Hi Yann,

Based on the certificate I'm using, I'm getting a different error.

Below is my vhost entry.

<VirtualHost *>
    ServerName Virtual:443
    SetEnv vhostname virtual
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
    Include <PROXY FILE>
    Include /u/applic/tc/HTTP/config/conf/secure.conf
    SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
    SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
    SSLProxyEngine on
    SSLProxyCACertificateFile /tmp/was.crt
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
</VirtualHost>

From the beginning, all I was looking for is mutual authentication between Apache
and the WebSphere application server.
I've added the Apachecertificate root certificate in WAS, which is 3rd-party signed.
I've been getting issues from the beginning while adding the WAS certificate on Apache.
As WAS uses a self-signed certificate, I've exported the WAS certificate in DER format,
converted it into PEM and placed it in /tmp/was.crt. I see the below error in the
logs, and in the access logs I see a 502 proxy error.
Seems like it's failing to validate the self-signed certificate.

[Mon Feb 12 10:01:11.595469 2018] [ssl:error] [pid 33084:tid 140082866366208] [remote WASSErver:PORT] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Mon Feb 12 10:01:11.596379 2018] [proxy_http:error] [pid 33084:tid 140082866366208] (103)Software caused connection abort: [client XXXX:xxxx] AH01102: error reading status line from remote server WASSErver:PORT
[Mon Feb 12 10:01:11.596418 2018] [proxy:error] [pid 33084:tid 140082866366208] [client XXXX;xxx] AH00898: Error reading from remote server returned by /XXXX



Warm Regards, 
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
Mail: nkna...@wal-mart.com
SLACK Channel:: middleware_l2

Middleware ServiceNow Service Catalog Task Policy:: 
https://collaboration.wal-mart.com/display/IPSMW/Service+Now+Service+Task+Catalog+Policy
Middleware ServiceNow Change Control Policy :: 
https://collaboration.wal-mart.com/display/IPSMW/Change+Control+Policy
Middleware Customer Page:: 
https://teams.wal-mart.com/sites/Middleware/Customers/Pages/default.aspx


-----Original Message-----
From: Yann Ylavic [mailto:ylavic....@gmail.com] 
Sent: Monday, February 12, 2018 9:54 AM
To: users@httpd.apache.org
Subject: EXT: Re: [users@httpd] Mutual authentication between Apache HTTP server and an application server.

Hi,

On Mon, Feb 12, 2018 at 2:25 PM, Naveen Nandyala - Vendor <naveen.nandy...@walmart.com> wrote:
>
> [Mon Feb 12 07:22:12.631833 2018] [ssl:warn] [pid 21729:tid 
> 139998669920000] AH02268: Proxy client certificate callback:
> (Virtual:443) downstream server wanted client certificate but none are 
> configured

This is a different problem, here the Websphere Server is asking for a client 
certificate (the proxy's) signed by one of its configured CAs for client 
authentication (i.e. in SSLCACertificateFile/Path or SSLCADNRequestFile/Path).
Since no client certificate corresponds on the proxy side (i.e. in 
SSLProxyMachineCertificateFile/Path), this log is issued.

As Eric said, you should take each issue one by one: the above is about the
Websphere authenticating the proxy; you should first try to make the proxy
authenticate the Websphere (see below).

>
> Was wondering if Apache (Client) doesn't connect to Websphere (Server) if
> Websphere uses a self-signed certificate?

The Apache proxy will connect, but you can't ask it to authenticate the
WebSphere server in this case: there is no CA to verify the WebSphere
certificate against.
You previously said "was.crt" was the root certificate (meaning the one which
signed the Websphere server certificate); if that's not the case, it can't help in
the proxy authenticating the server.


Regards,
Yann.
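As an added example (not part of the thread, and not either poster's configuration), the script below reproduces mod_ssl's backend verification offline with openssl, so you can tell before touching the vhost whether the PEM you point SSLProxyCACertificateFile at is the issuing root or merely the server's own certificate. The certificate names was-root and was-leaf, the temporary paths and the chain layout are constructed for this example; error number 19 is the value mod_ssl reports in AH02039 above.

```shell
#!/bin/sh
# Added example, not from the thread: check offline whether the PEM you intend
# to put in SSLProxyCACertificateFile can actually validate the chain the
# backend presents. "was-root" and "was-leaf" are constructed stand-ins for a
# WebSphere root and personal (server) certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the constructed two-level chain: a self-signed root that signs the
# server certificate, plus chain.pem as the server would send it on the wire
# (its own certificate first, then the root).
build_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=was-root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=was-leaf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
  cat "$WORK/leaf.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

# True when subject and issuer hashes match, i.e. the certificate is
# self-signed and can serve as a trust anchor; a leaf fails this test.
is_selfsigned() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Verify the server certificate the way mod_ssl does with "SSLProxyVerify
# require": $1 is the trust file (what SSLProxyCACertificateFile would point
# at); the chain seen on the wire is offered only as untrusted intermediates.
# Prints the OpenSSL verify error number (0 = OK), the same number mod_ssl
# logs as "Error (N)" in AH02039.
verify_backend() {
  if out=$(openssl verify -CAfile "$1" -untrusted "$WORK/chain.pem" \
             "$WORK/leaf.crt" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

build_chain

# leaf.crt is the mistake from the thread: the server's own certificate in the
# trust file. The root at the top of the presented chain is then unknown and
# verification stops with error 19 ("self signed certificate in certificate
# chain"). root.crt is the certificate that actually signed the server cert.
for f in leaf root; do
  if is_selfsigned "$WORK/$f.crt"; then
    kind="self-signed, usable as trust anchor"
  else
    kind="not self-signed, a leaf rather than an anchor"
  fi
  echo "$f.crt: $kind; verification error $(verify_backend "$WORK/$f.crt")"
done
```

Run it with sh; it prints the verification error number for each candidate trust file, and only the root that signed the server certificate brings it to 0. The reverse direction (WebSphere verifying the proxy's client certificate via SSLProxyMachineCertificateFile, the AH02268 warning Yann separates out above) is a different check and is not exercised here.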

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

