Konstantin: Thanks for the suggestion - I'll hang on to that link. I was ready to try running Tomcat with a debugger... the instructions I found were for using Eclipse (which I already had set up, but not with the TomCat source)... but I was reluctant to deal with another steep learning curve.
Logging EVERYTHING didn't show me anything useful - except perhaps to tell me (by its absence) that the problem is not in Tomcat. However (see the other response I'll have here shortly), I think that Christopher Schultz has hit the nail on the head... as you'll see in my response to him....

On Tue, Jan 28, 2014 at 12:11 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2014-01-28 John Palmer <johnpalm...@gmail.com>:
> > We have two similar production environments which use:
> > request.getAttribute("javax.servlet.request.X509Certificate")
> > for several purposes.
> >
> > These use tomcat behind IIS using the Jakarta connector (aka reverse proxy)
> > and have been running since 2006 and 2011 respectively without significant
> > issues ... other than perhaps insufficient memory (and sometimes IIS can't
> > talk to Tomcat and everything has to be restarted, multiple times, to
> > resolve).
> >
> > We're trying to upgrade/replace these servers with 64-bit Windows OS due
> > to memory constraints caused by the use of 32-bit OS, and these attributes
> > (and related SSL attributes in Tomcat) are now returning NULL in our DEV
> > environment
> >
> > Old environment:
> > IIS 5.0 on Windows Server 2003 SP2, Jakarta Isapi Redirector 1.2.37, TomCat
> > 7.0.47
> >
> > (While researching "how to set up Jakarta Isapi Redirector in IIS 7.5 with
> > a 64-bit Windows 2008" I saw multiple people reporting issues with poor
> > performance, lockups etc, and decided we would try Bon Code instead.)
> >
> > New Environment
> > IIS 7.5 on Win Server 2008 R2, Bon Code 1.0.17, TomCat 7.0.47
> >
> >
> > IIS is configured with Client Cert Required; browser is being prompted for
> > cert, and cert info is being sent to IIS.
> >
> > According to Bon Code logs, request headers are being populated with plenty
> > of information, including client cert and client issuer cert information.
> >
> > It looks like Tomcat is receiving these request headers, but is not
> > populating the request attributes related to SSL and Cert information, but
> > I can't see why in the logs, even after turning the logs to ALL and wading
> > through the copious output.
> >
> > After looking through the Tomcat source multiple times, I don't see how the
> > AJP connector can populate these request attributes at all - but it is in
> > our current (32-bit OS) environment.
> > -----------------------------
> > I understand that Tomcat is NOT doing the SSL connection itself - IIS is,
> > just as Apache Web Server can be made to do, but my understanding is that
> > Tomcat should be able to populate these attributes from information sent
> > with the request through the AJP connector (eg, in the Request Headers).
> > That seems to be working wonderfully in our current environment...
> >
> > I suspect that I simply have something not configured properly - but is it
> > IIS 7.5, Bon Code, or Tomcat?
> >
> > After multiple attempts to resolve this I'm at a loss..
> > your help appreciated...
> > -------------------------------------------------------------------------
> >
> > Tomcat Server.xml (AJP connector):
> > <Connector URIEncoding="UTF-8" enableLookups="false" port="8029"
> > protocol="AJP/1.3" redirectPort="8443" />
> > (added tomcatAuthentication="false", scheme="https" secure="true"
> > without making any difference)
>
> I do not have a real answer, but if you have come this far, maybe you
> want to try running Tomcat under debugger? See
>
> http://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> The above configuration of a <Connector> selects either a BIO or an
> APR connector (depending on presence of tcnative-1.dll). Which
> connector implementation is actually used should be visible from
> startup logs.
>
> A place of interest for a breakpoint is
> org.apache.coyote.ajp.AbstractAjpProcessor#prepareRequest().
> Look for 'case Constants.SC_A_SSL_CERT' there.
>
> Another place is AbstractAjpProcessor#action(...), see
> ActionCode.REQ_SSL_ATTRIBUTE there.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
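The thread above is about a client-certificate chain that the front end forwards but the application sees as null. The following servlet filter is an added example written for this reply, not code from the thread or from Tomcat; it assumes the Servlet 3.0 API that Tomcat 7 provides, registers itself with a hypothetical @WebFilter mapping, and uses only the attribute names the Servlet specification defines. It logs which SSL attributes the connector actually populated on each request (so a null can be pinned on the connector rather than the webapp) and refuses the request when no chain is present, instead of letting a missing attribute fall through as if the client were authenticated.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical filter, not part of the thread or of Tomcat):
 * report the SSL request attributes that reached the webapp, and fail closed
 * when the client certificate chain is absent.
 */
@WebFilter("/*")
public class ClientCertCheckFilter implements Filter {

    // Attribute name discussed in the thread, defined by the Servlet spec.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // The other SSL attributes the Servlet spec defines for a secure request.
    private static final String[] SSL_ATTRS = {
        "javax.servlet.request.cipher_suite",
        "javax.servlet.request.key_size",
        "javax.servlet.request.ssl_session_id",
        CERT_ATTR
    };

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain filterChain) throws IOException, ServletException {
        // One log line per request: isSecure() plus "set"/"null" for each attribute.
        // If every attribute is null while the front end logs a forwarded cert,
        // the gap is between the proxy and the connector, not in the webapp.
        StringBuilder report = new StringBuilder("ssl attrs: secure=")
            .append(request.isSecure());
        for (String name : SSL_ATTRS) {
            report.append(' ').append(name).append('=')
                  .append(request.getAttribute(name) == null ? "null" : "set");
        }
        request.getServletContext().log(report.toString());

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // Fail closed: no forwarded chain means no authenticated client,
            // regardless of what the front end was configured to require.
            ((HttpServletResponse) response).sendError(
                HttpServletResponse.SC_FORBIDDEN, "client certificate not presented");
            return;
        }

        // certs[0] is the end-entity certificate; any issuer certs the front
        // end forwarded follow it in the array.
        request.getServletContext().log(
            "client cert subject=" + certs[0].getSubjectX500Principal().getName());
        filterChain.doFilter(request, response);
    }
}
```

Deploy it in the DEV webapp while reproducing the problem: the first log line tells you whether isSecure() is true and whether any of the four attributes arrived, which narrows the fault to the proxy-to-AJP hop before touching a debugger. Keeping the 403 in place in production means a misconfigured front end degrades to a denial rather than to unauthenticated access.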