Re: Mutual authentication between Apache HTTP server and an application server.

On Mon, Feb 12, 2018 at 6:36 PM, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> On Mon, Feb 12, 2018 at 5:16 PM, Naveen Nandyala - Vendor
> <Naveen.Nandyala@xxxxxxxxxxx> wrote:
>>
>> Below is my vhost entry.
>>
>> <VirtualHost *>
>>     ServerName Virtual:443
>>     SetEnv vhostname virtual
>>     Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
>>     Include <PROXY FILE>
>>     Include /u/applic/tc/HTTP/config/conf/secure.conf
>>     SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
>>     SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
>>     SSLProxyEngine on
>>     SSLProxyCACertificateFile /tmp/was.crt
>>     SSLProxyVerify require
>>     SSLProxyVerifyDepth 2
>> </VirtualHost>
>>
>> From the beginning, all I was looking for is mutual authentication between Apache and Websphere application server.
>> I've added the Apachecertificate root certificate in WAS, which is 3rd party signed.
>
> For now there is no SSLProxyMachineCertificateFile in your
> configuration (because we asked you to care only about the proxy
> authenticating the server), so in the meantime you should also disable
> SSLVerifyClient on the Websphere side (otherwise it will ask for a
> client certificate which the proxy doesn't provide yet).
>
> I tried the above with a self signed cert for
> SSLProxyCACertificateFile and it worked.
>
> Once it also works in your case, you can then configure the proxy to
> send its certificate+key when requested to:
> - SSLProxyMachineCertificateFile /path/to/proxy.crt+key

Obviously the proxy doesn't send its key; here "proxy.crt+key" means
both should be concatenated in the same file for the proxy to load
them.

>
> And re-enable client authentication on the websphere:
> - SSLVerifyClient on
> - SSLCACertificateFile /path/to/proxy.ca.crt

While here "proxy.ca.crt" means the concatenation of "proxy.crt" and
the CA which signed it.

>
>
> Regards,
> Yann.
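
The two concatenated files described in this message, built with basic sanity checks, as an added example that is not part of the original e-mail or of Apache's own tooling. The file names and the helper functions `pem_count`, `build_machine_cert`, `build_ca_bundle` and `make_sample` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: assemble the two PEM files described in the thread.
# File names are assumptions; only structure is checked, not the crypto.

# Count PEM blocks whose BEGIN label matches regex $1 in file $2.
pem_count() {
    grep -c -E -e "^-----BEGIN $1-----" "$2" || true
}

# proxy.crt + proxy.key -> one file for SSLProxyMachineCertificateFile.
build_machine_cert() {  # usage: build_machine_cert CRT KEY OUT
    [ "$(pem_count 'CERTIFICATE' "$1")" -ge 1 ] ||
        { echo "no certificate in $1" >&2; return 1; }
    # mod_ssl does not support encrypted private keys in this file.
    if grep -q -E -e '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$2"; then
        echo "key in $2 is passphrase-protected" >&2; return 1
    fi
    [ "$(pem_count '[A-Z ]*PRIVATE KEY' "$2")" -eq 1 ] ||
        { echo "expected exactly one private key in $2" >&2; return 1; }
    # awk 1 re-adds a missing final newline so the PEM blocks do not fuse.
    ( umask 077; awk 1 "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# proxy.crt + the CA that signed it -> file for SSLCACertificateFile.
build_ca_bundle() {  # usage: build_ca_bundle CRT CA OUT
    [ "$(pem_count 'CERTIFICATE' "$1")" -ge 1 ] &&
    [ "$(pem_count 'CERTIFICATE' "$2")" -ge 1 ] ||
        { echo "missing certificate" >&2; return 1; }
    # This bundle is public: refuse inputs that carry a private key.
    if [ "$(cat "$1" "$2" | grep -c -e 'PRIVATE KEY-----' || true)" -ne 0 ]; then
        echo "private key found in bundle input" >&2; return 1
    fi
    awk 1 "$1" "$2" > "$3"
}

# Constructed placeholder PEM files (not real certificates or keys).
make_sample() {  # usage: make_sample DIR
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/proxy.crt"   # no final newline
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'Q0EtU0FNUExF' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZLVNBTVBMRQ==' \
        '-----END PRIVATE KEY-----' > "$1/proxy.key"
}
```

Source the file and call the two build functions with your own paths. With real files, `openssl verify -CAfile ca.crt proxy.crt` confirms that the CA actually signed the proxy certificate, which the structural checks above do not.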
