Patkar,

On 4/26/23 10:34, Patkar Omkar Anant wrote:
> I am a bit of a newbie to this domain of client certificate-based
> authentication. We have two applications … A (server) and B (client).
>
> Web application A runs on Apache Tomcat 9.0.52 (it's a REST API
> based application). Application B invokes the REST API of application
> A.
>
> Now we want to introduce client certificate-based authentication
> between A and B.
Good for you. I wish more and more services would (a) offer this and (b) actually use it.

> So far, based on the information I have gathered from the internet, all I
> have got is different pieces, but I am not able to connect the dots on
> how to set up or configure Tomcat (where A is hosted) to achieve this
> requirement.
>
> I have been provided a certificate by application B that is going to
> access our application A.
Good so far. You need to configure Application A (server) with a "trust store" which contains that certificate.

> But what are realms, how to map them with the certificate provided to
> us and configure that realm in Tomcat, where to store the certificate
> provided by the client, how to enforce the webapp on system A to go for
> client certificate authentication, etc. … these dots I am not able to
> connect.
You are very unlikely to need a Realm at all.

Will you be requiring a client cert for every connection, or is it only for some users?

> It would be great and appreciated if someone can guide me through the
> correct sequence and steps I should follow … basically, help me to
> connect the dots. 😊
In order to get Tomcat to request and/or process a client's TLS certificate, you need to alter your <Connector> to include some of these:

(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)

truststoreFile (points to the JKS or P12 (preferred) file that contains your trusted certificates)

certificateVerification (choose either "optional" for requesting but not requiring it for all clients or "required" to require a certificate to be presented by all clients)

If you just want to require all requests to present that certificate, then you need:

certificateVerification="required"
truststoreFile="mykeystore.p12"
truststorePassword="secret"

This should do all the checking you need. You should not even have to configure your web application to use CLIENT-CERT authentication unless you want to be able to identify the caller from within the application.

If you want that, reply and I can explain what happens next.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
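Putting Chris's three attributes into context, here is an added example of a complete HTTPS Connector for Tomcat 9 that requires a client certificate. It is not from the original post or from the Tomcat documentation; the port, file names and passwords are placeholders. It places the attributes on the nested SSLHostConfig element, which is where Tomcat 9 documents them; the older Connector-level attributes (clientAuth, truststoreFile, ...) are still accepted but deprecated.

```xml
<!-- Added example for this thread (not from the original post or the Tomcat docs):
     an HTTPS <Connector> in server.xml for Tomcat 9 that requires every client
     to present a certificate. Port, file names and passwords are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150">

    <!-- certificateVerification="required" rejects any TLS handshake without a
         client certificate that chains to something in the trust store.
         Use "optional" instead if only some callers will have a certificate;
         the application must then check for it itself. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="required"
                   truststoreFile="conf/client-truststore.p12"
                   truststorePassword="CHANGE_ME_truststore"
                   truststoreType="PKCS12">

        <!-- The server's own identity, i.e. what application B verifies.
             This is separate from the trust store used to verify B. -->
        <Certificate certificateKeystoreFile="conf/server-keystore.p12"
                     certificateKeystorePassword="CHANGE_ME_keystore"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The trust store should hold only the certificate B gave you (or the CA that issued it), nothing else; everything in it becomes an acceptable client identity. You can confirm what it contains with `keytool -list -keystore conf/client-truststore.p12 -storetype PKCS12`. With "required", Tomcat does the whole check at the TLS layer and the webapp needs no CLIENT-CERT login-config, exactly as Chris says; with "optional", the certificate (when present) is exposed to the webapp as the request attribute `javax.servlet.request.X509Certificate`, which is the point at which application-level identification starts.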
