I am mostly following this page:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
I used this command to create the keystore
keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat6/keystore
and answered the prompts
Then i edited my server.xml file and uncommented/edited this line
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/tomcat6/keystore"
keystorePass="tomcat" />
then I go to the web.xml file for my project and add this into the file
<security-constraint>
<web-resource-collection>
<web-resource-name>Security</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
When I try to run my webapp I am met with this:
Unable to connect
Firefox can't establish a connection to the server at localhost:8443.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
If I comment out the lines I've added to my web.xml file, the webapp works fine. My log file in /var/lib/tomcat6/logs says nothing. I can't figure out if this is a problem with my keystore file, my server.xml file or my web.xml file.... Any assistance is appreciated
I am using tomcat 6 on ubuntu.
Edit: I changed my server.xml to
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/tomcat6/keystore"
keystorePass="tomcat" />
incase there was an issue with it being autoconfigured to "APR" as suggested by the tomcat tutorial (not sure if I have that or how to find out if I do). However I am still getting the same error.
Well, I'm an idiot...
I was under the impression that netbeans was restarting my server for me, because eclipse used to know when files that required restarting were changed and it would restart the server for you. Apparently netbeans doesn't have that functionality. Once I've manually restarted the server using the script at /etc/init.d/tomcat6 then everything worked..
Thanks for your help anyway pascal, your questions help me think about what other problems I might be running in to.
I just tested the same setup with a vanilla Tomcat on Ubuntu and :
I generated a keystore
I uncommented the SSL connector in server.xml and pointed on my keystore
I added the security constraint in the web.xml of my-webapp to force the use of SSL
And accessing https://localhost:8443/my-webapp just works on my machine(c).
Are you accessing the application using the right protocol i.e. https:// (notice the s in https)?
By the way, I would recommend to set the redirectPort=8443 attribute in the non-SSL connector so that http://localhost:8080/my-webapp gets redirected to https://localhost:8443/my-webapp.
Related
I’m using Tomcat 9.0.19 and trying to enable X.509 cert.-based client authentication (AKA I&A) for a particular Web application.
In summary, the Tomcat works for an application that has basic I&A enabled over one-way TLS. When accessing the Web application that has certificate-based I&A, Tomcat does not seem to request a client certificate as part of the Server Hello message, prior to sending Server Hello Done and it later fails the authentication check:
02-Jan-2020 13:00:40.371 FINE [https-jsse-nio-443-exec-10] org.apache.catalina.authenticator.SSLAuthenticator.doAuthenticate Looking up certificates
02-Jan-2020 13:00:40.830 FINE [https-jsse-nio-443-exec-10] org.apache.catalina.authenticator.SSLAuthenticator.doAuthenticate No certificates included with this request
Traced the TLS flow in Wireshark and saw the TLS 1.2 handshake. Shortly after encrypted data is exchanged, the Tomcat sends an “Encrypted Alert” message and the socket is closed. Trying to contact the Tomcat from the browser, doing a GET. The browser does not prompt me to select a certificate, which also seems to point to Tomcat not requesting it from the browser.
Any help will be greatly appreciated!
More Details:
We have a set of certificates for the Tomcat and the client, issued by an Intermediate CA, which is signed (issued) by a Root CA. The trust stores have been setup on both sides (client and server) as well as key stores with the right certs/keys in them. The Web application is setup to require certificate I&A (web.xml):
<security-constraint>
<web-resource-collection>
<web-resource-name>All by default</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>OTService</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
</login-config>
The OTService role is setup in the Tomcat-Users.xml, along with a single user account:
Now, the Connector in server.xml is configured as follows:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="100" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="/apache-tomcat-9.0.19/conf/km/keyStore.jks"
certificateKeystorePassword="PASSWORD"
certificateKeyAlias="tomcat"
type="RSA" />
truststoreFile="/apache-tomcat-9.0.19/conf/km/trust_store.jks"
truststorePass="PASSWORD"
truststoreType="JKS"
certificateVerification="required"
clientAuth="true"
protocols="TLSv1.2"
</SSLHostConfig>
</Connector>
Any ideas why Tomcat would not request a client certificate?
The first issue that I discovered was that Tomcat ignored the Connector->SSLHostConfig settings for the trust store and used the JRE default trust store anyway. The way I discovered it was to have a browser save the negotiated TLS session key to a file (Google SSLKEYLOGFILE), then configured the Wireshark to use that file, captured the browser-Tomcat session and then was able to see every message in plaintext.
Next, I discovered that Tomcat was actually asking for a client cert., but the list of accepted Root CAs it was sending was from the default JRE cacerts file, not from the file specified by the truststoreFile attribute. Can have Tomcat use a different file across the board by adding a setenv.sh file to the Tomcat bin directory with Java properties to override default trust store location.
Now, I was in business, the browser was able to complete the TLS handshake, but then the authentication and authorization steps were failing. I finally determinate that the proper way to provide the cert. subject field in tomcat_users.xml file was not "CN=OU Client, OU=Control Systems, O=IoTOY, L=Scottsdale, S=AZ, C=US", but "CN=OU Client, OU=Control Systems, O=IoTOY, L=Scottsdale, ST=AZ, C=US". Finally, I had 2-way TLS working.
One thing to keep in mind is if anything running on the Tomcat attempts to connect over TLS to another system that uses commercial CA certs, it will fail because the truststore you're using now does not have commercial Root CAs' certs. One way to remediate it is to make a copy of the default JRE cacerts file and add your system-specific CA cert(s) to it and point to it from the setenv.sh file noted above.
When you have:
<Connector ...>
<SSLHostConfig>
<Certificate A=1 B=2 C=3 />
D=4 E=5 F=6
</SSLHostConfig>
</Connector>
then A,B,C are attributes of the Certificate object but D,E,F are NOT attributes of the SSLHostConfig object -- they are XML content which is different. Attributes need to be put IN THE TAG:
<Connector ... >
<SSLHostConfig certificateVerification="required" truststoreFile=... >
<Certificate ...keystore... />
</SSLHostConfig>
</Connector>
and that does cert-request on the initial handshake as desired (for me, tested on tomcat 9.0.14).
Problem summary:
I am trying to run symmetric ds on tomcat with ssl. Setup details
1). MasterNode M1: running on tomcat.
2). Cleint node C1: running on tomcat.
I am able to run symmetricds on tomcat without ssl. This setup works fine all sync happens.
Now when I am trying to run tomcat with following setting for ssl, it gives bad_certificate error on client node:
connection setting on Master node:
<Connector SSLEnabled="true" acceptCount="10"
algorithm="PKIX" allowTrace="false"
ciphers=""
clientAuth="true"
enableLookups="true"
keystoreFile="/root/symmetric-server-3.8.28/security/keystore.p12"
keystorePass="changeit#1"
keystoreType="pkcs12"
port="31415"
redirectPort="-1"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2"
sslProtocol="TLSv1.2"
truststoreFile="/root/symmetric-server-3.8.28/security/keystore.p12"
truststorePass="changeit#1"
truststoreType="pkcs12"/>
connector setting on Client node:
<Connector SSLEnabled="true" acceptCount="10"
algorithm="PKIX" allowTrace="false"
ciphers=""
clientAuth="true"
enableLookups="true"
keystoreFile="/root/symmetric-server-3.8.28/security/keystore2.p12"
keystorePass="changeit#1"
keystoreType="pkcs12"
port="31415"
redirectPort="-1"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2"
sslProtocol="TLSv1.2"
truststoreFile="/root/symmetric-server-3.8.28/security/keystore2.p12"
truststorePass="changeit#1"
truststoreType="pkcs12"/>
Note: If I run Master node tomcat with clientAuth=false then everything works fine. On further debugging I found that client is not providing its certificate during TLS handshake. Following is error: Experts please help what config I need to do so that client provide certificate:
Error:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Upgrade to SymmetricDS 3.8.31. There was an issue that was fixed that allows for client TLS authentication now:
http://www.symmetricds.org/issues/view.php?id=2886
I've got a stop-ship problem that is driving me crazy. I hope that one of you experts out there can help.
I'm running the latest release version of TomEE+ (1.6.0.2) and the latest version of Java 8 (build 1.8.0_05-b13). No matter what I try, the following line of code in my HttpServlet always returns null.
X509Certificate certs[] = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
I initially assumed that I had specified the attribute name incorrectly, so to diagnose the problem, I decided to take a look at the full list of attributes using the following:
Enumeration<String> enums = request.getAttributeNames();
However that showed me were only two attributes: one for the cipher suite and the other for the key strength.
I read the other articles and verified that my connector was correct and that it had the clientAuth attribute set properly. Here's the connector:
<Connector port="4449" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLSv1.2"
SSLCertificateFile="/etc/unipagos/certs/pay.crt"
SSLCertificateKeyFile="/etc/unipagos/certs/pay.key"
SSLVerifyClient="required"
SSLHonorCipherOrder="true"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
The connection seems to work, however using openssl s_client with -msg shows that the server isn't asking for the client certificate.
Why is the server not asking for a client certificate? What am I doing wrong?
I have a working connector configuration for tomee and server is requesting client cert.
you can try
<Connector port="7443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
SSLProtocol="TLSv1.2"
SSLVerifyClient="require"
SSLCertificateFile="/opt/_cdrom_apache/certs/ec-dev-apr.pem"
SSLCertificateKeyFile="/opt/_cdrom_apache/certs/ec-dev.key"
SSLCACertificateFile="/opt/_cdrom_apache/certs/CA.pem"
/>
Note: I will be answering my own question... just wanted to add this tidbit to the collective wisdom of The Internets.
I've successfully configured certificate authentication on my JBoss 5.1.0.GA server, largely with the help of the information on this page: http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html
I have one context (let's call it /openContext) that doesn't require any authentication, and another context (let's call it /securedContext) that requires client certificate authentication (i.e., it's configured to use CLIENT-CERT in web.xml). When using JBoss's default web connector, this works splendidly. I can hit http://myhost/openContext and I'm not prompted for a certificate, but when I hit http://myhost/securedContext, I'm prompted for a client certificate as I'd expect.
However, when I install JBossWeb Native and use APR as my web connector, I'm no longer prompted for a certificate when I hit http://myhost/securedContext.
My APR connector config in server.xml looks like:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
SSLCACertificateFile="/etc/pki/tls/certs/clientCAs.crt"
/>
I've also tried adding the SSLVerifyClient parameter to that configuration and setting it to optional, but that prompts for a certificate in both /openContext and /securedContext, which isn't the behavior I want.
How can I get JBoss with APR to require certificate authentication for one web context, but not another web context?
What worked for me was to just add a whole new web connector, and have clients use that alternate port for the secured web context. My connectors config now looks like:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
/>
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8543" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="true"
SSLProtocol="SSLv3+TLSv1"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
SSLRandomSeed="/dev/urandom"
SSLCertificateFile="/etc/pki/tls/certs/mycert.crt"
SSLCertificateKeyFile="/etc/pki/tls/private/mycert.key"
SSLPassword="mypasswordwhichiassureyouisbetterthanthisone"
SSLCACertificateFile="/etc/pki/tls/certs/clientCAs.crt"
SSLVerifyClient="require"
/>
Now, if I hit http://myhost:8443/openContext, I'm not prompted for a certificate, but when I hit http://myhost:8543/securedContext, I am prompted for a certificate. Of course, I can still access either web app with the "wrong" port, but the consequences are negligible for my purposes. If a client hits http://myhost:8443/securedContext, they simply get an HTTP authentication error. If a client hits http://myhost:8543/openContext, they're prompted for a client certificate. If they provide one, great (though I don't care who you are), and if they don't provide one or provide an invalid one, they get an HTTP auth error (they should have used the correct port in the first place).
I'm pretty sure there's an alternative way to get this working without requiring a second connector by putting httpd in front of JBoss and doing some clever configuration there, but this worked well enough for my purposes.
I used this 3 easy steps tutorial to setup SSL on Tomcat 6. I did it step by step. I've even changed the <connector> to be the same as in the tutorial. Unfortunately after restarting Tomcat and running the project i had ssl_error_rx_record_too_long error
here is what I did:
Run command keytool -genkey -alias techtracer -keypass ttadmin -keystore techtracer.bin -storepass ttadmin in java bin folder
answer questions
copy the techtracer.bin file into tomcats webapps directory
modify tomcats conf/server.xml file as follows
`
<Connector port=”8443″
maxThreads=”150″ minSpareThreads=”25″ maxSpareThreads=”75″
enableLookups=”true” disableUploadTimeout=”true”
acceptCount=”100″ debug=”0″ scheme=”https” secure=”true”
clientAuth=”false” sslProtocol=”TLS”
keystoreFile=”../webapps/techtracer.bin”
keystorePass=”ttadmin” />
`
5.modify web.xml file in jsf app as follows
add this code:
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
in addition typing https://localhost:8443/ in the browser results with outcome "The connection was terminated while the page was loading". I don't know what causes this problem. Please show me the right direction. Thank You in advance
Resolved:
Run command keytool -genkey -alias tomcat -keyalg RSA in java bin folder
answer questions
modify tomcats conf/server.xml file as follows
`
<Connector
protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="C:/Users/Szajba/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
`
5.modify web.xml file in jsf app as follows
add this code:
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Works fine for me. Remember to change the password