1

My goal is to increase my test server security by requiring the server to demand a client certificate.

Tomcat server.xml (conf/server.xml) contains:

<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       scheme="https" secure="true" SSLEnabled="true"
       port="443"
       clientAuth="true"
       keyAlias="posh"
       maxThreads="200" acceptCount="100"
       minSpareThreads="5" maxSpareThreads="75"
       keystoreFile="conf/keystore.jks"
       keystoreType="JKS" keystorePass="somePassword"
       enableLookups="true" disableUploadTimeout="true"
       truststoreFile="conf/keystore.jks"
       truststoreType="JKS" truststorePass="somePassword"
       SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2"
       sslProtocol="TLS"/>

Tomcat web.xml (conf/web.xml) contains:

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
  version="3.1">
...
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
...
</web-app>

No errors appear in my catalina log:

... 26-Jan-2016 15:29:59.023 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"] 26-Jan-2016 15:29:59.420 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-443"] 26-Jan-2016 15:29:59.421 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"] 26-Jan-2016 15:29:59.422 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 24056 ms

Not sure if this matters at this point, but the conf/keystore.jks yields the following list:

root@Posh:/opt/tomcat/conf# keytool -list -keystore keystore.jks -storepass somePassword

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

posh, Jan 26, 2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 0F:DA:1D:B3:5C:37:60:D0:46:8B:7C:DE:F3:96:2E:DE:A2:4E:2F:B5
clientcert, Jan 26, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 42:16:28:7E:17:2D:6C:B4:61:F4:8D:DA:B7:6E:90:E4:9F:3E:FC:83

My Tomcat 8 configuration is otherwise out-of-box running as tomcat user on Ubuntu 14.04 under authbind().

A client connecting to the site can accept the server certificate and freely access all deployed application without an client certificate.

I was hoping that Tomcat would "require" a client certificate from every client before allowing access to applications.

How can I change the configuration to require/demand a client certificate to access any/all applications on the site?

davejal
  • 6,009
  • 10
  • 39
  • 82
Paul Headley
  • 11
  • 2
  • Looks like it should work. The properties starting 'SSL' only apply to the APR native connector that uses OpenSSL, which you aren't using. Try removing them. – user207421 Jan 27 '16 at 02:45
  • EJP - thanks. I've been hacking at this. Removing the "SSL*" stuff didn't seem to matter, same error anyway. I decide to start over and gen the private key from keytool rather than mixing a key gen'd from OpenSSL. The new key worked. Thanks again. – Paul Headley Feb 02 '16 at 02:05

0 Answers0