Hi All,
Am trying to configure SSL based authentication. Below is my VHOST configuration.
Server version:
Siteminder 12.8
Apache/2.4.37
Server built: Feb 21 2023 02:57:44
OpenSSL 1.1.1k FIPS 25 Mar 2021
When i tried to access my application by setting "SSLVerifyClient require" at globally its working. The problem is for all the URI its validating the certificate (need to submit certificate for all URL, then the login page is displayed).
I want certificate validation only for "/login/x509" for rest of application (where user navigates ) apache should not validate certificate.
When i set SSLVerifyClient none globally am getting Access forbidden.
192.168.10.1 - - [28/Mar/2023:12:18:43 +0530] "GET /login/x509/1679986123/smgetcred.scc?TYPE=16777244&REALM=-SM-DEV_APP_AUTHN_CERTONLY%20[12%3a18%3a43%3a139839840191780]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-oGB5JjP2CdzbzVlQMFgyLn1wWmfWrg53ZpP0HyCS8UXxx%2bV%2bx%2f583a7my1YtNRwWiDSX7t%2b2ZeHgWsb2ATJyM%2bKon%2fYVZeq2&TARGET=-SM-HTTPS%3a%2f%2fdev--app%2esmtestsso%2ecom%3a1700%2fsmtestsso%2fcertx509%2fheaders%2ephp HTTP/1.1" 403 17
Can someone review below and let me know, what i did wrong.
`Listen 192.168.10.30:1200
<VirtualHost 192.168.10.30>
ErrorLog "|/usr/sbin/rotatelogs /data/logs/apache/conf1/dev-smauth.rp.agridamlabs.com/error.%Y%m%d.log 86400 -l"
TransferLog "|/usr/sbin/rotatelogs /data/logs/apache/conf1/dev-smauth.rp.agridamlabs.com/access.%Y%m%d.log 86400 -l"
SSLEngine on
SSLVerifyClient none
#SSLVerifyClient require
#SSLVerifyClient none
SSLVerifyDepth 3
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCertificateFile /appl/apache/w3_rp1_apps/certs/sm.crt
SSLCertificateKeyFile /appl/apache/w3_rp1_apps/certs/sm.key
SSLCertificateChainFile /appl/apache/w3_rp1_apps/certs/ca-chain.crt
SSLCACertificateFile /appl/apache/w3_rp1_apps/certs/ca-chain.crt
RewriteEngine On
ProxyRequests off
ProxyPreserveHost on
ServerName dev-smauth.rp.agridamlabs.com
DocumentRoot "/data/www/dev-smauth.rp.agridamlabs.com/conf1"
<Directory "/data/www/dev-smauth.rp.agridamlabs.com/conf1">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Location /keepalive>
Require all granted
</Location>
<Directory "/login">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
Require all granted
SSLVerifyClient none
SSLVerifyDepth 3
</Directory>
<Directory "/login/x509">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
Require all granted
Require ssl
Require ssl-verify-client
SSLRequireSSL
SSLOptions +FakeBasicAuth +StrictRequire
#SSLVerifyClient require
#SSLVerifyDepth 3
#Require ssl-verify-client
#SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
</Directory>
<Directory "/login/x509opt">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
Require all granted
SSLVerifyClient optional
SSLVerifyDepth 3
</Directory>
</VirtualHost>`
------------------------------
Regards,
Gowtham.
------------------------------