Konstantin:
Thanks for the suggestion - I'll hang on to that link.
I was ready to try running Tomcat with a debugger... the instructions I
found were for using Eclipse (which I already had set up, but not with the
Tomcat source)... but I was reluctant to deal with another steep learning
curve.

Logging EVERYTHING didn't show me anything useful - except perhaps to tell
me (by its absence) that the problem is not in Tomcat.

However, (see the other response I'll have here shortly) - I think that
Christopher Schultz has hit the nail on the head... as you'll see in my
response to him....


On Tue, Jan 28, 2014 at 12:11 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:

> 2014-01-28 John Palmer <johnpalm...@gmail.com>:
> >  We have two similar production environments which use:
> > request.getAttribute("javax.servlet.request.X509Certificate")
> > for several purposes.
> >
> > These use tomcat behind IIS using the Jakarta connector (aka reverse proxy)
> > and have been running since 2006 and 2011 respectively without significant
> > issues ... other than perhaps insufficient memory (and sometimes IIS can't
> > talk to Tomcat and everything has to be restarted, multiple times, to
> > resolve).
> >
> > We're trying to upgrade/replace these servers with 64-bit Windows OS due
> > to memory constraints caused by the use of 32-bit OS, and these attributes
> > (and related SSL attributes in Tomcat) are now returning NULL in our DEV
> > environment
> >
> > Old environment:
> > IIS 5.0 on Windows Server 2003 SP2, Jakarta Isapi Redirector 1.2.37, Tomcat 7.0.47
> >
> > (While researching "how to set up Jakarta Isapi Redirector in IIS 7.5 with
> > a 64-bit Windows 2008" I saw multiple people reporting issues with poor
> > performance, lockups etc, and decided we would try Bon Code instead.)
> >
> > New Environment
> > IIS 7.5 on Win Server 2008 R2, Bon Code 1.0.17, Tomcat 7.0.47
> >
> >
> > IIS is configured with Client Cert Required; browser is being prompted for
> > cert, and cert info is being sent to IIS.
> >
> > According to Bon Code logs, request headers are being populated with plenty
> > of information, including client cert and client issuer cert information.
> >
> > It looks like Tomcat is receiving these request headers, but is not
> > populating the request attributes related to SSL and Cert information, but
> > I can't see why in the logs, even after turning the logs to ALL and wading
> > through the copious output.
> >
> > After looking through the Tomcat source multiple times, I don't see how the
> > AJP connector can populate these request attributes at all - but it is in
> > our current (32-bit OS) environment.
> > -----------------------------
> > I understand that Tomcat is NOT doing the SSL connection itself - IIS is,
> > just as Apache Web Server can be made to do, but my understanding is that
> > Tomcat should be able to populate these attributes from information sent
> > with the request through the AJP connector (eg, in the Request Headers),
> > That seems to be working wonderfully in our current environment...
> >
> > I suspect that I simply have something not configured properly - but is it
> > IIS 7.5, Bon Code, or Tomcat?
> >
> > After multiple attempts to resolve this I'm at a loss..
> > your help appreciated...
> > -------------------------------------------------------------------------
> >
> > Tomcat Server.xml (AJP connector):
> > <Connector URIEncoding="UTF-8" enableLookups="false" port="8029"
> > protocol="AJP/1.3" redirectPort="8443" />
> > (added tomcatAuthentication="false", scheme="https" secure="true"
> > without making any difference)
>
> I do not have a real answer, but if you have come this far, maybe you
> want to try running Tomcat under debugger? See
>
> http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> The above configuration of a <Connector> selects either a BIO or an
> APR connector (depending on presence of tcnative-1.dll). Which
> connector implementation is actually used should be visible from
> startup logs.
>
> A place of interest for a breakpoint is
> org.apache.coyote.ajp.AbstractAjpProcessor#prepareRequest().
> Look for 'case Constants.SC_A_SSL_CERT' there.
>
> Another place is AbstractAjpProcessor#action(...), see
> ActionCode.REQ_SSL_ATTRIBUTE there.
>
> Best regards,
> Konstantin Kolinko
>

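An added example, not part of the thread and not Tomcat's or Bon Code's code: a parser for an AJP13 Forward Request that reports whether the client certificate travels as the AJP `ssl_cert` attribute (code 0x07, the `SC_A_SSL_CERT` case mentioned above) or only as an ordinary HTTP header. The packet layout follows the published AJPv13 protocol description; the header name `X-Client-Cert`, the helper `build_sample` and all packet contents are constructed for illustration.

```python
import struct

# AJP13 request-attribute codes for SSL data, per the AJPv13 protocol description.
ATTRS = {7: "ssl_cert", 8: "ssl_cipher", 9: "ssl_session", 11: "ssl_key_size"}

def parse_forward_request(pkt):
    pos = 0
    def take(fmt):                             # struct.error if pkt is truncated
        nonlocal pos
        (v,) = struct.unpack_from(fmt, pkt, pos)
        pos += struct.calcsize(fmt)
        return v
    def string():                              # u16 length, bytes, trailing NUL
        n = take(">H")
        if n == 0xFFFF:                        # 0xFFFF encodes a null string
            return None
        return take(">%dsx" % n).decode("latin-1")
    if take(">H") != 0x1234 or take(">H") != len(pkt) - 4 or take("B") != 0x02:
        raise ValueError("not a well-formed AJP13 Forward Request")
    take("B")                                  # HTTP method code
    for _ in range(5):                         # protocol, URI, addr, host, server
        string()
    take(">H")                                 # server port
    is_ssl, headers, attrs = bool(take("B")), {}, {}
    for _ in range(take(">H")):
        coded = pkt[pos] == 0xA0               # common names are sent as 0xA0xx
        name = "0x%04x" % take(">H") if coded else string()
        headers[name] = string()
    while (code := take("B")) != 0xFF:         # 0xFF ends the attribute list
        name = string() if code == 10 else ATTRS.get(code, "attr-%d" % code)
        attrs[name] = take(">H") if code == 11 else string()
    return is_ssl, headers, attrs

def cert_delivery(pkt):
    _, headers, attrs = parse_forward_request(pkt)
    if attrs.get("ssl_cert"):                  # the attribute SC_A_SSL_CERT reads
        return "ajp-attribute"
    hdr = any("cert" in h.lower() for h in headers)
    return "http-header-only" if hdr else "absent"

def _s(v):
    return struct.pack(">H", len(v)) + v.encode("latin-1") + b"\0"

def build_sample(headers=(), attrs=()):        # constructed packets, not captures
    fixed = ("HTTP/1.1", "/app", "10.0.0.5", "10.0.0.5", "dev.example.test")
    body = b"\x02\x02" + b"".join(map(_s, fixed)) + struct.pack(">HBH", 443, 1, len(headers))
    body += b"".join(_s(k) + _s(v) for k, v in headers)
    body += b"".join(bytes([c]) + _s(v) for c, v in attrs) + b"\xff"
    return struct.pack(">HH", 0x1234, len(body)) + body
```

Feeding it a packet captured between the IIS connector and the AJP port shows which of the two forms the front end is actually sending.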