My company is transitioning to cloud-based application servers. Key applications will continue to run in-house, but selected new applications will run on cloud-based application servers. Many of the in-house application servers provide REST endpoints to client applications. Right now the company uses whitelisting for client authentication. This is OK for single-instance cloud services. We use AWS, so an Elastic IP (EIP) works perfectly for a single instance or a few instances. However, I believe it is problematic for cloud server applications that scale instances up and down depending upon demand to use our company policy for whitelisted IPs. Anything beyond a few EIPs becomes difficult. At least in my opinion.
I am thinking of using X.509 certificate name validation. In other words, once the certificate is validated and session keys are exchanged, I verify the name on the certificate against a list of valid names. If the name matches, I proceed with the session. This is done on both the client and the server, so both authenticate each other. Otherwise, if the names don't match, the session is shut down with a 403 error code. Is it possible to do this name checking in Tomcat as part of the config.xml or something else that is automatic? This way I do not have to modify the REST endpoint code. Or do I have to modify the HTTPS code to include a check for the certificate name? Does this make sense, or is there a better way?
Best Regards, Steve Mansfield
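One way to do the server-side name check without touching the REST endpoints, as an added example that is not the poster's code: a servlet filter for Tomcat 9 (javax.servlet; Tomcat 10+ uses the jakarta.servlet package and the matching attribute name). The class name CertNameFilter and the allow-listed names are assumptions; certificate chain validation itself is still done by Tomcat through the connector's truststore and clientAuth setting, and the filter only decides on the verified name.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/**
 * With clientAuth="true" on the HTTPS connector, Tomcat has already verified the client's
 * chain against the truststore and exposes it as "javax.servlet.request.X509Certificate".
 * This filter adds the name check and answers 403 otherwise; endpoint code is untouched.
 */
public class CertNameFilter implements Filter {
    // Constructed allow-list of client certificate CNs; load it from config in practice.
    private static final Set<String> ALLOWED = Set.of("app-client-1", "app-client-2");

    /** CN from the subject DN, or null if absent or unparsable. */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            // Fall through: an unparsable DN counts as no name and is denied below.
        }
        return null;
    }

    /** Authorisation decision: true only when the leaf certificate's CN is allow-listed. */
    static boolean isAllowed(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) return false; // no client cert presented
        String cn = commonName(chain[0]);                      // chain[0] is the leaf
        return cn != null && ALLOWED.contains(cn);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (!isAllowed(certs)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        next.doFilter(req, res);
    }
}
```

Register it with a `<filter>` and `<filter-mapping>` in web.xml covering the REST paths. The client half of the mutual check (verifying the server certificate's name) has to live in the HTTPS client code, since this filter only covers the server side.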