tomcat-users mailing list archives

From Duccio Fallani <duccio.fall...@tin.it>
Subject apache2 + ssl + tomcat4.1.24 + mod_jk2
Date Thu, 15 May 2003 14:35:26 GMT
hi all,

When I use https with Apache2 client authentication, all is OK,
but if I add CLIENT-CERT authentication on Tomcat I get this
error (from catalina.out):

May 15, 2003 1:28:12 PM org.apache.jk.server.JkCoyoteHandler action
SEVERE: Certificate convertion failed
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=89, too big.
         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:287)
         at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)
         at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
         at org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
         at org.apache.coyote.Response.action(Response.java:222)
         at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)
         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
         at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
         at java.lang.Thread.run(Thread.java:536)
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=89, too big.
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:513)
         at sun.security.util.DerInputStream.getLength(DerInputStream.java:487)
         at sun.security.util.DerValue.<init>(DerValue.java:233)
         at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:369)
         at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1568)
         at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:284)
         ... 13 more

It seems that Coyote can't import the certificate from mod_jk2 because of an
invalid format...

Any ideas?

thanks....


My configuration is:

httpd.conf
----------------------------------------------------
<VirtualHost ....>
...
     LogLevel debug

     SSLEngine on
     SSLCertificateFile /usr/local/apache2/conf/ssl.crt/aaaa.pem
     SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/aaaa.decrypt
     SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/cacert.pem
     SSLVerifyDepth 5
     SSLProtocol +SSLv3 +TLSv1
     SSLCipherSuite ALL:!MD5:!DES:!ADH:!DSS:!EXP
     SSLOptions +FakeBasicAuth +ExportCertData +OptRenegotiate

     <Location "/admin">
         SSLVerifyClient require
         SSLRequireSSL
         AuthName           "SSL Authentication"
         AuthType           Basic
         AuthUserFile       /usr/local/apache2/conf/httpd.passwd
         require            valid-user
     </Location>

</VirtualHost>
----------------------------------------------------

worker2.properties
----------------------------------------------------
...

# define the worker
[ajp13:localhost:8009]
channel=channel.socket:localhost:8009

# Uri mapping
[uri:collabdev.bitlab.net/*.jsp]
worker=ajp13:localhost:8009
----------------------------------------------------


server.xml
----------------------------------------------------
...
     <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8009" minProcessors="5" maxProcessors="75"
                enableLookups="true" redirectPort="8443"
                acceptCount="10" debug="1" connectionTimeout="0"
                useURIValidationHack="false"
                protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler">
     </Connector>
...
----------------------------------------------------

web.xml
----------------------------------------------------
...
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Admin</web-resource-name>
       <url-pattern>/admin/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>admincert</role-name>
     </auth-constraint>
   </security-constraint>

   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
   </login-config>
...
----------------------------------------------------
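An added diagnostic for the failure mode in the trace above; this is not code from the original post, from Tomcat or from mod_jk2. It mirrors the DER length sanity check that raised "lengthTag=89, too big" (a long-form length byte claiming 89 length bytes) and reports whether a captured certificate blob is well-formed DER, PEM text, or neither. The sample blobs are constructed; the checker says only what the parser sees, not why the connector handed it over in that form.

```python
import re

# PEM armour as mod_ssl exports it; the body may or may not keep its line breaks.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def der_length(buf, pos):
    """Decode a DER length at buf[pos], mirroring the JDK check that produced
    the error in the trace. Returns (length, position of the value bytes)."""
    first = buf[pos]
    if first & 0x80 == 0:            # short form: one byte holds the length
        return first, pos + 1
    n = first & 0x7F                 # long form: n following bytes hold the length
    if n == 0:
        return -1, pos + 1           # indefinite length, never valid in DER
    if n > 4:                        # no real certificate needs >4 length bytes
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_cert_blob(blob):
    """Return a one-line diagnosis of what a certificate parser was given."""
    if not blob:
        return "empty"
    m = PEM_RE.search(blob)
    if m:
        body = m.group(1)
        # A base64 body longer than one 64-char line but with no newline
        # means the armour survived but the line structure did not.
        if b"\n" not in body and len(body) > 64:
            return "PEM, line breaks lost"
        return "PEM, intact"
    if blob[0] != 0x30:              # every X.509 certificate is a SEQUENCE
        return f"not DER: first byte 0x{blob[0]:02x} is not SEQUENCE"
    try:
        length, body_start = der_length(blob, 1)
    except ValueError as e:
        return f"not DER: {e}"
    if length < 0 or body_start + length != len(blob):
        return f"DER header claims {length} bytes, blob has {len(blob) - body_start}"
    return f"DER, {length}-byte SEQUENCE"


if __name__ == "__main__":
    # Constructed samples: a DER header with a 266-byte body, a blob whose
    # length byte is 0xD9 (lengthTag 89, as in the trace), and PEM text.
    samples = {
        "good DER": b"\x30\x82\x01\x0a" + b"\x00" * 266,
        "bad length byte": b"\x30\xd9" + b"\x00" * 8,
        "PEM": b"-----BEGIN CERTIFICATE-----\nMIIB\nAAAA\n-----END CERTIFICATE-----\n",
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_cert_blob(blob)}")
```

Feed it the exact bytes the connector received (for example dumped from a debug log) rather than a re-typed copy, since the point is to see whether a mangling step happened in transit.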

