axis-java-user mailing list archives

From Rodrigo Ruiz <rr...@gridsystems.com>
Subject Re: Proxying SSL certificates
Date Wed, 17 Dec 2003 09:21:10 GMT
Yes, I know, and I agree with you :_( , but security is important in 
this particular project, and one requirement is to not open security 
holes in a server (the backend) that is currently considered to be 
reasonably secure.

As the frontend is designed to be placed at any point on the Internet, and 
not necessarily in the same intranet as the backend server, 
communications between both must be secured. And as the presented 
information is sensitive, communication with the browser must also be 
secured.

I think I will have to give up and duplicate client certificates on both 
servers. If I am right, the information obtained from the browser 
certificate chain will not be enough for establishing a secure connection 
with the backend server, as it lacks the key necessary to encrypt / 
decrypt the messages :-(

If this is the case, I will have another problem, as the default JSSE 
provider is meant to be used by a single user per application, and I 
have a server with a different user per thread. But I will open another 
thread for this ;-)

Thanks anyway,
Rodrigo Ruiz

Rick Kellogg wrote:

>Rodrigo,
>
>It has been my experience you will not find the performance acceptable.
>Using SSL once is expensive.  Multiple passes will really hurt.  Just my
>opinion.
>
>Rick
>
>
>-----Original Message-----
>From: Rodrigo Ruiz [mailto:rruiz@gridsystems.com] 
>Sent: Tuesday, December 16, 2003 9:30 AM
>To: axis-user@ws.apache.org
>Subject: Proxying SSL certificates
>
>Hi all,
>
>I am developing a web service (I will call it frontend) that must act as 
>a client for a second web service (backend). The backend service expects 
>a user certificate for authentication purposes, and I would like to 
>configure the frontend service to also require a user certificate, and 
>use the incoming certificate as the credentials for the backend.  Is 
>this possible?
>
>Thanks in advance,
>Rodrigo Ruiz
>
>
>  
>
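
The point discussed in this thread, as an added example that is not part of the original messages and is not Axis or JSSE code: a server that receives a client certificate holds only the public key, while client authentication needs a signature made with the private key over data unique to each handshake. The model is simplified by assumption: a bare RSA key pair stands in for the certificate, a random nonce stands in for the handshake transcript, and all class and method names are hypothetical.

```java
import java.security.*;

// Added illustration: a simplified model of certificate-based client authentication.
public class ClientCertProxyDemo {

    // The client proves possession of its private key by signing handshake data.
    static byte[] sign(PrivateKey key, byte[] transcript) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(transcript);
        return s.sign();
    }

    // The server checks that proof with the public key from the presented certificate.
    static boolean verify(PublicKey key, byte[] transcript, byte[] proof)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(transcript);
        return s.verify(proof);
    }

    // Every handshake contains fresh random data, so no two transcripts match.
    static byte[] freshTranscript() {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair browser = gen.generateKeyPair();          // private half never leaves the browser
        PublicKey fromCertificate = browser.getPublic();  // all the frontend receives

        byte[] browserToFrontend = freshTranscript();     // handshake 1
        byte[] frontendToBackend = freshTranscript();     // handshake 2

        // The browser authenticates to the frontend.
        byte[] proof = sign(browser.getPrivate(), browserToFrontend);
        System.out.println("frontend accepts browser:       "
                + verify(fromCertificate, browserToFrontend, proof));

        // The frontend can only forward what it saw; the proof is bound to handshake 1.
        System.out.println("backend accepts forwarded proof: "
                + verify(fromCertificate, frontendToBackend, proof));
    }
}
```

The second check fails because the signature covers the first handshake's data only, so the frontend needs a private key of its own (or a copy of the user's) to authenticate to the backend.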

