Posted to users@tomcat.apache.org by "Macca, Diego" <Di...@ecb.int> on 2017/01/24 13:24:06 UTC

Mutual certificate authentication between Tomcat and MS IIS

Dears,
Has somebody of you ever tried to configure certificate mutual authentication between a MS IIS webserver and a Tomcat instance?
Does somebody know if this is even possible in IIS?

I usually do it very well with Apache but this time I'm requested to put in front of Tomcat an IIS webserver.

Thanks in advance.

Kind Regards,

Diego Macca
Senior IT Specialist

DG-IS/EDA - Executional Domain Applications
EUROPEAN CENTRAL BANK
Tel.: +49 (69) 1344 6991
E-mail: Diego.Macca@ecb.europa.eu
www.ecb.europa.eu
www.youtube.com/ecbeuro
https://twitter.com/ecb

Any e-mail message from the European Central Bank (ECB) is sent in good faith, but shall neither be binding nor construed as constituting a commitment by the ECB except where provided for in a written agreement. This e-mail is intended only for the use of the recipient(s) named above. Any unauthorised disclosure, use or dissemination, either in whole or in part, is prohibited. If you have received this e-mail in error, please notify the sender immediately via e-mail and delete this e-mail from your system. The ECB processes personal data in line with Regulation (EC) No 45/2001 and Decision ECB/2007/1. For any further information you can consult the Data Protection Disclaimer on the ECB webpage. In case of queries, please contact the ECB Data Protection Officer (dpo@ecb.europa.eu). You may also contact the European Data Protection Supervisor.

RE: Mutual certificate authentication between Tomcat and MS IIS

Posted by "Macca, Diego" <Di...@ecb.int>.
Thanks, we will try your suggestions. In the meantime we logged a request with Microsoft.
I'll keep you posted.


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 24 January 2017 22:46
To: Tomcat Users List
Subject: Re: Mutual certificate authentication between Tomcat and MS IIS

Diego,

On 1/24/17 4:41 PM, Christopher Schultz wrote:
> Diego,
>
> On 1/24/17 11:40 AM, Macca, Diego wrote:
>> On 1/24/17 8:24 AM, Macca, Diego wrote:
>>>> Has somebody of you ever tried to configure certificate mutual
>>>> authentication between a MS IIS webserver and a Tomcat instance?
>
>>> You want IIS to present a client certificate to Tomcat? Tomcat
>>> shouldn't have a problem with that.
>
>> Yes, that's what I need. Tomcat does not have any problem and it
>> works well with Apache. It seems that IIS is not able to present the
>> certificate when I configure it as reverse proxy (so when it should
>> act as a client).
>
>>>> Does somebody know if this is even possible in IIS ?
>
>>> You'd have to configure IIS's HTTP proxy to use a client
>>> certificate.
>
>> Do you know how to configure it ? I mean, IIS does the reverse proxy
>> things but I need it also to send the present to Tomcat.
>
> I don't know at all how to configure it, unfortunately.
>
> Do you need to have IIS *forward* the actual client's certificate to
> Tomcat, or do you want to use a static client cert just from IIS? If
> you want to forward the cert, you might find this useful:
> https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/

If you want to install a single certificate into the reverse-proxy, perhaps this can help:
https://blogs.msdn.microsoft.com/benjaminperkins/2014/06/02/configure-application-request-routing-arr-with-client-certificates/

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Mutual certificate authentication between Tomcat and MS IIS

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Diego,

On 1/24/17 4:41 PM, Christopher Schultz wrote:
> Diego,
> 
> On 1/24/17 11:40 AM, Macca, Diego wrote:
>> On 1/24/17 8:24 AM, Macca, Diego wrote:
>>>> Has somebody of you ever tried to configure certificate
>>>> mutual authentication between a MS IIS webserver and a
>>>> Tomcat instance?
> 
>>> You want IIS to present a client certificate to Tomcat? Tomcat
>>>  shouldn't have a problem with that.
> 
>> Yes, that's what I need. Tomcat does not have any problem and it
>>  works well with Apache. It seems that IIS is not able to
>> present the certificate when I configure it as reverse proxy (so
>> when it should act as a client).
> 
>>>> Does somebody know if this is even possible in IIS ?
> 
>>> You'd have to configure IIS's HTTP proxy to use a client 
>>> certificate.
> 
>> Do you know how to configure it ? I mean, IIS does the reverse 
>> proxy things but I need it also to send the present to Tomcat.
> 
> I don't know at all how to configure it, unfortunately.
> 
> Do you need to have IIS *forward* the actual client's certificate
> to Tomcat, or do you want to use a static client cert just from
> IIS? If you want to forward the cert, you might find this useful: 
> https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/

If you want to install a single certificate into the reverse-proxy,
perhaps this can help:
https://blogs.msdn.microsoft.com/benjaminperkins/2014/06/02/configure-application-request-routing-arr-with-client-certificates/

-chris


Re: Mutual certificate authentication between Tomcat and MS IIS

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Diego,

On 1/24/17 11:40 AM, Macca, Diego wrote:
> On 1/24/17 8:24 AM, Macca, Diego wrote:
>>> Has somebody of you ever tried to configure certificate mutual
>>>  authentication between a MS IIS webserver and a Tomcat
>>> instance?
> 
>> You want IIS to present a client certificate to Tomcat? Tomcat 
>> shouldn't have a problem with that.
> 
> Yes, that's what I need. Tomcat does not have any problem and it 
> works well with Apache. It seems that IIS is not able to present
> the certificate when I configure it as reverse proxy (so when it
> should act as a client).
> 
>>> Does somebody know if this is even possible in IIS ?
> 
>> You'd have to configure IIS's HTTP proxy to use a client
>> certificate.
> 
> Do you know how to configure it ? I mean, IIS does the reverse
> proxy things but I need it also to send the present to Tomcat.

I don't know at all how to configure it, unfortunately.

Do you need to have IIS *forward* the actual client's certificate to
Tomcat, or do you want to use a static client cert just from IIS? If
you want to forward the cert, you might find this useful:
https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/

>>> I usually do it very well with Apache but this time I'm
>>> requested to put in front of Tomcat an IIS webserver.
> 
>> I'm sorry I can't help with this, but I'd be interested in
>> hearing the solution. There are a number of people here who work
>> with IIS. If nobody answers after a while, I'll see if I can
>> find someone through $work who might be able to answer.

-chris


RE: Mutual certificate authentication between Tomcat and MS IIS

Posted by "Macca, Diego" <Di...@ecb.int>.
Thanks Chris for your comments.

Kind Regards,

Diego Macca
Senior IT Specialist

DG-IS/EDA - Executional Domain Applications
EUROPEAN CENTRAL BANK
Tel.: +49 (69) 1344 6991
E-mail: Diego.Macca@ecb.europa.eu
www.ecb.europa.eu
www.youtube.com/ecbeuro
https://twitter.com/ecb

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net]
Sent: 24 January 2017 17:06
To: Tomcat Users List
Subject: Re: Mutual certificate authentication between Tomcat and MS IIS

Diego,

On 1/24/17 8:24 AM, Macca, Diego wrote:
> Has somebody of you ever tried to configure certificate mutual
> authentication between a MS IIS webserver and a Tomcat instance ?

>>You want IIS to present a client certificate to Tomcat? Tomcat shouldn't have a problem with that.

Yes, that's what I need. Tomcat does not have any problem and it works well with Apache. It seems that IIS is not able to present the certificate when I configure it as reverse proxy (so when it should act as a client).

> Does somebody know if this is even possible in IIS ?

>>You'd have to configure IIS's HTTP proxy to use a client certificate.

Do you know how to configure it ? I mean, IIS does the reverse proxy things but I need it also to send the present to Tomcat.

> I usually do it very well with Apache but this time I'm requested to
> put in front of Tomcat an IIS webserver.

>>I'm sorry I can't help with this, but I'd be interested in hearing the solution. There are a number of people here who work with IIS. If nobody answers after a while, I'll see if I can find someone through $work who might be able to answer.

Thanks a lot.

-chris


Re: Mutual certificate authentication between Tomcat and MS IIS

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Diego,

On 1/24/17 8:24 AM, Macca, Diego wrote:
> Has somebody of you ever tried to configure certificate mutual 
> authentication between a MS IIS webserver and a Tomcat instance ?

You want IIS to present a client certificate to Tomcat? Tomcat
shouldn't have a problem with that.

> Does somebody know if this is even possible in IIS ?

You'd have to configure IIS's HTTP proxy to use a client certificate.

> I usually do it very well with Apache but this time I'm requested
> to put in front of Tomcat an IIS webserver.

I'm sorry I can't help with this, but I'd be interested in hearing the
solution. There are a number of people here who work with IIS. If
nobody answers after a while, I'll see if I can find someone through
$work who might be able to answer.

-chris