Hi
Here is an update on my progress with this problem.
Using IIS V6.0 with JK 1.2.23 and Tomcat 6.0.13, I can confirm my servlet
can now receive an X509Certificate attribute!
I had two configuration problems:
1. I had not enabled "Require client certificate" flag on the IIS folder I
was using - the previous setting of "Accept client certificate" does not
forward an X509Certificate.
2. I had not been using the Local Computer certificate store from the
Windows MMC certificate snap-in - so I had been adding my Trusted Root Cert
to the wrong store.
I used a tool from Microsoft called SSLDiag to diagnose the second of my
problems.
I hope this is useful... if only to state that this is NOT a problem with
JK1.2 or Tomcat 6
Thanks to all who commented
- Simon T
Subject: Re: No X509Certificate Attribute In IIS Redirected Request
Hi Simon,
Have you figured out the problem yet? I am very interest to know.
Thanks
> On Thu, 2007-06-21 at 16:02 +0100, [EMAIL PROTECTED]
> wrote:
> > OK
> >
> > I enabled JK1 debug level logging and can see that IIS6 *is* relaying
the
> > client authenticated SSL details in the AJP stream.
> >
> > I see attributes called:
> >
> > CERT_ISSUER
> > CERT_SUBJECT
> > CERT_COOKIE
> > HTTPS_SERVER_SUBJECT
> > CERT_FLAGS
> > HTTPS_SECRETKEYSIZE
> > CERT_SERIALNUMBER
> > HTTPS_SERVER_ISSUER
> > HTTPS_KEYSIZE
> >
> > JK1 appears to ignore them!
> >
> > So is this a defect in JK 1.2.23 or something I need to 'switch-on'?
> >
> >
> > - Simon Temple
> >
> >
> >
> > 21 June 2007 15:38
> > To: users@tomcat.apache.org
> > cc:
> > From: [EMAIL PROTECTED]
> > Subject: No X509Certificate Attribute In IIS Redirected Request
> >
> >
> >
> > Hi,
> >
> > I'm using:
> >
> > IIS V6.0
> > JK 1.2.23
> > Tomcat 6.0.13
> >
> > No X509Certificate attribute is present in the request header received
by
> > my servlet when using Client Authenticated SLL with IIS6 and JK1.
> >
> > If I use Apache 2.2 with the mod_proxy modules it works fine.
> >
> > Is this a bug? If so, in what... IIS or JK1?
> >
> > Does anyone know of a workaround? Will JK2 fix my problem?
> >
> > My customer must use IIS... so replacing with Apache is not an option.
:-(
> >
> >
> > TIA
> >
> >
> > Simon Temple
> >
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> >
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
