The CN for your server cert can be anything you like but you will get a warning in your browser if the CN differs from how you express it in the URL.

The user needs to look something like this
<user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB" password="null" roles="tomcat,certs"/>
in tomcat-users. It must be the full DN of the user certificate.


HTH,

Mark
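The exact-match requirement Mark describes, as an added example that is not part of any message in this thread (assumed helper names, constructed sample tomcat-users.xml): a small Python script that takes the subject line OpenSSL prints for client_cert.pem (the legacy "/C=GB/L=London/..." form), renders it the way Java's X509Certificate.getSubjectDN().getName() does (RDNs in reverse order, joined by ", "), which is the string Tomcat's CLIENT-CERT lookup uses as the username, and then checks that string against the file. Backslash-escaping of special characters in values follows RFC 2253 and is an assumption; the rest is standard library.

```python
"""Derive the tomcat-users.xml username Tomcat expects for a client
certificate from the subject line OpenSSL prints, then check the lookup.

Added example, not code from the thread. Assumes the legacy OpenSSL
one-line subject format ('/C=GB/O=..') and the DN rendering of
X509Certificate.getSubjectDN().getName(), which Tomcat's CLIENT-CERT
realm lookup uses as the username.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape Mark's reply shows; not a real config.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="certs"/>
  <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB"
        password="null" roles="tomcat,certs"/>
</tomcat-users>
"""

# Characters backslash-escaped in RDN values (RFC 2253 specials; assumption).
_JAVA_SPECIALS = set(',+"\\<>;')


def parse_openssl_subject(subject):
    """Split '/C=GB/L=London/O=Apache/OU=Jakarta/CN=Mark Thomas' into
    [('C', 'GB'), ..., ('CN', 'Mark Thomas')] in OpenSSL's printed order.
    A leading 'subject=' label (printed by 'openssl x509 -subject') is
    dropped, and a backslash-escaped '/' inside a value is kept literally."""
    if subject.startswith("subject="):
        subject = subject[len("subject="):].strip()
    if not subject.startswith("/"):
        raise ValueError("expected the legacy '/C=..' subject format")
    rdns, buf, i = [], [], 1
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            buf.append(subject[i + 1])      # escaped character, taken as-is
            i += 2
            continue
        if ch == "/":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value))
    return pairs


def java_subject_dn(pairs):
    """Render the pairs as Java prints the subject: RDNs in the reverse of
    OpenSSL's order (CN first), joined by ', ', specials backslash-escaped."""
    rendered = []
    for attr, value in reversed(pairs):
        escaped = "".join("\\" + c if c in _JAVA_SPECIALS else c for c in value)
        rendered.append("%s=%s" % (attr, escaped))
    return ", ".join(rendered)


def lookup_roles(tomcat_users_xml, username):
    """Return the role list for an exact <user username=...> match, else None.
    MemoryRealm compares the whole string, so RDN order and the ', '
    spacing must match what Java prints. The older 'name' attribute is
    accepted as well, since some files still use it."""
    root = ET.fromstring(tomcat_users_xml)
    for user in root.iter("user"):
        name = user.get("username") or user.get("name")
        if name == username:
            roles = user.get("roles") or ""
            return [r.strip() for r in roles.split(",") if r.strip()]
    return None


def roles_for_client_cert(openssl_subject, tomcat_users_xml=TOMCAT_USERS_XML):
    """Full check: OpenSSL subject line -> Java DN -> roles (None if unmapped)."""
    dn = java_subject_dn(parse_openssl_subject(openssl_subject))
    return dn, lookup_roles(tomcat_users_xml, dn)


if __name__ == "__main__":
    # Constructed line, as 'openssl x509 -in client_cert.pem -noout -subject'
    # prints it with older OpenSSL releases.
    line = "subject= /C=GB/L=London/O=Apache/OU=Jakarta/CN=Mark Thomas"
    dn, roles = roles_for_client_cert(line)
    print("tomcat-users.xml username:", dn)
    print("roles:", roles)
```

Feed it the output of "openssl x509 -in client_cert.pem -noout -subject"; if the lookup returns None, the fix is to the spacing or RDN order of the username in tomcat-users.xml, not to the certificate, since the realm does a plain string comparison and "CN=Mark Thomas,OU=Jakarta,..." (no spaces) or the OpenSSL order "C=GB, L=London, ..." will never match.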

Mahesh S Kudva wrote:
Hi

It seems like a silly question. But I am new to SSL and Certificates as well as Tomcat.

If my machine's IP is 192.168.0.1 then I access tomcat as https://192.168.0.1:8443. Keeping this in mind, should I give the Common Name as 192.168.0.1 ???

How do I specify the client info in the tomcat-users.xml?

<user name=mahesh password=kudva role="admin">

This is how my tomcat-users.xml file looks.

Regards & Thanks
================
Mahesh S Kudva


-----Original Message----- From: "lercoli" <[EMAIL PROTECTED]> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org> Date: Tue, 3 May 2005 14:33:46 +0200 Subject: Re: Client Authentication


CA and Tomcat common name should be the same (localhost or better your DNS).
First and Last Name of client should be the name of a Tomcat user declared in tomcat-users.xml.

Luca Ercoli

----- Original Message ----- From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Tuesday, May 03, 2005 1:41 PM
Subject: Re: Client Authentication




Hi

What kind of information do I need to put in the fields of First and Last name and Common name? Will any information do, or is it required that I put the server address in the client.p12 certificate..

Regards & Thanks
================
Mahesh S Kudva


-----Original Message----- From: "Mahesh S Kudva" <[EMAIL PROTECTED]> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org> Date: Mon, 02 May 2005 23:04:50 +0530 Subject: Re: Client Authentication


Hi

I tried with client.p12 first; when I failed I went on with client_cert.x509. I placed it in the personal folder ...

Regards & Thanks
================
Mahesh S Kudva


-----Original Message----- From: "lercoli" <[EMAIL PROTECTED]> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org> Date: Mon, 2 May 2005 17:31:54 +0200 Subject: Re: Client Authentication


You should import only the client.p12 certificate in the IE browser, and when IE asks you in which folder you want to put it, select Personal Folder.

I hope it helps you.

Luca Ercoli


----- Original Message ----- From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
To: <tomcat-user@jakarta.apache.org>
Sent: Monday, May 02, 2005 5:08 PM
Subject: Client Authentication




Dear All

I've been able to set up Tomcat 5.0.30 successfully on port 8443. I want to use client authentication. Hence I've enabled clientAuth=true in server.xml.

Running on Mac OS X these were the commands to create a CA and sign a certificate using this CA.

Creating a new CA:
1) perl CA.pl -newca

Certificate request using openssl:
1) perl CA.pl -newreq
2) perl CA.pl -sign
3) mv newreq.pem client_req.pem
4) mv newcert.pem client_cert.pem
5) openssl rsa < client_req.pem > client_key.pem
6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12

For Tomcat using Java keytool to request certificate:
1) openssl x509 -in server_cert.pem -out server.x509
2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
3) keytool -genkey -alias meAsClient -storepass changeit
4) keytool -certreq -alias measclient -file client.csr -storepass changeit
5) openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER -out client_cert.x509 -CAcreateserial
6) keytool -import -alias butterflyCA -keystore /Syst.. ..urity/cacerts -file ../CA/demoCA/cacert.pem
7) keytool -import -alias measclient -keystore clientstore -trustcacerts -file client_cert.x509


Following these commands I don't get any errors. I then import the cacert.pem, the ROOT CA certificate, and the client.p12 and client_cert.x509 to the browser IE 6.0. But still there is a popup requesting the client's identity: it asks me to select a certificate and no certificates are displayed.

How can I go about this?


All suggestions and ideas are welcome.



Regards & Thanks
================
Mahesh S Kudva



-------------------------------------------------------
Robosoft Technologies - Partners in Product Development





---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





