Using a Reverse Proxy with Mutual SSL Authentication

Configure the reverse proxy to connect to SAP Mobile Server using mutual SSL authentication, then set up specific certificate requirements.

  1. Configure the reverse proxy to connect to the mutual SSL port of SAP Mobile Server.
  2. Configure the reverse proxy to trust the SAP Mobile Server certificate.
  3. Configure the reverse proxy to use an impersonator client certificate to connect to SAP Mobile Platform. The client certificate must be mapped to the "SUP Impersonator" role for all security configurations.
  4. Configure the reverse proxy to require a client certificate.
  5. Configure the reverse proxy with all trusted CA certificates of SAP Mobile Platform, so that it accepts every client certificate that SAP Mobile Platform itself would accept.
  6. Configure the reverse proxy to forward the client certificate to the SAP Mobile Server as an SSL_CLIENT_CERT HTTP header, so that the server can retrieve and authenticate it.
Below is a sample configuration of an Apache reverse proxy. It maps the root context of port 8082 to https://sup-server:8002 (the default mutual SSL port).
Listen 8082
<VirtualHost *:8082>
    ServerName proxy-server
    # activate HTTPS on the reverse proxy
    SSLEngine on
    SSLCertificateFile "C:/Apache2.2/conf/proxy-server.crt"
    SSLCertificateKeyFile "C:/Apache2.2/conf/proxy-server.key"
    SSLCertificateChainFile "C:/Apache2.2/conf/proxy-server-ca.crt"
    # activate client certificate authentication (the bundle must contain every CA trusted by SAP Mobile Platform)
    SSLCACertificateFile "C:/Apache2.2/conf/trusted-client-ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 10
    # connect to SAP Mobile Server over mutual SSL: verify its certificate against its CA
    # and present the impersonator client certificate
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile "C:/Apache2.2/conf/sup-server-ca.crt"
    SSLProxyMachineCertificateFile "C:/Apache2.2/conf/proxy-client.pem"
    # initialize the special header to a blank value to avoid HTTP header forgery
    RequestHeader set SSL_CLIENT_CERT ""
    <Location />
        # add the SSL_CLIENT_CERT header to forward the real client certificate
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        ProxyPass https://sup-server:8002/
        ProxyPassReverse https://sup-server:8002/
    </Location>
</VirtualHost>
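Step 5 stands or falls on the contents of the file behind SSLCACertificateFile: a client certificate is accepted only if it chains to a CA in that bundle. The following script is an added example, not part of the SAP documentation or of the Apache distribution; it assumes only that openssl is on the PATH. It builds a throwaway CA and client certificates in a temporary directory (all names are constructed for the demo), then runs the same check mod_ssl performs, via openssl verify, against a bundle that plays the role of trusted-client-ca.crt: a certificate from the listed CA is accepted, one from an unlisted CA is rejected.

```shell
#!/bin/sh
# Added example: check whether a client certificate would pass the reverse
# proxy's SSLCACertificateFile bundle. Everything below (CA names, client
# names, the bundle file) is constructed for the demo; in a deployment the
# bundle is the proxy's trusted-client-ca.crt.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : self-signed CA key/cert in $WORK/NAME.key and $WORK/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_client CANAME NAME : client certificate signed by CANAME
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_client BUNDLE CERT : prints "accepted" or "rejected" and returns 0/1,
# mirroring what SSLVerifyClient require decides for a presented certificate
verify_client() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
        return 0
    fi
    echo rejected
    return 1
}

make_ca trusted-ca
make_ca other-ca
issue_client trusted-ca good-client
issue_client other-ca rogue-client

# The bundle plays the role of SSLCACertificateFile. Per step 5 it must list
# every CA that SAP Mobile Platform trusts; here it lists only trusted-ca.
BUNDLE="$WORK/trusted-client-ca.crt"
cat "$WORK/trusted-ca.crt" > "$BUNDLE"

verify_client "$BUNDLE" "$WORK/good-client.crt"            # accepted
verify_client "$BUNDLE" "$WORK/rogue-client.crt" || true   # rejected
```

The same openssl verify call, pointed at the real trusted-client-ca.crt and at each client certificate SAP Mobile Platform is expected to accept, is a quick way to confirm the bundle is complete before enabling SSLVerifyClient require. For the upstream leg (steps 1 to 3), openssl s_client with -cert proxy-client.pem and -CAfile sup-server-ca.crt against sup-server:8002 exercises the proxy's own client certificate and trust settings in the same way.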