Posted to dev@tomcat.apache.org by Ma...@tamgroup.com on 2000/07/28 02:17:24 UTC

mod_jk, SSL and client certs

Hi everyone,

it seems I'm not the only one who needs SSL with Tomcat (looking at earlier
postings). In that context I have several related problems:

I was trying to configure the mod_jk DLL on a Windows NT machine but it
wouldn't work (error message: the application or DLL is not a valid
Windows NT image). I am trying to run it within the IBM HTTP server
(which basically is the Apache server) because I want to use SSL with
servlets for client authentication.

I remember having similar problems with the JServ DLL a while ago until
somebody posted a zipped version of the DLL on the download site. Is
there a chance that the file got corrupted during the upload or download
process? Could somebody zip and post the mod_jk DLL to Apache's Web site
(or mail me a working one since I don't have MS VC++ 6)?

What I want to do eventually is to use the Apache server as a gateway to
pass the SSL client certificate to my servlet. Does anybody have any sample
code for working with certificates in a servlet?

Any help would be appreciated,

Markus

=====================================================================
This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information. Any
unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message
=====================================================================
Markus Breilmann                        markus.breilmann@tamgroup.com
Director of Technology                           tel: +1.415.455.5770
The Tamalpais Group, Inc.                        fax: +1.415.455.5771
11 Belle Avenue                                 web: www.tamgroup.com
CA 94960 San Anselmo, USA
PGP Fingerprint:             96E7 8096 E893 F6FD  A60B 97F3 7F5D 941D


Re: mod_jk, SSL and client certs

Posted by Christophe Warland <cw...@mail.com>.
You also need to add the SSL directives to your apache\conf\httpd.conf file. Here
are mine:

ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLVerifyClient optional
SSLCACertificateFile "C:/www/cert/ca.crt"
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLCertificateFile "C:/www/cert/server.crt"
SSLCertificateKeyFile "C:/www/cert/server.key"


--

--------------------------------------------------------------------
Christophe Warland                   S1 Corporation
R&T Engineer                         Technology Center
christophe.warland@s1.com            705 Westech Drive
Phone: +1 678 421-4015               Norcross, GA 30092
Fax:   +1 253 399-5709               U.S.A.
--------------------------------------------------------------------
   "If you're looney enough to run a file of unknown origin
 with a .vbs extension, that would be referred to as Darwinism."
       -- a Slashdot user, June 2000

Darwin Awards: http://www.darwinawards.com
Slashdot info: http://google.com/search?q=slashdot
VBS in action: http://google.com/search?q=vbs&btnI=I'm_feeling_lucky



Re: mod_jk, SSL and client certs

Posted by Christophe Warland <cw...@mail.com>.
Hi Markus,

I am happy my DLL worked for you. I copy the newsgroup on this reply because
it might be helpful for someone else out there.

I have been able to access the client certificate in Tomcat through the
following settings (non-exhaustive list):

- in tomcat/conf/server.xml, add the following:
        <!-- Apache AJP13 support.  -->
        <Connector className="org.apache.tomcat.service.PoolTcpConnector">
            <Parameter name="handler"
       value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
            <Parameter name="port" value="8009"/>
        </Connector>

        <!-- add your webapp -->
        <Context path="/tintagel" docBase="c:/www/docs/cwarland.com/tintagel"
debug="0" reloadable="true" >
        </Context>

- in tomcat/conf/worker.properties:
      worker.list=ajp12, ajp13
      worker.ajp13.port=8009
      worker.ajp13.host=localhost
      worker.ajp13.type=ajp13

- in apache/conf/httpd.conf:
LoadModule jk_module modules/mod_jk.dll
<IfModule mod_jk.c>
  JkWorkersFile c:/www/conf/workers.properties
  JkLogFile  logs/jk.log
  JkLogLevel warn
  JkMount /*.jsp ajp13
  Alias /tintagel C:\www\docs\cwarland.com\tintagel
  <Location /tintagel/WEB-INF/ >
        AllowOverride None
        deny from all
  </Location>
  JkMount /tintagel/cert ajp13
</IfModule>

- in C:\www\docs\cwarland.com\tintagel\WEB-INF\server.xml:
    <servlet>
        <servlet-name>
            cert
        </servlet-name>
        <servlet-class>
            com.s1.exc.test.https.CertServlet
        </servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>
            cert
        </servlet-name>
        <url-pattern>
            /cert
        </url-pattern>
    </servlet-mapping>

- in com.s1.exc.test.https.CertServlet:
    Object o = request.getAttribute("javax.servlet.request.X509Certificate");

Depending on the Servlet engine, this object "o" might be a String
(Tomcat3.2-dev), an X509Certificate (Netscape ES) or something else. I don't
know what the current Tomcat3.2b2 returns because my code implicitly tests
for the class name of "o" and does the appropriate transformation into an
X509Certificate object without outputting any debug info.

Good luck, and tell us how things are working for you!

Cheers,

Christophe


Markus.Breilmann@tamgroup.com wrote:

> Hi Christophe,
>
> that did it! Thanks for your help!
>
> Have you used SSL with mod_jk? The client certificate doesn't seem to get
> passed through to Tomcat...
>
> Markus
>


Re: mod_jk, SSL and client certs

Posted by Christophe Warland <cw...@mail.com>.
I also noticed that the mod_jk DLL was corrupted when I downloaded it through
Netscape. I thought I would have to try with other tools but didn't care much
because I already have my own working version, built one month ago. I am
emailing it to you in a private email.

I am using the webserver 1.0 release from www.opensa.org. Unfortunately, their
site has been down for the last couple of days/weeks.

Christophe

