DevHeads.net

Mutual authentication between Apache HTTP server and an application server.

Hi,

I'm using Apache HTTP server as a webserver and Websphere application server as an Application server. Apache is using Proxy to redirect requests from Apache to Websphere. On my websphere side security is enabled, and it's looking for mutual authentication. Could you please help me with where I can add my Application server's root certificate on the Apache end?

Could you please let me know how I can add the websphere certificate in my Apache. I've tried using "SSLProxyMachineCertificateFile" and "SSLProxyMachineCertificatePath", which point to the Websphere application server certificate. But it's not working and I'm getting the below error.

[Sat Feb 10 19:34:38.426645 2018] [ssl:warn] [pid 60369:tid 140460446177024] AH02268: Proxy client certificate callback: (XXXXX:443) downstream server wanted client certificate but none are configured
[Sat Feb 10 19:34:38.429477 2018] [proxy_http:error] [pid 60369:tid 140460446177024] (103)Software caused connection abort: [client XXXXXXX] AH01102: error reading status line from remote server XXXXXX.
[Sat Feb 10 19:34:38.429523 2018] [proxy:error] [pid 60369:tid 140460446177024] [client XXXXXXXX] AH00898: Error reading from remote server returned by /XXXXXXX

Warm Regards,
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
Mail: nknandy@wal-mart.com
SLACK Channel:: middleware_l2

Comments

Re: Mutual authentication between Apache HTTP serv

By Eric Covener at 02/11/2018 - 12:52

On Sun, Feb 11, 2018 at 12:47 PM, Naveen Nandyala - Vendor <

That's the right way to specify a client certificate. But it shouldn't be
"websphere's certificate"; it should be a certificate that identifies your
webserver and is trusted by your application server.

[Sat Feb 10 19:34:38.429477 2018] [proxy_http:error] [pid 60369:tid

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/11/2018 - 13:33

On Apache I’m using a 3rd party signed certificate. And I’ve added the Apache root certificate to the WAS truststore to trust my Apache. In a similar way I want to add my WAS certificate to Apache to trust my Application server. On the WAS end I have a self-signed certificate.

The below two parameters determine my Apache server certificate; this contains the certificate of my virtual which end users access.

SSLCertificateFile /u/applic/tc/HTTP/config/ssl/virtual.pem
SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/virtual.key

I’m stuck on how I can add my websphere certificate to the Apache truststore.

Earlier I was using IBM HTTP server and Plugin instead of Apache, where I had a kdb file and used to add the Websphere server personal certificate to the signer certificates of IHS in the kdb file. But in Apache, as I use pem and key files, I’m unable to find exactly where I can add the websphere certificate for mutual authentication.

From Apache documentation I see it doesn’t support encrypted private keys.

Warm Regards,
Naveen Kumar Reddy N

On Sun, Feb 11, 2018 at 12:47 PM, Naveen Nandyala - Vendor <Naveen. ... at walmart dot com> wrote:
Hi,

I’m using Apache HTTP server as a webserver and Websphere application server as an Application server. Apache is using Proxy to redirect requests from Apache to Websphere. On my websphere side security is enabled, and it’s looking for mutual authentication. Could you please help me with where I can add my Application server’s root certificate on the Apache end?

Could you please let me know how I can add the websphere certificate in my Apache. I’ve tried using “SSLProxyMachineCertificateFile” and “SSLProxyMachineCertificatePath”, which point to the Websphere application server certificate. But it’s not working and I’m getting the below error.

That's the right way to specify a client certificate. But it shouldn't be "websphere's certificate"; it should be a certificate that identifies your webserver and is trusted by your application server.

[Sat Feb 10 19:34:38.426645 2018] [ssl:warn] [pid 60369:tid 140460446177024] AH02268: Proxy client certificate callback: (XXXXX:443) downstream server wanted client certificate but none are configured

Was SSLProxyMachineCertificateFile set? Did it have a key and a cert in it?

[Sat Feb 10 19:34:38.429477 2018] [proxy_http:error] [pid 60369:tid 140460446177024] (103)Software caused connection abort: [client XXXXXXX] AH01102: error reading status line from remote server XXXXXX.
[Sat Feb 10 19:34:38.429523 2018] [proxy:error] [pid 60369:tid 140460446177024] [client XXXXXXXX] AH00898: Error reading from remote server returned by /XXXXXXX

This is just the abrupt closure of the connection due to WAS not finding a client certificate.

Re: Mutual authentication between Apache HTTP serv

By Eric Covener at 02/11/2018 - 13:38

On Sun, Feb 11, 2018 at 1:33 PM, Naveen Nandyala - Vendor <

You seem to be jumping back and forth between distinctly different
problems. I suggest tackling one problem at a time, e.g. getting the
trust right w/o client authentication.
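
The two problems separated in this thread, laid out as one mod_ssl proxy configuration. This is an added example, not part of any poster's message: the /path/to/... file names, the backend host name, port and URL path are placeholders, and only the SSLCertificateFile and SSLCertificateKeyFile paths come from the thread.

```apache
# Added example; placeholder paths and backend address are assumptions.
<VirtualHost *:443>
    SSLEngine on

    # Front side: the certificate end users see (paths from the thread).
    # These two directives play no part in the Apache -> WAS connection.
    SSLCertificateFile    /u/applic/tc/HTTP/config/ssl/virtual.pem
    SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/virtual.key

    # Back side: allow TLS on proxied connections.
    SSLProxyEngine on

    # Problem 1: Apache trusting WAS.
    # PEM file holding the certificate(s) Apache should accept as issuer
    # of the WAS server certificate. For a self-signed WAS certificate
    # this is the exported WAS certificate itself (public part only).
    # This is the counterpart of the kdb signer entry used with IHS.
    SSLProxyCACertificateFile /path/to/was-signer.pem
    SSLProxyVerify require
    # Requires the name in the ProxyPass URL to match the WAS certificate.
    SSLProxyCheckPeerName on

    # Problem 2: WAS trusting Apache (client authentication).
    # One PEM file containing a certificate that identifies this web
    # server followed by its private key, with the key unencrypted.
    # It is not the WAS certificate. The issuer of this certificate
    # must be in the WAS truststore.
    SSLProxyMachineCertificateFile /path/to/apache-client-cert-and-key.pem

    ProxyPass        /app https://was.example.internal:9443/app
    ProxyPassReverse /app https://was.example.internal:9443/app
</VirtualHost>
```

Following the advice above, the trust directives can be tested first with client authentication switched off on the WAS side, adding SSLProxyMachineCertificateFile only once the proxied TLS connection verifies cleanly.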