Could this potentially be caused by

    <Listener className="org.apache.catalina.core.AprLifecycleListener"
              SSLEngine="on" />

But not using Tomcat Native?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

[email protected]
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH)
> <[email protected]>
> Sent: Wednesday, July 13, 2022 11:28 AM
> To: Tomcat Users List <[email protected]>
> Subject: AW: [OT] issues with Tomcat to Siteminder communication post
> mod-proxy setup
> 
> Hello,
> 
> > -----Original Message-----
> > From: [email protected]
> > <[email protected]>
> > Sent: Wednesday, July 13, 2022 18:17
> > To: [email protected]
> > Subject: RE: [OT] issues with Tomcat to Siteminder communication post
> > mod-proxy setup
> >
> > Here is the error we are getting. The login form, hosted by Tomcat,
> > does a POST to the /login/login.fcc for siteminder which is on the
> > HTTPD server and is not behind the proxypass or proxypassreverse.
> >
> > javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12 13:12:49.399 PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
> > <class> 12 Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: <app> Unable to get Channel Secure Session: Unable to perform siteminder handshake
> > java.lang.Exception: Unable to perform siteminder handshake
> >
> > Our SiteMinder team is telling us it's not their issue. Again, this
> > POST worked fine when using mod_jk and SSL wasn't enabled for
> > connection on Tomcat.
> >
> > Thanks,
> >
> 
> This error message is most likely thrown by the application and not by
> tomcat.
> The underlying error would be important including the full stack below.
> Are there some "caused by" Exceptions below?
> Otherwise the siteminder application is hiding the underlying Exception.
> 
> 
> > > -----Original Message-----
> > > From: [email protected]
> > > <[email protected]>
> > > Sent: Tuesday, July 12, 2022 5:22 PM
> > > To: [email protected]
> > > Subject: RE: [OT] issues with Tomcat to Siteminder communication
> > > post mod-proxy setup
> > >
> > > I'm wondering if it is having to do with the SMSESSION cookie not
> > > getting passed correctly. Still trying to figure this one out.
> > >
> > > Thanks,
> > >
> > >
> > > > -----Original Message-----
> > > > From: Christopher Schultz <[email protected]>
> > > > Sent: Tuesday, July 12, 2022 9:16 AM
> > > > To: [email protected]
> > > > Subject: Re: [OT] issues with Tomcat to Siteminder communication
> > > > post mod-proxy setup
> > > >
> > > > Jon,
> > > >
> > > > On 7/8/22 16:48, [email protected] wrote:
> > > > > Chris,
> > > > >
> > > > > Moving this discussion to here. Yes, it appears that I broke
> > > > > something when setting up the Tomcat Connector for the mod-proxy
> > > > > that is now affecting, somehow, the SSL communication with the
> > > > > Site Minder services. Here is the connector we added below.
> > > >
> > > > The only reason I can think of that would cause your Tomcat TLS
> > > > connector configuration to affect your SiteMinder thing is if you
> > > > are trying to specify the javax.net.ssl.trustStore system property
> > > > for the entire JVM, and allowing Tomcat to inherit that.
> > > >
> > > > > Temporarily have set certificateVerification to optional to see
> > > > > if it was something with the communication between HTTPD and
> > > > > Tomcat.
> > > > >
> > > > > <Connector port="8305"
> > > > >     protocol="org.apache.coyote.http11.Http11NioProtocol"
> > > > >     maxThreads="100" compression="on" scheme="https"
> > > > >     SSLEnabled="true" secure="true">
> > > > >
> > > > >   <SSLHostConfig protocols="TLSv1.2"
> > > > >       certificateVerification="optional" truststoreFile=""
> > > > >       truststorePassword="" truststoreType="JKS"
> > > > >       ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > > >
> > > > Assuming truststoreFile is not actually _blank_, then this should be 
> > > > fine.
> > > >
> > > > >                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > > > >                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > > > >                TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
> > > > >                TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > > > >                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> > > > >                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > > > >                TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> > > > >                TLS_DHE_RSA_WITH_AES_128_CCM,
> > > > >                TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
> > > > >                TLS_DHE_RSA_WITH_AES_128_CCM_8,
> > > > >                TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
> > > > >                TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > > > >                TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > > > >                TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
> > > > >
> > > > >     <Certificate Type="RSA"
> > > > >         certificateKeystoreFile="<certificate>.pfx"
> > > > >         certificateKeystorePassword=""
> > > > >         certificateKeystoreType="pkcs12" />
> > > >
> > > > Note: none of the TLS_XXX_ECDSA_* cipher suites will do anything
> > > > for you, since you are using only an RSA key.
> > > >
> > > > Is your SiteMinder client code using its own special trust store
> > > > and key store?
> > > > If you are getting a handshake failure (mentioned in your message
> > > > to dev@httpd but not here yet: "javax.net.ssl.SSLHandshakeException:
> > > > Received fatal alert: bad_certificate error"), you might want to
> > > > start looking there. The problem is very unlikely to be your
> > > > Tomcat configuration or anything related to it, unless you use the
> > > > same key store and trust store for both.
> > > >
> > > > -chris


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
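
Added example (not part of the thread, and not Tomcat or SiteMinder code): a small audit of a Connector like the one quoted above. It flags cipher suites that can never be negotiated with the configured certificate type, generalising the ECDSA note in the thread to any authentication mismatch, and flags a blank or unset truststoreFile while client certificate verification is enabled. The function names, finding labels and sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector quoted in the thread
# (cipher list shortened; the keystore file name is a placeholder).
SAMPLE = """
<Connector port="8305" scheme="https" SSLEnabled="true" secure="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol">
  <SSLHostConfig protocols="TLSv1.2" certificateVerification="optional"
                 truststoreFile="" truststoreType="JKS"
                 ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                          TLS_DHE_DSS_WITH_AES_128_GCM_SHA256">
    <Certificate Type="RSA" certificateKeystoreFile="placeholder.pfx"
                 certificateKeystoreType="pkcs12" />
  </SSLHostConfig>
</Connector>
"""

# Authentication token of a TLS 1.2 suite name -> Tomcat <Certificate> type.
AUTH_TO_CERT_TYPE = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA"}


def lower_keys(elem):
    """Attribute dict with lower-cased names (the post writes Type="RSA")."""
    return {k.lower(): v.strip() for k, v in elem.attrib.items()}


def suite_cert_type(suite):
    """Certificate type needed by TLS_<kx>_<auth>_WITH_<cipher>, else None."""
    if "_WITH_" not in suite:
        return None  # TLS 1.3 style names carry no authentication token
    return AUTH_TO_CERT_TYPE.get(suite.split("_WITH_")[0].split("_")[-1])


def audit_connector(xml_text):
    """Return (finding, detail) tuples for every SSLHostConfig found."""
    findings = []
    for host in ET.fromstring(xml_text).iter("SSLHostConfig"):
        attrs = lower_keys(host)
        certs = {lower_keys(c).get("type", "UNDEFINED").upper()
                 for c in host.iter("Certificate")}
        for suite in filter(None, (s.strip() for s in attrs.get("ciphers", "").split(","))):
            need = suite_cert_type(suite)
            if need and certs and "UNDEFINED" not in certs and need not in certs:
                findings.append(("cipher-needs-" + need + "-key", suite))
        verify = attrs.get("certificateverification", "none").lower()
        store = attrs.get("truststorefile")  # unset: Tomcat uses javax.net.ssl.trustStore
        if verify != "none" and not store:
            label = "blank-truststore" if store == "" else "jvm-default-truststore"
            findings.append((label, verify))
    return findings
```

Calling audit_connector(SAMPLE) reports the ECDSA and DSS suites as unusable with the RSA-only certificate, plus the blank trust store.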
