Unable to access Client Side certificate in Reverse Proxy configuration WS7
Jul 15, 2009 2:16 PM
I'm attempting to configure WebServer 7u3 in reverse proxy on port 80 and 443. Things seem to finally be working except for one problem: the 443 instance on the origin (odd term there) server sees the reverse proxy's certificate as the client side certificate instead of being passed the user's certificate.
The configuration has the Reverse Proxy on 443 signed by the same CA as the origin and both requiring a client certificate. When code attempts to look into the values of the user's certificate used for additional verification, it is definitely the Reverse Proxy's certificate.
How do I resolve this? Surely there must be a way for the reverse proxy to pass along the certificate?
By default, the reverse proxy stores the client's certificate in the Proxy-auth-cert HTTP header.
The reverse proxy cannot, however, authenticate to the origin server using the client's certificate. That's a fundamental characteristic of public key infrastructure.
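As an added example (not part of the original thread and not the product's own code), this sketch shows how origin-side code could use the forwarded header safely: it accepts `Proxy-auth-cert` only when the TLS peer is the reverse proxy itself, since any other client could set the header. It assumes the header value is the Base64 of the DER certificate and that the origin pins the proxy by SHA-256 fingerprint; the function name, size limit and sample bytes are hypothetical or constructed.

```python
import base64
import hashlib
import hmac
import ssl

# Constructed stand-ins for real DER certificates (assumption: any bytes work
# here because the gate only fingerprints and decodes, it does not parse X.509).
SAMPLE_PROXY_DER = b"constructed-reverse-proxy-certificate"
SAMPLE_USER_DER = b"constructed-end-user-certificate"

# Pinned on the origin: SHA-256 of the reverse proxy's own certificate.
PINNED_PROXY_SHA256 = hashlib.sha256(SAMPLE_PROXY_DER).hexdigest()
MAX_CERT_BYTES = 16 * 1024  # hypothetical sanity limit

class UntrustedForwardedCert(Exception):
    """The Proxy-auth-cert header must not be used for this request."""

def forwarded_user_cert(peer_cert_der, headers):
    """Return (sha256_hex, pem) for the user certificate the proxy forwarded.

    peer_cert_der: DER bytes of the certificate presented on the TLS
                   connection to the origin, or None if there was none.
    headers:       list of (name, value) request header pairs.
    """
    # 1. The header is only meaningful when the TLS peer is the proxy itself;
    #    anyone else connecting to the origin could set it to any value.
    if peer_cert_der is None:
        raise UntrustedForwardedCert("no client certificate on connection")
    peer_fp = hashlib.sha256(peer_cert_der).hexdigest()
    if not hmac.compare_digest(peer_fp, PINNED_PROXY_SHA256):
        raise UntrustedForwardedCert("TLS peer is not the reverse proxy")

    # 2. Require exactly one header (names are case-insensitive).
    values = [v for k, v in headers if k.lower() == "proxy-auth-cert"]
    if len(values) != 1:
        raise UntrustedForwardedCert("expected exactly one Proxy-auth-cert")

    # 3. Decode strictly (assumed encoding: Base64 of the DER certificate).
    try:
        der = base64.b64decode("".join(values[0].split()), validate=True)
    except ValueError as exc:
        raise UntrustedForwardedCert("header is not valid Base64") from exc
    if not der or len(der) > MAX_CERT_BYTES:
        raise UntrustedForwardedCert("implausible certificate size")

    # PEM form can be handed to an X.509 parser to read subject fields.
    return hashlib.sha256(der).hexdigest(), ssl.DER_cert_to_PEM_cert(der)
```

The returned certificate is only as trustworthy as the proxy's own validation of the user's TLS handshake, so the origin should keep requiring the proxy's client certificate on that listener.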