Hi, I actually don't think that this can work at all. With SSL/TLS client certificate authentication, the authentication is performed during the SSL handshake at the socket level. The whole communication is encrypted and only the two communication partners will be able to decrypt it. If there are three parties involved, there are actually two ways to do this:
1. The middle party is only acting as a proxy. In this case encryption is between the other two communication partners and the middle party has no way to read or change the data at all (just forward it). That's what is happening if you use an HTTP proxy for HTTPS. You might be able to use some mina stuff on socket level for the reverse proxy thing, however I don't really think that camel is the best solution for a reverse proxy on socket level.

2. The middle party is terminating the TLS connections. In this case two TLS handshakes take place, one between the client and the camel system, and one between the camel system and the server. TLS based authentication of the client will be possible between the client and the camel system, but not between the camel system and the server. You might be able to get the client certificate within the Camel route, but you will not be able to authenticate to the server with it, because that would also require the secret key of the client on the camel system (where it is not supposed to be).

There are other methods to do an authentication of a web service via a proxy like WS-Security, however these methods are not based on HTTPS and would require changes in the web service itself.

Best regards
Stephan Siano

-----Original Message-----
From: Willem jiang [mailto:willem.ji...@gmail.com]
Sent: Wednesday, 22 May 2013 04:13
To: users@camel.apache.org
Subject: Re: SSL : Server Certs and Client certificate passthrough

Yeah, it is very complex, I don't think current camel-cxf can support it out of box. Can I know more details about the web service that you proxy with Camel? Why do you need to pass the client's request with re-attached key to the back service? Can you just pass the client id or something and let the camel route use the fixed private key to send the request to the back service?

--
Willem Jiang
Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://www.fusesource.com | http://www.redhat.com
Blog: http://willemjiang.blogspot.com (http://willemjiang.blogspot.com/) (English) http://jnn.iteye.com (http://jnn.javaeye.com/) (Chinese)
Twitter: willemjiang
Weibo: 姜宁willem

On Wednesday, May 22, 2013 at 5:08 AM, RTernier wrote:
> My camel app is running pretty well, however it's using our unsecured
> webservice platform for development and PoC. I now need to change it so it
> works with our server certificates (x509) and use client certificate
> passthrough. We encrypt with the server cert. and use client certificates as
> a lock/key pair to get access.
>
> - Clients require the private key installed.
> - The server Camel is on (currently Windows) requires the private key
> installed.
> - Client sends public key, Camel will accept it, and then re-attach/re-send
> (find the key from a store) and pass that key onto the other end point.
>
> I'm not sure how all this will play out though. My current dev environment
> is on Windows, however this will be released onto a Linux box running
> Apache.
>
> Some of the routes I have in Camel/Spring are a reverse-proxy, and it
> requires the certificate to be re-attached, where others are a bit more
> complex. I'm hoping to figure out how to do the reverse-proxy part first.
>
> Are there any documents or papers on how this will work with Camel? Or any
> hints?
>
> Cheers.
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/SSL-Server-Certs-and-Client-certificate-passthrough-tp5732925.html
> Sent from the Camel - Users mailing list archive at Nabble.com
> (http://Nabble.com).
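As an added example that is not part of the thread (and not Camel or mina code), here is the one piece of parsing that Stephan's option 1, a socket-level passthrough proxy, actually needs. The proxy reads only the unencrypted SNI extension from the client's first TLS record to decide which backend to connect to, then relays the bytes in both directions without modifying them, so the TLS handshake (including any client certificate authentication) completes end to end between the real client and the backend and the middle box never holds, or needs, the client's private key. The host name, the backend address and the function names are assumptions for illustration; the ClientHello is constructed inline by `build_client_hello`, not a capture.

```python
"""Socket-level TLS passthrough: pick a backend from the plaintext SNI in a
ClientHello and relay the record untouched. Added example, not project code."""
import struct

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000   # extension type: server_name (SNI)
EXT_EXT_MASTER_SECRET = 0x0017  # used only as a filler extension to skip over


def build_client_hello(host, session_id=b"", random_bytes=None):
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI entry.
    This is constructed test input for the parser, not a real capture."""
    random_bytes = random_bytes or bytes(32)
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    # A zero-length filler extension first, so the parser has to skip one.
    exts = struct.pack("!HH", EXT_EXT_MASTER_SECRET, 0)
    exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body = (struct.pack("!H", 0x0303) + random_bytes
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"   # two cipher suites
            + b"\x01\x00"                                   # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


def _parse_sni(edata):
    """Return the first host_name entry of a server_name extension body."""
    list_len = struct.unpack("!H", edata[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        ntype = edata[pos]
        nlen = struct.unpack("!H", edata[pos + 1:pos + 3])[0]
        pos += 3
        name = edata[pos:pos + nlen]
        pos += nlen
        if ntype == 0 and len(name) == nlen:
            return name.decode("ascii")
    return None


def extract_sni(data):
    """Return the SNI host name from the first TLS record in `data`, or None
    if it is not a complete ClientHello with an SNI extension. Truncated or
    non-TLS input (e.g. plaintext HTTP) yields None instead of an exception."""
    try:
        if len(data) < 5 or data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len or rec[0] != HS_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        body = rec[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                  # client_version + random
        sid_len = body[pos]; pos += 1 + sid_len       # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len         # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end > len(body):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                return _parse_sni(edata)
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def choose_backend(first_record, routes):
    """Map the SNI of the client's first record to a (host, port) backend.
    `routes` is an assumed dict of host name -> (host, port); None means the
    proxy should close the connection rather than guess."""
    sni = extract_sni(first_record)
    if sni is None:
        return None
    return routes.get(sni.lower())
```

In a relay built on this, the proxy connects to the chosen backend, writes `first_record` to it unchanged and then copies bytes in both directions; it never decrypts anything. In TLS 1.2 the client's Certificate message also travels in the clear, so such a proxy could log which certificate was presented, but it still cannot reuse it, because the CertificateVerify signature requires the client's private key (in TLS 1.3 the client certificate is encrypted as well). That is exactly why Stephan's option 2, terminating TLS in Camel, cannot re-attach the client's identity on the backend leg.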