Thanks for the reply, PID. I will have to post the full stack tomorrow. No error messages about the connector during startup. I think you are right, though, with regard to the outbound: the applications do make requests to other servers and/or apps. The odd thing is, apache does not throw any errors even in debug mode. If apache is handling all things authentication, I don't understand why tomcat would be complaining about certs. Would the response from the outbound connection be the issue? Also, if I do not "force" common access cards it works fine. I will post the full stack tomorrow. Cheers!
On Fri, Jan 14, 2011 at 5:12 PM, Pid <p...@pidster.com> wrote:

> On 1/14/11 10:31 PM, g f wrote:
> > Hello all,
> > Not sure if this is the proper area to post but here goes.
> > I have a debian os running Apache 2.2.16(debian) along with tomcat 6.0.29. I
> > use mod_jk as well as mod_auth_kerb module for apache.
> >
> > I use common access cards and allow apache kerb module to handle all auth
> > and it works just fine except when I access some of my apps that have ajax
> > calls back to the same server. Now if I force common access card in apache I
> > get errors in catalina.out as follows:
> >
> > javax.net.ssl.SSLHandshakeException: Received fatal alert:
> > handshake_failure.
> >
> > Now as I said I don't do any auth at the tomcat level, it's all done at the
> > apache level. It seems like tomcat is trying to validate the client certs
> > that mod_jk is passing along. The question is, how do I tell tomcat to
> > ignore the client certs?
> >
> > I only have the AJP connector active in tomcat and it looks like the
> > following:
> >
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
> > tomcatAuthentication="false" clientAuth="false" SSLVerifyClient="false" />
> >
> > Any ideas?
>
> Umm, that sounds odd.
>
> Do you get any messages about the connector during server startup?
>
> Do you get a stacktrace or just a log message? What is the full log
> line or stack?
>
> > If there is an easy way to accept the client certs (even though I do nothing
> > with them) then I could do that as well.
>
> Are you sure it's not due to an outbound connection attempt from some
> part of your app?
>
> p
>
> > Thanks for any advice and sorry if this is not the correct forum for this.