Hi Allan,
thanks for your reply.
I'd like to take the chance and clarify two points, just to make sure.
you said:
> the backend *code* has a access to the client certificate.
> is it your backend *webserver* or is it your backend *code* that is
> handling the validation of the client certificate ?
The backend in this case is an application server to which a client connects.
This application server is essentially SAP XI (an XML driven data exchanger)
and the client is a so called Business Connector.
It is actually the client, the BC, that wants to pass some data about
harvested stuff like grain or so to the XI so that they get written into
the SAP system.
Bye the way, the client is a PDA that sits on top of some tractor on some field
in the countryside.
The both components are talking to each other in a completely
automated manner - no user interaction at all.
The Application server requires some form of authentication for the client
to let it talk to him. Possible authentication systems are username/password
wihich is not an option here due to corporate regulations, SAP Logon
Tickets, which apache does not understand and SSL certificates.
The application server (XI) is a system with high security requirements and
can therefor not be placed in a normal DMZ but is needed to be secured by
the proxy.
> what i don't understand at this point, is why you want the validating
> done at the backend at all, when you could have all this done at the
> frontend.
Because the XI requires authentication bevor it would let anyone talk to it.
And there are different frontends that have access to different data - the
application server needs to distinguish them.
> is it really nesecary to do the webserver validation on the backend. is
> it actually possible to bypass the apache frontend and therefore access
> the backend directly (which sounds slightly insecurish)
>(the solution i described, we had https at the frontend and http at the
>backend)
I fear it is at least necessary to give the XI access to the name of the client
connecting - in whatever way. The way the system is configured at the
moment it requires a client ssl certificate!
Regards,
Christian