We have a BigIP LTM that routes traffic to an Apache web server that sits in front of a Weblogic app server. We are working on setting up mutual authentication (mTLS) for clients that want to consume our service (Java JAX-WS). The client, while calling our service, will initiate mTLS authentication by presenting a client certificate. The client certificate will be authenticated by the LTM based on certain parameters. Once authenticated, the LTM will terminate the connection and then re-establish an mTLS connection with the backend server (in this case the Apache server) using an internal LTM certificate (since the LTM has terminated the connection, it will not have the true client certificate, and hence uses the LTM certificate to establish the connection). While establishing the mTLS connection with the backend server, the LTM also inserts the true client certificate common name in the HTTP header, for example, X-CLIENT-CERT: test.certificate.com.
My question is: How can we get the Apache or Weblogic server to capture X-CLIENT-CERT header detail and pass it along such that we can read the value in our application code and authorise access accordingly?
I tried to loop through the header details using `request.getHeader` but I don’t see the X-CLIENT-CERT header/value in the header list.
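An added example, not part of the original post: a servlet filter that authorises on the `X-CLIENT-CERT` common name described above, once that header does reach the application. It assumes the `javax.servlet` API, that the JAX-WS endpoint sits behind the container's filter chain, and that the LTM removes any client-supplied copy of the header; the class name, allowlist and request attribute name are hypothetical.

```java
// Added example (not from the original post). Assumes javax.servlet
// (jakarta.servlet on newer containers); names below are hypothetical.
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertHeaderFilter implements Filter {
    static final String HEADER = "X-CLIENT-CERT";
    // Constructed allowlist of client certificate common names.
    private static final Set<String> ALLOWED_CNS =
            Collections.singleton("test.certificate.com");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Header lookup is case-insensitive; collect every value sent under the name.
        Enumeration<String> raw = request.getHeaders(HEADER);
        List<String> values = (raw == null)
                ? Collections.<String>emptyList() : Collections.list(raw);

        // Exactly one value is expected. None means the header was dropped on
        // the way in; more than one suggests a caller-supplied copy survived.
        if (values.size() != 1) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String cn = values.get(0).trim();
        if (!ALLOWED_CNS.contains(cn)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Expose the verified name to the service code.
        request.setAttribute("authenticatedClientCn", cn);
        chain.doFilter(req, res);
    }
}
```

The header is only as trustworthy as the hop that sets it, so the backend should accept requests solely over the mTLS connection from the LTM.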