GOT IT TO WORK!!!
The old Jetty 4.2.9 server was blowing up when I sent the...
ForwardKeySize
In httpd.conf...
JkOptions +ForwardKeySize +ForwardURICompat
ForwardKeySize was not getting parsed in Jetty and was crapping out
Jetty when sent to it.
SO, I did this in the config...
#JkOptions +ForwardKeySize +ForwardURICompat
JkOptions +ForwardURICompat
And of course, turned on the exporting of the SSL env in
httpd-ssl.conf...
SSLOptions +StdEnvVars +ExportCertData
And it is working: Jetty is getting the client certificate and
performing A&A based on it.
BUT, there is one thing I did forget about: currently the AJP port that
Jetty is listening on is NOT HTTPS. I am going to try that next, BUT, at
least I am making progress.
Hope the above helps someone when they are googling for answers.
>-----Original Message-----
>From: Lucuk, Pete [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, November 28, 2006 12:36 PM
>To: [email protected]
>Subject: RE: [EMAIL PROTECTED] Apache, mod_jk, client
>certificates, and Jetty
>
>
>
>>-----Original Message-----
>>From: Serge Dubrouski [mailto:[EMAIL PROTECTED]
>>Sent: Tuesday, November 28, 2006 12:08 PM
>>To: [email protected]
>>Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client certificates, and
>>Jetty
>>
>>On 11/28/06, Lucuk, Pete <[EMAIL PROTECTED]> wrote:
>>> >> Jetty = http://www.mortbay.org/
>>> >
>>> >Just for my curiosity: why do you need 3 Web servers: Apache -> JBoss
>>> >-> Jetty ? What Jetty does that JBoss can't do?
>>>
>>>
>>> Jetty is the HTTP servlet engine for Jboss.
>>>
>>> Just like Tomcat is the HTTP servlet engine for JBoss 4.x
>>
>>Got you. I thought you had JBoss with Tomcat + Jetty.
>
>Nope, the older JBoss 3.07 exclusively used Jetty, Jetty 4.2.9
>to be exact
>
>>
>>Then I'm not sure that it'd work at all because I'm not sure
>>that Jetty supports AJP 1.3.
>
>It does, have confirmed with setting up mod_jk and doing HTTPS
>round trips ( IE->Apache->Jetty->Apache-IE ).
>There is a index.html on Jetty that I am able to see via HTTPS
>when using mod_jk.
>Jetty config file had an AJP port setting.
>
>It is just when Jetty tries to get the client certificate in
>Jetty that I begin to have problems.
>
>>Why not upgrade JBoss and
>>replace Jetty with Tomcat?
>
>
>Ahhhhh, yes, why not! Well, I can't, we are running some COTS
>software CRAP, and I do mean CRAP, that requires Jboss 3.0.7
>and Jetty 4.2.9.
>
>
>I am going to try some more things this afternoon, if I get it
>to work, I will post the fix.
>
>Thanks much for your time and help!
>
>>
>>>
>>> Without Jetty, or Tomcat for that matter, JBoss does not have an HTTP
>>> interface.
>>> JBoss is not a web server by itself, it needs Tomcat, Jetty, etc. in
>>> front of it to do the HTTP.
>>>
>>>
>>> >
>>> >>
>>> >> Jetty Server died, gave some bogus java error that told
>>> >> you nothing
>>> >>
>>> >>
>>> >> >
>>> >> >>
>>> >> >> Could the way I have my ordering things in httpd.conf and
>>> >> >> httpd-ssl.conf be throwing something off?
>>> >> >
>>> >> >I don't think so.
>>> >> >
>>> >> >>
>>> >> >> Where the httpd-ssl.conf comes first in the httpd.conf,
>>> >> >> before the
>>> >> >> actual mod_jk stuff?
>>> >> >>
>>> >> >
>>> >> >I'd put mod_jk stuff before mod_ssl stuff. But I don't
>>> >> >think that it
>>> >> >matters.
>>> >>
>>> >> I will try it and see if it works, once again, thank you
>>> >>
>>> >> >
>>> >> >>
>>> >> >> Thanks for your responses, I appreciate your help
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> >-----Original Message-----
>>> >> >> >From: Serge Dubrouski [mailto:[EMAIL PROTECTED]
>>> >> >> >Sent: Tuesday, November 28, 2006 10:53 AM
>>> >> >> >To: [email protected]
>>> >> >> >Subject: Re: [EMAIL PROTECTED] Apache, mod_jk, client
>>> >> >> >certificates,
>>> >> >> >and Jetty
>>> >> >> >
>>> >> >> >On 11/28/06, Lucuk, Pete <[EMAIL PROTECTED]> wrote:
>>> >> >> >>
>>> >> >> >> I am trying to perform the following...
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Browser_client_with_client_certificate<--https-->apache_with_mod_jk<--https-->Jetty
>>> >> >> >>
>>> >> >> >> Also, the browser client is passing a client
>>> >> >> >> certificate that I
>>> >> >> >> want Jetty to have access to perform A&A.
>>> >> >> >>
>>> >> >> >> Browser version = IE 6
>>> >> >> >> Apache version = 2.2.3
>>> >> >> >> Mod_jk version = 1.2.19
>>> >> >> >> Jetty version = 4.2.9
>>> >> >> >>
>>> >> >> >> I CAN get the full round trip working under HTTPS,
>>> >> >> >> that is not a
>>> >> >> >> problem.
>>> >> >> >> I CAN *** NOT *** get Jetty to have access to the client
>>> >> >> >> certificate,
>>> >> >> >> Jetty states that it can not find the client certificate.
>>> >> >> >>
>>> >> >> >> I am confident that Jetty is configured for AJP
>>> >> >> >> (round trip
>>> >> >> >> in HTTPS work) and client certificates (when the
>>> >> >> >> Browser_client_with_client_certificate hits it directly,
>>> >> >> >> it works).
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Not sure if it is a config thing on apache/mod_jk or what.
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Below is my Apache and mod_jk config, any ideas???...
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my httpd.conf file I have the following...
>>> >> >> >>
>>> >> >> >> # Secure (SSL/TLS) connections
>>> >> >> >> Include conf/extra/httpd-ssl.conf
>>> >> >> >>
>>> >> >> >> <IfModule !mod_jk.c>
>>> >> >> >>
>>> >> >> >> #LoadModule jk_module modules/mod_jk.so
>>> >> >> >> LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
>>> >> >> >>
>>> >> >> >> </IfModule>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> <IfModule mod_jk.c>
>>> >> >> >>
>>> >> >> >> JkWorkersFile "conf/worker.properties"
>>> >> >> >>
>>> >> >> >> JkLogFile "logs/mod_jk.log"
>>> >> >> >>
>>> >> >> >> JkLogLevel info
>>> >> >> >>
>>> >> >> >> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>>> >> >> >>
>>> >> >> >> JkOptions +ForwardKeySize +ForwardURICompat
>>> >> >> >>
>>> >> >> >> JkExtractSSL On
>>> >> >> >> # What is the indicator for SSL (default is HTTPS)
>>> >> >> >> JkHTTPSIndicator HTTPS
>>> >> >> >> # What is the indicator for SSL session (default is SSL_SESSION_ID)
>>> >> >> >> JkSESSIONIndicator SSL_SESSION_ID
>>> >> >> >> # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
>>> >> >> >> JkCIPHERIndicator SSL_CIPHER
>>> >> >> >> # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
>>> >> >> >> JkCERTSIndicator SSL_CLIENT_CERT
>>> >> >> >>
>>> >> >> >> </IfModule>
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my worker.properties I have...
>>> >> >> >>
>>> >> >> >> worker.list=jetty
>>> >> >> >>
>>> >> >> >> #worker.jetty.port=8009
>>> >> >> >> worker.jetty.port=5309
>>> >> >> >>
>>> >> >> >> worker.jetty.host=servera
>>> >> >> >>
>>> >> >> >> worker.jetty.type=ajp13
>>> >> >> >>
>>> >> >> >> worker.jetty.lbfactor=1
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my httpd-ssl.conf I have...
>>> >> >> >>
>>> >> >> >> <VirtualHost _default_:5443>
>>> >> >> >>
>>> >> >> >> #SSLOptions +StdEnvVars +ExportCertData
>>> >> >> >
>>> >> >> >Uncomment this.
>>> >> >> >
>>> >> >> >>
>>> >> >> >> JkMount /* jetty
>>> >> >> >>
>>> >> >> >> # General setup for the virtual host
>>> >> >> >> DocumentRoot "/data/dir/dir/tools/web/apache/server/htdocs"
>>> >> >> >> ServerName kftcsu14.ftc.lab:5443
>>> >> >> >> ServerAdmin [EMAIL PROTECTED]
>>> >> >> >> ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
>>> >> >> >> TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
>>> >> >> >>
>>> >> >> >> # SSL Engine Switch:
>>> >> >> >> # Enable/Disable SSL for this virtual host.
>>> >> >> >> SSLEngine on
>>> >> >> >>
>>> >> >> >> SSLProxyEngine on
>>> >> >> >>
>>> >> >> >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>> >> >> >>
>>> >> >> >> SSLCertificateFile /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
>>> >> >> >> SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
>>> >> >> >>
>>> >> >> >> SSLCACertificateFile /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
>>> >> >> >> SSLVerifyClient optional
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> </VirtualHost>
>>> >> >> >>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
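The fix at the top of the thread comes down to a handful of Apache and mod_jk directives. As an added example (not code from the thread or from the Apache project), this small linter reads the directives that decide whether a browser's client certificate reaches the AJP backend and reports the two problems the poster hit: ExportCertData left commented out, and the +ForwardKeySize option that Jetty 4.2.9 could not parse. The sample configs are constructed from the fragments posted above; directive meanings are Apache httpd / mod_jk facts.

```python
# Added example, not from the thread: lint the Apache + mod_jk directives that
# decide whether the browser's client certificate reaches the AJP backend.
# Directive semantics are Apache httpd / mod_jk facts; both configs below are
# constructed from the fragments posted above (the failing state and the fix).
BEFORE = """
JkOptions +ForwardKeySize +ForwardURICompat
JkExtractSSL On
<VirtualHost _default_:5443>
#SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional
</VirtualHost>
"""
AFTER = """
#JkOptions +ForwardKeySize +ForwardURICompat
JkOptions +ForwardURICompat
<VirtualHost _default_:5443>
SSLOptions +StdEnvVars +ExportCertData
SSLVerifyClient optional
</VirtualHost>
"""

def parse_directives(text):
    """(name, args) for active directives; '#' comments and <Section> tags are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, *args = line.split()
        out.append((name, args))
    return out

def lint_client_cert_forwarding(text):
    """Findings explaining why the backend would not see SSL_CLIENT_CERT."""
    d = parse_directives(text)
    jk_opts = {a for n, args in d if n == "JkOptions" for a in args}
    ssl_opts = {a for n, args in d if n == "SSLOptions" for a in args}
    verify = next((a[0] for n, a in d if n == "SSLVerifyClient" and a), "none")
    extract = next((a[0] for n, a in d if n == "JkExtractSSL" and a), "On")  # mod_jk default
    findings = []
    if "+ExportCertData" not in ssl_opts:   # the commented-out line in the original httpd-ssl.conf
        findings.append("SSLOptions lacks +ExportCertData: SSL_CLIENT_CERT is never set")
    if verify.lower() == "none":
        findings.append("SSLVerifyClient none: Apache never asks the browser for a certificate")
    if extract.lower() == "off":
        findings.append("JkExtractSSL Off: mod_jk strips the SSL variables from the AJP request")
    if "+ForwardKeySize" in jk_opts:        # the option the poster had to drop for Jetty 4.2.9
        findings.append("JkOptions +ForwardKeySize: extra AJP attribute the old Jetty could not parse")
    return findings
```

Running it on the "before" config yields the two findings above; the poster's corrected config yields none.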