Could this potentially be caused by
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
But not using Tomcat Native?
Thanks,
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are
not the addressee or authorized to receive this for the addressee, you must not
use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you for
your cooperation.
> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH)
> <thomas.hoffm...@speed4trade.com.INVALID>
> Sent: Wednesday, July 13, 2022 11:28 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: AW: [OT] issues with Tomcat to Siteminder communication post
> mod-proxy setup
>
> Hello,
>
> > -----Ursprüngliche Nachricht-----
> > Von: jonmcalexan...@wellsfargo.com.INVALID
> > <jonmcalexan...@wellsfargo.com.INVALID>
> > Gesendet: Mittwoch, 13. Juli 2022 18:17
> > An: users@tomcat.apache.org
> > Betreff: RE: [OT] issues with Tomcat to Siteminder communication post
> > mod- proxy setup
> >
> > Here is the error we are getting. The login form, hosted by Tomcat,
> > does a POST to the /login/login.fcc for siteminder which is on the
> > HTTPD server and is not behind the proxypass or proxypassreverse.
> >
> > javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12
> > 13:12:49.399
> > PDT|SSLSocketImpl.java:1615|close the SSL connection (passive) <class>
> > PDT|12
> > Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: <app>
> > Unable to get Channel Secure Session: Unable to perform siteminder
> > handshake
> > java.lang.Exception: Unable to perform siteminder handshake
> >
> > Our SiteMinder team is telling us it's not their issue. Again, this
> > POST worked fine when using mod_jk and SSL wasn't enabled for
> connection on Tomcat.
> >
> > Thanks,
> >
>
> This error message is most likely thrown by the application and not by
> tomcat.
> The underlying error would be important including the full stack below.
> Are there some "caused by" Exceptions below?
> Otherwise the siteminder application is hiding the underlying Exception.
>
>
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information.
> > If you are not the addressee or authorized to receive this for the
> > addressee, you must not use, copy, disclose, or take any action based
> > on this message or any information herein. If you have received this
> > message in error, please advise the sender immediately by reply e-mail
> > and delete this message. Thank you for your cooperation.
> >
> >
> > > -----Original Message-----
> > > From: jonmcalexan...@wellsfargo.com.INVALID
> > > <jonmcalexan...@wellsfargo.com.INVALID>
> > > Sent: Tuesday, July 12, 2022 5:22 PM
> > > To: users@tomcat.apache.org
> > > Subject: RE: [OT] issues with Tomcat to Siteminder communication
> > > post
> > > mod- proxy setup
> > >
> > > I'm wondering if it is having to do with the SMSESSION cookie not
> > > getting passed correctly. Still trying to figure this one out.
> > >
> > > Thanks,
> > >
> > > Dream * Excel * Explore * Inspire
> > > Jon McAlexander
> > > Senior Infrastructure Engineer
> > > Asst. Vice President
> > > He/His
> > >
> > > Middleware Product Engineering
> > > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> > >
> > > 8080 Cobblestone Rd | Urbandale, IA 50322
> > > MAC: F4469-010
> > > Tel 515-988-2508 | Cell 515-988-2508
> > >
> > > jonmcalexan...@wellsfargo.com
> > > This message may contain confidential and/or privileged information.
> > > If you are not the addressee or authorized to receive this for the
> > > addressee, you must not use, copy, disclose, or take any action
> > > based on this message or any information herein. If you have
> > > received this message in error, please advise the sender immediately
> > > by reply e-mail and delete this message. Thank you for your cooperation.
> > >
> > > > -----Original Message-----
> > > > From: Christopher Schultz <ch...@christopherschultz.net>
> > > > Sent: Tuesday, July 12, 2022 9:16 AM
> > > > To: users@tomcat.apache.org
> > > > Subject: Re: [OT] issues with Tomcat to Siteminder communication
> > > > post
> > > > mod- proxy setup
> > > >
> > > > Jon,
> > > >
> > > > On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > > > Chris,
> > > > >
> > > > > Moving this discussion to here. Yes, it appears that I broke
> > > > > something when
> > > > setting up the Tomcat Connector for the mod-proxy that is now
> > > > affecting, somehow, the SSL communication with the Site Minder
> > > > services. Here is the connector we added below.
> > > >
> > > > The only reason I can think of that would cause your Tomcat TLS
> > > > connector configuration to affect your SiteMinder thing is if you
> > > > are trying to specify the javax.net.ssl.trustStore system property
> > > > for the entire JVM, and allowing Tomcat to inherit that.
> > > >
> > > > > Temporarily have set certificateVerification to optional to see
> > > > > if it was something with the communication between HTTPD and
> Tomcat.
> > > > >
> > > > > <Connector port="8305"
> > > > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > > maxThreads="100"
> > > > > compression="on" scheme="https" SSLEnabled="true"
> secure="true">
> > > > >
> > > > > <SSLHostConfig protocols="TLSv1.2"
> > > > certificateVerification="optional" truststoreFile=""
> > truststorePassword=""
> > > > truststoreType="JKS"
> > > > >
> > > > > ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > > >
> > > > Assuming truststoreFile is not actually _blank_, then this should be
> > > > fine.
> > > >
> > > > >
> > > > > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > > > >
> > > > > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > > > > TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> > > > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > > > >
> > > > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> > > > >
> > > > > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > > > > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> > > > > TLS_DHE_RSA_WITH_AES_128_CCM,
> > > > > TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
> > > > > TLS_DHE_RSA_WITH_AES_128_CCM_8,
> > > > >
> > > > > TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
> > > > >
> > > > > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > > > >
> > > > > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > > > >
> > > > > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
> > > > >
> > > > > <Certificate
> > > > > Type="RSA" certificateKeystoreFile="<certificate>.pfx"
> > > > > certificateKeystorePassword="" certificateKeystoreType="pkcs12"
> > > > > />
> > > >
> > > > Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything
> > > > for you, since you are using only an RSA key.
> > > >
> > > > Is your SiteMinder client code using its own special trust store
> > > > and key
> > > store?
> > > > If you are getting a handshake failure (mentioned in your message
> > > > to dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException:
> > > > Received fatal alert: bad_certificate error"), you might want to
> > > > start looking there. The problem is very unlikely to be your
> > > > Tomcat configuration or anything related to it, unless you use the
> > > > same key store and trust store for both.
> > > >
> > > > -chris
> > > >
> > > > ------------------------------------------------------------------
> > > > --
> > > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> > > --------------------------------------------------------------------
> > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
