Hi All,

Good Morning.

I want to implement 2-way SSL authentication between an Apache proxy and
Tomcat. I am using mod_proxy to integrate Apache and Tomcat. I have some
doubts about the implementation. I have done some initial analysis on this.

I would create a self-signed CA certificate (CA.crt). I would create a
client certificate (apache.pem) and a server certificate (tomcat.pem). Both
these certificates would be signed by my CA. I add the client certificate to
the Apache proxy server using SSLProxyMachineCertificateFile. I have
configured Tomcat to refer to the server certificate.

Then I add this CA certificate into the client and server truststores. So,
during the handshake, the authentication will be successful.

1. Is this an effective way of implementing authentication with
certificates? I think the same client certificate can be copied by an
unknown user and used to send requests to Tomcat. Could you please suggest
if there is a better way of implementing the authentication, if any.

2. Is it possible to sign a certificate by more than 1 CA?

3. I have my design like this:

    client ----https----> apache (mod_proxy) ----https----> tomcat
    user.crt              apache.pem                        tomcat.pem

I have configured mod_proxy to forward the actual client certificate
(user.crt) to Tomcat via mod_proxy as below:

SSLProxyMachineCertificateFile apache.pem

SSLProxyCACertificateFile CA.crt

RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"


I want to forward user.crt to Tomcat, and in my application user.crt is
verified.

But request.getAttribute("javax.servlet.request.X509Certificate")
returns null.

I am not getting user.crt. Could you please give me an idea how to
fetch SSL_CLIENT_CERT in my application and parse it?


Thanks in Advance.


Best Regards,

Mohan
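Added example (not part of Mohan's post, and not code from the Apache or Tomcat projects): the reason the servlet attribute is null is that Tomcat's own TLS peer is Apache, so javax.servlet.request.X509Certificate can only ever hold apache.pem's certificate (if Tomcat asks for client auth at all); user.crt reaches Tomcat solely as the bytes of the SSL_CLIENT_CERT header set above. The class below reads that header, repairs the PEM (header values cannot carry line breaks, so mod_ssl's PEM normally arrives with its newlines turned into spaces), parses it with java.security.cert.CertificateFactory, and then checks validity and the signature against the CA certificate, because a forwarded header is just data and must be verified in the application. The class name, the caCert parameter and the "(null)" check (mod_headers substitutes "(null)" when the variable is unset) are this example's assumptions. Note that mod_ssl only populates SSL_CLIENT_CERT when SSLOptions +ExportCertData is enabled, and that the header is trustworthy only because Tomcat accepts connections exclusively from the proxy (which the mutual TLS between apache.pem and tomcat.pem enforces) and RequestHeader set overwrites any copy a browser might send.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;

/** Reads the end-user certificate that Apache forwarded in the SSL_CLIENT_CERT header (example class, hypothetical name). */
public final class ForwardedClientCert {

    private static final String HEADER = "SSL_CLIENT_CERT";   // same name as in the RequestHeader directive
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    private ForwardedClientCert() {}

    /**
     * Rebuilds a proper PEM block from the header value: strips the markers and all
     * whitespace (the original newlines have usually become spaces in transit) and
     * re-wraps the Base64 body into 64-character lines.
     */
    static String normalizePem(String headerValue) {
        String text = headerValue.trim();
        if (!text.startsWith(BEGIN) || !text.endsWith(END)) {
            throw new IllegalArgumentException("header does not contain a PEM certificate");
        }
        String b64 = text.substring(BEGIN.length(), text.length() - END.length())
                         .replaceAll("\\s+", "");
        StringBuilder pem = new StringBuilder(BEGIN).append('\n');
        for (int i = 0; i < b64.length(); i += 64) {
            pem.append(b64, i, Math.min(i + 64, b64.length())).append('\n');
        }
        return pem.append(END).append('\n').toString();
    }

    /** Parses the forwarded PEM text into an X509Certificate object. */
    static X509Certificate parse(String headerValue) throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        byte[] pem = normalizePem(headerValue).getBytes(StandardCharsets.US_ASCII);
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(pem));
    }

    /**
     * Returns the verified end-user certificate for this request, or null when Apache
     * forwarded nothing (no client certificate was presented to the proxy).
     * caCert is the CA.crt certificate, loaded by the caller (for example from the truststore).
     * Throws if the certificate is outside its validity period or was not signed by that CA.
     */
    public static X509Certificate fromRequest(HttpServletRequest request, X509Certificate caCert)
            throws GeneralSecurityException {
        String value = request.getHeader(HEADER);
        if (value == null || value.trim().isEmpty() || "(null)".equals(value.trim())) {
            return null;
        }
        X509Certificate userCert = parse(value);
        userCert.checkValidity();                  // rejects expired or not-yet-valid certificates
        userCert.verify(caCert.getPublicKey());    // rejects certificates not issued by our CA
        return userCert;
    }
}
```

A servlet would call ForwardedClientCert.fromRequest(request, caCert) and treat a null result as "no client certificate" and any GeneralSecurityException as an authentication failure; the subject DN of the returned certificate is then the identity to act on. Recent Tomcat versions also ship org.apache.catalina.valves.SSLValve, which reads an ssl_client_cert header and populates javax.servlet.request.X509Certificate itself, but it does no CA verification, so the checkValidity/verify step above is still needed either way.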
