Sun Java System Web Server - Sun Web Server 7.0u2 - reverse proxy client authentication response 403
This question is answered.

This topic has 9 replies on 1 page.
vn12201
Posts:3
Registered: 3/12/09
Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Mar 12, 2009 5:35 PM
 
 
There is an SSL client authentication Sun Web Server 7.0u2 on the front end that connects to an SSL client authentication Sun Web Server 7.0u2 on the back end via reverse proxy.

- Using the MS Internet Explorer 6, it always returns "403 forbidden" error
- But it works fine if back-end web server is not a client authentication server

Do we have any way to pass the client certificate from the front-end web server to the back-end server?

Thanks
 
  sriram.natarajan
Posts:365
Registered: 11/13/07
Re: Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Mar 12, 2009 6:12 PM (reply 1 of 9)  (In reply to original post )
 
 
Did you check out this blog?
http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_web

It describes how to store the origin server's (your back-end server's) SSL certificate within the reverse proxy.

This might require you to do something like:

terminate SSL at the front end (RP)
and initiate SSL between the reverse proxy and the origin server (back end). This is done simply by using https://<back end server name>, provided the back-end certificate is installed within the reverse proxy.

Hope this helps.
 
vn12201
Posts:3
Registered: 3/12/09
Re: Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Sep 17, 2009 2:55 AM (reply 2 of 9)  (In reply to #1 )
 
 
Thanks for your information!

Yes, I did check this blog http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_web
but it only solves SSL, not SSL client authentication.

Both of these web servers have the same CA certificates.
And the reverse proxy works for the back-end SSL web server and the non-SSL web server.
It doesn't work for the back-end SSL client authentication web server.

Thanks
 
motor
Posts:158
Registered: 8/3/06
Re: Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Mar 13, 2009 12:57 AM (reply 3 of 9)  (In reply to original post )
 
 
Do we have any way to pass the client certificate from the front-end web server to the back-end server?

http://docs.sun.com/app/docs/doc/819-2630/aebjl?a=view
 
vn12201
Posts:3
Registered: 3/12/09
Re: Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Mar 13, 2009 11:05 AM (reply 4 of 9)  (In reply to #3 )
 
 
After using the "forward-auth-cert" function, the browser still shows "403 Forbidden".
How can the back-end server get the client certificate?
I tried to use AuthenTrans fn="auth-passthrough", but it didn't work.

Thanks
 
  mv
Posts:1,138
Registered: 4/18/05
Re: Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Sep 17, 2009 3:11 AM (reply 5 of 9)  (In reply to #4 )
 
 
First tell me what your requirement is. As far as I understand, you need:

1. FRONT END WebServer 7.0 acting as reverse proxy, enable SSL on it.

2. BACK END WebServer 7.0 (I will call it the Origin Server), enable SSL on it and make SSL Client Certificate Authentication work (where client certificate authentication means it should authenticate client certificates sent by the browser).


Some references:
1. As per http://docs.sun.com/app/docs/doc/820-4841/aebjl?a=view, "forward-auth-cert" by default sends the client (browser) certificate as the header "Proxy-auth-cert" to the origin server.

2. As per http://forums.sun.com/thread.jspa?threadID=5397719
"By default, the reverse proxy stores the client's certificate in the "Proxy-auth-cert" HTTP header. The reverse proxy cannot, however, authenticate to the origin server using the client's certificate. That's a fundamental characteristic of public key infrastructure."
 
mikeo121
Posts:1
Registered: 9/17/09
Subject blocked   
Sep 17, 2009 3:59 AM (reply 6 of 9)  (In reply to #5 )
 




 
User/Message blocked
 
  mv
Posts:1,138
Registered: 4/18/05
Re: Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Sep 17, 2009 4:07 AM (reply 7 of 9)  (In reply to #6 )
 
 
Can you share for the benefit of other customers what you did?

1) Added reverse proxy "map" SAF on one Web Server that looks somewhat like (in obj.conf):
...
NameTrans fn="map" from="/" name="reverse-proxy-/" to="/"
...
<Object ppath="*">
Service fn="proxy-retrieve" method="*"
</Object>
 
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="https://origin-server.sun.com"
</Object>


2) Enabled SSL and installed server certificates on both the origin server and the reverse proxy web server.

3) Enabled client-auth on the origin server (if using WS 7.0) in server.xml in the http-listener element:
    <ssl><client-auth>required</client-auth></ssl>


4) Enabled client-auth on the reverse proxy web server, in server.xml in the http-listener element:
    <ssl><client-auth>required</client-auth></ssl>


Anything else?
 
PhHein
Posts:10,727
Registered: 8/16/01
Re: Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Sep 17, 2009 6:15 AM (reply 8 of 9)  (In reply to #6 )
 
 
mikeo121 wrote:
I've finally managed to get reverse proxy working on 443. In the end I pulled the user's certificate out of the Proxy-auth-cert header. Thanks for the help!

Mike, no link sigs, please.
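
Added example, not part of any post in this thread and not Sun's code: a sketch of how an origin-side application could consume the "Proxy-auth-cert" header described in reply 5 and used in the quoted resolution above. It assumes the header value is the Base64-encoded DER certificate, that the reverse proxy authenticates to the origin with its own client certificate, and that the application can read the TLS peer certificate (in Python, `ssl.SSLSocket.getpeercert(binary_form=True)`); the pin list, user mapping, function names and sample bytes are all hypothetical.

```python
import base64
import binascii
import hashlib

HEADER = "proxy-auth-cert"  # header name quoted in the thread (compared case-insensitively)

# Constructed stand-ins, NOT real certificates: minimal DER SEQUENCEs.
PROXY_CERT = bytes.fromhex("3003020101")    # proxy's own TLS client certificate
BROWSER_CERT = bytes.fromhex("3003020105")  # end user's certificate

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

TRUSTED_PROXIES = {fingerprint(PROXY_CERT)}   # hypothetical pin list
USERS = {fingerprint(BROWSER_CERT): "alice"}  # hypothetical user mapping

def is_der_sequence(der):
    """True if der is exactly one ASN.1 SEQUENCE with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length, n following bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def forwarded_cert(headers, peer_cert_der):
    """Return the forwarded browser certificate (DER bytes) or None."""
    # Honour the header only on connections whose TLS peer is the proxy;
    # any other sender could place an arbitrary certificate in the header.
    if peer_cert_der is None or fingerprint(peer_cert_der) not in TRUSTED_PROXIES:
        return None
    values = [v for k, v in headers if k.lower() == HEADER]
    if len(values) != 1:                  # absent or duplicated header
        return None
    try:
        der = base64.b64decode("".join(values[0].split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    return der if is_der_sequence(der) else None

def authenticate(headers, peer_cert_der):
    """Map the forwarded certificate to a user, or None if untrusted/unknown."""
    der = forwarded_cert(headers, peer_cert_der)
    return USERS.get(fingerprint(der)) if der else None
```

The header carries no proof of possession of the user's private key, so the origin is relying on the proxy having already validated the browser's certificate during its own client-auth handshake.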
 
  mv
Posts:1,138
Registered: 4/18/05
Re: Sun Web Server 7.0u2 - reverse proxy client authentication response 403   
Sep 18, 2009 5:05 AM (reply 9 of 9)  (In reply to #7 )
 
 
 