Apache2 + tomcat6 + SSL with client certificate

2007-10-05 Thread Josué Alcalde González
Hello.

I would like to get some advice about a new application I am developing.

It needs SSL with a client certificate, and it will be written in Java and
deployed in Tomcat 6 with Java 6.

The server will be shared with other applications in Java, PHP and
perhaps others.

Now, it is an Ubuntu 6.06 server with an Apache 2.0 installation, Tomcat
6.0 and mod_jk 1.2.14.

There are some applications written in PHP and a Java application. The
Java application is served by Apache using mod_jk. It uses SSL but it
doesn't need a client certificate. SSL is only configured in Apache.
Tomcat 6 uses normal connections (8080, 8009), which are closed.

This works perfectly, but my next application will need client auth using
an X509Certificate, and I need a way to get it in my Servlets.

I have read some documentation found on Google and I have tried it.

First, I configured a Virtual Host with Apache:

-
<VirtualHost *:443>
ServerAdmin [EMAIL PROTECTED]
ServerSignature On

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLVerifyClient optional_no_ca

JkExtractSSL On
JkMount /ovt ajp13_worker
JkMount /ovt/* ajp13_worker
</VirtualHost>
-

Then, I made a Servlet to try it:

---
// Display the cipher suite in use
String cipherSuite = (String)
request.getAttribute("javax.net.ssl.cipher_suite");
out.println("Cipher Suite: " + cipherSuite);

// Display the client's certificates, if there are any
if (cipherSuite != null) {
  X509Certificate certChain[] = (X509Certificate[])
request.getAttribute("javax.net.ssl.peer_certificates");
  if (certChain != null) {
    for (int i = 0; i < certChain.length; i++) {
      out.println("Client Certificate [" + i + "] = " +
        certChain[i].toString());
    }
  }
}
---

And it didn't work. CipherSuite is always null.

I haven't configured anything in Tomcat. As I have read, it should work,
but it is obvious I am missing something.

I would rather manage SSL with Apache than use Java keystores,
if it is possible.

Also, I would like to have an application which does not need Apache to
work and which works perfectly in Tomcat standalone.


-- 
___
Josué Alcalde González
[EMAIL PROTECTED]
Dpto. Desarrollo

CSA - Centro Regional de Servicios Avanzados
C/ López Bravo, 1
Pol. Ind. Villalonquéjar (Burgos)

Tel. (+34) 947 256 250
Fax. (+34) 947 256 583

Web: http://www.csa.es



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Apache2 + tomcat6 + SSL with client certificate

2007-10-05 Thread Josué Alcalde González
Finally, by debugging and trial and error, I have got the correct
configuration.

--
<VirtualHost *:443>
ServerAdmin [EMAIL PROTECTED]
ServerSignature On

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLVerifyClient optional_no_ca
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +ExportCertData +StdEnvVars

JkExtractSSL On
JkMount /ovt ajp13_worker
JkMount /ovt/* ajp13_worker
</VirtualHost>
--


And then, these attributes are available in the request:
javax.servlet.request.X509Certificate
javax.servlet.request.ssl_session
javax.servlet.request.cipher_suite

For example:

request.getAttribute("javax.servlet.request.cipher_suite");

Hope it helps.



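As an added example (not code from the thread), a servlet that reads the attributes listed above and, because SSLVerifyClient optional_no_ca lets Apache pass through a certificate it has not checked against any CA, validates the chain itself; the same javax.servlet.request.X509Certificate attribute is set by Tomcat's own SSL connector, so it also runs standalone. Assumed: a trust anchor set filled from a truststore elsewhere, and no CRL/OCSP checking.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class ClientCertServlet extends HttpServlet {
    // Attribute names populated by mod_jk after JkExtractSSL On and
    // SSLOptions +ExportCertData (the names from the thread above).
    static final String ATTR_CERT = "javax.servlet.request.X509Certificate";
    static final String ATTR_CIPHER = "javax.servlet.request.cipher_suite";

    // Assumption: filled from a truststore holding the issuing CA elsewhere.
    private final Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String cipher = (String) req.getAttribute(ATTR_CIPHER);
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(ATTR_CERT);
        if (cipher == null || chain == null || chain.length == 0) {
            // optional_no_ca lets the handshake succeed with no certificate,
            // so "no chain" must be treated as unauthenticated here.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            validate(chain);
        } catch (GeneralSecurityException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not trusted");
            return;
        }
        String subject = chain[0].getSubjectX500Principal().getName();
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as " + subject + " over " + cipher);
    }

    // Apache did not verify the chain against any CA; do it with PKIX here.
    private void validate(X509Certificate[] chain) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trustAnchors); // throws if empty
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP in this setup
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }
}
```

The posted SSLCipherSuite also still permits eNULL, EXP, LOW and SSLv2; restrict that in Apache rather than compensating for it in the servlet.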

Re: Apache2 + tomcat6 + SSL with client certificate

2007-10-05 Thread bob . smith

I have never used Apache in that way, but I myself use SSL in Tomcat on port 8443. I
have a redirect port set up in the config section for port 8080, which points to
8443 (SSL), and the application runs on that port, secured. About X509 I have no
idea. In case you are not bound to use X509, you can use SSL out of the box with
Tomcat. You need to generate the certificate, set the redirect port (so that a
hit to your application goes to 8443 and not 8080; you don't want both), and set up
your application to use SSL (in web.xml). Have a look at the documentation on
Tomcat in the Tomcat docs (section SSL; it is explained there in detail). Hope
this helps.

G
