Configuring Apache to pass SSL-related variables to Tomcat/mod_jk2

Posted on 2004-08-18
Last Modified: 2010-10-05
Hi,

I have a server configured with Apache 2.0.something, Tomcat, and mod_jk2.

Apache is configured to require SSL client certificates.

Almost everything seems to be working, but I want to have some JSPs that access some of the information in the client certificates to do authentication and some reporting.

I've tried various things in my JSPs, but whenever I try to access any of the SSL-related stuff from the request, I am getting a null return.

I've tested with cgi-bin/printenv.pl, and that shows ALL of the SSL-related variables:

COMSPEC="C:\WINNT\system32\cmd.exe"
DOCUMENT_ROOT="E:/Apache/htdocs"
DOWNGRADE_1_0="1"
FORCE_RESPONSE_1_0="1"
GATEWAY_INTERFACE="CGI/1.1"
HTTPS="on"
HTTP_ACCEPT="image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-us"
HTTP_CONNECTION="Keep-Alive"
HTTP_HOST="jimnew.test.com"
HTTP_USER_AGENT="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
NOKEEPALIVE="1"
PATH="C:\j2sdk1.4.2_04\bin;E:\oracle\ora92\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;e:\Utility;C:\Program Files\ATI Technologies\ATI Control Panel;E:\Program Files\FME Suite"
PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"
QUERY_STRING=""
REMOTE_ADDR="192.168.0.120"
REMOTE_PORT="2282"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv.pl"
SCRIPT_FILENAME="E:/Apache/cgi-bin/PRINTENV.PL"
SCRIPT_NAME="/cgi-bin/printenv.pl"
SERVER_ADDR="192.168.0.120"
SERVER_ADMIN="you@example.com"
SERVER_NAME="jimnew.test.com"
SERVER_PORT="443"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.0.50 (Win32) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4 Server at jimnew.test.com Port 443</address>\n"
SERVER_SOFTWARE="Apache/2.0.50 (Win32) mod_ssl/2.0.50 OpenSSL/0.9.7d mod_jk2/2.0.4"
SSL_CIPHER="RC4-MD5"
SSL_CIPHER_ALGKEYSIZE="128"
SSL_CIPHER_EXPORT="false"
SSL_CIPHER_USEKEYSIZE="128"
SSL_CLIENT_A_KEY="rsaEncryption"
SSL_CLIENT_A_SIG="md5WithRSAEncryption"
SSL_CLIENT_I_DN="/C=US/ST=VA/L=Oakton/O=JimCo/OU=Test Dept/CN=Certificate Manager"
SSL_CLIENT_I_DN_C="US"
SSL_CLIENT_I_DN_CN="Certificate Manager"
SSL_CLIENT_I_DN_L="Oakton"
SSL_CLIENT_I_DN_O="JimCo"
SSL_CLIENT_I_DN_OU="Test Dept"
SSL_CLIENT_I_DN_ST="VA"
SSL_CLIENT_M_SERIAL="04"
SSL_CLIENT_M_VERSION="3"
SSL_CLIENT_S_DN="/C=US/O=Jimco/OU=Test Dept/UID=admin/CN=CMS Agent/emailAddress=admin@foo.com"
SSL_CLIENT_S_DN_C="US"
SSL_CLIENT_S_DN_CN="CMS Agent"
SSL_CLIENT_S_DN_EMAIL="admin@foo.com"
SSL_CLIENT_S_DN_O="Jimco"
SSL_CLIENT_S_DN_OU="Test Dept"
SSL_CLIENT_VERIFY="SUCCESS"
SSL_CLIENT_V_END="Jun 29 02:13:07 2005 GMT"
SSL_CLIENT_V_START="Jun 29 02:13:07 2004 GMT"
SSL_PROTOCOL="SSLv3"
SSL_SERVER_A_KEY="rsaEncryption"
SSL_SERVER_A_SIG="sha1WithRSAEncryption"
SSL_SERVER_I_DN="/C=US/ST=VA/L=Oakton/O=JimCo/OU=Test Dept/CN=Certificate Manager"
SSL_SERVER_I_DN_C="US"
SSL_SERVER_I_DN_CN="Certificate Manager"
SSL_SERVER_I_DN_L="Oakton"
SSL_SERVER_I_DN_O="JimCo"
SSL_SERVER_I_DN_OU="Test Dept"
SSL_SERVER_I_DN_ST="VA"
SSL_SERVER_M_SERIAL="0B"
SSL_SERVER_M_VERSION="3"
SSL_SERVER_S_DN="/CN=jimnew.test.com/OU=Test Dept/O=JimCo-STest/L=Oakton/ST=VA/C=US"
SSL_SERVER_S_DN_C="US"
SSL_SERVER_S_DN_CN="jimnew.test.com"
SSL_SERVER_S_DN_L="Oakton"
SSL_SERVER_S_DN_O="JimCo"
SSL_SERVER_S_DN_OU="Test Dept"
SSL_SERVER_S_DN_ST="VA"
SSL_SERVER_V_END="Jan 26 01:25:03 2005 GMT"
SSL_SERVER_V_START="Jul 30 01:25:03 2004 GMT"
SSL_SESSION_ID="FCF2B14658A2A7D92075CA2B99259153C654161C3C2B502D1E980E1EEC86C5A0"
SSL_UNCLEAN_SHUTDOWN="1"
SSL_VERSION_INTERFACE="mod_ssl/2.0.50"
SSL_VERSION_LIBRARY="OpenSSL/0.9.7d"
SYSTEMROOT="C:\WINNT"
WINDIR="C:\WINNT"

But, no matter what, I can't retrieve any of the SSL information from request in my JSPs.  I've even ported a SnoopServlet.java example from Sun, and it doesn't show any of the SSL variables, so I'm kind of convinced that:

1) Apache has the SSL certificate information
2) Apache seems to be passing the SSL certificate information
3) Somewhere between mod_jk2 and Tomcat, the SSL certificate information is being dropped.

My questions:

1) What do I need to do to configure Apache+Tomcat+mod_jk2 to allow Apache to pass the SSL related information on to Tomcat?

2) Does anyone have any ideas about how I might go about debugging this?  

I thought that I had seen somewhere that you could add something like "AjpEnvVars" to some configuration file, and I'm thinking I need to do that, but I can't find the reference any more.

Here's my SSL.CONF:

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
# Note: This must come before the <IfDefine SSL> container to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#<IfDefine SSL>

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  exec:e:\apache\conf\passphrase.bat

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:logs/ssl_scache(512000)
#SSLSessionCache        shmcb:logs/ssl_scache(512000)
SSLSessionCache         dbm:logs\ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
#SSLMutex  file:logs\ssl_mutex
SSLMutex default

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "e:\apache\htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog logs\error_log
TransferLog logs\access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
SSLCertificateFile ssl\server-certificate.crt
#SSLCertificateFile conf\ssl.crt\server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile ssl\server-certificate.key
#SSLCertificateKeyFile conf\ssl.key\server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile conf\ssl.crt\ca.crt
SSLCertificateChainFile ssl\server-certificate.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath ssl
SSLCACertificateFile ssl\ca-certificate.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath conf\ssl.crl
#SSLCARevocationFile conf\ssl.crl\ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth  5

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(jsp|cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "e:\apache\cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
<Directory "E:\Tomcat\jakarta-tomcat-5.0.27\webapps\ROOT">
    SSLOptions +StdEnvVars
</Directory>
<Directory "E:\Tomcat\jakarta-tomcat-5.0.27\webapps\ROOT\jsp-examples">
    SSLOptions +StdEnvVars +ExportCertData +CompatEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs\ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                  

#</IfDefine>


Thanks.  I really hope that someone here can help :(!!!

Jim
Question by:jimcpl
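The post's own test is printenv.pl, which runs inside Apache and so sees every SSL_* variable; it says nothing about what crosses the AJP link. The servlet below is an added diagnostic for this question, not code from the original post or from the Tomcat or mod_jk projects. It is written against the Servlet 2.4 API that ships with Tomcat 5.0 (hence no generics), and the class and output labels are my own choice. It reports the spec-defined TLS request attributes (which Tomcat's AJP connector fills from whatever the web server forwards), dumps every other attribute so a variable passed individually shows up by name, and then treats only the forwarded X.509 chain as an identity source, rejecting it when it is outside its validity period:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * SslSnoopServlet: added diagnostic for this question, not code from the
 * original post. Deploy it in the secured web application and request it
 * over https through Apache; the output shows which TLS facts survived the
 * AJP hop. Servlet 2.4 style (Tomcat 5.0), so no generics.
 */
public class SslSnoopServlet extends HttpServlet {

    // Attribute names defined by the Servlet specification. Tomcat's AJP
    // connector sets them from what mod_jk/mod_jk2 forwards; when nothing
    // is forwarded they are simply absent (null), which is what the JSPs saw.
    private static final String CERT_ATTR    = "javax.servlet.request.X509Certificate";
    private static final String CIPHER_ATTR  = "javax.servlet.request.cipher_suite";
    private static final String KEYSIZE_ATTR = "javax.servlet.request.key_size";
    private static final String SESSION_ATTR = "javax.servlet.request.ssl_session";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Build the report in memory so a rejection below can still use
        // sendError() on an uncommitted response.
        StringBuffer report = new StringBuffer();

        // Step 1: did the connector even learn that the request was HTTPS?
        report.append("isSecure()  = ").append(req.isSecure()).append('\n');
        report.append("scheme      = ").append(req.getScheme()).append('\n');
        report.append("server port = ").append(req.getServerPort()).append('\n');

        // Step 2: the spec-defined TLS attributes, null when not forwarded.
        report.append(CIPHER_ATTR).append(" = ").append(req.getAttribute(CIPHER_ATTR)).append('\n');
        report.append(KEYSIZE_ATTR).append(" = ").append(req.getAttribute(KEYSIZE_ATTR)).append('\n');
        report.append(SESSION_ATTR).append(" = ").append(req.getAttribute(SESSION_ATTR)).append('\n');

        // Step 3: everything else the connector attached, e.g. SSL_CLIENT_S_DN
        // if the web server is configured to pass individual variables through.
        report.append("--- all request attributes ---\n");
        for (Enumeration e = req.getAttributeNames(); e.hasMoreElements();) {
            String name = (String) e.nextElement();
            if (!name.equals(CERT_ATTR)) {   // the chain is reported separately below
                report.append(name).append(" = ").append(req.getAttribute(name)).append('\n');
            }
        }

        // Step 4: the client certificate chain is the only thing a JSP should
        // base identity on. Absent means the handshake facts stopped at Apache.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            report.append("client certificate: NOT forwarded to Tomcat\n");
        } else {
            X509Certificate leaf = chain[0];
            try {
                leaf.checkValidity();   // rejects expired / not-yet-valid certificates
            } catch (CertificateException ex) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "client certificate outside its validity period");
                return;
            }
            report.append("client subject = ").append(leaf.getSubjectX500Principal().getName()).append('\n');
            report.append("client issuer  = ").append(leaf.getIssuerX500Principal().getName()).append('\n');
            report.append("client serial  = ").append(leaf.getSerialNumber().toString(16)).append('\n');
            report.append("chain length   = ").append(chain.length).append('\n');
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.print(report.toString());
    }
}
```

Reading the output: if isSecure() is false and every attribute is null, the connector was never told the request was HTTPS, so the problem is on the Apache/mod_jk2 side rather than in the JSPs; if the cipher and session attributes arrive but the chain does not, only the certificate itself is missing, and the PEM certificate is carried by the SSL_CLIENT_CERT variable, which the ssl.conf comments above say is exported only by +ExportCertData (the <Files> block for .jsp enables +StdEnvVars alone). One caveat for anything built on this: Tomcat does not re-verify the forwarded chain against the CA, it trusts what arrives on the AJP port, so that port must be reachable only from the Apache host.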
Expert Comment

by:rama_krishna580
ID: 11837803

Author Comment

by:jimcpl
ID: 11838173
Hi R.K.,

Thanks for responding.  I think I've been to some or all of those sites, but they don't address the problem that I'm having.

But, I think that I may have just found the answer a bit ago.  It looks like there's a compile directive called "EAPI" which is needed when Apache (and mod_ssl, and mod_jk/jk2) is compiled when SSL is used, and it looks like the binaries that I have were not compiled with that directive.  So, I'm now trying to find a binary distribution for Apache, mod_ssl, and mod_jk or mod_jk2 that were compiled with "--EAPI".

If anyone out there has one, or knows where to find one, please post!!

Jim
Accepted Solution

by:
rama_krishna580 earned 250 total points
ID: 11851977