WAS Liberty Profile和IBM HTTP Server之间的相互SSL [英] Mutual SSL between WAS Liberty Profile and IBM HTTP Server
问题描述
我想在WAS自由配置文件上打开客户端身份验证,以便Web服务器与应用程序服务器之间的通信使用相互SSL.
I'd like to turn on client authentication on WAS liberty profile so that the communication b/w the web server and the app server is in mutual SSL.
在IHS上,我有一个插件文件,用于使用密钥环和存储文件在HTTPS中转发到应用服务器的流量.它正在工作,并且将流量转发到WLP.
On IHS, I have a plugin file to FW the traffic to the app server in HTTPS with a keyring and stashfile. It is working and FW the traffic to the WLP.
在WLP的server.xml上,我打开客户端身份验证以通过在<ssl>元素中提供clientAuthentication ="true"来强制WLP对证书进行身份验证.
On WLP's server.xml I turn on the client authentication to enforce the WLP to authenticate the certificate by giving clientAuthentication="true" in the <ssl> element.
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthentication="true" />
我尝试通过使用带有https地址(没有任何客户端证书)的浏览器直接命中应用服务器来验证这一点,并且期望访问被拒绝.如果相互SSL已启动并正在运行,则通过应用服务器访问应用服务器应授予访问权限.但是,无论是直接访问应用服务器还是通过Web服务器访问,我都可以访问资源.
I try to validate this by directly hitting the app server using browser with https address (without any client certificate) and expected to get a access denied. And to access the app server via the app server should grant access if mutual SSL is up and running. However, both hitting the app server directly or via web server, I can access the resource.
此设置显然不正确或不完整.有什么想法吗?
This set up clearly isn't correct or not complete. Any thoughts?
推荐答案
我解决了.我错过的是<httpEndpoint>中的<sslOptionRef id="defaultSSLConfig" />.我的印象是,它将自动获取我在server.xml中定义的一个<ssl>元素.但是,如果没有sslOptionRef,则客户端身份验证将无法正常工作,并且不会对客户端进行身份验证.
I have it resolved. What I missed was the <sslOptionRef id="defaultSSLConfig" /> inside <httpEndpoint>. I was under impression that it would automatically pick up the olny one <ssl> element I defined in server.xml. But without the sslOptionRef, client authentication somehow doesn't work and does not authenticate the client.
现在,在server.xml中定义了<sslOptionRef>的情况下,客户端身份验证可以正常工作,我只能通过浏览器中https的Web服务器访问WLP应用服务器.
Now with <sslOptionRef> defined in server.xml, the client authentication is working fine that I can only access the WLP app server via my web server in my browser in https.
这篇关于WAS Liberty Profile和IBM HTTP Server之间的相互SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
