<Directory /secure>
            SSLVerifyClient require
            SSLOptions +StdEnvVars +ExportCertData
            require valid-user
</Directory>

create table app_users
(f_uid number not null, -- код пользователя
 f_uname varchar2(255) not null, -- имя пользователя
 f_cert blob, -- X.509
 f_certhash varchar2(4000), -- хэш X.509
 primary key (f_uid));
create unique index idx_app_users_uname on app_users (f_uname);
create unique index idx_app_users_certhash on app_users (f_certhash);

<Location /verysecure>
    SetHandler pls_handler
    Order allow,deny
    Allow from All
    AllowOverride None

    PlsqlDatabaseUsername APEX_PUBLIC_USER
    PlsqlDatabasePassword pass
    PlsqlDatabaseConnectString securedb TNSFormat
    PlsqlNLSLanguage AMERICAN_AMERICA.AL32UTF8
    PlsqlAuthenticationMode Basic
    PlsqlAlwaysDescribeProcedure Off
    PlsqlDefaultPage apex

    PlsqlCGIEnvironmentList SSL_CLIENT_S_DN
    PlsqlCGIEnvironmentList SSL_CLIENT_CERT
</Location>

 function auth_ssl return integer is
   
  exEmptyCertificate exception;
  exUserNotFound exception;

  client_cert varchar2(8000);
  client_dn varchar2(4000);
  cert_hash varchar2(4000);
  blob_cert blob;
  raw_cert raw(32000);
  l_uid app_users.f_uid%type;
  l_uname app_users.f_uname%type;
 begin
   -- получаем DN и X.509 открытый ключ в base64 через переменные окружения
   client_dn   := owa_util.get_cgi_env('SSL_CLIENT_S_DN');
   client_cert := owa_util.get_cgi_env('SSL_CLIENT_CERT');
   if (client_cert is null) or (client_dn is null) then
    raise exEmptyCertificate;
   end if;
   
   -- удаляем комменты -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
   client_cert:=substr(client_cert,instr(client_cert,chr(10))+1);
   client_cert:=substr(client_cert,1,instr(client_cert,chr(10),-2)-1);

   -- декодируем открытый ключ из base64 в raw, потом хэшируем алгоритмом SHA
   dbms_lob.createtemporary(blob_cert,true,dbms_lob.session);
   raw_cert:=utl_encode.base64_decode(utl_raw.cast_to_raw(client_cert));
   dbms_lob.writeappend(blob_cert,utl_raw.length(raw_cert),raw_cert);
   cert_hash:=utl_raw.cast_to_varchar2(utl_encode.base64_encode((dbms_crypto.Hash(blob_cert,dbms_crypto.HASH_SH1))));
   dbms_lob.freetemporary(blob_cert);  
   
   -- поиск текущего пользователя по хэшу
   begin
    select f_uid,f_uname into l_uid,l_uname
    from app_users
    where f_certhash=cert_hash;
   exception when no_data_found then raise exUserNotFound;
   end; 
   
   -- возвращаем код пользователя
   return l_uid;
 
 -- обрабатываем исключения  
 exception
  when exEmptyCertificate then 
     -- ....
     return null; 
  when exUserNotFound then 
     -- ....
     return null;
  when others then 
     -- ....
     return null;
 end;

<Location /ords>
 SSLVerifyClient require
 SSLOptions +StdEnvVars +ExportCertData
 require valid-user

 RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
 RequestHeader set X-Client-Cert %{SSL_CLIENT_CERT}e
 
 Proxypass ajp://localhost:8009/ords
</Location>