0

I wanted to secure an application I developed recently, and I following mkyong's tutorial.

It worked only for tomcat manager's pages.

Indeed, I use the <transport-guarantee>CONFIDENTIAL</transport-guarantee> with <auth-method>CLIENT-CERT</auth-method>.

At the beginning, I wasn't sure about mkyong's certificate, so I followed instructions in maximporges.

I keep getting error code 401.

When I change auth-method from CLIENT-CERT to BASIC, I am prompted to enter login and password, I enter a user's credentials that exists in tomcat-users.xml, and it works.

I tried to add a user in tomcat-users.xml like <user username="CN=xxxx xxx xxx, O=knmi, O=users, O=dutchgrid" password="null" roles="abc" /> I duplicate the exact same information entered previously for the certificate, but doesn't work.

I think the server can't find the client's certificate

Note: I had to change protocol="HTTP/1.1" to protocol="org.apache.coyote.http11.Http11AprProtocol" in server.xml to avoid getting ERR_BAD_SSL_CLIENT_AUTH_CERT.

Mohamed Ennahdi El Idrissi
  • 2,931
  • 2
  • 19
  • 32

1 Answers1

1

[Response from comments]

To stablish a secure connection you do not need a client certificate. Here you are a simple tutorial http://www.mkyong.com/tomcat/how-to-configure-tomcat-to-support-ssl-or-https/

If you want a 'green bar' I suggest buy an SSL certificate instead of generating one

Tomcat tag in web.xml is not needed. See Is security-constraint configuration for Tomcat mandatory?

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

To force HTTPS disable the http connector, usually on port 8080. Then, only the https connector will be reachable

Community
  • 1
  • 1
pedrofb
  • 37,271
  • 5
  • 94
  • 142