Jon,
On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
Chris,
Moving this discussion here. Yes, it appears that I broke something when
setting up the Tomcat Connector for mod_proxy that is now somehow affecting
the SSL communication with the SiteMinder services. Here is the connector
we added, below.
The only reason I can think of that would cause your Tomcat TLS
connector configuration to affect your SiteMinder thing is if you are
trying to specify the javax.net.ssl.trustStore system property for the
entire JVM, and allowing Tomcat to inherit that.
I have temporarily set certificateVerification to optional to see if
it was something with the communication between HTTPD and Tomcat.
    <Connector port="8305" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="100"
               compression="on" scheme="https" SSLEnabled="true" secure="true">
        <SSLHostConfig protocols="TLSv1.2" certificateVerification="optional"
                       truststoreFile="" truststorePassword="" truststoreType="JKS"
                       ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
                                TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                                TLS_DHE_RSA_WITH_AES_128_CCM,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
                                TLS_DHE_RSA_WITH_AES_128_CCM_8,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                                TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                                TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
            <Certificate Type="RSA"
                         certificateKeystoreFile="<certificate>.pfx" certificateKeystorePassword=""
                         certificateKeystoreType="pkcs12" />
        </SSLHostConfig>
    </Connector>

Assuming truststoreFile is not actually _blank_, then this should be fine.

Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for
you, since you are using only an RSA key.
Is your SiteMinder client code using its own special trust store and key
store? If you are getting a handshake failure (mentioned in your message
to dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException:
Received fatal alert: bad_certificate error"), you might want to start
looking there. The problem is very unlikely to be your Tomcat
configuration or anything related to it, unless you use the same key
store and trust store for both.
-chris
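As an added illustration of the two points Chris raises (a per-connector truststoreFile versus the JVM-wide javax.net.ssl.trustStore system property, and ECDSA suites being dead weight when the only certificate is RSA), here is a small audit script. It is not Tomcat code and not from the thread: the embedded server.xml and CATALINA_OPTS are constructed to resemble the posted connector (shortened cipher list, placeholder paths), and the function names are my own. The fallback it reports for a blank truststoreFile is the one documented for SSLHostConfig (javax.net.ssl.trustStore, else the JRE cacerts).

```python
"""Audit a Tomcat server.xml TLS connector for the points raised in this thread.

Added example, not Tomcat's code. SAMPLE_SERVER_XML and SAMPLE_CATALINA_OPTS
are constructed to mirror the posted connector; paths are placeholders.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: same shape as the posted connector, shortened cipher
# list, placeholder keystore path (the real one was redacted in the post).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8305" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="100" compression="on" scheme="https" SSLEnabled="true" secure="true">
      <SSLHostConfig protocols="TLSv1.2" certificateVerification="optional"
                     truststoreFile="" truststorePassword="" truststoreType="JKS"
                     ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                              TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                              TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256">
        <Certificate type="RSA" certificateKeystoreFile="conf/server.pfx"
                     certificateKeystorePassword="" certificateKeystoreType="pkcs12" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample of what bin/setenv.sh might export as CATALINA_OPTS.
SAMPLE_CATALINA_OPTS = (
    "-Xmx2g -Djavax.net.ssl.trustStore=/opt/tomcat/conf/truststore.jks "
    "-Djavax.net.ssl.trustStorePassword=changeit"
)

# Tomcat Certificate 'type' -> signature algorithm that key can authenticate with.
KEY_TYPE_TO_AUTH = {"RSA": "RSA", "EC": "ECDSA", "DSA": "DSS"}


def suite_auth(suite):
    """Authentication algorithm named by an IANA TLS 1.2 suite, or None.

    TLS_ECDHE_ECDSA_WITH_... -> 'ECDSA', TLS_DHE_RSA_WITH_... -> 'RSA',
    TLS_RSA_WITH_... -> 'RSA'. TLS 1.3 names (TLS_AES_128_GCM_SHA256) have no
    _WITH_ and bind no signature algorithm, so None is returned.
    """
    if "_WITH_" not in suite:
        return None
    return suite.split("_WITH_", 1)[0].split("_")[-1]


def ciphers_unusable_with(ciphers, key_types):
    """Suites that none of the configured certificate key types can ever serve."""
    usable_auth = {KEY_TYPE_TO_AUTH[k] for k in key_types if k in KEY_TYPE_TO_AUTH}
    unusable = []
    for suite in (s.strip() for s in ciphers.split(",") if s.strip()):
        auth = suite_auth(suite)
        if auth is not None and auth not in usable_auth:
            unusable.append(suite)
    return unusable


def jvm_wide_truststore(jvm_opts):
    """Path given by -Djavax.net.ssl.trustStore in a JVM options string, or None.

    The property is JVM-wide: it is the default truststoreFile for every
    SSLHostConfig that sets none, and any client library in the same JVM that
    relies on the JSSE default trust manager sees it too.
    """
    for token in shlex.split(jvm_opts):
        if token.startswith("-Djavax.net.ssl.trustStore="):
            return token.split("=", 1)[1]
    return None


def audit(server_xml, jvm_opts=""):
    """One finding string per issue across all SSL-enabled connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled") != "true":
            continue
        for host in connector.iter("SSLHostConfig"):
            where = f"port {connector.get('port')} host {host.get('hostName', '_default_')}"
            if host.get("certificateVerification", "none") == "optional":
                findings.append(f"{where}: certificateVerification=optional, a client "
                                "presenting no certificate is still accepted")
            if not host.get("truststoreFile"):
                findings.append(f"{where}: truststoreFile blank, Tomcat falls back to "
                                "javax.net.ssl.trustStore or the JRE cacerts")
            # The posted config spelt the attribute 'Type'; accept both spellings.
            key_types = [c.get("type") or c.get("Type") or "UNDEFINED"
                         for c in host.iter("Certificate")]
            if key_types and "UNDEFINED" not in key_types:  # unknown type: skip
                for suite in ciphers_unusable_with(host.get("ciphers", ""), key_types):
                    findings.append(f"{where}: {suite} can never be negotiated with "
                                    f"key type(s) {','.join(key_types)}")
    path = jvm_wide_truststore(jvm_opts)
    if path:
        findings.append(f"JVM-wide trust store {path} set via -D, shared by every "
                        "TLS client in this JVM, not just Tomcat's connectors")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_XML, SAMPLE_CATALINA_OPTS):
        print(finding)
```

Run against the constructed sample it reports the optional verification, the blank truststoreFile, the two suites (ECDHE_ECDSA and DHE_DSS) that an RSA-only certificate can never negotiate, and the JVM-wide trust store from CATALINA_OPTS. The last finding is the one to chase for a bad_certificate alert from an unrelated client library: if that -D is present, every JSSE client in the JVM is verifying against that file, not just the connector.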
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org