You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Mark Liu <ma...@yahoo.com> on 2003/03/25 22:41:04 UTC
Tomcat SSL mutual authentication: Nobody's got a clue?
For over 1 week, I've been exploring about this. So
far, I got no reply. Is this so professional, so
tough that nobody's got a clue?
__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Tomcat SSL mutual authentication: Nobody's got a clue?
Posted by joe <li...@concrete-it.com>.
first of all: use jdk1.4.x !!! i found a bug in the old implementatin.
if someone is interrested i can search in my archive to describe the bug.
here is how to patch the tomcat 4.1.x to handle to make client
authentication 'optional':
in the java class:
org.apache.tomcat.util.net.jsse.JSSESocketFactory
you find 2 times this method call:
.setNeedClientAuth(clientAuth);
change this to:
.setWantClientAuth(clientAuth);
thats it!
and don't forget to change your server.xml:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--^M -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
port="443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="100" debug="0" scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="true" protocol="TLS"
keystoreFile="/root/certs/java.concrete-it.com.keystore"
keystorePass="changeit" />
</Connector>
here is my link collection for ssl:
http://www-106.ibm.com/developerworks/java/library/j-customssl/sidebar.html
http://developer.java.sun.com/developer/qow/archive/169/index.jsp
http://www.catgen.com/developer/manual/ssl.html#jbosscatalina
you can find a lot of howtos how to make your own CA , server cert and
client certs.
hope this helps,
joe
joe wrote:
> hi,
>
> it's true that there is no 'step-by-step' howto for tomcat, but there
> are many other ssl (and client auth) howtos which you can use for tomcat.
> the only thing is just a little bit of searching and reading about
> ssl, CA, X509 certificates, certification chains ...
>
> i have succesfully established ssl connections with (mutual) client
> certificates. i'll try to find the howto's i've used and post it here
> (i hope i'll find them again).
> i haven't used CRL's - i'm sure there are howtos 'out there'.
>
> and: it's true that tomcat does NOT support mutual client auth ! but
> i've read a little bit of the doc's and the source code and pathed my
> tomcat 4.1.x to change the ssl client auth behavior to mutual.
>
> cu, joe
>
> Mark Liu wrote:
>
>> Hi,
>>
>> No, the Tomcat docs only says how to turn on the
>> *server* authentication, i.e., how to run Tomcat in
>> SSL mode. It does not mention how to have the client
>> also pass over its certificate to the Web server.
>>
>> You have an idea about how to turn on client cert?
>>
>> --- Norris Shelton <no...@yahoo.com> wrote:
>>
>>
>>> That about sums it up. We are looking at client
>>> certs also. The Tomcat docs say how to turn on client
>>> authentication, but
>>> there is not much out there on hooking up to a CA
>>> and verifying
>>> against a CRL.
>>> All of that is beyond the scope of this list and
>>> dives deep into
>>> the realm of JCE.
>>>
>>> We are looking into going with a vendor (probably
>>> VeriSign).
>>>
>>>
>>> --- Mark Liu <ma...@yahoo.com> wrote:
>>>
>>>
>>>> For over 1 week, I've been exploring about this.
>>>
>>> So
>>>
>>>
>>>> far, I got no reply. Is this so professional, so
>>>> tough that nobody's got a clue?
>>>>
>>>> __________________________________________________
>>>> Do you Yahoo!?
>>>> Yahoo! Platinum - Watch CBS' NCAA March Madness,
>>>>
>>>
>>> live on your
>>>
>>>
>>>> desktop!
>>>> http://platinum.yahoo.com
>>>>
>>>>
>>>>
>>>
>> ---------------------------------------------------------------------
>>
>>
>>>> To unsubscribe, e-mail:
>>>> tomcat-user-unsubscribe@jakarta.apache.org
>>>> For additional commands, e-mail:
>>>> tomcat-user-help@jakarta.apache.org
>>>>
>>>>
>>>
>>> =====
>>>
>>> Norris Shelton
>>> Software Engineer
>>> Sun Certified Java 1.1 Programmer
>>> Appriss, Inc.
>>> ICQ# 26487421
>>> AIM NorrisEShelton
>>> YIM norrisshelton
>>>
>>>
>>> __________________________________________________
>>> Do you Yahoo!?
>>> Yahoo! Platinum - Watch CBS' NCAA March Madness,
>>> live on your desktop!
>>> http://platinum.yahoo.com
>>>
>>>
>>>
>>
>> ---------------------------------------------------------------------
>>
>>
>>> To unsubscribe, e-mail:
>>> tomcat-user-unsubscribe@jakarta.apache.org
>>> For additional commands, e-mail:
>>> tomcat-user-help@jakarta.apache.org
>>>
>>>
>>
>>
>>
>> __________________________________________________
>> Do you Yahoo!?
>> Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
>> http://platinum.yahoo.com
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
>>
>>
>
>
Re: Tomcat SSL mutual authentication: Nobody's got a clue?
Posted by joe <li...@concrete-it.com>.
hi,
it's true that there is no 'step-by-step' howto for tomcat, but there
are many other ssl (and client auth) howtos which you can use for tomcat.
the only thing is just a little bit of searching and reading about ssl,
CA, X509 certificates, certification chains ...
i have succesfully established ssl connections with (mutual) client
certificates. i'll try to find the howto's i've used and post it here (i
hope i'll find them again).
i haven't used CRL's - i'm sure there are howtos 'out there'.
and: it's true that tomcat does NOT support mutual client auth ! but
i've read a little bit of the doc's and the source code and pathed my
tomcat 4.1.x to change the ssl client auth behavior to mutual.
cu, joe
Mark Liu wrote:
>Hi,
>
>No, the Tomcat docs only says how to turn on the
>*server* authentication, i.e., how to run Tomcat in
>SSL mode. It does not mention how to have the client
>also pass over its certificate to the Web server.
>
>You have an idea about how to turn on client cert?
>
>--- Norris Shelton <no...@yahoo.com> wrote:
>
>
>>That about sums it up. We are looking at client
>>certs also.
>>The Tomcat docs say how to turn on client
>>authentication, but
>>there is not much out there on hooking up to a CA
>>and verifying
>>against a CRL.
>>
>>All of that is beyond the scope of this list and
>>dives deep into
>>the realm of JCE.
>>
>>We are looking into going with a vendor (probably
>>VeriSign).
>>
>>
>>--- Mark Liu <ma...@yahoo.com> wrote:
>>
>>
>>>For over 1 week, I've been exploring about this.
>>>
>>>
>>So
>>
>>
>>>far, I got no reply. Is this so professional, so
>>>tough that nobody's got a clue?
>>>
>>>__________________________________________________
>>>Do you Yahoo!?
>>>Yahoo! Platinum - Watch CBS' NCAA March Madness,
>>>
>>>
>>live on your
>>
>>
>>>desktop!
>>>http://platinum.yahoo.com
>>>
>>>
>>>
>>>
>---------------------------------------------------------------------
>
>
>>>To unsubscribe, e-mail:
>>>tomcat-user-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail:
>>>tomcat-user-help@jakarta.apache.org
>>>
>>>
>>>
>>=====
>>
>>Norris Shelton
>>Software Engineer
>>Sun Certified Java 1.1 Programmer
>>Appriss, Inc.
>>ICQ# 26487421
>>AIM NorrisEShelton
>>YIM norrisshelton
>>
>>
>>__________________________________________________
>>Do you Yahoo!?
>>Yahoo! Platinum - Watch CBS' NCAA March Madness,
>>live on your desktop!
>>http://platinum.yahoo.com
>>
>>
>>
>>
>---------------------------------------------------------------------
>
>
>>To unsubscribe, e-mail:
>>tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail:
>>tomcat-user-help@jakarta.apache.org
>>
>>
>>
>
>
>__________________________________________________
>Do you Yahoo!?
>Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
>http://platinum.yahoo.com
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
>
>
Re: Tomcat SSL mutual authentication: Nobody's got a clue?
Posted by Mark Liu <ma...@yahoo.com>.
Hi,
No, the Tomcat docs only says how to turn on the
*server* authentication, i.e., how to run Tomcat in
SSL mode. It does not mention how to have the client
also pass over its certificate to the Web server.
You have an idea about how to turn on client cert?
--- Norris Shelton <no...@yahoo.com> wrote:
> That about sums it up. We are looking at client
> certs also.
> The Tomcat docs say how to turn on client
> authentication, but
> there is not much out there on hooking up to a CA
> and verifying
> against a CRL.
>
> All of that is beyond the scope of this list and
> dives deep into
> the realm of JCE.
>
> We are looking into going with a vendor (probably
> VeriSign).
>
>
> --- Mark Liu <ma...@yahoo.com> wrote:
> > For over 1 week, I've been exploring about this.
> So
> > far, I got no reply. Is this so professional, so
> > tough that nobody's got a clue?
> >
> > __________________________________________________
> > Do you Yahoo!?
> > Yahoo! Platinum - Watch CBS' NCAA March Madness,
> live on your
> > desktop!
> > http://platinum.yahoo.com
> >
> >
>
---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> > tomcat-user-help@jakarta.apache.org
> >
>
>
> =====
>
> Norris Shelton
> Software Engineer
> Sun Certified Java 1.1 Programmer
> Appriss, Inc.
> ICQ# 26487421
> AIM NorrisEShelton
> YIM norrisshelton
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Platinum - Watch CBS' NCAA March Madness,
> live on your desktop!
> http://platinum.yahoo.com
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> tomcat-user-help@jakarta.apache.org
>
__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Tomcat SSL mutual authentication: Nobody's got a clue?
Posted by Norris Shelton <no...@yahoo.com>.
That about sums it up. We are looking at client certs also.
The Tomcat docs say how to turn on client authentication, but
there is not much out there on hooking up to a CA and verifying
against a CRL.
All of that is beyond the scope of this list and dives deep into
the realm of JCE.
We are looking into going with a vendor (probably VeriSign).
--- Mark Liu <ma...@yahoo.com> wrote:
> For over 1 week, I've been exploring about this. So
> far, I got no reply. Is this so professional, so
> tough that nobody's got a clue?
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your
> desktop!
> http://platinum.yahoo.com
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> tomcat-user-help@jakarta.apache.org
>
=====
Norris Shelton
Software Engineer
Sun Certified Java 1.1 Programmer
Appriss, Inc.
ICQ# 26487421
AIM NorrisEShelton
YIM norrisshelton
__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org