Thanks Yann,
From this I could understand the below. Could you please confirm if my
understanding is correct?
When using IHS + Plugin + WAS.
Browser --> IHS --> Plugin --> WAS
We used to enable mutual auth between IHS and Plugin by exchanging their keys,
Mutual auth between Plugin and WAS by exchanging their keys.
If we want to enable mutual auth between browser and IHS we added
"SSLClientAuth = required" in the conf file and added client certificates in the IHS kdb.
When using Apache + Proxy + WAS
Browser --> Apache --> Proxy --> WAS
I need to request a certificate for Apache and pass that using
SSLCertificateFile and SSLCertificateKeyFile.
I need to request a certificate for Proxy and include both key and CA in
single file and add it in SSLProxyMachineCertificateFile.
Then add Proxy certificate CA to WAS truststore and enable
SSLClientAuth=required on WAS end?
In this way I can enable mutual auth between Apache - Proxy.
And mutual Auth between Proxy - WAS?
After I disabled client auth required on WAS end I'm able to make a call
between Apache and WAS. Now I need to request a new certificate for proxy and
point it to SSLProxyMachineCertificateFile?
Please correct me if I'm doing something wrong.
Warm Regards,
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
Mail: [email protected]
SLACK Channel:: middleware_l2
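For reference, here is what the two halves of the setup discussed in this thread look like in a single mod_ssl vhost: browser-to-Apache client authentication (the Apache equivalent of "SSLClientAuth = required" in IHS) and Apache-to-WebSphere mutual TLS via SSLProxyMachineCertificateFile. This is an added example written for this thread, not the poster's real vhost; all hostnames, ports and file paths are assumptions.

```apache
# Added example; hostnames, ports and paths are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName virtual.example.com

    # --- Browser <-> Apache: server cert plus REQUIRED client cert ---
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/apache.crt
    SSLCertificateKeyFile /etc/httpd/ssl/apache.key
    # CA that issued the browsers' client certificates (what the IHS kdb held).
    # With "require", a handshake without a valid client cert is refused.
    SSLCACertificateFile  /etc/httpd/ssl/browser-clients-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # --- Apache (proxy client) <-> WebSphere: mutual TLS ---
    SSLProxyEngine on
    # Step 1 (proxy authenticates WAS): trust only WAS's issuing CA.
    SSLProxyCACertificateFile /etc/httpd/ssl/was-ca.crt
    SSLProxyVerify        require
    SSLProxyVerifyDepth   2
    # Step 2 (WAS authenticates proxy): the cert+key the proxy presents when
    # WAS requests a client certificate. One PEM file, built as:
    #   cat proxy.crt proxy.key > proxy.crt+key.pem
    # The key must be unencrypted, and the file must be readable only by the
    # httpd user (it contains a private key).
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy.crt+key.pem
    # Intermediate(s) for proxy.crt, if it is not signed directly by the root
    # that WAS trusts (httpd 2.4.8+).
    SSLProxyMachineCertificateChainFile /etc/httpd/ssl/proxy-chain.pem

    # WAS side (admin console, not httpd): add the CA that signed proxy.crt to
    # the WAS truststore and set client authentication to required.
    ProxyPass        / https://was.example.com:9443/
    ProxyPassReverse / https://was.example.com:9443/
</VirtualHost>
```

Enable the back-end half first with client authentication disabled on WAS, confirm the proxied call works, then add SSLProxyMachineCertificateFile and re-enable client authentication on WAS; that is the same ordering Yann describes below.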
-----Original Message-----
From: Yann Ylavic [mailto:[email protected]]
Sent: Monday, February 12, 2018 11:45 AM
To: [email protected]
Subject: EXT: Re: [users@httpd] Mutual authentication between Apache HTTP server and an application server.
On Mon, Feb 12, 2018 at 6:36 PM, Yann Ylavic <[email protected]> wrote:
> On Mon, Feb 12, 2018 at 5:16 PM, Naveen Nandyala - Vendor
> <[email protected]> wrote:
>>
>> Below is my vhost entry.
>>
>> <VirtualHost *>
>> ServerName Virtual:443
>> SetEnv vhostname virtual
>> Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
>> Include <PROXY FILE>
>> Include /u/applic/tc/HTTP/config/conf/secure.conf
>> SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
>> SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
>> SSLProxyEngine on
>> SSLProxyCACertificateFile /tmp/was.crt
>> SSLProxyVerify require
>> SSLProxyVerifyDepth 2
>> </VirtualHost>
>>
>> From the beginning, all I was looking for is mutual authentication between Apache
>> and WebSphere application server.
>> I've added the Apachecertificate root certificate in WAS, which is 3rd-party
>> signed.
>
> For now there is no SSLProxyMachineCertificateFile in your
> configuration (because we asked you to care only about the proxy
> authenticating the server), so in the meantime you should also disable
> SSLVerifyClient on the Websphere side (otherwise it will ask for a
> client certificate which the proxy doesn't provide yet).
>
> I tried the above with a self signed cert for
> SSLProxyCACertificateFile and it worked.
>
> Once it also works in your case, you can then configure the proxy to
> send its certificate+key when requested to:
> - SSLProxyMachineCertificateFile /path/to/proxy.crt+key
Obviously the proxy doesn't send its key, here "proxy.crt+key" means both
should be concatenated in the same file for the proxy to load them.
>
> And re-enable client authentication on the websphere:
> - SSLVerifyClient on
> - SSLCACertificateFile /path/to/proxy.ca.crt
While here "proxy.ca.crt" means the concatenation of "proxy.crt" and the CA
which signed it.
>
>
> Regards,
> Yann.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]