Posted to users@tomcat.apache.org by Tapio Niemi <ta...@necora.fi> on 2011/10/28 14:31:23 UTC
Adding SSL information into access log
Hi,
How do I configure Tomcat to put certain information related to SSL
request into access log? In particular, I need to log the client
certificate's O, OU, and CN fields, or if that's not possible, at least
the serial number of the certificate.
For example, in Apache httpd I can do:
LogFormat "%h %{SSL_CLIENT_M_SERIAL}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x"
I already tried:
pattern="%{SSL_CLIENT_M_SERIAL}r %h %l %u %t "%r" %s %b"
on access log valve configuration, which caused server not to start, and
pattern="%{CLIENT_AUTH}r %h %l %u %t "%r" %s %b",
which just causes "-" to appear on the log.
Also tried %{SSL_CLIENT_M_SERIAL}x and s with varying results.
I've been searching the FAQ, Howtos, Access Log Valve reference and even
some of the javadocs for an answer, to no avail; without a direct answer, I was only
able to make guesses at how this would work. I'm running Tomcat
7.0.22 configured to require client certificate authentication, which
itself is working fine.
Thanks in advance!
-Tapio Niemi
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Adding SSL information into access log
Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/14 Tapio Niemi <ta...@necora.fi>:
>>
>> If you can't find a standard request attribute that meets your needs,
>> you could always write a Filter (or Valve, if it's necessary to run
>> before the AccessLogValve) that puts anything you want into the
>> request for logging purposes.
>
> Now this is great advice. That is exactly what I ended up doing. I wrote a
> filter that sets a custom request attribute with all the needed data and
> then use that in AccessLogValve configuration. Works great, and doesn't
> require that much knowledge of Tomcat internals that I thought it might. Can
> recommend this solution to anyone with similar needs. Not contributing my
> filter publicly however, since the code is not very generic; it gives
> internal server error on non-SSL request (quite easy to fix if required)
> plus some minor concerns.
>
If you want, you can contribute it to the FAQ,
http://wiki.apache.org/tomcat/FAQ/Logging
That code does not need to be production quality.
Best regards,
Konstantin Kolinko
Re: Adding SSL information into access log
Posted by Tapio Niemi <ta...@necora.fi>.
Hi!
> I already tried: pattern="%{SSL_CLIENT_M_SERIAL}r %h %l %u %t
> "%r" %s %b" on access log valve configuration, which
> caused server not to start
> That shouldn't have happened: Tomcat should start with the above log
> pattern.
And it does; was some kind of temporary glitch which you get when you do
stop-start-configure-use browser-stop-start in a rapid sequence.
>> , and pattern="%{CLIENT_AUTH}r %h %l %u %t"%r" %s %b",
>> which just causes "-" to appear on the log.
> That's because "CLIENT_AUTH" doesn't appear to be a request attribute.
Yep, it's a field in some class I can't remember anymore, which I used
to make a guess.
>> Also tried %{SSL_CLIENT_M_SERIAL}x and s with varying results.
> Why did you try that? Just guessing?
Yes, just guessing.
>
> If you can't find a standard request attribute that meets your needs,
> you could always write a Filter (or Valve, if it's necessary to run
> before the AccessLogValve) that puts anything you want into the
> request for logging purposes.
Now this is great advice. That is exactly what I ended up doing. I wrote
a filter that sets a custom request attribute with all the needed data
and then use that in AccessLogValve configuration. Works great, and
doesn't require that much knowledge of Tomcat internals that I thought
it might. Can recommend this solution to anyone with similar needs. Not
contributing my filter publicly however, since the code is not very
generic; it gives internal server error on non-SSL request (quite easy
to fix if required) plus some minor concerns.
-Tapio Niemi
Re: Adding SSL information into access log
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tapio,
On 10/28/2011 8:31 AM, Tapio Niemi wrote:
> How do I configure Tomcat to put certain information related to
> SSL request into access log? In particular, I need to log the
> client certificate's O, OU, and CN fields, or if that's not
> possible, at least the serial number of the certificate.
>
> For example, in Apache httpd I can do:
>
> LogFormat "%h %{SSL_CLIENT_M_SERIAL}x %{SSL_PROTOCOL}x
> %{SSL_CIPHER}x"
>
> I already tried: pattern="%{SSL_CLIENT_M_SERIAL}r %h %l %u %t
> "%r" %s %b" on access log valve configuration, which
> caused server not to start
That shouldn't have happened: Tomcat should start with the above log
pattern.
> , and pattern="%{CLIENT_AUTH}r %h %l %u %t "%r" %s %b",
> which just causes "-" to appear on the log.
That's because "CLIENT_AUTH" doesn't appear to be a request attribute.
> Also tried %{SSL_CLIENT_M_SERIAL}x and s with varying results.
Why did you try that? Just guessing?
> I've been searching the FAQ, Howtos, Access Log Valve reference and
> even some of the javadocs for an answer, to no avail; without a direct
> answer, I was only able to make guesses at how this would work.
The servlet spec 3.0, section 3.8 is titled "SSL Attributes". You
could start there.
If you can't find a standard request attribute that meets your needs,
you could always write a Filter (or Valve, if it's necessary to run
before the AccessLogValve) that puts anything you want into the
request for logging purposes.
-chris
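The approach Chris suggests and Tapio confirms (a Filter that copies client-certificate details into a request attribute, which AccessLogValve then prints with `%{name}r`), written out as an added example. This is not Tapio's unpublished filter and not Tomcat project code; it only relies on the Servlet 3.0 section 3.8 attribute `javax.servlet.request.X509Certificate`, which holds the client certificate chain with the client's own certificate at index 0. The class name `ClientCertLogFilter` and the attribute names `tls.client.subject` and `tls.client.serial` are assumptions chosen for the example. It also handles the failure mode Tapio mentions: on a non-TLS request the certificate attribute is absent, so the filter leaves the log attributes unset instead of throwing, and AccessLogValve prints `-` for them.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Added example (not Tomcat's or Tapio's code). Tomcat 7 implements Servlet 3.0,
// hence the javax.servlet package.
public class ClientCertLogFilter implements Filter {

    // Attribute name defined by the Servlet 3.0 spec, section 3.8 "SSL Attributes".
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical attribute names for this example; the AccessLogValve pattern
    // refers to them as %{tls.client.subject}r and %{tls.client.serial}r.
    public static final String SUBJECT_ATTR = "tls.client.subject";
    public static final String SERIAL_ATTR = "tls.client.serial";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The container only sets CERT_ATTR on a TLS connection where a client
        // certificate was presented. On plain HTTP the attribute is null, so the
        // null/type check is what prevents the 500 on non-SSL requests.
        Object attr = req.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            X509Certificate client = ((X509Certificate[]) attr)[0];   // index 0 = client cert
            req.setAttribute(SUBJECT_ATTR, summarizeSubject(client));
            req.setAttribute(SERIAL_ATTR, client.getSerialNumber().toString(16));
        }
        // Otherwise leave the attributes unset; AccessLogValve logs "-" for them.
        chain.doFilter(req, res);
    }

    /** Returns "CN=...;OU=...;O=..." from the subject DN, "-" for any missing part. */
    static String summarizeSubject(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal().getName();
        String cn = "-", ou = "-", o = "-";
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                String type = rdn.getType().toUpperCase();
                String value = String.valueOf(rdn.getValue());
                if (type.equals("CN")) cn = value;
                else if (type.equals("OU")) ou = value;
                else if (type.equals("O")) o = value;
            }
        } catch (InvalidNameException e) {
            return "unparseable-dn";
        }
        return sanitize("CN=" + cn + ";OU=" + ou + ";O=" + o);
    }

    /** DN fields are attacker-influenced text; strip characters that could forge extra log lines. */
    static String sanitize(String s) {
        return s.replaceAll("[\\r\\n\\t\"]", "_");
    }
}
```

Map the filter to `/*` in `web.xml` (or register it in a `ServletContextListener`) so it runs for every request, then reference the attributes from the valve in `server.xml`, for instance `pattern="%h %{tls.client.subject}r %{tls.client.serial}r %t &quot;%r&quot; %s %b"`. Note that inside the XML attribute the quotes around `%r` have to be written as `&quot;`, which is the likely reason a literal `"%r"` inside `pattern="..."` fails to parse. Since AccessLogValve writes its line after the request has been processed, an attribute set by a Filter is still present when the valve reads it; a Valve is only needed if the value must exist before the request reaches the servlet pipeline.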