Re: Two way SSL authentication between apache proxy server and tomcat

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

Thanks a lot.

I just gone through the link. I understand the configuration mentioned in link would automatically read information from HTTP headers and insert it into request.
From request, I can fetch like this.
request.getAttribute("javax.servlet.request.X509Certificate");

Please correct me if I am wrong.

I have a scenario where I clients certificate is optional during handshake. In this case, will it have any impact on this proposed solution.

Thanks & Regards,
Mohan


On Tue, May 31, 2016 at 5:18 PM, David Balažic <david.balazic@xxxxxxxxxxxx> wrote:

To make tomcat evaluate the SSL_CLIENT_CERT , you must configure a SSLValve, see: https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/SSLValve.html

 

David Balažic

Software Engineer

www.comtrade.com

 

From: Mohanavelu Subramanian [mailto:mhnvelu@xxxxxxxxx]
Sent: 30. May 2016 20:06
To: users@xxxxxxxxxxxxxxxx
Subject: Two way SSL authentication between apache proxy server and tomcat
Importance: Low

 

Hi All,

 

Good Morning.

 

I want to implement 2 way SSL authentication between apache proxy and tomcat. I am using mod_proxy to integrate apache and tomcat. I have some doubts in the implementation. I have done some initial analysis on this.

 

I would create a self-signed CA certificate(CA.crt). I would create client(apache.pem) and server certificate(tomcat.pem). Both these certificates would be signed my CA. I add client certificate to apache proxy server using SSLProxyMachineCertificateFile. I have configured tomcat to refer server certificate.
 

Then I add this CA certificate into the client and server truststore. So, during handshake, the authentication will be successful. 

1. Is this the effective way of implementing authentication with certificates ? I think the same client     certificate can be copied by unknown user and send request to tomcat. Could you please suggest if there is better way implementing the authentication, if any.

 

2. Is it possible to sign a certificate by more than 1 CA?

 

3. I have my design like this.

 

    client-------------------------->apache (mod_proxy) ----------------->tomcat

                https                                                      https

                user.crt                 apache.pem                tomcat.pem

 

I have configured mod_proxy to forward the actual client certificate(user.crt) to tomcat via mod proxy as below:

 

SSLProxyMachineCertificateFile apache.pem
SSLProxyCACertificateFile CA.crt
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
 
I want to forward the user.crt to tomcat and in my application the user.crt is verified.
but the request.getAttribute("javax.servlet.request.X509Certificate"); returns null.
I am not getting the user.crt. Could you please give me an idea how to fetch SSL_CLIENT_CERT in my application and parse it.
 
Thanks in Advance.
 
Best Regards,
Mohan
 
 

 


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux