
Configure Tomcat for TLS client authentication in Protocol Gateway

This article describes how to configure Tomcat for TLS client authentication in Protocol Gateway. TLS client authentication is a prerequisite for EST, ACME and Certificate Manager REST API. 

Prerequisites

The following prerequisites apply:

Step-by-step instruction

Create system token procedure for P12

Create a PKCS#12 token procedure for REST API devices, according to Create token procedure in Certificate Manager, with the following settings: 

  1. Set Procedure name to System Token Procedure P12.
  2. In Storage profile, select PKCS12.
  3. In Issuer certificates, check Store all.

For more information, see Create token procedure in Certificate Manager.

Issue Tomcat TLS server certificate

Tomcat needs a TLS server certificate and private key. Issue it as a software (soft) token through the PKCS#12 token procedure that was just created:

Issue a software token, according to Issue software token in Certificate Manager with the following settings:

  1. Set File for Media to \Nexus\Tomcat\conf\localhost-rsa.p12.
  2. In Procedure name, select System Token Procedure P12.
  3. In Common Name, enter cm.local. The name must match the host name that EST, ACME and REST API clients use to reach the gateway, otherwise their validation of the server certificate fails.

Create Trust store for Tomcat

The trust store holds the CA certificate that client certificates are validated against. Every CA in it is accepted for TLS client authentication, so it should contain only the System CA. To create it in KeyStore Explorer: 

  1. Open KeyStore Explorer.
  2. Click Create a new KeyStore.
  3. In New KeyStore Type, select JKS.
  4. Click Tools > Import Trusted Certificate and select the System CA certificate file, System CA.cer.
  5. Save the keystore as \Nexus\Tomcat\conf\trusted.jks, in the same directory as the file localhost-rsa.p12 that you just created. 

Check Tomcat configuration

Tomcat must be configured with two TLS connectors: one without client authentication (for the EST /cacerts endpoint) and one with client authentication (for certificate requests). 

  • Open \Nexus\Tomcat\conf\server.xml for editing.
  • Configure one connector for TLS with client authentication and one for TLS without client authentication. With the legacy connector attributes this is clientAuth set to true and false, respectively; in the SSLHostConfig style used by Tomcat 9 and 10 it is certificateVerification set to required and none, respectively.

    EST configuration

    For use with the EST protocol, there must be a connector without client authentication (clientAuth false, or certificateVerification none), since the /cacerts endpoint must NOT be protected behind client authentication. 

    For both connectors, set the following parameters. In the SSLHostConfig style, the key store parameters are certificateKeystoreFile and certificateKeystorePassword on the Certificate element, and the trust store parameters are truststoreFile and truststorePassword on the SSLHostConfig element:

    1. Set keystoreFile to conf/localhost-rsa.p12.
    2. Set keystorePass to the configured PIN of localhost-rsa.p12.
    3. Set truststoreFile to conf/trusted.jks.
    4. Set truststorePass to the configured PIN of trusted.jks.

    The trust store setting is what makes client authentication meaningful: if truststoreFile is omitted on the connector with client authentication, Tomcat validates client certificates against the JVM default trust store instead of against the System CA in trusted.jks.


Example for Tomcat version 9 and 10

server.xml: Tomcat connector with client authentication. The SSLHostConfig syntax below is the same in Tomcat 9 and 10. The connector without client authentication is identical apart from a different port and certificateVerification="none".

<!-- Connector WITH client authentication: certificate requests (EST, ACME, REST API).
     maxPostSize="-1" removes Tomcat's default 2 MB limit on request bodies. -->
<Connector
    port="8444"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    maxPostSize="-1"
    scheme="https"
    secure="true">
    <!-- TLS 1.2 and 1.3 only, with AEAD cipher suites in server-preferred order -->
    <SSLHostConfig
        ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        honorCipherOrder="true"
        sslProtocol="TLSv1.3"
        protocols="TLSv1.2,+TLSv1.3"
        certificateVerification="required"
        truststoreFile="conf/trusted.jks"
        truststorePassword="changeit"
        truststoreType="JKS">
        <!-- Server certificate and key issued above; the passwords here are
             placeholders, replace them with the PINs of the p12 and the jks. -->
        <Certificate
            certificateKeystoreFile="conf/localhost-rsa.p12"
            certificateKeystorePassword="1234"
            certificateKeystoreType="PKCS12"/>
    </SSLHostConfig>
</Connector>
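As an added check, the following Python script (example code written for this article, not part of Protocol Gateway or Tomcat) parses a server.xml and verifies the layout described above: one TLS connector without client authentication, one that requires it, both pointing at conf/localhost-rsa.p12 and conf/trusted.jks, and no pre-TLS 1.2 protocol enabled. It reads both the SSLHostConfig attributes shown in the example and the legacy clientAuth/keystoreFile/truststoreFile connector attributes named in the step list. The two server.xml fragments inside it are constructed for the example, and the ports 8443 and 8444 are assumptions.

```python
"""Offline audit of a Tomcat server.xml for the two-connector TLS layout.

Added example, not from the Nexus Protocol Gateway documentation or Tomcat.
The sample XML below is constructed; the port numbers are assumptions.
"""
import xml.etree.ElementTree as ET

EXPECTED_KEYSTORE = "conf/localhost-rsa.p12"
EXPECTED_TRUSTSTORE = "conf/trusted.jks"
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _enabled_protocols(spec):
    """Expand a Tomcat protocol list such as "TLSv1.2,+TLSv1.3" or "all,-TLSv1"
    into the names it enables (prefix + adds, - removes). The keyword "all" is
    kept literally; what it expands to depends on the Tomcat version."""
    enabled = set()
    for tok in (spec or "").replace(" ", "").split(","):
        if tok.startswith("-"):
            enabled.discard(tok[1:])
        elif tok:
            enabled.add(tok.lstrip("+"))
    return enabled


def _connector_settings(conn):
    """Normalise one SSL-enabled <Connector> regardless of attribute style.

    Tomcat 8.5/9/10 keep TLS settings on <SSLHostConfig>/<Certificate>
    (certificateVerification, truststoreFile, certificateKeystoreFile); the
    legacy style keeps clientAuth/keystoreFile/truststoreFile on <Connector>.
    """
    s = {
        "port": conn.get("port"),
        "client_auth": None,
        "keystore": conn.get("keystoreFile"),
        "truststore": conn.get("truststoreFile"),
        "protocols": conn.get("sslEnabledProtocols"),
    }
    legacy = conn.get("clientAuth")  # legacy values: true / want / false
    if legacy is not None:
        s["client_auth"] = {"true": "required", "want": "optional"}.get(legacy.lower(), "none")
    for host in conn.findall("SSLHostConfig"):
        verification = host.get("certificateVerification")
        if verification is not None:
            s["client_auth"] = verification.lower()
        s["truststore"] = host.get("truststoreFile", s["truststore"])
        s["protocols"] = host.get("protocols", s["protocols"])
        for cert in host.findall("Certificate"):
            s["keystore"] = cert.get("certificateKeystoreFile", s["keystore"])
    if s["client_auth"] is None:
        s["client_auth"] = "none"  # Tomcat default: no client certificate requested
    return s


def audit_server_xml(xml_text):
    """Return {"client_auth_ports": {...}, "findings": [...]}; no findings means OK."""
    root = ET.fromstring(xml_text)
    connectors = [_connector_settings(c) for c in root.iter("Connector")
                  if c.get("SSLEnabled", "false").lower() == "true"]
    ports = {"none": [], "optional": [], "required": []}
    findings = []
    for s in connectors:
        ports.setdefault(s["client_auth"], []).append(s["port"])
        where = "port %s" % s["port"]
        if s["keystore"] != EXPECTED_KEYSTORE:
            findings.append("%s: server keystore is %r, expected %r"
                            % (where, s["keystore"], EXPECTED_KEYSTORE))
        # Without an explicit truststore Tomcat validates client certificates
        # against the JVM default trust store, not the System CA in trusted.jks.
        if s["client_auth"] != "none" and s["truststore"] != EXPECTED_TRUSTSTORE:
            findings.append("%s: client auth enabled but truststore is %r, expected %r"
                            % (where, s["truststore"], EXPECTED_TRUSTSTORE))
        weak = _enabled_protocols(s["protocols"]) & WEAK_PROTOCOLS
        if weak:
            findings.append("%s: weak protocols enabled: %s" % (where, ", ".join(sorted(weak))))
    if not ports["required"]:
        findings.append("no TLS connector requires a client certificate (needed for certificate requests)")
    if not ports["none"]:
        findings.append("no TLS connector without client authentication (EST /cacerts must not require one)")
    return {"client_auth_ports": ports, "findings": findings}


# Constructed sample that follows the article's layout (not a real server.xml).
GOOD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2,+TLSv1.3" certificateVerification="none"
        truststoreFile="conf/trusted.jks" truststorePassword="changeit" truststoreType="JKS">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
          certificateKeystorePassword="changeit" certificateKeystoreType="PKCS12"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2,+TLSv1.3" certificateVerification="required"
        truststoreFile="conf/trusted.jks" truststorePassword="changeit" truststoreType="JKS">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
          certificateKeystorePassword="changeit" certificateKeystoreType="PKCS12"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed misconfiguration: legacy attributes, no truststore, TLSv1 enabled,
# and no connector left open for /cacerts.
BAD_SERVER_XML = """<Server><Service>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" clientAuth="true"
      keystoreFile="conf/localhost-rsa.p12" keystorePass="changeit"
      sslEnabledProtocols="TLSv1,TLSv1.2"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        print(name, audit_server_xml(xml))
```

To run it against the real file, call audit_server_xml on the contents of \Nexus\Tomcat\conf\server.xml; an empty findings list means the two connectors and both stores are set up as the steps above require.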

Restart Tomcat

  • Restart the Tomcat service so that the new server.xml, key store and trust store take effect. 

