Using SSL with the NSAPI Plug-In
Administration Guide 13-11
Specifying Trust of the WL-Proxy-Client-Cert Header
The plug-in can encode users' identity certificates in the WL-Proxy-Client-Cert
header and pass the header to WebLogic Server instances (see Proxying Requests to
Another HTTP Server in the WebLogic Server Administration Guide). A WebLogic
Server instance uses the certificate information from that header to authenticate
the user, trusting that the header comes from a secure source (the plug-in).
In previous releases of WebLogic Server, the default behavior was to always trust
the WL-Proxy-Client-Cert header. Beginning with WebLogic Server 6.1 SP2, you
need to explicitly define trust of the WL-Proxy-Client-Cert header. A new
parameter, clientCertProxy, allows WebLogic Server to determine whether to trust
the certificate header. For an additional level of security, use a connection
filter to limit all connections into WebLogic Server, so that WebLogic Server
accepts connections only from the machine on which the plug-in is running.
The clientCertProxy parameter has been added to the HTTPClusterServlet and
Web applications.
For the HTTPClusterServlet, add the parameter to the web.xml file as follows:
<context-param>
  <param-name>clientCertProxy</param-name>
  <param-value>true</param-value>
</context-param>
For Web applications, add the parameter to the web.xml file as follows:
<context-param>
  <param-name>weblogic.httpd.clientCertProxy</param-name>
  <param-value>true</param-value>
</context-param>
You can also use this parameter in a cluster as follows:
<Cluster ClusterAddress="127.0.0.1" Name="MyCluster"
         ClientCertProxyHeader="true"/>
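An added example, not part of the WebLogic documentation: a Python script that
lists every descriptor that turns on trust of the WL-Proxy-Client-Cert header, so
that each one can be checked against a connection filter admitting only the
plug-in machine. The descriptor contents and file names are constructed samples,
and the Domain root element around Cluster is an assumption.

```python
import xml.etree.ElementTree as ET

# Parameter and attribute names are the ones shown on this page.
TRUST_PARAMS = {"clientCertProxy", "weblogic.httpd.clientCertProxy"}
CLUSTER_ATTR = "ClientCertProxyHeader"

def _local(tag):
    # Drop an XML namespace such as "{uri}context-param" if one is present.
    return tag.rsplit("}", 1)[-1]

def _is_true(value):
    # Treat "true", " TRUE " and similar spellings as enabled.
    return (value or "").strip().lower() == "true"

def find_header_trust(xml_text, source):
    """List every setting in one descriptor that enables trust of the header."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        name = _local(elem.tag)
        if name == "context-param":
            kids = {_local(c.tag): (c.text or "").strip() for c in elem}
            if kids.get("param-name") in TRUST_PARAMS and _is_true(kids.get("param-value")):
                findings.append((source, kids["param-name"]))
        elif name == "Cluster" and _is_true(elem.get(CLUSTER_ATTR)):
            findings.append((source, f'{CLUSTER_ATTR} on cluster {elem.get("Name", "?")}'))
    return findings

# Constructed sample descriptors (file names are hypothetical).
SAMPLES = {
    "proxy/WEB-INF/web.xml": """<web-app>
      <context-param><param-name>clientCertProxy</param-name>
        <param-value>true</param-value></context-param></web-app>""",
    "shop/WEB-INF/web.xml": """<web-app>
      <context-param><param-name>weblogic.httpd.clientCertProxy</param-name>
        <param-value> TRUE </param-value></context-param></web-app>""",
    "public/WEB-INF/web.xml": """<web-app>
      <context-param><param-name>weblogic.httpd.clientCertProxy</param-name>
        <param-value>false</param-value></context-param></web-app>""",
    "config.xml": """<Domain Name="mydomain">
      <Cluster ClusterAddress="127.0.0.1" Name="MyCluster"
               ClientCertProxyHeader="true"/></Domain>""",
}

def audit(samples=SAMPLES):
    # Collect findings across all descriptors, in the order they were given.
    return [f for src, text in samples.items() for f in find_header_trust(text, src)]

if __name__ == "__main__":
    for source, setting in audit():
        print(f"{source}: trusts WL-Proxy-Client-Cert via {setting}")
```

Every descriptor the script reports belongs to a server that accepts the header as proof of identity, so that server should be reachable only from the plug-in machine.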