Hi Mark,
> How are you configuring TLS for the Connector?

<Connector port="8443"
           scheme="https"
           secure="true"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           SSLCertificateFile="/certs/foo.crt"
           SSLCertificateKeyFile="/certs/foo.key"
           maxThreads="150"
           clientAuth="false"
           SSLProtocol="all" />

> How are you configuring TLS for LDAP?

Do you mean inside Tomcat?
Thanks
-John
-----Original Message-----
From: Mark Thomas <[email protected]>
Sent: Tuesday, October 8, 2019 11:07 AM
To: [email protected]
Subject: Re: Tomcat 7 HTTPS and LDAP authentication issue
On 08/10/2019 18:55, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> Hello,
>
> We have an application running on Tomcat 7.0.96. The application
> handles authentication by accessing an internal LDAPS host by using
> credentials, a keystore, and the LDAPS hostname and port from an
> external file from the application and from Tomcat. This works with no
> issues, until I enable HTTPS in Tomcat. Once I see sessions are encrypted,
> users can no longer log on to the application. When I disable HTTPS the users
> can again authenticate in the application. We do have an Apache reverse proxy
> for the application, but when Tomcat HTTPS is enabled I need to use
> https://hostname:8443/foo to get to the application login screen and not just
> https://hostname/foo.
> With HTTPS disabled I can access the application with
> http://hostname/foo. That's obviously a config issue I need to address, but
> would that be why the authentication process would be broken when HTTPS is
> enabled?
How are you configuring TLS for LDAP?
How are you configuring TLS for the Connector?
I suspect that something somewhere is using the JVM wide TLS configuration
properties when it should be using LDAP / Tomcat Connector specific settings?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]