httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Balažic <david.bala...@comtrade.com>
Subject RE: [users@httpd] Two way SSL authentication between apache proxy server and tomcat
Date Tue, 31 May 2016 11:48:57 GMT
To make tomcat evaluate the SSL_CLIENT_CERT , you must configure a SSLValve, see: https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/SSLValve.html

David Balažic
Software Engineer
www.comtrade.com

From: Mohanavelu Subramanian [mailto:mhnvelu@gmail.com]
Sent: 30. May 2016 20:06
To: users@httpd.apache.org
Subject: [users@httpd] Two way SSL authentication between apache proxy server and tomcat
Importance: Low

Hi All,

Good Morning.

I want to implement 2 way SSL authentication between apache proxy and tomcat. I am using mod_proxy
to integrate apache and tomcat. I have some doubts in the implementation. I have done some
initial analysis on this.

I would create a self-signed CA certificate(CA.crt). I would create client(apache.pem) and
server certificate(tomcat.pem). Both these certificates would be signed my CA. I add client
certificate to apache proxy server using SSLProxyMachineCertificateFile. I have configured
tomcat to refer server certificate.

Then I add this CA certificate into the client and server truststore. So, during handshake,
the authentication will be successful.
1. Is this the effective way of implementing authentication with certificates ? I think the
same client     certificate can be copied by unknown user and send request to tomcat. Could
you please suggest if there is better way implementing the authentication, if any.

2. Is it possible to sign a certificate by more than 1 CA?

3. I have my design like this.

    client-------------------------->apache (mod_proxy) ----------------->tomcat
                https                                                      https
                user.crt                 apache.pem                tomcat.pem

I have configured mod_proxy to forward the actual client certificate(user.crt) to tomcat via
mod proxy as below:


SSLProxyMachineCertificateFile apache.pem

SSLProxyCACertificateFile CA.crt

RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"



I want to forward the user.crt to tomcat and in my application the user.crt is verified.

but the request.getAttribute("javax.servlet.request.X509Certificate"); returns null.

I am not getting the user.crt. Could you please give me an idea how to fetch SSL_CLIENT_CERT
in my application and parse it.



Thanks in Advance.



Best Regards,

Mohan





Mime
View raw message