Hi Allan, hi List,
 
I see the topic is much more complicated than I first thought. I think my
main problem comes from the fact that what my customers (those
farmer guys) want breaks the basis of the technical SSL
implementation: terminating the SSL communication in the middle
but at the same time using the certificates to authenticate each
other :(
 
>> This application server is essentially SAP XI (an XML driven data
>> exchanger)
>> and the client is a so called Business Connector. It is actually the
>> client, the BC, that wants to pass some data about harvested stuff like
>> grain or so to the XI so that they get written into the SAP system. By
>> the way, the client is a PDA that sits on top of some tractor on some field
>> in the countryside.
>
>ok, all of this is way out of my league ;)
Out of mine too. I'm a security consultant :-)

>but it still sounds as it is the actual application server that is
>handling the validation of a given client certificate (and not some of
>your custom made code).
 
To be honest there is no such thing as custom made code on the appserver
side :-(
 
>if that is the case I have no idea how you would
>let the client - the BC - pass the cert in a manner so the backend would
>be forced to validate it, sorry.
Well, the application server - the XI - is highly configurable. In parallel I'm
on the XI developer list and have asked those guys whether there is a chance
to change the XI so that it takes the client certificate from the RequestHeader.
Let's see how those guys at SAP deal with my inquiry.

>> The application server (XI) is a system with high security requirements and
>> can therefore not be placed in a normal DMZ but needs to be secured by
>> the proxy.
>
>hmm ok, so it is actually strictly necessary to run ssl on apache
>(reverse proxy)? I gather you cannot bypass apache on https in your
>set-up? and since you run the backend with ssl you sort of have a "double"
>ssl connection in certain circumstances.
>
>would it be possible to do this (I am asking the list too)?
>
>client connects on ssl to apache with client certificate.
>apache forwards request to, say, a cgi program. program connects to
>backend via ssl and passes client certificate data on behalf of the
>original client. backend validates client certificate and sends some kind
>of response. program picks up data from response and now sends an http
>redirect to the original client request. the redirected page will
>contain the backend response/data.

>I guess I'm thinking pretty traditional web environment, not tractor
>environment.
lol


>> what I don't understand at this point, is why you want the validating
>> done at the backend at all, when you could have all this done at the
>> frontend.
>
>
> Because the XI requires authentication before it would let anyone talk to
> it.
> And there are different frontends that have access to different data -
> the application server needs to distinguish them.
>
>
>and it is not possible to have all the different frontends hit apache
>first I reckon, like:
>
>some client -> whatever frontend -> apache (reverse proxy) -> backend
Well, the traffic goes like this:
 
  +----+        +--------+         +----+
  | BC | -----> | apache | ------> | XI |
  +----+        +--------+         +----+
 
and both BC and XI are to think they are talking to each other directly.
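As an added example that is not part of this thread or of any SAP or Apache documentation, here is an Apache 2.4 reverse-proxy configuration for the path above: the proxy terminates TLS from the BC, requires and verifies the client certificate, hands the verified certificate to XI in a request header, and opens its own verified TLS connection to XI. Hostnames, file paths, the XI port and the header names are assumptions.

```apache
# Added example, not the thread's own configuration. Assumes mod_ssl,
# mod_headers, mod_proxy and mod_proxy_http are loaded.
Listen 443
<VirtualHost *:443>
    ServerName xi-proxy.example.com               # assumed hostname

    # Leg 1: BC -> apache. Terminate TLS here and require a BC client cert
    # issued by the BC CA (SSLVerifyDepth 1 assumes direct issuance).
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.crt    # assumed paths
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.key
    SSLCACertificateFile  /etc/apache2/ssl/bc-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1
    # ExportCertData makes SSL_CLIENT_CERT (PEM, with embedded newlines)
    # available to mod_headers; XI has to accept it in that form (assumed).
    SSLOptions +ExportCertData +StdEnvVars

    # Unset first so a client-supplied copy of the header can never reach
    # XI; then set it from the certificate apache itself just verified.
    RequestHeader unset X-Client-Cert
    RequestHeader unset X-Client-DN
    RequestHeader set   X-Client-Cert "%{SSL_CLIENT_CERT}s"
    RequestHeader set   X-Client-DN   "%{SSL_CLIENT_S_DN}s"

    # Leg 2: apache -> XI, the "double" ssl connection from the thread.
    # Verify the XI server certificate against its CA and check the name.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/xi-ca.crt
    SSLProxyCheckPeerName on

    # Forward only; no open proxying.
    ProxyRequests off
    ProxyPass        / https://xi.internal.example.com:50001/
    ProxyPassReverse / https://xi.internal.example.com:50001/
</VirtualHost>
```

The header is only as trustworthy as the network path: XI must accept connections solely from this proxy (firewall or its own client-certificate check on leg 2), otherwise anything that can reach XI directly can present an arbitrary X-Client-Cert value.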
