Thanks Yann,
I tried this and it works. I'm using 3rd party signed certificate on
Proxy end. I'll try with self-signed certificate for proxy and will check the
same.
Warm Regards,
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
Mail: nkna...@wal-mart.com
SLACK Channel:: middleware_l2
Middleware ServiceNow Service Catalog Task Policy::
https://collaboration.wal-mart.com/display/IPSMW/Service+Now+Service+Task+Catalog+Policy
Middleware ServiceNow Change Control Policy ::
https://collaboration.wal-mart.com/display/IPSMW/Change+Control+Policy
Middleware Customer Page::
https://teams.wal-mart.com/sites/Middleware/Customers/Pages/default.aspx
-----Original Message-----
From: Yann Ylavic [mailto:ylavic....@gmail.com]
Sent: Monday, February 12, 2018 2:43 PM
To: users@httpd.apache.org
Subject: EXT: Re: [users@httpd] Mutual authentication between Apache HTTP
server and an application server.
On Mon, Feb 12, 2018 at 7:38 PM, Naveen Nandyala - Vendor
<naveen.nandy...@walmart.com> wrote:>
> When using Apache + Proxy + WAS
>
> Browser --> Apache --> Proxy --> WAS
Apache and Proxy are the same instance, the is Apache httpd doing SSL on its
client side with the Browser, and also doing SSL on its backend side with the
WAS. There is no authentication between Apache and Proxy, same sofware/process.
>
> I need to request a certificate for Apache and pass that using
> SSLCertificateFile and SSLCertificateKeyFile.
Right, this is the SSL on the client side of Apache httpd.
It needs a certificate (SSLCertificateFile) and its key
(SSLCertificateKeyFile), and the certificate should be signed by a CA trusted
by browsers.
You can put all the certificate chain a single file and use it for
SSLCertificateFile: this is the concatenation of the server certificate
followed the CA(s) in order of signing (i.e. root certificate last).
> I need to request a certificate for Proxy and include both key and CA
> in single file and add it in SSLProxyMachineCertificateFile.
You need a certificate (and its key) for Apache httpd on its Proxy/backend
side, but the signing CA is not needed here.
SSLProxyMachineCertificateFile should contain the concatenation of this
*certificate* (not the CA) and its key.
This is the identity of the Proxy as seen/verified by the WAS.
On the Proxy side, you also need to indicate which CA signed the WAS
certificate, so that it can be verified (this is how the Proxy authenticates
the WAS). Since the WAS certificate is self-signed, it's also the CA so simply
use it for SSLProxyCACertificateFile.
> Then add Proxy certificate CA to WAS truststore and enable
> SSLClientAuth=required on WAS end?
You could also use a(nother) self signed certificate for the Proxy (as you do
for the WAS), but I don't know if the WAS trustore accepts self-signed
certificates. If not, you indeed need to set the CA which signed the Proxy
certificate in the truststore, though this CA doesn't need to be trusted by
third-parties, it could be a dedicated CA you created by yourself and used to
sign the Proxy certificate.
>
> In this way I can enable mutual auth between Apache - Proxy.
Not needed per above.
> And mutual Auth between Proxy - WAS?
Yes, the proxy will authenticate the WAS thanks to WAS CA (in
SSLProxyCACertificateFile), and the WAS will authenticate the Proxy thanks to
the Proxy CA (in the truststore).
>
> After I disabled client auth required on WAS end I'm able to make a
> call between Apache and WAS.
OK, it's only missing the Proxy authentication now.
> Now I need to request a new certificate for proxy and point it to
> SSLProxyMachineCertificateFile?
Yes, generate a new certificate (and CA eventually), and use that per above.
Regards,
Yann.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
