On Mon, Feb 12, 2018 at 6:36 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> On Mon, Feb 12, 2018 at 5:16 PM, Naveen Nandyala - Vendor
> <naveen.nandy...@walmart.com> wrote:
>>
>> Below is my vhost entry.
>>
>> <VirtualHost *>
>>     ServerName Virtual:443
>>     SetEnv vhostname virtual
>>     Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
>>     Include <PROXY FILE>
>>     Include /u/applic/tc/HTTP/config/conf/secure.conf
>>     SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
>>     SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
>>     SSLProxyEngine on
>>     SSLProxyCACertificateFile /tmp/was.crt
>>     SSLProxyVerify require
>>     SSLProxyVerifyDepth 2
>> </VirtualHost>
>>
>> From the beginning, all I was looking for is mutual authentication between
>> Apache and WebSphere Application Server.
>> I've added the Apachecertificate root certificate in WAS, which is 3rd party
>> signed.
>
> For now there is no SSLProxyMachineCertificateFile in your
> configuration (because we asked you to care only about the proxy
> authenticating the server), so in the meantime you should also disable
> SSLVerifyClient on the Websphere side (otherwise it will ask for a
> client certificate which the proxy doesn't provide yet).
>
> I tried the above with a self signed cert for
> SSLProxyCACertificateFile and it worked.
>
> Once it also works in your case, you can then configure the proxy to
> send its certificate+key when requested to:
> - SSLProxyMachineCertificateFile /path/to/proxy.crt+key

Obviously the proxy doesn't send its key; here "proxy.crt+key" means
both should be concatenated in the same file for the proxy to load
them.

>
> And re-enable client authentication on the websphere:
> - SSLVerifyClient on
> - SSLCACertificateFile /path/to/proxy.ca.crt

While here "proxy.ca.crt" means the concatenation of "proxy.crt" and
the CA which signed it.

>
>
> Regards,
> Yann.
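
One way to build the two concatenated files described in this message, as an added example that is not part of the original thread. The function names (`pem_cat`, `has_marker`, `build_machine_cert`, `build_ca_bundle`) are hypothetical helpers, and the file names follow the ones used above.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from the thread or from httpd.

# Concatenate PEM files, adding a newline when a file lacks a trailing one,
# so the next "-----BEGIN" marker always starts on its own line.
pem_cat() {
    for f in "$@"; do
        cat "$f"
        if [ -n "$(tail -c 1 "$f")" ]; then echo; fi
    done
}

# True when file $2 contains the fixed string $1.
has_marker() { grep -qF -e "$1" "$2"; }

# "proxy.crt+key": certificate then private key, for SSLProxyMachineCertificateFile.
build_machine_cert() {
    crt=$1 key=$2 out=$3
    has_marker '-----BEGIN CERTIFICATE-----' "$crt" ||
        { echo "$crt: no certificate found" >&2; return 1; }
    has_marker 'PRIVATE KEY-----' "$key" ||
        { echo "$key: no private key found" >&2; return 1; }
    # The mod_ssl documentation states encrypted keys are not supported here.
    if has_marker 'ENCRYPTED' "$key"; then
        echo "$key: encrypted key, decrypt it first" >&2; return 1
    fi
    # The output holds a private key: create it readable by the owner only.
    ( umask 077; pem_cat "$crt" "$key" > "$out" )
}

# "proxy.ca.crt": proxy certificate then the CA that signed it, for the
# backend's SSLCACertificateFile. It must never carry a private key.
build_ca_bundle() {
    crt=$1 ca=$2 out=$3
    for f in "$crt" "$ca"; do
        has_marker '-----BEGIN CERTIFICATE-----' "$f" ||
            { echo "$f: no certificate found" >&2; return 1; }
        if has_marker 'PRIVATE KEY-----' "$f"; then
            echo "$f: contains a private key, refusing" >&2; return 1
        fi
    done
    pem_cat "$crt" "$ca" > "$out"
}

# Usage:
#   build_machine_cert proxy.crt proxy.key proxy.crt+key
#   build_ca_bundle    proxy.crt ca.crt    proxy.ca.crt
```

The helpers only check PEM markers; they do not verify that the key matches the certificate or that the CA actually signed it.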
