Thread: Tomcat client side authentication.

Sean

2004-08-13, 3:59 pm

Hi All,

I have been trying to get 2-way SSL communication working in Tomcat
for a few days now with no luck. Here is the nature of the problem:

Tomcat uses Java keystores to hold its certs and keys. When I create a
cert using the openssl tool (use CA.pl to create a CA and then a server
cert signed by that CA) and import the cert into Tomcat's keystore, I
get the following error:

<error snippet>
....
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate corresponds
to the SSL cipher suites which are enabled.
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:154)
at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:557)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:534)
Aug 12, 2004 10:56:23 PM org.apache.tomcat.util.net.PoolTcpEndpoint
acceptSocket
WARNING: Reinitializing ServerSocket
trustStore is: /opt/j2sdk1.4.2_05/jre/lib/security/cacerts
trustStore type is : jks
init truststore
....
</error snippet>

If I issue the following command with keytool to generate a test
keystore:

keytool -genkey -dname "cn=localhost, ou=xxx, o=xxxx, c=US" -alias tomcat -keystore keystore -validity 360

I get a keystore that allows me to do the server side of SSL, but I
cannot find a way to extract a p12 from this keystore so that I can
then import the cert into a browser... I think this is probably not the
way to go anyway, so... sorry for the long-winded post, but I would
greatly appreciate any help on this!

Thanks in advance,
Sean

sean_scullion

2004-09-13, 12:54 pm

Did anyone get a solution to this problem?

(a different sean)

rodry

2004-09-18, 3:34 am

Hi,

first:
you must use the "selfcert" option (see the keytool reference guide at http://java.sun.com/j2se/1.3/docs/t...32/keytool.html) when creating the CA key, which must be self-signed for Tomcat to work

second: when an HTTPS GET/POST is done, Tomcat checks for the CA key/certificate in the Java keytool store (with the "tomcat" alias) and presents the certificate to the client; you must accept it to get an SSL session started (or import it first in the client, as you have done)

third: client authentication, which must be enabled in the Tomcat configuration, needs a valid X509 certificate on the client side that was signed with the CA certificate key you have stored on the server; after the connection and SSL session have started, a "challenge" server-client authentication takes place, and the server (Tomcat) checks the certificate received from the client against its CA cert.

so, you must create a valid X509 cert for the client and sign it with the CA certificate, then store it in the keystore

for tools and examples:
http://www.bouncycastle.org/
http://www.openssl.org/

bye

P.S. sorry for my bad english...

arikkfir

2004-10-04, 9:50 am

I have been trying to do this as well. So far I've been partially successful. Here are my insights so far:

1. I started out using openssl to create my own CA root certificate (this is a self-signed certificate used to sign other server and user certificates).
2. I then created a server certificate for my Tomcat server. This consisted of creating a certificate request, and then signing that request to form a signed certificate.
3. I then created a Java keystore using keytool, which will be used by Tomcat.
4. Imported the root certificate (of my CA) into that keystore (under the myca alias).
5. Then imported the new server certificate (signed by my CA) into the same keystore.
6. I then configured Tomcat to use that keystore (set keystoreFile=mykeystorefile, keystorePass=mypassword and keystoreType="JKS").
7. Installed the root certificate of my CA in my Firefox browser (just wanted to point out I'm using this great new browser!) and in my IE too, to make sure things work for others too.
8. Unfortunately, when I started Tomcat, I encountered the same error that was specified above ("No available certificate corresponds..."). Note that this does not happen because of the client - this occurs right on Tomcat startup, which means it fails to understand our certificates for some reason.
9. Now this is when things get tricky, I noticed...
10. I noticed that Tomcat also supports the PKCS12 format for the keystore, so I converted my server certificate to PKCS12 format (using the openssl pkcs12 command). Made sure the "-chain" option is specified (Tomcat caused me trouble when it was missing).
11. Started Tomcat and voila!
12. Pointed my browser to my Tomcat URL and things actually worked! (works in IE too...)
13. I'm now working on the two-way authentication (so that the server will recognize the client) and will post more when that is successful (right now I'm downright pessimistic due to the complexity of this stuff [at least for security newcomers like me ;-)])

Cheers,
Arik.
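The two findings in this thread fit together. JSSE reports "No available certificate corresponds to the SSL cipher suites which are enabled" when the key store holds no private-key entry it can serve with, and importing a certificate file with keytool -import creates exactly that: a trusted-certificate entry with no key behind it. The PKCS12 file Arik built with "openssl pkcs12 -export -chain" carries the private key together with the certificate chain, which is why it worked where the JKS import did not. The script below is an added example, not code from this thread or from the Tomcat project. It builds the CA, server and client certificates with openssl alone, exports the server and client PKCS12 bundles, also produces the certificate-only bundle that a bare certificate import amounts to, and checks which of them Tomcat could actually serve from. The file names, subjects and the pass phrase "changeit" are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat: the PKI the posts
# describe, built with openssl alone and exported as the PKCS12 bundle that
# Tomcat accepts (keystoreType="PKCS12"), plus checks for the two pitfalls the
# thread hits: a keystore entry with a certificate but no private key, and a
# bundle exported without its CA chain. File names, subjects and the pass
# phrase are constructed for this example.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="changeit"            # constructed pass phrase for the example files

# Minimal req config so the CA certificate is marked CA:TRUE no matter what
# the system openssl.cnf says; leaf certificates get their extensions below.
cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. Self-signed CA key and certificate (what "CA.pl -newca" sets up).
make_ca() {
    openssl req -x509 -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 365 -subj "/CN=Example Test CA/O=example/C=US" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Key + CSR for an end entity, then sign the CSR with the CA.
#    $1 = file base name, $2 = subject CN, $3 = serverAuth or clientAuth,
#    $4 = optional extra extension line (for example a subjectAltName)
issue_cert() {
    name="$1"
    {
        printf 'basicConstraints=CA:FALSE\n'
        printf 'keyUsage=digitalSignature,keyEncipherment\n'
        printf 'extendedKeyUsage=%s\n' "$3"
        if [ -n "$4" ]; then printf '%s\n' "$4"; fi
    } > "$WORKDIR/$name.ext"
    openssl req -new -config "$WORKDIR/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -subj "/CN=$2/O=example/C=US" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# 3. PKCS12 bundle: private key, leaf certificate and, thanks to -chain, the
#    issuing CA certificate looked up in -CAfile. server.p12 is the file
#    Tomcat's keystoreFile points at; client.p12 is what a browser imports.
export_p12() {
    openssl pkcs12 -export -chain -CAfile "$WORKDIR/ca.crt" \
        -inkey "$WORKDIR/$1.key" -in "$WORKDIR/$1.crt" \
        -name "$1" -out "$WORKDIR/$1.p12" -passout "pass:$P12_PASS"
}

# The certificate-only bundle that importing just a certificate amounts to
# (a trusted-certificate entry with no private key behind it).
export_cert_only_p12() {
    openssl pkcs12 -export -nokeys -in "$WORKDIR/$1.crt" \
        -out "$WORKDIR/$1-certonly.p12" -passout "pass:$P12_PASS"
}

# Dump a bundle and count the private keys / certificates inside it.
p12_dump() { openssl pkcs12 -in "$WORKDIR/$1.p12" -nodes -passin "pass:$P12_PASS" 2>/dev/null; }
p12_key_count()  { p12_dump "$1" | grep -c 'BEGIN.*PRIVATE KEY' || true; }
p12_cert_count() { p12_dump "$1" | grep -c 'BEGIN CERTIFICATE' || true; }

# Can JSSE serve TLS from this bundle? It needs a private key with its
# certificate, and the entry should carry the CA chain too. A key-less entry
# is what yields "No available certificate corresponds to the SSL cipher suites".
p12_usable_for_tomcat() {
    [ "$(p12_key_count "$1")" -eq 1 ] && [ "$(p12_cert_count "$1")" -ge 2 ]
}

# Does a certificate chain back to our CA? This is the check Tomcat performs
# on the client certificate once clientAuth="true" is set.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

make_ca
issue_cert server localhost serverAuth "subjectAltName=DNS:localhost"
issue_cert client "Test User" clientAuth ""
export_p12 server
export_p12 client
export_cert_only_p12 server
echo "server.p12, client.p12 and server-certonly.p12 written to $WORKDIR"
```

Point the connector's keystoreFile at server.p12 with keystoreType="PKCS12" and keystorePass set to the export pass phrase, add clientAuth="true" for the two-way handshake, and make sure ca.crt is present in the trust store JSSE consults (Sean's log shows it defaulting to the JRE's cacerts file). client.p12 is the browser-importable file Sean could not get out of keytool. Once the connector is up, `openssl s_client -connect localhost:8443 -cert client.crt -key client.key -CAfile ca.crt` exercises the client-certificate handshake from the command line, and p12_usable_for_tomcat run against server-certonly.p12 shows the shape of keystore that triggers the startup error in the first post.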
Copyright 2008 codecomments.com