tomcat-users mailing list archives

From Simon.Tem...@saaconsultants.com
Subject Re: No X509Certificate Attribute In IIS Redirected Request
Date Wed, 27 Jun 2007 13:10:42 GMT

Hi

Here is an update on my progress with this problem.

Using IIS V6.0 with JK 1.2.23 and Tomcat 6.0.13, I can confirm my servlet
can now receive an X509Certificate attribute!

I had two configuration problems:

1.  I had not enabled the "Require client certificate" flag on the IIS folder I
was using - the previous setting of "Accept client certificate" does not
forward an X509Certificate.

2.  I had not been using the Local Computer certificate store from the
Windows MMC certificate snap-in - so I had been adding my Trusted Root Cert
to the wrong store.

I used a tool from Microsoft called SSLDiag to diagnose the second of my
problems.

I hope this is useful... if only to state that this is NOT a problem with
JK1.2 or Tomcat 6


Thanks to all who commented


- Simon T



Subject: Re: No X509Certificate Attribute In IIS Redirected Request

Hi Simon,

      Have you figured out the problem yet? I am very interested to know.

Thanks

> On Thu, 2007-06-21 at 16:02 +0100, Simon.Temple@saaconsultants.com
> wrote:
> > OK
> >
> > I enabled JK1 debug level logging and can see that IIS6 *is* relaying the
> > client authenticated SSL details in the AJP stream.
> >
> > I see attributes called:
> >
> >     CERT_ISSUER
> >     CERT_SUBJECT
> >     CERT_COOKIE
> >     HTTPS_SERVER_SUBJECT
> >     CERT_FLAGS
> >     HTTPS_SECRETKEYSIZE
> >     CERT_SERIALNUMBER
> >     HTTPS_SERVER_ISSUER
> >     HTTPS_KEYSIZE
> >
> > JK1 appears to ignore them!
> >
> > So is this a defect in JK 1.2.23 or something I need to 'switch-on'?
> >
> >
> > - Simon Temple
> >
> >
> >
> > 21 June 2007 15:38
> > To: users@tomcat.apache.org
> > cc:
> > From: Simon.Temple@saaconsultants.com
> > Subject: No X509Certificate Attribute In IIS Redirected Request
> >
> >
> >
> > Hi,
> >
> > I'm using:
> >
> >     IIS V6.0
> >     JK 1.2.23
> >     Tomcat 6.0.13
> >
> > No X509Certificate attribute is present in the request header received by
> > my servlet when using Client Authenticated SSL with IIS6 and JK1.
> >
> > If I use Apache 2.2 with the mod_proxy modules it works fine.
> >
> > Is this a bug?  If so, in what... IIS or JK1?
> >
> > Does anyone know of a workaround?  Will JK2 fix my problem?
> >
> > My customer must use IIS... so replacing with Apache is not an option. :-(
> >
> >
> > TIA
> >
> >
> > Simon Temple
> >
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org





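Added example, not part of the original thread and not code from the Tomcat or JK projects: a servlet filter that fails closed when the front end forwards no client certificate, which is the symptom described above when IIS is set to "Accept" rather than "Require" client certificates. The class name RequireClientCertFilter is hypothetical; it assumes the Servlet 2.5 API shipped with Tomcat 6 and the standard request attribute javax.servlet.request.X509Certificate.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; map it in web.xml to the paths that must be client-authenticated.
public class RequireClientCertFilter implements Filter {
    // Servlet-spec attribute holding the client certificate chain (leaf first).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private FilterConfig config;

    public void init(FilterConfig config) { this.config = config; }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        Object attr = req.getAttribute(CERT_ATTR);
        // Attribute absent or empty: the web server did not relay a certificate.
        // Refuse the request instead of treating the caller as authenticated.
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            config.getServletContext().log("No client certificate forwarded for this request");
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        X509Certificate leaf = ((X509Certificate[]) attr)[0];
        try {
            leaf.checkValidity(); // defence in depth: reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        // Record who authenticated so a misconfigured front end shows up in the logs.
        config.getServletContext().log("Client cert subject=" + leaf.getSubjectX500Principal().getName()
                + " issuer=" + leaf.getIssuerX500Principal().getName()
                + " serial=" + leaf.getSerialNumber().toString(16));
        chain.doFilter(req, res);
    }
}
```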