
Thread: Fix for Client Certificate based 413 errors.
Created on: 07/12/12 04:00 PM Replies: 1

Joined: 04/08/11
Posts: 17
Fix for Client Certificate based 413 errors.
07/12/12 4:00 PM

Hi, we ran into an issue and found a fix for it that we wanted to share here in case anyone else runs into it.

We are using IIS 7 and the latest version of ServletExec running under Java 7 on a Windows Server 2008 box (64-bit). Our site is secured with SSL and is set to accept client certificates. Users are authenticated using client certificates from CAC cards.

We have two processes that return ‘large’ amounts of data from the client. One is a page that allows a user to upload files. And the other captures electronic “signatures” (large strings stored as hidden inputs in a form that are transmitted via a standard POST request).

We were getting HTTP 413 errors “request entity is too large” when issuing requests from these pages with large amounts of data. By looking at this link (http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7e0d74d3-ca01-4d36-8ac7-6b2ca03fd383.mspx?mfr=true) we implemented the following to fix this: We set the value of the UploadReadAheadSize metabase property to 100K and this stopped these 413 errors, however this caused issues where Java CPU utilization ramped up and didn’t go back down. When one of these large requests was made the request was never returned and CPU utilization never went back down. Looking at the ServletExec admin console we saw that when the request was initiated a current request showed up in the Monitor Request page and it stayed in the current request column until the session expired. Even after the session expired the CPU utilization stayed high. Removing the UploadReadAheadSize property allowed us to upload small files without the issue. There was a clear connection between the UploadReadAheadSize property being set and the runaway CPU issue that ServletExec was having.

One of the causes listed in the error message states "The Web Server cannot service the request because it is trying to negotiate a client certificate but the request entity is too large". The resolution for that issue was to set the value of clientcertnegotiation=enable. Getting this set on IIS 7 was a bit involved. The following must be run via a command prompt:

netsh http show sslcert

NOTE: You will need these settings for the next set of commands.

To delete the current settings (you cannot change existing settings, you have to delete and re-add):
netsh http delete sslcert <ipaddress>:<port>

The IP address and port are obtained from the show command results.
Example: netsh http delete sslcert

To add the cert settings back in correctly:
netsh http add sslcert ipport=<ipaddress>:<port> certhash=<certificate hash from the show> appid=<application ID from the show including the {} brackets> certstorename=<store name from show> clientcertnegotiation=enable

With this in place and the UploadReadAheadSize removed we were no longer having the 413 errors and ServletExec was able to handle the requests without having the CPU blow up.

If anyone else runs into this issue, hopefully this will help.
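The show / delete / re-add sequence from the post above, as an added example that is not part of the original post: a PowerShell helper that parses `netsh http show sslcert` output and prints the two commands with the existing values filled in, so nothing is retyped by hand between the delete and the add. The function names and the sample binding (hash, application ID) are constructed for illustration, and the field labels assume English-language netsh output.

```powershell
# Added example: prints the delete/re-add commands for one binding; it does not run them.
function Get-SslCertBinding {
    param([string[]]$ShowOutput, [string]$IpPort)
    $all = @(); $cur = $null
    foreach ($line in $ShowOutput) {
        # Field lines look like "    Certificate Hash        : <value>"
        if ($line -match '^\s*(.+?)\s+:\s*(.*)$') {
            $name = $Matches[1]; $value = $Matches[2].Trim()
            if ($name -eq 'IP:port') { $cur = @{}; $all += $cur }   # a new binding starts here
            if ($null -ne $cur) { $cur[$name] = $value }
        }
    }
    $all | Where-Object { $_['IP:port'] -eq $IpPort }
}

function New-RebindCommands {
    param([hashtable]$Binding)
    # Refuse to emit a delete unless every value needed for the re-add was captured.
    foreach ($k in 'IP:port', 'Certificate Hash', 'Application ID', 'Certificate Store Name') {
        if (-not $Binding[$k]) { throw "Binding is missing '$k'; not generating commands." }
    }
    $ipport = $Binding['IP:port']
    "netsh http delete sslcert ipport=$ipport"
    "netsh http add sslcert ipport=$ipport certhash=$($Binding['Certificate Hash']) " +
        "appid=$($Binding['Application ID']) " +
        "certstorename=$($Binding['Certificate Store Name']) clientcertnegotiation=enable"
}

# Constructed sample output; on the server use:  $sample = netsh http show sslcert
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 0123456789abcdef0123456789abcdef01234567
    Application ID          : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name  : MY
    Negotiate Client Certificate    : Disabled
'@ -split '\r?\n'

$binding = Get-SslCertBinding -ShowOutput $sample -IpPort '0.0.0.0:443'
if (-not $binding) { throw 'No binding found for that IP:port.' }
if ($binding['Negotiate Client Certificate'] -eq 'Enabled') {
    'Client certificate negotiation is already enabled; nothing to change.'
} else {
    New-RebindCommands -Binding $binding   # paste the two printed lines into an elevated cmd.exe
}
```

Save the full `show` output before running the delete, and run `netsh http show sslcert` again afterwards to confirm the binding is back and reports `Negotiate Client Certificate : Enabled`.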

Joined: 03/06/14
Posts: 1
RE: Fix for Client Certificate based 413 errors.
03/06/14 12:43 AM

Thank you so much for posting this. We've been hitting our heads against a brick wall for 2 days until we found this!

Thanks again!!
