Apache/Rails: Forwarding PKI

I have a Linux/Apache/Rails stack hosting 开发者_Python百科a data service. The data service is basically a front end for multiple data sources, akin to a federated search.

Queries to the service are authenticated via PKI. When handling each request, the PKI must be forwarded to each data source appropriate for the given request - each data source uses the PKI to control data access.

I know how to access the requestor's DN from Rails, but I haven't the first clue how to access the PKI or pass it along in web requests launched by the controller when handling the request. Any suggestions?

Your description makes it a bit hard to follow the organization, but Ill try to give this a shot.

The nature of PKI makes forwarding (proxying) a connection impossible, since the two endpoints set up a secret session key known only to those parties. It seems like you have 3 parties, a Client, an Intermediate, and an Endpoint. So the client can authenticate to the intermediate, and the intermediate now knows with certainty who the client is. I think your question is how to get the endpoint to know with certainty who the client is. The method I would choose is to have each intermediate have its own certificate, and authenticate to the endpoint itself (so now the endpoint knows who the intermediate is with certainty) then just have the intermediate pass the DN as some extra field that the endpoint will trust from the intermediate.