
I have deployed a Liberty app on IBM Cloud. I have set up a custom domain and selected "request client certificate" so that clients have to send a certificate to access the app over TLS. I see that client authentication does work, but I do not get any client certificate information in my app. This makes client certificate authentication a bit useless, as I would want to know the ID of the client which accessed my app. Any help/pointers appreciated.

I looked at the attributes of the request. Two attributes are passed in the request: _com.ibm.websphere.servlet.uri_non_decoded_ with value /dummyRelPath and _javax.servlet.request.cipher_suite_ with value ECDHE-RSA-AES256-GCM-SHA384. There's no attribute with the name javax.servlet.request.X509Certificate passed in the request.

jeet

1 Answer


Does:

// import java.security.cert.X509Certificate;
X509Certificate[] certs = (X509Certificate[])
      request.getAttribute("javax.servlet.request.X509Certificate");

not return any certificates?

In Cloud Foundry on Bluemix, your client should be handshaking with a DataPower proxy. That proxy adds a custom header to indicate the TLS client cert that was provided; it is then passed through the CF gorouter and finally passed to the JVM.

WebSphere Liberty then surfaces that through the API above.

This is communicated through the $WSCC request header. If the API returns null, it's most likely that the header was dropped or never set by the infrastructure, rather than making it all the way there and the API mysteriously losing track of it. You could dump the request headers, looking for this one in particular, and maybe something will stand out (some surprise hop/proxy).

covener
  • It doesn't, even though it seems this is the convention. I also mentioned in my question that it only sends 2 attributes, and that does not include this one. – jeet Feb 23 '18 at 04:55
  • Is this a cloud foundry app? Or a container service? or something else? – covener Feb 23 '18 at 11:42
  • This is a cloud foundry app using liberty for java buildpack. – jeet Feb 23 '18 at 11:49
  • I added some more background, above – covener Feb 23 '18 at 23:04
  • I printed all the headers and see that the certificate is sent under the header name $WSCS. Since this is not the standard way, it would be good if this could be documented here, where the other important headers are listed: _https://console.bluemix.net/docs/security/index.html#security_ – jeet Feb 26 '18 at 06:41