Posted to users@tomcat.apache.org by Patkar Omkar Anant <om...@gi-de.com> on 2023/04/26 14:34:33 UTC

How to setup client certificate based authentication in Tomcat 9

Hi,

I am a bit of a newbie to this domain of client certificate-based authentication. We have two applications … A (server) and B (client).
Web application A runs on Apache Tomcat 9.0.52 (it’s a REST API based application). Application B invokes the REST API of application A.

Now we want to introduce client certificate-based authentication between A and B. So far, based on the information I have gathered from the internet, all I have got is different pieces, but I am not able to connect the dots on how to set up or configure Tomcat (where A is hosted) to achieve this requirement.

I have been provided a certificate by application B, which is going to access our application A.
But what are realms, how do I map them to the certificate provided to us and configure that realm in Tomcat, where do I store the certificate provided by the client, how do I enforce that the webapp on system A goes for client certificate authentication, etc.? These are the dots I am not able to connect.

It would be great and appreciated if someone can guide me through the correct sequence of steps I should follow … basically, help me to connect the dots. 😊

Thanks and Regards
Omkar Patkar

Re: How to setup client certificate based authentication in Tomcat 9

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Omkar,

On 5/3/23 00:28, Patkar Omkar Anant wrote:
> The server A where tomcat is running... it hosts a REST based 
> application (BPMN based called Camunda ... it’s a 3rd party
> application).
> 
> For e.g., when an application wants to trigger a workflow or BPMN
> deployed in Camunda, then they will fire the appropriate request to URL
> that looks something like this: -
> 
> https://<Server A>/engine-rest/process-definition/key/<name of the process to be invoked>
> 
> Now, the requirement is ..., there are several custom processes
> deployed and multiple clients invoke multiple processes available with
> Camunda,... hence the <name of the process to be invoked> is the dynamic
> part here.
> 
> We want to apply client certificate authentication only for one of
> the process that only Application B will invoke using the above URL.
This ^^^ is the important part.

Are you using a reverse-proxy, or are clients connecting directly to Tomcat?

> Thus, we are looking at: -
> 
> 1) Applying client certificate authentication to only a particular URL and not for all URLs.

In order to do this, you have to tell Tomcat to "ask" for the 
certificate but not require it. The configuration for this is in 
conf/server.xml in the <Connector>[1] you use for your secure endpoint e.g.:

<Connector port="8443"
certificateVerification="optional"

> 2) How to create the trust store ? How is it different from keystore?
> can I use cacerts of the java that is used by tomcat as the trust
> store ?
The only difference between key stores and trust stores is how you use 
them. Physically, on the disk, they are the same thing. Java can use JKS 
or PKCS12 keystores, which is just a way to put multiple keys and/or 
certificates into a single file.

> 3) Is enabling SSL mandatory for client certificate authentication ?
> because we any ways will import the client certificate in the trust
> store so is enabling SSL and sharing server certificate to client
> required here ?
Yes. Client-certificate-based authentication is often called "mutual 
authentication" because the client authenticates the server (which is 
very common and what happens when you visit https://www.wikipedia.org/) 
and ALSO the server authenticates the client (which is less common, and 
really only used for private connections where the server knows all of 
the clients who might connect). The certificates are traded back and 
forth during the TLS handshake, so TLS is indeed required.

There is probably a way to use X.509 keys and certificates for mutual 
authentication that doesn't involve TLS but your server and client would 
have to invent a new way to do that and implement it on both sides of an 
unencrypted connection.

-chris


[1] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
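Requirement 1) above (a client certificate for one process only) cannot be expressed with a web.xml url-pattern, because servlet patterns match only a path prefix, an extension or an exact path, and the process key sits in the middle of the URL. The following servlet filter is an added example for this thread, not code from Camunda or Tomcat. It assumes the HTTPS connector is configured with certificateVerification="optional" and a trust store holding B's certificate, so Tomcat validates any certificate that is presented during the handshake and exposes it through the standard javax.servlet.request.X509Certificate attribute; the process key "secure-process", the subject DN and the context-relative path are placeholders.

```java
// Added example for the Tomcat users thread; not Camunda's or Tomcat's own code.
// Assumes: Tomcat 9 (javax.servlet API), connector SSLHostConfig with
// certificateVerification="optional" and B's certificate in its trust store.
// Process key, subject DN and path layout below are placeholders.
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProcessClientCertFilter implements Filter {

    /**
     * Context-relative prefix of the one process definition only B may use.
     * With Camunda's REST webapp deployed at context /engine-rest, the URL
     * https://A/engine-rest/process-definition/key/secure-process/start
     * arrives here as "/process-definition/key/secure-process/start" (placeholder key).
     */
    private static final String PROTECTED_PREFIX = "/process-definition/key/secure-process";

    /** Subject of the certificate B handed over (placeholder DN). */
    private static final X500Principal EXPECTED_SUBJECT =
            new X500Principal("CN=appB, O=Example Corp");

    /** Attribute Tomcat fills with the verified client chain, leaf first. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isProtected(request)) {
            chain.doFilter(req, res);   // every other process: no client certificate needed
            return;
        }

        // Set only when the client presented a chain the connector's trust store
        // accepted; with "optional", an untrusted certificate fails the handshake.
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required for this process");
            return;
        }

        // "Trusted" is not "the right client": pin the leaf subject so another
        // holder of a certificate in the same trust store cannot start this process.
        X509Certificate leaf = certs[0];
        if (!EXPECTED_SUBJECT.equals(leaf.getSubjectX500Principal())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "certificate subject not authorised for this process");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Match on the container-decoded, normalised path (servletPath + pathInfo)
     * rather than getRequestURI(), so a percent-encoded or "../" spelling of the
     * process key cannot bypass the check. A segment boundary is required after
     * the prefix so "secure-process-2" is not treated as the protected process.
     */
    static boolean isProtected(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        if (!path.startsWith(PROTECTED_PREFIX)) {
            return false;
        }
        return path.length() == PROTECTED_PREFIX.length()
                || path.charAt(PROTECTED_PREFIX.length()) == '/';
    }
}
```

Register it in the REST webapp's WEB-INF/web.xml with a <filter-mapping> whose url-pattern is /* and put the compiled class under WEB-INF/classes; it runs before the JAX-RS servlet, so the process is never started without a matching certificate. Two caveats: a certificate in the trust store only proves the TLS layer accepted the chain, which is why the subject pin is there; and if a reverse proxy terminates TLS in front of Tomcat (Chris's question above), the attribute will be empty, because the proxy has to perform the mutual TLS and forward the certificate in a header, which Tomcat's org.apache.catalina.valves.SSLValve can map back onto this attribute.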


RE: How to setup client certificate based authentication in Tomcat 9

Posted by Patkar Omkar Anant <om...@gi-de.com>.
Hi Christopher,

Thank you for your help. We really appreciate it 😊 ... Apologies for the late reply, though; as I am communicating from my office email id and we had leave here, I could only reply now.

I will provide some more information here so that it is possible to imagine our requirement:

The server A where Tomcat is running hosts a REST-based application (a BPMN-based one called Camunda ... it’s a 3rd-party application).

For example, when an application wants to trigger a workflow or BPMN deployed in Camunda, it will fire the appropriate request to a URL that looks something like this:

https://<Server A or machine where Camunda is deployed in tomcat>/engine-rest/process-definition/key/<name of the process to be invoked>/start

Now, the requirement is ... there are several custom processes deployed and multiple clients invoke multiple processes available with Camunda, hence the <name of the process to be invoked> is the dynamic part here.

We want to apply client certificate authentication only for one of the processes, which only Application B will invoke using the above URL.

Thus, we are looking at:

1) Applying client certificate authentication to only a particular URL and not for all URLs.

2) How to create the trust store? How is it different from a keystore? Can I use the cacerts of the Java that is used by Tomcat as the trust store?

3) Is enabling SSL mandatory for client certificate authentication? Because we will anyway import the client certificate into the trust store, so is enabling SSL and sharing the server certificate with the client required here?

Let me know if you need any more information.

Thanks and Regards

Omkar Patkar


Re: How to setup client certificate based authentication in Tomcat 9

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Patkar,

On 4/26/23 10:34, Patkar Omkar Anant wrote:
> I am a bit newbie to this domain of client certificate-based
> authentication. We have two applications … A(server) and B(client).
> 
> Web application A runs on Apache Tomcat 9.0.52. (it’s a REST API
> based application). Application B invokes the rest api of application
> A.
> 
> Now we want to introduce client certificate-based authentication
> between A and B.
Good for you. I wish more and more services would (a) offer this and (b) 
actually use it.

> So far based on information I have gathered from the internet all I
> have got is different pieces, but I am not able to connect the dots
> how to setup or configure tomcat (where A is hosted) to achieve this
> requirement.
> 
> I have been provided certificate by application B that is going to
> access our application A.
Good so far. You need to configure Application A (server) with a "trust 
store" which contains that certificate.

> But what are realms, how to map them with the certificate provided to
> us and configure that realm in tomcat, where to store the certificate
> provided by client, how to enforce webapp on system A to go for
> client certificate authentication etc…these dots I am not able to
> connect.
You are very unlikely to need a Realm at all.

Will you be requiring a client cert for every connection, or is it only 
for some users?

> It would be great and appreciated, if someone can guide me the
> correct sequence and steps I should follow ? … basically, help me to
> connect the dots. 😊
In order to get Tomcat to request and/or process a client's TLS 
certificate, you need to alter your <Connector> to include some of these:

(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)

truststoreFile (points to the JKS or P12 (preferred) file that contains 
your trusted certificates)

certificateVerification (choose either "optional" for requesting but not 
requiring it for all clients or "required" to require a certificate to 
be presented by all clients)

If you just want to require all requests to present that certificate, 
then you need:

certificateVerification="required"
truststoreFile="mykeystore.p12"
truststorePassword="secret"

This should do all the checking you need. You should not even have to 
configure your web application to use CLIENT-CERT authentication unless 
you want to be able to identify the caller from within the application.

If you want that, reply and I can explain what happens next.

-chris

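A complete HTTPS connector for the setup sketched above, as an added example (not from the thread or from the Tomcat documentation). It uses the Tomcat 8.5/9 layout, where the TLS attributes live on a nested SSLHostConfig rather than directly on the Connector; file names, passwords and the hostName are placeholders.

```xml
<!-- conf/server.xml (Tomcat 9). Added example for this thread, not Tomcat's or
     Camunda's own configuration; paths, passwords and hostName are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <!-- In Tomcat 8.5/9 the TLS settings belong on SSLHostConfig, not on the
         Connector. Only TLS 1.2 and 1.3 are offered. -->
    <SSLHostConfig hostName="_default_"
                   protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="required"
                   truststoreFile="${catalina.base}/conf/truststore.p12"
                   truststoreType="PKCS12"
                   truststorePassword="changeit">
        <!-- "required": every TLS client must present a certificate that chains
             to an entry in truststore.p12, which holds only B's certificate
             (or its issuing CA) and nothing from the JVM's cacerts.
             Use certificateVerification="optional" instead when only some URLs
             need a client certificate: a certificate that is presented is still
             validated against the trust store during the handshake, and the
             webapp decides per URL whether one was required. -->

        <!-- Key store: A's own private key and certificate, presented to B so
             that B can authenticate A. Same PKCS12 format as the trust store;
             the difference is that this file contains a private key entry. -->
        <Certificate certificateKeystoreFile="${catalina.base}/conf/keystore.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```

To build truststore.p12 from the certificate B sent (say appB.crt), import it as a trusted entry with keytool: keytool -importcert -alias appB -file appB.crt -keystore conf/truststore.p12 -storetype PKCS12 -storepass changeit -noprompt. Keep B's certificate out of the JVM's cacerts and do not point truststoreFile at cacerts: the trust store used for client verification defines who is allowed to connect, and cacerts would admit any client holding a certificate from any public CA. After restarting Tomcat, check from B's machine with openssl s_client -connect serverA:8443 -cert appB.crt -key appB.key; with a "required" connector the same command without -cert and -key should fail the handshake.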