But (as I pointed out in 3., 4. and 6.) I have a client cert and a CA cert.
The latter I imported into cacerts.
I tried to do the same without Tomcat but with a very simple HTTP(s)
server and got the same result. So I suggest that I did something
wrong with creating/importing certs.

But what's wrong?

BB> You can't generally use a self-signed client cert with JSSE (you can
BB> configure PureTLS to accept it, but another bug means that you'd have to
BB> wait for 4.1.26).  The work-around is way too much trouble for the sysadmin,
BB> and I don't feel like being an enabler for a truly hideous design.  So,
BB> you'll just have to read the JSSE docs for yourself ;-).

BB> If you need to issue your own client-certs, I'd suggest setting up your own
BB> CA (with OpenSSL or otherwise), and import your CA's cert into cacerts.  You
BB> can then hand out client certs, and Tomcat will accept them.

BB> "Dmitry S.Rogulin" wrote in message
BB> news:[EMAIL PROTECTED]
>> Hello all,
>>
>> Sorry for the previous e-mail. %)
>>
>> This theme was discussed about a month ago. I tried to use what I've
>> found but I'm still having a problem...
>>
>> I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth="true").
>>
>> 1. I've generated a client certificate using keytool:
>>   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
>>
>> 2. Then I created Certificate Signing Request:
>>   keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
>>
>> 3. I sent it to CA and got a signed certificate and CA Certificate.
>> 4. I imported them to the client keystore:
>>   keytool -import -alias root -keystore client.keystore -file cacert
>>   keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
>>
>> 5. I exported server certificate and imported it as a trusted to the
>> trusted keystore:
>>   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
>>
>> 6. I imported CA Certificate to "\jre\lib\security\cacerts" :
>>   keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit
>>
>>   I'm running Tomcat and test client on the same machine.
>>   Server keystore: %USERHOME%\.keystore
>>   Client keystore: %USERHOME%\client.keystore
>>   Client trusted keystore: %USERHOME%\trust.keystore
>>
>>   Test Client:
>> ********************************************
>> import java.net.*;
>> import java.io.*;
>> import java.util.*;
>> import java.security.*;
>> import javax.net.ssl.*;
>>
>> public class SimpleClient {
>>
>>         public static void main(String[] args) {
>>                 // Truststore holds the server cert; keystore holds the client key + cert chain
>>                 System.setProperty("javax.net.ssl.trustStore",
>>                         System.getProperty("user.home") + File.separator + "trust.keystore");
>>
>>                 System.setProperty("javax.net.ssl.keyStore",
>>                         System.getProperty("user.home") + File.separator + "client.keystore");
>>                 System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>>
>>                 InputStream is = null;
>>                 OutputStream os = new ByteArrayOutputStream();
>>
>>                 try {
>>                         URL url = new URL("https://localhost:8443/readme.txt");
>>
>>                         try {
>>                                 is = url.openStream();
>>
>>                                 byte[] buffer = new byte[4096];
>>                                 int bytes_read;
>>                                 while ((bytes_read = is.read(buffer)) != -1)
>>                                         os.write(buffer, 0, bytes_read);
>>
>>                                 System.out.println(os.toString());
>>
>>                         } catch (Exception e) { e.printStackTrace(); }
>>                         finally {
>>                                 try {
>>                                         // is is still null if openStream() threw, so guard the close
>>                                         if (is != null) is.close();
>>                                         os.close();
>>                                 } catch (IOException e) { e.printStackTrace(); }
>>                         }
>>
>>                 } catch (Exception e) { e.printStackTrace(); }
>>
>>         }
>> }
>> ********************************************
>>
>> With [clientAuth="false"] it works fine, but with [clientAuth="true"]
>> it gives an error:
>>
>> java.net.SocketException: Software caused connection abort: recv failed
>>         at java.net.SocketInputStream.socketRead0(Native Method)
>>         at java.net.SocketInputStream.read(SocketInputStream.java:129)
>>         at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
>>         at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
>>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>>
>> What did I do in a wrong way?
>>
>> Thanks in advance.
>>
>> Best regards,
>> Dmitry.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
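Bill's suggestion (run your own CA, sign the client CSR with it, import the CA cert into the truststore) and Dmitry's steps 1-6 amount to one procedure, which is shown end to end below as an added example; it is not code from the thread, from Tomcat or from JSSE. It uses OpenSSL for the CA side and reproduces the CSR with openssl so it runs without a JDK (in the real flow the CSR comes from `keytool -certreq` as in step 2). The file names cacert and the tomcat-cl alias follow the post; WORK, ca.key, the config sections and the "Example Private CA" name are assumptions. The last function is the defender's check: a cert the CA issued chains to cacert, a self-signed client cert does not, which is exactly the distinction JSSE draws when it consults cacerts.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA built with OpenSSL that
# signs a client CSR, plus the check that separates a CA-issued client cert from
# a self-signed one. File names (cacert, the tomcat-cl alias) follow the post;
# WORK, ca.key and the config sections are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. The CA: a self-signed cert with CA:TRUE, whose key never leaves the admin.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/cacert" >/dev/null 2>&1
}

# 2. Stand-in for the CSR the client produces with
#      keytool -certreq -alias tomcat-cl -file certreq.csr -keystore client.keystore
#    (made with openssl here so the example runs without a JDK; $1 is the CN).
make_client_csr() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1" > "$WORK/$1.cnf"
  openssl req -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# 3. The CA signs the CSR as a leaf cert for TLS client auth. The output is the
#    "usercert" the client imports under its key alias after importing cacert.
sign_client_csr() {
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/cacert" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# What a self-signed client cert looks like: the same CSR config, but with -x509.
make_self_signed_client_cert() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1" > "$WORK/$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Returns 0 only if the cert chains to cacert and is usable as a TLS client cert;
# this is the same decision JSSE makes against the CA certs in its truststore.
accepted_by_ca() {
  openssl verify -CAfile "$WORK/cacert" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

# Prints the issuer DN of a cert, for a human-readable check of who signed it.
issuer_of() {
  openssl x509 -noout -issuer -in "$WORK/$1.crt"
}

make_ca
make_client_csr tomcat-cl
sign_client_csr tomcat-cl
accepted_by_ca tomcat-cl && echo "tomcat-cl: $(issuer_of tomcat-cl), accepted"

make_self_signed_client_cert selfsigned-cl
accepted_by_ca selfsigned-cl || echo "selfsigned-cl: not issued by the CA, rejected"
```

On the Java side the order of step 4 in the post is the one that matters: import cacert first (alias root) so keytool can build the chain, then import the CA-signed usercert under the same alias that holds the private key (tomcat-cl); importing the signed cert under a fresh alias leaves the keystore with a key entry that still carries the self-signed cert, which is what JSSE then presents.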