[Go-essp-tech] Apache Http Proxy Configuration for esg-gateway.jpl.nasa.gov

Cinquini, Luca (3880) Luca.Cinquini at jpl.nasa.gov
Fri Mar 18 12:46:02 MDT 2011


Hi Nathan,
	I experimented again with publishing to the JPL gateway, and so far our findings (plus what I am starting to recall) confirm your findings... With the current Apache-Tomcat configuration, the user certificate does NOT seem to be transmitted from Apache to Tomcat.

So, if I use the following configuration in the ESG publisher:

hessian_service_port = 443
hessian_service_url = https://esg-gateway.jpl.nasa.gov/remote/secure/client-cert/hessian/publishingService

I get the following error in the publisher, which means the Gateway does not have a certificate and is trying to redirect the request to the login page, I believe:

  File "/usr/local/cdat/lib/python2.6/site-packages/esgcet-2.7.4-py2.6.egg/esgcet/publish/publish.py", line 308, in publishDatasetList
    dset, statusId, state, evname, status = publishDataset(datasetName, parentIdent, service, threddsRootURL, session)
  File "/usr/local/cdat/lib/python2.6/site-packages/esgcet-2.7.4-py2.6.egg/esgcet/publish/publish.py", line 118, in publishDataset
    statusId = service.createDataset(parentId, threddsURL, -1, "Published")
  File "/usr/local/cdat/lib/python2.6/site-packages/esgcet-2.7.4-py2.6.egg/esgcet/publish/hessianlib.py", line 426, in __call__
    return self._invoker(self._method, args)
  File "/usr/local/cdat/lib/python2.6/site-packages/esgcet-2.7.4-py2.6.egg/esgcet/publish/hessianlib.py", line 537, in __invoke
    raise ProtocolError(self._url, errcode, errmsg, headers)
esgcet.publish.hessianlib.ProtocolError: <ProtocolError for https://esg-gateway.jpl.nasa.gov/remote/secure/client-cert/hessian/publishingService: 302 Move

But if I use the following configuration, which queries port 9443 on the Tomcat server directly:

# Publish to NCAR Gateway
hessian_service_port = 9443
hessian_service_url = https://esg-gateway.jpl.nasa.gov/remote/secure/client-cert/hessian/publishingService

everything works fine. So, now that I recall, I did notice this problem several months ago and, after experimentation, figured out that you should publish to Tomcat directly.

I think Paul might be trying to see if he can change the Apache con to allow publishing to it directly, but in any case the above setup should allow you to publish data, and to avoid the Safari truststore problem.

thanks, Luca

On Mar 17, 2011, at 11:41 AM, Nathan Hook wrote:

> Hi Luca,
> 
> Thank you for the reply.
> 
> When you test publishing could you verify if you're publishing to 
> either: esg-gateway.jpl.nasa.gov or jpl-esg.jpl.nasa.gov?
> 
> I've tried verifying that our setup is the same as the one setup at JPL, 
> but there does seem to be a communication problem between apache and tomcat.
> 
> There are some software version differences, but I'm not sure those by 
> themselves could be causing the problems.
> 
> Here are our software versions:
> Apache/2.2.3
> Tomcat/6.0.29
> Java/6.0_23
> 
> There could be issues with SSL Renegotiation...
> 
> Thanks again Luca.
> 
> Regards,
> 
> Nathan H.
> 
> 
> 
> 
> On 3/17/2011 11:28 AM, Cinquini, Luca (3880) wrote:
>> Hi Nathan,
>> 	this is probably not going to be very useful, but just to give you an update...
>> 
>> In the past, I have been able to publish to the JPL Gateway via the standard ESG publisher, which means that the proxy certificate was indeed getting to the Tomcat server. Yesterday I started trying to reproduce the steps to give you some debug information, but I realized I had to upgrade our datanode first. So that's what I have been doing, and as soon as I am done I can report back on the results. It might take till tomorrow since I have a few meetings this pm.
>> 
>> Sorry I can't be more helpful at this time.
>> 
>> thanks, Luca
>> 
>> On Mar 16, 2011, at 4:52 PM, Nathan Hook wrote:
>> 
>>> Hi Paul,
>>> 
>>> Thank you for the very complete explanation of your environment's setup.
>>>  It has been very helpful so far.
>>> 
>>> I do seem to be having difficulty getting a client's x509 certificate
>>> to the tomcat server at this point.  I am testing this functionality by
>>> importing a p12 certificate into my browser and then visiting a page
>>> that uses ssl.
>>> 
>>> Do you happen to know of a reasonable way to debug what might be going
>>> wrong?
>>> 
>>> After snooping both the Apache ssl logs and the ssl debug output of
>>> Tomcat I'm a little nervous that the client's x509 certificate is not
>>> being sent from Apache to Tomcat.
>>> 
>>> Any reasonable suggestions on either what might be wrong or how to debug
>>> the situation would be greatly appreciated.
>>> 
>>> Thank you for your time Paul,
>>> 
>>> Nathan H.
>>> 
>>> 
>>> On 3/16/2011 4:16 AM, Zimdars, Paul A (3880-Affiliate) wrote:
>>>> Hi Nathan,
>>>> 
>>>> Here is an overview of our site deployment:
>>>> 
>>>> CentOS 5.5 x86_64
>>>> Apache HTTPD 2.2.15
>>>> OpenSSL 0.9.8k (required for SNI)
>>>> Apache Tomcat 6.0.20 (Deployed by Luca)
>>>> JDK 1.6.0_13 (Deployed by Luca)
>>>> 
>>>> We first installed OpenSSL 0.9.8k in order to use SNI (Server Name Indication) which allows multiple SSL virtual hosts to share the same IP address while providing unique SSL certificates for each host. I recommend that you read more about it at the following site:
>>>> 
>>>> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>>>> 
>>>> We have multiple SSL virtual hosts using the same IP so SNI was required for our site. We did a standard OpenSSL install with no special flags (deployed to /usr/local/openssl-0.9.8k).
>>>> 
>>>> The next step involved installing Apache 2.2.15 using the OpenSSL deployment mentioned above + the following flags:
>>>> 
>>>>  --with-ssl=/usr/local/openssl-0.9.8k --prefix=/usr/local/apache-2.2.15 --enable-proxy --enable-ssl --enable-cgi --enable-suexec --enable-rewrite --enable-so --enable-proxy-connect --enable-proxy-http --enable-proxy-ajp --enable-ldap --enable-dav --enable-vhost-alias --enable-http --enable-unique-id
>>>> 
>>>> We then configured the VHOST for esg-gateway (80,443). We tried a couple of different configurations but found that the configuration listed below worked well (we also made esg-gateway the first vhost found in httpd.conf since we had a couple of minor issues with wget if it wasn't first (wget doesn't know about SNI)):
>>>> 
>>>> <VirtualHost *:80>
>>>>   ServerName esg-gateway.jpl.nasa.gov
>>>>   ServerAlias esg-gateway
>>>>   ProxyRequests Off
>>>>   ProxyPreserveHost On
>>>>   <Proxy *>
>>>>     AddDefaultCharset Off
>>>>     Order deny,allow
>>>>     Allow from all
>>>>   </Proxy>
>>>>   ProxyPass / http://jpl-esg.jpl.nasa.gov:9080/
>>>>   ProxyPassReverse / http://jpl-esg.jpl.nasa.gov:9080/
>>>>   ServerAdmin sa at list.jpl.nasa.gov
>>>> </VirtualHost>
>>>> 
>>>> <VirtualHost *:443>
>>>>   ServerAlias esg-gateway
>>>>   SSLEngine on
>>>>   SSLProxyEngine on
>>>>   SSLProtocol all
>>>>   ProxyRequests Off
>>>>   ProxyPreserveHost On
>>>>   ServerName esg-gateway.jpl.nasa.gov
>>>>   SSLCipherSuite HIGH:MEDIUM
>>>>   SSLCertificateFile /etc/httpd/conf/certs/esg-gw.crt
>>>>   SSLCertificateKeyFile /etc/httpd/conf/certs/esg-gw.key
>>>>   SSLVerifyClient optional_no_ca
>>>>   SSLOptions +ExportCertData
>>>>   <Proxy *>
>>>>     AddDefaultCharset Off
>>>>     Order deny,allow
>>>>     Allow from all
>>>>   </Proxy>
>>>>   ProxyPass / https://esg-gateway.jpl.nasa.gov:9443/
>>>>   ProxyPassReverse / https://esg-gateway.jpl.nasa.gov:9443/
>>>>   ServerAdmin sa at list.jpl.nasa.gov
>>>> </VirtualHost>
>>>> 
>>>> The tomcat installation was fairly standard so I won't provide details on it. The keystore was purchased from RapidSSL.com and I roughly followed the following site to create and install the keystore:
>>>> 
>>>> http://www.agentbob.info/agentbob/79-AB.html
>>>> 
>>>> Which provided me with our keystore that we added to Tomcat:
>>>> 
>>>> Keystore type: JKS
>>>> Keystore provider: SUN
>>>> 
>>>> Your keystore contains 1 entry
>>>> 
>>>> 1, Mar 16, 2011, PrivateKeyEntry,
>>>> Certificate fingerprint (MD5): 82:03:51:77:CC:4B:F2:8E:44:92:21:C5:BA:FE:39:92
>>>> 
>>>> I do notice that if I use safari (5.0.4) in Windows I have issues accessing esg-gateway over SSL (works fine on my Mac). I also tested using Safari on my Mac (OSX 10.6.6/5.0.4) to directly access our Tomcat installation (bypassing apache) and it fails on the SSL connection.
>>>> 
>>>> Please let me know if you have any further questions or no more information.
>>>> 
>>>> Thanks,
>>>> Paul
>>>> 626-824-1393
>>>> ________________________________________
>>>> From: Nathan Hook [nhook at ucar.edu]
>>>> Sent: Tuesday, March 15, 2011 11:13 AM
>>>> To: Zimdars, Paul A (3880-Affiliate)
>>>> Cc: go-essp-tech at ucar.edu
>>>> Subject: Apache Http Proxy Configuration for esg-gateway.jpl.nasa.gov
>>>> 
>>>> Good Day Paul,
>>>> 
>>>> My name is Nathan Hook with the National Center for Atmospheric Research
>>>> (NCAR) and I have been working with a colleague of yours Luca Cinquini
>>>> on an SSL Handshake problem with a product of ours.
>>>> 
>>>> I am hoping that if you have the time available you would be able to
>>>> help me out a bit.
>>>> 
>>>> Currently a collaboration that I'm working on (with Luca and others) is
>>>> having difficulties with an ssl handshake being too large for the Safari
>>>> web browser buffer and therefore causing Safari users not to access our
>>>> web application via ssl.  Which, is a problem.
>>>> 
>>>> Luca has mentioned that the esg-gateway.jpl.nasa.gov site is proxied
>>>> behind an Apache Http server and it seems as though that configuration
>>>> does not cause the same buffer problem for Safari that a stand alone
>>>> Apache Tomcat server does.
>>>> 
>>>> Would you be willing to share with us your configuration settings for
>>>> both apache and tomcat so we can attempt to duplicate your environment
>>>> here on our test servers and see exactly what is happening during an ssl
>>>> request?
>>>> 
>>>> Thank you for your time Paul.
>>>> 
>>>> Regards,
>>>> 
>>>> Nathan Hook
>>>> 
>>> 
>>> _______________________________________________
>>> GO-ESSP-TECH mailing list
>>> GO-ESSP-TECH at ucar.edu
>>> http://mailman.ucar.edu/mailman/listinfo/go-essp-tech
>> 
> 
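The thread above ends with a workaround (pointing the publisher straight at Tomcat on port 9443) rather than with a fix for the proxy. The underlying reason the certificate never reaches Tomcat is that `ProxyPass / https://...:9443/` makes Apache open a brand-new TLS session to the backend with its own identity, so the browser's client certificate cannot be re-presented on that hop, whichever `SSLVerifyClient` setting the front vhost uses. The vhost below is an added example, not the JPL configuration and not code from the thread: it keeps the page's own certificate paths and `SSLVerifyClient optional_no_ca` / `+ExportCertData` settings, but hands the exported certificate to Tomcat over AJP instead. It assumes Tomcat exposes an AJP connector at `tomcat-backend.example:8009` (a placeholder host and the AJP default port) and that `mod_proxy_ajp` and `mod_headers` are loaded (the build flags quoted above include `--enable-proxy-ajp`).

```apache
# Added example (not the JPL configuration from the thread). Assumes a Tomcat
# AJP connector at tomcat-backend.example:8009 (placeholder host) and that
# mod_proxy_ajp and mod_headers are loaded.
<VirtualHost *:443>
  ServerName esg-gateway.jpl.nasa.gov
  ServerAlias esg-gateway
  SSLEngine on
  SSLCipherSuite HIGH:MEDIUM
  SSLCertificateFile    /etc/httpd/conf/certs/esg-gw.crt
  SSLCertificateKeyFile /etc/httpd/conf/certs/esg-gw.key

  # Apache terminates TLS and asks the browser for a certificate.
  # optional_no_ca also accepts certificates Apache cannot chain to a
  # configured CA, so the application behind the proxy must do its own
  # validation of the certificate it receives.
  SSLVerifyClient optional_no_ca
  # ExportCertData exports the PEM in SSL_CLIENT_CERT; StdEnvVars exports
  # the protocol, cipher and session id alongside it.
  SSLOptions +ExportCertData +StdEnvVars

  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy *>
    AddDefaultCharset Off
    Order deny,allow
    Allow from all
  </Proxy>

  # Option 1: AJP. mod_proxy_ajp sends the exported SSL_CLIENT_CERT as an AJP
  # request attribute and Tomcat's AJP connector exposes it to the webapp as
  # javax.servlet.request.X509Certificate. No second TLS session is created,
  # so nothing has to "re-present" the browser's certificate. Tomcat learns
  # the original scheme/host from the AJP attributes, so no ProxyPassReverse
  # is needed for redirects.
  ProxyPass / ajp://tomcat-backend.example:8009/
</VirtualHost>

# Option 2 (alternative to the ProxyPass above): keep proxying over HTTP(S)
# and pass the PEM in a request header; Tomcat then needs
# org.apache.catalina.valves.SSLValve, which reads the ssl_client_cert
# header and turns it back into the request attribute.
#   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
# With this option any client that can reach Tomcat directly can supply that
# header itself, so the Tomcat connector (9443 in the thread) must be
# reachable only from the proxy host; the same restriction applies to the
# AJP port in option 1.
```

Whichever option is used, the point Nathan was trying to check with the Apache and Tomcat SSL logs is then visible on the Tomcat side as the `javax.servlet.request.X509Certificate` attribute rather than as a TLS-level client certificate, because the client-facing handshake now happens only once, at Apache.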


