Hi,

Thanks a lot.

I just went through the link. I understand the configuration mentioned in
the link would automatically read information from HTTP headers and insert it
into the request.
From the request, I can fetch it like this:

request.getAttribute("javax.servlet.request.X509Certificate");


Please correct me if I am wrong.


I have a scenario where the client's certificate is optional during the
handshake. In this case, will it have any impact on the proposed
solution?


Thanks & Regards,

Mohan



On Tue, May 31, 2016 at 5:18 PM, David Balažic <david.bala...@comtrade.com>
wrote:

> To make Tomcat evaluate the SSL_CLIENT_CERT, you must configure an
> SSLValve, see:
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/SSLValve.html
>
>
>
> David Balažic
>
> Software Engineer
>
> www.comtrade.com
>
>
>
> *From:* Mohanavelu Subramanian [mailto:mhnv...@gmail.com]
> *Sent:* 30. May 2016 20:06
> *To:* users@httpd.apache.org
> *Subject:* [users@httpd] Two way SSL authentication between apache proxy
> server and tomcat
> *Importance:* Low
>
>
>
> Hi All,
>
>
>
> Good Morning.
>
>
>
> I want to implement two-way SSL authentication between the Apache proxy and
> Tomcat. I am using mod_proxy to integrate Apache and Tomcat. I have some
> doubts about the implementation. I have done some initial analysis on this.
>
>
>
> I would create a self-signed CA certificate (CA.crt). I would create a
> client certificate (apache.pem) and a server certificate (tomcat.pem). Both of
> these certificates would be signed by my CA. I add the client certificate to
> the Apache proxy server using SSLProxyMachineCertificateFile. I have
> configured Tomcat to refer to the server certificate.
>
>
> Then I add this CA certificate to the client and server truststores. So,
> during the handshake, the authentication will be successful.
>
> 1. Is this an effective way of implementing authentication with
> certificates? I think the same client certificate can be copied by an
> unknown user and used to send requests to Tomcat. Could you please suggest a
> better way of implementing the authentication, if any?
>
>
>
> 2. Is it possible to sign a certificate with more than one CA?
>
>
>
> 3. I have my design like this.
>
>
>
>     client --------------------------> apache (mod_proxy) -----------------> tomcat
>                   https                                     https
>                   user.crt                              apache.pem   tomcat.pem
>
>
>
> I have configured mod_proxy to forward the actual client
> certificate (user.crt) to Tomcat via mod_proxy as below:
>
>
>
> SSLProxyMachineCertificateFile apache.pem
> SSLProxyCACertificateFile CA.crt
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>
>
>
> I want to forward user.crt to Tomcat, and in my application user.crt
> is verified.
>
> But request.getAttribute("javax.servlet.request.X509Certificate")
> returns null.
>
> I am not getting user.crt. Could you please give me an idea of how to fetch
> SSL_CLIENT_CERT in my application and parse it?
>
>
>
> Thanks in Advance.
>
>
>
> Best Regards,
>
> Mohan

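As an added example that is not part of this thread and not Tomcat's own SSLValve code, the servlet Filter below does what the SSLValve is being asked to do here, with the two checks the questions above call for. The SSL_CLIENT_CERT header is honoured only when the TLS peer on the Tomcat hop is the proxy itself, so a copied user.crt presented straight to Tomcat, or a hand-written SSL_CLIENT_CERT header from any other client, is rejected rather than trusted. The forwarded certificate is then validated against CA.crt before it is published as javax.servlet.request.X509Certificate. When the client certificate was optional and the client sent none, the header carries no PEM and the filter leaves the attribute unset, so the application sees null instead of mistaking the proxy's own apache.pem for the end user. Assumptions not taken from the thread: the Tomcat connector is configured with clientAuth="true" and CA.crt in its truststore (so Tomcat itself has verified apache.pem on the second hop), CA.crt is readable at /etc/tomcat/CA.crt on the Tomcat host, apache.pem has the subject CN=apache-proxy, O=Example, the servlet API is javax.servlet as in Tomcat 7/8, and the filter is mapped in web.xml ahead of the application.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Base64;
import java.util.Collections;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Does the job of Tomcat's SSLValve for the SSL_CLIENT_CERT header, with two extra checks:
 * the header is honoured only when the TLS peer on this hop is the Apache proxy, and the
 * forwarded user certificate must chain to CA.crt before it is published to the application.
 */
public class ForwardedClientCertFilter implements Filter {
    static final String HEADER = "SSL_CLIENT_CERT";               // matches the RequestHeader directive
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumptions for this example: where CA.crt lives on the Tomcat host, and the subject of
    // apache.pem, the certificate the proxy presents to Tomcat on the second hop.
    static final String CA_PEM_PATH = "/etc/tomcat/CA.crt";
    static final X500Principal PROXY_SUBJECT = new X500Principal("CN=apache-proxy, O=Example");

    private TrustAnchor anchor;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try (InputStream in = new FileInputStream(CA_PEM_PATH)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            anchor = new TrustAnchor((X509Certificate) cf.generateCertificate(in), null);
        } catch (IOException | CertificateException e) {
            throw new ServletException("cannot load " + CA_PEM_PATH, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // The chain Tomcat negotiated itself on this connection: with clientAuth="true" on the
        // connector this is apache.pem. Anything else means the request bypassed the proxy.
        X509Certificate[] hop = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String header = http.getHeader(HEADER);
        boolean fromProxy = hop != null && hop.length > 0
                && PROXY_SUBJECT.equals(hop[0].getSubjectX500Principal());
        if (!fromProxy) {
            if (header != null) {            // a forwarded-cert header from anyone else is a spoof attempt
                out.sendError(HttpServletResponse.SC_BAD_REQUEST, "unexpected " + HEADER);
                return;
            }
            chain.doFilter(req, res);
            return;
        }
        X509Certificate user;
        try {
            user = parsePem(header);
        } catch (IllegalArgumentException | CertificateException e) {
            out.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed " + HEADER);
            return;
        }
        if (user == null) {
            // SSLVerifyClient optional and the client sent no certificate: publish nothing, so the
            // application does not mistake apache.pem (the proxy's own cert) for the end user.
            req.removeAttribute(CERT_ATTR);
            chain.doFilter(req, res);
            return;
        }
        try {
            validateAgainstCa(user);
        } catch (GeneralSecurityException e) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not issued by our CA");
            return;
        }
        req.setAttribute(CERT_ATTR, new X509Certificate[] { user });
        chain.doFilter(req, res);
    }

    /** HTTP headers cannot carry raw newlines, so the PEM arrives whitespace-folded; rebuild DER from the base64. */
    static X509Certificate parsePem(String header) throws CertificateException {
        if (header == null) return null;
        int begin = header.indexOf("-----BEGIN CERTIFICATE-----");
        int end = header.indexOf("-----END CERTIFICATE-----");
        if (begin < 0 || end < begin) return null;   // empty or placeholder value: no certificate was sent
        String b64 = header.substring(begin + "-----BEGIN CERTIFICATE-----".length(), end).replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64); // IllegalArgumentException on non-base64 junk
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /** PKIX validation: signature by CA.crt, validity period, basic constraints. No CRL/OCSP for the private CA. */
    void validateAgainstCa(X509Certificate user) throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Collections.singletonList(user));
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    @Override
    public void destroy() { }
}
```

The design point is that mutual TLS on the second hop authenticates the proxy, not the end user: Tomcat can only know user.crt is genuine if it (a) accepts the header solely from the peer that proved possession of apache.pem and (b) checks the forwarded certificate's signature and validity itself. Revocation is disabled here because the thread's private CA has no CRL or OCSP responder; with one, drop the setRevocationEnabled(false) line and point the validator at it.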