Hi,
I noticed from the archives that there was response/question from"Bobb, Kirth Andre " that i missed:
"Igor,
Just out of curiosity. Are you using other .pem files in other <location> blocks?"
I'm assuming that that question was actually for me (the OP)...
In answer to that: No, I don't have any PEM files in any other <:Location> blocks.
Also, I wanted to give some more background for why I'm trying to do this:
WebLogic comes with its own connector/Apache module for connecting from Apache-to-WebLogic backend. Its' called the "WebLogic Plugin for Apache". That plugin, when configured correctly sends an additional header to the WebLogic server, "WL-Proxy-Client-Cert", with JUST the PEM as one big string, with no new lines and the "BEGIN" and "END" strings removed.
We normally use that plugin, but have encountered a problem where when we use that for proxying certain URLs, we get really long response times (>10 seconds). In some cases, not involving proxying 2-way SSL, when I switched from using the WebLogic Plugin to mod_proxy, those long response times goes away, so I was hoping that if I could use mod_proxy in this (2-way) SSL case, to WebLogic, we could eliminate those long response times.
However, in this case now, I am.trying to proxy 2-way SSL (at the 'front' of the Apache, so when I try to use mod_proxy instead of the WL Plugin, I have to try to "simulate" the headers that the WL Plugin would normally send to the WebLogic server, and in particular. that "WL-Proxy-Client-Cert" header, containing only the actual PEM string.
So, anyway, that is WHY I'm trying to do this.
Thanks,
Jim
---- ohaya@xxxxxxx wrote:
> Igor,
>
> The backend (Weblogic) won't accept/parse it. I am sure, because in one test I did, I had a RequestHeader with a canned PEM string, without them, and that worked.
>
> Jim
>
>
> ---- Igor Cicimov <icicimov@xxxxxxxxx> wrote:
> > Those lines are part of the PEM certificate without them the cert is not
> > valid. What is the problem on the backend side with this?
> >
> >
> > On Thu, Apr 5, 2012 at 8:27 AM, <ohaya@xxxxxxx> wrote:
> >
> > > Hi,
> > >
> > > I am using Apache (2.2.x) as a proxy. The Apache is enabled for
> > > 2-way/client-authenticated SSL.
> > >
> > > In one situation (in a specific <Location> section), I need to be able to
> > > pass the PEM of the client certificate to the proxied server, with a
> > > specific HTTP header name.
> > >
> > > I've actually been able to pass the raw PEM as an HTTP header using just
> > > the RequestHeader directive:
> > >
> > > RequestHeader set "my_ssl_client_cert" "%{SSL_CLIENT_CERT}e"
> > >
> > > But, that raw PEM has the "-----BEGIN CERTIFICATE-----" and "-----END
> > > CERTIFICATE-----" strings before and after the actual certificate PEM.
> > >
> > > I've been trying to figure out how to get just the certificate PEM into
> > > the HTTP header for awhile, mostly using SetEnvIfNoCase, but when I try
> > > that, I always end up with an empty string or null in the header.
> > >
> > > Given that I seem to be able to get the PEM from the SSL_CLIENT_CERT
> > > envvar, it seems like there SHOULD be a way to get that into a request
> > > header, but I haven't been able to do that yet, and am truly stumped, so I
> > > was hoping that someone here might know how to do that?
> > >
> > > Thanks in advance,
> > > Jim
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > >
> > >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|