httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lucuk, Pete" <pete.lu...@ngc.com>
Subject RE: [users@httpd] Apache, mod_jk, client certificates, and Jetty
Date Tue, 28 Nov 2006 20:22:15 GMT
GOT IT TO WORK!!!

The old Jetty 4.2.9 server was blowing up when I sent the...

	ForwardKeySize

In httpd.conf...

	JkOptions +ForwardKeySize +ForwardURICompat


ForwardKeySize was not getting parsed in Jetty and was crapping out
Jetty when sent to it.

SO, I did this in the config...

	#JkOptions +ForwardKeySize +ForwardURICompat
	JkOptions +ForwardURICompat

And of course, turned on the exporting of the SSL env in
httpd-ssl.conf...

	SSLOptions +StdEnvVars +ExportCertData

And it is working, Jetty is getting the client certificate and
performing A&A based on it.

BUT, there is one thing I did forget about, currently the AJP port that
Jetty is listening on is NOT HTTPS, I am going to try that next, BUT, at
least I am making progress.

Hope the above helps someone when they are googling for answers

>-----Original Message-----
>From: Lucuk, Pete [mailto:pete.lucuk@ngc.com] 
>Sent: Tuesday, November 28, 2006 12:36 PM
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] Apache, mod_jk, client 
>certificates, and Jetty
>
> 
>
>>-----Original Message-----
>>From: Serge Dubrouski [mailto:sergeyfd@gmail.com]
>>Sent: Tuesday, November 28, 2006 12:08 PM
>>To: users@httpd.apache.org
>>Subject: Re: [users@httpd] Apache, mod_jk, client certificates, and 
>>Jetty
>>
>>On 11/28/06, Lucuk, Pete <pete.lucuk@ngc.com> wrote:
>>> >> Jetty = http://www.mortbay.org/
>>> >
>>> >Just for my curiosity: why do you need 3 Web servers: 
>>Apache -> JBoss
>>> >-> Jetty ? What Jetty does that JBoss can't do?
>>>
>>>
>>> Jetty is the HTTP servlet engine for Jboss.
>>>
>>> Just like Tomcat is the HTTP servelet engine for Jboss 4.x
>>
>>Got you. I thought you had JBoss with Tomcat + Jetty.
>
>Nope, the older Jbosx 3.07 exclusively used Jetty, Jetty 4.2.9 
>to be exact
>
>>
>>Then I'm not sure that it'd work at all because I'm not sure 
>that Jetty 
>>support AJP 1.3.
>
>It does, have confirmed with setting up mod_jk and doing HTTPS 
>round trips ( IE->Apache->Jetty->Apache-IE ).
>There is a index.html on Jetty that I am able to see via HTTPS 
>when using mod_jk.
>Jetty config file had an AJP port setting.
>
>IT is just when Jetty tries to get the client certificate in 
>Jetty that I begin to have peblems.
>
> Why not to upgrade JBoss and 
>>replace Jetty with Tomcat?
>
>
>Ahhhhh, yes, why not!  Well, I can't, we are running some COTS 
>software CRAP, and I do mean CRAP, that requires Jboss 3.0.7 
>and Jetty 4.2.9.
>
>
>I am going to try some more things this afternoon, if I get it 
>to work, I will post the fix.
>
>Thanks much for your time and help!
>
>>
>>>
>>> Without Jetty, or Tomcat for that matter, Jboss does not hav a HTTP 
>>> interface.
>>> Jboss is not web server by itself, it needs Tomcat, Jetty, etc. in 
>>> front of it to do the HTTP.
>>>
>>>
>>> >
>>> >>
>>> >> Jetty Server died, gave some bogus java error that told
>>you nothing
>>> >>
>>> >>
>>> >> >
>>> >> >>
>>> >> >> Could the way I have my ordering things in httpd.conf and 
>>> >> >> httpd-ssl.conf be throwing something off?
>>> >> >
>>> >> >I don't thinks so.
>>> >> >
>>> >> >>
>>> >> >> Where the httpd-ssl.conf comes first in the httpd.conf,
>>> >before the
>>> >> >> acutual mod_jk stuff?
>>> >> >>
>>> >> >
>>> >> >I'd put mod_jk stuff before mod_ssl stuff. But I don't
>>> >think that it
>>> >> >matters.
>>> >>
>>> >> I will try it and see if it works, once again, thank you
>>> >>
>>> >> >
>>> >> >>
>>> >> >> Thanks for your responses, I appreciate your help
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> >-----Original Message-----
>>> >> >> >From: Serge Dubrouski [mailto:sergeyfd@gmail.com]
>>> >> >> >Sent: Tuesday, November 28, 2006 10:53 AM
>>> >> >> >To: users@httpd.apache.org
>>> >> >> >Subject: Re: [users@httpd] Apache, mod_jk, client
>>certificates,
>>> >> >> >and Jetty
>>> >> >> >
>>> >> >> >On 11/28/06, Lucuk, Pete <pete.lucuk@ngc.com> wrote:
>>> >> >> >>
>>> >> >> >> I am trying to perform the following...
>>> >> >> >>
>>> >> >> >>
>>> >> >>
>>> >>
>>> 
>>>>>Browser_client_with_client_certificate<--https-->apache_with_mod_jk
>>> >>><
>>> >> >>-
>>> >> >> >-
>>> >> >> >> ht
>>> >> >> >> tps-->Jetty
>>> >> >> >>
>>> >> >> >> Also, the browser client is passing a client
>>> >certificate that I
>>> >> >> >> want Jetty to have access to perform A&A.
>>> >> >> >>
>>> >> >> >> Browser version = IE 6
>>> >> >> >> Apache version = 2.2.3
>>> >> >> >> Mod_jk version = 1.2.19
>>> >> >> >> Jetty version = 4.2.9
>>> >> >> >>
>>> >> >> >> I CAN get the full round trip working under HTTPS,
>>> >that is not a
>>> >> >> >> problem.
>>> >> >> >> I CAN *** NOT *** get Jetty to have access to the
client
>>> >> >> >certificate,
>>> >> >> >> Jetty states that it can not find the client certificate.
>>> >> >> >>
>>> >> >> >> I am confident that Jetty is configured for AJP 
>(round trip 
>>> >> >> >> in HTTPS work)and client certificates (when the 
>>> >> >> >> Browser_client_with_client_certificate hits it directly,
>>> >> >it works).
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Not sure if it is a config thing on apache/mod_jk
or what.
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Below is my Apache and mod_jk config, any ideas???...
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my httpd.conf file I have the following...
>>> >> >> >>
>>> >> >> >> # Secure (SSL/TLS) connections Include 
>>> >> >> >> conf/extra/httpd-ssl.conf
>>> >> >> >>
>>> >> >> >> <IfModule !mod_jk.c>
>>> >> >> >>
>>> >> >> >>   #LoadModule jk_module  modules/mod_jk.so
>>> >> >> >>   LoadModule jk_module
>>> >> >> >> modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
>>> >> >> >>
>>> >> >> >> </IfModule>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> <IfModule mod_jk.c>
>>> >> >> >>
>>> >> >> >>   JkWorkersFile "conf/worker.properties"
>>> >> >> >>
>>> >> >> >>   JkLogFile "logs/mod_jk.log"
>>> >> >> >>
>>> >> >> >>   JkLogLevel info
>>> >> >> >>
>>> >> >> >>   JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>>> >> >> >>
>>> >> >> >>   JkOptions +ForwardKeySize +ForwardURICompat
>>> >> >> >>
>>> >> >> >> JkExtractSSL On
>>> >> >> >> # What is the indicator for SSL (default is HTTPS)
>>> >> >JkHTTPSIndicator
>>> >> >> >> HTTPS # What is the indicator for SSL session (default
is
>>> >> >> >> SSL_SESSION_ID) JkSESSIONIndicator SSL_SESSION_ID
#
>>> >What is the
>>> >> >> >> indicator for client SSL cipher suit (default is
>>> >> >> >> SSL_CIPHER)
>>> >> >> >> JkCIPHERIndicator SSL_CIPHER # What is the 
>indicator for the 
>>> >> >> >> client SSL certificated
>>> >> >(default is
>>> >> >> >> SSL_CLIENT_CERT)
>>> >> >> >> JkCERTSIndicator SSL_CLIENT_CERT
>>> >> >> >>
>>> >> >> >> </IfModule>
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my worker.properties I have...
>>> >> >> >>
>>> >> >> >> worker.list=jetty
>>> >> >> >>
>>> >> >> >> #worker.jetty.port=8009
>>> >> >> >> worker.jetty.port=5309
>>> >> >> >>
>>> >> >> >> worker.jetty.host=servera
>>> >> >> >>
>>> >> >> >> worker.jetty.type=ajp13
>>> >> >> >>
>>> >> >> >> worker.jetty.lbfactor=1
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my httpd-ssl.conf I have...
>>> >> >> >>
>>> >> >> >> <VirtualHost _default_:5443>
>>> >> >> >>
>>> >> >> >> #SSLOptions +StdEnvVars +ExportCertData
>>> >> >> >
>>> >> >> >Uncomment this.
>>> >> >> >
>>> >> >> >>
>>> >> >> >> JkMount /* jetty
>>> >> >> >>
>>> >> >> >> #   General setup for the virtual host
>>> >> >> >> DocumentRoot "/data/dir/dir/tools/web/apache/server/htdocs"
>>> >> >> >> ServerName kftcsu14.ftc.lab:5443 ServerAdmin
>>you@example.com
>>> >> >> >> ErrorLog
>>/data/dir/dir/tools/web/apache/server/logs/error_log
>>> >> >> >> TransferLog
>>> >> >> >> /data/dir/dir/tools/web/apache/server/logs/access_log
>>> >> >> >>
>>> >> >> >> #   SSL Engine Switch:
>>> >> >> >> #   Enable/Disable SSL for this virtual host.
>>> >> >> >> SSLEngine on
>>> >> >> >>
>>> >> >> >> SSLProxyEngine on
>>> >> >> >>
>>> >> >> >> SSLCipherSuite
>>> >> >> >>
>>> >ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>> >> >> >>
>>> >> >> >> SSLCertificateFile
>>> >> >> >> /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
>>> >> >> >> SSLCertificateKeyFile
>>> >> >> >> /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
>>> >> >> >>
>>> >> >> >> SSLCACertificateFile
>>> >> >> >> /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
>>> >> >> >> SSLVerifyClient optional
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> </VirtualHost>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >>
>>> >> 
>>>------------------------------------------------------------------
>>> >> >-
>>> >> >> >> -- The official User-To-User support forum of the
>>Apache HTTP
>>> >> >> >Server Project.
>>> >> >> >> See <URL:http://httpd.apache.org/userslist.html>
>>for more info.
>>> >> >> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> >> >> >>    "   from the digest:
>>> >users-digest-unsubscribe@httpd.apache.org
>>> >> >> >> For additional commands, e-mail: 
>users-help@httpd.apache.org
>>> >> >> >>
>>> >> >> >>
>>> >> >> >
>>> >> >>
>>> >>
>>> 
>>>>>-------------------------------------------------------------------
>>> >>>-
>>> >> >>-
>>> >> >> >The official User-To-User support forum of the Apache
>>> >HTTP Server
>>> >> >> >Project.
>>> >> >> >See <URL:http://httpd.apache.org/userslist.html>
for
>>more info.
>>> >> >> >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> >> >> >   "   from the digest: 
>>users-digest-unsubscribe@httpd.apache.org
>>> >> >> >For additional commands, e-mail: users-help@httpd.apache.org
>>> >> >> >
>>> >> >> >
>>> >> >>
>>> >> >>
>>> >-------------------------------------------------------------------
>>> >> >> -- The official User-To-User support forum of the Apache HTTP
>>> >> >Server Project.
>>> >> >> See <URL:http://httpd.apache.org/userslist.html> for

>more info.
>>> >> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> >> >>    "   from the digest: 
>>users-digest-unsubscribe@httpd.apache.org
>>> >> >> For additional commands, e-mail: users-help@httpd.apache.org
>>> >> >>
>>> >> >>
>>> >> >
>>> >>
>>> 
>>>>--------------------------------------------------------------------
>>> >>-
>>> >> >The official User-To-User support forum of the Apache
>>HTTP Server
>>> >> >Project.
>>> >> >See <URL:http://httpd.apache.org/userslist.html> for more
info.
>>> >> >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> >> >   "   from the digest: 
>users-digest-unsubscribe@httpd.apache.org
>>> >> >For additional commands, e-mail: users-help@httpd.apache.org
>>> >> >
>>> >> >
>>> >>
>>> >> 
>>-------------------------------------------------------------------
>>> >> -- The official User-To-User support forum of the Apache HTTP
>>> >Server Project.
>>> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> >>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>> >> For additional commands, e-mail: users-help@httpd.apache.org
>>> >>
>>> >>
>>> >
>>> 
>>>---------------------------------------------------------------------
>>> >The official User-To-User support forum of the Apache HTTP Server 
>>> >Project.
>>> >See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>> >For additional commands, e-mail: users-help@httpd.apache.org
>>> >
>>> >
>>>
>>> 
>---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP
>>Server Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP Server 
>>Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message