Using Client Certificates in tomcat-4.0.1

2003-11-11 Thread Michael Jeffrey Tucker
Hi,

  I am prototyping a modification to an existing Tomcat system on Linux
that will now use client certificates for authentication, but I have been
having trouble getting to the point where connecting to the site with a
web browser prompts for a certificate. I have been incrementally building
up my web.xml and server.xml files, so it's possible that I missed
something, though I have done my best to keep them as simple as possible.

  Things appear to be working properly if I switch the auth-method field
of the web.xml file from CLIENT-CERT to BASIC and set the clientAuth field
in the appropriate Connector's Factory (in server.xml) to false. I am
currently using the org.apache.catalina.net.SSLServerSocketFactory class.

  If I want users to present a certificate, is it appropriate to have the
auth-method as CLIENT-CERT and the clientAuth field as true? Or am I
already hosed at that point? The behavior I am seeing is an immediate 404
error on IE6. Under Firebird I get a slightly more descriptive message --
it pops up a box that reports:

localbox has received an incorrect or unexpected message. Error Code:
-12227

Is there an existing HOWTO that describes in detail how to
configure Tomcat to require client certificates? If not, can anyone
suggest any example scripts that work?

Thanks,
Mike

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
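Editor's note, added to this archive and not part of the message above: the three configuration pieces the question touches, laid out for a Tomcat 4.0.x installation. The short answer is yes, auth-method CLIENT-CERT and clientAuth="true" belong together, because they act at different layers. clientAuth is read by org.apache.catalina.net.SSLServerSocketFactory and makes the JSSE server socket demand a certificate during the TLS handshake, so a browser that cannot offer one issued by a CA the server trusts is cut off before any HTTP status exists; that is what both symptoms in the question look like, and Mozilla's error code -12227 is NSS's SSL_ERROR_HANDSHAKE_FAILURE_ALERT, i.e. the server sent a handshake_failure alert. CLIENT-CERT then tells the web application to take the certificate the connector already verified and look its subject DN up in the realm. The keystore path and password, the role and realm names and the user entry are placeholders; the user name must be the DN exactly as the JVM prints it (the Owner: line of keytool -printcert, which turns the S= of the keytool -dname input into ST=), the tomcat-users.xml attribute names are those of Tomcat 4.0's MemoryRealm as I know it (later versions spell the attribute username=), and the CA that issued the client certificates must also be in the truststore JSSE consults, $JAVA_HOME/jre/lib/security/cacerts or the file named with -Djavax.net.ssl.trustStore, since the server only advertises and accepts certificates from those CAs.

```xml
<!-- server.xml, Tomcat 4.0.x: the HTTPS connector. clientAuth="true" makes the JSSE server
     socket require a client certificate during the TLS handshake; a browser that cannot offer
     one issued by a CA in the JVM truststore is dropped before any HTTP status is produced. -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           keystoreFile="/opt/tomcat/conf/server.keystore" keystorePass="changeit"
           clientAuth="true" protocol="TLS"/>
</Connector>

<!-- web.xml: CLIENT-CERT hands the certificate the connector verified to the realm; the
     CONFIDENTIAL guarantee keeps the protected URLs off plain HTTP, where no certificate exists. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client certificate realm</realm-name>
</login-config>

<!-- conf/tomcat-users.xml (Tomcat 4.0 MemoryRealm; later versions spell the attribute
     username=). With CLIENT-CERT the name looked up is the certificate's subject DN exactly
     as the JVM prints it (the Owner: line of keytool -printcert -file rruiz.cer); the
     password attribute is not consulted for this auth-method. -->
<tomcat-users>
  <user name="CN=rruiz, OU=InnerGrid, O=GridSystems, L=Palma, ST=Baleares, C=ES"
        password="" roles="cert-user"/>
</tomcat-users>
```

A quick check that the pieces line up: keytool -printcert on the client certificate must show an Issuer: whose certificate is in the truststore the JVM loads, and its Owner: line must match the user name character for character; if the browser never shows a certificate prompt at all, the issuer is missing from that truststore, because the server only lists the CAs it trusts when it asks for a certificate.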



Re: Client Certificates on Tomcat 3.3.1

2002-08-21 Thread Rodrigo Ruiz

Ok, a step forward

After some changes in my certificates, I have a client that successfully
sends its certificates to the server.

From the browser, it doesn't connect at all (no certificate pop-ups, and no
connection established).

Explorer requests now raise the following exception in Tomcat:

Thread-17, WRITE:  SSL v3.0 Handshake, length = 2825
Thread-17, READ:  SSL v3.0 Alert, length = 2
Thread-17, RECV SSLv3 ALERT:  warning, no_certificate
SSL -- handshake alert:  no_certificate
Thread-17, SEND SSL v3.0 ALERT:  fatal, description = handshake_failure
Thread-17, WRITE:  SSL v3.0 Alert, length = 2
PoolTcpEndpoint: Handshake failed
javax.net.ssl.SSLException: javax.net.ssl.SSLProtocolException: handshake
alert:  no_certificate
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.OutputStream.write(OutputStream.java:61)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
...

But my Java client does the handshake correctly. I am using the same
certificates in both cases; any idea about the problem with Explorer?

The java client is working with BASIC authorization level. It still doesn't
work with CLIENT-CERT.


Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Rodrigo Ruiz

Hi all,

I'm trying to setup a secure connection between Tomcat 3.3.1 and a java soap
client.

My soap service simply prints out some request data, and also the content of

request.getAttribute("javax.servlet.request.X509Certificate")

Following some example code I found on the Internet (I'm not sure this code
should function).

I have followed the instructions in the xml.apache.org FAQ, and generated
all certificates with keytool.

Firstly, I configured tomcat with clientAuth set to false, and used a basic
authentication scheme in my web-app. It worked fine. When connecting through
my client, the service prints the following info:

Authorization: BASIC
Remote User: tomcat
Secured: true
Principal: tomcat
No client certificate is available

If I set clientAuth to true, it still works, but it keeps showing the "No
client certificate is available" message.

The big problem comes when I configure my web-app to use CLIENT-CERT
authorization scheme.
It simply returns a 401 error code.

Can anyone help me, please?

Thanks in advance,
Rodrigo Ruiz Aguayo

PS: Following is the bat file I'm using to generate the keystores:

del server.keystore
del client.keystore

copy %JAVA_HOME%\jre\lib\security\cacerts .\server.keystore
copy %JAVA_HOME%\jre\lib\security\cacerts .\client.keystore

REM Change default passwords
keytool -storepasswd -keystore server.keystore -storepass changeit -new 123456
keytool -storepasswd -keystore client.keystore -storepass changeit -new 123456

REM Create server.keystore
keytool -genkey -alias tomcat-sv -dname "CN=neyade,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES" -keyalg RSA -keypass 123456 -storepass 123456 -keystore server.keystore
keytool -export -alias tomcat-sv -storepass 123456 -file server.cer -keystore server.keystore

REM Import server certificate as a trusted CA in the client keystore
keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass 123456 -storepass 123456

REM Create client keystore
keytool -genkey -alias rruiz -dname "CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES" -keyalg RSA -keypass 123456 -storepass 123456 -keystore client.keystore
keytool -export -alias rruiz -storepass 123456 -file rruiz.cer -keystore client.keystore

REM Import client certificate as trusted in the server keystore
keytool -import -v -trustcacerts -alias tomcat -file rruiz.cer -keystore server.keystore -keypass 123456 -storepass 123456






RE: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Tathagat (London)

okay, I have faced so many problems on this.. and finally could do it!
Please answer the following questions.

First question: The certificates that you are using on your machine (as
client), where do you get them from?

Second: When you connect to the server (https://localhost:8443 or whatever),
does your certificate pop up?

cheers
Tathagat



--
If you have received this e-mail in error or wish to read our e-mail 
disclaimer statement and monitoring policy, please refer to 
http://www.drkw.com/disc/email/ or contact the sender.
--






Re: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Rodrigo Ruiz


- Original Message -
From: Tathagat (London) [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, August 20, 2002 3:22 PM
Subject: RE: Client Certificates on Tomcat 3.3.1


 okay, I have faced so many problems on this.. and finally could do it!
 Please answer the following questions.

 First question: The certificates that you are using on your machine (as
 client), where do you get them from?

I create them with KeyMan from IBM. I have tried to create an X509 chain,
signed with my server key, and also a .PFX file with the same
characteristics. None seemed to work.
In fact, when I import the certificates into Explorer, it places them into
the Medium CA Providers tab, and not in the Personal repository. Is that ok?


 Second: When you connect the server (https://localhost:8443) or whatever),
 does your certificate pops up?

The browser only pops up the server certificate, not the client one.
It looks like it does not send my client certificate at all.










RE: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Tathagat (London)

ok,
what you have to do is put the certificate provider into your java's
security file.

keytool -import blah blah (options)

what you have to import are .PEM files which you get from the certificate
providers. Then IE will pop up your certificates. Please read the keytool
documentation on Sun's site and most things in my mail will become clear.

cheers
Tathagat


Re: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Rodrigo Ruiz

Tathagat, at this moment I am generating my own self-signed server and
client certificates :-P

I have no .pem files, as I don't rely on any third-party provider. The
keystore I am using in my server has the following entries:

thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry,

The last entry is my own server certificate.

From this point, using the KeyMan tool, I do this:

1. Create an empty keystore
2. Import the server certificate as a CA certificate into this new keystore
3. Create a new key pair
4. Create a .csr file
5. From the server keystore, create a certificate for this .csr (it creates
a .cer file with a X509 certificate chain)
6. Create a PKCS #12 token
7. Import the .cer created at point 5
8. Save the token (as a .pfx file)

Once I have this file, I import the server certificate in the trusted CA
provider store (I can do this directly from the pop-up window that shows the
browser on server connection).

Finally, I import the .pfx file into Explorer.

Is it enough to import the server certificate, or do I have to generate a
.pem file for my server certificate? If so, which tool should I use?

Now it seems to connect to the server, but it still receives an HTTP 401
error message.

My web-app has activated the CLIENT-CERT authentication scheme. If I relax
this to BASIC, all seems to work fine. The browser shows the user/password
dialog box, and I am in :-)

Could it be a problem related to the realm? How do you specify the list of
valid users? In CLIENT-CERT mode, you don't have user/password info.

Thanks a lot!

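Editor's note, an added example and not code from the thread: the program below reproduces, end to end, the situations Rodrigo describes in his messages above (the no_certificate/handshake_failure exchange in the Tomcat log, the 401 he gets as soon as the web-app is switched to CLIENT-CERT, and his question of how a realm lists valid users when there is no user/password). It is written in Go rather than Java because Go's standard library can mint the CA and the server and client certificates in memory, so it runs without keytool, KeyMan or any keystore files. The mapping to the thread is: the server's ClientAuth mode is the connector's clientAuth, the ClientCAs pool is the server truststore (the cacerts copy in the thread), and the realm map is tomcat-users.xml keyed by subject DN, which is how a CLIENT-CERT realm identifies the user. The CA name, the guest user and the soap-user role are constructed for the example. Two caveats are built in: the realm key has to be the DN string exactly as the server-side library prints it (Go's RFC 2253 form has no spaces, while a Java realm sees "CN=rruiz, OU=InnerGrid, ..." with ", " separators, so copy it from the server's own output rather than from the keytool -dname you typed), and under TLS 1.3 a client refused for lack of a certificate only learns it on the first read, not while connecting.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a certificate with a throwaway P-256 key: a self-signed CA when parent is the zero
// value, otherwise a leaf signed by parent. It stands in for the keytool/KeyMan steps in the thread.
func issue(subj pkix.Name, eku []x509.ExtKeyUsage, parent tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent was given
	if parent.Leaf == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Constructed fixtures: our own CA (the cacerts entry of the thread), a server cert and client certs.
var (
	clientEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	ca        = issue(pkix.Name{CommonName: "InnerGrid Test CA"}, nil, tls.Certificate{})
	srv       = issue(pkix.Name{CommonName: "localhost"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca)
	rruizDN   = pkix.Name{CommonName: "rruiz", OrganizationalUnit: []string{"InnerGrid"}, Organization: []string{"GridSystems"},
		Locality: []string{"Palma"}, Province: []string{"Baleares"}, Country: []string{"ES"}}
	rruiz = issue(rruizDN, clientEKU, ca)
	guest = issue(pkix.Name{CommonName: "guest"}, clientEKU, ca)
	rogue = issue(rruizDN, clientEKU, issue(pkix.Name{CommonName: "Some Other CA"}, nil, tls.Certificate{})) // same DN, untrusted issuer
	pool  = func() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.Leaf); return p }()               // server truststore
	// tomcat-users.xml analogue: the key must be the DN exactly as the server-side library prints it.
	realm = map[string][]string{"CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,ST=Baleares,C=ES": {"soap-user"}}
)

// exchange runs one loopback connection: mode plays the connector's clientAuth and certs is what the
// client can offer (none for a browser with nothing). Returns the server's reply, or the TLS error.
func exchange(mode tls.ClientAuthType, certs ...tls.Certificate) string {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv}, ClientAuth: mode, ClientCAs: pool}))
	defer ln.Close()
	go func() { // server side: TLS handshake, then the CLIENT-CERT realm lookup by subject DN
		tc := must(ln.Accept()).(*tls.Conn)
		defer tc.Close()
		if tc.Handshake() != nil { // the thread's "PoolTcpEndpoint: Handshake failed"
			return
		}
		peers := tc.ConnectionState().PeerCertificates
		if len(peers) == 0 { // TLS is fine, but CLIENT-CERT has nothing to work with
			fmt.Fprint(tc, "401 no client certificate presented")
		} else if roles, ok := realm[peers[0].Subject.String()]; ok {
			fmt.Fprintf(tc, "200 user=%s roles=%v", peers[0].Subject.CommonName, roles)
		} else {
			fmt.Fprintf(tc, "401 no realm user named %q", peers[0].Subject.String())
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: certs})
	if err != nil {
		return "rejected at TLS layer: " + err.Error()
	}
	defer conn.Close()
	buf := make([]byte, 256)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client certificate surfaces here, not in Dial
	if err != nil {
		return "rejected at TLS layer: " + err.Error()
	}
	return string(buf[:n])
}

func Demo() map[string]string {
	need := tls.RequireAndVerifyClientCert // clientAuth="true"
	return map[string]string{
		"no-cert":          exchange(need),                    // browser with nothing to offer
		"rogue-ca":         exchange(need, rogue),             // issuer missing from the server truststore
		"unknown-user":     exchange(need, guest),             // verified certificate, no realm entry
		"rruiz":            exchange(need, rruiz),             // verified certificate with a realm entry
		"clientauth-false": exchange(tls.NoClientCert, rruiz), // certificate never requested, like clientAuth="false"
	}
}

func main() { fmt.Println(Demo()) }
```

Run it with go run and the five outcomes separate the two layers: "no-cert" and "rogue-ca" never reach HTTP (that is the handshake_failure of the log above; a client only offers a certificate whose issuer appears in the CA list the server sends with its certificate request, so a client CA missing from the server truststore is one way to end up with the no_certificate alert), "unknown-user" and "clientauth-false" complete TLS and then get a 401 from the realm step (the symptom of switching to CLIENT-CERT with no matching realm entry, or with clientAuth still false), and only "rruiz" is let in with its roles.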




RE: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Tathagat (London)

1 thing is still unclear to me. DO YOU SEE THE CERTIFICATE POP UP WHEN YOU
CONNECT TO THE SERVER?

If not, you have to include your client-side certificate store in your
$JAVA_HOME\jre\lib\security\cacerts keystore, using keytool -import with
the -trustcacerts option.

I use:

keytool -import -alias drkw_root -file InvestmentBankCA_root.pem -trustcacerts -keystore cacerts -v

Tell me if you see the certificates already pop up when you connect to the
website, then I will try to find if anything else is going wrong.

cheers
Tathagat





RE: Client Certificates on Tomcat 3.3.1

2002-08-20 Thread Tathagat (London)

Also regarding the PEM file, I get it from the authority that generates my
certificates (for the whole of my organization). So I don't generate PEM
files. Please look on Google for how to get them yourself.

cheers
Tathagat

-Original Message-
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 17:54
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1


Tathagat, at this moment I am generating my own self-signed server and
client certificates :-P

I have no .pem files, as I don't rely on any third provider. The keystore I
am using in my server has the following entries:

thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry,

The last entry is my own server certificate.

From this point, using the KeyMan tool, I do this:

1. Create an empty keystore
2. Import the server certificate as a CA certificate into this new keystore
3. Create a new key pair
4. Create a .csr file
5. From the server keystore, create a certificate for this .csr (it creates
a .cer file with a X509 certificate chain)
6. Create a PKCS #12 token
7. Import the .cer created at point 5
8. Save the token (as a .pfx file)

Once I have this file, I import the server certificate in the trusted CA
provider store (I can do this directly from the pop-up window that shows the
browser on server connection).

Finally, I import the .pfx file into Explorer.

Is it enough importing the server certificate, or do I have to generate a
.pem file for my server certificate? If so, which tool should I have to use?

Now it seems to connect to the server, but it still receives an HTTP 401
error message.

My web-app has activated the CLIENT-CERT authentication scheme. If I relax
this to BASIC, all seems to work fine. The browser shows the user/password
dialog box, and I am in :-)

Could it be a problem related to the realm? How do you specified the list of
valid users? In CLIENT-CERT mode, you don't have user/password info.

Thanks a lot!

- Original Message -
From: Tathagat (London) [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, August 20, 2002 5:14 PM
Subject: RE: Client Certificates on Tomcat 3.3.1


 ok,
 what you have to do is put the certificate provider into your java's
 security file.

 keytool -import blah blah (options)

 what you have to import are .PEM files which you get from the
certificate
 providers. Then IE will popup your certificates. Please read keytool
 documentation on sun site and most things will be clear of my mail.

 cheers
 Tathagat



--
To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
For additional commands, e-mail:
mailto:[EMAIL PROTECTED]


--
If you have received this e-mail in error or wish to read our e-mail 
disclaimer statement and monitoring policy, please refer to 
http://www.drkw.com/disc/email/ or contact the sender.
--






Client Certificates with Tomcat

2002-07-16 Thread Tathagat (London)

Hi All,
I am working with Tomcat 4. I do all the steps provided in server.xml, viz.:
__
Step 2: Generate Client and Server Certificates
It is necessary to generate a Certificate for the client and the server.
These Certificates are then imported into a keystore, to which the client
and server connect. 
The keystore acts as a database for security certificates. 
You are going to use the keytool utility in the JDK to do these tasks (see
Sun's documentation for more information on this tool). 
Step 2a: Generate a Server Key and Certificate
Launch keytool from a shell (or command prompt) to generate your public and
private key. 
Note that the Certificate and keystore files will be generated in the
directory you run keytool from. 
Use keytool as follows: 
keytool -genkey -alias tomcat-sv \
  -dname "CN=[Common Name], OU=[Organisation Unit], O=[Organisation Name], L=[Locality], S=[State Name], C=[Two-Letter Country Code]" \
  -keyalg RSA -keypass [private key password] -storepass [keystore password] \
  -keystore [keystore file name]

For example, to generate a keystore (in file server.keystore) for server
soapsvr.test.tcd.ie using password changeit (for both the keystore and the
certificate) in the Computer Engineering group at Trinity College Dublin,
Ireland, one would type the following:

keytool -genkey -alias tomcat-sv \
  -dname "CN=soapsvr.test.tcd.ie, OU=ComputerEngineering, O=Trinity College Dublin, L=Dublin, S=Dublin, C=IE" \
  -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore

Note that 

The RSA algorithm is used to generate certificates. 
Ensure that the 'CN' field that you specify when you create the server
certificate matches the name of the machine on which you're running tomcat,
or your browser will complain about certificate name mis-matches (not a
problem on a test server, a big problem on a production server!). 
Step 2b: Export the Server Certificate
From command prompt run this command to export your certificate from the
keystore into an external file (we do this so we can import the certificate
into the client's keystore as a trusted certificate). 
keytool -export -alias tomcat-sv -storepass changeit -file server.cer \
  -keystore server.keystore


If everything works, you should now have a file called server.cer which
contains your server's certificate. 
Step 2c: Generate a Client Key and Certificate
This step is very similar to the generation of the server key and
certificate - it uses the same keytool tool with different parameters. 
Note that the keystore file name has changed (it is now client.keystore).
Use keytool as follows: 
keytool -genkey -alias tomcat-cl \
  -dname "CN=Client, OU=TRL, O=IBM, L=Yamato-shi, S=Kanagawa-ken, C=JP" \
  -keyalg RSA -keypass changeit -storepass changeit -keystore client.keystore

Step 2d: Export the Client Certificate
This step is very similar to the export of the server certificate - it uses
the same keytool tool with different parameters: 
keytool -export -alias tomcat-cl -storepass changeit -file client.cer \
  -keystore client.keystore


If everything works, you should now have a file called client.cer which
contains your client's certificate. 
Step 2e: Import the Certificates into the Keystores
We want the client certificate to be added to the server's keystore, and the
server's certificate to be added to the client's keystore. 
Doing this will mean that the client and server trust one another. 
Import the server certificate into the client's keystore:

keytool -import -v -trustcacerts -alias tomcat -file server.cer \
  -keystore client.keystore -keypass changeit -storepass changeit

Import the client certificate into the server's keystore:

keytool -import -v -trustcacerts -alias tomcat -file client.cer \
  -keystore server.keystore -keypass changeit -storepass changeit
__

as long as I keep clientAuth=false in server.xml it runs fine.

But when I make it true, it looks for the client certificate, which it
obviously can't find. How do I get the client certificate from the above?
What is client.cer then?

Any clues appreciated.

Thanks and Regards
Tathagat

GBS - Legal Services
Phone: +49 (0) 69 263 16854
Fax:  +49 (0) 69 263 16540
Mobile: +49 (0) 160 98589882
Private Email: [EMAIL PROTECTED]


