Configuring Converged Application Server to Use WL-Proxy-Client-Cert
In order for Converged Application Server to use the WL-Proxy-Client-Cert header, a proxy server or load balancer must first transmit the X.509 certificate for a client request, encode it using base-64 encoding, and then add the resulting token to the WL-Proxy-Client-Cert header in the SIP message. If your system is configured in this way, you can enable the local Converged Application Server instance (or individual SIP Servlet instances) to examine the WL-Proxy-Client-Cert header for client tokens.
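What the proxy side of this arrangement involves, as an added example (not Oracle's code): the sketch removes any copy of the header that arrived with the request before writing the certificate the proxy verified itself, so the server only ever sees the proxy's value. It assumes the token is the single-line base-64 of the DER certificate; the function names, the sample request and the placeholder certificate bytes are constructed for illustration.

```python
import base64

HEADER = "WL-Proxy-Client-Cert"

def _split(sip_message):
    """Split a SIP message into header lines and body at the first blank line."""
    head, _, body = sip_message.partition("\r\n\r\n")
    return head.split("\r\n"), body

def _name(line):
    """Lower-cased header name, or None for a folded continuation or malformed line."""
    if line[:1] in (" ", "\t") or ":" not in line:
        return None
    return line.split(":", 1)[0].rstrip().lower()

def set_proxy_cert_header(sip_message, der_cert):
    """Proxy side: drop every inbound copy of the header, then add the verified cert."""
    lines, body = _split(sip_message)
    kept, dropping = [lines[0]], False           # lines[0] is the request line
    for line in lines[1:]:
        if line[:1] not in (" ", "\t"):          # new header; folded lines inherit the decision
            dropping = _name(line) == HEADER.lower()   # SIP header names are case-insensitive
        if not dropping:
            kept.append(line)
    token = base64.b64encode(der_cert).decode("ascii")  # assumption: one line, no PEM armor
    kept.append(f"{HEADER}: {token}")
    return "\r\n".join(kept) + "\r\n\r\n" + body

def read_proxy_cert(sip_message):
    """Server side: DER bytes from the header, or None if it is absent or repeated."""
    lines, _ = _split(sip_message)
    values = [l.split(":", 1)[1].strip() for l in lines[1:] if _name(l) == HEADER.lower()]
    if len(values) != 1:
        return None                              # absent or ambiguous: do not guess
    return base64.b64decode(values[0], validate=True)

# Constructed sample data: placeholder bytes (not a real certificate) and a request
# that already carries a lower-cased, folded copy of the header.
SAMPLE_DER = bytes.fromhex("3082010a0282010100")
SAMPLE_REQUEST = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "To: <sip:alice@example.com>\r\n"
    "wl-proxy-client-cert: Zm9yZ2Vk\r\n"
    " Zm9sZGVk\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
```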
To configure the server instance to use the WL-Proxy-Client-Cert header:
- Log in to the Administration Console for the Converged Application Server domain you want to configure.
- In the left pane, expand Environment, then select the Servers node.
- Select the name of a server from the Servers table.
- Select Configuration, then select the General subtab in the right pane.
- Select Client Cert Proxy Enabled.
- Click Save to save your changes.
- Follow the instructions under "Configuring SSL and X509 for Converged Application Server" to configure either the default identity asserter or the LDAP Identity Asserter provider to manage X509 certificates.
- Restart the server.
To enable the WL-Proxy-Client-Cert header for an individual Web Application, set the com.bea.wcp.clientCertProxyEnabled context parameter to true in the application's sip.xml deployment descriptor.