Hi Christopher,
Thank you for your help. We really appreciate it 😊 ... Apologies for the late reply though; as I am communicating with my office email id, and we had leaves here, I could only reply now.

I will provide some more information here so that it is possible to imagine our requirement:

- The server A where Tomcat is running hosts a REST-based application (BPMN-based, called Camunda ... it’s a 3rd party application). For example, when an application wants to trigger a workflow or BPMN deployed in Camunda, it will fire the appropriate request to a URL that looks something like this:

  https://<Server A or machine where Camunda is deployed in tomcat>/engine-rest/process-definition/key/<name of the process to be invoked>/start

- Now, the requirement is ... there are several custom processes deployed and multiple clients invoke multiple processes available with Camunda, hence the <name of the process to be invoked> is the dynamic part here. We want to apply client certificate authentication only for one of the processes, which only Application B will invoke using the above URL.

Thus, we are looking at:

1) Applying client certificate authentication to only a particular URL and not for all URLs.
2) How to create the trust store? How is it different from the keystore? Can I use the cacerts of the Java that is used by Tomcat as the trust store?
3) Is enabling SSL mandatory for client certificate authentication? Because we will anyway import the client certificate in the trust store, so is enabling SSL and sharing the server certificate with the client required here?

Let me know if you need any more information.
Thanks and Regards
Omkar Patkar

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, April 26, 2023 10:28 PM
To: users@tomcat.apache.org
Subject: Re: How to setup client certificate based authentication in Tomcat 9

Patkar,

On 4/26/23 10:34, Patkar Omkar Anant wrote:
> I am a bit of a newbie to this domain of client certificate-based
> authentication. We have two applications … A (server) and B (client).
>
> Web application A runs on Apache Tomcat 9.0.52. (It’s a REST API based
> application.) Application B invokes the REST API of application A.
>
> Now we want to introduce client certificate-based authentication
> between A and B.

Good for you. I wish more and more services would (a) offer this and (b) actually use it.

> So far, based on information I have gathered from the internet, all I
> have got is different pieces, but I am not able to connect the dots on
> how to set up or configure Tomcat (where A is hosted) to achieve this
> requirement.
>
> I have been provided a certificate by application B that
> is going to access our application A.

Good so far. You need to configure Application A (server) with a "trust store" which contains that certificate.

> But what are realms, how to map them with the certificate provided to
> us and configure that realm in Tomcat, where to store the certificate
> provided by the client, how to enforce the webapp on system A to go for
> client certificate authentication etc… these dots I am not able to connect.

You are very unlikely to need a Realm at all. Will you be requiring a client cert for every connection, or is it only for some users?

> It would be great and appreciated if someone can guide me on the correct
> sequence and steps I should follow … basically, help me to connect
> the dots.
> 😊

In order to get Tomcat to request and/or process a client's TLS certificate, you need to alter your <Connector> to include some of these:
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support)

  truststoreFile (points to the JKS or P12 (preferred) file that contains your trusted certificates)

  certificateVerification (choose either "optional" for requesting but not requiring it for all clients, or "required" to require a certificate to be presented by all clients)

If you just want to require all requests to present that certificate, then you need:

  certificateVerification="required"
  truststoreFile="mykeystore.p12"
  truststorePassword="secret"

This should do all the checking you need. You should not even have to configure your web application to use CLIENT-CERT authentication unless you want to be able to identify the caller from within the application. If you want that, reply and I can explain what happens next.

-chris
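The connector settings Chris lists, written out as a complete Tomcat 9 server.xml fragment. This is an added example, not configuration from the thread, from Tomcat's own docs or from Camunda; the port, the file names conf/server.p12 and conf/clients.p12 and the passwords are assumed values.

```xml
<!-- Added example (not from the thread): an HTTPS connector that presents
     the server's own certificate and verifies each client's certificate
     against a trust store. Port, file names and passwords are assumed. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150">
    <!-- TLS is not optional here: the client certificate is exchanged
         inside the TLS handshake, so the connector has to serve HTTPS. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="required"
                   truststoreFile="conf/clients.p12"
                   truststorePassword="changeit"
                   truststoreType="PKCS12">
        <!-- "required" rejects every connection that presents no trusted
             client certificate. "optional" requests one but still accepts
             clients without it; in that case the application must enforce
             CLIENT-CERT itself for the requests that need it. -->

        <!-- Keystore vs. truststore: the keystore holds the server's own
             private key and certificate (what clients see); the truststore
             holds only the certificates the server trusts when checking
             client certificates. Keep them in separate files. -->
        <Certificate certificateKeystoreFile="conf/server.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeystoreType="PKCS12"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```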