I am trying to enable client-authentication on a Tomcat 9.0.90 instance (running on Windows).
I was able to easily get server-authenticated/1-way SSL working, but I have been struggling to get the client-authentication working.
I am testing by using:
openssl s_client -connect <host>:8443 -debug
and then looking for the list of acceptable CAs message, but I only see:
No client certificate CA names sent
Here's the configuration for the 8443 port in server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           maxParameterCount="1000"
           >
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/CERTS/tcat.xxx.com.jks"
                     certificateKeystorePassword="password"
                     type="RSA"
                     certificateKeyAlias="tcat.xxx.com"
                     truststoreFile="conf/CERTS/JLCA.jks"
                     truststorePass="password"
                     truststoreType="JKS"
                     clientAuth="true"
                     certificateVerification="required"
                     />
    </SSLHostConfig>
</Connector>
It's been a while since I've worked with Tomcat, but I don't remember ever having so much difficulty getting this (client authentication) set up before :( !!!
Can anyone tell me what the problem might be??
Thanks, Jim
P.S. FYI, I actually started this whole exercise with Tomcat 10.1.25, but it got so messed up, I decided to try Tomcat 9, because I saw some posts that said it was easier to get working. At this point, I'd really just like to get the client cert working :)... I don't have any specific requirement for any version of Tomcat.
EDIT: I was just doing more testing and noticed these lines in the catalina log file during the Tomcat startup:
WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [truststoreFile] to [conf/CERTS/JLCA.jks]
02-Jul-2024 23:47:27.543 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [truststorePassword] to [password]
02-Jul-2024 23:47:27.543 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [truststorePass] to [password]
02-Jul-2024 23:47:27.544 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [truststoreType] to [JKS]
02-Jul-2024 23:47:27.544 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [clientAuth] to [required]
Does anyone know if that is "normal", and also is it saying that those properties are not being set, and, if so, "Why not?"???
EDIT 2: I was checking the tomcat /manager app and when I click on "Trusted certificates per Connector", it is saying:
Connector["https-openssl-nio-8443"]-_default_ ==> Certificate information cannot be obtained from this connector at runtime
EDIT 3: Made changes per dave_thompson:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true"
           maxParameterCount="1000"
           >
    <SSLHostConfig
        truststoreFile="conf/CERTS/JLCA.jks"
        truststorePassword="password"
        truststorePass="password"
        truststoreType="JKS"
        certificateVerification="optional"
        >
        <Certificate certificateKeystoreFile="conf/CERTS/tcat.xxx.com.jks"
                     certificateKeystorePassword="password"
                     type="RSA"
                     certificateKeyAlias="tcat.xxx.com"
                     />
    </SSLHostConfig>
</Connector>
and it worked - openssl s_client has:
Acceptable client certificate CA names
/C=US/O=JLO/OU=JLOU/CN=JLCA
ALSO, slightly off-topic, there was another, unrelated problem: because I am running Tomcat as a service, it does not use setenv.bat, so I had to use an app, tomcat9w.exe, to select the JDK 11 JVM.
truststore* and clientVerification are on SSLHostConfig not Certificate, and clientAuth is obsolete; before 8.5 it was used on Connector only in JSSE mode (while APR used SSLVerifyClient).
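As an added illustration of the answer above (this is my own example script, not code from the question, the answerer or the Tomcat project): a small Python linter that parses a Connector element and reports the mistakes the two configurations on this page exhibit: truststore* and certificateVerification placed on Certificate instead of SSLHostConfig, the obsolete clientAuth attribute, and attribute names Tomcat 9 does not recognise (such as truststorePass, which is exactly what the "failed to set property" warnings in EDIT 1 are about), plus a note when certificateVerification is absent altogether, since it then defaults to none and the server never asks for a client certificate. The known-attribute sets are the ones listed in the Tomcat 9 SSL Support configuration reference as I know them; lint_connector and the severity labels are my own naming. Both embedded snippets are copied from the question.

```python
"""Lint a Tomcat 9 <Connector> for the SSLHostConfig / Certificate attribute mix-up.

Added example (not from the question or from Tomcat): attributes Tomcat 9 refuses
to set produce "failed to set property" warnings at startup and silently leave
client-certificate verification switched off.
"""
import xml.etree.ElementTree as ET

# Attribute names as listed in the Tomcat 9 "SSL Support" configuration
# reference; assumed complete for the purposes of this check.
SSLHOSTCONFIG_ATTRS = {
    "caCertificateFile", "caCertificatePath", "certificateRevocationListFile",
    "certificateRevocationListPath", "certificateVerification",
    "certificateVerificationDepth", "ciphers", "disableCompression",
    "disableSessionTickets", "honorCipherOrder", "hostName",
    "insecureRenegotiation", "keyManagerAlgorithm", "protocols",
    "revocationEnabled", "sessionCacheSize", "sessionTimeout", "sslProtocol",
    "trustManagerClassName", "truststoreAlgorithm", "truststoreFile",
    "truststorePassword", "truststoreProvider", "truststoreType",
}
CERTIFICATE_ATTRS = {
    "certificateChainFile", "certificateFile", "certificateKeyAlias",
    "certificateKeyFile", "certificateKeyPassword", "certificateKeystoreFile",
    "certificateKeystorePassword", "certificateKeystoreProvider",
    "certificateKeystoreType", "type",
}
# Pre-8.5 Connector-level attribute; Tomcat 9 neither honours it nor errors on it.
OBSOLETE_ATTRS = {"clientAuth"}

# Copied from the question: the broken first attempt and the working EDIT 3 config.
BROKEN_CONNECTOR = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/CERTS/tcat.xxx.com.jks"
                 certificateKeystorePassword="password" type="RSA"
                 certificateKeyAlias="tcat.xxx.com"
                 truststoreFile="conf/CERTS/JLCA.jks" truststorePass="password"
                 truststoreType="JKS" clientAuth="true"
                 certificateVerification="required"/>
  </SSLHostConfig>
</Connector>"""
FIXED_CONNECTOR = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           maxParameterCount="1000">
  <SSLHostConfig truststoreFile="conf/CERTS/JLCA.jks" truststorePassword="password"
                 truststorePass="password" truststoreType="JKS"
                 certificateVerification="optional">
    <Certificate certificateKeystoreFile="conf/CERTS/tcat.xxx.com.jks"
                 certificateKeystorePassword="password" type="RSA"
                 certificateKeyAlias="tcat.xxx.com"/>
  </SSLHostConfig>
</Connector>"""

OBSOLETE_MSG = "ignored since 8.5; use certificateVerification on SSLHostConfig"


def _check_attrs(element, allowed, misplaced_to, findings):
    """Classify every attribute on one element as obsolete, misplaced or unknown."""
    for name in element.attrib:
        if name in OBSOLETE_ATTRS:
            findings.append(("obsolete", element.tag, name, OBSOLETE_MSG))
        elif name in allowed:
            continue
        elif misplaced_to and name in misplaced_to:
            findings.append(("misplaced", element.tag, name,
                             "belongs on SSLHostConfig, not Certificate"))
        else:
            findings.append(("unknown", element.tag, name,
                             "not a Tomcat 9 attribute; logs 'failed to set property'"))


def lint_connector(xml_text):
    """Return a list of (severity, element, attribute, message) tuples.

    An empty list means the connector's TLS attributes all sit where Tomcat 9 expects them.
    """
    findings = []
    connector = ET.fromstring(xml_text)
    # clientAuth directly on the Connector is the pre-8.5 JSSE form.
    for name in connector.attrib:
        if name in OBSOLETE_ATTRS:
            findings.append(("obsolete", "Connector", name, OBSOLETE_MSG))
    for host in connector.iter("SSLHostConfig"):
        _check_attrs(host, SSLHOSTCONFIG_ATTRS, None, findings)
        for cert in host.iter("Certificate"):
            _check_attrs(cert, CERTIFICATE_ATTRS, SSLHOSTCONFIG_ATTRS, findings)
        if "certificateVerification" not in host.attrib:
            findings.append(("note", "SSLHostConfig", "certificateVerification",
                             "absent, so it defaults to 'none': no client cert is requested"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN_CONNECTOR), ("fixed", FIXED_CONNECTOR)):
        print(f"== {label} ==")
        for severity, element, attr, message in lint_connector(xml_text):
            print(f"{severity:9} {element}/{attr}: {message}")
```

Running it against the first configuration reports three misplaced attributes, the obsolete clientAuth, the unknown truststorePass, and the note that SSLHostConfig carries no certificateVerification at all, which matches the s_client symptom ("No client certificate CA names sent"). Against the EDIT 3 configuration the only remaining finding is truststorePass on SSLHostConfig, which Tomcat logs and ignores; the working truststorePassword beside it is what actually loads the CA truststore.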