Posted to users@tomcat.apache.org by Sushil Prusty <su...@gmail.com> on 2013/09/04 11:20:18 UTC

If I configure a client certificate in my browser, I am unable to access my web app (Apache Tomcat 7.0.42/CentOS)

Hi All

1) I have configured HTTPS to access my web app, which is working fine.
2) Then I configured a client certificate in my browser (Firefox).
3) It shows a pop-up on the client side asking me to select a certificate.
4) Once I select a certificate and click OK, it throws the exception below:

Secure Connection Failed
An error occurred during a connection to localhost:8443.

SSL peer had some unspecified issue with the certificate it received.

(Error code: ssl_error_certificate_unknown_alert)
--------------------------------------------------------------------------------------------------------------------
Please find my server.xml configuration:

<Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
           disableUploadTimeout="true" enableLookups="false"
           keystoreFile="/LocalDev/software/ssl/server/server.ks"
           keystorePass="password"
           truststoreFile="/LocalDev/software/ssl/server/server.ks"
           truststorePass="password"
           maxThreads="250" port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true"
           sslProtocol="TLS" />

and in my web.xml file:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>https only</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

NOTE: If I remove the client certificate from the browser, I can
access my web app through HTTPS.


Please let me know whether any extra configuration is required on the
server side to validate the client certificate.

Please let me know if you want any other information.

I have gone through all the sites, but they were not helpful.

Re: If I configure a client certificate in my browser, I am unable to access my web app (Apache Tomcat 7.0.42/CentOS)

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sushil,

On 9/4/13 8:25 AM, Sushil Prusty wrote:
> Sure, I will maintain the same thread. Thanks for your input.
> 
> I just followed the link below to generate a CA certificate:
> http://oshogsb.blogspot.in/2007/07/how-to-create-custom-ca-and.html (which will
> help me create a custom CA certificate using OpenSSL),
> and I just pointed server.xml at those generated files.

So, you created a custom CA for your server's SSL certificate, or you
created a custom CA for your client certificates, or you created a
custom CA for both purposes? (I would recommend separate CAs for each).

> In step 13, "The common name of the client must match a user in
> Tomcat's user realm (e.g. an entry in conf/tomcat-users.xml)", which I
> missed out. Is this why I am unable to get access with the client
> certificate?

Well, you can always create a user in tomcat-users.xml that matches
the "common name" of the certificate.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
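As an added example, not from the thread or from Tomcat's own documentation: the web.xml and tomcat-users.xml pieces that turn a client certificate the connector has already validated into a Tomcat login for the user discussed above. Assumed for the example: the client certificate's subject is CN=sushil, O=Example, and the role name app-user is made up. One detail worth knowing before editing tomcat-users.xml: with the CLIENT-CERT auth method, Tomcat 7's realm looks the user up by the certificate's whole subject DN as Java prints it (`CN=sushil, O=Example`, most-specific RDN first, comma and space between RDNs), not by the CN alone, so the username attribute has to be that exact string. Copying the `Owner:` line from `keytool -printcert -file client.crt` avoids guessing the order and spacing.

```xml
<!-- web.xml: on top of the CONFIDENTIAL transport guarantee already in place,
     require an authenticated user holding the (made-up) app-user role,
     and authenticate with the client certificate from the TLS handshake. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>https only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>client-cert</realm-name>
</login-config>

<security-role>
  <role-name>app-user</role-name>
</security-role>

<!-- conf/tomcat-users.xml: the username is the certificate subject DN exactly as
     Java renders it. No password attribute: the private key used in the handshake
     is the credential, so the entry cannot be used for a password login. -->
<tomcat-users>
  <role rolename="app-user"/>
  <user username="CN=sushil, O=Example" roles="app-user"/>
</tomcat-users>
```

With clientAuth="want" on the connector, a browser that sends no certificate still completes the handshake, but the request then reaches Tomcat's SSL authenticator, which finds no certificate chain and answers 401 rather than letting the request through to the app.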


Re: If I configure a client certificate in my browser, I am unable to access my web app (Apache Tomcat 7.0.42/CentOS)

Posted by Sushil Prusty <su...@gmail.com>.
Hi Chris

Sure, I will maintain the same thread. Thanks for your input.

I just followed the link below to generate a CA certificate:
http://oshogsb.blogspot.in/2007/07/how-to-create-custom-ca-and.html (which will
help me create a custom CA certificate using OpenSSL),
and I just pointed server.xml at those generated files.

In step 13, "The common name of the client must match a user in Tomcat's
user realm (e.g. an entry in conf/tomcat-users.xml)", which I missed out.
Is this why I am unable to get access with the client certificate?



On Wed, Sep 4, 2013 at 5:17 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

>
> Sushil,
>
> Please maintain a single thread when (repeatedly) asking the same
> questions.
>
> On 9/4/13 5:20 AM, Sushil Prusty wrote:
> > <Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
> > disableUploadTimeout="true" enableLookups="false"
> > keystoreFile="/LocalDev/software/ssl/server/server.ks"
> > keystorePass="password"
> > truststoreFile="/LocalDev/software/ssl/server/server.ks"
> > truststorePass="password" maxThreads="250" port="8443"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > scheme="https" secure="true" sslProtocol="TLS" />
> >
> > Please let me know whether any extra configuration is required on
> > the server side to validate the client certificate.
>
> It sounds like you have already configured client certificate
> validation, but it's not working the way you expected.
>
> First off, I usually see configurations where the "trust store" is
> separate from the "key store". Your keystore should be considered
> "super secret" and shouldn't change much. Your trust store, on the
> other hand, might undergo lots of changes over time to add CA certs,
> client certs, etc.
>
> Second, what do you actually have in your keystore? Since you are
> using JSSE, your keystore should contain the server's key and
> certificate, plus any CA certificates and intermediate CA certificates
> necessary to provide a certificate chain from your server to one the
> browser trusts (e.g. VeriSign Top-level -> VeriSign intermediate ->
> Your cert). What else do you have in there? In order to verify client
> certificates, you'll need to have either the client certificate
> itself, or the certificate that signed the client certificate, or a
> chain similar to the above (e.g. Cert a -> Cert b -> Cert c -> Your
> client cert).
>
> This may be a simple problem of not having the right CA certificate(s)
> in your trust store.
>
> -chris

Re: If I configure a client certificate in my browser, I am unable to access my web app (Apache Tomcat 7.0.42/CentOS)

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Sushil,

Please maintain a single thread when (repeatedly) asking the same
questions.

On 9/4/13 5:20 AM, Sushil Prusty wrote:
> <Connector SSLEnabled="true" acceptCount="100" clientAuth="want" 
> disableUploadTimeout="true" enableLookups="false" 
> keystoreFile="/LocalDev/software/ssl/server/server.ks" 
> keystorePass="password" 
> truststoreFile="/LocalDev/software/ssl/server/server.ks" 
> truststorePass="password" maxThreads="250" port="8443" 
> protocol="org.apache.coyote.http11.Http11NioProtocol" 
> scheme="https" secure="true" sslProtocol="TLS" />
> 
> Please let me know whether any extra configuration is required on
> the server side to validate the client certificate.

It sounds like you have already configured client certificate
validation, but it's not working the way you expected.

First off, I usually see configurations where the "trust store" is
separate from the "key store". Your keystore should be considered
"super secret" and shouldn't change much. Your trust store, on the
other hand, might undergo lots of changes over time to add CA certs,
client certs, etc.

Second, what do you actually have in your keystore? Since you are
using JSSE, your keystore should contain the server's key and
certificate, plus any CA certificates and intermediate CA certificates
necessary to provide a certificate chain from your server to one the
browser trusts (e.g. VeriSign Top-level -> VeriSign intermediate ->
Your cert). What else do you have in there? In order to verify client
certificates, you'll need to have either the client certificate
itself, or the certificate that signed the client certificate, or a
chain similar to the above (e.g. Cert a -> Cert b -> Cert c -> Your
client cert).

This may be a simple problem of not having the right CA certificate(s)
in your trust store.

-chris

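The browser's ssl_error_certificate_unknown_alert fits the trust-store explanation above. With clientAuth="want", Tomcat's JSSE engine asks for a certificate but tolerates its absence; when the browser does send one, the trust manager has to chain it to an anchor in the configured truststoreFile, and if that fails the server aborts the handshake with a certificate_unknown alert. That is why removing the certificate from Firefox makes the site reachable again, and why the fix lives in the trust store rather than in web.xml. The script below is an added example, not code from the thread: it reproduces the check with OpenSSL, using one CA for the server certificate and a separate one for client certificates as recommended, and shows the same client certificate passing against the client CA and failing against the server CA. All CA names, subjects and file names are made up; the keytool step runs only if a JDK is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the trust-store problem with
# OpenSSL: a client certificate that chains to one CA is rejected by a verifier that
# only trusts another. CA names, subjects and file names are made up for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the CAs carry CA:TRUE regardless of the system openssl.cnf;
# the leaf sections mark the intended use of each certificate.
cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # P-256 keys; RSA works the same way

make_ca() {  # make_ca <name> <CN>: self-signed CA certificate and key
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca $KEYOPTS \
    -days 2 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_cert() {  # issue_cert <ca name> <leaf name> <subject> <extension section>
  openssl req -new -config "$WORK/pki.cnf" $KEYOPTS -subj "$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/pki.cnf" -extensions "$4" -out "$WORK/$2.crt" 2>/dev/null
}

# The check the server's trust manager performs on a presented client certificate:
# does it chain to a trust anchor? Prints ok or fail.
verify_cert() {  # verify_cert <leaf name> <trusted CA name>
  if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Separate CAs for the server certificate and for client certificates. The client
# subject is written O-then-CN because Java prints RDNs most-specific first, which
# gives "CN=sushil, O=Example" on the Tomcat side.
setup_pki() {
  make_ca server-ca "Example Server CA"
  make_ca client-ca "Example Client CA"
  issue_cert server-ca server "/CN=localhost" v3_server
  issue_cert client-ca sushil "/O=Example/CN=sushil" v3_client
}

# Trust store holding only the client CA, kept apart from the keystore that holds the
# server key; this is the file the Connector's truststoreFile should point at.
# Skipped when no JDK keytool is on the PATH.
build_truststore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping trust store"; return 0; }
  keytool -importcert -noprompt -alias client-ca -file "$WORK/client-ca.crt" \
    -keystore "$WORK/truststore.jks" -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$WORK/truststore.jks" -storepass changeit
}

setup_pki
echo "client cert, trust store holds the client CA: $(verify_cert sushil client-ca)"        # ok
echo "client cert, trust store holds only the server CA: $(verify_cert sushil server-ca)"   # fail
echo "client subject in RFC 2253 order (Java adds a space after each comma):"
openssl x509 -in "$WORK/sushil.crt" -noout -subject -nameopt RFC2253
build_truststore
```

Applied to the server.xml in the thread, the change is to stop pointing truststoreFile at the same server.ks that holds the server key and instead point it at a store like the truststore.jks built here, containing the client CA certificate (or the client certificates themselves, as the reply notes) and nothing that does not need to be trusted for client authentication.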