Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the Tomcat ships-with Realms). There are patches for JNDIRealm and JDBCRealm floating around in Bugzilla that should be fine if you are using Sun's JVM. (The Sun dependencies are basically why they are still floating :). Once you have enabled MemoryRealm (and, for version 4.1.29, disabled the default DataSource), the 'username' in tomcat-users.xml is the cert's DN (aka Subject). The password can be anything you want (it is ignored for CLIENT-CERT auth).

- Original Message -
From: Michael Jeffrey Tucker [EMAIL PROTECTED]
To: Bill Barker [EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 8:55 PM
Subject: Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool

> Hi Bill,
>
> Do you know of a similar howto for client authentication with ssl? I've had nothing but trouble getting a system with self-signed keys up and running. I found a post in the archives about signing your own keys, which suggests that is an OK thing to do, and I've found posts by people who have client-side authentication up. But I haven't been able to combine the two.
>
> Also, I've been doing all my debugging on the client-side with the command line version of OpenSSL -- I'd like to look at what JSSE has to say (because the catalina logs are only showing incoming connections between assigned and awaited, no more details). Are there any howtos that describe the logging process in more detail that might be worth looking at?
>
> Thanks,
> Mike
>
> On Tue, 11 Nov 2003, Bill Barker wrote:
>
> > The Tomcat 5 ssl-howto contains an example of how to do this. It works with Tomcat 4.1.x as well. Long-story-short, it works by combining the private-key and the cert. JSSE can use the resulting pkcs12 file as a keystore.
> >
> > Scott Kelley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> >
> > > Hi,
> > >
> > > I have an Apache+mod_ssl+Tomcat configuration that's been working fine for several years. I have an SSL certificate from Verisign, and my httpd.conf file contains:
> > >
> > >     SSLCertificateFile /path/to/server.crt
> > >     SSLCertificateKeyFile /path/to/server.key
> > >
> > > The private key is unencrypted so that the server can restart automatically.
> > >
> > > Now I'd like to use the same certificate and private key in a Tomcat-only configuration, but I can't quite figure out how to get these two pieces of information into keytool for tomcat to use!
> > >
> > > It's easy enough to import the certificate:
> > >
> > >     keytool -import -alias tomcat -file /path/to/server.crt
> > >
> > > but I know that the private key needs to be in the keystore too, and I haven't been able to figure out how to get it in there! Simply trying to import it:
> > >
> > >     keytool -import -alias tomcat -file /path/to/server.key
> > >
> > > gives me the message:
> > >
> > >     keytool error: java.lang.Exception: Input not an X.509 certificate
> > >
> > > which doesn't really surprise me because the private key is not an X.509 certificate! But how can I tell keytool about my private key? Can I do this? If so, how? Can I do it with just keytool? Do I need to use openssl to tweak something?
> > >
> > > I saw some comments in the httpd.conf file (comments added by mod_ssl) that suggest the certificate and the private key can be combined somehow. Is this what I need to do? If so, how do I do this?
> > >
> > > Or do I have to toss my old keys and generate a new CSR with keytool? The Tomcat tutorial on how to do that seems reasonably straightforward. But I would much prefer to use my existing key and certificate!
> > >
> > > I actually tried this for the first time two years ago. After trying everything I could think of, and posting to tomcat-user and getting no replies, I gave up and left things the way they were. Now, two years later, I *still* can't figure out, or find a recipe, to explain how to migrate from an Apache/mod_ssl/Tomcat configuration to a plain Tomcat configuration!
> > >
> > > Thanks for any help.
> > >
> > > Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail.
Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
Hi,

Thanks for your help. I was wondering if anyone has any suggestions for the following problem: I would like Tomcat to accept any SSL connection where it recognizes the CA for the client certificate and then provide my webapp access to this certificate. It turns out that I don't think I want to use the CLIENT-CERT auth.

My current setup seems to handle the first part -- I have clientAuth set to true in my server.xml's SSLServerSocketFactory configuration and I have removed the security constraints from my app's web.xml. When I point a browser at the site/ssl port, I am prompted for my client certificate. So far, so good!

The problem is that I am not sure how to get access to the certificate from JSP. I have looked into the methods that are provided by the HttpServletRequest interface, but getAuthType(), getRemoteUser(), and getUserPrincipal() all return NULL. I guess this makes sense because the SSL certificate is not being used for app-specific security enforcement, but I know that the certificate must be floating around there somewhere. Are there any other request-related objects that my JSP code can access that would give me access to the cert?

Any pointers would be greatly appreciated!

Thanks,
Mike

On Tue, 11 Nov 2003, Bill Barker wrote:

> At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the Tomcat ships-with Realms). There are patches for JNDIRealm and JDBCRealm floating around in Bugzilla that should be fine if you are using Sun's JVM. (The Sun dependencies are basically why they are still floating :). Once you have enabled MemoryRealm (and, for version 4.1.29, disabled the default DataSource), the 'username' in tomcat-users.xml is the cert's DN (aka Subject). The password can be anything you want (it is ignored for CLIENT-CERT auth).
>
> - Original Message -
> From: Michael Jeffrey Tucker [EMAIL PROTECTED]
> To: Bill Barker [EMAIL PROTECTED]
> Sent: Tuesday, November 11, 2003 8:55 PM
> Subject: Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
>
> > Hi Bill,
> >
> > Do you know of a similar howto for client authentication with ssl? I've had nothing but trouble getting a system with self-signed keys up and running. I found a post in the archives about signing your own keys, which suggests that is an OK thing to do, and I've found posts by people who have client-side authentication up. But I haven't been able to combine the two.
> >
> > Also, I've been doing all my debugging on the client-side with the command line version of OpenSSL -- I'd like to look at what JSSE has to say (because the catalina logs are only showing incoming connections between assigned and awaited, no more details). Are there any howtos that describe the logging process in more detail that might be worth looking at?
> >
> > Thanks,
> > Mike
> >
> > On Tue, 11 Nov 2003, Bill Barker wrote:
> >
> > > The Tomcat 5 ssl-howto contains an example of how to do this. It works with Tomcat 4.1.x as well. Long-story-short, it works by combining the private-key and the cert. JSSE can use the resulting pkcs12 file as a keystore.
> > >
> > > Scott Kelley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > >
> > > > Hi,
> > > >
> > > > I have an Apache+mod_ssl+Tomcat configuration that's been working fine for several years. I have an SSL certificate from Verisign, and my httpd.conf file contains:
> > > >
> > > >     SSLCertificateFile /path/to/server.crt
> > > >     SSLCertificateKeyFile /path/to/server.key
> > > >
> > > > The private key is unencrypted so that the server can restart automatically.
> > > >
> > > > Now I'd like to use the same certificate and private key in a Tomcat-only configuration, but I can't quite figure out how to get these two pieces of information into keytool for tomcat to use!
> > > >
> > > > It's easy enough to import the certificate:
> > > >
> > > >     keytool -import -alias tomcat -file /path/to/server.crt
> > > >
> > > > but I know that the private key needs to be in the keystore too, and I haven't been able to figure out how to get it in there! Simply trying to import it:
> > > >
> > > >     keytool -import -alias tomcat -file /path/to/server.key
> > > >
> > > > gives me the message:
> > > >
> > > >     keytool error: java.lang.Exception: Input not an X.509 certificate
> > > >
> > > > which doesn't really surprise me because the private key is not an X.509 certificate! But how can I tell keytool about my private key? Can I do this? If so, how? Can I do it with just keytool? Do I need to use openssl to tweak something?
> > > >
> > > > I saw some comments in the httpd.conf file (comments added by mod_ssl) that suggest the certificate and the private key can be combined somehow. Is this what I need to do? If so, how do I do this?
> > > >
> > > > Or do I have to toss my old keys and generate a new CSR with keytool? The Tomcat tutorial on how to do that seems reasonably straightforward. But I would much prefer to use my existing key and certificate! I
Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
Hi,

Some more digging revealed that what I have done so far is what is/was intended. Back in 2000, Craig McClanahan wrote that:

    If all you want to do is make sure the client has a valid certificate, you don't need to use a security constraint at all -- just set the clientAuth property on the Connector to true, and no requests will be accepted without a certificate. On the other hand, if you want to use security constraints in addition, you will need to define the user (and associated roles) in your Realm, just as you would for any other login method.

All I want Tomcat to do is make sure that the client has a valid certificate. But I also want this certificate to be accessible to my webapps. There doesn't seem to be any discussion of how the authentication information flows from the initial SSL connection to the JSP request object. Is there any such information flow without security constraints? Or am I approaching this all wrong?

Thanks again,
Mike

On Wed, 12 Nov 2003, Michael Jeffrey Tucker wrote:

> Hi,
>
> Thanks for your help. I was wondering if anyone has any suggestions for the following problem: I would like Tomcat to accept any SSL connection where it recognizes the CA for the client certificate and then provide my webapp access to this certificate. It turns out that I don't think I want to use the CLIENT-CERT auth.
>
> My current setup seems to handle the first part -- I have clientAuth set to true in my server.xml's SSLServerSocketFactory configuration and I have removed the security constraints from my app's web.xml. When I point a browser at the site/ssl port, I am prompted for my client certificate. So far, so good!
>
> The problem is that I am not sure how to get access to the certificate from JSP. I have looked into the methods that are provided by the HttpServletRequest interface, but getAuthType(), getRemoteUser(), and getUserPrincipal() all return NULL. I guess this makes sense because the SSL certificate is not being used for app-specific security enforcement, but I know that the certificate must be floating around there somewhere. Are there any other request-related objects that my JSP code can access that would give me access to the cert?
>
> Any pointers would be greatly appreciated!
>
> Thanks,
> Mike
>
> On Tue, 11 Nov 2003, Bill Barker wrote:
>
> > At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the Tomcat ships-with Realms). There are patches for JNDIRealm and JDBCRealm floating around in Bugzilla that should be fine if you are using Sun's JVM. (The Sun dependencies are basically why they are still floating :). Once you have enabled MemoryRealm (and, for version 4.1.29, disabled the default DataSource), the 'username' in tomcat-users.xml is the cert's DN (aka Subject). The password can be anything you want (it is ignored for CLIENT-CERT auth).
> >
> > - Original Message -
> > From: Michael Jeffrey Tucker [EMAIL PROTECTED]
> > To: Bill Barker [EMAIL PROTECTED]
> > Sent: Tuesday, November 11, 2003 8:55 PM
> > Subject: Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
> >
> > > Hi Bill,
> > >
> > > Do you know of a similar howto for client authentication with ssl? I've had nothing but trouble getting a system with self-signed keys up and running. I found a post in the archives about signing your own keys, which suggests that is an OK thing to do, and I've found posts by people who have client-side authentication up. But I haven't been able to combine the two.
> > >
> > > Also, I've been doing all my debugging on the client-side with the command line version of OpenSSL -- I'd like to look at what JSSE has to say (because the catalina logs are only showing incoming connections between assigned and awaited, no more details). Are there any howtos that describe the logging process in more detail that might be worth looking at?
> > >
> > > Thanks,
> > > Mike
> > >
> > > On Tue, 11 Nov 2003, Bill Barker wrote:
> > >
> > > > The Tomcat 5 ssl-howto contains an example of how to do this. It works with Tomcat 4.1.x as well. Long-story-short, it works by combining the private-key and the cert. JSSE can use the resulting pkcs12 file as a keystore.
> > > >
> > > > Scott Kelley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > >
> > > > > Hi,
> > > > >
> > > > > I have an Apache+mod_ssl+Tomcat configuration that's been working fine for several years. I have an SSL certificate from Verisign, and my httpd.conf file contains:
> > > > >
> > > > >     SSLCertificateFile /path/to/server.crt
> > > > >     SSLCertificateKeyFile /path/to/server.key
> > > > >
> > > > > The private key is unencrypted so that the server can restart automatically.
> > > > >
> > > > > Now I'd like to use the same certificate and private key in a Tomcat-only configuration, but I can't quite figure out how to get these two pieces of information into keytool for tomcat to use!
> > > > >
> > > > > It's easy enough to import the certificate:
> > > > >
> > > > >     keytool -import
Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
Michael Jeffrey Tucker [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Hi,
>
> Some more digging revealed that what I have done so far is what is/was intended. Back in 2000, Craig McClanahan wrote that:
>
>     If all you want to do is make sure the client has a valid certificate, you don't need to use a security constraint at all -- just set the clientAuth property on the Connector to true, and no requests will be accepted without a certificate. On the other hand, if you want to use security constraints in addition, you will need to define the user (and associated roles) in your Realm, just as you would for any other login method.
>
> All I want Tomcat to do is make sure that the client has a valid certificate. But I also want this certificate to be accessible to my webapps. There doesn't seem to be any discussion of how the authentication information flows from the initial SSL connection to the JSP request object. Is there any such information flow without security constraints? Or am I approaching this all wrong?

This was actually covered in another thread today :-). As Craig said, you set clientAuth=true to force the browser to send the certificate. Then in your servlet you do:

    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

certs[0] is the client's cert, certs[1] is the signer of certs[0], and so on.

> Thanks again,
> Mike
>
> On Wed, 12 Nov 2003, Michael Jeffrey Tucker wrote:
>
> > Hi,
> >
> > Thanks for your help. I was wondering if anyone has any suggestions for the following problem: I would like Tomcat to accept any SSL connection where it recognizes the CA for the client certificate and then provide my webapp access to this certificate. It turns out that I don't think I want to use the CLIENT-CERT auth.
> >
> > My current setup seems to handle the first part -- I have clientAuth set to true in my server.xml's SSLServerSocketFactory configuration and I have removed the security constraints from my app's web.xml. When I point a browser at the site/ssl port, I am prompted for my client certificate. So far, so good!
> >
> > The problem is that I am not sure how to get access to the certificate from JSP. I have looked into the methods that are provided by the HttpServletRequest interface, but getAuthType(), getRemoteUser(), and getUserPrincipal() all return NULL. I guess this makes sense because the SSL certificate is not being used for app-specific security enforcement, but I know that the certificate must be floating around there somewhere. Are there any other request-related objects that my JSP code can access that would give me access to the cert?
> >
> > Any pointers would be greatly appreciated!
> >
> > Thanks,
> > Mike
> >
> > On Tue, 11 Nov 2003, Bill Barker wrote:
> >
> > > At the moment, only MemoryRealm supports CLIENT-CERT auth (at least from the Tomcat ships-with Realms). There are patches for JNDIRealm and JDBCRealm floating around in Bugzilla that should be fine if you are using Sun's JVM. (The Sun dependencies are basically why they are still floating :). Once you have enabled MemoryRealm (and, for version 4.1.29, disabled the default DataSource), the 'username' in tomcat-users.xml is the cert's DN (aka Subject). The password can be anything you want (it is ignored for CLIENT-CERT auth).
> > >
> > > - Original Message -
> > > From: Michael Jeffrey Tucker [EMAIL PROTECTED]
> > > To: Bill Barker [EMAIL PROTECTED]
> > > Sent: Tuesday, November 11, 2003 8:55 PM
> > > Subject: Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
> > >
> > > > Hi Bill,
> > > >
> > > > Do you know of a similar howto for client authentication with ssl? I've had nothing but trouble getting a system with self-signed keys up and running. I found a post in the archives about signing your own keys, which suggests that is an OK thing to do, and I've found posts by people who have client-side authentication up. But I haven't been able to combine the two.
> > > >
> > > > Also, I've been doing all my debugging on the client-side with the command line version of OpenSSL -- I'd like to look at what JSSE has to say (because the catalina logs are only showing incoming connections between assigned and awaited, no more details). Are there any howtos that describe the logging process in more detail that might be worth looking at?
> > > >
> > > > Thanks,
> > > > Mike
> > > >
> > > > On Tue, 11 Nov 2003, Bill Barker wrote:
> > > >
> > > > > The Tomcat 5 ssl-howto contains an example of how to do this. It works with Tomcat 4.1.x as well. Long-story-short, it works by combining the private-key and the cert. JSSE can use the resulting pkcs12 file as a keystore.
> > > > >
> > > > > Scott Kelley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I have an Apache+mod_ssl+Tomcat configuration that's been working fine for several years. I have an SSL
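A worked version of the `request.getAttribute("javax.servlet.request.X509Certificate")` answer above, added here as an example and not code from the thread or from Tomcat: a servlet filter that applies the application's own policy to the chain and hands the subject DN to JSPs. JSSE has already verified the chain signatures against the truststore when `clientAuth="true"` is enforced; what the application still has to decide is whether the certificate it received is the kind it wants (present at all, inside its validity period, from the expected issuer). The attribute name `example.clientDn`, the init-param `trustedIssuer` and its sample value are assumptions made for this example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not Tomcat's code): picks the client certificate out of the request
 * attribute the Servlet spec defines and exposes the subject DN to JSPs.
 */
public class ClientCertFilter implements Filter {

    /** Servlet-spec attribute; Tomcat fills it when the connector negotiated a client cert. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    /** Hypothetical attribute name under which the DN is handed on to JSPs. */
    static final String DN_ATTR = "example.clientDn";

    /** Hypothetical policy: only certificates issued by this CA are accepted. */
    private X500Principal trustedIssuer;

    public void init(FilterConfig config) throws ServletException {
        // <init-param> "trustedIssuer" in web.xml, e.g. "CN=Example Client CA,O=Example"
        // (a constructed value for this example).
        String issuer = config.getInitParameter("trustedIssuer");
        if (issuer == null) {
            throw new ServletException("ClientCertFilter needs the trustedIssuer init-param");
        }
        trustedIssuer = new X500Principal(issuer);
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String dn = acceptedSubject(certs, trustedIssuer);
        if (dn == null) {
            // Either no certificate arrived (connector set to clientAuth="want", or a fronting
            // Apache did not export it) or it failed the policy below: refuse rather than guess.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "valid client certificate required");
            return;
        }
        request.setAttribute(DN_ATTR, dn);
        chain.doFilter(req, res);
    }

    /**
     * Application policy on a chain JSSE has already validated: certs[0] must be present,
     * currently valid and issued by the configured CA. Returns the subject DN in RFC 2253
     * form, or null if the request is to be rejected.
     */
    static String acceptedSubject(X509Certificate[] certs, X500Principal issuer) {
        if (certs == null || certs.length == 0) {
            return null;
        }
        X509Certificate client = certs[0];          // certs[1] would be its signer, and so on
        try {
            client.checkValidity();                 // throws if expired or not yet valid
        } catch (CertificateException e) {
            return null;
        }
        if (!client.getIssuerX500Principal().equals(issuer)) {
            return null;                            // right CA in the truststore, wrong CA for this app
        }
        return client.getSubjectX500Principal().getName();
    }
}
```

Map the filter in web.xml with a `<filter>` (carrying the `trustedIssuer` init-param) and a `<filter-mapping>` for the protected URLs; a JSP behind it then reads `request.getAttribute("example.clientDn")`. Note that `getSubjectX500Principal().getName()` returns the RFC 2253 form (no spaces after commas), which is not byte-for-byte the string `getSubjectDN().getName()` produces, so compare DNs as `X500Principal` objects rather than as literal strings when matching them against anything else, such as the usernames in tomcat-users.xml.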
Using Apache/mod_ssl certificate and private key with Tomcat/keytool
Hi,

I have an Apache+mod_ssl+Tomcat configuration that's been working fine for several years. I have an SSL certificate from Verisign, and my httpd.conf file contains:

    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

The private key is unencrypted so that the server can restart automatically.

Now I'd like to use the same certificate and private key in a Tomcat-only configuration, but I can't quite figure out how to get these two pieces of information into keytool for tomcat to use!

It's easy enough to import the certificate:

    keytool -import -alias tomcat -file /path/to/server.crt

but I know that the private key needs to be in the keystore too, and I haven't been able to figure out how to get it in there! Simply trying to import it:

    keytool -import -alias tomcat -file /path/to/server.key

gives me the message:

    keytool error: java.lang.Exception: Input not an X.509 certificate

which doesn't really surprise me because the private key is not an X.509 certificate! But how can I tell keytool about my private key? Can I do this? If so, how? Can I do it with just keytool? Do I need to use openssl to tweak something?

I saw some comments in the httpd.conf file (comments added by mod_ssl) that suggest the certificate and the private key can be combined somehow. Is this what I need to do? If so, how do I do this?

Or do I have to toss my old keys and generate a new CSR with keytool? The Tomcat tutorial on how to do that seems reasonably straightforward. But I would much prefer to use my existing key and certificate!

I actually tried this for the first time two years ago. After trying everything I could think of, and posting to tomcat-user and getting no replies, I gave up and left things the way they were. Now, two years later, I *still* can't figure out, or find a recipe, to explain how to migrate from an Apache/mod_ssl/Tomcat configuration to a plain Tomcat configuration!

Thanks for any help.

Scott
Re: Using Apache/mod_ssl certificate and private key with Tomcat/keytool
The Tomcat 5 ssl-howto contains an example of how to do this. It works with Tomcat 4.1.x as well. Long-story-short, it works by combining the private-key and the cert. JSSE can use the resulting pkcs12 file as a keystore.

Scott Kelley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Hi,
>
> I have an Apache+mod_ssl+Tomcat configuration that's been working fine for several years. I have an SSL certificate from Verisign, and my httpd.conf file contains:
>
>     SSLCertificateFile /path/to/server.crt
>     SSLCertificateKeyFile /path/to/server.key
>
> The private key is unencrypted so that the server can restart automatically.
>
> Now I'd like to use the same certificate and private key in a Tomcat-only configuration, but I can't quite figure out how to get these two pieces of information into keytool for tomcat to use!
>
> It's easy enough to import the certificate:
>
>     keytool -import -alias tomcat -file /path/to/server.crt
>
> but I know that the private key needs to be in the keystore too, and I haven't been able to figure out how to get it in there! Simply trying to import it:
>
>     keytool -import -alias tomcat -file /path/to/server.key
>
> gives me the message:
>
>     keytool error: java.lang.Exception: Input not an X.509 certificate
>
> which doesn't really surprise me because the private key is not an X.509 certificate! But how can I tell keytool about my private key? Can I do this? If so, how? Can I do it with just keytool? Do I need to use openssl to tweak something?
>
> I saw some comments in the httpd.conf file (comments added by mod_ssl) that suggest the certificate and the private key can be combined somehow. Is this what I need to do? If so, how do I do this?
>
> Or do I have to toss my old keys and generate a new CSR with keytool? The Tomcat tutorial on how to do that seems reasonably straightforward. But I would much prefer to use my existing key and certificate!
>
> I actually tried this for the first time two years ago. After trying everything I could think of, and posting to tomcat-user and getting no replies, I gave up and left things the way they were. Now, two years later, I *still* can't figure out, or find a recipe, to explain how to migrate from an Apache/mod_ssl/Tomcat configuration to a plain Tomcat configuration!
>
> Thanks for any help.
>
> Scott
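The reply above points at the Tomcat 5 ssl-howto, which does the key-and-cert combination with openssl. As an added example, and not code from the howto or from Tomcat, here is the same combination done with nothing but the JDK (Java 8 or later, for `java.util.Base64` and try-with-resources): it is the importer keytool lacks for the "Input not an X.509 certificate" case in the original question. Assumptions: an RSA key, and an unencrypted key file in PKCS#8 PEM form (`BEGIN PRIVATE KEY`). mod_ssl's `server.key` is often PKCS#1 (`BEGIN RSA PRIVATE KEY`), which the JDK cannot parse on its own, so the code refuses that form and says how to convert it rather than guessing. The file names, the alias `tomcat` and the password are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;

/**
 * Added example: builds a PKCS#12 keystore from mod_ssl's server.crt and server.key
 * with the JDK alone. Usage (placeholder names):
 *     java PemToPkcs12 server.crt server.pk8 tomcat.p12 changeit
 * If server.key starts with "BEGIN RSA PRIVATE KEY" (PKCS#1), convert it first:
 *     openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pk8
 */
public class PemToPkcs12 {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PemToPkcs12 <cert.pem> <key.pk8> <out.p12> <password>");
            System.exit(2);
        }
        char[] password = args[3].toCharArray();
        Certificate[] chain = readCertChain(args[0]);
        PrivateKey key = readPkcs8Key(args[1]);
        checkKeyMatchesCert(key, chain[0]);
        KeyStore ks = buildPkcs12(key, chain, password);
        try (OutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password);
        }
        System.out.println("wrote " + args[2] + " (" + chain.length + " certificate(s), alias 'tomcat')");
    }

    /** PEM certificates need no decoding: CertificateFactory reads them directly. Put the
     *  server certificate first, then any intermediates, and the whole chain is stored. */
    static Certificate[] readCertChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            if (certs.isEmpty()) {
                throw new IllegalArgumentException("no certificate found in " + path);
            }
            return certs.toArray(new Certificate[0]);
        }
    }

    /** keytool cannot import this; strip the PEM armour and hand the DER to KeyFactory. */
    static PrivateKey readPkcs8Key(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (pem.contains("BEGIN RSA PRIVATE KEY")) {
            throw new IllegalArgumentException(path + " is PKCS#1; run 'openssl pkcs8 -topk8 -nocrypt' on it first");
        }
        if (pem.contains("ENCRYPTED")) {
            throw new IllegalArgumentException(path + " is encrypted; this expects the unencrypted key mod_ssl restarts with");
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** A key that does not belong to the certificate only fails at handshake time; catch it here. */
    static void checkKeyMatchesCert(PrivateKey key, Certificate cert) {
        RSAPrivateKey priv = (RSAPrivateKey) key;
        RSAPublicKey pub = (RSAPublicKey) cert.getPublicKey();
        if (!priv.getModulus().equals(pub.getModulus())) {
            throw new IllegalArgumentException("private key does not belong to the certificate");
        }
    }

    /** One password for store and key entry, since Tomcat opens both with keystorePass by default. */
    static KeyStore buildPkcs12(PrivateKey key, Certificate[] chain, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                            // start from an empty store
        ks.setKeyEntry("tomcat", key, password, chain);
        return ks;
    }
}
```

Check the result with `keytool -list -keystore tomcat.p12 -storetype PKCS12`, which should now show a private key entry under `tomcat`, and point the connector at it with `keystoreFile="tomcat.p12" keystoreType="PKCS12" keystorePass="changeit"` (placeholder values). Keep the unencrypted `server.pk8` under the same file permissions as `server.key`; it is the same secret in a different wrapper.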
apache /mod_ssl/tomcat/struts
I'm new to ssl on three tier, esp. with struts involved. Does struts or apache need to be configured? I would assume mod_ssl would take into account that a certain document location is secure, but since it is not static content coming back from Tomcat, I am uncertain how this would work. Any clarification would be appreciated.

Best,
Stephen Schaubach
RE: apache /mod_ssl/tomcat/struts
the easiest way is:

    Apache (with mod_ssl) --> mod_jk --> Tomcat with Struts

have apache handle all the http/https requests and simply forward them to Tomcat.

Filip

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 4:46 PM
To: [EMAIL PROTECTED]
Subject: apache /mod_ssl/tomcat/struts

> I'm new to ssl on three tier, esp. with struts involved. Does struts or apache need to be configured? I would assume mod_ssl would take into account that a certain document location is secure, but since it is not static content coming back from Tomcat, I am uncertain how this would work. Any clarification would be appreciated.
>
> Best,
> Stephen Schaubach
RE: apache /mod_ssl/tomcat/struts
Thanks, I hope you don't mind me writing you directly.

So, changing apache httpd.conf to use a location/ of the secure files is what I am having trouble with. If the document is a webpage.do (struts) file and is expected in /dir1/securearea/, will mod_jk2 take care of this?? Does everything just happen, or is there some mod_jk2 config I should do? I am using mod_jk2, fyi.

thanks again
Best,
Stephen Schaubach

-----Original Message-----
From: Filip Hanik [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 4:54 PM
To: Tomcat Users List
Subject: RE: apache /mod_ssl/tomcat/struts
Importance: Low

> the easiest way is:
>
>     Apache (with mod_ssl) --> mod_jk --> Tomcat with Struts
>
> have apache handle all the http/https requests and simply forward them to Tomcat.
>
> Filip
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 29, 2003 4:46 PM
> To: [EMAIL PROTECTED]
> Subject: apache /mod_ssl/tomcat/struts
>
> > I'm new to ssl on three tier, esp. with struts involved. Does struts or apache need to be configured? I would assume mod_ssl would take into account that a certain document location is secure, but since it is not static content coming back from Tomcat, I am uncertain how this would work. Any clarification would be appreciated.
> >
> > Best,
> > Stephen Schaubach
RE: apache /mod_ssl/tomcat/struts
yes, it will work perfectly without any problems. not sure why you need to change the location tag. instead what you will need to do is to setup your jk.properties and mod_jk.conf to forward requests to Tomcat, and the request URL will work fine with struts. we are using struts in our environment, and it looks just like that.

Filip

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 5:08 PM
To: [EMAIL PROTECTED]
Subject: RE: apache /mod_ssl/tomcat/struts

> Thanks, I hope you don't mind me writing you directly.
>
> So, changing apache httpd.conf to use a location/ of the secure files is what I am having trouble with. If the document is a webpage.do (struts) file and is expected in /dir1/securearea/, will mod_jk2 take care of this?? Does everything just happen, or is there some mod_jk2 config I should do? I am using mod_jk2, fyi.
>
> thanks again
> Best,
> Stephen Schaubach
>
> -----Original Message-----
> From: Filip Hanik [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 29, 2003 4:54 PM
> To: Tomcat Users List
> Subject: RE: apache /mod_ssl/tomcat/struts
> Importance: Low
>
> > the easiest way is:
> >
> >     Apache (with mod_ssl) --> mod_jk --> Tomcat with Struts
> >
> > have apache handle all the http/https requests and simply forward them to Tomcat.
> >
> > Filip
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 29, 2003 4:46 PM
> > To: [EMAIL PROTECTED]
> > Subject: apache /mod_ssl/tomcat/struts
> >
> > > I'm new to ssl on three tier, esp. with struts involved. Does struts or apache need to be configured? I would assume mod_ssl would take into account that a certain document location is secure, but since it is not static content coming back from Tomcat, I am uncertain how this would work. Any clarification would be appreciated.
> > >
> > > Best,
> > > Stephen Schaubach
RE: apache /mod_ssl/tomcat/struts
Hello, Filip.

Can secure connections be enforced declaratively when using apache/mod_ssl/mod_jk/tomcat? If so, where (and how) can it be done? httpd.conf? server.xml? web.xml? Or does detecting an insecure connection have to be done within the web application? As in...

    if (!request.isSecure()) response.sendRedirect...

-----Original Message-----
From: Filip Hanik [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 18:12
To: Tomcat Users List
Subject: RE: apache /mod_ssl/tomcat/struts

> yes, it will work perfectly without any problems. not sure why you need to change the location tag. instead what you will need to do is to setup your jk.properties and mod_jk.conf to forward requests to Tomcat, and the request URL will work fine with struts. we are using struts in our environment, and it looks just like that.
>
> Filip
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 29, 2003 5:08 PM
> To: [EMAIL PROTECTED]
> Subject: RE: apache /mod_ssl/tomcat/struts
>
> > Thanks, I hope you don't mind me writing you directly.
> >
> > So, changing apache httpd.conf to use a location/ of the secure files is what I am having trouble with. If the document is a webpage.do (struts) file and is expected in /dir1/securearea/, will mod_jk2 take care of this?? Does everything just happen, or is there some mod_jk2 config I should do? I am using mod_jk2, fyi.
> >
> > thanks again
> > Best,
> > Stephen Schaubach
> >
> > -----Original Message-----
> > From: Filip Hanik [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 29, 2003 4:54 PM
> > To: Tomcat Users List
> > Subject: RE: apache /mod_ssl/tomcat/struts
> > Importance: Low
> >
> > > the easiest way is:
> > >
> > >     Apache (with mod_ssl) --> mod_jk --> Tomcat with Struts
> > >
> > > have apache handle all the http/https requests and simply forward them to Tomcat.
> > >
> > > Filip
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, January 29, 2003 4:46 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: apache /mod_ssl/tomcat/struts
> > >
> > > > I'm new to ssl on three tier, esp. with struts involved. Does struts or apache need to be configured? I would assume mod_ssl would take into account that a certain document location is secure, but since it is not static content coming back from Tomcat, I am uncertain how this would work. Any clarification would be appreciated.
> > > >
> > > > Best,
> > > > Stephen Schaubach
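The declarative alternative to the `request.isSecure()` check asked about above, added here as an example and not taken from the thread: the servlet deployment descriptor's user-data-constraint, which makes the container itself refuse or redirect plain-HTTP requests to the covered URLs. The path `/securearea/*` is assumed from Stephen's earlier message; the resource name is a placeholder.

```xml
<!-- web.xml: require HTTPS for everything under /securearea/ (added example) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure area</web-resource-name>
    <url-pattern>/securearea/*</url-pattern>
  </web-resource-collection>
  <!-- no <auth-constraint>: no login is demanded, only a protected transport -->
  <user-data-constraint>
    <!-- CONFIDENTIAL: the container sends plain-HTTP requests to the secure port instead -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two things make or break this behind Apache/mod_jk. First, Tomcat only knows that a forwarded request came in over HTTPS from what mod_jk passes along (`JkExtractSSL`, which is on by default, with the `HTTPS` indicator), so if that is switched off `isSecure()` is false and the constraint redirects every request. Second, the redirect goes to the `redirectPort` of the connector that received the request, which for mod_jk is the AJP connector in server.xml, so set its `redirectPort` to Apache's SSL port (normally 443) rather than leaving it at Tomcat's own 8443. With that in place the `if (!request.isSecure())` code in the application becomes a belt-and-braces check rather than the only enforcement point.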
Apache + mod_ssl - Install/config
Hi Experts!

I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. SO, I got mod_ssl from the site and installed it using:

    # pwd
    /opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27
    # ./configure --with-apache=../apache_1.3.27 --with-ssl=/Downloads/openssl-0.9.6g --with-crt=/usr/local/ssl/bin/cert.cer --with-key=/usr/local/ssl/bin/private.key --prefix=/kit --enable-shared=ssl
    # cd ..
    # cd apache_1.3.27
    # make
    # make certificate
    # make install

This DOCUMENTATION was given in the README file in the above directory. Later, when I check if my APACHE was configured for SSL by using:

    # ./httpd -l
    Compiled-in modules:
      http_core.c
      mod_env.c
      mod_log_config.c
      mod_mime.c
      mod_negotiation.c
      mod_status.c
      mod_include.c
      mod_autoindex.c
      mod_dir.c
      mod_cgi.c
      mod_asis.c
      mod_imap.c
      mod_actions.c
      mod_userdir.c
      mod_alias.c
      mod_access.c
      mod_auth.c
      mod_so.c
      mod_setenvif.c
    suexec: disabled; invalid wrapper /kit/bin/suexec
    #

As seen above, the MOD_SSL module is NOT LISTED. When I installed/configured (as shown above) I did not receive any ERROR - but I still could NOT see if MOD_SSL was configured? Any suggestions/hints
SSL environment variables from apache mod_ssl
I desperately need the SSL environment variables like HTTPS or HTTPS_KEYSIZE, which should be delivered from mod_ssl to the JSP engine after Apache has established a HTTPS connection. Especially I have to check the actual key size. In tomcat-ssl-howto.html it is described how to adjust httpd.conf. Although I follow the guidelines, nothing happens. Is there something to be taken care of on the Tomcat side? If I copy the JkExtractSSL etc. commands into the VirtualHost section, there is no Tomcat connection at all (no interceptor initiated, JSP source is delivered unprocessed). Any ideas? We use Tomcat 3.3, Apache 1.3.22, mod_ssl 2.8.5 on Solaris 5.7, JDK 1.2.2.

Gerd Kersten

...Extract of the httpd.conf...

    <IfDefine SSL>
    ##
    ## SSL Environment variables [added by gke]
    ##
    # Should mod_jk send SSL information to Tomcat (default is On)
    JkExtractSSL On
    # What is the indicator for SSL (default is HTTPS)
    JkHTTPSIndicator HTTPS
    # What is the indicator for SSL session (default is SSL_SESSION_ID)
    JkSESSIONIndicator SSL_SESSION_ID
    # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
    JkCIPHERIndicator SSL_CIPHER
    # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
    JkCERTSIndicator SSL_CLIENT_CERT

    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot /usr/local/www
    ServerName ipent01.mydomain.de
    ServerAdmin [EMAIL PROTECTED]
    #ErrorLog /usr/local/httpd/logs/error_log
    #TransferLog /usr/local/httpd/logs/access_log

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    [...]
    # jsp added [gke, 16.05.02]
    <Files ~ "\.(cgi|shtml|phtml|php3?|jsp)$">
        SSLOptions +StdEnvVars +ExportCertData
        #SSLOptions +StdEnvVars
    </Files>
    <Directory /usr/local/httpd/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    [...]
    </VirtualHost>
    </IfDefine>
RE: apache + mod_SSL + tomcat
Hi,

> -----Original Message-----
> From: Cressatti, Dominique [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 05, 2002 7:38 PM
> To: Tomcat Users List
> Subject: apache + mod_SSL + tomcat
>
> Hi, I've got apache + mod_SSL + tomcat working (I don't deserve that much credit as mod_ssl worked right out of the box) but I wonder, couldn't the security be bypassed, like for example accessing the page on port 8080 instead of port 443?

If you leave Tomcat listening on 8080 then yes, it can be. So, you just have to modify your server.xml and disable HttpConnector.

> Dom

Anton
Re: apache + mod_SSL + tomcat
I never saw an answer go by to the below question and was curious what it would be. Does no one know the answer?

Dean

Cressatti, Dominique wrote:
> Hi, I've got apache + mod_SSL + tomcat working (I don't deserve that much credit as mod_ssl worked right out of the box) but I wonder, couldn't the security be bypassed, like for example accessing the page on port 8080 instead of port 443?
>
> Dom
RE: apache + mod_SSL + tomcat
my guess is yes, if you do not check in jsp/servlets that you are on https (request.isSecure()) and if you are allowing users to port 8080 (block it). my guess... :)

-----Original Message-----
From: Dean Hiller [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 7:33 AM
To: Tomcat Users List
Subject: Re: apache + mod_SSL + tomcat

I never saw an answer go by to the below question and was curious what it would be. Does no one know the answer?

Dean

Cressatti, Dominique wrote:
> Hi, I've got apache + mod_SSL + tomcat working (I don't deserve that much credit as mod_ssl worked right out of the box) but I wonder, couldn't the security be bypassed, like for example accessing the page on port 8080 instead of port 443?
>
> Dom
RE: apache + mod_SSL + tomcat
Anton Brazhnyk answered it. I followed his advice. I basically commented out the HttpConnector running on port 8080 and that was it. From that point I can't get an http connection on port 8080, but I can still access my app on port 80 (normal http) and port 443 (https).

One point that was made by somebody else: what about the connection between apache and tomcat? Either mod_jk on port 8009 (or 8007) or mod_webapp on port 8008. As far as I know those connectors are not ssl enabled.

Dom

-----Original Message-----
From: Dean Hiller [mailto:[EMAIL PROTECTED]]
Sent: 06 February 2002 13:33
To: Tomcat Users List
Subject: Re: apache + mod_SSL + tomcat

I never saw an answer go by to the below question and was curious what it would be. Does no one know the answer?

Dean

Cressatti, Dominique wrote:
> Hi, I've got apache + mod_SSL + tomcat working (I don't deserve that much credit as mod_ssl worked right out of the box) but I wonder, couldn't the security be bypassed, like for example accessing the page on port 8080 instead of port 443?
>
> Dom
Re: apache + mod_SSL + tomcat
I think there is a way to solve the problem without shutting down port 8080. Someone please verify this is true. If I use a servlet, my servlet can determine if the connection is from 8443 or 8080 and if it is from 8080 can deny the user access right away. Is this correct? I was kind of waiting on an answer like this.

thanks,
Dean
RE: apache + mod_SSL + tomcat
> ...my servlet can determine if the connection is from 8443 or 8080...

While not much clued up about java (but having seen a few examples) I would think it's possible. Then again, why would you like to do it at the servlet level? Why would you want to keep port 8080 open when 80, 443 or 8443 are?

Dom

-----Original Message-----
From: Dean Hiller [mailto:[EMAIL PROTECTED]]
Sent: 06 February 2002 14:50
To: Tomcat Users List
Subject: Re: apache + mod_SSL + tomcat

I think there is a way to solve the problem without shutting down port 8080. Someone please verify this is true. If I use a servlet, my servlet can determine if the connection is from 8443 or 8080 and if it is from 8080 can deny the user access right away. Is this correct? I was kind of waiting on an answer like this.

thanks,
Dean
RE: apache + mod_SSL + tomcat
Hi,

> -----Original Message-----
> From: Cressatti, Dominique [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 06, 2002 4:00 PM
> To: Tomcat Users List
> Subject: RE: apache + mod_SSL + tomcat
>
> Anton Brazhnyk answered it. I followed his advice. I basically commented out the HttpConnector running on port 8080 and that was it. From that point I can't get an http connection on port 8080, but I can still access my app on port 80 (normal http) and port 443 (https).

So, do you want SSL-only for the entire web application? Append something like the following to your web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <user-data-constraint>
        <description>User data constraint description</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

> One point that was made by somebody else: what about the connection between apache and tomcat? Either mod_jk on port 8009 (or 8007) or mod_webapp on port 8008. As far as I know those connectors are not ssl enabled.

These tasks are for your firewall :)

> Dom

Anton
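An added check, not part of Anton's post: a web-resource-collection that lists `<http-method>GET</http-method>` applies its CONFIDENTIAL guarantee to GET only, so a POST to the same URL pattern is still served over plain HTTP; omitting http-method makes the constraint cover every method. The script below takes a constructed web.xml holding both variants and reports which constraints cover their URL patterns only partially.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample web.xml: the GET-only constraint from the thread next to a
# corrected version with no <http-method> element. No XML namespace is assumed,
# as in web.xml files of the Servlet 2.2/2.3 era discussed here.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application (GET only)</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application (all methods)</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def audit_transport_constraints(web_xml: str) -> List[Dict[str, object]]:
    """One record per web-resource-collection: what its transport guarantee really covers."""
    root = ET.fromstring(web_xml)
    results: List[Dict[str, object]] = []
    for sc in root.iter("security-constraint"):
        tg = sc.find("user-data-constraint/transport-guarantee")
        guarantee = (tg.text or "").strip() if tg is not None else "NONE"
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name", default="").strip()
            patterns = [p.text.strip() for p in wrc.findall("url-pattern") if p.text]
            methods = [m.text.strip() for m in wrc.findall("http-method") if m.text]
            results.append({
                "name": name,
                "patterns": patterns,
                "guarantee": guarantee,
                # No http-method element means the collection covers all methods.
                "methods": methods or ["*"],
                # With methods listed, every other method (POST, HEAD, PUT, ...) falls
                # outside the constraint and is still reachable over plain HTTP.
                "partial": bool(methods) and guarantee == "CONFIDENTIAL",
            })
    return results


def findings(web_xml: str) -> List[str]:
    """Human-readable warnings for constraints that only partially enforce HTTPS."""
    out = []
    for r in audit_transport_constraints(web_xml):
        if r["partial"]:
            out.append(
                f"{r['name']}: CONFIDENTIAL applies only to {', '.join(r['methods'])} "
                f"on {', '.join(r['patterns'])}; other methods are unconstrained"
            )
    return out


if __name__ == "__main__":
    for line in findings(WEB_XML):
        print(line)
```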
Re: apache + mod_SSL + tomcat
In my app, we don't need everything to run over SSL and we are not using apache, so we only have ports 80 and 8443. I changed the default 8080 to 80 and should have probably changed 8443 to 443. When SSL is not necessary, we don't use it as it slows down the downloading of the pages.

Dean
Re: apache + mod_SSL + tomcat
thanks for the xml Anton, that is much better than putting the code in the servlet, and is easy to expand to a per servlet/html page basis.

thanks,
Dean
RE: apache + mod_SSL + tomcat
Dom, do you think you could give some of us a few pointers on how you got mod_SSL and tomcat to work? That would be awesome. Thanks.

Charlie

-----Original Message-----
From: Cressatti, Dominique [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 12:38 PM
To: Tomcat Users List
Subject: apache + mod_SSL + tomcat

Hi, I've got apache + mod_SSL + tomcat working (I don't deserve that much credit as mod_ssl worked right out of the box) but I wonder, couldn't the security be bypassed, like for example accessing the page on port 8080 instead of port 443?

Dom
apache + mod_SSL + tomcat
Hi, I've got apache + mod_SSL + tomcat working (I don't deserve that much credit as mod_ssl worked right out of the box) but I wonder, couldn't the security be bypassed, like for example accessing the page on port 8080 instead of port 443?

Dom
RE: apache + mod_SSL + tomcat
Well... like I said I deserve no credit on that subject; it worked straight out of the box. I am using RH 7.2, I made sure I installed openSSL and mod_SSL. I pointed my browser to https://localhost:443 and it worked (there was even a preconfigured certificate). Like I said, I deserve no credit.

Dom

-----Original Message-----
From: Charles N. Harvey III [mailto:[EMAIL PROTECTED]]
Sent: 05 February 2002 17:44
To: Tomcat Users List
Subject: RE: apache + mod_SSL + tomcat

Dom, do you think you could give some of us a few pointers on how you got mod_SSL and tomcat to work? That would be awesome. Thanks.

Charlie

-----Original Message-----
From: Cressatti, Dominique [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 12:38 PM
To: Tomcat Users List
Subject: apache + mod_SSL + tomcat

Hi, I've got apache + mod_SSL + tomcat working (I don't deserve that much credit as mod_ssl worked right out of the box) but I wonder, couldn't the security be bypassed, like for example accessing the page on port 8080 instead of port 443?

Dom
Re: apache + mod_SSL + tomcat
I thought tomcat was on 8443 by default. Are you sure you are pointing at tomcat, or do you have another webserver running on port 443, since that is the default that most webservers use when starting up? tomcat is the exception, running on 8443.

thanks,
Dean
Apache+mod_ssl and Tomcat+ssl
Hello all,

We are using Apache+mod_ssl in the DMZ (Internet side). We have a firewall between the DMZ and our Intranet. Tomcat 3.2 is installed in the Intranet. Can we have Tomcat perform SSL with the Apache server too, but through a firewall? The Apache server has to be authenticated through a certificate in order to pass through the internal firewall. We want one end-to-end SSL connection between the client and our Tomcat behind the firewall in the Intranet. Any suggestions are welcome.

Thanks,
Adrian
Apache + mod_ssl === Tomcat + JSSE
Hi, I have created a CA with openssl and I generate client and server certificates. I installed these certificates in Apache (directories /ssl.cert and /ssl.key) and it works, but how can I do the same in tomcat (keytool) to use these certificates... My question is how can I import the certificate and key into the keystore in tomcat.

Thanks a lot,
Ricardo Borillo Domenech
Programació - Servei d'Informàtica
Universitat Jaume I
RE: Apache + mod_ssl === Tomcat + JSSE
try to import the certificates into your keystore file with keytool -import -trustcacerts ++

-----Original Message-----
From: Ricardo [mailto:[EMAIL PROTECTED]]
Sent: 5 September 2001 12:02
To: [EMAIL PROTECTED]
Subject: Apache + mod_ssl === Tomcat + JSSE

Hi, I have created a CA with openssl and I generate client and server certificates. I installed these certificates in Apache (directories /ssl.cert and /ssl.key) and it works, but how can I do the same in tomcat (keytool) to use these certificates... My question is how can I import the certificate and key into the keystore in tomcat.

Thanks a lot,
Ricardo Borillo Domenech
Programació - Servei d'Informàtica
Universitat Jaume I
Re: Apache + mod_ssl === Tomcat + JSSE
I can import the certificate... but what about the key?? When you configure tomcat to work with SSL you have to execute

    keytool -genkey -alias tomcat ...

I would like to import my key (or something ???) with this alias.

Thanks a lot,
Ricardo Borillo Domenech
Programació - Servei d'Informàtica
Universitat Jaume I

----- Original Message -----
From: Eirik Yksnøy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 05, 2001 12:23 PM
Subject: RE: Apache + mod_ssl === Tomcat + JSSE

try to import the certificates into your keystore file with keytool -import -trustcacerts ++

-----Original Message-----
From: Ricardo [mailto:[EMAIL PROTECTED]]
Sent: 5 September 2001 12:02
To: [EMAIL PROTECTED]
Subject: Apache + mod_ssl === Tomcat + JSSE

Hi, I have created a CA with openssl and I generate client and server certificates. I installed these certificates in Apache (directories /ssl.cert and /ssl.key) and it works, but how can I do the same in tomcat (keytool) to use these certificates... My question is how can I import the certificate and key into the keystore in tomcat.

Thanks a lot,
Ricardo Borillo Domenech
Programació - Servei d'Informàtica
Universitat Jaume I
User Authentication Apache+mod_ssl+Tomcat 3.2.3
Hello all, I am using the above config and have a JDBC realm set up using FORM based login. What I want to know is:

1. Is it possible to get the login page to use SSL (https or port 443) and, once the user is validated, continue on the standard port (http, port 80)?
2. If so, is there any documentation with regards to this?

Thanks
Asar
RE: URI Rewriting using Apache/mod_ssl..the old story
Hi guys, I have been following this subject around for a while. In the 3.2.2 final version of Tomcat URL rewriting also does not work in standalone mode (port 80). This seems really, really strange ... I wonder what these programmers are doing. Have you heard about a solution?

Tassilo

-----Original Message-----
From: Wolle [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 30 May 2001 08:50
To: tomcatDev; tomcatUser
Subject: URI Rewriting using Apache/mod_ssl..the old story

I have just installed TC3.2.2 final, and URI Rewriting won't work over mod_ssl and apache. without ssl it works fine, also. I have set the TOMCAT_HOME and the JAVA_HOME... but it won't work. Or isn't it fixed in TC3.2.2?? When I install the two external classes from the jdk, jsse.jar and jnet.jar, in tomcat/lib and start it with an environment variable like below (old bug #578 workaround) it will work. The only thing that's gone is that I don't have to patch the HttpServletResponseFacade.java file out of tomcat/lib/webserver.jar... I've indeed tested this behavior with the standard class to test the session tracking which comes with tomcat. Greetings and thanks for the inconvenience, Michael. plz write back

Marc Saegesser wrote:

A change very similar to what you propose for HttpServletResponseFacade.java was already made for Tomcat 3.2.2b4. There are two conditions that I know of where URL rewriting won't work. If you are using AJP12 and an SSL port other than 443 then Tomcat won't be told that the connection is secure and will think that the URL scheme is HTTP, not HTTPS. HttpServletResponseFacade checks that the scheme of the URL to be encoded and the scheme of the current request are the same. To encode an HTTPS url you must be on an HTTPS request. [Note: I'm sure I really understand this requirement, but it's been this way for a long time.] So the two ways I know of for URL rewriting to fail are if you are using AJP12 and SSL on something other than 443, or if you are encoding an HTTPS URL during an HTTP request.

Are either of these true for your case? To help diagnose this, could you access the SnoopServlet that comes with Tomcat via your SSL connection and post the results? This page will indicate whether Tomcat thinks the request is secure or not, and if it thinks the URL scheme is HTTPS. Thanks, we'll get this worked out.

-----Original Message-----
From: Wolle [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 5:19 AM
To: [EMAIL PROTECTED]; GOMEZ Henri
Subject: Re: TC 3.2.2b4 URI Rewriting with mod_ssl

Hello, sorry I just woke up ;-)

Wolle wrote:

GOMEZ Henri wrote:

That is a known Bug, see http://nagoya.apache.org/bugzilla/show_bug.cgi?id=578

Marc has said that he has fixed it in the current release TC3.2.2b4, but it won't work. What should I describe now? The workaround was

Fixed by costin in TC 3.3 since 01/04/22 11:56:03

so I have all these things in TC3.2.2b4, fill it be insert in TC3.2.2 final ?

not fill - new sentence

so I have to do all these things in TC3.2.2b4, will it be completely inserted in TC3.2.2 final?

1. install the jnet.jar and jsse.jar in the TOMCAT/lib dir.
2. set TOMCAT_OPTS=-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
3. Modify the HttpServletResponseFacade.java:

retrieving revision 1.6.2.3 diff -u -r1.6.2.3 HttpServletResponseFacade.java --- src/share/org/apache/tomcat/facade/HttpServletResponseFacade.java 2001/03/06 17:38:13 1.6.2.3 +++ src/share/org/apache/tomcat/facade/HttpServletResponseFacade.java 2001/03/20 13:29:41
@@ -353,10 +353,14 @@ return (false); if (!request.getServerName().equalsIgnoreCase(url.getHost())) return (false); -// Set the URL port to HTTP default if not available before comparing +// Set the URL port to protocol default if not available before comparing int urlPort = url.getPort(); if (urlPort == -1) { -urlPort = 80; +if(http.equalsIgnoreCase(url.getProtocol())) { +urlPort = 80; +} else if (https.equalsIgnoreCase(url.getProtocol())) { +urlPort = 443; +} } if (request.getServerPort() != urlPort) return (false); That code need to be commited in 3.2.2b4 only this, or the other two step also ? only this, or the other two steps also ? I have made this with TC3.2.2b2 and TC3.2.2b3, and this works. Then it doesn't matter if you use the ajp12 or ajp13 Protocol (I have read that this is important to use ajp13) You need ajp13 to get some SSL web-server vars. so please help, You provide a patch which may be included in tomcat and must be reviewed by Marc for approval
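Review bot: in the `if (urlPort == -1)` branch of this hunk, a URL whose protocol is neither http nor https leaves urlPort at -1, so the following `if (request.getServerPort() != urlPort) return (false);` rejects it only by accident; add an explicit `else { return (false); }` (or at least a comment) so the intent survives later edits. As pasted here the comparisons read `http.equalsIgnoreCase(url.getProtocol())` and `https.equalsIgnoreCase(url.getProtocol())` without quotes, which would not compile; the submitted patch should carry the string literals `"http"` and `"https"`. Note also, as Marc's message above states, that this only fixes the default-port comparison: when Tomcat is not told the request is secure (AJP12 with SSL on a port other than 443) the earlier check that the URL scheme and request scheme match still fails, so the patch description should say that case remains unfixed.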
Apache+mod_ssl
Hai, how to use MOD_SSL with apache for the win32 platform..

subbu
Re: Apache+mod_ssl
Hi, Subbu

Try this: http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/tomcat-ssl-howto.html

Regards,
Noel Lecaros

subbu wrote:
> Hai, how to use MOD_SSL with apache for the win32 platform..
>
> subbu
Apache mod_SSL and Tomcat using mod_jk
Hello, I am new to Apache and am using mod_ssl Apache server connected with Tomcat via the mod_jk module - I get the following warning when starting Apache after I start tomcat:

    Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API, this module might crash under EAPI! (Please recompile it with -DEAPI)

I am trying to get Apache and Tomcat to use SSL. I don't have a certificate configured and get the following error:

    localhost:443 should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

Can someone point me to the exact directions on how to configure a certificate, and also will this module - mod_jk - work with the version of Apache I am using - Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip and Tomcat 3.2.1? I have configured this via the documentation in Tomcat. Any ideas or suggestions on where to go from here would be much appreciated.

Thanks in advance,
Charlie
Apache mod_ssl and knowing crypto bit length
What's the trick for retrieving the number of crypto bits used in SSL from a JSP/servlet if I'm using Apache mod_ssl with OpenSSL? The mod_ssl log file ssl_engine_log shows the Protocol, Cipher and bit length. When I use the environment variable SSL_CIPHER, it doesn't include the number of bits, only something like RC4-MD5. We'd like to provide a warning to customers who are using a sub-128 bit browser.

Thanks,
David
Re: Apache mod_ssl and knowing crypto bit length
> The mod_ssl log file ssl_engine_log shows the Protocol, Cipher and bit length. When I use the environment variable SSL_CIPHER, it doesn't include the number of bits, only something like RC4-MD5.

A quick check of modssl.org shows that the environment variable is called SSL_CIPHER_USEKEYSIZE (I think this is what I want). My httpd.conf does export +StdEnvVars, but Tomcat's mod_jk.conf file documents several mappings for environment variables, and the choice is limited and doesn't include SSL_CIPHER_USEKEYSIZE. I did configure apache with "JkExtractSSL On" and the SSLOptions include +StdEnvVars (not +ExportCertData because I don't care about client certs). Would I extract these using request.getHeader()?

David
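An added example, not from David's posts or from mod_ssl: when the key size is not forwarded to the servlet, the same sub-128-bit warning can be produced after the fact from Apache's own log. The script parses lines in the ssl_request_log CustomLog format quoted further down this page (`%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b`), derives the negotiated key size from the OpenSSL suite name the way SSL_CIPHER_USEKEYSIZE reports it, and flags sessions below 128 bits or on SSLv2. The cipher table, the fallback naming rules and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Matches the ssl_request_log CustomLog format quoted on this page:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+'   # %t   e.g. [16/Jan/2001:08:34:12 +0100]
    r'(?P<host>\S+)\s+'           # %h   client address
    r'(?P<protocol>\S+)\s+'       # %{SSL_PROTOCOL}x  SSLv2 / SSLv3 / TLSv1
    r'(?P<cipher>\S+)\s+'         # %{SSL_CIPHER}x    OpenSSL suite name
    r'"(?P<request>[^"]*)"\s+'    # "%r" request line
    r'(?P<nbytes>\S+)\s*$'        # %b   bytes sent, or "-"
)

# Negotiated symmetric key size per OpenSSL suite name, i.e. the value mod_ssl
# exports as SSL_CIPHER_USEKEYSIZE. Constructed for this example from the
# OpenSSL naming rules; export (EXP-) suites negotiate 40-bit keys.
USEKEYSIZE = {
    "RC4-MD5": 128, "RC4-SHA": 128, "IDEA-CBC-MD5": 128, "IDEA-CBC-SHA": 128,
    "DES-CBC3-SHA": 168, "DES-CBC3-MD5": 168, "DES-CBC-SHA": 56, "DES-CBC-MD5": 56,
    "EXP-RC4-MD5": 40, "EXP-RC2-CBC-MD5": 40, "EXP-DES-CBC-SHA": 40,
    "NULL-MD5": 0, "NULL-SHA": 0,
}


def key_size_for(cipher: str) -> Optional[int]:
    """Key size in bits for an OpenSSL cipher-suite name, or None if unknown."""
    if cipher in USEKEYSIZE:
        return USEKEYSIZE[cipher]
    # Fall back to the naming conventions for suites not in the table.
    if cipher.startswith("EXP1024-"):
        return 56
    if cipher.startswith("EXP-"):
        return 40
    m = re.match(r'^(?:DHE-(?:RSA|DSS)-)?AES(\d{3})-', cipher)
    if m:
        return int(m.group(1))
    if "DES-CBC3" in cipher:
        return 168
    if "DES-CBC" in cipher:
        return 56
    if "RC4" in cipher or "IDEA" in cipher:
        return 128
    return None


@dataclass
class SslRequest:
    time: str
    host: str
    protocol: str
    cipher: str
    request: str
    nbytes: Optional[int]


def parse_line(line: str) -> Optional[SslRequest]:
    """Parse one ssl_request_log line; None when it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("nbytes")
    return SslRequest(m.group("time"), m.group("host"), m.group("protocol"),
                      m.group("cipher"), m.group("request"),
                      None if raw == "-" else int(raw))


def weak_sessions(lines: Iterable[str], min_bits: int = 128) -> List[Tuple[SslRequest, str]]:
    """Return (request, reason) for every session below min_bits or negotiated on SSLv2."""
    findings: List[Tuple[SslRequest, str]] = []
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        if req is None:
            continue  # not in the expected format; a real tool would count these
        reasons = []
        if req.protocol == "SSLv2":
            reasons.append("SSLv2 negotiated")
        bits = key_size_for(req.cipher)
        if bits is None:
            reasons.append(f"unknown cipher {req.cipher}")
        elif bits < min_bits:
            reasons.append(f"{req.cipher} gives only {bits}-bit keys")
        if reasons:
            findings.append((req, "; ".join(reasons)))
    return findings


# Constructed sample log lines in the CustomLog format above.
SAMPLE_LOG = """\
[16/Jan/2001:08:34:12 +0100] 192.0.2.10 SSLv3 RC4-MD5 "GET /secure/Formular.htm HTTP/1.0" 2326
[16/Jan/2001:08:35:01 +0100] 192.0.2.11 SSLv3 EXP-RC4-MD5 "GET /jsptest.jsp HTTP/1.0" 1187
[16/Jan/2001:08:36:47 +0100] 192.0.2.12 TLSv1 DES-CBC3-SHA "POST /servlet/Login HTTP/1.1" 512
[16/Jan/2001:08:37:03 +0100] 192.0.2.13 SSLv2 DES-CBC-MD5 "GET / HTTP/1.0" -
[16/Jan/2001:08:38:20 +0100] 192.0.2.14 TLSv1 AES256-SHA "GET /secure/ HTTP/1.1" 4410
"""

if __name__ == "__main__":
    for req, why in weak_sessions(SAMPLE_LOG.splitlines()):
        print(f"{req.time} {req.host} {req.protocol} {req.cipher}: {why}")
```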
Success at last - Tomcat+Apache+mod_ssl
I finally got tomcat to serve up the proper web pages with mod_ssl in the picture. For those who may not remember, here is what I was attempting to accomplish: Tomcat and Apache sharing the same document root: /apache/htdocs/pub for http, and /apache/htdocs/secure for https.

The problem seemed to boil down to the fact that the "" context could only be established once for an IP address, irrespective of which ports the requests came in on. So while HTML pages were correctly served up from the appropriate directory by Apache, tomcat would only let me establish one "" context and thus only one docBase, with the result that when I asked for a secure page like https://www/myserver.com/jsptest.jsp, tomcat would give me the page out of the pub directory, not out of the secure one.

My solution to this problem was to use two copies of Tomcat, one with a docBase of /apache/htdocs/pub using ajp12, and the other with a docBase of /apache/htdocs/secure using the ajp13 connector. Because I have two instances of tomcat running, I had to modify one of them to put ajp12 on a non-default port; I moved it from 8007 to 8008. I also couldn't include the default workers.properties file, but had to handcraft one. But it is finally working.

Craig, you might want to consider allowing tomcat to be started with specified server.xml and workers.properties files. As it is, I had to install tomcat twice.

Guy Rouillier
571-226-1229
[EMAIL PROTECTED]
Domino Networks
2950 Gallows Road
Falls Church, VA 22042
RE: Apache mod_SSL and Tomcat using mod_jk
    # SSLOptions +FakeBasicAuth
    #
    # List the ciphers that the client is permitted to negotiate. See the source
    # for a definitive list. For example:
    #
    #SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
    #
    # These two can be used per-directory to require or ban ciphers. Note that (at
    # least in the current version) Apache-SSL will not attempt to renegotiate if a
    # cipher is banned (or not required).
    #
    #SSLRequireCipher
    #SSLBanCipher
    #
    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    #   This forces an unclean shutdown when the connection is closed, i.e. no
    #   SSL close notify alert is sent or allowed to be received. This violates
    #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #   this when you receive I/O errors because of the standard approach where
    #   mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    #   This forces an accurate shutdown when the connection is closed, i.e. a
    #   SSL close notify alert is sent and mod_ssl waits for the close notify
    #   alert of the client. This is 100% SSL/TLS standard compliant, but in
    #   practice often causes hanging connections with brain-dead browsers. Use
    #   this only for browsers where you know that their SSL implementation
    #   works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    #
    # Custom logging
    #
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    #
    # from here on, text by MS
    #
    <VirtualHost www.prot-gemeinde.ch:80>
    ServerName www.prot-gemeinde.ch
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog logs/prot-gemeinde_error.log
    CustomLog logs/prot-gemeinde_access.log common
    DocumentRoot D:/WebSpace/ApacheSSL/tomcat/webapps/Prototyp
    DirectoryIndex Formular.htm
    <Directory "D:/WebSpace/ApacheSSL/tomcat/webapps/Prototyp">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    JkMount /*.jsp ajp13
    JkMount /servlet/* ajp13
    ScriptAlias /cgi-bin/ "D:/WebSpace/Prototyp/Version10/cgi-bin/"
    <Directory "D:/WebSpace/Prototyp/Version10/cgi-bin">
        AllowOverride None
        Options None
    </Directory>
    </VirtualHost>

    #-----
    <VirtualHost www.snakeoil.dom:443>
    #-----
    SSLOptions +StdEnvVars +ExportCertData
    SSLEngine on
    ServerName www.snakeoil.dom
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog logs/snake_error.log
    CustomLog logs/snake_access.log common
    DocumentRoot D:/WebSpace/ApacheSSL/tomcat/webapps/securesite
    <Directory "D:/WebSpace/ApacheSSL/tomcat/webapps/securesite">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    JkMount /*.jsp ajp13
    JkMount /servlet/* ajp13
    <Directory "D:/WebSpace/ApacheSSL/tomcat/webapps/securesite/WEB-INF">
        Options none
        Deny from all
    </Directory>
    </VirtualHost>

-----Original Message-----
From: Pete Ehli [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, 16 January 2001 08:34
To: [EMAIL PROTECTED]
Subject: Apache mod_SSL and Tomcat using mod_jk

Hello, I am new to Apache and am using mod_ssl Apache server connected with Tomcat via the mod_jk module - I get the following warning when starting Apache after I start tomcat:

    Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API, this module might crash under EAPI! (Please recompile it with -DEAPI)

I am trying to get Apache and Tomcat to use SSL. I don't have a certificate configured and get the following error:

    localhost:443 should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]

Can someone point me to the exact directions on how to configure a certificate, and also will this module mod_jk work with the version of Apache I am using - Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip and Tomcat 3.2.1? I have configured this via the documentation in Tomcat. Any ideas or suggestions on where to go from here would be much appreciated.

- Pete - [EMAIL PROTECTED]
RE: Apache mod_SSL and Tomcat using mod_jk
-----Original Message-----
From: Pete Ehli [mailto:[EMAIL PROTECTED]]
Date: Tuesday, 16 January 2001 08:34
To: [EMAIL PROTECTED]
Subject: Apache mod_SSL and Tomcat using mod_jk

> Hello I am new to Apache and am using mod_ssl Apache server connected with Tomcat via the mod_jk module -

I've just done that ... (absolute beginner)

> I get the following warning when starting Apache after I start tomcat "Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API, this module might crash under EAPI! (Please recompile it with -DEAPI)

same for me... it seems to work anyway...

note that I had to install JSSE 1.0.2 from Sun's Java site... I've put it into the JRE 1.3 as documented (jar in lib/ext) and changed the security provider list in some properties file as documented...

For Tomcat servlets/JSPs to be able to call back HTTPS as a client I had to add a -D... that sets the implementor of URL... documented in JSSE also... I also had to set the keystore of JSSE; extract from tomcat.bat:

:runServer
rem Running Tomcat in this window
if "%2" == "-security" goto runSecure
%_RUNJAVA% %TOMCAT_OPTS% -Dtomcat.home="%TOMCAT_HOME%" -Djavax.net.ssl.trustStore="%TOMCAT_HOME%/conf/ssl/cacerts" -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol org.apache.tomcat.startup.Tomcat %2 %3 %4 %5 %6 %7 %8 %9
goto cleanup

> I am trying to get Apache and Tomcat to use SSL. I don't have a certificate configured and get the following error "localhost:443 should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]" Can someone point me to the exact directions on how to configure a certificate and also will this module

I had to use the snakeoil certificates and keys as documented... all is configured in a virtual host on port 443... the last problem is that the snakeoil certificate has a /CN= different from my host DNS name (sure, it is a dummy certificate), and thus the HTTPS URL connector refuses to trust an HTTPS server whose certificate CN is different from its DNS name...

I've found examples of config files on the web... note that the IfDefine SSL does not work with the apache/mod_ssl found on mod_ssl.org... I have used IfModule mod_ssl.c. I've put parts of the config files at the end...

> mod_jk work with the version of Apache I am using - Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip and Tomcat 3.2.1 I have configured this via the documentation in Tomcat. Any ideas or suggestion on where to go from here would be much appreciated

if someone can explain to me how to generate a good server certificate with openssl or keytool... 8)

-- here is the SSL config included at the end of the httpd.conf in apache

##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
LoadModule ssl_module modules/ApacheModuleSSL.dll
<IfModule mod_ssl.c>
Listen 8000
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shm:logs/ssl_scache(512000)
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
#SSLMutex file:logs/ssl_mutex

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones
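The refusal described above (the HTTPS URL handler rejecting a server whose certificate name differs from the DNS name it was reached by) is the hostname check every TLS client performs after validating the chain. The block below is an added illustration, not code from this thread or from JSSE: it reproduces that check over certificate data in the dict shape Python's ssl.getpeercert() returns and goes beyond the thread's CN-only case to subjectAltName entries and wildcards; the sample certificates are constructed (www.snakeoil.dom is the CN of mod_ssl's sample snakeoil server certificate, the other names are invented).

```python
"""Hostname check of the kind a TLS client (here, the JSSE HTTPS URL handler
in the thread) applies to the server certificate. Added illustration, not code
from the thread; cert dicts are constructed in the shape ssl.getpeercert()
returns, and www.snakeoil.dom is the CN of mod_ssl's sample snakeoil cert."""


def _name_matches(pattern, hostname):
    """Match one certificate identity against a hostname (RFC 6125 rules:
    case-insensitive, '*' allowed only as the entire leftmost label)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the whole leftmost label, must leave at least two
    # labels after it (no "*.com"), and covers exactly one hostname label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_identities(cert):
    """Names the certificate claims: dNSName SANs when present; only a cert
    without any dNSName SAN falls back to the subject commonName."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert, hostname):
    """True if the peer certificate is valid for the host that was connected to.
    This is the test a snakeoil cert served from 'localhost' fails."""
    return any(_name_matches(name, hostname) for name in cert_identities(cert))


# Constructed sample certificates (dict shape of ssl.getpeercert()).
SNAKEOIL_CERT = {"subject": ((("commonName", "www.snakeoil.dom"),),)}
PROPER_CERT = {
    "subject": ((("commonName", "tomcat.example.test"),),),
    "subjectAltName": (("DNS", "tomcat.example.test"), ("DNS", "*.example.test")),
}

if __name__ == "__main__":
    for host in ("localhost", "www.snakeoil.dom", "tomcat.example.test", "app.example.test"):
        print(f"{host:22} snakeoil={hostname_matches(SNAKEOIL_CERT, host)!s:5} "
              f"proper={hostname_matches(PROPER_CERT, host)}")
```

A certificate that carries dNSName SANs is judged on those alone, so a matching CN next to a non-matching SAN still fails, which is the behaviour to expect from any modern client.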
RE: Apache mod_SSL and Tomcat using mod_jk
>> Hello I am new to Apache and am using mod_ssl Apache server connected with Tomcat via the mod_jk module -
>
> I've just done that ... (absolute beginner)
>
>> I get the following warning when starting Apache after I start tomcat "Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API, this module might crash under EAPI! (Please recompile it with -DEAPI)

The module has been compiled on a standard Apache and you want it to run on an EAPI Apache (i.e. using mod_ssl). If you're using a Linux Red Hat or compatible, take a look at my RPM at: ftp://ftp.falsehope.com/home/gomez/tomcat/ or at http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/rpms/
Apache mod_SSL and Tomcat using mod_jk
Hello, I am new to Apache and am using a mod_ssl Apache server connected with Tomcat via the mod_jk module. I get the following warning when starting Apache after I start Tomcat: "Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API, this module might crash under EAPI! (Please recompile it with -DEAPI)"

I am trying to get Apache and Tomcat to use SSL. I don't have a certificate configured and get the following error: "localhost:443 should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile]"

Can someone point me to the exact directions on how to configure a certificate, and also will this module mod_jk work with the version of Apache I am using - Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip and Tomcat 3.2.1? I have configured this via the documentation in Tomcat. Any ideas or suggestions on where to go from here would be much appreciated.

- Pete - [EMAIL PROTECTED]