Wednesday, March 28, 2012

Client authentication with SSL certificates in Tomcat

Place a connector definition like the following in server.xml:

    <!-- keystore*, truststore*, keyAlias and clientAuth are read by the JSSE (BIO/NIO) connector.
         The APR/native connector ignores those and reads SSLVerifyClient / SSLCACertificateFile instead,
         so only the pair that matches the connector implementation actually in use takes effect. -->
    <Connector port="8443"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               sslProtocol="TLS"
               keystorePass="pass"
               keystoreFile="/data/miteff/someserver/server1.jks"
               truststoreFile="/data/miteff/eshop/MiteffRootCa.jks"
               truststorePass="pass"
               keyAlias="www.miteff.com"
               clientAuth="want"
               SSLVerifyClient="optional"
               SSLCACertificateFile="/data/miteff/someserver/MiteffRootCA.pem"
    />


Attention: in Tomcat 6.0 the clientAuth parameter can take the value "want", so the connector accepts connections both with and without a client certificate. The application can then decide internally what to do with the two types of clients. Note that Tomcat 6.0 COULD NOT understand the option clientAuth="optional". I suppose it was valid at some point, but now it is not.
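As an added example (not code from the original post), here is the application-side half of that decision: a Servlet 2.5 Filter for Tomcat 6 that reads the client certificate Tomcat exposes after a clientAuth="want" handshake and enforces it only where the application needs it. The protected path prefix and the "clientDn" attribute name are assumptions made for this example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Application-side decision for the two kinds of clients that clientAuth="want" lets through.
public class ClientCertFilter implements Filter {
    // Assumption for this example: only paths under this prefix require a client certificate.
    private static final String PROTECTED_PREFIX = "/secure/";

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Standard servlet attribute: Tomcat sets it only when the client presented a chain that
        // validated against truststoreFile. With clientAuth="want" it is simply null otherwise.
        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        boolean requiresCert = request.getServletPath().startsWith(PROTECTED_PREFIX);

        if (certs == null || certs.length == 0) {
            if (requiresCert) {
                // The TLS handshake succeeded without a certificate, so the application must deny.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
                return;
            }
            chain.doFilter(req, res);  // anonymous client on an open path
            return;
        }

        X509Certificate leaf = certs[0];  // certs[0] is the client's own certificate
        try {
            leaf.checkValidity();         // defence in depth: reject expired or not-yet-valid certs
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        // Hand the verified identity to the application (attribute name is an assumption).
        request.setAttribute("clientDn", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }
}
```

Register the filter in web.xml with a url-pattern of /* so that every request passes through it; the path check inside then decides which requests must carry a certificate.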
