Posted to users@tomcat.apache.org by fr...@netscape.net on 2006/06/16 00:28:52 UTC

Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?

Hi,
I have followed this procedure twice and all attempts failed at the browsers.
Someone please help to work out a procedure so that we can set up clientAuth="true" after clientAuth="false" worked.
Now, in this procedure, there are 3 aliases, itcilo_ca, map-test and santiago, which I cannot understand.
There already is an alias "tomcat" inside the keystore. Should we use it? 
Thanks!
 
P.S. I have created a .BAT file for each command. I can pack them and ship them to anyone who wants them. I may put them all together and make it as easy as a double-click. Also I can make the bash file on Linux after I get success on this. 
 
Frank Peng.
==============================================

1 - Setting up the CA 

- Create /home/lams/openssl to hold the CA keys, server keys and (as 
we want to use SSL client authentication) the client keys. 

- 1) Create a private key and certificate request for our CA: 
#openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key 
openssl req -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key 

- 2) Create a CA's self-signed certificate: 

#openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem 
openssl x509 -req -trustout -signkey ca.key -days 365 -in ca.csr -out ca.pem

- 3) Import the CA certificate into the JDK certificate authorities 
keystore: 
$JAVA_HOME/bin/keytool -import -keystore 
$JAVA_HOME/lib/security/cacerts -file ca.pem -alias itcilo_ca 

- 4) Create a file to hold the CA's serial numbers. This file starts 
with the number "2": 
echo "02" > ca.srl 
#for Windows: echo 02 > ca.srl

2 - Setting the web server 

- Create /etc/tomcat to contain both the keystore and the truststore 
files (the truststore is a keystore in which reside all the certificates 
with which a user can authenticate himself on the server). 

- 5)Create a keystore for the tomcat server. 
$JAVA_HOME/bin/keytool -genkey -alias map-test -keyalg RSA -keysize 
1024 -keystore /etc/tomcat/server-keystore2.jks -storetype JKS 

- 6)Create a certificate request for the web server. 
$JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias map-test -file 
map-test.csr -keystore /etc/tomcat/server-keystore2.jks 

You need to edit the certificate request file slightly. Open it up in 
a text editor and amend the text which reads "NEW CERTIFICATE REQUEST" 
to "CERTIFICATE REQUEST" 

- 7)Have your CA sign your certificate request: 
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in 
map-test.csr -out map-test.crt -days 365 

- 8)Import your CA certificate into your server keystore: 

This step is necessary because we want to use SSL client authentication. 

$JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore 
/etc/tomcat/server-keystore2.jks -trustcacerts -file ca.pem 

- 9)Import the signed server certificate into the server keystore: 

$JAVA_HOME/bin/keytool -import -alias map-test -keystore 
/etc/tomcat/server-keystore2.jks -trustcacerts -file map-test.crt 

You should see a message "Certificate reply was installed in keystore". 

3 - Setting up the ssl client 

- 10) Create a client certificate request: 

#openssl req -new -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key 
openssl req -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key

- 11) Have the CA sign the client certificate. 

openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in 
santiago.req -out santiago.pem -days 365 

- 12) Import the CA certificate into the truststore: 

$JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore 
/etc/tomcat/truststore-itcilo2.jks -trustcacerts -file ca.pem 

- 13)Import the client certificate into the truststore: 

$JAVA_HOME/bin/keytool -import -alias santiago -keystore 
/etc/tomcat/truststore-itcilo2.jks -trustcacerts -file santiago.pem 

- Generate a PKCS12 file containing the client key and certificate: 

openssl pkcs12 -export -clcerts -in santiago.pem -inkey santiago.key 
-out santiago.p12 -name "virgilio_certificate" 

- Import the PKCS12 file into the web browser to use as the client 
certificate and key (tools - internet options - contents - 
certificates, verify by clicking in "advanced" that "client 
authentication" is checked) 

4 - Configure tomcat for ssl 

The following lines must be added to server.xml. The clientAuth 
parameter must be set to true as we want Tomcat to require all SSL 
clients to present a client Certificate in order to use this socket. 

<!-- Define a SSL HTTP/1.1 Connector on port 8443 --> 
<!-- keystoreFile/truststoreFile name the files created in steps 5 and 12 --> 
<Connector port="8443" maxHttpHeaderSize="8192" 
maxThreads="150" minSpareThreads="25" maxSpareThreads="75" 
enableLookups="false" disableUploadTimeout="true" 
acceptCount="100" scheme="https" secure="true" 
clientAuth="true" sslProtocol="TLS" 
keystoreFile="/etc/tomcat/server-keystore2.jks" 
keystorePass="password" 
truststoreFile="/etc/tomcat/truststore-itcilo2.jks" 
truststorePass="password" /> 

Regards, 

Gaël 
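The procedure above, as an added example that is not part of this thread and not Gaël's own script: the OpenSSL steps (CA, server and client certificates, serial file, PKCS#12 export) as non-interactive shell functions, followed by the two checks whose absence causes most failures with clientAuth="true": that a certificate really chains to the CA in the truststore, and that the server certificate's name is the hostname the browser connects to. Everything about it is an assumption made here: it needs openssl on PATH, runs the keytool steps (5, 6, 8, 9, 12) only when a JDK is present, writes server-keystore.jks and truststore.jks in a directory you name, uses the constructed hostname map-test.example and user santiago, raises the key sizes to 2048 bits (the 512- and 1024-bit keys above are too weak for any current browser), and gives the CA certificate basicConstraints, which modern verifiers require.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl on PATH; the keytool
# steps run only if a JDK is present. Constructed names: map-test.example, santiago.
DAYS=365

# Steps 1, 2 and 4: CA key + CSR, self-signed CA certificate, serial file.
make_ca() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days "$DAYS" \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
  echo "02" > "$dir/ca.srl"          # first serial number the CA will issue
}

# Steps 7 and 11: sign an existing CSR ($dir/$name.csr) with the CA.
# $3 is the extension text for the leaf certificate (SAN, extendedKeyUsage).
sign_csr() {
  dir=$1; name=$2
  printf '%s\n' "$3" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAserial "$dir/ca.srl" -days "$DAYS" -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# Step 10 (and an OpenSSL-only variant of step 6): key + CSR + signed cert.
# kind is "server" (SAN must be the hostname the browser uses) or "client".
issue_cert() {
  dir=$1; name=$2; cn=$3; kind=$4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  if [ "$kind" = server ]; then
    sign_csr "$dir" "$name" "$(printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth' "$cn")"
  else
    sign_csr "$dir" "$name" "extendedKeyUsage=clientAuth"
  fi
}

# What the browser (and Tomcat's truststore) checks: does the cert chain to our CA?
verify_chain() { openssl verify -CAfile "$1/ca.pem" "$1/$2.crt" >/dev/null 2>&1; }

# CN of a certificate; compare it with the hostname before editing server.xml.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1/$2.crt" |
    sed 's/^subject= *//; s/^CN=//; s/,.*//'
}

# PKCS#12 bundle (client key + cert) that the user imports into the browser.
export_p12() {
  openssl pkcs12 -export -clcerts -in "$1/$2.crt" -inkey "$1/$2.key" \
    -out "$1/$2.p12" -name "$2" -passout "pass:$3" 2>/dev/null
}

# Steps 5, 6, 8, 9 and 12: server keystore and truststore via keytool, if present.
# These are the files keystoreFile/truststoreFile in the Connector point at.
load_java_stores() {
  dir=$1; host=$2; pw=$3
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping JKS steps" >&2; return 0; }
  ks="$dir/server-keystore.jks"; ts="$dir/truststore.jks"
  keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 -dname "CN=$host" \
    -keystore "$ks" -storetype JKS -storepass "$pw" -keypass "$pw" 2>/dev/null
  keytool -certreq -alias "$host" -file "$dir/$host.csr" -keystore "$ks" -storepass "$pw" 2>/dev/null
  sign_csr "$dir" "$host" "$(printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth' "$host")"
  keytool -importcert -noprompt -alias ca -file "$dir/ca.pem" -keystore "$ks" -storepass "$pw" 2>/dev/null
  keytool -importcert -noprompt -alias "$host" -file "$dir/$host.crt" -keystore "$ks" -storepass "$pw" 2>/dev/null
  keytool -importcert -noprompt -alias ca -file "$dir/ca.pem" -keystore "$ts" -storepass "$pw" 2>/dev/null
}

# After Tomcat is up: confirm it asks for a client certificate and accepts ours.
probe_tomcat() {  # probe_tomcat DIR HOST [PORT]
  openssl s_client -connect "$2:${3:-8443}" -servername "$2" -CAfile "$1/ca.pem" \
    -cert "$1/santiago.crt" -key "$1/santiago.key" </dev/null 2>&1 |
    grep -E 'Verify return code|Acceptable client certificate'
}

main() {
  d=${1:-$(mktemp -d)}
  make_ca "$d"
  issue_cert "$d" server map-test.example server
  issue_cert "$d" santiago santiago client
  verify_chain "$d" server && verify_chain "$d" santiago || { echo "chain check failed" >&2; return 1; }
  [ "$(cert_cn "$d" server)" = map-test.example ] || { echo "server CN must equal the hostname" >&2; return 1; }
  export_p12 "$d" santiago changeit
  load_java_stores "$d" map-test.example changeit
  echo "artifacts written to $d"
}

case "${1:-}" in demo) main "${2:-}" ;; esac
```

Run it as `sh tomcat-pki.sh demo /etc/tomcat` to produce the files, point keystoreFile and truststoreFile at server-keystore.jks and truststore.jks, then `probe_tomcat /etc/tomcat map-test.example` shows "Verify return code: 0 (ok)" and the "Acceptable client certificate CA names" block only when the server trusts the CA and is actually demanding a client certificate. Because the CA's serial file is shared, every certificate it issues gets a distinct serial, which is what lets a browser tell the server and client certificates apart when both name the same CA.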

Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?

Posted by fr...@netscape.net.
Yes. You are right. The procedure works. What was wrong is that I did 
not make the server host name and the client host name match in the 
certs and in the tomcat-users.xml file. Also I edited the ca.pem file a 
little bit and changed it to ca.crt and imported this file into the 
browser's trusted root certificates. This is not shown in your 
procedure. A couple of openssl commands have been modified because of the 
newer revision of openssl.

I have made all commands into a BATCH file and I also added the subj 
parameter into the command.
Now when you double click the BATCH file name, you do not need to key 
in the domain name; you can edit it in the BATCH file instead. This avoids 
typing errors. Now I can make all of the commands finish in one shot as 
long as the hostnames and the passwords and the keystore file names and 
locations are defined. This may contribute to the Tomcat community.

It is working with both the newest Netscape and IE.

I will do the same job on Linux and change the BATCH file into a 
bash script file.

Thank you !

Frank Peng.



Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?

Posted by Gaël Lams <la...@gmail.com>.
> The problem is that Microsoft Internet Explorer and Netscape now are serious about the Root Trust Authorities. ...

I'm not sure what you mean by "serious about the Root Trust
Authorities" but I tested the ssl client authentication on several
computers, both inside and outside our LAN with both Internet Explorer
6 and Firefox 1.0.x and it works for me. If you don't use a trusted
certificate, the "only practical" issue (see my PS for a security
issue) is that the user trying to connect to that web site will be
prompted by a message saying that the certificate does not come from a
trusted root, and asking you whether you want to have a look at the
information provided with the certificate and whether you want to
accept it.

Regards,

Gaël

PS: when you use self-signed certificates, there is also a security
risk, i.e. the risk of what is called a man-in-the-middle attack: an
attacker could send the client his own self-signed certificate which
has the same name as that in the server's self-signed certificate. The
attacker then connects to the real server himself. When the client
sends data to the server the attacker reads it and then sends it along
to the real server.

Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?

Posted by fr...@netscape.net.
Gaël 
 
Sorry, I am so lazy that I did not change the names. I will change them next time. 
 
Yes, I am working on Windows.
All of the commands are translated into Windows commands and there is no error after I fixed some commands and typing errors.
 
The problem is that Microsoft Internet Explorer and Netscape now are serious about the Root Trust Authorities. Now both of the browsers are not working with the procedure you posted. I am looking for the procedure with CAcert.org. It is free to get their certificates for a server and a client. 
 
I believe the browsers and the Tomcat really talked; they failed because of the root authority problems. The error # on Netscape is 8182. If you have an OpenSSL solution based on your procedure, that will be great. Otherwise we have to ask help from CAcert.org.
 
As you know I already typed all commands into a Windows batch file. It is easy to make a completely automatic program to set up everything. If you will work on OpenSSL, I would assist you to make the auto-configure program both on Windows and on Linux. That will contribute to this community a lot. Right?
 
Thank you again. Sorry about that again.
 
Frank Peng.
 

Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?

Posted by Gaël Lams <la...@gmail.com>.
> Now, in this procedure, there are 3 aliases, itcilo_ca, map-test and santiago, which I cannot understand.

imagination please: map-test was the name of my host at that time,
santiago was the name of one of the users used for the testing, itcilo
is the acronym of my organization, that's why I named my certificate
authority itcilo_ca  ;-)
> There already has an alias "tomcat" inside the keystore. Should we use it?
> ....
> P.S. I have created ,BAT file for each command. ....

I wrote what worked for me on my environment (SuSE 9.3, JRE 1.5, Tomcat 5.5.x).
You give no indication on the OS/Tomcat version/.... of your system
but you are talking about BAT files, so I imagine it's Windows, isn't
it? I've no idea whether what I did could work on Windows; it should
work on a Linux-based distribution. Anyway you really should try to read
again what I wrote and understand what I'm trying to do, because I
noticed a few typing mistakes in what I wrote, so copy-paste will not
work. Also modify it to correspond to your system (giving names that
make sense to you).

Kind regards

Gaël