Hi, I have configured SSL in Tomcat 5.5; the server.xml entry is as below.

<Connector port="6922" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   keystoreFile="/home/mrsx/cert/keystore.keystore"
   keystorePass="XXXX"
   truststoreFile="/home/mrsx/cert/keystore.keystore"
   truststorePass="XXXXX" clientAuth="true" sslProtocol="TLS" />

When the client tries to access the application, the application throws an exception because the "javax.servlet.request.X509Certificate" parameter in the request is NULL.

I have created a keystore and imported the CA certs into the keystore. Can anyone please tell me why I am getting NULL certificates? I have not imported any client certificates into the keystore.

  • Are you actually trying to set up client authentication? If so, I would assume the client isn't passing a certificate or is passing a null certificate. – Krrose27 Jun 02 '12 at 18:35
  • Yes. The application checks and validates the certificate from the request parameter. I wanted to know if there is any configuration I am missing here. From localhost I am also getting the same exception. I am just calling the URL from a client program. – Nagesh Hello Jun 02 '12 at 19:26

Based on what you have given above, the

    SSLEnabled="true"

statement is missing.

If that does not help, try adding ssl debugging on the client side and you should be able to obtain some more details.

souser
  • I got one solution; can anyone please confirm this? I have to export the cert from the server keystore and import it into the client keystore, and the same way for the client: export the client cert from the client keystore and import it into the server keystore, then restart the server. The last step is to mention the keystore and truststore in the client program. – Nagesh Hello Jun 04 '12 at 06:05
  • Did you not mention that you had already performed those tasks? If the keys are self-signed, you will definitely have to import them into your keystores. – souser Jun 04 '12 at 06:08
  • I had not done these steps before, so I didn't mention that. I have certificates signed by a CA (Comodo); I got 3 certs (root, intermediate and the other one) and imported those into the keystore. When the client tries to access the service, the application throws an exception (because the X509Certificate parameter is null), so I tried the export and import steps. – Nagesh Hello Jun 04 '12 at 06:47
  • In the question I mentioned that I imported the CA-signed certs into the keystore. In the above comment I was talking about creating a client keystore, exporting the cert from that and importing it into the server truststore. – Nagesh Hello Jun 04 '12 at 06:53
  • If your certs are signed by a common CA, you need to ensure: 1. The CA certs (root + intermediate) are in the truststore (both server + client). 2. If you plan to access it over a browser, the browser needs to have these certs imported too. 3. The signed certs are imported into the keystore (one for the server and one for the client). – souser Jun 04 '12 at 06:53
  • OK, so if we install the Comodo certs on both client and server, are the steps below not required? 1. Export the client's public certificate and import it into the server's keystore. 2. Export the server's public certificate and import it into the client's keystore. – Nagesh Hello Jun 04 '12 at 07:40
  • OK, we are getting the exception below: com.xerox.xcs.common.postxml.IllegalAccessException: Client certificate required for access to this service! None was given! So what may be the problem? Is there any link which provides me the complete flow? Am I missing something here? – Nagesh Hello Jun 05 '12 at 05:50
  • Please list out the contents of your keystore and truststore. – souser Jun 05 '12 at 07:29
  • Please find the list from the keystore:
    inter, Jun 4, 2012, trustedCertEntry, Certificate fingerprint (MD5): D2:67:C6:D1:75:3D:75:E7:8D:44:A5:00:61:45:4A:3D
    gatedev.websrvs.xerox.com, Jun 4, 2012, trustedCertEntry, Certificate fingerprint (MD5): D2:4F:C9:D1:C4:1B:82:6B:F9:B8:B8:6D:8E:5F:F8:6A
    root, Jun 4, 2012, trustedCertEntry, Certificate fingerprint (MD5): DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
    usa0300uz1222.apps.mc.xerox.com, Jun 4, 2012, keyEntry, Certificate fingerprint (MD5): A4:B3:9C:8F:5F:0F:85:CF:9E:F9:3D:43:68:0C:0B:E2
    – Nagesh Hello Jun 05 '12 at 10:57
  • Please confirm that the code in server.xml, which is in the question, is correct. – Nagesh Hello Jun 05 '12 at 15:24
As @Krrose27 pointed out, you have enabled two-way SSL/TLS:

clientAuth="true"

Only do this if you expect clients to provide credentials using certificates. If you are going to do this, you usually need to set up a Realm configuration like tomcat-users.xml that will map client certificates to a local principal.

pd40
  • I got one solution; can anyone please confirm this? I have to export the cert from the server keystore and import it into the client keystore, and the same way for the client: export the client cert from the client keystore and import it into the server keystore, then restart the server. The last step is to mention the keystore and truststore in the client program. – Nagesh Hello Jun 04 '12 at 06:07
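The question's failure ("javax.servlet.request.X509Certificate" is NULL) and pd40's point about mapping client certificates to a local principal can both be seen in application code. The servlet Filter below is an added illustration written for this page; it is not the asker's application, Tomcat's own Realm mechanism, or code from either answer. It assumes the Servlet 2.4 API that Tomcat 5.5 ships, and the subject DN in the sample mapping is a constructed placeholder. Tomcat only populates the attribute after a successful mutual-TLS handshake on an SSLEnabled="true" connector with clientAuth="true", so the null branch is exactly the condition the asker is hitting.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of the original question's application).
 * It reads the client certificate chain that Tomcat attaches to the request
 * when a clientAuth="true" handshake succeeds, rejects requests without one,
 * and maps the client subject DN to a local principal name.
 */
public class ClientCertFilter implements Filter {

    // Tomcat exposes the verified client chain under this request attribute
    // as an X509Certificate[]; the client's own certificate is at index 0.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Constructed sample mapping: client subject DN (RFC 2253 form) -> local user.
    // In a real deployment this would come from a Realm or a user store.
    private static final Map<String, String> DN_TO_PRINCIPAL = new HashMap<String, String>();
    static {
        DN_TO_PRINCIPAL.put("CN=example-client,O=Example Org,C=US", "example-client");
    }

    public void init(FilterConfig cfg) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        X509Certificate[] clientChain =
                (X509Certificate[]) httpReq.getAttribute(CERT_ATTR);

        // null here means no client certificate reached the application:
        // the client sent none, the connector is not SSLEnabled, or clientAuth is off.
        if (clientChain == null || clientChain.length == 0) {
            httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Client certificate required for access to this service");
            return;
        }

        X509Certificate clientCert = clientChain[0];
        try {
            // Tomcat already verified the chain against the truststore; this
            // only re-checks the validity period of the leaf certificate.
            clientCert.checkValidity();
        } catch (CertificateExpiredException e) {
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate expired");
            return;
        } catch (CertificateNotYetValidException e) {
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not yet valid");
            return;
        }

        // Map the authenticated subject to a local principal; unknown DNs are refused.
        String subjectDn = clientCert.getSubjectX500Principal().getName();
        String principal = DN_TO_PRINCIPAL.get(subjectDn);
        if (principal == null) {
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate subject is not mapped to a user");
            return;
        }

        // Downstream servlets can read the mapped user from this attribute.
        httpReq.setAttribute("clientPrincipal", principal);
        chain.doFilter(req, res);
    }
}
```

Register the filter in web.xml with a filter-mapping for the protected URL pattern. The 401 branch is the same condition the asker's application reports as "Client certificate required for access to this service! None was given!": fixing it is a connector and truststore matter (SSLEnabled="true", the CA root and intermediate in the server truststore, a CA-signed client certificate in the client keystore), not something the filter can recover from.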