Configure Tomcat for TLS client authentication in Protocol Gateway

This article describes how to configure Tomcat for TLS client authentication in Protocol Gateway. TLS client authentication is a prerequisite for EST, ACME and Certificate Manager REST API. 

Prerequsites

• Certificate Manager must be installed. See Install Certificate Manager.

• Protocol Gateway must be installed. See Install Protocol Gateway.

• Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway.  

Step-by-step instruction

Create system token procedure for P12

Create a PKCS#12 token procedure Ior REST API devices, according to Create token procedure in Certificate Manager with the following settings: 

1. Set Procedure name to System Token Procedure P12.

2. In Storage profile, select PKCS12.

3. In Issuer certificates, check Store all. 

For more information, see Create token procedure in Certificate Manager.

Issue Tomcat TLS server certificate

A TLS soft token is needed for Tomcat from the PKCS#12 token procedure that was created:

Issue a software token, according to Issue software token in Certificate Manager with the following settings:

1. Set File for Media to \Nexus\Tomcat\conf\localhost-rsa.p12.

2. In Procedure name, select System Token Procedure P12.

3. In Common Name, enter cm.local. 

Create Trust store for Tomcat

1. Open KeyStore Explorer.

2. Click Create a new KeyStore.

3. In New KeyStore Type, check JKS. 

4. Click Tools > Import Trusted Certificate and select System CA.cer. 

5. Save the keystore as \Nexus\Tomcat\conf\trusted.jks in the same directory as the file localhost-rsa.p12 that you just created. 

Check Tomcat configuration

Tomcat must be configured for TLS both without client authentication (for the cacert endpoint) and TLS with client authentication (for certificate requests). 

• Open \Nexus\Tomcat\conf\server.xml for editing.

• Configure connectors for TLS with client authentication and TLS without client authentication (with clientAuth set to true and false, respectively.

EST configuration

For use with the EST protocol, there must be a connector with clientAuth set to false. since the /cacerts endpoint must NOT be protected behind client authentication. 

For both connectors, set the following parameters:

• Set keystoreFile to conf/localhost-rsa.p12.

• Set keystorePass to the configured PIN of localhost-rsa.p12.

• Set truststoreFile to conf/trusted.jks.

• Set truststorePass to the configured PIN of trusted.jks.

Example for Tomcat version 9 and 10

Example for Tomcat 9: server.xml - Tomcat connector with client authentication

<Connector
        port="8444"
        protocol="HTTP/1.1"
        SSLEnabled="true"
        maxPostSize="-1"
        scheme="https"
        secure="true">
        <SSLHostConfig
            ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,
                TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            honorCipherOrder="true"
            sslProtocol="TLSv1.3"
            protocols="TLSv1.2,+TLSv1.3"
            certificateVerification="required"
            truststoreFile="conf/trusted.jks"
            truststorePassword="changeit"
            truststoreType="JKS"
            >
            <Certificate
                certificateKeystoreFile="conf/Nexus-Server_Certificate.p12"
                certificateKeystorePassword="1234"
                certificateKeystoreType="PKCS12"
                />
        </SSLHostConfig>
    </Connector>

Restart Tomcat

Restart the Tomcat service.