tomcat-users mailing list archives

From Josué Alcalde González <jalca...@csa.es>
Subject Re: Apache2 + tomcat6 + SSL with client certificate
Date Fri, 05 Oct 2007 08:33:56 GMT
Finally, by debugging with trial and error, I have got the correct
configuration.

------------------------------------------------------
<VirtualHost *:443>
        ServerAdmin jalcalde@csa.es
        ServerSignature On

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        SSLVerifyClient optional_no_ca
        SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLOptions  +ExportCertData +StdEnvVars

        JkExtractSSL On
        JkMount /ovt ajp13_worker
        JkMount /ovt/* ajp13_worker
</VirtualHost>
--------------------------------------------------------

And then, these attributes are available in the request:
"javax.servlet.request.X509Certificate"
"javax.servlet.request.ssl_session"
"javax.servlet.request.cipher_suite"

For example:

request.getAttribute("javax.servlet.request.cipher_suite");

Hope it helps.


On Fri, 05-10-2007 at 09:08 +0200, Josué Alcalde González wrote:
> Hello.
> 
> I would like to get some advice about a new application I am developing.
> 
> It needs SSL with client certificate and it will be written in java and
> deployed in Tomcat 6 with java 6.
> 
> The server will be shared with other applications in java, php and
> perhaps other.
> 
> Now, it is an Ubuntu 6.06 server with an Apache 2.0 installation, a Tomcat
> 6.0 and a mod_jk 1.2.14.
> 
> There are some applications written in PHP and a Java application. The
> java application is served by apache using mod_jk. It uses SSL but it
> doesn't need client certificate. SSL is only configured in Apache.
> Tomcat 6 uses normal connections (8080, 8009) which are closed.
> 
> This works perfectly but my next application will need client auth using
> an X509Certificate and I need a way to get it in my Servlets.
> 
> I have read some documentation on Google and I have tried it.
> 
> First, I configured a Virtual Host with Apache
> 
> ---------------------------------------------------------
> <VirtualHost *:443>
>         ServerAdmin jalcalde@csa.es
>         ServerSignature On
> 
>         SSLEngine On
>         SSLCertificateFile /etc/apache2/ssl/apache.pem
>         SSLVerifyClient optional_no_ca
> 
>         JkExtractSSL On
>         JkMount /ovt ajp13_worker
>         JkMount /ovt/* ajp13_worker
> </VirtualHost>
> ---------------------------------------------------------
> 
> Then, I made a Servlet to try it:
> 
> -----------------------------------------------------------
> // needs: import java.security.cert.X509Certificate;
> // (these javax.net.ssl.* attribute names are not the standard
> // javax.servlet.request.* names, which is why they come back null)
> 
> // Display the cipher suite in use
> String cipherSuite = (String) request.getAttribute("javax.net.ssl.cipher_suite");
> out.println("Cipher Suite: " + cipherSuite);
> 
> // Display the client's certificates, if there are any
> if (cipherSuite != null) {
>   X509Certificate certChain[] = (X509Certificate[])
>       request.getAttribute("javax.net.ssl.peer_certificates");
>   if (certChain != null) {
>     for (int i = 0; i < certChain.length; i++) {
>       out.println("Client Certificate [" + i + "] = " + certChain[i].toString());
>     }
>   }
> }
> -----------------------------------------------------------
> 
> And it didn't work. CipherSuite is always null.
> 
> I haven't configured anything in tomcat. As I have read, it should work
> but it is obvious I am missing something.
> 
> I would like to manage SSL with Apache better than using java keystores,
> if it is possible. 
> 
> Also, I would like to have an application which does not need apache to
> work and which works perfectly in tomcat standalone.
> 
> 
-- 
_______________________________________________
Josué Alcalde González
jalcalde@csa.es
Dpto. Desarrollo

CSA - Centro Regional de Servicios Avanzados
C/ López Bravo, 1
Pol. Ind. Villalonquéjar (Burgos)

Tel. (+34) 947 256 250
Fax. (+34) 947 256 583

Web: http://www.csa.es
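As an added example that is not part of the original thread: a servlet filter for the working setup above, which reads the certificate that mod_jk forwards (it only arrives when SSLOptions +ExportCertData is set, as in the final configuration) and, because SSLVerifyClient optional_no_ca means Apache does not check the chain, validates it against the issuing CA inside the application. The class name and the CA file location /WEB-INF/client-ca.crt are assumptions, and a single-level hierarchy (leaf signed directly by that CA) is assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the thread). With JkExtractSSL On and
// SSLOptions +ExportCertData, Tomcat exposes the forwarded certificate under
// the standard servlet attribute; optional_no_ca means Apache did not verify it.
public class ClientCertFilter implements Filter {
    private X509Certificate trustedCa;

    public void init(FilterConfig cfg) throws ServletException {
        // Assumed location of the issuing CA certificate (DER or PEM).
        InputStream in = cfg.getServletContext().getResourceAsStream("/WEB-INF/client-ca.crt");
        try {
            trustedCa = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (CertificateException e) {
            throw new ServletException("cannot load client CA certificate", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            // optional_no_ca lets clients through without a certificate; refuse them here
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            certs[0].checkValidity();                  // not expired, not yet valid
            certs[0].verify(trustedCa.getPublicKey()); // signed directly by the CA we trust
        } catch (GeneralSecurityException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate rejected");
            return;
        }
        // Hand the authenticated subject DN to the servlets behind this filter
        req.setAttribute("clientCertSubject", certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

The SSLCipherSuite line in the working configuration still admits eNULL, EXP, LOW and SSLv2 suites, which a filter like this cannot compensate for; a stricter cipher list belongs in the Apache configuration itself.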



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

