I'd like to authenticate my clients using SSL client certs, but just for some urls within an application? So I'd like:
site1/url1 does not ask for client certificate
site1/url2 requires that the client is using a valid client cert
With Apache you can do it with SSLClientVerify, but this option does not work with IHS. I have checked some URLs, but none of them answers my problem.
https://developer.ibm.com/answers/questions/246111/ihs-ssl-mutual-authentication-for-only-some-pages.html
Any clue?
Thanks.
It was not possible to do it with IHS, I changed it to Apache.
Related
When I try to hit Keycloak 6 behind an Azure gateway (reverse proxy) using SSL/HTTPS I get a "We're Sorry HTTPS Required" error in my browser. In the Keycloak log I see
[org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=x.x.x.x, error=ssl_required
I'm assuming I misconfigured something along the way but I can't figure out what it is.
I followed these instructions to set up SSL in Keycloak 6 behind a reverse proxy:
https://www.keycloak.org/docs/latest/server_installation/index.html#setting-up-https-ssl
I did NOT do any certificate creating/importing because the guide says "If you are not using a reverse proxy or load balancer to handle HTTPS traffic for you, you’ll need to enable HTTPS for the Keycloak server. This involves
Obtaining or generating a keystore that contains the private key and certificate for SSL/HTTP traffic
Configuring the Keycloak server to use this keypair and certificate."
My question is, do I need to do the certificate creating/importing anyway, even if I'm behind the reverse proxy? If not, any other ideas?
Please note: I am running the Keycloak stand alone server, not using it as an overlay on any other server container like Wildfly
Found the answer on this thread.
why is keycloak removing the SSL in the redirect uri?
Bottom line, you don't need to generate/install the cert AND there is an undocumented attribute
proxy-address-forwarding="true"
How to add secured ssl support in the thunderpush websocket server, i was looking in there doc but did not find any answers how to add the certificate file to the server.
not sure how we can achieve it.
Never tried it, but I guess you can use a haproxy with ssl terminate setup. Haproxy will accept ssl traffic and forward it to non ssl thunderpush backend.
Regards,
Vangelis
I am quite confused here:
I use DNSMadeeasy to manage my DNS. I have two apps.
One is Heroku hosted, and has https on https://example.com - Heroku has many great tutorials to setup the certificate, it hasn't been a problem.
The other one is a wordpress, hosted in 1and1 (though it shouldn't matter here), and is reachable at http://subdomain.example.com and we want it to be available at https://subdomain.example.com
1and1 does sell SSL certificate, but their automated setup works only when one uses their services for DNS also, as they say. Their support says it should be DNSMadeEasy which should be hosting our SSL certificate. I have the feeling it is not true, because for https://example.com, DNSMadeEasy was never involved.
Questions:
When does certificate querying occurs? Before, After, or in parallel of DNS resolution?
Who is hosting a certificate? The DNS provider? The server (accessible like a sitemap.xml at the root for instance)? A third party?
To enlarge the case, in general if I have a personal server with a fix IP, how can I communicate through https with a valid certificate?
In my case, how can I get my way out of it to make https://subdomain.example.com work?
You are right for not believing the 1and1 suggestion.
To answer your questions:
When does certificate querying occurs? Before, After, or in parallel
of DNS resolution?
A client resolves domain name to an IP address first. So DNS resolution happens first.
Who is hosting a certificate?
The server (in simplistic terms) hosts the certificate.
When a client wants to connect to your site (via HTTPS) it will first establish a secure connection with that IP address on port 443 (this is why usually (without SNI) you can only have one SSL certificate per IP address). As part of this process (which is called handshake) a client can also specify a server name (so-called server name extension) - this is a domain name of your site. This is useful if you have an SSL certificate that is valid for multiple domains.
A good/detailed explanation how it works can be found here
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
if I have a personal server with a fix IP, how can I communicate
through https with a valid certificate?
Your server will need to be able to respond on port 443 and have/host an SSL certificate for a domain that resolves to that IP address.
In my case, how can I get my way out of it to make
https://subdomain.example.com work?
You need to purchase a certificate for subdomain.example.com and install it on the wordpress server.
Usually in hosted solution like yours you have 2 options:
Buy the SSL certificate via the provider (1and1 in your case) - a simpler option, they will configure everything for you.
Buy the SSL certificate yourself. Here you will most likely need to login to your 1and1/Wordpress management interface and generate a CSR (essentially a certificate request). Then you purchase the SSL certificate using this CSR and then you can install it via the same management interface.
The process will look similar to this:
http://wpengine.com/support/add-ssl-site/
I m using Oracle HTTP Server as reverse proxy for WebLogic. I have set up SSL on both the proxy and the server with client certificate authentication. It works and the clients get authenticated by OHS, but i need to pass client certificate information to WebLogic so i can look at this certificate in my servlet. Documentation says that the proxy can forward client certificate within "WL-Proxy-Client-Cert" http header to the WebLogic server.
However, i can't get this to work. Within my servlet i tried both request.getHeader() and request.getAttribute() and getting null. I looked at both headers and attributes of the request objects and don't see anything like WL-Proxy-Client-Cert. In fact i don't see any headers starting with WL, only couple of headers starting with X-WebLogic, none of which has the certificate.
I did enable "Client Cert Proxy Enabled" option in Administration Console as described in the docs. Also i know that clients get authenticated since i see the certificate requested by the browser, after which i can successfully access the site.
Am i missing something?
I have finally got an answer from Oracle support on this. The problem was that i had to add one SSL directive to my virtual host configuration:
SSLOptions +ExportCertData
It goes under "IfModule ossl_module", right next to "SSLVerifyClient require" directive that specifies 2-way authentication for the proxy.
Note that after this, in the servlet, the certificate will be present in the usual "javax.servlet.request.X509Certificate" attribute, as if the server was doing client certificate authentication itself (no extra headers are received).
Also, note that you can have the server use 1-way SSL, if you feel secure with authentication done by the proxy, and you will still receive the certificate in the attribute in your servlet (in this case you should probably add a filter as they recommend to ensure the requests come from the proxy only). I have a feeling it will work even if the server port is regular http, though i haven't tested it yet.
I have a WCF web service that is setup to use Message based security. The service is using a wildcard certificate for securing the message: *.domain.com
After renewing the SSL cert, the service now throws the following error:
"Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was '*.domain.com' but the remote endpoint provided DNS claim 'domain.com'. ..."
How do I fix this so the service still responds with *.domain.com as the DNS claim?
Unfortunately updating the client configs is not really an option to use the new DNS claim via the DNS identity property.
Thanks,
Mark
This is an bug in WCF. Visit the connect site and upvote if its a blocking issue. http://connect.microsoft.com/wcf/feedback/details/683178/wcf-x509-certificate-validation-only-checks-last-dnsname-in-subject-alternative-name
Turns out the issue was with the SANs list on the Wild Card Cert. The order that the domains were listed were:
*.domain.com
domain.com
WCF was basically always resolving to the last item in the SANs list. I did stumble across a few articles where Office Communicator had a similar issue. I'm not sure if this is a WCF bug or not.
My solution was to ask the Certificate Authority to generate me a wildcard cert without the SANs attribute.
The dns setting for the client is simply used to verify the certificates authenticity, so you can simply set the dns of the client to "domain.com" instead of "service.domain.com".