WebSphere HTTP Server - Configuring SSL v3.0


Author Configuring SSL v3.0
ricardocesartrevisan

2004-07-21, 6:04 pm

Hello everybody!!!
I have a webapp, developed and running well in an environment set up
with Apache 1.3 + Mod_SSL + Mod_Jk + Tomcat.

Now I need to put this application on WebSphere App. Server with IHS.
This app, after some verifications, may or may not request X509 authentication.
In my solution, I configured a VirtualHost listening on 443 that has a specific Directory that requests a client certificate.
So, the user starts a connection by SSLv2.0 and then can be redirected to this "specific" directory, where he must have a valid client certificate.


This kind of configuration is running well on Apache with Mod_SSL, as in the following code:
###################################################################################
#httpd.conf -> Apache 1.3 with Mod_SSL
# mapping /Logon on HTTPS
Alias /Logon "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon"
<Directory "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon">
</Directory>

# mapping /Logon/secure on HTTPS V3.0 (Client Authentication)
Alias /security "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon/security"
<Directory "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon/security">
    SSLVerifyClient require
    SSLVerifyDepth 5
</Directory>

JkMount /Logon/* ajp13
###################################################################################




Trying to create the same environment on IHS and following the documentation, I learned that
the tag SSLClientAuth could not create the same situation that we had on Pure-Apache. The IBM-SSL-Module
defines that SSLClientAuth has only VirtualHost scope. To resolve this case, I've tried to divide it into two VirtualHosts:
the first without client authentication, and the second requiring the certificate, as follows:

###################################################################################
NameVirtualHost 172.19.31.179:443

Keyfile /tmp/trevisan.kdb
SSLStashfile /tmp/trevisan.sth

<VirtualHost 172.19.31.179:443>
    ServerName withoutcertificate
    DocumentRoot "/opt/IBMIHS2.0.47/htdocs/en_US/trevisan"
    SSLEnable
    SSLServerCert SERVERCRT
    SSLClientAuth 0
</VirtualHost>

<VirtualHost 172.19.31.179:443>
    ServerName withcertificate
    DocumentRoot "/opt/IBMIHS2.0.47/htdocs/en_US/trevisan"
    SSLEnable
    SSLServerCert SERVERCRT
    SSLClientAuth 1
</VirtualHost>
###################################################################################

But it doesn't work. Regarding SSLClientAuth, IHS always assumes the first configuration, ignoring the request for
client authentication even when calling the "withcertificate" VirtualHost. If I change the positions, declaring the
"withcertificate" VH first, then the window that requests the client certificate appears for the two VirtualHosts.


Trying to use IHS with Mod_SSL and the IBM plug-in to WSAD, I found problems related to DSO and EAPI.

I really need a way to reproduce the Pure-Apache configuration on IHS.
Any criticism or suggestion will be very appreciated.

Thank you.

Sunit Patke

2004-07-21, 6:04 pm

Looks like you are comparing an Apache 1.3 setup with IHS 2.0.47 (Apache 2.x).
Also, repeating the VirtualHost does not solve your problem.

Sunit

"ricardocesartrevisan" <rc.trevisan@uol.com.br> wrote in message
news:1589410420.1090445224694.JavaMail.wasadmin@swg3ws003...
> Hello everybody!!!
> I have a webapp, developed and running well in an environment set up
> with Apache 1.3 + Mod_SSL + Mod_Jk + Tomcat.
>
> Now I need to put this application on WebSphere App. Server with IHS.
> This app, after some verifications, may or may not request X509 authentication.
> In my solution, I configured a VirtualHost listening on 443 that has a specific Directory that requests a client certificate.
> So, the user starts a connection by SSLv2.0 and then can be redirected to this "specific" directory, where he must have a valid client certificate.
>
>
> This kind of configuration is running well on Apache with Mod_SSL, as in the following code:
>
> ###################################################################################
> #httpd.conf -> Apache 1.3 with Mod_SSL
> # mapping /Logon on HTTPS
> Alias /Logon "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon"
> <Directory "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon">
> </Directory>
>
> # mapping /Logon/secure on HTTPS V3.0 (Client Authentication)
> Alias /security "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon/security"
> <Directory "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon/security">
>     SSLVerifyClient require
>     SSLVerifyDepth 5
> </Directory>
>
> JkMount /Logon/* ajp13
> ###################################################################################
>
> Trying to create the same environment on IHS and following the documentation, I learned that
> the tag SSLClientAuth could not create the same situation that we had on Pure-Apache. The IBM-SSL-Module
> defines that SSLClientAuth has only VirtualHost scope. To resolve this case, I've tried to divide it into two VirtualHosts:
> the first without client authentication, and the second requiring the certificate, as follows:
>
> ###################################################################################
> NameVirtualHost 172.19.31.179:443
>
> Keyfile /tmp/trevisan.kdb
> SSLStashfile /tmp/trevisan.sth
>
> <VirtualHost 172.19.31.179:443>
>     ServerName withoutcertificate
>     DocumentRoot "/opt/IBMIHS2.0.47/htdocs/en_US/trevisan"
>     SSLEnable
>     SSLServerCert SERVERCRT
>     SSLClientAuth 0
> </VirtualHost>
>
> <VirtualHost 172.19.31.179:443>
>     ServerName withcertificate
>     DocumentRoot "/opt/IBMIHS2.0.47/htdocs/en_US/trevisan"
>     SSLEnable
>     SSLServerCert SERVERCRT
>     SSLClientAuth 1
> </VirtualHost>
> ###################################################################################
>
> But it doesn't work. Regarding SSLClientAuth, IHS always assumes the first configuration, ignoring the request for
> client authentication even when calling the "withcertificate" VirtualHost. If I change the positions, declaring the
> "withcertificate" VH first, then the window that requests the client certificate appears for the two VirtualHosts.
>
>
> Trying to use IHS with Mod_SSL and the IBM plug-in to WSAD, I found problems related to DSO and EAPI.
>
> I really need a way to reproduce the Pure-Apache configuration on IHS.
> Any criticism or suggestion will be very appreciated.
>
> Thank you.
>
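
The symptom reported in the first post (IHS applying the first VirtualHost's SSLClientAuth to every request on 172.19.31.179:443) follows from the SSL handshake, including the client-certificate request, completing before the Host header is read. The configuration check below is an added example, not code from the thread or from IBM; the function names and the reduced sample configuration are constructed for illustration, and it assumes that an omitted SSLClientAuth means no client certificate is requested.

```python
import re
from collections import defaultdict

# Constructed sample, reduced from the IHS configuration posted in the thread.
SAMPLE_CONF = """\
NameVirtualHost 172.19.31.179:443
<VirtualHost 172.19.31.179:443>
  ServerName withoutcertificate
  SSLEnable
  SSLClientAuth 0
</VirtualHost>
<VirtualHost 172.19.31.179:443>
  ServerName withcertificate
  SSLEnable
  SSLClientAuth 1
</VirtualHost>
"""

LEVELS = {"none": "0", "optional": "1", "required": "2"}  # keyword forms of 0/1/2

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: its address and its directives."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"addr": opened.group(1).strip(), "directives": {}}
        elif re.match(r"</VirtualHost>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None and not line.startswith("<"):
            parts = line.split(None, 1)
            current["directives"][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return vhosts

def conflicting_client_auth(conf):
    """Map each address:port to its SSL vhosts when their SSLClientAuth levels differ."""
    groups = defaultdict(list)
    for vh in parse_vhosts(conf):
        d = vh["directives"]
        if "sslenable" in d:
            # Assumption: a missing SSLClientAuth is treated as level 0 (none).
            level = (d.get("sslclientauth") or "0").split()[0].lower()
            groups[vh["addr"]].append((d.get("servername", "?"), LEVELS.get(level, level)))
    return {addr: hosts for addr, hosts in groups.items()
            if len({lvl for _, lvl in hosts}) > 1}
```

Run against the sample, `conflicting_client_auth(SAMPLE_CONF)` reports 172.19.31.179:443 with both ServerNames and their differing levels, which is the situation in which only the first block's setting took effect for the poster.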




Copyright 2003 - 2008 webservertalk.com