"Michael Jeffrey Tucker" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi,
>
>   Some more digging revealed that what I have done so far is what is/was
> intended. Back in 2000, Craig McClanahan wrote that:
>
> "If all you want to do is make sure the client has a valid certificate,
> you don't need to use a security constraint at all -- just set the
> "clientAuth"  property on the Connector to true, and no requests will be
> accepted without a certificate.  On the other hand, if you want to use
> security constraints in addition, you will need to define the user (and
> associated roles) in your Realm, just as you would for any other login
> method."
>
> All I want Tomcat to do is make sure that the client has a valid
> certificate. But I also want this certificate to be accessible to my
> webapps. There doesn't seem to be any discussion of how the authentication
> information flows from the initial SSL connection to the JSP request
> object. Is there any such information flow without security constraints?
> Or am I approaching this all wrong?
>

This was actually covered in another thread today :-).  As Craig said, you
set clientAuth="true" to force the browser to send the certificate.  Then in
your servlet you do:
   X509Certificate[] certs =
       (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

certs[0] is the client's cert, certs[1] is the signer of certs[0], and so
on.



> Thanks again,
> Mike
>
> On Wed, 12 Nov 2003, Michael Jeffrey Tucker wrote:
>
> > Hi,
> >
> >   Thanks for your help. I was wondering if anyone has any suggestions for
> > the following problem: I would like Tomcat to accept any SSL connection
> > where it recognizes the CA for the client certificate and then provide my
> > webapp access to this certificate. It turns out that I don't think I want
> > to use the CLIENT-CERT auth.
> >
> >   My current setup seems to handle the first part -- I have clientAuth set
> > to true in my server.xml's SSLServerSocketFactory configuration and I have
> > removed the security constraints from my app's web.xml. When I point a
> > browser at the site/ssl port, I am prompted for my client certificate. So
> > far, so good!
> >
> >   The problem is that I am not sure how to get access to the
> > certificate from JSP. I have looked into the methods that are provided by
> > the HttpServletRequest interface, but getAuthType(), getRemoteUser(), and
> > getUserPrincipal() all return NULL. I guess this makes sense because the
> > SSL certificate is not being used for apps-specific security enforcement,
> > but I know that the certificate must be floating around there somewhere.
> > Are there any other request-related objects that my JSP code can access
> > that would give me access to the cert? Any pointers would be greatly
> > appreciated!
> >
> > Thanks,
> > Mike
> >
> >
> > On Tue, 11 Nov 2003, Bill Barker wrote:
> >
> > > At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the
> > > Tomcat ships-with Realms).  There are patches for JNDIRealm and JDBCRealm
> > > floating around in Bugzilla, that should be fine if you are using Sun's JVM.
> > > (The Sun dependencies are basically why they are still floating :).
> > >
> > > Once you have enabled MemoryRealm (and, for versions < 4.1.29, disable the
> > > default DataSource), then the 'username' in tomcat-users.xml is the cert's
> > > DN (aka Subject).  The password can be anything you want (it is ignored for
> > > CLIENT-CERT auth).
> > >
> > > ----- Original Message -----
> > > From: "Michael Jeffrey Tucker" <[EMAIL PROTECTED]>
> > > To: "Bill Barker" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, November 11, 2003 8:55 PM
> > > Subject: Re: Using Apache/mod_ssl certificate and private key with
> > > Tomcat/keytool
> > >
> > >
> > > > Hi Bill,
> > > >
> > > >   Do you know of a similar howto for client authentication with ssl? I've
> > > > had nothing but trouble getting a system with self-signed keys up and
> > > > running. I found a post in the archives about signing your own keys, which
> > > > suggests that is an OK thing to do, and I've found posts by people who
> > > > have client-side authentication up. But I haven't been able to combine the
> > > > two. Also, I've been doing all my debugging on the client-side with the
> > > > command line version of OpenSSL -- I'd like to look at what JSSE has to
> > > > say (because the catalina logs are only showing incoming connections
> > > > between assigned and awaited, no more details). Are there any howtos that
> > > > describe the logging process in more detail that might be worth looking
> > > > at?
> > > >
> > > > Thanks,
> > > > Mike
> > > >
> > > > On Tue, 11 Nov 2003, Bill Barker wrote:
> > > >
> > > > > The Tomcat 5 ssl-howto contains an example of how to do this.  It works
> > > > > with Tomcat 4.1.x as well.
> > > > >
> > > > > Long-story-short, it works by "combining" the private-key and the cert.
> > > > > JSSE can use the resulting pkcs12 file as a keystore.
> > > > >
> > > > > "Scott Kelley" <[EMAIL PROTECTED]> wrote in message
> > > > > news:[EMAIL PROTECTED]
> > > > > > Hi,
> > > > > >
> > > > > > I have an Apache+mod_ssl+Tomcat configuration that's been working
> > > > > > fine for several years. I have an SSL certificate from Verisign, and
> > > > > > my httpd.conf file contains:
> > > > > >
> > > > > > SSLCertificateFile /path/to/server.crt
> > > > > > SSLCertificateKeyFile /path/to/server.key
> > > > > >
> > > > > > The private key is unencrypted so that the server can restart
> > > > > > automatically.
> > > > > >
> > > > > > Now I'd like to use the same certificate and private key in a
> > > > > > Tomcat-only configuration, but I can't quite figure out how to get
> > > > > > these two pieces of information into keytool for tomcat to use!
> > > > > >
> > > > > > It's easy enough to import the certificate:
> > > > > >
> > > > > >      keytool -import -alias tomcat -file /path/to/server.crt
> > > > > >
> > > > > > but I know that the private key needs to be in the keystore too, and
> > > > > > I haven't been able to figure out how to get it in there!
> > > > > >
> > > > > > Simply trying to import it:
> > > > > >
> > > > > >      keytool -import -alias tomcat -file /path/to/server.key
> > > > > >
> > > > > > gives me the message:
> > > > > >
> > > > > >      keytool error: java.lang.Exception: Input not an X.509 certificate
> > > > > >
> > > > > > which doesn't really surprise me because the private key is not an
> > > > > > X.509 certificate! But how can I tell keytool about my private key?
> > > > > >
> > > > > > Can I do this? If so, how? Can I do it with just keytool? Do I need
> > > > > > to use openssl to tweak something?
> > > > > >
> > > > > > I saw some comments in the httpd.conf file (comments added by
> > > > > > mod_ssl) that suggest the certificate and the private key can be
> > > > > > "combined" somehow. Is this what I need to do? If so, how do I do
> > > > > > this?
> > > > > >
> > > > > > Or do I have to toss my old keys and generate a new CSR with keytool?
> > > > > > The Tomcat tutorial on how to do that seems reasonably
> > > > > > straightforward. But I would much prefer to use my existing key and
> > > > > > certificate!
> > > > > >
> > > > > > I actually tried this for the first time two years ago. After trying
> > > > > > everything I could think of, and posting to tomcat-user and getting
> > > > > > no replies, I gave up and left things the way they were. Now, two
> > > > > > years later, I *still* can't figure out, or find a recipe, to explain
> > > > > > how to migrate from an Apache/mod_ssl/Tomcat configuration to a plain
> > > > > > Tomcat configuration!
> > > > > >
> > > > > > Thanks for any help.
> > > > > >
> > > > > > Scott
> > > > >
> > > >
> > >
> > >
> >




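The request-attribute approach from Bill's reply, worked into a complete servlet. This is an added example and not code from the thread or from Tomcat; the servlet name is hypothetical, and it assumes a Servlet 2.x container with clientAuth="true" on the connector so that the connector, not the webapp, has already verified the chain against the truststore.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: reads the client certificate that Tomcat places in the
// "javax.servlet.request.X509Certificate" attribute when clientAuth="true".
public class ClientCertServlet extends HttpServlet {

    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Returns the client's own certificate, or null when the request carried none
    // (plain HTTP, or a connector that does not demand a client certificate).
    static X509Certificate clientCert(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        // chain[0] is the client's cert, chain[1] signed chain[0], and so on.
        return chain.length > 0 ? chain[0] : null;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate cert = clientCert(request);
        if (cert == null) {
            // Fail closed: without a certificate there is no identity to act on.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            // The connector verified the signature chain at handshake time; the
            // validity window is cheap to re-check at the moment of use.
            cert.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not currently valid");
            return;
        }
        // Subject DN in RFC 2253 form: the identity the connector actually verified,
        // unlike getRemoteUser(), which stays null without a security constraint.
        String subject = cert.getSubjectX500Principal().getName();
        response.setContentType("text/plain");
        response.getWriter().println("Authenticated client: " + subject);
    }
}
```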