Tomcat Logging – Log the Equivalent of SSL_CLIENT_S_DN

logging, tomcat, tomcat6, tomcat7

In Apache HTTPD it is possible to create custom request logs which include the value of SSL_CLIENT_S_DN. Since the site requires mutual authentication (client certificates), this provides a good audit log of who is accessing the web server. The question is, we have a large number of Tomcat hosts as well and would like to do the same thing with request logs created by Tomcat. I can't seem to find a way to do it, though. I have looked at access valves in Tomcat but can't seem to find an appropriate variable.

I've been looking here for configuration information: http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Access_Log_Valve

Also, these are Tomcat instances with the HTTPS connector configured with clientAuth=True. They are not sitting behind a proxy.

How can I log the client certificate DN in a request log?

Best Answer

Not tested, but you could try with a pattern such as:

%{javax.servlet.request.X509Certificate}r

This should print the X509 certificate used by the User Agent for the authentication (with the chain). It uses the %{xxx}r pattern from AccessLogValve, which prints an attribute from the request; Tomcat (or the servlet API) adds that attribute (see the Tomcat source code on GitHub).

The problem is that the toString() method of X509Certificate is quite verbose. I'm sure the DN is in there, but there is a lot more information.

This is if you don't want to touch Java code. If you want, you could also define a filter which adds the exact attribute you want and print it in the log.
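The filter approach described above, as an added example (not code from the answerer or from Tomcat): it reads the certificate chain that Tomcat stores under the Servlet-spec attribute, copies just the subject DN of the end-entity certificate (first in the chain) into a compact request attribute, and leaves the AccessLogValve pattern to print it. The package name, class name and the attribute name `ssl.client.dn` are assumptions of this example.

```java
package example.logging; // assumed package name

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Exposes the client certificate subject DN as a short request attribute.
 *
 * Register it in the webapp's web.xml (filter-class must match this class):
 *   <filter><filter-name>clientDn</filter-name>
 *     <filter-class>example.logging.ClientDnFilter</filter-class></filter>
 *   <filter-mapping><filter-name>clientDn</filter-name>
 *     <url-pattern>/*</url-pattern></filter-mapping>
 *
 * Then log it with the %{xxx}r element of AccessLogValve in server.xml:
 *   pattern="%h %l %u %t &quot;%r&quot; %s %b %{ssl.client.dn}r"
 * If the attribute is missing the valve prints "-" in that column.
 */
public class ClientDnFilter implements Filter {
    /** Attribute name chosen for this example; not a Tomcat-defined name. */
    public static final String DN_ATTRIBUTE = "ssl.client.dn";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Tomcat sets this only from the verified TLS handshake, so a client
        // cannot inject a DN through headers or parameters.
        X509Certificate[] certs = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null && certs.length > 0) {
            // certs[0] is the client's own certificate; RFC 2253 form keeps the log compact.
            req.setAttribute(DN_ATTRIBUTE, certs[0].getSubjectX500Principal().getName());
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

With clientAuth="true" on the connector every logged request should carry a DN; a "-" in that column on such a host is worth investigating, since it means the filter ran without a certificate attribute.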