Tomcat – Mutual authentication over SSL

In my previous home banking system, I had a typical client-server certificate setup. In this article I would like to describe that system and how it works.

We’ll use a self-signed certificate for this purpose. You should never use this in a production environment… never!

Security and certificates are very broad topics, and they are well covered both on the official websites and in blogs like this one. In this article we approach the issue in a very practical way. You can find other references on the subject at the bottom of this article.

The idea is to verify the user’s identity through a client certificate. Obviously, the server must import the client certificate as a trusted certificate.

Let’s see how it’s done.

First, a diagram to show what happens when a resource is requested.

This diagram is inspired by the official Java documentation (http://docs.oracle.com/javaee/6/tutorial/doc/glien.html).

We need keytool for generating a key pair. First, the server key.


"C:\Program Files\Java\jdk1.7.0_04\bin\keytool.exe" -genkey -v -alias tomcat -keyalg RSA -validity 3650 -keystore C:\eclipse-A2\workspace\ssl\tomcat.keystore -dname "CN=localhost, OU=Developer, O=Fireworks, L=Milan, ST=Italy, C=IT" -storepass serverpassword -keypass serverpassword

Next the client key.


"C:\Program Files\Java\jdk1.7.0_04\bin\keytool.exe" -genkey -v -alias developerKey -keyalg RSA -storetype PKCS12 -keystore developer.p12 -dname "CN=James Leg, OU=Solution, O=Fireworks, L=Milan, ST=Italy, C=IT" -storepass developassword -keypass developassword

Now we need to export the certificate from the client key pair and then add it to the server keystore as a trusted entry.


"C:\Program Files\Java\jdk1.7.0_04\bin\keytool.exe" -export -alias developerKey -keystore developer.p12 -storetype PKCS12 -storepass developassword -rfc -file developer.cer
"C:\Program Files\Java\jdk1.7.0_04\bin\keytool.exe" -import -v -file developer.cer -keystore tomcat.keystore -storepass serverpassword

You can list the contents of tomcat.keystore to check that both the server key pair and the client certificate are there.


"C:\Program Files\Java\jdk1.7.0_04\bin\keytool.exe" -list -v -keystore tomcat.keystore -storepass serverpassword

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: 22-giu-2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Developer, O=Fireworks, L=Milan, ST=Italy, C=IT
Issuer: CN=localhost, OU=Developer, O=Fireworks, L=Milan, ST=Italy, C=IT
Serial number: 593abf5a
Valid from: Fri Jun 22 11:29:25 CEST 2012 until: Mon Jun 20 11:29:25 CEST 2022
Certificate fingerprints:
         MD5:  96:F3:BB:04:33:0E:B5:22:70:1D:56:AF:C6:73:B2:87
         SHA1: A9:1A:08:6C:1D:54:E4:03:C9:FB:6D:49:78:AA:BA:99:2E:20:4B:48
         SHA256: 68:CE:C8:94:7B:04:D3:8C:A4:CA:63:86:BF:5F:59:0F:65:CE:59:D7:A4:
D2:05:4F:13:9F:1C:F7:73:15:B2:CE
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 53 05 3C E0 43 4F 59 11   F8 90 1C 6A B4 B0 81 F9  S.<.COY....j....
0010: 24 C3 D0 FF                                        $...
]
]


*******************************************
*******************************************
Alias name: mykey
Creation date: 22-giu-2012
Entry type: trustedCertEntry

Owner: CN=James Leg, OU=Solution, O=Fireworks, L=Milan, ST=Italy, C=IT
Issuer: CN=James Leg, OU=Solution, O=Fireworks, L=Milan, ST=Italy, C=IT
Serial number: 648f3586
Valid from: Fri Jun 22 11:29:53 CEST 2012 until: Thu Sep 20 11:29:53 CEST 2012
Certificate fingerprints:
         MD5:  39:E0:4D:06:DC:64:24:55:DA:3D:C8:91:D8:A0:91:28
         SHA1: BF:24:97:D3:C6:D0:B1:2F:77:04:FE:77:EF:0E:A3:04:3C:20:AD:B3
         SHA256: 11:AA:34:A3:C9:7F:5C:43:BF:52:2C:29:49:11:09:77:F2:C6:98:FE:19:
F8:74:3D:CE:7C:3F:50:2D:C6:F9:38
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B3 38 BB AA 29 B9 88 C1   83 96 29 79 60 37 01 8C  .8..).....)y`7..
0010: FC EE 8D 3D                                        ...=
]
]


*******************************************
*******************************************

Now it’s time to configure the Tomcat server, in two steps.

The first is enabling the SSL connector (uncomment the connector in server.xml):


<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     keystoreFile="C:/eclipse-A2/workspace/ssl/tomcat.keystore" keystorePass="serverpassword"
     truststoreFile="C:/eclipse-A2/workspace/ssl/tomcat.keystore" truststorePass="serverpassword"
     clientAuth="true" sslProtocol="TLS" />

The second is adding your credentials to Tomcat’s tomcat-users.xml file.


<!-- The username must match the certificate's subject DN exactly as keytool prints it
     (note "ST", not "S", for the state attribute); the password is not checked for client certificates. -->
<user username="CN=James Leg, OU=Solution, O=Fireworks, L=Milan, ST=Italy, C=IT" password="null" roles="admin" />

Before starting Tomcat and browsing our SSL site, we should install the client certificate into the browser. In IE you only have to double-click the developer.p12 file and follow the instructions. In Mozilla Firefox, go to Tools->Options->Advanced->Encryption->View Certificates and then click the Import button.

Now, it’s time to run.

Use one of the Tomcat example pages to try the web app:

https://localhost:8443/examples/jsp/jsp2/el/basic-arithmetic.jsp

If everything is OK, you should see the page served over SSL. You’ll get a certificate warning because the server certificate is self-signed rather than issued by a trusted certification authority.

This is normal behaviour. You can fix it, especially in a production environment, by using a certificate issued by a trusted certification authority.

Another way is to install the server certificate under “Trusted Root Certification Authorities”. It’s enough to click on the certificate, click the Install Certificate button and then install it in the “Trusted Root Certification Authorities” store. You can find it there as “localhost” (I’ve installed the server certificate, not the client one!).

If you then remove the client certificate from the browser and retry, you’ll see a “page not found” message in Internet Explorer and the error “ssl_error_bad_cert_alert” in Firefox.
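The same two cases from code, as a check that the connector really enforces mutual authentication (an added example, not part of the original post): a connection presenting developer.p12 succeeds, while one without any client key is refused during the handshake, just as the browser is. It assumes the paths and passwords used in the keytool commands above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.*;

// Added example, not from the original post; paths and passwords are those of the keytool commands above.
public class MutualTlsCheck {
    static final String PAGE = "https://localhost:8443/examples/jsp/jsp2/el/basic-arithmetic.jsp";
    static final String TRUSTSTORE = "C:/eclipse-A2/workspace/ssl/tomcat.keystore";

    static KeyStore load(String type, String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Trusts the self-signed server cert in tomcat.keystore; optionally presents the developer.p12 key pair.
    static SSLContext context(boolean withClientKey) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", TRUSTSTORE, "serverpassword"));
        KeyManager[] keyManagers = null;
        if (withClientKey) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load("PKCS12", "developer.p12", "developassword"), "developassword".toCharArray());
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    // HTTP status, or -1 when the connection fails: handshake refused without a client
    // certificate (the alert may also surface as a connection reset) or server unreachable.
    static int request(boolean withClientKey) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(PAGE).openConnection();
        conn.setSSLSocketFactory(context(withClientKey).getSocketFactory());
        try {
            return conn.getResponseCode();
        } catch (IOException connectionFailed) {
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("with client key:    " + request(true));  // 200 when mutual auth works
        System.out.println("without client key: " + request(false)); // -1: handshake rejected
    }
}
```

Note that clientAuth="true" makes the TLS layer demand a certificate on every connection to that connector; the tomcat-users.xml entry is only consulted by web applications whose web.xml declares the CLIENT-CERT auth-method.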

I think I’ve said everything about the above example. A big thanks to Michael Vorburger’s blog and its article about this issue (http://www.vorburger.ch/blog1/2006/08/setting-up-two-way-mutual-ssl-with.html).

To be fair, I’ve tried to build this example with GlassFish too, but I still have some problems setting the Nickname alias in the administration console. I hope to find a solution and share it here.

Other resources are available at:
