Posted to users@tomcat.apache.org by Christopher Williams <cc...@ntlworld.com> on 2003/10/03 19:42:44 UTC

SSL Client authentication: what goes in tomcat-users.xml?

Following the advice from this link
http://books.mcgraw-hill.com/betabooks/aug02/taylor/0072225653_ch10.html

I tried to get SSL client authentication to work by setting the following
entry in tomcat-users.xml:
<user username="CN=x, OU=y, O=z, L=a, S=b, C=c" password="" roles="user"/>

where x,y,z,etc. have real but unimportant values.  Evidently Tomcat somehow
matches the distinguished name from my certificate against an entry in the
users file, presumably to establish the user's role.  If it fails to make a
match, no authentication takes place which, I guess, is why I was able to
access protected pages but getUserPrincipal() was returning null.  However,
when I start Tomcat I get the error:
GlobalResourcesLifecycleListener: Exception creating UserDatabase MBeans for
UserDatabase
javax.management.MalformedObjectNameException: ObjectName: Invalid
(key,value) pair -> username=CN=x

So, what do I put in tomcat-users.xml to get client certificate
authentication to work?  Do I have to escape the '=' signs in some way?

TIA (as I really want to put this issue to bed),

Chris Williams.

P.S. If somebody tells me to "read the FAQ", please specify WHICH FAQ.  I've
read hundreds over the past few days trying to get to the bottom of
CLIENT-CERT auth.




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: SSL Client authentication: what goes in tomcat-users.xml?

Posted by Bill Barker <wb...@wilshire.com>.
"Christopher Williams" <cc...@ntlworld.com> wrote in message
news:022201c389d5$c0f818f0$6602a8c0@inmezzo.com...
> Following the advice from this link
> http://books.mcgraw-hill.com/betabooks/aug02/taylor/0072225653_ch10.html
>
> I tried to get SSL client authentication to work by setting the following
> entry in tomcat-users.xml:
> <user username="CN=x, OU=y, O=z, L=a, S=b, C=c" password="" roles="user"/>
>
> where x,y,z,etc. have real but unimportant values.  Evidently Tomcat somehow
> matches the distinguished name from my certificate against an entry in the
> users file, presumably to establish the user's role.  If it fails to make a
> match, no authentication takes place which, I guess, is why I was able to
> access protected pages but getUserPrincipal() was returning null.  However,
> when I start Tomcat I get the error:
> GlobalResourcesLifecycleListener: Exception creating UserDatabase MBeans for
> UserDatabase
> javax.management.MalformedObjectNameException: ObjectName: Invalid
> (key,value) pair -> username=CN=x
>

The correct value to use is the string-value of the Certificate Subject.
However, only the MemoryRealm (of the standard Tomcat Realms) works with
CLIENT-CERT authentication.  So you have to disable the default
DatasourceRealm and enable the MemoryRealm.

You also have to (at least in 4.1.27 and lower) disable the Datasource under
the GlobalResources.  This is because it will attempt to write back the
tomcat-users.xml file without escaping the attribute values (resulting in
invalid XML).  Then (after fixing the damage that Tomcat has already done to
your file :), what you have should work.

> So, what do I put in tomcat-users.xml to get client certificate
> authentication to work?  Do I have to escape the '=' signs in some way?
>

The main thing that you have to escape is quote ('"') characters.  For
example, Verisign-issued certs typically have an entry like O="Verisign,
Inc.".  You need to render this as O=&quot;Verisign, Inc.&quot;.


> TIA (as I really want to put this issue to bed),
>
> Chris Williams.
>
> P.S. If somebody tells me to "read the FAQ", please specify WHICH FAQ.  I've
> read hundreds over the past few days trying to get to the bottom of
> CLIENT-CERT auth.
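As an added illustration of the escaping point in the reply above (this is example code, not part of the thread or of Tomcat itself), the following Python script renders a tomcat-users.xml entry whose username is a certificate subject string containing a quoted component, escapes the double quotes as &quot; so the file stays well-formed XML, and then parses the file back to confirm the attribute round-trips to the original subject string. The sample subject, the role name and the helper function names are constructed for the example; the subject format Tomcat actually compares against is whatever its realm derives from the presented certificate, so check the subject string in your own setup before pasting it in.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample subject in the comma-separated form used in the thread.
# The O= component carries a quoted value, as the reply says VeriSign-issued
# certificates typically do.
SAMPLE_SUBJECT = 'CN=x, OU=y, O="Verisign, Inc.", L=a, S=b, C=c'


def escape_attr(value):
    """Escape a string for use inside a double-quoted XML attribute.

    escape() already handles &, < and >; the extra entity table turns the
    double quote into &quot;, which is the form the reply recommends.
    """
    return escape(value, {'"': "&quot;"})


def user_entry(subject, roles):
    """Render one <user> element for tomcat-users.xml.

    With CLIENT-CERT the username is the certificate subject string and the
    password attribute is left empty: the TLS handshake, not a password,
    authenticates the client.
    """
    return '<user username="%s" password="" roles="%s"/>' % (
        escape_attr(subject),
        escape_attr(roles),
    )


def users_file(entries):
    """Render a complete tomcat-users.xml document from (subject, roles) pairs."""
    roles = sorted({r for _, rs in entries for r in rs.split(",")})
    lines = ['<?xml version="1.0" encoding="UTF-8"?>', "<tomcat-users>"]
    lines += ['  <role rolename="%s"/>' % escape_attr(r) for r in roles]
    lines += ["  " + user_entry(s, rs) for s, rs in entries]
    lines.append("</tomcat-users>")
    return "\n".join(lines)


def is_well_formed(xml_text):
    """True if the text parses as XML. An entry written with raw quotes in the
    attribute value (the damage the reply describes) fails this check."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def usernames_in(xml_text):
    """Parse the document back and return the username attribute values,
    which is what a MemoryRealm compares against a presented certificate."""
    root = ET.fromstring(xml_text)
    return [u.get("username") for u in root.findall("user")]


if __name__ == "__main__":
    doc = users_file([(SAMPLE_SUBJECT, "user")])
    print(doc)
    # The escaped file round-trips to the original subject string.
    assert usernames_in(doc) == [SAMPLE_SUBJECT]
    # The same entry with unescaped quotes is not valid XML.
    broken = '<user username="%s" password="" roles="user"/>' % SAMPLE_SUBJECT
    assert not is_well_formed(broken)
```

Running the script prints the generated file; the escaped entry reads `username="CN=x, OU=y, O=&quot;Verisign, Inc.&quot;, L=a, S=b, C=c"`, while the unescaped variant is rejected by the XML parser, which is the same failure Tomcat's write-back produces when it does not escape attribute values.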



