Hi Suzan,
I'm not very familiar with this issue, but I have tried several things out
along this line.
 
1) What servlet engine are you using? This affects the way you access the
client certificate information.
2) I think you have to force the client browser to submit the certificate
information by configuring Apache to require a certificate as follows:
 
#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10
 
#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

3) As far as I'm aware, if you are using JServ, the only way for the web server
to hand over the SSL variables is with the following SSLOptions in your Apache
configuration:
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLOptions +StdEnvVars
<Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/1.3.12/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
<Directory "yourDirectoryRequiringClientCertificate">
    SSLOptions +StdEnvVars
</Directory>
 
4) Again if you are using JServ, you have to configure it to support the
handover of SSL variables in jserv.conf:
ApJServEnvVar SSL_SESSION_ID SSL_SESSION_ID
ApJServEnvVar SSL_SERVER_CERTIFICATE SSL_SERVER_CERTIFICATE
ApJServEnvVar SSL_CLIENT_CERTIFICATE SSL_CLIENT_CERTIFICATE
ApJServEnvVar SSL_PROTOCOL SSL_PROTOCOL

5) And finally, the following link demonstrates retrieving the SSL
variables (not the certificate) from a servlet:
https://ma-planete.net/servlets/SuperSnoop

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
Ed Yu, IBM Certified Specialist - AIX System Administrator 
Information Technology Manager, 
University of South Carolina, 
Advanced Solutions Group, Physics Dept., 
Columbia, SC 29208 
Office (803)777-8831, FAX (803)777-8833, Email [EMAIL PROTECTED] 
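A servlet that puts steps 2 to 4 above together on the Java side, as an added example that is not code from either message in this thread. It assumes the Location serving the servlet carries SSLVerifyClient require and SSLOptions +StdEnvVars +ExportCertData (the +ExportCertData flag is what makes mod_ssl emit the client certificate itself, as PEM, under the name SSL_CLIENT_CERT), that a JServ setup lists that variable with ApJServEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT and exposes it through request.getAttribute (an assumption about JServ's behaviour), and that the partner table is represented by the hypothetical REGISTERED_FINGERPRINTS set. The class name and the zeroed placeholder fingerprint are inventions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

/*
 * Added example, not code from the mailing-list thread. Assumes Apache has
 *   SSLVerifyClient require  and  SSLOptions +StdEnvVars +ExportCertData
 * on the servlet's Location and, for JServ, ApJServEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT.
 */
public class ClientCertCheckServlet extends HttpServlet {

    // Servlet 2.2 attribute: java.security.cert.X509Certificate[] with the client cert at index 0.
    static final String ATTR_SERVLET22 = "javax.servlet.request.X509Certificate";
    // Pre-2.2 name used in the original post; some engines return a different array type here,
    // in which case the PEM route below is the one that works.
    static final String ATTR_LEGACY = "javax.net.ssl.peer_certificates";
    // mod_ssl exports the client certificate as PEM under this name when +ExportCertData is set;
    // assumed here to arrive as a request attribute via ApJServEnvVar on JServ.
    static final String ENV_CLIENT_CERT = "SSL_CLIENT_CERT";

    // Hypothetical stand-in for the poster's partner table: SHA-256 fingerprints of the
    // registered certificates (lower-case hex, no colons). Matching the fingerprint rather
    // than the subject DN matters because any CA in ca-bundle.crt could issue a certificate
    // carrying the same name.
    static final Set<String> REGISTERED_FINGERPRINTS = new HashSet<String>(Arrays.asList(
        "0000000000000000000000000000000000000000000000000000000000000000"));

    /** Returns the presented client certificate, or null when nothing reached the servlet. */
    static X509Certificate clientCertificate(HttpServletRequest req) throws CertificateException {
        for (String name : new String[] { ATTR_SERVLET22, ATTR_LEGACY }) {
            Object attr = req.getAttribute(name);
            if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
                return ((X509Certificate[]) attr)[0];
            }
        }
        // Fall back to the PEM text mod_ssl exported (the route that works with JServ).
        Object pem = req.getAttribute(ENV_CLIENT_CERT);
        if (pem instanceof String && ((String) pem).startsWith("-----BEGIN CERTIFICATE-----")) {
            return parsePem((String) pem);
        }
        return null;
    }

    static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    static String sha256Fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(64);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            X509Certificate cert = clientCertificate(req);
            if (cert == null) {
                // Either the browser never sent one (SSLVerifyClient optional/none on this path)
                // or Apache did not export it (+ExportCertData or the ApJServEnvVar line missing).
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no client certificate presented");
                return;
            }
            cert.checkValidity();   // mod_ssl already verified chain and dates; cheap to re-check
            String fp = sha256Fingerprint(cert);
            if (!REGISTERED_FINGERPRINTS.contains(fp)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "certificate not registered for " + cert.getSubjectX500Principal().getName());
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("accepted " + cert.getSubjectX500Principal().getName()
                + " issued by " + cert.getIssuerX500Principal().getName());
        } catch (GeneralSecurityException e) {
            throw new ServletException("client certificate could not be processed", e);
        }
    }
}
```

To register a partner, compute the value to store from their certificate file with `openssl x509 -in partner.pem -noout -fingerprint -sha256`, drop the colons and lower-case it. A null from clientCertificate() on a path guarded by SSLVerifyClient require is a configuration problem, not a missing browser certificate: the handshake would have been refused before the request reached the servlet, so check the +ExportCertData and ApJServEnvVar lines first.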

 

-----Original Message-----
From: suzan ehdaie [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 02, 2000 1:46 PM
To: [EMAIL PROTECTED]
Subject: Trying to retrieve the VeriSign certificate from a Java servlet


Hello,
 
I have installed a VeriSign certificate on the web browser under my
name. Upon sending a request from the Netscape web browser to
a certain java servlet, this certificate needs to be passed along with
this request.  I want to retrieve this certificate from the java servlet
where the request is going to, however, the certificate object in java
is null. I have 3 questions:
 
1. How can I make sure that the certificate is being sent with the request?
 
2. If the certificate is being sent with the request, is the process in
which to retrieve the certificate correct?
Here is the Java code sample that I am using:
 
        // Needed at the top of the servlet source:
        //   import java.security.cert.X509Certificate;
        //   import javax.servlet.http.HttpServletRequest;
        // This fragment runs inside the servlet's doGet/doPost, where req is the
        // HttpServletRequest parameter and Util.debug is the poster's own logging helper.

        // Need to get the certificate from the request.
        // If this certificate is in the database table for
        // a particular partner, then we accept this request.
        // The attribute names are the pre-Servlet-2.2 ones; Servlet 2.2+ engines
        // use "javax.servlet.request.cipher_suite" and
        // "javax.servlet.request.X509Certificate" instead.
        String cipherSuite = (String) req.getAttribute("javax.net.ssl.cipher_suite");
        Util.debug("Cipher Suite: " + cipherSuite);

        if (cipherSuite != null)
        {
            X509Certificate certChain[] =
                (X509Certificate[]) req.getAttribute("javax.net.ssl.peer_certificates");
            if (certChain != null)
            {
                for (int i = 0; i < certChain.length; i++) {
                    Util.debug("Client Certificate [" + i + "] = " + certChain[i].toString());
                }
            }
        }
 
3. We are using the Apache web server and the httpd.conf is configured with:
 
SSLVerifyClient none
SSLCACertificatePath    /usr/local/apache/conf/ssl.crt
SSLCACertificateFile    /usr/local/apache/conf/ssl.crt/ca-bundle.crt
<Location /bin/ThirdPartyInterface>
SSLVerifyClient require
#SSLOptions +ExportCertData
#SSLOptions +FakeBasicAuth +ExportCertData
SSLVerifyDepth  10
</Location>  
 
 
Any feedback is greatly appreciated.
 
--suzan
 

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
