User Auth with SSL in Tomcat

  1. Create a JKS store containing the server certificate, its private key, and the CA certificate.
  2. Activate the container's HTTPS connector, setting clientAuth="true", keystoreFile and truststoreFile (they may point to the same file). Without a truststore the server has no CA to verify client certificates against.
        <Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="true" sslProtocol="TLS"
                   truststoreFile="conf/singer.jks"
                   keystoreFile="conf/singer.jks" keystorePass="tomcat"/>
    
  3. Create a client certificate signed by the same CA to test with.
  4. Set up a JSP page in the ROOT context (test.jsp, the page the wget step below requests) that prints the subject DN of each certificate in the chain the client presented:
    <%@ page import="java.security.cert.X509Certificate" %>
    <%
    // Chain presented by the client; element 0 is the client's own certificate.
    // The attribute is null when the request did not arrive over the clientAuth="true" connector.
    X509Certificate[] cert = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    if (cert == null) {
        out.println("<p>No client certificate presented</p>");
    } else {
        for (int i = 0; i < cert.length; i++) {
            out.println("<p>" + cert[i].getSubjectDN() + "</p>");
        }
    }
    %>

  5. Fetch the page with wget, presenting the client certificate and key (--no-check-certificate only disables verification of the server's certificate, which is acceptable for this local test):
    wget --no-check-certificate --certificate=usercert.pem --private-key=userkey.pem https://localhost:8443/test.jsp
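As an added example (not code from the original wiki page), the same request attribute the JSP above reads, enforced in a servlet Filter so that every request on the HTTPS connector is checked: requests without a client certificate are refused, the validity dates are checked, and only certificates issued by the CA in the truststore are accepted. The filter init-param expectedIssuer, the attribute name auth.clientCertSubject and the class name are assumptions.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: refuses requests that carry no client certificate and
// publishes the verified subject DN for the application. Tomcat has already
// validated the chain against truststoreFile before this code runs.
public class ClientCertFilter implements Filter {
    // Attribute name from the Servlet spec, the same one the JSP above reads.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Attribute under which the authenticated subject DN is published (assumed name).
    static final String USER_ATTR = "auth.clientCertSubject";
    // Issuer DN of the CA in the truststore, in RFC 2253 form; set via filter init-param.
    private String expectedIssuer;

    @Override
    public void init(FilterConfig cfg) {
        expectedIssuer = cfg.getInitParameter("expectedIssuer");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // Null on a plain HTTP connector, or on an SSL connector without clientAuth="true".
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        X509Certificate leaf = certs[0]; // element 0 is the client's own certificate
        try {
            leaf.checkValidity(); // notBefore / notAfter
        } catch (CertificateException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }
        // Accept only certificates issued by the CA we loaded into the truststore.
        if (expectedIssuer != null
                && !expectedIssuer.equals(leaf.getIssuerX500Principal().getName())) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "unexpected certificate issuer");
            return;
        }
        req.setAttribute(USER_ATTR, leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }
}
```

Map the filter to the protected URL patterns in web.xml; the JSP can then read the DN from the auth.clientCertSubject attribute instead of parsing the chain itself.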