Skip to Content
Former Member
Sep 15, 2005 at 09:36 AM

XI behind Reverse Proxy with Client Certificate authentication


Hi all,

I have an SAP XI 3.0 in an inner DMZ. This XI is to communicate with some Business Connectors from the outside world. To reach the XI the BC's need to contact an apache that is configured as a reverse proxy. The overall communication shall be encrypted using SSL.

Everything works fine so far, as long as I use username/passwords to authenticate the Business Connector to the XI. But now I want the BC's to authenticate themself to the XI using a x.509 Client certificate.

The problem with this scenario is, that the XI and BC'S do not have a direct connection between each other as the proxy sits in the middle. The Proxy is to terminate the SSL connection coming in and, at this point, I loose the client certificate.

I learned from some research on the net and in the depth of the apache documentation that there is the possibility to configure the apache in such a way that it will put the BC'S client certificate in a RequestHeader variable and pass it along to the backend - in this case the XI.

How can I configure the XI to use such a certificate for authentication???

               |                    |
               |   terminates SSL   |
+--------+     |     +--------+     |   +--------+
|   BC   |-----|---->| apache |-----|-->|   XI   |
| cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
+--------+     |     +--------+     |   +--------+
               |                    |
initiates      |     encrypts       |   client logon
connection    FW1    with cert-2   FW2  with cert-1

As can be seen in the crude picture above: The BC initiates the SSL connection to the apache.

The apache's cert-2 is used for encryption and the BC is prepared to authenticate itself using his client cert-1.

After the SSL connection between client and apache is established, the apache initiates a new SSL connection to the XI. This connection is encrypted with cert-3 of the XI. Now the XI want's the client (it obviously thinks that this client is the BC) to authenticate itself using client certificate instead of with a normal username/password pair. This, of course, fails at the moment, because the certificate of the apache has no rights in my XI application and the BC's cert-1 is lost due to the apache terminating the SSL connection.

Now again my question: Can I configure the XI to accept the BC certificate cert-1 when it is NOT presented to him as part of the normal SSL Handshale but rather in the form of a Header variable added to the HTTP data stream?

Kind regards,

Christian Guenther