Posted to users@tomcat.apache.org by "Thurber, Fred" <Fr...@gdit.com> on 2007/02/28 22:50:51 UTC

Tomcat Smart Card (CAC card) problem

I am trying to get a smart card to work with Tomcat.  The smart card in question is a DoD CAC (Common Access Card).
 
I believe that I have set up my Connector element correctly in my server.xml:
 
 <Connector port="8443"
     enableLookups="true"
     disableUploadTimeout="true"
     debug="1"
     acceptCount="10" scheme="https" secure="true"
     clientAuth="true"
     sslProtocol="TLS"
     keystoreFile="<deleted>\.keystore"
 />

The issue seems to be with the IE/Tomcat handshake.  When IE hits my Tomcat site, it puts up a dialog with a title of "Choose a Digital Certificate".  However, the list of certificates to choose from is empty.
 
The certificates are loaded into my IE browser.  It seems to work with IIS.  When I hit an IIS site, the same form comes up, but the form is pre-populated with the list of certificates.
 
Why doesn't IE show the certificates when accessing Tomcat but does when accessing IIS?
 

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat Smart Card (CAC card) problem

Posted by Martin Gainty <mg...@hotmail.com>.
Good Evening Fred
It appears your connector in server.xml does not have CertificatePath and/or RequestPath defined.
Keep in mind that all of the paths, unless otherwise specified, are relative to $CATALINA_BASE.

Here is an example of connector parameters to get you started:
 <Connector
   scheme="https" secure="true"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="3"
   sslProtocol="TLSv1"
   SSLOptions="+StdEnvVars +CompatEnvVars +ExportCertData"
   SSLCertificateFile="${catalina.base}/conf/localhost_pem.crt"
   SSLCertificateKeyFile="${catalina.base}/conf/localhost.key"
   SSLCACertificateFile="${catalina.base}/conf/SSLCACertificateFile.pem"
   SSLCACertificatePath="${catalina.base}/conf/ssl.crt/"
   SSLCertificateChainFile="${catalina.base}/conf/SSLCACertificateFile.pem"
   SSLCertificateChainPath="${catalina.base}/conf/ssl.crt/"
   SSLCADNRequestFile="${catalina.base}/conf/SSLCACertificateFile.pem"
   SSLCADNRequestPath="${catalina.base}/conf/ssl.crt/"
 />

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
HTH
M--
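
An added example, not part of either message above and not taken from the Tomcat project: a variant of the original poster's Connector that names an explicit trust store for client certificates. It assumes the Java (JSSE) connector and assumes the empty selection dialog comes from the card's issuing CAs being absent from the trust store, since the server's certificate request lists the CAs it accepts. Every `*_PLACEHOLDER` value is hypothetical.

```xml
<!-- Added example. All *_PLACEHOLDER paths, passwords and aliases are
     hypothetical and must be replaced with site values. -->

<!-- Step 1 (run once per issuing CA certificate): build a trust store that
     holds the CA certificates which issued the smart card certificates.

       keytool -import -trustcacerts -alias CA_ALIAS_PLACEHOLDER
               -file CA_CERT_PLACEHOLDER.cer
               -keystore TRUSTSTORE_PLACEHOLDER.jks

     Step 2: confirm which CA subjects the store now contains.

       keytool -list -v -keystore TRUSTSTORE_PLACEHOLDER.jks
-->

<Connector port="8443"
           scheme="https" secure="true"
           sslProtocol="TLS"

           clientAuth="true"

           keystoreFile="KEYSTORE_PLACEHOLDER"
           keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER"

           truststoreFile="TRUSTSTORE_PLACEHOLDER.jks"
           truststorePass="TRUSTSTORE_PASSWORD_PLACEHOLDER"
           truststoreType="JKS"
/>

<!-- keystoreFile / keystorePass: the server's own key and certificate,
     presented to the browser.

     truststoreFile / truststorePass / truststoreType: the CA certificates
     accepted as issuers of client certificates. Their subject names are what
     the server lists in the TLS CertificateRequest, and the client uses that
     list to decide which certificates it can offer.

     Keep the trust store limited to the CAs whose client certificates should
     be accepted: every CA in it can issue a certificate that passes
     clientAuth="true". -->
```

After a restart, `openssl s_client -connect HOST_PLACEHOLDER:8443` prints an "Acceptable client certificate CA names" section, which shows the CA list the server actually sends and can be compared against the issuer of the card's certificates.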