Can anyone tell me what client/certificate authentication by the server in Tomcat is? In our application we are getting the certificate as part of a request parameter and doing validation of the certificate. Does that mean we are doing client/certificate authentication? I guess we are doing certificate validation in application code, which means it is at the application level and we are not doing any client/certificate authentication at the server level. Can anyone please confirm this?
1 Answer
what is client/certificate authentication by server in tomcat
It is two-way SSL authentication. When SSL is enabled on the server, the server cert should be there in the client's trusted cert store. Similarly, when client/certificate authentication is enabled, the client SSL cert should be there in the server's trusted cert store.
we are getting certificate as part of request parameter and doing validation of certificate, does that mean we are doing client/certificate authentication?
No. That is application validation. But who is setting it in the request parameter?
NOTE: This client cert authentication is done by the container. But the container provides the SSL properties using request parameters.
Look here to know what properties are set by the server when the connection is secure.
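As an added example (not code from the question or the answer), this servlet filter shows where container-level client-cert authentication hands the certificate to application code, which is the difference between the two approaches discussed above. The filter class, the `authenticatedSubject` attribute name and the keystore paths in the connector comment are assumptions; only `javax.servlet.request.X509Certificate` and the connector attribute names come from the Servlet spec and Tomcat.

```java
// Added example, not code from the question or the answer: a servlet filter that consumes
// the client certificate Tomcat exposes after container-level client-cert authentication.
// Matching server.xml connector (Tomcat 6/7 attribute names; file paths are placeholders):
// <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
//            clientAuth="true" sslProtocol="TLS"
//            keystoreFile="conf/server.jks" keystorePass="changeit"
//            truststoreFile="conf/trusted-clients.jks" truststorePass="changeit"/>
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertFilter implements Filter {
    // Attribute name defined by the Servlet spec; Tomcat populates it only when the
    // connector has clientAuth="true" (or "want" and the client chose to send a cert).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Set by the container from the TLS handshake, not by the caller: a request
        // *parameter* can be supplied by anyone, this attribute cannot.
        X509Certificate[] tlsChain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (!request.isSecure() || tlsChain == null || tlsChain.length == 0) {
            // Plain HTTP, or clientAuth is off / "want" and no certificate was presented.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        X509Certificate leaf = tlsChain[0];
        try {
            // The handshake already validated the chain against the truststore; this is
            // only a defensive re-check of the validity period.
            leaf.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not valid");
            return;
        }
        // Hand the container-authenticated identity to application code.
        request.setAttribute("authenticatedSubject", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

With `clientAuth="false"` the attribute is never set, so the filter rejects every request; that is the behaviour the answer's comment about the attribute only being available when client auth is enabled describes.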
- Thank you so much for the quick reply. So will the request parameter get the certificate when a client requests a service, even though we are not implementing client/certificate authentication? We are implementing SSL in Tomcat; we have configured an SSL connector for this. So if we set `clientAuth=false`, will it work in this situation? – Nagesh Hello Jun 06 '12 at 08:05
- No, only when `clientAuth` is enabled can you get this request attribute. – Ramesh PVK Jun 06 '12 at 08:39
- Thanks. I still have a little doubt though! :) I will give you the steps that I am doing for this; please review and tell me if that's correct --- 1. Created a directory called D:/Xerox_Files/Misc/cert/client_CBR_1.jks locally. Exported the cert from this directory to the server's trust store. 2. The server's trust store has 3 signed certificates, one cert created in Step 1 and one certificate request file. – Nagesh Hello Jun 06 '12 at 09:24
- 3. Server.xml configuration --> – Nagesh Hello Jun 06 '12 at 09:28
- @Nagesh Hello Note that the server's certificate doesn't have to be physically present in the client's truststore, or vice versa, as long as a chain of trust exists. You need to set `clientAuth` to a different value if you want the client to supply his certificate. – user207421 Jun 06 '12 at 09:32
- We have a Java client program through which we are testing this scenario. Static block in the client program: `System.setProperty("javax.net.ssl.trustStore", "D:/Xerox_Files/Misc/cert/client_CBR_1.jks"); System.setProperty("javax.net.ssl.trustStorePassword", "password"); System.setProperty("javax.net.ssl.keyStore", "D:/Xerox_Files/Misc/cert/client_CBR_1.jks"); System.setProperty("javax.net.ssl.keyStorePassword", "password");` – Nagesh Hello Jun 06 '12 at 09:32
- @NageshHello A keystore contains a private key. It doesn't make any sense to use the same file as the keystore and the truststore. – user207421 Jun 06 '12 at 09:33
- The code for testing: `String urlstr = "https://abc.com:0007/mrsxws/meterread"; URL xmlurl = URIUtils.resolveURI("file:\\c:\\acs-ani-test-good.xml"); post = new PostMethod(urlstr); post.setRequestBody(xmlurl.openStream()); post.setRequestHeader("Content-type","text/xml; charset=ISO-8859-1"); HttpClient httpclient = new HttpClient(); double turnAroundTime = 0d; double beforeCall = System.currentTimeMillis(); int result = httpclient.executeMethod(post);` – Nagesh Hello Jun 06 '12 at 09:33
- @EJP We don't have the server's certificate in our local keystore; we are just importing the cert created locally (client) to the server. And what value do we need to set for `clientAuth` if we want the client to supply the certificate in the request param? Also please check the above-mentioned code if we are using it correctly. – Nagesh Hello Jun 06 '12 at 09:36
- And can you also please let us know about the chain of trust that you spoke about earlier? Thanks much. – Nagesh Hello Jun 06 '12 at 09:37
- @NageshHello The possible values for `clientAuth` are specified in the Tomcat documentation. – user207421 Jun 06 '12 at 09:54