Configuring SSL v3.0
    Configuring SSL v3.0  
ricardocesartrevisan




 
07-21-04 11:04 PM

Hello everybody!!!
I have a webapp, developed and running well on an environment mounted with Apache 1.3 + Mod_SSL + Mod_Jk + Tomcat.

Now, I need to put this application on WebSphere App. Server with IHS.
This app, after some verifications, can request an X509 authentication or not.
In my solution, I configured a VirtualHost listening on 443 that has a specific Directory that requests a client certificate.
So, the user starts a connection by SSLv2.0 and then can be redirected to this "specific" directory where he must have a valid client certificate.

This kind of configuration is running well on Apache with Mod_SSL, as in the following code:
###################################################################################
#httpd.conf -> Apache 1.3 with Mod_SSL
# mapping /Logon on HTTPS
Alias /Logon "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon"
<Directory "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon">
</Directory>

# mapping /Logon/secure on HTTPS V3.0 (Client Authentication)
Alias /security "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon/security"
<Directory "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon/security">
    SSLVerifyClient      require
    SSLVerifyDepth       5
</Directory>

JkMount /Logon/* ajp13
###################################################################################




Trying to create the same environment on IHS, and following the documentation, I knew that the tag SSLClientAuth could not create the same situation that we had on Pure-Apache. The IBM-SSL-Module defines that SSLClientAuth has only VirtualHost scope. To resolve this case, I've tried to divide it into two VirtualHosts. The first, without client authentication, and the second requiring the certificate. As follows:

###################################################################################
NameVirtualHost 172.19.31.179:443

Keyfile /tmp/trevisan.kdb
SSLStashfile /tmp/trevisan.sth

<VirtualHost 172.19.31.179:443>
    ServerName withoutcertificate
    DocumentRoot "/opt/IBMIHS2.0.47/htdocs/en_US/trevisan"
    SSLEnable
    SSLServerCert   SERVERCRT
    SSLClientAuth   0
</VirtualHost>

<VirtualHost 172.19.31.179:443>
    ServerName withcertificate
    DocumentRoot "/opt/IBMIHS2.0.47/htdocs/en_US/trevisan"
    SSLEnable
    SSLServerCert   SERVERCRT
    SSLClientAuth   1
</VirtualHost>
###################################################################################

But it doesn't work. Related to SSLClientAuth, the IHS always assumes the first configuration, ignoring the request for client authentication even when calling the "withcertificate" VirtualHost. Suppose that I change the positions, declaring the "withcertificate" VH first. Then the window that requests the client certificate appears for the two VirtualHosts.

Trying to use the IHS with Mod_SSL and IBM plug-in to WSAD, I found problems related to DSO and EAPI.

I really need a way to reproduce the Pure-Apache configuration on IHS.
Any criticism and suggestions will be very appreciated.

Thank you.









    Re: Configuring SSL v3.0  
Sunit Patke




 
07-21-04 11:04 PM

Looks like you are comparing Apache 1.3 setup with IHS 2.0.47 (Apache 2.x).
Also repeating the virtualHost does not solve your problem.

Sunit

"ricardocesartrevisan" <rc.trevisan@uol.com.br> wrote in message
news:1589410420.1090445224694.JavaMail.wasadmin@swg3ws003...
> Hello everybody!!!
> I have a webapp, developed and running well on an environment mounted with Apache 1.3 + Mod_SSL + Mod_Jk + Tomcat.
>
> Now, I need to put this application on WebSphere App. Server with IHS.
> This app, after some verifications, can request an X509 authentication or not.
> In my solution, I configured a VirtualHost listening on 443 that has a specific Directory that requests a client certificate.
> So, the user starts a connection by SSLv2.0 and then can be redirected to this "specific" directory where he must have a valid client certificate.
>
> This kind of configuration is running well on Apache with Mod_SSL, as in the following code:
>
> ###################################################################################
> #httpd.conf -> Apache 1.3 with Mod_SSL
> # mapping /Logon on HTTPS
> Alias /Logon "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon"
> <Directory "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon">
> </Directory>
>
> # mapping /Logon/secure on HTTPS V3.0 (Client Authentication)
> Alias /security "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon/security"
> <Directory "/usr/java/jakarta-tomcat-4.1.30/webapps/Logon/security">
>     SSLVerifyClient      require
>     SSLVerifyDepth       5
> </Directory>
>
> JkMount /Logon/* ajp13
> ###################################################################################
>
> Trying to create the same environment on IHS, and following the documentation, I knew that the tag SSLClientAuth could not create the same situation that we had on Pure-Apache. The IBM-SSL-Module defines that SSLClientAuth has only VirtualHost scope. To resolve this case, I've tried to divide it into two VirtualHosts. The first, without client authentication, and the second requiring the certificate. As follows:
>
> ###################################################################################
> NameVirtualHost 172.19.31.179:443
>
> Keyfile /tmp/trevisan.kdb
> SSLStashfile /tmp/trevisan.sth
>
> <VirtualHost 172.19.31.179:443>
>         ServerName withoutcertificate
>         DocumentRoot "/opt/IBMIHS2.0.47/htdocs/en_US/trevisan"
>         SSLEnable
>         SSLServerCert   SERVERCRT
>         SSLClientAuth   0
> </VirtualHost>
>
> <VirtualHost 172.19.31.179:443>
>         ServerName withcertificate
>         DocumentRoot "/opt/IBMIHS2.0.47/htdocs/en_US/trevisan"
>         SSLEnable
>         SSLServerCert   SERVERCRT
>         SSLClientAuth   1
> </VirtualHost>
> ###################################################################################
>
> But it doesn't work. Related to SSLClientAuth, the IHS always assumes the first configuration, ignoring the request for client authentication even when calling the "withcertificate" VirtualHost. Suppose that I change the positions, declaring the "withcertificate" VH first. Then the window that requests the client certificate appears for the two VirtualHosts.
>
> Trying to use the IHS with Mod_SSL and IBM plug-in to WSAD, I found problems related to DSO and EAPI.
>
> I really need a way to reproduce the Pure-Apache configuration on IHS.
> Any criticism and suggestions will be very appreciated.
>
> Thank you.
>
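
A configuration check for the layout discussed in this thread, added here as an example (it is not code from either poster or from IBM): in a handshake without SNI the server requests the client certificate before it has seen the Host header, so SSL virtual hosts sharing one address:port cannot apply different SSLClientAuth values, which matches the "first configuration wins" behaviour reported above. The function names are hypothetical and the sample is the thread's own configuration, trimmed to the SSL directives.

```python
import re
from collections import defaultdict
# Constructed sample: the thread's two-VirtualHost layout, trimmed to the SSL lines.
SAMPLE_CONF = """
<VirtualHost 172.19.31.179:443>
    ServerName withoutcertificate
    SSLEnable
    SSLClientAuth   0
</VirtualHost>
<VirtualHost 172.19.31.179:443>
    ServerName withcertificate
    SSLEnable
    SSLClientAuth   1
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>", re.I)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts, cur = [], None
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:  # client_auth stays None if the block never sets SSLClientAuth
            cur = {"addr": opened.group(1), "name": None, "ssl": False, "client_auth": None}
        elif line.lower().startswith("</virtualhost"):
            if cur is not None:
                vhosts.append(cur)
            cur = None
        elif cur is not None:
            key, *args = line.split()
            if key.lower() == "sslenable":
                cur["ssl"] = True
            elif key.lower() == "servername" and args:
                cur["name"] = args[0]
            elif key.lower() == "sslclientauth" and args:
                cur["client_auth"] = args[0]
    return vhosts

def find_client_auth_conflicts(conf):
    """Flag address:port values shared by SSL vhosts whose SSLClientAuth differs."""
    groups = defaultdict(list)
    for vh in parse_vhosts(conf):
        if vh["ssl"]:
            groups[vh["addr"]].append(vh)
    return [(addr, [(vh["name"], vh["client_auth"]) for vh in vhs])
            for addr, vhs in groups.items()
            if len({vh["client_auth"] for vh in vhs}) > 1]
```

Calling `find_client_auth_conflicts(SAMPLE_CONF)` returns one finding for `172.19.31.179:443`, listing both virtual hosts in file order with their SSLClientAuth values.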







All times are GMT.