Re: Error to create the keystores
Hi.

Can you perform requests over SSL without client authentication? Is there a certificate installed in the browser signed by any root certificate in cacerts?

Regards.

jazorin wrote:
> Hi.
>
> I have a web server Tomcat 4.1.18 and it works fine. My problem is when I create the Tomcat keystore manually.
>
> I have created two Java methods: addCertToKeyStore and addPKToKeyStore.
>
> I perform the following steps to create my own keystore:
>
> - I add the CA certificate to the JDK keystore ($JAVA_HOME/jre/lib/security/cacerts).
> - I add the server certificate to the Tomcat keystore ($TOMCAT_HOME/conf/keystore).
> - I add the server private key to the Tomcat keystore.
>
> These steps work fine (I don't obtain any error).
>
> When I open a connection in a navigator I obtain the following error: Can't show the page.
>
> Am I making some error in configuring the keystores?
>
> Regards.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: JDBCRealm CLIENT-CERT Authentication
Hi,

I already use the CLIENT-CERT method and a suitable security-role. Might I have made a mistake during the build? How can it be ensured that Tomcat makes use of the new authenticate method?

thanks
Patrick

jazorin wrote:
> Hi.
>
> You need to add the following lines to the web.xml file:
>
>   <login-config>
>     <auth-method>CLIENT-CERT</auth-method>
>   </login-config>
>
> When you try to connect to the protected resource, the navigator will request a client certificate.
>
> Regards.
>
> --
>
> > Hi,
> >
> > I tried the following:
> >
> > + Add the method authenticate(...) to the file JDBCRealm.java
> > + build a Tomcat distribution
> > + replace the catalina.jar with the new version (on another machine)
> > + add <role-name>full DN</role-name> to the web.xml
> > + insert into table users ('DN','DN')
> > + insert into table user_roles ('DN','DN')
> >
> > Then I try to connect with a browser to the protected resource and the browser requests login and password.
> >
> > Any suggestions?
> >
> > thanks
> > Patrick
Re: JDBCRealm CLIENT-CERT Authentication
Hi,

I tried the following:

+ Add the method authenticate(...) to the file JDBCRealm.java
+ build a Tomcat distribution
+ replace the catalina.jar with the new version (on another machine)
+ add <role-name>full DN</role-name> to the web.xml
+ insert into table users ('DN','DN')
+ insert into table user_roles ('DN','DN')

Then I try to connect with a browser to the protected resource and the browser requests login and password.

Any suggestions?

thanks
Patrick

jazorin wrote:
> Hi.
>
> You can implement a JDBCRealm with client certificates by modifying the org.apache.catalina.realm.JDBCRealm class. You need to add the public Principal authenticate(X509Certificate[] cert) method. Inside, you have to include the following lines:
>
>   import java.security.cert.X509Certificate;
>
>   Connection dbConnection = null;
>   try {
>       // Obtain DN from client certificate.
>       String dn = cert[0].getSubjectDN().getName();
>       // Ensure that we have an open database connection
>       dbConnection = open();
>       // Acquire a Principal object for this user
>       Principal principal = authenticate(dbConnection, dn, dn);
>       // Release the database connection we just used
>       release(dbConnection);
>       // Return the Principal (if any)
>       return (principal);
>   } catch (SQLException e) {
>       // Log the problem for posterity
>       log(sm.getString("jdbcRealm.exception"), e);
>       // Close the connection so that it gets reopened next time
>       if (dbConnection != null)
>           close(dbConnection);
>       // Return not authenticated for this request
>       return (null);
>   }
>
> In authenticate(dbConnection, dn, dn): the first dn = name of user (login) and the second dn = credentials. These credentials can be the OU of the certificate, etc.
>
> With the previous example you have to put the full DN in the role-name of web.xml, and you need to create a user in the DB with username = full DN and credentials = full DN.
>
> Good luck!!
>
> At 16:44 13/03/2003 +0100, you wrote:
> > Hello,
> >
> > is it correct that only Memory- and JNDIRealm can perform the mapping between the DN included in a certificate and a user's role?
> >
> > Because of the lack of dynamic changes in MemoryRealm, I want to replace it with a JDBCRealm. Is there any information available on how to implement a JDBCRealm that authenticates users by CLIENT-CERT?
> >
> > thanks in advance
> > Patrick
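The scheme in the message above stores the full certificate DN as both user name and credentials, so the lookup succeeds only if the string in the users table is exactly the string the realm derives from the certificate, and the text returned by getSubjectDN().getName() depends on the security provider. The following is an added example, not part of the thread and not Tomcat code (the class name, the canonicalDn helper and the sample DNs are constructed), showing how one canonical rendering from javax.security.auth.x500.X500Principal removes that dependence on spacing:

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

// Added illustration, not Tomcat code. Class, helper and sample DNs are constructed.
public class DnLookupDemo {

    // One canonical spelling per DN: the same call should produce the value
    // written to the users table and the value looked up at login time.
    static String canonicalDn(String dn) {
        return new X500Principal(dn).getName(X500Principal.CANONICAL);
    }

    public static void main(String[] args) {
        // Constructed sample: the DN as typed into the users table.
        String stored = "CN=Patrick Example, OU=Dev, O=Example Org, C=DE";
        // Constructed sample: the same DN rendered without spaces after the commas.
        String presented = "CN=Patrick Example,OU=Dev,O=Example Org,C=DE";

        // Stand-ins for the users table: user name -> credentials (both the DN here).
        Map<String, String> rawTable = new HashMap<>();
        rawTable.put(stored, stored);
        Map<String, String> canonicalTable = new HashMap<>();
        canonicalTable.put(canonicalDn(stored), canonicalDn(stored));

        // Raw string comparison is sensitive to the rendering of the DN.
        System.out.println("raw lookup hit:       " + rawTable.containsKey(presented));
        // Canonical comparison matches the same subject regardless of rendering.
        System.out.println("canonical lookup hit: "
                + canonicalTable.containsKey(canonicalDn(presented)));
        System.out.println("canonical form:       " + canonicalDn(presented));

        // A different subject (other OU) must still miss after canonicalization.
        String other = "CN=Patrick Example, OU=Ops, O=Example Org, C=DE";
        System.out.println("other subject hit:    "
                + canonicalTable.containsKey(canonicalDn(other)));
    }
}
```

The same canonical string would also have to be used for the role name in web.xml and for the user_roles row, since both are compared as plain strings.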
JDBCRealm CLIENT-CERT Authentication
Hello,

is it correct that only Memory- and JNDIRealm can perform the mapping between the DN included in a certificate and a user's role?

Because of the lack of dynamic changes in MemoryRealm, I want to replace it with a JDBCRealm. Is there any information available on how to implement a JDBCRealm that authenticates users by CLIENT-CERT?

thanks in advance
Patrick
Realm Implementations and CLIENT-CERT Authentication
Hello,

is it correct that only Memory- and JNDIRealm can perform the mapping between the DN included in a certificate and a user's role?

Because of the lack of dynamic changes in MemoryRealm, I want to replace it with a JDBCRealm. Is there any information available on how to implement a JDBCRealm that authenticates users by CLIENT-CERT?

thanks in advance
Patrick