Hi,

Thanks a lot.

I just went through the link. I understand that the configuration mentioned in the link would automatically read the information from the HTTP headers and insert it into the request. From the request, I can then fetch it like this:

request.getAttribute("javax.servlet.request.X509Certificate");

Please correct me if I am wrong.

I have a scenario where the client's certificate is optional during the handshake. In this case, will it have any impact on this proposed solution?

Thanks & Regards,
Mohan

On Tue, May 31, 2016 at 5:18 PM, David Balažic <david.bala...@comtrade.com> wrote:
> To make tomcat evaluate the SSL_CLIENT_CERT, you must configure a
> SSLValve, see:
> https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/SSLValve.html
>
> David Balažic
> Software Engineer
> www.comtrade.com
>
> *From:* Mohanavelu Subramanian [mailto:mhnv...@gmail.com]
> *Sent:* 30. May 2016 20:06
> *To:* users@httpd.apache.org
> *Subject:* [users@httpd] Two way SSL authentication between apache proxy server and tomcat
> *Importance:* Low
>
> Hi All,
>
> Good Morning.
>
> I want to implement 2 way SSL authentication between apache proxy and
> tomcat. I am using mod_proxy to integrate apache and tomcat. I have some
> doubts in the implementation. I have done some initial analysis on this.
>
> I would create a self-signed CA certificate (CA.crt). I would create a
> client (apache.pem) and a server certificate (tomcat.pem). Both these
> certificates would be signed by my CA. I add the client certificate to the apache
> proxy server using SSLProxyMachineCertificateFile. I have configured
> tomcat to refer to the server certificate.
>
> Then I add this CA certificate into the client and server truststore. So,
> during the handshake, the authentication will be successful.
>
> 1. Is this an effective way of implementing authentication with
> certificates? I think the same client certificate can be copied by an
> unknown user and used to send a request to tomcat. Could you please suggest if there
> is a better way of implementing the authentication, if any.
>
> 2. Is it possible to sign a certificate by more than 1 CA?
>
> 3. I have my design like this.
>
> client-------------------------->apache (mod_proxy)----------------->tomcat
>                 https                                 https
> user.crt                        apache.pem                          tomcat.pem
>
> I have configured mod_proxy to forward the actual client
> certificate (user.crt) to tomcat via mod_proxy as below:
>
> SSLProxyMachineCertificateFile apache.pem
> SSLProxyCACertificateFile CA.crt
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
>
> I want to forward the user.crt to tomcat, and in my application the user.crt
> is verified.
>
> But the request.getAttribute("javax.servlet.request.X509Certificate");
> returns null.
>
> I am not getting the user.crt. Could you please give me an idea of how to fetch
> SSL_CLIENT_CERT in my application and parse it.
>
> Thanks in Advance.
>
> Best Regards,
> Mohan
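As an added example (not code from this thread or from Tomcat), a servlet filter that consumes the attribute once SSLValve has rebuilt the forwarded certificate from the SSL_CLIENT_CERT header: an absent certificate (the optional-client-cert case asked about above) is treated as unauthenticated, and a presented user.crt is validated against a truststore holding CA.crt. The class name, the init parameters `truststore` / `truststorePassword` and the `clientDn` attribute are assumptions; the filter also assumes the Tomcat connector only accepts the proxy's own certificate (the two-way SSL described in the thread), so the forwarded header can only originate from apache.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class ForwardedClientCertFilter implements Filter {
    // Attribute SSLValve populates from the ssl_client_cert header set by mod_proxy.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private PKIXParameters pkixParams;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Hypothetical init parameters: a JKS truststore that contains CA.crt.
        try (FileInputStream in = new FileInputStream(cfg.getInitParameter("truststore"))) {
            KeyStore ts = KeyStore.getInstance("JKS");
            ts.load(in, cfg.getInitParameter("truststorePassword").toCharArray());
            pkixParams = new PKIXParameters(ts);      // trust anchors = certs in the truststore
            pkixParams.setRevocationEnabled(false);   // private CA without CRL/OCSP (assumption)
        } catch (Exception e) {
            throw new ServletException("cannot load truststore", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] forwarded = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (forwarded == null || forwarded.length == 0) {
            // Client cert was optional at the proxy and the user presented none.
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            // PKIX validation checks signature by CA.crt and the validity period of user.crt.
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(forwarded));
            CertPathValidator.getInstance("PKIX").validate(path, pkixParams);
        } catch (Exception e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        req.setAttribute("clientDn", forwarded[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```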