mod_jk is a bit old ... now there's proxy_ajp with apache 2.2. Anyway,
SSL configuration took me a long time to debug. So I've written a
personal doc on this, based on the CAS SSL "theory" that you'll find here:
http://www.ja-sig.org/wiki/display/CASUM/X.509+Certificates
http://www-public.it-sudparis.eu/~procacci/wiki/bin/view/Documentations/InstallCasv3C5#5.4%20Certification%20avec%20la%20PKI%20IT
Our case was specific, because we run our own PKI with 3 levels of
certificate hierarchy, so the truststore on the cas server side was our
problem, specifically when using proxy-cas clients!
On the apache side, the classical ssl.conf made it run without difficulties:
# server certificate
SSLCertificateFile /etc/pki/tls/certs/server_tmsp_long.pem
# private key
SSLCertificateKeyFile /etc/pki/tls/private/server_tmsp.key
# our pki bundle (the intermediate CA certificates sent to clients)
SSLCertificateChainFile /etc/pki/tls/certs/ca-chain-institut-telecom.crt
# CA root
SSLCACertificateFile /etc/pki/tls/certs/itrootca.crt
# large enough !
SSLVerifyDepth 10
About 8443 -> 443 redirection, we now use xinetd redirection
capabilities instead of mod_jk/proxy_ajp, cf
[EMAIL PROTECTED] /etc/xinetd.d]# cat cas
# default: off
service https
{
disable = no
socket_type = stream
wait = no
user = root
bind = 157.159.11.110
redirect = 157.159.11.110 8443
log_on_failure += ATTEMPT
}
if it helps ...
Guss, Erik wrote:
> Hi,
> I'm trying to work out SSL issues. My environment is apache
> 2.3/mod_jk/mod_ssl passing cas requests to tomcat CAS server on port
> 8080 via worker config in apache. This works as per the install docs
> via the https:// protocol.
>
> When I try to use a cas client other than a browser, i.e. - apache
> mod_auth_cas, the error log says "Unable to perform SSL handshake with
> (cas server)".
>
> I've seen conflicting documentation on this issue. The tomcat install
> docs indicate that if running tomcat "behind" apache via mod_jk, then
> only apache needs SSL functionality. There are also docs for
> mod_auth_cas which explain how to configure the client mod_auth_cas
> with the CA cert of the cas server, but only when tomcat is
> ssl-enabled, not running behind apache-ssl. I've tried adding the
> apache-ssl CA cert to the client machine, with no better results.
>
> Has anyone configured mod_auth_cas against an apache-ssl server
> working via mod_jk to tomcat/CAS behind it?
>
> Thanks, Erik Guss - Montana State Univ.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
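The point of the reply above is that with a multi-level PKI the CAS client (mod_auth_cas, or the Java truststore of a proxy-CAS client) can only validate the front-end Apache certificate if the intermediate CA certificates reach it, which is what SSLCertificateChainFile provides. The following script is an added illustration and is not part of the thread: it builds a throwaway three-level PKI (root CA -> intermediate CA -> server certificate) with the openssl command line and checks the server certificate once with the root alone and once with the intermediate supplied as chain material. All file names, subjects and the hostname cas.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: a constructed three-level PKI
# used to show why a client that trusts only the root CA still needs the
# intermediate certificate(s) to validate the server certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA. Extensions come from an explicit file so the result
# does not depend on the contents of the system openssl.cnf.
gen_root() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile root.ext -out root.pem >/dev/null 2>&1
}

# Intermediate CA signed by the root; pathlen:0 limits it to issuing
# end-entity certificates.
gen_intermediate() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile inter.ext -out inter.pem >/dev/null 2>&1
}

# Server certificate signed by the intermediate: the front-end Apache cert.
gen_server() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cas.example.test\n' > server.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=cas.example.test" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -extfile server.ext -out server.pem >/dev/null 2>&1
}

# Client trusts only the root and sees only the server cert: no path to the
# root can be built, so the check fails (non-zero exit). This is the
# situation behind a client-side "Unable to perform SSL handshake".
verify_root_only() {
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# Client trusts the root and also receives the intermediate as untrusted
# chain material, which is what SSLCertificateChainFile makes Apache send.
# Exit status 0 means the chain validates.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem server.pem >/dev/null 2>&1
}

gen_root
gen_intermediate
gen_server

if verify_root_only; then
  echo "root only: accepted (unexpected)"
else
  echo "root only: rejected, intermediate CA missing from the chain"
fi
if verify_with_chain; then
  echo "root + intermediate: accepted"
fi
```

The intermediate is passed with -untrusted on purpose: only the root lives in the client's truststore, the intermediate merely has to be available to build the path, exactly as in the SSLCertificateChainFile / SSLCACertificateFile split in the ssl.conf above. For a proxy-CAS client running in Java the same root certificate is what goes into the JVM truststore; the intermediates still have to be served by Apache.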