Posted to users@tomcat.apache.org by Pascal Chanteux <pa...@gmail.com> on 2005/07/13 13:44:59 UTC
CLIENT-CERT / Error : null cert chain
Hi,
I want to configure Tomcat/4.1.27 to use client certificate
authentication. I first set up the SSL connector following the How-To.
So now my site runs under SSL without any problem.
So now my site runs under SSL without any problem.
Next, I build the client certificate with keytool and store it in a
file (trust.keystore). In my web.xml I change BASIC to CLIENT-CERT:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client certificate auth.</realm-name>
</login-config>
and in my server.xml:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true"
>
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           truststoreFile="c:\keystores\trust.keystore"
  />
</Connector>
When I connect to my protected JSP, I always get an error on Tomcat:
13-jul-2005 11:19:25 org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
at java.io.InputStream.read(InputStream.java:88)
at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:158)
at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:786)
at org.apache.coyote.Request.action(Request.java:367)
at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:799)
at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2416)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:601)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:392)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:565)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
at java.lang.Thread.run(Thread.java:536)
I don't know if my configuration is OK. Where can the problem be?
Does anyone have an idea?
Thanks a lot
Pascal.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: CLIENT-CERT / Error : null cert chain
Posted by Mark Thomas <ma...@apache.org>.
A few pointers:
1. The trust store is the list of trusted CAs, not the list of trusted
client certificates. The CA that issued your client cert must be in the
trust store.
2. You need to modify your user details in your realm. If you are using
tomcat-users.xml it should look something like this:
...
<user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, ST=London, C=GB" password="null" roles="tomcat,certs"/>
...
HTH
Mark
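The procedure Pascal describes and both of Mark's points, worked through end to end as an added example (this is not code from the original thread, from Tomcat, or from either poster). It builds a private client CA, issues a client certificate from it, puts the CA certificate (not the client certificate) into the truststore the connector's truststoreFile points at, exports the key and certificate as a PKCS#12 bundle for the browser, and derives the tomcat-users.xml username from the certificate's subject DN. A second certificate with the identical subject DN but issued by an untrusted CA shows that the truststore check, not the username match, is what authenticates the client. It assumes openssl on PATH and uses keytool from any current JDK if present; the CA names, subject DNs, file names, the "changeit" password and the WORK directory are all made up for the example. The "null cert chain" in the trace is what JSSE reports when the client answers the certificate request with an empty certificate list, which a browser does when it holds no certificate issued by one of the CAs the server advertised from its truststore.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: openssl on PATH,
# keytool optional (JDK); all names, DNs and the "changeit" password are made up.
set -eu

WORK=${WORK:-$(mktemp -d)}

# make_ca <basename> <subject>: self-signed CA key and certificate (10 years).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "$2" 2>/dev/null
}

# issue_client_cert <ca-basename> <basename> <subject>: key, CSR, CA-signed cert.
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "$3" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# cert_trusted_by <ca-basename> <cert-basename>: exit 0 only if the certificate
# chains to that CA, which is the decision the truststore makes in the handshake.
cert_trusted_by() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# tomcat_username <cert-basename>: subject DN as "CN=..., OU=..., C=..", the form
# the Sun JDK's getSubjectDN().getName() returns and the realm username must match.
# Caveat: RFC 2253 escapes (a comma inside a value becomes "\,") are not handled.
tomcat_username() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/,/, /g'
}

make_ca ca "/C=GB/O=Apache/CN=Example Client CA"
make_ca rogueca "/C=XX/O=Someone Else/CN=Untrusted CA"
issue_client_cert ca client "/C=GB/ST=London/L=London/O=Apache/OU=Jakarta/CN=Mark Thomas"
# Same subject DN, different issuer: must be rejected by the truststore check.
issue_client_cert rogueca rogue "/C=GB/ST=London/L=London/O=Apache/OU=Jakarta/CN=Mark Thomas"

# The connector's truststoreFile: holds the CA certificate only (JKS for old JSSE).
if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias clientca -file "$WORK/ca.crt" \
        -keystore "$WORK/trust.keystore" -storetype JKS -storepass changeit >/dev/null
fi

# What the browser imports: client key + certificate, plus the CA for a full chain.
openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/client.p12"

echo "tomcat-users.xml entry:"
echo "  <user username=\"$(tomcat_username client)\" password=\"null\" roles=\"certs\"/>"
cert_trusted_by ca client && echo "client.crt: chains to the CA in the truststore"
cert_trusted_by ca rogue || echo "rogue.crt: same subject DN, not issued by a trusted CA, rejected"
```

Point truststoreFile at the trust.keystore this produces (with truststorePass="changeit" if the password differs from the JDK default), import client.p12 into the browser, and paste the printed <user> line into tomcat-users.xml. Two caveats: the username must be the DN exactly as the server's JVM renders it, so when in doubt log certs[0].getSubjectDN().getName() once and copy that; and with clientAuth="false" Tomcat 4.1 only asks for the certificate by renegotiating on first access to a CLIENT-CERT-protected resource (the JSSE14Support.synchronousHandshake frame in the trace), whereas clientAuth="true" demands it when the connection is set up, so a browser with no suitable certificate fails before it reaches the webapp.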