views: 1145
answers: 2

I'm at a loss, since I'm not a Tomcat person. I need to use a 3rd party's web service and they require Client Authentication via SSL, so they generated and issued me an SSL certificate. Unfortunately this is as far as they support it and cannot give me any direction on how to actually use it. I'm stuck using this 3rd party so unfortunately I have to put up with their lack of support.

So what I have is a Java application that a vendor is supplying for us (who apparently has never had to deal with this), a Tomcat app server running 6.0.20 on CentOS 5.3, and the SSL cert from the 3rd party.

What all do I need to do at this point? All I can find online is how to set up a keystore so that my app can use Client Authentication against things connecting to it, not for when it needs to connect out to someone else, or how to use SSL over port 8443 (which I know how to do already and have set up).

A: 

Here's the really long answer: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

Don't take my word for it, but I believe that, as a client, client auth will automatically be performed when the server requests it.

If configuring tomcat is the question, have you read http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html? In particular, note the clientAuth attribute of the Connector element.

Jeremy Huiskamp
So all I have to do is generate a keystore (without using a Port attribute I guess) and when my app accesses the 3rd party (say, via SOAP), it will pick up the request for the SSL authentication and send along the client SSL I have?
dragonmantank
If they gave you a certificate that you have to use to connect to them, they should also have given you a private key. Normally, you'd generate both, keep the private key and send them a copy of the certificate to put on their server. But yeah, get that private key and certificate into a keystore, get the certificate for their server into a truststore and put those into an SSLContext for generating SSL sockets.
Jeremy Huiskamp
+1  A: 

I don't know that this is about configuring Tomcat, other than to be able to pass in system properties to a web application running in Tomcat.

The vendor that supplies the web application really should be able to tell you how to get the client connection from their software to use a specific client certificate when making an SSL connection to a remote web service.

For instance, they could have their application implement a custom KeyManager for SSL connections that is able to look up the client certificate and private key from a configurable location.

If they haven't done that, they are probably using the default SunX509 KeyManager.

For the default KeyManager, you can apparently use keytool to create a keystore containing the client certificate and private key the certificate describes. Then you can specify that key store using the following system parameters:

-Djavax.net.ssl.keyStore="/path/to/keystore"
-Djavax.net.ssl.keyStorePassword="<password>"

You will need to configure Tomcat to pass in these properties.

William Rose
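The two approaches in the answers above, written out as an added Java example (not code from the question, the vendor's application, or either answerer): the first answer's comment thread describes building an SSLContext from a keystore (our private key plus the issued certificate) and a truststore (the 3rd party's server or CA certificate), and the second answer describes pointing the default SunX509 KeyManager at the keystore through the javax.net.ssl.* system properties. File paths, passwords and the service URL below are placeholders. If the 3rd party handed over a .p12/.pfx file, that is already a PKCS12 keystore holding both the key and the certificate, so no keytool conversion is needed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertExample {

    // Placeholder locations and passwords; replace with your own. Not values from the question.
    static final String KEYSTORE_PATH = "/path/to/client-keystore.p12";   // our private key + issued client cert
    static final String KEYSTORE_PASSWORD = "<keystore-password>";
    static final String TRUSTSTORE_PATH = "/path/to/truststore.jks";       // the 3rd party's server or CA cert
    static final String TRUSTSTORE_PASSWORD = "<truststore-password>";

    /** Loads a keystore file of the given type (Java 6 compatible, no try-with-resources). */
    static KeyStore loadKeyStore(String type, String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * Approach 1 (first answer's comments): an SSLContext that presents our client
     * certificate when the server requests it and trusts only the certificates in
     * the truststore. Use this when you control the code that opens the connection.
     */
    static SSLContext buildClientAuthContext() throws Exception {
        // Key material: private key and the certificate the 3rd party issued for it.
        KeyStore keyStore = loadKeyStore("PKCS12", KEYSTORE_PATH, KEYSTORE_PASSWORD);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); // "SunX509" on Sun JDKs
        kmf.init(keyStore, KEYSTORE_PASSWORD.toCharArray());

        // Trust material: the remote server's certificate (or the CA that issued it).
        KeyStore trustStore = loadKeyStore("JKS", TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens an HTTPS connection with the client-auth context; hostname verification stays at its default. */
    static int callRemoteService(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(buildClientAuthContext().getSocketFactory());
        return conn.getResponseCode();
    }

    /**
     * Approach 2 (second answer): for code you cannot change, point the default
     * KeyManager/TrustManager at the stores via system properties. This is the
     * in-code equivalent of -Djavax.net.ssl.keyStore=... on the JVM command line.
     * The default SSLContext reads these once, on first use, so they must be set
     * before any SSL connection is made in the JVM.
     */
    static void configureDefaultKeyStore() {
        System.setProperty("javax.net.ssl.keyStore", KEYSTORE_PATH);
        System.setProperty("javax.net.ssl.keyStorePassword", KEYSTORE_PASSWORD);
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE_PATH);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PASSWORD);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL for the 3rd party's service.
        System.out.println("HTTP status: " + callRemoteService("https://service.example.com/soap"));
    }
}
```

For the vendor's application running inside Tomcat, approach 2 is the one the second answer points at: put the -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword flags into CATALINA_OPTS (for example in bin/setenv.sh) so catalina.sh passes them to the JVM. Because those properties are JVM-wide, every SSL client connection made from that Tomcat instance will offer the same client certificate, which is why the custom KeyManager route in approach 1 is preferable when the vendor can change their code.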