mutual authentication

 

I have a couple of java servlets which need to be secured with Mutual authentication with X509 certificates. I used the information from here to implement mutual authentication and it works fine on my machine.

Now our integration environment has BigIP for load balancing traffic to weblogic. The SSL is terminated at BigIP and it forwards the https request to weblogic using an internal certificate instead of the client's certificate it got with the original https request. So mutual auth is not working.

The BigIP team says they can put the client's certificate in the HTTP header (SSL_CLIENT_CERT), and I am not sure how to configure weblogic to read client's cert from http header.

Do I need to write a custom Identity assertion provider and configure it in weblogic?? Is this the best approach or do I have any other option?

Any help on this is greatly appreciated!!

It is necessary to configure the identity asserter if you are using two way ssl to verify the client identity

and to use it to restrict access to application.If you are using two way ssl with signed CA(Verisign etc.) it

will be only used for trust -not for authentication or any type of application access restriction.

Check below link for detail clarification on above

http://www.oracle.com/technetwork/articles/damo-howto-091164.html.

You can follow your steps for configuring the X509 Certificate Authentication for weblogic server.

Along with above you need to follow below steps

1) Make sure that BIG IP handles client certitifcate and client key which can be configured in the HTTPS monitor in BiG IP.

2) Configure the BIG-IP to insert a header named WL-Proxy-SSL: with a value of true into each request.

3) Enable weblogic proxy plugin tab in

AdminConsole —> Servers —-> [Your_Server_Name] —> Configuration [Tab] —> General [Sub-Tab]

  • Click on “Advanced” Link
  • Check the CheckBox in this Page “WebLogic Plug-In Enabled”

    • Above changes will help in undersatnding the weblogic that request coming from BIG IP was initially the SSL enabled.

    Check below link for configuring WL-Proxy-SSL with BIGIP

    https://support.f5.com/kb/en-us/solutions/public/4000/400/sol4443.html?sr=10058313

    链接地址: http://www.djcxy.com/p/21818.html

    上一篇: 客户端证书认证

    下一篇: 相互认证