Posted to users@tomcat.apache.org by Brendan McKenna <mc...@taringold.ie> on 2001/07/04 16:35:49 UTC
Re: Accessing certificate from servlet
Hi,
I've gotten this working before, using Apache 1.3.19 and the
corresponding, earlier version of mod_ssl, but the rest of my
configuration is the same. One thing that I don't see is the
'SSLVerifyClient require' directive in your httpd.conf. I don't think
that Apache actually prompts the client for a certificate unless that's
present. Are you being prompted to select the certificate to use?
My configuration looks essentially like yours, but with a
couple of differences:
Alias /ttest "/usr/local/jakarta-tomcat-3.2.1/webapps/ttest/"
<Directory "/usr/local/jakarta-tomcat-3.2.1/webapps/ttest">
    Options Indexes
    <IfDefine SSL>
        SSLRequireSSL
    </IfDefine>
</Directory>
<IfDefine SSL>
    <Directory "/usr/local/jakarta-tomcat-3.2.1/webapps/ttest/login">
        SSLOptions +StdEnvVars +ExportCertData +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>
</IfDefine>
This is all in my mod_jk.conf file, but the location shouldn't
make a difference. I am requiring SSL in the /ttest directory, and SSL
with a Client Certificate in the /ttest/login directory. Netscape does
prompt me to specify the certificate to use for authentication since I
have more than one available. The SSLVerifyDepth directive (set to 1)
is appropriate in my situation, where I am using certificates generated
by a local CA (done with OpenSSL), but may not be appropriate for other
purposes -- you'll probably want to verify what exactly you need with
someone who's a bit more security-issue-literate than I am before doing
anything serious.
The reason for all the <IfDefine SSL> stuff is that the server
is sometimes brought up without SSL support for testing (this is a
development server, not a live one).
Brendan
: Hi!
: I have Apache 1.3.20 + mod_ssl 2.8.4 + Tomcat 3.2.1, using Ajp13 with
: mod_jk.
: From a servlet I need to access the SSL environment variable containing
: information about the certificate sent by the client's browser
: (SSL_CLIENT_CERT). Although I seem to have all the necessary configuration
: lines in place nothing seems to work. For instance, I have the following
: lines in httpd.conf:
:
: ----------------------------------------------------------------------------
: SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
: <Files ~ "\.(cgi|shtml|phtml|php3?)$">
: SSLOptions +StdEnvVars +ExportCertData
: </Files>
: <Directory "/usr/local/apache/cgi-bin">
: SSLOptions +StdEnvVars +ExportCertData
: </Directory>
:
: AddModule mod_jk.c
:
: <IfModule mod_jk.c>
: JkExtractSSL On
: JkHTTPSIndicator HTTPS
: JkSESSIONIndicator SSL_SESSION_ID
: JkCIPHERIndicator SSL_CIPHER
: JkCERTSIndicator SSL_CLIENT_CERT
: JkWorkersFile /usr/local/tomcat/conf/workers.properties
: JkLogFile logs/jk.log
: JkLogLevel warn
: JkMount /*.jsp ajp13
: JkMount /servlet/* ajp13
: </IfModule>
: ----------------------------------------------------------------------------
:
:
: Any guesses?? I would be really thankful!
:
: Best Regards,
:
: André Rocha
: ______________________________________________
: PT Inovação,S.A. Tel: +351 222 079 325
: Largo de Mompilher, 22, 2ºA Fax:+351 222 079 303
: 4050-392 Porto - Portugal acrocha@ptinovacao.pt
: http://www.ptinovacao.pt
:
:
:
--
Brendan McKenna Email: brendan.mckenna@taringold.ie
Development Strategist Phone: +353-61-338177
Taringold Ltd. Fax: +353-61-338065
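
The servlet side of the setup discussed in this thread, as an added example that is not part of the original messages or of Tomcat's own code. It assumes the connector exposes the client certificate under the Servlet specification's `javax.servlet.request.X509Certificate` request attribute; the class name `ClientCertServlet` is hypothetical, and the branch that accepts a PEM string (the format mod_ssl uses for `SSL_CLIENT_CERT`) is an assumption for connectors that pass the raw value through.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; map it under the path covered by "SSLVerifyClient require".
public class ClientCertServlet extends HttpServlet {
    // Attribute name defined by the Servlet specification for the client certificate.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        X509Certificate cert;
        try {
            cert = clientCert(req.getAttribute(CERT_ATTR));
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unparseable client certificate");
            return;
        }
        if (cert == null) {
            // Nothing was forwarded: the client was never asked for a certificate,
            // or the web server/connector did not export it. Fail closed.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Subject: " + cert.getSubjectX500Principal().getName());
        out.println("Issuer:  " + cert.getIssuerX500Principal().getName());
        out.println("Serial:  " + cert.getSerialNumber().toString(16));
    }

    // Returns the client's own certificate, or null if none was forwarded.
    static X509Certificate clientCert(Object attr) throws CertificateException {
        if (attr instanceof X509Certificate[]) {           // form defined by the Servlet spec
            X509Certificate[] chain = (X509Certificate[]) attr;
            return chain.length > 0 ? chain[0] : null;
        }
        if (attr instanceof String) {                      // assumption: raw PEM passed through
            byte[] pem = ((String) attr).getBytes(StandardCharsets.US_ASCII);
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(pem));
        }
        return null;
    }
}
```

The servlet does not re-validate the chain; it relies on Apache having enforced `SSLVerifyClient require`, so the AJP port should accept connections only from the Apache host.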