Anyone, I am having a little difficulty setting up Tomcat (4.0.1) to perform client authentication (actually mutual). For our purposes we are happy to use the MemoryRealm and perform authentication of a client's certificate against tomcat users in this realm.
I initially posted this to the 'user' newsgroup, but have had no responses. But this I guess is more related to the specific implementation of the authentication.

The question is what do you put in the user name attribute in conf/tomcat-users.xml? I saw a post which indicated this must be the "SubjectDN" of the certificate - but what exactly is this? I exported the Digital ID from Netscape and imported it into the Certificates snap-in in MMC so I could see its details; the Subject field is as follows -

E = [EMAIL PROTECTED]
CN = Joe Bloggs
OU = Digital ID Class 1 - Netscape
OU = Persona Not Validated
OU = www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98
OU = VeriSign Trust Network
O = VeriSign, Inc.

I set this as the user, but got the usual "Cannot authenticate with the provided credentials" message - equally I tried combinations of some of the fields. So this would not appear to be correct, but I cannot tell whether this is formatting (i.e. quoted, escaped - how?) in the user name attribute or that I am doing something wrong???

Can you confirm that the client certificate must only be installed on the client browser and not imported into the JSSE keystore? I can't imagine you would have to do this - but would like to make sure.

If anyone knows how to configure this correctly, or indeed whether Tomcat is really able to do this - I would be very grateful. The rest of my config is as follows -

Cheers,
JP

conf\server.xml

...
<Realm className="org.apache.catalina.realm.MemoryRealm" />
...
<Context path="/FXE" docBase="FXE" debug="1" reloadable="true"/>
...

conf\tomcat-users.xml

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1" password="tomcat" roles="role1" />
  <user name="both" password="tomcat" roles="tomcat,role1" />
  <user name="[EMAIL PROTECTED], CN=Joe Bloggs, OU=Digital ID Class 1 - Netscape, OU=Persona Not Validated, OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98, OU=VeriSign Trust Network, O = VeriSign, Inc." password="tomcat" roles="tomcat"/>
</tomcat-users>

FXE\WEB-INF\web.xml

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>AServlet</display-name>
  <servlet>
    <servlet-name>TheServlet</servlet-name>
    <servlet-class>com.rbsfm.fxe.TheServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>TheServlet</servlet-name>
    <url-pattern>/TheServlet</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <display-name>Role based security constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/TheServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>
</web-app>

Jon-Paul Stanford
eCommerce Development - Financial Markets
The Royal Bank of Scotland
135 Bishopsgate
London EC2M 3UR
Tel: 020 7375 5360
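As an added example (not part of the original post or of Tomcat's code): Tomcat's RealmBase looks the user up by the string returned from the client certificate's getSubjectDN().getName(), and that string is generally not what the MMC Subject view shows (keyword names and quoting of values that contain commas differ). The small utility below prints that exact string from an exported certificate and checks it against the name attributes in tomcat-users.xml; the file paths are placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Shows the Subject DN as Tomcat's RealmBase sees it and checks it against tomcat-users.xml. */
public class CertUserCheck {

    /** The string RealmBase.authenticate(X509Certificate[]) uses as the realm user name. */
    static String realmUserName(X509Certificate cert) {
        return cert.getSubjectDN().getName();
    }

    /** Loads a DER or Base64 (PEM) encoded certificate, as exported from a browser. */
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** True if some <user name="..."> in the realm file equals the DN character for character. */
    static boolean realmHasUser(String usersXmlPath, String dn) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new File(usersXmlPath));
        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            if (dn.equals(((Element) users.item(i)).getAttribute("name"))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths: the exported client certificate and Tomcat's realm file.
        String certPath = args.length > 0 ? args[0] : "client.cer";
        String usersXml = args.length > 1 ? args[1] : "conf/tomcat-users.xml";
        String dn = realmUserName(loadCert(certPath));
        System.out.println("Realm user name: " + dn);
        System.out.println(realmHasUser(usersXml, dn)
                ? "match found in tomcat-users.xml"
                : "NO match: the name attribute must equal the line above exactly");
    }
}
```

If the printed DN contains double quotes (a value such as VeriSign, Inc. is quoted because of the comma), write them as &quot; inside the name="..." attribute.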