RE: need help setting up tomcat with ssl client authentication

2010-07-01 Thread Ralph Carlson
I changed server.xml to:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150"
   scheme="https"
   secure="true"
   clientAuth="true"
   keystoreFile="/server.ks"
   keystorePass="MC126801$"
   keystoreType="JKS"
   keyAlias="tomcat"
   truststoreFile="/server.ks"
   truststorePass="MC126801$"
   truststoreType="JKS"
   sslProtocol="TLS" />

and now it works with all clients: Firefox, openssl s_client, and the PHP client.
Thanks for all your help, it's much appreciated :)


From: users-return-214184-racarlson=mediacomcc@tomcat.apache.org 
[users-return-214184-racarlson=mediacomcc@tomcat.apache.org] On Behalf Of 
Christopher Schultz [ch...@christopherschultz.net]
Sent: Wednesday, June 30, 2010 9:40 PM
To: Tomcat Users List
Subject: Re: need help setting up tomcat with ssl client authentication

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ralph,

On 6/30/2010 5:07 PM, Ralph Carlson wrote:
 (d) have client Authorization on - with it off tomcat ssl works just fine, 
 when its turned on I get this error
 so far I have been following the steps listed in this tomcat user group 
 message
 http://marc.info/?l=tomcat-user&m=106293430225790&w=2

Try something a bit more recent than 2003. I was able to get client
certs working with my own CA, and I was manually checking the client
cert instead of having Tomcat do it. However, if your code can do it, so
can Tomcat.

Try reading-through this thread:
http://markmail.org/message/kzxsamuiu6bldjmv

 <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="true"
            keystoreFile="/server.ks"
            keystorePass="[...]"
            sslProtocol="TLS" />

I think you also need a truststoreFile and friends. Try re-reading the
Connector documentation at
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html specifically
looking for client cert.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwr8f0ACgkQ9CaO5/Lv0PDFxQCcDrMdAJbl0adm44Dgnyd6fWqV
aPEAnjPNCOXwmU847G/7IvZuBU9hnK2A
=mNS+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: need help setting up tomcat with ssl client authentication

2010-07-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ralph,

On 7/1/2010 9:28 AM, Ralph Carlson wrote:
 I changed server.xml to:
 
 <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150"
            scheme="https"
            secure="true"
            clientAuth="true"
            keystoreFile="/server.ks"
            keystorePass="MC126801$"
            keystoreType="JKS"
            keyAlias="tomcat"
            truststoreFile="/server.ks"
            truststorePass="MC126801$"
            truststoreType="JKS"
            sslProtocol="TLS" />
 
 and now it works with all clients: Firefox, openssl s_client, and the PHP client.
 Thanks for all your help, it's much appreciated :)

Glad you got it working. I might separate the keystore from the
truststore, just to give you greater flexibility.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwsnSwACgkQ9CaO5/Lv0PA7TgCeMiz/a7dBr/GJudFzWam2K+MG
wj0An0l+M/7SNSYi2TOsDpcv+ljp251Z
=XwZa
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
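The three things this thread turns on (a truststore missing while clientAuth is on, a keystoreFile of "/server.ks" that is not where the admin's files are, and keystore and truststore being the same file) are easy to check mechanically before restarting Tomcat. The following checker is an added example and is not code from the thread or from the Tomcat project. The two Connector snippets inside it are constructed from the configs posted above with the password replaced by a placeholder, and the path-resolution rule it applies (a non-absolute keystore or truststore path is opened relative to $CATALINA_BASE, and on Windows a bare "/server.ks" does not count as absolute because it has no drive letter) is the Tomcat 6 JSSE connector behaviour as I understand it; treat that as an assumption to confirm against the version you run.

```python
"""Lint Tomcat 6 <Connector> elements for TLS client-auth pitfalls.

Added example, not code from the thread or from the Tomcat project. It reports:
  - a keystoreFile/truststoreFile that Tomcat will open somewhere other than the
    literal suggests (non-absolute paths go under $CATALINA_BASE; on Windows a
    bare "/server.ks" is not absolute because it has no drive letter),
  - clientAuth="true" or "want" without an explicit truststoreFile,
  - keystoreFile and truststoreFile naming the same file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first Connector posted in the thread, password replaced.
CONFIG_BEFORE = """
<Server><Service>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="true"
             keystoreFile="/server.ks"
             keystorePass="PLACEHOLDER_PASSWORD"
             sslProtocol="TLS" />
</Service></Server>
"""

# Constructed sample: the working Connector, with one JKS file used for both stores.
CONFIG_AFTER = """
<Server><Service>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="true"
             keystoreFile="/server.ks" keystorePass="PLACEHOLDER_PASSWORD"
             keystoreType="JKS" keyAlias="tomcat"
             truststoreFile="/server.ks" truststorePass="PLACEHOLDER_PASSWORD"
             truststoreType="JKS"
             sslProtocol="TLS" />
</Service></Server>
"""

# Windows absolute path: drive letter plus separator, or a UNC prefix.
_WIN_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")


def is_absolute(path, windows=True):
    """Mirror java.io.File.isAbsolute(): on Windows "/x" is root-relative, not absolute."""
    return bool(_WIN_ABSOLUTE.match(path)) if windows else path.startswith("/")


def resolve_store_path(path, catalina_base, windows=True):
    """Where Tomcat 6's JSSE connector opens a keystore/truststore path.

    Assumption (Tomcat 6 JSSESocketFactory behaviour): a non-absolute path is
    joined to $CATALINA_BASE the way new File(catalinaBase, path) joins it.
    """
    if is_absolute(path, windows):
        return path
    sep = "\\" if windows else "/"
    return catalina_base.rstrip("\\/") + sep + path.lstrip("\\/")


def lint_ssl_connectors(server_xml, catalina_base="C:\\tomcat", windows=True):
    """Return (code, message) findings for every SSLEnabled Connector in server_xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue
        port = attrs.get("port", "?")
        # 1. Paths that will not be opened where the literal suggests.
        for name in ("keystoreFile", "truststoreFile"):
            path = attrs.get(name)
            if path is not None and not is_absolute(path, windows):
                findings.append(("RELATIVE_STORE",
                    f'port {port}: {name}="{path}" is not absolute; Tomcat will open '
                    f"{resolve_store_path(path, catalina_base, windows)}"))
        # 2. Client certs requested but no explicit trust store configured.
        client_auth = attrs.get("clientAuth", "false").lower()
        if client_auth in ("true", "want") and "truststoreFile" not in attrs:
            findings.append(("NO_TRUSTSTORE",
                f"port {port}: clientAuth={client_auth} without truststoreFile; client "
                "certs are then checked against the JVM's default trust store "
                "(javax.net.ssl.trustStore, else jre/lib/security/cacerts of the JVM "
                "Tomcat actually runs with), so the issuing CA must be in that file "
                "or the client's certificate is rejected during the handshake"))
        # 3. One file serving as both key store and trust store.
        ks, ts = attrs.get("keystoreFile"), attrs.get("truststoreFile")
        if ks is not None and ts is not None and ks == ts:
            findings.append(("SHARED_STORE",
                f"port {port}: keystoreFile and truststoreFile are both {ks}; a "
                "separate truststore lets you rotate the server key or change the "
                "trusted client CAs independently"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"== {label} ==")
        for code, msg in lint_ssl_connectors(cfg):
            print(f"{code}: {msg}")
```

Run against the first config it reports the missing truststore and the "/server.ks" resolution (C:\tomcat\server.ks, which is where the keystore was eventually copied in this thread); against the working config it reports only that both stores share one file, which is the separation Chris suggests above.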



Re: need help setting up tomcat with ssl client authentication

2010-06-30 Thread Pid
On 30/06/2010 22:07, Ralph Carlson wrote:
 tomcat version 6.0.20
 os: windows xp sp3 professional edition
 sun java jdk 1.5.11
 
 I am trying to do the following
 (a) create a certificate authority and self sign server and client 
 certificates using openssl and keytool
 (b) import the keytool keystore into tomcat
 (c) verify the certificate chain using openssl verify (which does work and 
 returns ok for all 3 certificates)
 (d) have client Authorization on - with it off tomcat ssl works just fine, 
 when its turned on I get this error

Which error?  What is in the Tomcat logs when the problem occurs?

 so far I have been following the steps listed in this tomcat user group 
 message
 http://marc.info/?l=tomcat-user&m=106293430225790&w=2

How did you configure Tomcat to use the certificates in (b)?

What is your Tomcat Connector config in server.xml?


p


 but get this message from openssl s_client -cert c:\ssl\client\client.pem 
 -CAfile c:\ssl\ca\ca.pem -connect localhost:443
 
 3772:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
 unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
 3772:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
 failure:.\ssl\s23_lib.c:188:
 
 and these messages from firefox (after importing the certificate)
 initially 'sslv3 alert certificate unknown' , then just 'SSL peer was not 
 expecting a handshake message it received' after a few tries
 
 does anyone know how to do this or has anyone done this before,
 thanks for you help in advance
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 






RE: need help setting up tomcat with ssl client authentication

2010-06-30 Thread Ralph Carlson
The tomcat logs have no errors in them; they end after startup (I haven't 
installed any apps yet, just trying to get to the tomcat manager with SSL).


<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="true"
   keystoreFile="/server.ks"
   keystorePass="MC126801$"
   sslProtocol="TLS" />


I configured the tomcat keystore as follows (openssl commands included):

   [1] create folders c:\ssl\ca, c:\ssl\server and c:\ssl\client, and ca.srl with 02
   [2] openssl req -new -newkey rsa:1024 -nodes -out c:\ssl\ca\ca.csr -keyout c:\ssl\ca\ca.key -config C:\ssl\openssl.cnf
  country=US
  state=newyork
  city=fishkill
  organization_name=myca
  organization_unit=myca
  common_name=myca
  email=racarl...@medaicomcc.com
   [3] openssl x509 -trustout -signkey c:\ssl\ca\ca.key -days 365 -req -in c:\ssl\ca\ca.csr -out c:\ssl\ca\ca.pem
   [4] keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file C:\ssl\ca\ca.pem -alias my_ca
**[5] keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore C:\ssl\server\server.ks -storetype JKS
What is your first and last name? myserver.localhost.com
What is the name of your organizational unit? mycompany
What is the name of your organization? mycompany
What is the name of your City or Locality? fishkill
What is the name of your State or Province? newyork
What is the two-letter country code for this unit?  US
**[6] keytool -certreq -keyalg RSA -alias tomcat -file C:\ssl\server\server.csr -keystore C:\ssl\server\server.ks
   [7] amend the text which reads NEW CERTIFICATE REQUEST to CERTIFICATE REQUEST
   [8] openssl x509 -CA C:\ssl\ca\ca.pem -CAkey C:\ssl\ca\ca.key -CAserial C:\ssl\ca\ca.srl -req -in C:\ssl\server\server.csr -out C:\ssl\server\server.crt -days 365
**[9] keytool -import -alias tomcat -keystore C:\ssl\server\server.ks -trustcacerts -file C:\ssl\server\server.crt
**[10] keytool -import -alias my_ca -keystore C:\ssl\server\server.ks -trustcacerts -file C:\ssl\ca\ca.pem
   [11] openssl req -new -newkey rsa:512 -nodes -out C:\ssl\client\client1.req -keyout C:\ssl\client\client1.key
Country Name ? US
State or Province Name ? newyork
Locality Name (eg, city) ? fishkill
Organization Name ? mycompany
Organizational Unit Name ? mycompany
Common Name (eg, YOUR name) ? localhost -- this value is in tomcat-users.xml
Email Address ? racarl...@mediacomcc.com
   [12] openssl x509 -CA C:\ssl\ca\ca.pem -CAkey C:\ssl\ca\ca.key -CAserial C:\ssl\ca\ca.srl -req -in C:\ssl\client\client1.req -out C:\ssl\client\client1.pem -days 365
   [13] openssl pkcs12 -export -clcerts -in C:\ssl\client\client1.pem -inkey C:\ssl\client\client1.key -out C:\ssl\client\client1.p12 -name my_client_certificate

I also tried importing the client.pem and apache.pem from below into the keystore (no change in error):
openssl pkcs12 -in c:\ssl\client\client1.p12 -out c:\ssl\client\apache.pem -nodes -passin pass:MC126801$



From: users-return-214164-racarlson=mediacomcc@tomcat.apache.org 
[users-return-214164-racarlson=mediacomcc@tomcat.apache.org] On Behalf Of 
Pid [...@pidster.com]
Sent: Wednesday, June 30, 2010 5:25 PM
To: Tomcat Users List
Subject: Re: need help setting up tomcat with ssl client authentication

On 30/06/2010 22:07, Ralph Carlson wrote:
 tomcat version 6.0.20
 os: windows xp sp3 professional edition
 sun java jdk 1.5.11

 I am trying to do the following
 (a) create a certificate authority and self sign server and client 
 certificates using openssl and keytool
 (b) import the keytool keystore into tomcat
 (c) verify the certificate chain using openssl verify (which does work and 
 returns ok for all 3 certificates)
 (d) have client Authorization on - with it off tomcat ssl works just fine, 
 when its turned on I get this error

Which error?  What is in the Tomcat logs when the problem occurs?

 so far I have been following the steps listed in this tomcat user group 
 message
 http://marc.info/?l=tomcat-user&m=106293430225790&w=2

How did you configure Tomcat to use the certificates in (b)?

What is your Tomcat Connector config in server.xml?


p


 but get this message from openssl s_client -cert c:\ssl\client\client.pem 
 -CAfile c:\ssl\ca\ca.pem -connect localhost:443

 3772:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
 unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
 3772:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
 failure:.\ssl\s23_lib.c:188:

 and these messages from firefox (after importing the certificate)
 initially 'sslv3 alert certificate unknown' , then just 'SSL peer was not 
 expecting a handshake message it received' after a few tries

 does anyone know how to do this or has anyone done this before,
 thanks for you help in advance

Re: need help setting up tomcat with ssl client authentication

2010-06-30 Thread Pid
On 30/06/2010 23:45, Ralph Carlson wrote:
 the tomcats logs have no errors in them, they end after start up (I haven't 
 installed any apps yet, just trying to get to the tomcat manager with ssl)

Are you using APR?

This path:

keystoreFile="/server.ks"

doesn't appear to match this path:

 C:\ssl\server\server.ks 

Are there any errors in the logs, or displayed on the console, when
Tomcat starts up?  (How are you starting the server, as a service, or
using startup.bat?)


p





RE: need help setting up tomcat with ssl client authentication

2010-06-30 Thread Ralph Carlson
I am starting and stopping tomcat using startup.bat and shutdown.bat from the 
command line.
I am not using the APR.

I copied /server.ks into the c:\tomcat folder in an attempt to get it working;
if I change it to a fake name it throws an error, so I think it's reading it.

the console looks like:
Jun 30, 2010 7:46:25 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performanc
e in production environments was not found on the java.library.path: C:\Program
Files\Java\jdk1.5.0_17\bin;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32;
C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Co
re-Static;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Java\jdk1.5
.0_17\bin;C:\openssl\bin;
Jun 30, 2010 7:46:25 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jun 30, 2010 7:46:27 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Jun 30, 2010 7:46:27 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2248 ms
Jun 30, 2010 7:46:27 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jun 30, 2010 7:46:27 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.20
Jun 30, 2010 7:46:28 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jun 30, 2010 7:46:28 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Jun 30, 2010 7:46:28 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Jun 30, 2010 7:46:28 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/15  config=null
Jun 30, 2010 7:46:28 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1274 ms


From: users-return-214173-racarlson=mediacomcc@tomcat.apache.org 
[users-return-214173-racarlson=mediacomcc@tomcat.apache.org] On Behalf Of 
Pid [...@pidster.com]
Sent: Wednesday, June 30, 2010 7:19 PM
To: Tomcat Users List
Subject: Re: need help setting up tomcat with ssl client authentication

On 30/06/2010 23:45, Ralph Carlson wrote:
 the tomcats logs have no errors in them, they end after start up (I haven't 
 installed any apps yet, just trying to get to the tomcat manager with ssl)

Are you using APR?

This path:

keystoreFile="/server.ks"

doesn't appear to match this path:

 C:\ssl\server\server.ks

Are there any errors in the logs, or displayed on the console, when
Tomcat starts up?  (How are you starting the server, as a service, or
using startup.bat?)


p


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: need help setting up tomcat with ssl client authentication

2010-06-30 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ralph,

On 6/30/2010 5:07 PM, Ralph Carlson wrote:
 (d) have client Authorization on - with it off tomcat ssl works just fine, 
 when its turned on I get this error
 so far I have been following the steps listed in this tomcat user group 
 message
 http://marc.info/?l=tomcat-user&m=106293430225790&w=2

Try something a bit more recent than 2003. I was able to get client
certs working with my own CA, and I was manually checking the client
cert instead of having Tomcat do it. However, if your code can do it, so
can Tomcat.

Try reading-through this thread:
http://markmail.org/message/kzxsamuiu6bldjmv

 <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="true"
            keystoreFile="/server.ks"
            keystorePass="[...]"
            sslProtocol="TLS" />

I think you also need a truststoreFile and friends. Try re-reading the
Connector documentation at
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html specifically
looking for client cert.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwr8f0ACgkQ9CaO5/Lv0PDFxQCcDrMdAJbl0adm44Dgnyd6fWqV
aPEAnjPNCOXwmU847G/7IvZuBU9hnK2A
=mNS+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org