To make tomcat evaluate the SSL_CLIENT_CERT , you must configure a SSLValve, see: https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/SSLValve.html David Balažic Software Engineer www.comtrade.com From: Mohanavelu Subramanian [mailto:mhnvelu@xxxxxxxxx]
Hi All, Good Morning. I want to implement 2 way SSL authentication between apache proxy and tomcat. I am using mod_proxy to integrate apache and tomcat. I have some doubts in the implementation. I have done some initial analysis on this. I would create a self-signed CA certificate(CA.crt). I would create client(apache.pem) and server certificate(tomcat.pem). Both these certificates would be signed my CA. I add client certificate to apache proxy server using SSLProxyMachineCertificateFile.
I have configured tomcat to refer server certificate. Then I add this CA certificate into the client and server truststore. So, during handshake, the authentication will be successful. 1. Is this the effective way of implementing authentication with certificates ? I think the same client certificate can be copied by unknown user and send request to tomcat. Could you please suggest if there is better way implementing
the authentication, if any. 2. Is it possible to sign a certificate by more than 1 CA? 3. I have my design like this. client-------------------------->apache (mod_proxy) ----------------->tomcat https https user.crt apache.pem tomcat.pem I have configured mod_proxy to forward the actual client certificate(user.crt) to tomcat via mod proxy as below: SSLProxyMachineCertificateFile apache.pem
SSLProxyCACertificateFile CA.crt
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
I want to forward the user.crt to tomcat and in my application the user.crt is verified.
but the request.getAttribute("javax.servlet.request.X509Certificate"); returns null.
I am not getting the user.crt. Could you please give me an idea how to fetch SSL_CLIENT_CERT in my application and parse it.
Thanks in Advance.
Best Regards,
Mohan
|