I am using an Apache Tomcat webapp as a client (Java) to an IIS-hosted web service. I need to use SSL with client authentication. What matching criteria are used by the client to send a client certificate to the server as part of the CertificateRequest which is part of the ServerHello?
When I install the client cert in IE and access the WSDL, it prompts for the client cert; I choose the one that I installed and it works.
I can send the debug SSL dump if needed.
Ultimately, the certificate will be sent using the mechanism in the `X509KeyManager` used in the `SSLContext` used by the `SSLSocket`/`SSLEngine` used by the client. The default `SSLContext` initialises its key manager using the `javax.net.ssl.keyStore*` system properties. (See this SO answer for the difference between "key store" and "trust store": both use the "keystore" API/storage format.)

The simplest is to configure the JVM running Tomcat, within which your client/webapp is running, with these `javax.net.ssl.keyStore*` properties. The default `SSLContext` will pick it up, and it's used by default for HTTPS connections (even 3rd-party HTTPS libraries would tend to use it). If you need something more specific for particular requests, you may need to alter the webapp code, so as to use a specific keystore (or at least choose a specific certificate) within a given `SSLContext` for that request.

How you configure the JVM running Tomcat will depend on the launching script. If under Windows, this question should help; otherwise, I suspect there's a line somewhere in `catalina.sh` where you could set system properties.

If you do configure the global `javax.net.ssl.keyStore*` for this, this will affect the entire VM, including the connectors. To prevent your Tomcat connectors using that keystore, make sure that the `<Connector />` configuration does specify its own `keyStore*` attributes (so as not to use the values from the system properties).

If there are multiple certificates (with private key) in your keystore, the choice should be made automatically according to the CA list sent by the server within its `CertificateRequest` message. By default, the key manager will pick up the first certificate it finds in the configured keystore that is issued by a CA in that list (or an intermediate CA). If you need something more specific (in particular if there are multiple valid candidates in your keystore), you'll need to implement your own `X509KeyManager`, put the logic in `chooseClientAlias`, initialise an `SSLContext` with it, and make whatever API making those requests use it.