1 Reply Latest reply on Jun 19, 2002 3:56 PM by Yanik Crépeau

    SSL -  X509CertificateChain - Tomcat - JAAS

    georg Newbie

      This this a "General" Question.

      I plan to use X509Certificates and SSL-Client authentication to authenticate people.

      But I don't want that the client (p.e. tomcat) is responsible for the whole handshake process (as ist is when using tomcat I think).

      I really want that there is the SSLClient that starts the Handshake (SSLClient) and that there is my Server (Jboss-SSLServerSocket) that permits or denies the client(keystore is there and so on) to create a SSL Session.

      Has Anybody done this so far? How can this work with tomcat? How may I make a SSL Connection with tomcat while using the SSL-key/certificatestore on the jboss server?

      Has anybody written such authentification modules? As far as I know Java 1.4 implements a SSL Implementation (JSSE).

      Cheerio

      Georg

        • 1. Re: SSL -  X509CertificateChain - Tomcat - JAAS
          Yanik Crépeau Newbie

          I have checked the source code of Jetty provided as module of jboss-all. I have also checked the Tomcat (3.x) source code.

          According to the Servlet-JSP doc, an authentication-method named CLIENT-CERT could be supported. Other authentifcation-method are BASIC, FORM, DIGEST.

          Unless I have made a big mistake, neither Jetty nor Tomcat (at least version 3.x) supports the CLIENT-CERT authentication method.

          Having such authentication implemented in JBoss implies either a patch to the Jetty/Tomcat code OR something (an EJB, a JavaBean or ...) that would take care of request/response and starts the SSL client-authentication process using the https protocol.

          I have serious doubts if the latter is possible. I assume that server-side SSL authentication that has been done when your servlet/jsp page starts has "closed" the SSL handshake process. I am not sure if there is some way to re-open it, asking to the remote browser, "oh, by the way, would you mind to send me the client certificate?".