Posted to users@tomcat.apache.org by Le...@cnm.co.uk on 2001/09/24 14:05:12 UTC

Tomcat 4.0 & Apache with Client Certs

Scenario

I have apache passing any calls to servlets through to Tomcat 4 via
the mod_webapp connector.
My Server certificate and my client certificates work fine to allow
specific users onto the system.

Problem....Problem....Problem....Problem....Problem....

In Tomcat 3.2.3 it was possible using AJP13 to access Client
Certificate information via
request.getAttribute("javax.servlet.request.X509Certificate") from
within my tomcat servlet. In Release 4.0 using the warp connector this
doesn't appear to be the case. When I debug/view my request object for
its attributes there are none present. No CIPHER_SUITE or
X509Certificate.

Please can someone tell me how I should be accessing client
certificate information from within Tomcat 4.0 via apache.

My System

Apache-ssl 1.3
Tomcat 4.0
mod_webapp.so
Linux Redhat 7.1

Here is an extract of my httpd.conf

<VirtualHost www.xxxxxxxxxx.co.uk:443>
        SSLEnable
        SSLCertificateFile /usr/local/ssl/www.xxxxxxx.crt
        SSLCertificateKeyFile /usr/local/ssl/www.xxxxxxx.key
        SSLCACertificateFile /usr/local/ssl/xxxxxxx.pem
        SSLVerifyClient 2
        SSLVerifyDepth 10
        SSLFakeBasicAuth
        SSLExportClientCertificates
        SSLCacheServerPort /usr/logs/gcache_port
        SSLCacheServerPath ./bin/gcache
        SSLSessionCacheTimeout 30
        SSLRequiredCiphers RC4-MD5
        SSLCacheServerPath ./bin/gcache
        SSLCacheServerPort logs/gcache_port
        SSLCacheServerRunDir /tmp
        Serveradmin xxxxxx@xxxxxx
        ServerName xxxxxxx
        WebAppConnection warpConnection warp localhost:8008
        WebAppDeploy testcert warpConnection /testcert/
</VirtualHost>

and my server.xml to receive the warp connector

  <!-- Define an Apache-Connector Service -->
  <Service name="Tomcat-Apache">

    <Connector className="org.apache.catalina.connector.warp.WarpConnector"
     port="8008" minProcessors="5" maxProcessors="75"
     enableLookups="true" scheme="https" secure="true"
     acceptCount="10" debug="0"/>

    <!--
     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
     clientAuth="false" protocol="TLS"/>
    -->

    <!-- Replace "localhost" with what your Apache "ServerName" is set
to -->
    <Engine className="org.apache.catalina.connector.warp.WarpEngine"
     name="Apache" defaultHost="localhost" debug="0"
appBase="webapps">
        .........

Any help or advice greatly appreciated

Lee Lovell


Re: Tomcat 4.0 & Apache with Client Certs

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Ricardo wrote:
> 
> This property is actually set to TRUE, but I can't get SSL properties.

Are you sure that the browser sends the CC?

Tomcat sends the list of acceptable CAs; if the CC is not signed by one of those
CAs (directly or through a chain), the browser won't send the CC.

Test with openssl:
openssl s_client -connect localhost:8443 -prexit
You should see something like:
+++
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Servic
+++

> 
> ============================
> Ricardo Borillo Domenech
> Programació - Servei d'Informàtica
> Universitat Jaume I
> ----- Original Message -----
> From: "Craig R. McClanahan" <cr...@apache.org>
> To: <to...@jakarta.apache.org>
> Sent: Tuesday, September 25, 2001 10:13 PM
> Subject: Re: Tomcat 4.0 & Apache with Client Certs
> 
> On Tue, 25 Sep 2001, Ricardo wrote:
> 
> > Date: Tue, 25 Sep 2001 12:54:45 +0200
> > From: Ricardo <bo...@si.uji.es>
> > Reply-To: tomcat-user@jakarta.apache.org
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: Tomcat 4.0 & Apache with Client Certs
> >
> > I'm using Tomcat 4.0 b5 standalone with client authentication.
> > In this situation Tomcat only exports information about the CIPHER_SUITE and
> > KEY_SIZE ... what about client certificate ?!?!?!
> >
> 
> Tomcat 4 (stand alone) will only export client certificates if you tell
> the SSL connector that you require them.  To do so, change the
> "clientAuth" property to "true".
> 
> > Thanks,
> > ============================
> > Ricardo Borillo Domenech
> > Programació - Servei d'Informàtica
> > Universitat Jaume I
> 
> Craig McClanahan

new to servlets,problem related to jdbc connection

Posted by nikhil Jain <ni...@wiproge.gsoi.med.ge.com>.
Hi all,

I am making the JDBC connection in the init method of the servlet, and then I am
passing the connection object in the bean's constructor, where I am using it to create
the statement and do the executeQuery stuff. The idea is to use one connection in the entire
project, but my problem is that I am able to pass the connection object, and the
statement object is also created, but when I make the call to executeQuery it
throws an exception from the execSQL() method (some internal function which is
called by executeQuery internally; it's not in my code).

But if I make the connection in the bean itself instead of passing it from the servlet
it works perfectly OK, but in that case
I will have to make a greater number of connections. I want to use only one
connection.

If anyone can suggest another way round, it would be a great help.

nikhil








-----Original Message-----
From: Ricardo [mailto:borillo@si.uji.es]
Sent: Wednesday, September 26, 2001 12:13 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: Tomcat 4.0 & Apache with Client Certs


This property is actually set to TRUE, but I can't get SSL properties.

============================
Ricardo Borillo Domenech
Programació - Servei d'Informàtica
Universitat Jaume I
----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: <to...@jakarta.apache.org>
Sent: Tuesday, September 25, 2001 10:13 PM
Subject: Re: Tomcat 4.0 & Apache with Client Certs




On Tue, 25 Sep 2001, Ricardo wrote:

> Date: Tue, 25 Sep 2001 12:54:45 +0200
> From: Ricardo <bo...@si.uji.es>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Tomcat 4.0 & Apache with Client Certs
>
> I'm using Tomcat 4.0 b5 standalone with client authentication.
> In this situation Tomcat only exports information about the CIPHER_SUITE and
> KEY_SIZE ... what about client certificate ?!?!?!
>

Tomcat 4 (stand alone) will only export client certificates if you tell
the SSL connector that you require them.  To do so, change the
"clientAuth" property to "true".

> Thanks,
> ============================
> Ricardo Borillo Domenech
> Programació - Servei d'Informàtica
> Universitat Jaume I

Craig McClanahan


Re: Tomcat 4.0 & Apache with Client Certs

Posted by Ricardo <bo...@si.uji.es>.
This property is actually set to TRUE, but I can't get SSL properties.

============================
Ricardo Borillo Domenech
Programació - Servei d'Informàtica
Universitat Jaume I
----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: <to...@jakarta.apache.org>
Sent: Tuesday, September 25, 2001 10:13 PM
Subject: Re: Tomcat 4.0 & Apache with Client Certs




On Tue, 25 Sep 2001, Ricardo wrote:

> Date: Tue, 25 Sep 2001 12:54:45 +0200
> From: Ricardo <bo...@si.uji.es>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Tomcat 4.0 & Apache with Client Certs
>
> I'm using Tomcat 4.0 b5 standalone with client authentication.
> In this situation Tomcat only exports information about the CIPHER_SUITE and
> KEY_SIZE ... what about client certificate ?!?!?!
>

Tomcat 4 (stand alone) will only export client certificates if you tell
the SSL connector that you require them.  To do so, change the
"clientAuth" property to "true".

> Thanks,
> ============================
> Ricardo Borillo Domenech
> Programació - Servei d'Informàtica
> Universitat Jaume I

Craig McClanahan




Re: Tomcat 4.0 & Apache with Client Certs

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 25 Sep 2001, Ricardo wrote:

> Date: Tue, 25 Sep 2001 12:54:45 +0200
> From: Ricardo <bo...@si.uji.es>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Tomcat 4.0 & Apache with Client Certs
>
> I'm using Tomcat 4.0 b5 standalone with client authentication.
> In this situation Tomcat only exports information about the CIPHER_SUITE and
> KEY_SIZE ... what about client certificate ?!?!?!
>

Tomcat 4 (stand alone) will only export client certificates if you tell
the SSL connector that you require them.  To do so, change the
"clientAuth" property to "true".

> Thanks,
> ============================
> Ricardo Borillo Domenech
> Programació - Servei d'Informàtica
> Universitat Jaume I

Craig McClanahan


Re: Tomcat 4.0 & Apache with Client Certs

Posted by Ricardo <bo...@si.uji.es>.
I'm using Tomcat 4.0 b5 standalone with client authentication.
In this situation Tomcat only exports information about the CIPHER_SUITE and
KEY_SIZE ... what about client certificate ?!?!?!

Thanks,
============================
Ricardo Borillo Domenech
Programació - Servei d'Informàtica
Universitat Jaume I
----- Original Message -----
From: "Matias Bahlenberg" <ma...@itec.se>
To: <to...@jakarta.apache.org>
Sent: Tuesday, September 25, 2001 10:23 AM
Subject: Re: Tomcat 4.0 & Apache with Client Certs


Hi,

I have tried to get the client certificate information too, but with no
success. I use Apache 1.3.19 with Tomcat 4.0.

I have been told that when using a connector with Apache & mod_ssl it is
essential to specify "SSLOptions +StdEnvVars +ExportCertData". Otherwise
mod_ssl will not produce the necessary environment variables for the
connector.

When I use a connector to JRun, I use the below code to get the
client-information:
---------------------------------------------------------------------------------------------------
java.security.cert.X509Certificate certApache = null;
String certData = request.getHeader("SSL_CLIENT_CERT");
if(certData!=null) {
ByteArrayInputStream inStream  = new ByteArrayInputStream(certData.getBytes());
java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
certApache = (java.security.cert.X509Certificate)cf.generateCertificate(inStream);
inStream.close();
}

if(certApache!=null) {
certSubject      = certApache.getSubjectDN().getName();
certIssuer       = certApache.getIssuerDN().getName();
certSerialNumber = certApache.getSerialNumber().toString();
}
---------------------------------------------------------------------------------------------------

Unfortunately, it seems like the mod_webapp connector (warp) does not
support the export of client certificate information. They have told me that
Tomcat 4.0 can be accessed by using mod_jk (ajp13) as a connector. I
have not got it working yet.

If someone makes it work, please let me (us) know....and how!!!

// Matias


----- Original Message -----
From: <Le...@cnm.co.uk>
To: <to...@jakarta.apache.org>
Sent: Monday, September 24, 2001 5:58 PM
Subject: Tomcat 4.0 & Apache with Client Certs


> Scenario
>
> I have apache passing any calls to servlets through to Tomcat 4 via
> the mod_webapp connector.
> My Server certificate and my client certificates work fine to allow
> specific users onto the system.
>
> Problem....Problem....Problem....Problem....Problem....
>
> In Tomcat 3.2.3 it was possible using AJP13 to access Client
> Certificate information via
> request.getAttribute("javax.servlet.request.X509Certificate") from
> within my tomcat servlet. In Release 4.0 using the warp connector this
> doesn't appear to be the case. When I debug/view my request object for
> its attributes there are none present. No CIPHER_SUITE or
> X509Certificate.
>
> Please can someone tell me how I should be accessing client
> certificate information from within Tomcat 4.0 via apache.
>
> My System
>
> Apache-ssl 1.3
> Tomcat 4.0
> mod_webapp.so
> Linux Redhat 7.1
>
> Here is an extract of my httpd.conf
>
> <VirtualHost www.xxxxxxxxxx.co.uk:443>
>         SSLEnable
>         SSLCertificateFile /usr/local/ssl/www.xxxxxxx.crt
>         SSLCertificateKeyFile /usr/local/ssl/www.xxxxxxx.key
>         SSLCACertificateFile /usr/local/ssl/xxxxxxx.pem
>         SSLVerifyClient 2
>         SSLVerifyDepth 10
>         SSLFakeBasicAuth
>         SSLExportClientCertificates
>         SSLCacheServerPort /usr/logs/gcache_port
>         SSLCacheServerPath ./bin/gcache
>         SSLSessionCacheTimeout 30
>         SSLRequiredCiphers RC4-MD5
>         SSLCacheServerPath ./bin/gcache
>         SSLCacheServerPort logs/gcache_port
>         SSLCacheServerRunDir /tmp
>         Serveradmin xxxxxx@xxxxxx
>         ServerName xxxxxxx
>         WebAppConnection warpConnection warp localhost:8008
>         WebAppDeploy testcert warpConnection /testcert/
> </VirtualHost>
>
> and my server.xml to receive the warp connector
>
>   <!-- Define an Apache-Connector Service -->
>   <Service name="Tomcat-Apache">
>
>     <Connector className="org.apache.catalina.connector.warp.WarpConnector"
>      port="8008" minProcessors="5" maxProcessors="75"
>      enableLookups="true" scheme="https" secure="true"
>      acceptCount="10" debug="0"/>
>
>     <!--
>      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>      clientAuth="false" protocol="TLS"/>
>     -->
>
>     <!-- Replace "localhost" with what your Apache "ServerName" is set
> to -->
>     <Engine className="org.apache.catalina.connector.warp.WarpEngine"
>      name="Apache" defaultHost="localhost" debug="0"
> appBase="webapps">
>         .........
>
> Any help or advice greatly appreciated
>
> Lee Lovell
>




Re: Tomcat 4.0 & Apache with Client Certs

Posted by Matias Bahlenberg <ma...@itec.se>.
Hi,

I have tried to get the client certificate information too, but with no success. I use Apache 1.3.19 with Tomcat 4.0.

I have been told that when using a connector with Apache & mod_ssl it is essential to specify "SSLOptions +StdEnvVars +ExportCertData". Otherwise mod_ssl will not produce the necessary environment variables for the connector.

When I use a connector to JRun, I use the below code to get the client-information:
---------------------------------------------------------------------------------------------------
// Declarations the snippet assumes are already in scope.
String certSubject = null, certIssuer = null, certSerialNumber = null;

// JRun passes the PEM-encoded client certificate that mod_ssl exports
// (SSLOptions +ExportCertData) as the SSL_CLIENT_CERT request header.
// generateCertificate throws java.security.cert.CertificateException,
// which the enclosing method must declare or catch.
java.security.cert.X509Certificate certApache = null;
String certData = request.getHeader("SSL_CLIENT_CERT");
if (certData != null) {
    // PEM is ASCII, so the platform default charset is safe here.
    java.io.ByteArrayInputStream inStream = new java.io.ByteArrayInputStream(certData.getBytes());
    java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
    certApache = (java.security.cert.X509Certificate) cf.generateCertificate(inStream);
    inStream.close();
}

if (certApache != null) {
    certSubject      = certApache.getSubjectDN().getName();
    certIssuer       = certApache.getIssuerDN().getName();
    certSerialNumber = certApache.getSerialNumber().toString();
}
---------------------------------------------------------------------------------------------------

Unfortunately, it seems like the mod_webapp connector (warp) does not support the export of client certificate information. They have told me that Tomcat 4.0 can be accessed by using mod_jk (ajp13) as a connector. I have not got it working yet.

If someone makes it work, please let me (us) know....and how!!!

// Matias


----- Original Message ----- 
From: <Le...@cnm.co.uk>
To: <to...@jakarta.apache.org>
Sent: Monday, September 24, 2001 5:58 PM
Subject: Tomcat 4.0 & Apache with Client Certs


> Scenario
> 
> I have apache passing any calls to servlets through to Tomcat 4 via
> the mod_webapp connector.
> My Server certificate and my client certificates work fine to allow
> specific users onto the system.
> 
> Problem....Problem....Problem....Problem....Problem....
> 
> In Tomcat 3.2.3 it was possible using AJP13 to access Client
> Certificate information via
> request.getAttribute("javax.servlet.request.X509Certificate") from
> within my tomcat servlet. In Release 4.0 using the warp connector this
> doesn't appear to be the case. When I debug/view my request object for
> its attributes there are none present. No CIPHER_SUITE or
> X509Certificate.
> 
> Please can someone tell me how I should be accessing client
> certificate information from within Tomcat 4.0 via apache.
> 
> My System
> 
> Apache-ssl 1.3
> Tomcat 4.0
> mod_webapp.so
> Linux Redhat 7.1
> 
> Here is an extract of my httpd.conf
> 
> <VirtualHost www.xxxxxxxxxx.co.uk:443>
>         SSLEnable
>         SSLCertificateFile /usr/local/ssl/www.xxxxxxx.crt
>         SSLCertificateKeyFile /usr/local/ssl/www.xxxxxxx.key
>         SSLCACertificateFile /usr/local/ssl/xxxxxxx.pem
>         SSLVerifyClient 2
>         SSLVerifyDepth 10
>         SSLFakeBasicAuth
>         SSLExportClientCertificates
>         SSLCacheServerPort /usr/logs/gcache_port
>         SSLCacheServerPath ./bin/gcache
>         SSLSessionCacheTimeout 30
>         SSLRequiredCiphers RC4-MD5
>         SSLCacheServerPath ./bin/gcache
>         SSLCacheServerPort logs/gcache_port
>         SSLCacheServerRunDir /tmp
>         Serveradmin xxxxxx@xxxxxx
>         ServerName xxxxxxx
>         WebAppConnection warpConnection warp localhost:8008
>         WebAppDeploy testcert warpConnection /testcert/
> </VirtualHost>
> 
> and my server.xml to receive the warp connector
> 
>   <!-- Define an Apache-Connector Service -->
>   <Service name="Tomcat-Apache">
> 
>     <Connector className="org.apache.catalina.connector.warp.WarpConnector"
>      port="8008" minProcessors="5" maxProcessors="75"
>      enableLookups="true" scheme="https" secure="true"
>      acceptCount="10" debug="0"/>
> 
>     <!--
>      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>      clientAuth="false" protocol="TLS"/>
>     -->
> 
>     <!-- Replace "localhost" with what your Apache "ServerName" is set
> to -->
>     <Engine className="org.apache.catalina.connector.warp.WarpEngine"
>      name="Apache" defaultHost="localhost" debug="0"
> appBase="webapps">
>         .........
> 
> Any help or advice greatly appreciated
> 
> Lee Lovell
> 
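The servlet below is an added example written for this thread; it is not code from Tomcat, JRun or any of the posters. It brings together the two routes to the client certificate that the thread describes: the Servlet-spec request attribute javax.servlet.request.X509Certificate that Lee read under AJP13 and that Craig says standalone Tomcat 4 only fills in when the SSL connector has clientAuth="true", and the SSL_CLIENT_CERT header that Matias's JRun snippet parses after mod_ssl exports it with SSLOptions +ExportCertData. The header name, the caCertFile init-param and the servlet class name are assumptions of the example; the CA signature check and the re-wrapping of the PEM body (the header may arrive with its line breaks collapsed to spaces) are additions that none of the snippets in the thread perform.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: obtains the client certificate from either source the thread
// discusses and verifies it against the CA before trusting anything in it.
public class ClientCertServlet extends HttpServlet {

    // Servlet-spec attribute; the container sets an X509Certificate[] with the client cert first.
    private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    // Header carrying the PEM client cert exported by mod_ssl (+ExportCertData); assumed name.
    private static final String CERT_HEADER = "SSL_CLIENT_CERT";

    private X509Certificate caCert;   // the CA that must have signed the client certificate

    public void init() throws ServletException {
        // "caCertFile" is a hypothetical init-param naming the CA certificate file (PEM or DER).
        String path = getInitParameter("caCertFile");
        try {
            InputStream in = new FileInputStream(path);
            try {
                caCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            } finally {
                in.close();
            }
        } catch (Exception e) {
            throw new ServletException("cannot load CA certificate from " + path, e);
        }
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate cert = clientCertificate(request);
        if (cert == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "no client certificate presented");
            return;
        }
        try {
            cert.checkValidity();                // rejects expired or not-yet-valid certificates
            cert.verify(caCert.getPublicKey());  // signed by our CA, not merely carrying a familiar DN
        } catch (GeneralSecurityException e) {
            log("rejected client certificate " + cert.getSubjectDN() + ": " + e);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate rejected");
            return;
        }
        log("accepted client certificate subject=" + cert.getSubjectDN()
            + " serial=" + cert.getSerialNumber());
        response.setContentType("text/plain");
        response.getWriter().println("Hello " + cert.getSubjectDN().getName());
    }

    // Returns the client certificate from the spec attribute, else from the PEM header, else null.
    static X509Certificate clientCertificate(HttpServletRequest request) throws ServletException {
        Object attr = request.getAttribute(CERT_ATTRIBUTE);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            return chain.length > 0 ? chain[0] : null;
        }
        if (attr instanceof X509Certificate) {   // some containers set a single certificate
            return (X509Certificate) attr;
        }
        String pem = request.getHeader(CERT_HEADER);
        return pem == null ? null : parsePem(pem);
    }

    // Parses a PEM certificate whose line breaks may have been turned into spaces on the way
    // through the connector; the base64 body is re-wrapped at 64 columns before decoding.
    static X509Certificate parsePem(String pem) throws ServletException {
        String begin = "-----BEGIN CERTIFICATE-----", end = "-----END CERTIFICATE-----";
        int start = pem.indexOf(begin), stop = pem.indexOf(end);
        if (start < 0 || stop < start) {
            throw new ServletException(CERT_HEADER + " does not contain a PEM certificate");
        }
        String raw = pem.substring(start + begin.length(), stop);
        StringBuffer body = new StringBuffer();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (Character.isWhitespace(c)) continue;
            body.append(c);
            if (body.length() % 65 == 64) body.append('\n');
        }
        String normalised = begin + "\n" + body.toString().trim() + "\n" + end + "\n";
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            // PEM is plain ASCII, so the platform default charset is safe here.
            return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(normalised.getBytes()));
        } catch (GeneralSecurityException e) {
            throw new ServletException("cannot parse " + CERT_HEADER, e);
        }
    }
}
```

Whichever path supplies the certificate, the servlet does not stop at reading the subject DN: it checks the validity period and verifies the signature against the configured CA, so a certificate with a look-alike DN issued by some other CA is rejected even though mod_ssl or the connector handed it over. The header path is only sound when the connector port is reachable from the front-end Apache alone, because whatever can reach Tomcat directly can set that header itself; keep port 8008 (or the AJP13 port, if you move to mod_jk as jean-frederic suggests) closed to everything but the web server.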


Re: Tomcat 4.0 & Apache with Client Certs

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Lee.Lovell@cnm.co.uk wrote:
> 
> Scenario
> 
> I have apache passing any calls to servlets through to Tomcat 4 via
> the mod_webapp connector.
> My Server certificate and my client certificates work fine to allow
> specific users onto the system.
> 
> Problem....Problem....Problem....Problem....Problem....
> 
> In Tomcat 3.2.3 it was possible using AJP13 to access Client
> Certificate information via
> request.getAttribute("javax.servlet.request.X509Certificate") from
> within my tomcat servlet. In Release 4.0 using the warp connector this
> doesn't appear to be the case. When I debug/view my request object for
> its attributes there are none present. No CIPHER_SUITE or
> X509Certificate.

Try with mod_jk of jakarta-tomcat-connectors (SSL is not yet supported in
mod_webapp).

> 
> Please can someone tell me how I should be accessing client
> certificate information from within Tomcat 4.0 via apache.
> 
> My System
> 
> Apache-ssl 1.3
> Tomcat 4.0
> mod_webapp.so
> Linux Redhat 7.1
> 
> Here is an extract of my httpd.conf
> 
> <VirtualHost www.xxxxxxxxxx.co.uk:443>
>         SSLEnable
>         SSLCertificateFile /usr/local/ssl/www.xxxxxxx.crt
>         SSLCertificateKeyFile /usr/local/ssl/www.xxxxxxx.key
>         SSLCACertificateFile /usr/local/ssl/xxxxxxx.pem
>         SSLVerifyClient 2
>         SSLVerifyDepth 10
>         SSLFakeBasicAuth
>         SSLExportClientCertificates
>         SSLCacheServerPort /usr/logs/gcache_port
>         SSLCacheServerPath ./bin/gcache
>         SSLSessionCacheTimeout 30
>         SSLRequiredCiphers RC4-MD5
>         SSLCacheServerPath ./bin/gcache
>         SSLCacheServerPort logs/gcache_port
>         SSLCacheServerRunDir /tmp
>         Serveradmin xxxxxx@xxxxxx
>         ServerName xxxxxxx
>         WebAppConnection warpConnection warp localhost:8008
>         WebAppDeploy testcert warpConnection /testcert/
> </VirtualHost>
> 
> and my server.xml to receive the warp connector
> 
>   <!-- Define an Apache-Connector Service -->
>   <Service name="Tomcat-Apache">
> 
>     <Connector className="org.apache.catalina.connector.warp.WarpConnector"
>      port="8008" minProcessors="5" maxProcessors="75"
>      enableLookups="true" scheme="https" secure="true"
>      acceptCount="10" debug="0"/>
> 
>     <!--
>      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>      clientAuth="false" protocol="TLS"/>
>     -->
> 
>     <!-- Replace "localhost" with what your Apache "ServerName" is set
> to -->
>     <Engine className="org.apache.catalina.connector.warp.WarpEngine"
>      name="Apache" defaultHost="localhost" debug="0"
> appBase="webapps">
>         .........
> 
> Any help or advice greatly appreciated
> 
> Lee Lovell