Skip to Content
author's profile photo Former Member
Former Member

XI behind Reverse Proxy with Client Certificate authentication

Hi all,

I have an SAP XI 3.0 in an inner DMZ. This XI is to communicate with some Business Connectors from the outside world. To reach the XI the BC's need to contact an apache that is configured as a reverse proxy. The overall communication shall be encrypted using SSL.

Everything works fine so far, as long as I use username/passwords to authenticate the Business Connector to the XI. But now I want the BC's to authenticate themself to the XI using a x.509 Client certificate.

The problem with this scenario is, that the XI and BC'S do not have a direct connection between each other as the proxy sits in the middle. The Proxy is to terminate the SSL connection coming in and, at this point, I loose the client certificate.

I learned from some research on the net and in the depth of the apache documentation that there is the possibility to configure the apache in such a way that it will put the BC'S client certificate in a RequestHeader variable and pass it along to the backend - in this case the XI.

How can I configure the XI to use such a certificate for authentication???

               |                    |
               |   terminates SSL   |
+--------+     |     +--------+     |   +--------+
|   BC   |-----|---->| apache |-----|-->|   XI   |
| cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
+--------+     |     +--------+     |   +--------+
               |                    |
initiates      |     encrypts       |   client logon
connection    FW1    with cert-2   FW2  with cert-1

As can be seen in the crude picture above: The BC initiates the SSL connection to the apache.

The apache's cert-2 is used for encryption and the BC is prepared to authenticate itself using his client cert-1.

After the SSL connection between client and apache is established, the apache initiates a new SSL connection to the XI. This connection is encrypted with cert-3 of the XI. Now the XI want's the client (it obviously thinks that this client is the BC) to authenticate itself using client certificate instead of with a normal username/password pair. This, of course, fails at the moment, because the certificate of the apache has no rights in my XI application and the BC's cert-1 is lost due to the apache terminating the SSL connection.

Now again my question: Can I configure the XI to accept the BC certificate cert-1 when it is NOT presented to him as part of the normal SSL Handshale but rather in the form of a Header variable added to the HTTP data stream?

Kind regards,

Christian Guenther

Add a comment
10|10000 characters needed characters exceeded

Related questions

2 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Sep 18, 2008 at 12:46 PM


    do you ever got an answer? I am really interested in this issue.

    Best regards,


    Edited by: Nils Kloth on Sep 18, 2008 3:36 PM

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Sep 19, 2008 at 05:56 AM

    Same here. My first thoughts are this will not be possible. The Cert has to be a part of the Normal SSL handshake. But then, I am not the SME on this and hence would love to hear on this as well.

    Any takers? 😊



    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.