Configuring Converged Application Server to Use WL-Proxy-Client-Cert

For Converged Application Server to use the WL-Proxy-Client-Cert header, a proxy server or load balancer must first transmit the X.509 certificate for a client request, encode it using base-64 encoding, and then add the resulting token to the WL-Proxy-Client-Cert header in the SIP message. If your system is configured in this way, you can enable the local Converged Application Server instance (or individual SIP Servlet instances) to examine the WL-Proxy-Client-Cert header for client tokens.

To configure the server instance to use the WL-Proxy-Client-Cert header:

  1. From the Edit Tree of the Remote Console, expand Environment, then select the Servers node.
  2. Select the name of a server from the Servers table.
  3. Under the General subtab, select Client Cert Proxy Enabled.
  4. Click Save, and then the shopping cart, and then Commit Changes.
  5. Follow the instructions under "Configuring SSL and X509 for Converged Application Server" to configure either the default identity asserter or the LDAP Identity Asserter provider to manage X509 certificates.
  6. Restart the server.

To enable the WL-Proxy-Client-Cert header for an individual Web Application, set the com.bea.wcp.clientCertProxyEnabled context parameter to true in the application's sip.xml deployment descriptor.
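
The header handling described in the first paragraph, as an added Python example (not Oracle's code and not part of the original document): the proxy side base-64 encodes the certificate bytes into a single WL-Proxy-Client-Cert header, and the server side decodes it. The function names, the sample SIP request and the placeholder certificate bytes are constructed for illustration, and the removal of client-supplied copies of the header at the proxy is an assumption about the proxy's configuration that this page does not state.

```python
import base64

HEADER = "WL-Proxy-Client-Cert"

# Constructed placeholder, NOT a real certificate: a DER SEQUENCE tag (0x30),
# a length byte, and filler standing in for the certificate contents.
SAMPLE_DER = b"\x30\x0b" + b"constructed"

# Constructed SIP request in which the client supplies the header itself,
# including a folded continuation line.
SAMPLE_REQUEST = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS client.example.com;branch=z9hG4bKconstructed\r\n"
    "wl-proxy-client-cert: Zm9yZ2Vk\r\n"
    " Zm9sZGVk\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def set_client_cert_header(sip_message: str, der_cert: bytes) -> str:
    """Proxy side: drop inbound copies of the header, then add the proxy's own."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, dropping = [lines[0]], False  # always keep the request line
    for line in lines[1:]:
        if line[:1] not in (" ", "\t"):  # a new header, not a folded continuation
            dropping = line.partition(":")[0].strip().lower() == HEADER.lower()
        if not dropping:
            kept.append(line)
    token = base64.b64encode(der_cert).decode("ascii")
    kept.append(f"{HEADER}: {token}")
    return "\r\n".join(kept) + sep + body


def read_client_cert_header(sip_message: str) -> bytes:
    """Server side: decode the single header value back to certificate bytes."""
    head = sip_message.partition("\r\n\r\n")[0]
    values = [ln.partition(":")[2].strip() for ln in head.split("\r\n")[1:]
              if ln.partition(":")[0].strip().lower() == HEADER.lower()]
    if len(values) != 1:
        raise ValueError(f"expected one {HEADER} header, found {len(values)}")
    der = base64.b64decode(values[0], validate=True)
    if der[:1] != b"\x30":  # every DER certificate starts with a SEQUENCE tag
        raise ValueError("decoded value is not a DER SEQUENCE")
    return der
```

The decoded bytes are only the input to certificate handling; mapping them to a user remains the job of the identity asserter configured in step 5.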