Timothy
> On 09.01.2025 at 17:15, Timothy Resh <[email protected]> wrote:
>
> The following is a configuration that we have used to set up the Client
> Authorization to work in Tomcat. We use the IntrospectionUtils.PropertySource
> to decipher the password and set the following environment variables:
>
> System.setProperty("javax.net.ssl.keyStore", keyStorePath);
> System.setProperty("javax.net.ssl.keyStorePassword", clearText);
> System.setProperty("javax.net.ssl.trustStore", trustStorePath);
> System.setProperty("javax.net.ssl.trustStorePassword", clearText);
>
> and then we use this connector configuration.
>
> <Connector URIEncoding="UTF-8"
>            port="8443"
>            address="10.2.110.235"
>            maxThreads="300"
>            maxConnections="300"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            scheme="https" secure="true" SSLEnabled="true"
>            SSLProtocol="TLSv1.2"
>            SSLCipherSuite="-ALL ..... this has all the ciphers"
>            SSLPassword="${KSENC(6qXemkaMkIOCflnMN4pErQ==; C:\Certificate\Keystore\Tomcat xxx Vessel.p12)}"
>            SSLCertificateChainFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxx.com.cer"
>            SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.xxx.com.cer"
>            SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3.xxx.com.key"
>            SSLVerifyClient="optional"
>            SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
>            SSLCACertificatePath="C:\Certificates\CA\"
> />
>
I'm not sure that all these parameters are available.
Which version of Tomcat do you use?
I switched to the new config with SSLHostConfig a long time ago.
I also use client auth, and this works:
<SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
               hostName="tomcat.xxxx.xxx"
               protocols="+TLSv1.2,+TLSv1.3"
               certificateVerification="required"
               caCertificateFile="${catalina.base}/conf/ssl/chain.xxx.crt.pem"
               disableCompression="true"
               disableSessionTickets="true"
               ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
               certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
    <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
                 certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
                 certificateChainFile="${catalina.base}/conf/ssl/int.xxx.crt.pem"
                 type="RSA" />
</SSLHostConfig>
I guess the most significant config is caCertificateFile, which contains the
complete chain (Intermediates before ROOT). I do use PEM certificate files, but
in another connector I also use jks/p12 - yet without client auth.
HTH
Peter
> The last two settings SSLCACertificateFile and SSLCACertificatePath appear
> to not work. We have a Certificate "DODxxx" intermediate in the
> SSLCACertificatePath directory and it does not present itself to the client.
> We have also tried putting it in the SSLCACertificateFile and that does not
> work either.
> The only way to get it to work is to put it in the TrustStore/Keystore.
>
> Did this type of configuration work on Tomcat? What changes do you suggest
> to get this to work with at least an external "intermediate.ca" file with
> all the "DODxxx" intermediates concatenated in the file.
>
>
> Regards
>
> Timothy Resh
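Added example, not code from either poster or from the Tomcat project: a standard-library Python script that takes a concatenated intermediate/root file like the "intermediate.ca" Timothy describes, orders it the way Peter's reply says the caCertificateFile should be ordered (intermediates before root), refuses a bundle in which some certificate's issuer is missing, and lists the subject CNs so the result can be compared with the "Acceptable client certificate CA names" block that `openssl s_client -connect host:8443` prints during the handshake. The CA names ("DODxxx ROOT", "DODxxx INT-A", "DODxxx INT-B") and the fixture certificates built at the bottom are constructed placeholders; the parser itself reads real DER X.509 and can be pointed at the actual DoD intermediates.

```python
"""Order a PEM CA bundle for Tomcat's caCertificateFile: intermediates first,
root last. Standard library only; parses just enough X.509 DER (issuer,
subject, CN) to link the chain. Added example, not code from the thread."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x06\x03\x55\x04\x03"  # id-at-commonName (2.5.4.3) as an encoded OID TLV

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed value into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        out.append((tag, child))
    return out

def cert_names(der):
    """Return (issuer, subject) as raw DER Name contents of an X.509 certificate."""
    _, cert, _ = der_tlv(der)             # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = der_tlv(cert)             # tbsCertificate is the first child
    fields = der_children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0  # skip the optional explicit [0] version
    # fields[i:] = serialNumber, signature, issuer, validity, subject, ...
    return fields[i + 2][1], fields[i + 4][1]

def common_name(name_der):
    """CN of a DER Name: SEQUENCE OF (SET OF SEQUENCE { OID, value })."""
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            if atv.startswith(OID_CN):
                _, value, _ = der_tlv(atv, len(OID_CN))
                return value.decode("utf-8", "replace")
    return "<no CN>"

def split_pem(bundle):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(bundle)]

def to_pem(certs):
    """Re-encode DER certificates as a PEM bundle for caCertificateFile."""
    return b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(c)
                    + b"-----END CERTIFICATE-----\n" for c in certs)

def order_ca_bundle(bundle):
    """Return the DER certs ordered deepest intermediate first, self-issued
    root(s) last; ValueError if some certificate does not chain to a root."""
    certs = split_pem(bundle)
    names = [cert_names(c) for c in certs]
    by_subject = {subject: idx for idx, (_, subject) in enumerate(names)}

    def depth(idx, seen=()):
        issuer, subject = names[idx]
        if issuer == subject:             # self-issued: a root, depth 0
            return 0
        if issuer not in by_subject or idx in seen:
            raise ValueError(f"{common_name(subject)!r} does not chain to a root in the bundle")
        return 1 + depth(by_subject[issuer], seen + (idx,))

    # sorted() is stable, so certificates at equal depth keep their file order
    return [certs[i] for i in sorted(range(len(certs)), key=depth, reverse=True)]

def ca_names(bundle):
    """Subject CNs in bundle order, to compare with the 'Acceptable client
    certificate CA names' block that `openssl s_client` prints."""
    return [common_name(cert_names(c)[1]) for c in split_pem(bundle)]

# --- constructed fixture, not real certificates: a DER Certificate skeleton with
# the fields the parser reads and an empty signature. Use the real DODxxx files. ---
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert_pem(subject_cn, issuer_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, OID_CN + _der(0x0C, cn.encode()))))
    alg = _der(0x30, b"\x06\x03\x2a\x03\x04")  # placeholder AlgorithmIdentifier
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    return to_pem([_der(0x30, tbs + alg + _der(0x03, b"\x00"))])

if __name__ == "__main__":
    # deliberately mis-ordered input: root first, then the deepest intermediate
    shuffled = (fake_cert_pem("DODxxx ROOT", "DODxxx ROOT")
                + fake_cert_pem("DODxxx INT-B", "DODxxx INT-A")
                + fake_cert_pem("DODxxx INT-A", "DODxxx ROOT"))
    print(ca_names(to_pem(order_ca_bundle(shuffled))))
    # -> ['DODxxx INT-B', 'DODxxx INT-A', 'DODxxx ROOT']
```

Run it on the real files by replacing `shuffled` with the bytes of the concatenated intermediate file plus the root, and write `to_pem(order_ca_bundle(...))` to the path given in caCertificateFile; a ValueError means an intermediate's issuer is not in the file, which is the first thing to rule out when the client never sees the expected CA in the handshake.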