Mailing List Archive

Jon,

On 7/7/22 16:56, jonmcalexander.wellsfargo.com via dev wrote:
> Seem to have an issue with mod-proxy and making the JSESSIONID and the
> SMSESSION cookie sticky. How can this be done? This setup was working
> with mod-jk, but when moving to mod-proxy over https it’s not working.
> We are configured to use mutual authentication between apache and tomcat
> (for proxy only), but with the certificateVerification set to required
> in Tomcat, we are getting a
> java.base/sun.security.ssl.Alert.createSSLException and with setting it
> to optional, we are getting a javax.net.ssl.SSLHandshakeException:
> Received fatal alert: bad_certificate error (extensive).

Did you double-check the client and server certs to make sure they
haven't expired or anything silly like that?

It sounds like you are reporting multiple problems, here.

Which one is most urgent/problematic? We'll solve one thing at a time.

-chris

Hi Christopher, nice to see a familiar name. :-)

Currently we have it down to a SSL Handshake Failure between the Tomcat server and the SiteMinder server.

com.wellsfargo.mortgage.feature.wff.authorization.login.mvc.UserLoginChannelSecureHelper 08 Jul 2022 08:06:39,505 ERROR [https-jsse-nio-8305-exec-6]: DEVT: ilonline: Unable to get Channel Secure Session: Unable to perform siteminder handshake
java.lang.Exception: Unable to perform siteminder handshake

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


> -----Original Message-----
> From: Christopher Schultz <chris@christopherschultz.net>
> Sent: Friday, July 8, 2022 10:03 AM
> To: dev@httpd.apache.org
> Subject: Re: mod-proxy with sticky JSESSIONID and SiteMinder.
>
> Jon,
>
> On 7/7/22 16:56, jonmcalexander.wellsfargo.com via dev wrote:
> > Seem to have an issue with mod-proxy and making the JSESSIONID and the
> > SMSESSION cookie sticky. How can this be done? This setup was working
> > with mod-jk, but when moving to mod-proxy over https it’s not working.
> > We are configured to use mutual authentication between apache and
> > tomcat (for proxy only), but with the certificateVerification set to
> > required in Tomcat, we are getting a
> > java.base/sun.security.ssl.Alert.createSSLException and with setting
> > it to optional, we are getting a javax.net.ssl.SSLHandshakeException:
> > Received fatal alert: bad_certificate error (extensive).
>
> Did you double-check the client and server certs to make sure they haven't
> expired or anything silly like that?
>
> It sounds like you are reporting multiple problems, here.
>
> Which one is most urgent/problematic? We'll solve one thing at a time.
>
> -chris

Jon,

On 7/8/22 11:30, jonmcalexander.wellsfargo.com via dev wrote:
> Hi Christopher, nice to see a familiar name. :-)
>
> Currently we have it down to a SSL Handshake Failure between the Tomcat server and the SiteMinder server.
>
> com.wellsfargo.mortgage.feature.wff.authorization.login.mvc.UserLoginChannelSecureHelper 08 Jul 2022 08:06:39,505 ERROR [https-jsse-nio-8305-exec-6]: DEVT: ilonline: Unable to get Channel Secure Session: Unable to perform siteminder handshake
> java.lang.Exception: Unable to perform siteminder handshake

Any more detail, other than a stack trace? Did you check your certs?

This looks like the Tomcat side of the connection, since it's a Java
stack trace. Is this what happens when mod_proxy connects to Tomcat, or
is this your application or some other component reaching-out from
Tomcat to elsewhere? I ask because Tomcat is unlikely to emit an error
message saying "Unable to perform siteminder handshake".

Another dumb question: I've been assuming we are talking about:

client (e.g. browser) -> mod_proxy -> Tomcat -> application

This is because you said "this was working with mod_jk" and mod_jk
doesn't do forward-proxying, only reverse-proxying.

But the error message suggests that this has nothing to do with the
connection from httpd / mod_proxy -> Tomcat.

-chris

>> -----Original Message-----
>> From: Christopher Schultz <chris@christopherschultz.net>
>> Sent: Friday, July 8, 2022 10:03 AM
>> To: dev@httpd.apache.org
>> Subject: Re: mod-proxy with sticky JSESSIONID and SiteMinder.
>>
>> Jon,
>>
>> On 7/7/22 16:56, jonmcalexander.wellsfargo.com via dev wrote:
>>> Seem to have an issue with mod-proxy and making the JSESSIONID and the
>>> SMSESSION cookie sticky. How can this be done? This setup was working
>>> with mod-jk, but when moving to mod-proxy over https it’s not working.
>>> We are configured to use mutual authentication between apache and
>>> tomcat (for proxy only), but with the certificateVerification set to
>>> required in Tomcat, we are getting a
>>> java.base/sun.security.ssl.Alert.createSSLException and with setting
>>> it to optional, we are getting a javax.net.ssl.SSLHandshakeException:
>>> Received fatal alert: bad_certificate error (extensive).
>>
>> Did you double-check the client and server certs to make sure they haven't
>> expired or anything silly like that?
>>
>> It sounds like you are reporting multiple problems, here.
>>
>> Which one is most urgent/problematic? We'll solve one thing at a time.
>>
>> -chris

Chris
> -----Original Message-----
> From: Christopher Schultz <chris@christopherschultz.net>
> Sent: Friday, July 8, 2022 10:46 AM
> To: dev@httpd.apache.org
> Subject: Re: mod-proxy with sticky JSESSIONID and SiteMinder.
>
> Jon,
>
> On 7/8/22 11:30, jonmcalexander.wellsfargo.com via dev wrote:
> > Hi Christopher, nice to see a familiar name. :-)
> >
> > Currently we have it down to a SSL Handshake Failure between the Tomcat
> server and the SiteMinder server.
> >
> > com.wellsfargo.mortgage.feature.wff.authorization.login.mvc.UserLoginC
> > hannelSecureHelper 08 Jul 2022 08:06:39,505 ERROR
> > [https-jsse-nio-8305-exec-6]: DEVT: ilonline: Unable to get Channel
> > Secure Session: Unable to perform siteminder handshake
> > java.lang.Exception: Unable to perform siteminder handshake
>
> Any more detail, other than a stack trace? Did you check your certs?

This gives the most information without going into all the sub lines. Don't know what to scrub/not scrub from that. :-)
Yes, checked the cert that is being presented in the proxy section for httpd:

SSLProxyCACertificateFile
SSLProxyMachineCertificateFile

These are formatted correct.

>
> This looks like the Tomcat side of the connection, since it's a Java stack trace.
> Is this what happens when mod_proxy connects to Tomcat, or is this your
> application or some other component reaching-out from Tomcat to
> elsewhere? I ask because Tomcat is unlikely to emit an error message saying
> "Unable to perform siteminder handshake".

Yes, this is after configuring mod_proxy to replace mod_jk. The web and tomcat used to communicate over AJP and didn't have any other connector. An SSL connector was added to Tomcat for the mod_proxy.

>
> Another dumb question: I've been assuming we are talking about:
>
> client (e.g. browser) -> mod_proxy -> Tomcat -> application

The application on Tomcat does the communicating to SiteMinder with the credentials from the .fcc siteminder stuff.

>
> This is because you said "this was working with mod_jk" and mod_jk doesn't
> do forward-proxying, only reverse-proxying.

Apparently something with the mod_proxy is working right as the login page comes up. This is not hosted on the Apache HTTPD.

>
> But the error message suggests that this has nothing to do with the
> connection from httpd / mod_proxy -> Tomcat.
>
> -chris
>
> >> -----Original Message-----
> >> From: Christopher Schultz <chris@christopherschultz.net>
> >> Sent: Friday, July 8, 2022 10:03 AM
> >> To: dev@httpd.apache.org
> >> Subject: Re: mod-proxy with sticky JSESSIONID and SiteMinder.
> >>
> >> Jon,
> >>
> >> On 7/7/22 16:56, jonmcalexander.wellsfargo.com via dev wrote:
> >>> Seem to have an issue with mod-proxy and making the JSESSIONID and
> >>> the SMSESSION cookie sticky. How can this be done? This setup was
> >>> working with mod-jk, but when moving to mod-proxy over https it’s not
> working.
> >>> We are configured to use mutual authentication between apache and
> >>> tomcat (for proxy only), but with the certificateVerification set to
> >>> required in Tomcat, we are getting a
> >>> java.base/sun.security.ssl.Alert.createSSLException and with setting
> >>> it to optional, we are getting a javax.net.ssl.SSLHandshakeException:
> >>> Received fatal alert: bad_certificate error (extensive).
> >>
> >> Did you double-check the client and server certs to make sure they
> >> haven't expired or anything silly like that?
> >>
> >> It sounds like you are reporting multiple problems, here.
> >>
> >> Which one is most urgent/problematic? We'll solve one thing at a time.
> >>
> >> -chris


Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

Jon,

On 7/8/22 13:52, jonmcalexander.wellsfargo.com via dev wrote:
>> Another dumb question: I've been assuming we are talking about:
>>
>> client (e.g. browser) -> mod_proxy -> Tomcat -> application
>
> The application on Tomcat does the communicating to SiteMinder with
> the credentials from the .fcc siteminder stuff.
Then the problem is between the application and SiteMinder, and has
nothing to do with either Tomcat or mod_proxy.

>> This is because you said "this was working with mod_jk" and mod_jk
>> doesn't do forward-proxying, only reverse-proxying.
>
> Apparently something with the mod_proxy is working right as the login
> page comes up. This is not hosted on the Apache HTTPD.
Further corroborating evidence. Your mod_proxy->Tomcat setup is probably
working as expected.

Since it's likely Java-specific, feel free to move this conversation to
users@tomcat, but mark it as [OT] since it's not a problem with Tomcat.
I have a thought that you may have configured something in a way that
could have affected your SiteMinder configuration, but I won't pollute
the dev@http list with it.

BTW next time, ask on users@httpd.apache.org. This is the dev list, to
discuss development, not get user-help.

-chris

Wilco!

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


> -----Original Message-----
> From: Christopher Schultz <chris@christopherschultz.net>
> Sent: Friday, July 8, 2022 3:35 PM
> To: dev@httpd.apache.org
> Subject: Re: mod-proxy with sticky JSESSIONID and SiteMinder.
>
> Jon,
>
> On 7/8/22 13:52, jonmcalexander.wellsfargo.com via dev wrote:
> >> Another dumb question: I've been assuming we are talking about:
> >>
> >> client (e.g. browser) -> mod_proxy -> Tomcat -> application
> >
> > The application on Tomcat does the communicating to SiteMinder with
> > the credentials from the .fcc siteminder stuff.
> Then the problem is between the application and SiteMinder, and has
> nothing to do with either Tomcat or mod_proxy.
>
> >> This is because you said "this was working with mod_jk" and mod_jk
> >> doesn't do forward-proxying, only reverse-proxying.
> >
> > Apparently something with the mod_proxy is working right as the login
> > page comes up. This is not hosted on the Apache HTTPD.
> Further corroborating evidence. Your mod_proxy->Tomcat setup is probably
> working as expected.
>
> Since it's likely Java-specific, feel free to move this conversation to
> users@tomcat, but mark it as [OT] since it's not a problem with Tomcat.
> I have a thought that you may have configured something in a way that could
> have affected your SiteMinder configuration, but I won't pollute the
> dev@http list with it.
>
> BTW next time, ask on users@httpd.apache.org. This is the dev list, to discuss
> development, not get user-help.
>
> -chris