    David.Turing's blog

     

    [Original] Pass SSL Certificate to Weblogic Cluster through Apache Proxy under SSL

    Pass SSL Certificate to Weblogic Cluster through Apache Proxy under SSL

    This paper introduces how to pass a client certificate to a WebLogic
    cluster through an Apache proxy under SSL.
    Before you read this paper, you may want to read another post of mine
    (not necessary):

    <<Apache Proxy with Weblogic Cluster under SSL>>
    http://www.tkk7.com/security/archive/2007/01/07/WeblogicClusterWithApacheProxyUnderSSL.html

    As far as we know, the Apache proxy plug-in does not support two-way SSL
    with a WebLogic managed server, so we should let the WebLogic managed
    server work in one-way SSL mode (see <<Weblogic Security in Action>> for
    more information).

    IE Client -> Apache Proxy -> Weblogic Cluster (Managed Server)

    Below is the configuration:

    [Httpd.conf]
    ################################
    # Added to Httpd.conf by David.Turing
    ################################
    LoadModule weblogic_module modules/mod_wl_20.so
    LoadModule ssl_module modules/mod_ssl.so

    <IfModule mod_ssl.c>
        Include conf/ssl.conf
    </IfModule>

    <Location "/examplesWebApp">
        SetHandler weblogic-handler
    </Location>

    <Location "/ssl">
        SetHandler weblogic-handler
    </Location>

    <IfModule mod_weblogic.c>
    WebLogicCluster sourcesite:8002,destsite:8002,destsite:8004
    SecureProxy ON
    TrustedCAFile C:\CertGen\CS\cs.pem
    RequireSSLHostMatch false

    Debug ALL
    WLLogFile C:\apache\logs\wls_proxy_server.txt
    </IfModule>

    [ssl.conf]
    ################################
    # Added to ssl.conf by David.Turing
    ################################
    <VirtualHost _default_:8002>
    DocumentRoot "c:/apache/htdocs"
    ServerName adserver:8002
    ServerAdmin openssl@163.com
    ErrorLog logs/error_log
    TransferLog logs/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/ssl.key/adserver_ug.crt
    SSLCertificateKeyFile conf/ssl.key/adserver_ug_key.pem
    SSLCertificateChainFile conf/ssl.key/adserver_ug_chain.crt
    SSLCACertificateFile conf/ssl.key/adserver_ug_chain.crt
    SSLOptions +ExportCertData
    SSLVerifyClient require
    SSLVerifyDepth 10

    <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "c:/apache/cgi">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>


    Let me introduce something about Apache SSL:
    1) SSLCACertificateFile is the CA certificate that is presented to the
    client before the SSL context is built.
    2) The IE client then analyses that certificate and knows which
    identity it should send to the Apache proxy for authentication (make
    sure the client has imported the correct PFX/P12 into IE).
    3) If the client has more than one certificate identity, IE pops up a
    small window to let us choose which certificate (one we already hold
    the related private key for) we want to use for the SSL handshake.
    4) Once we choose one, the selected certificate is passed to the
    Apache proxy server.
    Note:
    if you turn on the log for the WebLogic Apache plug-in, you will see
    lines like these:
    ------------------------------------------------------------
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Referer]=[http://adserver/ssl/]
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Accept-Language]=[zh-cn,en-us;q=0.5]
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Accept-Encoding]=[gzip, deflate]
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[User-Agent]=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)]
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Host]=[adserver:8002]
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Cookie]=[JSESSIONID=Fyj2GG6Tv2qyN23C6vyL1gxWlSyt0XNpQXWHvTvmm5BSylWCvdd4!-527265336]
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[Connection]=[Keep-Alive]
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[WL-Proxy-SSL]=[true]
    Sat Jan 13 17:17:16 2007 Hdrs to WLS:[WL-Proxy-Client-Cert]=[MIIC3jCCAcagAwIBAgIBCzANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQDEwJDUzE
    LMAkGA1UEBhMCQ04xCzAJBgNVBAcTAkdaMQswCQYDVQQIEwJHRDELMAkGA1UEChMCQ1MxDzANBgNVBAsTBk9OU0lURTEdMBsGCSqGS
    Ib3DQEJARYOZGh1YW5nQGJlYS5jb20wHhcNMDcwMTExMDc1MzQ0WhcNMDkwMTEwMDc1MzQ0WjB4MRIwEAYDVQQDEwlMSVhJQU9NSU4xC
    zAJBgNVBAYTAkNOMQswCQYDVQQHEwJHWjELMAkGA1UECBMCR0QxCzAJBgNVBAoTAkNTMQwwCgYDVQQLEwNCRUExIDAeBgkqhkiG9w0
    BCQEWEWxpeGlhb21pbkBiZWEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDi1JFi3hk4eTMPZrCjZSeYirw2wjL8sYdyz7lAiyIPtooL4X
    4wkAzD4gamGobBpS7DhGPQ7vH3Qxzje6I0PW4ar7tK9r9USghOBEVVedvbV7pw94z96jlIaVgkMs/gQlZFs7soKZV/gHpx3xjY1YyI4uDYttTFSs9YhMgAfRZHBwIDAQABMA0GCSqGSIb3DQEBBAUAA4IBAQBw1YKxMIHez9l0+awGkY3R6zcBM8PD0S+7fvn4KtyNKemcV
    +xBCl4NgEmdPjCCmo8OXHoLghvKQWEMF0EohDI6vtwYSkYHZ5amEk88hy7CLAp3maSRuLWKm5LsPwcbbDPxK2DS36mtDxQudZx3VSBWJBNS/
    RBxo12dtybnLEcZjmiZLVQ647aHgWtRHzWzR/H/7qooHpebB714aMCRVTX4A6ScYxsZoRsO+KYvYBotPD4nwXuBhLwzOHAhJZdIo+2VIQj/
    N1nabwnbgpv0AdeDLJeLUrnRoCUs2MLJJOfLssOruLFllvAwngvFZTYekSw6a9rug9X66n1txNH7DtjQ]
    ------------------------------------------------------------
    The certificate is already encoded into the request header
    [WL-Proxy-Client-Cert].
    At this point the Apache proxy server has got what it wanted: the
    certificate.

    Before the client's certificate is passed to the backend (WebLogic
    cluster), the Apache proxy server has already built the SSL connection
    with the WebLogic server (one-way SSL, not two-way SSL).

    On Apache 2.0 we turn on "SSLOptions +ExportCertData", which is
    equivalent to "SSLExportClientCertificates" under Apache 1.3.
    This parameter lets the Apache proxy server know that the client wants
    to pass its certificate to the WebLogic server under SSL.

    Is this configuration enough? Not yet, because the WebLogic server is
    not yet prepared to accept a client certificate from a proxy. That
    means when the Apache proxy passes certificates of its clients, WebLogic
    won't accept them.

    So we should turn on [Client Cert Proxy Enabled] on the WebLogic managed
    servers through the WebLogic Server Console.
    You can do that through:
    dizzyClusterDomain > Clusters > dizzyCluster
    General -> Client Cert Proxy Enabled, click it.
    Do that for every WebLogic managed server in the WebLogic cluster!
    Reboot your WebLogic managed servers.

    That's it. Now your WebLogic cluster can accept clients' certificates.

    Write a simple JSP (or use this one):

    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
        pageEncoding="ISO-8859-1"%>
    <%@ page import="java.security.cert.*" %>

    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Simple Test of Apache Plugin with Weblogic Cluster Under SSL</title>
    </head>
    <body>
    Hello, David.Turing.
    <br>

    <%
        String certstr = "";
        // WebLogic exposes the client certificate chain (here the one proxied
        // by the Apache plug-in) under this standard servlet attribute
        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null)
        {
            X509Certificate mycert = certs[0];   // end-entity certificate comes first
            //out.println("Has Cert from Client!");
            certstr = mycert.toString();
        }
        else
            out.println("could not get certificate from client!");
    %>
    Your Certificate (javax.servlet.request.X509Certificate) is encoded as:

    <br>
    <%=certstr%>
    </body>
    </html>
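As an added example (not the blog's own code and not WebLogic's), the following Python shows what the backend is doing once Client Cert Proxy Enabled is on: it base64-decodes the DER certificate carried in WL-Proxy-Client-Cert and reads its subject CN, and, because the identity arrives in a plain request header, it accepts that header only on a request marked WL-Proxy-SSL that actually came from the proxy's address (WebLogic's documentation pairs the setting with a connection filter for the same reason). The proxy address and the minimal, unsigned sample certificate are constructed assumptions, not values from the page.

```python
import base64

PROXY_ADDRS = {"10.0.0.2"}        # assumed address of the Apache proxy host
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def der_tlv(buf, i=0):
    """Return (tag, content, next_index) for the DER element at buf[i]."""
    n, start = buf[i + 1], i + 2
    if n >= 0x80:                 # long-form length: n & 0x7F length bytes follow
        k = n & 0x7F
        n, start = int.from_bytes(buf[start:start + k], "big"), start + k
    return buf[i], buf[start:start + n], start + n

def der_children(content):        # -> [(tag, content), ...] of a constructed element
    out, i = [], 0
    while i < len(content):
        tag, body, i = der_tlv(content, i)
        out.append((tag, body))
    return out

def subject_cn(der_cert):
    """Walk Certificate -> tbsCertificate -> subject and return its CN (or None)."""
    tbs = der_children(der_tlv(der_cert)[1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:      # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]        # serial, sigAlg, issuer, validity, subject, ...
    for _, rdn_set in der_children(subject):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, value) = der_children(atv)
            if oid == CN_OID:
                return value.decode("ascii")
    return None

def forwarded_client_cn(headers, remote_addr):
    # Only the proxy may assert a client identity, and only on an SSL-marked request
    if remote_addr not in PROXY_ADDRS or headers.get("WL-Proxy-SSL") != "true":
        return None
    raw = base64.b64decode(headers["WL-Proxy-Client-Cert"])
    if raw[:1] != b"\x30":
        raise ValueError("WL-Proxy-Client-Cert is not a DER SEQUENCE")
    return subject_cn(raw)

def tlv(tag, content):            # short-form DER encoder for the sample below
    return bytes([tag, len(content)]) + content

def sample_cert_header():
    """Constructed, unsigned stand-in for a DER certificate (not the page's)."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x13, cn))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x0b") + tlv(0x30, b"")
           + name(b"CS") + tlv(0x30, b"") + name(b"alice") + tlv(0x30, b""))
    cert = tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return base64.b64encode(cert).decode("ascii")
```

A real deployment would additionally verify the decoded certificate's signature against the CA file the proxy trusts; the sample certificate here is unsigned, so that step is omitted.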


    posted on 2007-01-13 19:19 by david.turing, reads (5404), comments (0), category: Security
