Jon,

On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Chris,
>
> Moving this discussion to here. Yes, it appears that I broke something when
> setting up the Tomcat Connector for the mod-proxy that is now affecting,
> somehow, the SSL communication with the Site Minder services. Here is the
> connector we added below.

The only reason I can think of that would cause your Tomcat TLS connector configuration to affect your SiteMinder thing is if you are trying to specify the javax.net.ssl.trustStore system property for the entire JVM, and allowing Tomcat to inherit that.

> I have temporarily set certificateVerification to optional to see if it was something with the communication between HTTPD and Tomcat.
>
> <Connector port="8305" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="100"
>            compression="on" scheme="https" SSLEnabled="true" secure="true">
>
>   <SSLHostConfig protocols="TLSv1.2" certificateVerification="optional"
>                  truststoreFile="" truststorePassword="" truststoreType="JKS"
>                  ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,

Assuming truststoreFile is not actually _blank_, then this should be fine.

>                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>                          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>                          TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
>                          TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>                          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>                          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>                          TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
>                          TLS_DHE_RSA_WITH_AES_128_CCM,
>                          TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
>                          TLS_DHE_RSA_WITH_AES_128_CCM_8,
>                          TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>                          TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
>                          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
>                          TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
>
>     <Certificate Type="RSA"
>                  certificateKeystoreFile="<certificate>.pfx" certificateKeystorePassword=""
>                  certificateKeystoreType="pkcs12" />

Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for you, since you are using only an RSA key.

Is your SiteMinder client code using its own special trust store and key store? If you are getting a handshake failure (mentioned in your message to dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate error"), you might want to start looking there. The problem is very unlikely to be your Tomcat configuration or anything related to it, unless you use the same key store and trust store for both.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
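As an added example that is not part of this thread or of Tomcat itself: a small Python lint that parses a connector fragment like the one quoted above and flags the points Chris raises (a blank truststoreFile, certificateVerification left at "optional", and cipher suites that need an EC or DSA key when only an RSA certificate is configured), plus a check for a JVM-wide -Djavax.net.ssl.trustStore that a connector with no truststoreFile of its own would fall back to. The two connector fragments and the JAVA_OPTS string are constructed for the example; keystore paths and passwords are placeholders.

```python
"""Lint a Tomcat <Connector>/<SSLHostConfig> fragment for the issues discussed
in the thread. Added example; the sample configs below are constructed."""
import shlex
import xml.etree.ElementTree as ET

# Tomcat <Certificate type="..."> values are RSA, DSA or EC. A TLS 1.2 suite
# name carries its authentication algorithm as the last token before "_WITH_".
AUTH_TO_CERT_TYPE = {"RSA": "RSA", "DSS": "DSA", "ECDSA": "EC"}

# Constructed sample modelled on the posted fragment (closing tags added so it
# parses; paths are placeholders). Shows the weak settings.
WEAK_CONNECTOR = """
<Connector port="8305" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="100" scheme="https" SSLEnabled="true" secure="true">
  <SSLHostConfig protocols="TLSv1.2" certificateVerification="optional"
                 truststoreFile="" truststorePassword="" truststoreType="JKS"
                 ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                          TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256">
    <Certificate Type="RSA" certificateKeystoreFile="server.pfx"
                 certificateKeystorePassword="placeholder" certificateKeystoreType="pkcs12" />
  </SSLHostConfig>
</Connector>
"""

# Same connector with the findings resolved: verification required, an explicit
# trust store for the client CA, and only suites an RSA key can authenticate.
HARDENED_CONNECTOR = """
<Connector port="8305" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="100" scheme="https" SSLEnabled="true" secure="true">
  <SSLHostConfig protocols="TLSv1.2" certificateVerification="required"
                 truststoreFile="conf/client-ca.jks" truststorePassword="placeholder"
                 truststoreType="JKS"
                 ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384">
    <Certificate type="RSA" certificateKeystoreFile="server.pfx"
                 certificateKeystorePassword="placeholder" certificateKeystoreType="pkcs12" />
  </SSLHostConfig>
</Connector>
"""


def cipher_auth_type(suite):
    """Return the server key type (RSA/DSA/EC) a suite needs, or None when the
    name does not bind to a key type (TLS 1.3 suites, unknown prefixes)."""
    if "_WITH_" not in suite:
        return None
    auth = suite.split("_WITH_")[0].split("_")[-1]
    return AUTH_TO_CERT_TYPE.get(auth)


def configured_cert_types(host):
    """Key types declared on <Certificate> children. Tomcat documents the
    attribute as lowercase 'type'; a capitalised spelling is accepted here too
    because hand-edited configs vary. Missing type -> UNDEFINED."""
    return {(c.get("type") or c.get("Type") or "UNDEFINED").upper()
            for c in host.findall("Certificate")}


def lint_connector(xml_text):
    """Return (code, detail) findings for every SSLHostConfig in the fragment."""
    findings = []
    for host in ET.fromstring(xml_text).iter("SSLHostConfig"):
        if host.get("certificateVerification", "none").lower() == "optional":
            findings.append(("optional-verification",
                             "client certificate requested, but a client presenting none still connects"))
        if host.get("truststoreFile") == "":
            findings.append(("blank-truststore",
                             "truststoreFile is empty; point it at the store holding the client CA(s)"))
        cert_types = configured_cert_types(host)
        if cert_types and "UNDEFINED" not in cert_types:
            for suite in (s.strip() for s in host.get("ciphers", "").split(",")):
                needed = cipher_auth_type(suite) if suite else None
                if needed and needed not in cert_types:
                    # Suite can never be negotiated: no key of that type is configured.
                    findings.append(("unusable-suite", suite))
    return findings


def jvm_truststore_override(java_opts):
    """Value of -Djavax.net.ssl.trustStore in a JAVA_OPTS/CATALINA_OPTS string,
    or None. The property is JVM-wide: a store meant for an outbound client is
    also what a connector without its own truststoreFile defaults to."""
    for tok in shlex.split(java_opts):
        if tok.startswith("-Djavax.net.ssl.trustStore="):
            return tok.split("=", 1)[1]
    return None


if __name__ == "__main__":
    for code, detail in lint_connector(WEAK_CONNECTOR):
        print(f"{code}: {detail}")
    print("hardened findings:", lint_connector(HARDENED_CONNECTOR))
    # Constructed JAVA_OPTS to show the inherited-trust-store case.
    print(jvm_truststore_override("-Xmx1g -Djavax.net.ssl.trustStore=/opt/sm/trust.jks"))
```

Run against the weak fragment it reports the optional verification, the blank trust store and the three ECDSA/DSS suites the RSA key can never use; the hardened fragment produces no findings. The `jvm_truststore_override` check is the quickest way to confirm or rule out Chris's hypothesis that a JVM-wide trust store is being shared between Tomcat and the SiteMinder client.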