David.Turing's blog

 

[原创] Pass SSL Certificate to Weblogic Cluster through Apache Proxy under SSL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pass SSL Certificate to Weblogic Cluster through Apache Proxy under
SSL

This Paper will introduce how to pass certficate to Weblogic Cluster
through Apache Proxy under SSL.
Before you read this paper, please read another blog of mine( but not
necessary).

<<Apache Proxy with Weblogic Cluster under SSL>>
http://www.blogjava.net/security/archive/2007/01/07/WeblogicClusterWithApacheProxyUnderSSL.html

As fas as we know,  Apache proxy wouldn't support  two way SSL with
Weblogic Managed Server, so
 we should let weblogic managed server work under one way ssl
mode(see <<weblogic security in action>> for
more information).

IE Client  ->  Apache Proxy -> Weblogic Cluster(Managed Server)

Below are the Configuration:

[Httpd.conf]
################################
# Added to Httpd.conf by David.Turing
################################
LoadModule weblogic_module modules/mod_wl_20.so
LoadModule ssl_module modules/mod_ssl.so

<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

<Location "/examplesWebApp">
  SetHandler weblogic-handler
</Location>

<Location "/ssl">
  SetHandler weblogic-handler
</Location>

<IfModule mod_weblogic.c>
WebLogicCluster sourcesite:8002,destsite:8002,destsite:8004
SecureProxy ON
TrustedCAFile C:\CertGen\CS\cs.pem
RequireSSLHostMatch false

Debug ALL
WLLogFile C:\apache\logs\wls_proxy_server.txt
</IfModule>

[ssl.conf]
################################
# Added to ssl.conf by David.Turing
################################
<VirtualHost _default_:8002>
DocumentRoot "c:/apache/htdocs"
ServerName adserver:8002
ServerAdmin openssl@163.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl.key/adserver_ug.crt
SSLCertificateKeyFile conf/ssl.key/adserver_ug_key.pem
SSLCertificateChainFile conf/ssl.key/adserver_ug_chain.crt
SSLCACertificateFile conf/ssl.key/adserver_ug_chain.crt
SSLOptions +ExportCertData
SSLVerifyClient require
SSLVerifyDepth  10

<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/apache/cgi">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost> 


Let me introduce some thing about Apache SSL:
1)  SSLCACertificateFile is the certificate that will present to
client before the SSL Context is build.
2)  IE Client will then analyse that certificate and know which
Identity should send to Apache Proxy
for authentication( make sure that client had been import the correct
PFX/P12 into IE)
3) If client have more one certificate Identity, then IE will pop up
a small windows to let us choose
which certificate(we already had a related private key for this
certificate) we want to use for SSL
- -HandShake.
4) Then if we choose to use one, we pass the selected certificate to
Apache Proxy Server.
Note:
if you turn on the Log for Weblogic Apache Plugin, then you will get
these:
- ------------------------------------------------------------
Sat Jan 13 17:17:16 2007 Hdrs to
WLS:[Referer]=[http://adserver/ssl/]
Sat Jan 13 17:17:16 2007 Hdrs to
WLS:[Accept-Language]=[zh-cn,en-us;q=0.5]
Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Accept-Encoding]=[gzip,
deflate]
Sat Jan 13 17:17:16 2007 Hdrs to WLS:[User-Agent]=[Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;
InfoPath.1; .NET CLR 2.0.50727)]
Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Host]=[adserver:8002]
Sat Jan 13 17:17:16 2007 Hdrs to
WLS:[Cookie]=[JSESSIONID=Fyj2GG6Tv2qyN23C6vyL1gxWlSyt0XNpQXWHvTvmm5BSylWCvdd4!-527265336]
Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Connection]=[Keep-Alive]
Sat Jan 13 17:17:16 2007 Hdrs to WLS:[WL-Proxy-SSL]=[true]
Sat Jan 13 17:17:16 2007 Hdrs to
WLS:[WL-Proxy-Client-Cert]=[MIIC3jCCAcagAwIBAgIBCzANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQDEwJDUzE
LMAkGA1UEBhMCQ04xCzAJBgNVBAcTAkdaMQswCQYDVQQIEwJHRDELMAkGA1UEChMCQ1MxDzANBgNVBAsTBk9OU0lURTEdMBsGCSqGS
Ib3DQEJARYOZGh1YW5nQGJlYS5jb20wHhcNMDcwMTExMDc1MzQ0WhcNMDkwMTEwMDc1MzQ0WjB4MRIwEAYDVQQDEwlMSVhJQU9NSU4xC
zAJBgNVBAYTAkNOMQswCQYDVQQHEwJHWjELMAkGA1UECBMCR0QxCzAJBgNVBAoTAkNTMQwwCgYDVQQLEwNCRUExIDAeBgkqhkiG9w0
BCQEWEWxpeGlhb21pbkBiZWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi1JFi3hk4eTMPZrCjZSeYirw2wjL8sYdyz7lAiyIPtooL4X
4wkAzD4gamGobBpS7DhGPQ7vH3Qxzje6I0PW4ar7tK9r9USghOBEVVedvbV7pw94z96jlIaVgkMs/gQlZFs7soKZV/gHpx3xjY1YyI4uDYttTFSs9YhMgAfRZHBwIDAQABMA0GCSqGSIb3DQEBBAUAA4IBAQBw1YKxMIHez9l0+awGkY3R6zcBM8PD0S+7fvn4KtyNKemcV
+xBCl4NgEmdPjCCmo8OXHoLghvKQWEMF0EohDI6vtwYSkYHZ5amEk88hy7CLAp3maSRuLWKm5LsPwcbbDPxK2DS36mtDxQudZx3VSBWJBNS/
RBxo12dtybnLEcZjmiZLVQ647aHgWtRHzWzR/H/7qooHpebB714aMCRVTX4A6ScYxsZoRsO+KYvYBotPD4nwXuBhLwzOHAhJZdIo+2VIQj/
N1nabwnbgpv0AdeDLJeLUrnRoCUs2MLJJOfLssOruLFllvAwngvFZTYekSw6a9rug9X66n1txNH7DtjQ]
- ------------------------------------------------------------
the cerficate is already encoded in to request header
[WL-Proxy-Client-Cert].
Until now,  Apache Proxy Server get what it wanted---certificate.

Before the client pass the certificate to backend(Weblogic Cluster),
the apache proxy server has been build
the SSL connection with weblogic server(one way ssl , not two way
ssl).

On Apache Server(2.0), we turn on the "SSLOptions +ExportCertData"
which equals "SSLExportClientCertificates"
under Apache 1.3
This parameter make Apahce Proxy Server known that the client hope to
pass Certificate to Weblogic Server under SSL.

Is those configuration enough? Not Yet.  Because Weblogic Server is
not prepare to accept Client Proxy Certificate. That
means when apache proxy pass certificates of other clients, weblogic
won't accept them.

Then we should turn on the [ Client Cert Proxy Enabled ] on weblogic
managed server throught Weblogic Server Console.
It seems you can do that through:
dizzyClusterDomain> Clusters> dizzyCluster
General -> Client Cert Proxy Enabled,  Click it.
Do that on all weblogic managed server in the weblogic cluster !
Reboot your Weblogic Managed Servers.

That's OK. Now that your weblogic Cluster can accept client's
certificates.

Write a simple JSP(or use):

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ page import="java.security.cert.*" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<title>Simple Test of Apache Plugin with Weblogic Cluster Under
SSL</title>
</head>
<body>
Hello,  David.Turing.
<br>

<%
    String certstr="";
    X509Certificate[]  certs  = 
    (X509Certificate[])  request.getAttribute(
"javax.servlet.request.X509Certificate");
    if(certs!=null)
    {
        X509Certificate mycert=(X509Certificate)certs[0];
        //out.println("Has Cert from Client!");
        certstr=mycert.toString();
    }
    else
        out.println("could not get certificate from client!");
   
%>
Your Certificate(javax.servlet.request.X509Certificate) is Encode As:

<br>
<%=certstr%>
</body>
</html>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1
Comment: www.pgp.org.cn

iD8DBQFFqY1gTaPfUVwGl08RAq4ZAKCI0F6dbcFIo+LxXERxDZse5YIbAACfU0GG
lmyLWgKTfT1emzMNAls9LgQ=
=kU43
-----END PGP SIGNATURE-----

posted on 2007-01-13 19:19 david.turing 阅读(5029) 评论(0)  编辑  收藏 所属分类: Security领域


只有注册用户登录后才能发表评论。


网站导航:
 

导航

统计

常用链接

留言簿(107)

我参与的团队

随笔分类(126)

随笔档案(155)

文章分类(9)

文章档案(19)

相册

搜索

积分与排名

最新随笔

最新评论

阅读排行榜

评论排行榜