When using IBM WebSphere Application Server.IBM HTTP Server and Plugin to build the environment.

I Configure the IBM HTTP Server required client certificate as follows:

---------

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

<IfModule mod_ibm_ssl.c>

Listen 443

NameVirtualHost 172.16.0.92:443

<VirtualHost 172.16.0.92:443>

ServerName was85.mydomain.com

SSLEnable

SSLClientAuth 2

SSLServerCert cert

</VirtualHost>

</IfModule>

SSLDisable

KeyFile "/opt/IBM/HTTPServer/conf/key.kdb"

When accessing the application through HTTPS under 8.5.5.15, request.getAttribute("javax.servlet.request.X509Certificate") can get the correct certificate information and request.getAttribute("com.ibm.websphere.webcontainer.is_direct_connection") return false.

After upgrading to 8.5.5.16, request.getAttribute("javax.servlet.request.X509Certificate") return null and request.getAttribute("com.ibm.websphere.webcontainer.is_direct_connection") return true.

It's very strange. How to solve it? Let request.getAttribute("javax.servlet.request.X509Certificate") return the correct certificate information.

It is probably a result of security update in WAS. And you may consider adding a customer property "trustedSensitiveHeaderOrigin". Read more: https://www.ibm.com/support/pages/node/879485