"Michael Jeffrey Tucker" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> Some more digging revealed that what I have done so far is what is/was
> intended. Back in 2000, Craig McClanahan wrote that:
>
> "If all you want to do is make sure the client has a valid certificate,
> you don't need to use a security constraint at all -- just set the
> "clientAuth" property on the Connector to true, and no requests will be
> accepted without a certificate. On the other hand, if you want to use
> security constraints in addition, you will need to define the user (and
> associated roles) in your Realm, just as you would for any other login
> method."
>
> All I want Tomcat to do is make sure that the client has a valid
> certificate. But I also want this certificate to be accessible to my
> webapps. There doesn't seem to be any discussion of how the authentication
> information flows from the initial SSL connection to the JSP request
> object. Is there any such information flow without security constraints?
> Or am I approaching this all wrong?
>
This was actually covered in another thread today :-). As Craig said, you
set clientAuth="true" to force the browser to send the certificate. Then in
your servlet you do:

X509Certificate[] certs =
    (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

certs[0] is the client's cert, certs[1] is the signer of certs[0], and so on.

> Thanks again,
> Mike
>
> On Wed, 12 Nov 2003, Michael Jeffrey Tucker wrote:
>
> > Hi,
> >
> > Thanks for your help. I was wondering if anyone has any suggestions for
> > the following problem: I would like Tomcat to accept any SSL connection
> > where it recognizes the CA for the client certificate and then provide my
> > webapp access to this certificate. It turns out that I don't think I want
> > to use the CLIENT-CERT auth.
> >
> > My current setup seems to handle the first part -- I have clientAuth set
> > to true in my server.xml's SSLServerSocketFactory configuration and I have
> > removed the security constraints from my app's web.xml. When I point a
> > browser at the site/ssl port, I am prompted for my client certificate. So
> > far, so good!
> >
> > The problem is that I am not sure how to get access to the
> > certificate from JSP. I have looked into the methods that are provided by
> > the HttpServletRequest interface, but getAuthType(), getRemoteUser(), and
> > getUserPrincipal() all return NULL. I guess this makes sense because the
> > SSL certificate is not being used for app-specific security enforcement,
> > but I know that the certificate must be floating around there somewhere.
> > Are there any other request-related objects that my JSP code can access
> > that would give me access to the cert? Any pointers would be greatly
> > appreciated!
> >
> > Thanks,
> > Mike
> >
> >
> > On Tue, 11 Nov 2003, Bill Barker wrote:
> >
> > > At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the
> > > Tomcat ships-with Realms).
> > > There are patches for JNDIRealm and JDBCRealm
> > > floating around in Bugzilla, that should be fine if you are using Sun's JVM.
> > > (The Sun dependencies are basically why they are still floating :).
> > >
> > > Once you have enabled MemoryRealm (and, for versions < 4.1.29, disable the
> > > default DataSource), then the 'username' in tomcat-users.xml is the cert's
> > > DN (aka Subject). The password can be anything you want (it is ignored for
> > > CLIENT-CERT auth).
> > >
> > > ----- Original Message -----
> > > From: "Michael Jeffrey Tucker" <[EMAIL PROTECTED]>
> > > To: "Bill Barker" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, November 11, 2003 8:55 PM
> > > Subject: Re: Using Apache/mod_ssl certificate and private key with
> > > Tomcat/keytool
> > >
> > >
> > > > Hi Bill,
> > > >
> > > > Do you know of a similar howto for client authentication with ssl? I've
> > > > had nothing but trouble getting a system with self-signed keys up and
> > > > running. I found a post in the archives about signing your own keys, which
> > > > suggests that is an OK thing to do, and I've found posts by people who
> > > > have client-side authentication up. But I haven't been able to combine the
> > > > two. Also, I've been doing all my debugging on the client-side with the
> > > > command line version of OpenSSL -- I'd like to look at what JSSE has to
> > > > say (because the catalina logs are only showing incoming connections
> > > > between assigned and awaited, no more details). Are there any howtos that
> > > > describe the logging process in more detail that might be worth looking
> > > > at?
> > > >
> > > > Thanks,
> > > > Mike
> > > >
> > > > On Tue, 11 Nov 2003, Bill Barker wrote:
> > > >
> > > > > The Tomcat 5 ssl-howto contains an example of how to do this. It works
> > > > > with Tomcat 4.1.x as well.
> > > > >
> > > > > Long-story-short, it works by "combining" the private-key and the cert.
> > > > > JSSE can use the resulting pkcs12 file as a keystore.
> > > > >
> > > > > "Scott Kelley" <[EMAIL PROTECTED]> wrote in message
> > > > > news:[EMAIL PROTECTED]
> > > > > > Hi,
> > > > > >
> > > > > > I have an Apache+mod_ssl+Tomcat configuration that's been working
> > > > > > fine for several years. I have an SSL certificate from Verisign, and
> > > > > > my httpd.conf file contains:
> > > > > >
> > > > > > SSLCertificateFile /path/to/server.crt
> > > > > > SSLCertificateKeyFile /path/to/server.key
> > > > > >
> > > > > > The private key is unencrypted so that the server can restart
> > > > > > automatically.
> > > > > >
> > > > > > Now I'd like to use the same certificate and private key in a
> > > > > > Tomcat-only configuration, but I can't quite figure out how to get
> > > > > > these two pieces of information into keytool for tomcat to use!
> > > > > >
> > > > > > It's easy enough to import the certificate:
> > > > > >
> > > > > > keytool -import -alias tomcat -file /path/to/server.crt
> > > > > >
> > > > > > but I know that the private key needs to be in the keystore too, and
> > > > > > I haven't been able to figure out how to get it in there!
> > > > > >
> > > > > > Simply trying to import it:
> > > > > >
> > > > > > keytool -import -alias tomcat -file /path/to/server.key
> > > > > >
> > > > > > gives me the message:
> > > > > >
> > > > > > keytool error: java.lang.Exception: Input not an X.509 certificate
> > > > > >
> > > > > > which doesn't really surprise me because the private key is not an
> > > > > > X.509 certificate! But how can I tell keytool about my private key?
> > > > > >
> > > > > > Can I do this? If so, how? Can I do it with just keytool? Do I need
> > > > > > to use openssl to tweak something?
> > > > > >
> > > > > > I saw some comments in the httpd.conf file (comments added by
> > > > > > mod_ssl) that suggest the certificate and the private key can be
> > > > > > "combined" somehow. Is this what I need to do? If so, how do I do
> > > > > > this?
> > > > > >
> > > > > > Or do I have to toss my old keys and generate a new CSR with keytool?
> > > > > > The Tomcat tutorial on how to do that seems reasonably
> > > > > > straightforward. But I would much prefer to use my existing key and
> > > > > > certificate!
> > > > > >
> > > > > > I actually tried this for the first time two years ago. After trying
> > > > > > everything I could think of, and posting to tomcat-user and getting
> > > > > > no replies, I gave up and left things the way they were. Now, two
> > > > > > years later, I *still* can't figure out, or find a recipe, to explain
> > > > > > how to migrate from an Apache/mod_ssl/Tomcat configuration to a plain
> > > > > > Tomcat configuration!
> > > > > >
> > > > > > Thanks for any help.
> > > > > >
> > > > > > Scott
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
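Bill's one-liner is the whole information flow Mike was asking about: with clientAuth="true" the connector stores the verified chain on the request, and nothing else (no Realm, no security constraint) is needed to reach it. The filter below is an added example, not code from this thread or from Tomcat, showing how a webapp should consume that attribute: it refuses the request when no certificate arrived (plain HTTP, clientAuth="false"/"want" with a browser that sent nothing, or a front-end proxy that terminated TLS and did not forward the certificate), re-checks the validity period, and publishes the subject DN for JSPs. The class name `ClientCertFilter`, the request attribute `example.clientCertSubjectDN`, and the 2003-era `javax.servlet` package names are assumptions of this example.

```java
// Added example (not from the thread): a servlet filter that reads the client
// certificate chain Tomcat exposes after a clientAuth="true" handshake.
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClientCertFilter implements Filter {

    // Standard attribute name from the Servlet spec; Tomcat sets it only when
    // the TLS handshake actually delivered (and JSSE verified) a client chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical attribute name under which this filter publishes the DN.
    static final String DN_ATTR = "example.clientCertSubjectDN";

    public void init(FilterConfig cfg) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // Never assume certs[0] exists: the attribute is absent whenever the
        // connector did not perform (or was not told about) client auth.
        if (certs == null || certs.length == 0) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // certs[0] is the client's leaf certificate; certs[1] signed it, and so on.
        X509Certificate client = certs[0];
        try {
            // JSSE already validated the chain against the truststore at handshake
            // time; re-checking the dates here guards against long-lived keep-alive
            // connections outliving the certificate.
            client.checkValidity();
        } catch (CertificateException expiredOrNotYetValid) {
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }

        // The subject DN is the identity the thread talks about (and, per Bill,
        // what MemoryRealm matches as the 'username' for CLIENT-CERT auth). The
        // exact string form depends on the JVM/Tomcat version, so log what this
        // prints before pasting it into tomcat-users.xml rather than guessing.
        String dn = client.getSubjectDN().getName();
        req.setAttribute(DN_ATTR, dn);

        chain.doFilter(req, res);
    }

    // Convenience for JSPs: <%= ClientCertFilter.subjectDN(request) %>
    public static String subjectDN(ServletRequest req) {
        Object dn = req.getAttribute(DN_ATTR);
        return dn == null ? null : dn.toString();
    }
}
```

Register the filter in the webapp's web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> covers the pages that must see the certificate; because the check runs before any servlet or JSP, a missing or expired certificate never reaches application code, which is the property Mike wanted without introducing a security constraint.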