Tomcat Client Authentication using SSL

Question

I'm at a loss, since I'm not a Tomcat person. I need to use a 3rd party's web service and they require Client Authentication via SSL, so they generated and issued me an SSL certificate. Unfortunately this is as far as they support it and cannot give me any direction on how to actually use it. I'm stuck using this 3rd party so unfortunately I have to put up with their lack of support.

So what I have is a Java application that a vendor is supplying for us (who apparently has never had to deal with this), a Tomcat app server running 6.0.20 on CentOS 5.3, and the SSL cert from the 3rd party.

What all do I need to do at this point? All I can find online is how to set up a keystore so that my app can use Client Authentication against things connecting to it, not for when it needs to connect out to someone else, or how to use SSL over port 8443 (which I know how to do already and have set up).

Answer 1

Update:

Try following way to enable the client authentication in Tomcat.

To make tomcat take advantages of Client Authentication, we require three certificates. i.e A Server Certificate for Tomcat, Client Certificate for the browser and Certificate of the CA which will sign both the above mentioned certificates. Here, I'll show how to do it in Windows.

There are two ways.

1. You should have a CSR file i.e. a Certificate Signing Request. You can submit it to the Certificate Authority like Verisign or Comodo or many other like them. They'll provide you the certificate. Or

2. You can create your own Certificate Authority and sign the certificates. But it is recommended to do this for personal use only.

You should have Java and OpenSSL installed to perform the below steps.

To generate the Certificate Signing Request, you should have the key. To generate the key type the following command in CMD.

openssl genrsa -out Serverkey.key 1024

This will generate a file "Serverkey.key". The key size is 1024. You can give it as per your requirement.

Now generate the CSR file with the help of following command.

openssl req -new -key Serverkey.key -out ServerReq.csr -config /path/to/openssl.cnf

Once you execute this command, you'll be asked to give some information. After that, you'll find the CSR file in your directory. You can submit this file to the CA. In case, you are doing this for your personal use, and you want to have your own CA, create a key and CSR for your CA with the help of above given two commands. After you have your CSR for CA, you can sign with the CA's key with the help of following command.

openssl x509 -req -days 365 -in CAReq.csr -signkey CAKey.key -out CA.crt

Once you have the CA certificate, you can use it to sign other certificates.

openssl x509 -req -days 365 -CA CA.crt -CAkey CAKey.key -CAcreateserial -in ServerReq.csr -out Server.crt

You can use the same command for client certificate as well.

The browser which is our client here, will accept the P12 format certificate. P12 format is a file which contains your certificate as well as the key.

To conver the CRT to P12 use the following command.

openssl pkcs12 -export -in Server.crt -inkey ServerKey.key -chain -CAfile CA.crt -out ServerCert.p12

In tomcat, there is one truststore which will have the CA's certificate and another is a keystore which will have server's key and certificate (p12 file).

For importing CA's certificate to truststore use the following command.

keytool -import -alias CertAuth -keystore caCerts.jks -file CA.crt

You can give alias as whatever you want. Note the password that you give when asked after executing the above command. We'll use that password in the server.xml file. Same applies for the below command.

For importing the p12 format certificate to the keystore use the following command.

keytool -importkeystore -destkeystore tomcat.keystore -srckeystore -ServerCert.p12 -srcstoretype PKCS12 -alias 1

Now, change the tomcat's server.xml as following.

<Connector port="8443" 
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           truststoreFile="path/to/truststorefile" truststorePass="password" 
           keystoreFile="path/to/keystorefile" keystorePass="password"
           clientAuth="true" sslProtocol="TLS"
           />

Now, import the Client's P12 format certificate to the browser. Then, start the tomcat server and try to access https://localhost:8443. You can visit the blog for the detailed version of this answer. Hope this helps.

Answer 2

Here's the really long answer: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

Don't take my word for it, but I believe that, as a client, client auth will automatically be performed when the server requests it.

If configuring tomcat is the question, have you read http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html? In particular, note the clientAuth attribute of the Connector element.

Answer 3

I don't know that this is about configuring Tomcat, other than to be able to pass in system properties to a web application running in Tomcat.

The vendor that supplies the web application really should be able to tell you how to get the client connection from their software to use a specific client certificate when making an SSL connection to a remote web service.

For instance, they could have their application implement a custom KeyManager for SSL connections that is able to look up the client certificate and private key from a configurable location.

If they haven't done that, they are probably using the default SunX509 KeyManager.

For the default KeyManager, you can apparently use keytool to create a keystore containing the client certificate and private key the certificate describes. Then you can specify that key store using the following system parameters:

-Djavax.net.ssl.keyStore="/path/to/keystore"
-Djavax.net.ssl.keyStorePassword="<password>"

You will need to configure Tomcat to pass in these properties.