Hi,

OK, so you actually do not really want to forward an SSL handshake or the certificate; you want to select the client certificate you use for authentication based on the authenticated user of the request. I actually haven't done that (only selected the certificate used for client authentication based on a route). If you use Camel-CXF for the web service you might come up with some tricky implementation of the SSL KeyManager or the SSLSocketFactory used in the HTTP Conduit of CXF to achieve this, but I actually never tried dynamic authentication. CXF will also try to cache SSL sessions (there is also a parameter for that).
Best regards
Stephan

-----Original Message-----
From: RTernier [mailto:ryan_tern...@hotmail.com]
Sent: Wednesday, 22 May 2013 18:09
To: users@camel.apache.org
Subject: RE: SSL : Server Certs and Client certificate passthrough

Thanks for the responses guys.

Willem - your 2nd point is actually how we do it. Our reverse proxy is connecting to our own back end in a more secure zone.

Effectively what I need:

*Client sends the message*
The client sends a SOAP message to our Camel reverse proxy. The connection will terminate. This message is encrypted with an SSL server certificate from our certificate authority, and it also comes with a client certificate which gives them access to our server.

*Reverse Proxy (Camel Implementation)*
Camel will receive the message from the client, look at the client certificate that was attached and then re-attach the same one from its own store, or another one based on a mapping. This is a generic reverse proxy. This is an allowed and valid secure architecture - and we own our own certificate authority which governs multiple certificates - our clients use our certificates when they connect to us. The clients never create their own certificates - we issue them to them.

For example: the client will send a SOAP message to http://myserver.gov.ca/RP01/MCCI_001001001/ where Camel is listening. Camel will take the message, do some work on it, and re-route it to http://mybroker.gov.ca/BR01/MCCI_001001001/

The server Camel is on will have access to our certificate authority. I'm just not sure how to wire it all up. I'm developing this on a Windows box, which is probably an issue as I'm not sure if Windows boxes can use the same key store a Linux box can with Java.
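One way to build the per-request KeyManager that Stephan sketches, as an added example that is not code from either message, from Camel or from CXF: a javax.net.ssl.X509KeyManager that wraps the JSSE default key manager over the proxy's keystore and returns the alias mapped to the user authenticated on the inbound leg, bound to the current thread before the outbound call. The class name, the bindUser/unbind methods and the user-to-alias mapping are assumptions; the keystore is assumed to hold one key entry per proxied client, as RTernier describes. The wiring comment at the bottom uses CXF's TLSClientParameters and HTTPConduit; how the conduit is reached from a camel-cxf endpoint is not shown.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Example (not from the thread): selects the client certificate per request
 * instead of letting JSSE pick the first key entry the server's issuer list
 * accepts. The route binds the authenticated user to the current thread before
 * the outbound call; the handshake then presents that user's mapped
 * certificate, or no certificate at all.
 */
public final class PerRequestKeyManager implements X509KeyManager {

    // Keystore alias selected for the request currently running on this thread.
    private static final ThreadLocal<String> CURRENT_ALIAS = new ThreadLocal<>();

    private final X509KeyManager delegate;          // JSSE key manager over the proxy's keystore
    private final Map<String, String> userToAlias;  // authenticated user -> keystore alias (assumed mapping)

    public PerRequestKeyManager(X509KeyManager delegate, Map<String, String> userToAlias) {
        this.delegate = delegate;
        this.userToAlias = Collections.unmodifiableMap(new HashMap<>(userToAlias));
    }

    /** Builds the wrapper on top of the platform key manager for the given keystore (PKCS12 or JKS). */
    public static PerRequestKeyManager over(KeyStore keyStore, char[] keyPassword,
                                            Map<String, String> userToAlias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return new PerRequestKeyManager((X509KeyManager) km, userToAlias);
            }
        }
        throw new IllegalStateException("no X509KeyManager available for keystore");
    }

    /**
     * Called by the route (for example from a Processor) with the identity it
     * authenticated on the inbound leg. Fails closed: an unmapped user, or a
     * mapped alias with no private key in the keystore, never falls back to
     * some other certificate.
     */
    public void bindUser(String authenticatedUser) {
        String alias = userToAlias.get(authenticatedUser);
        if (alias == null || delegate.getPrivateKey(alias) == null) {
            CURRENT_ALIAS.remove();
            throw new IllegalStateException("no client certificate mapped for user " + authenticatedUser);
        }
        CURRENT_ALIAS.set(alias);
    }

    /** Run after the outbound call (in a finally block) so the thread does not keep the identity. */
    public void unbind() {
        CURRENT_ALIAS.remove();
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // null makes JSSE send an empty certificate list, so the broker's mutual-TLS
        // check rejects the connection rather than this code guessing an identity
        // for a thread that never bound one.
        return CURRENT_ALIAS.get();
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        String alias = CURRENT_ALIAS.get();
        return alias == null ? null : new String[] { alias };
    }

    // Server-side methods: this manager is only meant for the outbound (client) conduit.
    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }

    @Override
    public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }

    @Override
    public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}

// Wiring into a CXF client (assumed usage, outside this class):
//   TLSClientParameters tls = new TLSClientParameters();
//   tls.setKeyManagers(new KeyManager[] { perRequestKeyManager });
//   ((HTTPConduit) ClientProxy.getClient(port).getConduit()).setTlsClientParameters(tls);
```

Two caveats follow from the points raised in the thread. The ThreadLocal only works when the outbound CXF call runs on the same thread that called bindUser, so this suits a synchronous route; an asynchronous or multicast route would need the identity carried on the exchange instead. And the selection only happens during a TLS handshake: CXF caches SSL sessions, as Stephan notes, and HTTP keep-alive can hand a connection that was authenticated as client A to client B's request, so session and connection reuse toward the broker has to be disabled or partitioned per identity, otherwise the mapping is silently bypassed. The issuers argument is also ignored here; if the broker's CA does not match the mapped certificate the handshake simply fails.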