How to use CLIENT-CERT authentication?

Hi,
I would like to know how to use client authentication.
I used a web application with CLIENT-CERT authentication.
And when I accessed the application from a browser, I got the following error
message:
Incorrect or missing client certificate.
I used OpenSSL to generate the keys.
Could you tell me what settings are needed?
In particular, I don't know the entry for CertAuthenticator.
Could you tell me?
Regards,
Kuniaki Hagiwara - HP Japan

Thank you for your response.
Yes, we have added the client certificate file (.pfx) to the Firefox Certificate Manager / store. It also shows the certificate in the View Certificate window. We could not resolve it yet.

Similar Messages

  • CLIENT-CERT authentication in WL7

    Hi,
    I'm trying to enforce two-way authentication for clients (Java applications) accessing
    a web service running on WL7.
    The web service is configured to accept requests over https only. With BASIC authentication
    it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure
    the server doesn't produce a client certificate request. May it be the cause of the problem? If so,
    how can I make the server generate the client cert request?

    Exactly, it was the reason. Thanks.
    Marcin
    On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
    >
    You must have been accessing the server over one-way SSL. Make sure the
    two-way SSL server attribute is set to: Client Certificate Enforced, or Client
    Certificate Requested But Not Enforced.
    This should be all that is needed to make the server send the
    certificate request.
    With the Client Certificate Enforced option you should be getting an SSL
    handshake failure unless the client sends its certificate.
    Pavel.
    yazzva <[email protected]> wrote:
    Yes, I have. If I had not done it, I couldn't have accessed the service
    via https using basic authentication, and of course the SSL debugging
    information and server configuration show that SSL is configured
    properly.
    The problem is that WL7 doesn't generate the client cert request. Thanks
    for an attempt to help.
    Have you configured the server for two way ssl?
    See
    http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
    http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
    for information on this.
    Pavel.

  • Client Cert Authentication

    Is there any documentation that explain how to set up iAS 6.0 SP3 to use
    Client Cert Authentication?
    Thanks in advance,
    Jose.

    Hi,
    I am not able to understand what "client cert authentication" means. Can
    you please elaborate more on this? If this means the authorization process by
    any chance, then iAS uses the LDAP that is bundled along with iAS to
    authenticate. There is no other means to validate the users.
    Regards
    Raj

  • Tutorial on using client cert with Tomcat 5

    Hello,
    I'm looking for a tutorial on using client-cert method with tomcat 5.0.28 with jsp pages.
    I want to generate my own certs and keys.
    Is there anything like this on the web ?
    Thanks

    Maybe you could try searching the Tomcat mail archives or post your question to one of their mailing lists.
    http://jakarta.apache.org/site/mail.html

  • How to handle Client Certificate authentication using URLRequest/URLLoader

    Hi All,
    I developed an AIR application which communicates with a server. The protocol used for communication is HTTPS, and the server has a valid certificate.
    So whenever the AIR app communicates with the server, a dialogue box prompts to select the client certificate, just as shown below.
    So what I am looking for is: is any method available to prevent this prompt?
    I have already tried the method of enabling "Don't prompt for client certificate selection when only one certificate exists". Of course this method will only work when a single certificate exists, so what if multiple certificates exist?
    How can an AIR application handle that?
    Has anyone found any way to handle this? I am using URLRequest for communicating with the server.
    Here is the code snippet I have used.
    var request:URLRequest = new URLRequest(url);
    request.method = URLRequestMethod.GET;
    var urlLoader:URLLoader = new URLLoader();
    urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
    // handler functions (loaderCompleteHandler, openHandler, ...) are defined elsewhere in the application
    urlLoader.addEventListener(Event.COMPLETE, loaderCompleteHandler);
    urlLoader.addEventListener(Event.OPEN, openHandler);
    urlLoader.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
    urlLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
    urlLoader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler); //, false, 0, true);
    // the request is only sent (and the certificate prompt only appears) once load() is called
    urlLoader.load(request);
    Please help me...
    Thanks
    Sanal

    Yes it is possible. Refer
    Using Certificates for Authentication [http://docs.sun.com/app/docs/doc/820-7985/ginbp?l=en&a=view]
    SSL Authentication section in [http://docs.sun.com/app/docs/doc/820-7985/gdesn?l=en&a=view]
    client-auth element in server.xml [http://docs.sun.com/app/docs/doc/820-7986/gaifo?l=en&a=view]
    certmap.conf [http://docs.sun.com/app/docs/doc/820-7986/abump?l=en&a=view]
    certmap.conf should have verifycert "on". Let's say this certmap is called "cmverify":
    certmap cmverify    default
    cmverify:DNComps
    cmverify:FilterComps    uid
    cmverify:verifycert     on
    In server.xml we should have <client-auth> "required", and let's say we have an auth-db named "ldapregular":
    <http-listener>...
      <ssl>...
        <client-auth>required</client-auth>
      </ssl>
    </http-listener>
    <auth-db>
      <name>ldapregular</name><url>ldap://myldap:369/o%3DTestCentral</url>
      <property><name>binddn</name><value>cn=Directory Manager</value></property>
      <property><name>bindpw</name><value>...</value><encoded/></property>
    </auth-db>
    In the ACL file we should have method = "ssl", database = "ldapregular" and certmap = "cmverify":
    # clientauth against LDAP database with special certmap which has verifyCert on
    acl "uri=/";
    authenticate (user,group) {
        prompt = "Enterprise Server";
        method = "ssl";
        database = "ldapregular";
        certmap = "cmverify";
    };
    deny (all) user = "anyone";
    allow (all) user = "alpha,beta,gamma";

  • How to enable Client Cert Required, only for certain URL's in the webserver

    We are using Netegrity SiteMinder for authentication and their plugin is executed as an AuthTrans function. If I enable clientauth in server.xml (which is basically turning on "client cert required" for the entire site), everything works fine. But if I want to turn that on only for certain URLs, how do I do that?
    I tried turning global clientauth off in server.xml and tried using the PathCheck fn "get-client-cert" in obj.conf for the URLs that need a client cert, but the problem is that AuthTrans is executed first and my Netegrity plugin throws an error saying it can't find the cert.
    What are the different options to enable "cert required" only for certain URLs?
    Thanks

    What is the condition you want to match?
    You can use get-client-cert in If tags in Web Server 7.0.
    For example, if the condition is matched, this gets a cert, requesting it if it is not already present and failing the request if it can't obtain an acceptable cert, only on POST requests:
    <If $url ~="*abc*">
    PathCheck fn="get-client-cert" method="POST" dorequest="1" require="1"
    </If>
    or
    <Object ppath="*abc*">
    PathCheck fn="get-client-cert" dorequest="1" require="1"
    </Object>
    For more details:
    http://docs.sun.com/app/docs/doc/819-2630/6n4thbiek?a=view#indexterm-380

  • How To Use Client Side Certificate to access the SOAP service

    HI,
    I am on the client side and need to access a remote SOAP server using a certificate.
    I don't know how to add the certificate in my Java code, although I can get it as an X509Certificate. The following is my code.
    Thanks for any help
    import java.io.IOException;
    import java.security.cert.X509Certificate;
    import java.util.Vector;
    import org.apache.soap.Constants;
    import org.apache.soap.rpc.Parameter;

    public class Dash911 {
        public static void main(String args[]) throws IOException {
            try {
                // I have a Cert class that generates the cert
                X509Certificate certificate = (new Cert()).getCertificate();
                String targetURI = "http://schemas.ecs.telefinity.com/webservices/postal/";
                String methodName = "FindStreet";
                String encodingStyleURI = Constants.NS_URI_SOAP_ENC;
                Vector params = new Vector();
                String[] names = {"Westcorp", "35805"};
                params.addElement(new Parameter("names", names.getClass(), names, null));
                String endpointURL = "https://prototype.test.telefinity.com/integrationprovisioning/postal.asmx";
                // makeCall (not shown in the post) performs the Apache SOAP RPC invoke;
                // note that 'certificate' is never wired into the HTTPS connection here
                makeCall(targetURI, methodName, encodingStyleURI, null, params, endpointURL);
            } catch (Throwable t) {
                t.printStackTrace(); // the posted version swallowed every error silently
            }
        } // main
    }
    Thanks a lot

    Keystore or truststore may well be the same file; what matters is how you use it
    each time: if you need to authenticate yourself (no matter whether you are a
    server or a client), you will have to initiate your SSLContext with such a file
    managed by a TrustManager. On the other hand, you just do the same but
    indicate that your file shall be managed by a KeyManager.
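The JSSE wiring the reply above is talking about, as an added example that is not from the original post or from any product's own code: the KeyManager is loaded from the client's own keystore (its certificate and private key) and is what answers the server's CertificateRequest; the TrustManager is loaded from a truststore holding the CA that issued the server certificate and decides which servers are accepted. The file names, passwords, host and port are assumptions. The same code also answers the "how do I know whether we actually sent the certificate" question in the OSB thread further down, and the WL7 question above: after the handshake, SSLSession.getLocalCertificates() returns the chain the client sent, or null when the server never asked for one (one-way SSL) or no key-store entry matched the issuers it asked for. Running with -Djavax.net.debug=ssl:handshake and looking for the CertificateRequest message in the output gives the same answer from the wire.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS client built on plain JSSE, no application-server classes.
 * Assumed inputs (not from the original post):
 *   client.p12     - PKCS#12 file with the client certificate and its private key
 *   truststore.jks - JKS file with the CA certificate(s) that signed the server cert
 */
public class MutualTlsClient {

    /** Builds an SSLContext that presents a client certificate and trusts the given CAs. */
    public static SSLContext buildContext(String clientP12, char[] clientPassword,
                                          String trustStorePath, char[] trustPassword)
            throws Exception {
        // KeyManager: our own identity (certificate + private key). JSSE picks an
        // entry from this store when the server sends CertificateRequest.
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) {
            clientKeys.load(in, clientPassword);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, clientPassword);

        // TrustManager: which server certificates we accept. Never drop in an
        // accept-everything TrustManager here; that leaves only one side of the
        // mutual authentication intact.
        KeyStore trusted = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trusted.load(in, trustPassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Completes a handshake and reports whether a client certificate was sent.
     * getLocalCertificates() is null when the server never requested a certificate
     * (one-way SSL) or when no keystore entry matched the CAs it listed.
     */
    public static boolean clientCertWasSent(SSLContext ctx, String host, int port)
            throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            SSLSession session = socket.getSession();
            Certificate[] sent = session.getLocalCertificates();
            return sent != null && sent.length > 0;
        }
    }

    /** Plain HTTPS GET over the mutual-TLS context; returns the HTTP status code. */
    public static int httpsGet(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths, passwords, host and port; replace with your own.
        SSLContext ctx = buildContext("client.p12", "changeit".toCharArray(),
                                      "truststore.jks", "changeit".toCharArray());
        boolean sent = clientCertWasSent(ctx, "localhost", 7002);
        System.out.println("client certificate sent during handshake: " + sent);
        if (sent) {
            System.out.println("HTTP status: " + httpsGet(ctx, "https://localhost:7002/"));
        }
    }
}
```

If clientCertWasSent returns false against a listener that is supposed to be two-way, the fault is on the server side (one-way SSL, or a CertificateRequest whose issuer list does not include your client certificate's CA); if it returns true but the application still answers 401, the handshake is fine and the problem is the certificate-to-user mapping in the container.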

  • JavaPlugin Applets don't work if you require Client-cert authentication

    Our whole organization is about to start using Java SmartCards for everything in the near future. (DoD's common access card.) I foresee enormous problems for applications that are currently using applets in them as a result unless something is done to fix a bug in the next version of the plugin.
    This link below is in reference to a bug which Sun seems to believe is fixed and closed.
    http://developer.java.sun.com/developer/bugParade/bugs/4681247.html
    I am posting here, because I believe that postings against this bug will never be read by anyone. Here is a short explanation of the problem:
    The Java Plugin cannot download archives when the web server requires client side certificates. The fix is to tell the plugin where your certificate file is at. This recommended fix is bad if you are using software certs, because you don't have 1 certificate for all of the internet sites for which you need a cert. It also tells you to type your cert password in the clear on the filesystem so that the plugin can find it.
    But most importantly, this advice is totally useless if you are using hard token certs such as .... JavaCards. PKCS11 modules are not files. They are plugins that supply the algorithms that are going to be done securely in the smartcard. This means that you cannot lock down a web server based application to require a smartcard if that application is using applets. The plugin needs to use the exact same protocol to download the archive as it used to get the applet tag that requires it.
    In the same vein, it was an irritating experience to get some JavaCards and after much work come to the conclusion that the design of the JSSE makes it incompatible with JavaCard for client/server style applications. (Somebody tell me that you have a JSSE compliant toolkit in which you can make a standalone Java application that opens up SSL connections to servers and can use a JavaCard resident certificate to do so. It seems that you have to resort to a third-party library to use JavaCard certs with JSSE.) Too many APIs are still being designed to assume that security modules consist of a set of X509Certificate/PrivateKey pairs from which you can extract the private key out of the module and supply it to an encryption or a signing algorithm. With hardware tokens, you can only assume that security modules consist of an X509Certificate, and a method that will do the encryption/signature. And this method does NOT take the private key as an argument: the private key is buried in the module as part of that method's definition.
    Anyway, it appeared that the pleas relating to this issue are not being heard because the issue has been closed. This is a BIG deal for organizations who are now starting to actually PKI enable their existing applications - which often involve applets.

    I commiserate.
    I believe the heavy reliance on the javax.net.ssl.keyStore system property is just wrong. An applet-local key manager for client-certificates would be really helpful.
    The current (1.4) plugin design includes its own certificate management ui (control panel). I feel this is wrong design. Why is there no upcall available from the applet framework into the host/browser's certificate management? The same sort of thing happened with the move from awt to swing. The not-invented-here mentality? What's next, a special java filesystem? :) Luckily applets are normally kept away from files, but with the impending service-oriented world, with certificates being passed about like Amoeba capabilities, better integration of the plugin with the host's security management is going to be a sore need.

  • How to use a Certificate authentication to connect to a ONTAP 8.3 Cluster in Posh?

    Hi All, I've configured my cluster Vserver to be able to authenticate via a self-signed certificate. I'm able to use the Perl NMSDK to connect and it works well. I want to use PowerShell cmdlets for this. How can I do this? I've tried Connect-NcCluster but I don't see any option to specify a certificate there. I'm also open to using the NMSDK for PoSh if someone can guide me on how to use it. I've tried that too but I can't get it working. Can anyone help? sinhaa

    Hi Sinhaa - You've discovered the key difference between the Perl API bindings in the NMSDK and the PowerShell toolkit. The NMSDK, and the Perl bindings in particular, easily exposes the entire SDK from basic connection methods, the low-level XML building mechanisms, and a single function wrapper around each individual ZAPI function call that handles both the XML building from and recovery into convenient Perl data structures. The entire API is accessible including higher privilege level options and commands. The PowerShell toolkit is much more a convenience wrapper around common functions for those in a Windows environment. It doesn't expose the entire API, it doesn't expose all the parameters of the APIs that it does wrap (for instance, you can't access or use options only available in Advanced or Diagnostic mode), and security is somewhat Windows centric in that it uses a saved credential model similar to other Windows systems. As my company tends to be more Windows centric the PowerShell toolkit tends to be the default utility used for most automation, but I drop to the Perl NMSDK bindings for almost everything I do of substance because I need the abilities it provides. I've asked through many channels for the PowerShell toolkit to at least add Advanced mode privilege options for a number of the cmdlets it provides. Haven't yet seen any indication that those will be forthcoming. Bob

  • How to use client.jar generated by deploytool for a EJB web service

    Hello!
    Could anyone help me?
    I use Sun Application Server to deploy my EJB module and expose it as a web service. Then I open the deploytool tree and select localhost under the Server branch. In the right panel it shows a list of deployed web services. I chose the recently deployed service and pressed the "Client Jar..." button to get the generated client stubs.
    Good.
    Could anyone tell me how I should use this jar file? It does not contain the ..._Service_Impl.class that is usually used to get the service port and call service methods.
    Please explain it to me.
    Thank you very much

    try
    jar tf Client.jar and look at what is inside.
    Usually you run the client to connect to the server (java -classpath blah pack.age.name.Client).
    Don't know how it's being done over there.

  • How to Use REGION_STATIC_ID in authentication scheme

    Hello,
    I am storing the Region Static ID in a table, and on the basis of that table I created an authentication scheme. I want to give a specific user access to that region.
    When I pass #REGION_STATIC_ID# into the authentication function it is not allowing me to do that.
    I want to use the static ID as below.
    -- authentication scheme function returning Boolean
    AND obj.OBI_APP_STATIC_ID = #REGION_STATIC_ID#
    Can anyone please help?
    Muhammad Rehan

    Hello Muhammad,
    >> I am storing Region Static ID in Table , on bases of that table I created an Authentication scheme
    The “out-of-the-box” APEX approach is different from yours. You maintain a list of regions per your users. APEX allows you to maintain a list of users per your regions (or other APEX component). You should check the principles of the APEX Access Control List - http://download.oracle.com/docs/cd/E14373_01/appdev.32/e11838/app_comp.htm#sthref1263 – and see if you can use them to your needs.
    Regards,
    Arie.
    ♦ Please remember to mark appropriate posts as correct/helpful. For the long run, it will benefit us all.
    ♦ Author of Oracle Application Express 3.2 – The Essentials and More

  • CLIENT-CERT - UserNameMapper problem

    Hi,
    I have a client, which sends a soap-message, containing a username, to a
    webservice, that responds with "hello, <username>". The communication
    is over ssl. The webservice is running in a weblogic server 7.0 sp1.
    I have 2-way ssl working. Now I'm trying to restrict access to the
    web-service.
    I changed the web.xml of the web-service to require BASIC as
    auth-method. This works fine.
    Then I changed BASIC to CLIENT-CERT in the web.xml.
    I changed the active type of the defaultIdentityAsserter to X.509.
    I implemented a UserNameMapper class, which prints data of the presented
    certificate, and returns a username, that exists in the
    embedded-ldap-realm of weblogic server, and that has the right to
    execute the webservice (it works with BASIC auth).
    I put the name of the UserNameMapper class in the
    defaultIdentityAsserter, and I included it in my classpath.
    The UserNameMapper is working, because the data of the certificate is
    printed on stdout. But I get a 401 (Unauthorized)-error code when trying
    to access the web-service.
    Can someone give me a hint on what I'm missing?
    Thanks,
    Noella
    ************* code of UserNameMapper *********************
    import java.security.cert.X509Certificate;
    import weblogic.security.providers.authentication.UserNameMapper;

    public class VZNUserNameMapper implements UserNameMapper {

        public VZNUserNameMapper() {
        }

        // Called by the X.509 identity asserter with the chain the client presented;
        // certs[0] is the client's own certificate.
        public String mapCertificateToUserName(X509Certificate[] certs, boolean ssl) {
            System.out.println(certs[0].getSubjectDN().toString());
            return "noella";
        }

        public String mapDistinguishedNameToUserName(byte[] distinguishedName) {
            return null;
        }
    }

    Thanks it worked. Somehow I missed in documentation this x.509 setting.
    I've also had a problem with setting "Client Certificate Requested But Not Enforced"
    in WLS 7.0.0 but it seems to be working fine in SP1.
    Thanks again
    Greg
    "kirann" <[email protected]> wrote:
    hi,
    I believe you need to turn on X.509 identity assertion in the server
    console.
    Please check the documentation.
    thanks
    kiran
    "Greg" <[email protected]> wrote in message
    news:3e243a25$[email protected]..
    Hi!
    I'm trying to set up my web application to use client-cert
    authentication. I've set in web.xml login config to
    <auth-method>CLIENT-CERT</auth-method>. When I'm accessing my
    application I'm always getting 401 Unauthorized. If I set
    login to BASIC, browser pops up login dialog and everything works
    fine.
    I've done following:
    - created and installed in WLS trusted CA certificate
    - created and installed client certificate signed by that CA in
    IE 5.5
    - configured WLS to use ssl and set "Client Certificate Enforced"
    - managed to connect to the document root or console application
    using https://localhost:7002/console and verified that the client
    certificate is actually used (not able to connect without one)
    Now I'm really stuck and have no ideas.
    Please help. Thanks in advance.
    Greg

  • Testing exampleswebapp/SnoopServelt.jsp on https and client-cert

    HI All:
    I am trying to set up 2-way authentication in wls7.0. I have not been able to pin
    down all the requirements for using client-cert authentication with 2-way authentication.
    I have done the following:
    1. enabled client certificate enforced under SSL tab
    2. specified client-cert as login mechanism in web.xml
    3. specified a security constraint and "INTEGRAL" as the transport mode for the
    URL pattern /SnoopServlet.jsp
    4. installed CertGenCA.der and client2certs.der, the certificates
    for the CA and client (generated using utils.CertGen), in the browser
    when I hit the jsp I get a page cannot be displayed.
    Any ideas what settings are wrong?
    TIA,
    -Sandeep

    Hi Sandeep,
    You did not mention the following necessary step.
    - Configure the Trusted CA File Name for the client cert
    If this step does not help, you can enable server-side
    debugging by setting the following property on the java
    command line when starting WebLogic.
    -Dssl.debug=true
    I hope this helps.
    Regards,
    Tom Hegadorn
    Developer Relations Engineer
    BEA Support
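What the application sees once the container has finished a two-way SSL handshake, as an added example that is not from the original posts or any vendor's code: the servlet specification exposes the client chain as the request attribute javax.servlet.request.X509Certificate, so a servlet like the SnoopServlet being tested above can show whether a certificate arrived at all, and a UserNameMapper like the one in the WebLogic thread above can derive a user name from the subject DN with the same CN extraction instead of a hard-coded value. The class name is hypothetical. Under a CLIENT-CERT login-config the container already answers 401 before the servlet runs when no certificate is mapped; the explicit checks here are for a listener set to "requested but not enforced", where the request does reach the servlet without a certificate.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (not from the original posts) that reports the client
 * certificate the container attached to the request after a two-way SSL handshake.
 */
public class ClientCertSnoopServlet extends HttpServlet {

    /** Attribute name defined by the Servlet specification for the client chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /**
     * Extracts the CN from the subject DN with a real RFC 2253 parser. Splitting
     * the DN string on commas breaks on escaped commas and multi-valued RDNs.
     */
    static String commonName(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null; // subject has no CN; callers must treat this as "no user"
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        if (chain == null || chain.length == 0) {
            // One-way SSL listener, plain HTTP, or "requested but not enforced"
            // with a client that sent nothing.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.println("no client certificate on this request");
            return;
        }

        X509Certificate leaf = chain[0]; // chain[0] is the end-entity certificate
        try {
            // The container verified the signature chain; the validity window is
            // cheap to re-check and protects against a listener with lax settings.
            leaf.checkValidity();
            out.println("subject:   " + leaf.getSubjectX500Principal().getName());
            out.println("issuer:    " + leaf.getIssuerX500Principal().getName());
            out.println("cn:        " + commonName(leaf));
            out.println("expires:   " + leaf.getNotAfter());
            // Non-null only after the container mapped the certificate to a user.
            out.println("principal: " + req.getUserPrincipal());
        } catch (CertificateException e) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.println("certificate not currently valid: " + e.getMessage());
        } catch (InvalidNameException e) {
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            out.println("unparseable subject DN: " + e.getMessage());
        }
    }
}
```

A "principal: null" line next to a populated subject is the signature of the 401 described in the UserNameMapper thread: the handshake and the certificate are fine, but the container has not been told how to turn the certificate into a user (the X.509 identity asserter is off, or the mapper returns a name that does not exist in the realm).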

  • Client Certificate Authentication not working in OSB 11g

    Hi All,
    I am currently having an issue with getting a 2 way SSL handshake to work in a production environment.
    We have the setup working and fully functional in a Test environment, however when we have deployed the code and made the same config changes in the Production environment, it does not work when calling the API (the result being as if we were not presenting the client cert to the API).
    All relevant configuration on Weblogic and OSB was performed (Keystore creation / Security Realm - Service Key Provider / Service Key Providers etc) and I believe to be right.
    We can test the keystore using SOAPUI and we get a valid response from the live API.
    We can see the relevant aliases in OSB Service Key Provider so I know that the Security Realm / Identity settings are correct on the Weblogic Server.
    The Test and Production WebLogic properties all look the same for Keystores / Security Realms / SSL etc. (except with live keystores etc.).
    As we can see the aliases in OSB when setting up the Service Key Provider, it should just be a matter of setting the 'Authentication' of the business service making the call to 'Client Certificate' and this has also been done.
    Though we always get an authentication error and code that matches what we would get if we turn off the client cert authentication on the business service in the test environment (i.e. not sending the certificate with the request).
    What I really want to know is how can I find out for sure whether we are sending this certificate with our request or not? As I am struggling to find a way to log these details.
    Any input appreciated.
    Jamie

    This issue has now been resolved.
    It was an environment specific issue rather than anything wrong with the actual code.

  • Web App Security Fallback (client-cert then form-based)

    Can you setup a web application to fall back to form-based login if the
    client-cert (i.e. identity assertion token) is not available. I think this
    would be very valuable because once you've configured the web app to use the
    "client-cert" authentication, you can't access the web app directly (i.e.
    browser->weblogic server). You will always need to go through the perimeter
    authenticator so the token gets sent.

    Solution found:
    The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works
