httpd-users mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [users@httpd] Mutual authentication between Apache HTTP server and an application server.
Date Mon, 12 Feb 2018 17:36:20 GMT
On Mon, Feb 12, 2018 at 5:16 PM, Naveen Nandyala - Vendor
<Naveen.Nandyala@walmart.com> wrote:
>
> Below is my vhost entry.
>
> <VirtualHost *>
>     ServerName Virtual:443
>     SetEnv vhostname virtual
>     Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
>     Include <PROXY FILE>
>     Include /u/applic/tc/HTTP/config/conf/secure.conf
>     SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
>     SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
>     SSLProxyEngine on
>     SSLProxyCACertificateFile /tmp/was.crt
>     SSLProxyVerify require
>     SSLProxyVerifyDepth 2
> </VirtualHost>
>
> From the beginning, all I was looking for is mutual authentication between Apache and Websphere application server.
> I've added Apachecertificate Root certificate in WAS which is 3rd party signed.

For now there is no SSLProxyMachineCertificateFile in your
configuration (because we asked you to care only about the proxy
authenticating the server), so in the meantime you should also disable
SSLVerifyClient on the Websphere side (otherwise it will ask for a
client certificate which the proxy doesn't provide yet).

I tried the above with a self-signed cert for
SSLProxyCACertificateFile and it worked.

Once it also works in your case, you can then configure the proxy to
send its certificate+key when requested to:
- SSLProxyMachineCertificateFile /path/to/proxy.crt+key

And re-enable client authentication on the websphere:
- SSLVerifyClient on
- SSLCACertificateFile /path/to/proxy.ca.crt


Regards,
Yann.
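
The two stages described in the message above can be pre-checked from the proxy host before reloading httpd. The shell functions below are an added example, not part of the original post or of httpd; the function names are hypothetical and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the two stages.
# Function names are hypothetical; paths and host:port are supplied by the caller.

# Stage 1: does the backend's certificate chain verify against the CA file
# given to SSLProxyCACertificateFile? Depth 2 mirrors SSLProxyVerifyDepth 2.
# usage: backend_verifies HOST:PORT CAFILE
backend_verifies() {
    openssl s_client -connect "$1" -CAfile "$2" -verify 2 \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Stage 2: SSLProxyMachineCertificateFile takes one PEM file holding both the
# certificate and its private key.
# returns 0 ok, 1 no certificate, 2 no private key, 3 key is encrypted
pem_has_cert_and_key() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" || return 2
    # mod_ssl documents no support for encrypted proxy keys, so flag them.
    if grep -q -e 'ENCRYPTED' "$1"; then return 3; fi
    return 0
}

# Stage 2: the private key must belong to the certificate. Compare the public
# key in the certificate with the one derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run both stage-2 checks and print a one-line verdict.
# usage: check_proxy_machine_cert /path/to/proxy.crt+key
check_proxy_machine_cert() {
    rc=0
    pem_has_cert_and_key "$1" || rc=$?
    case $rc in
        1) echo "FAIL: no certificate in $1"; return 1 ;;
        2) echo "FAIL: no private key in $1"; return 1 ;;
        3) echo "FAIL: private key in $1 is encrypted"; return 1 ;;
    esac
    key_matches_cert "$1" || { echo "FAIL: key does not match certificate"; return 1; }
    echo "OK: $1 holds a matching, unencrypted certificate and key"
}
```
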
