Tomcat SSL: enabling client authentication with Tomcat

I am trying to set up mutual authentication with Tomcat.

I am able to set up only server authentication by using the Java keytool and setting clientAuth="false".

Now I want to set up client authentication, so I set clientAuth="true",

created a keystore with self-signed certificates for both server and client,
set the SSL keystore path to this keystore, and
enabled the SSL log for Tomcat.

What I see is that the log shows only an entry for the tomcat key entry, i.e. the server certificate.

It does not show the client certificate.

I am sure my keystore has the client certificate.
I know this because I listed the entries in the keystore:
$ keytool -list -keystore tomcat2.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

roopa, Jul 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): AD:D8:7B:88:5F:D0:A2:3E:6B:E4:8C:6D:29:CC:B5:A2
tomcat, Jul 24, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 34:52:19:6D:3C:06:A8:91:12:4B:F2:1A:B7:1E:5D:4A
mykey, Jul 24, 2009, trustedCertEntry,
Certificate fingerprint (MD5): DE:A7:59:23:09:FF:BC:C4:EC:5B:73:6C:BB:B9:ED:25

I also imported the p12 client certificate into the web browser and tried. It did not work.

I see that Tomcat itself is not able to load the certificate with the alias roopa here.

Where could I have gone wrong?

I also tried to import these self-signed client certificates into cacerts.jks. It loads all the commercial CA certificates but not the self-signed client certificates I created.
To work with Tomcat, do the client certificates have to be
CA-certified?

All the information I got from websites shows that these steps should be enough to make client authentication work.

But it is not working for me here.

Here is my server.xml configuration:

<!-- Connector attribute names are case-sensitive: the trust store is
     configured with truststoreFile / truststorePass. Tomcat ignores
     unknown attributes such as truststorefile / truststorepass and then
     falls back to the JRE's default trust store (cacerts). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" scheme="https" secure="true"
           debug="5" clientAuth="true"
           keystoreFile="c:\Roopa\test\tomcat2.keystore" keystorePass="roopanov14"
           truststoreFile="c:\Roopa\test\tomcat2.keystore" truststorePass="roopanov14"
           sslProtocol="TLS" />

The password and the path to the keystore are correct.

It is loading the entry for tomcat,

but not the client certificate entries.

Can anybody tell me what is going on and where I am going wrong?
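The procedure the post describes (server key in a keystore, client certificate in a trust store, clientAuth="true", a p12 for the browser) as a runnable script. This is an added example, not code from the original post or from Tomcat. It uses keytool only, keeps the client certificate as a trustedCertEntry in a separate trust store (the same file can serve as both keystoreFile and truststoreFile, but separating them makes the listing easier to read), and prints a Connector element with the correctly cased truststoreFile / truststorePass attributes. The passwords, aliases, CN values and work directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the stores a Tomcat
# connector with clientAuth="true" needs, using keytool only:
#   server.jks  server PrivateKeyEntry          -> keystoreFile
#   trust.jks   client cert as trustedCertEntry -> truststoreFile
#   client.p12  client key + cert, imported into the browser
# Passwords, aliases, the CN values and the work directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"      # demo password (assumption)
SERVER_ALIAS="tomcat"
CLIENT_ALIAS="roopa"

# Self-signed server key. The key password must equal the store password
# unless the connector also sets keyPass; -storetype JKS keeps the file in
# the format Tomcat 6 expects even on JDKs whose default is PKCS12.
make_server_keystore() {
    rm -f "$WORK/server.jks"
    keytool -genkeypair -alias "$SERVER_ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=localhost, O=Demo" -ext "SAN=dns:localhost" -validity 365 \
        -keystore "$WORK/server.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Self-signed client key, generated straight into a PKCS12 file so the same
# file can be imported into the browser.
make_client_p12() {
    rm -f "$WORK/client.p12"
    keytool -genkeypair -alias "$CLIENT_ALIAS" -keyalg RSA -keysize 2048 \
        -dname "CN=$CLIENT_ALIAS, O=Demo" -validity 365 \
        -keystore "$WORK/client.p12" -storetype PKCS12 \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export only the client's certificate (no private key) and add it to the
# trust store. This trustedCertEntry is what lets the server accept the
# client's handshake; a self-signed client cert needs no CA for this.
make_truststore() {
    rm -f "$WORK/client.crt" "$WORK/trust.jks"
    keytool -exportcert -rfc -alias "$CLIENT_ALIAS" \
        -keystore "$WORK/client.p12" -storepass "$STOREPASS" \
        -file "$WORK/client.crt"
    keytool -importcert -noprompt -alias "$CLIENT_ALIAS" \
        -file "$WORK/client.crt" -keystore "$WORK/trust.jks" -storetype JKS \
        -storepass "$STOREPASS"
}

# Check: does a store list the given alias with the given entry type?
# keytool -list prints one line per entry: "<alias>, <date>, <type>, ..."
store_has_entry() {   # $1=store $2=alias $3=PrivateKeyEntry|trustedCertEntry
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q "^$2, .*$3"
}

# Connector using the stores above. Attribute names are case-sensitive:
# truststoreFile / truststorePass, not truststorefile / truststorepass.
connector_xml() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$WORK/server.jks" keystorePass="$STOREPASS"
           truststoreFile="$WORK/trust.jks" truststorePass="$STOREPASS" />
EOF
}

main() {
    make_server_keystore
    make_client_p12
    make_truststore
    store_has_entry "$WORK/server.jks" "$SERVER_ALIAS" PrivateKeyEntry
    store_has_entry "$WORK/trust.jks" "$CLIENT_ALIAS" trustedCertEntry
    echo "stores written to $WORK"
    connector_xml
}

if command -v keytool >/dev/null 2>&1; then
    main
else
    echo "keytool not found; install a JDK to run this demo" >&2
fi
```

Run it with a JDK on the PATH, paste the printed Connector into server.xml, restart Tomcat, and import client.p12 (password changeit) into the browser. The point of the trust store check is that clientAuth="true" only works when the connector actually reads the file holding the client's trustedCertEntry; if the truststore attributes are misspelled, Tomcat silently uses the JRE's cacerts, which contains the commercial CAs but not a self-signed client certificate, which matches the symptom described in the post.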


Saloon Keeper
You can very definitely use self-signed certs with Tomcat. I'm doing that myself.

I can't see anything immediately wrong with what you listed, but there is (as I understand it) an issue with HTTP itself in that for a given IP address, only one cert can be honored, even if the IP address supports multiple hostnames (virtual hosts).
Ranch Hand
How did you enable the SSL logging?

Did you get the client authentication working on Tomcat?

I am so glad to see this posting!
