I have a tomcat server with microservice wars, one WAR that connects with another system, another system requires client authentication, and i have the certificate how to load the certificate with the communication with that system, i tried to use this certificate in the HTTPS encription but failed,
kindly advice i want to load a certififcate if the tomcat will connect with a certain URL,
i mean that the tomcat will be the client not the server,
i know how to make tomcat require client authentication as a server but if there is another system and the tomcat here is the client, how to insert the certificate in tomcat,
the application is java, and the os is linus redhat 7
i tried to inst the certificate to OS level and cacert but same
I'm at a loss since I'm not a Tomcat person. I use tomcat as a webserver for our Java application and now we are trying to integrate with one of our customers and they require Client Authentication via SSL, so they generated and issued me an SSL certificate to use it in tomcat during the communicating with their system. Unfortunately, this is as far as they support it and cannot give me any direction on how to actually use it.
So what I have is a Java application, a Tomcat app server running 8 on rehat 7, and the .p12 cert from the local CA from customer side.
now i have 2 certificates one for SSL and another as client authentication, how to define the client authentication and attache it with my communication dealing with another system, I tried to use SSLCACertificateFile attribute but no luck,
Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8446" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="fileto.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreType="PKCS12" SSLCACertificateFile="CAfileto_T.p12" SSLCACertificatePass="changeit"
Realm className="org.apache.catalina.realm.LockOutRealm"
Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"
Related
For some reason on one of my servers, SSL with mutual auth is not enforced.
The same server.xml config on another server does end up enforcing it.
So I am reaching out to you guys, do you know why this server.xml configuration allows the user to access the page WITHOUT asking for an SSL client certificate?
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
server="Apache" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="path-to-server-ssl-keystore" keystorePass="hidden"
clientAut="true" sslProtocol="TLS" truststoreFile="path-to-truststore" truststorePass="hidden"/>
My trustore contains only one Certificate (I ensured that to make sure my testing was valid), and my HMTL client is NOT configure with this certificate.
When I reach to https://URL:8444/webappname/foo.html, it works!
As you can see in the wireshark trace below, the server is not asking for the client certificate.
On the other servers, I see the server asking for a Client certificate, as shown here:
At the moment I am simply trying to ensure the mutual auth is enforced so I am expecting to see an SSL error.
Any input would be welcome, thanks in advance.
I have successfully configured Apache (2.4.7) to require a client certificate and -- as a reverse proxy -- forward the information within the certificate to a Tomcat 8 server.
When trying to accomplish the same with Spring Boot however, it fails with
The proxy server received an invalid response from an upstream server
The proxy server could not handle the request GET /myapp
and returns a HTTP 502 error code.
The relevant, working Tomcat configuration is:
<Connector SSLEnabled="true" clientAuth="want" keyAlias="myalias"
keystoreFile="mystore.jks" keystorePass="mypassword" maxThreads="150"
port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
sslProtocol="TLS" truststoreFile="mystore.jks" truststorePass="mypassword"/>
The relevant part of the Spring Boot application.properties file that won't work:
server.context-path=/myapp
server.port=8443
server.ssl.enabled=true
server.use-forward-headers=true
server.ssl.protocol=TLS
server.ssl.client-auth=need
server.ssl.key-alias=myalias
server.ssl.key-store=/path/to/mykeystore.jks
server.ssl.key-store-password=mypassword
server.ssl.key-password=mypassword
server.ssl.trust-store=/path/to/mykeystore.jks
server.ssl.trust-store-password=mypassword
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.port-header=x-forwarded-port
Note, when accessing the app directly (i.e. requesting https://myapp.company.tld:12345/myapp) it works just fine, but using the reverse proxy (i.e. https://proxy-load-balancer.company.tld:12345/myapp) throws the error above.
The port difference (12345 vs the configured 8443) is due to an intermediate Docker layer: both the reverse proxy and the application runs in a container and their open ports (443 for Apache, 8443 for Tomcat/Spring Boot) are mapped to a different port, i.e. 12345.
Ok, so this all got sorted out. First, this Spring security setting
server.ssl.client-auth=need
will always force your embedded Tomcat to ask for a certificate, so in a client=>reverse proxy=>Tomcat situation you won't be able to authenticate unless maybe you use AJP, not sure about that.
But it turned out that using
server.ssl.client-auth=want
enables the further processing of your request and what people usually do is process the certificate at the reverse proxy level and forward some information to the backend server (Tomcat, Jetty, etc.).
In the end the developers had to adapt their Spring Boot application to handle this latter mode of operation, i.e. extract data from the forwarded HTTP request's header and proceed with the authentication based on that.
I have developed a Rest service and deployed it in tomcat 8 server. It is working fine with http URL. I have a requirement to install SSL certificate for the server.
But there is already a service running on this server which has SSL certificate.
Now my questions are
1) do I need to install another SSL certificate for the same server ?
2) How do i find that previously installed certificate belongs to server or service ?
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
Kindly help me techies.
1) do I need to install another SSL certificate for the same server ?
Probably not, depending of the kind of the SSL service running. You need to stablish a connector from the SSL service to Tomcat to forward SSL requests in a path. Usually in Tomcat is done using the AJP connector and is not needed extra configuration. Check the documentation of the SSL Service
2) How do i find that previously installed certificate belongs to server or service ?
An SSL certificate is issued to a host name (Or infrequently to an IP), so it will be valid for the entire server
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
If the previous SSL service is running in the standard port 443, you will need a new port. Configure a new connector in server.xml with the port, ssl activated and the keystore with the certificate chain. See https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
Our architecture is:
external users<---https--->web server(Apache HTTP server)<----->webapp server (tomcat)
We fail to pass the IBM AppScan, which is used to detect any security defects in webapp server, because it finds our tomcat server.xml file is not added the secure="yes" attribute in our port.
However the secure="yes" attribute should not be added to the tomcat server.xml file because we do not need a secure connection between web server and webapp server.
How can we fix the issue?
Are there any secure="yes" attribute can be added to the configuration file of web server(Apache HTTP server)?
Thanks & Regards,
Gordon
If your users are accessing Tomcat (indirectly) through Apache httpd using TLS (https:// URL) then it is entirely appropriate to set secure="true" in your <Connector>. This tells your web application that the request being received is secure even when it is not (e.g. you are using plain-HTTP between httpd and Tomcat).
So, if you have set scheme="https" on your <Connector> then you probably want to also set secure="true".
This is not a configuration change that you can make on the Apache httpd side... it must be done in Tomcat.
I am using jboss as the server and my java program as the client, I have modified the server.xml file in jboss to send certificate from server to the client. this happens automatically, when the requesting client has the same domain as the domain in the server keystore.
But I want the jboss server to validate the client certificate also. How can I send the client certificate to jboss and receive it in jboss?
You are trying to achieve a two way ssl so lookup "jboss two way ssl".
The steps would be similar to setting up ssl on the server ; the only difference would be that you would need to import the client cert into the server truststore (assuming the client cert is self-signed).