F5, HTTPD and Mod_jk and Tomcat full HTTPS

Question

Hi,&nbsp;
I have the following architecture :&nbsp;
Client =&gt; F5 =&gt; HTTPD =&gt; Mod_jk =&gt; Tomcat 8
IE :
HTTPS -&gt; HTTPS-&gt; HTTPS -&gt; AJP/13 -&gt; AJP/13/SSL Connector&nbsp;
My application asks to the browser client a certificate to authenticate.&nbsp;
The previous solution was to attach the client certificate to the header and, I don't know how, build a X509 Object with. But the previous application was running on jBoss and there was no httpd server between F5 and him.&nbsp;
Do you think that there is a solution to make it works without using a level 4 SSL proxy ?&nbsp;
(I've build a tomcat application that show header values and they are OK, but the attribute java.security.cert.X509Certificate is always null, except if I bypass F5)&nbsp;
thank you very much,&nbsp;
Best regards&nbsp;
Yann Boulanger&nbsp;

maintenance_ssi · Answer

We also try to let tomcat build the connection without wrapping anything on tomcat level
Thank you,&nbsp;
Yann&nbsp;

kevin_stewart · Answer

I'm thinking java.security.cert.X509Certificate would only get populated if httpd was actually consuming the client certificate. There are probably a few options here:&nbsp;

Configure the new mode_jk/tomcat services to consume the certificate as an HTTP header. This was likely done by base64-encoding the client's certificate in PEM form and simply passing as a header.

Use APM to do the client side certificate auth, then do Kerberos on the server side.&nbsp;

Use the Client Certificate Constrained Delegation (C3D) function, available in 13.1, to forge a client certificate to the server. In this approach, the F5 consumes and validates the client certificate, and then a local CA cert/key re-issues a client certificate to the backend server, copying all of the necessary attributes from the original client cert. The server just needs to trust the local CA. This also allows you to explicitly decrypt and re-encrypt the traffic at the F5. Ref: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/4.html

Forum Discussion

F5, HTTPD and Mod_jk and Tomcat full HTTPS

2 Replies

Recent Discussions

Inquiry on F5's Maintenance Mode Feature for Pool Members

AS3 Deployments (shared objects)

F5Access | MacOS Sonoma

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

F5 monitor for Tomcat/Pega

Creating a tmsh script with iControl REST and using it to restart HTTPD

Form Based Authentication with Tomcat not working on F5

Apache Tomcat Remote Code Execution via JSP upload (CVE-2017-12615 / CVE-2017-12617)

Apache Tomcat Remote Code Execution on Windows (CVE-2019-0232)