DevHeads.net

Mutual authentication between Apache HTTP server and an application server.

Hi,

I'm using Apache HTTP server as a webserver and Websphere application server as an Application server. Apache is using Proxy to redirect requests from Apache to Websphere. On my websphere side security is enabled, and it's looking for mutual authentication. Could you please help me with where I can add my Application server's root certificate on Apache end?

Could you please let me know how can I add websphere certificate in my Apache. I've tried using "SSLProxyMachineCertificateFile" and "SSLProxyMachineCertificatePath" which points to Websphere application server certificate. But it's not working and I'm getting below error.

[Sat Feb 10 19:34:38.426645 2018] [ssl:warn] [pid 60369:tid 140460446177024] AH02268: Proxy client certificate callback: (XXXXX:443) downstream server wanted client certificate but none are configured
[Sat Feb 10 19:34:38.429477 2018] [proxy_http:error] [pid 60369:tid 140460446177024] (103)Software caused connection abort: [client XXXXXXX] AH01102: error reading status line from remote server XXXXXX.
[Sat Feb 10 19:34:38.429523 2018] [proxy:error] [pid 60369:tid 140460446177024] [client XXXXXXXX] AH00898: Error reading from remote server returned by /XXXXXXX

Warm Regards,
Naveen Kumar Reddy N
IBM Middleware WAS-MQ Tower Lead ( WalMart )
Toll Free Number - 866-912-0282(B),855-755-9356(H)
Mail: nknandy@wal-mart.com
SLACK Channel:: middleware_l2
Middleware ServiceNow Service Catalog Task Policy:: https://collaboration.wal-mart.com/display/IPSMW/Service+Now+Service+Task+Catalog+Policy
Middleware ServiceNow Change Control Policy :: https://collaboration.wal-mart.com/display/IPSMW/Change+Control+Policy
Middleware Customer Page:: https://teams.wal-mart.com/sites/Middleware/Customers/Pages/default.aspx

Comments

Re: Mutual authentication between Apache HTTP serv

By Eric Covener at 02/12/2018 - 14:19

On Sun, Feb 11, 2018 at 12:47 PM, Naveen Nandyala - Vendor <

Out of curiosity, why mod_proxy instead of the WebSphere plugin?

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/12/2018 - 14:25

We have a huge environment and we have seen some issues with merging the plugin across multiple WAS cells and clusters, and it's becoming more complicated to merge the plugin. So we are looking for an alternate solution, Apache + Proxy instead of Apache + Plugin.

Warm Regards,
Naveen Kumar Reddy N


Re: Mutual authentication between Apache HTTP serv

By Eric Covener at 02/11/2018 - 13:52

On Sun, Feb 11, 2018 at 12:47 PM, Naveen Nandyala - Vendor <

That's the right way to specify a client certificate. But it shouldn't be
"websphere's certificate" it should be a certificate that identifies your
webserver and is trusted by your application server.

[Sat Feb 10 19:34:38.429477 2018] [proxy_http:error] [pid 60369:tid

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/11/2018 - 14:33

On Apache I’m using 3rd party signed certificate. And I’ve added Apache root certificate to WAS truststore to trust my Apache. Similar way I want to add my WAS certificate to Apache to trust my Application server. On WAS end I’m having a self-signed certificate.

Below two parameters determine my Apache server certificate this contains certificate of my virtual which end user access.

SSLCertificateFile /u/applic/tc/HTTP/config/ssl/virtual.pem
SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/virtual.key

I’m stuck on how I can add my websphere certificate on to Apache truststore.

Earlier I was using IBM HTTP server and Plugin instead of Apache where I’ve kdb file where I used to add Websphere server personal certificate to signer certificates of IHS in kdb file. But in Apache as I use pem and key files I’m unable to find exactly where I can add websphere certificate for mutual authentication.

From Apache documentation I see it doesn’t support encrypted private keys.

Warm Regards,
Naveen Kumar Reddy N

On Sun, Feb 11, 2018 at 12:47 PM, Naveen Nandyala - Vendor <Naveen. ... at walmart dot com<mailto:Naveen. ... at walmart dot com>> wrote:
Hi,

I’m using Apache HTTP server as a webserver and Websphere application server as an Application server. Apache is using Proxy to redirect requests from Apache to Websphere. On my websphere side security is enabled, and it’s looking for mutual authentication. Could you please help me with where I can add my Application server’s root certificate on Apache end?

Could you please let me know how can I add websphere certificate in my Apache. I’ve tried using “SSLProxyMachineCertificateFile” and “SSLProxyMachineCertificatePath” which points to Websphere application server certificate. But it’s not working and I’m getting below error.

That's the right way to specify a client certificate. But it shouldn't be "websphere's certificate" it should be a certificate that identifies your webserver and is trusted by your application server.

[Sat Feb 10 19:34:38.426645 2018] [ssl:warn] [pid 60369:tid 140460446177024] AH02268: Proxy client certificate callback: (XXXXX:443) downstream server wanted client certificate but none are configured

Was SSLProxyMachineCertificateFile set? Did it have a key and a cert in it?

[Sat Feb 10 19:34:38.429477 2018] [proxy_http:error] [pid 60369:tid 140460446177024] (103)Software caused connection abort: [client XXXXXXX] AH01102: error reading status line from remote server XXXXXX.
[Sat Feb 10 19:34:38.429523 2018] [proxy:error] [pid 60369:tid 140460446177024] [client XXXXXXXX] AH00898: Error reading from remote server returned by /XXXXXXX

This is just the abrupt closure of the connection due to WAS not finding a client certificate.

Re: Mutual authentication between Apache HTTP serv

By Eric Covener at 02/11/2018 - 14:38

On Sun, Feb 11, 2018 at 1:33 PM, Naveen Nandyala - Vendor <

You seem to be jumping back and forth between distinctly different
problems. I suggest tackling one problem at a time, e.g. getting the
trust right w/o client authentication.

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/11/2018 - 14:50

Yep, I’m looking for trust between my webserver and Appserver w/o client authentication. I’m not worried about trust between my web browser and webserver as I’m not looking for that now.

Warm Regards,
Naveen Kumar Reddy N

Re: Mutual authentication between Apache HTTP serv

By Eric Covener at 02/11/2018 - 14:53

On Sun, Feb 11, 2018 at 1:50 PM, Naveen Nandyala - Vendor <

That's just
https://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html#sslproxycacertificatefile
pointing to the CA that signed your application server certs.

Emphasis on the "proxy" in these directive names for the backside
connection.

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/11/2018 - 20:30

Thank you Eric,

I’ve added below values and I see below error message in logs.

[Sun Feb 11 18:26:32.055662 2018] [ssl:error] [pid 43131:tid 140388278904576] [remote XXXXX:xxx] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Sun Feb 11 18:26:32.055896 2018] [proxy_http:error] [pid 43131:tid 140388278904576] (103)Software caused connection abort: [client XXXXX:XXX] AH01102: error reading status line from remote server XXXX:xxx
[Sun Feb 11 18:26:32.055921 2018] [proxy:error] [pid 43131:tid 140388278904576] [client 10.246.8.176:27615] AH00898: Error reading from remote server returned by /xxxx

Values Added ::

SSLProxyEngine on
SSLProxyCACertificateFile /tmp/was.crt
SSLProxyVerify require
SSLProxyVerifyDepth 2

/tmp/was.crt was created as below.

Extracted root certificate from WAS.
Converted .cer file to crt using below command.

openssl x509 -inform PEM -in was.cer -out was.crt

Warm Regards,
Naveen Kumar Reddy N

Re: Mutual authentication between Apache HTTP serv

By Yann Ylavic at 02/12/2018 - 04:31

Hi,

On Mon, Feb 12, 2018 at 1:30 AM, Naveen Nandyala - Vendor
<Naveen. ... at walmart dot com> wrote:
Isn't "was.cer" rather in DER format? The above command is a no-op,
and you probably want PEM for the certificate used on the proxy, so
maybe :
$ openssl x509 -inform DER -in was.cer -outform PEM -out was.crt
?

Regards,
Yann.

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/12/2018 - 09:25

Hi Yann,

Earlier I've downloaded Websphere Server Root certificate in Base-64 format. So I was using inform as pem as DER is not working.

Now I've downloaded in DER format and ran below command that you gave. After restarting my apache and when I try to access url I see below error.

[Mon Feb 12 07:22:12.631833 2018] [ssl:warn] [pid 21729:tid 139998669920000] AH02268: Proxy client certificate callback: (Virtual:443) downstream server wanted client certificate but none are configured
[Mon Feb 12 07:22:12.644376 2018] [proxy_http:error] [pid 21729:tid 139998669920000] (103)Software caused connection abort: [client 10.246.8.176:53774] AH01102: error reading status line from remote server WASSERVER:PORT
[Mon Feb 12 07:22:12.644411 2018] [proxy:error] [pid 21729:tid 139998669920000] [client 10.246.8.176:53774] AH00898: Error reading from remote server returned by /URI

Was wondering if Apache (Client) doesn't connect to Websphere (Server) if Websphere uses a self-signed certificate?

Warm Regards, 
Naveen Kumar Reddy N


Re: Mutual authentication between Apache HTTP serv

By Yann Ylavic at 02/12/2018 - 11:53

Hi,

On Mon, Feb 12, 2018 at 2:25 PM, Naveen Nandyala - Vendor
This is a different problem, here the Websphere Server is asking for a
client certificate (the proxy's) signed by one of its configured CAs
for client authentication (i.e. in SSLCACertificateFile/Path or
SSLCADNRequestFile/Path).
Since no client certificate corresponds on the proxy side (i.e. in
SSLProxyMachineCertificateFile/Path), this log is issued.

As Eric said, you should take each issue one by one, above is about
the Websphere authenticating the proxy, you should first try to make
the proxy authenticate the Websphere (see below).

The Apache proxy will connect, but you can't ask it to authenticate
the WebSphere server in this case, there is no CA to verify the
WebSphere certificate against.
You previously said "was.crt" was the root certificate (meaning the
one which signed the Websphere server certificate), if it's not the
case it can't help in the proxy authenticating the server.

Regards,
Yann.

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/12/2018 - 12:16

Hi Yann,

Based on certificate I'm using I'm getting different error.

Below is my vhost entry.

<VirtualHost *>
ServerName Virtual:443
SetEnv vhostname virtual
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; HttpOnly;secure" env=BALANCER_ROUTE_CHANGED
Include <PROXY FILE>
Include /u/applic/tc/HTTP/config/conf/secure.conf
SSLCertificateFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.pem
SSLCertificateKeyFile /u/applic/tc/HTTP/config/ssl/Apachecertificate.key
SSLProxyEngine on
SSLProxyCACertificateFile /tmp/was.crt
SSLProxyVerify require
SSLProxyVerifyDepth 2
</VirtualHost>

From the beginning all I was looking for is mutual authentication between Apache and Websphere application server.
I've added Apachecertificate Root certificate in WAS which is 3rd party signed.
I'm getting issues from beginning while adding WAS certificate on Apache.
As WAS is self-signed certificate I've exported WAS certificate in der format and converted into pem and placed it in /tmp/was.crt, I see below error in logs. And in access logs I see 502 proxy error.
Seems like it's failing to validate self-signed certificate.

[Mon Feb 12 10:01:11.595469 2018] [ssl:error] [pid 33084:tid 140082866366208] [remote WASSErver:PORT] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Mon Feb 12 10:01:11.596379 2018] [proxy_http:error] [pid 33084:tid 140082866366208] (103)Software caused connection abort: [client XXXX:xxxx] AH01102: error reading status line from remote server WASSErver:PORT
[Mon Feb 12 10:01:11.596418 2018] [proxy:error] [pid 33084:tid 140082866366208] [client XXXX;xxx] AH00898: Error reading from remote server returned by /XXXX

Warm Regards, 
Naveen Kumar Reddy N

Re: Mutual authentication between Apache HTTP serv

By Yann Ylavic at 02/12/2018 - 13:36

On Mon, Feb 12, 2018 at 5:16 PM, Naveen Nandyala - Vendor
<Naveen. ... at walmart dot com> wrote:
For now there is no SSLProxyMachineCertificateFile in your
configuration (because we asked you to care only about the proxy
authenticating the server), so in the meantime you should also disable
SSLVerifyClient on the Websphere side (otherwise it will ask for a
client certificate which the proxy doesn't provide yet).

I tried the above with a self signed cert for
SSLProxyCACertificateFile and it worked.

Once it also works in your case, you can then configure the proxy to
send its certificate+key when requested to:
- SSLProxyMachineCertificateFile /path/to/proxy.crt+key

And re-enable client authentication on the websphere:
- SSLVerifyClient on
- SSLCACertificateFile /path/to/proxy.ca.crt

Regards,
Yann.

Re: Mutual authentication between Apache HTTP serv

By Yann Ylavic at 02/12/2018 - 13:45

On Mon, Feb 12, 2018 at 6:36 PM, Yann Ylavic <ylavic. ... at gmail dot com> wrote:
Obviously the proxy doesn't send its key, here "proxy.crt+key" means
both should be concatenated in the same file for the proxy to load
them.

While here "proxy.ca.crt" means the concatenation of "proxy.crt" and
the CA which signed it.

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/12/2018 - 14:38

Thanks Yann,

From this I could understand below. Could you please confirm if my understanding is correct?

When using IHS + Plugin + WAS.

Browser --> IHS --> Plugin --> WAS

We used to enable mutual auth between IHS and Plugin by exchanging their keys, Mutual auth between Plugin and WAS by exchanging their keys.
If we want to enable mutual auth between browser and IHS we added " SSLClientAuth = required" in conf file and added client certificates in IHS kdb.

When using Apache + Proxy + WAS

Browser --> Apache --> Proxy --> WAS

I need to request a certificate for Apache and pass that using SSLCertificateFile and SSLCertificateKeyFile.
I need to request a certificate for Proxy and include both key and CA in single file and add it in SSLProxyMachineCertificateFile.
Then add Proxy certificate CA to WAS truststore and enable SSLClientAuth=required on WAS end?

In this way I can enable mutual auth between Apache - Proxy.
And mutual Auth between Proxy - WAS?

After I disabled client auth required on WAS end I'm able to make a call between Apache and WAS. Now I need to request a new certificate for proxy and point it to SSLProxyMachineCertificateFile?
Please correct me if I'm doing something wrong.

Warm Regards, 
Naveen Kumar Reddy N

Re: Mutual authentication between Apache HTTP serv

By Yann Ylavic at 02/12/2018 - 16:43

On Mon, Feb 12, 2018 at 7:38 PM, Naveen Nandyala - Vendor
On the Proxy side, you also need to indicate which CA signed the WAS
certificate, so that it can be verified (this is how the Proxy
authenticates the WAS). Since the WAS certificate is self-signed, it's
also the CA so simply use it for SSLProxyCACertificateFile.

OK, it's only missing the Proxy authentication now.

Yes, generate a new certificate (and CA eventually), and use that per above.

Regards,
Yann.
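
The file checks this thread works through, as an added shell example that is not code from any of the posters: detect whether an exported certificate is PEM or DER, confirm that a self-signed backend certificate verifies against itself (so the same file can serve as SSLProxyCACertificateFile), and confirm that a candidate for SSLProxyMachineCertificateFile holds a certificate together with its matching, unencrypted key. The was.* and proxy.* file names and the example subjects are placeholders, and all key material is generated on the spot.

```shell
#!/bin/sh
# Added example. Every certificate here is throwaway test material; the
# was.* and proxy.* names are placeholders, not files from the thread.

# Report PEM or DER by content instead of trusting a .cer/.crt suffix.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Write a PEM copy of a certificate, converting only when the input is DER.
to_pem() {   # to_pem IN OUT
    case "$(cert_encoding "$1")" in
        PEM) openssl x509 -inform PEM -in "$1" -outform PEM -out "$2" ;;
        DER) openssl x509 -inform DER -in "$1" -outform PEM -out "$2" ;;
        *)   return 1 ;;
    esac
}

# True when CERT verifies against CAFILE. A self-signed certificate is its
# own CA, so the same file can be passed for both arguments.
trusted_by() {   # trusted_by CAFILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Concatenate certificate and key into the one file the proxy loads.
make_machine_cert() {   # make_machine_cert CERT KEY OUT
    cat "$1" "$2" > "$3" && chmod 600 "$3"
}

# Check such a file: certificate present, key present and unencrypted,
# and the key belonging to that certificate. Prints "ok" or the reason.
check_machine_cert() {   # check_machine_cert FILE
    if grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo "encrypted key"; return 1
    fi
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo "no certificate"; return 1; }
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) ||
        { echo "no private key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate"; return 1; }
    echo ok
}

# Generate self-signed pairs standing in for the WebSphere certificate
# (also exported as DER in was.cer) and the proxy's client certificate.
make_demo_material() {   # make_demo_material DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=was.example" \
        -keyout "$1/was.key" -out "$1/was.pem" 2>/dev/null &&
    openssl x509 -in "$1/was.pem" -outform DER -out "$1/was.cer" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=proxy.example" \
        -keyout "$1/proxy.key" -out "$1/proxy.crt" 2>/dev/null
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_demo_material "$d" || return 1
    echo "was.cer encoding: $(cert_encoding "$d/was.cer")"
    to_pem "$d/was.cer" "$d/was.crt"
    trusted_by "$d/was.crt" "$d/was.crt" &&
        echo "was.crt verifies against itself"
    trusted_by "$d/proxy.crt" "$d/was.crt" ||
        echo "was.crt is not trusted by an unrelated CA file"
    make_machine_cert "$d/proxy.crt" "$d/proxy.key" "$d/proxy.crt+key"
    echo "proxy.crt+key: $(check_machine_cert "$d/proxy.crt+key")"
    # A bare server certificate has no key, so it cannot act as client identity.
    echo "was.crt as machine cert: $(check_machine_cert "$d/was.crt")"
    rm -rf "$d"
}

# Run "sh thisfile demo" to see the checks on freshly generated material.
if [ "${1:-}" = "demo" ]; then run_demo; fi
```
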

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/16/2018 - 19:35

Thank you all,

I was able to do a mutual authentication between Apache and WAS and I was able to use Self signed certificate on Proxy end.

I'm having same virtual used for 3 applications. All three of these applications are called using individual proxy files. Can I restrict mutual authentication to only one application instead of all 3 apps configured under this virtual?

Out of three apps only one needs mutual authentication; the other two don't require it. By enabling this the other two apps are failing looking for certificate.

Warm Regards, 
Naveen Kumar Reddy N

Mutual authentication between Apache HTTP server a

By Naveen Nandyala... at 02/12/2018 - 16:50

Thanks Yann,

I tried this and it works. I'm using 3rd party signed certificate on Proxy end. I'll try with self-signed certificate for proxy and will check the same.

Warm Regards, 
Naveen Kumar Reddy N