-
1. Re: JB farm and Client Cert auth
jfclere Dec 17, 2013 6:58 AM (in response to jb69)You need to use the SSLValve as a global valve. See
-
2. Re: JB farm and Client Cert auth
jb69 Dec 8, 2013 7:45 AM (in response to jfclere)I'm not sure about the apache load balancing configuration. Should I use mod_cluster or mod_proxy? Should I use AJP or HTTP transport? Could you provide more details on the apache configuration, proxy + SSL?
-
3. Re: JB farm and Client Cert auth
jfclere Dec 9, 2013 3:48 AM (in response to jb69)mod_proxy or mod_cluster:
1 - static configuration mod_proxy
2 - dynamic configuration.
AJP or HTTP
Here it is hard to decide: if you don't need to encrypt the data between httpd and AS, use AJP; otherwise use HTTP.
SSL proxying is described in the mod_ssl httpd documentation. A minimal configuration can be found at https://community.jboss.org/wiki/EncryptHttpdTC
-
4. Re: JB farm and Client Cert auth
jb69 Dec 9, 2013 7:23 PM (in response to jfclere)I tried it, but without success. I have found something: http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
I'm lost as to what I should do :-(
-
5. Re: JB farm and Client Cert auth
jfclere Dec 10, 2013 2:43 AM (in response to jb69)The first thing you need to do is to set up mod_ssl correctly and get httpd to ask for the client certificate (you need to import the client certificate in the browser) and configure mod_ssl to accept the certificate. Next you need to forward that information to the JB farm (and for that AJP is easier to configure).
You need to understand that using a client certificate requires getting the certificate request signed by a certificate authority (openssl has a small utility for that).
According to my notes (on fedora):
+++
1 - Create a new CA:
/etc/pki/tls/misc/CA -newca
(CA in /etc/pki/CA).
2 - Create a new request:
/etc/pki/tls/misc/CA -newreq
(that creates a file named newreq.pem)
3 - Separate the request and the private key:
Put the key in key.pem and the request in newreq.pem
4 - Sign the request:
/etc/pki/tls/misc/CA -signreq
(that creates a file named newcert.pem)
5 - openssl pkcs12 -export -inkey newkey.pem -in newcert.pem -out test.p12
test.p12 can be imported in the browser.
+++
Then the cacert.pem needs to be added to the directory specified by SSLCACertificatePath (or use cacert.pem for SSLCACertificateFile).
-
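The CA and client-certificate procedure from the post above, as an added example that is not part of the thread and not JBoss or Red Hat code: the same five steps written with plain openssl commands instead of the Fedora /etc/pki/tls/misc/CA wrapper, so it runs on any machine with openssl, followed by the chain check httpd performs against the CA file you point SSLCACertificateFile at. The subject names, file names, work directory and PKCS#12 export password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a test CA, issues a
# client certificate, exports it as PKCS#12 for the browser, and verifies
# that the issued certificate chains to the CA. File names, subjects, the
# work directory and the export password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory (assumed; override with WORK=...)
P12_PASS="${P12_PASS:-changeit}" # password the browser will ask for on import (assumed)

# Step 1: create a new CA (self-signed root; keep cakey.pem offline in real use)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Test Client CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Steps 2 and 3: create the client key and the request directly as two files,
# so there is nothing to separate afterwards. $1 is the CN the user will get.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

# Step 4: sign the request with the CA key; -CAcreateserial writes cacert.srl
sign_request() {
    openssl x509 -req -days 365 -in "$WORK/newreq.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/newcert.pem" 2>/dev/null
}

# Step 5: bundle private key + certificate into a PKCS#12 file for the browser
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/newkey.pem" -in "$WORK/newcert.pem" \
        -passout "pass:$P12_PASS" -out "$WORK/test.p12" 2>/dev/null
}

# The check mod_ssl makes with SSLVerifyClient require + SSLCACertificateFile:
# does the presented client certificate chain to the trusted CA?
verify_client_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}

# CN of the issued certificate; this is what httpd exposes as SSL_CLIENT_S_DN_CN
# and what ends up as the principal on the JBoss side.
client_cn() {
    openssl x509 -in "$WORK/newcert.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//' | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Run the whole procedure for one user and report whether the chain validates
run_all() {
    make_ca && make_request "$1" && sign_request && export_p12 && verify_client_cert
}
```

Run it as `run_all alice` (or `WORK=/tmp/pki sh this.sh` after adding a call at the bottom); `$WORK/test.p12` is the file to import in the browser and `$WORK/cacert.pem` is the file for SSLCACertificateFile. If `verify_client_cert` fails here, mod_ssl will reject the same certificate, so this is the check to run before touching the httpd or AJP configuration.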