Tomcat 8 doesn't enforce SSL mutual auth - ssl

For some reason on one of my servers, SSL with mutual auth is not enforced.
The same server.xml config on another server does end up enforcing it.
So I am reaching out to you guys, do you know why this server.xml configuration allows the user to access the page WITHOUT asking for an SSL client certificate?
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
server="Apache" maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="path-to-server-ssl-keystore" keystorePass="hidden"
clientAut="true" sslProtocol="TLS" truststoreFile="path-to-truststore" truststorePass="hidden"/>
My truststore contains only one certificate (I ensured that to make sure my testing was valid), and my HTML client is NOT configured with this certificate.
When I go to https://URL:8444/webappname/foo.html, it works!
As you can see in the wireshark trace below, the server is not asking for the client certificate.
On the other servers, I see the server asking for a Client certificate, as shown here:
At the moment I am simply trying to ensure the mutual auth is enforced so I am expecting to see an SSL error.
Any input would be welcome, thanks in advance.
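One way to catch this class of misconfiguration before it reaches production is to lint server.xml for SSL-enabled connectors whose attribute names nearly match a real one, and to report what clientAuth actually resolves to. This is an added example, not code from the original post; the attribute set is a representative subset of Tomcat 8's JSSE Connector attributes (an assumption, not the full list), and the sample server.xml is constructed from the question's connector.

```python
import difflib
import xml.etree.ElementTree as ET

# Security-relevant attributes of a JSSE <Connector> in Tomcat 8 (assumption:
# a representative subset, not the full attribute list from the Tomcat docs).
SSL_ATTRS = frozenset({
    "SSLEnabled", "clientAuth", "sslProtocol", "sslEnabledProtocols", "ciphers",
    "keystoreFile", "keystorePass", "keystoreType", "keyAlias", "keyPass",
    "truststoreFile", "truststorePass", "truststoreType",
})

# Constructed sample: the connector from the question (with its misspelled
# attribute) next to a connector that spells clientAuth correctly.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true"
  keystoreFile="path-to-server-ssl-keystore" keystorePass="hidden"
  clientAut="true" sslProtocol="TLS"
  truststoreFile="path-to-truststore" truststorePass="hidden"/>
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  keystoreFile="k.jks" keystorePass="hidden" clientAuth="true"
  truststoreFile="t.jks" truststorePass="hidden" sslProtocol="TLS"/>
</Service></Server>"""


def audit_connectors(server_xml):
    """Return one finding per SSL-enabled Connector: its effective clientAuth
    value and any attribute that looks like a typo of a known SSL attribute."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        typos = {}
        for name in conn.attrib:
            if name in SSL_ATTRS:
                continue
            # Attribute names are case-sensitive; an unknown name that is
            # nearly identical to a known one is almost certainly a typo.
            near = difflib.get_close_matches(name, sorted(SSL_ATTRS), n=1, cutoff=0.8)
            if near:
                typos[name] = near[0]
        # Tomcat defaults clientAuth to false, so a misspelled attribute
        # silently yields a server that never requests a client certificate.
        client_auth = conn.get("clientAuth", "false").lower()
        findings.append({
            "port": conn.get("port"),
            "clientAuth": client_auth,
            "mutual_tls_enforced": client_auth == "true",
            "suspected_typos": typos,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Tomcat also logs a "did not find a matching property" warning for such attributes at startup, so checking catalina.out right after a restart is the other quick check.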

Related

Can't open port 8443 in Windows 10

I am trying to verify if the client certificate (self-signed) which I generated with openssl is valid. I have created client certificate, client private key, client keystore, and server certificate, server private key, server keystore and server truststore.
I am trying to use the generated server key and certificate in Tomcat by putting the following in server.xml:
<Connector port="8443"
maxThreads="150"
scheme="https"
secure="true"
SSLEnabled="true"
truststoreFile="C:\New keys\Server\truststore.jks"
truststorePass="......"
keystoreFile="C:\New keys\Server\keystore_server"
keystorePass="......."
clientAuth="true"
keyAlias="......."
sslProtocol="TLS"/>
I have also added client certificate in Google Chrome.
But when I try to visit http://localhost:8443/ I get the error "localhost refused to connect".
I added an inbound rule to the Windows firewall to allow port 8443, yet, after doing this, when I test whether the port is open or closed with online tools, it shows that port 8443 is closed.
How do I open this port? Or is there anything else I can do to solve this?

Tomcat as a client authentication

I have a Tomcat server with microservice WARs. One WAR connects with another system, and that other system requires client authentication. I have the certificate; how do I load the certificate for the communication with that system? I tried to use this certificate in the HTTPS encryption but failed.
Kindly advise: I want to load a certificate if Tomcat will connect with a certain URL,
I mean that Tomcat will be the client, not the server.
I know how to make Tomcat require client authentication as a server, but if there is another system and Tomcat here is the client, how do I insert the certificate in Tomcat?
The application is Java, and the OS is Red Hat Linux 7.
I tried to install the certificate at OS level and in cacerts, but same result.
I'm at a loss since I'm not a Tomcat person. I use tomcat as a webserver for our Java application and now we are trying to integrate with one of our customers and they require Client Authentication via SSL, so they generated and issued me an SSL certificate to use it in tomcat during the communicating with their system. Unfortunately, this is as far as they support it and cannot give me any direction on how to actually use it.
So what I have is a Java application, a Tomcat 8 app server running on Red Hat 7, and the .p12 cert from the local CA on the customer side.
Now I have two certificates, one for SSL and another for client authentication. How do I define the client authentication and attach it to my communication with the other system? I tried to use the SSLCACertificateFile attribute but no luck.
<Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8446" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="fileto.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreType="PKCS12" SSLCACertificateFile="CAfileto_T.p12" SSLCACertificatePass="changeit"/>
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>

Spring Boot certificate authentication via Apache reverse proxy

I have successfully configured Apache (2.4.7) to require a client certificate and -- as a reverse proxy -- forward the information within the certificate to a Tomcat 8 server.
When trying to accomplish the same with Spring Boot however, it fails with
The proxy server received an invalid response from an upstream server
The proxy server could not handle the request GET /myapp
and returns a HTTP 502 error code.
The relevant, working Tomcat configuration is:
<Connector SSLEnabled="true" clientAuth="want" keyAlias="myalias"
keystoreFile="mystore.jks" keystorePass="mypassword" maxThreads="150"
port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
sslProtocol="TLS" truststoreFile="mystore.jks" truststorePass="mypassword"/>
The relevant part of the Spring Boot application.properties file that won't work:
server.context-path=/myapp
server.port=8443
server.ssl.enabled=true
server.use-forward-headers=true
server.ssl.protocol=TLS
server.ssl.client-auth=need
server.ssl.key-alias=myalias
server.ssl.key-store=/path/to/mykeystore.jks
server.ssl.key-store-password=mypassword
server.ssl.key-password=mypassword
server.ssl.trust-store=/path/to/mykeystore.jks
server.ssl.trust-store-password=mypassword
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.port-header=x-forwarded-port
Note, when accessing the app directly (i.e. requesting https://myapp.company.tld:12345/myapp) it works just fine, but using the reverse proxy (i.e. https://proxy-load-balancer.company.tld:12345/myapp) throws the error above.
The port difference (12345 vs the configured 8443) is due to an intermediate Docker layer: both the reverse proxy and the application runs in a container and their open ports (443 for Apache, 8443 for Tomcat/Spring Boot) are mapped to a different port, i.e. 12345.
Ok, so this all got sorted out. First, this Spring security setting
server.ssl.client-auth=need
will always force your embedded Tomcat to ask for a certificate, so in a client=>reverse proxy=>Tomcat situation you won't be able to authenticate unless maybe you use AJP, not sure about that.
But it turned out that using
server.ssl.client-auth=want
enables the further processing of your request and what people usually do is process the certificate at the reverse proxy level and forward some information to the backend server (Tomcat, Jetty, etc.).
In the end the developers had to adapt their Spring Boot application to handle this latter mode of operation, i.e. extract data from the forwarded HTTP request's header and proceed with the authentication based on that.
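The mode of operation described above (certificate verified at the reverse proxy, identity forwarded in request headers) only holds if the backend accepts those headers exclusively from the proxy; in the setup above the application is also reachable directly on its mapped port, so a caller could set the same headers itself. This added example (not code from the post or from Spring Boot) shows the check in framework-neutral Python; the header names are assumptions standing in for whatever RequestHeader mapping the Apache side uses, and the mod_ssl values they carry (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN) are real.

```python
import ipaddress

# Hypothetical header names set by the reverse proxy from mod_ssl variables
# (assumption: e.g. RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s").
VERIFY_HEADER = "x-ssl-client-verify"
DN_HEADER = "x-ssl-client-s-dn"

# Constructed: the address range the proxy container connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_dn(dn):
    """Split an RFC 2253-style DN such as 'CN=alice,O=Example' into a dict.
    Naive on purpose: escaped commas inside values are not handled."""
    parts = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key:
            parts[key.upper()] = value
    return parts


def authenticate_forwarded(headers, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Return the client certificate CN when, and only when, the request comes
    from a trusted proxy that reports a successfully verified certificate."""
    # Use the TCP peer address, not X-Forwarded-For: only the socket peer is
    # something the caller cannot forge.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    # mod_ssl reports SUCCESS, NONE, or FAILED:<reason>; anything but SUCCESS
    # means the proxy did not verify a certificate for this request.
    if lowered.get(VERIFY_HEADER) != "SUCCESS":
        return None
    return parse_dn(lowered.get(DN_HEADER, "")).get("CN")


if __name__ == "__main__":
    hdrs = {"X-SSL-Client-Verify": "SUCCESS", "X-SSL-Client-S-DN": "CN=alice,O=Example"}
    print(authenticate_forwarded(hdrs, "10.0.0.5"))   # via the proxy
    print(authenticate_forwarded(hdrs, "192.0.2.7"))  # direct access, headers ignored
```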

SSL certificates in tomcat server

I have developed a Rest service and deployed it in tomcat 8 server. It is working fine with http URL. I have a requirement to install SSL certificate for the server.
But there is already a service running on this server which has SSL certificate.
Now my questions are
1) do I need to install another SSL certificate for the same server ?
2) How do i find that previously installed certificate belongs to server or service ?
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
Kindly help me techies.
1) do I need to install another SSL certificate for the same server ?
Probably not, depending on the kind of SSL service running. You need to establish a connector from the SSL service to Tomcat to forward SSL requests on a path. Usually in Tomcat this is done using the AJP connector and no extra configuration is needed. Check the documentation of the SSL service.
2) How do i find that previously installed certificate belongs to server or service ?
An SSL certificate is issued to a host name (Or infrequently to an IP), so it will be valid for the entire server
3) if I install new SSL certificate what configuration changes are to be included in server.xml for port redirect ?
If the previous SSL service is running in the standard port 443, you will need a new port. Configure a new connector in server.xml with the port, ssl activated and the keystore with the certificate chain. See https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>

What is the difference between requiring an SSL cert and accepting an SSL cert?

So I know the fundamental difference between requiring an SSL cert and accepting, one means you must have an SSL certificate and the other means you don't need one.
In my IIS Manager for a certain webpage I have this setup:
The issue that I am having is that when I set Require SSL and have Client certificates set to Accept/Ignore, I can only get to the webpage using HTTPS. Now if I change it to Require, I can no longer access the webpage, even with HTTPS... so I am just trying to figure out what the difference is, and how it affects the webpage.
So maybe my question is phrased wrong... I'm not sure, my understanding on the subject is fairly limited, so any help would be appreciated.
Thanks!
Client-certificate authentication can be optional or mandatory, or not used at all.
Ignore is when it's not used at all.
Accept will take a certificate if it's presented, but will also continue with connections where the client doesn't present one.
Require only continues with connections that have a client certificate.
Client-certificate authentication is something that can only be initiated by the server in SSL/TLS, so this terminology isn't quite correct, but that's what's used in IIS.
To expand on the answer given by @Bruno: these values can be set in the applicationHost.config file, or even in web.config if override is allowed.
The attribute is called sslFlags and you will find the possible values as well as an example below.
None: Disable SSL.
Ssl: Require SSL.
SslNegotiateCert: Accept client certificates for authentication.
SslRequireCert: Require client certificates for authentication.
SslMapCert: Enable certificate mapping authentication.
Ssl128: Require 128-bit SSL.
Example for a site named Contoso that requires HTTPS and a client certificate trusted by the server:
<location path="Contoso">
  <system.webServer>
    <security>
      <access sslFlags="Ssl,SslNegotiateCert,SslRequireCert" />
    </security>
  </system.webServer>
</location>
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/access