Hi Bill,

Thanks for answering.

I did solve the problem. My client certificate is not self-signed (as I pointed out in 2.-4.). So I have a certificate signed by my CA. The problem was solved by setting the CATALINA_OPTS system variable before starting Tomcat:

    set CATALINA_OPTS=-Djavax.net.ssl.trustStore=server.truststore

where "server.truststore" contains only the imported CA certificate. It seems that Tomcat doesn't use %JAVA_HOME%\jre\lib\security\cacerts as a truststore by default (I did import the CA cert into cacerts), as I understood from previous discussions.

Thanks!
Dmitry.

BB> From your 1., your client cert is self-signed, not signed by your CA cert.
BB> Since this amounts to telling the server "I am Dmitry, because I said so",
BB> it's a security risk to accept self-signed client certs, so most HTTPS
BB> servers won't accept them. (Of course, it is also the same security risk to
BB> accept self-signed server certs. However, there is a big difference between
BB> clicking OK in the browser's dialog box and paging the webmaster at 3AM to
BB> agree to accept it ;-).
BB>
BB> The easiest thing would be to get a Thawte client cert (since you don't have
BB> to pay for it), and use that instead of your self-signed one. For testing,
BB> that is what I do (except that I use my Verisign cert, since my employer
BB> pays for that one :). At least with Sun's JSSE, Thawte's root cert is
BB> installed in cacerts by default. Setting up your own CA is only needed if
BB> you have to hand out your own client certs when you move to production.
BB>
BB> "Dmitry S.Rogulin" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
BB>
>> But (as I pointed out in 3., 4. and 6.) I have a client cert and a CA cert.
>> The latter I imported into cacerts.
>> I tried to do the same without Tomcat but with a very simple HTTP(S)
>> server and got the same result. So I suspect that I did something
>> wrong with creating/importing the certs.
>>
>> But what's wrong?
>>
>> BB> You can't generally use a self-signed client cert with JSSE (you can
>> BB> configure PureTLS to accept it, but another bug means that you'd have to
>> BB> wait for 4.1.26). The work-around is way too much trouble for the sysadmin,
>> BB> and I don't feel like being an enabler for a truly hideous design. So,
>> BB> you'll just have to read the JSSE docs for yourself ;-).
>> BB>
>> BB> If you need to issue your own client certs, I'd suggest setting up your own
>> BB> CA (with OpenSSL or otherwise), and importing your CA's cert into cacerts. You
>> BB> can then hand out client certs, and Tomcat will accept them.
>> BB>
>> BB> "Dmitry S.Rogulin" wrote in message news:[EMAIL PROTECTED]
>> BB>
>> >> Hello all,
>> >>
>> >> Sorry for the previous e-mail. %)
>> >>
>> >> This theme was discussed about a month ago. I tried to use what I
>> >> found, but I'm still having a problem...
>> >>
>> >> I'm trying to do SSL client authentication with Tomcat 4.1.18
>> >> (clientAuth="true").
>> >>
>> >> 1. I've generated a client certificate using keytool:
>> >>
>> >>     keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
>> >>
>> >> 2. Then I created a Certificate Signing Request:
>> >>
>> >>     keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
>> >>
>> >> 3. I sent it to the CA and got a signed certificate and the CA certificate.
>> >>
>> >> 4. I imported them into the client keystore:
>> >>
>> >>     keytool -import -alias root -keystore client.keystore -file cacert
>> >>     keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
>> >>
>> >> 5. I exported the server certificate and imported it as trusted into the
>> >>    trust keystore:
>> >>
>> >>     keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
>> >>
>> >> 6. I imported the CA certificate into "\jre\lib\security\cacerts":
>> >>
>> >>     keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit
>> >>
>> >> I'm running Tomcat and the test client on the same machine.
>> >>
>> >>     Server keystore:         %USERHOME%\.keystore
>> >>     Client keystore:         %USERHOME%\client.keystore
>> >>     Client trusted keystore: %USERHOME%\trust.keystore
>> >>
>> >> Test Client:
>> >> ********************************************
>> >> import java.net.*;
>> >> import java.io.*;
>> >>
>> >> public class SimpleClient {
>> >>
>> >>     public static void main(String[] args) {
>> >>         // Trust store: holds the server certificate imported in step 5.
>> >>         System.setProperty("javax.net.ssl.trustStore",
>> >>             System.getProperty("user.home") + File.separator + "trust.keystore");
>> >>
>> >>         // Key store: holds the client key, its certificate and the CA cert
>> >>         // (steps 1-4). JSSE presents the client certificate from here when
>> >>         // the server asks for one.
>> >>         System.setProperty("javax.net.ssl.keyStore",
>> >>             System.getProperty("user.home") + File.separator + "client.keystore");
>> >>         System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>> >>
>> >>         InputStream is = null;
>> >>         ByteArrayOutputStream os = new ByteArrayOutputStream();
>> >>
>> >>         try {
>> >>             URL url = new URL("https://localhost:8443/readme.txt");
>> >>             is = url.openStream();
>> >>
>> >>             byte[] buffer = new byte[4096];
>> >>             int bytes_read;
>> >>             while ((bytes_read = is.read(buffer)) != -1)
>> >>                 os.write(buffer, 0, bytes_read);
>> >>
>> >>             System.out.println(os.toString());
>> >>         } catch (Exception e) {
>> >>             e.printStackTrace();
>> >>         } finally {
>> >>             try {
>> >>                 // "is" is still null when openStream() itself failed
>> >>                 if (is != null) is.close();
>> >>                 os.close();
>> >>             } catch (IOException e) {
>> >>                 e.printStackTrace();
>> >>             }
>> >>         }
>> >>     }
>> >> }
>> >> ********************************************
>> >>
>> >> With [clientAuth="false"] it works fine, but with [clientAuth="true"]
>> >> it gives an error:
>> >>
>> >>     java.net.SocketException: Software caused connection abort: recv failed
>> >>         at java.net.SocketInputStream.socketRead0(Native Method)
>> >>         at java.net.SocketInputStream.read(SocketInputStream.java:129)
>> >>         at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
>> >>         at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
>> >>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>> >>
>> >> What did I do in a wrong way?
>> >>
>> >> Thanks in advance.
>> >>
>> >> Best regards,
>> >> Dmitry.
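The trust decision the thread turns on (a client cert is accepted only if it chains to a CA in the server's truststore, and a self-signed one therefore is not) can be reproduced offline. The script below is an added example, not code from the thread or from Tomcat/JSSE; it uses the openssl CLI instead of keytool and assumes openssl is on PATH. The names demo-ca, dmitry, the scratch directory and the selfsigned.* files are made up here; the alias tomcat-cl and the password changeit are taken from the thread.

```shell
#!/bin/sh
# Added example: build a private CA, a CA-signed client cert and a self-signed
# client cert, then apply the same chain check a server with clientAuth="true"
# applies against its truststore. Assumes: openssl on PATH.
set -eu

# Build the throwaway PKI in directory $1. Subject names are made up.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # 1. Private CA. ca.crt is the one cert that belongs in server.truststore.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # 2. Client key + CSR, signed by the CA (the thread's steps 1-4).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dmitry" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/client.crt" >/dev/null 2>&1
    # 3. A self-signed client cert: "I am Dmitry, because I said so".
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=dmitry" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" >/dev/null 2>&1
    # 4. PKCS#12 bundle (key + cert + CA) under the thread's alias; a recent
    #    keytool can turn it into client.keystore with -importkeystore.
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -name tomcat-cl -passout pass:changeit \
        -out "$dir/client.p12" >/dev/null 2>&1
}

# Mimic the server side of clientAuth="true": $1 is the truststore (a PEM
# bundle of trusted CA certs), $2 the certificate the client presented.
# Returns 0 (ACCEPT) only if $2 chains to something in $1.
check_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "ACCEPT $2"
        return 0
    fi
    echo "REJECT $2"
    return 1
}

# Walk through the three cases a practitioner wants to see.
run_demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    # CA-signed cert against a truststore holding only the CA: accepted.
    check_client_cert "$d/ca.crt" "$d/client.crt"
    # Self-signed cert against the same truststore: rejected.
    check_client_cert "$d/ca.crt" "$d/selfsigned.crt" || true
    # The only way a self-signed cert gets in is trusting that exact leaf,
    # i.e. importing every client's cert into the server truststore by hand.
    check_client_cert "$d/selfsigned.crt" "$d/selfsigned.crt"
    rm -rf "$d"
}

run_demo
```

The third check is the per-user "workaround" Bill refuses to enable: it works, but it means the server truststore has to be edited for every client instead of once for the CA.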