
Configuring two way SSL between Client and Weblogic server with Apache proxying the request.

Thursday, July 25, 2013

Configure Apache for SSL
Create the certificates using openssl (present in apache_home\bin) using the below steps:
openssl genrsa -des3 -out server.key 1024
openssl req -config ..\conf\openssl.cnf -new -key server.key -out localhost
openssl x509 -req -days 730 -in localhost -signkey server.key -out server.crt
Add the following in the httpd.conf file
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "C:\Program Files\Apache Group\Apache2\conf\server.crt"
SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\conf\server.key"
SSLCACertificateFile "C:\Documents and Settings\Administrator\Desktop\cert\IntermediateCA.cer"
#SSLLog "C:\Program Files\Apache Group\Apache2\conf\ssl.log"
#SSLLogLevel debug
</VirtualHost>
Configure SSL between Apache and Weblogic Server
Add the following in the Location Directive
SecureProxy ON
TrustedCAFile C:\bea101\wlserver_10.0\server\lib\CertGenCA.pem
RequireSSLHostMatch false
Configure Apache to Request a Client Certificate
Add the following in the Location Directive
SSLVerifyClient optional_no_ca
SSLOptions +ExportCertData
Configure Weblogic Server for 2-way SSL
mydomain > Servers > myserver > Keystores & SSL > Advanced Options
Hostname Verification: None
Two Way Client Cert Behavior: Client Certs Requested but not enforced
Apache_SSL > Domain Wide Security Settings > Realms > myrealm > Authentication Providers > DefaultIdentityAsserter
Trusted Client Principals: provide the CN of the client certificate
Types: X509
Details:
Use Default User Name Mapper: Checked
Default User Name Mapper Attribute Type: CN
Base64Decoding Required: Checked
Go to the security realm and create a user with the username set to the CN of the certificate.
Add the following attribute to the Server element in config.xml
<Server ClientCertProxyEnabled="true"
Configure the Web Application
The Web Application should require client cert authentication.
Add the following in the web.xml
<context-param>
<param-name>weblogic.httpd.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>
Add the following in the weblogic.xml (no surrounding whitespace, since it becomes part of the principal name)
<principal-name>CN of the certificate</principal-name>
