I have Tomcat configured with clientAuth="want", so that the user can log in with a CERT or without it. Now we have
exposed a REST service on a separate context and want the service to be called with a client CERT, so we have written an
authentication filter for the REST service, and we are checking whether the user has called the service with a CERT or not as below:
X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
So is it enough to check only that the certificate is present in the request, or do we also have to validate that certificate? Our understanding is that Tomcat validates at the handshake level and will not allow an invalid certificate to pass through; is that correct?
Does Tomcat only validate the cert against the trustStore, or does it validate all aspects like expiry and issuer?
Does Tomcat validate whether the certificate is revoked or not?
Tomcat will not pass the request to you unless the certificate is valid, so you're good there.
It can also check if it's revoked, but you'll need to specify a revocation list for that to work (SSLCARevocationFile).
I have a server as a REST API in Spring Boot, and the client is a RestTemplate in another Spring Boot application. Currently, in order to enable HTTPS, I have configured the server.ssl related properties inside the application.properties file of the server, like keystore and truststore details. (It's 2-way SSL.)
I want my server to reject an expired certificate presented by the client. Currently, the server is not checking the validity date of the client certificate automatically.
I am using a keystore and truststore in JKS format.
How do I reject expired client certificates? I am not able to find code.
As per my understanding, in the case of client authentication, the server requests the certificate from the client, and then after the certificate verification the handshake happens.
I just want to know, what does Server do in the certificate verification:
1) It only verifies that the certificate is valid i.e. the user is the true owner of the certificate.
2) It verifies user is the true owner of the certificate and also check the authentication and authorization.
So 1 or 2 ?
In simple terms my question is: is SSL authentication part of the handshake, or is it something which comes into the picture after the handshake?
It is up to the peers whether the full validation of the certificates is done before the handshake on the wire is finished or not. Usually server certificate validation is done before the handshake is finished, and client certificate validation is done at least partially.
But especially in the case of client certificates it might be that the web application running at the server has additional requirements, for example that the certificate is not only signed by a specific CA but that the subject matches an existing user found in the database, and maybe that the fingerprint of the certificate is as stored in the database. In this case the verification is usually only completed after the TLS handshake is finished, since only then is the web application specific logic executed.
... what does Server do in the certificate verification: 1) It only verifies that the certificate is valid i.e. the user is the true owner of the certificate. 2) It verifies user is the true owner of the certificate and also check the authentication and authorization.
It is checked inside the TLS handshake that the client owns the private key to the public key in the certificate. It is commonly also checked that the certificate is signed by a trusted CA, although there might be scenarios where this check is not done and instead it is checked after the handshake that the certificate has the expected fingerprint. Authorization is usually not checked inside the TLS handshake since the TLS stack has usually no idea yet what kind of resource gets accessed and if the specific user authenticated by the certificate is authorized to access this resource.
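Putting the first question on this page (a REST context behind clientAuth="want" that must only be reachable with a client certificate) together with the answer above (the handshake proves key possession and CA signature; subject, fingerprint and authorization are the application's job), here is an added example of the application-side filter. It is not code from either post. The servlet attribute name `javax.servlet.request.X509Certificate` and the `java.security`/`javax.servlet` APIs are real; the `/api/*` mapping, `EXPECTED_ISSUER` and the `ALLOWED_FINGERPRINTS` entries are placeholders for your own registry. It assumes the `javax.servlet` namespace (Tomcat 9 and earlier); on Tomcat 10 the package and the attribute prefix are `jakarta.servlet`.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Application-side checks for a REST context that must be called with a client
 * certificate, deployed behind a connector with clientAuth="want".
 * Tomcat has already verified during the handshake that the client holds the
 * private key and that the chain is signed by a CA in the truststore; what it
 * cannot know is whether this particular certificate belongs to a user that
 * this service is willing to talk to.
 */
@WebFilter("/api/*")  // placeholder mapping for the REST context
public class ClientCertFilter implements Filter {

    /** Attribute under which Tomcat exposes the verified client chain (leaf first). */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Issuer DN of the CA whose client certificates this service accepts (placeholder). */
    static final X500Principal EXPECTED_ISSUER =
            new X500Principal("CN=Example Client CA,O=Example Corp");

    /** SHA-256 fingerprints of enrolled client certificates, lower-case hex (constructed placeholder). */
    static final Set<String> ALLOWED_FINGERPRINTS = Set.of(
            "0000000000000000000000000000000000000000000000000000000000000000");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // clientAuth="want": a request with no certificate still reaches the
        // application, so the presence check is the first gate.
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String problem = verify(certs[0]);
        if (problem != null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, problem);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns null when the certificate is acceptable, otherwise a short reason.
     * The expiry check repeats what the handshake already did; it is cheap
     * insurance against a misconfigured trust manager.
     */
    static String verify(X509Certificate cert) {
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            return "certificate not within its validity period";
        }
        // Compare principals, not DN strings: string forms of the same DN differ by encoding.
        if (!EXPECTED_ISSUER.equals(cert.getIssuerX500Principal())) {
            return "certificate not issued by the expected CA";
        }
        String fp;
        try {
            fp = sha256Fingerprint(cert);
        } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
            return "certificate could not be fingerprinted";
        }
        if (!ALLOWED_FINGERPRINTS.contains(fp)) {
            return "certificate is not enrolled for this service";
        }
        return null;
    }

    /** SHA-256 over the DER encoding: the value `openssl x509 -fingerprint -sha256` prints, without colons. */
    static String sha256Fingerprint(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Revocation is deliberately not handled here: the filter sees the chain only after the handshake, so if you need CRL or OCSP checking it belongs in the connector configuration (the revocation-list attribute mentioned in the first answer), not in application code.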
How do I configure Tomcat to make the browser show the installed certificates (A3; USB token) when a URL (servlet) is called?
I will retrieve the X509 certificate from the servlet request parameter.
Your question is a bit difficult to understand, but I'm guessing that you want tomcat to request a certificate from a client.
If this is the case, then you will want to enable what is called mutual authentication in tomcat.
You will have to set the clientAuth attribute of your Tomcat SSL connector to either want or true. The SSL connector will be found in your Tomcat server.xml file.
'want' asks the client to send a certificate if it has one, but the request will go through if the client doesn't have a certificate; 'true' means the client is required to send a certificate, and the request will fail if the client does not provide one.
More information can be found on the tomcat website:
SSL/TLS Configuration HOW-TO
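As an added illustration of that setting (not taken from the answer or from the Tomcat HOW-TO), here is a server.xml connector carrying the attributes the answer names. The keystore and truststore file names and passwords are placeholders. The truststore is what decides which client CAs are accepted, so it should contain only your client-certificate CA, not the JDK's default cacerts.

```xml
<!-- server.xml: HTTPS connector that asks the browser for a client certificate.
     clientAuth="want": the handshake completes without a certificate and the
     servlet sees a null javax.servlet.request.X509Certificate attribute.
     clientAuth="true": the handshake fails when no certificate is presented.
     On Tomcat 8.5+ the same switch is certificateVerification="optional"
     or "required" on a nested <SSLHostConfig> element. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           keystoreFile="conf/server-keystore.jks"
           keystorePass="changeit"
           clientAuth="want"
           truststoreFile="conf/client-ca-truststore.jks"
           truststorePass="changeit" />
```

Browsers only offer the certificate picker when the CAs in the truststore match an issuer of a certificate installed on the token, so if the dialog never appears, check that the truststore contains the issuing CA of the A3 certificate.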
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSL Configuration:
Use Server Certs: Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That means it is one-way SSL. Correct me if that is wrong.]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created, and everything seems to be fine; I mean the client cannot access the server application without specifying the trust store file location where the server certificate is stored and trusted at the client end.
By the server certificate I mean the same certificate that has been configured in the server Key-store Configuration.
For your information, the client application refers to the trust store as follows:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using SoapUI (open source software). What is confusing is that the request was sent, accepted at the server and proceeded without specifying anything for the server certificate or the trust store location in the SoapUI project configuration!!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, it doesn't check if the CN of the server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA-signed certificate. Most of the root and intermediate certificates of well-known CAs (e.g. VeriSign/Symantec) are already included in the default truststores of most systems. If your server had used a self-signed certificate, then SoapUI would have incurred an SSL error unless you imported the self-signed certificate into the truststore of the host where SoapUI is running.
Is it possible in the Spring framework to have 2 login implementations at the same time for the login page? Form login and certificate-based login (X.509). I've tried either one of these methods, but combining them at the same time is hard for me. Any idea how to enable these two methods? Any book or site reference that I can refer to regarding this?
Thanks
Yes, it is possible, by making the SSL client-auth optional.
Here on Baeldung is a good tutorial on enabling SSL client authentication with X.509 certificates, with forced client-auth (not good for your case, with login form fallback)
Follow that tutorial and pay attention in the application.properties file to set the client-auth to want instead of need. This will make the client-server SSL handshake ask for a certificate.
server.ssl.client-auth=want
If the browser does not provide a certificate (it does not have any configured, or the user clicks cancel when prompted to select a certificate from a list), the SSL handshake will be done without the client certificate, and the user will have to log in with username+password.
If the user chooses a certificate, the SSL handshake is done with the client certificate. The server then verifies the given certificate in the trust-store. If the certificate is valid, the SSL handshake is successfully established. Otherwise, the connection is refused by the server.
Pay attention that:
only the authentication is done with the X.509 certificate. For authorization, you must provide the X509Configurer with a UserDetailsService implementation, to retrieve the UserDetails for the user that just authenticated via X.509;
thus, if you have a database of users with their assigned roles, even if the certificate is in the trust-store, the user might not be in the user database, so you will have to handle this possibility in your application logic, i.e. when the SSL connection is mutual but the user is not present in the user database.
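The configuration the answer describes, as an added example that is neither the answer's code nor the Baeldung tutorial's: X.509 pre-authentication with optional client-auth, form login as the fallback, and a certificate-to-user lookup that refuses unknown subjects. It assumes Spring Boot 2.x with Spring Security 5 (the `WebSecurityConfigurerAdapter` style), `server.ssl.client-auth=want` plus the `server.ssl.trust-store*` properties already in application.properties, and a `CN=...` subject in the client certificates. `CERT_USERS` and the in-memory `bob` account are constructed stand-ins for a real user store.

```java
import java.util.Map;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Two login paths on one application:
 *  - a client certificate that Tomcat/Boot already verified against the truststore
 *    (server.ssl.client-auth=want, so its absence does not fail the handshake);
 *  - the ordinary username/password form for everyone else.
 */
@Configuration
@EnableWebSecurity
public class DualLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Constructed stand-in for the user database: certificate subject CN -> role. */
    private static final Map<String, String> CERT_USERS = Map.of("alice", "ADMIN");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
            // Pre-authentication from the certificate: the CN is extracted from the
            // subject DN and looked up; the handshake already proved key possession.
            .x509()
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(certificateUsers())
            .and()
            // Reached when no certificate was sent, or when its subject is unknown.
            .formLogin()
                .permitAll();
    }

    /**
     * Maps a certificate subject to an account. Throwing for an unknown subject is
     * what keeps a valid-but-unenrolled certificate from being trusted: the X.509
     * filter treats it as a failed pre-authentication and, by default, lets the
     * request continue to the form login instead.
     */
    private UserDetailsService certificateUsers() {
        return cn -> {
            String role = CERT_USERS.get(cn);
            if (role == null) {
                throw new UsernameNotFoundException("no account for certificate subject " + cn);
            }
            // Password is never checked on this path; a non-null placeholder satisfies the builder.
            return User.withUsername(cn).password("n/a").roles(role).build();
        };
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // Constructed demo account for the form login; replace with your real user store.
        auth.inMemoryAuthentication()
            .passwordEncoder(enc)
            .withUser("bob").password(enc.encode("bob-password")).roles("USER");
    }
}
```

The two user stores are intentionally separate: the certificate path must only ever resolve subjects you enrolled, while the form path needs password hashes. If you later switch `server.ssl.client-auth` to `need`, the form login becomes unreachable for clients without a certificate, because the connection is refused before the filter chain runs.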
Yes it is possible. All you need is to declare x509 support in your http config:
<http ...>
...
<x509 ... />
....
</http>
and configure SSL in Tomcat.
See this entry and this thread.