Apache2 + tomcat6 + SSL with client certificate
Hello. I would like to get some advice about a new application I am developing. It needs SSL with client certificate and it will be written in Java and deployed in Tomcat 6 with Java 6. The server will be shared with other applications in Java, PHP and perhaps others.

Now, it is an Ubuntu 6.06 server with an Apache 2.0 installation, a Tomcat 6.0 and a mod_jk 1.2.14. There are some applications written in PHP and a Java application. The Java application is served by Apache using mod_jk. It uses SSL but it doesn't need a client certificate. SSL is only configured in Apache. Tomcat 6 uses normal connections (8080, 8009) which are closed.

This works perfectly, but my next application will need client auth using an X509Certificate and I need a way to get it in my Servlets. I have read some documentation on Google and I have tried it.

First, I configured a Virtual Host with Apache:

---
<VirtualHost *:443>
    ServerAdmin [EMAIL PROTECTED]
    ServerSignature On
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLVerifyClient optional_no_ca
    JkExtractSSL On
    JkMount /ovt ajp13_worker
    JkMount /ovt/* ajp13_worker
</VirtualHost>
---

Then, I made a Servlet to try it:

---
// Display the cipher suite in use
String cipherSuite = (String) request.getAttribute("javax.net.ssl.cipher_suite");
out.println("Cipher Suite: " + cipherSuite);

// Display the client's certificates, if there are any
if (cipherSuite != null) {
    X509Certificate certChain[] =
        (X509Certificate[]) request.getAttribute("javax.net.ssl.peer_certificates");
    if (certChain != null) {
        for (int i = 0; i < certChain.length; i++) {
            out.println("Client Certificate [" + i + "] = " + certChain[i].toString());
        }
    }
}
---

And it didn't work. CipherSuite is always null. I haven't configured anything in Tomcat. As I have read, it should work, but it is obvious I am missing something.

I would like to manage SSL with Apache rather than using Java keystores, if it is possible. Also, I would like to have an application which does not need Apache to work and which works perfectly in Tomcat standalone.

--
Josué Alcalde González [EMAIL PROTECTED]
Dpto. Desarrollo
CSA - Centro Regional de Servicios Avanzados
C/ López Bravo, 1 Pol. Ind. Villalonquéjar (Burgos)
Tel. (+34) 947 256 250 Fax. (+34) 947 256 583
Web: http://www.csa.es

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Apache2 + tomcat6 + SSL with client certificate
Finally, after debugging by trial and error, I have got the correct configuration.

---
<VirtualHost *:443>
    ServerAdmin [EMAIL PROTECTED]
    ServerSignature On
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLVerifyClient optional_no_ca
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLOptions +ExportCertData +StdEnvVars
    JkExtractSSL On
    JkMount /ovt ajp13_worker
    JkMount /ovt/* ajp13_worker
</VirtualHost>
---

And then these attributes are available in the request:

    javax.servlet.request.X509Certificate
    javax.servlet.request.ssl_session
    javax.servlet.request.cipher_suite

For example:

    request.getAttribute("javax.servlet.request.cipher_suite");

Hope it helps.

On Fri, 05-10-2007 at 09:08 +0200, Josué Alcalde González wrote:
> Hello. I would like to get some advice about a new application I am developing. It needs SSL with client certificate and it will be written in Java and deployed in Tomcat 6 with Java 6.
> [...]
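One thing the working configuration above leaves open: `SSLVerifyClient optional_no_ca` tells mod_ssl to forward whatever certificate the client presents without checking that a configured CA issued it, so a servlet that trusts `javax.servlet.request.X509Certificate` as-is would accept any self-issued certificate. The filter below is an added example written for this thread (not code from the original posts, from Tomcat or from mod_jk); it reads that attribute, validates the chain against a trust store named by two assumed init parameters (`truststore`, `truststorePassword`), and rejects the request otherwise. Because Tomcat's own HTTPS connector sets the same attribute when `clientAuth="true"` or `clientAuth="want"` is configured, the filter behaves the same behind Apache/mod_jk and in standalone Tomcat, which was the second requirement in the original post.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests that carry no client certificate, or whose certificate chain
 * does not validate against the configured trust store. On success the subject DN
 * is exposed to downstream servlets under SUBJECT_ATTR.
 *
 * Assumed web.xml init-params: "truststore" (path to a JKS file holding the CA
 * certificates you accept) and "truststorePassword". Written for Java 6 / Servlet 2.5.
 */
public class ClientCertFilter implements Filter {

    /** Attribute name from the Servlet spec; set by Tomcat's connector and by mod_jk with JkExtractSSL On. */
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    /** Hypothetical attribute name under which the validated subject DN is published. */
    public static final String SUBJECT_ATTR = "clientcert.subjectDN";

    private PKIXParameters pkixParams;
    private CertPathValidator validator;

    public void init(FilterConfig cfg) throws ServletException {
        String path = cfg.getInitParameter("truststore");
        String pass = cfg.getInitParameter("truststorePassword");
        InputStream in = null;
        try {
            in = new FileInputStream(path);
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            ts.load(in, pass == null ? null : pass.toCharArray());
            pkixParams = new PKIXParameters(ts);     // every cert in the store becomes a trust anchor
            pkixParams.setRevocationEnabled(false);   // no CRL/OCSP source is configured in this example
            validator = CertPathValidator.getInstance("PKIX");
        } catch (IOException e) {
            throw new ServletException("cannot read trust store " + path, e);
        } catch (GeneralSecurityException e) {
            throw new ServletException("cannot initialise PKIX validation", e);
        } finally {
            if (in != null) { try { in.close(); } catch (IOException ignored) { } }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // With SSLVerifyClient optional_no_ca (or clientAuth="want") the handshake
            // succeeds without a certificate, so its absence has to be handled here.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String subject;
        try {
            subject = validateChain(certs);
        } catch (GeneralSecurityException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        req.setAttribute(SUBJECT_ATTR, subject);
        chain.doFilter(req, res);
    }

    /** Validates certs[0] (the client) up to a trust anchor and returns its subject DN. */
    String validateChain(X509Certificate[] certs) throws GeneralSecurityException {
        List<X509Certificate> path = new ArrayList<X509Certificate>(Arrays.asList(certs));
        // PKIX expects the path to end at a certificate issued by an anchor, not at the
        // anchor itself, so a self-signed root appended by the client is dropped.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        for (X509Certificate c : path) {
            c.checkValidity();                        // expired / not-yet-valid certificates are refused
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        validator.validate(certPath, pkixParams);     // signatures, validity and CA constraints
        return certs[0].getSubjectX500Principal().getName();
    }

    public void destroy() {
        validator = null;
        pkixParams = null;
    }
}
```

Register it in web.xml with a filter element carrying the two init-params and a filter-mapping on the protected URL pattern (for the thread's setup, /ovt/*). The filter only reads certificates that the TLS layer already authenticated by proof of possession; what it adds is the issuer check that `optional_no_ca` skips. Behind Apache you can additionally set `SSLVerifyClient require` with `SSLCACertificateFile` so untrusted clients are refused before the request reaches Tomcat; in standalone Tomcat 6 the equivalent is an HTTPS connector with `SSLEnabled="true"`, `clientAuth="true"`, `truststoreFile` and `truststorePass`. Keeping the filter in place in both deployments gives the application its own trust decision independent of the front end.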
Re: Apache2 + tomcat6 + SSL with client certificate
Josué Alcalde González [EMAIL PROTECTED] wrote:
> Hello. I would like to get some advice about a new application I am developing. It needs SSL with client certificate and it will be written in Java and deployed in Tomcat 6 with Java 6.
> [...]

Never used Apache in that way, but I myself use SSL in Tomcat on port 8443. I have a redirect port set up in the config section for port 8080, which points to 8443 (SSL), and the application runs on that port, secured. About X509 I have no idea.

In case you are not bound to use X509, you can use SSL out of the box with Tomcat. You need to generate the certificate, set the redirect port (so that a hit to your application goes to 8443 and not 8080; you don't want both), and set up your application to use SSL (in web.xml). Have a look at the documentation in the Tomcat docs (section SSL; it is explained there in detail).

Hope this helps.
G