RE: Apache, mod_jk, client certificates, and Jetty

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 

>-----Original Message-----
>From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx] 
>Sent: Tuesday, November 28, 2006 11:18 AM
>To: users@xxxxxxxxxxxxxxxx
>Subject: Re:  Apache, mod_jk, client 
>certificates, and Jetty
>
>On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>> I did uncomment that earlier this morning...
>>
>>         SSLOptions +StdEnvVars +ExportCertData
>>
>> And it blew up Jetty, nice huh?
>
>Not nice at all :-) But without that Apache wont put cert data 
>to env and mod_jk won't see it. What is Jetty? And what do you 
>mean by "blew it up"? Did you get any error messages?

Jetty = http://www.mortbay.org/

Jetty Server died, gave some bogus java error that told you nothing


>
>>
>> Could the way I have my ordering things in httpd.conf and 
>> httpd-ssl.conf be throwing something off?
>
>I don't thinks so.
>
>>
>> Where the httpd-ssl.conf comes first in the httpd.conf, before the 
>> acutual mod_jk stuff?
>>
>
>I'd put mod_jk stuff before mod_ssl stuff. But I don't think 
>that it matters.

I will try it and see if it works, once again, thank you

>
>>
>> Thanks for your responses, I appreciate your help
>>
>>
>>
>>
>>
>> >-----Original Message-----
>> >From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>> >Sent: Tuesday, November 28, 2006 10:53 AM
>> >To: users@xxxxxxxxxxxxxxxx
>> >Subject: Re:  Apache, mod_jk, client certificates, and 
>> >Jetty
>> >
>> >On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>> >>
>> >> I am trying to perform the following...
>> >>
>> >>
>> 
>>Browser_client_with_client_certificate<--https-->apache_with_mod_jk<-
>> >-
>> >> ht
>> >> tps-->Jetty
>> >>
>> >> Also, the browser client is passing a client certificate that I 
>> >> want Jetty to have access to perform A&A.
>> >>
>> >> Browser version = IE 6
>> >> Apache version = 2.2.3
>> >> Mod_jk version = 1.2.19
>> >> Jetty version = 4.2.9
>> >>
>> >> I CAN get the full round trip working under HTTPS, that is not a 
>> >> problem.
>> >> I CAN *** NOT *** get Jetty to have access to the client
>> >certificate,
>> >> Jetty states that it can not find the client certificate.
>> >>
>> >> I am confident that Jetty is configured for AJP (round trip in 
>> >> HTTPS work)and client certificates (when the 
>> >> Browser_client_with_client_certificate hits it directly, 
>it works).
>> >>
>> >>
>> >> Not sure if it is a config thing on apache/mod_jk or what.
>> >>
>> >>
>> >> Below is my Apache and mod_jk config, any ideas???...
>> >>
>> >> ###########################################################
>> >> In my httpd.conf file I have the following...
>> >>
>> >> # Secure (SSL/TLS) connections
>> >> Include conf/extra/httpd-ssl.conf
>> >>
>> >> <IfModule !mod_jk.c>
>> >>
>> >>   #LoadModule jk_module  modules/mod_jk.so
>> >>   LoadModule jk_module
>> >> modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
>> >>
>> >> </IfModule>
>> >>
>> >>
>> >> <IfModule mod_jk.c>
>> >>
>> >>   JkWorkersFile "conf/worker.properties"
>> >>
>> >>   JkLogFile "logs/mod_jk.log"
>> >>
>> >>   JkLogLevel info
>> >>
>> >>   JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>> >>
>> >>   JkOptions +ForwardKeySize +ForwardURICompat
>> >>
>> >> JkExtractSSL On
>> >> # What is the indicator for SSL (default is HTTPS) 
>JkHTTPSIndicator 
>> >> HTTPS # What is the indicator for SSL session (default is
>> >> SSL_SESSION_ID) JkSESSIONIndicator SSL_SESSION_ID # What is the 
>> >> indicator for client SSL cipher suit (default is
>> >> SSL_CIPHER)
>> >> JkCIPHERIndicator SSL_CIPHER
>> >> # What is the indicator for the client SSL certificated 
>(default is
>> >> SSL_CLIENT_CERT)
>> >> JkCERTSIndicator SSL_CLIENT_CERT
>> >>
>> >> </IfModule>
>> >>
>> >> ###########################################################
>> >> In my worker.properties I have...
>> >>
>> >> worker.list=jetty
>> >>
>> >> #worker.jetty.port=8009
>> >> worker.jetty.port=5309
>> >>
>> >> worker.jetty.host=servera
>> >>
>> >> worker.jetty.type=ajp13
>> >>
>> >> worker.jetty.lbfactor=1
>> >>
>> >>
>> >> ###########################################################
>> >> In my httpd-ssl.conf I have...
>> >>
>> >> <VirtualHost _default_:5443>
>> >>
>> >> #SSLOptions +StdEnvVars +ExportCertData
>> >
>> >Uncomment this.
>> >
>> >>
>> >> JkMount /* jetty
>> >>
>> >> #   General setup for the virtual host
>> >> DocumentRoot "/data/dir/dir/tools/web/apache/server/htdocs"
>> >> ServerName kftcsu14.ftc.lab:5443
>> >> ServerAdmin you@xxxxxxxxxxx
>> >> ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
>> >> TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
>> >>
>> >> #   SSL Engine Switch:
>> >> #   Enable/Disable SSL for this virtual host.
>> >> SSLEngine on
>> >>
>> >> SSLProxyEngine on
>> >>
>> >> SSLCipherSuite
>> >> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> >>
>> >> SSLCertificateFile 
>> >> /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
>> >> SSLCertificateKeyFile
>> >> /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
>> >>
>> >> SSLCACertificateFile
>> >> /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
>> >> SSLVerifyClient optional
>> >>
>> >>
>> >> </VirtualHost>
>> >>
>> >>
>> >>
>> >> 
>-------------------------------------------------------------------
>> >> -- The official User-To-User support forum of the Apache HTTP
>> >Server Project.
>> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> >>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>> >>
>> >>
>> >
>> 
>>---------------------------------------------------------------------
>> >The official User-To-User support forum of the Apache HTTP Server 
>> >Project.
>> >See <URL:http://httpd.apache.org/userslist.html> for more info.
>> >To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> >   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> >For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>> >
>> >
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP 
>Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux