Forum Discussion

maintenance_ssi's avatar
maintenance_ssi
Icon for Nimbostratus rankNimbostratus
Sep 18, 2018

F5, HTTPD and Mod_jk and Tomcat full HTTPS

Hi,

 

I have the following architecture :

 

Client => F5 => HTTPD => Mod_jk => Tomcat 8 IE : HTTPS -> HTTPS-> HTTPS -> AJP/13 -> AJP/13/SSL Connector

 

My application asks to the browser client a certificate to authenticate.

 

The previous solution was to attach the client certificate to the header and, I don't know how, build a X509 Object with. But the previous application was running on jBoss and there was no httpd server between F5 and him.

 

Do you think that there is a solution to make it works without using a level 4 SSL proxy ?

 

(I've build a tomcat application that show header values and they are OK, but the attribute java.security.cert.X509Certificate is always null, except if I bypass F5)

 

thank you very much,

 

Best regards

 

Yann Boulanger

 

  • We also try to let tomcat build the connection without wrapping anything on tomcat level Thank you,

     

    Yann

     

  • I'm thinking java.security.cert.X509Certificate would only get populated if httpd was actually consuming the client certificate. There are probably a few options here:

     

    • Configure the new mode_jk/tomcat services to consume the certificate as an HTTP header. This was likely done by base64-encoding the client's certificate in PEM form and simply passing as a header.

       

    • Use APM to do the client side certificate auth, then do Kerberos on the server side.

       

    • Use the Client Certificate Constrained Delegation (C3D) function, available in 13.1, to forge a client certificate to the server. In this approach, the F5 consumes and validates the client certificate, and then a local CA cert/key re-issues a client certificate to the backend server, copying all of the necessary attributes from the original client cert. The server just needs to trust the local CA. This also allows you to explicitly decrypt and re-encrypt the traffic at the F5. Ref: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/4.html