Tomcat - Two Way SSL as Server

Mon, 14 Nov 2016 10:27:33 -0800 

Hi All,

I'm trying to implement two way SSL on a new web service that we are building 
and I'm having some issues.

First some info on  the environment.

Server version: Apache Tomcat/8.0.36
Server built:   Jun 9 2016 13:55:50 UTC
Server number:  8.0.36.0
OS Name:        Linux
OS Version:     3.10.0-514.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_111-b14
JVM Vendor:     Oracle Corporation

We use an internal certificate authority to sign all of our certificates. So 
all the client certificates are signed by our internal root. When I trust the 
root certificate in the client trust store everything works. All client 
certificates signed by the internal root work.

However, if I remove the root certificate from the client trust store, and add 
individual client certificates instead I get a cert chain error.
________________________________
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 
107108750176335210433834926983330116805775068919227166974389735341685270962458
  public y coord: 
93195725734236902743006469378087068209149058097948526490562555560744449337507
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, 
SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, 
SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, 
SHA1withDSA
Cert Authorities:
<CN=Client, OU=Information Technology, O=Company, L=Calgary, ST=Alberta, C=CA>
*** ServerHelloDone
http-nio2-8443-exec-4, WRITE: TLSv1.2 Handshake, length = 4482
http-nio2-8443-exec-2, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
http-nio2-8443-exec-2, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
http-nio2-8443-exec-2, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
http-nio2-8443-exec-2, WRITE: TLSv1.2 Alert, length = 2
http-nio2-8443-exec-2, fatal: engine already closed.  Rethrowing 
javax.net.ssl.SSLHandshakeException: null cert chain
http-nio2-8443-exec-2, called closeOutbound()
http-nio2-8443-exec-2, closeOutboundInternal()
________________________________
This is an issue for us as we can't have all the client certificates in the 
company granted access to this endpoint, it kind of defeats the purpose.

The company root certificate is in another trust store used on server startup. 
Here are my configs.

Server.xml connector:
________________________________
   <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               port="8443" maxThreads="24" minSpareThreads="4" 
maxSpareThreads="4" acceptCount="1000" server=" "
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="certs/servercert.jks" keystorePass=" 
CrazyPasswordHere"
               clientAuth="true" 
truststoreFile="/usr/local/tomcat/certs/clienttrust.jks" 
truststorePass="CrazyPasswordHere"
               sslEnabledProtocols="TLSv1.2" sslProtocol="TLS"
               
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
               
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
               useServerCipherSuitesOrder="true" compression="on" 
compressionMinSize="2048"
               
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"
 />
________________________________
Systemd init:
________________________________
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat
After=syslog.target network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/usr/local/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/usr/local/tomcat
Environment=CATALINA_BASE=/usr/local/tomcat
Environment='CATALINA_OPTS= -Xms2048M -Xmx2048M -server -XX:+UseParallelGC \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=8090 \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=/usr/local/tomcat/conf/jmxremote.password
 \
-Dcom.sun.management.jmxremote.access.file=/usr/local/tomcat/conf/jmxremote.access
 \
-Djavax.net.debug=SSL \
-Djavax.net.ssl.trustStore=/usr/local/tomcat/certs/servertrust.jks \
-Djavax.net.ssl.trustStorePassword=CrazyPasswordHere \
-Djavax.net.ssl.keyStore=/usr/local/tomcat/certs/serverclient.jks \
-Djavax.net.ssl.keyStorePassword=CrazyPasswordHere '
Environment='JAVA_OPTS=-Djava.awt.headless=true 
-Djava.security.egd=file:/dev/./urandom'

ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID

User=tomcat
Group=tomcat

[Install]
WantedBy=multi-user.target
________________________________

Thanks!

Robert Sulliman

Reply via email to