Mutual authentication on Tomcat 5

Similar Messages

• SSL mutual authentication with Tomcat and IE

  Hi,
  I am trying to set up mutual ssl with Tomcat.
  Everything works fine on the server but I cannot authenticate the client.
  The client is my internet explorer browser. This is what I have tried.
  -Generated an ssl server certificate using keytool.
  -Generated a certificate for the client
  -exported it to a .cer file
  -imported it to a truststore and moved it into the cacerts file
  I have verified this because tomcat lists my client certificate as a trusted
  one at start up.
  After this I installed the .cer file into IE and tried accessing the server.
  Handshake fails: "bad_certificate"
  I have searched all around the net trying to find someone who had done something like this, could not find anything. Can anyone please help me through this setup.
  -thanks

  Oh I find that there is different code base of WLS 7.0.0!!
  - WLS 7.0.0 of Mai 2002 is propagating the principal correctly with SSL
  mutual authentication.
  - WLS 7.0.0 of Juli 2002 is NOT propagating anymore! (the patch is appliable
  to this)
  Obviously BEA published different nightly builds of the same WLS 7.0.0 on
  the web.
  Is this normal?
  Regards
  Alain Hsiung
  "Alain Hsiung" <[email protected]> wrote in message
  news:[email protected]..
  I think that SP1 has a bug: it cannot propagate the principal when SSL
  mutual
  authentication is used. I fixed it with a small patch. Now the principalis
  propagated
  correctly with SSL mutual authentication on WLS 7.0.1 (WLS 7.0.0 isworking
  without patch).
  Alain Hsiung
  "Alain Hsiung" <[email protected]> wrote in message
  news:[email protected]..
  Hi all
  I make SSL mutual authentication work between 2 WLS 7.0 servers.
  As I upgrade to WLS 7.0 SP1 the principal propagation doesn't workanymore:
  the principal on the target WLS is always "anonymous"!
  Is this a bug or is there something new to parametrize?
  Regards
  Alain Hsiung

• Client Code not connecting to WebLogic 8.1 with Mutual Authentication

  I am trying to connect to a WebLogic 8.1 web services application. The weblogic instance has mutual authentication enabled, so the client needs to send a certificate when it does an SSL handshake with the server. I am trying to connect with standalone Java JUnit tests. Both the web services and the JUnit tests are using Apache Axis 1.4.0. I've obtained what I believe to be the appropriate certificates from the weblogic administrator that configured the mutual authentication. There is a certificate for the machine I'm trying to connect to, and two other certificates in the chain (three certificates all together, including the root). I've tried several different methods of putting those three certificates in keystores and trust keystores, reading in those keystores in my java code, and connecting to the web services, and I always end up with the same error in the WebLogic server logs. "Certificate chain receved from <ip address> was incomplete."
  Here is an example of my code:
  I initialize like so:
       Properties tempProperties = // (here is where I obtain my properties from a properties file... code removed for security reasons)
       System.setProperty("javax.net.ssl.trustStore", tempProperties.getProperty("trust.keystore.file"));
       System.setProperty("javax.net.ssl.trustStorePassword", tempProperties.getProperty("trust.keystore.password"));
       System.setProperty("javax.net.ssl.trustStoreType", "jks");
       System.setProperty("javax.net.ssl.keyStore", tempProperties.getProperty("keystore.file"));
       System.setProperty("javax.net.ssl.keyStorePassword", tempProperties.getProperty("keystore.password"));                         System.setProperty("javax.net.ssl.keyStoreType", "jks");
       System.setProperty ( "java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol" );
       Security.addProvider ( new com.sun.net.ssl.internal.ssl.Provider ( ) );
  I bind to the appropriate port and locate the service, etc. using auto-generated methods descendant from Apache Axis. No matter what I try, I get the same results. The client says: main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  The server log says: Certificate chain received from <ip address> was incomplete.
  I've even tried implementing a custom SSL handler as described here http://alweb.homeip.net/dw0rm/dblog/?p=38, and I can verify by stepping into my code that everything gets initialized and set up correctly, and that all three certificates in the chain that I need are obtained from my keystore, but I still get the same error on the client and the server. I've enabled ssl handshake debugging on my client and I can see the whole certificate chain being output to the debug console.
  Any idea what I might be doing wrong?

  My guess would be that the server is not able to validate your certificate. Make sure that the CA for your certificate is trusted by WLS.
  I always like to debug something like this by add -Djavax.net.debug=ssl to both the client and server. It should give you a complete picture of what is going on.
  Edited by: joshbregmanoracle on May 20, 2009 8:49 PM

• Has anyone got Client (Mutual) Authentication to work with 6.0 SP2?

  I 've been unsuccessful and was just wondering if anyone has done it...
  Kirk

  The questions is "Where do you get a root ca file for a verisign trial client cert?" I've looked everywere on verisign's site without luck. BEA support emailed me one but can't remember where/how they
  got it....
  Kirk
  Paul Ferwerda wrote:
  I think that the Server Certificate Chain File Name contains a sequential list of certificates, the first of which was used to sign the cert in the "Server Certificate File Name" and the last is self-
  signed (ie a root ca). There is a minimum of 1 cert required in the Server Certificate Chain File Name (which would be the self-signed cert that signed the cert in the Server Certificate File
  Name file. As you walk through the certs in the Server Certificate Chain File Name each cert is expected to be signed by the following cert (if there is one) and the last one must be self-
  signed.
  The Trusted CA file on the other hand is a collection of self-signed CAs on which no validation is performed and no relationship is assumed between the certs in that file. My guess is that
  the code expects that each cert in the Trusted CA list is self-signed.
  So the Server Certificate Chain File Name contains a chain and the Trusted CA File Name contains unordered self-signed certs.
  Paul F.
  On Thu, 2 Aug 2001 18:52:38 +0200, "Bart Jenkins" <[email protected]> wrote:
  Kirk,
  The PEM file we grabbed from the Verisign site worked in the "Server
  Certificate Chain file name" entry but NOT in the "Trusted CA File Name"
  entry. The guy at support in BEA thought it should have worked for both.
  I'm sure I could append the "Trusted CA chain" to the PEM file that I'm
  using for "Server Certificate Chain File name" and then I could use one file
  for both...
  Could you post yours or send it me via Email so I can have a backup? I'd be
  curious to compare your rootCA list with mine. I'll use whichever has the
  most entries. If my list has more rootCA certs in it I'll pass it along.
  ok?
  'preciate it.
  Bart Jenkins
  [email protected]
  "Kirk Everett" <[email protected]> wrote in message
  news:[email protected]...
  So if the one you got off verisign didn't work, where did you get the onethat
  worked? The one BEA sent me works for mutual auth.
  Kirk
  Bart Jenkins wrote:
  Kirk,
  My security expert found it buried deep in the Verisign site. Have
  you
  successfully tested the Mutual Authentication? The root CA we found onthe
  Verisign Site allowed us to connect via HTTPS but failed on the 2-way
  authentication.....test it...
  I actually mailed the .PEM file we found from Verisign to BEA support
  because I also had an issue open on this with them...it would be funnyif
  they then turned around and mailed it to you...
  If you get stopped...give me a shout...
  good luck
  Bart Jenkins
  Globeflow SA
  [email protected]
  "Kirk Everett" <[email protected]> wrote in message
  news:[email protected]...
  Thanks. I finally got it working yesterday. Apparently, I was not
  using
  the
  correct root ca. Support
  mailed me the root ca they were using and everything works fine now.The
  problem is that I still
  don't know where on Verisign's site to go to get the root ca. Where
  did
  you
  get yours from?
  Kirk
  Bart Jenkins wrote:
  Kirk,
  I've finally got it working today. I've got a Class 3 Verisign
  certificate on the WLS 6 server and a personal Verisign Class 1 cert
  on
  the
  client browser (IE 5.5) and am able to connect via HTTPS in 2-way,mutual
  authentication. Tell me where you are blocked and I'll try to help.
  Bart Jenkins, CTO
  Globeflow SA
  [email protected]
  "Kirk Everett" <[email protected]> wrote in message
  news:[email protected]...
  I 've been unsuccessful and was just wondering if anyone has done
  it...
  Kirk

• Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

  In iPlanet Web Server, Enterprise Edition Administration's guide, chapter 5: secure your web server - Using SSL and TLS protocol specifying that the Administrator server camn communicate LDAP over SSL with some Directory enable SSL.
  Is there any way to configure iplanet Administration server to talk ldap/ssl in mutual authentication mode with some directory?

  Hi,
  Sorry, I could not understand what your are trying to do with iWS.
  Could you please berifly explain your question. So that I can help you.
  Regards,
  Dakshin.
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support.

• HTTPService SSL mutual authentication

  I can use HTTPService to access a secure web server via.
  HTTPS. The SSL is configured to do a mutual authentication: both
  server and client needs to send their certificate to each other.
  Where should I put client certificate so that HTTPService can fint
  it?
  Is Flex3 using browser's certificate management system? or
  has its own?

  Oh I find that there is different code base of WLS 7.0.0!!
  - WLS 7.0.0 of Mai 2002 is propagating the principal correctly with SSL
  mutual authentication.
  - WLS 7.0.0 of Juli 2002 is NOT propagating anymore! (the patch is appliable
  to this)
  Obviously BEA published different nightly builds of the same WLS 7.0.0 on
  the web.
  Is this normal?
  Regards
  Alain Hsiung
  "Alain Hsiung" <[email protected]> wrote in message
  news:[email protected]..
  I think that SP1 has a bug: it cannot propagate the principal when SSL
  mutual
  authentication is used. I fixed it with a small patch. Now the principalis
  propagated
  correctly with SSL mutual authentication on WLS 7.0.1 (WLS 7.0.0 isworking
  without patch).
  Alain Hsiung
  "Alain Hsiung" <[email protected]> wrote in message
  news:[email protected]..
  Hi all
  I make SSL mutual authentication work between 2 WLS 7.0 servers.
  As I upgrade to WLS 7.0 SP1 the principal propagation doesn't workanymore:
  the principal on the target WLS is always "anonymous"!
  Is this a bug or is there something new to parametrize?
  Regards
  Alain Hsiung

• TLS mutual authentication and Separate default SMTP routes per listener - IronPort c370

  Dear all ,
  We have two IronPort C370 ESAs , formed in a cluster.
  We are in a need to route e-mails targeted to a special group using TLS Required/Verify.
  I have two questions :
  1.  Is TLS mutual authentication possible on both incoming and outgoing ?
  2.  Due to the nature of the TLS need the existing listener cannot be used. So I created a new listener and respective filters to decide when the recipient requirements are met. The new listener is going to be configured with a policy specifying TLS required/verify. Problem is that  there is always a default SMTP route pointing specifically to a cloud service rather than directly to the Internet while for the new listener usedns is required. Is it possible to have two different default SMTP routes assigned to different listeners ?
  Thanks and kind regards ,
  Gino.
  PS : Please bear with me and questions. I am making my first steps in Iron Port administration.

  I have made some sort of progress but I would also like to have your expert opinions.
  I have came to understand that in order to present TLS mutual authentication for the incoming traffic I will just have to trust the sender(s) CA ( containing SANs etc for both the SMTP domain and the ESA itself ) while if I spread own SANs to the counterparts I will also have TLS mutual authentication on the outgoing traffic as well. Issue is that I will have to declare it in destination controls and it cannot be generic.
  Is there any way to make TLS required/verify with mutual authentication the default without having to set destination contol(s) ?
  As for my second question I have came to understand that the additional listener is not an aditional MTA and concequently I cannot have separate default SMTP route ( default = what is called as "ALL" in IronPort ). Still if anyone knows something more it would be really helpful if it was shared.

• Mutual Authentication - J2ME

  Hi there,
  I've been looking into J2ME quite a bit over the past few months. I'm looking to build a secure connection for a prototype and wanted to use SSL. I know MIDP 2.0 supports this (even though on some devices it may be buggy)
  Could anyone tell me if it's possible to mutually authenticate on a J2ME application. Are there API's? available?
  I've been looking around online and haven't been able to find any J2ME examples or documentation that suggested it was possible - I'm struggling to see why it wouldnt be supported though.
  Any information welcome!
  Many thanks
  Chris

  "Thomas Christen" <[email protected]> wrote in message
  news:[email protected]..
  Hi,
  Im trying to setup mutual authentication in an environment with 'Entrust'as
  security provider.
  I found several examples how to use JSSE (and indirectly how to use
  JSSE-Implementation form Entrust) for outgoing SSL connections as well as
  for WebServices - but I have a simple Java client whitch needs to connectto
  the App-Server (using EJB's) and usually does this with
  Environment.getIntialContext(); I have found also an example how to setup
  the Credentials (in this a case a Certificate) but the example (from BEA)
  requires a PEM-File- but I havn't a PEM-File and I have no access to the
  users private key. All I can do (and allowed to do) is using the
  SSL-Implementation from Entrust (whitch will have access to all thosekeys).
  >
  So how do I tell the Environment to use my specific JSSE implementation ?
  I don't believe there is any way to replace the JSSE implementation with
  a WLS t3 client. You may be able to do something with an iiop thin client
  with WLS 8.1 as it uses sun jsse and it might be replaceable.

• Mutual Authentication client for Web Service

  Hi,
  How I can tell java to use this particular client certificate in mutual authentication.
  I have two certificates
  1) cacert.pem and
  2) client.pem (includes private key),
  client.pem is signed by cacert.pem and also contains the private key. I have the wsdl file for the webservice that I have to call and I can generate java wrappers of it using wsdl2java.
  Infact I just called web services that used Server-Only SSL/TLS authentication, in that case I just had to add root/CA certificate (in cer format) in the JREs cacerts file and used https for the webservice url, and all worked file
  Now I can't understand what to do for mutual authentication.
  Thanks in advance.
  Sohaib

  Hi,
  How I can tell java to use this particular client certificate in mutual authentication.
  I have two certificates
  1) cacert.pem and
  2) client.pem (includes private key),
  client.pem is signed by cacert.pem and also contains the private key. I have the wsdl file for the webservice that I have to call and I can generate java wrappers of it using wsdl2java.
  Infact I just called web services that used Server-Only SSL/TLS authentication, in that case I just had to add root/CA certificate (in cer format) in the JREs cacerts file and used https for the webservice url, and all worked file
  Now I can't understand what to do for mutual authentication.
  Thanks in advance.
  Sohaib

• User Name- and Password-Based Mutual Authentication

  Hi,
  The J2EE 1.4 Tutorial Update 1 shows an example of Client-Certificate Authentication over HTTP/SSL with JAX-RPC, but no User Name- and Password-Based Mutual Authentication example.
  Does this work the same? Does the client need a certificate for User Name- and Password-Based Mutual Authentication?
  I created my own self-signed certificate and imported it using the keytool. When I use my client to connect to my JAX-RPC web service, I get the following error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found.
  It seems that no trusted certificate is found... on the client side?! How do I specify the client certificate at the client side? I created a client certificate and added it to the keystore in the application server...
  If somebody should have an example of User Name- and Password-Based Mutual Authentication, I'd really apreciate it.
  Thanks, d3m0.

  Hi,
  I've almost the same problem.In an application based on Java Web Start, i try to attack a web service through HTTPS. Before the call of the web services, the client have discussed with the server through HTTPS, so the user have already accept the certificate (i use self-signed certificate too), i get the same exception.
  At the begining i've used classes from axis. I've found that axis doesn't want to support non trusted certificate. Some workaround were that the client access the private key of the server ... not really secure. So i've tried to use the JAX-RPC classes, always the exception.
  For the moment , we don't want to use trusted certificate and don't want to install on each user workstation the server certificate. I continue to investigate, if someone have some solution ? What i don't understand is why i've this exception altough i'm in a secure environment (JWS + user accepts the untrusted certificate).
  Sorry, i've never work on User Name- and Password-Based Mutual Authentication, but i think your exception come because of self-signed certificate.
  Regard,
  Pierre.

• Form Based Authentication in Tomcat, getting login and password

  Sorry for my English.
  How I can guess login and password strings of an user, from error page (JSP)using "Form Based Authentication of Tomcat"?
  I need know it to lock the count each 3 error tries (if login is ok but
  password is bad, insteed).
  Methods 'getRemoteUser', 'isUserInRole' and 'getUserPrincipal' of
  HttpServletRequest interface have this result: If no user has been
  authenticated, returns null, false and null respectly. For this reason, they aren't utils for me.
  If I don�t know login what user writed, I can't lock his/her count.
  Exist solution for this? Thanks

  hi i am also facing the same problem. could u please tell me how u overcame the situation ?
  u will reallly pull me out of my troubles
  thanx in advance
  [email protected]

• Form Based Authentication on Tomcat with custom index.jsp page...

  Hi there ppl,
  I've got Form Based Authentication working correctly on my Tomcat server but I want to override the default generated index.jsp after successfully logging on. I've tried placing my own index.jsp in the directory that's restricted, but its only overridden by the default one when successfully logged on which displays:
  "Authentication Mechanism FORM"
  This means having to navigate by typing the url in the address bar to another page which is gets really annoying afterawhile.
  Any help on this would be much appreciated,
  thanks already

  Yes there's a default generated index.jsp page that I'm having trouble overriding with one of my own. Have you used Form Based Authentication before? To do so you have edit the WEB-INF/web.xml file by adding:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Secure Area</web-resource-name>
  <url-pattern>/test/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>admin</role-name>
  </auth-constraint>      
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/test/secure/loginpage.jsp</form-login-page>
  <form-error-page>/test/secure/errorpage.jsp</form-error-page>
  </form-login-config>
  </login-config>
  When you attempt to first go to any page in my /test/secure/ directory you get redirected to the /test/secure/loginpage.jsp where you have to login as a tomcat user, when succesfully logged on you get redirected to an index.jsp page which is NOT the one I created in test/secure/index.jsp. Even when I type in the url to go to my own test/secure/index.jsp I still don't get my own one that exists there, but instead get the default one that's generated that displays:
  "Authentication Mechanism FORM".
  Hope that makes more sense.
  I've tried restarting tomcat but it makes no difference.

• Mutual authentication for Web services in BPEL

  Hi Guys,
  We have to call a few web services in bpel and our partners would want us to mutually authenticate the data that is exchanged.
  So that mean they provide us with a certificate file and we provide them with a certificate file.
  We have been using client certificates in our cacerts file and encrypting the request we send using that but we are not too sure how to set up a key in bpel so that we can decrypt the responses of the webservices.
  Does anybody have any idea how to do it. It would be a great help.
  Cheers
  Sandeep

  I would suggets to read the online tutorial:
  http://www.oracle.com/technology/products/ias/bpel/index.html
  and try one of the tutorials:
  2-Minute Product Tour
  BPEL: Learn by Example (PDF)
  Quick Start Tutorial - JDeveloper 10g (PDF)
  Quick Start Tutorial - Eclipse (PDF)

• Mutual authentication & null cert chain exception

  Hi,
  I am conteniously recieving "null cert chain" error. When my ssl enabled client mutually authenticate with ssl enabled server. The server refuse to accept client whose certificate is saved as a 'trustedCertEntry' in server's key store. The server throws "null cert chain" exception.
  When I run the same client/server by setting setClientAuthentication(false) then both works very well.
  The process I had followed is as follows:
  - Create a key store for client
  - Create a key store for server
  - Create a key for client
  - Create a key for server
  - Export client key
  - Export server key
  - Import key of server as 'trustedcacert' in client
  - Import key of client as 'trustedcacert' in server
  - Run Client & Server
  Any ideas whats wrong in it ???
  Thanx in advance,
  Humayun.

  Hi,
  I am conteniously recieving "null cert chain" error. When my ssl enabled client mutually authenticate with ssl enabled server. The server refuse to accept client whose certificate is saved as a 'trustedCertEntry' in server's key store. The server throws "null cert chain" exception.
  When I run the same client/server by setting setClientAuthentication(false) then both works very well.
  The process I had followed is as follows:
  - Create a key store for client
  - Create a key store for server
  - Create a key for client
  - Create a key for server
  - Export client key
  - Export server key
  - Import key of server as 'trustedcacert' in client
  - Import key of client as 'trustedcacert' in server
  - Run Client & Server
  Any ideas whats wrong in it ???
  Thanx in advance,
  Humayun.

• Mutual authentication

  Hi,
  I wrote a little web service with weblogic workshop and a standalone client application
  that exchanges information with that web-service, using the jar that weblogic
  workshop generates, and webserviceclient.jar .
  Now I have to secure the communication between the two of them by implementing
  two-way authentication with certificates. (SSL)
  Does any body have a simple example of how to do that with workshop?.
  There are plenty of examples of how to do that with a completely self-written
  web-service and a completely self-written client-application, but that's not what
  I'm looking for.
  Thanks,
  Noella

  Hi,
  I wrote a little web service with weblogic workshop and a standalone client application
  that exchanges information with that web-service, using the jar that weblogic
  workshop generates, and webserviceclient.jar .
  Now I have to secure the communication between the two of them by implementing
  two-way authentication with certificates. (SSL)
  Does any body have a simple example of how to do that with workshop?.
  There are plenty of examples of how to do that with a completely self-written
  web-service and a completely self-written client-application, but that's not what
  I'm looking for.
  Thanks,
  Noella