I changed server.xml to:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" 
               scheme="https" 
               secure="true"
               clientAuth="true" 
               keystoreFile="/server.ks" 
               keystorePass="MC126801$"
               keystoreType="JKS"
               keyAlias="tomcat"
               truststoreFile="/server.ks"
               truststorePass="MC126801$"
               truststoreType="JKS"
               sslProtocol="TLS" />

and now it works with all clients: Firefox, openssl s_client, and the PHP client.
Thanks for all your help, it's much appreciated :)

________________________________________
From: users-return-214184-racarlson=mediacomcc....@tomcat.apache.org 
[users-return-214184-racarlson=mediacomcc....@tomcat.apache.org] On Behalf Of 
Christopher Schultz [ch...@christopherschultz.net]
Sent: Wednesday, June 30, 2010 9:40 PM
To: Tomcat Users List
Subject: Re: need help setting up tomcat with ssl client authentication


Ralph,

On 6/30/2010 5:07 PM, Ralph Carlson wrote:
> (d) have client Authorization on - with it off tomcat ssl works just fine,
> when it's turned on I get this error
> so far I have been following the steps listed in this tomcat user group 
> message
> http://marc.info/?l=tomcat-user&m=106293430225790&w=2

Try something a bit more recent than 2003. I was able to get client
certs working with my own CA, and I was manually checking the client
cert instead of having Tomcat do it. However, if your code can do it, so
can Tomcat.

Try reading through this thread:
http://markmail.org/message/kzxsamuiu6bldjmv

>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="true"
>                keystoreFile="/server.ks"
>                keystorePass="[...]"
>                sslProtocol="TLS" />

I think you also need a truststoreFile and friends. Try re-reading the
<Connector> documentation at
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html specifically
looking for "client cert".

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
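As an added example (not from the thread or from Tomcat itself), a small lint that applies Chris's point to a server.xml: a TLS connector with clientAuth="true" (or "want") also needs a truststoreFile holding the CA that issued the client certificates. The two fragments are constructed from the configurations posted above, with the passwords replaced by placeholders; the function name lint_connectors is mine.

```python
# Added example (not from the thread): lint Tomcat <Connector> elements for the
# trust-store settings that TLS client authentication needs.
import xml.etree.ElementTree as ET

# Constructed server.xml fragments modelled on the two configs in the thread:
# the original without a truststore, and the one that finally worked.
ORIGINAL_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" clientAuth="true"
             keystoreFile="/server.ks" keystorePass="[...]" sslProtocol="TLS" />
</Service></Server>"""

FIXED_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true" clientAuth="true"
             keystoreFile="/server.ks" keystorePass="[...]" keystoreType="JKS"
             keyAlias="tomcat" truststoreFile="/server.ks"
             truststorePass="[...]" truststoreType="JKS" sslProtocol="TLS" />
</Service></Server>"""

def lint_connectors(server_xml):
    """Return (port, level, message) for each TLS connector: "error" when
    client-cert auth cannot validate against the CA you intend, "note" for
    a setting worth a second look."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: nothing to check
        port = conn.get("port", "?")
        client_auth = conn.get("clientAuth", "false").lower()
        if client_auth not in ("true", "want"):
            continue  # server-only TLS needs no truststore
        truststore = conn.get("truststoreFile")
        if not truststore:
            findings.append((port, "error", "clientAuth=%s but no truststoreFile; "
                             "Tomcat falls back to the javax.net.ssl.trustStore "
                             "system property instead of your CA" % client_auth))
        elif truststore == conn.get("keystoreFile"):
            findings.append((port, "note", "truststoreFile is the server keystore, "
                             "so the certificates it holds become the trust "
                             "anchors for client certificates"))
    return findings

if __name__ == "__main__":
    for name, doc in (("original", ORIGINAL_XML), ("fixed", FIXED_XML)):
        print(name, lint_connectors(doc))
```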