Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-20 Thread Christopher Schultz

Jon,

On 7/13/22 12:16, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Here is the error we are getting. The login form, hosted by Tomcat, does a POST
> to the /login/login.fcc for siteminder which is on the HTTPD server and is not
> behind the proxypass or proxypassreverse.
>
> javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399
> PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
>  12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT:
>   Unable to get Channel Secure Session: Unable to perform siteminder handshake
> java.lang.Exception: Unable to perform siteminder handshake
>
> Our SiteMinder team is telling us it's not their issue. Again, this POST worked
> fine when using mod_jk and SSL wasn't enabled for connection on Tomcat.


When you migrated from mod_jk -> mod_proxy, did you arrange to have all 
SSL information forwarded over the connection? mod_jk with the AJP 
connector handles a lot of that magic for you, but mod_proxy does not by 
default.


Have a look at this presentation, starting around slide 30: 
https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http


If your users are using TLS client certs with httpd, they may not be 
sent over to Tomcat and will therefore be unavailable for use from 
Tomcat -> SiteMinder. You can fix this with some 
SSLProxySomethingOrOther directives on the httpd side and the SSLValve 
on the Tomcat side. Note that if you aren't using SSLValve you probably 
are *also* not using RemoteIPValve, which you probably want to use.


-chris
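
The forwarding Chris refers to, written out as an added example (not configuration from this thread or from the Tomcat project): httpd copies the TLS details of the browser connection into request headers, and Tomcat's SSLValve reads them back. The host name, file paths, proxy address and `/app` path are placeholders; port 8305 is taken from the connector thread name in the log above.

```apache
# --- httpd side (needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers) ---
<VirtualHost *:443>
    SSLEngine on
    # Placeholder paths: httpd's own server certificate and key.
    SSLCertificateFile    /etc/httpd/tls/frontend.crt
    SSLCertificateKeyFile /etc/httpd/tls/frontend.key
    # Ask browsers for a client certificate, verified against this CA.
    SSLCACertificateFile  /etc/httpd/tls/client-ca.pem
    SSLVerifyClient       optional

    # TLS from httpd to the Tomcat connector.
    SSLProxyEngine on
    # Verify Tomcat's certificate and host name.
    SSLProxyVerify             require
    SSLProxyCACertificateFile  /etc/httpd/tls/backend-ca.pem
    SSLProxyCheckPeerName      on
    # Certificate and key (one PEM file) that httpd presents to Tomcat.
    SSLProxyMachineCertificateFile /etc/httpd/tls/httpd-client.pem

    # "set" replaces any header of the same name sent by the browser,
    # so a client cannot supply its own SSL_CLIENT_CERT.
    RequestHeader set SSL_CLIENT_CERT       "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CIPHER            "%{SSL_CIPHER}s"
    RequestHeader set SSL_SESSION_ID        "%{SSL_SESSION_ID}s"
    RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
    # mod_proxy_http adds X-Forwarded-For itself; the scheme has to be set here.
    RequestHeader set X-Forwarded-Proto     "https"

    ProxyPass        /app https://tomcat.example.internal:8305/app
    ProxyPassReverse /app https://tomcat.example.internal:8305/app
</VirtualHost>

# --- Tomcat side, server.xml (shown as comments; XML, not httpd syntax) ---
# Inside <Engine> or <Host>:
#   <Valve className="org.apache.catalina.valves.RemoteIpValve"
#          internalProxies="192\.0\.2\.10"
#          remoteIpHeader="x-forwarded-for"
#          protocolHeader="x-forwarded-proto" />
#   <Valve className="org.apache.catalina.valves.SSLValve" />
#
# On the connector's <SSLHostConfig>, certificateVerification="required"
# (with a trust store holding the CA of httpd-client.pem) so that only
# httpd can reach the port. SSLValve believes whatever the headers say,
# so "optional" lets any host that can connect assert a client identity.
```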



AW: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

did you hijack that topic or is it related to that?
If it’s a new topic, please start a new thread with an according subject.

Thanks!

> -Original Message-
> From: Jasmin Ćatić 
> Sent: Friday, July 15, 2022 10:56
> To: Tomcat Users List 
> Subject: Re: [OT] issues with Tomcat to Siteminder communication post
> mod-proxy setup
> 
> Hello,
> 
> Can someone please give me a step by step guide on how to make my
> tomcat webapp available online with a domain name.
> Thanks.
> 
> Regards,
> JC
> 

Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-15 Thread Jasmin Ćatić
Hello,

Can someone please give me a step by step guide on how to make my tomcat
webapp available online with a domain name.
Thanks.

Regards,
JC

On Wed, 13 Jul 2022 at 18:31  wrote:

> Could this potentially be caused by
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>
> But not using Tomcat Native?
>
> Thanks,
>

RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-13 Thread jonmcalexander
Could this potentially be caused by
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

But not using Tomcat Native?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Sent: Wednesday, July 13, 2022 11:28 AM
> To: Tomcat Users List 
> Subject: AW: [OT] issues with Tomcat to Siteminder communication post
> mod-proxy setup
> 
> Hello,
> 
> > -Original Message-
> > From: jonmcalexan...@wellsfargo.com.INVALID
> > 
> > Sent: Wednesday, July 13, 2022 18:17
> > To: users@tomcat.apache.org
> > Subject: RE: [OT] issues with Tomcat to Siteminder communication post
> > mod-proxy setup
> >
> > Here is the error we are getting. The login form, hosted by Tomcat,
> > does a POST to the /login/login.fcc for siteminder which is on the
> > HTTPD server and is not behind the proxypass or proxypassreverse.
> >
> > javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12
> > 13:12:49.399
> > PDT|SSLSocketImpl.java:1615|close the SSL connection (passive) 
> > PDT|12
> > Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: 
> > Unable to get Channel Secure Session: Unable to perform siteminder
> > handshake
> > java.lang.Exception: Unable to perform siteminder handshake
> >
> > Our SiteMinder team is telling us it's not their issue. Again, this
> > POST worked fine when using mod_jk and SSL wasn't enabled for
> connection on Tomcat.
> >
> > Thanks,
> >
> 
> This error message is most likely thrown by the application and not by
> tomcat.
> The underlying error would be important including the full stack below.
> Are there some "caused by" Exceptions below?
> Otherwise the siteminder application is hiding the underlying Exception.
> 
> 

AW: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-13 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Wednesday, July 13, 2022 18:17
> To: users@tomcat.apache.org
> Subject: RE: [OT] issues with Tomcat to Siteminder communication post
> mod-proxy setup
> 
> Here is the error we are getting. The login form, hosted by Tomcat, does a
> POST to the /login/login.fcc for siteminder which is on the HTTPD server and
> is not behind the proxypass or proxypassreverse.
> 
> javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399
> PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)  12
> Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: 
> Unable to get Channel Secure Session: Unable to perform siteminder
> handshake
> java.lang.Exception: Unable to perform siteminder handshake
> 
> Our SiteMinder team is telling us it's not their issue. Again, this POST 
> worked
> fine when using mod_jk and SSL wasn't enabled for connection on Tomcat.
> 
> Thanks,
> 

This error message is most likely thrown by the application and not by tomcat.
The underlying error would be important including the full stack below.
Are there some "caused by" Exceptions below?
Otherwise the siteminder application is hiding the underlying Exception.

 

RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-13 Thread jonmcalexander
Here is the error we are getting. The login form, hosted by Tomcat, does a POST 
to the /login/login.fcc for siteminder which is on the HTTPD server and is not 
behind the proxypass or proxypassreverse.

javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399 
PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
 12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: 
  Unable to get Channel Secure Session: Unable to perform siteminder 
handshake
java.lang.Exception: Unable to perform siteminder handshake

Our SiteMinder team is telling us it's not their issue. Again, this POST worked 
fine when using mod_jk and SSL wasn't enabled for connection on Tomcat.

Thanks,

Jon McAlexander

RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-12 Thread jonmcalexander
I'm wondering if it is having to do with the SMSESSION cookie not getting 
passed correctly. Still trying to figure this one out.

Thanks,

Jon McAlexander

> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, July 12, 2022 9:16 AM
> To: users@tomcat.apache.org
> Subject: Re: [OT] issues with Tomcat to Siteminder communication post mod-
> proxy setup
> 
> Jon,
> 
> On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Chris,
> >
> > Moving this discussion to here. Yes, it appears that I broke something when
> setting up the Tomcat Connector for the mod-proxy that is now affecting,
> somehow, the SSL communication with the Site Minder services. Here is the
> connector we added below.
> 
> The only reason I can think of that would cause your Tomcat TLS connector
> configuration to affect your SiteMinder thing is if you are trying to specify 
> the
> javax.net.ssl.trustStore system property for the entire JVM, and allowing
> Tomcat to inherit that.
> 
> > Temporarily have set certificateVerification to optional to see if it
> > was something with the communication between HTTPD and Tomcat.
> >
> >   > protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="100"
> > compression="on" scheme="https" SSLEnabled="true" secure="true">
> >
> >   certificateVerification="optional" truststoreFile="" truststorePassword=""
> truststoreType="JKS"
> >
> > ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> 
> Assuming truststoreFile is not actually _blank_, then this should be fine.
> 
> >  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> >  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> >  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> >  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> >  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> >  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> >  TLS_DHE_RSA_WITH_AES_128_CCM,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
> >  TLS_DHE_RSA_WITH_AES_128_CCM_8,
> >  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
> >  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> >  
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> >
> > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
> >
> >   > Type="RSA" certificateKeystoreFile=".pfx"
> > certificateKeystorePassword="" certificateKeystoreType="pkcs12" />
> 
> Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for you,
> since you are using only an RSA key.
> 
> Is your SiteMinder client code using its own special trust store and key 
> store?
> If you are getting a handshake failure (mentioned in your message to
> dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException:
> Received fatal alert: bad_certificate error"), you might want to start looking
> there. The problem is very unlikely to be your Tomcat configuration or
> anything related to it, unless you use the same key store and trust store for
> both.
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org





Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-12 Thread Christopher Schultz

Jon,

On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Chris,
>
> Moving this discussion to here. Yes, it appears that I broke something when
> setting up the Tomcat Connector for the mod-proxy that is now affecting,
> somehow, the SSL communication with the Site Minder services. Here is the
> connector we added below.

The only reason I can think of that would cause your Tomcat TLS 
connector configuration to affect your SiteMinder thing is if you are 
trying to specify the javax.net.ssl.trustStore system property for the 
entire JVM, and allowing Tomcat to inherit that.

> Temporarily have set certificateVerification to optional to see if
> it was something with the communication between HTTPD and Tomcat.

Assuming truststoreFile is not actually _blank_, then this should be fine.

>  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
>  TLS_DHE_RSA_WITH_AES_128_CCM,
>  TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>  TLS_DHE_RSA_WITH_AES_128_CCM_8,
>  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>  TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
>  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
>  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">

 


Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for 
you, since you are using only an RSA key.


Is your SiteMinder client code using its own special trust store and key 
store? If you are getting a handshake failure (mentioned in your message 
to dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException: 
Received fatal alert: bad_certificate error"), you might want to start 
looking there. The problem is very unlikely to be your Tomcat 
configuration or anything related to it, unless you use the same key 
store and trust store for both.


-chris




[OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-08 Thread jonmcalexander
Chris,

Moving this discussion to here. Yes, it appears that I broke something when 
setting up the Tomcat Connector for the mod-proxy that is now affecting, 
somehow, the SSL communication with the Site Minder services. Here is the 
connector we added below. Temporarily have set certificateVerification to 
optional to see if it was something with the communication between HTTPD and 
Tomcat.










Thanks,

Jon McAlexander



Re: tomcat with SiteMinder

2019-10-11 Thread tomcat

On 11.10.2019 05:11, Bauer, Margaret M (Peggy) wrote:
> Has anyone used tomcat with SiteMinder without having a webserver in front
> of it?  If so, where can I find the how to?

In the SiteMinder documentation?
(No kidding. As I recall, they do provide examples with multiple webservers.)

> thank you,
>
> *Peggy *







tomcat with SiteMinder

2019-10-10 Thread Bauer, Margaret M (Peggy)
Has anyone used tomcat with SiteMinder without having a webserver in front
of it?  If so, where can I find the how to?

thank you,

*Peggy *