Closed grgrzybek closed 1 year ago
We were using the below 3PPs.
In Karaf, when you install pax-web-jetty feature you should get template configuration (org.ops4j.pax.web.cfg):
# non secure connector configuration
org.osgi.service.http.enabled = true
org.osgi.service.http.port = 8181
# secure connector configuration
org.osgi.service.http.secure.enabled = false
#org.osgi.service.http.port.secure = 8443
#org.ops4j.pax.web.ssl.truststore = ${karaf.etc}/server.keystore
#org.ops4j.pax.web.ssl.truststore.password = passw0rd
#org.ops4j.pax.web.ssl.truststore.type = JKS
#org.ops4j.pax.web.ssl.keystore = ${karaf.etc}/server.keystore
#org.ops4j.pax.web.ssl.keystore.password = passw0rd
#org.ops4j.pax.web.ssl.keystore.type = JKS
#org.ops4j.pax.web.ssl.key.password = passw0rd
#org.ops4j.pax.web.ssl.key.alias = server
#org.ops4j.pax.web.ssl.clientauth.needed = false
#org.ops4j.pax.web.ssl.protocols.included = TLSv1.3
#org.ops4j.pax.web.ssl.protocol = TLSv1.3
#org.ops4j.pax.web.ssl.protocols.included = TLSv1.2 TLSv1.3
#org.ops4j.pax.web.ssl.ciphersuites.included = TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384
#org.ops4j.pax.web.ssl.secureRandom.algorithm = NativePRNGNonBlocking
#org.ops4j.pax.web.ssl.renegotiationAllowed = true
#org.ops4j.pax.web.ssl.session.enabled = true
# external Jetty configuration file where Jetty-specific beans may be declared
#org.ops4j.pax.web.config.file = ${karaf.etc}/jetty.xml
# optional Jetty context configuration file applied to all web contexts
# see https://www.eclipse.org/jetty/documentation/jetty-9/index.html#using-basic-descriptor-files
#org.ops4j.pax.web.context.file = ${karaf.etc}/jetty-web.xml
# SameSite attribute configuration for session cookie (possible values: none, lax, strict)
# Important: when using OpenID Connect / Oauth2 (e.g., Keycloak) SameSite=strict won't work, because
# the Keycloak redirected response after authentication should contain JSESSIONID cookie
#org.ops4j.pax.web.session.cookie.sameSite = strict
# this is a root directory for all the context-specific directories managed by Pax Web
javax.servlet.context.tempdir = ${karaf.data}/pax-web/tmp
Please use the above as a template to configure certificates and keys.
You can then use openssl to check the connection:
$ openssl s_client -connect localhost:8443 -debug -msg
We need to mention #org.ops4j.pax.web.ssl.clientauth.needed = true, right, to make client cert validation happen? Because it's happening in the old Karaf version for us.
We were using TLSv1.2 and updated the Pax Web cfg props as listed above but are still getting the below,
I don't think certificate validation was mandatory in Pax Web 7....
NSS error is (may be) related to FIPS settings, because NSS library should not be used by Karaf at all. Did you check openssl s_client?
Getting this error on openssl,
socket: Bad file descriptor connect:errno=9
Could you please share the link where it is mentioned that cert validation is not mandatory? Also, we use Pax Web 8.0.15, for your info.
Also, we tried with the clientauth.needed property value as false, but we still get the java.servlet.request.x509certificate property as null while executing the curl call. Because we do client cert validation, it then ran into a NullPointerException.
Can you try running this test? https://github.com/ops4j/org.ops4j.pax.web/blob/pax-web-8.0.x/pax-web-itest/pax-web-itest-server/src/test/java/org/ops4j/pax/web/itest/server/controller/ServerControllerBasicConfigurationTest.java
Just clone the repo, checkout pax-web-8.0.x branch, build everything with mvn clean install -DskipTests and then run the test with:
mvn clean verify -f pax-web-itest/pax-web-itest-server -Dtest=ServerControllerBasicConfigurationTest
Hi,
Now it works after we freshly redeployed with the Pax Web property changes on our cluster machine and restarted Karaf. It looks like org.ops4j.pax.web.ssl.clientauth.needed = true did the trick for us. Thanks a lot for the active support on this. This helped us a lot.
Thanks.
Thanks for your feedback! I'm closing this issue then ;)
See https://stackoverflow.com/questions/76496603/getting-javax-servlet-request-x509certificate-as-null-in-httpsfilter-class-after
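The thread was resolved by setting org.ops4j.pax.web.ssl.clientauth.needed = true. As an added example (not part of the thread and not Pax Web code), the Python check below reads an org.ops4j.pax.web.cfg and reports TLS settings still left at the template values shown above. The sample configuration is constructed, and the rule set and the treatment of unset keys as false are assumptions of this example.

```python
import re
SSL = "org.ops4j.pax.web.ssl."

# Constructed sample: secure connector switched on, template defaults left as-is.
SAMPLE_CFG = """\
org.osgi.service.http.secure.enabled = true
org.osgi.service.http.port.secure = 8443
org.ops4j.pax.web.ssl.keystore = ${karaf.etc}/server.keystore
org.ops4j.pax.web.ssl.keystore.password = passw0rd
org.ops4j.pax.web.ssl.key.password = passw0rd
#org.ops4j.pax.web.ssl.clientauth.needed = true
org.ops4j.pax.web.ssl.protocols.included = TLSv1.2 TLSv1.3
org.ops4j.pax.web.ssl.ciphersuites.included = TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384
"""

def parse_cfg(text):
    """Return only active settings; lines starting with '#' have no effect."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    # Assumption: an unset key behaves like the commented "false" in the template.
    return props.get(key, "false").lower() == "true"

def audit(props, app_reads_client_cert=True):
    """Return (key, message) findings for the TLS part of the configuration."""
    if not is_true(props, "org.osgi.service.http.secure.enabled"):
        return [("org.osgi.service.http.secure.enabled", "secure connector is off")]
    findings = []
    if app_reads_client_cert and not is_true(props, SSL + "clientauth.needed"):
        findings.append((SSL + "clientauth.needed",
                         "not true: requests can arrive without a client certificate"))
    for name in ("keystore.password", "truststore.password", "key.password"):
        if props.get(SSL + name) == "passw0rd":
            findings.append((SSL + name, "template password still in use"))
    for proto in re.split(r"[,\s]+", props.get(SSL + "protocols.included", "")):
        if proto and proto not in ("TLSv1.2", "TLSv1.3"):
            findings.append((SSL + "protocols.included", "legacy protocol " + proto))
    for suite in re.split(r"[,\s]+", props.get(SSL + "ciphersuites.included", "")):
        if suite.startswith("TLS_RSA_WITH_"):
            findings.append((SSL + "ciphersuites.included",
                             suite + ": RSA key exchange, no forward secrecy"))
    return findings

print(*audit(parse_cfg(SAMPLE_CFG)), sep="\n")
```

The commented-out clientauth.needed line in the sample is reported because a leading # leaves the setting inactive, so a filter that reads the request's client certificate has to handle a missing value.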