From "Rafael Rossetto" <waterh...@ig.com.br>
Subject Problem with Apache mod_jk + Tomcat/Jboss + Client Certificate Chain
Date Fri, 01 Feb 2008 17:17:43 GMT
Hi,

    I am trying to set up an Apache + mod_jk in front of my JBoss (using
Tomcat), to handle the http/https connections, in order to be able to
cluster JBoss. Everything works fine except when I try to validate the
client certificate in my application: I don't get the full Certificate
Chain. Accessing the JBoss directly with the https connector, it works.

   I am trying to use the following code, to figure out what is happening:
  // Tomcat exposes the forwarded client chain under this standard servlet attribute
  X509Certificate cert[] =
      (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
  if (cert != null) {
      log.info("Número de Certificados = " + cert.length);
      for (int i = 0; i < cert.length; i++) {
          log.info(i + " - " + cert[i].getSubjectDN().getName());
      }
  } else {
      log.info("Certificado é nulo!");
  }

   The log is the following:

 #consignacao# INFO  [AppUsuarioPerfilService] Número de Certificados = 1 12:14:57,851 [TP-Processor3]
 #consignacao# INFO  [AppUsuarioPerfilService] 0 - CN=XXXXXXX:NNNNN, OU=Analista Judiciario, OU=TRT9, OU=Cert-JUS Institucional - A3, OU=Autoridade Certificadora da Justica - AC-JUS, O=ICP-Brasil, C=BR 12:14:57,852 [TP-Processor3]

    So instead of the full cert chain (it should have 3 certs), I get only
the client cert (only 1 cert).

    I'm using the JkOptions +ForwardSSLCertChain in httpd.conf. In
ssl.conf I also use SSLVerifyClient require (I tried optional and
optional_no_ca too), so the client certificate validation in Apache seems
all right to me. And the SSLOptions is SSLOptions +StdEnvVars
+ExportCertData.

    I am using RHEL5 + jboss-4.2.1.GA + httpd-2.2.3-6.el5 +
tomcat-connectors-1.2.26-src (mod_jk). I also tried to use the latest
RHEL5 + httpd (2.2.8) compiled + tomcat (6.0.14) +
tomcat-connectors-1.2.26-src (mod_jk) in another environment, and got
the same results.

    I could just leave the CA validation to Apache, and validate just
the client cert ID in the application, but I already have the error
code in the application, so if I could get the whole cert chain I
would prefer that.

   Does anyone know what I am doing wrong?

Thx,
Rafael

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
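For anyone reading this thread later, here is an added example (not Rafael's code, and not code from Tomcat or mod_jk) of what the application side can do with whatever chain arrives under the servlet attribute the post uses: log subject and issuer of every certificate so a truncated chain is obvious, and validate the chain with the JDK's PKIX CertPathValidator against a local truststore. The truststore path and password are assumptions for this example; a chain containing only the leaf, the situation described in the post, is reported separately from a chain that is present but fails validation.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (not from the original post): inspects the client chain that
 * Tomcat publishes under the standard servlet attribute and validates it with
 * a PKIX CertPathValidator against the CAs held in a local truststore.
 */
public class ClientCertChainCheck {

    /** Attribute name defined by the servlet spec for the forwarded client chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Outcome of inspecting the forwarded chain. */
    public enum Result { NO_CERT, LEAF_ONLY, CHAIN_INVALID, CHAIN_VALID }

    /** Loads a JKS truststore of trusted CA certificates (path and password are assumed values). */
    public static KeyStore loadTrustStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** One line per certificate (position, subject, issuer) so a truncated chain shows up in the log. */
    public static String describeChain(X509Certificate[] chain) {
        StringBuilder sb = new StringBuilder("certificates=").append(chain.length);
        for (int i = 0; i < chain.length; i++) {
            sb.append('\n').append(i)
              .append(" - subject: ").append(chain[i].getSubjectX500Principal().getName())
              .append(" | issuer: ").append(chain[i].getIssuerX500Principal().getName());
        }
        // A chain whose last certificate is self-issued reached a root; otherwise it was cut short.
        X509Certificate last = chain[chain.length - 1];
        boolean endsAtRoot = last.getSubjectX500Principal().equals(last.getIssuerX500Principal());
        return sb.append("\nends at a self-issued (root) certificate: ").append(endsAtRoot).toString();
    }

    /**
     * Validates the chain against the trust anchors in trustStore. When only the leaf
     * is present, validation can succeed only if the leaf's issuer is itself a trust
     * anchor; a leaf signed by an intermediate that did not arrive is reported as LEAF_ONLY.
     */
    public static Result validate(X509Certificate[] chain, KeyStore trustStore)
            throws GeneralSecurityException {
        if (chain == null || chain.length == 0) {
            return Result.NO_CERT;
        }
        // Drop a trailing self-issued root: the anchor must come from our truststore, not from the peer.
        int n = chain.length;
        if (n > 1) {
            X509Certificate last = chain[n - 1];
            if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                n--;
            }
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain).subList(0, n));
        PKIXParameters params = new PKIXParameters(trustStore);
        // Revocation (CRL/OCSP) is switched off so the example runs offline; enable it in production.
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return Result.CHAIN_VALID;
        } catch (CertPathValidatorException e) {
            return chain.length == 1 ? Result.LEAF_ONLY : Result.CHAIN_INVALID;
        }
    }

    /** Servlet-side entry point: pulls the chain off the request, logs its shape and validates it. */
    public static Result checkRequest(HttpServletRequest request, KeyStore trustStore)
            throws GeneralSecurityException {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            return Result.NO_CERT;
        }
        System.out.println(describeChain(chain)); // use the application's logger in practice
        return validate(chain, trustStore);
    }
}
```

With the output from the post (one certificate whose issuer is an intermediate CA, not a root), describeChain reports that the chain does not end at a self-issued certificate and validate returns LEAF_ONLY unless that intermediate has itself been imported into the truststore as a trusted entry.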

