On Mon, Feb 12, 2018 at 7:38 PM, Naveen Nandyala - Vendor <Naveen.Nandyala@xxxxxxxxxxx> wrote:> > When using Apache + Proxy + WAS > > Browser --> Apache --> Proxy --> WAS Apache and Proxy are the same instance, the is Apache httpd doing SSL on its client side with the Browser, and also doing SSL on its backend side with the WAS. There is no authentication between Apache and Proxy, same sofware/process. > > I need to request a certificate for Apache and pass that using > SSLCertificateFile and SSLCertificateKeyFile. Right, this is the SSL on the client side of Apache httpd. It needs a certificate (SSLCertificateFile) and its key (SSLCertificateKeyFile), and the certificate should be signed by a CA trusted by browsers. You can put all the certificate chain a single file and use it for SSLCertificateFile: this is the concatenation of the server certificate followed the CA(s) in order of signing (i.e. root certificate last). > I need to request a certificate for Proxy and include both key and > CA in single file and add it in SSLProxyMachineCertificateFile. You need a certificate (and its key) for Apache httpd on its Proxy/backend side, but the signing CA is not needed here. SSLProxyMachineCertificateFile should contain the concatenation of this *certificate* (not the CA) and its key. This is the identity of the Proxy as seen/verified by the WAS. On the Proxy side, you also need to indicate which CA signed the WAS certificate, so that it can be verified (this is how the Proxy authenticates the WAS). Since the WAS certificate is self-signed, it's also the CA so simply use it for SSLProxyCACertificateFile. > Then add Proxy certificate CA to WAS truststore and enable > SSLClientAuth=required on WAS end? You could also use a(nother) self signed certificate for the Proxy (as you do for the WAS), but I don't know if the WAS trustore accepts self-signed certificates. If not, you indeed need to set the CA which signed the Proxy certificate in the truststore, though this CA doesn't need to be trusted by third-parties, it could be a dedicated CA you created by yourself and used to sign the Proxy certificate. > > In this way I can enable mutual auth between Apache - Proxy. Not needed per above. > And mutual Auth between Proxy - WAS? Yes, the proxy will authenticate the WAS thanks to WAS CA (in SSLProxyCACertificateFile), and the WAS will authenticate the Proxy thanks to the Proxy CA (in the truststore). > > After I disabled client auth required on WAS end I'm able to make a > call between Apache and WAS. OK, it's only missing the Proxy authentication now. > Now I need to request a new certificate > for proxy and point it to SSLProxyMachineCertificateFile? Yes, generate a new certificate (and CA eventually), and use that per above. Regards, Yann. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx