Re: SSL Client authentication
It sounds like your client is trying to send a self-signed cert (which won't work). The client needs to send a cert that is signed by somebody in the TrustStore.

tkassem [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Hi All,
>
> Using jboss-3.2.3-tomcat 4.1.29, I've got both server and client authentication fully working. Using the same keystore and with clientAuth set to false, everything works fine, but when I set clientAuth to 'true', the server fails to authenticate my client.
>
> My connector in .../jbossweb-tomcat.sar/META-INF/jboss-service.xml is...
>
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="5"
>                scheme="https" secure="true">
>       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile="/opt/local/.keystore" keystorePass="picalo"
>                clientAuth="true" protocol="SSLv3"/>
>     </Connector>
>
> The log file error indicates the handshake failed - 'null cert chain'.
>
> Any help.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: ssl client authentication drives me crazy
This article solved everything for me: http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html

Follow it to the letter and you will get it to work. Trust me.

> From: Twan Munster [EMAIL PROTECTED]
> Reply-To: Twan Munster [EMAIL PROTECTED]
> To: Tomcat Users List [EMAIL PROTECTED]
> Subject: ssl client authentication drives me crazy
> Date: Tue, 14 Oct 2003 09:33:26 +0200
>
> Hello,
>
> With Apache, client authentication was so simple. Now my boss wants to use it for smartcard login and I have to use Tomcat with Cocoon. That's why I need the client authentication with SSL to work. But I just can't fix it; can anyone please help me? All examples won't work; I always get errors like "Unsupported SSL v2.0 ClientHello", "no cipher suites in common" and "handshake error".
>
> Can somebody please tell me how to use keytool? I've got the following certificates and I use them in Apache like this:
>
> 1. server.crt = server certificate
> 2. ca.crt = chain certificate
> 3. ca-bundle.crt = lots of certificates for client authentication
> 4. server.key = I really don't know how to get this one in keytool
>
> Thnx
> Twan Munster
Re: ssl client authentication drives me crazy
Hi,

And also when I use those self-signed certificates, it won't work; always the same errors: "Unsupported SSL v2.0 ClientHello", "no cipher suites in common" and "handshake error". What can it be??? Something wrongly configured? This is my server.xml:

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true" useURIValidationHack="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="true" keystoreFile="c:/server.keystore"
               keystorePass="changeit"/>
    </Connector>

----- Original Message -----
From: Kenneth Westelinck [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 9:40 AM
Subject: Re: ssl client authentication drives me crazy

> This article solved everything for me: http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html
>
> Follow it to the letter and you will get it to work. Trust me.
Re: ssl client authentication again
The Tomcat 5 docs have an example for this: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

Since it's just about setting up the KeyStore, this section applies to Tomcat 4 (or even Tomcat 3 :) as well.

Twan Munster [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Hello,
>
> I've worked around it using apache+mod_ssl, but I'm running into several problems now, so please can somebody help me with the next problem:
>
> I've always used Apache HTTP server for client authentication with SSL. I've installed Tomcat now for my JSPs. But I'm not able to get the SSL client authentication working. The problem is getting my existing certificates working in Tomcat. In Apache HTTP server it was very easy: I configured all the stuff in my httpd.conf. I also tried to get Tomcat working with keytool, but there's something I do wrong. I always get a handshake error.
>
> Can somebody please tell me how to use keytool? I've got the following certificates:
>
> 1. server.crt = server certificate
> 2. ca.crt = chain certificate
> 3. ca-bundle.crt = lots of certificates for client authentication
> 4. server.key = I really don't know how to get this one in keytool
>
> Thnx
> Twan Munster
Re: SSL Client authentication: what goes in tomcat-users.xml?
Christopher Williams [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Following the advice from this link
> http://books.mcgraw-hill.com/betabooks/aug02/taylor/0072225653_ch10.html
> I tried to get SSL client authentication to work by setting the following entry in tomcat-users.xml:
>
>     <user username="CN=x, OU=y, O=z, L=a, S=b, C=c" password="" roles="user"/>
>
> where x, y, z, etc. have real but unimportant values. Evidently Tomcat somehow matches the distinguished name from my certificate against an entry in the users file, presumably to establish the user's role. If it fails to make a match, no authentication takes place which, I guess, is why I was able to access protected pages but getUserPrincipal() was returning null.
>
> However, when I start Tomcat I get the error:
>
>     GlobalResourcesLifecycleListener: Exception creating UserDatabase MBeans for UserDatabase
>     javax.management.MalformedObjectNameException: ObjectName: Invalid (key,value) pair - username=CN=x

The correct value to use is the string value of the Certificate Subject. However, only the MemoryRealm (of the standard Tomcat Realms) works with CLIENT-CERT authentication. So you have to disable the default DatasourceRealm and enable the MemoryRealm. You also have to (at least in 4.1.27 and lower) disable the Datasource under the GlobalResources. This is because it will attempt to write back the tomcat-users.xml file without escaping the attribute values (resulting in invalid XML). Then (after fixing the damage that Tomcat has already done to your file :), what you have should work.

> So, what do I put in tomcat-users.xml to get client certificate authentication to work? Do I have to escape the '=' signs in some way?

The main thing that you have to escape is quote ('"') characters. For example, Verisign-issued certs typically have an entry like O="Verisign, Inc.". You need to render this as O=&quot;Verisign, Inc.&quot;.

> TIA (as I really want to put this issue to bed),
> Chris Williams.
>
> P.S. If somebody tells me to read the FAQ, please specify WHICH FAQ. I've read hundreds over the past few days trying to get to the bottom of CLIENT-CERT auth.
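Building the tomcat-users.xml entry this message discusses, as an added example (not code from the thread or from Tomcat): it assumes the username is the certificate subject rendered as a string, uses constructed sample subjects, and shows why the quote in a value such as O="Verisign, Inc." must become &quot; while the '=' signs need nothing.

```python
"""Render tomcat-users.xml entries for CLIENT-CERT authentication.

Added example, not from the mailing-list thread.  Assumption: the MemoryRealm
matches the certificate subject string against the username attribute and
reads the file back as ordinary XML, so the only thing that needs care is
XML attribute escaping.  All subject strings below are constructed samples.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def attr_escape(value: str) -> str:
    """Escape text for use inside a double-quoted XML attribute.

    '=' and ',' are ordinary characters inside an attribute value; only
    '&', '<', '>' and '"' are rewritten.  The quote becomes &quot;, which is
    what a Verisign-style subject such as  O="Verisign, Inc."  needs.
    """
    return escape(value, {'"': "&quot;"})


def tomcat_user_entry(subject_dn: str, roles, password: str = "") -> str:
    """Render one <user/> element whose username is the certificate subject."""
    return '<user username="{}" password="{}" roles="{}"/>'.format(
        attr_escape(subject_dn), attr_escape(password), attr_escape(",".join(roles))
    )


def tomcat_users_xml(entries) -> str:
    """Render a complete tomcat-users.xml from (subject, roles) pairs."""
    lines = ["<?xml version='1.0' encoding='utf-8'?>", "<tomcat-users>"]
    lines += ["  " + tomcat_user_entry(dn, roles) for dn, roles in entries]
    lines.append("</tomcat-users>")
    return "\n".join(lines)


def is_well_formed(xml_text: str) -> bool:
    """True if a realm could parse the file at all.

    This is the failure mode described in the thread: a quote written through
    unescaped turns the whole file into invalid XML.
    """
    try:
        ET.fromstring(xml_text.encode("utf-8"))
        return True
    except ET.ParseError:
        return False


def usernames_from_xml(xml_text: str):
    """Parse the file back the way a realm would and return the usernames."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [user.get("username") for user in root.findall("user")]


if __name__ == "__main__":
    # Constructed sample subjects: the placeholder one from the thread and a
    # Verisign-style one whose O= value contains a comma and is quoted.
    subjects = [
        ("CN=x, OU=y, O=z, L=a, S=b, C=c", ["user"]),
        ('CN=Jane Doe, OU=Class 1, O="Verisign, Inc.", C=US', ["user", "admin"]),
    ]
    good = tomcat_users_xml(subjects)
    print(good)
    assert usernames_from_xml(good) == [dn for dn, _ in subjects]

    # Writing the quote back unescaped (what an unpatched realm did) breaks it.
    bad = good.replace("&quot;", '"')
    print("unescaped file parses:", is_well_formed(bad))  # False
```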
Re: SSL Client authentication woes
Christopher Williams [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> My setup:
>   Windows XP Pro
>   JDK 1.4.1
>   JWSDP 1.0
>
> I'm hoping to get SSL client authentication working for web services. I set up Tomcat for SSL ages ago and it works fine. However, I run into multiple problems when I attempt to use SSL client authentication.
>
> I have enabled client authentication by changing the value of clientAuth in server.xml to true. I removed all security-constraint and login-config entries from my web.xml as they didn't appear to have any effect (question: am I right to do so? I've done my research on the web and there are no consistent instructions for what to do).

Tomcat currently has only very light support for this, but this is orthogonal to your current problem.

> When I access https://localhost:8443/ in Internet Explorer, I get notified that a private key is being used and the server home page displays fine. However, when I first access the page, the following stack trace appears on Tomcat's console:
>
>     PoolTcpEndpoint: Handshake failed
>     javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>     ...
>     Caused by: java.io.EOFException: SSL peer shut down incorrectly
>             at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
>     ... 7 more
>     ThreadPool: Caught exception executing [EMAIL PROTECTED], terminating thread
>     java.lang.NullPointerException
>             at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
>     ...
>
> Does anybody know what the problem is here?

Tomcat obviously doesn't like your client-cert, or (more likely) you don't have any. By default, only Verisign/Thawte-signed client certs are recognized (at least with Sun's JVM). If this is your problem, then you need to set up a TrustStore (or import the signer into cacerts). Searching the archives for 'TrustStore' will give you an answer faster than waiting on me.

> The second thing is, I want to know who's accessing pages and web services. That's the whole point of authentication, right? However, when SSL client authentication is in force, the following calls all return null:
>
>     request.getUserPrincipal()
>     request.getRemoteUser()
>     request.getAttribute("javax.servlet.request.X509Certificate")
>     request.getAttribute("org.apache.coyote.request.X509Certificate")
>
> This seems most bizarre. At some point these calls must return non-null values as they are used in org.apache.catalina.authenticator.SSLAuthenticator. Does anybody know whether there are any server settings to make these calls return the correct values?
>
> Ideally, I would like to have just one or two URL-patterns protected by SSL, like you do with HTTP authentication, rather than it being all or nothing. Is this possible with Tomcat?

This is in the FAQ.

> Kind regards,
> Chris Williams.
Re: SSL client authentication
Personally, I think that the easiest way to move an Apache cert to a Tomcat cert is to export it to a pkcs12 file and use that as the keystore (of course, setting keystoreType="pkcs12" on the Factory element). Using OpenSSL, something like:

    $ openssl pkcs12 -export -chain -inkey server.key -in server.crt -CAfile ca.crt \
          -name tomcat -caname root -out server.p12

Twan Munster [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Hello,
>
> I've always used Apache HTTP server for client authentication with SSL. I've installed Tomcat now for my JSPs. But I'm not able to get the SSL client authentication working. The problem is getting my existing certificates working in Tomcat. In Apache HTTP server it was very easy: I configured all the stuff in my httpd.conf. I also tried to get Tomcat working with keytool, but there's something I do wrong. I always get a handshake error.
>
> Can somebody please tell me how to use keytool? I've got the following certificates:
>
> 1. server.crt = server certificate
> 2. ca.crt = chain certificate
> 3. ca-bundle.crt = lots of certificates for client authentication
> 4. server.key = I really don't know how to get this one in keytool
>
> Thnx
> Twan Munster
Re: SSL client authentication with tomcat 4.1.24
It works! Thank you

----- Original Message -----
From: Bill Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, June 07, 2003 5:33 AM
Subject: Re: SSL client authentication with tomcat 4.1.24

> I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte (to verify this, search the java.sun.com site). To allow OpenExchange-signed certs, you need to get the signing cert (not hard), and import it into cacerts.
Re: SSL client authentication with tomcat 4.1.24
I'm still having trouble with my setup. These are my keystore entries:

    Tipo keystore: jks
    Provider keystore: SUN

    Il keystore contiene 3 entry

    scai, 10-giu-2003, keyEntry,
    Impronta digitale certificato (MD5): D5:FC:34:5E:12:03:CD:29:84:18:C9:4C:33:07:6C:5D
    _dgripbmo, 10-giu-2003, trustedCertEntry,
    Impronta digitale certificato (MD5): F5:ED:E9:B2:D9:71:F9:B6:6F:E9:39:27:4D:0A:A4:F7
    dumarolando, 10-giu-2003, trustedCertEntry,
    Impronta digitale certificato (MD5): E6:8D:22:29:5C:33:20:52:10:75:6A:8E:5D:03:4C:B3

The second item is the CA certificate that signs my personal certificate; the last is my personal certificate, present also in my IE Personal certificates tab. If nothing is missing and the browser still pops up an empty personal certificate list, maybe there is a problem with the cryptographic providers or with the encryption algorithms used? As a note, my personal certificate is stored on a Gemplus smartcard connected with a USB reader; all works fine if I connect to an Apache server with mod_ssl.

----- Original Message -----
From: Bill Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, June 07, 2003 5:33 AM
Subject: Re: SSL client authentication with tomcat 4.1.24

> I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte (to verify this, search the java.sun.com site). To allow OpenExchange-signed certs, you need to get the signing cert (not hard), and import it into cacerts.
Re: SSL client authentication with tomcat 4.1.24
You have to import the root CA into the Java cacerts keystore. Assuming a Windows Java installation in C:\j2sdk, the location is:

    C:\j2sdk\jre\lib\security\cacerts

Using

    cd C:\j2sdk\jre\lib\security
    keytool -import -keystore cacerts -storepass changeit -file the-root-ca.cer

did the job for me.

Mario

----- Original Message -----
From: Duma Rolando [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 9:24 AM
Subject: Re: SSL client authentication with tomcat 4.1.24

> I'm still having trouble with my setup. These are my keystore entries:
>
>     Tipo keystore: jks
>     Provider keystore: SUN
>
>     Il keystore contiene 3 entry
>
>     scai, 10-giu-2003, keyEntry,
>     Impronta digitale certificato (MD5): D5:FC:34:5E:12:03:CD:29:84:18:C9:4C:33:07:6C:5D
>     _dgripbmo, 10-giu-2003, trustedCertEntry,
>     Impronta digitale certificato (MD5): F5:ED:E9:B2:D9:71:F9:B6:6F:E9:39:27:4D:0A:A4:F7
>     dumarolando, 10-giu-2003, trustedCertEntry,
>     Impronta digitale certificato (MD5): E6:8D:22:29:5C:33:20:52:10:75:6A:8E:5D:03:4C:B3
>
> The second item is the CA certificate that signs my personal certificate; the last is my personal certificate, present also in my IE Personal certificates tab. If nothing is missing and the browser still pops up an empty personal certificate list, maybe there is a problem with the cryptographic providers or with the encryption algorithms used? As a note, my personal certificate is stored on a Gemplus smartcard connected with a USB reader; all works fine if I connect to an Apache server with mod_ssl.
Re: SSL client authentication with tomcat 4.1.24
It works, thanks a lot for your help.

----- Original Message -----
From: Mario Ivankovits [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 9:36 AM
Subject: Re: SSL client authentication with tomcat 4.1.24

> You have to import the root CA into the Java cacerts keystore. Assuming a Windows Java installation in C:\j2sdk, the location is:
>
>     C:\j2sdk\jre\lib\security\cacerts
>
> Using
>
>     cd C:\j2sdk\jre\lib\security
>     keytool -import -keystore cacerts -storepass changeit -file the-root-ca.cer
>
> did the job for me.
>
> Mario
RE: SSL client authentication with tomcat 4.1.24
You need to import your personal certificate into your browser.

In IE:
  Select 'Internet Options' from the Tools menu
  Select the Content tab
  Press the Certificates button
  This takes you to the screen showing all your certificates
  Select the 'Personal' tab
  Press Import to import your certificate

Andy

-----Original Message-----
From: Duma Rolando [mailto:[EMAIL PROTECTED]
Sent: 06 June 2003 11:31
To: Tomcat Mailing List
Subject: SSL client authentication with tomcat 4.1.24

> Is there anyone that has a running Tomcat 4.1.24 standalone server with SSL and clientAuth=true? My current config doesn't work (i.e. Internet Explorer doesn't display my personal certificate, Mozilla displays an error message). I tried with only one SSL connector on port 443 and also with an HTTP connector on port 80, without success. I would like to know if I'm wasting time or there are success stories about this in this community.
Re: SSL client authentication with tomcat 4.1.24
I have already imported my certificate. This is correctly shown if I connect to an Apache + mod_ssl server with the SSLVerifyClient require directive, so I think the problem belongs to the Tomcat SSL implementation or its configuration. That's why I'm looking for people with positive experience on this kind of setup.

----- Original Message -----
From: Bodycombe, Andrew [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 12:58 PM
Subject: RE: SSL client authentication with tomcat 4.1.24

> You need to import your personal certificate into your browser.
>
> In IE:
>   Select 'Internet Options' from the Tools menu
>   Select the Content tab
>   Press the Certificates button
>   This takes you to the screen showing all your certificates
>   Select the 'Personal' tab
>   Press Import to import your certificate
>
> Andy
Re: SSL client authentication with tomcat 4.1.24
For me, it looks like some certificates can't be read by tomcat/ssl. So, my Thawte FreeMail Member certificate works, but the certificate generated by SuSE OpenExchange won't work. I haven't figured out what the difference could be for now.

Mario

----- Original Message -----
From: Duma Rolando [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 1:40 PM
Subject: Re: SSL client authentication with tomcat 4.1.24

> I have already imported my certificate. This is correctly shown if I connect to an Apache + mod_ssl server with the SSLVerifyClient require directive, so I think the problem belongs to the Tomcat SSL implementation or its configuration. That's why I'm looking for people with positive experience on this kind of setup.
RE: SSL client authentication with IE 6.0
Duma, the list of certificates is empty! This means that you don't have a client certificate on your client machine.

-Original Message-
From: Duma Rolando [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 9:31 AM
To: Tomcat Mailing List
Subject: SSL client authentication with IE 6.0

I'm running Tomcat 4.1.24 standalone with SSL client authentication enabled. When I try to access the server, Internet Explorer 6.0 pops up a window that asks me which certificate will be used for client authentication, but the list of certificates is empty! I've tested my browser on Apache with mod_ssl and client authentication, and IE pops up the same window, but in this case my personal certificate is present. This is the only Tomcat connector configured on my PC:

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8080" minProcessors="15" maxProcessors="25"
           enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="C:/.keystore" keystorePass="xx"/>
</Connector>

Thanks for your help.
Re: SSL client authentication with tomcat 4.1.24
I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte (to verify this, search the java.sun.com site). To allow OpenExchange-signed certs, you need to get the signing cert (not hard) and import it into cacerts.

Mario Ivankovits [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
For me, it looks like some certificates can't be read by Tomcat/SSL. So, my Thawte FreeMail Member certificate works, but the certificate generated by SuSE OpenExchange won't work. I haven't figured out what the difference could be for now.

Mario
Re: SSL Client authentication with standalone Tomcat
Wolfgang Stein [EMAIL PROTECTED] writes:
As far as I understand the client-auth handshake, the server sends a list of trusted CAs to the client. This list is taken from JAVA_HOME_set_in_your_tomcat\lib\security\cacerts. So you have to import your CA cert into that file, instead of your .keystore. There is no need to import the client cert into cacerts or keystore.

First, sorry for not responding earlier to this thread. My laptop died and stopped my forward momentum for a few days.

This solved my problem; I had thought I needed to do something like that, but hadn't known how, exactly. Thanks a lot!

-- Brian Palmer
Whoever fights monsters should see to it that in the process he does not become a monster. And when you look long into an abyss, the abyss also looks into you - Nietzsche

-- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED]
RE: SSL Client authentication with standalone Tomcat
Hi,

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Palmer
Sent: Tuesday, February 26, 2002 12:58 PM
To: [EMAIL PROTECTED]
Subject: SSL Client authentication with standalone Tomcat

I'm trying to set up, for a simple project, client authentication and CA abilities, using standalone Tomcat and OpenSSL. I'm not having luck. The short version is, when I enable clientAuth, I am unable to connect to the server, getting various messages (in Mozilla 0.9.8, I get no error messages but the page will not load; using openssl s_client I get a write error).

Forgive me in advance for this long message, but my hope is that by explicitly stating what I'm doing, it will be easy for someone more experienced to see where I'm going wrong. I've spent much of the last 2 days searching online for information and trying different approaches; most of the problems/solutions don't give a lot of details. I've done the following:

Step 1: Generate the Tomcat request for certificate
    keytool -genkey -alias tomcat -keyalg RSA
    keytool -certreq -alias tomcat -file my.csr

Step 2: Generate the CA certificate
    openssl req -new -newkey rsa:512 -nodes -out ca.req -keyout ca.key
    openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.req -out ca.crt

Step 3: Sign the Tomcat request to generate the Tomcat certificate
    openssl x509 -CA ca.crt -CAkey ca.key -in my.csr -out my.crt -req -CAcreateserial

Step 4: Import both into my keystore
    keytool -import -file ca.crt -alias RootCert
    keytool -import -file my.crt -alias tomcat

I'm not sure it's necessary, but I'd import the last certificate with the following command:
    keytool -import -trustcacerts -file my.crt -alias tomcat

I can then stop and restart Tomcat, and non-client-authenticated https works. I then go on to

Step 5: Generate a client certificate
    openssl req -new -newkey rsa:512 -nodes -out client.req -keyout client.key
    openssl x509 -CA ca.crt -CAkey ca.key -req -in client.req -out client.crt

I then enable clientAuth=true, and try to connect to Tomcat using the openssl s_client:
    openssl s_client -cert client.crt -key client.key -connect localhost:8443

and get the following output:
    CONNECTED(0003)
    depth=1 /C=US/ST=California/L=Stanford/O=Stanford University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    write:errno=104

Any ideas? Or ideas on how to debug this? (I'm coming up against a deadline, so any hints much appreciated)

And I bet the client certificate should be signed in a specific way. Some guys mentioned that you can find some help at the OpenSSL site.

-- Brian Palmer
Whoever fights monsters should see to it that in the process he does not become a monster. And when you look long into an abyss, the abyss also looks into you - Nietzsche

Anton
Re: SSL Client authentication with standalone Tomcat
Imagine an online banking system with some thousand clients: I can't believe that you have to import each client cert into the keystore file.

If you start Tomcat with the -Djavax.net.debug=all option you should be able to verify that Tomcat initially sends a list of trusted CAs taken from the cacerts file. This file should contain one CA (or more) that signed a client certificate signing request (or groups of them).

But Anton Brazhnyk's suggestion could be an alternative way. If anybody succeeded in establishing the SSL client cert handshake after importing client certs into the keystore file only, please let us know.

Regards, Wolfgang

Anton Brazhnyk wrote:
I'm not sure it's necessary, but I'd import the last certificate with the following command:
    keytool -import -trustcacerts -file my.crt -alias tomcat

Wolfgang Stein wrote:
As far as I understand the client-auth handshake, the server sends a list of trusted CAs to the client. This list is taken from JAVA_HOME_set_in_your_tomcat\lib\security\cacerts. So you have to import your CA cert into that file, instead of your .keystore. There is no need to import the client cert into cacerts or keystore.
RE: SSL Client authentication with standalone Tomcat
Hi Wolfgang,

-Original Message-
From: Wolfgang Stein [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 3:19 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL Client authentication with standalone Tomcat

Imagine an online banking system with some thousand clients: I can't believe that you have to import each client cert into the keystore file. If you start Tomcat with the -Djavax.net.debug=all option you should be able to verify that Tomcat initially sends a list of trusted CAs taken from the cacerts file. This file should contain one CA (or more) that signed a client certificate signing request (or groups of them). But Anton Brazhnyk's suggestion could be an alternative way. If anybody succeeded in establishing the SSL client cert handshake after importing client certs into the keystore file only, please let us know.

Actually I meant importing the server certificate, since there wasn't -trustcacerts in the statement with -alias tomcat. And, well, I'm not sure again... :) The client cert should be signed with the certificate of the server (not just with the CA certificate).

Regards, Wolfgang

Anton
Re: SSL Client authentication with standalone Tomcat
The client browser scans his (previously imported) client certs for a matching cert isssuer/signer and sends (?) this to the server.

This part should read:

The client browser scans his (previously imported) client certs for a matching cert issuer/signer, fills / pops up a choice dialog box to select a client cert from, and sends (?) the user's selection back to the server. This choice box was usually empty in MS IE. Read my previous posting "Any success with Tomcat 4.0.2 and client certificates in MS IE?"

Wolfgang Stein wrote:
As far as I understand the client-auth handshake, the server sends a list of trusted CAs to the client. This list is taken from JAVA_HOME_set_in_your_tomcat\lib\security\cacerts. So you have to import your CA cert into that file, instead of your .keystore. There is no need to import the client cert into cacerts or keystore. The client browser scans his (previously imported) client certs for a matching cert isssuer/signer and sends (?) this to the server. You will face a difference in the comparison of the CA certs between Netscape / MS IE.

Regards, Wolfgang

-Original Message-
From: Brian Palmer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 26 February 2002 11:58
To: [EMAIL PROTECTED]
Subject: SSL Client authentication with standalone Tomcat
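The handshake Wolfgang describes (server sends its list of trusted CAs, the client offers only a certificate whose issuer is on that list, the server then verifies the chain against its truststore) can be reproduced with Go's crypto/tls. This is an added example, not code from this thread, from Tomcat or from JSSE: mkCert and clientAuthHandshake are assumed helper names, the ClientCAs pool stands in for cacerts/the truststore, and all certificates are generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// mkCert (assumed helper, not Tomcat code) issues a key and certificate for cn, signed by parent, or self-signed when parent is nil.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:        isCA, BasicConstraintsValid: true, DNSNames: []string{"localhost"},
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientAuthHandshake runs one TLS handshake over an in-memory pipe. The server demands a client
// certificate and verifies it against trustedCA only (the job of Tomcat's cacerts/truststore);
// the server's verdict is returned, nil meaning the client was accepted.
func clientAuthHandshake(trustedCA, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey,
	cliCert *x509.Certificate, cliKey *ecdsa.PrivateKey) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert, // the intent of clientAuth="true"
		ClientCAs:              pool,                           // the CA list sent in CertificateRequest
		SessionTicketsDisabled: true,                           // no post-handshake writes on the pipe
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "localhost",
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}}
	c, s := net.Pipe()
	defer s.Close() // also ends the client goroutine's Read once the server has decided
	cli, srv := tls.Client(c, cliCfg), tls.Server(s, srvCfg)
	go func() {
		if cli.Handshake() == nil {
			cli.Read(make([]byte, 1)) // drain the server's alert, if any, so its write cannot block the pipe
		}
		c.Close()
	}()
	return srv.Handshake()
}
```

A client certificate issued by the trusted CA is accepted; a self-signed one, or one issued by a CA that is not in the pool, is rejected, and since its issuer is not on the CA list the server sent, the Go client does not even offer it, which is the same filtering that leaves IE's certificate choice box empty.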
Re: SSL client authentication with Tomcat
Hi, when you say this feature is not supported in Tomcat 3.x, do you also mean that it is not available either for Apache+Tomcat 3.1? Thanks in advance.

This feature is not supported in Tomcat 3.x presently, although it is available in Tomcat 4.0 (pre-alpha nightly builds currently available).

Craig McClanahan

Hi to all! Does anybody know whether there is the possibility to access the SSL client certificate variables from a servlet running in Tomcat? Thanks to all of you!