6.1 Setup Client-cert Authentication

Information

Client-cert authentication requires each client connecting to the server to have a certificate to authenticate. This is generally regarded as stronger authentication than a password as it requires the client to have the certificate and not just a password.

Rationale:

Certificate based authentication is more secure than password based authentication.

Solution

In the Connector element, set the clientAuth to true and, in Tomcat 8.5.x, set the certificateVerification to required

<Connector
port='8443' minProcessors='5' maxProcessors='75'
enableLookups='true' disableUploadTimeout='true'
acceptCount='100' debug='0' scheme='https' secure='true';
clientAuth='true' sslProtocol='TLS'/>
...
<Connector ...>
<SSLHostConfig
certificateVerification='required'
/>

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Unix

Control ID: 337c0727cbc26dfc35612ecd63e278712f5c7c7d5ac6fceb7c57dafb3001eaf5