ohaya
Hi,
I have a standalone Tomcat server that I've configured for both client
and server SSL authentication. I am aware that most would say that I
should use Apache and a connector in front of Tomcat, but for a number
of reasons, I'm being forced to go the standalone Tomcat route (plus the
site will be very low-traffic).
As I indicated, I have the client and server authentication working, but
from what I can tell so far, there doesn't seem to be an inherent way to
configure Tomcat, which apparently uses JSSE for the SSL features, to do
CRL checking (i.e., checking whether client certs are in a CRL).
I have a separate mechanism/method to periodically pull a CRL file onto
the server where Tomcat is going to be running, but I'm wondering what
the best approach would be to incorporate CRL checking of the client
certs, and so I thought that I might post here in the hopes that someone
might have some ideas.
I think that I could do something like write code that would initially
check the client cert against the CRL on local drive and then set a
session variable (e.g., "authenticated"), and then have code on each
page to check whether the session variable is set or not, but this seems
like a kind of brute force approach.
I'm looking forward to any suggestions.
Thanks in advance,
Jim
P.S. Since Tomcat uses JSSE, I've been reading through the JSSE docs.
I'm kind of surprised that so far at least, I have seen very little in
these docs mentioning CRLs and CRL checking. I guess I would've
expected that CRL checking would've been a key requirement in any kind
of software that involves PKI.
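One way to do the CRL check without per-page session flags is a servlet filter, added here as an example that is not the poster's code. It reads the client certificate chain that Tomcat exposes on the request under the standard attribute name `javax.servlet.request.X509Certificate`, loads the locally pulled CRL, verifies the CRL's signature against the issuing CA certificate, and rejects the request if the CRL is stale or lists the certificate. The file paths, the filter class name and the choice to fail closed on a missing or stale CRL are assumptions for the example, not anything the post specifies. (Later Tomcat releases added a `crlFile` attribute on the JSSE connector; where that is available it is the simpler route, and the filter below is the fallback.)

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not from the original post) that rejects requests whose
 * client certificate is listed in a CRL stored on the local disk.
 */
public class CrlCheckFilter implements Filter {
    // Assumed locations; the post only says a CRL is pulled onto the server periodically.
    private static final String CRL_PATH = "/etc/tomcat/client-ca.crl";
    private static final String CA_CERT_PATH = "/etc/tomcat/client-ca.pem";

    private X509Certificate issuerCert;       // CA that signs client certs and the CRL
    private volatile X509CRL crl;             // currently loaded CRL
    private volatile long crlLastModified = -1;

    public void init(FilterConfig cfg) throws ServletException {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(CA_CERT_PATH)) {
                issuerCert = (X509Certificate) cf.generateCertificate(in);
            }
            reloadIfChanged();
        } catch (Exception e) {
            throw new ServletException("cannot load CA certificate or CRL", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Tomcat populates this attribute only when the SSL connector asked for a client cert.
        X509Certificate[] clientChain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (clientChain == null || clientChain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            reloadIfChanged();                // pick up a freshly pulled CRL file
        } catch (Exception e) {
            // Fail closed: without a trustworthy CRL we cannot vouch for the certificate.
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "CRL unavailable");
            return;
        }
        X509Certificate leaf = clientChain[0];
        X509CRL current = crl;
        Date now = new Date();
        // A CRL past its nextUpdate no longer says anything reliable about revocation.
        if (current.getNextUpdate() != null && now.after(current.getNextUpdate())) {
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "CRL is stale");
            return;
        }
        // The CRL is only authoritative for certificates issued by the same CA.
        if (!current.getIssuerX500Principal().equals(leaf.getIssuerX500Principal())
                || current.isRevoked(leaf)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate revoked");
            return;
        }
        next.doFilter(req, res);
    }

    public void destroy() { }

    /** Reloads the CRL when the file on disk changes, verifying its signature first. */
    private synchronized void reloadIfChanged() throws Exception {
        File f = new File(CRL_PATH);
        if (f.lastModified() == crlLastModified && crl != null) {
            return;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(f)) {
            X509CRL loaded = (X509CRL) cf.generateCRL(in);
            loaded.verify(issuerCert.getPublicKey()); // reject a CRL not signed by our CA
            crl = loaded;
            crlLastModified = f.lastModified();
        }
    }
}
```

Register the filter in the application's `web.xml` with a `url-pattern` of `/*` so every request carries the check; because the check runs per request against the current CRL file, a client whose certificate is revoked between two requests is cut off at the next request rather than staying "authenticated" for the life of a session.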