Our installations have been working fine for several years, but we're
having to replace the existing 32-bit Windows servers with 64-bit Windows
servers, and I'm trying to take advantage of this effort to simplify the
configuration by removing IIS so Tomcat stands alone.
We inherited this setup with IIS in front of Tomcat, using the Jakarta ISAPI
Filter, with no good reason given for doing it this way (the majority of
our content is served from a Java app; I can see no need to have a more
robust web server in front of it for static content...).


Getting the default (non-APR) connector working has been pretty
easy... we've had some other projects needing similar (.jks cert file)
setups for the server certs, CA certs, etc.

However, I've been concerned that client cert revocation checks would
contribute to network congestion as it appears that ONLY CRLs are available
to use with this connector....

Apparently the APR connector also supports OCSP checks...
I've tried configuring this as an APR connector. After some time with
this, I seem to have the certs in the correct format for both the server
cert and the client cert CAs: connections occur, no errors.

HOWEVER - I have code in several JSP files (i.e., server-side) using
request.getAttribute("javax.servlet.request.X509Certificate")

This is working fine using IE 8 and IE 9, but not with Firefox 26.0, where
it returns null.

Using Wireshark, I don't see any noticeable difference in the server's
response to the browser... and the browser responds in each case with the
client cert I select as well as its issuer. (I currently have only the two
root certs in the SSLCACertificateFile and this seems to be working fine.)

After fighting this for a while, I retreated...

set up IIS 7.5 and the 64-bit Jakarta ISAPI Filter and have this working,
but again, I'd prefer to dump IIS, so I've returned to this;

Still works fine with IE 9 (and presumably IE 8).

SOMETIMES, selecting one of my two available certs results in
request.getAttribute returning the cert information (Firefox 26, Windows
7, ActivCard client), but usually not.

Wireshark on both server and workstation hasn't helped me...

I thought perhaps certificate revocation checking was failing. In fact,
the only place I see this happening is on Firefox, where apparently it
issues an OCSP request back to the Tomcat server (I would have thought it
would go directly to the URL listed in the cert for OCSP or CRL checks) and
receives a "GOOD" response. I don't seem to see ANY OCSP requests issued by
the server... or any CRL requests...
I don't know if any additional configuration is needed to enable OCSP
checking in Tomcat with the APR connector.

I've enabled logging with tomcat's logging.properties without seeing
anything interesting... don't see how to log what the APR stuff is doing,
but looking at the source, it appears there isn't much logging code in
there...

From the server.xml file (each attribute on its own line here to make it more
readable):
------------
<!-- APR SSL Coyote HTTP/1.1 Connector -->

<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="443"
    scheme="https"
    secure="true"
    URIEncoding="UTF-8"
    connectionTimeout="20000"
    maxThreads="200"
    minSpareThreads="25"
    SSLEnabled="true"
    <!-- server certificate and private key, PEM format (APR/OpenSSL style) -->
    SSLCertificateFile="./conf/crt.pem"
    SSLCertificateKeyFile="./conf/key.pem"
    <!-- passphrase protecting key.pem -->
    SSLPassword="xxxxxxx"
    <!-- CA certificates trusted to issue client certificates -->
    SSLCACertificateFile="./conf/ca-roots.pem"
    SSLProtocol="TLSv1"
    <!-- require: handshake fails if the client presents no acceptable cert -->
    SSLVerifyClient="require"
    <!-- maximum client chain length accepted during verification -->
    SSLVerifyDepth="10"
/>

Any ideas?

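An added example, not code from the post above, showing how a servlet filter can consume the same `javax.servlet.request.X509Certificate` attribute the JSPs read, reject the request when the attribute is missing (the null case described above), and run PKIX path validation with revocation checking in Java itself, so that OCSP/CRL checks do not depend on which connector (APR or JSSE) negotiated the TLS session. The truststore path, its `truststore`/`truststorePassword` init-params and the filter name are hypothetical; the `ocsp.enable` and `com.sun.security.enableCRLDP` switches are the Sun/Oracle PKIX provider's, and apply only to that provider.

```java
// Added example (not from the original post or from Tomcat itself).
// Reads the client chain Tomcat exposes under javax.servlet.request.X509Certificate,
// refuses requests without one, and validates the chain (with OCSP, CRL fallback)
// against a JKS truststore configured via hypothetical init-params.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class ClientCertFilter implements Filter {
    // Attribute name used by both the APR and the JSSE connectors; index 0 is the client cert.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private KeyStore trustStore;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-params: "truststore" (JKS path) and "truststorePassword".
        try (FileInputStream in = new FileInputStream(cfg.getInitParameter("truststore"))) {
            trustStore = KeyStore.getInstance("JKS");
            trustStore.load(in, cfg.getInitParameter("truststorePassword").toCharArray());
        } catch (Exception e) {
            throw new ServletException("cannot load truststore", e);
        }
        // Sun/Oracle PKIX provider: query the OCSP responder named in the cert's AIA
        // extension first; fall back to the CRL distribution point if OCSP is unavailable.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // The TLS handshake completed but no certificate was surfaced to the servlet layer.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            validate(certs);
        } catch (CertPathValidatorException e) {
            // e.getReason() distinguishes e.g. REVOKED / EXPIRED / UNDETERMINED_REVOCATION_STATUS
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate rejected: " + e.getReason());
            return;
        } catch (Exception e) {
            throw new ServletException("certificate validation error", e);
        }
        // Make the subject DN available to JSPs under a simpler name.
        req.setAttribute("clientSubjectDN", certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /** PKIX path validation of the presented chain (leaf first) against the truststore. */
    void validate(X509Certificate[] certs) throws Exception {
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(certs));
        // If the browser also sent the self-signed root, drop it: the trust anchor must
        // come from our truststore, never from the peer.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1
                && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);   // OCSP/CRL per the properties set in init()
        CertPathValidator.getInstance("PKIX").validate(cp, params);
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter in web.xml in front of the JSPs that call `request.getAttribute("javax.servlet.request.X509Certificate")`; with the filter in place, a request that reaches a JSP is guaranteed to carry a validated, unrevoked chain, and the 403 path makes the "attribute is null" case visible in the access log rather than as a NullPointerException deep in a page. The revocation lookups are made by the JVM, so they appear in a server-side packet capture as outbound OCSP/CRL requests.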