2014-01-28 John Palmer <johnpalm...@gmail.com>:
> We have two similar production environments which use:
> request.getAttribute("javax.servlet.request.X509Certificate")
> for several purposes.
>
> These use Tomcat behind IIS using the Jakarta connector (aka reverse proxy)
> and have been running since 2006 and 2011 respectively without significant
> issues ... other than perhaps insufficient memory (and sometimes IIS can't
> talk to Tomcat and everything has to be restarted, multiple times, to
> resolve).
>
> We're trying to upgrade/replace these servers with 64-bit Windows OS due
> to memory constraints caused by the use of 32-bit OS, and these attributes
> (and related SSL attributes in Tomcat) are now returning NULL in our DEV
> environment.
>
> Old environment:
> IIS 5.0 on Windows Server 2003 SP2, Jakarta Isapi Redirector 1.2.37, Tomcat 7.0.47
>
> (While researching "how to set up Jakarta Isapi Redirector in IIS 7.5 with
> a 64-bit Windows 2008" I saw multiple people reporting issues with poor
> performance, lockups etc, and decided we would try Bon Code instead.)
>
> New environment:
> IIS 7.5 on Win Server 2008 R2, Bon Code 1.0.17, Tomcat 7.0.47
>
> IIS is configured with Client Cert Required; browser is being prompted for
> cert, and cert info is being sent to IIS.
>
> According to Bon Code logs, request headers are being populated with plenty
> of information, including client cert and client issuer cert information.
>
> It looks like Tomcat is receiving these request headers, but is not
> populating the request attributes related to SSL and Cert information, but
> I can't see why in the logs, even after turning the logs to ALL and wading
> through the copious output.
>
> After looking through the Tomcat source multiple times, I don't see how the
> AJP connector can populate these request attributes at all - but it is in
> our current (32-bit OS) environment.
>
> -----------------------------
> I understand that Tomcat is NOT doing the SSL connection itself - IIS is,
> just as Apache Web Server can be made to do, but my understanding is that
> Tomcat should be able to populate these attributes from information sent
> with the request through the AJP connector (eg, in the Request Headers).
> That seems to be working wonderfully in our current environment...
>
> I suspect that I simply have something not configured properly - but is it
> IIS 7.5, Bon Code, or Tomcat?
>
> After multiple attempts to resolve this I'm at a loss...
> your help appreciated...
> -------------------------------------------------------------------------
>
> Tomcat server.xml (AJP connector):
> <Connector URIEncoding="UTF-8" enableLookups="false" port="8029"
>   protocol="AJP/1.3" redirectPort="8443" />
> (added tomcatAuthentication="false", scheme="https" secure="true"
> without making any difference)
I do not have a real answer, but if you have come this far, maybe you want to try running Tomcat under a debugger? See http://wiki.apache.org/tomcat/FAQ/Developing#Debugging

The above configuration of a <Connector> selects either a BIO or an APR connector (depending on presence of tcnative-1.dll). Which connector implementation is actually used should be visible from startup logs.

A place of interest for a breakpoint is org.apache.coyote.ajp.AbstractAjpProcessor#prepareRequest(). Look for 'case Constants.SC_A_SSL_CERT' there.

Another place is AbstractAjpProcessor#action(...), see ActionCode.REQ_SSL_ATTRIBUTE there.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
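An added example, not code from this thread or from Tomcat, showing how a Servlet 3.0 filter on Tomcat 7 would consume the javax.servlet.request.X509Certificate attribute the application above relies on, and fail closed when it arrives NULL (the symptom John describes) while logging the sibling SSL attributes so the gap is visible. The filter name ClientCertFilter and the clientCertSubject attribute it sets are assumptions.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter name; javax.servlet.* is the API level of Tomcat 7.
public class ClientCertFilter implements Filter {
    // The attribute from the thread: the container fills it with the chain the
    // TLS terminator (IIS here, forwarded over AJP) presented, leaf first.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        if (certs == null || certs.length == 0) {
            // Failure mode from the thread: the proxy demanded a certificate but
            // the attribute never reached Tomcat. Fail closed, and record whether
            // the request is even flagged secure and whether the other Servlet-spec
            // SSL attributes made it across, which narrows down where the data stops.
            request.getServletContext().log(String.format(
                "no client cert attribute: secure=%s scheme=%s cipher_suite=%s ssl_session_id=%s",
                request.isSecure(), request.getScheme(),
                request.getAttribute("javax.servlet.request.cipher_suite"),
                request.getAttribute("javax.servlet.request.ssl_session_id")));
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity(); // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }
        // Hand the authenticated identity downstream under an assumed attribute name.
        request.setAttribute("clientCertSubject", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```

The filter checks only the leaf's validity period; chain verification is the TLS terminator's job (IIS with Client Cert Required here), and because the chain reaches Tomcat as data on the AJP connection, the AJP port should be reachable only from that proxy.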