一段时间以来,我一直在设置 OpenAM 时遇到问题,但仍然无法使其按预期工作。我希望 OpenAM 能够通过我自己的 EJBCA 副本执行 OCSP 验证用户身份验证。因此,我需要 tomcat 提示输入用户证书并将其传递给 OpenAM。从 HTTPS 访问 OpenAM 没问题,用户可以使用密码登录(OpenAM 中的根域)。但是,tomcat 在访问为证书登录设计的领域(OpenAM 中需要证书的子领域)时不会提示用户证书。有人对此有任何想法吗?这是与 SSL 相关的我的 Tomcat 配置的 server.xml 片段:
<Connector port="8181" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8445" />
<Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/opt/sso/apache-tomcat-7.0.52/conf/keystore"
keystorePass="password"
truststoreFile="/opt/sso/apache-tomcat-7.0.52/conf/keystore"
truststorePass="password"
clientAuth="want" sslProtocol="TLS" />
在我的案例中,web.xml 文件没有变化。谢谢。
根据 Bernhard 的建议,这是 openssl s_client -connect FQDN:8445 的输出
CONNECTED(00000003)
depth=1 CN = leopardrootCA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=ncw01271123114/OU=ouname/O=O-name/L=j/ST=a/C=us
i:/CN=leopardrootCA
1 s:/CN=leopardrootCA
i:/CN=leopardrootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlzCCAwC--too_long_too_show
-----END CERTIFICATE-----
subject=/CN=ncw01271123114/OU=ouname/O=O-name/L=j/ST=a/C=us
issuer=/CN=leopardrootCA
---
Acceptable client certificate CA names
/CN=leopardrootCA
/CN=ncw0127114/OU=ouname/O=O-name/L=j/ST=a/C=us
---
SSL handshake has read 2097 bytes and written 403 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-DSS-AES256-SHA
Session-ID: 53309AA15C218F41330C077476A3BDAE352CAFD84A503A281EA09AE884BA73D9
Session-ID-ctx:
Master-Key: EF5016A9D8236A704313720FC2E1A1B9FAC47A744F6A9B53E80BBEF8D1141476E050A71F3C50498ABEE1F790A2D76891
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1395694241
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
最佳答案
从下面的握手信息可以看出
Acceptable client certificate CA names
/CN=leopardrootCA
/CN=ncw0127114/OU=ouname/O=O-name/L=j/ST=a/C=us
Tomcat 正在请求客户端证书,并且只接受由这些证书颁发机构之一颁发的证书。
关于Tomcat 不提示 Web 应用程序证书 (OpenAM),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/22611714/