GOT IT TO WORK!!!

The old Jetty 4.2.9 server was blowing up when I sent the...

    ForwardKeySize

In httpd.conf...

    JkOptions +ForwardKeySize +ForwardURICompat

ForwardKeySize was not getting parsed in Jetty and was crapping out Jetty when sent to it.

SO, I did this in the config...

    #JkOptions +ForwardKeySize +ForwardURICompat
    JkOptions +ForwardURICompat

And of course, turned on the exporting of the SSL env in httpd-ssl.conf...

    SSLOptions +StdEnvVars +ExportCertData

And it is working, Jetty is getting the client certificate and performing A&A based on it.

BUT, there is one thing I did forget about, currently the AJP port that Jetty is listening on is NOT HTTPS, I am going to try that next, BUT, at least I am making progress.

Hope the above helps someone when they are googling for answers

>-----Original Message-----
>From: Lucuk, Pete [mailto:pete.lucuk@xxxxxxx]
>Sent: Tuesday, November 28, 2006 12:36 PM
>To: users@xxxxxxxxxxxxxxxx
>Subject: RE: Apache, mod_jk, client certificates, and Jetty
>
>>-----Original Message-----
>>From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>>Sent: Tuesday, November 28, 2006 12:08 PM
>>To: users@xxxxxxxxxxxxxxxx
>>Subject: Re: Apache, mod_jk, client certificates, and Jetty
>>
>>On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>>> >> Jetty = http://www.mortbay.org/
>>> >
>>> >Just for my curiosity: why do you need 3 Web servers: Apache -> JBoss
>>> >-> Jetty ? What Jetty does that JBoss can't do?
>>>
>>> Jetty is the HTTP servlet engine for Jboss.
>>>
>>> Just like Tomcat is the HTTP servlet engine for Jboss 4.x
>>
>>Got you. I thought you had JBoss with Tomcat + Jetty.
>
>Nope, the older Jboss 3.07 exclusively used Jetty, Jetty 4.2.9 to be exact
>
>>Then I'm not sure that it'd work at all because I'm not sure that Jetty
>>supports AJP 1.3.
>
>It does, have confirmed with setting up mod_jk and doing HTTPS round trips ( IE->Apache->Jetty->Apache-IE ).
>There is an index.html on Jetty that I am able to see via HTTPS when using mod_jk.
>Jetty config file had an AJP port setting.
>
>IT is just when Jetty tries to get the client certificate in Jetty that I begin to have problems.
>
>>Why not to upgrade JBoss and replace Jetty with Tomcat?
>
>Ahhhhh, yes, why not! Well, I can't, we are running some COTS software CRAP, and I do mean CRAP, that requires Jboss 3.0.7 and Jetty 4.2.9.
>
>I am going to try some more things this afternoon, if I get it to work, I will post the fix.
>
>Thanks much for your time and help!
>
>>> Without Jetty, or Tomcat for that matter, Jboss does not have a HTTP interface.
>>> Jboss is not web server by itself, it needs Tomcat, Jetty, etc. in front of it to do the HTTP.
>>>
>>> >> Jetty Server died, gave some bogus java error that told you nothing
>>> >>
>>> >> >> Could the way I have my ordering things in httpd.conf and
>>> >> >> httpd-ssl.conf be throwing something off?
>>> >> >
>>> >> >I don't think so.
>>> >> >
>>> >> >> Where the httpd-ssl.conf comes first in the httpd.conf, before the
>>> >> >> actual mod_jk stuff?
>>> >> >
>>> >> >I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it
>>> >> >matters.
>>> >>
>>> >> I will try it and see if it works, once again, thank you
>>> >>
>>> >> >> Thanks for your responses, I appreciate your help
>>> >> >>
>>> >> >> >-----Original Message-----
>>> >> >> >From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>>> >> >> >Sent: Tuesday, November 28, 2006 10:53 AM
>>> >> >> >To: users@xxxxxxxxxxxxxxxx
>>> >> >> >Subject: Re: Apache, mod_jk, client certificates, and Jetty
>>> >> >> >
>>> >> >> >On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>>> >> >> >>
>>> >> >> >> I am trying to perform the following...
>>> >> >> >>
>>> >> >> >> Browser_client_with_client_certificate<--https-->apache_with_mod_jk<--https-->Jetty
>>> >> >> >>
>>> >> >> >> Also, the browser client is passing a client certificate that I
>>> >> >> >> want Jetty to have access to perform A&A.
>>> >> >> >>
>>> >> >> >> Browser version = IE 6
>>> >> >> >> Apache version = 2.2.3
>>> >> >> >> Mod_jk version = 1.2.19
>>> >> >> >> Jetty version = 4.2.9
>>> >> >> >>
>>> >> >> >> I CAN get the full round trip working under HTTPS, that is not a
>>> >> >> >> problem.
>>> >> >> >> I CAN *** NOT *** get Jetty to have access to the client certificate,
>>> >> >> >> Jetty states that it can not find the client certificate.
>>> >> >> >>
>>> >> >> >> I am confident that Jetty is configured for AJP (round trip
>>> >> >> >> in HTTPS works) and client certificates (when the
>>> >> >> >> Browser_client_with_client_certificate hits it directly, it works).
>>> >> >> >>
>>> >> >> >> Not sure if it is a config thing on apache/mod_jk or what.
>>> >> >> >>
>>> >> >> >> Below is my Apache and mod_jk config, any ideas???...
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my httpd.conf file I have the following...
>>> >> >> >>
>>> >> >> >> # Secure (SSL/TLS) connections
>>> >> >> >> Include conf/extra/httpd-ssl.conf
>>> >> >> >>
>>> >> >> >> <IfModule !mod_jk.c>
>>> >> >> >>
>>> >> >> >> #LoadModule jk_module modules/mod_jk.so
>>> >> >> >> LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
>>> >> >> >>
>>> >> >> >> </IfModule>
>>> >> >> >>
>>> >> >> >> <IfModule mod_jk.c>
>>> >> >> >>
>>> >> >> >> JkWorkersFile "conf/worker.properties"
>>> >> >> >>
>>> >> >> >> JkLogFile "logs/mod_jk.log"
>>> >> >> >>
>>> >> >> >> JkLogLevel info
>>> >> >> >>
>>> >> >> >> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>>> >> >> >>
>>> >> >> >> JkOptions +ForwardKeySize +ForwardURICompat
>>> >> >> >>
>>> >> >> >> JkExtractSSL On
>>> >> >> >> # What is the indicator for SSL (default is HTTPS)
>>> >> >> >> JkHTTPSIndicator HTTPS
>>> >> >> >> # What is the indicator for SSL session (default is SSL_SESSION_ID)
>>> >> >> >> JkSESSIONIndicator SSL_SESSION_ID
>>> >> >> >> # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
>>> >> >> >> JkCIPHERIndicator SSL_CIPHER
>>> >> >> >> # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
>>> >> >> >> JkCERTSIndicator SSL_CLIENT_CERT
>>> >> >> >>
>>> >> >> >> </IfModule>
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my worker.properties I have...
>>> >> >> >>
>>> >> >> >> worker.list=jetty
>>> >> >> >>
>>> >> >> >> #worker.jetty.port=8009
>>> >> >> >> worker.jetty.port=5309
>>> >> >> >>
>>> >> >> >> worker.jetty.host=servera
>>> >> >> >>
>>> >> >> >> worker.jetty.type=ajp13
>>> >> >> >>
>>> >> >> >> worker.jetty.lbfactor=1
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my httpd-ssl.conf I have...
>>> >> >> >>
>>> >> >> >> <VirtualHost _default_:5443>
>>> >> >> >>
>>> >> >> >> #SSLOptions +StdEnvVars +ExportCertData
>>> >> >> >
>>> >> >> >Uncomment this.
>>> >> >> >
>>> >> >> >> JkMount /* jetty
>>> >> >> >>
>>> >> >> >> # General setup for the virtual host
>>> >> >> >> DocumentRoot "/data/dir/dir/tools/web/apache/server/htdocs"
>>> >> >> >> ServerName kftcsu14.ftc.lab:5443
>>> >> >> >> ServerAdmin you@xxxxxxxxxxx
>>> >> >> >> ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
>>> >> >> >> TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
>>> >> >> >>
>>> >> >> >> # SSL Engine Switch:
>>> >> >> >> # Enable/Disable SSL for this virtual host.
>>> >> >> >> SSLEngine on
>>> >> >> >>
>>> >> >> >> SSLProxyEngine on
>>> >> >> >>
>>> >> >> >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>> >> >> >>
>>> >> >> >> SSLCertificateFile /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
>>> >> >> >> SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
>>> >> >> >>
>>> >> >> >> SSLCACertificateFile /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
>>> >> >> >> SSLVerifyClient optional
>>> >> >> >>
>>> >> >> >> </VirtualHost>
>>> >> >> >>
>>> >> >> >> ---------------------------------------------------------------------
>>> >> >> >> The official User-To-User support forum of the Apache HTTP Server Project.
>>> >> >> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> >> >> >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>> >> >> >>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>>> >> >> >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
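
The fix reported at the top of this thread comes down to three settings: SSLOptions must actually be active (not commented out) in the virtual host that mounts the mod_jk worker, a client certificate must be requested, and ForwardKeySize must not be sent to this Jetty version. The check below is an added example, not code from the thread or from the Apache, mod_jk or Jetty projects; the function names and SAMPLE_CONF are constructed for illustration, and it assumes server-level SSLOptions and SSLVerifyClient are inherited by the virtual host.

```python
import re
# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CONF = """\
JkOptions +ForwardKeySize +ForwardURICompat
<VirtualHost _default_:5443>
    #SSLOptions +StdEnvVars +ExportCertData
    JkMount /* jetty
    SSLVerifyClient optional
</VirtualHost>
"""

def parse(conf):
    """Split active directives into server-level and per-VirtualHost lists."""
    server, vhosts, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is not in effect
        if re.match(r"<VirtualHost\b", line, re.I):
            current = []
            vhosts.append(current)
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = None
        elif not line.startswith("<"):  # <IfModule> wrappers are transparent
            name, *args = line.split()
            (server if current is None else current).append((name.lower(), args))
    return server, vhosts

def enabled(directives, name):
    """Arguments switched on for a directive, lower-cased, '+' stripped."""
    return {a.lstrip("+").lower() for n, args in directives if n == name
            for a in args if not a.startswith("-")}

def audit(conf):
    """Return findings for every virtual host that mounts a mod_jk worker."""
    server, vhosts = parse(conf)
    findings = []
    if "forwardkeysize" in enabled(server + sum(vhosts, []), "jkoptions"):
        findings.append("JkOptions +ForwardKeySize set (thread: Jetty 4.2.9 fails on it)")
    for i, vhost in enumerate(vhosts, 1):
        if not any(n == "jkmount" for n, _ in vhost):
            continue
        # Assumption: server-level settings are inherited by the virtual host.
        missing = {"stdenvvars", "exportcertdata"} - enabled(server + vhost, "ssloptions")
        if missing:
            findings.append(f"vhost {i}: SSLOptions lacks {sorted(missing)}")
        if not enabled(server + vhost, "sslverifyclient") & {"optional", "require"}:
            findings.append(f"vhost {i}: no client certificate is requested")
    return findings
```

Calling `audit()` on the text of httpd.conf with the included httpd-ssl.conf appended returns an empty list once the SSLOptions line is uncommented and ForwardKeySize is dropped.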