-----begin pgp signed message-----
hash: sha1
pass ssl certificate to weblogic cluster through apache proxy under
ssl
this paper will introduce how to pass certficate to weblogic cluster
through apache proxy under ssl.
before you read this paper, please read another blog of mine( but not
necessary).
<
>
http://www.blogjava.net/security/archive/2007/01/07/weblogicclusterwithapacheproxyunderssl.html
as fas as we know, apache proxy wouldn't support two way ssl with
weblogic managed server, so
we should let weblogic managed server work under one way ssl
mode(see <> for
more information).
ie client -> apache proxy -> weblogic cluster(managed server)
below are the configuration:
[httpd.conf]
################################
# added to httpd.conf by david.turing
################################
loadmodule weblogic_module modules/mod_wl_20.so
loadmodule ssl_module modules/mod_ssl.so
include conf/ssl.conf
sethandler weblogic-handler
sethandler weblogic-handler
weblogiccluster sourcesite:8002,destsite:8002,destsite:8004
secureproxy on
trustedcafile c:\certgen\cs\cs.pem
requiresslhostmatch false
debug all
wllogfile c:\apache\logs\wls_proxy_server.txt
[ssl.conf]
################################
# added to ssl.conf by david.turing
################################
documentroot "c:/apache/htdocs"
servername adserver:8002
serveradmin openssl@163.com
errorlog logs/error_log
transferlog logs/access_log
sslengine on
sslciphersuite
all:!adh:!export56:rc4 rsa: high: medium: low: sslv2: exp: enull
sslcertificatefile conf/ssl.key/adserver_ug.crt
sslcertificatekeyfile conf/ssl.key/adserver_ug_key.pem
sslcertificatechainfile conf/ssl.key/adserver_ug_chain.crt
sslcacertificatefile conf/ssl.key/adserver_ug_chain.crt
ssloptions exportcertdata
sslverifyclient require
sslverifydepth 10
ssloptions stdenvvars
ssloptions stdenvvars
setenvif user-agent ".*msie.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
customlog logs/ssl_request_log \
"%t %h %{ssl_protocol}x %{ssl_cipher}x \"%r\" %b"
let me introduce some thing about apache ssl:
1) sslcacertificatefile is the certificate that will present to
client before the ssl context is build.
2) ie client will then analyse that certificate and know which
identity should send to apache proxy
for authentication( make sure that client had been import the correct
pfx/p12 into ie)
3) if client have more one certificate identity, then ie will pop up
a small windows to let us choose
which certificate(we already had a related private key for this
certificate) we want to use for ssl
- -handshake.
4) then if we choose to use one, we pass the selected certificate to
apache proxy server.
note:
if you turn on the log for weblogic apache plugin, then you will get
these:
- ------------------------------------------------------------
sat jan 13 17:17:16 2007 hdrs to
wls:[referer]=[http://adserver/ssl/]
sat jan 13 17:17:16 2007 hdrs to
wls:[accept-language]=[zh-cn,en-us;q=0.5]
sat jan 13 17:17:16 2007 hdrs to wls:[accept-encoding]=[gzip,
deflate]
sat jan 13 17:17:16 2007 hdrs to wls:[user-agent]=[mozilla/4.0
(compatible; msie 6.0; windows nt 5.1; sv1; .net clr 1.1.4322;
infopath.1; .net clr 2.0.50727)]
sat jan 13 17:17:16 2007 hdrs to wls:[host]=[adserver:8002]
sat jan 13 17:17:16 2007 hdrs to
wls:[cookie]=[jsessionid=fyj2gg6tv2qyn23c6vyl1gxwlsyt0xnpqxwhvtvmm5bsylwcvdd4!-527265336]
sat jan 13 17:17:16 2007 hdrs to wls:[connection]=[keep-alive]
sat jan 13 17:17:16 2007 hdrs to wls:[wl-proxy-ssl]=[true]
sat jan 13 17:17:16 2007 hdrs to
wls:[wl-proxy-client-cert]=[miic3jccacagawibagibczanbgkqhkig9w0baqqfadbxmqswcqydvqqdewjduze
lmakga1uebhmcq04xczajbgnvbactakdamqswcqydvqqiewjhrdelmakga1uechmcq1mxdzanbgnvbastbk9ou0lurtedmbsgcsqgs
ib3dqejaryozgh1yw5nqgjlys5jb20whhcnmdcwmtexmdc1mzq0whcnmdkwmtewmdc1mzq0wjb4mriweaydvqqdewlmsvhjqu9nsu4xc
zajbgnvbaytaknomqswcqydvqqhewjhwjelmakga1uecbmcr0qxczajbgnvbaotakntmqwwcgydvqqlewncruexidaebgkqhkig9w0
bcqewewxpeglhb21pbkbizweuy29tmigfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqdi1jfi3hk4etmpzrcjzseyirw2wjl8sydyz7laiyiptool4x
4wkazd4gamgobbps7dhgpq7vh3qxzje6i0pw4ar7tk9r9usghobevvedvbv7pw94z96jliavgkms/gqlzfs7sokzv/ghpx3xjy1yyi4udytttfss9yhmgafrzhbwidaqabma0gcsqgsib3dqebbauaa4ibaqbw1ykxmihez9l0 awgky3r6zcbm8pd0s 7fvn4ktynkemcv
xbcl4ngemdpjccmo8oxholghvkqwemf0eohdi6vtwyskyhz5amek88hy7clap3masrulwkm5lspwcbbdpxk2ds36mtdxqudzx3vsbwjbns/
rbxo12dtybnleczjmizlvq647ahgwtrhzwzr/h/7qoohpebb714amcrvtx4a6scyxszorso kyvybotpd4nwxubhlwzohahjzdio 2viqj/
n1nabwnbgpv0adedljelurnrocus2mljjoflssorulfllvawngvfztyeksw6a9rug9x66n1txnh7dtjq]
- ------------------------------------------------------------
the cerficate is already encoded in to request header
[wl-proxy-client-cert].
until now, apache proxy server get what it wanted---certificate.
before the client pass the certificate to backend(weblogic cluster),
the apache proxy server has been build
the ssl connection with weblogic server(one way ssl , not two way
ssl).
on apache server(2.0), we turn on the "ssloptions exportcertdata"
which equals "sslexportclientcertificates"
under apache 1.3
this parameter make apahce proxy server known that the client hope to
pass certificate to weblogic server under ssl.
is those configuration enough? not yet. because weblogic server is
not prepare to accept client proxy certificate. that
means when apache proxy pass certificates of other clients, weblogic
won't accept them.
then we should turn on the [ client cert proxy enabled ] on weblogic
managed server throught weblogic server console.
it seems you can do that through:
dizzyclusterdomain> clusters> dizzycluster
general -> client cert proxy enabled, click it.
do that on all weblogic managed server in the weblogic cluster !
reboot your weblogic managed servers.
that's ok. now that your weblogic cluster can accept client's
certificates.
write a simple jsp(or use):
<%@ page language="java" contenttype="text/html; charset=iso-8859-1"
pageencoding="iso-8859-1"%>
<%@ page import="java.security.cert.*" %>
"http://www.w3.org/tr/html4/loose.dtd">
simple test of apache plugin with weblogic cluster under<br />ssl
hello, david.turing.
<%
string certstr="";
x509certificate[] certs =
(x509certificate[]) request.getattribute(
"javax.servlet.request.x509certificate");
if(certs!=null)
{
x509certificate mycert=(x509certificate)certs[0];
//out.println("has cert from client!");
certstr=mycert.tostring();
}
else
out.println("could not get certificate from client!");
%>
your certificate(javax.servlet.request.x509certificate) is encode as:
<%=certstr%>
-----begin pgp signature-----
version: gnupg v1.2.1 (mingw32) - winpt 0.7.96rc1
comment: www.pgp.org.cn
id8dbqffqy1gtapfuvwgl08raq4zakci0f6dbcfio lxxerxdzse5yibaacfu0gg
lmylwgktft1emzmnals9lgq=
=ku43
-----end pgp signature-----