1. Re: SSL Client certificate authentication
pcolot Jun 26, 2002 5:45 PM (in response to wdrai)
Hi,
I just used SSL client and server authentication with JBoss 3 / Tomcat 4 / Sun JDK 1.4 / Sun, NT, (previous bundle on 98, XP).
I just configured the embedded Tomcat 4 server by extending the configuration included inside the tomcat4-service.xml (cf attached file). This configuration is extracted from the tomcat4 SSL Howto documentation.
I define a new connector to handle SSL protocol.
This configuration handles https://myServer:8443/MyApp
The server key used is the alias tomcat inside my keystore located in the embedded Catalina configuration (cf attribute keystoreFile and keystorePass). (To manage your keystore cf Sun Keytool documentation). I only used a self-cert key for test purposes.
To activate the SSL client authentication, set clientAuth="true".
To access myServer through SSL, you now have to insert, inside your keystore, the public SSL client certificate allowed to access your server and to register your private key inside the accessing browser.
I tried to apply the same delegation pattern to the tomcat realm configuration part but without success.
If you need an application login logic, you have to integrate JAAS schema. I have not yet tested this part but an example is described in the secure servlet section of http://www.jboss.org/online-manual/HTML/ch11s78.html
I suppose the principal you are going to receive after the SSL handshake is going to be the client alias. To match this against your LDAP server both Tomcat4 (cf tomcat realm reference) and jboss3 (cf jboss custom module reference) contain predefined services.
references :
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
http://www.jboss.org/online-manual/HTML/ch07s17.html
By the way, don't forget to suppress your http standard connector when going in production {;>
I hope this is helping you a little.
Best
PCO
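An added example, not part of the original posts or of the attached file: a short Python check for the two connector settings the reply above calls out, clientAuth="true" on the SSL connector and no plain HTTP connector left enabled in production. The sample XML is constructed in the connector form of the Tomcat 4.0 SSL HOWTO; the keystore path, password and the function name audit_connectors are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the Tomcat 4.0 SSL HOWTO connector form; the attached
# tomcat4-service.xml is not on the page. Keystore path/password are placeholders.
SSL_CONNECTOR = """
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="8443" scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             clientAuth="{client_auth}" protocol="TLS"
             keystoreFile="conf/server.keystore" keystorePass="CHANGE_ME"/>
  </Connector>"""
HTTP_CONNECTOR = """
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="8080"/>"""

# Test setup: plain HTTP still enabled, client certificates not required.
WEAK_CONFIG = ("<Service>" + HTTP_CONNECTOR
               + SSL_CONNECTOR.format(client_auth="false") + "</Service>")
# Production setup from the post: SSL only, clientAuth="true".
HARDENED_CONFIG = ("<Service>" + SSL_CONNECTOR.format(client_auth="true")
                   + "</Service>")


def audit_connectors(xml_text):
    """Return one finding per connector setting that weakens client-cert auth."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("secure") != "true":
            findings.append(f"port {port}: plain HTTP connector still enabled")
            continue
        factory = conn.find("Factory")
        if factory is None:
            findings.append(f"port {port}: secure connector has no SSL <Factory>")
        elif factory.get("clientAuth", "false") != "true":
            findings.append(f'port {port}: clientAuth is not "true"')
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_connectors(cfg) or "no findings")
```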
2. Re: SSL Client certificate authentication
pcolot Jun 26, 2002 5:48 PM (in response to wdrai)
I hope this time the file is going to stay linked
PCO
3. Re: SSL Client certificate authentication
wdrai Jun 29, 2002 9:31 AM (in response to wdrai)
Thanks, I will try this