1 vote

I want to configure SSL for mutual authentication.

I work with eclipse + tomcat 8.

I did these steps:

I created private keys in this way:

openssl genrsa -des3 -out client_key.pem 2048
openssl genrsa -des3 -out server_key.pem 2048

I created self-signed certificates:

openssl req -new -x509 -key client_key.pem -out client.pem -days 365 -config <path to>\openssl.cnf
openssl req -new -x509 -key server_key.pem -out server.pem -days 365 -config <path to>\openssl.cnf

I created truststore and import certificates:

keytool -importcert -trustcacerts -keystore clienttruststore.jks -storetype jks -storepass <truststore_password> -file <path-to-file>\server.pem
keytool -importcert -trustcacerts -keystore servertruststore.jks -storetype jks -storepass <server_truststore_password> -file <path-to-file>\client.pem

I combined the certificate and the private key for the server and client respectively:

openssl pkcs12 -export -inkey client_key.pem -in client.pem -out client.p12
openssl pkcs12 -export -inkey server_key.pem -in server.pem -out server.p12

and finally I converted the keystore in PKCS12 format:

keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype jks
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks

After this, I configured SSL/TLS support on Tomcat: I edited server.xml in the Servers folder and set up the connector in this way:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="path\to\server.jks" keystorePass="*******" keystoreType="JKS"
               truststoreFile="path\to\servertruststore.jks" truststorePass="********" truststoreType="JKS" />

Finally I cleaned and built the project.

I created a Dynamic Web Project in Eclipse called "myproject". It works well.

The problem is that when myproject runs on server at URL https://localhost:8443/myproject Google Chrome shows the red triangle (This page is insecure (broken HTTPS)).

  1. What's wrong?
  2. Where do I put client.jks and clienttruststore.jks in my project?

This picture shows the problem:

[Snapshot of Chrome page showing broken HTTPS]

Curious: On Chrome, are you able to add the certificate as an exception? (If it doesn't make sense, could you please add a snapshot of the Chrome page to the question and I can give you the correct steps.) Remember it's a self-signed cert, so the browser would flag it.

Federico: I edited the post and added a snapshot. How do I add the certificate as an exception?

Curious: Your website is already working on https but the browser is not accepting the certificate because it's self-signed and not signed by a recognized Certificate Authority (CA). You would require a certificate signed by a CA along with its root certificate. Try this link: mulesoft.com/tcat/tomcat-ssl. Good luck.

1 Answer

2 votes
  1. Your certificates are self-signed, meaning they are not signed by a CA, meaning Chrome cannot trust them unless you approve them manually.

  2. When generating the certificate, did you provide a CN? It must match the hostname that you are using (in your case it's localhost); if the CN doesn't match, Chrome will not allow SSL unless you approve it manually.

  3. You said you want mutual authentication, but you configured clientAuth="false". It should be true. As for the keystore, you are supposed to use the same keystore for the certificates, therefore when the client connects with its certificate, Tomcat will validate that the corresponding certificate is located in the keystore.

Hope it helps.