
Glassfish 4.0 and jk Unable to populate SSL attributes

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0
    • Fix Version/s: 4.1
    • Component/s: web_container
    • Labels:
      None
    • Environment:

      Glassfish 4.0 b89, Apache 2.2.22 mod_proxy_ajp

      Description

      I am using a jk enabled listener behind Apache.

      GF listener created as follows:
      % asadmin create-network-listener --jkenabled true --protocol http-listener-1 --listenerport 8009 jk-listener

      Apache httpd-ssl.conf mod_proxy_ajp
      ------------------------------------------
      ProxyPass / ajp://localhost:8009/
      ProxyPassReverse / ajp://localhost:8009/

      All seems to work fine: I can connect using SSL to Apache, which proxies the requests through to Glassfish, but I get the exception below in the logs (this does not happen with GF 3):

      [2013-07-10T15:06:37.929+0200] [glassfish 4.0] [WARNING] [] [org.glassfish.grizzly.http.server.util.RequestUtils] [tid: _ThreadID=53 _ThreadName=jk-listener(4)] [timeMillis: 1373461597929] [levelValue: 900] [[
      Unable to populate SSL attributes
      java.lang.IllegalStateException: SSLEngine is null
      at org.glassfish.grizzly.ssl.SSLSupportImpl.<init>(SSLSupportImpl.java:87)
      at org.glassfish.grizzly.http.server.util.RequestUtils.populateSSLAttributes(RequestUtils.java:85)
      at org.glassfish.grizzly.http.server.Request.getAttribute(Request.java:865)
      at org.apache.catalina.connector.Request.populateSSLAttributes(Request.java:4581)
      at org.apache.catalina.connector.Request.getAttributeNames(Request.java:1412)
      at org.apache.catalina.connector.RequestFacade.getAttributeNames(RequestFacade.java:367)
      at org.jboss.weld.context.beanstore.http.RequestBeanStore.getAttributeNames(RequestBeanStore.java:48)
      at org.jboss.weld.context.beanstore.AttributeBeanStore.getPrefixedAttributeNames(AttributeBeanStore.java:207)
      at org.jboss.weld.context.beanstore.AttributeBeanStore.attach(AttributeBeanStore.java:106)
      at org.jboss.weld.context.http.HttpRequestContextImpl.associate(HttpRequestContextImpl.java:52)
      at org.jboss.weld.context.http.HttpRequestContextImpl.associate(HttpRequestContextImpl.java:37)
      at org.jboss.weld.servlet.WeldListener.requestInitialized(WeldListener.java:190)
      at org.apache.catalina.core.StandardContext.fireRequestInitializedEvent(StandardContext.java:5225)
      at org.apache.catalina.core.StandardHostValve.preInvoke(StandardHostValve.java:647)
      at org.apache.catalina.core.StandardHostValve.__invoke(StandardHostValve.java:166)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java)
      at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
      at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
      at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
      at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
      at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
      at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
      at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
      at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
      at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
      at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
      at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
      at java.lang.Thread.run(Thread.java:724)
      ]]

        Activity

        juliohm added a comment -

        I was finally able to get it working! After several days, one of my friends had this insight.

        SSLOptions +StdEnvVars +ExportCertData

        You need ExportCertData enabled in SSLOptions. Now the certificate shows up in the request inside glassfish.

        This is not much related to the ticket here, so I'm glad to get this out of the way from this thread. Thank you very much for the help.

        oleksiys added a comment -

        Do you have this set?

        JkOptions +ForwardSSLCertChain

        If it still doesn't work, can you pls. share your apache configuration (pls. send to oleksiys [at] java.net).

        juliohm added a comment -

        This is the basic setup I have in my VirtualHost (comments and related file paths redacted)

        <VirtualHost ...>
           ......
           JkMount /gf_forward/* ajp13_worker
           SSLEngine on
           SSLProtocol all -SSLv2
           SSLHonorCipherOrder On
           SSLCipherSuite .......
           SSLCertificateFile    /path/to/certfile
           SSLCertificateKeyFile /path/to/keyfile
           SSLCACertificateFile /path/to/ca/certfile
           SSLCARevocationFile /path/to/crlfile
           SSLVerifyClient require
           SSLVerifyDepth  10
           ......
        </VirtualHost>
        

        I just find it funny that connections are correctly directed to glassfish. I can navigate whatever service is deployed in there. For example https://myserver/gf_forward/myapp works just fine. But I can see from my server.log that the request attribute "javax.servlet.request.X509Certificate" resolves to null.

        I'm actually not sure what's going on

        oleksiys added a comment -

        Client certificate should be forwarded to Glassfish as part of the Jk request, so you don't need any additional listeners, neither https nor http.
        But in your case you said

        request.getAttribute("javax.servlet.request.X509Certificate");

        returns null, which IMO means Apache/mod_jk doesn't forward the certificate. Did you try to set the SSLVerifyClient flag to "require"?

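An added example (not code from the ticket or from GlassFish) tying together the two comments above: a servlet filter that reads the forwarded javax.servlet.request.X509Certificate attribute and fails closed when it resolves to null, which is what the thread observed before SSLOptions +ExportCertData was set on the Apache side. The class name and the forwarded.client.subject attribute are assumed names.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Fail-closed check for a client certificate forwarded by Apache over AJP/mod_jk.
// Apache only exports the chain when SSLOptions +ExportCertData is set (plus
// JkOptions +ForwardSSLCertChain for mod_jk); without it the attribute is null.
// Assumed class name; not part of GlassFish or the ticket.
public class ForwardedClientCertFilter implements Filter {
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Returns the subject DN of the leaf certificate, or null when no usable
    // chain was forwarded (attribute missing, wrong type, or empty array).
    static String forwardedSubject(ServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            return null;
        }
        return chain[0].getSubjectX500Principal().getName();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        String subject = forwardedSubject(req);
        if (subject == null) {
            // Apache verified the client (SSLVerifyClient require) but the chain
            // never reached GlassFish; do not silently continue as anonymous.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate was not forwarded by the proxy");
            return;
        }
        // Assumed attribute name; downstream code can rely on it being set.
        req.setAttribute("forwarded.client.subject", subject);
        chain.doFilter(req, resp);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```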
        juliohm added a comment - edited

        Oddly, I already have the SSL config in the VirtualHost.

        I can connect fine using a web browser and the appropriate certificates.

        I've been trying to understand how the mod_jk module works, but I can't get a grip on the concept. Since it's forwarding the SSL authentication to a backend glassfish, does the java server need to receive this through its SSL listener as well (standard port 8181)? Or are the SSL credentials simply filled in within the clear HTTP listener (8080)?

        Do I even need the same certificates in Java keystore as well as in Apache?


          People

          • Assignee:
            oleksiys
            Reporter:
            buddypine
          • Votes:
            0
            Watchers:
            2

            Dates

            • Created:
              Updated:
              Resolved: