You can set the javax.net.debug=ALL system property before starting tomcat. This may give you some insight into the problem.
    export CATALINA_OPTS="-Djavax.net.debug=ALL"

Then restart tomcat.

-----Original Message-----
From: Karli Christoph (CSE) [mailto:[EMAIL PROTECTED]]
Sent: 22 July 2003 16:53
To: 'Tomcat Users List'
Subject: RE: achieving a clients (browsers) certificate in a webapp

that's the point.. with the following code

    // the attribute under which Tomcat exposes the client certificate chain
    String certAttribute = "javax.servlet.request.X509Certificate";
    X509Certificate certificate[] =
        (java.security.cert.X509Certificate[]) request.getAttribute(certAttribute);
    // dump every request attribute to see what actually arrives in the webapp
    for (Enumeration e = request.getAttributeNames(); e.hasMoreElements();) {
        System.out.println("attribute: " + e.nextElement());
    }

we just can achieve the following attributes:

    attribute: javax.servlet.include.servlet_path
    attribute: javax.servlet.include.context_path
    attribute: javax.servlet.request.cipher_suite
    attribute: javax.servlet.request.key_size
    attribute: javax.servlet.include.request_uri

any other ideas?

-----Original Message-----
From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 22 July 2003 17:39
To: 'Tomcat Users List'
Subject: RE: achieving a clients (browsers) certificate in a webapp

The 'javax.servlet.request.X509Certificate' request property will give you the client certificate chain. It contains an array of java.security.cert.X509Certificate Objects. Element [0] is the client certificate, Element [1] is the CA for the client certificate etc.

-----Original Message-----
From: Karli Christoph (CSE) [mailto:[EMAIL PROTECTED]]
Sent: 22 July 2003 16:04
To: 'Tomcat Users List'
Subject: achieving a clients (browsers) certificate in a webapp

now this seems like a big task!

we've been trying to achieve a clients certificate from the request-object, which failed because there is no parameter for achieving the x509Certificate installed in the browser of the client out of the request-object (javax.servlet.ServletRequest).
the certification of the server works fine, except the fact that the server-name on the certificate doesn't match the actual server-name of the webserver (we're about to change the server-name).

anyway, we've spent the whole day - but we had no chance to figure out where the problem's hidden.

what we use:
- jdk 1.3
- apache 2.0.45 with openssl
- tomcat 4.1.24
- mod_jk connector

other hint:
- https connection works on the webapp

important parts of the configuration files:

******* configuration of ssl.conf looks like this:

    <IfDefine SSL>
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache         dbm:logs/ssl_scache
    SSLSessionCacheTimeout  300
    SSLMutex  file:logs/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    <VirtualHost _default_:443>
    DocumentRoot "/opt/httpd-2.0.45/htdocs"
    #ServerName new.host.name:443
    ServerName servername.is.ok:443
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog logs/error_log
    TransferLog logs/access_log

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /opt/httpd-2.0.45/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /opt/httpd-2.0.45/conf/ssl.key/server.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/opt/httpd-2.0.45/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    </VirtualHost>
    </IfDefine>

******* configuration of httpd.conf looks like this:

    ...
    #
    # Bring in additional module-specific configurations
    #
    <IfModule mod_ssl.c>
        Include conf/ssl.conf
    </IfModule>
    ...
    JkWorkersFile /opt/jakarta/conf/jk/workers.properties
    JkLogFile     /opt/jakarta/logs/mod_jk.log
    JkLogLevel    debug
    JkMount /examples ajp13
    JkMount /examples/* ajp13
    ...
******* configuration of server.xml looks like this:

    ...
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true"
               useURIValidationHack="false">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile=".keystore" keystorePass="xxxxx" />
    </Connector>

    <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8443"
               acceptCount="10" debug="0" connectionTimeout="0"
               useURIValidationHack="false"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
    ...
*******

just anyone?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
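A defensive way to consume the `javax.servlet.request.X509Certificate` attribute discussed in this thread, written as an added example rather than code from any of the posters; the servlet class name is hypothetical and it assumes the Tomcat 4 / Servlet 2.3 environment described above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the thread) that reads the forwarded client chain.
public class ClientCertServlet extends HttpServlet {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String SUITE_ATTR = "javax.servlet.request.cipher_suite";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Tomcat sets CERT_ATTR only when the connector itself, or httpd via
        // mod_jk, actually obtained a client certificate; never assume it is there.
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // cipher_suite present means TLS was used but no client cert arrived;
            // absent means the request did not come over SSL at all.
            String suite = (String) req.getAttribute(SUITE_ATTR);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, suite == null
                    ? "request did not arrive over SSL"
                    : "SSL (" + suite + ") but no client certificate presented or forwarded");
            return;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        X509Certificate client = chain[0]; // [0] is the end-entity cert, [1..] its issuers
        try {
            client.checkValidity(); // date check only; trust in the chain came from the TLS layer
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client cert expired or not yet valid");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // getSubjectDN() is the Java 1.3-era API; use getSubjectX500Principal() on 1.4+.
        out.println("client subject: " + client.getSubjectDN().getName());
        out.println("issuer:         " + client.getIssuerDN().getName());
        out.println("serial (hex):   " + client.getSerialNumber().toString(16));
        for (int i = 1; i < chain.length; i++) {
            out.println("chain[" + i + "]:       " + chain[i].getSubjectDN().getName());
        }
    }
}
```

With the configuration quoted in this thread the attribute will stay unset no matter what the servlet does, because neither httpd (no `SSLVerifyClient` directive) nor the Tomcat connector (`clientAuth="false"`) ever asks the browser for a certificate. For the mod_jk path, mod_ssl additionally only exports the certificate to the connector when `SSLOptions +ExportCertData` is in effect for the proxied location.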