I am using java application to send request to a URL. I have an apache server in the middle. So my application sends request to the apache server and the apache server then sends request to the actual server with which I want to communicate.
The server side has sent us a .cer certificate file which should be presented at the time of SSL handshake. The server side is not ready to share the private key (.key) file with us. How do I configure the certificate in the apache httpd config.
Currently I have below configuration at httpd side
httpd.conf
< VirtualHost apache-server-IP:443 >
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/httpd/conf/test.cer (certificate file provided by server side)
ProxyPass /api https://ServerIP:ServerPort/api/oauth/token
ProxyPassReverse /api https://ServerIP:ServerPort/api/oauth/token
< /VirtualHost >
I make a hit to the apache server using the URL (http://apache-server-ip:443/api/oauth/token) , which in turn sends request on https to actual server using proxypass.
I'm getting internal server error 500 from the server side.
Can anyone suggest how to configure the certificate in apache without using private key but only for presenting the certificate to the server.
Related
I am deploying Angular on Nginx & Apache http server (as reverse proxy web servers) in my UAT environment with the backend being on spring boot on Apache Tomcat (encrypted with https for the java REST apis), I have noticed that Nginx was configured as reverse proxy much easier than Apache BUT that was largely because Apache didn't trust the Java APIs certificate (as it is self signed, so this seems correct)
Can someone explain why this happened? I trust that Nginx is secure but I want to know why it allowed this self signed certificate while Apache by default blocked it (only allowed it with SSLProxyVerify none)?
Nginx config (related part):
location /api {
proxy_pass https://192.168.170.78:7002/;
}
Apache config (the related part):
# SSL proxy config
SSLProxyEngine on
# Why this must be present for the apache to connect to the backend but not for nginx?
SSLProxyCheckPeerName off
# the (proxy) redirection rules for the server
ProxyPass /api/ https://192.168.170.78:7002/
ProxyPassReverse /api/ https://192.168.170.78:7002/
I have configured an application where the load balancer will do an ssl offloading, all request from will come to https://application.com and it will internally redirect to apache port 80. I have saml configured with shibboleth in apache and it expects its destination URL as https. As apache always get the request on port 80 it is creating problem. It is complaining the destination expected is https://application.com but got http://applcation.com is there a way in apache to give the server name as https in apache, I tried using canonical name but no luck.
I set as below in my configuration
ServerName https://application.com
UseCanonicalName On
Please let me know if there is any other way to set this.
Why dont you set up an ssl vhost for shibboleth and use it ? You can go for selfsigned certificates for your ssl connection between webserver and LB.
How to configure TOMCAT to make the browser show the installed certificates (A3; token USB) when a URL (servlet) is called?
I will retriev the X509 certificate on the servlet request parameter.
Your question is a bit difficult to understand, but I'm guessing that you want tomcat to request a certificate from a client.
If this is the case, then you will want to enable what is called mutual authentication in tomcat.
You will have to set the clientAuth attribute of your tomcat ssl connector to either want or true. The ssl connector will be found in your tomcat server.xml file.
'want' asks the client to send a certificate if it has one, but the request will go though if the client doesn't have a certificate and 'true' means the client is required to send a certificate and the request will fail if the client does not provide a certificate.
More information can be found on the tomcat website:
SSL/TLS Configuration HOW-TO
I built a Web-Service application in Jdeveloper 11.1.1.7 and deployed it on weblogic 10.3.6 with all Key-store and SSL configuration.
SSl Configuration:
Use Server Certs : Checked
Two Way Client Cert Behavior: Client Certs Not Requested. [That is means it is one-way ssl.
Correct me if that wrong]
SSL Listen Port Enabled: Checked
Key-store Configuration:
Custom Identity and Custom Trust. The file path has been specified for those custom key store
A sample client application has been created and everything seems to be fine; I mean the client can not access the server application without specifying the trust store file location where the server certificate is stored and it is trusted at the client end.
By the server certificate I mean the same certificate that has been configured in server Key-store Configuration
for your information the client application referring to trust store as follow:
System.setProperty("javax.net.ssl.trustStore",[Trust-store location goes here]);
System.setProperty("javax.net.ssl.trustStorePassword", [password goes here]);
Till now nothing wrong. Next is the problem details:
For the purpose of testing I tried to access the deployed web-service application using the SoapUI (open source software). What is confusing is the request has been sent, accepted at the server and proceed without specifying any thing for server certificate nor trust store location in SoapUI project configuration !!
Why the SOAP request has been accepted from SoapUI without referring to server certificate? The request should be rejected in this case.
My experience with SoapUI is that it is quite lenient. For example, if it doesn't check if the CN of server certificate matches the fully qualified domain name in the URL. In your case, your server most likely uses a CA signed certificate. Most of the root and intermediate certificates of well known CA's (e.g. VeriSign/Symantec) are already included in the default truststores for most systems. If your server had used a self-signed certificate, then SoapUI would have incurred SSL error unless you import the self-signed certificates into the truststore of the host where SoapUI is running.
I have a certificate. pfx to access a webservice.
I followed the steps listed on this page
When looking at the xml sent is encrypted.
But the server returns me the message:
The page requires a client certificate
.........
HTTP/1.1 403 Forbidden
.......
Server Microsoft-IIS/6.0
I can see the definition of this server from the browser if I have this certificate installed (the certificate is correct).
Also I have to use username and password to see the definition of service.
In the Trustor I have the server certificate.
I'm programming in java and use axis, any ideas why I am getting this error?
You need to configure your Axis client to inclue a client certificate with your outgoing request. This is different from server certificates which are more common. This post gives good info on setting up client certs in Java:
This is the solution:
System.setProperty(“javax.net.ssl.keyStore”, “path/keystore.jks”);
System.setProperty(“javax.net.ssl.keyStorePassword”, “pass”);
System.setProperty(“javax.net.ssl.keyStoreType”, “PKCS12″);
System.setProperty(“javax.net.ssl.trustStore”, “path/trusstore.jks”);
System.setProperty(“javax.net.ssl.trustStorePassword”, “pass”);
System.setProperty(“com.sun.net.ssl.dhKeyExchangeFix”, “true”);