List:       tomcat-user
Subject:    Re: How to setup client certificate based authentication in Tomcat 9
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2023-05-23 15:45:36
Message-ID: 58393fda-eb96-c37e-3c72-02af09a2e444 () christopherschultz ! net

Omkar,

On 5/3/23 00:28, Patkar Omkar Anant wrote:
> The server A where tomcat is running... it hosts a REST based 
> application (BPMN based called Camunda ... it's a 3rd party
> application).
> 
> For e.g., when an application wants to trigger a workflow or BPMN
> deployed in Camunda, then they will fire the appropriate request to URL
> that looks something like this: -
> 
> https://<Server A>/engine-rest/process-definition/key/<name of the process to be invoked>
> 
> Now, the requirement is ..., there are several custom processes
> deployed and multiple clients invoke multiple processes available with
> Camunda,... hence the <name of the process to be invoked> is the dynamic
> part here.
> 
> We want to apply client certificate authentication only for one of
> the process that only Application B will invoke using the above URL.
This ^^^ is the important part.

Are you using a reverse-proxy, or are clients connecting directly to Tomcat?

> Thus, we are looking at: -
> 
> 1) Applying client certificate authentication to only a particular URL and not for all URLs.

In order to do this, you have to tell Tomcat to "ask" for the 
certificate but not require it. The configuration for this is in 
conf/server.xml in the <Connector>[1] you use for your secure endpoint e.g.:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig certificateVerification="optional" truststoreFile="conf/truststore.p12">
    <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
  </SSLHostConfig>
</Connector>

> 2) How to create the trust store ? How is it different from keystore?
> can I use cacerts of the java that is used by tomcat as the trust
> store ?
The only difference between key stores and trust stores is how you use 
them. Physically, on the disk, they are the same thing. Java can use JKS 
or PKCS12 keystores, which is just a way to put multiple keys and/or 
certificates into a single file.

> 3) Is enabling SSL mandatory for client certificate authentication ?
> because we any ways will import the client certificate in the trust
> store so is enabling SSL and sharing server certificate to client
> required here ?
Yes. Client-certificate-based authentication is often called "mutual 
authentication" because the client authenticates the server (which is 
very common and what happens when you visit https://www.wikipedia.org/) 
and ALSO the server authenticates the client (which is less common, and 
really only used for private connections where the server knows all of 
the clients who might connect). The certificates are traded back and 
forth during the TLS handshake, so TLS is indeed required.

There is probably a way to use X.509 keys and certificates for mutual 
authentication that doesn't involve TLS but your server and client would 
have to invent a new way to do that and implement it on both sides of an 
unencrypted connection.

-chris


[1] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
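
With certificateVerification="optional" the connector only asks for the certificate; deciding which URL actually needs one has to happen inside the request path. The servlet filter below is an added example (not code from this thread, from Tomcat or from Camunda) of that second half: it reads the client chain Tomcat attaches to the request, lets every URL through except one process-definition key, and for that key requires a verified certificate whose subject is Application B's. The package, class, process key and subject DN are hypothetical.

```java
// ClientCertForOneProcessFilter.java
// Added example, not code from the mailing-list post, from Tomcat or from Camunda.
// Assumes Tomcat 9 (javax.servlet API) with the HTTPS <SSLHostConfig> set to
// certificateVerification="optional": Tomcat then asks every client for a certificate,
// verifies one against the truststore if it is sent, but does not reject clients that
// send none. This filter turns that into a hard requirement for exactly one process key.
// The package, class, process key and subject DN below are hypothetical.
package example.mtls;

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Requires a verified client certificate, from one known subject, for one Camunda process key. */
@WebFilter(urlPatterns = "/*")
public class ClientCertForOneProcessFilter implements Filter {

    /** Tomcat sets this request attribute to the verified chain; it is absent when no cert was sent. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Hypothetical: the one process only Application B may start, and the subject of B's cert. */
    static final String PROTECTED_KEY = "invoiceApprovalForAppB";
    static final String APP_B_SUBJECT = "CN=application-b,O=Example Corp";

    /** Path prefix of the URL shape quoted in the thread; the key is the segment after it. */
    static final String KEY_PREFIX = "/engine-rest/process-definition/key/";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String reason = rejectionReason(request.getRequestURI(), certs);
        if (reason == null) {
            chain.doFilter(req, res);   // not the protected process, or Application B's cert
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
        }
    }

    /** Pure decision, kept separate from the servlet plumbing so it can be unit-tested. */
    static String rejectionReason(String requestUri, X509Certificate[] chain) {
        if (!PROTECTED_KEY.equals(processKeyOf(requestUri))) {
            return null;                // everything else stays reachable without a cert
        }
        if (chain == null || chain.length == 0) {
            return "client certificate required for process " + PROTECTED_KEY;
        }
        // chain[0] is the client's own (leaf) certificate; getName() yields the RFC 2253 form,
        // which is what makes a plain string comparison against APP_B_SUBJECT meaningful.
        String subject = chain[0].getSubjectX500Principal().getName();
        if (!APP_B_SUBJECT.equals(subject)) {
            return "client certificate subject not authorised for process " + PROTECTED_KEY;
        }
        return null;
    }

    /** The segment after ".../process-definition/key/", or null if the URI is not such a URL. */
    static String processKeyOf(String requestUri) {
        if (requestUri == null || !requestUri.startsWith(KEY_PREFIX)) {
            return null;
        }
        String rest = requestUri.substring(KEY_PREFIX.length());
        int slash = rest.indexOf('/');
        return slash < 0 ? rest : rest.substring(0, slash);
    }
}
```

Two points worth checking before relying on this. First, "optional" still means Tomcat validates any certificate a client does present against the connector's truststore, so if that truststore is the JDK's cacerts, a certificate from any public CA passes the TLS layer; the subject comparison above is what narrows access to Application B, and pinning the certificate's fingerprint instead of its DN is the stricter variant. Second, the javax.servlet.request.X509Certificate attribute is populated by the connector that terminated TLS; if a reverse proxy terminates TLS in front of Tomcat (the question asked in the reply), the proxy has to forward the certificate and Tomcat's SSLValve has to re-create the attribute, otherwise the filter sees no chain and rejects everything for the protected key. The class must be packaged in the engine-rest webapp (WEB-INF/classes) for the @WebFilter annotation to be scanned.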

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
