Posted to users@tomcat.apache.org by Fredrik Lagerblad <fr...@ausystem.se> on 2002/08/27 19:37:25 UTC

Question/problem with AJP13Connector for Tomcat + IPlanet + SSL.

Hi All.

I'm in a project where we use IPlanet Web Server 4.1 together with Tomcat
4.0.4 using SSL, connecting them together with the nsapi_redirector and the
AJP13 Connector.

Initially we just couldn't get it to work using SSL: the AJPConnector stated
in the log that it couldn't convert the certificate supplied by the web
server.

After a lot of digging in the Connector's code, and modifying it to log
more, I found the problem.
The supplied certificate came base64-encoded (PEM) to the AJP13Connector,
but it seemed to expect a DER-encoded one.
(org.apache.ajp.RequestHandler.java:347, also see the snippet below)

Since it uses the standard "X509" CertificateFactory, which seems NOT (?!) to
support PEM/base64-encoded certificates, it failed to create the
certificate, and hence did not put it in the request.

I was able to solve it by modifying the implementation of the certificate
conversion routine:
first I simply check whether the certificate seems to be base64-encoded, and
if so decode it before letting the "standard code" generate the certificate.


With that little patch to the tomcat-ajp.jar, everything now works fine.
(I was also able to overcome the problem by adding a new Security Provider
that could decode PEM X509 certificates, but that's not a viable solution.)

So my question is: is this a bug in the Connector (i.e. the RequestHandler
class) that it cannot handle base64-encoded certificates, or is it IPlanet
(or the nsapi_redirector) that is supplying the certificate in the
wrong (base64) format?

Has anyone else experienced this?

I'd really prefer not to have to supply my own patch to Tomcat with every
distribution of our system, so any input or suggestions are welcome.



Best regards,
Fredrik.



[org.apache.ajp.RequestHandler.java:]
[...]

// Transform the string into certificate.
String certString = msg.getString();
byte[] certData = certString.getBytes();
ByteArrayInputStream bais = new ByteArrayInputStream(certData);

// Fill the first element.
X509Certificate jsseCerts[] = null;
try {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(bais);
    jsseCerts = new X509Certificate[1];
    jsseCerts[0] = cert;
} catch (java.security.cert.CertificateException e) {
    // On failure jsseCerts stays null and no certificate reaches the request.
    log("Certificate convertion failed" + e);
}

req.setAttribute("javax.servlet.request.X509Certificate", jsseCerts);

[...]


Fredrik Lagerblad
AU-System AB
Box 47612, 117 94 Stockholm
Tel. +46-8-5791 1114, Mobil +46-70-305 1114
Fax. +46-8-19 33 22
fredrik.lagerblad@ausystem.se
http://www.ausystem.se
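Added example (not the poster's actual patch, which is not shown in the message, nor Tomcat's own code) of the pre-decoding step described above: detect whether the certificate string from the AJP13 message is base64/PEM, decode it to DER, and only then hand it to the standard "X.509" CertificateFactory. It assumes java.util.Base64 (Java 8+); the class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/** Hypothetical helper: converts the AJP13 certificate string to X509Certificate[],
 *  accepting raw DER as well as base64 text with or without PEM armour. */
public final class AjpCertDecoder {

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END   = "-----END CERTIFICATE-----";

    /** True when the text consists only of base64 characters and whitespace.
     *  A DER certificate starts with 0x30 0x82 (SEQUENCE, long-form length);
     *  0x82 is outside the base64 alphabet, so raw DER never matches. */
    static boolean looksBase64(String s) {
        String t = s.trim();
        return t.startsWith(BEGIN) || (!t.isEmpty() && t.matches("[A-Za-z0-9+/=\\s]+"));
    }

    /** Returns DER bytes: strips PEM armour if present and base64-decodes,
     *  otherwise maps the string back to bytes unchanged (ISO-8859-1 is 1:1). */
    static byte[] toDer(String certString) {
        if (!looksBase64(certString)) {
            return certString.getBytes(StandardCharsets.ISO_8859_1);
        }
        String t = certString.trim();
        if (t.startsWith(BEGIN) && t.contains(END)) {
            t = t.substring(BEGIN.length(), t.lastIndexOf(END));
        }
        // MIME decoder ignores line breaks inside PEM bodies.
        return Base64.getMimeDecoder().decode(t);
    }

    /** Same contract as the connector's conversion: a one-element array,
     *  or null when the certificate cannot be parsed. */
    static X509Certificate[] convert(String certString) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(toDer(certString)));
            return new X509Certificate[] { cert };
        } catch (CertificateException | IllegalArgumentException e) {
            System.err.println("Certificate conversion failed: " + e);
            return null;
        }
    }
}
```

In the connector, `convert(msg.getString())` would replace the try block shown in the snippet, and the request attribute is set from its result as before.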
