Hi Yann,
        Based on certificate I'm using I'm getting different error. 

Below is my vhose entry.

<VirtualHost *>
    ServerName Virtual:443
    SetEnv vhostname virtual
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" 
    Include <PROXY FILE>
Include /u/applic/tc/HTTP/config/conf/secure.conf
    SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
    SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
SSLProxyEngine on
SSLProxyCACertificateFile /tmp/was.crt
SSLProxyVerify require
SSLProxyVerifyDepth  2

From beginning All I was looking for is mutual authentication between Apache 
and Websphere application server.
I've added Apachecertificate Root certificate in WAS which is 3rd party signed.
I'm getting issues from beginning while adding WAS certificate on Apache.
As WAS is selfsigned certificate I've expoerted WAS certificate in der format 
and converted into pem and placed it in /tmp/was.crt,  I see below error in 
logs. And in access logs I see 502 proxy error.
Seems like its failing to validate selfsigned certificate.

[Mon Feb 12 10:01:11.595469 2018] [ssl:error] [pid 33084:tid 140082866366208] 
[remote WASSErver:PORT] AH02039: Certificate Verification: Error (19): self 
signed certificate in certificate chain
[Mon Feb 12 10:01:11.596379 2018] [proxy_http:error] [pid 33084:tid 
140082866366208] (103)Software caused connection abort: [client XXXX:xxxx] 
AH01102: error reading status line from remote server WASSErver:PORT
[Mon Feb 12 10:01:11.596418 2018] [proxy:error] [pid 33084:tid 140082866366208] 
[client XXXX;xxx] AH00898: Error reading from remote server returned by /XXXX

Warm Regards, 
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
Mail: nkna...@wal-mart.com
SLACK Channel:: middleware_l2

Middleware ServiceNow Service Catalog Task Policy:: 
Middleware ServiceNow Change Control Policy :: 
Middleware Customer Page:: 

-----Original Message-----
From: Yann Ylavic [mailto:ylavic....@gmail.com] 
Sent: Monday, February 12, 2018 9:54 AM
To: users@httpd.apache.org
Subject: EXT: Re: [users@httpd] Mutual authentication between Apache HTTP 
server and an application server.


On Mon, Feb 12, 2018 at 2:25 PM, Naveen Nandyala - Vendor 
<naveen.nandy...@walmart.com> wrote:>
> [Mon Feb 12 07:22:12.631833 2018] [ssl:warn] [pid 21729:tid 
> 139998669920000] AH02268: Proxy client certificate callback:
> (Virtual:443) downstream server wanted client certificate but none are 
> configured

This is a different problem, here the Websphere Server is asking for a client 
certificate (the proxy's) signed by one of its configured CAs for client 
authentication (i.e. in SSLCACertificateFile/Path or SSLCADNRequestFile/Path).
Since no client certificate corresponds on the proxy side (i.e. in 
SSLProxyMachineCertificateFile/Path), this log is issued.

As Eric said, you should take each issue one by one, above is about the 
Websphere authenticating the proxy, you should first try to make the proxy 
authenticate the Websphere (see below).

> Was wondering if Apache(Client) don't connect to Websphere (Server) if 
> Websphere uses a Self-signed certificate?

The Apache proxy will connect, but you can't ask it to authenticate the 
WebSphere server in this case, there is no CA to verify the WebSphere 
certificate against.
You previously said "was.crt" was the root certificate (meaning the one which 
signed the Websphere server certificate), if it's not the case it can't help in 
the proxy authenticating the server.


To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to