Re: Tomcat 4.0 & Apache with Client Certs

Tue, 25 Sep 2001 03:26:09 -0700 

I'm using Tomcat 4.0 b5 standalone with client authentication.
In this situation Tomcat only exports information about the CIPHER_SUITE and
KEY_SIZE ... what about client certificate ?!?!?!

Thanks,
============================
Ricardo Borillo Domenech
Programaciķ - Servei d'Informātica
Universitat Jaume I
----- Original Message -----
From: "Matias Bahlenberg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 10:23 AM
Subject: Re: Tomcat 4.0 & Apache with Client Certs


Hi,

I have tried to get the client certificate information too, but with no
success. I use Apache 1.3.19 with Tomcat 4.0.

I have been told that when using a connector with Apache & mod_ssl it is
essential to specify "SSLOptions +StdEnvVars +ExportCertData. Otherwise
mod_ssl will not produce the neccessary environment variables for the
connector.

When I use a connector to JRun, I use the below code to get the
client-information:
----------------------------------------------------------------------------
-----------------------
java.security.cert.X509Certificate certApache = null;
String certData = request.getHeader("SSL_CLIENT_CERT");
if(certData!=null) {
ByteArrayInputStream inStream  = new
ByteArrayInputStream(certData.getBytes());
java.security.cert.CertificateFactory cf =
java.security.cert.CertificateFactory.getInstance("X.509");
certApache =
(java.security.cert.X509Certificate)cf.generateCertificate(inStream);
inStream.close();
}

if(certApache!=null) {
certSubject      = certApache.getSubjectDN().getName();
certIssuer       = certApache.getIssuerDN().getName();
certSerialNumber = certApache.getSerialNumber().toString();
}
----------------------------------------------------------------------------
-----------------------

Unfortunately, it seems like the mod_webapp-connector (warp) does not
support the export of client certificate information. They have told me that
Tomcat 4.0 can be accessed by using the mod_jk (ajp13) as a connector. I
have not get it worked yet.

If someone makes it work, please let me (us) know....an how!!!

// Matias


----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 24, 2001 5:58 PM
Subject: Tomcat 4.0 & Apache with Client Certs


> Scenario
>
> I have apache passing any calls to servlets through to Tomcat 4 via
> the mod_webapp connector.
> My Server certificate and my client certificates work fine to allow
> specific users onto the system.
>
> Problem....Problem....Problem....Problem....Problem....
>
> In Tomcat 3.2.3 it was possible using AJP13 to access Client
> Certificate information via
> request.getAttribute("javax.servlet.request.X509Certificate") from
> within my tomcat servlet. In Release 4.0 using the warp connector this
> doesn`t appear to be the case. When i debug/view my request object for
> it`s attributes there are none present. No CIPHER_SUITE or
> X509Certificate.
>
> Please can someone tell me how i should be accessing client
> certificate information from within Tomcat 4.0 via apache.
>
> My System
>
> Apache-ssl 1.3
> Tomcat 4.0
> mod_webapp.so
> Linux Redhat 7.1
>
> Here is an extract of my httpd.conf
>
> <VirtualHost www.xxxxxxxxxx.co.uk:443>
>         SSLEnable
>         SSLCertificateFile /usr/local/ssl/www.xxxxxxx.crt
>         SSLCertificateKeyFile /usr/local/ssl/www.xxxxxxx.key
>         SSLCACertificateFile /usr/local/ssl/xxxxxxx.pem
>         SSLVerifyClient 2
>         SSLVerifyDepth 10
>         SSLFakeBasicAuth
>         SSLExportClientCertificates
>         SSLCacheServerPort /usr/logs/gcache_port
>         SSLCacheServerPath ./bin/gcache
>         SSLSessionCacheTimeout 30
>         SSLRequiredCiphers RC4-MD5
>         SSLCacheServerPath ./bin/gcache
>         SSLCacheServerPort logs/gcache_port
>         SSLCacheServerRunDir /tmp
>         Serveradmin xxxxxx@xxxxxx
>         ServerName xxxxxxx
>         WebAppConnection warpConnection warp localhost:8008
>         WebAppDeploy testcert warpConnection /testcert/
> </VirtualHost>
>
> and my server.xml to receive the warp connector
>
>   <!-- Define an Apache-Connector Service -->
>   <Service name="Tomcat-Apache">
>
>     <Connector
className="org.apache.catalina.connector.warp.WarpConnector"
>      port="8008" minProcessors="5" maxProcessors="75"
>      enableLookups="true" scheme="https" secure="true">
>      acceptCount="10" debug="0"/>
>     </Connector>
>
>     <!--
>      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>      clientAuth="false" protocol="TLS"/>
>     -->
>
>     <!-- Replace "localhost" with what your Apache "ServerName" is set
> to -->
>     <Engine className="org.apache.catalina.connector.warp.WarpEngine"
>      name="Apache" defaultHost="localhost" debug="0"
> appBase="webapps">
>         .........
>
> Any help or advise greatly appreciated
>
> Lee Lovell
>

Reply via email to