Posted to users@tomcat.apache.org by lercoli <le...@dynaproc.com> on 2005/04/27 10:38:23 UTC
Tomcat SSL Client Authentication
Hello
I've configured Tomcat SSL Client Authentication with these settings:

web.xml
.......
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
.........

server.xml
.........
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
           truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
.......
The client certificate (client.cer) is installed in my IE browser (version 6.0.28).
When I invoke https://localhost:8443/myweapp, a window appears that asks me to accept the server certificate.
I accept and my webapp index page appears.
So why don't I see a window for client authentication?
And why do I have the same behaviour even when I remove client.cer from my browser?
It seems that client-certification doesn't work.
Any help would be greatly appreciated.
Thank You
Luca Ercoli
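
Added example, not part of the original thread: a Python check run over abridged copies of the web.xml and server.xml fragments posted above, reporting when the server would ask for a client certificate. It assumes Tomcat's documented clientAuth values (true, want, false) and the Servlet rule that a security-constraint without an auth-constraint requires no authentication; the function names and sample strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the fragments from the post, abridged and given root elements.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""
SERVER_XML = """<Service>
  <Connector port="8443" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"/>
</Service>"""

def local(tag):
    """Strip an XML namespace so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def audit_client_cert(web_xml, server_xml):
    """Return findings describing when a client certificate is requested."""
    web, findings = ET.fromstring(web_xml), []
    methods = [e.text.strip() for e in web.iter()
               if local(e.tag) == "auth-method" and e.text]
    constraints = [e for e in web.iter() if local(e.tag) == "security-constraint"]
    # Only a constraint carrying <auth-constraint> makes the container authenticate.
    protected = [c for c in constraints
                 if any(local(x.tag) == "auth-constraint" for x in c)]
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https":
            continue  # plain HTTP connector, no TLS handshake
        mode, port = conn.get("clientAuth", "false").lower(), conn.get("port")
        if mode == "true":
            findings.append(f"{port}: certificate required in the TLS handshake")
        elif mode == "want":
            findings.append(f"{port}: certificate requested but optional")
        elif "CLIENT-CERT" in methods and protected:
            findings.append(f"{port}: certificate requested only for protected URLs")
        else:
            findings.append(f"{port}: certificate never requested")
    if "CLIENT-CERT" in methods and not protected:
        findings.append("web.xml: CLIENT-CERT declared but no <auth-constraint>")
    return findings
```
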
Re: Tomcat SSL Client Authentication
Posted by ohaya <oh...@cox.net>.
Hi,
Sorry if that didn't help.
Here's what I have in server.xml (I don't remember if I had to change
anything outside of server.xml to enable client authentication):
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
           className="org.apache.coyote.tomcat5.CoyoteConnector"
           maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="e:\tomcat\jakart~1.27\ssl\servercertificate.keystore"
           keystoreType="PKCS12"
           truststoreFile="C:\Documents and Settings\Administrator\.keystore"
           truststorePass="XXXXXXX"
           truststoreType="JKS"
/>
Jim
P.S. When I was doing this (which was a while ago), I didn't find any
way to get Tomcat to check for client cert revocations (i.e., CRL
checking). I don't know if that has changed at all since then.
Re: Tomcat SSL Client Authentication
Posted by lercoli <le...@dynaproc.com>.
Hi Jim
I've tried with clientAuth = true, but the server certificate window doesn't
appear and I get a page not found error.
----- Original Message -----
From: "ohaya" <oh...@cox.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Wednesday, April 27, 2005 12:49 PM
Subject: Re: Tomcat SSL Client Authentication
> Hi,
>
> I believe that the "clientAuth" needs to be set to "true" in the
> server.xml.
>
> Jim
Re: Tomcat SSL Client Authentication
Posted by ohaya <oh...@cox.net>.
Hi,
I believe that the "clientAuth" needs to be set to "true" in the
server.xml.
Jim