On Mon, Feb 12, 2018 at 7:38 PM, Naveen Nandyala - Vendor
<naveen.nandy...@walmart.com> wrote:>
> When using Apache + Proxy + WAS
> Browser --> Apache --> Proxy --> WAS
Apache and Proxy are the same instance, the is Apache httpd doing SSL
on its client side with the Browser, and also doing SSL on its backend
side with the WAS. There is no authentication between Apache and
Proxy, same sofware/process.

> I need to request a certificate for Apache and pass that using
> SSLCertificateFile and SSLCertificateKeyFile.
Right, this is the SSL on the client side of Apache httpd.
It needs a certificate (SSLCertificateFile) and its key
(SSLCertificateKeyFile), and the certificate should be signed by a CA
trusted by browsers.
You can put all the certificate chain a single file and use it for
SSLCertificateFile: this is the concatenation of the server
certificate followed the CA(s) in order of signing (i.e. root
certificate last).

> I need to request a certificate  for Proxy and include both key and
> CA in single file and add it in SSLProxyMachineCertificateFile.
You need a certificate (and its key) for Apache httpd on its
Proxy/backend side, but the signing CA is not needed here.
SSLProxyMachineCertificateFile should contain the concatenation of
this *certificate* (not the CA) and its key.
This is the identity of the Proxy as seen/verified by the WAS.

On the Proxy side, you also need to indicate which CA signed the WAS
certificate, so that it can be verified (this is how the Proxy
authenticates the WAS). Since the WAS certificate is self-signed, it's
also the CA so simply use it for SSLProxyCACertificateFile.

> Then add Proxy certificate CA to WAS truststore and enable
> SSLClientAuth=required on WAS end?
You could also use a(nother) self signed certificate for the Proxy (as
you do for the WAS), but I don't know if the WAS trustore accepts
self-signed certificates. If not, you indeed need to set the CA which
signed the Proxy certificate in the truststore, though this CA doesn't
need to be trusted by third-parties, it could be a dedicated CA you
created by yourself and used to sign the Proxy certificate.

> In this way I can enable mutual auth between Apache - Proxy.
Not needed per above.

> And mutual Auth between Proxy - WAS?
Yes, the proxy will authenticate the WAS thanks to WAS CA (in
SSLProxyCACertificateFile), and the WAS will authenticate the Proxy
thanks to the Proxy CA (in the truststore).

> After I disabled client auth required on WAS end I'm able to make a
> call between Apache and WAS.

OK, it's only missing the Proxy authentication now.

> Now I need to request a new certificate
> for proxy and point it to SSLProxyMachineCertificateFile?

Yes, generate a new certificate (and CA eventually), and use that per above.


To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to