top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Mutual certificate authentication between Tomcat and MS IIS

0 votes
364 views

Has somebody of you ever tried to configure certificate mutual authentication between a MS IIS webserver and a Tomcat instance Does somebody know if this is even possible in IIS ?

I usually do it very well with Apache but this time I'm requested to put in front of Tomcat an IIS webserver.
Thanks in advance.

posted Jan 24, 2017 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

0 votes

Has somebody of you ever tried to configure certificate mutual authentication between a MS IIS webserver and a Tomcat instance ?

You want IIS to present a client certificate to Tomcat? Tomcat shouldn't have a problem with that.

Does somebody know if this is even possible in IIS ?

You'd have to configure IIS's HTTP proxy to use a client certificate.

I usually do it very well with Apache but this time I'm requested to put in front of Tomcat an IIS webserver.

I'm sorry I can't help with this, but I'd be interested in hearing the solution.

answer Jan 24, 2017 by anonymous
Similar Questions
+1 vote

Is the PEM-based certificate configuration available for both JSSE-based and APR-based connectors in Tomcat 9 at this point? The documentation says e.g. the "certificateFile" attribute is for "OpenSSL Only", and when I try to launch Tomcat using the NIO connector and a PEM-based certificate file, Tomcat says that the keystore is corrupted (even though no keystore was actually specified).

+2 votes

My webapp have a set of resources, let's call that set R. Some of those resources need to be accessed only from certain source IP addresses, let's call that subset R'. And some subset of R' (let's call it R'') needs authentication.

I have a requirement to check source IP address before authentication.

Right now, R' is specified in web.xml RemoteAddrFilter s, and R'' is specified in web.xml s.

The problem is, filters are executed after container-managed authentication, so login form is presented to the user before RemoteAddrFilter kicks in, and check source IP address. That is not what I need. Users outside trusted IP ranges should not be able to even know about the protected resources, let alone to guess passwords.

RemoteAddrValve, on the other hand, is called before container-managed authentication, but it does not allow specifying s.

What would be a good solution for the above requirement? Extend RemoteAddrValve with the ability to specify s?

0 votes

I have been searching for an answer to how to set this up. I find a lot of posts on session persistence but none seem to describe how to set it up. Is there a simple explanation out there that tells me how I go about setting up session persistence (with Apache, I would just set up memcached on the db server and configure the memcache module on each Apache instance to point to the memcached and it works). I don't need opcode persistence. I just want the tomcats to either a) direct all session traffic to a single node or b) make the two tomcats aware of all sessions. Can someone point me in the right direction? I am not a java coder, but if code changes need to be made, I can work through it.

...