Hi All,
I am struggling to get this working, and would be grateful if anyone could provide some insight please.
[b][Configuration][/b]
32-bit Windows 2003 Server with IIS 6.0 (tried both with IIS running in IIS 5.0 isolation mode and in IIS 6.0 mode)
32-bit Centos 5.2 Linux Server with Sun GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)
sun-passthrough.dll + Load balancer aslb 9.1.1-b12
[b][Background][/b]
I managed to set up communication between IIS and GlassFish using cleartext HTTP at first, then HTTPS. That works fine.
[b][Issue][/b]
I would like to use SSL Mutual Authentication so that GlassFish requests a client certificate from IIS/Sun-Passthrough, but as soon as I enable Client Authentication on GlassFish, the communication between the two fails.
Please note that I can successfully access the application on GlassFish by connecting to it directly and using a Client certificate I installed in my browser. I generated the client certificate using my with my own CA, which GlassFish trusts as it's also the CA that signed its certificate.
I'm finding it hard to debug this:
- nothing is logged in my lb.log file, despite my having granted the IIS_WPG group write + modify access to it and (out of desperation) the Sun-Passthrough virtual directory (I tried log-level={INFO, DEBUG, FINE, FINEST})
- the only entries logged when I first try to access the URI that should redirect to GlassFish are in %WINDIR%\system32\LogFiles\iis_error.log, and they are:
WARNING (2184): : lb.runtime: RNTM2019: Daemon <listener URL> has been intialized.
WARNING (2184): : lb.runtime: ROUT1014: Non-idempotent request <mapped URI> cannot be retried.
WARNING (2184): : lb.runtime: RNTM2024: Daemon <listener URL> is unhealthy.
WARNING (2184): : lb.runtime: RNTM2030: Daemon Monitor : <listener URL> : could be because daemon is down
I have used Wireshark and started GlassFish with -Djavax.net.debug=ssl, but not being a TLS expert all I can gather is that IIS/the sun-passthrough.dll is not sending the client certificate to GlassFish.
The question really is do I tell it which one to use?
- Using the NSS certutil and pk12util I imported the CA, GlassFish and client certificates in the load balancer's security database under sec_db_files.
C:\Inetpub\wwwroot\sun-passthrough>certutil -L -d sec_db_files
certauth CT,C,c
glassfish P,P,P
iispasshtrough u,u,u
That didn't make any difference.
I would be really grateful if anyone could please shed some light on this matter.
FYI my loadbalancer.xml resembles the following:
----- 8< --------- [loadbalancer.xml] ------ 8< -------
<!DOCTYPE loadbalancer PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Application Server 7.1//EN" "sun-loadbalancer_1_2.dtd">
<loadbalancer>
<cluster name="cluster1" policy="round-robin">
<instance name="instance1" enabled="true" disable-timeout-in-minutes="60" listeners="
https://centos.mydomain.com:8182" weight="100"/>
<web-module context-root="fc" enabled="true" disable-timeout-in-minutes="60" error-url="sun-http-lberror.html" />
<health-checker url="/" interval-in-seconds="10" timeout-in-seconds="30" />
</cluster>
<property name="reload-poll-interval-in-seconds" value="60"/>
<property name="response-timeout-in-seconds" value="300"/>
<property name="https-routing" value="true"/>
<property name="require-monitor-data" value="false"/>
<property name="active-healthcheck-enabled" value="false"/>
<property name="number-healthcheck-retries" value="3"/>
<property name="rewrite-location" value="true"/>
<property name="secure" value="true" />
</loadbalancer>
----- 8< --------- [loadbalancer.xml] ------ 8< -------
Many thanks,
[b]Federico G. CIGOGNINI[/b]
[Message sent by forum member 'fcigognini' (fcigognini_at_yahoo.com)]
http://forums.java.net/jive/thread.jspa?messageID=362031