I don't agree; I was simply asking what others have done to create trust between the gateway environment and my application server.
What we ended up doing is signing a JWT token from the gateway, and we verify the signature in our application server. The JWT token contains all the security claims necessary to build a JAAS subject, which is built in a custom login module. We are currently experimenting with Spring Security to replace those login modules.
So in the end the specific implementation would be vendor-specific, but what I wanted to hear were best practices, which never got answered.
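
An added example, not the poster's code: one way the application-server side of the scheme described above could look, using the Nimbus JOSE+JWT library to verify a gateway-signed token and turn its claims into a JAAS `Subject`. The RS256 algorithm, the `gateway` issuer, the `app-server` audience, the `roles` claim and the `NamedPrincipal` type are assumptions made for illustration.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.*;
import javax.security.auth.Subject;

public class GatewayJwtDemo {
    // Hypothetical principal type; a real login module would use its container's classes.
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Application-server side: trust only tokens the gateway key signed, then map claims.
    static Subject verify(String token, RSAPublicKey gatewayKey) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        // Pin the algorithm instead of trusting whatever the token header announces.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm()))
            throw new SecurityException("unexpected alg");
        if (!jwt.verify(new RSASSAVerifier(gatewayKey)))
            throw new SecurityException("bad signature");
        JWTClaimsSet c = jwt.getJWTClaimsSet();
        Date exp = c.getExpirationTime();
        if (exp == null || exp.before(new Date())) throw new SecurityException("expired");
        if (!"gateway".equals(c.getIssuer()) || !c.getAudience().contains("app-server"))
            throw new SecurityException("wrong issuer or audience");
        if (c.getSubject() == null) throw new SecurityException("missing sub");
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal(c.getSubject()));
        List<String> roles = c.getStringListClaim("roles");
        if (roles != null) for (String r : roles) s.getPrincipals().add(new NamedPrincipal("role:" + r));
        s.setReadOnly(); // downstream code cannot add principals to a verified subject
        return s;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key pair stands in for the gateway's signing key.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair gw = g.generateKeyPair();
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject("alice").issuer("gateway")
            .audience("app-server").expirationTime(new Date(System.currentTimeMillis() + 60_000))
            .claim("roles", List.of("user", "auditor")).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(gw.getPrivate()));
        System.out.println(verify(jwt.serialize(), (RSAPublicKey) gw.getPublic()).getPrincipals());
        try { verify(jwt.serialize(), (RSAPublicKey) g.generateKeyPair().getPublic()); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With an asymmetric signature the application server holds only the gateway's public key, so a compromise of the application server does not let an attacker mint tokens.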