Posted to users@tomcat.apache.org by "Hough, Adriaan" <ad...@siemens.com> on 2003/04/16 12:53:39 UTC

tomcat ssl with client certificates - solution

hi all

yes, i've got tomcat standalone running with ssl and client certificates.
i've seen a lot of questions about this, but no working solutions, so i
thought i'd share mine with you. keep in mind, though, that i'm an ssl
novice, so some of the things i say might not be entirely correct. but hey,
it works!

the way i see it, there are basically two parties involved in the
scenario: the server, and the client. since we're implementing ssl with
client certificates, both the server and the client should have certificates
to prove their identities. now, unless the client simply takes the server's
certificate on face value, and the server the same for the client, we need
to introduce an additional entity (or two): the certification authority. the
ca is supposed to be a third party that can vouch for the authenticity of a
certificate. thus, the client may require the server's certificate to have
been signed by a specific ca, and the server may in return require the
client's certificate to have been signed by (possibly) another ca.

i'll only describe the simplest scenario, where the client trusts any
certificate that the server chooses to pass to it. this will leave us with
three parties: the server (with its certificate), the client (with its
certificate) and the ca that the server trusts to verify client
certificates.


scenario: client trusts everybody
---------------------------------
note: i've got jdk 1.3.1, tomcat 4.1.18, jsse 1.0.3_01 and openssl 0.9.6g
installed on my system.

first, create a self signed certificate to identify your server:
1) execute "keytool -genkey -alias tomcat -keyalg RSA -keystore
/anywhere/server.keystore" (tomcat requires the password to be "changeit").

next, you need to create the ca:
2) execute "openssl req -new -newkey rsa:512 -nodes -out ca.req -keyout
ca.key".
3) execute "openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.req
-out ca.crt".

now you can create the client's certificates, and have them signed by the
ca:
4) execute "openssl req -new -newkey rsa:512 -nodes -out client.req -keyout
client.key"
5) execute "openssl x509 -CA ca.crt -CAkey ca.key -req -in client.req -out
client.crt -CAcreateserial"

tomcat reads the list of trusted ca's from a file called
<$JAVA_HOME/jre/lib/security/cacerts>. to add our ca to this list, you will
need to do the following:
6) execute "keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
-file ca.crt -alias ClientCA" (the default installed password is
"changeit").

all that remains is to configure tomcat for ssl, and tell it where to find
its certificates:
7) modify the server.xml as described at
<http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html>.
8) change the ssl connector as follows: <Factory
className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
clientAuth="true" protocol="TLS" keystoreFile="/anywhere/server.keystore"/>.


that's it. now, whenever a client connects to the server, the server will
send its own certificate (from </anywhere/server.keystore>) along with a
list describing all ca's that it trusts (from
<$JAVA_HOME/jre/lib/security/cacerts>). the client should then return a
certificate (client.crt) that was signed by one of these ca's.

to verify your setup, start tomcat with JAVA_OPTS="-Djavax.net.debug=all",
and do the following:
*) execute "openssl s_client -cert client.crt -key client.key -connect
secured-server:8443"
note: i was unable to test this with internet explorer 5.50 - it never used
the certificates i imported (both ca & client certificates, converted with
"openssl x509 -in ca.crt -out ieca.crt -outform DER" etc.).


the tomcat configuration described above will require all clients to present
certificates for all resources on the server. if you require client
certificates for only some resources, you should rather set
clientAuth="false" (step 8), and specify "CLIENT_CERT" as login method in
the web application's deployment descriptor (described in the servlet
specification).


regards

adriaan hough

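As an added example (this is not part of Adriaan's post), the script below repeats steps 2 to 5 unattended in a scratch directory, then checks the property that clientAuth="true" relies on: a client certificate is accepted only if it chains to a CA the server trusts (the one imported into cacerts in step 6), and a certificate from any other CA is rejected. It assumes openssl is on PATH, uses rsa:2048 rather than the post's rsa:512 (512-bit RSA keys are not safe), passes -subj to avoid prompts, and the names clientca, otherca, client and other are invented.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl is on PATH.
# Repeats steps 2-5 (CA, then a CA-signed client cert) unattended, adds a
# second, unrelated CA, and checks which client certs chain to the CA that
# the server would import into cacerts in step 6.
set -eu

# Without openssl there is nothing to demonstrate (assumption: it is installed).
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA (steps 2 and 3). rsa:2048 instead of the post's rsa:512;
# -subj avoids the interactive prompts.
make_ca() {       # $1 = file stem, $2 = CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -out "$WORK/$1.req" -keyout "$WORK/$1.key" 2>/dev/null
    openssl x509 -req -signkey "$WORK/$1.key" -days 365 \
        -in "$WORK/$1.req" -out "$WORK/$1.crt" 2>/dev/null
}

# Client key pair whose request is signed by CA $2 (steps 4 and 5).
make_client() {   # $1 = file stem, $2 = CA file stem
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -out "$WORK/$1.req" -keyout "$WORK/$1.key" 2>/dev/null
    openssl x509 -req -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -days 365 -in "$WORK/$1.req" -out "$WORK/$1.crt" 2>/dev/null
}

# Exit status 0 when $1.crt chains to $2.crt: the same path check the
# server performs against its trust store before accepting a client.
client_is_trusted() {
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca     clientca "Client CA"         # the CA imported in step 6
make_ca     otherca  "Unrelated CA"      # a CA the server never imported
make_client client   clientca
make_client other    otherca

client_is_trusted client clientca && echo "client.crt: accepted (signed by clientca)"
client_is_trusted other  clientca || echo "other.crt:  rejected (not signed by clientca)"
```

The script stops before step 6 on purpose: it never touches the JDK's cacerts file, it only shows which certificates that import would make acceptable.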


Re: tomcat ssl with client certificates - solution

Posted by "Mark W. Webb" <ma...@dolphtech.com>.
I am working on a mini-HOWTO on tomcat 4.1.24/apache 2.0.45/openssl 
0.9.7b that performs client authentication.  I hope to have it posted in 
a day or two.  I have tested the HOWTO on RH 8, and Solaris 9.  

Note: there is a bug in tomcat 4.1.24 in the JkCoyoteHandler.action 
method.  I have a fixed tomcat-jk2.jar file if you are interested.

There seems to be a __ctype_b linking problem with mod_ssl and RH9 I am 
trying to figure out.

Hough, Adriaan wrote:


