My company is transitioning to cloud based application servers. Key applications will continue to run in-house but selected new applications will run on cloud based application servers. Many of the in-house application servers provide REST endpoints to client applications. Right now the company uses white listing for client authentication. This is ok for a single instance cloud services. We use AWS so an Elastic IP (EIP) works perfectly for a single or few instances. However, I believe it is problematic for cloud server applications that scales up and down instances depending upon demand to use our company policy for white listed IP's. Anything beyond a few EIP's becomes difficult. At least in my opinion.
I am thinking of using X.509 certificate name validation. In other words once the certificate is validated and session keys are exchanged I verify the name on the certificate with a list of valid names. If the name matches I proceed with the session. Otherwise, if the names don't match, the session is shut down with a 403 error code. This is done on both the client and server so both authenticate each other. Is it possible to do this name checking in Tomcat as part of the config.xml or something else that is automatic? In other words an automatic way so I don't have to modify the endpoint HTTPS code. Or do I have to modify the HTTPS code to include check for the certificate name? Does this make sense or this there a better way?
Best Regards, Steve Mansfield