Mutual authentication between Apache HTTP server and an application server.

Thanks Yann,

	From this I could understand the below. Could you please confirm if my understanding is correct?

When using IHS + Plugin + WAS.

Browser --> IHS --> Plugin --> WAS

We used to enable mutual auth between IHS and Plugin by exchanging their keys, and mutual auth between Plugin and WAS by exchanging their keys.
If we wanted to enable mutual auth between browser and IHS we added "SSLClientAuth = required" in the conf file and added client certificates in the IHS kdb.


When using Apache + Proxy + WAS

Browser --> Apache --> Proxy --> WAS

I need to request a certificate for Apache and pass that using SSLCertificateFile and SSLCertificateKeyFile.
I need to request a certificate for Proxy and include both key and CA in a single file and add it in SSLProxyMachineCertificateFile.
Then add the Proxy certificate CA to the WAS truststore and enable SSLClientAuth=required on the WAS end?

In this way I can enable mutual auth between Apache - Proxy.
And mutual Auth between Proxy - WAS?

After I disabled client auth required on the WAS end I'm able to make a call between Apache and WAS. Now I need to request a new certificate for proxy and point it to SSLProxyMachineCertificateFile?
Please correct me if I'm doing something wrong.


Warm Regards, 
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
Mail: nknandy@xxxxxxxxxxxx
SLACK Channel:: middleware_l2

Middleware ServiceNow Service Catalog Task Policy:: https://collaboration.wal-mart.com/display/IPSMW/Service+Now+Service+Task+Catalog+Policy
Middleware ServiceNow Change Control Policy :: https://collaboration.wal-mart.com/display/IPSMW/Change+Control+Policy
Middleware Customer Page:: https://teams.wal-mart.com/sites/Middleware/Customers/Pages/default.aspx


-----Original Message-----
From: Yann Ylavic [mailto:ylavic.dev@xxxxxxxxx]
Sent: Monday, February 12, 2018 11:45 AM
To: users@xxxxxxxxxxxxxxxx
Subject: EXT: Re: Mutual authentication between Apache HTTP server and an application server.

On Mon, Feb 12, 2018 at 6:36 PM, Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> On Mon, Feb 12, 2018 at 5:16 PM, Naveen Nandyala - Vendor 
> <Naveen.Nandyala@xxxxxxxxxxx> wrote:
>>
>> Below is my vhost entry.
>>
>> <VirtualHost *>
>>     ServerName Virtual:443
>>     SetEnv vhostname virtual
>>     Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
>>     Include <PROXY FILE>
>>     Include /u/applic/tc/HTTP/config/conf/secure.conf
>>     SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
>>     SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
>>     SSLProxyEngine on
>>     SSLProxyCACertificateFile /tmp/was.crt
>>     SSLProxyVerify require
>>     SSLProxyVerifyDepth 2
>> </VirtualHost>
>>
>> From the beginning all I was looking for is mutual authentication between Apache and the WebSphere application server.
>> I've added the Apachecertificate root certificate in WAS, which is 3rd-party signed.
>
> For now there is no SSLProxyMachineCertificateFile in your 
> configuration (because we asked you to care only about the proxy 
> authenticating the server), so in the meantime you should also disable 
> SSLVerifyClient on the Websphere side (otherwise it will ask for a 
> client certificate which the proxy doesn't provide yet).
>
> I tried the above with a self signed cert for 
> SSLProxyCACertificateFile and it worked.
>
> Once it also works in your case, you can then configure the proxy to 
> send its certificate+key when requested to:
> - SSLProxyMachineCertificateFile /path/to/proxy.crt+key

Obviously the proxy doesn't send its key, here "proxy.crt+key" means both should be concatenated in the same file for the proxy to load them.

>
> And re-enable client authentication on the websphere:
> - SSLVerifyClient on
> - SSLCACertificateFile /path/to/proxy.ca.crt

While here "proxy.ca.crt" means the concatenation of "proxy.crt" and the CA which signed it.

>
>
> Regards,
> Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
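The two bundle files discussed above (the proxy's `crt+key` file for SSLProxyMachineCertificateFile, and the certificates-only trust file handed to the WebSphere side) are easy to get subtly wrong: a missing key means the proxy silently presents no client certificate, and a key accidentally left in the trust bundle leaks it to the peer. The following script is an added example, not code from the thread or from Apache httpd; it performs structural checks on such PEM bundles. The file names and the PEM bodies are constructed placeholders (fake base64, not real certificates), and the checks encode what the mod_ssl documentation says these files should contain (certificate/key pairs for SSLProxyMachineCertificateFile, with no support for encrypted private keys).

```python
"""Structural sanity checks for the PEM bundles mod_ssl expects.

Added example; the PEM contents below are constructed placeholders, not
real certificates or keys, so this runs offline.
"""
import base64
import os
import re
import stat
import tempfile

# One PEM block: label in the BEGIN/END armour, base64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem(label, raw):
    """Wrap raw bytes in PEM armour (used only to build constructed samples)."""
    body = base64.b64encode(raw).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample material standing in for proxy.crt, proxy.key and the CA.
PROXY_CERT = pem("CERTIFICATE", b"constructed placeholder: proxy certificate")
PROXY_KEY = pem("PRIVATE KEY", b"constructed placeholder: proxy private key")
CA_CERT = pem("CERTIFICATE", b"constructed placeholder: CA certificate")

MACHINE_FILE = PROXY_CERT + PROXY_KEY          # what SSLProxyMachineCertificateFile should hold
TRUST_BUNDLE = PROXY_CERT + CA_CERT            # certificates only, for the peer's trust store
LEAKY_BUNDLE = PROXY_CERT + PROXY_KEY + CA_CERT  # key mistakenly included in a trust bundle


def pem_blocks(text):
    """Return the (label, body) PEM blocks found in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def _body_problems(blocks):
    problems = []
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block body is not valid base64")
    return problems


def check_machine_cert_file(text):
    """Problems with a file meant for SSLProxyMachineCertificateFile (empty list == OK)."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    n_certs = labels.count("CERTIFICATE")
    n_keys = sum(1 for label in labels if label in KEY_LABELS)
    problems = _body_problems(blocks)
    if n_certs == 0:
        problems.append("no CERTIFICATE block: the proxy has nothing to present")
    if n_keys == 0:
        problems.append("no private key block: the proxy cannot prove possession of its certificate")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("encrypted private key: mod_ssl documents no support for encrypted proxy keys")
    if n_certs and n_keys and n_certs != n_keys:
        problems.append("expected certificate/key pairs; the issuing CA does not belong in this file")
    return problems


def check_trust_bundle(text):
    """Problems with a certificates-only bundle given to the peer (empty list == OK)."""
    blocks = pem_blocks(text)
    problems = _body_problems(blocks)
    if not blocks:
        problems.append("no PEM blocks found")
    for label, _ in blocks:
        if label in KEY_LABELS:
            problems.append("private key found in a trust bundle: remove it, this file is shared with the peer")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type {label}")
    return problems


def key_file_permissions_ok(path):
    """True if the file is readable by its owner only (no group/other bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def write_private_bundle(path, text):
    """Write a cert+key bundle with owner-only permissions; return the permission check."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # tighten even if the file already existed with looser bits
    return key_file_permissions_ok(path)


def bundle_written_privately(text):
    """Write the bundle to a temporary location and report whether it ended up owner-only."""
    with tempfile.TemporaryDirectory() as tmp:
        return write_private_bundle(os.path.join(tmp, "proxy.crt+key"), text)


if __name__ == "__main__":
    print("machine file:", check_machine_cert_file(MACHINE_FILE) or "OK")
    print("trust bundle:", check_trust_bundle(TRUST_BUNDLE) or "OK")
    print("leaky bundle:", check_trust_bundle(LEAKY_BUNDLE))
    print("owner-only on disk:", bundle_written_privately(MACHINE_FILE))
```

Run it against the real files before reloading httpd: the machine file must report OK and the bundle you place on the WebSphere side must contain certificates only. Keeping the check separate from the concatenation step means a stray `cat` of the wrong file is caught before the key leaves the proxy host.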


