Making a two way SSL authentication between apache httpd reverse proxy and Tomcats

Scis picture Scis · Jul 4, 2012 · Viewed 16.4k times · Source

I have an Apache HTTPD working as a reverse proxy, and Tomcat(6.0.35) server(s), what I'm trying to achieve is that there will be mutual trust between the Tomcat server and the reverse proxy. Meaning that when reverse proxy forwards a request it will present it's own certificate that will be imported into Tomcat's truststore file thus making the Tomcat accept requests only when they really are made by the reverse proxy(and if possible maybe even check that the tomcat's certificate is a certain specific certificate). I have managed to setup a Tomcat that requires a client certificate and it works perfectly but the correct reverse proxy configuration seems to be eluding me.

Answer

Bruno picture Bruno · Jul 4, 2012

You should try the SSLProxyMachineCertificateFile option and point it to a file containing your client certificate and its (unencrypted) private key in PEM format.