Posted to users@tomcat.apache.org by Duccio Fallani <du...@tin.it> on 2003/05/15 16:35:26 UTC

apache2 + ssl + tomcat4.1.24 + mod_jk2

hi all,

When I use https with Apache2 client authentication all is ok,
but if I add CLIENT-CERT authentication on Tomcat I get this
error (from catalina.out):

May 15, 2003 1:28:12 PM org.apache.jk.server.JkCoyoteHandler action
SEVERE: Certificate convertion failed
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=89, too big.
         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:287)
         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)
         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
         at org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
         at org.apache.coyote.Response.action(Response.java:222)
         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)
         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
         at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
         at java.lang.Thread.run(Thread.java:536)
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=89, too big.
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:513)
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:487)
         at sun.security.util.DerValue.<init>(DerValue.java:233)
         at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:369)
         at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1568)
         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:284)
         ... 13 more

It seems that Coyote can't import the certificate from mod_jk2 because of an
invalid format...

any ideas ??

thanks....


My configuration is:

httpd.conf
----------------------------------------------------
<VirtualHost ....>
...
     LogLevel debug

     SSLEngine on
     SSLCertificateFile /usr/local/apache2/conf/ssl.crt/aaaa.pem
     SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/aaaa.decrypt
     SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/cacert.pem
     SSLVerifyDepth 5
     SSLProtocol +SSLv3 +TLSv1
     SSLCipherSuite ALL:!MD5:!DES:!ADH:!DSS:!EXP
     SSLOptions +FakeBasicAuth +ExportCertData +OptRenegotiate

     <Location "/admin">
         SSLVerifyClient require
         SSLRequireSSL
         AuthName           "SSL Authentication"
         AuthType           Basic
         AuthUserFile       /usr/local/apache2/conf/httpd.passwd
         require            valid-user
     </Location>

</VirtualHost>
----------------------------------------------------

worker2.properties
----------------------------------------------------
...

# define the worker
[ajp13:localhost:8009]
channel=channel.socket:localhost:8009

# Uri mapping
[uri:collabdev.bitlab.net/*.jsp]
worker=ajp13:localhost:8009
----------------------------------------------------


server.xml
----------------------------------------------------
...
     <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8009" minProcessors="5" maxProcessors="75"
                enableLookups="true" redirectPort="8443"
                acceptCount="10" debug="1" connectionTimeout="0"
                useURIValidationHack="false"
                protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler">
     </Connector>
...
----------------------------------------------------

web.xml
----------------------------------------------------
...
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Admin</web-resource-name>
       <url-pattern>/admin/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>admincert</role-name>
     </auth-constraint>
   </security-constraint>

   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
   </login-config>
...
----------------------------------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
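As an added diagnostic (not code from this thread, from mod_jk2 or from Tomcat), the script below reproduces the JDK's DER length rule that yields the "DerInputStream.getLength(): lengthTag=89, too big." message and classifies a client-certificate attribute handed from a reverse proxy to the application server as PEM, DER or malformed. The sample blobs are constructed: only the outer SEQUENCE header is realistic, the rest is padding.

```python
import base64
from typing import Tuple

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


class DerLengthError(ValueError):
    """Stands in for the IOException thrown by the JDK's DerInputStream.getLength()."""


def der_length(buf: bytes, offset: int) -> Tuple[int, int]:
    """Decode a DER length at buf[offset]; return (length, octets consumed). JDK rule:
    high bit clear is short form; otherwise the low 7 bits count the following length
    octets and more than 4 is 'too big', so lengthTag=89 means a length byte of 0xD9."""
    first = buf[offset]
    if first & 0x80 == 0:
        return first, 1
    n = first & 0x7F
    if n == 0:
        raise DerLengthError("indefinite length is not allowed in DER")
    if n > 4:
        raise DerLengthError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    return int.from_bytes(buf[offset + 1:offset + 1 + n], "big"), 1 + n


def pem_to_der(blob: bytes) -> bytes:
    """Strip the PEM armour and base64-decode; all whitespace is dropped first, so a
    certificate whose newlines were collapsed to spaces in transit still decodes."""
    body = blob.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    return base64.b64decode(b"".join(body.split()), validate=True)


def classify_cert_blob(blob: bytes) -> str:
    """Return 'pem', 'der', or a message saying why the blob cannot be a DER
    certificate (an X.509 Certificate is an outer SEQUENCE, tag byte 0x30)."""
    if blob.lstrip().startswith(PEM_HEADER):
        return "pem"
    if len(blob) < 2 or blob[0] != 0x30:
        return "not DER: first byte is not a SEQUENCE tag"
    try:
        length, used = der_length(blob, 1)
    except DerLengthError as exc:
        return f"DER error: {exc}"
    if 1 + used + length != len(blob):
        return f"DER error: header says {length} bytes, blob has {len(blob) - 1 - used}"
    return "der"


# Constructed samples: only the outer SEQUENCE header is realistic, the body is padding.
GOOD_DER = b"\x30\x82\x01\xf4" + b"\x00" * 0x1F4   # SEQUENCE, long-form length 500
BAD_BLOB = b"\x30\xd9" + b"\x00" * 8               # length byte 0xD9 -> lengthTag=89
PEM_BLOB = PEM_HEADER + b"\n" + base64.encodebytes(GOOD_DER) + PEM_FOOTER + b"\n"
FLAT_PEM = PEM_BLOB.replace(b"\n", b" ")           # newlines lost between proxy and app
```

Running classify_cert_blob on the attribute value the connector actually receives tells you whether the proxy forwarded PEM, DER, or something the certificate factory can never parse, before any identity is derived from it.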


Re: apache2 + ssl + tomcat4.1.24 + mod_jk2

Posted by Duccio Fallani <du...@bitlab.it>.
>
>I would have thought that SSL authentication was handled by Apache, not by 
>Tomcat. Which means that if you can get Apache to handle CLIENT-CERT 
>authentication alone (i.e. without Tomcat), just add Tomcat with no 
>special configurations.
>
>Or am I really off the mark here ? Gurus ?

thanks... but I need CLIENT-CERT in Tomcat because I must know WHO is the user
that is logging in !!!

Duccio




Re: apache2 + ssl + tomcat4.1.24 + mod_jk2

Posted by Chong Yu Meng <ch...@cymulacrum.net>.
Hi Duccio !

I would have thought that SSL authentication was handled by Apache, not 
by Tomcat. Which means that if you can get Apache to handle CLIENT-CERT 
authentication alone (i.e. without Tomcat), just add Tomcat with no 
special configurations.

Or am I really off the mark here ? Gurus ?

Regards,
pascal chong






Re: apache2 + ssl + tomcat4.1.24 + mod_jk2

Posted by Duccio Fallani <du...@tin.it>.
>There is a bug in tomcat-jk2.jar.   Check the archives for the jar file. 
>Or compile the CVS to get the tomcat-jk2.jar file.

Thank you very much, Mark !!! I solved the problem...

I've lost a week of work for this !!!!
Porc... @#§!$&! !!!!!

Duccio




Re: apache2 + ssl + tomcat4.1.24 + mod_jk2

Posted by "Mark W. Webb" <ma...@dolphtech.com>.
There is a bug in tomcat-jk2.jar. Check the archives for the jar file.
Or compile the CVS to get the tomcat-jk2.jar file.



Re: apache2 + ssl + tomcat4.1.24 + mod_jk2

Posted by Duccio Fallani <du...@tin.it>.
>When I use https with Apache2 client authentication all is ok,
>but if I add CLIENT-CERT authentication on Tomcat I got this
>error (from catalina.out):

I tried with mod_jk too, but it doesn't work !!!!

Duccio


