

6) Configure the web.xml. If the auth-method selected is BASIC everything works fine; the problem begins when I try to make a context work with client authentication.

                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
                <web-app>
                    <display-name>adminWeb</display-name>
                    <welcome-file-list>
                        <welcome-file>adminWeb.jsp</welcome-file>
                    </welcome-file-list>
                    <security-constraint>
                        <web-resource-collection>
                            <web-resource-name>adminWeb</web-resource-name>
                            <url-pattern>/*</url-pattern>
                        </web-resource-collection>
                        <auth-constraint>
                            <role-name>admin</role-name>
                        </auth-constraint>
                        <user-data-constraint>
                            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                        </user-data-constraint>
                    </security-constraint>
                    <login-config>
                        <auth-method>CLIENT-CERT</auth-method>
                    </login-config>
                    <security-role>
                        <description>An example role defined in "conf/tomcat-users.xml"</description>
                        <role-name>admin</role-name>
                    </security-role>
                </web-app>

7) In the client side:

      - Generate a p12 keystore in order to import the user certificate and its private key.
      - Import into the client (browser) the master, the intermediate (localhost) and the user certificates.
              - The user certificate in p12 format (with the private key) and the other ones in X.509 format: localhost.cer and master.cer.

At the end, the result is:
type Status report

message No client certificate chain in this request (original Spanish: "No hay cadena de certificados del cliente en esta peticion")

description The request sent by the client was syntactically incorrect (No client certificate chain in this request).

Using CATALINA_BASE:   ..
Using CATALINA_HOME:   ..
Using CATALINA_TMPDIR: ..\temp
Using JAVA_HOME:       C:\jbuilder5\jdk1.3
[INFO] Registry - -Loading registry information
[INFO] Registry - -Creating new Registry instance
[INFO] Registry - -Creating MBeanServer
[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8080
[INFO] Http11Protocol - -Initializing Coyote HTTP/1.1 on port 8443
Starting service Tomcat-Standalone
Apache Tomcat/4.1.12
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8080
[INFO] Http11Protocol - -Starting Coyote HTTP/1.1 on port 8443
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:543)
        at org.apache.coyote.Response.action(Response.java:216)
        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:484)
[WARN] Http11Processor - -Exception getting SSL attributes  <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA6275)
        at org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.java:118)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
        at org.apache.coyote.Request.action(Request.java:367)
        at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
        at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:484)
[WARN] Http11Processor - -Exception getting SSL Cert <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>




Please, I've been trying to solve this problem for days and I am desperate.

Thanks a lot in advance.

Moises

Re: Client-cert authentication.

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Moisés Serrano Martínez wrote:
> I've a small (or big) problem configuring Tomcat 4.1.12.
> 
> Does anyone know how to configure the client side of the matter?
> 
> What I have done is :
> 
> 1) Create a selfsigned certificate (master certificate).

A CA certificate ;-)

You have to import this certificate in $JAVA_HOME/jre/lib/security/cacerts 
(cacert.pem).





--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Client-cert authentication.

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Moisés Serrano Martínez wrote:
> 
> 
> ----- Original Message -----
> From: "jean-frederic clere" <jf...@fujitsu-siemens.com>
> To: "Tomcat Developers List" <to...@jakarta.apache.org>
> Sent: Wednesday, November 13, 2002 4:58 PM
> Subject: Re: Client-cert authentication.
> 
> 
> Moisés Serrano Martínez wrote:
> 
>>Thanks a lot. In the end I got it.
> 
> 
> Great!
> 
> 
>>A new question:
>>
>>Does anybody know how to access the data in a certificate from a client
>>browser?
>>In order to sign a document in a client who doesn't have the Java
>>environment.
> 
> 
> I am not sure I understand what you want to do: import a certificate in the
> browser?
> 
> No. This is quite clear, thanks a lot.
> 
> What I need to do is to access the data included in a certificate in the
> client side. In order to develop a work-flow process signing/verifying the
> document in every step of the work-flow. All these in a client without J2EE
> environment.
> 
> As far as I know, when you sign something in asymmetric encryption mode you
> sign the document with your private key and the receiver can verify the signature
> with the public key included in the certificate.
> 
> The question is: How can I manage to access the private key included in the
> client keystore (.pfx or .p12 certificate) in order to allow the client to
> sign something. I suppose this is similar to what a mail client does
> when you sign an e-mail attaching the certificate to the e-mail and the
> receiver can read it only if he has the certificate associated to the
> address with the correct email in the address book.
> 
> Is the question clearer now?

Yes. But it has only very little to do with Tomcat... (WebDAV to transfer the 
documents).

> 
> Thanks a lot in advance


Re: Client-cert authentication.

Posted by Moisés Serrano Martínez <ms...@tecnesis.com>.


----- Original Message -----
From: "jean-frederic clere" <jf...@fujitsu-siemens.com>
To: "Tomcat Developers List" <to...@jakarta.apache.org>
Sent: Wednesday, November 13, 2002 4:58 PM
Subject: Re: Client-cert authentication.


Moisés Serrano Martínez wrote:
> Thanks a lot. In the end I got it.

Great!

>
> A new question:
>
> Does anybody know how to access the data in a certificate from a client
> browser?
> In order to sign a document in a client who doesn't have the Java
> environment.

I am not sure I understand what you want to do: import a certificate in the
browser?

No. This is quite clear, thanks a lot.

What I need to do is to access the data included in a certificate in the
client side. In order to develop a work-flow process signing/verifying the
document in every step of the work-flow. All these in a client without J2EE
environment.

As far as I know, when you sign something in asymmetric encryption mode you
sign the document with your private key and the receiver can verify the signature
with the public key included in the certificate.

The question is: How can I manage to access the private key included in the
client keystore (.pfx or .p12 certificate) in order to allow the client to
sign something. I suppose this is similar to what a mail client does
when you sign an e-mail attaching the certificate to the e-mail and the
receiver can read it only if he has the certificate associated to the
address with the correct email in the address book.

Is the question clearer now?

Thanks a lot in advance








Re: Client-cert authentication.

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Moisés Serrano Martínez wrote:
> Thanks a lot. In the end I got it.

Great!

> 
> A new question:
> 
> Does anybody know how to access the data in a certificate from a client
> browser?
> In order to sign a document in a client who doesn't have the Java
> environment.

I am not sure I understand what you want to do: import a certificate in the browser?

> 
> any idea for beginning to investigate.
> javascript?
> browser api?


Re: Client-cert authentication.

Posted by Moisés Serrano Martínez <ms...@tecnesis.com>.
Thanks a lot. In the end I got it.

A new question:

Does anybody know how to access the data in a certificate from a client
browser?
In order to sign a document in a client who doesn't have the Java
environment.

Any idea for beginning to investigate?
javascript?
browser API?





Re: Client-cert authentication.

Posted by Moisés Serrano Martínez <ms...@tecnesis.com>.
Thanks a lot.

I'll try it this weekend.

----- Original Message -----
From: "jean-frederic clere" <jf...@fujitsu-siemens.com>
To: "Tomcat Developers List" <to...@jakarta.apache.org>
Sent: Friday, November 08, 2002 5:59 PM
Subject: Re: Client-cert authentication.


Moisés Serrano Martínez wrote:
> I've done it and the problem continues: I've included the self-signed and
> intermediate certificates in cacerts (
> perhaps it's a problem with the java environment?
> which files is it necessary to configure in order to obtain client-cert
> authentication?

The only thing I can do to help you is to send the steps I am using to
test the client certificates (forget the last 2 steps, which are to test
mod_jk).

Cheers

Jean-frederic

>
> Thanks a lot for the interest.
>
>
>
>
>
>
> ----- Original Message -----
> From: "Bob Herrmann" <bo...@hue.jadn.com>
> To: "Tomcat Developers List" <to...@jakarta.apache.org>
> Sent: Wednesday, November 06, 2002 5:32 PM
> Subject: Re: Client-cert authentication.
>
>
>> On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
>>
>>> Thanks a lot Bob and Jean-frederic for the response but I'm afraid I don't
>>> understand clearly the solution:
>>
>> As I understand it, Tomcat uses a keystore and a truststore.
>>
>> Tomcat uses the keystore to answer the client's "who are you?" question.
>> The answer (Who is this Tomcat server) is retrieved from the keystore.
>> (I am a trusted Tomcat server for Acme corp, my certificate is signed by
>> some central authority.)
>>
>> The truststore is used when Tomcat wants to verify who the client is,
>> "Do I trust this client?" (Should this client really be allowed to
>> access this site?)  Tomcat only asks this, or verifies the client, if
>> the Connector has clientauth=true  **OR**  if a resource is marked up in
>> the web.xml as requiring CLIENT-CERT
>>
>> The keystore can be set in the server.xml.  The truststore must be set
>> using the JDK's property files or via an environment variable (like I
>> mentioned in my earlier email.)  This is a tad kludgy because verifying
>> the certs of the client seems to be fairly rare in practice.  (I imagine
>> this is because verifying the client certs is something B2B requires and
>> not so much needed by the casual JSP developer.)
>>
>> Cheers,
>> -bob
>>
>>
>>> As far as I know, when I configure the server.xml of the Tomcat/conf
>>> directory in order to use the keystore where I've imported the trusted
>>> certs of the chain, I thought I was telling Tomcat that the keystore for
>>> the authentication was that one, and it wasn't necessary to configure
>>> another trusted keystore.
>>>
>>> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>> clientAuth="false" keystoreFile="C:\Documents and
>>> Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>> keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>> keystoreType="JKS"/>
>>>
>>> Is it necessary to configure both keystores?
>>> Thanks again, and sorry for my question if it's something clear for
>>> everyone.
>>>
>>> ----- Original Message -----
>>> From: "Bob Herrmann" <bo...@jadn.com>
>>> To: "Tomcat Developers List" <to...@jakarta.apache.org>
>>> Sent: Tuesday, November 05, 2002 9:58 PM
>>> Subject: Re: Client-cert authentication.
>>>
>>>
>>>> As someone else already pointed out, you need to configure the trust
>>>> stores (Which tell tomcat what clients to trust.) You can do that by
>>>> changing some config files, or like this on the command line (with
>>>> redhat)
>>>>
>>>> export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
>>>> -Djavax.net.ssl.trustStorePassword=changeit"
>>>>
>>>> Cheers,
>>>> -bob
>>>>
>>>>
>>>>
>>>> export CATALINA
>>>> -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
>>>> -Djavax.net.ssl.trustStorePassword=changeit
>
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav
>
>>>a:533)
>>>
>>>>>        at java.lang.Thread.run(Thread.java:484)
>>>>>[WARN] Http11Processor - -Exception getting SSL attributes
>>>>
>>><javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>
>>>>>javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>>>>>        at
>>>>
>
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA62
>
>>>75)
>>>
>>>>>        at
>>>>
>
org.apache.tomcat.util.net.JSSESupport.getPeerCertificateChain(JSSESupport.j
>
>>>ava:118)
>>>
>>>>>        at
>>>>
> org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:567)
>
>>>>>        at org.apache.coyote.Request.action(Request.java:367)
>>>>>        at
>>>>
>
org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:797)
>
>>>>>        at
>>>>
>
org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFaca
>
>>>de.java:141)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthentic
>
>>>ator.java:154)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase
>
>>>.java:502)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
>
>>>eNext(StandardPipeline.java:641)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:2
>
>>>46)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
>
>>>eNext(StandardPipeline.java:641)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>
>>>>>        at
>>>>
>>>org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>
>>>>>        at
>>>>
> org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180
>
>>>)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
>
>>>eNext(StandardPipeline.java:643)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.
>
>>>java:170)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
>
>>>eNext(StandardPipeline.java:641)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172
>
>>>)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
>
>>>eNext(StandardPipeline.java:641)
>>>
>>>>>        at
>>>>
>>>org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:4
>>
> 80)
>
>>>>>        at
>>>>
>>>org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
>
>>>:174)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
>
>>>eNext(StandardPipeline.java:643)
>>>
>>>>>        at
>>>>
>
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>
>>>>>        at
>>>>
>>>org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>>>
>>>>>        at
>>>>
>>>org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>>>
>>>>>        at
>>>>
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
>
>>>>>        at
>>>>
>
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConne
>
>>>ction(Http11Protocol.java:380)
>>>
>>>>>        at
>>>>
> org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
>
>>>>>        at
>>>>
>
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav
>
>>>a:533)
>>>
>>>>>        at java.lang.Thread.run(Thread.java:484)
>>>>>[WARN] Http11Processor - -Exception getting SSL Cert
>>>>
>>><javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
>>>
>>>>>
>>>>>
>>>>>
>>>>>Please  I´ve been trying to solve this problem for days and I am
>>>>
>>>desperate.
>>>
>>>>>Thanks a lot in advance.
>>>>>
>>>>>Moises
>>>>
>>>>--
>>>>Bob Herrmann <bo...@jadn.com>
>>>>
>>>>
>>>>--
>>>>To unsubscribe, e-mail: <ma...@jakarta.apache.org>
>>>>For additional commands, e-mail: <ma...@jakarta.apache.org>





--------------------------------------------------------------------------------


> Connecting to the server:
> openssl s_client -port 443 -host vtxclere
>
> List the CAs of a JVM:
> keytool -list -rfc -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> Steps to set up a demoCA and user certificates:
>
> 1 - /usr/local/ssl/misc/CA.pl -newca
>     This creates a demoCA directory that contains the CA certificates.
>
> 2 - /usr/local/ssl/misc/CA.pl -newreq
>     This creates a newreq.pem that contains the private key and the request.
>
> 3 - Separate the request and the private key.
>     Put the private key in key.pem and the request in newreq.pem.
>
> 4 - /usr/local/ssl/misc/CA.pl -signreq
>     It displays the certificate before signing it.
>     The result is in newcert.pem.
>
> 5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
>     -in newcert.pem -out test.p12
>     The test.p12 file can be imported into the browser.
>
> 6 - Import the test.p12 file into the browser.
>
> 7 - Add the CA cert to $JAVA_HOME/jre/lib/security/cacerts:
>     chmod u+w $JAVA_HOME/jre/lib/security/cacerts
>     $JAVA_HOME/bin/keytool -import -trustcacerts -file demoCA/cacert.pem \
>     -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> 8 - mod_jk (Apache).
>     The CA certificates are stored in $APACHE_HOME/conf/ssl.crt/ca-bundle.crt.
>     Just add the demoCA/cacert.pem to it.
>
>
> 9 - In case a certificate is for the Apache server:
>     Do steps 2, 3 and 4 and put the file key.pem into SSLCertificateKeyFile
>     and the file newcert.pem into SSLCertificateFile (in httpd.conf).
>


--------------------------------------------------------------------------------





--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Client-cert authentication.

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Moisés Serrano Martínez wrote:
> I've done it and the problem continues: I've included the self-signed and
> intermediate certificates in cacerts.
> Perhaps it's a problem with the Java environment?
> Which files is it necessary to configure in order to obtain client-cert
> authentication?

The only thing I can do to help you is to send the steps I am using to
test client certificates (ignore the last 2 steps, which are for testing mod_jk).

Cheers

Jean-frederic

> 
> Thanks a lot for the interest.
> 
> 
> 
> 
> 
> 
> ----- Original Message -----
> From: "Bob Herrmann" <bo...@hue.jadn.com>
> To: "Tomcat Developers List" <to...@jakarta.apache.org>
> Sent: Wednesday, November 06, 2002 5:32 PM
> Subject: Re: Client-cert authentication.
> 
> 
> 
>>On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
>>
>>>Thanks a lot Bob and Jean-frederic for the response, but I'm afraid I don't
>>>clearly understand the solution:
>>
>>
>>As I understand it, Tomcat uses a keystore and a truststore.
>>
>>Tomcat uses the keystore to answer the client's "who are you?" question.
>>The answer (Who is this Tomcat server) is retrieved from the keystore.
>>(I am a trusted Tomcat server for Acme corp, my certificate is signed by
>>some central authority.)
>>
>>The truststore is used when Tomcat wants to verify who the client is,
>>"Do I trust this client?" (Should this client really be allowed to
>>access this site?)  Tomcat only asks this, or verifies the client, if
>>the Connector has clientauth=true  **OR**  if a resource is marked up in
>>the web.xml as requiring CLIENT-CERT
>>
>>The keystore can be set in the server.xml.  The truststore must be set
>>using the JDK's property files or via an environment variable (like I
>>mentioned in my earlier email.)  This is a tad kludgy because verifying
>>the certs of the client seem to be fairly rare in practice.  (I imagine
>>this is because verifying the client certs is something B2B requires and
>>not so much needed by the casual JSP developer.)
>>
>>Cheers,
>>-bob
>>
>>
>>
>>
>>>As far as I know, when I configure the server.xml of the Tomcat/conf
>>>directory in order to use the keystore where I've imported the trusted certs
>>>of the chain,
>>>I thought I was telling Tomcat that the keystore for the authentication was
>>>that one, and that it wasn't necessary to configure another trusted keystore.
>>>
>>><Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>>clientAuth="false" keystoreFile="C:\Documents and
>>>Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
>>>keystorePass="396947j" protocol="TLS" algorithm="SunX509"
>>>keystoreType="JKS"/>
>>>
>>>Is it necessary to configure both keystores?
>>>Thanks again, and sorry for my question if it's something obvious to
>>>everyone.
>>>
>>>----- Original Message -----
>>>From: "Bob Herrmann" <bo...@jadn.com>
>>>To: "Tomcat Developers List" <to...@jakarta.apache.org>
>>>Sent: Tuesday, November 05, 2002 9:58 PM
>>>Subject: Re: Client-cert authentication.
>>>
>>>
>>>
>>>>As someone else already pointed out, you need to configure the trust
>>>>stores (Which tell tomcat what clients to trust.) You can do that by
>>>>changing some config files, or like this on the command line (with
>>>>redhat)
>>>>
>>>>export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
>>>>-Djavax.net.ssl.trustStorePassword=changeit"
>>>>
>>>>Cheers,
>>>>-bob
>>>>
>>>>
>>>>
>>>>export CATALINA
>>>>-Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
>>>>-Djavax.net.ssl.trustStorePassword=changeit


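The two pieces of advice in this thread, Jean-frederic's demoCA procedure (CA, user certificate, PKCS#12 export, CA certificate into the JVM truststore) and Bob's point that the server.xml keystore only identifies Tomcat while a separate truststore decides which client certificates it accepts, as one added shell example. It is not code from the thread or from Tomcat: it replaces the CA.pl wrapper with plain openssl commands, and the working directory, the CA and user subjects, the "changeit" password and the cacerts.jks file name are assumptions. The keytool step only runs where a JDK is installed; openssl is required.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the demoCA steps with
# plain openssl, then builds the separate truststore Tomcat needs to verify
# a client certificate. File names, subjects and "changeit" are assumptions.
set -eu

# Everything below needs openssl; leave quietly where it is missing.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

WORK="${WORK:-./democa-work}"
mkdir -p "$WORK"
cd "$WORK"

# Step 1: a self-signed CA (what CA.pl -newca leaves in demoCA/cacert.pem).
make_ca() {                       # $1 = base name, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Steps 2-4: user key and request (CA.pl -newreq), signed by the CA
# (CA.pl -signreq). Key and request are written to separate files directly.
make_user_cert() {                # $1 = CA base name, $2 = user CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout key.pem -out newreq.pem >/dev/null 2>&1
    openssl x509 -req -in newreq.pem -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 365 -out newcert.pem >/dev/null 2>&1
}

# Step 5: PKCS#12 bundle for the browser: user cert, private key, CA cert.
# pass: on the command line is visible in process listings; use -passout
# file: or an interactive prompt for anything beyond a test setup.
export_p12() {
    openssl pkcs12 -export -inkey key.pem -in newcert.pem \
        -certfile democa.pem -passout pass:changeit -out test.p12
}

# The check the truststore performs: does the presented certificate chain
# to a CA the server trusts? Exit status 0 means yes.
verify_chain() {                  # $1 = trusted CA file, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 7, Bob's variant: a private JKS truststore instead of editing the
# JDK's cacerts. keytool only exists where a JDK is installed.
make_truststore() {               # $1 = CA file, $2 = JKS file
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -trustcacerts -alias democa \
            -file "$1" -keystore "$2" -storepass changeit >/dev/null 2>&1
    fi
}

# The JVM options Bob puts in CATALINA_OPTS for that truststore.
catalina_opts() {                 # $1 = absolute path of the JKS file
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=changeit"
}

make_ca democa "demoCA"
make_ca otherca "someOtherCA"     # a CA that Tomcat does NOT trust
make_user_cert democa "moises"
export_p12
make_truststore democa.pem cacerts.jks

if verify_chain democa.pem newcert.pem; then
    echo "user cert chains to demoCA: accepted"
fi
if ! verify_chain otherca.pem newcert.pem; then
    echo "user cert does not chain to the trusted CA: rejected"
fi
echo "CATALINA_OPTS=\"$(catalina_opts "$PWD/cacerts.jks")\""
```

The second verify_chain call models the failure in the thread: a client certificate whose issuing CA is absent from the server's truststore is not accepted during the handshake, and Tomcat then has no peer chain to hand to SSLAuthenticator, which is what surfaces as "peer not authenticated". Note also that the thread puts keystorePass in server.xml in clear text, so that file needs the same file permissions as the keystore itself.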

Re: Client-cert authentication.

Posted by Moisés Serrano Martínez <ms...@tecnesis.com>.
I've done it and the problem continues: I've included the self-signed and
intermediate certificates in cacerts.
Perhaps it's a problem with the Java environment?
Which files is it necessary to configure in order to obtain client-cert
authentication?

Thanks a lot for the interest.






----- Original Message -----
From: "Bob Herrmann" <bo...@hue.jadn.com>
To: "Tomcat Developers List" <to...@jakarta.apache.org>
Sent: Wednesday, November 06, 2002 5:32 PM
Subject: Re: Client-cert authentication.


> On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
> > Thanks a lot Bob and Jean-frederic for the response, but I'm afraid I don't
> > clearly understand the solution:
>
>
> As I understand it, Tomcat uses a keystore and a truststore.
>
> Tomcat uses the keystore to answer the client's "who are you?" question.
> The answer (Who is this Tomcat server) is retrieved from the keystore.
> (I am a trusted Tomcat server for Acme corp, my certificate is signed by
> some central authority.)
>
> The truststore is used when Tomcat wants to verify who the client is,
> "Do I trust this client?" (Should this client really be allowed to
> access this site?)  Tomcat only asks this, or verifies the client, if
> the Connector has clientauth=true  **OR**  if a resource is marked up in
> the web.xml as requiring CLIENT-CERT
>
> The keystore can be set in the server.xml.  The truststore must be set
> using the JDK's property files or via an environment variable (like I
> mentioned in my earlier email.)  This is a tad kludgy because verifying
> the certs of the client seem to be fairly rare in practice.  (I imagine
> this is because verifying the client certs is something B2B requires and
> not so much needed by the casual JSP developer.)
>
> Cheers,
> -bob
>
>
>
> >
> > As far as I know, when I configure the server.xml of the Tomcat/conf
> > directory in order to use the keystore where I've imported the trusted certs
> > of the chain,
> > I thought I was telling Tomcat that the keystore for the authentication was
> > that one, and that it wasn't necessary to configure another trusted keystore.
> >
> > <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> > clientAuth="false" keystoreFile="C:\Documents and
> > Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> > keystorePass="396947j" protocol="TLS" algorithm="SunX509"
> > keystoreType="JKS"/>
> >
> > Is it necessary to configure both keystores?
> > Thanks again, and sorry for my question if it's something obvious to
> > everyone.
> >
> > ----- Original Message -----
> > From: "Bob Herrmann" <bo...@jadn.com>
> > To: "Tomcat Developers List" <to...@jakarta.apache.org>
> > Sent: Tuesday, November 05, 2002 9:58 PM
> > Subject: Re: Client-cert authentication.
> >
> >
> > >
> > > As someone else already pointed out, you need to configure the trust
> > > stores (Which tell tomcat what clients to trust.) You can do that by
> > > changing some config files, or like this on the command line (with
> > > redhat)
> > >
> > > export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
> > > -Djavax.net.ssl.trustStorePassword=changeit"
> > >
> > > Cheers,
> > > -bob
> > >
> > >
> > >
> > > export CATALINA
> > > -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
> > > -Djavax.net.ssl.trustStorePassword=changeit
> > >
> > 46)
> > > >         at
> >
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> > eNext(StandardPipeline.java:641)
> > > >         at
> >
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > > >         at
> > org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at
> >
org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
> > > >         at
> >
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180
> > )
> > > >         at
> >
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> > eNext(StandardPipeline.java:643)
> > > >         at
> >
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.
> > java:170)
> > > >         at
> >
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> > eNext(StandardPipeline.java:641)
> > > >         at
> >
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172
> > )
> > > >         at
> >
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> > eNext(StandardPipeline.java:641)
> > > >         at
> > org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:4
80)
> > > >         at
> > org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at
> >
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
> > :174)
> > > >         at
> >
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invok
> > eNext(StandardPipeline.java:643)
> > > >         at
> >
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
> > > >         at
> > org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
> > > >         at
> > org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
> > > >         at
> >
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405)
> > > >         at
> >
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConne
> > ction(Http11Protocol.java:380)
> > > >         at
> >
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508)
> > > >         at
> >
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav
> > a:533)
> > > >         at java.lang.Thread.run(Thread.java:484)
> > > > [WARN] Http11Processor - -Exception getting SSL Cert
> > <javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated>
> > > >
> > > >
> > > >
> > > >
> > > > Please  I´ve been trying to solve this problem for days and I am
> > desperate.
> > > >
> > > > Thanks a lot in advance.
> > > >
> > > > Moises
> > > --
> > > Bob Herrmann <bo...@jadn.com>
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > <ma...@jakarta.apache.org>
> > > For additional commands, e-mail:
> > <ma...@jakarta.apache.org>
> > >



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Client-cert authentication.

Posted by Bob Herrmann <bo...@hue.jadn.com>.
On Wed, 2002-11-06 at 10:55, Moisés Serrano Martínez wrote:
> Thanks a lot Bob and Jean-frederic for the response, but I'm afraid I don't
> understand the solution clearly:


As I understand it, Tomcat uses a keystore and a truststore.

Tomcat uses the keystore to answer the client's "who are you?" question.
The answer (Who is this Tomcat server) is retrieved from the keystore. 
(I am a trusted Tomcat server for Acme corp, my certificate is signed by
some central authority.)

The truststore is used when Tomcat wants to verify who the client is,
"Do I trust this client?" (Should this client really be allowed to
access this site?)  Tomcat only asks this, or verifies the client, if
the Connector has clientauth=true  **OR**  if a resource is marked up in
the web.xml as requiring CLIENT-CERT

The keystore can be set in the server.xml.  The truststore must be set
using the JDK's property files or via an environment variable (like I
mentioned in my earlier email.)  This is a tad kludgy because verifying
the certs of the client seems to be fairly rare in practice.  (I imagine
this is because verifying the client certs is something B2B requires and
not so much needed by the casual JSP developer.)

Cheers,
-bob



> 
> As far as I know, when I configure the server.xml of the Tomcat/conf
> directory in order to use the keystore where I've imported the trusted certs
> of the chain, I thought I was telling Tomcat that the keystore for the
> authentication was that one, and it wasn't necessary to configure another
> trusted keystore.
> 
> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> clientAuth="false" keystoreFile="C:\Documents and
> Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> keystorePass="396947j" protocol="TLS" algorithm="SunX509"
> keystoreType="JKS"/>
> 
> Is it necessary to configure both keystores?
> Thanks again, and sorry for my question if it's something clear for
> everyone.
> 
> ----- Original Message -----
> From: "Bob Herrmann" <bo...@jadn.com>
> To: "Tomcat Developers List" <to...@jakarta.apache.org>
> Sent: Tuesday, November 05, 2002 9:58 PM
> Subject: Re: Client-cert authentication.
> 
> 
> >
> > As someone else already pointed out, you need to configure the trust
> > stores (Which tell tomcat what clients to trust.) You can do that by
> > changing some config files, or like this on the command line (with
> > redhat)
> >
> > export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
> > -Djavax.net.ssl.trustStorePassword=changeit"
> >
> > Cheers,
> > -bob
> >
> >
> >
> > export CATALINA
> > -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
> > -Djavax.net.ssl.trustStorePassword=changeit
> >
> > --
> > Bob Herrmann <bo...@jadn.com>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Client-cert authentication.

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Moisés Serrano Martínez wrote:
> Thanks a lot Bob and Jean-frederic for the response, but I'm afraid I don't
> understand the solution clearly:
> 
> As far as I know, when I configure the server.xml of the Tomcat/conf
> directory in order to use the keystore where I've imported the trusted certs
> of the chain, I thought I was telling Tomcat that the keystore for the
> authentication was that one, and it wasn't necessary to configure another
> trusted keystore.
> 
> <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> clientAuth="false" keystoreFile="C:\Documents and
> Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
> keystorePass="396947j" protocol="TLS" algorithm="SunX509"
> keystoreType="JKS"/>
> 
> Is it necessary to configure both keystores?

Tomcat is only going to ask for the client certificates it could check; therefore
it needs the CA certificate that signed the client certificates.
The CA certificates are stored in a "special" keystore file.

The keystoreFile you specified in the server.xml is for the server certificate
and server private key (that is why it is protected by a password; you have one
for each Tomcat you run on the machine).

The CA certificates are not encrypted because they are the public keys of the CAs;
they have to be in a different file (I normally use one per JVM).

> Thanks again, and sorry for my question if it's something clear for
> everyone.
> 
> ----- Original Message -----
> From: "Bob Herrmann" <bo...@jadn.com>
> To: "Tomcat Developers List" <to...@jakarta.apache.org>
> Sent: Tuesday, November 05, 2002 9:58 PM
> Subject: Re: Client-cert authentication.
> 
> 
> 
>>As someone else already pointed out, you need to configure the trust
>>stores (Which tell tomcat what clients to trust.) You can do that by
>>changing some config files, or like this on the command line (with
>>redhat)
>>
>>export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
>>-Djavax.net.ssl.trustStorePassword=changeit"
>>
>>Cheers,
>>-bob
>>
>>
>>
>>export CATALINA
>>-Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
>>-Djavax.net.ssl.trustStorePassword=changeit
>>
>>
>>--
>>Bob Herrmann <bo...@jadn.com>




--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
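
The point Bob and jean-frederic make above (Tomcat can only verify a client
certificate when the CA that signed it sits in a separate truststore, and that
truststore holds public certificates only, never the server's private key) as
an added example; this is not code from the thread or from Tomcat. It uses
openssl to rebuild the master -> localhost -> user chain from the original post
with constructed subjects and file names, uses a PEM bundle as the openssl
stand-in for the JKS truststore, and runs keytool only when a JDK is on the
PATH; the cacerts.jks name and the changeit password are taken from Bob's
earlier mail, everything else is an assumption for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): why the truststore must contain the CA
# that signed the client certificate. All subjects and files are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: only the two CA certificates may sign other certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext

# new_csr BASENAME CN: key pair plus certificate request for one subject.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# 1) Self-signed master CA (step 1 of the original post).
new_csr master "Demo Master CA"
openssl x509 -req -in master.csr -signkey master.key -days 30 \
  -extfile ca.ext -out master.cer 2>/dev/null

# 2) Intermediate "localhost" CA signed by the master (step 2).
new_csr localhost "localhost"
openssl x509 -req -in localhost.csr -CA master.cer -CAkey master.key \
  -CAcreateserial -days 30 -extfile ca.ext -out localhost.cer 2>/dev/null

# 3) User (client) certificate signed by the intermediate (step 3).
new_csr user "demo-user"
openssl x509 -req -in user.csr -CA localhost.cer -CAkey localhost.key \
  -CAcreateserial -days 30 -extfile user.ext -out user.cer 2>/dev/null

# An unrelated CA that never signed anything in this chain.
new_csr other "Unrelated Demo CA"
openssl x509 -req -in other.csr -signkey other.key -days 30 \
  -extfile ca.ext -out other.cer 2>/dev/null

# Two candidate truststores (PEM bundles standing in for cacerts.jks).
cp master.cer trust-with-ca.pem      # holds the CA that signed the chain
cp other.cer  trust-without-ca.pem   # holds a CA that did not

# verify_client TRUSTSTORE: "trusted" when user.cer chains to a CA in the
# truststore (the client also presents the intermediate, as a browser would),
# otherwise "untrusted", which is what JSSE reports as "peer not authenticated".
verify_client() {
  if openssl verify -CAfile "$1" -untrusted localhost.cer user.cer >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# truststore_has_private_key TRUSTSTORE: "yes"/"no"; a truststore should say no.
truststore_has_private_key() {
  grep -q 'PRIVATE KEY' "$1" && echo yes || echo no
}

# import_ca_into_jks: the keytool step Tomcat's javax.net.ssl.trustStore needs;
# prints how many trustedCertEntry entries the new JKS file contains.
import_ca_into_jks() {
  keytool -importcert -noprompt -alias master -file master.cer -storetype JKS \
    -keystore cacerts.jks -storepass changeit >/dev/null 2>&1 || return 1
  keytool -list -keystore cacerts.jks -storepass changeit 2>/dev/null | grep -c trustedCertEntry
}

echo "truststore with the signing CA:    $(verify_client trust-with-ca.pem)"
echo "truststore without the signing CA: $(verify_client trust-without-ca.pem)"
echo "private key inside the truststore: $(truststore_has_private_key trust-with-ca.pem)"
if command -v keytool >/dev/null 2>&1; then
  echo "trustedCertEntry entries in cacerts.jks: $(import_ca_into_jks || echo 'keytool failed')"
fi
```

With the first truststore the client certificate verifies; with the second,
which is the situation in the thread (server.keystore configured, no truststore
holding the signing CA), the peer stays unverified. The keytool branch builds
the JKS file Bob passes via -Djavax.net.ssl.trustStore, and its only entry is a
trustedCertEntry, not the keyEntry that server.keystore holds.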


Re: Client-cert authentication.

Posted by Moisés Serrano Martínez <ms...@tecnesis.com>.
Thanks a lot Bob and Jean-frederic for the response, but I'm afraid I don't
understand the solution clearly:

As far as I know, when I configure the server.xml of the Tomcat/conf
directory in order to use the keystore where I've imported the trusted certs
of the chain, I thought I was telling Tomcat that the keystore for the
authentication was that one, and it wasn't necessary to configure another
trusted keystore.

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="false" keystoreFile="C:\Documents and
Settings\mserrano\.jbuilder4\Claves\CA_almacen\ca\server.keystore"
keystorePass="396947j" protocol="TLS" algorithm="SunX509"
keystoreType="JKS"/>

Is it necessary to configure both keystores?
Thanks again, and sorry for my question if it's something clear for
everyone.

----- Original Message -----
From: "Bob Herrmann" <bo...@jadn.com>
To: "Tomcat Developers List" <to...@jakarta.apache.org>
Sent: Tuesday, November 05, 2002 9:58 PM
Subject: Re: Client-cert authentication.


>
> As someone else already pointed out, you need to configure the trust
> stores (Which tell tomcat what clients to trust.) You can do that by
> changing some config files, or like this on the command line (with
> redhat)
>
> export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
> -Djavax.net.ssl.trustStorePassword=changeit"
>
> Cheers,
> -bob
>
>
>
> export CATALINA
> -Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
> -Djavax.net.ssl.trustStorePassword=changeit
>
> On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
> --
> Bob Herrmann <bo...@jadn.com>





Re: Client-cert authentication.

Posted by Bob Herrmann <bo...@jadn.com>.
As someone else already pointed out, you need to configure the trust
stores (which tell Tomcat which clients to trust). You can do that by
changing some config files, or like this on the command line (with
Red Hat)

export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/bob/cacerts.jks
-Djavax.net.ssl.trustStorePassword=changeit"

Cheers,
-bob



export CATALINA
-Djavax.net.ssl.trustStore=/home/bob/issues/ssl/cacerts.jks
-Djavax.net.ssl.trustStorePassword=changeit 

On Tue, 2002-11-05 at 11:35, Moisés Serrano Martínez wrote:
-- 
Bob Herrmann <bo...@jadn.com>
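The trust-store point Bob makes above, and the "is it necessary to configure both keystores?" question in Moisés's reply, in working code. This is an added example, not code from this thread or from Tomcat. It assumes Java 7 or later, a JKS trust store, and DER or PEM certificate files whose names you pass on the command line (the file names in the usage line are placeholders). It loads the trust store, lists which entries actually count as trust anchors, and validates a client certificate chain against them with the PKIX rules JSSE applies during the TLS handshake, so a "rejected" here corresponds to the "peer not authenticated" Tomcat logs.

```java
// TrustStoreCheck.java: an added example, not code from this thread or from Tomcat.
// Tomcat's Factory keystore holds the server's own private key and certificate
// (used by the KeyManager); the JSSE trust store named by
// -Djavax.net.ssl.trustStore (default: $JAVA_HOME/jre/lib/security/cacerts)
// holds the CA certificates that client certificates are validated against
// (used by the TrustManager). This program performs that validation offline.
// Assumptions: Java 7 or later; the file names on the command line are yours.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class TrustStoreCheck {

    /** Load a JKS trust store (or any KeyStore type the JRE supports). */
    static KeyStore loadStore(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Count the entries that act as trust anchors. Only trustedCertEntry entries do;
     *  a key entry (such as the server's own key) is ignored by PKIXParameters. */
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            boolean trusted = ks.isCertificateEntry(alias);
            System.out.println(alias + ": " + (trusted ? "trustedCertEntry" : "keyEntry"));
            if (trusted) anchors++;
        }
        return anchors;
    }

    /** Read X.509 certificates (DER or PEM) from files: leaf first, then intermediates. */
    static List<Certificate> readChain(String... files) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        for (String f : files) {
            try (InputStream in = new FileInputStream(f)) {
                chain.add(cf.generateCertificate(in));
            }
        }
        return chain;
    }

    /** True if the chain validates up to a trust anchor in the store. This is the
     *  decision that yields "peer not authenticated" when it fails inside Tomcat. */
    static boolean accepted(KeyStore trust, List<Certificate> chain) throws Exception {
        PKIXParameters params = new PKIXParameters(trust); // throws if the store has no trusted certs
        params.setRevocationEnabled(false);                // no CRL/OCSP in a lab PKI
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java TrustStoreCheck <truststore.jks> <password> <user.cer> [localhost.cer ...]");
            System.exit(2);
        }
        KeyStore trust = loadStore(args[0], args[1], "JKS");
        System.out.println("trust anchors: " + countTrustAnchors(trust));
        String[] certFiles = new String[args.length - 2];
        System.arraycopy(args, 2, certFiles, 0, certFiles.length);
        System.out.println(accepted(trust, readChain(certFiles)) ? "accepted" : "not trusted");
    }
}
```

Run it against the trust store Tomcat will actually use (the file named in -Djavax.net.ssl.trustStore, or the JRE's cacerts when that property is unset), passing the user certificate first and the intermediate that signed it after it. If the program reports zero trust anchors, or "not trusted", Tomcat's handshake will reject the client certificate in the same way, whatever the Factory keystore contains: the Factory keystore supplies the server's identity, and a private-key entry in it is never a trust anchor.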

