Tomcat does not prompt for a certificate for the web application (OpenAM)
I have been troubleshooting my setup of OpenAM for a while and still could not make it work as wanted. I wanted OpenAM to be able to do OCSP validation of the authenticating user through my own copy of EJBCA. Therefore, I need Tomcat to prompt for the user certificate and pass it to OpenAM.

Visiting OpenAM over HTTPS is fine, and the user can log in using a password (root realm in OpenAM). However, Tomcat does not prompt for a user certificate when visiting the realm designed for certificate login (a sub-realm in OpenAM which requires a certificate). Does anyone have any thoughts on it?

Here is a fragment of server.xml from my Tomcat configuration related to SSL:
<Connector port="8181" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8445" />
<Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/opt/sso/apache-tomcat-7.0.52/conf/keystore"
           keystorePass="password"
           truststoreFile="/opt/sso/apache-tomcat-7.0.52/conf/keystore"
           truststorePass="password"
           clientAuth="want" sslProtocol="TLS" />
There is no change to the web.xml file in my case. Thanks.
Here is the output of openssl s_client -connect FQDN:8445 per Bernhard's suggestion:
CONNECTED(00000003)
depth=1 CN = leopardrootCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=ncw01271123114/OU=ouname/O=O-name/L=j/ST=a/C=us
i:/CN=leopardrootCA
1 s:/CN=leopardrootCA
i:/CN=leopardrootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlzCCAwC--too_long_too_show
-----END CERTIFICATE-----
subject=/CN=ncw01271123114/OU=ouname/O=O-name/L=j/ST=a/C=us
issuer=/CN=leopardrootCA
---
Acceptable client certificate CA names
/CN=leopardrootCA
/CN=ncw0127114/OU=ouname/O=O-name/L=j/ST=a/C=us
---
SSL handshake has read 2097 bytes and written 403 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-DSS-AES256-SHA
Session-ID: 53309AA15C218F41330C077476A3BDAE352CAFD84A503A281EA09AE884BA73D9
Session-ID-ctx:
Master-Key: EF5016A9D8236A704313720FC2E1A1B9FAC47A744F6A9B53E80BBEF8D1141476E050A71F3C50498ABEE1F790A2D76891
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1395694241
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
As you can see from the following handshake message:
Acceptable client certificate CA names
/CN=leopardrootCA
/CN=ncw0127114/OU=ouname/O=O-name/L=j/ST=a/C=us
Tomcat is asking for client certificates and only accepts certificates which are issued by one of those certificate authorities.
Copied from my comment:

It seems the problem is related to the extended key usage of the client certificate. It is worth a try if someone has the same situation as me. Thanks to all who helped.
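An added diagnostic script, not code from either answer above, that checks the two conditions this thread ends up pointing at: that the client certificate chains to a CA Tomcat lists under "Acceptable client certificate CA names" (its truststore), and that its Extended Key Usage permits TLS client authentication. The CA name, file paths and demo certificates it builds are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic (not part of the original post). Checks that a client
# certificate chains to the CA bundle Tomcat trusts and that its Extended
# Key Usage allows client authentication; a cert failing either check is
# one the browser will not offer or Tomcat will not accept.
# All names and paths below are constructed for the demo.

# Returns 0 if the certificate has no EKU extension or an EKU that includes
# clientAuth; 1 if an EKU is present but excludes clientAuth.
has_client_auth_eku() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
    return 0  # no EKU at all: usable for any purpose, including clientAuth
  fi
  printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
    grep -q 'TLS Web Client Authentication'
}

# Returns 0 if the certificate verifies against the CA bundle ($2).
chains_to_truststore() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Combined check: succeeds only when both conditions hold.
client_cert_ok() {
  chains_to_truststore "$1" "$2" && has_client_auth_eku "$1"
}

# Constructed demo material: a throw-away CA (named after the one in the
# thread) and two client certs, one with clientAuth EKU and one serverAuth only.
make_demo_certs() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=leopardrootCA \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for name in good bad; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name-user" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  done
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/good.ext"
  printf 'extendedKeyUsage=serverAuth\n' > "$dir/bad.ext"
  for name in good bad; do
    openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
      -out "$dir/$name.crt" 2>/dev/null
  done
}
```

Run `client_cert_ok user.crt truststore.pem` against the PEM export of the certificate the browser holds and the CA bundle behind Tomcat's truststoreFile; a non-zero exit tells you which of the two conditions is the one to fix.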