Channel: SCN : Popular Discussions - SAP Single Sign-On

X.509 client certificate not working through Reverse proxy


Dear expert,

We are working on Fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, the intranet scenario for X.509 authentication is working fine but the internet scenario is not; we got the error message "Base64 decoding of certificate failed". In terms of landscape, the only difference between internet and intranet is that we have an Apache reverse proxy in the DMZ. We are using Gateway as the front-end server, with Business Suite and HANA in the back end.

As X.509 authentication works fine in the intranet scenario, we assume that the X.509 configuration for both front end and back end is correct. With that assumption, the issue would exist in the reverse proxy. We are using Apache 2.4.7 with OpenSSL 1.0.1e, but we have upgraded OpenSSL to the latest version, 1.0.1h, for SSL certificate generation. Below is the Apache configuration for X.509.

 

Listen 1081
<VirtualHost *:1081>
SSLEngine on
SSLCertificateFile  "D:/Apache24/conf/server.cer"
SSLCertificateKeyFile  "D:/Apache24/conf/server.key"
SSLCertificateChainFile  "D:/Apache24/conf/server-ca.cer"
SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
# The client certificate is requested but not required
SSLVerifyClient optional
SSLVerifyDepth  10
SSLProxyEngine On
SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
AllowEncodedSlashes On
ProxyPreserveHost on
RequestHeader unset Accept-Encoding

<Proxy *>
     AddDefaultCharset Off
     SSLRequireSSL
     # 2.2-style access control (provided by mod_access_compat in 2.4)
     Order deny,allow
     Allow from all
</Proxy>

RequestHeader set ClientProtocol https
RequestHeader set x-sap-webdisp-ap HTTPS=1081

# Blank the certificate headers first so values sent by the client are not passed on
RequestHeader set SSL_CLIENT_CERT  ""
RequestHeader set SSL_CLIENT_S_DN  ""
RequestHeader set SSL_CLIENT_I_DN  ""

# Fill the headers from mod_ssl's variables for the verified TLS session
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"

ProxyPass / https://ldcinxd.wdf.sap.corp:1081/  nocanon Keepalive=on
ProxyPassReverse /  https://ldcinxd.wdf.sap.corp:1081/
</VirtualHost>

 

 

We are out of ideas on how to resolve this issue. Please kindly help if you have any ideas on it.

Thanks,

Best regards,

 

Xian' an
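
A diagnostic for the header value the proxy forwards, as an added example that is not part of the original post: mod_ssl documents SSL_CLIENT_CERT as a PEM-encoded certificate, and the check assumes (not confirmed on this page) that the back end wants the bare base64 body on a single line. The function names, the "(null)" placeholder check and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

PEM_ARMOR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

def strict_b64(value):
    """Decode the way a strict decoder would: no whitespace, no armor lines."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def diagnose(header_value):
    """Return (findings, normalized_body) for a forwarded certificate header."""
    findings = []
    # Assumption: "(null)" is what the header carries when no certificate
    # was presented, which SSLVerifyClient optional permits.
    if header_value in ("", "(null)"):
        return ["no client certificate was forwarded"], None
    if PEM_ARMOR.search(header_value):
        findings.append("PEM armor lines present")
    if re.search(r"\s", header_value):
        findings.append("whitespace inside value")
    # Strip armor and all whitespace, then require a DER SEQUENCE (tag 0x30).
    body = re.sub(r"\s+", "", PEM_ARMOR.sub("", header_value))
    der = strict_b64(body)
    if der is None or not der.startswith(b"\x30"):
        findings.append("body is not base64 of a DER SEQUENCE")
        return findings, None
    return findings, body

def make_sample_pem():
    """Constructed stand-in bytes shaped like DER; not a real certificate."""
    der = b"\x30\x82\x00\x40" + bytes(range(64))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
           + "\n-----END CERTIFICATE-----\n")
    return pem, b64

if __name__ == "__main__":
    pem, _ = make_sample_pem()
    for value in (pem, pem.replace("\n", " "), "(null)"):
        print(diagnose(value))
```

Feeding it the header value captured on the back end, for both the intranet and the proxied request, shows whether the two paths deliver the certificate in the same encoding.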

