stackoom
  简体   繁体   中英

Tomcat as a client. Web application on Tomcat does not use SSL client certificate

 原文  2012-09-13 08:45:02       tomcat/ web-applications/ ssl/ authentication

Question

I have a web application on Apache Tomcat server A. This webapp makes connection to a server B running somewhere else. This server B requires client authentication with SSL certificate.

What I am trying to achieve is, to make this web application on server A to use SSL client certificate to authenticate on server B.

Therefore I have provided some additional JAVA_OPTS for my Tomcat Server A: 

    -Djavax.net.ssl.trustStore=/location/keystore.jks 
    -Djavax.net.ssl.trustStorePassword=changeit 
    -Djavax.net.ssl.keyStore=/locaton/keystore.jks 
    -Djavax.net.ssl.keyStorePassword=changeit 
    -Djavax.net.debug=ssl

Now this keystore.jks contains three certificates:

  • CA certificate
  • Server certificate (PKCS12) This is certificate of server A
  • Client certificate (PKCS12) this is the client certificate I want my webapp to use.

tomcat/logs/catalina.out gives this: 

Client write key:
0000: some hex
Server write key:
0000:some hex
... no IV used for this cipher
*** CertificateVerify
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 134
pool-1-thread-2, WRITE: TLSv1 Change Cipher Spec, length = 1
Finished
verify_data:  { data }

pool-1-thread-2, WRITE: TLSv1 Handshake, length = 32
pool-1-thread-2, READ: TLSv1 Alert, length = 2
pool-1-thread-2, RECV TLSv1 ALERT:  fatal, unsupported_certificate
pool-1-thread-2, called closeSocket()
pool-1-thread-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
pool-1-thread-2, called close()

In order to prove the correctness of this keystore I have written a tiny java application which makes connection to the same server B with the same keystore and it successfully negotiates client certificate.

I have tried to change this client certificate to X509 type, but even then I am getting errors and am not able to communicate.

I thought maybe there is something I am missing? Does somebody have experience with this kind of stuff?

Thank you

1 answers

solution1
 1 ACCPTED  2013-01-28 16:22:13

This looks to be because the client certificate is not enabled for "client authentication" usage. You can verify by opening the certificate and checking under "Details" tab, the "Enhanced Key Usage" field. It should have "Client Authentication" in the field.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Tomcat and SSL Client certificate Configuring SSL client certificate in android app for client authentication in web server on tomcat Tomcat Application to WCF Service with Client Certificate Authentication Tomcat with client certificate and Grails Tomcat + SSL configuration + Client Tomcat does not prompt certificate for web application (OpenAM) Configure Apache tomcat to send SSL certificate to frontend server(act as client) Tomcat Server/Client Self-Signed SSL Certificate TLS client authentication with Nginx and Tomcat web application Tomcat Client Authentication using SSL
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM