Posted to users@tomcat.apache.org by Michael Migdol <mm...@bevocal.com> on 2002/02/22 18:54:44 UTC

Need help with SSL Client Authorization

Hi all,

I know this is at least the third request I have seen regarding this topic.
Maybe we need more information in the Tomcat documentation?


I've been trying for a day now to get this to work without success.
Hopefully someone here can help.  I'm running Tomcat 4.0.2 in standalone
mode.  I have enabled SSL with the following configuration in my server.xml:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="false"
               acceptCount="10" debug="99" scheme="https" secure="true">
      <!-- clientAuth="true": the server requests a certificate from every
           client and fails the handshake unless that certificate chains to
           a CA in the JVM trust store (cacerts unless overridden). -->
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               debug="1"
               clientAuth="true" protocol="TLS"/>
    </Connector>

This configuration works fine with secure="false" (i.e. no client
authentication)

First, I used keytool to add the tomcat alias to USER_HOME/.keystore.  Then,
I used OpenSSL (OpenSSL 0.9.6c 21)  to create a CA, and have added that CA
to the cacerts keystore (using -trustcacerts with keytool).  I then used the
local OpenSSL CA to request and then sign a user certificate.  

I am testing my server-side configuration in two ways that both fail. In
both cases, I have set javax.net.debug=ssl for the server.

1) Convert both the user and CA certificates to PKCS12, import them both
into Internet Explorer, and then attempt to go to
https://localhost:8443/index.html .  This gets me a "Page cannot be
displayed" error on the client side.  On the server side I get
"handshake-failed" messages.

2) Run a Java program that uses the user certificate to connect to TC.  This
program fails with an exception:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Couldn't
find trusted certificate.  On the server side I get "certificate_unknown"
error messages.

I'm more concerned with the second case, since this is closer to what we are
actually trying to do, although I need to get both scenarios working. Can
anyone summarize the criteria used by Tomcat+SSL to determine that the
certificate passed over was "unknown"?  What exactly is the role of the
self-signed Tomcat alias certificate that is required?

Thanks in advance,
Michael




Michael Migdol
Senior Staff SW Engineer
1380 Bordeaux Drive
Sunnyvale, CA 94089
work 408-907-6265
cell  408-375-8001

Supercharge your telephone! -- write your VoiceXML
application for free at http://cafe.bevocal.com
BeVocal Cafe - Rated #1 VoiceXML development environment and
voice hosting service by CT Labs!
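Added example (editor's, not code from the original post or from Tomcat) for the client side of scenario 2: a Java client that presents its own certificate from a key store and decides which server certificates to accept from a separate trust store. In JSSE the "Couldn't find trusted certificate" exception is thrown on the client when the server's certificate chain cannot be validated against the client's trust store; the client then aborts the handshake with a certificate_unknown alert, which is what the server logs. File names, store types and passwords below are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * TLS client with mutual authentication.
 * Key store  = who the client IS   (its certificate + private key).
 * Trust store = whom the client TRUSTS (server cert or its issuing CA).
 * Paths, store types and passwords are assumptions, not values from the post.
 */
public class ClientAuthExample {

    static SSLContext buildContext(String keyStorePath, char[] keyStorePass,
                                   String trustStorePath, char[] trustStorePass)
            throws Exception {
        // Client identity: the user certificate and key, e.g. the PKCS12
        // bundle exported from OpenSSL for the browser test.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            identity.load(in, keyStorePass);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyStorePass);

        // Trust anchors: must contain the server's self-signed "tomcat"
        // certificate (or the CA that issued it). If it does not, the
        // handshake fails here with "Couldn't find trusted certificate".
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustStorePass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(
            "client.p12", "changeit".toCharArray(),             // assumed names
            "client-truststore.jks", "changeit".toCharArray());
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 8443)) {
            // Force the handshake now so trust failures surface before any I/O.
            socket.startHandshake();
            System.out.println("Negotiated " + socket.getSession().getProtocol()
                + " with server " + socket.getSession().getPeerPrincipal());

            OutputStream out = socket.getOutputStream();
            out.write("GET /index.html HTTP/1.0\r\nHost: localhost\r\n\r\n"
                      .getBytes("US-ASCII"));
            out.flush();

            InputStream in = socket.getInputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) > 0) {
                System.out.write(buf, 0, n);
            }
            System.out.flush();
        }
    }
}
```

The trust store for this client is built from the server's own certificate: export it from the Tomcat keystore with `keytool -export -alias tomcat -file tomcat.cer` and import it with `keytool -import -alias tomcat -file tomcat.cer -keystore client-truststore.jks`. That is the role of the self-signed tomcat alias: it is the server's identity, and because no CA issued it, every client has to trust it explicitly. The server side is the mirror image: with clientAuth="true" the CA that signed the user certificate must be in the server's trust store (cacerts, as the post describes), otherwise the server rejects the client certificate and the browser sees only a failed handshake.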
