httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mohanavelu Subramanian <mhnv...@gmail.com>
Subject Re: [users@httpd] Two way SSL authentication between apache proxy server and tomcat
Date Tue, 31 May 2016 12:03:18 GMT
Hi,

Thanks a lot.

I just gone through the link. I understand the configuration mentioned in
link would automatically read information from HTTP headers and insert it
into request.
>From request, I can fetch like this.

request.getAttribute("javax.servlet.request.X509Certificate");


Please correct me if I am wrong.


I have a scenario where I clients certificate is optional during
handshake. In this case, will it have any impact on this proposed
solution.


Thanks & Regards,

Mohan



On Tue, May 31, 2016 at 5:18 PM, David Balažic <david.balazic@comtrade.com>
wrote:

> To make tomcat evaluate the SSL_CLIENT_CERT , you must configure a
> SSLValve, see:
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/SSLValve.html
>
>
>
> David Balažic
>
> Software Engineer
>
> www.comtrade.com
>
>
>
> *From:* Mohanavelu Subramanian [mailto:mhnvelu@gmail.com]
> *Sent:* 30. May 2016 20:06
> *To:* users@httpd.apache.org
> *Subject:* [users@httpd] Two way SSL authentication between apache proxy
> server and tomcat
> *Importance:* Low
>
>
>
> Hi All,
>
>
>
> Good Morning.
>
>
>
> I want to implement 2 way SSL authentication between apache proxy and
> tomcat. I am using mod_proxy to integrate apache and tomcat. I have some
> doubts in the implementation. I have done some initial analysis on this.
>
>
>
> I would create a self-signed CA certificate(CA.crt). I would create
> client(apache.pem) and server certificate(tomcat.pem). Both these
> certificates would be signed my CA. I add client certificate to apache
> proxy server using SSLProxyMachineCertificateFile. I have configured
> tomcat to refer server certificate.
>
>
> Then I add this CA certificate into the client and server truststore. So,
> during handshake, the authentication will be successful.
>
> 1. Is this the effective way of implementing authentication with
> certificates ? I think the same client     certificate can be copied by
> unknown user and send request to tomcat. Could you please suggest if there
> is better way implementing the authentication, if any.
>
>
>
> 2. Is it possible to sign a certificate by more than 1 CA?
>
>
>
> 3. I have my design like this.
>
>
>
>     client-------------------------->apache (mod_proxy)
> ----------------->tomcat
>
>                 https
>  https
>
>                 user.crt                 apache.pem
>  tomcat.pem
>
>
>
> I have configured mod_proxy to forward the actual client
> certificate(user.crt) to tomcat via mod proxy as below:
>
>
>
> SSLProxyMachineCertificateFile apache.pem
>
> SSLProxyCACertificateFile CA.crt
>
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>
>
>
> I want to forward the user.crt to tomcat and in my application the user.crt is verified.
>
> but the request.getAttribute("javax.servlet.request.X509Certificate"); returns null.
>
> I am not getting the user.crt. Could you please give me an idea how to fetch SSL_CLIENT_CERT
in my application and parse it.
>
>
>
> Thanks in Advance.
>
>
>
> Best Regards,
>
> Mohan
>
>
>
>
>
>
>

Mime
View raw message