Hello, I'm trying to get Tomcat 4.1.24 working with CLIENT-CERT authentication and am having some difficulty. Would someone please assist me? Thanks in advance ..
I have performed the following steps:

1. Using keytool I created a keystore named server.keystore to contain the server certificate.
2. Using keytool I created a self-signed certificate (for localhost) in the server keystore (aliased as tomcat).
3. Enabled SSL in the server.xml file. At this point I tested the SSL connection and everything is working ..
4. Obtained a client (email) certificate from Thawte and installed it in Internet Explorer.
5. Downloaded the root certificates from the Thawte website.
6. Tried to add them to the cacerts file located in the %JAVA_HOME%\JRE\LIB\SECURITY folder, but they already existed so I cancelled.
7. Set clientAuth="true" in the server.xml file.
8. Changed my script that starts Tomcat so that it references the cacerts file in the %JAVA_HOME%\JRE\LIB\SECURITY folder as the truststore.
9. Configured the relevant portion of the web.xml file as shown below:

------------------------ WEB.XML ----------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>The Entire Web Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
---------------------------------------------------------------

10. Configured the tomcat-users.xml file as shown below:

------------------------ tomcat-users.xml ----------------------------
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="user" description="Authenticated User"/>
  <role rolename="manager" description="Tomcat Manager"/>
  <role rolename="admin" description="Tomcat Administrator"/>
  <user username="administrator" password="password" roles="admin,manager"/>
  <user username="[EMAIL PROTECTED], CN=Thawte Freemail Member" password="null" roles="user"/>
</tomcat-users>
---------------------------------------------------------------

Note: I obtained the last username from the client certificate that I am trying to connect with by examining the certificates submitted by the client and calling certificates[0].getSubjectDN().getName(). I also tried to remove the password="null" attribute from the user tag, and Tomcat keeps putting it back in when I restart.

11. I'm pretty certain that I must add the client certificate to a location where the server may find it. Thus, I imported it as a trusted certificate into the server.keystore. Now that keystore has two entries: one key pair for tomcat and one trusted certificate for the client.

At this point I tried to hit my Tomcat server using https. Internet Explorer prompts me to choose a certificate. I select my personal certificate and click OK. Tomcat responds with the message that it cannot authenticate with the provided credentials. If I change my authentication to BASIC and the username in the tomcat-users.xml file to have a simple username / password combo .. it works.

The funny thing is that if I leave the authentication type as CLIENT-CERT and do not specify a security constraint in my web.xml file, it lets my browser through. All I care about is the ability to allow only certain clients .. not have separate roles for different clients. So, I thought that I could just remove the trusted client certificate from the server.keystore and it would then NOT allow my client to access the server.
Unfortunately, this did not work. Even without the trusted certificate in the server.keystore, my browser was still able to call pages on the server.

Does anyone have any idea why I cannot authenticate a user to a specific role using CLIENT-CERT authentication? I would greatly appreciate any and all assistance you can offer ..

Thanks,
Pat Farrell
[EMAIL PROTECTED]
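The two gates a request passes through in the setup described above, as an added example that is not part of the original message and is a simplified model rather than Tomcat's own code: the TLS handshake (clientAuth="true", trust decided by the truststore the JVM was pointed at) and, only when a security-constraint covers the URL, the realm lookup keyed on the exact subject DN string followed by the role check. The CA name, the e-mail address in the subject DN, the path and the function names are assumptions made for the example; the XML fragments are constructed to mirror the post.

```python
"""Model of a CLIENT-CERT request in Tomcat 4.1 (illustration, not Tomcat code).

Gate 1: the connector (clientAuth="true") accepts the handshake only if the
client certificate chains to an issuer in the truststore.
Gate 2: only when a <security-constraint> covers the URL does the container
ask the realm for the user whose username equals
certs[0].getSubjectDN().getName(), then check that user's roles.
"""
import xml.etree.ElementTree as ET

# Constructed fragments mirroring the post (e-mail address and CA are made up).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="user"/>
  <role rolename="admin"/>
  <user username="administrator" password="password" roles="admin,manager"/>
  <user username="EMAILADDRESS=pat@example.invalid, CN=Thawte Freemail Member"
        password="null" roles="user"/>
</tomcat-users>"""

FREEMAIL_CA = "CN=Example Freemail Issuing CA"  # constructed issuer DN


def parse_constraints(web_xml):
    """Return [(url_patterns, required_roles), ...] from <security-constraint>s."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        out.append((patterns, roles))
    return out


def parse_users(users_xml):
    """Return {username: set(roles)} from <user> elements."""
    root = ET.fromstring(users_xml)
    return {u.get("username"): {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
            for u in root.findall("user")}


def url_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix '/x/*', or '*.ext'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def required_roles(path, constraints):
    """Roles demanded by constraints covering path; None if none covers it."""
    roles = None
    for patterns, rs in constraints:
        if any(url_matches(p, path) for p in patterns):
            roles = (roles or set()) | rs
    return roles


def decide(path, client_cert, truststore, constraints, users):
    """client_cert is {'subject': DN, 'issuer': DN} or None (no cert offered);
    truststore is the set of issuer DNs the server trusts."""
    # Gate 1: needClientAuth rejects the handshake with no cert or an untrusted issuer.
    if client_cert is None:
        return "deny: handshake failed, no client certificate offered"
    if client_cert["issuer"] not in truststore:
        return "deny: handshake failed, issuer not in truststore"
    # Gate 2: with no covering constraint the container never authenticates,
    # so any certificate the truststore accepted gets through.
    roles = required_roles(path, constraints)
    if roles is None:
        return "allow: no security-constraint covers this URL"
    # The realm is queried with the raw subject DN string: attribute order,
    # spacing and attribute-type spelling must equal the username exactly.
    username = client_cert["subject"]
    if username not in users:
        return "deny: no user with a username equal to the subject DN"
    if not roles & users[username]:
        return "deny: user holds none of the required roles"
    return "allow: certificate mapped to a user holding a required role"


if __name__ == "__main__":
    c, u = parse_constraints(WEB_XML), parse_users(TOMCAT_USERS_XML)
    pat = {"subject": "EMAILADDRESS=pat@example.invalid, CN=Thawte Freemail Member",
           "issuer": FREEMAIL_CA}
    other = {"subject": "EMAILADDRESS=other@example.invalid, CN=Thawte Freemail Member",
             "issuer": FREEMAIL_CA}
    print(decide("/index.jsp", pat, {FREEMAIL_CA}, c, u))
    print(decide("/index.jsp", other, {FREEMAIL_CA}, c, u))
    print(decide("/index.jsp", other, {FREEMAIL_CA}, [], u))  # constraint removed
```

The point the model makes visible: the truststore only decides which issuers may complete the handshake, so a truststore as broad as the JRE's cacerts admits every certificate from any bundled CA at gate 1, and with no security-constraint there is no gate 2 at all. Restricting access to particular clients needs both a constraint over the protected paths and a username that is character-for-character the DN string the realm receives.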