Finally I got Tomcat working with Machine Certificate Storage.
Finally, I got a configuration that works with Certificate Storage. It is very
specific, and I couldn't find any other until now.
It works, but in our environment there is still a required manual step. I think
it should be configured in Windows and is common for all programs requesting the
private key, not specific to Tomcat.
A dialog of Windows Security is shown asking to allow access, similar to UAC
but for certificates.
The server.xml configuration used is
<Connector port="8443"
           scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate
            certificateKeystoreType="Windows-MY-LOCALMACHINE"
            certificateKeystoreFile=""
            certificateKeyAlias="tomcat"/>
    </SSLHostConfig>
</Connector>
I am continuing my research, trying different ciphers and properties, because
I won't be able to use the standard without the . It is clear to me that
different internal libraries are used in Tomcat, so when I use only the it
doesn't work and it won't find the key in the storage.
For the purpose of the initial question, I consider this solution valid, as
Tomcat is able to work with the Windows Local Machine Certificate Storage.
Solution versions:
* JDK 11.0.20+ or a JDK version with the bug fixed:
  https://bugs.openjdk.org/browse/JDK-8286790
* Tested with Tomcat 9.0.63
* Tested in Windows 2019
Thank you for your support. I hope this information is useful to create a Use Case
in the wiki.
Some doubts are in the air yet, but it is essentially possible for Tomcat to
work with this.
Two questions that remain for the future:
* How to disable or bypass the Windows Security dialog? Is it possible to
  disable it for specific Users/Services?
* Why, if I use keyStoreType="windows-my-localmachine" directly in <connector>,
  does it not find the certificate?
________________________________
From: Gavioto <[email protected]>
Sent: Tuesday, 25 June 2024 15:27
To: [email protected] <[email protected]>
Subject: RE: How to configure Tomcat with a Managed Service Account when using
LocalMachine certificates for TLS
- how are you starting Tomcat?
      Tomcat is starting as a service with "Domain\account1$" (Managed Service
      Account)
- is Tomcat installed as a Windows service?
      Yes
- which account is Tomcat running under?
      "Domain\account1$" (Managed Service Account). It is not a normal domain
      account used for the service. Secure group managed service accounts -
      Microsoft Entra | Microsoft
      Learn<https://learn.microsoft.com/en-us/entra/architecture/service-accounts-group-managed#assess-gmsa-security-posture>
Regarding the meaning of "user", I'm referring to the user who is running the
Tomcat Service. In this case, the Managed Service Account.
________________________________
From: Mark Thomas <[email protected]>
Sent: Tuesday, 25 June 2024 12:51
To: [email protected] <[email protected]>
Subject: Re: How to configure Tomcat with a Managed Service Account when using
LocalMachine certificates for TLS
A few questions:
- how are you starting Tomcat?
- is Tomcat installed as a Windows service?
- which account is Tomcat running under?
There are a few references to "user" in your question. It is not clear
if this is:
- the user administering a Tomcat service
- a user that is starting Tomcat from the command line
- the user that the Tomcat service is running as
- something else
Mark
On 25/06/2024 11:30, Alberto Corral wrote:
> Hello!
>
> After some research, docs, and tests, I didn't find an answer to my issue.
>
> I'm writing to the list because I have to configure a probably not very
> common Tomcat configuration and didn't find the correct configuration or
> whether it is possible to do it.
> Also I didn't find previous information or examples on the internet or the wiki.
>
> There is a similar question in Server Fault
> https://serverfault.com/questions/1161457/can-i-use-certificates-in-the-local-machine-from-a-managed-service-account,
> but not solved yet.
>
> The configuration has also been involved with a recent JDK bug-fix (of a
> 10-year-old bug), but this part is fixed using the latest available JDK versions.
> So I think it would be valuable to document a Use Case based on real
> experience that can be both tested in future versions and useful for
> future users, available in the wiki or official docs :-)
>
> Maybe what I'm trying to do is not really possible, but I need to know whether
> this is a Tomcat limitation or a Windows one.
>
> My actual configuration
>
> Server version name: Apache Tomcat/9.0.65
> Server version number: 9.0.65.0
> Server built: Jul 14 2022 12:28:53 UTC
> Architecture: amd64
> OS Version: 10.0
> OS Name: Windows Server 2019
> JVM Vendor: Eclipse Adoptium
> JVM Version: 11.0.23+9
> Java Home:
> C:\OpenJDK11U-jdk_x64_windows_hotspot_11.0.23_9\jdk-11.0.23+9
>
> Actual secure configuration used:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> server="Unknown"
> maxThreads="150" scheme="https" secure="true"
> enableLookups="true"
> KeystoreType="Windows-MY-LOCALMACHINE"
> clientAuth="false" sslProtocol="TLS"
> KeystoreFile=""
> KeyAlias="tomcat" />
>
>
> Configuration:
> - The certificate is in the LOCALMACHINE Windows Storage and allows read
> access to the user "account1$", which is an AD Managed Service Account.
>
> Facts:
> - If the user has read access but is not a local admin, then the previous stack
> trace is generated.
> - If I give local Admin rights to the service account, it seems it can access
> the Certificate Storage; otherwise, the previous Stack Trace is generated.
> - Unless I give local Admin rights, Apache opens port 8443 but doesn't
> respond to requests on 8443 when testing, and no error appears in the logs.
>
> The question is "How to configure Tomcat with a Managed Service
> Account when using LocalMachine certificates for TLS".
>
> Notes:
> - JDK 11.0.20+ is required due to a well-known bug that has been backported from
> JDK 21: [JDK-6782021] It is not possible to read local computer certificates
> with the SunMSCAPI provider - Java Bug System
> (openjdk.org<http://openjdk.org/>)
> (https://bugs.openjdk.org/browse/JDK-6782021) and [JDK-8303520] It is not
> possible to read local computer certificates with the SunMSCAPI provider -
> Java Bug System (openjdk.org<http://openjdk.org/>)
> (https://bugs.openjdk.org/browse/JDK-8303520)
>
> The following program can help to check different configurations, and it works
> when the certificate has read permission for the user who is running it.
>
> // JDK8313367test.java - Simple test case to demonstrate OpenJDK defect JDK-8313367
> // References:
> // * https://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8313367
> // * https://stackoverflow.com/questions/75255985/java-keystore-type-windows-my-root-localmachine-requires-administrator-permissio
>
> /*
> Here is the command line to run the test using JDK 11.0.20+, 17.0.20+ or 20.0.2+
> java --add-modules=jdk.crypto.mscapi --add-exports=jdk.crypto.mscapi/sun.security.mscapi=ALL-UNNAMED JDK8313367test.java
> */
>
> import java.io.*;
> import java.security.KeyStore;
> import java.security.Security;
> import java.util.Enumeration;
> import sun.security.mscapi.SunMSCAPI;
>
> public class JDK8313367test {
>     public static void main(String[] args) {
>         try {
>             Security.addProvider(new SunMSCAPI());
>             KeyStore keyStore = KeyStore.getInstance("Windows-My-LOCALMACHINE");
>             // When running as non-elevated, the SunMSCAPI provider, enhanced with
>             // JDK-6782021, incorrectly triggers system error 5 "Access is denied"
>             // when attempting to load the keystore via the following method:
>             keyStore.load(null, null);
>             Enumeration<String> aliases = keyStore.aliases();
>             // Print Friendly Names, a.k.a. aliases, of each certificate in the keystore
>             while (aliases.hasMoreElements()) {
>                 System.out.println(aliases.nextElement());
>             }
>         } catch (Exception e) {
>             throw new RuntimeException(e);
>         }
>     }
> }
>
> Pending tests:
> - What I haven't tested, but is an idea to test, is to launch this code
> from Tomcat and validate whether it works (as far as I know, it isn't possible
> to run a CLI program using a Managed Service Account). If this test
> succeeds, it would mean the program flow on the Tomcat side is doing something
> different with ACLs or similar.
> Thank you in advance for your support.
> Please, send me back any question or clarification about the Use Case I could
> miss.
> /Gavioto
>
>
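The "pending test" above (running the keystore check inside Tomcat itself, under the Managed Service Account) can be done with a small diagnostic JSP. This is an added example, not code from the thread or from the Tomcat project; it assumes a Windows JDK whose default provider list already includes SunMSCAPI, so no --add-exports or explicit provider registration is needed, and it assumes the page is dropped into an existing webapp (e.g. webapps/ROOT/keystorecheck.jsp) and requested over the plain HTTP connector.

```jsp
<%@ page import="java.security.KeyStore, java.security.Key, java.util.Enumeration" %>
<%-- Added diagnostic page (assumption: deployed as webapps/ROOT/keystorecheck.jsp).
     Because the JSP runs inside the Tomcat service, the check is made with the
     service account's token, which is exactly what a CLI run cannot reproduce. --%>
<%
    // Same keystore type as the working server.xml in the thread.
    String type = "Windows-MY-LOCALMACHINE";
    // Alias to probe; "tomcat" matches certificateKeyAlias in the thread.
    String alias = request.getParameter("alias");
    if (alias == null || alias.isEmpty()) {
        alias = "tomcat";
    }
    response.setContentType("text/plain");
    out.println("Running as: " + System.getProperty("user.name"));
    try {
        KeyStore ks = KeyStore.getInstance(type);
        // This is the call that fails with "Access is denied" on an unfixed JDK
        // or when the service account lacks rights on the store.
        ks.load(null, null);
        out.println("Opened " + type + ", " + ks.size() + " entries");
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String a = aliases.nextElement();
            out.println("  " + a + (ks.isKeyEntry(a) ? " [key entry]" : " [certificate only]"));
        }
        // Seeing the certificate is not enough for TLS: Tomcat must be able to use
        // the private key. A missing private-key ACL for the service account shows
        // up here rather than in aliases().
        Key key = ks.getKey(alias, null);
        if (key == null) {
            out.println("No private key available for alias " + alias);
        } else {
            out.println("Private key for " + alias + " is usable (" + key.getAlgorithm() + ")");
        }
    } catch (Exception e) {
        // Compare with the stack trace in the catalina logs from the original report.
        out.println("FAILED: " + e);
    }
%>
```

Remove the page once the check is done; it reveals which certificates and keys the service account can reach, which has no business being reachable from a browser in normal operation.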