Certificate Login When Using an SSL-enabled Proxy
You can place an SSL-enabled proxy server in front of the J2EE Engine to handle client requests. Client certificate verification is then performed on the proxy server: the proxy checks that the client holds the certificate it presents, attaches the client certificate to the request, and forwards the request to the HTTP Provider Service on the J2EE Engine. The HTTP Provider Service accepts the forwarded certificate and logs the client on without verifying it again. The J2EE Engine therefore relies entirely on the proxy having done the verification, so it must be able to tell that a forwarded certificate really originates from the proxy; the following sections describe how that is established.
By default the proxy forwards the client request to the J2EE Engine over SSL. In this case the J2EE Engine verifies the certificate that the proxy presents when the SSL connection is established against a list of trusted proxy certificates. This list is the value of the ProxyServersCertificates property of the HTTP Provider Service running on the server process; each entry is the subject DN of a proxy certificate. If the subject DN of the proxy server certificate matches an entry in the list, the HTTP Provider Service accepts any client certificate that the proxy forwards with the request. If no match is found, the request headers that carry certificate information are ignored.
If the proxy server forwards the client certificate to the J2EE Engine over plain HTTP, the certificate is ignored by default. To enable certificate forwarding over HTTP, set the AcceptClientCertWithoutSSL property of the HTTP Provider Service running on the server process to true.

Caution: if AcceptClientCertWithoutSSL is true, the J2EE Engine accepts every client certificate forwarded over HTTP, because without SSL it cannot verify where the request came from. Any party that can reach the HTTP port can then add the certificate header to a request and be logged on as the subject of whatever certificate it supplies. Enable this setting only if the HTTP port is reachable from the proxy server alone.
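The acceptance rules in the two paragraphs above, modelled as an added example (this is illustration code, not the HTTP Provider Service implementation). The property values are represented as fields of a small configuration object; the header name SSL_CLIENT_CERT, the subject DNs and the Base64 blob are constructed for the example, and the function returns the forwarded certificate only in the cases the text says the engine accepts it:

```python
"""Decision model for the HTTP Provider Service's handling of a client
certificate forwarded by a proxy (added illustration, not SAP code).

The property names follow the text; the values and header name below are
constructed for the example, not the product defaults.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpProviderConfig:
    # ProxyServersCertificates: subject DNs of proxies whose forwarded
    # client certificates are accepted over SSL.
    proxy_servers_certificates: list = field(default_factory=list)
    # AcceptClientCertWithoutSSL: accept the forwarded certificate even over
    # plain HTTP (default false).
    accept_client_cert_without_ssl: bool = False
    # ClientCertificateHeaderName: header carrying the Base64 client
    # certificate. The name used here is an assumption for the example.
    client_certificate_header_name: str = "SSL_CLIENT_CERT"


@dataclass
class IncomingRequest:
    headers: dict
    # Subject DN of the certificate the peer presented when the SSL
    # connection to the J2EE Engine was set up; None for plain HTTP.
    peer_subject_dn: Optional[str] = None


def forwarded_client_cert(cfg: HttpProviderConfig,
                          req: IncomingRequest) -> tuple:
    """Return (base64_certificate_or_None, reason) following the rules in
    the text: trusted proxy over SSL -> accept; plain HTTP -> accept only if
    AcceptClientCertWithoutSSL is true; anything else -> header ignored."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in req.headers.items()}
    cert = headers.get(cfg.client_certificate_header_name.lower())
    if cert is None:
        return None, "no forwarded certificate header"
    if req.peer_subject_dn is not None:
        if req.peer_subject_dn in cfg.proxy_servers_certificates:
            return cert, f"accepted: forwarded by trusted proxy {req.peer_subject_dn}"
        return None, f"ignored: SSL peer {req.peer_subject_dn} not in ProxyServersCertificates"
    if cfg.accept_client_cert_without_ssl:
        return cert, "accepted without origin check: AcceptClientCertWithoutSSL=true"
    return None, "ignored: plain HTTP and AcceptClientCertWithoutSSL=false"


# Constructed inputs: a proxy DN and an opaque Base64 blob standing in for
# a certificate the sender never actually held.
PROXY_DN = "CN=proxy.example.net, O=Example, C=DE"
FORGED_CERT = "QkFTRTY0LURFUi1QTEFDRUhPTERFUg=="  # constructed placeholder


def demo_decisions() -> dict:
    """The four cases a practitioner should check during a review."""
    hardened = HttpProviderConfig(proxy_servers_certificates=[PROXY_DN])
    lax = HttpProviderConfig(proxy_servers_certificates=[PROXY_DN],
                             accept_client_cert_without_ssl=True)
    hdr = {"SSL_CLIENT_CERT": FORGED_CERT}
    return {
        "trusted_proxy_ssl": forwarded_client_cert(hardened, IncomingRequest(hdr, PROXY_DN))[0],
        "untrusted_peer_ssl": forwarded_client_cert(hardened, IncomingRequest(hdr, "CN=attacker"))[0],
        "plain_http_hardened": forwarded_client_cert(hardened, IncomingRequest(hdr))[0],
        # With AcceptClientCertWithoutSSL=true anyone reaching the HTTP port
        # is logged on as the subject of the certificate they put in the header.
        "plain_http_lax": forwarded_client_cert(lax, IncomingRequest(hdr))[0],
    }


if __name__ == "__main__":
    for case, result in demo_decisions().items():
        print(f"{case}: {'ACCEPTED' if result else 'ignored'}")
```

The last case is the one to look for in a configuration review: with the lax setting the engine has no way to distinguish the proxy from an attacker, and the forged header is honoured.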

When the proxy server forwards the client certificate, a servlet running in the J2EE Engine Web Container can access it through the javax.servlet.request.ForwardedX509Certificate request attribute. The value of the attribute is an array of X509Certificate objects. The javax.servlet.request.X509Certificate attribute contains the proxy server's certificate if the proxy server and the J2EE Engine communicate over SSL; if they communicate over HTTP, this attribute is null. A servlet that makes authorization decisions on the certificate must therefore read the forwarded attribute, since the standard attribute identifies the proxy, not the end user.
The client certificate is forwarded to the J2EE Engine in an HTTP request header: the proxy server appends one header to the original client request before forwarding it to the HTTP Provider Service. The name of the header is the value of the ClientCertificateHeaderName property of the HTTP Provider Service running on the server process. The header value is the Base64-encoded client certificate (which carries the client's public key). Because the J2EE Engine trusts this header from the proxy, the proxy must also remove any header of the same name that arrives from the client; otherwise a client could supply its own "forwarded" certificate.
If the proxy server is ICM, the client certificate is passed to the J2EE Engine in a separate block of data according to the J2EE Engine – ICM communication protocol, as described in Communication Between ICM and J2EE Engine.

You must also restrict the SSL port so that only the trusted proxy server's certificate is accepted on it. The ProxyServersCertificates check compares only the subject DN of the proxy certificate, so if the SSL Provider Service accepted certificates from arbitrary issuers, any client able to present a certificate with a matching subject DN could forward certificates of its own choosing. Configure this restriction in the SSL Provider Service using the Visual Administrator tool.
For more information on how to configure SSL on the J2EE Engine, see the documentation of the SSL Provider Service.
The J2EE Engine defines further HTTP headers that the SSL-enabled proxy uses to forward client authentication information. Their names are configured by the following properties of the HTTP Provider Service:
Property Name | Description
ClientCertificateChainHeaderPrefix | Prefix of the names of the headers that carry the certificate chain the client certificate belongs to (one header per certificate, numbered after the prefix; see below).
ClientCipherSuiteHeaderName | Name of the header that carries the cipher suite the client used on its SSL connection to the proxy, which terminates that connection.
ClientKeySizeHeaderName | Name of the header that carries the size of the key the client used on that connection.
You configure them in the Visual Administrator tool by editing the corresponding properties on the Properties tab of the HTTP Provider Service running on the server process. For the default values of the properties, see HTTP Provider Service.
Assume that the client certificate is part of a chain of n certificates. The client certificate itself is transmitted in the ClientCertificateHeaderName header described above. Each further certificate in the chain is transmitted in its own header whose name is the ClientCertificateChainHeaderPrefix value followed by the certificate's position in the chain: the parent (issuer) certificate in the header numbered 1, and so on up to the root certificate in the header numbered n-1. As with the client certificate, the J2EE Engine accepts a chain forwarded by a trusted proxy without validating it, so the proxy must have validated the chain before forwarding it.
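Both sides of the header layout described above, as an added example (illustration code, not SAP or proxy code): the proxy-side routine builds the ClientCertificateHeaderName header and the numbered chain headers, and the engine-side routine reassembles the chain and rejects malformed values. The header names SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_ are assumptions standing in for the two property values, the "certificates" are constructed byte strings rather than real DER, and the numbering follows the text (parent = 1, root = n-1):

```python
"""Proxy-side construction and engine-side parsing of the forwarded
certificate headers (added illustration, not SAP or proxy code).

Header names are assumptions for the example; in the product they are the
ClientCertificateHeaderName and ClientCertificateChainHeaderPrefix
properties. Chain headers are numbered as the text states: parent = 1,
root = n-1; the client certificate travels in its own header.
"""
import base64
import binascii

CERT_HEADER = "SSL_CLIENT_CERT"           # assumed ClientCertificateHeaderName
CHAIN_PREFIX = "SSL_CLIENT_CERT_CHAIN_"   # assumed ClientCertificateChainHeaderPrefix


def build_forwarded_headers(chain_der: list) -> dict:
    """chain_der: DER certificates, client certificate first, root last.
    Returns the headers the proxy appends before forwarding the request."""
    if not chain_der:
        raise ValueError("empty chain")
    b64 = lambda der: base64.b64encode(der).decode("ascii")
    headers = {CERT_HEADER: b64(chain_der[0])}
    for i, der in enumerate(chain_der[1:], start=1):
        headers[f"{CHAIN_PREFIX}{i}"] = b64(der)
    return headers


def _decode_der(value: str) -> bytes:
    """Strict Base64 decode plus a cheap DER sanity check (outer SEQUENCE)."""
    try:
        der = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed Base64 certificate header: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("header does not contain a DER SEQUENCE")
    return der


def parse_forwarded_headers(headers: dict) -> list:
    """Reassemble [client, parent, ..., root] from the forwarded headers.
    Numbering stops at the first missing index, so a gap truncates the
    chain rather than silently skipping a certificate."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if CERT_HEADER.lower() not in hdrs:
        return []
    chain = [_decode_der(hdrs[CERT_HEADER.lower()])]
    i = 1
    while f"{CHAIN_PREFIX}{i}".lower() in hdrs:
        chain.append(_decode_der(hdrs[f"{CHAIN_PREFIX}{i}".lower()]))
        i += 1
    return chain


# Constructed placeholders: bytes that begin like a DER SEQUENCE but are
# not real certificates.
CLIENT_DER = b"\x30\x82\x00\x10client-certificate"
INTERMEDIATE_DER = b"\x30\x82\x00\x10intermediate-ca"
ROOT_DER = b"\x30\x82\x00\x10root-ca"


def roundtrip(chain=None) -> list:
    """Build the headers for a chain and parse them back."""
    chain = chain or [CLIENT_DER, INTERMEDIATE_DER, ROOT_DER]
    return parse_forwarded_headers(build_forwarded_headers(chain))


if __name__ == "__main__":
    for name in build_forwarded_headers([CLIENT_DER, INTERMEDIATE_DER, ROOT_DER]):
        print(name)
    print("roundtrip ok:", roundtrip() == [CLIENT_DER, INTERMEDIATE_DER, ROOT_DER])
```

The strict decode matters on the engine side: the J2EE Engine does not re-verify what a trusted proxy forwards, so a garbled or truncated header should fail loudly rather than produce a partial chain that later code treats as complete.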