Re: Apache and client certs


 



I've been watching this forum for some time and this question has appeared here several times. So far nobody has posted a solution that would allow Apache working as a proxy to pass the client certificate to a backend server. The only way that worked was Apache (2.2.3) + mod_jk + Tomcat, which isn't applicable to your case because you use WebSphere. I don't know if WebSphere supports AJP connectors; if it does, you can try mod_jk. Otherwise you can extract the necessary fields from the client cert and put them into the environment (I suppose you use a *NIX platform), then you can read them from your Java application.

On 12/29/06, Manuela.Vorazzo@xxxxxx <Manuela.Vorazzo@xxxxxx> wrote:

Probably I have to modify my application if there is no other way to send all client certificate info to my application server via the reverse proxy.

Actually the web application on WebSphere is using javax.net.ssl.peer_certificates and then it extracts the first OU field.

How can I display the entire content of my request (all the data I send to the application server with the header too)?
I've tried setting Loglevel debug in my webserver configuration file but in my log I cannot recognise such information.

Please let me know

Thanks!

Ciao
Manu


 


Christian Gottschalch <masro@xxxxxxx>
28/12/2006 10.53
Please respond to: users@xxxxxxxxxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Apache and client certs

if you use Apache Reverse Proxy, then SSL Session will be terminated at
the Reverse Proxy and the SSL Authentication / verification is done by
reverse proxy

to transport some certificate information to your WebSphere you can use:

RequestHeader set "HTTP_USER_ID" %{SSL_CLIENT_S_DN_CN}e

The WebSphere Application now can authorize the user based on http
header "HTTP_USER_ID", but your application must be able to.

You also may have a look at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#forwardreverse

regards

Manuela.Vorazzo@xxxxxx wrote:
>
> Hello everyone!
> I have an Apache 2.2 web server that is working as a reverse proxy for a
> WebSphere application server that is on a separate machine.
>
> Now I have a web application that needs information that is included
> in a client certificate field (OU).
>
> I would like to know if, with Apache, it is possible to obtain a
> configuration where the web server requires the client cert but doesn't
> verify it and passes it to the application server, which can verify it.
>
> I have such a configuration with IBM HTTP Server. There, a
> directive in the HTTP server configuration file lets you specify a
> "passthrough" value for the client cert.
>
>
> Please let me know!
>
> Thanks in advance
>
> Manuela Vorazzo


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
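
An added example, not part of the original thread or of any poster's configuration: a reverse-proxy virtual host that forwards the OU of the verified client certificate in a request header, following the RequestHeader approach suggested above, and overwrites any copy of that header supplied by the client. The host names, file paths, backend port and the header name X-SSL-Client-OU are assumptions.

```apache
# Added example; host names, paths, port and header name are placeholders.
<VirtualHost *:443>
    ServerName proxy.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/proxy.crt
    SSLCertificateKeyFile /etc/httpd/ssl/proxy.key

    # The TLS session ends at the proxy, so this is the only place the
    # client certificate can be verified. "require" refuses handshakes
    # without a certificate that chains to the CA file below.
    SSLCACertificateFile /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Remove whatever the client sent under this name, then set the header
    # from the verified certificate. %{...}s reads the mod_ssl variable
    # directly; the %{...}e form used in the thread reads the process
    # environment and therefore needs "SSLOptions +StdEnvVars".
    RequestHeader unset X-SSL-Client-OU
    RequestHeader set   X-SSL-Client-OU "%{SSL_CLIENT_S_DN_OU}s"

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests    Off
    ProxyPass        / http://websphere.internal.example:9080/
    ProxyPassReverse / http://websphere.internal.example:9080/
</VirtualHost>
```

The backend should accept connections only from the proxy, since any host that can reach it directly can set X-SSL-Client-OU itself. If the certificate has no OU field, mod_headers sends the literal value "(null)", which the application has to treat as no identity.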



