Tomcat 7 HTTPS and LDAP authentication issue


Tomcat 7 HTTPS and LDAP authentication issue

John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
Hello,

We have an application running on Tomcat 7.0.96. The application handles authentication by accessing an internal LDAPS host by using credentials, a keystore, and the
LDAPS hostname and port from an external file from the application and from Tomcat. This works with no issues, until I enable HTTPS in Tomcat. Once I see sessions
are encrypted, users can no longer log on to the application. When I disable HTTPS the users can again authenticate in the application. We do have an Apache reverse
proxy for the application, but when Tomcat HTTPS is enabled I need to use https://hostname:8443/foo to get to the application login screen and not just https://hostname/foo.
With HTTPS disabled I can access the application with http://hostname/foo. That's obviously a config issue I need to address, but would that be why the authentication process
would be broken when HTTPS is enabled?

Thank you
-John
Re: Tomcat 7 HTTPS and LDAP authentication issue

markt
On 08/10/2019 18:55, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:
> Hello,
>
> We have an application running on Tomcat 7.0.96. The application handles authentication by accessing an internal LDAPS host by using credentials, a keystore, and the
> LDAPS hostname and port from an external file from the application and from Tomcat. This works with no issues, until I enable HTTPS in Tomcat. Once I see sessions
> are encrypted, users can no longer log on to the application. When I disable HTTPS the users can again authenticate in the application. We do have an Apache reverse
> proxy for the application, but when Tomcat HTTPS is enabled I need to use https://hostname:8443/foo to get to the application login screen and not just https://hostname/foo.
> With HTTPS disabled I can access the application with http://hostname/foo. That's obviously a config issue I need to address, but would that be why the authentication process
> would be broken when HTTPS is enabled?

How are you configuring TLS for LDAP?

How are you configuring TLS for the Connector?

I suspect that something somewhere is using the JVM wide TLS
configuration properties when it should be using LDAP / Tomcat Connector
specific settings?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
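Mark's suspicion above is about the JVM-wide javax.net.ssl.* properties: any code that relies on the JVM's default SSLContext, including a JNDI LDAPS connection, picks up whatever keystore and truststore those properties name, so a TLS setting made for one purpose can silently change the LDAPS trust decision. One way to insulate the LDAPS client is to give it a socket factory built from the application's own truststore. This is an added example, not code from the thread or from Tomcat; the truststore path and password, the LDAPS URL and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.*;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.*;

// Assumed paths/credentials for illustration; in the thread's setup these
// would come from the application's external config file.
public class AppLdapSocketFactory extends SSLSocketFactory {
    private static final String TRUST_STORE = "/path/to/app-truststore.jks";
    private static final char[] TRUST_STORE_PW = "changeit".toCharArray();
    private final SSLSocketFactory delegate;

    private AppLdapSocketFactory() throws Exception {
        // Private SSLContext from the app's truststore: javax.net.ssl.* system
        // properties only affect the JVM default context, not this one.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) { ts.load(in, TRUST_STORE_PW); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }
    // JNDI calls this static method when java.naming.ldap.factory.socket names this class.
    public static SocketFactory getDefault() {
        try { return new AppLdapSocketFactory(); }
        catch (Exception e) { throw new IllegalStateException("cannot load LDAP truststore", e); }
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean a) throws IOException { return delegate.createSocket(s, h, p, a); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }

    // Bind to the LDAPS host through the isolated socket factory (URL assumed).
    public static InitialDirContext bind(String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.internal:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.factory.socket", AppLdapSocketFactory.class.getName());
        return new InitialDirContext(env);
    }
}
```

Running the LDAPS bind with `-Djavax.net.debug=ssl:handshake` before and after Tomcat's HTTPS is enabled shows which truststore each handshake actually uses, which is the quickest way to confirm or rule out Mark's hypothesis.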

RE: Tomcat 7 HTTPS and LDAP authentication issue

John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
Hi Mark,

> How are you configuring TLS for the Connector?

<Connector port="8443"
         scheme="https"
         secure="true"
         protocol="org.apache.coyote.http11.Http11AprProtocol"
         SSLEnabled="true"
         SSLCertificateFile="/certs/foo.crt"
         SSLCertificateKeyFile="/certs/foo.key"
         maxThreads="150"
         clientAuth="false"
         SSLProtocol="all" />

> How are you configuring TLS for LDAP?

Do you mean inside Tomcat?

Thanks
-John


Re: Tomcat 7 HTTPS and LDAP authentication issue

markt
On 08/10/2019 19:52, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:

> Hi Mark,
>
> How are you configuring TLS for the Connector?
>
> <Connector port="8443"
>          scheme="https"
>          secure="true"
>          protocol="org.apache.coyote.http11.Http11AprProtocol"
>          SSLEnabled="true"
>          SSLCertificateFile="/certs/foo.crt"
>          SSLCertificateKeyFile="/certs/foo.key"
>          maxThreads="150"
>          clientAuth="false"
>          SSLProtocol="all" />
>
> How are you configuring TLS for LDAP?
>
> Do you mean inside Tomcat?

Yes. Or is the authentication happening in httpd?

Mark


RE: Tomcat 7 HTTPS and LDAP authentication issue

John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)
The LDAPS authentication is handled by the application using an external file not in Tomcat or the application that contains
the credentials for the generic Active Directory account accessing LDAP, the Java keystore location, and the FQDN and port of the LDAPS host.

-John
