Configure Client Certificate Identification Details On Apache HTTP Server

After setting up the client authentication configuration on the Apache HTTP server, configure the identity details of the authenticated client on the Apache HTTP server.

The identity details of the authenticated client can be forwarded as custom HTTP headers to the Core Engine. The Core Engine matches the client identification details from the HTTP headers with the identification details configured on the Config UI.

Note: By default, the Apache HTTP server does not forward the authenticated client identity to TIBCO API Exchange Gateway. Therefore, all requests that TIBCO API Exchange Gateway receives through this channel are identified as being sent by the anonymous user.

TIBCO API Exchange Gateway retrieves the client’s identity from the two custom HTTP header fields CAissuer and SerialNumber. The CAissuer field contains the distinguished name of the certificate authority that issued the client certificate. The distinguished name provides the unique identification of that certificate authority. The SerialNumber HTTP header contains the unique identification of the client in the context of a TIBCO API Exchange Gateway partner. This could either be the client certificate’s serial number, or the certificate’s subject distinguished name.

When TIBCO API Exchange Gateway receives a request that includes these two HTTP header fields, it identifies the partner by matching the values in these two HTTP header fields with the Partner CA Issuer and Partner Serial Number fields in the Partner tab configuration of the Config UI. The Partner CA Issuer contains the identity realm and the Partner Serial Number represents the partner’s identity for that realm.

The serial number uniquely identifies a specific certificate that the partner uses to identify itself. If you use the serial number in the partner configuration, you must update the partner configuration with the new serial number whenever a partner's certificate expires and is renewed.

Note: If you use the subject distinguished name instead, you do not need to update the TIBCO API Exchange Gateway partner configuration when the partner renews its certificate after expiration.

The following configuration setup is required on the Apache HTTP server so that TIBCO API Exchange Gateway can identify a partner based on the CAissuer and SerialNumber HTTP header fields:

  • Configure SSL engine options

    Configure the SSL engine options to export the standard SSL/TLS related SSL_* environment variables. This makes the client certificate information available in the Apache server for further reference in the request processing steps. This includes the issuer distinguished name, the certificate serial number, and the subject distinguished name.

  • Enable mod_headers module

    Enable the mod_headers module to control and modify the HTTP request and response headers.

  • Set RequestHeader directives

    Set the RequestHeader directives that add the CAissuer and SerialNumber HTTP headers to the incoming request. The header values are populated from the SSL environment variables: the issuer distinguished name for CAissuer, and either the certificate serial number or the subject distinguished name for SerialNumber.
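
The three steps above combined in one Apache virtual host, as an added example that is not part of the TIBCO documentation or product; the server name, certificate paths, CA bundle and the Core Engine proxy URL are placeholders, and the mod_ssl variable names (SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL, SSL_CLIENT_S_DN) are the standard ones exported by SSLOptions +StdEnvVars.

```apache
# Added example (not from the TIBCO documentation): forward the verified
# client certificate identity to the Core Engine in the CAissuer and
# SerialNumber headers. Hostnames, paths and the proxy URL are assumed.

LoadModule ssl_module        modules/mod_ssl.so
LoadModule headers_module    modules/mod_headers.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName gateway-proxy.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Trust anchors for partner client certificates; a verified certificate
    # is mandatory, so SSL_CLIENT_* is always populated for requests below.
    SSLCACertificateFile  /etc/apache2/ssl/partner-ca-bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Step 1: export the SSL_* variables (issuer DN, serial, subject DN)
    SSLOptions +StdEnvVars

    # Step 3 (mod_headers is loaded above): first drop any CAissuer or
    # SerialNumber header the caller sent itself, so identity can only come
    # from the verified certificate and never from the client's own headers.
    RequestHeader unset CAissuer     early
    RequestHeader unset SerialNumber early

    # Then set both headers from the certificate.
    RequestHeader set CAissuer     "%{SSL_CLIENT_I_DN}s"
    # Option A: certificate serial number (must be updated on renewal)
    RequestHeader set SerialNumber "%{SSL_CLIENT_M_SERIAL}s"
    # Option B: subject DN instead (stable across renewal); use only one
    # RequestHeader set SerialNumber "%{SSL_CLIENT_S_DN}s"

    # Forward to the Core Engine (assumed address)
    ProxyPass        / http://core-engine.example.internal:8080/
    ProxyPassReverse / http://core-engine.example.internal:8080/
</VirtualHost>
```

Whichever option you choose for SerialNumber must match what is entered in the Partner Serial Number field of the Config UI; the CAissuer value must match the Partner CA Issuer field exactly as Apache renders the issuer DN.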

See Configure Client Certificate Identification Details On Apache HTTP Server for configuration steps.