Bigyellowbee

Reputation: 133

Tomcat does not prompt certificate for web application (OpenAM)

I have been troubleshooting my setup of OpenAM for a while and still could not make it work as wanted. I wanted OpenAM to be able to do OCSP validation of the authenticating user through my own copy of EJBCA. Therefore, I need Tomcat to prompt for the user certificate and pass it to OpenAM. Visiting OpenAM over HTTPS is fine, and the user can log in using a password (root realm in OpenAM). However, Tomcat does not prompt for the user certificate when visiting the realm designed for certificate login (a sub-realm in OpenAM which requires a certificate). Does anyone have any thoughts on it? Here is a fragment of the server.xml of my Tomcat configuration related to SSL:

    <!-- Plain HTTP connector; non-secure requests are redirected to the HTTPS port below -->
    <Connector port="8181" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8445" />
    <!-- HTTPS connector; keystore and truststore point at the same file, and
         clientAuth="want" requests but does not require a client certificate -->
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/opt/sso/apache-tomcat-7.0.52/conf/keystore"
               keystorePass="password"
               truststoreFile="/opt/sso/apache-tomcat-7.0.52/conf/keystore"
               truststorePass="password"
               clientAuth="want" sslProtocol="TLS" />

There is no change to web.xml file in my case. Thanks.

Here is the output of openssl s_client -connect FQDN:8445, per Bernhard's suggestion:

CONNECTED(00000003)
depth=1 CN = leopardrootCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=ncw01271123114/OU=ouname/O=O-name/L=j/ST=a/C=us
   i:/CN=leopardrootCA
 1 s:/CN=leopardrootCA
   i:/CN=leopardrootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlzCCAwC--too_long_too_show
-----END CERTIFICATE-----
subject=/CN=ncw01271123114/OU=ouname/O=O-name/L=j/ST=a/C=us
issuer=/CN=leopardrootCA
---
Acceptable client certificate CA names
/CN=leopardrootCA
/CN=ncw0127114/OU=ouname/O=O-name/L=j/ST=a/C=us
---
SSL handshake has read 2097 bytes and written 403 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-DSS-AES256-SHA
    Session-ID: 53309AA15C218F41330C077476A3BDAE352CAFD84A503A281EA09AE884BA73D9
    Session-ID-ctx: 
    Master-Key: EF5016A9D8236A704313720FC2E1A1B9FAC47A744F6A9B53E80BBEF8D1141476E050A71F3C50498ABEE1F790A2D76891
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1395694241
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

Upvotes: 0

Views: 2585

Answers (2)

Bigyellowbee

Reputation: 133

Seems the problem is related to the extended key usage of the client certificate. It is worth a try if someone has the same situation as me. Thanks to all who helped.

Copied from my comment:

  • I have found the problem. When I defined the client certificate profile in EJBCA I did not choose a specific extended key usage. I fixed it by choosing client authentication, SSH client and MS smart card logon. I do not know which one takes effect, but certainly one of them.

Upvotes: 0

Bernhard Thalmayr

Reputation: 2744

As you can see from the following handshake message:

    Acceptable client certificate CA names
    /CN=leopardrootCA
    /CN=ncw0127114/OU=ouname/O=O-name/L=j/ST=a/C=us

Tomcat is asking for client certificates and only accepts certificates which are issued by one of those certificate authorities.

Upvotes: 1
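The two answers above point at two separate conditions a client certificate has to satisfy before OpenAM ever sees it: its issuer has to be one of the CAs Tomcat advertises in the CertificateRequest, and (the asker's fix) its Extended Key Usage has to allow client authentication. Because the connector uses clientAuth="want", Tomcat also completes the handshake when the browser presents no certificate at all, so the web application cannot assume one is present. The servlet filter below is an added example (not code from the question, from OpenAM, or from Tomcat) that makes those checks explicit on the server side: it reads the certificate chain Tomcat stores under the standard request attribute javax.servlet.request.X509Certificate, rejects requests with no certificate, and rejects certificates whose issuer is not the question's CA (CN=leopardrootCA, taken from the page) or whose EKU extension is present but lacks id-kp-clientAuth. The class name and the choice of HTTP status codes are assumptions; the attribute name and the OID 1.3.6.1.5.5.7.3.2 are standard.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not part of OpenAM or Tomcat): a filter for
 * a Tomcat 7 (javax.servlet) web application that enforces the two conditions
 * discussed in the answers on the client certificate presented during the TLS
 * handshake. Register it in web.xml for the paths that require certificate login.
 */
public class ClientCertCheckFilter implements Filter {

    /** OID of id-kp-clientAuth, the EKU value browsers and servers expect on client certificates. */
    static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";

    /** The CA from the question's "Acceptable client certificate CA names" list. */
    static final X500Principal EXPECTED_ISSUER = new X500Principal("CN=leopardrootCA");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;

        // Tomcat exposes the verified chain (leaf first) under this standard attribute.
        // With clientAuth="want" the handshake still succeeds when the browser sends
        // nothing, so the attribute may be null and that case must be handled here.
        X509Certificate[] chainFromTls =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chainFromTls == null || chainFromTls.length == 0) {
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        String problem = check(chainFromTls[0]);
        if (problem != null) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, problem);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns null when the leaf certificate is acceptable, otherwise a short reason.
     * Kept separate from doFilter so it can be unit-tested with certificates loaded
     * from a file (e.g. one exported from EJBCA with and without the clientAuth EKU).
     */
    static String check(X509Certificate leaf) {
        // Condition from Bernhard's answer: issuer must be one of the advertised CAs.
        // X500Principal.equals compares canonical DN forms, so attribute order and
        // case differences in the string representation do not matter.
        if (!EXPECTED_ISSUER.equals(leaf.getIssuerX500Principal())) {
            return "issuer not trusted: " + leaf.getIssuerX500Principal().getName();
        }
        try {
            // Condition from the asker's answer: if an EKU extension is present it must
            // include clientAuth. getExtendedKeyUsage() returns null when the extension
            // is absent, which RFC 5280 treats as "any purpose", so only an explicit
            // list that omits clientAuth is rejected.
            List<String> eku = leaf.getExtendedKeyUsage();
            if (eku != null && !eku.contains(CLIENT_AUTH_OID)) {
                return "client certificate EKU does not include clientAuth";
            }
        } catch (CertificateParsingException e) {
            return "client certificate has an unparseable EKU extension";
        }
        return null;
    }
}
```

The filter runs after the TLS layer has already validated the chain against the truststore, so it does not repeat signature or expiry checks; its job is to turn the "no certificate" case that clientAuth="want" allows into an explicit 401, and to give a readable reason (wrong issuer or missing clientAuth EKU) instead of the silent non-prompt the question describes. Switching the connector to clientAuth="true" would make Tomcat reject the handshake itself, but then the whole virtual host, including the password-only root realm, would require a certificate.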
