Re: Tomcat 4 + ssl + client authentication
> Client cert verification is done against the TrustStore, not the KeyStore. Tomcat 5 has some improvements for this. Tomcat 4 is still a bit limited.
>
> > I have no idea what is going wrong. Can someone tell me how to make this work?
>
> Assuming that you don't want to just import the signing cert into cacerts (see the JSSE docs for how to do this), then you need to have something like:
>
>     CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/my/truststore -Djavax.net.ssl.trustStorePassword=myTrustStorePassword"
>
> At the moment, your TrustStore file has to be in the same format as your KeyStore file (a nasty limitation that I haven't gotten around to fixing :).

Yep, done that. Yesterday after sending this mail I was able to get it to work, authenticating using the imported client key in Mozilla and putting the signed client key in this truststore. So it is working now using Mozilla (nice).

So now I found out there is a keyStore property as well (stupid me), and I was able to authenticate using my Java client against the server (nice again). If someone is interested in the code, this is the client part (just for testing):

    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;
    import org.apache.commons.httpclient.protocol.Protocol;

    // JSSE reads these properties when it creates the default SSL socket factory:
    // trustStore = who we trust as a server, keyStore = our own client identity.
    System.setProperty("javax.net.ssl.trustStore", "f:/client.keystore");
    System.setProperty("javax.net.ssl.keyStore", "f:/client.keystore");
    System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

    HttpClient httpclient = new HttpClient();
    // StrictSSLProtocolSocketFactory is the HttpClient contrib sample class (see below).
    Protocol myhttps = new Protocol("https", new StrictSSLProtocolSocketFactory(false), 8443);
    httpclient.getHostConfiguration().setHost("myhost", 8443, myhttps);
    GetMethod httpget = new GetMethod("/");
    httpclient.executeMethod(httpget);

with StrictSSLProtocolSocketFactory the same code as the sample code you can download from the Apache/HTTPClient site.

One question though ... suppose the client keyStore has different keys, how can one tell the code to use key A or key B (for the moment there's only one key in this keyStore). Using Mozilla it is simple, it just asks which key to use.

Thank you for your help.
regards,
Kenneth

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Tomcat 4 + ssl + client authentication
Hi all,

I've been searching the internet for 2 days now and still haven't found a solution for my problem. I am trying to set up a Tomcat 4 server running in HTTPS mode, contacted by a client written in Java. The client is using HTTPClient from Apache. I have done everything the document at http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html describes.

If I disable client authentication in the Tomcat config, the client is able to communicate with the server. If I enable the authentication the client aborts with the following exception:

    java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
        at java.net.SocketInputStream.socketRead0(Native Method)
        ...

I enabled all possible debugging on the Tomcat server and this is part of what I found in the console:

    Thread-10, WRITE: SSL v3.1 Handshake, length = 625
    Thread-10, READ: SSL v3.1 Handshake, length = 141
    *** Certificate chain
    ***
    Thread-10, SEND SSL v3.1 ALERT: fatal, description = bad_certificate
    Thread-10, WRITE: SSL v3.1 Alert, length = 2

The client's certificate cannot be bad. It was signed with the server's key and it's in the server's keystore. I have no idea what is going wrong. Can someone tell me how to make this work?

MTIA

regards,
Kenneth
Re: Tomcat 4 + ssl + client authentication
Kenneth Westelinck [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Hi all,
>
> I've been searching the internet for 2 days now and still haven't found a solution for my problem. I am trying to set up a Tomcat 4 server running in HTTPS mode, contacted by a client written in Java. The client is using HTTPClient from Apache. I have done everything the document at http://ws.apache.org/soap/docs/install/FAQ_Tomcat_SOAP_SSL.html describes.
>
> If I disable client authentication in the Tomcat config, the client is able to communicate with the server. If I enable the authentication the client aborts with the following exception:
>
>     java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
>         at java.net.SocketInputStream.socketRead0(Native Method)
>         ...
>
> I enabled all possible debugging on the Tomcat server and this is part of what I found in the console:
>
>     Thread-10, WRITE: SSL v3.1 Handshake, length = 625
>     Thread-10, READ: SSL v3.1 Handshake, length = 141
>     *** Certificate chain
>     ***
>     Thread-10, SEND SSL v3.1 ALERT: fatal, description = bad_certificate
>     Thread-10, WRITE: SSL v3.1 Alert, length = 2
>
> The client's certificate cannot be bad. It was signed with the server's key and it's in the server's keystore.

Client cert verification is done against the TrustStore, not the KeyStore. Tomcat 5 has some improvements for this. Tomcat 4 is still a bit limited.

> I have no idea what is going wrong. Can someone tell me how to make this work?

Assuming that you don't want to just import the signing cert into cacerts (see the JSSE docs for how to do this), then you need to have something like:

    CATALINA_OPTS="-Djavax.net.ssl.trustStore=/path/to/my/truststore -Djavax.net.ssl.trustStorePassword=myTrustStorePassword"

At the moment, your TrustStore file has to be in the same format as your KeyStore file (a nasty limitation that I haven't gotten around to fixing :).

> MTIA
>
> regards,
> Kenneth
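Two points in this thread go together: the reply above that the peer certificate is checked against the trust store rather than the key store, and Kenneth's follow-up question of how a Java client chooses key A or key B when its key store holds several. The example below is added here and is not code from the thread, from Tomcat or from HttpClient: it builds a client SSLContext from a separate key store and trust store, and wraps the JSSE X509KeyManager so that one chosen alias is always presented when the server asks for a client certificate. The file paths, the passwords and the alias "clienta" are placeholders.

```java
// Added example (not from the thread): client SSLContext with a separate
// key store (our identity) and trust store (servers we accept), presenting a
// pinned client alias. Paths, passwords and the alias are placeholders.
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

public class PinnedAliasClient {

    /** Delegates to the JSSE key manager for everything except which client alias is used. */
    static final class PinnedAliasKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
            if (delegate.getPrivateKey(alias) == null) {
                throw new IllegalArgumentException("no private key under alias " + alias);
            }
            this.delegate = delegate;
            this.alias = alias;
        }

        // Called when the server sends a CertificateRequest: always answer with the pinned alias.
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return alias;
        }
        public String[] getClientAliases(String keyType, Principal[] issuers) {
            return new String[] { alias };
        }
        // Server-side selection is passed through unchanged; this class is only used as a client.
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static SSLContext build(String keyStorePath, char[] keyStorePass,
                                   String trustStorePath, char[] trustStorePass,
                                   String clientAlias) throws Exception {
        // Key store: the private key(s) and certificate chain(s) this client can present.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyStorePass), keyStorePass);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509KeyManager available");

        // Trust store: the CA or server certificates we accept. Kept apart from the key
        // store so that what we trust does not depend on which identities we hold.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustStorePass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(base, clientAlias) },
                 tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build("f:/client.keystore", "changeit".toCharArray(),
                               "f:/client.truststore", "changeit".toCharArray(), "clienta");
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket s = (SSLSocket) factory.createSocket("myhost", 8443)) {
            s.startHandshake();
            System.out.println("presented as: " + s.getSession().getLocalPrincipal());
        }
    }
}
```

The socket factory returned by `ctx.getSocketFactory()` is what a custom HttpClient protocol socket factory would hand out instead of the JSSE default. With the system-property approach from the thread, the default SunX509 key manager picks the first alias whose key type and issuer match the server's CertificateRequest, so when a store holds several client keys the wrapper above is the deterministic way to choose between them.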
Tomcat 4 - SSL - Client Authentication
Hi,

I am using Tomcat 4 on a Linux system. I am trying to enable SSL with client authentication enabled. I want the client to be Internet Explorer, running on Win2K, my desktop. I found the following steps on the net and tried.

* Create keys on the server
* Create the certificate on the server
* Uncomment the required part in the server.xml of Tomcat
* Enter appropriate values for the attributes in server.xml as:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8453" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               keystoreFile="/home/shiva/tomcat/keystore/server.keystore"
               keystorePass="changeit" clientAuth="true" protocol="TLS"/>
    </Connector>

* Create keys on the client
* Create the certificate on the client
* Import the client certificate on the server
* Import the client certificate into Internet Explorer

Now I started Tomcat and I tried to access from IE the URL https://192.168.200.12:8453 - then the Client Authentication dialog box appears without any certificates in the list, as a result I cannot select any certificate, and if I click on the OK button, it says page cannot be displayed. I also tried importing the client certificate into $JAVA_HOME/jre/lib/security/cacerts on the server and even that did not solve the problem, and I even tried importing the server certificate on the client side into $JAVA_HOME/jre/lib/security/cacerts and into IE as well, and even after that the problem is not solved.

I am including all the commands I used to perform the above steps. Can anyone help me out in getting this done.

Thanks in advance,
Shiva.
= Commands used =

*** For generating server keys on Linux ***

    keytool -genkey -alias tomcat-sv \
        -keyalg RSA -keypass changeit \
        -storepass changeit \
        -keystore $CATALINA_HOME/keystore/server.keystore

*** this keystore directory is created by me ***

---

*** For generating server certificate on Linux ***

    keytool -export -alias tomcat-sv \
        -storepass changeit \
        -file server.cer \
        -keystore $CATALINA_HOME/keystore/server.keystore

---

*** For generating client keys on Win2K ***

    keytool -genkey -alias tomcat-cl ^
        -keyalg RSA -keypass changeit ^
        -storepass changeit ^
        -keystore C:\ssltest\mykeystore\client.keystore

---

*** For generating client certificate on Win2K ***

    keytool -export -alias tomcat-cl ^
        -storepass changeit ^
        -file C:\ssltest\client.cer ^
        -keystore C:\ssltest\mykeystore\client.keystore

---

*** For importing the client certificate on the server ***

    keytool -import -v -trustcacerts \
        -alias tomcat -file client.cer \
        -keypass changeit \
        -storepass changeit \
        -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore

=
Re: Tomcat 4 - SSL - Client Authentication
Have you checked the permissions to the directory where your keystore is held? The process running the webserver must of course be able to read the keystore.

- CB

Shiva.Devaguptapu wrote:

> Hi,
>
> I am using Tomcat 4 on a Linux system. I am trying to enable SSL with client authentication enabled. I want the client to be Internet Explorer, running on Win2K, my desktop. I found the following steps on the net and tried.
>
> * Create keys on the server
> * Create the certificate on the server
> * Uncomment the required part in the server.xml of Tomcat
> * Enter appropriate values for the attributes in server.xml as:
>
>     <Connector className="org.apache.catalina.connector.http.HttpConnector"
>                port="8453" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="0"
>                scheme="https" secure="true">
>       <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>                keystoreFile="/home/shiva/tomcat/keystore/server.keystore"
>                keystorePass="changeit" clientAuth="true" protocol="TLS"/>
>     </Connector>
>
> * Create keys on the client
> * Create the certificate on the client
> * Import the client certificate on the server
> * Import the client certificate into Internet Explorer
>
> Now I started Tomcat and I tried to access from IE the URL https://192.168.200.12:8453 - then the Client Authentication dialog box appears without any certificates in the list, as a result I cannot select any certificate, and if I click on the OK button, it says page cannot be displayed. I also tried importing the client certificate into $JAVA_HOME/jre/lib/security/cacerts on the server and even that did not solve the problem, and I even tried importing the server certificate on the client side into $JAVA_HOME/jre/lib/security/cacerts and into IE as well, and even after that the problem is not solved.
>
> I am including all the commands I used to perform the above steps. Can anyone help me out in getting this done.
>
> Thanks in advance,
> Shiva.
> = Commands used =
>
> *** For generating server keys on Linux ***
>
>     keytool -genkey -alias tomcat-sv \
>         -keyalg RSA -keypass changeit \
>         -storepass changeit \
>         -keystore $CATALINA_HOME/keystore/server.keystore
>
> *** this keystore directory is created by me ***
>
> ---
>
> *** For generating server certificate on Linux ***
>
>     keytool -export -alias tomcat-sv \
>         -storepass changeit \
>         -file server.cer \
>         -keystore $CATALINA_HOME/keystore/server.keystore
>
> ---
>
> *** For generating client keys on Win2K ***
>
>     keytool -genkey -alias tomcat-cl ^
>         -keyalg RSA -keypass changeit ^
>         -storepass changeit ^
>         -keystore C:\ssltest\mykeystore\client.keystore
>
> ---
>
> *** For generating client certificate on Win2K ***
>
>     keytool -export -alias tomcat-cl ^
>         -storepass changeit ^
>         -file C:\ssltest\client.cer ^
>         -keystore C:\ssltest\mykeystore\client.keystore
>
> ---
>
> *** For importing the client certificate on the server ***
>
>     keytool -import -v -trustcacerts \
>         -alias tomcat -file client.cer \
>         -keypass changeit \
>         -storepass changeit \
>         -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore
>
> =

-- 
. . . / This Cabinet is formd of Gold / And Pearl Crystal shining bright
And within it opens into a World / . . .
Another England there I saw / Another London with its Tower
Another Thames other Hills / And another pleasant Surrey Bower . . .
- from The Crystal Cabinet, a poem by William Blake.
RE: Tomcat 4 - SSL - Client Authentication
Yes. Read and write as well.

-----Original Message-----
From: Christopher Mark Balz [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 2:58 PM
To: Tomcat Users List
Subject: Re: Tomcat 4 - SSL - Client Authentication

Have you checked the permissions to the directory where your keystore is held? The process running the webserver must of course be able to read the keystore.

- CB

Shiva.Devaguptapu wrote:

> Hi,
>
> I am using Tomcat 4 on a Linux system. I am trying to enable SSL with client authentication enabled. I want the client to be Internet Explorer, running on Win2K, my desktop. I found the following steps on the net and tried.
>
> * Create keys on the server
> * Create the certificate on the server
> * Uncomment the required part in the server.xml of Tomcat
> * Enter appropriate values for the attributes in server.xml as:
>
>     <Connector className="org.apache.catalina.connector.http.HttpConnector"
>                port="8453" minProcessors="5" maxProcessors="75"
>                enableLookups="true" acceptCount="10" debug="0"
>                scheme="https" secure="true">
>       <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>                keystoreFile="/home/shiva/tomcat/keystore/server.keystore"
>                keystorePass="changeit" clientAuth="true" protocol="TLS"/>
>     </Connector>
>
> * Create keys on the client
> * Create the certificate on the client
> * Import the client certificate on the server
> * Import the client certificate into Internet Explorer
>
> Now I started Tomcat and I tried to access from IE the URL https://192.168.200.12:8453 - then the Client Authentication dialog box appears without any certificates in the list, as a result I cannot select any certificate, and if I click on the OK button, it says page cannot be displayed. I also tried importing the client certificate into $JAVA_HOME/jre/lib/security/cacerts on the server and even that did not solve the problem, and I even tried importing the server certificate on the client side into $JAVA_HOME/jre/lib/security/cacerts and into IE as well, and even after that the problem is not solved.
> I am including all the commands I used to perform the above steps. Can anyone help me out in getting this done.
>
> Thanks in advance,
> Shiva.
>
> = Commands used =
>
> *** For generating server keys on Linux ***
>
>     keytool -genkey -alias tomcat-sv \
>         -keyalg RSA -keypass changeit \
>         -storepass changeit \
>         -keystore $CATALINA_HOME/keystore/server.keystore
>
> *** this keystore directory is created by me ***
>
> ---
>
> *** For generating server certificate on Linux ***
>
>     keytool -export -alias tomcat-sv \
>         -storepass changeit \
>         -file server.cer \
>         -keystore $CATALINA_HOME/keystore/server.keystore
>
> ---
>
> *** For generating client keys on Win2K ***
>
>     keytool -genkey -alias tomcat-cl ^
>         -keyalg RSA -keypass changeit ^
>         -storepass changeit ^
>         -keystore C:\ssltest\mykeystore\client.keystore
>
> ---
>
> *** For generating client certificate on Win2K ***
>
>     keytool -export -alias tomcat-cl ^
>         -storepass changeit ^
>         -file C:\ssltest\client.cer ^
>         -keystore C:\ssltest\mykeystore\client.keystore
>
> ---
>
> *** For importing the client certificate on the server ***
>
>     keytool -import -v -trustcacerts \
>         -alias tomcat -file client.cer \
>         -keypass changeit \
>         -storepass changeit \
>         -keystore /home/lotto/lotto/utilities/tomcat/keystore/server.keystore
>
> =

-- 
. . . / This Cabinet is formd of Gold / And Pearl Crystal shining bright
And within it opens into a World / . . .
Another England there I saw / Another London with its Tower
Another Thames other Hills / And another pleasant Surrey Bower . . .
- from The Crystal Cabinet, a poem by William Blake.
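Before looking at file permissions, a check worth running on both sides of this setup is what each store actually contains. keytool -export writes only the public certificate, so a store or browser fed from a .cer file holds a trusted-certificate entry and no private key, and a browser only offers client certificates for which it holds the private key; on the server side, the certificates a JSSE trust manager returns from getAcceptedIssuers() are the issuer names it sends to the browser in the CertificateRequest, which is what decides which client certificates the browser's dialog lists. The program below is an added example, not code from this thread or from Tomcat: it prints each alias's entry type and whether its certificate is self-signed, and lists the issuers a trust manager built from the store would advertise. The store path and password are placeholders taken from the commands above.

```java
// Added example, not from the thread: report what a JKS/PKCS12 store holds and
// which issuer names a JSSE trust manager built from it would advertise.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class KeyStoreInspector {

    /** Summary of one alias in the store. */
    public static final class Entry {
        public final String alias;
        public final boolean hasPrivateKey;   // true: usable as an identity (client or server side)
        public final boolean selfSigned;
        public final String subject;
        public final String issuer;

        Entry(String alias, boolean hasPrivateKey, boolean selfSigned, String subject, String issuer) {
            this.alias = alias; this.hasPrivateKey = hasPrivateKey; this.selfSigned = selfSigned;
            this.subject = subject; this.issuer = issuer;
        }
    }

    public static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Self-signed: issuer equals subject and the signature verifies with the cert's own key. */
    public static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
            return false;
        }
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static List<Entry> inspect(KeyStore ks) throws Exception {
        List<Entry> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;                      // secret-key entries carry no certificate
            }
            X509Certificate x = (X509Certificate) c;
            out.add(new Entry(alias, ks.isKeyEntry(alias), isSelfSigned(x),
                    x.getSubjectX500Principal().getName(), x.getIssuerX500Principal().getName()));
        }
        return out;
    }

    /** Issuer names a trust manager built from this store would send in a CertificateRequest. */
    public static List<String> acceptedIssuers(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        List<String> names = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    names.add(ca.getSubjectX500Principal().getName());
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the store name and password used in the commands above.
        String path = args.length > 0 ? args[0] : "server.keystore";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = load(path, pass);
        for (Entry en : inspect(ks)) {
            System.out.printf("%-12s %-17s self-signed=%-5b subject=%s%n", en.alias,
                    en.hasPrivateKey ? "PrivateKeyEntry" : "TrustedCertEntry", en.selfSigned, en.subject);
        }
        System.out.println("accepted issuers: " + acceptedIssuers(ks));
    }
}
```

Run it once against the server's store and once against the client's: the client side needs a PrivateKeyEntry for the certificate it is meant to present, and the server side needs the client certificate's issuer (for a self-signed client certificate, the certificate itself) among the accepted issuers of whichever store the connector actually uses as its trust store.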