Posted to users@tomcat.apache.org by Ralph Carlson <RA...@mediacomcc.com> on 2010/07/01 00:45:08 UTC

RE: need help setting up tomcat with ssl client authentication

The Tomcat logs have no errors in them; they end after startup (I haven't installed any apps yet, just trying to get to the Tomcat manager with SSL).


    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" 
               keystoreFile="/server.ks" 
               keystorePass="MC126801$"
               sslProtocol="TLS" />


I configured the Tomcat keystore as follows (openssl commands included):

   [1] create folders c:\ssl\ca, c:\ssl\server and c:\ssl\client and ca.srl with 02
   [2] openssl req -new -newkey rsa:1024 -nodes -out c:\ssl\ca\ca.csr -keyout c:\ssl\ca\ca.key -config "C:\ssl\openssl.cnf"
  country=US
  state=newyork
  city=fishkill
  organization_name=myca
  organization_unit=myca
  common_name=myca
  email=racarlson@medaicomcc.com
   [3] openssl x509 -trustout -signkey c:\ssl\ca\ca.key -days 365 -req -in c:\ssl\ca\ca.csr -out c:\ssl\ca\ca.pem
   [4] keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\ssl\ca\ca.pem -alias my_ca
**[5] keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore C:\ssl\server\server.ks -storetype JKS
        What is your first and last name? myserver.localhost.com
        What is the name of your organizational unit? mycompany
        What is the name of your organization? mycompany
        What is the name of your City or Locality? fishkill
        What is the name of your State or Province? newyork
        What is the two-letter country code for this unit?  US
**[6] keytool -certreq -keyalg RSA -alias tomcat -file C:\ssl\server\server.csr -keystore C:\ssl\server\server.ks
   [7] amend the text which reads "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST"
   [8] openssl x509 -CA C:\ssl\ca\ca.pem -CAkey C:\ssl\ca\ca.key -CAserial C:\ssl\ca\ca.srl -req -in C:\ssl\server\server.csr -out C:\ssl\server\server.crt -days 365
**[9] keytool -import -alias tomcat -keystore C:\ssl\server\server.ks -trustcacerts -file C:\ssl\server\server.crt
**[10] keytool -import -alias my_ca -keystore C:\ssl\server\server.ks -trustcacerts -file C:\ssl\ca\ca.pem
   [11] openssl req -new -newkey rsa:512 -nodes -out C:\ssl\client\client1.req -keyout C:\ssl\client\client1.key
    Country Name ? US
    State or Province Name ? newyork
    Locality Name (eg, city) ? fishkill
    Organization Name ? mycompany
    Organizational Unit Name ? mycompany
    Common Name (eg, YOUR name) ? localhost <-- this value is in tomcat-users.xml
    Email Address ? racarlson@mediacomcc.com
   [12] openssl x509 -CA C:\ssl\ca\ca.pem -CAkey C:\ssl\ca\ca.key -CAserial C:\ssl\ca\ca.srl -req -in C:\ssl\client\client1.req -out C:\ssl\client\client1.pem -days 365
   [13] openssl pkcs12 -export -clcerts -in C:\ssl\client\client1.pem -inkey C:\ssl\client\client1.key -out C:\ssl\client\client1.p12 -name "my_client_certificate"

I also tried importing the client.pem and apache.pem from below into the keystore (no change in error):
openssl pkcs12 -in c:\ssl\client\client1.p12 -out c:\ssl\client\apache.pem -nodes -passin pass:MC126801$


________________________________________
From: users-return-214164-RACARLSON=mediacomcc.com@tomcat.apache.org [users-return-214164-RACARLSON=mediacomcc.com@tomcat.apache.org] On Behalf Of Pid [pid@pidster.com]
Sent: Wednesday, June 30, 2010 5:25 PM
To: Tomcat Users List
Subject: Re: need help setting up tomcat with ssl client authentication

On 30/06/2010 22:07, Ralph Carlson wrote:
> tomcat version 6.0.20
> os: windows xp sp3 professional edition
> sun java jdk 1.5.11
>
> I am trying to do the following
> (a) create a certificate authority and self sign server and client certificates using openssl and keytool
> (b) import the keytool keystore into tomcat
> (c) verify the certificate chain using openssl verify (which does work and returns ok for all 3 certificates)
> (d) have client Authorization on - with it off Tomcat SSL works just fine; when it's turned on I get this error

Which error?  What is in the Tomcat logs when the problem occurs?

> so far I have been following the steps listed in this tomcat user group message
> http://marc.info/?l=tomcat-user&m=106293430225790&w=2

How did you configure Tomcat to use the certificates in (b)?

What is your Tomcat Connector config in server.xml?


p


> but get this message from openssl s_client -cert c:\ssl\client\client.pem -CAfile c:\ssl\ca\ca.pem -connect localhost:443
>
> 3772:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
> 3772:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
>
> and these messages from firefox (after importing the certificate)
> initially 'sslv3 alert certificate unknown' , then just 'SSL peer was not expecting a handshake message it received' after a few tries
>
> Does anyone know how to do this, or has anyone done this before?
> Thanks for your help in advance.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
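An added check for the setup in this thread (example code written for this page, not code from the poster or from Tomcat). With clientAuth="true", Tomcat's JSSE connector hands the certificate the browser or s_client presents to an X509TrustManager built from its trust store: the Connector's truststoreFile/truststorePass if those attributes are set, otherwise the javax.net.ssl.trustStore system property, otherwise lib/security/cacerts (default password changeit) of the JRE that actually launched Tomcat. If that trust manager throws, the server answers with a TLS alert; alert 46 in the s_client output above is certificate_unknown. The program below builds the same kind of trust manager from a given trust store and asks it the same question about a client certificate, and also reports which trusted-certificate aliases the store holds and how many certificates sit under the "tomcat" key entry in server.ks (a correctly imported reply from step [9] gives a chain of 2, leaf plus CA). The class name CheckClientAuth is mine; the paths and the "changeit" password on the usage line are assumptions taken from the post, and the code is kept to the Java 5 API the poster is running.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added diagnostic, not code from the thread or from Tomcat. Usage (paths and
 * passwords are assumptions taken from the post; "changeit" is the JRE default):
 *   javac CheckClientAuth.java
 *   java CheckClientAuth C:\ssl\client\client1.pem "%JAVA_HOME%\jre\lib\security\cacerts" changeit C:\ssl\server\server.ks <server.ks password>
 */
public class CheckClientAuth {

    /* Load a JKS keystore, the format both server.ks and cacerts use. */
    static KeyStore loadKeyStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /* Read the first X.509 certificate from a PEM or DER file (e.g. client1.pem). */
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /* Build the trust manager JSSE itself would build for this trust store. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /* Null if the client certificate would be accepted during the handshake,
       otherwise the exception text explaining why the server would alert instead. */
    static String whyClientCertRejected(X509Certificate clientCert, KeyStore trustStore) {
        try {
            X509TrustManager tm = trustManagerFor(trustStore);
            tm.checkClientTrusted(new X509Certificate[] { clientCert }, "RSA");
            return null;
        } catch (Exception e) {
            return e.toString();
        }
    }

    /* Aliases of trusted-certificate entries, e.g. the "my_ca" import from step [4]. */
    static List<String> trustedAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<String>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                out.add(alias);
            }
        }
        return out;
    }

    /* Number of certificates stored with the private key under alias; 0 if it is not a key entry. */
    static int keyChainLength(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            return 0;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        return chain == null ? 0 : chain.length;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: CheckClientAuth <client cert> <truststore> <truststore pw> <server.ks> <server.ks pw>");
            System.exit(2);
        }
        X509Certificate client = loadCert(args[0]);
        KeyStore trust = loadKeyStore(args[1], args[2]);
        KeyStore server = loadKeyStore(args[3], args[4]);

        System.out.println("client subject : " + client.getSubjectX500Principal());
        System.out.println("client issuer  : " + client.getIssuerX500Principal());
        System.out.println("trusted CA aliases in trust store: " + trustedAliases(trust));
        System.out.println("certificates under server.ks alias 'tomcat': " + keyChainLength(server, "tomcat"));

        String reason = whyClientCertRejected(client, trust);
        System.out.println(reason == null
            ? "client certificate would be accepted"
            : "client certificate would be rejected: " + reason);
    }
}
```

Run it against the cacerts of the JRE that Tomcat's startup.bat picks up (check JAVA_HOME and JRE_HOME in the console output) rather than whichever JDK is first on PATH; if my_ca is missing from that store's trusted aliases, the step [4] import went into a different JRE. If the Connector is given an explicit truststoreFile (server.ks already holds my_ca after step [10]) together with truststorePass, run the check against that file instead, since Tomcat then ignores cacerts for client authentication.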


RE: need help setting up tomcat with ssl client authentication

Posted by Ralph Carlson <RA...@mediacomcc.com>.
I am starting and stopping Tomcat using startup.bat and shutdown.bat from the command line.
I am not using the APR.

I copied /server.ks into the c:\tomcat folder in an attempt to get it working.
If I change it to a fake name it throws an error, so I think it's reading it.

The console looks like:
Jun 30, 2010 7:46:25 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jdk1.5.0_17\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Java\jdk1.5.0_17\bin;C:\openssl\bin;
Jun 30, 2010 7:46:25 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jun 30, 2010 7:46:27 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Jun 30, 2010 7:46:27 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2248 ms
Jun 30, 2010 7:46:27 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jun 30, 2010 7:46:27 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.20
Jun 30, 2010 7:46:28 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jun 30, 2010 7:46:28 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Jun 30, 2010 7:46:28 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Jun 30, 2010 7:46:28 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/15  config=null
Jun 30, 2010 7:46:28 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1274 ms

________________________________________
From: users-return-214173-RACARLSON=mediacomcc.com@tomcat.apache.org [users-return-214173-RACARLSON=mediacomcc.com@tomcat.apache.org] On Behalf Of Pid [pid@pidster.com]
Sent: Wednesday, June 30, 2010 7:19 PM
To: Tomcat Users List
Subject: Re: need help setting up tomcat with ssl client authentication

On 30/06/2010 23:45, Ralph Carlson wrote:
> The Tomcat logs have no errors in them; they end after startup (I haven't installed any apps yet, just trying to get to the Tomcat manager with SSL).

Are you using APR?

This path:

>                keystoreFile="/server.ks"

doesn't appear to match this path:

> C:\ssl\server\server.ks

Are there any errors in the logs, or displayed on the console, when
Tomcat starts up?  (How are you starting the server, as a service, or
using startup.bat?)


p



Re: need help setting up tomcat with ssl client authentication

Posted by Pid <pi...@pidster.com>.
On 30/06/2010 23:45, Ralph Carlson wrote:
> The Tomcat logs have no errors in them; they end after startup (I haven't installed any apps yet, just trying to get to the Tomcat manager with SSL).

Are you using APR?

This path:

>                keystoreFile="/server.ks" 

doesn't appear to match this path:

> C:\ssl\server\server.ks 

Are there any errors in the logs, or displayed on the console, when
Tomcat starts up?  (How are you starting the server, as a service, or
using startup.bat?)


p