weblogic - mutual authentication - read certificate from HTTP header

I have a couple of java servlets which need to be secured with Mutual authentication with X509 certificates. I used the information from here to implement mutual authentication and it works fine on my machine.

Now our integration environment has BigIP for load balancing traffic to weblogic. The SSL is terminated at BigIP and it forwards the https request to weblogic using an internal certificate instead of the client's certificate it got with the original https request. So mutual auth is not working.

The BigIP team says they can put the client's certificate in the HTTP header (SSL_CLIENT_CERT), and I am not sure how to configure weblogic to read client's cert from http header.

Do I need to write a custom Identity assertion provider and configure it in weblogic?? Is this the best approach or do I have any other option?

Any help on this is greatly appreciated!!

It is necessary to configure the identity asserter if you are using two-way SSL to verify the client identity and to use it to restrict access to the application. If you are using two-way SSL with a signed CA (Verisign etc.) it will be only used for trust, not for authentication or any type of application access restriction.

Check the link below for a detailed clarification of the above:

http://www.oracle.com/technetwork/articles/damo-howto-091164.html

You can follow your steps for configuring X509 Certificate Authentication for WebLogic Server.

Along with the above you need to follow the steps below:

1) Make sure that BIG-IP handles the client certificate and client key, which can be configured in the HTTPS monitor in BIG-IP.

2) Configure the BIG-IP to insert a header named WL-Proxy-SSL: with a value of true into each request.

3) Enable the WebLogic proxy plugin tab in

AdminConsole -> Servers -> [Your_Server_Name] -> Configuration [Tab] -> General [Sub-Tab]

  • Click on "Advanced" Link
  • Check the CheckBox in this Page "WebLogic Plug-In Enabled"

The above changes will help WebLogic understand that a request coming from BIG-IP was initially SSL-enabled.

Check the link below for configuring WL-Proxy-SSL with BIG-IP:

https://support.f5.com/kb/en-us/solutions/public/4000/400/sol4443.html?sr=10058313
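Added example, not code from the question or the answer above: a Java servlet filter that reads the certificate BIG-IP places in the SSL_CLIENT_CERT header, honours it only on connections that came from the load balancer, and accepts it only if it chains to a CA in a truststore. The proxy address list and truststore path are assumed filter init-params, the header is assumed to carry the PEM form of the certificate, and the filter name and attribute handling are my own choices rather than anything WebLogic or F5 mandate.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ClientCertHeaderFilter implements Filter {
    private Set<String> proxyAddresses; // assumed init-param: comma-separated BIG-IP addresses
    private PKIXParameters pkix;        // trust anchors: the CAs in the assumed truststore init-param
    @Override public void init(FilterConfig cfg) throws ServletException {
        proxyAddresses = new HashSet<>(Arrays.asList(cfg.getInitParameter("proxyAddresses").split(",")));
        try (InputStream in = new FileInputStream(cfg.getInitParameter("truststore"))) {
            KeyStore ts = KeyStore.getInstance("JKS");
            ts.load(in, null); // null password: read the store without an integrity check (assumption)
            pkix = new PKIXParameters(ts);
            pkix.setRevocationEnabled(false); // assumption: revocation is checked at BIG-IP
        } catch (GeneralSecurityException | IOException e) {
            throw new ServletException("cannot load truststore", e);
        }
    }

    // Header value is assumed to be PEM, possibly with its line breaks flattened to spaces. Returns the
    // certificate only if it parses and PKIX validation (signature, validity, chain to an anchor) passes.
    X509Certificate validatedCert(String header) {
        if (header == null) return null;
        String b64 = header.replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "").replaceAll("\\s", "");
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(Base64.getDecoder().decode(b64)));
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(Collections.singletonList(cert)), pkix);
            return cert;
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null; // not base64, not a certificate, or not chained to a trusted CA
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        // The header only means something when BIG-IP set it, so it is ignored on any other connection.
        X509Certificate cert = proxyAddresses.contains(req.getRemoteAddr())
                ? validatedCert(((HttpServletRequest) req).getHeader("SSL_CLIENT_CERT")) : null;
        if (cert == null) { ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        req.setAttribute("javax.servlet.request.X509Certificate", new X509Certificate[] { cert });
        chain.doFilter(req, res); // downstream servlets now see the certificate as on a direct SSL connection
    }
    @Override public void destroy() {}
}
```

If the client certificates are issued by an intermediate CA rather than directly by a trust anchor, the intermediates have to be made available to the validator through a CertStore added to the PKIXParameters.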
