堆栈内存溢出
  简体   繁体   English

Tomcat作为客户端。 Tomcat上的Web应用程序不使用SSL客户端证书

[英]Tomcat as a client. Web application on Tomcat does not use SSL client certificate

 原文  2012-09-13 08:45:02       tomcat/ web-applications/ ssl/ authentication

问题描述

I have a web application on Apache Tomcat server A. This webapp makes connection to a server B running somewhere else. 我在Apache Tomcat服务器A上有一个Web应用程序。此Webapp可以连接到在其他地方运行的服务器B。 This server B requires client authentication with SSL certificate. 该服务器B需要使用SSL证书的客户端身份验证。

What I am trying to achieve is, to make this web application on server A to use SSL client certificate to authenticate on server B. 我要实现的目标是,使服务器A上的此Web应用程序使用SSL客户端证书在服务器B上进行身份验证。

Therefore I have provided some additional JAVA_OPTS for my Tomcat Server A: 因此,我为Tomcat服务器A提供了一些附加的JAVA_OPTS: 

    -Djavax.net.ssl.trustStore=/location/keystore.jks 
    -Djavax.net.ssl.trustStorePassword=changeit 
    -Djavax.net.ssl.keyStore=/locaton/keystore.jks 
    -Djavax.net.ssl.keyStorePassword=changeit 
    -Djavax.net.debug=ssl

Now this keystore.jks contains three certificates: 现在,此keystore.jks包含三个证书:

  • CA certificate CA证书
  • Server certificate (PKCS12) This is certificate of server A 服务器证书(PKCS12)这是服务器A的证书
  • Client certificate (PKCS12) this is the client certificate I want my webapp to use. 客户端证书(PKCS12)这是我希望Web应用程序使用的客户端证书。

tomcat/logs/catalina.out gives this: tomcat / logs / catalina.out给出以下内容: 

Client write key:
0000: some hex
Server write key:
0000:some hex
... no IV used for this cipher
*** CertificateVerify
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 134
pool-1-thread-2, WRITE: TLSv1 Change Cipher Spec, length = 1
Finished
verify_data:  { data }

pool-1-thread-2, WRITE: TLSv1 Handshake, length = 32
pool-1-thread-2, READ: TLSv1 Alert, length = 2
pool-1-thread-2, RECV TLSv1 ALERT:  fatal, unsupported_certificate
pool-1-thread-2, called closeSocket()
pool-1-thread-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
pool-1-thread-2, called close()

In order to prove the correctness of this keystore I have written a tiny java application which makes connection to the same server B with the same keystore and it successfully negotiates client certificate. 为了证明此密钥库的正确性,我编写了一个微型Java应用程序,该应用程序使用相同的密钥库连接到同一服务器B,并成功协商了客户端证书。

I have tried to change this client certificate to X509 type, but even then I am getting errors and am not able to communicate. 我试图将此客户端证书更改为X509类型,但是即使那样,我仍然遇到错误并且无法通信。

I thought maybe there is something I am missing? 我以为也许我缺少什么? Does somebody have experience with this kind of stuff? 有人对这种东西有经验吗?

Thank you 谢谢

1 个解决方案

解决方案1
 1 已采纳  2013-01-28 16:22:13

This looks to be because the client certificate is not enabled for "client authentication" usage. 这似乎是因为未启用客户端证书的“客户端身份验证”用法。 You can verify by opening the certificate and checking under "Details" tab, the "Enhanced Key Usage" field. 您可以通过打开证书并在“详细信息”选项卡下的“增强的密钥用法”字段中进行检查来进行验证。 It should have "Client Authentication" in the field. 它应该在字段中具有“客户端身份验证”。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Tomcat 和 SSL 客户端证书 - Tomcat and SSL Client certificate 在android应用中配置SSL客户端证书以在Tomcat上的Web服务器中进行客户端身份验证 - Configuring SSL client certificate in android app for client authentication in web server on tomcat Tomcat应用程序到具有客户端证书身份验证的WCF服务 - Tomcat Application to WCF Service with Client Certificate Authentication 带有客户端证书和Grails的Tomcat - Tomcat with client certificate and Grails Tomcat + SSL配置+客户端 - Tomcat + SSL configuration + Client Tomcat不会提示Web应用程序(OpenAM)的证书 - Tomcat does not prompt certificate for web application (OpenAM) 配置Apache tomcat将SSL证书发送到前端服务器(充当客户端) - Configure Apache tomcat to send SSL certificate to frontend server(act as client) Tomcat服务器/客户端自签名SSL证书 - Tomcat Server/Client Self-Signed SSL Certificate 使用Nginx和Tomcat Web应用程序进行TLS客户端身份验证 - TLS client authentication with Nginx and Tomcat web application 使用 SSL 的 Tomcat 客户端身份验证 - Tomcat Client Authentication using SSL
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM