I've got a Linux/Apache/Rails stack hosting an information service. The information services are essentially a front-end for multiple data sources, similar to a federated search.

Queries towards the service are authenticated via PKI. When handling each request, the PKI should be submitted to every databases right for the given request - each databases uses the PKI to manage data access.

I understand how to gain access to the requestor's DN from Rails, however i haven't the very first clue how you can access the PKI or pass it along in web demands released through the controller when handling the request. Any suggestions?

Your description causes it to be a little strict the business, but Ill attempt to give mtss is a shot.

The character of PKI makes sending (proxying) an association impossible, because the two endpoints setup a secret session key known simply to individuals parties. It appears as if you have 3 parties, a customer, medium difficulty, as well as an Endpoint. Therefore the client can authenticate towards the intermediate, and also the intermediate now knows with certainty who the customer is. I believe your question is how you can obtain the endpoint to understand with certainty who the customer is. The technique I'd choose would be to have each intermediate have its very own certificate, and authenticate towards the endpoint itself (now the endpoint knows who the intermediate is by using certainty) then simply have the intermediate pass the DN as additional area the endpoint will trust in the intermediate.