1 Reply Latest reply on Aug 18, 2004 2:46 PM by Aleksandar Milanovic

    Clusters, authenticating proxy and dynamic certificate gener

    Aleksandar Milanovic Newbie

      Hello,

      I am building an application that will provide support services to client applications running on the users' machines. Communication between clients and the server is XML-RPC based and must be secure, i.e. use SSL for both client and server authentication. The server will have to be able to generate certificates for clients (it will be a certificate authority). The server will eventually work as a cluster of JBosses, but for now only one JBoss is used.

      Question:
      I've read that it is advisable to perform the SSL authentication in a separate web server (e.g. Apache) that forwards requests to the cluster. This makes sense to me, especially since I wouldn't want to replicate the SSL configuration in each app server in the cluster. However, the server has to be able to dynamically generate certificates and be able to accept them immediatelly in a subsequent client request. This means that the intermediary web server performing SSL authentication of clients must be dynamically supplied with a new client certificate that needs to be honoured. It doesn't help that the business logic performing the generation of client certificates will reside in app servers, i.e. not on the intermediary web server. Has anyone encountered this problem? How can I create this distributed architecture with the least pain, if at all?

      Thanks,
      Alex

        • 1. Re: Clusters, authenticating proxy and dynamic certificate g
          Aleksandar Milanovic Newbie

          Hello again,

          In my original posting I overlooked the fact that the server doesn't need to remember the newly generated certificate for the client. It just needs to be able to authenticate the CA for this certificate, which is the server itself.

          Knowing this simplifies everything. The authenticating proxy as well as all clients need to be equipped with the certificate of my CA to authenticate each other. The JBoss clusters don't have to know about this at all, as the requests that they accept are already "de-SSL'ed".

          Cheers,
          Alex