Posted to users@tomcat.apache.org by "Sweeney, Bill" <bs...@CHARTONE.COM> on 2005/03/04 15:54:34 UTC

Tomcat5 and Client Certificates

Hello TC5 Users - 

I am setting up Tomcat 5 in a production environment.  The requirement
is to lock down the site so that only users with trusted personal
certificates may access the site.

I believe I have everything configured in server.xml.  
<Connector port="443" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="3" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS" />


I used %java-home%/bin/keytool to build the certificate store and the
server and client certificates (self-signed).  Tomcat asks for the
client certificate when I try and connect, but - here is the problem:

(1) I can't seem to get the client key to export properly so that I can
install it in the browser; how do I get a .pfx out of the keystore?
(2) How can I validate which certificate store is being used by tomcat?
(I made a few along the way in testing)
(3) I set debug="3" in the SSL connector but am not seeing the SSL
handshake in stdout.  Is there some other way for setting debug to see
the handshake?

Environment is J2sdk1.4.2_07; Tomcat 5.0.28 running as a service on
Win2003 Server.


FYI - for others working with Tomcat and SSL these links are an
excellent resource:
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/http.html#SSL%20Support
http://java.sun.com/webservices/docs/1.1/tutorial/doc/WebAppSecurity5.html
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html#genkeyCmd

Thanks in advance to everyone in the group !

- wjs 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Tomcat5 and Client Certificates

Posted by Bill Barker <wb...@wilshire.com>.
"Jason Bainbridge" <jb...@gmail.com> wrote in message 
news:d6491f48050304075446dd28a6@mail.gmail.com...
> On Fri, 4 Mar 2005 06:54:34 -0800, Sweeney, Bill <bs...@chartone.com> 
> wrote:
>> Hello TC5 Users -
>> I used %java-home%/bin/keytool to build the certificate store and the
>> server and client certificates (self-signed).  Tomcat asks for the
>> client certificate when I try and connect, but - here is the problem:
>>
>> (1) I can't seem to get the client key to export properly so that I can
>> install it in the browser; how do I get a .pfx out of the keystore?
>
> I think you are going to have to use openssl to convert the file after
> exporting it, http://www.mindreef.com/products/4.1/help/sslcerts.html
> has a little info on that but the reverse. I'm sure there are better
> resources but that was the first Google I saw.
>
>> (2) How can I validate which certificate store is being used by tomcat?
>> (I made a few along the way in testing)
>
> There is a parameter (keyStoreFile?) that you can specify the location
> in the Connector properties; it's detailed in one of those links you
> have.

The one you want is: truststoreFile.

>
>> (3) I set debug="3" in the SSL connector but am not seeing the SSL
>> handshake in stdout.  Is there some other way for setting debug to see
>> the handshake?
>
> Not sure on that one.

Configure the logging category 'org.apache.tomcat.util.net.jsse' to be DEBUG 
(in your log4j/JDK 1.4 logging configuration).  That will give you lots of 
Tomcat messages.  If you want lower level messages, consult the JSSE docs.

>
> Regards,
> -- 
> Jason Bainbridge
> http://kde.org - webmaster@kde.org
> Personal Site - http://jasonbainbridge.com 




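As an added example (not code from the thread, from Tomcat or from the JDK), here is the openssl-based route the replies point to, carried through end to end: a private CA, a client certificate issued by it, the .pfx the browser imports, a truststore that holds only that CA, and the Connector element that names that truststore explicitly. The JDK 1.4 keytool cannot export a private key, which is why the .pfx has to be built with openssl from keys openssl generated. The names (Demo Client CA, alice, demo-ca), the passwords and the paths are assumptions for the demo; keytool is only run if it is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Builds a private CA,
# a client certificate signed by it, and the .pfx the browser wants, then
# imports the CA into a dedicated truststore and prints the Connector element
# that points Tomcat at it. Names (Demo Client CA, alice, demo-ca), passwords
# and paths are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for all generated files

# 1. Private CA: key plus self-signed certificate. Once the truststore below
#    holds nothing but this CA, only certificates it issued pass the handshake.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Demo Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Client key and CSR, signed by the CA with extendedKeyUsage=clientAuth.
issue_client() {
    name="$1"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/client.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# 3. The .pfx: a PKCS#12 bundle of private key, client cert and CA cert.
export_pfx() {
    name="$1"; pass="$2"
    openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
        -certfile "$WORK/ca.crt" -name "$name" \
        -out "$WORK/$name.pfx" -passout "pass:$pass"
}

# Chain check: does the issued cert validate against the CA? This is the
# check the TLS layer performs against whatever truststore it was handed.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Read the certificate back out of the .pfx and return its subject line.
pfx_subject() {
    openssl pkcs12 -in "$WORK/$1.pfx" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# 4. Truststore holding only the private CA. keytool -list answers
#    "which store is Tomcat using?" once the Connector names this file.
import_truststore() {
    keytool -import -noprompt -alias demo-ca -file "$WORK/ca.crt" \
        -keystore "$WORK/truststore.jks" -storepass changeit >/dev/null
    keytool -list -keystore "$WORK/truststore.jks" -storepass changeit
}

# 5. Connector element for server.xml with keystore and truststore named
#    explicitly. /path/to/server.jks stands for the existing server keystore.
connector_snippet() {
    cat <<EOF
<Connector port="443" maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/path/to/server.jks" keystorePass="changeit"
           truststoreFile="$WORK/truststore.jks" truststorePass="changeit" />
EOF
}

make_ca
issue_client alice
export_pfx alice secret
verify_client alice && echo "alice.crt chains to Demo Client CA"
echo "pfx holds: $(pfx_subject alice secret)"
if command -v keytool >/dev/null 2>&1; then import_truststore; fi
connector_snippet
```

Two caveats a practitioner would want here. First, if truststoreFile is left unset, JSSE falls back to the JVM's default trust store (jssecacerts or cacerts under jre/lib/security), which holds the public CAs; with clientAuth="true" that means any certificate issued by any of those CAs passes the TLS layer, so always point truststoreFile at a store containing only the CA you issue client certificates from, and confirm its contents with keytool -list. Second, for the handshake itself the JSSE-level switch is the system property javax.net.debug (for example JAVA_OPTS=-Djavax.net.debug=ssl:handshake), which prints the handshake to stdout independently of Tomcat's own logging categories. If an old browser or JVM refuses the .pfx, newer OpenSSL releases default to PKCS#12 algorithms those importers do not understand; pass -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 to openssl pkcs12 -export to produce the older encoding.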


Re: Tomcat5 and Client Certificates

Posted by Jason Bainbridge <jb...@gmail.com>.
On Fri, 4 Mar 2005 06:54:34 -0800, Sweeney, Bill <bs...@chartone.com> wrote:
> Hello TC5 Users -
> I used %java-home%/bin/keytool to build the certificate store and the
> server and client certificates (self-signed).  Tomcat asks for the
> client certificate when I try and connect, but - here is the problem:
> 
> (1) I can't seem to get the client key to export properly so that I can
> install it in the browser; how do I get a .pfx out of the keystore?

I think you are going to have to use openssl to convert the file after
exporting it, http://www.mindreef.com/products/4.1/help/sslcerts.html
has a little info on that but the reverse. I'm sure there are better
resources but that was the first Google I saw.

> (2) How can I validate which certificate store is being used by tomcat?
> (I made a few along the way in testing)

There is a parameter (keyStoreFile?) that you can specify the location
in the Connector properties; it's detailed in one of those links you
have.

> (3) I set debug="3" in the SSL connector but am not seeing the SSL
> handshake in stdout.  Is there some other way for setting debug to see
> the handshake?

Not sure on that one. 

Regards,
-- 
Jason Bainbridge
http://kde.org - webmaster@kde.org
Personal Site - http://jasonbainbridge.com
