Our installations have been working fine for several years, but we're having to replace the existing 32-bit Windows servers with 64-bit Windows servers, and I'm trying to take advantage of this effort to simplify the configuration by removing IIS so Tomcat stands alone. We inherited this with IIS in front of Tomcat, using the Jakarta ISAPI Filter, with no good reason given for doing it this way (the majority of our content is served from a Java app; no need that I can see to have a more robust web server in front of this for static content).

Getting the default (non-APR) connector working has been pretty easy... we've had some other projects needing similar (.jks cert file) setups for the server certs, CA certs, etc. However, I've been concerned that client cert revocation checks would contribute to network congestion, as it appears that ONLY CRLs are available to use with this connector. Apparently the APR connector also supports OCSP checks, so I've tried configuring this as an APR connector. After some time with this, I seem to have the certs in the correct format for both the server cert and the client cert CAs - connections occur, no errors.

HOWEVER - I have code in several JSP files (e.g., server-side) using request.getAttribute("javax.servlet.request.X509Certificate"). This is working fine using IE 8 and IE 9, but not with Firefox 26.0, where it returns NULL. Using Wireshark, I don't see any noticeable difference in the server's response to the browser... and the browser responds in each case with the client cert I select as well as its issuer. (I currently have only the two Root certs in the SSLCACertificateFile and this seems to be working fine.)

After fighting this for a while, I retreated... set up IIS 7.5 and the 64-bit Jakarta ISAPI Filter and have this working, but again, I'd prefer to dump IIS, so I've returned to this. It still works fine with IE 9 (and presumably IE 8). SOMETIMES, selecting one of my two available certs results in request.getAttribute returning the cert information (Firefox 26, Windows 7, ActivCard client), but usually not. Wireshark on both server and workstation hasn't helped me...

I thought perhaps certificate revocation checking was failing - in fact, the only place I see this happening is on Firefox, where apparently it issues an OCSP request back to the Tomcat server (I would have thought it would go directly to the URL listed in the cert for OCSP or CRL checks) and receives a "GOOD" response. I don't seem to see ANY OCSP requests issued by the server... or any CRL requests... I don't know if any additional configuration is needed to enable OCSP checking in Tomcat with the APR connector. I've enabled logging with Tomcat's logging.properties without seeing anything interesting... I don't see how to log what the APR stuff is doing, but looking at the source, it appears there isn't much logging code in there.

From the server.xml file (each entry on its own line here to make it more readable):

------------
<!-- APR SSL Coyote HTTP/1.1 Connector -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="443"
    scheme="https"
    secure="true"
    URIEncoding="UTF-8"
    connectionTimeout="20000"
    maxThreads="200"
    minSpareThreads="25"
    SSLEnabled="true"
    SSLCertificateFile="./conf/crt.pem"
    SSLCertificateKeyFile="./conf/key.pem"
    SSLPassword="xxxxxxx"
    SSLCACertificateFile="./conf/ca-roots.pem"
    SSLProtocol="TLSv1"
    SSLVerifyClient="require"
    SSLVerifyDepth="10"
/>
------------

Any ideas?
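To narrow down where the client certificate is lost between the connector and the JSPs, here is an added diagnostic servlet filter (not from the original post) that logs, per request, the User-Agent together with what the connector exposes under the standard javax.servlet.request.* attributes, so IE and Firefox requests can be compared side by side in the Tomcat log. The class name and logger are assumptions; register it in web.xml with a filter-mapping on /*.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical diagnostic filter: records TLS client-cert state for every request. */
public class ClientCertDiagFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ClientCertDiagFilter.class.getName());

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Same attribute the JSPs read; null means the connector did not populate it.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        StringBuilder sb = new StringBuilder("TLS diag: ua=")
            .append(http.getHeader("User-Agent"))
            .append(" cipher=").append(req.getAttribute("javax.servlet.request.cipher_suite"))
            .append(" session=").append(req.getAttribute("javax.servlet.request.ssl_session_id"));
        if (certs == null || certs.length == 0) {
            sb.append(" clientCert=NONE");
        } else {
            // Walk the chain the connector handed us: leaf first, then issuers.
            for (int i = 0; i < certs.length; i++) {
                X509Certificate c = certs[i];
                sb.append(" cert[").append(i).append("] subject=")
                  .append(c.getSubjectX500Principal().getName())
                  .append(" issuer=").append(c.getIssuerX500Principal().getName())
                  .append(" serial=").append(c.getSerialNumber().toString(16));
                try { c.checkValidity(); sb.append(" valid=yes"); }
                catch (CertificateException e) { sb.append(" valid=NO(").append(e.getMessage()).append(')'); }
            }
        }
        LOG.info(sb.toString());
        chain.doFilter(req, resp);
    }
}
```

Comparing the ssl_session_id and clientCert fields for an IE request against a Firefox request to the same URL shows whether the browsers are landing on different TLS sessions, which is the first thing to rule out before looking at revocation.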