tomcat-users mailing list archives

From Chong Yu Meng <chon...@cymulacrum.net>
Subject Re: apache2 + ssl + tomcat4.1.24 + mod_jk2
Date Thu, 15 May 2003 15:01:01 GMT
Hi Duccio!

I would have thought that SSL authentication was handled by Apache, not 
by Tomcat. Which means that if you can get Apache to handle CLIENT-CERT 
authentication alone (i.e. without Tomcat), just add Tomcat with no 
special configurations.

Or am I really off the mark here? Gurus?

Regards,
pascal chong




Duccio Fallani wrote:

> hi all,
>
> When I use https with Apache2 client authentication all is ok,
> but if I add CLIENT-CERT authentication on Tomcat I got this
> error (from catalina.out):
>
> May 15, 2003 1:28:12 PM org.apache.jk.server.JkCoyoteHandler action
> SEVERE: Certificate convertion failed
> java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=89, too big.
>         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:287)
>         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)
>         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
>         at org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
>         at org.apache.coyote.Response.action(Response.java:222)
>         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)
>         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
>         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
>         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
>         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
>         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
>         at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
>         at java.lang.Thread.run(Thread.java:536)
> Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=89, too big.
>         at sun.security.util.DerInputStream.getLength(DerInputStream.java:513)
>         at sun.security.util.DerInputStream.getLength(DerInputStream.java:487)
>         at sun.security.util.DerValue.<init>(DerValue.java:233)
>         at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:369)
>         at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1568)
>         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:284)
>         ... 13 more
>
> It seems that Coyote can't import the certificate from mod_jk2 because of an
> invalid format...
>
> Any ideas?
>
> thanks....
>
>
> My configuration is:
>
> httpd.conf
> ----------------------------------------------------
> <VirtualHost ....>
> ...
>     LogLevel debug
>
>     SSLEngine on
>     SSLCertificateFile /usr/local/apache2/conf/ssl.crt/aaaa.pem
>     SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/aaaa.decrypt
>     SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/cacert.pem
>     SSLVerifyDepth 5
>     SSLProtocol +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!MD5:!DES:!ADH:!DSS:!EXP
>     SSLOptions +FakeBasicAuth +ExportCertData +OptRenegotiate
>
>     <Location "/admin">
>         SSLVerifyClient require
>         SSLRequireSSL
>         AuthName           "SSL Authentication"
>         AuthType           Basic
>         AuthUserFile       /usr/local/apache2/conf/httpd.passwd
>         require            valid-user
>     </Location>
>
> </VirtualHost>
> ----------------------------------------------------
>
> worker2.properties
> ----------------------------------------------------
> ...
>
> # define the worker
> [ajp13:localhost:8009]
> channel=channel.socket:localhost:8009
>
> # Uri mapping
> [uri:collabdev.bitlab.net/*.jsp]
> worker=ajp13:localhost:8009
> ----------------------------------------------------
>
>
> server.xml
> ----------------------------------------------------
> ...
>     <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8009" minProcessors="5" maxProcessors="75"
>                enableLookups="true" redirectPort="8443"
>                acceptCount="10" debug="1" connectionTimeout="0"
>                useURIValidationHack="false"
>                protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler">
>     </Connector>
> ...
> ----------------------------------------------------
>
> web.xml
> ----------------------------------------------------
> ...
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Admin</web-resource-name>
>       <url-pattern>/admin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>        <role-name>admincert</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>     <auth-method>CLIENT-CERT</auth-method>
>   </login-config>
> ...
> ----------------------------------------------------
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
>
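An added example (not code from the thread, from Tomcat or from mod_jk2) for working out what the trace's `lengthTag=89, too big` means: it decodes a DER length the way the JDK's `DerInputStream.getLength()` does and reports whether the forwarded client-certificate bytes are a PEM block (the form Apache's `SSL_CLIENT_CERT` export uses) or raw bytes, so a payload that is not a well-formed certificate can be spotted before Tomcat's handler tries to parse it. The sample inputs are constructed, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos] the way the JDK's
    DerInputStream.getLength() does; returns (length, octets consumed)."""
    first = buf[pos]
    if first & 0x80 == 0:            # short form: the octet is the length
        return first, 1
    length_tag = first & 0x7F        # long form: number of length octets
    if length_tag > 4:               # same limit and wording as the JDK
        raise ValueError(
            f"DerInputStream.getLength(): lengthTag={length_tag}, too big.")
    value = int.from_bytes(buf[pos + 1:pos + 1 + length_tag], "big")
    return value, 1 + length_tag


def diagnose(payload: bytes) -> dict:
    """Report whether the forwarded cert is PEM or raw bytes and whether
    its outer SEQUENCE header parses; mirrors the failure in the trace."""
    m = PEM_RE.search(payload)
    if m:   # Apache's SSL_CLIENT_CERT export is PEM; decode it to DER first
        kind, der = "pem", base64.b64decode(b"".join(m.group(1).split()))
    else:
        kind, der = "raw", payload
    result = {"kind": kind, "first_byte": der[0] if der else None}
    if not der or der[0] != 0x30:    # an X.509 Certificate is a SEQUENCE
        result["error"] = "does not start with a DER SEQUENCE tag (0x30)"
        return result
    try:
        length, used = der_length(der, 1)
    except ValueError as e:
        result["error"] = str(e)
        return result
    result["length"] = length
    result["complete"] = len(der) == 1 + used + length
    return result


# Constructed samples (not real certificates): a SEQUENCE header announcing
# a 266-byte body (0x82 = two length octets follow), and its PEM wrapping.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(0x10A)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# A length octet of 0xD9 announces 89 length octets, reproducing the trace.
BAD_LENGTH = b"\x30\xd9" + bytes(8)
```

Run `diagnose()` on the bytes mod_jk2 actually hands to Tomcat (dumped from the AJP attribute) to see whether they are PEM, raw DER, or something else entirely.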