Tomcat SSL, how to set up with clientAuth="true".
- From: frankpeng (at) netscape.net
- Date: Thu, 15 Jun 2006 22:24:36 -0400
Hi, List!
I have set up an SSL connection from my Tomcat 5.5.17 to a database using SSL.
In my CATALINA_OPTS, there are some parameters to define where the store files are. It is like this:
-Djavax.net.ssl.keyStore=<the keystore file>
-Djavax.net.ssl.keyStorePassword=<the password>
The JDBC driver works fine with the database in SSL.
Also I have set up a one-way HTTPS. So I have another keystore file in /tomcat/conf/server-keystore2.jks
In my server.xml I set it up like this:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="d:\tomcat\conf\server-keystore2.jks"
keystorePass="changeit"
URIEncoding="utf-8" />
It worked when I hit https://breakevilaxis.org.
Then I finished all the steps given by marc in the following link without any error message:
http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2
Now the server.xml is like this:
<!-- clientAuth="true" makes every HTTPS client present a certificate that chains to a CA
     in truststoreFile; the handshake is aborted otherwise. The server's own certificate
     still comes from keystoreFile, as in the one-way configuration above. -->
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
truststoreFile="d:\tomcat\conf\truststore-itcilo.jks"
truststorePass="changeit"
keystoreFile="d:\tomcat\conf\server-keystore2.jks"
keystorePass="changeit"
URIEncoding="utf-8" />
Also I made an entry in the tomcat-user.xml:
<user username="Frank Peng" password="tomcat" roles="tomcat"/>
This is the Common Name I used when I created the client's certificate with openssl.
When I import the santiago.p12 file into both IE and Netscape, both say it was successful.
But in IE, the Certificate Information says, "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered."
I also followed step 4 and deleted the TRUSTED word, saved ca.pem as ca.crt and imported it into the browser's root certificate authorities. There is nothing wrong with this.
Now, when I hit https://breakevilaxis.org, it comes up with the regular blank page:
"The page cannot be displayed"
On Netscape, it says the connection was refused.
When I was creating the santiago.p12 file, I was asked to type an export password. I used this password when I imported the p12 file into Netscape. But I was not asked for this password when I imported this p12 into IE. But both IE and Netscape cannot reach the web site.
Locally, when I created the Tomcat server keystore, I used 192.168.0.90, which is the server I am running, as the CN and OU. Then on another computer I typed https://192.168.0.90, and it won't work. It works with http://192.168.0.90. Somebody said the CN and OU must match the domain name you type after the https. But it still did not work.
Please help to figure out what is wrong.
Frank Peng.
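Added example (mine, not Frank's and not the steps from the linked tomcat-user thread): the openssl/keytool work behind the clientAuth="true" Connector quoted above, followed by a mutual-TLS handshake check that needs nothing but openssl. It assumes openssl 1.1.1 or later on PATH and, optionally, a JDK for keytool; it reuses the names from the post (192.168.0.90, "Frank Peng", santiago.p12, changeit) and adds hypothetical ones ("Example Lab CA", port 18443, a temporary working directory). It does not touch server.xml; it only produces the files that keystoreFile/truststoreFile and the browser import need.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes: openssl >= 1.1.1 on PATH;
# keytool (JDK) optional. Names from the post: 192.168.0.90, "Frank Peng",
# santiago.p12, changeit. Hypothetical: "Example Lab CA", port 18443, $WORK.
set -u

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-18443}"

# Build the PKI the clientAuth="true" Connector needs. Runs in a subshell so the cd
# does not leak; a failing step exits the subshell, i.e. the function returns non-zero.
make_pki() (
  cd "$WORK" || exit 1
  # 1. Private CA: signs the server cert and every client cert; this is what goes
  #    into truststoreFile and into the browser's root authorities.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Lab CA" \
    -keyout ca.key -out ca.pem 2>/dev/null || exit 1
  # 2. Server cert: CN and a SAN equal to what is typed after https://.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=192.168.0.90" \
    -keyout server.key -out server.csr 2>/dev/null || exit 1
  printf 'subjectAltName=IP:192.168.0.90\nextendedKeyUsage=serverAuth\n' > server.ext
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile server.ext -out server.pem 2>/dev/null || exit 1
  # 3. Client cert: its CN is the username Tomcat looks up in tomcat-users.xml.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Frank Peng" \
    -keyout client.key -out client.csr 2>/dev/null || exit 1
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile client.ext -out client.pem 2>/dev/null || exit 1
  # 4. PKCS#12 for the browser; the export password is what the browser prompts for.
  openssl pkcs12 -export -in client.pem -inkey client.key -certfile ca.pem \
    -name "Frank Peng" -passout pass:changeit -out santiago.p12 2>/dev/null || exit 1
  # 5. JKS truststore holding only the CA cert (what truststoreFile points at).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -trustcacerts -alias labca -file ca.pem \
      -keystore truststore.jks -storepass changeit >/dev/null 2>&1 || exit 1
  fi
)

# The check Tomcat performs against truststoreFile when the browser presents client.pem.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# The subject Tomcat sees; its CN has to match a <user username="..."> entry.
client_subject() {
  openssl x509 -in "$WORK/client.pem" -noout -subject -nameopt RFC2253
}

# Name checks a browser performs on the server cert: the address in the cert passes,
# a DNS name that is neither the CN nor a SAN fails (the "CN must match" point).
server_matches_ip() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" "$WORK/server.pem" >/dev/null 2>&1
}
server_matches_host() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Handshake test. s_server -Verify 1 behaves like clientAuth="true": a client without an
# acceptable cert is rejected during the handshake, before any HTTP is exchanged, which a
# browser can only show as a generic connection error. Success = the -www page came back.
mtls_check() {
  openssl s_server -accept "$PORT" -cert "$WORK/server.pem" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.pem" -Verify 1 -www >/dev/null 2>&1 &
  srv=$!
  sleep 2
  # stdin is held open for a moment because s_client quits as soon as stdin hits EOF
  if { printf 'GET / HTTP/1.0\r\n\r\n'; sleep 2; } | openssl s_client \
       -connect "127.0.0.1:$PORT" -CAfile "$WORK/ca.pem" \
       -cert "$WORK/client.pem" -key "$WORK/client.key" 2>/dev/null \
     | grep -q 'HTTP/1.0 200'; then with_cert=ok; else with_cert=fail; fi
  if { printf 'GET / HTTP/1.0\r\n\r\n'; sleep 2; } | openssl s_client \
       -connect "127.0.0.1:$PORT" -CAfile "$WORK/ca.pem" 2>/dev/null \
     | grep -q 'HTTP/1.0 200'; then no_cert=ok; else no_cert=fail; fi
  kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null || true
  echo "with client cert: $with_cert, without client cert: $no_cert"
  [ "$with_cert" = ok ] && [ "$no_cert" = fail ]
}

# Usage (each step returns non-zero on failure):
#   make_pki && verify_client_cert && client_subject && mtls_check
```

Two things the script makes visible that the browser does not: a client is rejected at handshake time, so "The page cannot be displayed" / "connection refused" is exactly what clientAuth="true" looks like when no acceptable certificate was sent; and a browser only offers a client certificate whose issuer appears in the CA list the server advertises, which Tomcat takes from truststoreFile, so the CA in the truststore must be the one that signed the certificate in the .p12.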