Forum Discussion
F5, HTTPD and Mod_jk and Tomcat full HTTPS
Hi,
I have the following architecture :
Client => F5 => HTTPD => Mod_jk => Tomcat 8, i.e. HTTPS -> HTTPS -> HTTPS -> AJP/13 -> AJP/13/SSL Connector
My application asks to the browser client a certificate to authenticate.
The previous solution was to attach the client certificate to the header and, I don't know how, build an X509 object from it. But the previous application was running on JBoss and there was no httpd server between F5 and it.
Do you think that there is a solution to make it work without using a level 4 SSL proxy?
(I've built a Tomcat application that shows the header values and they are OK, but the attribute java.security.cert.X509Certificate is always null, except if I bypass F5.)
thank you very much,
Best regards
Yann Boulanger
Kevin_Stewart (Employee):
I'm thinking java.security.cert.X509Certificate would only get populated if httpd was actually consuming the client certificate. There are probably a few options here:
- Configure the new mod_jk/Tomcat services to consume the certificate as an HTTP header. This was likely done by base64-encoding the client's certificate in PEM form and simply passing it as a header.
- Use APM to do the client-side certificate auth, then do Kerberos on the server side.
- Use the Client Certificate Constrained Delegation (C3D) function, available in 13.1, to forge a client certificate to the server. In this approach, the F5 consumes and validates the client certificate, and then a local CA cert/key re-issues a client certificate to the backend server, copying all of the necessary attributes from the original client cert. The server just needs to trust the local CA. This also allows you to explicitly decrypt and re-encrypt the traffic at the F5. Ref: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/4.html
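The first option above (forward the client certificate as a header and rebuild an X509 object in the application) can be implemented as a servlet filter on the Tomcat side. The filter below is an added example written for this thread, not code from F5, Tomcat or the poster; the header name `X-Client-Cert`, the `clientCaPem` init-param and the `ForwardedClientCertFilter` class are assumptions. It decodes the header (either the whole PEM base64-encoded once more for transport, as the reply describes, or a PEM squashed onto one line), checks validity and the issuer signature against the CA the server trusts (the local C3D CA in the third option), and then sets the same `javax.servlet.request.X509Certificate` attribute that Tomcat would populate from its own TLS handshake, so existing code and security constraints keep working.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rebuilds the client-certificate request attribute from a certificate that
 * the front-end (F5 / httpd) forwarded in an HTTP header.
 * Header name and CA file are assumptions for this example, not values from the thread.
 */
public class ForwardedClientCertFilter implements Filter {

    // Assumed header name: use whatever the F5 iRule / httpd RequestHeader directive emits.
    static final String CERT_HEADER = "X-Client-Cert";
    // Standard servlet attribute for the client chain; Tomcat sets it itself on a direct TLS handshake.
    static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    private X509Certificate trustedIssuer;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Assumed init-param: PEM file of the CA that issued (or, with C3D, re-issued) client certificates.
        String caPath = config.getInitParameter("clientCaPem");
        try (InputStream in = Files.newInputStream(Paths.get(caPath))) {
            trustedIssuer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load client CA certificate from " + caPath, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse resp = (HttpServletResponse) res;
        String header = http.getHeader(CERT_HEADER);
        if (header != null) {
            try {
                X509Certificate cert = parseForwardedCert(header);
                cert.checkValidity();                      // not expired, not yet valid
                cert.verify(trustedIssuer.getPublicKey()); // signed by the CA we trust
                req.setAttribute(CERT_ATTRIBUTE, new X509Certificate[] { cert });
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                // A malformed or untrusted certificate must not silently fall through as an anonymous request.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid forwarded client certificate");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Accepts the header in the forms seen in practice:
     *  - the PEM text (or raw DER) base64-encoded once more for header transport (the thread's variant)
     *  - the PEM itself with its line breaks replaced by spaces
     * Returns the parsed certificate; throws on any decoding or parsing failure.
     */
    static X509Certificate parseForwardedCert(String headerValue) throws GeneralSecurityException {
        String value = headerValue.trim();
        byte[] der;
        if (!value.contains("-----BEGIN")) {
            // Outer base64 layer: the payload is either PEM text or DER bytes
            byte[] decoded = Base64.getDecoder().decode(value.replaceAll("\\s", ""));
            String asText = new String(decoded, StandardCharsets.US_ASCII);
            if (asText.startsWith("-----BEGIN")) {
                value = asText;     // PEM inside: fall through to PEM handling
                der = null;
            } else {
                der = decoded;      // already DER
            }
        } else {
            der = null;
        }
        if (der == null) {
            // PEM: drop the armour lines and all whitespace, then decode the base64 body to DER
            String body = value.replaceAll("-----BEGIN [A-Z ]*-----", "")
                               .replaceAll("-----END [A-Z ]*-----", "")
                               .replaceAll("\\s", "");
            der = Base64.getDecoder().decode(body);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

Map the filter in web.xml with `<init-param>` `clientCaPem` pointing at the CA PEM. The header is only as trustworthy as the hop that sets it: httpd must `RequestHeader unset` any client-supplied copy before it adds its own, and the AJP connector should accept connections only from httpd, otherwise a direct client could forge the header and bypass authentication. Tomcat also ships `org.apache.catalina.valves.SSLValve`, which performs the same header-to-attribute mapping for the `ssl_client_cert` header without the signature check done here.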
maintenance_ssi (Nimbostratus):
We also try to let Tomcat build the connection without wrapping anything at the Tomcat level. Thank you,
Yann