Posted to users@tomcat.apache.org by aravidu <ar...@yahoo.com> on 2010/08/19 22:35:15 UTC

tomcat mutual authentication doesn't work

Hi All,

I am trying to setup mutual authentication for an app in tomcat/webapps/
folder. 

I have done the following to create a Trust Store for Tomcat 6.0 to use:

I created the keystore and truststore too. keystore has a PrivateKeyEntry
and truststore has a trustedCertEntry. 

Here is my server.xml config: 

<Connector port="8443"
           enableLookups="true"
           acceptCount="100"
           connectionTimeout="20000"
           useURIValidationHack="false"
           disableUploadTimeout="true"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="C:/Apache Software Foundation/Tomcat 6.0/conf/tomcat.keystore"
           keystorePass="server"
           truststoreFile="C:/Apache Software Foundation/Tomcat 6.0/conf/tmp/tomcat.truststore"
           truststorePass="client"/>

Here is my /tomcat/conf/web.xml config: 
<web-app>
 ......
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>myapp</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
 .....
</web-app>

My tomcat https port is 8443 (https://localhost:8443/myapp). When I try to
access using firefox, it gives me the following error: 

SSL peer cannot verify your certificate (Errorcode:
ssl_error_bad_cert_alert)

This is after I imported the server certificate and have the client
certificate (same as the one in truststore) installed in my firefox. 

If I change clientAuth to "false", it works fine with just server
authentication; it doesn't care whether the client has a certificate or not.

Can someone please help? I have read so many articles online but this seems
to be the gist of most of the articles. Do I have to create any roles and/or
change tomcat-users.xml too?

Please help. I need to get this working!! :-((

-- 
View this message in context: http://old.nabble.com/tomcat-mutual-authentication-doesn%27t-work-tp29486233p29486233.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: tomcat mutual authentication doesn't work

Posted by aravidu <ar...@yahoo.com>.
Hey.. if you are able to read this again, what I am trying to do now is set
the same thing up on a UNIX box. I created the client keys as I had done
previously and exported the key to my local machine so that I can import it
into my Firefox. However, when I try to import the pkcs12 key, it is not
able to recognize the password I gave. It kept complaining that the password
is incorrect.

Is it because of trying to use a key on Windows that was created on UNIX? Do
you think the key is tampered with when I do a file transfer? How can I resolve
this?

Thanks much. 





Re: tomcat mutual authentication doesn't work

Posted by aravidu <ar...@yahoo.com>.
I tried your steps and it worked!!! Thank you very very much!! You are
awesome!! :-)





Re: tomcat mutual authentication doesn't work

Posted by aravidu <ar...@yahoo.com>.
Ok. I will follow your steps and get back to you. I will write back in a
couple hours.. 

Thanks very much!

-A





Re: tomcat mutual authentication doesn't work

Posted by Ognjen Blagojevic <og...@gmail.com>.
On 20.8.2010 0:44, aravidu wrote:
> I don't have a client.keystore.
>
> Commands I used for creating a truststore&  adding keys to it:
> keytool" -export -alias clientcert -file client-cert.cer -keystore
> tomcat.truststore
> keytool" -import -file client-cert.cer -alias clientcert -keystore
> tomcat.truststore

That is wrong since you are configuring Tomcat to trust itself.

What you need to do is to configure Tomcat to trust the client, and to 
add client *private and public key* (pkcs12 file) to Firefox. So, you 
don't import .cert file (that is just public key) into Firefox but 
.pkcs12/.p12 file (it contains both private and public key).

You need to delete tomcat.truststore you created, and do steps 2-5 as I 
described:

>> 2. generate ClientPublic+ClientPrivate in, say, client.keystore file,
>> 3. import ClientPublic in tomcat.truststore, and
>> 4. import ClientPublic+ClientPrivate (usually in form of pkcs12 file) in
>> firefox ("Your certificates" tab inside certificate manager).
>> 5. import ServerPublic in firefox
>>
>> Something like this:
>>
(...)
>> 2. keytool -genkeypair -keystore client.keystore ...
>>
>> 3a. keytool -exportcert -keystore client.keystore -file client.cert ...
>> 3b. keytool -importcert -keystore server.truststore -file client.cert ...
>>
>> 4a. convert client.keystore to client.pkcs12 (google for that)
>> 4b. Firefox, Tools, Options, Advanced, View Certificates, Your
>> certificates, Import, client.pkcs12
>>
>> 5. Point firefox to webapp, add security exception.

Regards,
Ognjen



Re: tomcat mutual authentication doesn't work

Posted by aravidu <ar...@yahoo.com>.
Thank you so much for your response!! To answer your questions: 

1. Yes, they are self-signed certificates.
2. Yes, I am dealing with only one client. I am using firefox.

Here is the tomcat.keystore entry: (I believe this will be my
ServerPrivateKey)
------------------------------------------------
keytool -list -keystore tomcat.keystore
------------------------------------------------

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Aug 15, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5):
56:E0:24:CC:7F:45:6F:C5:F2:07:D0:5C:27:33:04:18


Here is the tomcat.truststore entry: (I believe this will be my
ClientPublicKey)
------------------------------------------------
keytool -list -keystore tomcat.truststore
------------------------------------------------
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

clientcert, Aug 19, 2010, trustedCertEntry,
Certificate fingerprint (MD5):
11:7F:F8:FF:3B:85:CD:A0:72:5C:1B:52:D4:C4:29:E6

I have not worked with SSL before so, I am a bit new to this. See the
difference in these two: keystore has "PrivateKeyEntry" and truststore has
"trustedCertEntry". 

I don't have a client.keystore. 

Commands I used for creating a truststore & adding keys to it:
keytool -export -alias clientcert -file client-cert.cer -keystore tomcat.truststore
keytool -import -file client-cert.cer -alias clientcert -keystore tomcat.truststore

I already had a preloaded tomcat.keystore to begin with. So, I did not
change that.

Before making the server request, I went to Firefox-> Options-> Advanced->
View Certificates-> Import-> client-cert.cer

Then, I made a server request. The first time, the server produces its certificate
and I add the exception (install it into my browser). Upon completion, I see
this error: SSL peer cannot verify your certificate. (Error code:
ssl_error_bad_cert_alert)

Let me know if this doesn't make sense. 

Regards,
Aravind.





Re: tomcat mutual authentication doesn't work

Posted by Ognjen Blagojevic <og...@gmail.com>.
On 19.8.2010 22:35, aravidu wrote:
> I created the keystore and truststore too. keystore has a PrivateKeyEntry
> and truststore has a trustedCertEntry.

Are those self-signed certificates?

Could you provide exact commands you used to create them?

I believe you must have one key pair for server, and one key pair for 
every client. In other words, at least two key pairs, in case you are 
describing when there is only one client. Let those keys be called 
ServerPublic, ServerPrivate, ClientPublic and ClientPrivate.

You should:

1. generate ServerPublic+ServerPrivate in tomcat.keystore file,
2. generate ClientPublic+ClientPrivate in, say, client.keystore file,
3. import ClientPublic in tomcat.truststore, and
4. import ClientPublic+ClientPrivate (usually in form of pkcs12 file) in 
firefox ("Your certificates" tab inside certificate manager).
5. import ServerPublic in firefox

Something like this:

1. keytool -genkeypair -keystore tomcat.keystore ...

2. keytool -genkeypair -keystore client.keystore ...

3a. keytool -exportcert -keystore client.keystore -file client.cert ...
3b. keytool -importcert -keystore server.truststore -file client.cert ...

4a. convert client.keystore to client.pkcs12 (google for that)
4b. Firefox, Tools, Options, Advanced, View Certificates, Your 
certificates, Import, client.pkcs12

5. Point firefox to webapp, add security exception.


Regards,
Ognjen

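Steps 1 through 4a above, scripted end to end with keytool, plus a check that the truststore ends up holding the client's certificate as a trustedCertEntry rather than the server's (the mistake earlier in the thread). This is an added example, not Ognjen's or the poster's own script; it assumes a JDK keytool on PATH, and the aliases, DNs and the "changeit" password are constructed placeholders (the "server" and "client" passwords match the poster's server.xml).

```shell
#!/bin/sh
# Added example (not from the thread): keytool steps for Tomcat mutual TLS.
# Assumes JDK keytool on PATH; DNs, aliases and "changeit" are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SERVER_KS="$WORK/tomcat.keystore"; SERVER_PASS=server      # keystorePass
CLIENT_KS="$WORK/client.keystore"; CLIENT_PASS=changeit    # constructed
TRUSTSTORE="$WORK/tomcat.truststore"; TRUST_PASS=client    # truststorePass
CLIENT_CER="$WORK/client.cer"; CLIENT_P12="$WORK/client.p12"
# Step 1: ServerPublic+ServerPrivate in tomcat.keystore. Alias "tomcat" is the
# Tomcat 6 default keyAlias; CN must match the host the browser connects to.
gen_server() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -dname "CN=localhost, OU=Test, O=Example" \
    -keystore "$SERVER_KS" -storepass "$SERVER_PASS" -keypass "$SERVER_PASS"
}
# Step 2: ClientPublic+ClientPrivate in a separate client.keystore.
gen_client() {
  keytool -genkeypair -alias clientcert -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -dname "CN=aravind, OU=Test, O=Example" \
    -keystore "$CLIENT_KS" -storepass "$CLIENT_PASS" -keypass "$CLIENT_PASS"
}
# Step 3: export only the client's public certificate and import it into the
# truststore that Tomcat checks client certificates against (clientAuth="true").
trust_client() {
  keytool -exportcert -alias clientcert -file "$CLIENT_CER" \
    -keystore "$CLIENT_KS" -storepass "$CLIENT_PASS"
  keytool -importcert -noprompt -alias clientcert -file "$CLIENT_CER" \
    -storetype JKS -keystore "$TRUSTSTORE" -storepass "$TRUST_PASS"
}
# Step 4a: bundle the client's private+public key as PKCS#12 for Firefox.
to_pkcs12() {
  keytool -importkeystore -srckeystore "$CLIENT_KS" -srcstoretype JKS \
    -srcstorepass "$CLIENT_PASS" -srcalias clientcert -srckeypass "$CLIENT_PASS" \
    -destkeystore "$CLIENT_P12" -deststoretype PKCS12 \
    -deststorepass "$CLIENT_PASS" -destkeypass "$CLIENT_PASS"
}
# Entry type of an alias: PrivateKeyEntry (key pair) or trustedCertEntry
# (certificate only); empty output if the alias is absent.
entry_type() {  # $1 keystore, $2 storepass, $3 alias
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
    | grep -o -e PrivateKeyEntry -e trustedCertEntry
}
main() {
  rm -f "$SERVER_KS" "$CLIENT_KS" "$TRUSTSTORE" "$CLIENT_CER" "$CLIENT_P12"
  gen_server; gen_client; trust_client; to_pkcs12
  echo "truststore/clientcert: $(entry_type "$TRUSTSTORE" "$TRUST_PASS" clientcert)"
  echo "PKCS#12 for Firefox import: $CLIENT_P12"
}
if command -v keytool >/dev/null 2>&1; then main; else echo "keytool (JDK) required" >&2; fi
```

Point the Connector's keystoreFile/truststoreFile at the two generated JKS files and import client.p12 under "Your Certificates" in Firefox; the server keystore must never be imported into the truststore.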