Thank Yann,

        From this I could understand below. Could you please confirm in my 
understanding is correct?

When using IHS + Plugin + WAS.

Browser --> IHS --> Plugin --> WAS

We used to enable mutual auth between IHS and Plugin by exchanging their keys, 
Mutual auth between Plugin and WAS by exchanging their keys.
If we want to enable mutual auth between browser and IHS we added " 
SSLClientAuth = required" in conf file and added client certificates in HIS kdb.

When using Apache + Proxy + WAS

Browser --> Apache --> Proxy --> WAS

I need to request a certificate for Apache and pass that using 
SSLCertificateFile and SSLCertificateKeyFile.
I need to request a certificate  for Proxy and include both key and CA in 
single file and add it in SSLProxyMachineCertificateFile.
Then add Proxy certificate CA to WAS truststore and enable 
SSLClientAuth=required on WAS end?

In this way I can enable mutual auth between Apache - Proxy.
And mutual Auth between Proxy - WAS?

After I disabled client auth required on WAS end I'm able to make a call 
between Apache and WAS. Now I need to request a new certificate for proxy and 
point it to SSLProxyMachineCertificateFile?
Please correct me if I'm doing something wrong. 

Warm Regards, 
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
SLACK Channel:: middleware_l2

Middleware ServiceNow Service Catalog Task Policy::
Middleware ServiceNow Change Control Policy ::
Middleware Customer Page::

-----Original Message-----
From: Yann Ylavic [] 
Sent: Monday, February 12, 2018 11:45 AM
Subject: EXT: Re: [users@httpd] Mutual authentication between Apache HTTP 
server and an application server.

On Mon, Feb 12, 2018 at 6:36 PM, Yann Ylavic <> wrote:
> On Mon, Feb 12, 2018 at 5:16 PM, Naveen Nandyala - Vendor 
> <> wrote:
>> Below is my vhose entry.
>> <VirtualHost *>
>>     ServerName Virtual:443
>>     SetEnv vhostname virtual
>>     Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; 
>> HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
>>     Include <PROXY FILE>
>> Include /u/applic/tc/HTTP/config/conf/secure.conf
>>     SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
>>     SSLCertificateKeyFile 
>> /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
>> SSLProxyEngine on
>> SSLProxyCACertificateFile /tmp/was.crt SSLProxyVerify require 
>> SSLProxyVerifyDepth  2 </VirtualHost>
>> From beginning All I was looking for is mutual authentication between Apache 
>> and Websphere application server.
>> I've added Apachecertificate Root certificate in WAS which is 3rd party 
>> signed.
> For now there is no SSLProxyMachineCertificateFile in your 
> configuration (because we asked you to care only about the proxy 
> authenticating the server), so in the meantime you should also disable 
> SSLVerifyClient on the Websphere side (otherwise it will ask for a 
> client certificate which the proxy doesn't provide yet).
> I tried the above with a self signed cert for 
> SSLProxyCACertificateFile and it worked.
> Once it also works in your case, you can then configure the proxy to 
> send its certificate+key when requested to:
> - SSLProxyMachineCertificateFile /path/to/proxy.crt+key

Obviously the proxy doesn't send its key, here "proxy.crt+key" means both 
should be concatenated in the same file for the proxy to load them.

> And re-enable client authentication on the websphere:
> - SSLVerifyClient on
> - SSLCACertificateFile /path/to/

While here "" means the concatenation of "proxy.crt" and the CA 
which signed it.

> Regards,
> Yann.

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to