Application running on tomcat fails to pass client-auth when connecting to service


I have been banging my head on a wall for some time with this and hope somebody can explain to me what I am doing wrong. I have a Tomcat server on which an application is deployed and is contacting another service. Everything works until the client enables client-auth on his load balancer. Tomcat -> app -> LB with client auth -> endpoint. Enabling handshake debug on the JVM returns this:

javax.net.ssl|FINE|0F|myScheduler-1| UTC|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|FINE|0F|myScheduler-1| UTC|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|FINE|0F|myScheduler-1| UTC|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": <empty list>
)

As far as I have read, this means no certificates have been found that would fit the requirements of the client-auth. The application and the SSL port of Tomcat have their defined keystore, and in it keypairs for both, and while different, both should pass, as the client auth is only asking for a cert signed by a certain CA (they both are). And within cacerts I have all the required certificates of the CA authorities. I tried putting the certificates themselves into cacerts, but got the same result. Tomcat port config:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
            keystoreFile="/usr/local/tomcat/config/pkcs_keystore.jks"
            keystorePass="***************"
            keyAlias="server_alias" />

I tried connecting via a browser to the endpoint and sure enough it asked me for a certificate. I supplied it with the "server_alias" certificate and it works flawlessly, so I have no idea why it won't work with Tomcat.

I am a system engineer so I have no idea if this is perhaps something that has to be done within the application itself? Any help would be welcome.
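The handshake lines quoted above ("No X.509 certificate for client authentication, use empty Certificate message instead") are what JSSE logs when the outbound connection has no KeyManager that can answer the server's CertificateRequest. The `keystoreFile` on the Tomcat `<Connector>` only configures the server side of Tomcat's own listening port; an application's outbound HTTPS calls use the JVM's default SSL context, which has no client key unless `javax.net.ssl.keyStore` is set or the application loads a keystore itself. The following is an added example (not code from the question or from Tomcat) that loads a keystore into a KeyManager for an outbound connection and also lists each private-key entry with its issuer, so it can be compared with the CA names the load balancer sends in its CertificateRequest; the JSSE KeyManager only offers a key whose issuer matches one of those names. The class name, argument order and the keystore type argument are assumptions for the example.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Hypothetical helper class, added here for illustration.
public class MutualTlsClient {

    // Builds an SSLContext whose KeyManager can answer a CertificateRequest.
    // Without a KeyManager (the JSSE default when javax.net.ssl.keyStore is
    // unset) the client sends an empty Certificate message, which is exactly
    // what the handshake log in the question shows.
    public static SSLContext clientContext(Path keystore, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);          // "JKS" or "PKCS12"
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        // Trust stays on the JVM default (cacerts / javax.net.ssl.trustStore):
        // passing null for the TrustManagers selects the default ones.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Prints every private-key entry with subject and issuer. The KeyManager
    // picks a client certificate only if its chain is issued by one of the
    // CA names the server lists in its CertificateRequest, so an issuer that
    // does not appear in that list explains an empty Certificate message
    // even though the key is present in the keystore.
    public static void printClientCandidates(Path keystore, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;                                   // trusted-cert entries cannot be offered
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;                                   // e.g. secret-key entries
            }
            X509Certificate cert = (X509Certificate) c;
            System.out.println(alias + " -> subject=" + cert.getSubjectX500Principal()
                    + " issuer=" + cert.getIssuerX500Principal());
        }
    }

    // Usage (assumed argument order): <keystore> <password> <JKS|PKCS12> [https-url]
    public static void main(String[] args) throws Exception {
        Path ksPath = Path.of(args[0]);                     // e.g. /usr/local/tomcat/config/pkcs_keystore.jks
        char[] pass = args[1].toCharArray();
        String type = args[2];
        printClientCandidates(ksPath, pass, type);
        if (args.length > 3) {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[3]).openConnection();
            conn.setSSLSocketFactory(clientContext(ksPath, pass, type).getSocketFactory());
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

If the application relies on the JVM default SSL context rather than building its own, the same effect can be had without code changes by starting Tomcat with `-Djavax.net.ssl.keyStore=<path>`, `-Djavax.net.ssl.keyStorePassword=<password>` and `-Djavax.net.ssl.keyStoreType=<JKS|PKCS12>` (for example in CATALINA_OPTS); those properties are read when the default KeyManager is created, so a restart is required, and they do nothing for a client library that constructs its own SSLContext, which then has to load a KeyManager as in `clientContext` above.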
