Re: Connecting Tomcat5.5.9 + Apache2.0.54

2005-05-10 Thread lercoli
I've followed the instructions described in this link
http://jakarta.apache.org/tomcat/connectors-doc/howto/apache.html
and it works.


httpd.conf

..

LoadModule jk_module modules/mod_jk.so

JkWorkersFile D:/Tomcat5.5/conf/workers.properties

JkLogFile D:/Tomcat5.5/logs/mod_jk.log
JkLogLevel info

JkAutoAlias D:/Tomcat5.5/webapps

JkMount /*.jsp worker1
JkMount /*/servlet/* worker1


workers.properties (must be created and placed in the conf directory of
Tomcat)

# Define 1 real worker using ajp13

worker.list=worker1

# Set properties for worker1 (ajp13)

worker.worker1.type=ajp13

worker.worker1.host=localhost

worker.worker1.port=8009

worker.worker1.lbfactor=50

worker.worker1.cachesize=10

worker.worker1.cache_timeout=600

worker.worker1.socket_keepalive=1

worker.worker1.recycle_timeout=300



Finally, uncomment the following line in Tomcat's server.xml:



<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />



I hope it helps you.



Luca Ercoli


- Original Message - 
From: [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Tuesday, May 10, 2005 1:42 PM
Subject: Connecting Tomcat5.5.9 + Apache2.0.54


I had one question regarding connectors with Apache and Tomcat.  I'm
just playing around with configurations on my XP Laptop to get a feel
for Apache.  I have Apache 2.0.54 and Tomcat 5.5.9 installed and both
are running fine.  However, I am stuck with connecting the two so that I
don't have to type in localhost:8080 in my browser and instead use
mod_jk to connect the two.  I have been unable to make Apache 2.0.54
work with Tomcat 5.5.9 using mod_jk
(http://www.reverse.net/pub/apache/jakarta/tomcat-connectors/jk/binaries/win32/jk-1.2.12/
- using the mod_jk-1.2.12-apache-2.0.54.so file instead of DLL).

The only thing different with Tomcat 5.5, as far as I know, is that the
auto-generation of mod_jk.conf using the Listener elements doesn't work
because the class files either don't exist or are in different
locations.  Has anyone found a solution/approach to connect the two?  Is
there anything I should be doing different?  I really appreciate any
help you can provide.

Thanks.


This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information.  If you have
received it in error, please notify the sender immediately and delete the
original.  Any other use of the email by you is prohibited.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
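
The three files in this message have to agree with each other: each JkMount names a worker, that worker must appear in worker.list, and its port must be the AJP Connector port in server.xml. The following Python check is an added example, not part of the original post or of mod_jk; the function names, the constructed sample input and the short attribute list (limited to the names used in this message) are assumptions made for the illustration.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# Attribute names taken from this message only, not mod_jk's full list.
KNOWN = {"type", "host", "port", "lbfactor", "cachesize",
         "cache_timeout", "socket_keepalive", "recycle_timeout"}

def parse_workers(text):
    """Return (names in worker.list, {worker: {attribute: value}})."""
    listed, workers = [], {}
    for line in text.splitlines():
        key, sep, value = (p.strip() for p in line.split("#", 1)[0].partition("="))
        if not sep:
            continue
        if key == "worker.list":
            listed += [w.strip() for w in value.split(",") if w.strip()]
        elif key.startswith("worker.") and key.count(".") >= 2:
            _, name, attr = key.split(".", 2)
            workers.setdefault(name, {})[attr] = value
    return listed, workers

def check(httpd_conf, workers_props, server_xml):
    """Cross-check the three files and return a list of findings."""
    findings = []
    listed, workers = parse_workers(workers_props)
    ajp_ports = {c.get("port") for c in ET.fromstring(server_xml).iter("Connector")
                 if c.get("protocol", "").upper().startswith("AJP")}
    for pattern, worker in re.findall(r"^\s*JkMount\s+(\S+)\s+(\S+)", httpd_conf, re.M):
        if worker not in listed:
            findings.append(f"JkMount {pattern}: '{worker}' is not in worker.list")
    for name in listed:
        attrs = workers.get(name, {})
        for attr in sorted(set(attrs) - KNOWN):
            near = difflib.get_close_matches(attr, sorted(KNOWN), n=1)
            findings.append(f"worker.{name}.{attr}: unknown attribute"
                            + (f" (did you mean {near[0]}?)" if near else ""))
        if attrs.get("type") == "ajp13" and attrs.get("port") not in ajp_ports:
            findings.append(f"worker.{name}: no AJP Connector on port {attrs.get('port')}")
    return findings

# Constructed sample input modelled on the files in this message.
HTTPD = "JkMount /*.jsp worker1\nJkMount /*/servlet/* worker2\n"
WORKERS = ("worker.list=worker1\nworker.worker1.type=ajp13\n"
           "worker.worker1.port=8009\nworker.worker1.reclycle_timeout=300\n")
SERVER = ('<Server><Service name="Catalina"><Connector port="8080"/>'
          '<Connector port="8009" protocol="AJP/1.3"/></Service></Server>')

if __name__ == "__main__":
    print("\n".join(check(HTTPD, WORKERS, SERVER)))
```

The constructed input deliberately contains an unlisted worker and a misspelled attribute, so the check reports two findings.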








Re: Client Authentication

2005-05-03 Thread lercoli
CA and Tomcat common name should be the same (localhost or better your
DNS).
First and Last Name of client should be the name of a Tomcat user declared in
tomcat-users.xml.

Luca Ercoli

- Original Message - 
From: Mahesh S Kudva [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Tuesday, May 03, 2005 1:41 PM
Subject: Re: Client Authentication


 Hi

 What kind of information do I need to put in the fields of First and Last
 name and Common name? Will any information do, or is it required that I
 put the server address in the client.p12 certificate?

 Regards & Thanks

 Mahesh S Kudva


 -Original Message-
 From: Mahesh S Kudva [EMAIL PROTECTED]
 To: Tomcat Users List tomcat-user@jakarta.apache.org
 Date: Mon, 02 May 2005 23:04:50 +0530
 Subject: Re: Client Authentication

  Hi

  I tried with client.p12 first, when I failed I went on with
  client_cert.x509. I placed it in the personal folder ...

  Regards & Thanks

  Mahesh S Kudva
 
 



Re: Client Authentication

2005-05-02 Thread lercoli
You should import only client.p12 certificate in IE browser and
when IE asks you in which folder you want to put it select Personal Folder.

I hope it helps you.

Luca Ercoli


- Original Message - 
From: Mahesh S Kudva [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Monday, May 02, 2005 5:08 PM
Subject: Client Authentication


 Dear All

 I've been able to set up Tomcat 5.0.30 successfully on port 8443. I want to
 use client authentication. Hence I've enabled clientAuth=true in
 server.xml.

 Running on Mac OS X, these were the commands to create a CA and sign a
 certificate using this CA.

 Creating a new CA:
 1) perl CA.pl -newca

 Certificate request using openssl:
 1) perl CA.pl -newreq
 2) perl CA.pl -sign
 3) mv newreq.pem client_req.pem
 4) mv newcert.pem client_cert.pem
 5) openssl rsa < client_req.pem > client_key.pem
 6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12

 For Tomcat using Java keytool to request certificate:
 1) openssl x509 -in server_cert.pem -out server.x509
 2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
 3) keytool -genkey -alias meAsClient -storepass changeit
 4) keytool -certreq -alias measclient -file client.csr -storepass changeit
 5) openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER -out client_cert.x509 -CAcreateserial
 6) keytool -import -alias butterflyCA -keystore /Syst.. ..urity/cacerts -file ../CA/demoCA/cacert.pem
 7) keytool -import -alias measclient -keystore clientstore -trustcacerts -file client_cert.x509


 Following these commands I don't get any errors. I then import the
 cacert.pem, the ROOT CA certificate and the client.p12 and
 client_cert.x509 to the browser I.E 6.0. But still there is a popup
 requesting for the client's identity and it asks me to select a
 certificate and no certificates are displayed.

 How can I go about this?


 All suggestions and ideas are welcome.



 Regards & Thanks

 Mahesh S Kudva






Tomcat SSL Client Authentication

2005-04-27 Thread lercoli
Hello

I've configured Tomcat SSL Client Authentication with these settings:

web.xml

...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
...

server.xml

...
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
           truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
...

Client certificate (client.cer) is installed in my IE Browser (version 6.0.28).

When I invoke https://localhost:8443/myweapp a window appears that asks me to
accept the server certificate.

I accept and my webapp index page appears.

So why don't I see a window for client authentication?

And why do I have the same behaviour also when I remove the client.cer from my
browser?

It seems that client-certification doesn't work.



Any help would be greatly appreciated.



Thank You



Luca Ercoli
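
Whether Tomcat asks for a client certificate depends on both files posted above: with clientAuth set to false the Connector asks only when a request reaches a resource that a security constraint protects with CLIENT-CERT authentication, and a security-constraint holding only a user-data-constraint requires no login at all. The following Python sketch is an added example, not part of the original post or of Tomcat; the function names and the constructed sample input are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

def _find(root, name):
    # Match by local name so web.xml works with or without a namespace.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def client_cert_mode(server_xml, web_xml):
    """Map each HTTPS Connector port to when a client certificate is requested.
    handshake: clientAuth is true or want, asked during the TLS handshake
    on-demand: clientAuth=false, asked when a URL covered by an
               <auth-constraint> is requested under CLIENT-CERT
    never:     clientAuth=false and web.xml requires no login anywhere
    """
    web = ET.fromstring(web_xml)
    cert_login = any((e.text or "").strip() == "CLIENT-CERT"
                     for e in _find(web, "auth-method"))
    needs_login = any(_find(c, "auth-constraint")
                      for c in _find(web, "security-constraint"))
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https":
            continue
        if conn.get("clientAuth", "false").lower() in ("true", "want"):
            mode = "handshake"
        elif cert_login and needs_login:
            mode = "on-demand"
        else:
            mode = "never"
        result[conn.get("port")] = mode
    return result

# Constructed sample input modelled on the configuration in this message.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    print(client_cert_mode(SERVER_XML, WEB_XML))
```

For the constructed input the result is "never" for port 8443, which matches the behaviour reported in this message: the page loads whether or not a client certificate is installed.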


Re: Tomcat SSL Client Authentication

2005-04-27 Thread lercoli
Hi Jim

I've tried with clientAuth = true but server certificate window doesn't
appear and I get page not found error.

- Original Message - 
From: ohaya [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 12:49 PM
Subject: Re: Tomcat SSL Client Authentication


 Hi,

 I believe that the clientAuth needs to be set to true in the
 server.xml.

 Jim





Re: Tomcat SSL Client Authentication

2005-04-27 Thread lercoli
Tomcat version 5.5.9 (JDK 1.5.0_02 and Windows 2000 Professional).

Client certificate username is a tomcat user (with which I've already
successfully tested in DIGEST authentication).

The strange thing is that when I set clientAuth to true I never see the
alert window of the server certificate
(while instead it appears with clientAuth = false).

- Original Message - 
From: Darryl Wilburn [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 3:55 PM
Subject: Re: Tomcat SSL Client Authentication


 What version of TC?  I've read something about
 configuring the HTTPS connector to perform SSL client
 certificate authorization.  I agree with Jim, in
 server.xml, the clientAuth should be set to true.
 That is the correct setting, if you get a page not
 found, that doesn't mean the cert didn't work...
 Also, the name on the client cert must be exactly the
 same as the one in the user database.  I've also read
 that you don't need any security-constraints to use
 the CLIENT-CERT unless you're also using a separate
 Realm.

 DW
