Posted to users@httpd.apache.org by "Guenther, Christian" <Ch...@realtech.com> on 2005/09/15 13:49:53 UTC

AW: AW: [users@httpd] SSL termination on apache but client certificate routed through

Hi Allan,  Hi List,

I see the topic is much more complicated than I first thought. I think my 
main problem comes from the fact that what my customers (those 
farmer guys) want breaks what is the basis of the technical SSL
implementation: terminating the SSL communication in the middle
but in the same instance using the certificates to authenticate each 
other :(

>> This application server is essentially SAP XI (an XML driven data 
>> exchanger)
>> and the client is a so called Business Connector. It is actually the 
>> client, the BC, that wants to pass some data about harvested stuff  like 
>> grain or so to the XI so that they get written into the SAP system. By 
>> the way, the client is a PDA that sits on top of some tractor on some field
>> in the countryside.
>
>ok, all of this is way out of my league ;)
Of mine too. I'm a security consultant :-)

>but it still sounds as it is the actual application server that is 
>handling the validation of a given client certificate (and not some of 
>your custom made code). 

To be honest, there is no such thing as custom made code on the appserver
side :-(

>if that is the case i have no idea how you would 
>let the client - the BC - pass the cert in a manner so the backend would 
> be forced to validate it, sorry.

Well, the application server - the XI - is highly configurable. I'm in parallel on 
the XI developer list and asked those guys if there is a chance to change
the XI so that it takes the client certificate from the RequestHeader.
Let's see how those guys at SAP are dealing with my inquiry.

>> The application server (XI) is a system with high security requirements and
>> can therefore not be placed in a normal DMZ but needs to be secured by
>> the proxy.
>
>hmm ok, so it is actually strictly necessary to run ssl on apache 
>(reverse proxy)? i gather you cannot bypass apache on https in your set 
>up ? and since you run the backend with ssl you sort of have a "double" 
>ssl connection in certain circumstances.
>
>would it be possible to do this (i am asking the list too) ?
>
>client connects on ssl to apache with client certificate.
>apache forwards request to, say, a cgi program. program connects to 
>backend via ssl and pass client certificate data on behalf of the 
>original client. backend validates client certificate and send some kind 
>of response. program picks up data from response and now sends an http 
>redirect to the original client request. the redirected page will 
>contain the backend response/data.

>i guess im thinking pretty traditional web environment, not tractor 
>environment.
lol


>> what i don't understand at this point, is why you want the validating
>> done at  the backend at all, when you could have all this done at the
>> frontend.
> 
> 
> Because the XI requires authentication before it would let anyone talk to 
> it.
> And there are different frontends that have access to different data - 
> the application server needs to distinguish them.
>
>
>and it is not possible to have all the different frontend hit apache 
>first i reckon, like:
>
>some client -> whatever frontend -> apache (reverse proxy) -> backend

Well, the traffic goes like:

  +--+        +--------+         +----+
  (BC) -----> | apache | ------> | XI |
  +--+        +--------+         +----+

and both BC and XI are meant to think they are talking to each other directly.
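An added example, not from Christian's or Allan's messages: an Apache (mod_ssl, mod_headers, mod_proxy) reverse proxy configuration that terminates the BC's client-certificate SSL session, opens a second SSL session to the XI, and relays the verified certificate identity in request headers, which is the "take the client certificate from the RequestHeader" approach discussed above. Hostnames, file paths and header names are placeholders, and it assumes mod_headers with `%{VAR}s` support (Apache 2.2 or later); the XI side must still be configured to read those headers and to accept them only from this proxy.

```apache
# Added example, not from the thread: Apache 2.2+ reverse proxy
# terminating the BC's client-cert SSL session and relaying the
# verified identity to the XI in request headers. Hostnames, paths
# and header names are placeholders.
<VirtualHost *:443>
    ServerName proxy.example.com

    # Leg 1: BC -> apache. Apache, not the XI, now verifies the
    # tractor's certificate, so it needs the CA the XI would trust.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.key
    SSLCACertificateFile  /etc/apache2/ssl/farmer-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 1
    # Also exposes SSL_CLIENT_* to CGI scripts (Allan's CGI variant).
    SSLOptions +StdEnvVars

    # "set" (never "append") overwrites any same-named header the BC
    # sent itself, so the XI only sees values Apache established.
    # SSL_CLIENT_CERT (the full PEM) spans several lines and is not a
    # valid single header value; forward it only in a format the XI
    # documents. The attributes below are single-line.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"

    # Leg 2: apache -> XI over its own SSL session. Apache presents a
    # machine certificate (cert + key in one PEM file); the XI should
    # honour the X-SSL-* headers only from that identity and be
    # reachable only through this proxy.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile      /etc/apache2/ssl/xi-ca.pem
    SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-to-xi.pem
    ProxyRequests Off
    ProxyPass        / https://xi.internal.example/
    ProxyPassReverse / https://xi.internal.example/
</VirtualHost>
```

With this, the BC still authenticates with its certificate and the XI still gets a certificate-based identity, but the XI is trusting the proxy's verification rather than doing its own, which is exactly the trade-off the thread is circling around.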