Hi Angel, I encountered the same problem as you with Tomcat 5.5.27, so I upgraded to latest Tomcat to get rid of the certification error.
https://issues.apache.org/bugzilla/show_bug.cgi?id=37869 is the bug report on the certification error. Thank you.

On 17 January 2011 22:14, amcereijo cereijo <amcere...@gmail.com> wrote:
> Hi,
>
> I'm trying to configure Tomcat for mutual authentication of server and client using certificates.
>
> I have Tomcat 5.5.26 and a Java web application (web service) under JVM 1.5.
>
> I did the following:
>
> I generated two certificates with keytool, one for the client and the other for the server.
>
> I created a cacerts for the server by importing the client certificate, and one for the client by importing the server certificate.
>
> In my web application (web service), I configure the web.xml like this:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>webservice</web-resource-name>
>       <url-pattern>/webservice</url-pattern>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>
>     <auth-constraint>
>       <role-name>webservice</role-name>
>     </auth-constraint>
>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
>   <login-config>
>     <!-- auth-method>BASIC</auth-method -->
>     <auth-method>CLIENT-CERT</auth-method>
>     <realm-name>webservice</realm-name>
>   </login-config>
>
>   <security-role>
>     <role-name>webservice</role-name>
>   </security-role>
>
> I configure the server.xml by adding:
>
>   <Connector port="8443" maxHttpHeaderSize="8192"
>              protocol="HTTP/1.1"
>              SSLEnabled="true"
>              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>              enableLookups="false" disableUploadTimeout="true"
>              acceptCount="100" scheme="https" secure="true"
>              clientAuth="true" sslProtocol="TLS"
>              keystoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatserver.keystore"
>              keystorePass="tomcat"
>              keyAlias="tomcatcertlocalhost"
>              keypass="tomcat"
>              truststoreFile="C:\Archivos de programa\Apache Software Foundation\Tomcat 5.5\conf\tomcatservercacerts.keystore"
>              truststorePass="tomcat"
>   />
>
> I add the following in tomcat-users.xml:
>
>   <role rolename="webservice"/>
>   <user username="CN=client, OU=client, O=client, L=Madrid, ST=Madrid, C=ES" password="null" roles="webservice"/>
>
> When I execute my client to call the web service, I set the properties:
>
>   System.setProperty("javax.net.ssl.trustStore", "C:/Program Files/Apache Software Foundation/Tomcat 5.5/conf/truststore.keystore");
>   System.setProperty("javax.net.ssl.trustStorePassword", "tomcat");
>
>   System.setProperty("javax.net.ssl.keyStore", "C:/OpenSSL-Win32/bin/ssl/client/client1.p12");
>   System.setProperty("javax.net.ssl.keyStorePassword", "tomcat");
>   System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
>
> In the server logs I get the error:
>
>   17-ene-2011 13:20:34 org.apache.coyote.http11.Http11Processor action
>   ADVERTENCIA: Exception getting SSL attributes
>   javax.net.ssl.SSLHandshakeException: null cert chain
>           at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
>           at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
>           at java.io.InputStream.read(Unknown Source)
>           at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88)
>           at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
>           at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121)
>           at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1131)
>           at org.apache.coyote.Request.action(Request.java:349)
>           at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138)
>           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
>           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
>           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
>           at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
>           at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
>           at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
>           at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
>           at java.lang.Thread.run(Unknown Source)
>
> I have also tried different configurations and I never get a good result. Only with user and password do I get a successful result (using BASIC authentication instead of CLIENT-CERT).
>
> Thanks, regards. Ángel.
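An added diagnostic client for the CLIENT-CERT setup quoted above (not code from the thread or from Tomcat): it builds the PKCS12 keystore and JKS truststore into an SSLContext explicitly instead of via system properties, and wraps the JSSE key manager so the handshake prints which issuers the server accepts and which client alias, if any, gets selected. File names, the password and the URL are assumptions standing in for the stores named in the thread.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.net.URL;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

// Wraps the JSSE key manager so the handshake shows which client alias it selects.
class LoggingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // 'issuers' is the CA list from the server's CertificateRequest (built from its truststoreFile).
        System.out.println("Server accepts issuers: " + Arrays.toString(issuers));
        String alias = delegate.chooseClientAlias(keyType, issuers, socket);
        // null means no key entry of a matching key type chains to an accepted issuer: the client
        // then sends an empty certificate chain, which Tomcat logs as "null cert chain".
        System.out.println("Chosen client alias: " + alias);
        return alias;
    }
    public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}

public class MutualTlsClientCheck {
    public static void main(String[] args) throws Exception {
        // File names, password and URL are placeholders (assumed) for the stores named in the thread.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream("client1.p12"), "tomcat".toCharArray());
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, "tomcat".toCharArray());
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new FileInputStream("truststore.keystore"), "tomcat".toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/webservice").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

If the printed alias is null, the fix is on the trust side: the client certificate's issuer (the certificate itself, when self-signed) must be present in the server's truststoreFile, since that is what the server advertises as acceptable. A non-null alias with a 401 or 403 afterwards points instead at the tomcat-users.xml username not matching the subject DN exactly as Tomcat renders it.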