Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?
Hi, I have followed this procedure twice and all failed at the browsers. Someone please help to work out a procedure so that we can set up clientAuth="true" after clientAuth="false" worked. Now, in this procedure, there are 3 aliases, itcilo_ca, map-test and santiago, which I cannot understand. There already is an alias "tomcat" inside the keystore. Should we use it? Thanks!

P.S. I have created a .BAT file for each command. I can pack it and ship it to anyone who wants it. I may put them all together and make it as easy as a double-click. Also I can make the bash file on Linux after I get success on this.

Frank Peng.

==

1 - Setting up the CA

Create /home/lams/openssl to hold the CA keys, server keys and (as we want to use SSL client authentication) the client keys.

1) Create a private key and certificate request for our CA:

    #openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
    openssl req -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

2) Create the CA's self-signed certificate:

    #openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
    openssl x509 -req -trustout -signkey ca.key -days 365 -in ca.csr -out ca.pem

3) Import the CA certificate into the JDK certificate authorities keystore:

    $JAVA_HOME/bin/keytool -import -keystore $JAVA_HOME/lib/security/cacerts -file ca.pem -alias itcilo_ca

4) Create a file to hold the CA's serial numbers. This file starts with the number "2":

    echo "02" > ca.srl
    # for Windows: echo 02 > ca.srl

2 - Setting up the web server

Create /etc/tomcat to contain both the keystore and the truststore files (the truststore is a keystore in which reside all the certificates with which a user can authenticate himself on the server).

5) Create a keystore for the tomcat server:

    $JAVA_HOME/bin/keytool -genkey -alias map-test -keyalg RSA -keysize 1024 -keystore /etc/tomcat/server-keystore2.jks -storetype JKS

6) Create a certificate request for the web server:

    $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias map-test -file map-test.csr -keystore /etc/tomcat/server-keystore2.jks

You need to edit the certificate request file slightly. Open it up in a text editor and amend the text which reads "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST".

7) Have your CA sign your certificate request:

    openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in map-test.csr -out map-test.crt -days 365

8) Import your CA certificate into your server keystore. This step is necessary because we want to use SSL client authentication.

    $JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore /etc/tomcat/server-keystore2.jks -trustcacerts -file ca.pem

9) Import the signed server certificate into the server keystore:

    $JAVA_HOME/bin/keytool -import -alias map-test -keystore /etc/tomcat/server-keystore2.jks -trustcacerts -file map-test.crt

You should see a message "Certificate reply was installed in keystore".

3 - Setting up the ssl client

10) Create a client certificate request:

    #openssl req -new -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key
    openssl req -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key

11) Have the CA sign the client certificate:

    openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in santiago.req -out santiago.pem -days 365

12) Import the CA certificate into the truststore:

    $JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore /etc/tomcat/truststore-itcilo2.jks -trustcacerts -file ca.pem

13) Import the client certificate into the truststore:

    $JAVA_HOME/bin/keytool -import -alias santiago -keystore /etc/tomcat/truststore-itcilo2.jks -trustcacerts -file santiago.pem

- Generate a PKCS12 file containing the client key and certificate:

    openssl pkcs12 -export -clcerts -in santiago.pem -inkey santiago.key -out santiago.p12 -name "virgilio_certificate"

- Import the PKCS12 file into the web browser to use as the client certificate and key (tools - internet options - contents - certificates; verify by clicking on "advanced" that "client authentication" is checked).

4 - Configure tomcat for ssl

The following lines must be added to server.xml. The clientAuth parameter must be set to true as we want Tomcat to require all SSL clients to present a client certificate in order to use this socket.

Regards,
Gaël
Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?
> Now, in this procedure, there are 3 aliases, itcilo_ca, map-test and
> santiago, which I cannot understand.

imagination please: map-test was the name of my host at that time, santiago was the name of one of the users used for the testing, itcilo is the acronym of my organization, that's why I named my certificate authority itcilo_ca ;-)

> There already is an alias "tomcat" inside the keystore. Should we use it?
>
> P.S. I have created a .BAT file for each command.

I wrote what worked for me on my environment (SuSe 9.3, JRE 1.5, Tomcat 5.5.x). You give no indication on the OS/Tomcat version of your system but you are talking about a BAT file, so I imagine it's Windows, isn't it? I've no idea whether what I did could work on Windows, it should work on a linux-based distribution. Anyway you really should try to read again what I wrote and understand what I'm trying to do, because I noticed a few typing mistakes in what I wrote, so copy-paste will not work. Also modify it to correspond to your system (giving names that make sense to you).

Kind regards
Gaël
Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?
Gaël

Sorry, I am so lazy I did not change the names. I will change it next time. Yes, I am working on Windows. All of the commands are translated into Windows commands and there is no error after I fixed some commands and typing errors. The problem is that Microsoft Internet Explorer and Netscape now are serious about the Root Trust Authorities. Now both of the browsers are not working with the procedure you posted. I am looking for the procedure with CAcert.org. It is free to get their certificates for a server and a client. I believe the browsers and the Tomcat really talked; they failed because of the root authority problems. The error # on Netscape is 8182. If you have an OpenSSL solution based on your procedure, that will be great. Otherwise we have to ask help from CAcert.org. As you know I already typed all commands into a Windows batch file. It is easy to make a completely automatic program to set up everything. If you will work on OpenSSL, I would assist you to make the auto-configure program both on Windows and on Linux. That will contribute to this community a lot. Right? Thank you again. Sorry about that again.

Frank Peng.

-----Original Message-----
From: Gaël Lams <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Fri, 16 Jun 2006 13:48:03 +0200
Subject: Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?
Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?
> The problem is that Microsoft Internet Explorer and Netscape now are serious about the Root
> Trust Authorities. ...

I'm not sure what you mean by "serious about the Root Trust Authorities" but I tested the ssl client authentication on several computers, both inside and outside our LAN with both Internet Explorer 6 and Firefox 1.0.x and it works for me. If you don't use a trusted certificate, the "only practical" issue (see my PS for a security issue) is that the user trying to connect to that web site will be prompted by a message saying that the certificate does not come from a trusted root, and asking you whether you want to have a look at the information provided with the certificate and whether you want to accept it.

Regards,
Gaël

PS: when you use self-signed certificates, there is also a security risk, i.e. the risk of what is called a man-in-the-middle attack: an attacker could send the client his own self-signed certificate which has the same name as that in the server's self-signed certificate. The attacker then connects to the real server himself. When the client sends data to the server the attacker reads it and then sends it along to the real server.
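As an added example that is not part of this thread (it is neither Gaël's procedure verbatim nor Frank's batch file), the script below runs the CA, server and client steps from the procedure above non-interactively with openssl -subj, and then performs the one check that addresses Gaël's PS: a certificate is accepted only if it chains to ca.pem, so a certificate carrying the same host name but issued by anyone else is rejected. Everything here is an assumption of the example rather than something the thread states: the material is written to a scratch directory, keys are 2048-bit RSA instead of the thread's 1024/512, the host name is map-test.example, the store password is "changeit", the CA and leaf certificates get the basicConstraints / subjectAltName / extendedKeyUsage extensions that current OpenSSL and browsers expect, the keytool steps (keystore, CSR edit, reply import, truststore) run only when a JDK is on PATH, and the Connector snippet is a minimal Tomcat 5.5 style fragment to adapt, not the lines omitted from the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds Gaël's CA / server / client
# material with openssl -subj (no interactive prompts) and checks what a
# browser checks once ca.pem is among its trusted roots. All names, paths,
# key sizes and the password are assumptions of this example.
set -eu

# Build CA, server and client material under directory $1.
build_pki() (
    mkdir -p "$1" && cd "$1"

    # 1 - CA: self-signed and explicitly marked CA:TRUE; a root carrying no
    #     basicConstraints is rejected by newer OpenSSL chain verification.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example_ca" \
        -out ca.csr -keyout ca.key 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -signkey ca.key -days 365 -in ca.csr -out ca.pem \
        -extfile ca.ext 2>/dev/null
    echo "02" > ca.srl   # serial file, as in step 4 of the procedure

    # 2 - server key and CSR: from the Tomcat keystore when keytool exists
    #     (steps 5-6, including the "NEW CERTIFICATE REQUEST" edit), else from openssl
    if command -v keytool >/dev/null 2>&1; then
        keytool -genkeypair -alias map-test -keyalg RSA -keysize 2048 \
            -dname "CN=map-test.example" -keystore server-keystore.jks \
            -storetype JKS -storepass changeit -keypass changeit 2>/dev/null
        keytool -certreq -alias map-test -keystore server-keystore.jks \
            -storetype JKS -storepass changeit 2>/dev/null \
            | sed 's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' > server.csr
    else
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=map-test.example" \
            -out server.csr -keyout server.key 2>/dev/null
    fi
    # The host name goes into the SAN as well as the CN; browsers match on the SAN.
    printf 'subjectAltName=DNS:map-test.example\nextendedKeyUsage=serverAuth\n' > server.ext
    openssl x509 -req -CA ca.pem -CAkey ca.key -CAserial ca.srl -days 365 \
        -in server.csr -out server.crt -extfile server.ext 2>/dev/null   # step 7

    # 3 - client key and certificate signed by the same CA, packed as PKCS12
    #     for the browser (steps 10-11 and the pkcs12 step)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=santiago" \
        -out client.req -keyout client.key 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -CA ca.pem -CAkey ca.key -CAserial ca.srl -days 365 \
        -in client.req -out client.pem -extfile client.ext 2>/dev/null
    openssl pkcs12 -export -clcerts -in client.pem -inkey client.key \
        -out client.p12 -name santiago -passout pass:changeit 2>/dev/null

    # 4 - keystore: CA first, then the signed reply (steps 8-9);
    #     truststore: CA plus the client certificate (steps 12-13)
    if command -v keytool >/dev/null 2>&1; then
        keytool -importcert -noprompt -alias itcilo_ca -file ca.pem \
            -keystore server-keystore.jks -storetype JKS -storepass changeit 2>/dev/null
        keytool -importcert -noprompt -alias map-test -file server.crt \
            -keystore server-keystore.jks -storetype JKS -storepass changeit 2>/dev/null
        keytool -importcert -noprompt -alias itcilo_ca -file ca.pem \
            -keystore truststore.jks -storetype JKS -storepass changeit 2>/dev/null
        keytool -importcert -noprompt -alias santiago -file client.pem \
            -keystore truststore.jks -storetype JKS -storepass changeit 2>/dev/null
    fi

    # Assumed minimal Tomcat 5.5 connector with clientAuth="true"; adapt and
    # paste into server.xml (not the lines omitted from the original post).
    cat > connector.xml <<EOF
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$PWD/server-keystore.jks" keystorePass="changeit"
           truststoreFile="$PWD/truststore.jks" truststorePass="changeit" />
EOF
)

# What a browser does once ca.pem is in its trusted roots: accept only
# certificates this CA signed. Returns 0 when $2 (under $1) chains to ca.pem.
verify_against_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2" 2>/dev/null | grep -q ': OK'
}

# A self-signed certificate for the same host name from a different issuer:
# the substitute Gaël's PS describes. Trusting the CA, not the name, rejects it.
make_other_issuer_cert() (
    cd "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=map-test.example" \
        -days 365 -keyout other.key -out other.crt 2>/dev/null
)

main() {
    d=$(mktemp -d)
    build_pki "$d"
    make_other_issuer_cert "$d"
    verify_against_ca "$d" server.crt && echo "server.crt: issued by our CA, trusted"
    verify_against_ca "$d" client.pem && echo "client.pem: issued by our CA, trusted"
    verify_against_ca "$d" other.crt || echo "other.crt: same host name, other issuer, rejected"
    echo "material written to $d"
}
main
```

Run it as `sh pki.sh`; it prints the three verification results and the scratch directory holding ca.pem, server.crt, client.p12 and, when keytool was available, server-keystore.jks and truststore.jks. The extension files are the part most likely to differ from a 2006-era run: without CA:TRUE on the root, `openssl verify` on a current release reports an invalid CA certificate even though the signatures are fine, and without a SAN a current browser rejects the server certificate even when the CN matches.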
Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?
Yes. You are right. The procedure works. What was wrong is that I did not make the server host name and the client host name match in the certs and in the tomcat-user.xml file. Also I edited the ca.pem file a little bit and changed it to ca.crt and imported this file into the browser's trusted root certificates. This is not shown in your procedure. A couple of openssl commands have been modified because of the newer revision of openssl. I have made all commands into a BATCH file and I also added the subj parameter into the command. Now when you double click the BATCH file name, you do not need to key in the domain name; you can edit it in the BATCH file instead. This avoids typing errors. Now I can make all of the commands finish in one shot as long as the hostnames and the passwords and the keystore file names and locations are defined. This may contribute to the Tomcat community. It is working with both the newest Netscape and IE. I will do the same job on Linux and change the BATCH file into a bash script file. Thank you!

Frank Peng.

-----Original Message-----
From: Gaël Lams <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Mon, 19 Jun 2006 11:01:49 +0200
Subject: Re: Tomcat SSL, after clientAuth="false" worked, how to set up to "true"?