Re: Apache, mod_jk, client certificates, and Jetty

Congratulations! See down there...

On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
GOT IT TO WORK!!!

The old Jetty 4.2.9 server was blowing up when I sent the...

        ForwardKeySize

In httpd.conf...

        JkOptions +ForwardKeySize +ForwardURICompat


ForwardKeySize was not getting parsed in Jetty and was crapping out
Jetty when sent to it.

SO, I did this in the config...

        #JkOptions +ForwardKeySize +ForwardURICompat
        JkOptions +ForwardURICompat

And of course, turned on the exporting of the SSL env in
httpd-ssl.conf...

        SSLOptions +StdEnvVars +ExportCertData

And it is working, Jetty is getting the client certificate and
performing A&A based on it.

BUT, there is one thing I did forget about: currently the AJP port that
Jetty is listening on is NOT HTTPS. I am going to try that next, BUT at
least I am making progress.

AJP is not HTTPS, but it's not HTTP either. It's a proprietary protocol
and I'm not sure that you can secure it any way besides port
forwarding through SSH. On my system I have Tomcat and Apache on the
same box, so I made Tomcat listen on the localhost address only and use
clear AJP. In case of separate boxes I'd try SSH tunneling for AJP.


Hope the above helps someone when they are googling for answers.

>-----Original Message-----
>From: Lucuk, Pete [mailto:pete.lucuk@xxxxxxx]
>Sent: Tuesday, November 28, 2006 12:36 PM
>To: users@xxxxxxxxxxxxxxxx
>Subject: RE: Apache, mod_jk, client certificates, and Jetty
>
>
>
>>-----Original Message-----
>>From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>>Sent: Tuesday, November 28, 2006 12:08 PM
>>To: users@xxxxxxxxxxxxxxxx
>>Subject: Re: Apache, mod_jk, client certificates, and Jetty
>>
>>On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>>> >> Jetty = http://www.mortbay.org/
>>> >
>>> >Just for my curiosity: why do you need 3 Web servers: Apache -> JBoss
>>> >-> Jetty ? What does Jetty do that JBoss can't?
>>>
>>>
>>> Jetty is the HTTP servlet engine for JBoss.
>>>
>>> Just like Tomcat is the HTTP servlet engine for JBoss 4.x
>>
>>Got you. I thought you had JBoss with Tomcat + Jetty.
>
>Nope, the older JBoss 3.07 exclusively used Jetty, Jetty 4.2.9
>to be exact
>
>>
>>Then I'm not sure that it'd work at all because I'm not sure
>>that Jetty supports AJP 1.3.
>
>It does, I have confirmed it by setting up mod_jk and doing HTTPS
>round trips ( IE->Apache->Jetty->Apache->IE ).
>There is an index.html on Jetty that I am able to see via HTTPS
>when using mod_jk.
>The Jetty config file had an AJP port setting.
>
>It is just when Jetty tries to get the client certificate in
>Jetty that I begin to have problems.
>
>>Why not upgrade JBoss and
>>replace Jetty with Tomcat?
>
>
>Ahhhhh, yes, why not!  Well, I can't, we are running some COTS
>software CRAP, and I do mean CRAP, that requires JBoss 3.0.7
>and Jetty 4.2.9.
>
>
>I am going to try some more things this afternoon, if I get it
>to work, I will post the fix.
>
>Thanks much for your time and help!
>
>>
>>>
>>> Without Jetty, or Tomcat for that matter, JBoss does not have an HTTP
>>> interface.
>>> JBoss is not a web server by itself, it needs Tomcat, Jetty, etc. in
>>> front of it to do the HTTP.
>>>
>>>
>>> >
>>> >>
>>> >> Jetty Server died, gave some bogus java error that told you nothing
>>> >>
>>> >>
>>> >> >
>>> >> >>
>>> >> >> Could the way I have my ordering things in httpd.conf and
>>> >> >> httpd-ssl.conf be throwing something off?
>>> >> >
>>> >> >I don't think so.
>>> >> >
>>> >> >>
>>> >> >> Where the httpd-ssl.conf comes first in the httpd.conf, before the
>>> >> >> actual mod_jk stuff?
>>> >> >>
>>> >> >
>>> >> >I'd put mod_jk stuff before mod_ssl stuff. But I don't think that it
>>> >> >matters.
>>> >>
>>> >> I will try it and see if it works, once again, thank you
>>> >>
>>> >> >
>>> >> >>
>>> >> >> Thanks for your responses, I appreciate your help
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> >-----Original Message-----
>>> >> >> >From: Serge Dubrouski [mailto:sergeyfd@xxxxxxxxx]
>>> >> >> >Sent: Tuesday, November 28, 2006 10:53 AM
>>> >> >> >To: users@xxxxxxxxxxxxxxxx
>>> >> >> >Subject: Re: Apache, mod_jk, client certificates, and Jetty
>>> >> >> >
>>> >> >> >On 11/28/06, Lucuk, Pete <pete.lucuk@xxxxxxx> wrote:
>>> >> >> >>
>>> >> >> >> I am trying to perform the following...
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Browser_client_with_client_certificate<--https-->apache_with_mod_jk<--https-->Jetty
>>> >> >> >>
>>> >> >> >> Also, the browser client is passing a client certificate that I
>>> >> >> >> want Jetty to have access to perform A&A.
>>> >> >> >>
>>> >> >> >> Browser version = IE 6
>>> >> >> >> Apache version = 2.2.3
>>> >> >> >> Mod_jk version = 1.2.19
>>> >> >> >> Jetty version = 4.2.9
>>> >> >> >>
>>> >> >> >> I CAN get the full round trip working under HTTPS, that is not a
>>> >> >> >> problem.
>>> >> >> >> I CAN *** NOT *** get Jetty to have access to the client certificate,
>>> >> >> >> Jetty states that it can not find the client certificate.
>>> >> >> >>
>>> >> >> >> I am confident that Jetty is configured for AJP (round trips
>>> >> >> >> in HTTPS work) and client certificates (when the
>>> >> >> >> Browser_client_with_client_certificate hits it directly,
>>> >> >> >> it works).
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Not sure if it is a config thing on apache/mod_jk or what.
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> Below is my Apache and mod_jk config, any ideas???...
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my httpd.conf file I have the following...
>>> >> >> >>
>>> >> >> >> # Secure (SSL/TLS) connections
>>> >> >> >> Include conf/extra/httpd-ssl.conf
>>> >> >> >>
>>> >> >> >> <IfModule !mod_jk.c>
>>> >> >> >>
>>> >> >> >>   #LoadModule jk_module  modules/mod_jk.so
>>> >> >> >>   LoadModule jk_module modules/mod_jk-1.2.19-apache-2.2.3-solaris-sparc.so
>>> >> >> >>
>>> >> >> >> </IfModule>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> <IfModule mod_jk.c>
>>> >> >> >>
>>> >> >> >>   JkWorkersFile "conf/worker.properties"
>>> >> >> >>
>>> >> >> >>   JkLogFile "logs/mod_jk.log"
>>> >> >> >>
>>> >> >> >>   JkLogLevel info
>>> >> >> >>
>>> >> >> >>   JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
>>> >> >> >>
>>> >> >> >>   JkOptions +ForwardKeySize +ForwardURICompat
>>> >> >> >>
>>> >> >> >> JkExtractSSL On
>>> >> >> >> # What is the indicator for SSL (default is HTTPS)
>>> >> >> >> JkHTTPSIndicator HTTPS
>>> >> >> >> # What is the indicator for SSL session (default is SSL_SESSION_ID)
>>> >> >> >> JkSESSIONIndicator SSL_SESSION_ID
>>> >> >> >> # What is the indicator for client SSL cipher suite (default is SSL_CIPHER)
>>> >> >> >> JkCIPHERIndicator SSL_CIPHER
>>> >> >> >> # What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
>>> >> >> >> JkCERTSIndicator SSL_CLIENT_CERT
>>> >> >> >>
>>> >> >> >> </IfModule>
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my worker.properties I have...
>>> >> >> >>
>>> >> >> >> worker.list=jetty
>>> >> >> >>
>>> >> >> >> #worker.jetty.port=8009
>>> >> >> >> worker.jetty.port=5309
>>> >> >> >>
>>> >> >> >> worker.jetty.host=servera
>>> >> >> >>
>>> >> >> >> worker.jetty.type=ajp13
>>> >> >> >>
>>> >> >> >> worker.jetty.lbfactor=1
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> ###########################################################
>>> >> >> >> In my httpd-ssl.conf I have...
>>> >> >> >>
>>> >> >> >> <VirtualHost _default_:5443>
>>> >> >> >>
>>> >> >> >> #SSLOptions +StdEnvVars +ExportCertData
>>> >> >> >
>>> >> >> >Uncomment this.
>>> >> >> >
>>> >> >> >>
>>> >> >> >> JkMount /* jetty
>>> >> >> >>
>>> >> >> >> #   General setup for the virtual host
>>> >> >> >> DocumentRoot "/data/dir/dir/tools/web/apache/server/htdocs"
>>> >> >> >> ServerName kftcsu14.ftc.lab:5443
>>> >> >> >> ServerAdmin you@xxxxxxxxxxx
>>> >> >> >> ErrorLog /data/dir/dir/tools/web/apache/server/logs/error_log
>>> >> >> >> TransferLog /data/dir/dir/tools/web/apache/server/logs/access_log
>>> >> >> >>
>>> >> >> >> #   SSL Engine Switch:
>>> >> >> >> #   Enable/Disable SSL for this virtual host.
>>> >> >> >> SSLEngine on
>>> >> >> >>
>>> >> >> >> SSLProxyEngine on
>>> >> >> >>
>>> >> >> >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>> >> >> >>
>>> >> >> >> SSLCertificateFile /data/dir/dir/tools/web/apache/ssl/bin/cacert.pem
>>> >> >> >> SSLCertificateKeyFile /data/dir/dir/tools/web/apache/ssl/bin/privkey.pem
>>> >> >> >>
>>> >> >> >> SSLCACertificateFile /data/dir/dir/tools/web/apache/ssl/bin/public_ca.pem
>>> >> >> >> SSLVerifyClient optional
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> </VirtualHost>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
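Two points in the exchange above are easier to see on the wire: the SSL variables that +ExportCertData exports (client certificate included) cross the AJP link in cleartext, and +ForwardKeySize adds an attribute the old Jetty could not parse. The following is an added example, not code from the thread, mod_jk or Jetty; it encodes and decodes the SSL attributes of an AJP13 forward request per the AJP protocol reference, and the host names, addresses, cipher name and certificate text in it are constructed samples.

```python
import struct

# AJP13 wire format per Tomcat's AJP protocol reference; all sample values are constructed.
AJP_MAGIC = b"\x12\x34"   # web server -> container packets start with this
FORWARD_REQUEST, SC_A_ARE_DONE = 0x02, 0xFF
# Attribute codes mod_jk uses for the SSL variables; 0x0B is the one +ForwardKeySize adds
ATTR_NAMES = {0x07: "SSL_CLIENT_CERT", 0x08: "SSL_CIPHER", 0x09: "SSL_SESSION_ID", 0x0B: "SSL_KEY_SIZE"}
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed placeholder...\n-----END CERTIFICATE-----"

def _enc(s):  # AJP string: 2-byte big-endian length, the bytes, then a NUL terminator
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"

def _int(buf, pos):  # 16-bit big-endian integer -> (value, next position)
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def _dec(buf, pos):  # inverse of _enc; a length of 0xFFFF means the null string
    n, pos = _int(buf, pos)
    return (None, pos) if n == 0xFFFF else (buf[pos:pos + n].decode("latin-1"), pos + n + 1)

def build_forward_request(uri, attrs, is_ssl=True):  # minimal request, no headers, as mod_jk sends it
    body = bytes([FORWARD_REQUEST, 2]) + _enc("HTTP/1.1") + _enc(uri)  # type, method GET, ...
    body += _enc("10.0.0.5") + _enc("client.example") + _enc("kftcsu14.ftc.lab")
    body += struct.pack(">H", 5443) + bytes([int(is_ssl)]) + struct.pack(">H", 0)  # port, is_ssl, 0 hdrs
    for code, value in attrs.items():
        # ssl_key_size is the one attribute carried as a 16-bit integer instead of a string
        body += bytes([code]) + (struct.pack(">H", value) if code == 0x0B else _enc(value))
    body += bytes([SC_A_ARE_DONE])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body

def parse_ssl_attributes(packet):  # -> {"is_ssl": bool, "SSL_CLIENT_CERT": ..., "SSL_KEY_SIZE": ...}
    length, body = _int(packet, 2)[0], packet[4:]
    if packet[:2] != AJP_MAGIC or len(body) != length or body[0] != FORWARD_REQUEST:
        raise ValueError("not a complete AJP13 forward request")
    pos = 2                                         # skip type and method
    for _ in range(5):                              # protocol, uri, remote_addr, remote_host, server_name
        _, pos = _dec(body, pos)
    _, pos = _int(body, pos)                        # server_port
    out, pos = {"is_ssl": bool(body[pos])}, pos + 1
    num_headers, pos = _int(body, pos)
    for _ in range(num_headers):                    # header name is a 0xA0xx code or a string
        _, pos = _dec(body, pos + 2 if body[pos] == 0xA0 else _dec(body, pos)[1])
    while body[pos] != SC_A_ARE_DONE:
        code, pos = body[pos], pos + 1
        if code == 0x0B:                            # a string-only parser desyncs right here
            out["SSL_KEY_SIZE"], pos = _int(body, pos)
        else:                                       # 0x0A req_attribute carries a name, then the value
            key, pos = _dec(body, pos) if code == 0x0A else (ATTR_NAMES.get(code, code), pos)
            out[key], pos = _dec(body, pos)
    return out
```

Because every field in the packet is readable as-is, the reply's advice to bind the AJP port to localhost or tunnel it over SSH is the mitigation that matters once the certificate is being forwarded.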


