尝试使用智能卡对Tomcat进行身份验证

时间:2019-02-18 19:56:26

标签: tomcat smartcard

在server.xml文件中,我的Tomcat服务器具有有效的SSL配置:

<Connector port="58443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" compression="2048" clientAuth="false"
    sslProtocol="TLSv1.2" URIEncoding="UTF-8" sslEnabledProtocols="TLSv1.2"
    keystoreFile="conf/keystore" keystorePass="changeit"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    maxSwallowSize="0"/>

我想要求使用智能卡才能访问服务器。我找到了Enable Tomcat server for Smart card Authentication,并尝试根据自己的情况调整说明。我使用Windows certmgr来获取智能卡的证书,并将其安装在密钥库文件中:

keytool -importcert -file 'My SecureBadge Basic G2.cer' -keystore ./keystore -alias rootca
keytool -importcert -file 'My Hardware Root CA.cer' -keystore ./keystore -alias serverca

我的密钥库现在包含以下3个条目:

rootca, Feb 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 2D:70:FE:85:F9:C6:7F:E8:13:9A:73:A9:A1:2D:32:24:1A:EC:EC:5B
serverca, Feb 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 5B:E5:34:32:FB:2B:50:1E:FB:DE:CD:E9:C7:55:1F:08:2B:5D:5D:C6
mysslcert, Jan 16, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 2A:B4:24:7D:2F:E1:E4:E3:E0:7C:90:00:87:88:91:DD:15:39:EC:D8

然后我添加了第二个连接器进行测试:

<Connector port="59443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" compression="2048" clientAuth="true"
    secure="true" SSLVerifyClient="require" SSLEngine="on"
    sslProtocol="TLSv1.2" URIEncoding="UTF-8" sslEnabledProtocols="TLSv1.2"
    keystoreFile="conf/keystore" keystorePass="changeit"
    truststoreFile="conf/keystore" truststorePass="changeit"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    maxSwallowSize="0"/>

当我尝试连接时,出现一个弹出窗口:

Please enter the master password for the Oberthur ID One v7PIV PIV pro...

我不知道该密码。尝试输入PIN码无效。有任何想法吗?我想知道是否需要做更多事情来告诉Tomcat我的根CA。

1 个答案:

答案 0 :(得分:0)

我主要是通过将密钥存储分为两部分来工作的。现在,实际的密钥存储区仅包含SSL证书,另一个称为“ piv-truststore”,并且仅包含智能卡证书。这似乎正在工作。我会得到同样的提示,要求“输入主密码”,但现在它接受我的PIN码(当且仅当将智能卡插入读卡器时)。

<Connector port="59443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" compression="2048" clientAuth="true"
    secure="true" SSLVerifyClient="require" SSLEngine="on" 
    sslProtocol="TLSv1.2" URIEncoding="UTF-8" sslEnabledProtocols="TLSv1.2"
    keystoreFile="conf/keystore" keystorePass="changeit"
    truststoreFile="conf/piv-truststore" truststorePass="changeit"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    maxSwallowSize="0"/>

还有一个问题,就是我仍然被提示使用密码登录。我怀疑我需要建立一个特殊的领域或将完成AD身份验证的东西。

相关问题
最新问题