>-----Original Message-----
>From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>Sent: Tuesday, November 28, 2006 12:08 PM
>To: users@xxxxxxxxxxxxxxxx
>Subject: Re: Apache, mod_jk, client certificates, and Jetty
>
>On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>>
>> Jetty = http://www.mortbay.org/
>> >
>> >Just for my curiosity: why do you need 3 Web servers: Apache -> JBoss
>> >-> Jetty? What does Jetty do that JBoss can't do?
>>
>> Jetty is the HTTP servlet engine for Jboss.
>>
>> Just like Tomcat is the HTTP servlet engine for Jboss 4.x
>
>Got you. I thought you had JBoss with Tomcat + Jetty.

Nope, the older Jboss 3.07 exclusively used Jetty, Jetty 4.2.9 to be exact.

>
>Then I'm not sure that it'd work at all because I'm not sure
>that Jetty supports AJP 1.3.

It does, have confirmed with setting up mod_jk and doing HTTPS round trips ( IE->Apache->Jetty->Apache-IE ). There is an index.html on Jetty that I am able to see via HTTPS when using mod_jk. Jetty config file had an AJP port setting.

It is just when Jetty tries to get the client certificate in Jetty that I begin to have problems.

>Why not upgrade JBoss and
>replace Jetty with Tomcat?

Ahhhhh, yes, why not! Well, I can't, we are running some COTS software CRAP, and I do mean CRAP, that requires Jboss 3.0.7 and Jetty 4.2.9.

I am going to try some more things this afternoon, if I get it to work, I will post the fix.

Thanks much for your time and help!

>
>>
>> Without Jetty, or Tomcat for that matter, Jboss does not have an HTTP
>> interface.
>> Jboss is not a web server by itself, it needs Tomcat, Jetty, etc. in
>> front of it to do the HTTP.
>>
>> >
>> >> >> >> Jetty Server died, gave some bogus java error that told you nothing
>> >> >>
>> >> >> Could the way I have my ordering things in httpd.conf and
>> >> >> httpd-ssl.conf be throwing something off?
>> >> >
>> >> >I don't think so.
>> >> >
>> >> >> Where the httpd-ssl.conf comes first in the httpd.conf, before the
>> >> >> actual mod_jk stuff?
>> >> >>
>> >> >
>> >> >I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it
>> >> >matters.
>> >>
>> >> I will try it and see if it works, once again, thank you
>> >>
>> >> >
>> >> >> Thanks for your responses, I appreciate your help
>> >> >>
>> >> >> >-----Original Message-----
>> >> >> >From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>> >> >> >Sent: Tuesday, November 28, 2006 10:53 AM
>> >> >> >To: users@xxxxxxxxxxxxxxxx
>> >> >> >Subject: Re: Apache, mod_jk, client certificates, and Jetty
>> >> >> >
>> >> >> >On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>> >> >> >>
>> >> >> >> I am trying to perform the following...
>> >> >> >>
>> >> >> >> Browser_client_with_client_certificate<--https-->apache_with_mod_jk<--https-->Jetty
>> >> >> >>
>> >> >> >> Also, the browser client is passing a client certificate that I
>> >> >> >> want Jetty to have access to perform A&A.
>> >> >> >>
>> >> >> >> Browser version = IE 6
>> >> >> >> Apache version = 2.2.3
>> >> >> >> Mod_jk version = 1.2.19
>> >> >> >> Jetty version = 4.2.9
>> >> >> >>
>> >> >> >> I CAN get the full round trip working under HTTPS, that is not a
>> >> >> >> problem.
>> >> >> >> I CAN *** NOT *** get Jetty to have access to the client certificate,
>> >> >> >> Jetty states that it can not find the client certificate.
>> >> >> >>
>> >> >> >> I am confident that Jetty is configured for AJP (round trip
>> >> >> >> in HTTPS works) and client certificates (when the
>> >> >> >> Browser_client_with_client_certificate hits it directly, it works).
>> >> >> >>
>> >> >> >> Not sure if it is a config thing on apache/mod_jk or what.
>> >> >> >>
>> >> >> >> Below is my Apache and mod_jk config, any ideas???...
>> >> >> >>
>> >> >> >> ###########################################################
>> >> >> >> In my httpd.conf file I have the following...
>> >> >> >>
>> >> >> >> # Secure (SSL/TLS) connections
>> >> >> >> Include conf/extra/httpd-ssl.conf
>> >> >> >>
>> >> >> >> <IfModule !mod_jk.c>
>> >> >> >>
>> >> >> >> #LoadModule jk_module modules/mod_jk.so
>> >> >> >> LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
>> >> >> >>
>> >> >> >> </IfModule>
>> >> >> >>
>> >> >> >> <IfModule mod_jk.c>
>> >> >> >>
>> >> >> >> JkWorkersFile "conf/worker.properties"
>> >> >> >>
>> >> >> >> JkLogFile "logs/mod_jk.log"
>> >> >> >>
>> >> >> >> JkLogLevel info
>> >> >> >>
>> >> >> >> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>> >> >> >>
>> >> >> >> JkOptions +ForwardKeySize +ForwardURICompat
>> >> >> >>
>> >> >> >> JkExtractSSL On
>> >> >> >> # What is the indicator for SSL (default is HTTPS)
>> >> >> >> JkHTTPSIndicator HTTPS
>> >> >> >> # What is the indicator for SSL session (default is SSL_SESSION_ID)
>> >> >> >> JkSESSIONIndicator SSL_SESSION_ID
>> >> >> >> # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
>> >> >> >> JkCIPHERIndicator SSL_CIPHER
>> >> >> >> # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
>> >> >> >> JkCERTSIndicator SSL_CLIENT_CERT
>> >> >> >>
>> >> >> >> </IfModule>
>> >> >> >>
>> >> >> >> ###########################################################
>> >> >> >> In my worker.properties I have...
>> >> >> >>
>> >> >> >> worker.list=jetty
>> >> >> >>
>> >> >> >> #worker.jetty.port=8009
>> >> >> >> worker.jetty.port=5309
>> >> >> >>
>> >> >> >> worker.jetty.host=servera
>> >> >> >>
>> >> >> >> worker.jetty.type=ajp13
>> >> >> >>
>> >> >> >> worker.jetty.lbfactor=1
>> >> >> >>
>> >> >> >> ###########################################################
>> >> >> >> In my httpd-ssl.conf I have...
>> >> >> >>
>> >> >> >> <VirtualHost _default_:5443>
>> >> >> >>
>> >> >> >> #SSLOptions +StdEnvVars +ExportCertData
>> >> >> >
>> >> >> >Uncomment this.
>> >> >> >
>> >> >> >>
>> >> >> >> JkMount /* jetty
>> >> >> >>
>> >> >> >> # General setup for the virtual host
>> >> >> >> DocumentRoot "/data/dir/dir/tools/web/apache/server/htdocs"
>> >> >> >> ServerName kftcsu14.ftc.lab:5443
>> >> >> >> ServerAdmin you@xxxxxxxxxxx
>> >> >> >> ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
>> >> >> >> TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
>> >> >> >>
>> >> >> >> # SSL Engine Switch:
>> >> >> >> # Enable/Disable SSL for this virtual host.
>> >> >> >> SSLEngine on
>> >> >> >>
>> >> >> >> SSLProxyEngine on
>> >> >> >>
>> >> >> >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> >> >> >>
>> >> >> >> SSLCertificateFile /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
>> >> >> >> SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
>> >> >> >>
>> >> >> >> SSLCACertificateFile /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
>> >> >> >> SSLVerifyClient optional
>> >> >> >>
>> >> >> >> </VirtualHost>
>> >> >> >>
>> >> >> >> ---------------------------------------------------------------------
>> >> >> >> The official User-To-User support forum of the Apache HTTP Server Project.
>> >> >> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> >> >> >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> >> >> >>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> >> >> >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
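
The virtual host from the quoted httpd-ssl.conf with the `SSLOptions` line uncommented as the reply suggests, written out as an added example that is not part of the original messages. The `SSLVerifyClient require`, `SSLProtocol` and `SSLCipherSuite` values are assumptions added here, not settings from the thread.

```apache
# Added example: corrected form of the thread's httpd-ssl.conf virtual host.
# Paths, port and worker name are the ones quoted in the thread.
<VirtualHost _default_:5443>
    SSLEngine on
    SSLCertificateFile    /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
    SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem

    # CA bundle used to verify the browser's client certificate.
    SSLCACertificateFile  /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem

    # Was: SSLVerifyClient optional
    # "optional" completes the handshake even when no certificate is sent,
    # so the backend has to reject certificate-less requests on its own.
    # "require" refuses them in Apache (assumption: every client of this
    # virtual host is expected to present a certificate).
    SSLVerifyClient require

    # Was: #SSLOptions +StdEnvVars +ExportCertData
    # +StdEnvVars puts the SSL_* variables into the request environment;
    # +ExportCertData adds the PEM client certificate as SSL_CLIENT_CERT,
    # the variable named by JkCERTSIndicator in httpd.conf. mod_jk reads
    # these from the request environment when JkExtractSSL is On.
    SSLOptions +StdEnvVars +ExportCertData

    # Was: ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # ALL leaves SSLv2, LOW and 40-bit export suites enabled; the "+" terms
    # only move suites to the end of the preference list, they do not
    # remove them. The two lines below are an assumed replacement.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT

    # Forward everything to the "jetty" worker (ajp13, servera:5309).
    JkMount /* jetty
</VirtualHost>
```

The `jetty` worker is `ajp13`, so the Apache-to-Jetty hop is plain AJP rather than HTTPS and `SSLProxyEngine` has no effect on it. The AJP port (5309 on `servera`) should accept connections only from the Apache host, since the backend takes the forwarded certificate on trust.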