Configure Client Authentication with Digital Certificates on Apache HTTP Server

You must configure client authentication on the Apache HTTP server for mutual SSL communications.

The Apache HTTP server and its clients can communicate over an SSL-encrypted connection, which reduces the risk of exposing sensitive content in plain text. The encrypted connection also ensures that the server always identifies itself to its clients, which guarantees that the server is the uniquely correct end point for the communication. However, if you want to authorize the service requests in TIBCO API Exchange Gateway, the clients must also authenticate themselves to the Apache HTTP server using their own client certificates.

The client authentication can be configured on the Apache HTTP server by setting the following Apache directives in the virtual host configuration for the SSL virtual server instance:

  • SSLVerifyClient

    The SSLVerifyClient directive defines the verification type. The possible values are as follows:

    • none: indicates that no client certificate is required at all.
    • optional: indicates that the client may present a valid certificate.
    • require: indicates that the client has to present a valid certificate.

      The require value is used to ensure that the Apache HTTP server authenticates every client request before it forwards it to TIBCO API Exchange Gateway.

    • optional_no_ca: indicates that the client may present a valid certificate, but the certificate does not have to be successfully verified.
  • SSLVerifyDepth

    The SSLVerifyDepth directive specifies how deep the server follows the certificate issuer chain during verification. If the server does not find a trusted Certificate Authority (CA) within this depth, it declares the certificate invalid. The depth is the maximum number of intermediate certificate issuers, that is, the maximum number of CA certificates that are followed while verifying the client certificate. For example, depth 0 (zero) means that all clients must present certificates that are self-signed and present in the server's collection of trusted certificates. Depth 1 means that client certificates may be either self-signed (as previously mentioned) or signed by a trusted CA. The default value is 1.

  • SSLCACertificatePath

    The SSLCACertificatePath directive specifies the path to a directory containing the digital certificate files of the certificate authorities. Each digital certificate is in a separate file. When you use the SSLCACertificatePath directive, the Apache HTTP server expects each file to be named with the hash of the CA certificate that is in it, followed by a period and a sequence number that starts at 0 and is incremented for each file. The Apache server expects this naming for efficiency reasons: when you have a large number of CA certificates, it is inefficient to open and read every file in the directory every time the server needs to find a specific certificate.

  • SSLCACertificateFile

    The SSLCACertificateFile directive specifies the name and location of a single certificate file that contains all CA certificates.

Note: Configuring the SSLCACertificateFile directive is easy. However, as the number of trusted certificate authorities increases, it can become difficult or error-prone to add, replace, or remove CA certificates in this file. When the number of trusted certificate authorities is large, use the SSLCACertificatePath directive for best results.
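
The following check is an added example, not part of the original documentation or of any TIBCO or Apache tooling. It audits the text of a single SSL virtual host for the four directives described above. The sample virtual hosts, the placeholder file path, and the max_depth policy threshold are assumptions, and the check does not follow Include files or per-directory overrides.

```python
import re

# Constructed sample virtual hosts; the file path is a placeholder, not from the page.
WEAK_VHOST = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
</VirtualHost>
"""

HARDENED_VHOST = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /path/to/client-ca-bundle.pem
</VirtualHost>
"""

# Apache directive names are case-insensitive; container tags start with "<".
DIRECTIVE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$", re.IGNORECASE)


def parse_directives(conf):
    """Map each SSL* directive (lower-cased) to its value; the last occurrence wins."""
    found = {}
    for line in conf.splitlines():
        match = DIRECTIVE.match(line)
        if match:
            found[match.group(1).lower()] = match.group(2).strip('"')
    return found


def audit_client_auth(conf, max_depth=2):
    """Return findings for one virtual host; max_depth is a hypothetical local policy."""
    d = parse_directives(conf)
    findings = []
    mode = d.get("sslverifyclient", "none").lower()  # an unset directive means none
    if mode != "require":
        findings.append(f"SSLVerifyClient is '{mode}': clients are not forced to present a verified certificate")
    if "sslcacertificatefile" not in d and "sslcacertificatepath" not in d:
        findings.append("no SSLCACertificateFile or SSLCACertificatePath: no trusted client CAs configured")
    depth = d.get("sslverifydepth", "1")  # the default value is 1
    if not depth.isdigit() or int(depth) > max_depth:
        findings.append(f"SSLVerifyDepth is '{depth}': expected a number no greater than {max_depth}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(name, audit_client_auth(conf) or "OK")
```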

See Configuring Client Authentication with Digital Certificates on Apache HTTP Server for configuration steps.