Hi all,

Probably the FW can be configured to not terminate the SSL connection. It should act as a pass-through.

But for a few months we have noticed that Tomcat is not requesting the client certificate anymore (Tomcat to Tomcat; the browsers always receive a certificate request). It completes the handshake, so the SSL communication is established, but no certificate is sent. If I got this right, it is because something has been changed in a later revision of Java 8. To force Tomcat to request the client certificate we had to set clientAuth to true.

Just my 2 cents.

Kind Regards,
Diego Macca
Senior IT Specialist
DG-IS/EDA - Executional Domain Applications
EUROPEAN CENTRAL BANK
Tel.: +49 (69) 1344 6991
E-mail: diego.ma...@ecb.europa.eu
www.ecb.europa.eu
www.youtube.com/ecbeuro
https://twitter.com/ecb

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 02 December 2016 17:09
To: Tomcat Users List
Subject: Re: Two Way SSL - SSL Offloading at load balancer

Bipin,

On 12/2/16 7:27 AM, Bipin Jethwani wrote:
> We use Spring security and want to use Two Way SSL for a few Jersey
> based REST APIs exposed for mobile devices. SSL is offloaded at
> load-balancer or apache level.
>
> Can we still get access to client certificate at web app level?

That depends. How are you connecting your load-balancer to Tomcat? Can you configure the load-balancer to forward the TLS details to Tomcat? With httpd, both mod_jk and mod_proxy_ajp can do it natively. Using mod_proxy_httpd, you just have to make sure that the certificates are forwarded as HTTP request headers, and you'll need to configure the RemoteIPValve to unpack that information and put it into the HttpServletRequest object in a place your application might expect it to be.

> On second thought we can live without having access to client cert but
> can we have load-balancer or apache configured to request for client
> cert only for specific URLs?

No. Only the component terminating TLS can request a certificate from the client. If there is a way for you to signal to the load-balancer that you want to request a certificate, then the load-balancer can request a TLS renegotiation and ask for a client certificate at that point.

> Is there a standard for this?

None that I know of.

-chris
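As an added example, not code from this thread, from Tomcat or from the ECB: a servlet filter that enforces the "client certificate only for specific URLs" requirement discussed above at the web-app level, on top of a TLS terminator that merely offers the certificate request (Tomcat with clientAuth="want", or a proxy that hands the certificate to Tomcat so that it lands in the standard javax.servlet.request.X509Certificate attribute). The protected path prefix and the client.cert.subject attribute name are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Requires a client certificate only below one URL prefix. Everywhere else the
 * handshake may complete without a certificate (clientAuth="want" behaviour).
 */
public class ClientCertRequiredFilter implements Filter {
    // Standard Servlet attribute that Tomcat populates with the presented chain
    // when it terminates TLS itself (or a proxy-aware valve populates from headers).
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumed prefix for the mobile REST APIs that must present a certificate.
    static final String PROTECTED_PREFIX = "/api/mobile/";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // Path relative to the web application's context root.
        String path = http.getRequestURI().substring(http.getContextPath().length());
        if (path.startsWith(PROTECTED_PREFIX)) {
            X509Certificate leaf = leafCertificate(http);
            if (leaf == null) {
                // Handshake finished but no certificate was sent: refuse only this area.
                out.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
                return;
            }
            // Expose the authenticated subject to downstream code (e.g. Spring Security).
            http.setAttribute("client.cert.subject", leaf.getSubjectX500Principal().getName());
        }
        chain.doFilter(req, res);
    }

    /** Returns the end-entity certificate of the presented chain, or null if absent. */
    static X509Certificate leafCertificate(HttpServletRequest http) {
        Object chain = http.getAttribute(CERT_ATTR);
        if (chain instanceof X509Certificate[] && ((X509Certificate[]) chain).length > 0) {
            return ((X509Certificate[]) chain)[0];
        }
        return null;
    }
}
```

If the certificate reaches Tomcat as a forwarded HTTP header rather than from Tomcat's own handshake, the proxy must overwrite that header on every request so that a caller cannot inject a copy of its own; otherwise the attribute this filter trusts is only as reliable as the header.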