0

I have a couple of java servlets which need to be secured with Mutual authentication with X509 certificates. I used the information from here to implement mutual authentication and it works fine on my machine.

Now our integration environment has BigIP for load balancing traffic to weblogic. The SSL is terminated at BigIP and it forwards the https request to weblogic using an internal certificate instead of the client's certificate it got with the original https request. So mutual auth is not working.

The BigIP team says they can put the client's certificate in the HTTP header (SSL_CLIENT_CERT), and I am not sure how to configure weblogic to read client's cert from http header.

Do I need to write a custom Identity assertion provider and configure it in weblogic?? Is this the best approach or do I have any other option?

Any help on this is greatly appreciated!!

Guru
  • 155
  • 10

1 Answers1

1

It is necessary to configure the identity asserter if you are using two way ssl to verify the client identity

and to use it to restrict access to application.If you are using two way ssl with signed CA(Verisign etc.) it

will be only used for trust -not for authentication or any type of application access restriction.

Check below link for detail clarification on above

http://www.oracle.com/technetwork/articles/damo-howto-091164.html.

You can follow your steps for configuring the X509 Certificate Authentication for weblogic server.

Along with above you need to follow below steps

1) Make sure that BIG IP handles client certitifcate and client key which can be configured in the HTTPS monitor in BiG IP.

2) Configure the BIG-IP to insert a header named WL-Proxy-SSL: with a value of true into each request.

3) Enable weblogic proxy plugin tab in

AdminConsole —> Servers —-> [Your_Server_Name] —> Configuration [Tab] —> General [Sub-Tab]

  • Click on “Advanced” Link
  • Check the CheckBox in this Page “WebLogic Plug-In Enabled”

Above changes will help in undersatnding the weblogic that request coming from BIG IP was initially the SSL enabled.

Check below link for configuring WL-Proxy-SSL with BIGIP

https://support.f5.com/kb/en-us/solutions/public/4000/400/sol4443.html?sr=10058313

Man-I-n-MiddLeWare
  • 131
  • 1
  • 7
  • Thank you for your reply! I was successful in setting up 2-way SSL and make weblogic authenticate the request based on certificate's CN with a corresponding user created via weblogic admin console. This works if the client's cert was availabe to weblogic during SSL handshake (standard https way). In my case it doesnt get client cert, but an internal dummy cert. So my actual question (as in my OP) is, the client's cert is not available in standard way, but bigip team puts it in http header. How do I make weblogic read http header and then parse CN to map it to a user in its user repository? – Guru Jun 16 '15 at 02:28