Tomcat4 – client authentication
Setting up a connector in /var/lib/tomcat4/conf/server.xml:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="/home/pie/bla/keystore" keystorePass="changeit"/>
</Connector>
Setting up trusted certificates (other than the cacerts file somewhere in the Java installation):

export CATALINA_OPTS="-Djavax.net.ssl.trustStore=/home/pie/bla/ca -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl"
BTW: Tomcat5 allows you to specify trusted certs in server.xml directly.
The last option (-Djavax.net.debug=ssl) produces very usable debug information in the log file; it is useful together with openssl s_client for debugging this setup. Which web applications require SSL can be set in web.xml like this (note that listing <http-method>GET</http-method> constrains only GET requests; leave the element out to cover every method):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>TestServlet</web-resource-name>
    <description></description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>manager</role-name>
</security-role>
Well, this should be it, but the DN of the certificate has to match an entry in tomcat-users.xml. There are a few issues though: apparently CLIENT-CERT only works with MemoryRealm (again in server.xml), which essentially means that the certificate has to be defined in tomcat-users.xml. The username is the certificate DN (something like CN=bla, OU=bla, C=bla). It works, but:
The username has to be exactly as it appears on the certificate, e.g.

<user username="CN=user123, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU" password="dontcare" roles="manager"/>

Any other variation is likely not to work. Note that the order of the DN components is very important and no fields can be omitted. The spaces after the commas are important as well.
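As an added example (not from the original post), a small Python helper that turns the subject line printed by the legacy one-line 'openssl x509 -noout -subject' output into the exact DN string Tomcat4's MemoryRealm compares against (RDNs in reverse order, joined by ', '), and audits a tomcat-users.xml for entries that would fail for the reasons described above: wrong order, omitted fields, missing spaces. The sample subject and tomcat-users.xml are constructed, and single-valued RDNs with no escaped '/' or ',' are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the certificate subject as the legacy one-line
# 'openssl x509 -noout -subject' output prints it (encoded order, '/'-separated).
OPENSSL_SUBJECT = "subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=user123"

# Constructed tomcat-users.xml: one usable entry and two that look right but fail.
TOMCAT_USERS_XML = """<tomcat-users>
  <user username="CN=user123, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU" password="dontcare" roles="manager"/>
  <user username="C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=user123" password="dontcare" roles="manager"/>
  <user username="CN=user123,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" password="dontcare" roles="manager"/>
</tomcat-users>"""

def openssl_subject_to_tomcat_dn(line: str) -> str:
    """Convert an OpenSSL one-line subject into the string the MemoryRealm
    matches against (Java's cert.getSubjectDN().getName()): RDNs in reverse
    order, joined by ', '. Assumes single-valued RDNs, no escaped '/' or ','."""
    if line.startswith("subject"):
        line = line.split("=", 1)[1]
    rdns = [part for part in line.strip().split("/") if part]
    return ", ".join(reversed(rdns))

def check_tomcat_user(username: str, expected_dn: str) -> list:
    """Explain why a tomcat-users.xml username would not match expected_dn.
    An empty list means the entry is usable exactly as written."""
    if username == expected_dn:
        return []
    got = [rdn.strip() for rdn in username.split(",")]
    want = expected_dn.split(", ")
    problems = []
    if got == want:  # same RDNs in the same order: only the ', ' separators differ
        problems.append("spacing differs: Tomcat expects ', ' between RDNs")
    missing = [rdn for rdn in want if rdn not in got]
    extra = [rdn for rdn in got if rdn not in want]
    if missing:
        problems.append("missing RDNs: " + "; ".join(missing))
    if extra:
        problems.append("unexpected RDNs: " + "; ".join(extra))
    if not missing and not extra and got != want:
        problems.append("RDN order differs: expected " + expected_dn)
    return problems

def audit_tomcat_users(users_xml: str, expected_dn: str) -> dict:
    """Map every <user username=...> in the document to its list of problems."""
    root = ET.fromstring(users_xml)
    return {u.get("username"): check_tomcat_user(u.get("username"), expected_dn)
            for u in root.iter("user")}
```

Run audit_tomcat_users(TOMCAT_USERS_XML, openssl_subject_to_tomcat_dn(OPENSSL_SUBJECT)) to see which of the three sample entries the realm would actually accept.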
MemoryRealm: <Realm className="org.apache.catalina.realm.MemoryRealm" debug="9"/>
For testing purposes:
1. added an SSL connector in /var/lib/tomcat4/conf/server.xml;
2. changed the Realm to MemoryRealm;
3. changed /usr/share/tomcat4/server/webapps/manager/WEB-INF/web.xml to CLIENT-CERT;
4. added the above line to tomcat-users.xml;
5. imported the certificate in Mozilla;
6. started Tomcat pointing to the trusted certs, and.
It works with /manager – VOILA!
June 12th, 2008 at 5:59 pm
Thanks! I needed that.