Posted to users@tomcat.apache.org by "Balgeman, Timothy E (Tim)" <ba...@alcatel-lucent.com> on 2008/09/08 18:49:04 UTC

SSL https clientAuth debugging assistance

We have just started using Tomcat.  We are using version 5.5.26.

I was able to set up Tomcat and get it running with our application.  I
also have enabled SSL:
   <Connector port="18443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore" keyAlias="tomcat" />

I have one user that needs us to authenticate their client.  I have
this working on our development system (added their certificate to our
keystore) but following the same process to our test box is failing.
The client (which I don't have access to) is giving a very generic error
message.

Is there a way that I can see why the client is failing the connection
(i.e. certificate doesn't match client, certificate expired, ...) or get
more debugging information from the Tomcat side?

Thanks
Tim

RE: SSL https clientAuth debugging assistance

Posted by "Balgeman, Timothy E (Tim)" <ba...@alcatel-lucent.com>.
Thank you Martin for your reply.

I installed the log4j and it is logging information when I shut down
Tomcat, but no other time.  I have also tried messing with the
java.util.logging but am getting nowhere with that.

I am using the default log4j.properties as mentioned on the tomcat web
pages.  I expected more stuff in the log file and was hoping for SSL
connection information.  Am I off base?
Tim



-----Original Message-----
From: Martin Gainty [mailto:mgainty@hotmail.com] 
Sent: Monday, September 08, 2008 12:43 PM
To: Tomcat Users List
Subject: RE: SSL https clientAuth debugging assistance


implement a logger so you can trace what's going on
http://tomcat.apache.org/tomcat-5.5-doc/logging.html

also in %TOMCAT_HOME%/conf/server.xml crank up the debug attribute on your
<Connector> statement
debug="5"
http://tomcat.apache.org/tomcat-4.0-doc/config/http11.html
and you'll see lots of messages in tomcat console

HTH
Martin 

RE: SSL https clientAuth debugging assistance

Posted by Martin Gainty <mg...@hotmail.com>.
implement a logger so you can trace what's going on
http://tomcat.apache.org/tomcat-5.5-doc/logging.html

also in %TOMCAT_HOME%/conf/server.xml crank up the debug attribute on your <Connector> statement
debug="5"
http://tomcat.apache.org/tomcat-4.0-doc/config/http11.html
and you'll see lots of messages in tomcat console

HTH
Martin 
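
Added example, not part of the original thread and not Tomcat project code: the setup works on the development system but fails on the test box after the same import steps, so one server-side check is to compare what each keystore actually contains. The function names, aliases other than "tomcat", and fingerprints are constructed for illustration.

```shell
# Added example: diff the certificate entries of two keystore listings.
# Each input file is the saved output of: keytool -list -v -keystore conf/keystore
# Sample listings are constructed and trimmed; real ones carry more lines per entry.

# Emit "alias<TAB>SHA1" for each entry of a `keytool -list -v` listing on stdin.
keystore_fingerprints() {
    awk '
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); alias = $0 }
        /SHA1:/        { sub(/^.*SHA1:[ \t]*/, ""); print alias "\t" $0 }
    ' | sort
}

# $1 = listing from the working host, $2 = listing from the failing host.
compare_keystores() {
    ref=$(mktemp) && cur=$(mktemp) || return 1
    keystore_fingerprints < "$1" > "$ref"
    keystore_fingerprints < "$2" > "$cur"
    awk -F '\t' '
        FILENAME == ARGV[1] { want[$1] = $2; next }
        { seen[$1] = 1
          if (!($1 in want))       print "EXTRA " $1
          else if (want[$1] != $2) print "MISMATCH " $1 }
        END { for (a in want) if (!(a in seen)) print "MISSING " a }
    ' "$ref" "$cur" | sort
    rm -f "$ref" "$cur"
}

sample_dev() { cat <<'EOF'
Alias name: tomcat
         SHA1: 10:20:30:40
Alias name: partner-ca
         SHA1: AA:BB:CC:DD
Alias name: partner-client
         SHA1: 01:02:03:04
EOF
}

sample_test() { cat <<'EOF'
Alias name: tomcat
         SHA1: 10:20:30:40
Alias name: partner-client
         SHA1: 0F:0E:0D:0C
EOF
}

d=$(mktemp); t=$(mktemp)
sample_dev > "$d"; sample_test > "$t"
compare_keystores "$d" "$t"    # lists aliases to re-check on the failing host
rm -f "$d" "$t"
```

A MISMATCH line means the alias exists on both hosts but holds a different certificate; a MISSING line means the entry was never imported on the failing host.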