XI behind Reverse Proxy with Client Certificate authentication

Former Member

Hi all,

I have an SAP XI 3.0 in an inner DMZ. This XI is to communicate with some Business Connectors from the outside world. To reach the XI, the BCs need to contact an Apache that is configured as a reverse proxy. The overall communication shall be encrypted using SSL.

Everything works fine so far, as long as I use username/password to authenticate the Business Connector to the XI. But now I want the BCs to authenticate themselves to the XI using an X.509 client certificate.

The problem with this scenario is that the XI and the BCs do not have a direct connection to each other, as the proxy sits in the middle. The proxy is to terminate the incoming SSL connection and, at this point, I lose the client certificate.

I learned from some research on the net and in the depths of the Apache documentation that there is the possibility to configure Apache in such a way that it will put the BC's client certificate in a RequestHeader variable and pass it along to the backend - in this case the XI.

How can I configure the XI to use such a certificate for authentication?


               |                    |
               |   terminates SSL   |
+--------+     |     +--------+     |   +--------+
|   BC   |-----|---->| apache |-----|-->|   XI   |
| cert-1 | SSL |     | cert-2 | SSL |   | cert-3 |
+--------+     |     +--------+     |   +--------+
               |                    |
initiates      |     encrypts       |   client logon
connection    FW1    with cert-2   FW2  with cert-1

As can be seen in the crude picture above: the BC initiates the SSL connection to the Apache.

The Apache's cert-2 is used for encryption, and the BC is prepared to authenticate itself using its client cert-1.

After the SSL connection between client and Apache is established, the Apache initiates a new SSL connection to the XI. This connection is encrypted with cert-3 of the XI. Now the XI wants the client (it obviously thinks that this client is the BC) to authenticate itself using a client certificate instead of a normal username/password pair. This, of course, fails at the moment, because the certificate of the Apache has no rights in my XI application and the BC's cert-1 is lost due to the Apache terminating the SSL connection.

Now again my question: can I configure the XI to accept the BC certificate cert-1 when it is NOT presented to it as part of the normal SSL handshake but rather in the form of a header variable added to the HTTP data stream?

Kind regards,

Christian Guenther
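The Apache side of the setup described in the post (terminate SSL from the BC, require its client certificate, re-encrypt towards XI, and hand the BC certificate to the backend in a request header), written out as an added example. This is not configuration from the original post or from SAP; all file paths, host names, the port and the header names are assumptions, and what XI then does with the header is a separate question that this thread does not answer.

```apache
# Added example, not from the original post. Apache 2.2-style reverse proxy
# for the BC -> apache -> XI chain. Paths, hosts, port and header names are
# assumptions; adjust to the real landscape.

Listen 443
<VirtualHost *:443>
    ServerName proxy.example.com

    # --- front leg: BC -> apache. Apache presents cert-2, BC presents cert-1.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/cert-2.pem
    SSLCertificateKeyFile /etc/apache2/ssl/cert-2.key
    # CA(s) allowed to have issued the BC client certificates (cert-1)
    SSLCACertificateFile  /etc/apache2/ssl/bc-client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
    # ExportCertData makes the PEM of the client cert available as SSL_CLIENT_CERT
    SSLOptions +StdEnvVars +ExportCertData

    # Never let the BC (or anyone else on the outside) inject these headers:
    # drop any client-supplied copy, then set our own from the verified handshake.
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader unset X-SSL-Client-DN
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}s"

    # --- back leg: apache -> XI. XI presents cert-3; apache may present cert-2.
    SSLProxyEngine on
    # CA that issued cert-3, so the proxy does not talk to an impostor XI
    SSLProxyCACertificateFile /etc/apache2/ssl/xi-server-ca.pem
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # Optional: authenticate the proxy itself to XI with cert-2 (PEM with key)
    SSLProxyMachineCertificateFile /etc/apache2/ssl/cert-2-with-key.pem

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / https://xi.internal.example.com:50001/
    ProxyPassReverse / https://xi.internal.example.com:50001/
</VirtualHost>
```

Two checks a practitioner would want before relying on this: first, the header is only as trustworthy as the path to XI, so FW2 (or an XI-side check of the proxy's own certificate) must ensure that nothing except this proxy can reach XI and present an SSL_CLIENT_CERT header, otherwise anyone with direct access to XI can forge a BC identity. Second, the exported PEM is a multi-line value; verify on the versions actually in use that the header survives the proxy hop intact and that the backend receives exactly the proxy's copy and not a concatenation with a client-supplied one.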


Answers (2)


bhavesh_kantilal
Active Contributor

Same here. My first thought is that this will not be possible. The cert has to be a part of the normal SSL handshake. But then, I am not the SME on this and hence would love to hear about this as well.

Any takers?

Regards

Bhavesh

Former Member

Hi,

Did you ever get an answer? I am really interested in this issue.

Best regards,

Nils

Edited by: Nils Kloth on Sep 18, 2008 3:36 PM