>-----Original Message-----
>From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>Sent: Tuesday, November 28, 2006 11:18 AM
>To: users@xxxxxxxxxxxxxxxx
>Subject: Re: Apache, mod_jk, client certificates, and Jetty
>
>On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>> I did uncomment that earlier this morning...
>>
>> SSLOptions +StdEnvVars +ExportCertData
>>
>> And it blew up Jetty, nice huh?
>
>Not nice at all :-) But without that Apache won't put cert data
>to env and mod_jk won't see it. What is Jetty? And what do you
>mean by "blew it up"? Did you get any error messages?

Jetty = http://www.mortbay.org/

Jetty Server died, gave some bogus java error that told you nothing

>
>>
>> Could the way I have my ordering things in httpd.conf and
>> httpd-ssl.conf be throwing something off?
>
>I don't think so.
>
>>
>> Where the httpd-ssl.conf comes first in the httpd.conf, before the
>> actual mod_jk stuff?
>>
>
>I'd put mod_jk stuff before mod_ssl stuff. But I don't think
>that it matters.

I will try it and see if it works, once again, thank you

>
>>
>> Thanks for your responses, I appreciate your help
>>
>>
>> >-----Original Message-----
>> >From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>> >Sent: Tuesday, November 28, 2006 10:53 AM
>> >To: users@xxxxxxxxxxxxxxxx
>> >Subject: Re: Apache, mod_jk, client certificates, and Jetty
>> >
>> >On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>> >>
>> >> I am trying to perform the following...
>> >>
>> >> Browser_client_with_client_certificate<--https-->apache_with_mod_jk<--https-->Jetty
>> >>
>> >> Also, the browser client is passing a client certificate that I
>> >> want Jetty to have access to perform A&A.
>> >>
>> >> Browser version = IE 6
>> >> Apache version = 2.2.3
>> >> Mod_jk version = 1.2.19
>> >> Jetty version = 4.2.9
>> >>
>> >> I CAN get the full round trip working under HTTPS, that is not a
>> >> problem.
>> >> I CAN *** NOT *** get Jetty to have access to the client certificate,
>> >> Jetty states that it can not find the client certificate.
>> >>
>> >> I am confident that Jetty is configured for AJP (round trip in
>> >> HTTPS work) and client certificates (when the
>> >> Browser_client_with_client_certificate hits it directly, it works).
>> >>
>> >> Not sure if it is a config thing on apache/mod_jk or what.
>> >>
>> >> Below is my Apache and mod_jk config, any ideas???...
>> >>
>> >> ###########################################################
>> >> In my httpd.conf file I have the following...
>> >>
>> >> # Secure (SSL/TLS) connections
>> >> Include conf/extra/httpd-ssl.conf
>> >>
>> >> <IfModule !mod_jk.c>
>> >>
>> >> #LoadModule jk_module modules/mod_jk.so
>> >> LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
>> >>
>> >> </IfModule>
>> >>
>> >> <IfModule mod_jk.c>
>> >>
>> >> JkWorkersFile "conf/worker.properties"
>> >>
>> >> JkLogFile "logs/mod_jk.log"
>> >>
>> >> JkLogLevel info
>> >>
>> >> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>> >>
>> >> JkOptions +ForwardKeySize +ForwardURICompat
>> >>
>> >> JkExtractSSL On
>> >> # What is the indicator for SSL (default is HTTPS)
>> >> JkHTTPSIndicator HTTPS
>> >> # What is the indicator for SSL session (default is SSL_SESSION_ID)
>> >> JkSESSIONIndicator SSL_SESSION_ID
>> >> # What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
>> >> JkCIPHERIndicator SSL_CIPHER
>> >> # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)
>> >> JkCERTSIndicator SSL_CLIENT_CERT
>> >>
>> >> </IfModule>
>> >>
>> >> ###########################################################
>> >> In my worker.properties I have...
>> >>
>> >> worker.list=jetty
>> >>
>> >> #worker.jetty.port=8009
>> >> worker.jetty.port=5309
>> >>
>> >> worker.jetty.host=servera
>> >>
>> >> worker.jetty.type=ajp13
>> >>
>> >> worker.jetty.lbfactor=1
>> >>
>> >> ###########################################################
>> >> In my httpd-ssl.conf I have...
>> >>
>> >> <VirtualHost _default_:5443>
>> >>
>> >> #SSLOptions +StdEnvVars +ExportCertData
>> >
>> >Uncomment this.
>> >
>> >>
>> >> JkMount /* jetty
>> >>
>> >> # General setup for the virtual host
>> >> DocumentRoot "/data/dir/dir/tools/web/apache/server/htdocs"
>> >> ServerName kftcsu14.ftc.lab:5443
>> >> ServerAdmin you@xxxxxxxxxxx
>> >> ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
>> >> TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
>> >>
>> >> # SSL Engine Switch:
>> >> # Enable/Disable SSL for this virtual host.
>> >> SSLEngine on
>> >>
>> >> SSLProxyEngine on
>> >>
>> >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> >>
>> >> SSLCertificateFile /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
>> >> SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
>> >>
>> >> SSLCACertificateFile /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
>> >> SSLVerifyClient optional
>> >>
>> >> </VirtualHost>
>> >>
>> >> ---------------------------------------------------------------------
>> >> The official User-To-User support forum of the Apache HTTP Server Project.
>> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> >>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
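
Added example (not part of the thread and not the Apache project's own configuration): the quoted virtual host with the certificate-export line that Serge points to enabled, set beside the looser client-verification and cipher settings from the original post. The "require" setting and the replacement cipher string are assumptions; paths, port and worker name are the ones quoted above.

```apache
# Added example. Paths, port and worker name come from the quoted message;
# settings marked "assumption" do not.

# mod_jk reads the SSL_* variables named here and forwards them to the
# backend with each AJP13 request.
JkExtractSSL       On
JkHTTPSIndicator   HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator  SSL_CIPHER
JkCERTSIndicator   SSL_CLIENT_CERT

<VirtualHost _default_:5443>
    ServerName kftcsu14.ftc.lab:5443
    SSLEngine on
    SSLCertificateFile    /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
    SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem

    # CA bundle used to verify the browser's client certificate.
    SSLCACertificateFile  /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem

    # Thread:     SSLVerifyClient optional
    #   A request without a certificate is still forwarded, so the backend
    #   must itself refuse requests that arrive with no certificate.
    # Assumption: every URL under /* needs a certificate.
    SSLVerifyClient require

    # Thread:     ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    #   Starting from ALL keeps export-grade, LOW and SSLv2 suites in the
    #   list; the "+" entries only reorder, they do not remove anything.
    # Assumption: strong suites only, no anonymous or NULL-encryption suites.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5

    # StdEnvVars creates the SSL_* variables (SSL_CIPHER, SSL_SESSION_ID, ...).
    # ExportCertData adds SSL_CLIENT_CERT, the PEM-encoded client certificate
    # that JkCERTSIndicator points at.
    SSLOptions +StdEnvVars +ExportCertData

    JkMount /* jetty
</VirtualHost>

# The hop to worker "jetty" (servera:5309) is AJP13, which carries no TLS of
# its own; SSLProxyEngine configures mod_proxy and does not affect mod_jk.
# An AJP backend takes the certificate attribute from whichever peer
# connects, so only the Apache host should be able to reach that port.
```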