Configure Tomcat for TLS client authentication in Protocol Gateway
This article describes how to configure Tomcat for TLS client authentication in Protocol Gateway. TLS client authentication is a prerequisite for EST, ACME and Certificate Manager REST API.
Prerequisites
Certificate Manager must be installed. See Install Certificate Manager.
Protocol Gateway must be installed. See Install Protocol Gateway.
Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway.
Step-by-step instruction
Create system token procedure for P12
Create a PKCS#12 token procedure for REST API devices, according to Create token procedure in Certificate Manager with the following settings:
Set Procedure name to System Token Procedure P12.
In Storage profile, select PKCS12.
In Issuer certificates, check Store all.
For more information, see Create token procedure in Certificate Manager.
Issue Tomcat TLS server certificate
A TLS soft token is needed for Tomcat from the PKCS#12 token procedure that was created:
Issue a software token, according to Issue software token in Certificate Manager with the following settings:
Set File for Media to \Nexus\Tomcat\conf\localhost-rsa.p12.
In Procedure name, select System Token Procedure P12.
In Common Name, enter cm.local.
Create Trust store for Tomcat
Open KeyStore Explorer.
Click Create a new KeyStore.
In New KeyStore Type, check JKS.
Click Tools > Import Trusted Certificate and select System CA.cer.
Save the keystore as \Nexus\Tomcat\conf\trusted.jks in the same directory as the file localhost-rsa.p12 that you just created.
Check Tomcat configuration
Tomcat must be configured for TLS both without client authentication (for the cacert endpoint) and TLS with client authentication (for certificate requests).
Open \Nexus\Tomcat\conf\server.xml for editing.
Configure connectors for TLS with client authentication and TLS without client authentication (with clientAuth set to true and false, respectively).
EST configuration
For use with the EST protocol, there must be a connector with clientAuth set to false, since the /cacerts endpoint must NOT be protected behind client authentication.
For both connectors, set the following parameters:
Set keystoreFile to conf/localhost-rsa.p12.
Set keystorePass to the configured PIN of localhost-rsa.p12.
Set truststoreFile to conf/trusted.jks.
Set truststorePass to the configured PIN of trusted.jks.
Example for Tomcat version 9 and 10
Example for Tomcat 9: server.xml - Tomcat connector with client authentication
<!-- Connector with client authentication (certificate requests). In Tomcat 9 and 10 the
     client-authentication setting is the certificateVerification attribute of SSLHostConfig:
     "required" corresponds to clientAuth="true", "none" to clientAuth="false". -->
<Connector
    port="8444"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    maxPostSize="-1"
    scheme="https"
    secure="true">
    <!-- Client certificates are verified against the trust store built from System CA.cer;
         truststorePassword is the PIN configured for trusted.jks. -->
    <SSLHostConfig
        ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        honorCipherOrder="true"
        sslProtocol="TLSv1.3"
        protocols="TLSv1.2,+TLSv1.3"
        certificateVerification="required"
        truststoreFile="conf/trusted.jks"
        truststorePassword="changeit"
        truststoreType="JKS">
        <!-- Server keystore issued from the PKCS#12 token procedure (this article uses
             conf/localhost-rsa.p12); certificateKeystorePassword is its configured PIN. -->
        <Certificate
            certificateKeystoreFile="conf/Nexus-Server_Certificate.p12"
            certificateKeystorePassword="1234"
            certificateKeystoreType="PKCS12" />
    </SSLHostConfig>
</Connector>
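Before restarting Tomcat it is worth checking the edited server.xml rather than discovering at the first enrollment that the wrong connector is asking for a client certificate: one TLS connector must require a client certificate (certificate requests), a second must not (the EST /cacerts endpoint), and every TLS connector should name the server keystore and the trust store built above. The script below is an added example, not part of this article or of the Certificate Manager product. It reads both the Tomcat 9 and 10 SSLHostConfig form (certificateVerification, the counterpart of the clientAuth setting the text refers to) and the legacy connector-attribute form (clientAuth, keystoreFile, truststoreFile). The embedded server.xml, its ports, passwords and paths are constructed sample values.

```python
"""Audit a Tomcat server.xml for the two TLS connectors Protocol Gateway needs:
one that requires a client certificate and one that does not (for /cacerts)."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from a real installation): ports,
# passwords and paths are placeholders chosen for this example.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- TLS without client authentication: serves the EST /cacerts endpoint -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2,+TLSv1.3" certificateVerification="none"
                     truststoreFile="conf/trusted.jks" truststorePassword="changeit">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
                     certificateKeystorePassword="changeit" certificateKeystoreType="PKCS12"/>
      </SSLHostConfig>
    </Connector>
    <!-- TLS with client authentication: serves certificate requests -->
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2,+TLSv1.3" certificateVerification="required"
                     truststoreFile="conf/trusted.jks" truststorePassword="changeit">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.p12"
                     certificateKeystorePassword="changeit" certificateKeystoreType="PKCS12"/>
      </SSLHostConfig>
    </Connector>
    <!-- Legacy attribute form with the trust store forgotten -->
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true" keystoreFile="conf/localhost-rsa.p12" keystorePass="changeit"/>
  </Service>
</Server>
"""

# Legacy clientAuth value -> SSLHostConfig certificateVerification value
LEGACY_CLIENT_AUTH = {"true": "required", "want": "optional"}


def describe_connector(conn):
    """Return the effective TLS client-authentication settings of one <Connector>."""
    host = conn.find("SSLHostConfig")
    if host is not None:
        cert = host.find("Certificate")
        verification = host.get("certificateVerification", "none")
        keystore = cert.get("certificateKeystoreFile") if cert is not None else None
        truststore = host.get("truststoreFile")
    else:
        # Tomcat 8.5+ still accepts the old connector attributes and maps them
        # onto the default SSLHostConfig
        legacy = conn.get("clientAuth", "false").lower()
        verification = LEGACY_CLIENT_AUTH.get(legacy, "none")
        keystore = conn.get("keystoreFile")
        truststore = conn.get("truststoreFile")
    return {"port": conn.get("port"), "verification": verification,
            "keystore": keystore, "truststore": truststore}


def audit_server_xml(xml_text):
    """Parse server.xml and return the TLS connectors plus a list of findings."""
    root = ET.fromstring(xml_text)
    connectors = [describe_connector(c) for c in root.iter("Connector")
                  if c.get("SSLEnabled", "false").lower() == "true"]
    findings = []
    if not any(c["verification"] == "required" for c in connectors):
        findings.append("no TLS connector requires a client certificate "
                        "(needed for certificate requests)")
    if not any(c["verification"] == "none" for c in connectors):
        findings.append("no TLS connector without client authentication "
                        "(needed for the EST /cacerts endpoint)")
    for c in connectors:
        port = c["port"]
        if not c["keystore"]:
            findings.append(f"port {port}: no server keystore configured")
        if c["verification"] in ("optional", "optionalNoCA"):
            findings.append(f"port {port}: certificate verification is {c['verification']}, "
                            "so connections without a client certificate are still accepted")
        if c["verification"] != "none" and not c["truststore"]:
            # Without truststoreFile, Tomcat validates client certificates against the
            # JVM default trust store, not the System CA-only trusted.jks built above
            findings.append(f"port {port}: no truststoreFile, so client certificates are "
                            "checked against the JVM default trust store instead of conf/trusted.jks")
    return {"connectors": connectors, "findings": findings}


if __name__ == "__main__":
    report = audit_server_xml(SAMPLE_SERVER_XML)
    for c in report["connectors"]:
        print(f"port {c['port']}: certificateVerification={c['verification']} "
              f"keystore={c['keystore']} truststore={c['truststore']}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

To audit a real installation, pass the contents of \Nexus\Tomcat\conf\server.xml to audit_server_xml instead of the sample. The "optional" check is deliberate: a connector with certificateVerification="optional" still accepts a connection with no client certificate, so it does not satisfy the requirement that certificate requests be protected by client authentication.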
Restart Tomcat
Restart the Tomcat service.