httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Guenther, Christian" <>
Subject AW: [users@httpd] SSL termination on apache but clientcertificaterouted through
Date Thu, 15 Sep 2005 08:18:36 GMT
Hi Allan,

thanks for your reply. 

I'd like to take the chance and clarify two points, just to make sure.

you said:
> the backend *code* has a access to the client certificate.
> is it your backend *webserver* or is it your backend *code* that is
> handling the validation of the client certificate ?

The backend in this case is an application server to which a client connects.
This application server is essentially SAP XI (an XML driven data exchanger)
and the client is a so called Business Connector. 
It is actually the client, the BC, that wants to pass some data about 
harvested stuff  like grain or so to the XI so that they get written into 
the SAP system. 
Bye the way, the client is a PDA that sits on top of some tractor on some field
in the countryside.

The both components are talking to each other in a completely 
automated manner - no user interaction at all. 

The Application server requires some form of authentication for the client
to let it talk to him. Possible authentication systems are username/password
wihich is not an option here due to corporate regulations, SAP Logon
Tickets, which apache does not understand and SSL certificates.

The application server (XI) is a system with high security requirements and
can therefor not be placed in a normal DMZ but is needed to be secured by
the proxy.

> what i don't understand at this point, is why you want the validating
> done at  the backend at all, when you could have all this done at the
> frontend.

Because the XI requires authentication bevor it would let anyone talk to it..
And there are different frontends that have access to different data - the 
application server needs to distinguish them.

> is it really nesecary to do the webserver validation on the backend. is
> it actually possible to bypass the apache frontend and therefore access
> the backend directly (which sounds slightly insecurish)
>(the solution i described, we had https at the frontend and http at the

I fear it is at least necessary to give the XI access to the name of the client 
connecting - in whatever way. The way the system is configured at the 
moment it requires a client ssl certificate!


View raw message