Code Comments
Hi All,

I have been trying to get 2-way SSL communication working in Tomcat for a few days now with no luck. Here is the nature of the problem: Tomcat uses Java keystores to hold its certs and keys. When I create a cert using the openssl tool (use CA.pl to create a CA and then a server cert signed by that CA), and import the cert into Tomcat's keystore, I get the following error:

<error snippet>
...
java.net.SocketException: SSL handshake error
javax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:154)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:557)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:534)
Aug 12, 2004 10:56:23 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
WARNING: Reinitializing ServerSocket
trustStore is: /opt/j2sdk1.4.2_05/jre/lib/security/cacerts
trustStore type is : jks
init truststore
...
</error snippet>

If I issue the following command with keytool to generate a test keystore:

keytool -genkey -dname "cn=localhost, ou=xxx, o=xxxx, c=US" -alias tomcat -keystore keystore -validity 360

I get a keystore that allows me to do the server side of SSL, but I cannot find a way to extract a p12 from this keystore so that I can then import the cert into a browser... I think this is probably not the way to go anyways, so... sorry for the long-winded post, but I would greatly appreciate any help on this!

Thanks in advance,
Sean
Did anyone get a solution to this problem? (a different sean)
Hi,

first: you must use the "selfcert" option (see the KeyTool reference guide at http://java.sun.com/j2se/1....32/keytool.html) when creating the CA key, which must be self-signed for Tomcat to work.

second: when an HTTPS GET/POST is done, Tomcat checks for the CA key/certificate in the Java keytool store (with the "tomcat" alias) and presents the certificate to the client; you must accept it to obtain an SSL session start (or import it first in the client, as you have done).

third: client authentication, which must be enabled in the Tomcat configuration, needs a valid X509 certificate on the client side that was signed with the CA certificate key that you have stored in the server; after the connection and SSL session have started, a "challenge" authentication between server and client takes place, and the server (Tomcat) checks the certificate received from the client against its CA cert.

so, you must create a valid X509 cert for the client and sign it with the CA certificate, then store it in the keystore.

for tools and examples:
http://www.bouncycastle.org/
http://www.openssl.org/

bye

P.S. sorry for my bad English...
I have been trying to do this as well. So far I've been partially successful. Here are my insights so far:

1. I started out using openssl to create my own CA root certificate (this is a self-signed certificate used to sign other server and user certificates).
2. I then created a server certificate for my Tomcat server. This consisted of creating a certificate request, and then signing that request to form a signed certificate.
3. I then created a Java keystore using keytool which will be used by Tomcat.
4. Imported the root certificate (of my CA) into that keystore (under the myca alias).
5. Then imported the new server certificate (signed by my CA) into the same keystore.
6. I then configured Tomcat to use that keystore (set keystoreFile=mykeystorefile, keystorePass=mypassword and keystoreType="JKS").
7. Installed the root certificate of my CA in my Firefox browser (just wanted to point out I'm using this great new browser!) and in my IE too, to make sure things work for others too.
8. Unfortunately, when I started Tomcat, I encountered the same error that was specified above ("No available certificate corresponds..."). Note that this does not happen because of the client - this occurs right on Tomcat startup! Which means it fails to understand our certificates for some reason.
9. Now this is when things get tricky, I noticed...
10. I noticed that Tomcat also supports the PKCS12 format for the keystore, so I converted my server certificate to PKCS12 format (using the openssl pkcs12 command). Made sure the "-chain" option is specified (Tomcat caused me trouble when it was missing).
11. Started Tomcat and voilà!
12. Pointed my browser to my Tomcat URL and things actually worked! (works in IE too...)
13. I'm now working on the two-way authentication (so that the server will recognize the client) and will post more when that is successful (right now I'm downright pessimistic due to the complexity of this stuff [at least for security newcomers like me ;-)])

Cheers,
Arik.
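The procedure the thread converges on, written out as one script: an openssl-made CA, a server certificate signed by it and packaged as PKCS12 with "-chain" for Tomcat (Arik's steps 1, 2 and 10), and, for the two-way part the second reply describes, a client certificate signed by the same CA and exported as a .p12 the browser can import (the file Sean could not get out of his JKS). This is an added example, not code from any poster; the working directory, subject names, aliases and the password "changeit" are constructed, and only openssl is needed (the keytool command appears as a comment). It also accounts for the error both Seans and Arik hit: "keytool -import" of a .crt file stores a trusted-certificate entry with no private key, so the JKS holds nothing the server can present and JSSE reports "No available certificate corresponds to the SSL cipher suites which are enabled"; the PKCS12 export carries key and certificate together.

```shell
#!/bin/sh
# Added example (not from the thread): private CA, server and client certs
# signed by it, and PKCS12 bundles for Tomcat and the browser, openssl only.
# WORK, the subject names, the aliases and the password are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"      # demo password; Tomcat's keystorePass must match it

# Minimal openssl config so the script behaves the same on every OpenSSL
# build (no dependence on the system openssl.cnf and its default sections).
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Self-signed CA: the one root that signs both the server and client certs.
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca/O=example/C=US" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Leaf cert: CSR, then sign it with the CA key. Extensions pin the cert
#    to one use; a server cert also carries the host name the browser checks.
#    $1 = file stem, $2 = CN, $3 = serverAuth | clientAuth
make_leaf() {
  name="$1"; cn="$2"; eku="$3"
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$cn/O=example/C=US" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=$eku"
  } > "$WORK/$name.ext"
  if [ "$eku" = serverAuth ]; then
    echo "subjectAltName=DNS:$cn" >> "$WORK/$name.ext"
  fi
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# 3. PKCS12 = private key + cert + CA chain in one file. "-chain" (with
#    -CAfile) is the option the thread found Tomcat needs. The key travels
#    with the cert, which "keytool -import" of a .crt file never does.
make_p12() {
  name="$1"; label="$2"
  openssl pkcs12 -export -name "$label" \
    -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -chain -CAfile "$WORK/ca.crt" \
    -passout "pass:$PASS" -out "$WORK/$name.p12"
}

# Check: the leaf chains to our CA (what Tomcat and the browser verify).
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null
}

# Check: number of certificates inside a .p12 (2 = leaf + CA; 1 = no chain).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

build_all() {
  make_ca
  make_leaf server localhost serverAuth
  make_leaf client alice clientAuth
  make_p12 server tomcat   # "tomcat" is the alias the thread's keystores use
  make_p12 client alice    # the file the browser imports for two-way SSL
  verify_leaf server
  verify_leaf client
  echo "server.p12 carries $(p12_cert_count server) certificates (expect 2)"
  # Trust store for clientAuth: the CA cert alone, in JKS via keytool:
  #   keytool -import -trustcacerts -alias demo-ca -file "$WORK/ca.crt" \
  #     -keystore "$WORK/truststore.jks" -storepass "$PASS"
  echo "artifacts in $WORK"
}

build_all
```

On the Tomcat side, point the connector at server.p12 with keystoreType="PKCS12" and keystorePass matching PASS; for two-way SSL set clientAuth="true" and give the server a trust store that contains only ca.crt (the truststoreFile/truststorePass connector attributes where the Tomcat version has them, otherwise the javax.net.ssl.trustStore JVM system properties; the default is the JRE cacerts file that Sean's log shows). Keeping the trust store separate from the keystore means the server presents one identity and trusts exactly one issuer for client certificates. Two caveats: OpenSSL 3 writes .p12 files with AES-based encryption that very old JDKs cannot read, and its "-legacy" option produces the older encoding if that bites; and on JDK 6 or later the p12 Sean wanted can also be pulled straight out of a JKS with "keytool -importkeystore -srcstoretype JKS -deststoretype PKCS12", which the keytool of the thread's era lacked.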