Any help you could give me would be greatly appreciated. I have tried the changes you specify below, and am getting the same errors. I think I am close; everything seems to work, except for getting the browser cert into my servlet.

Thank you for all of your help!!


Ramsay Domloge wrote:


"SSLVerifyClient require" in httpd.conf

Also, you will have to specify the SSLCACertificate which must have signed the user cert, and you probably want to specify the SSLVerifyDepth as "1".

If you need any further help just ask - I am getting quite familiar with the fun and games of setting up Apache SSL with Tomcat..!

Beware that there is/was a bug with Tomcat which caused Tomcat to explode when converting the certificate bytes into a Certificate object. This has been patched by Thorvald. He also was good enough to send me a patched JAR which I can send to you if you would like.

Ramsay



Mark W. Webb wrote:

I have the code that you specified working. The problem is that the request.getAttribute("javax.servlet.request.X509Certificate") call is returning null. This leads me to believe that Apache is only performing server authentication. But Netscape asks me for the password for the key information. If Netscape is asking for this information, it must be opening up my key information to send to Apache.

You mentioned that I have to configure Apache to request the cert. How do I get Apache to do this? I thought I would just specify +ExportCertData. Is there anything else? I have Tomcat 4.1.24 running with Apache 2.0.44. Thank you for your help...

Bill Barker wrote:

Well, the basics are simple:
  import java.security.cert.X509Certificate;
     .....
  X509Certificate[] certs = (X509Certificate[])
      request.getAttribute("javax.servlet.request.X509Certificate");

Now comes the hard part :-). certs[0] is always the client's certificate.
For the HTTP/1.1 connector (Coyote or otherwise), the remaining elements in
the array are the signers. For the Ajp13 connector (Coyote or otherwise),
certs.length = 1, and the signers are not available. Also, if you haven't
separately configured Apache/IIS/iPlanet to request the cert, then certs ==
null.


"Mark W. Webb" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]


I need to get the user certificate that the user's browser sends to the
server in order to set up a mutually authenticated SSL connection. Will
a non-SSL connector be able to perform this if I run tomcat with apache
2.0.44?


Does anyone have any experience with SSL and tomcat?  I am having a
really hard time with this.  I would appreciate it greatly if someone
could help me out with this.

Thank you.






---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







--
Mark Webb
Software Engineer
Dolphin Technology
474 Phoenix Drive
Rome, NY 13441-4911

Phone : 315.838.7000 : 315.838.7024
Fax : 315.838.7096
Email : [EMAIL PROTECTED]
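
Added example, not part of any message in this thread: a servlet that handles the cases Bill Barker describes (a null attribute when the front end did not request a certificate, and a one-element array over Ajp13). The class name ClientCertServlet is hypothetical, and the code assumes the front-end web server has already verified the certificate chain.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; illustration only, not code from the thread.
public class ClientCertServlet extends HttpServlet {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        Object attr = request.getAttribute(CERT_ATTR);
        // A null attribute means the front end never requested (or never forwarded)
        // a client certificate: the connection is server-authenticated only. Fail closed.
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        X509Certificate[] certs = (X509Certificate[]) attr;
        X509Certificate client = certs[0]; // always the client's own certificate
        try {
            // Checks the validity dates only; chain verification is assumed to be
            // done by the front end that terminated SSL.
            client.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Subject: " + client.getSubjectX500Principal().getName());
        out.println("Issuer:  " + client.getIssuerX500Principal().getName());
        out.println("Serial:  " + client.getSerialNumber().toString(16));
        // Over Ajp13 only certs[0] arrives; the signers are present only when
        // the HTTP/1.1 connector handles SSL itself.
        if (certs.length == 1) {
            out.println("Signers: not supplied by this connector");
        }
        for (int i = 1; i < certs.length; i++) {
            out.println("Signer " + i + ": " + certs[i].getSubjectX500Principal().getName());
        }
    }
}
```

Do not index past certs[0] without checking certs.length, since the signer entries are absent behind Ajp13.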





