
Tomcat does not prompt certificate for web application (OpenAM)

I have been troubleshooting my set up of OpenAM for a while, and still could not make it work as wanted. I wanted OpenAM to be able to do OCSP validation of the authenticating user through my own copy of EJBCA. Therefore, I need tomcat to prompt for the user certificate and pass it to OpenAM. Visiting OpenAM over HTTPS is fine, and the user can log in using a password (root realm in OpenAM). However, tomcat does not prompt for the user certificate when visiting the realm designed for certificate login (a sub-realm in OpenAM which requires a certificate). Does anyone have any thoughts on it? Here is a fragment of the server.xml of my Tomcat configuration related to SSL:

    <!-- Plain HTTP connector; requests for resources whose security
         constraint requires SSL are redirected to redirectPort -->
    <Connector port="8181" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8445" />
    <!-- HTTPS connector. keystoreFile holds the server certificate;
         truststoreFile decides which client CAs Tomcat advertises in its
         CertificateRequest; clientAuth="want" asks the client for a
         certificate but still completes the handshake if none is sent -->
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/opt/sso/apache-tomcat-7.0.52/conf/keystore"
               keystorePass="password"
               truststoreFile="/opt/sso/apache-tomcat-7.0.52/conf/keystore"
               truststorePass="password"
               clientAuth="want" sslProtocol="TLS" />

There is no change to the web.xml file in my case. Thanks.

Here is the output of `openssl s_client -connect FQDN:8445`, per Bernhard's suggestion:

CONNECTED(00000003)
depth=1 CN = leopardrootCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=ncw01271123114/OU=ouname/O=O-name/L=j/ST=a/C=us
   i:/CN=leopardrootCA
 1 s:/CN=leopardrootCA
   i:/CN=leopardrootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlzCCAwC--too_long_too_show
-----END CERTIFICATE-----
subject=/CN=ncw01271123114/OU=ouname/O=O-name/L=j/ST=a/C=us
issuer=/CN=leopardrootCA
---
Acceptable client certificate CA names
/CN=leopardrootCA
/CN=ncw0127114/OU=ouname/O=O-name/L=j/ST=a/C=us
---
SSL handshake has read 2097 bytes and written 403 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-DSS-AES256-SHA
    Session-ID: 53309AA15C218F41330C077476A3BDAE352CAFD84A503A281EA09AE884BA73D9
    Session-ID-ctx: 
    Master-Key: EF5016A9D8236A704313720FC2E1A1B9FAC47A744F6A9B53E80BBEF8D1141476E050A71F3C50498ABEE1F790A2D76891
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1395694241
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

As you can see from the following handshake message

Acceptable client certificate CA names
/CN=leopardrootCA
/CN=ncw0127114/OU=ouname/O=O-name/L=j/ST=a/C=us

Tomcat is asking for client certificates and only accepts certificates which are issued by one of those certificate authorities.

Seems the problem is related to the extended key usage of the client certificate. It is worth a try if someone has the same situation as me. Thanks to all who helped.

Copied from my comment:

  • I have found the problem. When I defined the client certificate profile in EJBCA I did not choose a specific extended key usage. I fixed it by choosing client authentication, SSH Client and MS smart card logon. I do not know which one takes effect, but certainly one of them.
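The two findings in this thread (Tomcat only accepts certificates issued by one of the advertised "Acceptable client certificate CA names", and the client certificate's extended key usage decides whether it is usable for client authentication) can be checked offline with the openssl CLI before touching Tomcat or EJBCA. The script below is an added example, not code from the thread or from Tomcat, OpenAM or EJBCA: it builds a throwaway CA named leopardrootCA (a constructed name borrowed from the s_client output above) plus three client certificates, one with a clientAuth EKU, one with only serverAuth, and one with no EKU at all, and runs each through the issuer check and `openssl verify -purpose sslclient`. Every file name, DN and helper function in it is an assumption of this example; it needs only a working `openssl` binary.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat/OpenAM/EJBCA.
# Constructs a throwaway CA and three client certs, then checks each cert the
# way a TLS server does before accepting it for client authentication:
#   1. is the issuer one of the advertised "acceptable client certificate CA names"?
#   2. does openssl consider it usable for the sslclient purpose
#      (EKU absent, or EKU includes clientAuth)?
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf;
# the CA gets explicit CA extensions so "openssl verify" treats it as a root.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed root CA (name borrowed from the s_client output in the thread).
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=leopardrootCA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# CA names as a CertificateRequest would advertise them (constructed list),
# one per line, in RFC 2253 form so they compare exactly with "x509 -issuer".
ACCEPTABLE_CAS="CN=leopardrootCA"

# make_client NAME EKU: issue a client cert signed by the CA. An empty EKU
# means no extendedKeyUsage extension at all (the asker's starting point).
make_client() {
  name=$1; eku=$2
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -n "$eku" ]; then
    printf 'extendedKeyUsage=%s\n' "$eku" >"$WORK/$name.ext"
    set -- -extfile "$WORK/$name.ext"
  else
    set --
  fi
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$name.pem" "$@" 2>/dev/null
}

# issuer_of CERT: print the issuer DN in RFC 2253 form.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# eku_of CERT: print the extendedKeyUsage values, or "(none)" if absent.
eku_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//' | grep . \
    || echo "(none)"
}

# issuer_acceptable CERT: 0 if the issuer DN is one of ACCEPTABLE_CAS.
issuer_acceptable() {
  printf '%s\n' "$ACCEPTABLE_CAS" | grep -qxF -- "$(issuer_of "$1")"
}

# check_client CERT: 0 if the cert chains to the CA and passes the sslclient
# purpose check (an EKU that lacks clientAuth is rejected, as a server would).
check_client() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

make_client clientauth "clientAuth"
make_client serveronly "serverAuth"
make_client noeku ""

for c in clientauth serveronly noeku; do
  if issuer_acceptable "$WORK/$c.pem" && check_client "$WORK/$c.pem"; then
    verdict=accepted
  else
    verdict=rejected
  fi
  printf '%-11s issuer=%-16s EKU=%-32s -> %s\n' "$c" \
    "$(issuer_of "$WORK/$c.pem")" "$(eku_of "$WORK/$c.pem")" "$verdict"
done
```

Running it prints one verdict per certificate: the clientAuth certificate is accepted, the serverAuth-only one is rejected with openssl's "unsupported certificate purpose", and the certificate with no EKU is accepted, because openssl (following RFC 5280) treats an absent extendedKeyUsage as unrestricted. The thread shows that the asker's browser and OpenAM stack nevertheless needed an explicit clientAuth value, so when a certificate prompt never appears it pays to inspect both things this script checks: whether the issuer matches one of the names Tomcat advertises (which come from its truststore) and what the certificate's EKU actually says. The same `openssl verify -purpose sslclient` call, pointed at the real client certificate and Tomcat's trust anchors, is the offline equivalent of the handshake-time check.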

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license. If you need to reproduce them, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM