Hi All,

I am working with Tomcat 4. I do all the steps provided in server.xml, viz.:

__________________________________________________________

Step 2: Generate Client and Server Certificates

It is necessary to generate a Certificate for the client and the server. These Certificates are then imported into a keystore, to which the client and server connect. The keystore acts as a database for security certificates. You are going to use the keytool utility in the JDK to do these tasks (see Sun's documentation for more information on this tool).

Step 2a: Generate a Server Key and Certificate

Launch keytool from a shell (or command prompt) to generate your public and private key. Note that the Certificate and keystore files will be generated in the directory you run keytool from. Use keytool as follows:

keytool -genkey -alias tomcat-sv -dname "CN=[Common Name],OU=[Organisation Unit], O=[Organisation Name], L=[Locality], S=[State Name], C=[Two-Letter Country Code]" -keyalg RSA -keypass [private key password] -storepass [keystore password] -keystore [keystore file name]
For example, to generate a keystore (in file server.keystore) for server soapsvr.test.tcd.ie using password changeit (for both the keystore and the certificate) in the Computer Engineering group at Trinity College Dublin, Ireland, one would type the following:

keytool -genkey -alias tomcat-sv -dname "CN=soapsvr.test.tcd.ie, OU=ComputerEngineering, O=Trinity College Dublin, L=Dublin, S=Dublin, C=IE" -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore

Note that the RSA algorithm is used to generate certificates. Ensure that the 'CN' field that you specify when you create the server certificate matches the name of the machine on which you're running Tomcat, or your browser will complain about certificate name mismatches (not a problem on a test server, a big problem on a production server!).

Step 2b: Export the Server Certificate

From the command prompt run this command to export your certificate from the keystore into an external file (we do this so we can import the certificate into the client's keystore as a trusted certificate):

keytool -export -alias tomcat-sv -storepass changeit -file server.cer -keystore server.keystore

If everything works, you should now have a file called server.cer which contains your server's certificate.

Step 2c: Generate a Client Key and Certificate

This step is very similar to the generation of the server key and certificate - it uses the same keytool tool with different parameters. Note that the keystore file name has changed (it is now client.keystore).
Use keytool as follows:

keytool -genkey -alias tomcat-cl -dname "CN=Client,OU=TRL, O=IBM, L=Yamato-shi, S=Kanagawa-ken, C=JP" -keyalg RSA -keypass changeit -storepass changeit -keystore client.keystore

Step 2d: Export the Client Certificate

This step is very similar to the export of the server certificate - it uses the same keytool tool with different parameters:

keytool -export -alias tomcat-cl -storepass changeit -file client.cer -keystore client.keystore

If everything works, you should now have a file called client.cer which contains your client's certificate.

Step 2e: Import the Certificates into the Keystores

We want the client certificate to be added to the server's keystore, and the server's certificate to be added to the client's keystore. Doing this will mean that the client and server trust one another.

Import the server certificate into the client's keystore:

keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass changeit -storepass changeit

Import the client certificate into the server's keystore:

keytool -import -v -trustcacerts -alias tomcat -file client.cer -keystore server.keystore -keypass changeit -storepass changeit

__________________________________________________________

As long as I keep clientAuth="false" in server.xml it runs fine. But when I make it true, it looks for the client certificate, which it obviously can't find. How do I get the client certificate from above? What is client.cer then? Any clues appreciated.

Thanks and Regards,
Tathagat
GBS - Legal Services
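The quoted tutorial stops at client.cer, which is only the client's public certificate: it carries no private key, so a browser cannot present it as a client identity, and that is why Tomcat sees no certificate once clientAuth="true". What the browser needs is the client's private key and certificate bundled together as a PKCS#12 file. The keytool shipped with the JDKs of the Tomcat 4 era could not export a private key (people used openssl or a small Java program instead); keytool gained -importkeystore, which can, in JDK 6. The script below is an added example, not part of the original post or of the Tomcat documentation: it runs the tutorial's steps 2a to 2e with the tutorial's own aliases, names and 'changeit' password, adds the missing PKCS#12 export, and then checks what each keystore actually holds. It assumes a JDK 7 or later keytool on PATH; the scratch directory, the trust aliases server-trust and client-trust, and the file name client.p12 are my choices.

```shell
#!/bin/sh
# Added example (not from the original post or the Tomcat docs): builds the
# server and client keystores the tutorial describes, cross-imports the
# certificates, then exports the client's private key + certificate as a
# PKCS#12 file a browser can import. Requires a JDK keytool on PATH.
# Hostnames, aliases tomcat-sv/tomcat-cl and the password are the tutorial's;
# the scratch directory, *-trust aliases and client.p12 are assumptions.
set -eu

PASS=changeit
SERVER_CN=soapsvr.test.tcd.ie

# Build both keystores and client.p12 inside directory $1.
build_keystores() {
    dir=$1
    mkdir -p "$dir"
    # 2a: server key pair. Modern browsers match the hostname against the
    # SAN extension, not CN alone, so add one (needs JDK 7+).
    keytool -genkeypair -alias tomcat-sv -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$SERVER_CN, OU=ComputerEngineering, O=Trinity College Dublin, L=Dublin, ST=Dublin, C=IE" \
        -ext "SAN=dns:$SERVER_CN" \
        -keypass "$PASS" -storepass "$PASS" -keystore "$dir/server.keystore"
    # 2c: client key pair (the identity the browser will present).
    keytool -genkeypair -alias tomcat-cl -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Client, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa-ken, C=JP" \
        -keypass "$PASS" -storepass "$PASS" -keystore "$dir/client.keystore"
    # 2b/2d: export the public certificates only. client.cer contains no
    # private key, so on its own it cannot serve as a browser client identity.
    keytool -exportcert -rfc -alias tomcat-sv -storepass "$PASS" \
        -keystore "$dir/server.keystore" -file "$dir/server.cer"
    keytool -exportcert -rfc -alias tomcat-cl -storepass "$PASS" \
        -keystore "$dir/client.keystore" -file "$dir/client.cer"
    # 2e: cross-import as trusted certificates. -noprompt answers the
    # "Trust this certificate?" question so the script runs unattended.
    keytool -importcert -noprompt -alias server-trust -file "$dir/server.cer" \
        -storepass "$PASS" -keystore "$dir/client.keystore"
    keytool -importcert -noprompt -alias client-trust -file "$dir/client.cer" \
        -storepass "$PASS" -keystore "$dir/server.keystore"
    # The step the tutorial omits: bundle the client's private key AND
    # certificate as PKCS#12, the format a browser's certificate import expects.
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/client.keystore" -srcstorepass "$PASS" -srcalias tomcat-cl \
        -destkeystore "$dir/client.p12" -deststoretype PKCS12 -deststorepass "$PASS"
}

# Print the entry type keytool reports for alias $2 in keystore $1:
# "PrivateKeyEntry" (key + cert) or "trustedCertEntry" (cert only).
entry_type() {
    keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" \
        | grep -Eo 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Succeed only if the certificate inside client.p12 is byte-for-byte the one
# in the server's trust entry, i.e. the browser will present exactly the
# certificate Tomcat has been told to trust.
client_cert_matches() {
    dir=$1
    keytool -exportcert -rfc -alias tomcat-cl -storepass "$PASS" \
        -keystore "$dir/client.p12" > "$dir/from_p12.pem"
    keytool -exportcert -rfc -alias client-trust -storepass "$PASS" \
        -keystore "$dir/server.keystore" > "$dir/from_server.pem"
    cmp -s "$dir/from_p12.pem" "$dir/from_server.pem"
}

main() {
    build_keystores "$1"
    echo "client.p12      tomcat-cl    : $(entry_type "$1/client.p12" tomcat-cl)"
    echo "client.keystore server-trust : $(entry_type "$1/client.keystore" server-trust)"
    echo "server.keystore client-trust : $(entry_type "$1/server.keystore" client-trust)"
    client_cert_matches "$1" && echo "client.p12 certificate matches the server's trust entry"
}

# Usage:  sh mtls-keystores.sh /tmp/mtls
if [ -n "${1-}" ]; then main "$1"; fi
```

Import client.p12 into the browser's personal certificates (password changeit), point the Tomcat connector at server.keystore and set clientAuth="true"; the browser will then offer the tomcat-cl certificate when the server asks for one. Two caveats: keytool's cross-import makes the server accept any certificate sitting in its keystore as a trusted entry, so for anything beyond a test setup issue client certificates from a CA and trust only that CA; and the fixed 'changeit' password is the tutorial's convenience, not a production choice.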