Tomcat Client Authentication Using SSL

I am at a loss, as I am not a Tomcat person. I need to use a third-party web service, and they require client authentication via SSL, so they created and issued me an SSL certificate. Unfortunately, that is as far as their support goes, and they cannot give me any indication of how to use it. I am stuck with this third party, so I have to put up with their lack of support.

So, I have a Java application that the provider supplies to us (and who, apparently, never had to solve this), a Tomcat application server running 6.0.20 on CentOS 5.3, and a third-party SSL certificate.

What do I need to do now? All I can find on the Internet is how to set up a keystore so that my application can require client authentication from clients connecting to it, not how to use a client certificate when it needs to connect to someone else, or how to use SSL on port 8443 (which I already know how to set up).

+6
ssl tomcat
3 answers

Here is a really long answer: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

Do not take my word for it, but I believe that, on the client side, client authentication is performed automatically when the server requests it.

If the question is about configuring Tomcat, have you read http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html ? In particular, pay attention to the clientAuth attribute of the Connector element.

+3

Update:

Try the client authentication method in Tomcat.

To get Tomcat to use client authentication, we need three certificates: a server certificate for Tomcat, a client certificate for the browser, and a CA certificate that signs both of the above. Here I will show how to do this on Windows.

There are two ways.

1) You create a CSR file, i.e. a certificate signing request, and send it to a Certification Authority such as Verisign, Comodo or many others like them. They will provide you with a certificate. Or

2) You can create your own certification authority and sign certificates. But it is recommended to do this only for personal use.

You must have Java and OpenSSL installed to complete the following steps.

To create a certificate signing request, you must have a key. To generate the key, enter the following command at the command prompt (CMD).

openssl genrsa -out Serverkey.key 1024

This will create the "Serverkey.key" file. The key size is 1024. You can specify it according to your requirements.

Now create the CSR file with the following command.

openssl req -new -key Serverkey.key -out ServerReq.csr -config /path/to/openssl.cnf

After executing this command, you will be asked to provide some information. After that, you will find the CSR file in your directory. You can send this file to the CA. If you are doing this for personal use and want your own certification authority, create a key and a CSR for your certification authority using the same two commands. Once you have the CSR for the CA, you can sign it with the CA key using the following command.

openssl x509 -req -days 365 -in CAReq.csr -signkey CAKey.key -out CA.crt

Once you have a CA certificate, you can use it to sign other certificates.

openssl x509 -req -days 365 -CA CA.crt -CAkey CAKey.key -CAcreateserial -in ServerReq.csr -out Server.crt

You can also use the same command for the client certificate.

The browser, which is our client here, accepts a certificate in P12 format. A P12 file contains your certificate as well as its private key.

Use the following command to convert CRT to P12.

openssl pkcs12 -export -in Server.crt -inkey Serverkey.key -chain -CAfile CA.crt -out ServerCert.p12

In Tomcat there are two stores: a truststore, which holds the CA certificate, and a keystore, which holds the server key and certificate (the p12 file).

Use the following command to import the CA certificate into the truststore.

keytool -import -alias CertAuth -keystore caCerts.jks -file CA.crt

You can choose the alias as you wish. Make a note of the password you give when prompted after executing the above command; we will use this password in the server.xml file. The same applies to the command below.

Use the following command to import the p12 format certificate into the keystore.

keytool -importkeystore -destkeystore tomcat.keystore -srckeystore ServerCert.p12 -srcstoretype PKCS12 -alias 1

Now modify the Tomcat server.xml file as follows.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" truststoreFile="path/to/truststorefile" truststorePass="password" keystoreFile="path/to/keystorefile" keystorePass="password" clientAuth="true" sslProtocol="TLS" /> 

Now import the client P12 format certificate into the browser. Then start the Tomcat server and try to access https://localhost:8443 . You can find a more detailed version of this answer on my blog. Hope this helps.

+2

I don't know what this has to do with setting up Tomcat, apart from the ability to pass system properties to a web application running on Tomcat.

The provider who supplies the web application should really be able to tell you how to get a client connection from their software to use a specific client certificate when connecting over SSL to a remote web service.

For example, they could have implemented their own KeyManager for the application's SSL connections, which looks for a client certificate and private key in a custom location.

If they did not, they are probably using the default SunX509 KeyManager.

For the default KeyManager, you can apparently use keytool to create a keystore containing the client certificate and the private key that corresponds to it. You can then point at this keystore with the following system properties:

-Djavax.net.ssl.keyStore="/path/to/keystore" -Djavax.net.ssl.keyStorePassword="<password>"

You will need to configure Tomcat to pass these properties.

+1

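The client-side counterpart of the answers above, as an added example that is not from the question or any of the answers: a Java client that presents the certificate from a PKCS12 file (the client-side equivalent of the ServerCert.p12 exported with openssl pkcs12 in the second answer) and trusts the CA in the caCerts.jks truststore from that answer, using a connection-scoped SSLContext instead of the JVM-wide javax.net.ssl.keyStore properties from the third answer. The file names ClientCert.p12, the password "changeit" and the URL are assumptions; it also checks that the keystore holds a private-key entry, because a store with only a certificate entry gives the KeyManager nothing to present.

```java
// Added example, not code from the question or answers. Java 6 compatible (no try-with-resources).
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public final class ClientCertHttps {

    // Loads a keystore of the given type (PKCS12 or JKS) from disk.
    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password); } finally { in.close(); }
        return ks;
    }

    // Counts private-key entries and prints the subject of each; zero means the
    // handshake will fail when the server requests a client certificate.
    static int countKeyEntries(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("client identity '" + alias + "': " + c.getSubjectX500Principal());
                n++;
            }
        }
        return n;
    }

    // KeyManager presents our certificate; TrustManager validates the server against our CA.
    static SSLContext clientContext(KeyStore clientP12, char[] keyPass, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientP12, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();                       // assumed password
        KeyStore client = load("PKCS12", "ClientCert.p12", pass);      // assumed file name
        KeyStore trust = load("JKS", "caCerts.jks", pass);             // truststore from the second answer
        if (countKeyEntries(client) == 0) throw new IllegalStateException("no private key in ClientCert.p12");
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(clientContext(client, pass, trust).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the SSLContext is set on the individual connection, other TLS traffic in the same Tomcat JVM is unaffected, which the -D system properties cannot guarantee.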