Two-way HTTPS Mutual Certificate Authentication through Relay Server or Reverse Proxy
- The remote client establishes a two-way HTTPS connection with the relay
server/reverse proxy by providing its own client certificate. If the client
certificate is not trusted by the relay server/reverse proxy, the connection
cannot be established.
- After the connection is established, the remote client sends its request to the
relay server/reverse proxy.
- The relay server/reverse proxy forwards the client request to
SAP Mobile Platform through the connection
established with its own certificate, and the remote client certificate is added
to the forwarded client request as the SSL_CLIENT_CERT HTTP header.
- SAP Mobile Platform determines the security configuration for
the request.
- SAP Mobile Platform authenticates the relay server/reverse proxy's
certificate and ensures it has the "SUP Impersonator" role. If the relay
server/reverse proxy's certificate is not mapped to the "SUP Impersonator" role
in the security configuration, a 403 error is returned to the remote client.
- SAP Mobile Platform retrieves the remote client certificate from
the SSL_CLIENT_CERT HTTP header and passes it to the security configuration to
perform authentication.
- If authentication succeeds, SAP Mobile Platform dispatches the
client request to the corresponding service handler.
- For the proxy service, the proxy forwards the client request to the backend/gateway
server by establishing the HTTPS connection with the remote client certificate.
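
The order of the server-side checks matters: the SSL_CLIENT_CERT header is only trustworthy when the direct TLS peer holds the "SUP Impersonator" role. The following sketch is an added example, not SAP Mobile Platform code, that models that decision. The function names, the role map, the fingerprint allow-list standing in for the security configuration, and the 401 status for a missing or rejected client certificate are all assumptions.

```python
import base64
import hashlib
import re

IMPERSONATOR_ROLE = "SUP Impersonator"   # role name taken from the steps above
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(value):
    """Decode the PEM certificate in a header value; whitespace is ignored
    because proxies commonly fold the PEM onto a single line."""
    match = PEM_RE.search(value)
    if not match:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def handle_forwarded_request(peer_subject, headers, role_map, trusted_fingerprints):
    """Return the HTTP status for a request arriving over mutual TLS.

    peer_subject: subject of the certificate already verified on the TLS
                  connection itself (the relay server/reverse proxy).
    role_map / trusted_fingerprints: hypothetical stand-ins for the
                  security configuration's role mapping and authentication.
    """
    # The header is only meaningful if the direct peer may impersonate;
    # from any other peer it is caller-supplied data and is never read.
    if IMPERSONATOR_ROLE not in role_map.get(peer_subject, set()):
        return 403
    raw = {k.upper(): v for k, v in headers.items()}.get("SSL_CLIENT_CERT")
    if raw is None:
        return 401                      # assumed status; the page names only 403
    try:
        der = pem_to_der(raw)
    except ValueError:                  # also covers malformed base64
        return 401
    fingerprint = hashlib.sha256(der).hexdigest()
    return 200 if fingerprint in trusted_fingerprints else 401

# Constructed sample data: placeholder bytes, not a real X.509 certificate.
CLIENT_DER = b"constructed-client-certificate-bytes"
CLIENT_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(CLIENT_DER).decode()
              + "\n-----END CERTIFICATE-----")
ROLE_MAP = {"CN=relay.example.test": {IMPERSONATOR_ROLE}}
TRUSTED = {hashlib.sha256(CLIENT_DER).hexdigest()}

if __name__ == "__main__":
    hdr = {"SSL_CLIENT_CERT": CLIENT_PEM}
    print(handle_forwarded_request("CN=relay.example.test", hdr, ROLE_MAP, TRUSTED))  # 200
    print(handle_forwarded_request("CN=someone.else.test", hdr, ROLE_MAP, TRUSTED))   # 403
```

A peer without the role receives 403 even when it presents a header containing an otherwise acceptable certificate, which is what keeps a client that reaches the platform directly from asserting someone else's identity.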