Reputation: 12743
I am integrating a merchant with our application. The merchant provides us with JKS, KEY, PEM and P12 file along with Certificate Password.
In the development server, the integration works with the JKS certificate and Certificate Password, implemented using HttpsURLConnection:
```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

SSLContext sc = SSLContext.getInstance("TLSv1.2");
KeyManagerFactory kmf;
KeyStore ks;
char[] passphrase = keystore_password.toCharArray();
kmf = KeyManagerFactory.getInstance("SunX509");
ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(keystore_path), passphrase); // merchant-supplied JKS
kmf.init(ks, passphrase);                                // client key + cert for mutual TLS
// trustAllCerts: the merchant's server certificate is not validated here
sc.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HostnameVerifier hv = new HostnameVerifier() {
    @Override
    public boolean verify(String urlHostName, SSLSession session) {
        if (!urlHostName.equalsIgnoreCase(session.getPeerHost())) {
            logger.warn("Warning: URL host '" + urlHostName + "' is different to SSLSession host '"
                    + session.getPeerHost() + "'");
        }
        return true; // a mismatch is only logged, never rejected
    }
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
```
In the upper environment, Tomcat is in the DMZ zone and interacts with the external world via Nginx only.
Tomcat sends the request to the Nginx server with the actual URL in a header; Nginx parses the header, forwards the request to that URL and returns the response to Tomcat.
Question
How do I forward the request with the credential via Nginx to the merchant?
Upvotes: 0
Views: 2323
Reputation: 38990
You can't "forward" it. To process HTTP requests based on the contents of the header, nginx must decrypt the incoming data and re-encrypt the outgoing, modified data. Since the whole point of a security protocol like SSL/TLS is that nobody other than the authorized endpoints can see or alter the data, nginx must terminate the client-side SSL/TLS session itself and create a separate server-side SSL/TLS session over which the HTTP-level data is forwarded.
Thus to authenticate to the 'merchant' server, it is nginx that must be configured with the client certificate, including chain cert(s) if applicable, and the matching private key; see http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate et seq.
(If you didn't already have them, you could convert JKS to PKCS12 with keytool -importkeystore and PKCS12 to PEM with openssl pkcs12 -- there are numerous existing Qs on both here and on other Stacks like superuser and serverfault.)
Whether the session from the (real) client to nginx is authenticated with the same cert, a different cert, or not authenticated with a cert at all, is up to the configuration of nginx.
Upvotes: 1
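As an added illustration of the answer above (this is example configuration, not something from the question or the answer), here is what the nginx side of the two TLS legs looks like. All file paths, the hostnames proxy.internal.example and merchant.example, and the listening port are assumptions; the merchant-issued certificate, chain and key are taken to have been converted from the P12 to PEM files already.

```nginx
# Added example, not from the original post. Assumed files:
#   /etc/nginx/certs/proxy-server.pem / .key   - nginx's own server cert and key (Tomcat -> nginx leg)
#   /etc/nginx/certs/internal-ca.pem           - CA that issued Tomcat's client cert (optional mTLS inward)
#   /etc/nginx/certs/merchant-client.pem       - merchant-issued client cert followed by its chain, PEM
#   /etc/nginx/certs/merchant-client.key       - matching private key, PEM (may be password-protected)
#   /etc/nginx/certs/merchant-client.pass      - file holding the key password, one per line
#   /etc/nginx/certs/merchant-ca.pem           - CA(s) that issued the merchant's server certificate
server {
    listen 8443 ssl;
    server_name proxy.internal.example;

    # Leg 1: Tomcat -> nginx. nginx terminates this session with its own certificate.
    ssl_certificate         /etc/nginx/certs/proxy-server.pem;
    ssl_certificate_key     /etc/nginx/certs/proxy-server.key;
    ssl_protocols           TLSv1.2 TLSv1.3;

    # Optional: require Tomcat to present a client certificate on this leg as well,
    # so only the DMZ application can use this outbound path.
    ssl_client_certificate  /etc/nginx/certs/internal-ca.pem;
    ssl_verify_client       on;

    location / {
        # Leg 2: nginx -> merchant. A fixed upstream rather than a URL taken from a
        # request header, so the proxy cannot be pointed at arbitrary hosts.
        proxy_pass              https://merchant.example;
        proxy_set_header        Host merchant.example;

        # Authenticate to the merchant with the merchant-issued client certificate.
        proxy_ssl_certificate       /etc/nginx/certs/merchant-client.pem;
        proxy_ssl_certificate_key   /etc/nginx/certs/merchant-client.key;
        proxy_ssl_password_file     /etc/nginx/certs/merchant-client.pass;
        proxy_ssl_protocols         TLSv1.2 TLSv1.3;

        # Validate the merchant's server certificate against its issuing CA and
        # check the name: the equivalent of not using trustAllCerts / return true.
        proxy_ssl_trusted_certificate /etc/nginx/certs/merchant-ca.pem;
        proxy_ssl_verify            on;
        proxy_ssl_verify_depth      2;
        proxy_ssl_server_name       on;              # send SNI to the merchant
        proxy_ssl_name              merchant.example; # name to verify the server cert against
    }
}
```

Two notes on the design. First, with nginx holding the merchant credential, the Tomcat side no longer needs the JKS, the keystore password or the custom SSLContext at all; it only needs to trust nginx's server certificate on the inward leg. Second, if the header-driven target URL from the question is kept, restrict it to an allowlist (for example a `map` from the header value to a known upstream name, returning 403 for anything else) rather than passing it straight into `proxy_pass`, since a DMZ proxy that forwards to any host named in a request header is an open proxy. To produce the PEM files from the P12 the merchant supplied, the `openssl pkcs12` route the answer mentions applies: `-clcerts -nokeys` for the client certificate, `-cacerts -nokeys` for the chain, and `-nocerts` for the key.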