Configuring Converged Application Server to Use WL-Proxy-Client-Cert

For Converged Application Server to use the WL-Proxy-Client-Cert header, a proxy server or load balancer must first transmit the X.509 certificate for a client request, encode it using base-64 encoding, and then add the resulting token to the WL-Proxy-Client-Cert header in the SIP message. If your system is configured in this way, you can enable the local Converged Application Server instance (or individual SIP Servlet instances) to examine the WL-Proxy-Client-Cert header for client tokens.
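The proxy-side step described above, as an added Python sketch (not Oracle code or part of the original page). It assumes the header value is the base64 of the certificate's DER bytes on a single line, and that the proxy discards any copy of the header already present on the inbound message; all function names are hypothetical.

```python
import base64
import binascii

HEADER = "WL-Proxy-Client-Cert"

def decode_header_value(value: str) -> bytes:
    """Strictly decode the header and check the outer DER framing only."""
    try:
        der = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("header value is not valid base64") from exc
    if len(der) < 2 or der[0] != 0x30:          # a certificate is a DER SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                            # short-form length
        length, hdr = der[1], 2
    else:                                        # long-form length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length field")
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        raise ValueError("truncated certificate or trailing data")
    return der

def pem_to_header_value(pem: str) -> str:
    """Drop the PEM armor and line breaks: one line of base64 over the DER bytes."""
    lines = (ln.strip() for ln in pem.splitlines())
    value = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    decode_header_value(value)                   # refuse to forward a damaged cert
    return value

def set_proxy_cert_header(headers, client_cert_pem):
    """Remove any copy of the header the client sent, then add the proxy's own.
    SIP header names are case-insensitive, so compare in lower case."""
    kept = [(n, v) for n, v in headers if n.strip().lower() != HEADER.lower()]
    kept.append((HEADER, pem_to_header_value(client_cert_pem)))
    return kept

# Constructed sample: a well-framed DER SEQUENCE standing in for the certificate
# the proxy took from the TLS handshake (not a real X.509 certificate).
SAMPLE_DER = b"\x30\x82\x01\x04" + b"\x04\x82\x01\x00" + bytes(range(256))
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")

# Constructed inbound headers, including a copy of the header set by the client.
INBOUND = [("Via", "SIP/2.0/TLS client.example.com"),
           ("wl-proxy-client-cert", "QUJD"),
           ("CSeq", "1 INVITE")]
OUTBOUND = set_proxy_cert_header(INBOUND, SAMPLE_PEM)
```

The framing check only catches truncated or malformed values; mapping the certificate to a user remains the job of the identity asserter configured on the server.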

To configure the server instance to use the WL-Proxy-Client-Cert header:

  1. Log in to the Administration Console for the Converged Application Server domain you want to configure.

  2. In the left pane, expand Environment, then select the Servers node.

  3. Select the name of a server from the Servers table.

  4. Select Configuration, then select the General subtab in the right pane.

  5. Select Client Cert Proxy Enabled.

  6. Click Save to save your changes.

  7. Follow the instructions under "Configuring SSL and X509 for Converged Application Server" to configure either the default identity asserter or the LDAP Identity Asserter provider to manage X509 certificates.

  8. Restart the server.

To enable the WL-Proxy-Client-Cert header for an individual Web Application, set the com.bea.wcp.clientCertProxyEnabled context parameter to true in the application's sip.xml deployment descriptor.