Jon,

On 7/13/22 12:16, jonmcalexan...@wellsfargo.com.INVALID wrote:
Here is the error we are getting. The login form, hosted by Tomcat, does a POST 
to the /login/login.fcc for siteminder which is on the HTTPD server and is not 
behind the proxypass or proxypassreverse.

javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399 
PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
<class> 12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: 
<app>  Unable to get Channel Secure Session: Unable to perform siteminder handshake
java.lang.Exception: Unable to perform siteminder handshake

Our SiteMinder team is telling us it's not their issue. Again, this POST worked 
fine when using mod_jk and SSL wasn't enabled for connection on Tomcat.

When you migrated from mod_jk -> mod_proxy, did you arrange to have all SSL information forwarded over the connection? mod_jk with the AJP connector handles a lot of that magic for you, but mod_proxy does not by default.

Have a look at this presentation, starting around slide 30: https://tomcat.apache.org/presentations.html#latest-migrate-ajp-http

If your users are using TLS client certs with httpd, they may not be sent over to Tomcat and will therefore be unavailable for use from Tomcat -> SiteMinder. You can fix this with some SSLProxySomethingOrOther directives on the httpd side and the SSLValve on the Tomcat side. Note that if you aren't using SSLValve you probably are *also* not using RemoteIPValve, which you probably want to use.

-chris
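To make the SSLValve / RemoteIPValve advice above concrete, here is an added server.xml fragment (example code, not from this thread or from the Tomcat project) for the Tomcat side of an httpd mod_proxy front end, with the httpd directives it expects listed in the leading comment. The header names are the valves' defaults; the 127.0.0.1 proxy address, the Engine/Host names and the exact httpd directives are assumptions to check against your own httpd and Tomcat versions.

```xml
<!-- Added example: Tomcat behind httpd mod_proxy, with TLS details forwarded.
     Assumes httpd (mod_ssl + mod_headers + mod_proxy_http) is configured
     roughly like this in the proxied location:
       SSLOptions +StdEnvVars +ExportCertData
       RequestHeader set SSL_CLIENT_CERT       "%{SSL_CLIENT_CERT}s"
       RequestHeader set SSL_CIPHER            "%{SSL_CIPHER}s"
       RequestHeader set SSL_SESSION_ID        "%{SSL_SESSION_ID}s"
       RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"
       RequestHeader set X-Forwarded-Proto     "https"
     "RequestHeader set" replaces any copy of these headers a browser sent,
     so httpd is the only source of them that Tomcat ever sees. -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- Restore the real client address and the https scheme. The forwarded
       headers are honoured only when the request arrives from an address
       matching internalProxies (the httpd host), so a client that reaches
       the 8305 connector directly cannot spoof its address or scheme. -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="127\.0\.0\.1"
         remoteIpHeader="X-Forwarded-For"
         protocolHeader="X-Forwarded-Proto"
         protocolHeaderHttpsValue="https" />

  <!-- Rebuild javax.servlet.request.X509Certificate and the cipher, key size
       and session id request attributes from the headers httpd set above.
       Without this the webapp sees no client certificate even though the
       browser presented one to httpd. SSLValve does NOT check who sent the
       headers, so the 8305 connector must be reachable only from httpd
       (bind it to an internal address and/or firewall it). -->
  <Valve className="org.apache.catalina.valves.SSLValve"
         sslClientCertHeader="ssl_client_cert"
         sslCipherHeader="ssl_cipher"
         sslSessionIdHeader="ssl_session_id"
         sslCipherUserKeySizeHeader="ssl_cipher_usekeysize" />

  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
</Engine>
```

After restarting both sides, a request through httpd with a client cert should show the certificate in request.getAttribute("javax.servlet.request.X509Certificate") and the browser's address in request.getRemoteAddr(), while the same request sent straight to port 8305 shows neither.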

-----Original Message-----
From: jonmcalexan...@wellsfargo.com.INVALID <jonmcalexan...@wellsfargo.com.INVALID>
Sent: Tuesday, July 12, 2022 5:22 PM
To: users@tomcat.apache.org
Subject: RE: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

I'm wondering if it is having to do with the SMSESSION cookie not getting
passed correctly. Still trying to figure this one out.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you
are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, July 12, 2022 9:16 AM
To: users@tomcat.apache.org
Subject: Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

Jon,

On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
Chris,

Moving this discussion to here. Yes, it appears that I broke something when
setting up the Tomcat Connector for the mod-proxy that is now affecting,
somehow, the SSL communication with the SiteMinder services. Here is the
connector we added below.

The only reason I can think of that would cause your Tomcat TLS
connector configuration to affect your SiteMinder thing is if you are
trying to specify the javax.net.ssl.trustStore system property for the
entire JVM, and allowing Tomcat to inherit that.

Temporarily have set certificateVerification to optional to see if
it was something with the communication between HTTPD and Tomcat.

    <Connector port="8305"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="100"
               compression="on" scheme="https" SSLEnabled="true" secure="true">

        <SSLHostConfig protocols="TLSv1.2"
                       certificateVerification="optional"
                       truststoreFile="" truststorePassword="" truststoreType="JKS"
                       ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
                                TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                                TLS_DHE_RSA_WITH_AES_128_CCM,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
                                TLS_DHE_RSA_WITH_AES_128_CCM_8,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                                TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                                TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">

Assuming truststoreFile is not actually _blank_, then this should be fine.

            <Certificate Type="RSA"
                         certificateKeystoreFile="<certificate>.pfx"
                         certificateKeystorePassword=""
                         certificateKeystoreType="pkcs12" />

Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for
you, since you are using only an RSA key.

Is your SiteMinder client code using its own special trust store and key
store?
If you are getting a handshake failure (mentioned in your message to
dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException:
Received fatal alert: bad_certificate error"), you might want to start
looking there. The problem is very unlikely to be your Tomcat
configuration or anything related to it, unless you use the same key
store and trust store for both.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
