RE: Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
The LDAPS authentication is handled by the application using an external file 
not in Tomcat or the application that contains
the credentials for the generic Active Directory account accessing LDAP, the 
Java keystore location, and the FQDN and port of the LDAPS host.

-John 

-Original Message-
From: Mark Thomas  
Sent: Tuesday, October 8, 2019 1:01 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7 HTTPS and LDAP authentication issue

On 08/10/2019 19:52, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK 
INFORMATION INC at Cisco) wrote:
> Hi Mark,
> 
> How are you configuring TLS for the Connector?
> 
>   <Connector scheme="https"
>              secure="true"
>              protocol="org.apache.coyote.http11.Http11AprProtocol"
>              SSLEnabled="true"
>              SSLCertificateFile="/certs/foo.crt"
>              SSLCertificateKeyFile="/certs/foo.key"
>              maxThreads="150"
>              clientAuth="false"
>              SSLProtocol="all" />
> 
> How are you configuring TLS for LDAP?
> 
> Do you mean inside Tomcat?

Yes. Or is the authentication happening in httpd?

Mark

> 
> Thanks
> -John
> 
> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, October 8, 2019 11:07 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 7 HTTPS and LDAP authentication issue
> 
> On 08/10/2019 18:55, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK 
> INFORMATION INC at Cisco) wrote:
>> Hello,
>>
>> We have an application running on Tomcat 7.0.96. The application 
>> handles authentication by accessing an internal LDAPS host by using 
>> credentials, a keystore, and the LDAPS hostname and port from an 
>> external file from the application and from Tomcat. This works with no 
>> issues, until I enable HTTPS in Tomcat. Once I see sessions are encrypted, 
>> users can no longer log on to the application. When I disable HTTPS the users 
>> can again authenticate in the application. We do have an Apache reverse 
>> proxy for the application, but when Tomcat HTTPS is enabled I need to use 
>> https://hostname:8443/foo to get to the application login screen and not 
>> just https://hostname/foo.
>> With HTTPS disabled I can access the application with 
>> http://hostname/foo. That's obviously a config issue I need to address, but 
>> would that be why the authentication process would be broken when HTTPS is 
>> enabled?
> 
> How are you configuring TLS for LDAP?
> 
> How are you configuring TLS for the Connector?
> 
> I suspect that something somewhere is using the JVM wide TLS configuration 
> properties when it should be using LDAP / Tomcat Connector specific settings?
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 


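Mark's suspicion in this thread is that the LDAP client is picking up JVM-wide TLS settings (the javax.net.ssl.* system properties) instead of its own, and John's reply says the application reads its credentials, keystore location and LDAPS host/port from an external file. The class below is an added illustration, not code from this thread, from the application or from Tomcat, of how to make the LDAPS bind independent of the JVM-wide properties: the trust store named in the external file is loaded into a dedicated SSLContext, and that context is handed to JNDI through its own socket factory. The property keys (ldap.host, ldap.port, ldap.truststore, ldap.bind.dn, ...) and the class names are assumptions; the JNDI property java.naming.ldap.factory.socket and the requirement that the named class expose a static getDefault() are real.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper: binds to an LDAPS host with trust taken only from the
 * keystore named in an external properties file, so the bind does not depend
 * on javax.net.ssl.trustStore or other JVM-wide TLS properties that a
 * Connector, startup script or another library may set.
 */
public class LdapsBindExample {

    /** JNDI loads this class by name and calls the static getDefault() by reflection. */
    public static class IsolatedLdapSocketFactory extends SocketFactory {
        // Set once by configure(); JNDI only accepts a class name, not an instance.
        private static volatile SSLSocketFactory delegate;

        public static void configure(SSLContext ctx) { delegate = ctx.getSocketFactory(); }

        public static SocketFactory getDefault() {
            if (delegate == null) {
                throw new IllegalStateException("configure() must be called before the LDAP bind");
            }
            return new IsolatedLdapSocketFactory();
        }

        @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return delegate.createSocket(host, port);
        }
        @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
                throws IOException {
            return delegate.createSocket(host, port, localHost, localPort);
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return delegate.createSocket(host, port);
        }
        @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
                throws IOException {
            return delegate.createSocket(address, port, localAddress, localPort);
        }
    }

    /** Builds an SSLContext that trusts only the CA certificates in the given keystore. */
    static SSLContext trustStoreContext(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Binds with the values from the external file; property keys are assumed, not the thread's. */
    public static DirContext bind(Properties cfg) throws Exception {
        SSLContext ctx = trustStoreContext(cfg.getProperty("ldap.truststore"),
                cfg.getProperty("ldap.truststore.password").toCharArray());
        IsolatedLdapSocketFactory.configure(ctx);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL,
                "ldaps://" + cfg.getProperty("ldap.host") + ":" + cfg.getProperty("ldap.port"));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, cfg.getProperty("ldap.bind.dn"));
        env.put(Context.SECURITY_CREDENTIALS, cfg.getProperty("ldap.bind.password"));
        // The important line: the LDAP provider uses this factory instead of
        // SSLSocketFactory.getDefault(), so the JVM-wide trust store settings do not
        // influence this connection at all.
        env.put("java.naming.ldap.factory.socket", IsolatedLdapSocketFactory.class.getName());
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties();
        try (InputStream in = new FileInputStream(args[0])) {   // path to the external file
            cfg.load(in);
        }
        DirContext dir = bind(cfg);
        System.out.println("LDAPS bind succeeded as " + cfg.getProperty("ldap.bind.dn"));
        dir.close();
    }
}
```

Run it as `java LdapsBindExample /path/to/external.properties` once with Tomcat's HTTPS Connector disabled and once with it enabled. If the bind succeeds in both cases while the application's own login still fails only with HTTPS on, the application's LDAP code is trusting the default SSLSocketFactory, which is exactly the JVM-wide dependency Mark describes. Two caveats: the hostname written in the external file has to match the LDAPS server's certificate, because the JDK verifies LDAPS endpoint identity by default since 8u181; and the bind password in the file should be protected with restrictive file permissions, since this helper reads it in clear.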



Re: Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread Mark Thomas
On 08/10/2019 19:52, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> Hi Mark,
> 
> How are you configuring TLS for the Connector?
> 
>   <Connector scheme="https"
>              secure="true"
>              protocol="org.apache.coyote.http11.Http11AprProtocol"
>              SSLEnabled="true"
>              SSLCertificateFile="/certs/foo.crt"
>              SSLCertificateKeyFile="/certs/foo.key"
>              maxThreads="150"
>              clientAuth="false"
>              SSLProtocol="all" />
> 
> How are you configuring TLS for LDAP?
> 
> Do you mean inside Tomcat?

Yes. Or is the authentication happening in httpd?

Mark

> 
> Thanks
> -John 
> 
> -Original Message-
> From: Mark Thomas  
> Sent: Tuesday, October 8, 2019 11:07 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 7 HTTPS and LDAP authentication issue
> 
> On 08/10/2019 18:55, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK 
> INFORMATION INC at Cisco) wrote:
>> Hello,
>>
>> We have an application running on Tomcat 7.0.96. The application 
>> handles authentication by accessing an internal LDAPS host by using 
>> credentials, a keystore, and the LDAPS hostname and port from an 
>> external file from the application and from Tomcat. This works with no 
>> issues, until I enable HTTPS in Tomcat. Once I see sessions are encrypted, 
>> users can no longer log on to the application. When I disable HTTPS the users 
>> can again authenticate in the application. We do have an Apache reverse 
>> proxy for the application, but when Tomcat HTTPS is enabled I need to use 
>> https://hostname:8443/foo to get to the application login screen and not 
>> just https://hostname/foo.
>> With HTTPS disabled I can access the application with 
>> http://hostname/foo. That's obviously a config issue I need to address, but 
>> would that be why the authentication process would be broken when HTTPS is 
>> enabled?
> 
> How are you configuring TLS for LDAP?
> 
> How are you configuring TLS for the Connector?
> 
> I suspect that something somewhere is using the JVM wide TLS configuration 
> properties when it should be using LDAP / Tomcat Connector specific settings?
> 
> Mark
> 
> 





RE: Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
Hi Mark,

How are you configuring TLS for the Connector?



How are you configuring TLS for LDAP?

Do you mean inside Tomcat? 

Thanks
-John 

-Original Message-
From: Mark Thomas  
Sent: Tuesday, October 8, 2019 11:07 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 7 HTTPS and LDAP authentication issue

On 08/10/2019 18:55, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK 
INFORMATION INC at Cisco) wrote:
> Hello,
> 
> We have an application running on Tomcat 7.0.96. The application 
> handles authentication by accessing an internal LDAPS host by using 
> credentials, a keystore, and the LDAPS hostname and port from an 
> external file from the application and from Tomcat. This works with no 
> issues, until I enable HTTPS in Tomcat. Once I see sessions are encrypted, 
> users can no longer log on to the application. When I disable HTTPS the users 
> can again authenticate in the application. We do have an Apache reverse proxy 
> for the application, but when Tomcat HTTPS is enabled I need to use 
> https://hostname:8443/foo to get to the application login screen and not just 
> https://hostname/foo.
> With HTTPS disabled I can access the application with 
> http://hostname/foo. That's obviously a config issue I need to address, but 
> would that be why the authentication process would be broken when HTTPS is 
> enabled?

How are you configuring TLS for LDAP?

How are you configuring TLS for the Connector?

I suspect that something somewhere is using the JVM wide TLS configuration 
properties when it should be using LDAP / Tomcat Connector specific settings?

Mark




Re: Tomcat 7 HTTPS and LDAP authentication issue

2019-10-08 Thread Mark Thomas
On 08/10/2019 18:55, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> Hello,
> 
> We have an application running on Tomcat 7.0.96. The application handles 
> authentication by accessing an internal LDAPS host by using credentials, a 
> keystore, and the
> LDAPS hostname and port from an external file from the application and from 
> Tomcat. This works with no issues, until I enable HTTPS in Tomcat. Once I see 
> sessions are encrypted, users can no longer log on to the application. When I 
> disable HTTPS the users can again authenticate in the application. We do have 
> an Apache reverse proxy for the application, but when Tomcat HTTPS is enabled 
> I need to use https://hostname:8443/foo to get to the application login screen 
> and not just https://hostname/foo.
> With HTTPS disabled I can access the application with http://hostname/foo. 
> That's obviously a config issue I need to address, but would that be why the 
> authentication process would be broken when HTTPS is enabled?

How are you configuring TLS for LDAP?

How are you configuring TLS for the Connector?

I suspect that something somewhere is using the JVM wide TLS
configuration properties when it should be using LDAP / Tomcat Connector
specific settings?

Mark
