Finally, by debugging and trial and error, I have got the correct configuration.

------------------------------------------------------
<VirtualHost *:443>
ServerAdmin [EMAIL PROTECTED]
ServerSignature On

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLVerifyClient optional_no_ca
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLOptions +ExportCertData +StdEnvVars

JkExtractSSL On
JkMount /ovt ajp13_worker
JkMount /ovt/* ajp13_worker
</VirtualHost>
--------------------------------------------------------

And then, these attributes are available in the request:

"javax.servlet.request.X509Certificate"
"javax.servlet.request.ssl_session"
"javax.servlet.request.cipher_suite"

For example:

request.getAttribute("javax.servlet.request.cipher_suite");

Hope it helps.

On Fri, 05-10-2007 at 09:08 +0200, Josué Alcalde González wrote:
> Hello.
>
> I would like to get some advice about a new application I am developing.
>
> It needs SSL with client certificate and it will be written in java and
> deployed in Tomcat 6 with java 6.
>
> The server will be shared with other applications in java, php and
> perhaps others.
>
> Now, it is an ubuntu 6.06 server with an apache 2.0 installation, a tomcat
> 6.0 and a mod_jk 1.2.14.
>
> There are some applications written in php and a java application. The
> java application is served by apache using mod_jk. It uses SSL but it
> doesn't need client certificate. SSL is only configured in Apache.
> Tomcat 6 uses normal connections (8080, 8009) which are closed.
>
> This works perfectly but my next application will need client auth using
> a X509Certificate and I need a way to get it in my Servlets.
>
> I have read some documentation in google and I have tried it.
>
> First, I configured a Virtual Host with Apache
>
> ---------------------------------------------------------
> <VirtualHost *:443>
> ServerAdmin [EMAIL PROTECTED]
> ServerSignature On
>
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/apache.pem
> SSLVerifyClient optional_no_ca
>
> JkExtractSSL On
> JkMount /ovt ajp13_worker
> JkMount /ovt/* ajp13_worker
> </VirtualHost>
> ---------------------------------------------------------
>
> Then, I made a Servlet to try it:
>
> -----------------------------------------------------------
> // Display the cipher suite in use
> String cipherSuite = (String)
>     request.getAttribute("javax.net.ssl.cipher_suite");
> out.println("Cipher Suite: " + cipherSuite);
>
> // Display the client's certificates, if there are any
> if (cipherSuite != null) {
>     X509Certificate certChain[] = (X509Certificate[])
>         request.getAttribute("javax.net.ssl.peer_certificates");
>     if (certChain != null) {
>         for (int i = 0; i < certChain.length; i++) {
>             out.println("Client Certificate [" + i + "] = " +
>                 certChain[i].toString());
>         }
>     }
> }
> -----------------------------------------------------------
>
> And it didn't work. CipherSuite is always null.
>
> I haven't configured anything in tomcat. As I have read, it should work
> but it is obvious I am missing something.
>
> I would like to manage SSL with Apache better than using java keystores,
> if it is possible.
>
> Also, I would like to have an application which does not need apache to
> work and which works perfectly in tomcat standalone.
>

--
_______________________________________________
Josué Alcalde González
[EMAIL PROTECTED]
Dpto. Desarrollo
CSA - Centro Regional de Servicios Avanzados
C/ López Bravo, 1
Pol. Ind. Villalonquéjar (Burgos)
Tel. (+34) 947 256 250
Fax. (+34) 947 256 583
Web: http://www.csa.es
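
Added example, not part of the original messages and not code from Tomcat or mod_jk: with SSLVerifyClient optional_no_ca Apache does not check the client certificate against any CA, so the servlet has to validate what arrives in "javax.servlet.request.X509Certificate" itself before using it for authentication. The class name ClientCertCheck and the caller-supplied KeyStore of accepted CA certificates are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;

// Hypothetical helper (added example): reads the forwarded client
// certificate and validates it against the CAs the application trusts.
public final class ClientCertCheck {
    // Standard servlet attribute names, as listed in the reply above.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";

    // Assumption: the caller loads this with the accepted CA certificates.
    private final KeyStore trustedCas;

    public ClientCertCheck(KeyStore trustedCas) {
        this.trustedCas = trustedCas;
    }

    // Returns the validated client certificate, or null if the request
    // carried none. Throws if the certificate does not chain to a trusted CA.
    public X509Certificate verifiedClientCert(HttpServletRequest request)
            throws GeneralSecurityException {
        // No cipher suite attribute: the request did not come in over SSL.
        if (request.getAttribute(CIPHER_ATTR) == null) {
            return null;
        }
        X509Certificate[] chain =
                (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            return null; // client certificate is optional, none was sent
        }
        // optional_no_ca lets unverifiable (e.g. self-signed) certificates
        // through, so the PKIX path check has to happen here.
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trustedCas);
        // Assumption: revocation checking is out of scope for this sketch.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return chain[0];
    }
}
```

The same attribute names are set by Tomcat's own SSL connector, so the check is not tied to the Apache front end.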