Thanks Yann,

I tried this and it works. I'm using a 3rd party signed certificate on the
Proxy end. I'll try with a self-signed certificate for the proxy and will check the

Warm Regards, 
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
SLACK Channel:: middleware_l2


-----Original Message-----
From: Yann Ylavic
Sent: Monday, February 12, 2018 2:43 PM
Subject: EXT: Re: [users@httpd] Mutual authentication between Apache HTTP 
server and an application server.

On Mon, Feb 12, 2018 at 7:38 PM, Naveen Nandyala - Vendor wrote:
>
> When using Apache + Proxy + WAS
> Browser --> Apache --> Proxy --> WAS

Apache and Proxy are the same instance, that is Apache httpd doing SSL on its 
client side with the Browser, and also doing SSL on its backend side with the 
WAS. There is no authentication between Apache and Proxy, same software/process.

> I need to request a certificate for Apache and pass that using 
> SSLCertificateFile and SSLCertificateKeyFile.
Right, this is the SSL on the client side of Apache httpd.
It needs a certificate (SSLCertificateFile) and its key 
(SSLCertificateKeyFile), and the certificate should be signed by a CA trusted 
by browsers.
You can put all the certificate chain in a single file and use it for
SSLCertificateFile: this is the concatenation of the server certificate 
followed by the CA(s) in order of signing (i.e. root certificate last).

> I need to request a certificate  for Proxy and include both key and CA 
> in single file and add it in SSLProxyMachineCertificateFile.
You need a certificate (and its key) for Apache httpd on its Proxy/backend 
side, but the signing CA is not needed here.
SSLProxyMachineCertificateFile should contain the concatenation of this 
*certificate* (not the CA) and its key.
This is the identity of the Proxy as seen/verified by the WAS.

On the Proxy side, you also need to indicate which CA signed the WAS 
certificate, so that it can be verified (this is how the Proxy authenticates 
the WAS). Since the WAS certificate is self-signed, it's also the CA so simply 
use it for SSLProxyCACertificateFile.

> Then add Proxy certificate CA to WAS truststore and enable 
> SSLClientAuth=required on WAS end?
You could also use a(nother) self signed certificate for the Proxy (as you do 
for the WAS), but I don't know if the WAS truststore accepts self-signed 
certificates. If not, you indeed need to set the CA which signed the Proxy 
certificate in the truststore, though this CA doesn't need to be trusted by 
third-parties, it could be a dedicated CA you created by yourself and used to 
sign the Proxy certificate.

> In this way I can enable mutual auth between Apache - Proxy.
Not needed per above.

> And mutual Auth between Proxy - WAS?
Yes, the proxy will authenticate the WAS thanks to WAS CA (in 
SSLProxyCACertificateFile), and the WAS will authenticate the Proxy thanks to 
the Proxy CA (in the truststore).

> After I disabled client auth required on WAS end I'm able to make a 
> call between Apache and WAS.

OK, it's only missing the Proxy authentication now.

> Now I need to request a new certificate for proxy and point it to 
> SSLProxyMachineCertificateFile?

Yes, generate a new certificate (and CA eventually), and use that per above.
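
The layout described in this reply (a dedicated CA, a proxy certificate signed by it, and the certificate plus its key concatenated for SSLProxyMachineCertificateFile) can be generated and checked with openssl. This is an added example, not part of the original message; the file names, subject names and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example. File names, subject names and lifetimes are assumptions.

# Create a dedicated CA plus a proxy client certificate signed by it, in dir $1.
make_proxy_identity() {
    dir=$1
    mkdir -p "$dir" || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    # Dedicated CA: only the backend truststore has to trust it.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Proxy CA" \
        -keyout "$dir/proxy-ca.key" -out "$dir/proxy-ca.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/proxy-ca.csr" -signkey "$dir/proxy-ca.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/proxy-ca.crt" 2>/dev/null || return 1
    # Identity that httpd presents to the backend.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=httpd-proxy.example" \
        -keyout "$dir/proxy.key" -out "$dir/proxy.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/proxy.csr" -days 365 -CAcreateserial \
        -CA "$dir/proxy-ca.crt" -CAkey "$dir/proxy-ca.key" \
        -extfile "$dir/client.ext" -out "$dir/proxy.crt" 2>/dev/null || return 1
    # SSLProxyMachineCertificateFile: the certificate followed by its key, no CA.
    cat "$dir/proxy.crt" "$dir/proxy.key" > "$dir/proxy-machine.pem"
    chmod 600 "$dir"/*.key "$dir/proxy-machine.pem"
}

# Check candidate SSLProxyMachineCertificateFile $1 against the CA file $2.
check_machine_pem() {
    pem=$1; ca=$2
    # A CA appended to the file would show up as a second certificate.
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -eq 1 ] ||
        { echo "expected exactly one certificate"; return 1; }
    grep -q 'BEGIN.*PRIVATE KEY' "$pem" || { echo "private key missing"; return 1; }
    # The key must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
    # The CA given to the backend truststore must validate it for client auth.
    openssl verify -purpose sslclient -CAfile "$ca" "$pem" >/dev/null 2>&1 ||
        { echo "not signed by the given CA"; return 1; }
    echo ok
}

# Demo run in a scratch directory that is removed afterwards.
demo=$(mktemp -d) && make_proxy_identity "$demo" &&
    check_machine_pem "$demo/proxy-machine.pem" "$demo/proxy-ca.crt"
rm -rf "$demo"
```

Here proxy-machine.pem is the file for SSLProxyMachineCertificateFile, and proxy-ca.crt is the CA to add to the WAS truststore.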

