Configuring Linux Tomcat Java smartcard authentication.

smuthhomelyServers

Nov 17, 2013




Configuring Linux Tomcat Java web server to support Latvia’s eID smartcard authentication.

Version 1.01

Version info

Date         Version   Changes, updates
30.10.2012   1.01      First public release

Test environment

OS: Red Hat Enterprise Linux Server 6.2 (Santiago) as virtual guest on VMware 7

Webserver: Apache Tomcat

Live test demo site: http://eidtsttom.pmlp.gov.lv




Java installation

Install the "jpackage-utils" first:

yum install jpackage-utils

Download Java from the Oracle website at

http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1637583.html

and download the one labeled "Java SE Development Kit (JDK)".

On the following page choose Linux x64: jdk-7u6-linux-x64.rpm

Once downloaded do the following:

1. chmod +x jdk-7u6-linux-x64.rpm

2. ./jdk-7u6-linux-x64.rpm

This will start the installation process for the JDK. After that there is nothing else to do. Check that Java is installed with:

java -version


If you get something like the below, all is well:

java version "1.6.0_11"
Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
Java HotSpot(TM) Client VM (build 11.0-b16, mixed mode, sharing)


Tomcat installation

The test system uses Apache Tomcat6 v6.0.24.

To install Tomcat6, download from the Red Hat Enterprise Linux Server 6.2 repository and install the following packages:

apache-tomcat-apis-0.1-1.el6.noarch.rpm
jakarta-taglibs-standard-1.1.1-11.4.el6.noarch.rpm
tomcat6-6.0.24-33.el6.noarch.rpm
tomcat6-admin-webapps-6.0.24-33.el6.noarch.rpm
tomcat6-el-2.1-api-6.0.24-33.el6.noarch.rpm
tomcat6-jsp-2.1-api-6.0.24-33.el6.noarch.rpm
tomcat6-lib-6.0.24-33.el6.noarch.rpm
tomcat6-servlet-2.5-api-6.0.24-33.el6.noarch.rpm
tomcat6-webapps-6.0.24-33.el6.noarch.rpm
tomcatjss-2.1.0-2.el6.noarch.rpm
xalan-j2-2.7.0-9.8.el6.noarch.rpm

Please note that these packages are for Red Hat Enterprise Linux Server 6.2 (Santiago) and some of them may not be needed depending on your server configuration.

Tomcat webapps folder: /usr/share/tomcat6/webapps/ROOT

Tomcat configuration files: /usr/share/tomcat6/conf/server.xml

Tomcat log files: /usr/share/tomcat6/logs

Catalina home: /usr/share/tomcat6


Web certificate installation

1. Enter the following command:

keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

2. You will be prompted for a password. Tomcat uses the default password changeit.

3. Enter Distinguished Name (DN) information:

First and last name - This is the Common Name. The common name is the fully-qualified domain name (FQDN), host name, or URL to which you plan to apply your certificate. Do not enter your personal name in this field.

Organizational unit - Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.

Organization - The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in the Organization field, and the DBA (doing business as) name in the Organizational Unit field.

City/Locality - Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.

State/Province - Name of the state or province where your organization is located. Please enter the full name. Do not abbreviate.

Country code - The two-letter International Organization for Standardization (ISO) format country code for the country in which your organization is legally registered.

4. Confirm that the Distinguished Name information is correct.


To generate a CSR

1. Enter the following command:

keytool -certreq -keyalg RSA -alias tomcat -file <your file name>.csr -keystore tomcat.keystore

2. Enter the keystore password you created when generating the private key.


To install the SSL web certificates (example with GoDaddy CA certs):

Using keytool, enter the following commands to install the certificates.

1. Install the root certificate:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt

2. Install the first intermediate (gd_cross_intermediate.crt):

keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt

3. Install the issued certificate:

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of your certificate>

4. Install the eID certificate

Root and intermediate CA certificates are available here:

https://www.eparaksts.lv/en/eid-card/downloads/basic-certificates-for-smart-cards/

A tested, combined and converted version is available here:

http://eidtstapa.pmlp.gov.lv/eid_lv.crt

keytool -import -alias eid_lv -keystore /etc/tomcat6/tomcat.keystore -trustcacerts -file /<path>/eid_lv.crt
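Before pointing server.xml at the keystore it is worth confirming that the imports above produced what Tomcat needs: the CA reply must have replaced the self-signed certificate on the "tomcat" key entry (if it was imported under any other alias it becomes a separate trusted entry and Tomcat keeps serving the self-signed certificate), and every trusted entry in the file is offered to browsers as an acceptable client CA, so each should really be a CA certificate. The following checker is an added example written for this guide, not code from the original document or the eidtsttom project; it assumes a JKS keystore whose path and password are given on the command line, the server key under alias "tomcat" and the eID CA bundle under alias "eid_lv".

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/*
 * Added example, not part of the original guide: sanity-check the keystore built
 * with the keytool commands above. Assumptions: JKS keystore path and password
 * on the command line, server key under alias "tomcat", eID CAs under "eid_lv".
 */
public class KeystoreCheck {

    /** Returns the number of problems found; 0 means the keystore looks usable. */
    public static int check(KeyStore ks, String keyAlias, String clientCaAlias) throws Exception {
        int problems = 0;

        // 1. The server certificate must be a private-key entry whose chain came
        //    from the CA reply, not the self-signed certificate created by -genkey.
        if (!ks.isKeyEntry(keyAlias)) {
            System.out.println("FAIL: alias '" + keyAlias + "' is not a private-key entry");
            problems++;
        } else {
            Certificate[] chain = ks.getCertificateChain(keyAlias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("Server chain for '" + keyAlias + "' (" + chain.length + " certs):");
            for (Certificate c : chain) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal().getName());
            }
            boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            if (chain.length == 1 && selfSigned) {
                System.out.println("FAIL: '" + keyAlias
                        + "' still holds only the self-signed certificate; CA reply was not imported");
                problems++;
            }
            try {
                leaf.checkValidity();
            } catch (CertificateException e) {
                System.out.println("FAIL: server certificate is not currently valid: " + e.getMessage());
                problems++;
            }
        }

        // 2. truststoreFile points at this same file, so every trusted entry is
        //    advertised as an acceptable client CA; each should carry cA=TRUE.
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            X509Certificate x = (X509Certificate) ks.getCertificate(alias);
            boolean isCa = x.getBasicConstraints() >= 0; // -1 means "not a CA"
            System.out.println("Trusted entry '" + alias + "': "
                    + x.getSubjectX500Principal().getName() + (isCa ? " [CA]" : " [NOT a CA]"));
            if (!isCa) {
                problems++;
            }
        }

        // 3. Without the eID CA bundle no card certificate can chain to the truststore.
        if (!ks.containsAlias(clientCaAlias)) {
            System.out.println("FAIL: no trusted entry '" + clientCaAlias
                    + "'; client authentication cannot succeed");
            problems++;
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeystoreCheck /etc/tomcat6/tomcat.keystore <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int problems = check(ks, "tomcat", "eid_lv");
        System.out.println(problems == 0 ? "OK" : problems + " problem(s) found");
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

Compile with javac and run it against /etc/tomcat6/tomcat.keystore with the password chosen in the keytool steps; a non-zero exit code means the keystore should be fixed before Tomcat is restarted with it. Keeping server key and client CAs in one file, as this guide does, works, but the check in step 2 is the reason a separate truststore is usually preferred: anything added to the keystore for another purpose also becomes an accepted client CA.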


After importing the certificates into the keystore, you need to update the server.xml file in the Tomcat directory with the correct keystore location.

Update the following elements in server.xml:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               proxyPort='80'
               redirectPort="8443" />

    <!-- HTTPS connector requiring a client certificate.
         keystoreFile/truststoreFile/clientAuth are the JSSE connector attributes;
         SSLEngine/SSLVerifyClient/SSLVerifyDepth are the APR (tcnative) equivalents.
         Replace "password" with the keystore password set in the keytool steps. -->
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="true"
               keystoreFile="/etc/tomcat6/tomcat.keystore"
               keystorePass="password"
               truststoreFile="/etc/tomcat6/tomcat.keystore"
               truststorePass="password"
               enableLookups="true"
               SSLVerifyClient="require"
               SSLEngine="on"
               SSLVerifyDepth="3"
               sslProtocol="TLS"
               proxyPort='443'
               />

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>


After you save the changes to server.xml, restart Tomcat to begin using SSL. Your SSL certificate is installed.


A simple Java application showing how to extract data from the eID smartcard is available here:

https://github.com/eID-LV/eidtsttom
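Once the 8443 connector has verified the card holder's certificate against the truststore, Tomcat hands the chain to the web application through the javax.servlet.request.X509Certificate request attribute; that is where the application reads the holder's data. The servlet below is an added example written for this guide, not the code of the eidtsttom project linked above. It targets the Servlet 2.5 API shipped with Tomcat 6 and assumes only that the usual personal-certificate attributes (serialNumber, surname, givenName) may appear in the subject; it does not assert which attributes a Latvian eID certificate actually carries.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not the eidtsttom project's code: reads the client certificate
 * that the clientAuth="true" connector has already verified and shows its fields.
 * Assumption: the OID map below covers the attributes of interest; the exact
 * attribute set on a Latvian eID certificate is not asserted here.
 */
public class EidInfoServlet extends HttpServlet {

    /** Request attribute the container fills with the verified client chain, leaf first. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Keywords for OIDs that X500Principal.getName() would otherwise print as hex blobs. */
    private static final Map<String, String> OID_KEYWORDS = new HashMap<String, String>();
    static {
        OID_KEYWORDS.put("2.5.4.5", "SERIALNUMBER");  // serialNumber
        OID_KEYWORDS.put("2.5.4.4", "SURNAME");       // surname
        OID_KEYWORDS.put("2.5.4.42", "GIVENNAME");    // givenName
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // The 8443 handshake already fails without a certificate; this guards the
            // servlet when it is reached over the plain 8080 connector instead.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "No client certificate presented");
            return;
        }
        X509Certificate holder = chain[0];
        try {
            // Tomcat validated the chain against the truststore; validity period and
            // revocation policy remain the application's responsibility.
            holder.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate expired or not yet valid");
            return;
        }

        resp.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Subject: " + holder.getSubjectX500Principal().getName());
        out.println("Issuer:  " + holder.getIssuerX500Principal().getName());
        out.println("Serial:  " + holder.getSerialNumber().toString(16));
        out.println("Valid:   " + holder.getNotBefore() + " .. " + holder.getNotAfter());
        out.println("Chain:   " + chain.length + " certificate(s)");
        out.println();
        for (Map.Entry<String, String> field : subjectFields(holder).entrySet()) {
            out.println(field.getKey() + " = " + field.getValue());
        }
    }

    /** Splits the subject DN into keyword -> value pairs, parsed as RFC 2253 rather than by string splitting. */
    static Map<String, String> subjectFields(X509Certificate cert) {
        Map<String, String> fields = new LinkedHashMap<String, String>();
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253, OID_KEYWORDS);
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                fields.put(rdn.getType(), String.valueOf(rdn.getValue()));
            }
        } catch (InvalidNameException e) {
            fields.put("DN", dn); // unparseable name: keep the raw string
        }
        return fields;
    }
}
```

Map the servlet in the application's web.xml and call it over https://<host>:8443/ with the card inserted. Two points the connector configuration above does not cover: the JSSE connector establishes that the certificate chains to a CA in the truststore but does not consult CRLs or OCSP unless configured to, so a lost or blocked card is still accepted until the application or connector checks revocation; and anything derived from the certificate (the serialNumber field in particular) should be taken from this verified attribute, never from a request parameter or header supplied by the client.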