Mutual authentication between Apache HTTP server and an application server.

Hi Yann,
Based on the certificate I'm using, I'm getting a different error.

Below is my vhost entry.

<VirtualHost *>
    ServerName Virtual:443
    SetEnv vhostname virtual
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
    Include <PROXY FILE>
    Include /u/applic/tc/HTTP/config/conf/secure.conf
    SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
    SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
    SSLProxyEngine on
    SSLProxyCACertificateFile /tmp/was.crt
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
</VirtualHost>

From the beginning, all I was looking for is mutual authentication between Apache and WebSphere application server.
I've added the Apachecertificate root certificate in WAS, which is 3rd-party signed.
I've been getting issues from the beginning while adding the WAS certificate on Apache.
As the WAS certificate is self-signed, I've exported the WAS certificate in DER format, converted it into PEM and placed it in /tmp/was.crt. I see the below error in the logs, and in the access logs I see a 502 proxy error.
Seems like it's failing to validate the self-signed certificate.

[Mon Feb 12 10:01:11.595469 2018] [ssl:error] [pid 33084:tid 140082866366208] [remote WASSErver:PORT] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Mon Feb 12 10:01:11.596379 2018] [proxy_http:error] [pid 33084:tid 140082866366208] (103)Software caused connection abort: [client XXXX:xxxx] AH01102: error reading status line from remote server WASSErver:PORT
[Mon Feb 12 10:01:11.596418 2018] [proxy:error] [pid 33084:tid 140082866366208] [client XXXX;xxx] AH00898: Error reading from remote server returned by /XXXX



Warm Regards, 
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
Mail: nknandy@xxxxxxxxxxxx
SLACK Channel:: middleware_l2

Middleware ServiceNow Service Catalog Task Policy:: https://collaboration.wal-mart.com/display/IPSMW/Service+Now+Service+Task+Catalog+Policy
Middleware ServiceNow Change Control Policy :: https://collaboration.wal-mart.com/display/IPSMW/Change+Control+Policy
Middleware Customer Page:: https://teams.wal-mart.com/sites/Middleware/Customers/Pages/default.aspx


-----Original Message-----
From: Yann Ylavic [mailto:ylavic.dev@xxxxxxxxx] 
Sent: Monday, February 12, 2018 9:54 AM
To: users@xxxxxxxxxxxxxxxx
Subject: EXT: Re:  Mutual authentication between Apache HTTP server and an application server.

Hi,

On Mon, Feb 12, 2018 at 2:25 PM, Naveen Nandyala - Vendor <Naveen.Nandyala@xxxxxxxxxxx> wrote:
> [Mon Feb 12 07:22:12.631833 2018] [ssl:warn] [pid 21729:tid 
> 139998669920000] AH02268: Proxy client certificate callback:
> (Virtual:443) downstream server wanted client certificate but none are 
> configured

This is a different problem: here the WebSphere server is asking for a client certificate (the proxy's) signed by one of its configured CAs for client authentication (i.e. in SSLCACertificateFile/Path or SSLCADNRequestFile/Path).
Since no client certificate corresponds on the proxy side (i.e. in SSLProxyMachineCertificateFile/Path), this log is issued.

As Eric said, you should take each issue one by one: the above is about WebSphere authenticating the proxy; you should first try to make the proxy authenticate WebSphere (see below).

>
> Was wondering if Apache(Client) don't connect to Websphere (Server) if 
> Websphere uses a Self-signed certificate?

The Apache proxy will connect, but you can't ask it to authenticate the WebSphere server in this case: there is no CA to verify the WebSphere certificate against.
You previously said "was.crt" was the root certificate (meaning the one which signed the WebSphere server certificate); if that's not the case, it can't help the proxy authenticate the server.


Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
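As an added example (not configuration from either poster, and not httpd's own documentation), here is a proxy vhost that configures both directions Yann describes: the proxy verifying WebSphere against its self-signed certificate used as the sole trust anchor, and the proxy presenting its own client certificate when WebSphere asks for one. All file paths and hostnames are assumptions.

```apache
<VirtualHost *:443>
    # Assumed hostname and front-side server certificate
    ServerName virtual.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/Apachecertificate.pem
    SSLCertificateKeyFile /etc/httpd/ssl/Apachecertificate.key

    # Direction 1: the proxy authenticates WebSphere.
    # A self-signed server certificate is its own root, so the trust file
    # must contain exactly the PEM certificate WebSphere presents. If it
    # holds any other certificate, verification fails with
    # "self signed certificate in certificate chain" (OpenSSL error 19)
    # and mod_proxy answers the client with 502.
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/httpd/ssl/was-selfsigned.pem
    SSLProxyVerify require
    # Self-signed peer: there is no chain above the leaf to walk
    SSLProxyVerifyDepth 1
    # Also require the certificate to match the backend hostname
    SSLProxyCheckPeerName on

    # Direction 2: WebSphere authenticates the proxy (otherwise AH02268
    # "downstream server wanted client certificate but none are configured").
    # Single PEM file: the proxy's client certificate followed by its
    # unencrypted private key; its issuer must be trusted by WebSphere.
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

    ProxyPass        /app https://was.example.internal:9443/app
    ProxyPassReverse /app https://was.example.internal:9443/app
</VirtualHost>
```

Before reloading httpd, confirm the trust file really matches what the backend serves with `openssl s_client -connect was.example.internal:9443 -CAfile /etc/httpd/ssl/was-selfsigned.pem`; the handshake summary must end with "Verify return code: 0 (ok)", and anything else means the exported certificate is not the one WebSphere is presenting.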






