How to set up tomcat with server authentication and client certificate authentication enabled

When I do my daily work, I need to set up a server with client certificate authentication enabled. Now I record all the steps for future reference.

ENV: windows7/x86, tomcat-7.0.79, jdk1.7.0_151

Generally, the steps are as follows:

  1. Create a certificate for the tomcat server. The client has to trust this certificate.
  2. Create a keystore for the tomcat server, and import the server certificate into it.
  3. Create a certificate for the client. The server has to trust this certificate.
  4. Import the client certificate into the server keystore.
  5. Update the tomcat server.xml file with the correct Connector XML.

Detailed steps:

1. Create certificate/keystore for server and client

# For the following commands, set the values in parentheses to whatever makes sense for your environment. The parentheses themselves are not part of the command.

# This is an all-in-one command that generates a certificate for the server and places it in a keystore file, while setting both the certificate password and the keystore password.
# The net result is a file called "tomcat.keystore".

keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=oracle,OU=java,O=oracle,L=SC,ST=California,C=US" -keystore tomcat.keystore -keypass changeit -storepass changeit

# This is the all-in-one command that generates the certificate for the client and places it in a keystore file, while setting both the certificate password and the keystore password.
# The net result is a file called "client.keystore"

keytool -genkeypair -alias clientcert -keyalg RSA -dname "CN=client,OU=java,O=oracle,L=SC,ST=California,C=US" -keypass changeit -keystore client.keystore -storepass changeit

# This command exports the client certificate.
# The net result is a file called "client.cer" in the directory where the command is run.

keytool -exportcert -rfc -alias clientcert -file client.cer -keypass changeit -keystore client.keystore -storepass changeit

# This command imports the client certificate into the "tomcat.keystore" file.

keytool -importcert -alias clientcert -file client.cer -keystore tomcat.keystore -storepass changeit -noprompt

2. Configure your connector in the tomcat server.xml:

<Connector port="8443"
    maxThreads="150"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    truststoreFile="/full-path-to/tomcat.keystore"
    truststorePass="(password)"
    keystoreFile="/full-path-to/tomcat.keystore"
    keystorePass="(password)"
    clientAuth="true"
    keyAlias="servercert"
    sslProtocol="TLS"/>

Additionally, in the server.xml, ensure that you DO NOT have an AprLifecycleListener defined. The XML for that listener will look something like this:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

That element should be deleted or commented out. The AprLifecycleListener is not configured the same way as described above, and will not work with these instructions.

3. Test your server configuration

Start the Tomcat server and load the following URL in your browser:

https://mytomcatdomain.com:8443

You should get the standard alert from Firefox or IE about an untrusted connection, because we created a self-signed certificate for our Tomcat server. Accept to proceed. You should then get a "Secure Connection Failed" message with the error code "ssl_error_bad_cert_alert". This confirms that our Tomcat server is requesting authentication from the client. The request fails because we have not yet configured the browser to send our trusted client certificate.

4. Extract the private key from client.keystore

# This extracts the client private key from the client keystore. DumpPrivateKey is a helper class that is not included in this post.

java DumpPrivateKey client.keystore changeit clientcert > clientkey.pkcs8

# This creates a client.p12 file that can be used by Firefox

openssl pkcs12 -export -in client.cer -inkey clientkey.pkcs8 -password pass:changeit -out client.p12
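
The keystore steps above (steps 1 and 4) as an added shell script that is not part of the original post: it runs the same keytool commands in a scratch directory, builds the browser's client.p12 with keytool -importkeystore instead of the DumpPrivateKey helper plus openssl, and checks that tomcat.keystore ends up holding the server's PrivateKeyEntry and the client's trustedCertEntry. It assumes keytool from a JDK is on PATH; the function names and the working-directory argument are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the article's keystore steps as one script.
# Assumes keytool (JDK 7 or later) is on PATH. "changeit" is the post's demo password.
set -eu

PASS="changeit"

# Step 1: server and client key pairs, client cert exported and imported into
# tomcat.keystore, which the Connector uses as both keystore and truststore.
build_keystores() {   # $1 = working directory
  keytool -genkeypair -alias servercert -keyalg RSA -keysize 2048 \
    -dname "CN=oracle,OU=java,O=oracle,L=SC,ST=California,C=US" \
    -keystore "$1/tomcat.keystore" -keypass "$PASS" -storepass "$PASS"
  keytool -genkeypair -alias clientcert -keyalg RSA -keysize 2048 \
    -dname "CN=client,OU=java,O=oracle,L=SC,ST=California,C=US" \
    -keystore "$1/client.keystore" -keypass "$PASS" -storepass "$PASS"
  keytool -exportcert -rfc -alias clientcert -file "$1/client.cer" \
    -keystore "$1/client.keystore" -storepass "$PASS"
  keytool -importcert -alias clientcert -file "$1/client.cer" \
    -keystore "$1/tomcat.keystore" -storepass "$PASS" -noprompt
}

# Step 4 without DumpPrivateKey: keytool converts the client keystore to PKCS#12
# directly, so the private key is never written out as a bare file.
export_client_p12() {   # $1 = working directory
  keytool -importkeystore -srckeystore "$1/client.keystore" -srcstorepass "$PASS" \
    -srcalias clientcert -destkeystore "$1/client.p12" -deststoretype PKCS12 \
    -deststorepass "$PASS" -noprompt
}

# Entry type of an alias in tomcat.keystore: PrivateKeyEntry for the server's own
# key, trustedCertEntry for the imported client certificate.
entry_type() {   # $1 = working directory, $2 = alias
  keytool -list -keystore "$1/tomcat.keystore" -storepass "$PASS" -alias "$2" \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

main() {   # $1 = working directory (must not already hold the keystores)
  build_keystores "$1" >/dev/null
  export_client_p12 "$1" >/dev/null
  echo "server key entry  : $(entry_type "$1" servercert)"   # PrivateKeyEntry
  echo "client trust entry: $(entry_type "$1" clientcert)"   # trustedCertEntry
  echo "browser bundle    : $1/client.p12"
}

if command -v keytool >/dev/null 2>&1; then
  main "${1:-$(mktemp -d)}"
else
  echo "keytool not found on PATH; install a JDK" >&2
fi
```

Point the Connector's keystoreFile and truststoreFile at the generated tomcat.keystore and import client.p12 into the browser as in steps 2 and 5.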

5. Import client.p12 into the browser

For Firefox, open preferences. Click on the "Certificates" tab. Click on the "View Certificates" button. Click on the "Your Certificates" tab. Click on the "Import" button and browse to the "client.p12" file that was created previously. You should be prompted to enter the password for the client certificate.

For IE, open Internet options-> Content->Certificates->Personal. Click on the "Import" button and browse to the "client.p12" file that was created previously. You should be prompted to enter the password for the client certificate.

6. Refresh your browser page, and you should get a successful response from your Tomcat server endpoint.

