Omkar,

On 5/3/23 00:28, Patkar Omkar Anant wrote:
> The server A where Tomcat is running hosts a REST-based application
> (BPMN-based, called Camunda; it is a 3rd-party application).
>
> For example, when an application wants to trigger a workflow or BPMN
> deployed in Camunda, it fires the appropriate request to a URL that
> looks something like this:
>
> https://<Server A>/engine-rest/process-definition/key/<name of the process to be invoked>
>
> Now, the requirement is this: there are several custom processes
> deployed, and multiple clients invoke multiple processes available in
> Camunda, hence the <name of the process to be invoked> is the dynamic
> part here.
>
> We want to apply client certificate authentication only for one of
> the processes, which only Application B will invoke using the above URL.
> This ^^^ is the important part.

Are you using a reverse-proxy, or are clients connecting directly to Tomcat?

> Thus, we are looking at:
>
> 1) Applying client certificate authentication to only a particular URL and not
> to all URLs.

In order to do this, you have to tell Tomcat to "ask" for the certificate but not require it. The configuration for this is in conf/server.xml in the <Connector>[1] you use for your secure endpoint, e.g.:

<Connector port="8443" SSLEnabled="true" ...>
  <!-- "optional" asks every client for a certificate but completes the handshake
       without one; the legacy equivalent on the <Connector> itself is clientAuth="want" -->
  <SSLHostConfig certificateVerification="optional" ...>

> 2) How do I create the trust store? How is it different from the keystore?
> Can I use the cacerts of the Java that is used by Tomcat as the trust
> store?
The only difference between key stores and trust stores is how you use them. Physically, on the disk, they are the same thing. Java can use JKS or PKCS12 keystores, each of which is just a way to put multiple keys and/or certificates into a single file.

> 3) Is enabling SSL mandatory for client certificate authentication?
> Because we will in any case import the client certificate into the trust
> store, is enabling SSL and sharing the server certificate with the client
> required here?
Yes. Client-certificate-based authentication is often called "mutual authentication" because the client authenticates the server (which is very common and what happens when you visit https://www.wikipedia.org/) and ALSO the server authenticates the client (which is less common, and really only used for private connections where the server knows all of the clients who might connect). The certificates are traded back and forth during the TLS handshake, so TLS is indeed required.

There is probably a way to use X.509 keys and certificates for mutual authentication that doesn't involve TLS but your server and client would have to invent a new way to do that and implement it on both sides of an unencrypted connection.

-chris


[1] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
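The reply above covers the first half of question 1 (ask for the certificate without requiring it). The second half, actually rejecting requests to the one protected URL that arrive without an acceptable certificate, still needs something in front of the Camunda webapp. The following is an added example, not code from this thread, from Tomcat or from Camunda: a Tomcat 9 Valve, chosen so the third-party WAR does not have to be modified. The package and class names, the path prefix and the allowed subject DN are placeholders that would be set in server.xml. It assumes the connector uses certificateVerification="optional", so that any certificate a client does present has already been validated against the trust store during the handshake before the valve runs.

```java
package com.example.tomcat;   // hypothetical package name, not a Tomcat or Camunda one

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example (not from the thread, Tomcat or Camunda): require a client
 * certificate, and one specific client identity, for a single URL prefix only.
 * Relies on the connector using certificateVerification="optional": Tomcat asks
 * every client for a certificate but completes the handshake without one, and
 * any certificate that IS presented was validated against the trust store
 * before this valve is reached.
 */
public class ClientCertPathValve extends ValveBase {

    /** Request attribute Tomcat fills from the TLS session when the client sent a certificate. */
    private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    // Placeholders, overridden from server.xml, e.g. inside <Host>:
    //   <Valve className="com.example.tomcat.ClientCertPathValve"
    //          pathPrefix="/engine-rest/process-definition/key/<name of the process to be invoked>"
    //          allowedSubject="CN=application-b,O=Example"/>
    private String pathPrefix = "/engine-rest/process-definition/key/<name of the process to be invoked>";
    private String allowedSubject = "CN=application-b,O=Example";

    public void setPathPrefix(String pathPrefix) { this.pathPrefix = pathPrefix; }
    public void setAllowedSubject(String allowedSubject) { this.allowedSubject = allowedSubject; }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Use the decoded, already-normalised URI and match whole path segments, so that
        // a prefix of "/key/foo" covers "/key/foo" and "/key/foo/start" but not "/key/foobar".
        String path = request.getDecodedRequestURI();
        boolean protectedPath = path.equals(pathPrefix) || path.startsWith(pathPrefix + "/");
        if (!protectedPath) {
            getNext().invoke(request, response);   // every other process URL is untouched
            return;
        }

        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTRIBUTE);
        if (chain == null || chain.length == 0) {
            // Plain HTTP, TLS terminated somewhere else, or TLS without a client certificate.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // Chain validity was settled in the handshake; what is left is authorisation:
        // is this the one client (Application B) allowed to invoke this process?
        // X500Principal.equals compares canonical encodings, so case and whitespace
        // differences in the DN do not matter; the RDN order must still match.
        X500Principal presented = chain[0].getSubjectX500Principal();
        if (!presented.equals(new X500Principal(allowedSubject))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not authorised for this process");
            return;
        }
        getNext().invoke(request, response);
    }
}
```

Compile against the catalina and servlet-api jars shipped in the Tomcat install, put the resulting jar in $CATALINA_BASE/lib, and add the `<Valve>` element shown in the comment to the `<Host>` (or to the Camunda `<Context>`). Two caveats a deployment should check: if a reverse proxy terminates TLS in front of Tomcat, the certificate attribute is never set and every request to the protected path would get a 401, so the check then has to live in the proxy instead; and the valve only authenticates, so anything beyond "is it Application B" (rate limits, which HTTP methods are allowed) still belongs to the application or the proxy.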
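Questions 2 and 3 are easiest to see from the other end of the same handshake. As an added example (not from this thread, from Tomcat or from Camunda), this is what Application B's Java 11+ client does with its two PKCS12 files: the one it loads as a key store holds its own private key and certificate and feeds a KeyManager (the identity it presents to Server A); the one it loads as a trust store holds the CA that issued Server A's certificate and feeds a TrustManager (the server identities it will accept). Both files are read with the same KeyStore code; only what is then done with them differs, which is the point made above. File paths, passwords and the URL are command-line arguments and therefore assumptions, and the request is a plain GET, so the method and body Camunda expects for actually starting a process are left to Camunda's REST documentation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not from the thread): Application B's side of the mutual-TLS call to Server A. */
public class MutualTlsClient {

    /** A PKCS12 file is loaded the same way whether it will serve as key store or as trust store. */
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /** Show what a store holds: private-key entries (an identity) or trusted-certificate entries (an issuer). */
    static void describe(String label, KeyStore store) throws Exception {
        for (String alias : Collections.list(store.aliases())) {
            String kind = store.isKeyEntry(alias) ? "private key + certificate chain"
                                                  : "trusted certificate";
            System.out.println(label + ": alias '" + alias + "' is a " + kind);
        }
    }

    /**
     * The only place the two stores are treated differently: the key store answers
     * "who am I" (KeyManager), the trust store answers "whom do I trust" (TrustManager).
     */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: MutualTlsClient <url> <client-keystore.p12> <keystore-password>"
                    + " <truststore.p12> <truststore-password>");
            System.exit(2);
        }
        // Placeholders: the PKCS12 Application B was issued, and the CA file it was given for Server A.
        char[] keyPassword = args[2].toCharArray();
        KeyStore keyStore = loadPkcs12(args[1], keyPassword);
        KeyStore trustStore = loadPkcs12(args[3], args[4].toCharArray());
        describe("key store", keyStore);
        describe("trust store", trustStore);

        HttpClient client = HttpClient.newBuilder()
                .sslContext(buildContext(keyStore, keyPassword, trustStore))
                .build();
        // Plain GET to the process URL; hostname verification against Server A's certificate is on by default.
        HttpRequest request = HttpRequest.newBuilder(URI.create(args[0])).GET().build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("HTTP " + response.statusCode());
        System.out.println(response.body());
    }
}
```

Reading the failure modes tells you which direction of the mutual authentication broke: an SSLHandshakeException complaining about an unknown or untrusted CA means the trust store passed here does not contain the issuer of Server A's certificate (the client failing to authenticate the server); a handshake the server aborts after the client certificate is sent means that certificate does not chain to anything in Tomcat's trust store (the server failing to authenticate the client); and a clean handshake followed by an HTTP 401 or 403 means TLS was fine and an application-level check in front of Camunda rejected the identity. Taking passwords from argv is for the example only; a real client should read them from a secret store or a protected file.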
