Mutual authentication on Tomcat 5
843833 Apr 30 2004 — edited May 11 2004
Hello,
For the moment I'm experimenting with J2EE security with Tomcat 5.
So far I was able to get BASIC authentication to work and also server Authentication (SSL with certificate).
The next step I wanted to take was to configure Tomcat to use Mutual authentication but so far without success.
Here are the steps I take:
1. Create a client keystore with one certificate using the Java keytool.
2. Create a server keystore with one certificate using the Java keytool (my CN name is localhost and I also use this in my test URL: https://localhost:8443).
3. Export the client certificate from the client keystore to a .cer certificate.
4. Export the server certificate from the server keystore to a .cer certificate.
5. Import my .cer server certificate in my trust store (%JRE_HOME%\lib\security\cacerts). Now the client should trust the server's certificate.
6. Import my .cer client certificate in my server's keystore. This way the server should trust the client.
7. In my server.xml file I have set clientAuth to true and used the keystore parameter to point to the correct certificate:
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https"
secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="c:/keys/serverKeys"
keystorePass="password"/>
As a test I also imported the 2 .cer certificates (client + server) in my IE but I don't think this is needed.
When I start Tomcat and check that it is running at http://localhost:8080, this works, but when I want to use https://localhost:8443 I get the message that the page could not be displayed ...
I have been trying to solve this for several days, but without success ...
Can someone help me, please?
Many thanks!
Best regards,
Tom.
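The following script is an added example, not code from the original post, that walks through the same seven steps with keytool but keeps the two roles apart: the server's own key pair lives in its keystore, while the certificates it must trust (the client's) go into a separate truststore that the connector references with the truststoreFile/truststorePass attributes. It also shows the one thing an exported .cer cannot do: a .cer holds only the public certificate, so a browser that has to present a client certificate needs a PKCS#12 file containing the private key as well. All paths, aliases, the password "changeit" and the CN values are constructed for the demo; the -importkeystore step needs a newer keytool than the one shipped with J2SE 1.4.

```shell
#!/bin/sh
# Added example (not from the original post): build the keystores and
# truststores for mutual TLS with keytool, then emit the matching
# Tomcat connector fragment. All names and passwords are demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # every file goes into a scratch directory
STOREPASS="changeit"            # demo password only

# Generate a keystore holding one self-signed key pair (private key + cert).
make_keystore() {   # $1 = alias, $2 = CN, $3 = keystore path
    keytool -genkeypair -alias "$1" -dname "CN=$2, O=Demo" -keyalg RSA -keysize 2048 \
        -validity 365 -keystore "$3" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export only the certificate (public part) of an alias to a .cer file.
export_cert() {     # $1 = alias, $2 = keystore, $3 = output .cer
    keytool -exportcert -alias "$1" -keystore "$2" -storepass "$STOREPASS" -file "$3"
}

# Import a .cer into a truststore as a trusted certificate, no interactive prompt.
import_cert() {     # $1 = alias, $2 = .cer file, $3 = truststore path
    keytool -importcert -noprompt -alias "$1" -file "$2" -keystore "$3" -storepass "$STOREPASS"
}

# Package the client's private key AND certificate as PKCS#12 for a browser import.
export_pkcs12() {   # $1 = alias, $2 = source keystore, $3 = output .p12
    keytool -importkeystore -noprompt -srckeystore "$2" -srcstorepass "$STOREPASS" \
        -srcalias "$1" -srckeypass "$STOREPASS" -destkeystore "$3" -deststoretype PKCS12 \
        -deststorepass "$STOREPASS"
}

# Returns 0 if the alias exists in the keystore, 1 otherwise.
has_alias() {       # $1 = alias, $2 = keystore
    keytool -list -keystore "$2" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Prints PrivateKeyEntry (key pair) or trustedCertEntry (certificate only).
entry_type() {      # $1 = alias, $2 = keystore
    keytool -list -keystore "$2" -storepass "$STOREPASS" -alias "$1" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

build_mutual_tls_stores() {
    make_keystore client tom       "$WORK/clientKeys"                 # step 1
    make_keystore server localhost "$WORK/serverKeys"                 # step 2
    export_cert   client "$WORK/clientKeys" "$WORK/client.cer"        # step 3
    export_cert   server "$WORK/serverKeys" "$WORK/server.cer"        # step 4
    import_cert   server "$WORK/server.cer" "$WORK/clientTrust"       # step 5: client trusts server
    import_cert   client "$WORK/client.cer" "$WORK/serverTrust"       # step 6: server trusts client
    export_pkcs12 client "$WORK/clientKeys" "$WORK/client.p12"        # what the browser needs

    # Step 7: keystoreFile carries the server's key pair, truststoreFile the client cert.
    cat > "$WORK/connector.xml" <<EOF
<Connector port="8443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true" acceptCount="100"
    scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
    keystoreFile="$WORK/serverKeys" keystorePass="$STOREPASS"
    truststoreFile="$WORK/serverTrust" truststorePass="$STOREPASS"/>
EOF
}

if command -v keytool >/dev/null 2>&1; then
    build_mutual_tls_stores
    echo "serverTrust/client: $(entry_type client "$WORK/serverTrust")"   # trustedCertEntry
    echo "clientKeys/client:  $(entry_type client "$WORK/clientKeys")"    # PrivateKeyEntry
    echo "connector fragment written to $WORK/connector.xml"
else
    echo "keytool not found on PATH; nothing generated" >&2
fi
```

The two entry_type calls at the end are the check worth running before restarting Tomcat: the server's truststore must show the client alias as a trustedCertEntry, and the client's keystore (or the .p12 derived from it) must show a PrivateKeyEntry, because a browser holding only the .cer has no private key to complete the client side of the handshake.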