I'm wondering if it has to do with the SMSESSION cookie not getting passed correctly. Still trying to figure this one out.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Tuesday, July 12, 2022 9:16 AM
> To: users@tomcat.apache.org
> Subject: Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup
> 
> Jon,
> 
> On 7/8/22 16:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Chris,
> >
> > Moving this discussion to here. Yes, it appears that I broke something when
> setting up the Tomcat Connector for the mod-proxy that is now affecting,
> somehow, the SSL communication with the Site Minder services. Here is the
> connector we added below.
> 
> The only reason I can think of that would cause your Tomcat TLS connector
> configuration to affect your SiteMinder thing is if you are trying to specify
> the javax.net.ssl.trustStore system property for the entire JVM, and allowing
> Tomcat to inherit that.
> 
> > Temporarily have set certificateVerification to optional to see if it
> > was something with the communication between HTTPD and Tomcat.
> >
> >   <Connector port="8305"
> >              protocol="org.apache.coyote.http11.Http11NioProtocol"
> >              maxThreads="100"
> >              compression="on" scheme="https" SSLEnabled="true" secure="true">
> >
> >     <SSLHostConfig protocols="TLSv1.2"
> >                    certificateVerification="optional"
> >                    truststoreFile="" truststorePassword="" truststoreType="JKS"
> >                    ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> 
> Assuming truststoreFile is not actually _blank_, then this should be fine.
> 
> >                             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> >                             TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> >                             TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> >                             TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> >                             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> >                             TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> >                             TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> >                             TLS_DHE_RSA_WITH_AES_128_CCM,
> >                             TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
> >                             TLS_DHE_RSA_WITH_AES_128_CCM_8,
> >                             TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
> >                             TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> >                             TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> >                             TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
> >
> >       <!-- Tomcat's attribute is lower-case "type" -->
> >       <Certificate type="RSA"
> >                    certificateKeystoreFile="<certificate>.pfx"
> >                    certificateKeystorePassword=""
> >                    certificateKeystoreType="pkcs12" />
> >     </SSLHostConfig>
> >   </Connector>
> 
> Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything for you,
> since you are using only an RSA key.
> 
> Is your SiteMinder client code using its own special trust store and key store?
> If you are getting a handshake failure (mentioned in your message to
> dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException:
> Received fatal alert: bad_certificate error"), you might want to start looking
> there. The problem is very unlikely to be your Tomcat configuration or
> anything related to it, unless you use the same key store and trust store for
> both.
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
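The configuration checks Chris raises above (a blank truststoreFile, certificateVerification left on "optional", ECDSA cipher suites paired with an RSA-only certificate) can be automated against a server.xml. The script below is an added example, not code from this thread or from Tomcat; the sample server.xml is constructed to mirror the quoted connector with placeholder paths.

```python
"""Lint a Tomcat server.xml for the TLS connector issues discussed in the thread
(hypothetical helper, not Tomcat code)."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the connector quoted above (placeholder keystore path).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8305" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="100" compression="on" scheme="https"
               SSLEnabled="true" secure="true">
      <SSLHostConfig protocols="TLSv1.2" certificateVerification="optional"
                     truststoreFile="" truststorePassword="" truststoreType="JKS"
                     ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate type="RSA" certificateKeystoreFile="example-server.pfx"
                     certificateKeystorePassword="" certificateKeystoreType="pkcs12" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def lint_tls_connectors(server_xml: str) -> list[str]:
    """Return one finding string per problem found in SSL-enabled Connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        for host in conn.findall("SSLHostConfig"):
            where = f"Connector {port} / SSLHostConfig {host.get('hostName', '_default_')}"
            # Client-cert verification "optional" is a debugging setting, not a final one.
            if host.get("certificateVerification", "none").lower() == "optional":
                findings.append(f"{where}: certificateVerification=optional")
            # A blank truststoreFile attribute means no explicit trust store is configured.
            if "truststoreFile" in host.attrib and not host.attrib["truststoreFile"].strip():
                findings.append(f"{where}: truststoreFile is blank")
            # ECDSA suites are only usable when an EC certificate is configured.
            ciphers = [c.strip() for c in host.get("ciphers", "").split(",") if c.strip()]
            cert_types = {c.get("type", "UNDEFINED").upper() for c in host.findall("Certificate")}
            ecdsa = [c for c in ciphers if "_ECDSA_" in c]
            if ecdsa and "EC" not in cert_types and "UNDEFINED" not in cert_types:
                findings.append(f"{where}: {len(ecdsa)} ECDSA suite(s) but no EC certificate")
    return findings


if __name__ == "__main__":
    for finding in lint_tls_connectors(SAMPLE_SERVER_XML):
        print(finding)
```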
