Ssl – Certificate Authentication from Salesforce.com through a reverse proxy

apache-2.2authenticationreverse-proxyssl

I am attempting to allow Salesforce.com to connect to a biztalk instance that sits inside our corporate network. In between, is a reverse proxy and a series of firewalls.

When a standard HTTP request is made against the reverse proxy, the biztalk server responds correctly. It is important to note, that the reverse proxy itself appears to be working correctly.

What I need to do is enable security, limiting access to this web service to authorized clients. Initially, this is just Salesforce.com.

Salesforce.com has provided their SSL Certificate for authentication, andI have placed this certificate in the httpd.conf file with the SSLCACertificateFile Directive.

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /opt/apache/veri/auth.crt

When SalesForce connects and these directives are in use, the error "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" is generated.

Removing the SSLVerifyClient require, and normal operations resume.

Best Answer

Here's the problem:

SSLCACertificateFile /opt/apache/veri/auth.crt

As you can see in the apache documentation, SSLCACertificateFile means the path to the issuing CA certificate for the client certificate, not to the client certificate itself. There is no way to require a particular client certificate as such. What you can do, however, is to require that the certificate be issued by a particular CA and then verify the CN of the certificate.

So, you need to ask your client to send you the public part of the certificate that signed their certificate. You also need to check what CN their certificate contains:

$ openssl x509 -in path/to/clientcert.crt  -noout -text|grep Subject|grep CN
        Subject: C=US, ST=Something, L=Something, O=Organization Name, OU=SomeOU, CN=host.name.example.com

Then change your configuration to look like this:

SSLVerifyClient require
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "host.name.example.com" 
SSLVerifyDepth 1
SSLCACertificateFile /opt/apache/veri/auth.crt

This tells Apache that it will accept an SSL connection but only if the hostname in the certificate is host.name.example.com and the certificate has been signed by the certificate authority whose certificate is in /opt/apache/veri/auth.crt.

There is more information at the mod_ssl documenation at Apache with several examples of how you can use SSLRequire to test for variables in client certificates.

Related Solutions

The difference between Load Balancer and Reverse Proxy

Your confusion is reasonable - they are often the same thing. But not always. When you refer to a load balancer you are referring to a very specific thing - a server or device that balances inbound requests across two or more web servers to spread the load. A reverse proxy, however, typically has any number of features:

load balancing: as discussed above
caching: it can cache content from the web server(s) behind it and thereby reduce the load on the web server(s) and return some static content back to the requester without having to get the data from the web server(s)
security: it can protect the web server(s) by preventing direct access from the internet; it might do this through simple means by just obfuscating the web server(s) or it may have some more active components that actually review inbound requests looking for malicious code
SSL acceleration: when SSL is used; it may serve as a termination point for those SSL sessions so that the workload of dealing with the encryption is offloaded from the web server(s)

I think this covers most of it but there are probably a few other features I've missed. Certainly it isn't uncommon to see a device or piece of software marketed as a load balancer/reverse proxy because the features are so commonly bundled together.

Ssl – how to download the ssl certificate from a website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Best Answer

Related Solutions

The difference between Load Balancer and Reverse Proxy

Ssl – how to download the ssl certificate from a website

Related Topic