tomcat-dev mailing list archives

From Christophe Warland <cwa_mail...@mail.com>
Subject Re: mod_jk, SSL and client certs
Date Fri, 28 Jul 2000 18:49:41 GMT

You also need to add the SSL directives to your apache\conf\httpd.conf file. Here
are mine:

ErrorLog logs/ssl/error.log
TransferLog logs/ssl/access.log
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLVerifyClient optional
SSLCACertificateFile "C:/www/cert/ca.crt"
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLCertificateFile "C:/www/cert/server.crt"
SSLCertificateKeyFile "C:/www/cert/server.key"

Christophe Warland wrote:

> Hi Markus,
>
> I am happy my DLL worked for you. I copy the newsgroup on this reply because
> it might be helpful for someone else out there.
>
> I have been able to access the client certificate in Tomcat through the
> following settings (non-exhaustive list):
>
> - in tomcat/conf/server.xml, add the following:
>         <!-- Apache AJP13 support.  -->
>         <Connector className="org.apache.tomcat.service.PoolTcpConnector">
>             <Parameter name="handler"
>                        value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
>             <Parameter name="port" value="8009"/>
>         </Connector>
>
>         <!-- add your webapp -->
>         <Context path="/tintagel" docBase="c:/www/docs/cwarland.com/tintagel"
>                  debug="0" reloadable="true">
>         </Context>
>
> - in tomcat/conf/worker.properties:
>       worker.list=ajp12, ajp13
>       worker.ajp13.port=8009
>       worker.ajp13.host=localhost
>       worker.ajp13.type=ajp13
>
> - in apache/conf/httpd.conf:
> LoadModule jk_module modules/mod_jk.dll
> <IfModule mod_jk.c>
>   JkWorkersFile c:/www/conf/workers.properties
>   JkLogFile  logs/jk.log
>   JkLogLevel warn
>   JkMount /*.jsp ajp13
>   Alias /tintagel C:\www\docs\cwarland.com\tintagel
>   <Location /tintagel/WEB-INF/ >
>         AllowOverride None
>         deny from all
>   </Location>
>   JkMount /tintagel/cert ajp13
> </IfModule>
>
> - in C:\www\docs\cwarland.com\tintagel\WEB-INF\server.xml:
>     <servlet>
>         <servlet-name>
>             cert
>         </servlet-name>
>         <servlet-class>
>             com.s1.exc.test.https.CertServlet
>         </servlet-class>
>     </servlet>
>     <servlet-mapping>
>         <servlet-name>
>             cert
>         </servlet-name>
>         <url-pattern>
>             /cert
>         </url-pattern>
>     </servlet-mapping>
>
> - in com.s1.exc.test.https.CertServlet:
>     Object o = request.getAttribute("javax.servlet.request.X509Certificate");
>
> Depending on the Servlet engine, this object "o" might be a String
> (Tomcat3.2-dev), an X509Certificate (Netscape ES) or something else. I don't
> know what the current Tomcat3.2b2 returns because my code implicitly tests
> for the class name of "o" and does the appropriate transformation into an
> X509Certificate object without outputting any debug info.
>
> Good luck, and tell us how things are working for you!
>
> Cheers,
>
> Christophe
>
> Markus.Breilmann@tamgroup.com wrote:
>
> > Hi Christophe,
> >
> > that did it! Thanks for your help!
> >
> > Have you used SSL with mod_jk? The client certificate doesn't seem to get
> > passed through to Tomcat...
> >
> > Markus
> >
> > Markus Breilmann                        markus.breilmann@tamgroup.com
> > Director of Technology                           tel: +1.415.455.5770
> > The Tamalpais Group, Inc.                        fax: +1.415.455.5771
> > 11 Belle Avenue                                 web: www.tamgroup.com
> > CA 94960 San Anselmo, USA
> > PGP Fingerprint:             96E7 8096 E893 F6FD  A60B 97F3 7F5D 941D

--

--------------------------------------------------------------------
Christophe Warland                   S1 Corporation
R&T Engineer                         Technology Center
christophe.warland@s1.com            705 Westech Drive
Phone: +1 678 421-4015               Norcross, GA 30092
Fax:   +1 253 399-5709               U.S.A.
--------------------------------------------------------------------
   "If you're looney enough to run a file of unknown origin
 with a .vbs extension, that would be referred to as Darwinism."
       -- a Slashdot user, June 2000

Darwin Awards: http://www.darwinawards.com
Slashdot info: http://google.com/search?q=slashdot
VBS in action: http://google.com/search?q=vbs&btnI=I'm_feeling_lucky
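An added example (not code from either poster) showing how the CertServlet step in the quoted message can cope with the three shapes of the `javax.servlet.request.X509Certificate` attribute the thread mentions: a PEM String (Tomcat 3.2-dev), a single X509Certificate (Netscape ES), or the X509Certificate[] chain the Servlet specification defines. It assumes the javax.servlet 2.2+ API and Java 7+; the class name mirrors the one in the thread, and the PEM parsing relies on mod_ssl's `+ExportCertData` delivering the certificate as Base64 text with BEGIN/END CERTIFICATE markers.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CertServlet extends HttpServlet {
    static final String ATTR = "javax.servlet.request.X509Certificate";

    /** Normalise the container-specific attribute value into one X509Certificate (null if absent). */
    static X509Certificate toCertificate(Object o) throws CertificateException {
        if (o == null) return null;
        if (o instanceof X509Certificate[]) {            // Servlet 2.2+: chain, client cert first
            X509Certificate[] chain = (X509Certificate[]) o;
            return chain.length > 0 ? chain[0] : null;
        }
        if (o instanceof X509Certificate) return (X509Certificate) o;   // single object (Netscape ES per thread)
        if (o instanceof String) {                        // Tomcat 3.2-dev: PEM text forwarded by mod_jk
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            byte[] pem = ((String) o).getBytes(StandardCharsets.US_ASCII);
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(pem));
        }
        throw new CertificateException("unsupported attribute type: " + o.getClass().getName());
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        if (!req.isSecure()) { resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required"); return; }
        try {
            X509Certificate cert = toCertificate(req.getAttribute(ATTR));
            // SSLVerifyClient optional: the handshake succeeds without a client cert, so the attribute may be missing
            if (cert == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required"); return; }
            cert.checkValidity();   // mod_ssl already verified the chain; re-check dates in case the front end is misconfigured
            resp.setContentType("text/plain");
            resp.getWriter().println("Subject: " + cert.getSubjectDN());
            resp.getWriter().println("Issuer:  " + cert.getIssuerDN());
            resp.getWriter().println("Serial:  " + cert.getSerialNumber().toString(16));
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unusable client certificate: " + e.getMessage());
        }
    }
}
```

Tomcat accepts whatever SSL attributes arrive over AJP without re-verifying them, so the `worker.ajp13.port=8009` listener should be reachable only from the Apache host (the `host=localhost` setting above, plus a firewall rule).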
