httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Apache, mod_jk, client certificates, and Jetty
Date Tue, 28 Nov 2006 16:18:27 GMT
On 11/28/06, Lucuk, Pete <pete.lucuk@ngc.com> wrote:
> I did uncomment that earlier this morning...
>
>         SSLOptions +StdEnvVars +ExportCertData
>
> And it blew up Jetty, nice huh?

Not nice at all :-) But without that Apache won't put cert data to env
and mod_jk won't see it. What is Jetty? And what do you mean by "blew
it up"? Did you get any error messages?

>
> Could the way I am ordering things in httpd.conf and httpd-ssl.conf
> be throwing something off?

I don't think so.

>
> Where the httpd-ssl.conf comes first in the httpd.conf, before the
> actual mod_jk stuff?
>

I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it matters.

>
> Thanks for your responses, I appreciate your help
>
>
>
>
>
> >-----Original Message-----
> >From: Serge Dubrouski [mailto:sergeyfd@gmail.com]
> >Sent: Tuesday, November 28, 2006 10:53 AM
> >To: users@httpd.apache.org
> >Subject: Re: [users@httpd] Apache, mod_jk, client
> >certificates, and Jetty
> >
> >On 11/28/06, Lucuk, Pete <pete.lucuk@ngc.com> wrote:
> >>
> >> I am trying to perform the following...
> >>
> >>
> >> Browser_client_with_client_certificate<--https-->apache_with_mod_jk<--https-->Jetty
> >>
> >> Also, the browser client is passing a client certificate that I want
> >> Jetty to have access to perform A&A.
> >>
> >> Browser version = IE 6
> >> Apache version = 2.2.3
> >> Mod_jk version = 1.2.19
> >> Jetty version = 4.2.9
> >>
> >> I CAN get the full round trip working under HTTPS, that is not a
> >> problem.
> >> I CAN *** NOT *** get Jetty to have access to the client certificate,
> >> Jetty states that it can not find the client certificate.
> >>
> >> I am confident that Jetty is configured for AJP (round trip in HTTPS
> >> works) and client certificates (when the
> >> Browser_client_with_client_certificate hits it directly, it works).
> >>
> >>
> >> Not sure if it is a config thing on apache/mod_jk or what.
> >>
> >>
> >> Below is my Apache and mod_jk config, any ideas???...
> >>
> >> ###########################################################
> >> In my httpd.conf file I have the following...
> >>
> >> # Secure (SSL/TLS) connections
> >> Include conf/extra/httpd-ssl.conf
> >>
> >> <IfModule !mod_jk.c>
> >>
> >>   #LoadModule jk_module  modules/mod_jk.so
> >>   LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
> >>
> >> </IfModule>
> >>
> >>
> >> <IfModule mod_jk.c>
> >>
> >>   JkWorkersFile "conf/worker.properties"
> >>
> >>   JkLogFile "logs/mod_jk.log"
> >>
> >>   JkLogLevel info
> >>
> >>   JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
> >>
> >>   JkOptions +ForwardKeySize +ForwardURICompat
> >>
> >> JkExtractSSL On
> >> # What is the indicator for SSL (default is HTTPS)
> >> JkHTTPSIndicator HTTPS
> >> # What is the indicator for SSL session (default is SSL_SESSION_ID)
> >> JkSESSIONIndicator SSL_SESSION_ID
> >> # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
> >> JkCIPHERIndicator SSL_CIPHER
> >> # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
> >> JkCERTSIndicator SSL_CLIENT_CERT
> >>
> >> </IfModule>
> >>
> >> ###########################################################
> >> In my worker.properties I have...
> >>
> >> worker.list=jetty
> >>
> >> #worker.jetty.port=8009
> >> worker.jetty.port=5309
> >>
> >> worker.jetty.host=servera
> >>
> >> worker.jetty.type=ajp13
> >>
> >> worker.jetty.lbfactor=1
> >>
> >>
> >> ###########################################################
> >> In my httpd-ssl.conf I have...
> >>
> >> <VirtualHost _default_:5443>
> >>
> >> #SSLOptions +StdEnvVars +ExportCertData
> >
> >Uncomment this.
> >
> >>
> >> JkMount /* jetty
> >>
> >> #   General setup for the virtual host
> >> DocumentRoot "/data/dir/dir/tools/web/apache/server/htdocs"
> >> ServerName kftcsu14.ftc.lab:5443
> >> ServerAdmin you@example.com
> >> ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
> >> TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
> >>
> >> #   SSL Engine Switch:
> >> #   Enable/Disable SSL for this virtual host.
> >> SSLEngine on
> >>
> >> SSLProxyEngine on
> >>
> >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >>
> >> SSLCertificateFile /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
> >> SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
> >>
> >> SSLCACertificateFile /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
> >> SSLVerifyClient optional
> >>
> >>
> >> </VirtualHost>
> >>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> The official User-To-User support forum of the Apache HTTP
> >Server Project.
> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >>

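Added example, not part of the original message and not code from the Apache or mod_jk projects: a small Python check for the point made in the reply, that mod_jk only sees the client certificate when the SSL virtual host exports it with `SSLOptions +StdEnvVars +ExportCertData`. The sample vhost is constructed from the configuration quoted above; the function names and finding labels are hypothetical.

```python
# Constructed sample modelled on the vhost quoted in the thread (paths omitted).
BEFORE = """
<VirtualHost _default_:5443>
#SSLOptions +StdEnvVars +ExportCertData
JkMount /* jetty
SSLEngine on
SSLVerifyClient optional
</VirtualHost>
"""
AFTER = BEFORE.replace("#SSLOptions", "SSLOptions")

def findings(state):
    """Checks for one vhost; only vhosts that JkMount to a backend matter here."""
    out = []
    if not state["jk"]:
        return out
    if "exportcertdata" not in state["opts"]:
        out.append("no-ExportCertData: SSL_CLIENT_CERT is never set, mod_jk has no cert to forward")
    if "stdenvvars" not in state["opts"]:
        out.append("no-StdEnvVars: SSL_CIPHER / SSL_SESSION_ID are not in the environment")
    if state["verify"] != "require":
        out.append("verify-%s: requests without a certificate still reach the backend" % state["verify"])
    return out

def audit_vhosts(conf_text):
    """Return {vhost address: [findings]}. Vhost-level directives only, no <Location> merging."""
    results, addr, state = {}, None, None
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):   # commented-out directives are inactive
            continue
        name, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if name == "<virtualhost":
            addr, state = args.rstrip(">").strip(), {"opts": set(), "jk": False, "verify": "none"}
        elif name == "</virtualhost>" and addr is not None:
            results[addr], addr = findings(state), None
        elif addr is None:
            continue
        elif name == "jkmount":
            state["jk"] = True
        elif name == "sslverifyclient":
            state["verify"] = args.strip().lower()
        elif name == "ssloptions":
            toks = args.split()
            if not all(t[0] in "+-" for t in toks):  # any bare option replaces the inherited set
                state["opts"] = set()
            for t in toks:
                (state["opts"].discard if t[0] == "-" else state["opts"].add)(t.lstrip("+-").lower())
    return results

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_vhosts(conf))
```

With `SSLVerifyClient optional`, as in the quoted configuration, the backend has to treat a missing certificate as unauthenticated, because Apache will still forward such requests.
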