SSLPeerUnverifiedException "Error getting client certs" jboss
starksm64 Dec 9, 2004 11:44 AM (in response to tcherel)
Basically, I cannot get JBoss https to work.
It is not a browser issue, since the browser can get https pages
from a vast number of websites; it's a JBoss config issue.
Using JBoss-3.2.5
In
jboss/server/default/deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml
Note: 1) if one does not set the "SSLImplementation" attribute,
then it assumes one is using the "puretls" implementation, and if
one does not have it around, then one gets a class-not-found issue, and
2) the attribute name MUST be "SSLImplementation"; it cannot be, for
example, "sslImplementation", because JBoss does not match setter/getter
methods by first lower-casing both strings ... no, JBoss only lower-cases
the first character of the attribute name in the xml file....
Near the top of the log, the Digester reads all of the attributes:
2004-12-06 16:45:42,036 DEBUG [BeanUtils] jboss.web:service=WebServer EmbeddedCatalina4.1.x - BeanUtils.populate(org.apache.coyote.tomcat4.CoyoteServerSocketFactory@48f675, {protocol=TLS, keystorePass=tc-ssl, clientAuth=false, SSLImplementation=org.apache.tomcat.util.net.jsse.JSSEImplementation, keystoreFile=/usr/local/ED/app/jboss/server/cs/conf/server.keystore, className=org.apache.coyote.tomcat4.CoyoteServerSocketFactory})
From the log I get:
2004-12-06 16:46:15,850 INFO [Engine] - CoyoteConnector Coyote can't register jmx for protocol
2004-12-06 16:46:15,867 INFO [Http11Protocol] - Starting Coyote HTTP/1.1 on port 50080
2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute soLinger: -1
2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute soTimeout: 60000
2004-12-06 16:46:15,867 DEBUG [Http11Protocol] - Attribute serverSoTimeout: 0
2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute tcpNoDelay: true
2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute jkHome: /usr/local/ED/app/jboss/server/default
2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute port: 50443
2004-12-06 16:46:15,868 DEBUG [Http11Protocol] - Attribute maxThreads: 20
2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute minSpareThreads: 5
2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute maxSpareThreads: 5
2004-12-06 16:46:15,869 DEBUG [Http11Protocol] - Attribute backlog: 10
2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute tcpNoDelay: true
2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute soLinger: -1
2004-12-06 16:46:15,870 DEBUG [Http11Protocol] - Attribute soTimeout: 60000
2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute timeout: 300000
2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute serverSoTimeout: 0
2004-12-06 16:46:15,871 DEBUG [Http11Protocol] - Attribute maxKeepAliveRequests: 100
2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute tomcatAuthentication: true
2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute compression: off
2004-12-06 16:46:15,872 DEBUG [Http11Protocol] - Attribute address: /0.0.0.0
2004-12-06 16:46:15,873 DEBUG [Http11Protocol] - Attribute secure: true
2004-12-06 16:46:15,873 DEBUG [Http11Protocol] - Attribute algorithm: null
2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute keystore: /usr/local/ED/app/jboss/server/default/conf/server.keystore
2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute randomfile: /home/myhome/random.pem
2004-12-06 16:46:15,874 DEBUG [Http11Protocol] - Attribute rootfile: /home/myhome/root.pem
2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute keystoreType: JKS
2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute protocol: TLS
2004-12-06 16:46:15,875 DEBUG [Http11Protocol] - Attribute sslImplementation: org.apache.tomcat.util.net.jsse.JSSEImplementation
2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - Truststore = null
2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - TrustPass = tc-ssl
2004-12-06 16:46:16,091 DEBUG [JSSESocketFactory] - trustType = JKS
Note that the keystore was picked up from the jboss-service.xml file.
Also, note that the "clientAuth" was not picked up!
I assume that this is printed by code in the class
org/apache/coyote/tomcat4/CoyoteConnector.java:
        IntrospectionUtils.setProperty(protocolHandler, "jkHome",
                                       System.getProperty("catalina.base"));

        // Set attributes
        IntrospectionUtils.setProperty(protocolHandler, "port", "" + port);
        IntrospectionUtils.setProperty(protocolHandler, "maxThreads",
                                       "" + maxProcessors);
        IntrospectionUtils.setProperty(protocolHandler, "minSpareThreads",
                                       "" + minProcessors);
        IntrospectionUtils.setProperty(protocolHandler, "maxSpareThreads",
                                       "" + maxSpareProcessors);
        IntrospectionUtils.setProperty(protocolHandler, "backlog",
                                       "" + acceptCount);
        IntrospectionUtils.setProperty(protocolHandler, "tcpNoDelay",
                                       "" + tcpNoDelay);
        IntrospectionUtils.setProperty(protocolHandler, "soLinger",
                                       "" + connectionLinger);
        IntrospectionUtils.setProperty(protocolHandler, "soTimeout",
                                       "" + connectionTimeout);
        IntrospectionUtils.setProperty(protocolHandler, "timeout",
                                       "" + connectionUploadTimeout);
        IntrospectionUtils.setProperty(protocolHandler, "serverSoTimeout",
                                       "" + serverSocketTimeout);
        IntrospectionUtils.setProperty(protocolHandler, "disableUploadTimeout",
                                       "" + disableUploadTimeout);
        IntrospectionUtils.setProperty(protocolHandler, "maxKeepAliveRequests",
                                       "" + maxKeepAliveRequests);
        IntrospectionUtils.setProperty(protocolHandler, "tomcatAuthentication",
                                       "" + tomcatAuthentication);
        IntrospectionUtils.setProperty(protocolHandler, "compression",
                                       compression);
        if (address != null) {
            IntrospectionUtils.setProperty(protocolHandler, "address",
                                           address);
        }

        // Configure secure socket factory
        if (factory instanceof CoyoteServerSocketFactory) {
            IntrospectionUtils.setProperty(protocolHandler, "secure",
                                           "" + true);
            CoyoteServerSocketFactory ssf =
                (CoyoteServerSocketFactory) factory;
            IntrospectionUtils.setProperty(protocolHandler, "algorithm",
                                           ssf.getAlgorithm());
            IntrospectionUtils.setProperty(protocolHandler, "clientauth",
                                           ssf.getClientAuth());
            IntrospectionUtils.setProperty(protocolHandler, "keystore",
                                           ssf.getKeystoreFile());
            IntrospectionUtils.setProperty(protocolHandler, "randomfile",
                                           ssf.getRandomFile());
            IntrospectionUtils.setProperty(protocolHandler, "rootfile",
                                           ssf.getRootFile());
            IntrospectionUtils.setProperty(protocolHandler, "keypass",
                                           ssf.getKeystorePass());
            IntrospectionUtils.setProperty(protocolHandler, "keytype",
                                           ssf.getKeystoreType());
            IntrospectionUtils.setProperty(protocolHandler, "protocol",
                                           ssf.getProtocol());
            IntrospectionUtils.setProperty(protocolHandler,
                                           "sSLImplementation",
                                           ssf.getSSLImplementation());
        } else {
            IntrospectionUtils.setProperty(protocolHandler, "secure",
                                           "" + false);
        }
Again, note that the "clientauth" value is not printed.
Finally, when the browser is pointed at:
https://myhost:50443/jmx-console
the following appears in the log:
2004-12-06 16:46:58,298 DEBUG [JSSE14Support] - Error getting client certs
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(DashoA12275)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.getX509Certificates(JSSE14Support.java:151)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:166)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1007)
        at org.apache.coyote.Response.action(Response.java:226)
        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:314)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:197)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:833)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:711)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:687)
        at java.lang.Thread.run(Thread.java:534)
2004-12-06 16:46:58,325 INFO [Engine] - StandardHost[localhost]: MAPPING configuration error for request URI
2004-12-06 16:46:58,326 INFO [Engine] - StandardHost[localhost]: MAPPING configuration error for request URI
If you do not have logging set to DEBUG, all you get is the "MAPPING"
INFO log ...
So, the Http11Processor in its "action" method has been passed
the value "ActionCode.ACTION_REQ_SSL_CERTIFICATE".
Please, what's going on?
How does one tell jboss to look at the "clientAuth=false" attribute?
Thanks
One would think that accessing JBoss via https would be easier to configure.
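Added illustration (not JBoss or Tomcat code) of the matching rule the post describes: the setter name is "set" plus the XML attribute name with only its first character upper-cased, compared exactly. DemoSocketFactory, setterNameFor and bind are hypothetical names chosen here; the example goes one step beyond the post by reporting every attribute that reached no setter, which is the check to run when an option such as clientAuth seems to be silently ignored.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed stand-in for the socket factory bean (hypothetical class, not
// Tomcat's): it only carries the two setters the illustration needs.
class DemoSocketFactory {
    String sslImplementation;
    String clientAuth = "false";
    public void setSSLImplementation(String v) { sslImplementation = v; }
    public void setClientAuth(String v) { clientAuth = v; }
}

public class AttributeBinding {
    // Model of the rule from the post: ONLY the first character of the
    // attribute name is upper-cased; the rest must already match the setter.
    static String setterNameFor(String attribute) {
        return "set" + Character.toUpperCase(attribute.charAt(0)) + attribute.substring(1);
    }

    // Apply each attribute through reflection and record whether a matching
    // String setter existed, so silently dropped options become visible.
    static Map<String, Boolean> bind(Object bean, Map<String, String> attrs) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            boolean applied = false;
            String wanted = setterNameFor(e.getKey());
            for (Method m : bean.getClass().getMethods()) {
                if (m.getName().equals(wanted) && m.getParameterCount() == 1
                        && m.getParameterTypes()[0] == String.class) {
                    try { m.invoke(bean, e.getValue()); applied = true; }
                    catch (ReflectiveOperationException ex) { throw new IllegalStateException(ex); }
                    break;
                }
            }
            result.put(e.getKey(), applied);
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, String> attrs = new LinkedHashMap<>();   // constructed input
        attrs.put("SSLImplementation", "org.apache.tomcat.util.net.jsse.JSSEImplementation");
        attrs.put("sslImplementation", "org.apache.tomcat.util.net.jsse.JSSEImplementation");
        attrs.put("clientAuth", "false");
        attrs.put("clientauth", "true");   // mis-cased: never reaches setClientAuth
        Map<String, Boolean> r = bind(new DemoSocketFactory(), attrs);
        r.forEach((k, v) -> System.out.println(k + " -> "
            + (v ? "applied" : "IGNORED (no setter " + setterNameFor(k) + ")")));
    }
}
```

Only "SSLImplementation" and "clientAuth" are applied; the two mis-cased names are reported as ignored rather than failing loudly, which is why an unapplied attribute is easy to miss without a check like this.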