I am trying to implement PKI authentication on a service that currently uses HTTP Basic Authentication. This service runs on a tomcat server and all requests go through an apache HTTP server. I am trying to update the service so it can support both username/password and PKI client authentication.
Right now I am thinking doing the PKI authentication at the apache server level so that my service deployed on tomcat will not need to be affected.
The idea that I have now is to have the apache server authenticate the client's certificate and then add the HTTP basic authentication header to the request going into tomcat by looking up the username and password of the user from the Directory Server.
From my research into Apache I found that there is an SSL Option in Apache called FakeBasicAuth which will create add a HTTP basic authentication header to the request, but the issue I have with it is that the password is hardcoded to "password." Is there a module for apache that can do what FakeBasicAuth is doing, but instead of hardcoding password, will look up the user credentials in a directory server?
If not, is there another approach that you can recommend for enabling PKI authentication on my service?