Posted to users@tomcat.apache.org by Tapio Niemi <ta...@necora.fi> on 2011/10/28 14:31:23 UTC

Adding SSL information into access log

Hi,

How do I configure Tomcat to put certain information related to SSL 
request into access log? In particular, I need to log the client 
certificate's O, OU, and CN fields, or if that's not possible, at least 
the serial number of the certificate.

For example, in Apache httpd I can do:

LogFormat "%h %{SSL_CLIENT_M_SERIAL}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x"

I already tried:
pattern="%{SSL_CLIENT_M_SERIAL}r %h %l %u %t &quot;%r&quot; %s %b"
on the access log valve configuration, which caused the server not to start, and
pattern="%{CLIENT_AUTH}r %h %l %u %t &quot;%r&quot; %s %b",
which just causes "-" to appear on the log.
Also tried %{SSL_CLIENT_M_SERIAL}x and s with varying results.

I've been searching the FAQ, Howtos, Access Log Valve reference and even 
some of the javadocs for an answer, to no avail and without a direct answer, only 
being able to make guesses how this would work. I'm running Tomcat 
7.0.22 configured to require client certificate authentication, which 
itself is working fine.

Thanks in advance!

-Tapio Niemi

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Adding SSL information into access log

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/14 Tapio Niemi <ta...@necora.fi>:
>>
>> If you can't find a standard request attribute that meets your needs,
>> you could always write a Filter (or Valve, if it's necessary to run
>> before the AccessLogValve) that puts anything you want into the
>> request for logging purposes.
>
> Now this is great advice. That is exactly what I ended up doing. I wrote a
> filter that sets a custom request attribute with all the needed data and
> then used that in the AccessLogValve configuration. Works great, and doesn't
> require as much knowledge of Tomcat internals as I thought it might. Can
> recommend this solution to anyone with similar needs. Not contributing my
> filter publicly however, since the code is not very generic; it gives an
> internal server error on non-SSL requests (quite easy to fix if required)
> plus some minor concerns.
>

If you want, you can contribute it to the FAQ,
http://wiki.apache.org/tomcat/FAQ/Logging

That code does not need to be production quality.

Best regards,
Konstantin Kolinko



Re: Adding SSL information into access log

Posted by Tapio Niemi <ta...@necora.fi>.
Hi!
>> I already tried: pattern="%{SSL_CLIENT_M_SERIAL}r %h %l %u %t
>> &quot;%r&quot; %s %b" on access log valve configuration, which
>> caused server not to start
> That shouldn't have happened: Tomcat should start with the above log
> pattern.
And it does; it was some kind of temporary glitch which you get when you do 
stop-start-configure-use browser-stop-start in a rapid sequence.
>> , and pattern="%{CLIENT_AUTH}r %h %l %u %t &quot;%r&quot; %s %b",
>> which just causes "-" to appear on the log.
> That's because "CLIENT_AUTH" doesn't appear to be a request attribute.
Yep, it's a field in some class I can't remember anymore, which I used 
to make a guess.
>> Also tried %{SSL_CLIENT_M_SERIAL}x and s with varying results.
> Why did you try that? Just guessing?
Yes, just guessing.
>
> If you can't find a standard request attribute that meets your needs,
> you could always write a Filter (or Valve, if it's necessary to run
> before the AccessLogValve) that puts anything you want into the
> request for logging purposes.
Now this is great advice. That is exactly what I ended up doing. I wrote 
a filter that sets a custom request attribute with all the needed data 
and then used that in the AccessLogValve configuration. Works great, and 
doesn't require as much knowledge of Tomcat internals as I thought 
it might. Can recommend this solution to anyone with similar needs. Not 
contributing my filter publicly however, since the code is not very 
generic; it gives an internal server error on non-SSL requests (quite easy 
to fix if required) plus some minor concerns.

-Tapio Niemi



Re: Adding SSL information into access log

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Tapio,

On 10/28/2011 8:31 AM, Tapio Niemi wrote:
> How do I configure Tomcat to put certain information related to
> SSL request into access log? In particular, I need to log the
> client certificate's O, OU, and CN fields, or if that's not
> possible, at least the serial number of the certificate.
> 
> For example, in Apache httpd I can do:
> 
> LogFormat "%h %{SSL_CLIENT_M_SERIAL}x %{SSL_PROTOCOL}x
> %{SSL_CIPHER}x"
> 
> I already tried: pattern="%{SSL_CLIENT_M_SERIAL}r %h %l %u %t
> &quot;%r&quot; %s %b" on access log valve configuration, which
> caused server not to start

That shouldn't have happened: Tomcat should start with the above log
pattern.

> , and pattern="%{CLIENT_AUTH}r %h %l %u %t &quot;%r&quot; %s %b", 
> which just causes "-" to appear on the log.

That's because "CLIENT_AUTH" doesn't appear to be a request attribute.

> Also tried %{SSL_CLIENT_M_SERIAL}x and s with varying results.

Why did you try that? Just guessing?

> I've been searching FAQ, Howtos, Access Log Valve reference and
> even some of the javadocs for answer to no avail without direct
> answer, only being able to make guesses how this would work.

The servlet spec 3.0, section 3.8 is titled "SSL Attributes". You
could start there.

If you can't find a standard request attribute that meets your needs,
you could always write a Filter (or Valve, if it's necessary to run
before the AccessLogValve) that puts anything you want into the
request for logging purposes.

-chris


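One way to do what Chris suggests and what Tapio describes having done, as an added example that is not code from anyone in this thread: a Servlet 3.0 Filter for Tomcat 7 that reads the spec's javax.servlet.request.X509Certificate attribute (section 3.8, "SSL Attributes"), folds the serial number and the subject's CN, O and OU into one request attribute, and logs a dash on non-SSL requests instead of failing. The attribute name ssl.client, the class name and the "/*" mapping are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;

/** Copies client-certificate details into one request attribute for the AccessLogValve. */
@WebFilter("/*")
public class ClientCertLogFilter implements Filter {
    /** Attribute name is an assumption; log it with %{ssl.client}r in the valve pattern. */
    public static final String ATTR = "ssl.client";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Servlet 3.0 section 3.8: the attribute is only set on an HTTPS connector
        // when a client certificate was presented, so check before casting.
        Object certs = req.getAttribute("javax.servlet.request.X509Certificate");
        String value = "-";   // plain HTTP or no client cert: log a dash, do not fail
        if (certs instanceof X509Certificate[] && ((X509Certificate[]) certs).length > 0) {
            value = describe(((X509Certificate[]) certs)[0]);   // [0] is the client's own cert
        }
        req.setAttribute(ATTR, value);
        chain.doFilter(req, res);
    }

    /** Builds "serial=...;CN=...;O=...;OU=..." from the end-entity certificate. */
    static String describe(X509Certificate cert) {
        StringBuilder sb = new StringBuilder("serial=")
            .append(cert.getSerialNumber().toString(16));
        try {
            // Parse the RFC 2253 subject DN into RDNs rather than string-matching "CN=",
            // so escaped commas and quoted values in the DN are handled correctly.
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                String type = rdn.getType().toUpperCase();
                if (type.equals("CN") || type.equals("O") || type.equals("OU")) {
                    sb.append(';').append(type).append('=').append(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            sb.append(";subject=unparseable");
        }
        // Spaces would split a space-separated access log line, so replace them.
        return sb.toString().replace(' ', '_');
    }
}
```

With the filter deployed, the AccessLogValve pattern in server.xml would carry %{ssl.client}r where Tapio tried %{SSL_CLIENT_M_SERIAL}r; a request without a client certificate then shows "-" in that column rather than an error.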
