users@glassfish.java.net

IIS + sun-passthrough.dll + GlassFish Mutual Authentication

From: <glassfish_at_javadesktop.org>
Date: Wed, 26 Aug 2009 10:58:17 PDT

Hi All,

I am struggling to get this working, and would be grateful if anyone could provide some insight please.

[b][Configuration][/b]

32-bit Windows 2003 Server with IIS 6.0 (tried both with IIS running in IIS 5.0 isolation mode and in IIS 6.0 mode)
32-bit Centos 5.2 Linux Server with Sun GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)
sun-passthrough.dll + Load balancer aslb 9.1.1-b12


[b][Background][/b]

I managed to set up communication between IIS and GlassFish using cleartext HTTP at first, then HTTPS. That works fine.


[b][Issue][/b]

I would like to use SSL Mutual Authentication so that GlassFish requests a client certificate from IIS/Sun-Passthrough, but as soon as I enable Client Authentication on GlassFish, the communication between the two fails.
Please note that I can successfully access the application on GlassFish by connecting to it directly and using a client certificate I installed in my browser. I generated the client certificate using my own CA, which GlassFish trusts as it's also the CA that signed its certificate.

I'm finding it hard to debug this:
 - nothing is logged in my lb.log file, despite my having granted the IIS_WPG group write + modify access to it and (out of desperation) the Sun-Passthrough virtual directory (I tried log-level={INFO, DEBUG, FINE, FINEST})
 - the only entries logged when I first try to access the URI that should redirect to GlassFish are in %WINDIR%\system32\LogFiles\iis_error.log, and they are:

 WARNING (2184): : lb.runtime: RNTM2019: Daemon <listener URL> has been intialized.
 WARNING (2184): : lb.runtime: ROUT1014: Non-idempotent request <mapped URI> cannot be retried.
 WARNING (2184): : lb.runtime: RNTM2024: Daemon <listener URL> is unhealthy.
 WARNING (2184): : lb.runtime: RNTM2030: Daemon Monitor : <listener URL> : could be because daemon is down

I have used Wireshark and started GlassFish with -Djavax.net.debug=ssl, but not being a TLS expert all I can gather is that IIS/the sun-passthrough.dll is not sending the client certificate to GlassFish.
The question really is: do I tell it which one to use?


- Using the NSS certutil and pk12util I imported the CA, GlassFish and client certificates in the load balancer's security database under sec_db_files.

C:\Inetpub\wwwroot\sun-passthrough>certutil -L -d sec_db_files
certauth CT,C,c
glassfish P,P,P
iispasshtrough u,u,u

That didn't make any difference.

I would be really grateful if anyone could please shed some light on this matter.

FYI my loadbalancer.xml resembles the following:

----- 8< --------- [loadbalancer.xml] ------ 8< -------
<!DOCTYPE loadbalancer PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Application Server 7.1//EN" "sun-loadbalancer_1_2.dtd">
<loadbalancer>
    <cluster name="cluster1" policy="round-robin">
        <instance name="instance1" enabled="true" disable-timeout-in-minutes="60" listeners="https://centos.mydomain.com:8182" weight="100"/>
        <web-module context-root="fc" enabled="true" disable-timeout-in-minutes="60" error-url="sun-http-lberror.html" />
        <health-checker url="/" interval-in-seconds="10" timeout-in-seconds="30" />
    </cluster>

    <property name="reload-poll-interval-in-seconds" value="60"/>
    <property name="response-timeout-in-seconds" value="300"/>
    <property name="https-routing" value="true"/>
    <property name="require-monitor-data" value="false"/>
    <property name="active-healthcheck-enabled" value="false"/>
    <property name="number-healthcheck-retries" value="3"/>
    <property name="rewrite-location" value="true"/>
    <property name="secure" value="true" />
</loadbalancer>
----- 8< --------- [loadbalancer.xml] ------ 8< -------

Many thanks,

[b]Federico G. CIGOGNINI[/b]
[Message sent by forum member 'fcigognini' (fcigognini_at_yahoo.com)]

http://forums.java.net/jive/thread.jspa?messageID=362031
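An added example, not part of the original post or of the sun-passthrough/aslb tooling: a small Python triage script that parses the lb.runtime warnings quoted above (thread id, component, message id, daemon URL), reports the last health state per listener, and cross-checks loadbalancer.xml so that each listener's scheme agrees with the https-routing/secure properties. The sample log lines and the second, cleartext instance are constructed for the example; the listener URL is the one from the post.

```python
"""Triage helper for the lb.runtime warnings and loadbalancer.xml quoted above."""
import re
import xml.etree.ElementTree as ET
# Constructed sample, modelled on the four warnings quoted in the post.
SAMPLE_LOG = """\
WARNING (2184): : lb.runtime: RNTM2019: Daemon https://centos.mydomain.com:8182 has been intialized.
WARNING (2184): : lb.runtime: ROUT1014: Non-idempotent request /fc/ cannot be retried.
WARNING (2184): : lb.runtime: RNTM2024: Daemon https://centos.mydomain.com:8182 is unhealthy.
WARNING (2184): : lb.runtime: RNTM2030: Daemon Monitor : https://centos.mydomain.com:8182 : could be because daemon is down
"""
# Constructed loadbalancer.xml: the post's https listener plus a cleartext one.
SAMPLE_XML = """<loadbalancer>
  <cluster name="cluster1" policy="round-robin">
    <instance name="instance1" enabled="true" listeners="https://centos.mydomain.com:8182"/>
    <instance name="instance2" enabled="true" listeners="http://centos.mydomain.com:8181"/>
  </cluster>
  <property name="https-routing" value="true"/>
  <property name="secure" value="true"/>
</loadbalancer>"""
LINE_RE = re.compile(r"^(?P<level>\w+) \((?P<tid>\d+)\): : (?P<comp>[\w.]+): (?P<msgid>[A-Z]+\d+): (?P<text>.*)$")
DAEMON_RE = re.compile(r"Daemon (?:Monitor : )?(?P<url>\S+)")
STATE_BY_MSGID = {"RNTM2019": "initialized", "RNTM2024": "unhealthy"}
def parse_lb_log(text):
    """One dict per recognised line (level, tid, comp, msgid, text, daemon URL or None)."""
    records = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            rec = m.groupdict()
            d = DAEMON_RE.search(rec["text"])
            rec["daemon"] = d.group("url") if d else None
            records.append(rec)
    return records
def daemon_states(records):
    """Last health state seen per listener URL, taken from RNTM2019/RNTM2024."""
    states = {}
    for r in records:
        if r["msgid"] in STATE_BY_MSGID:
            states[r["daemon"]] = STATE_BY_MSGID[r["msgid"]]
    return states

def listener_scheme_mismatches(xml_text):
    """(instance, listener) pairs whose scheme disagrees with https-routing/secure."""
    root = ET.fromstring(xml_text)
    props = {p.get("name"): p.get("value") for p in root.findall("property")}
    want_https = props.get("https-routing") == "true" or props.get("secure") == "true"
    bad = []
    for inst in root.iter("instance"):
        for url in (u.strip() for u in inst.get("listeners", "").split(",")):
            if url and url.startswith("https://") != want_https:
                bad.append((inst.get("name"), url))
    return bad
```

A daemon that goes from "initialized" straight to "unhealthy" with no scheme mismatch points at the TLS handshake itself (here, the missing client certificate) rather than at routing configuration.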