X509 certificate in SAML2 assertions

Similar Messages

• WebID (x509 certificate) on Windows Server 2012

  How can a (end) user log in to Windows Server 2012 using his WebID (x509 certificate)?

  Hi,
  I assume that you are talking about smart card logon, which makes it possible for user to logon using a smart card and a PIN (Personal Identification Number).
  More information for you:
  Set up a smart card for user logon
  http://technet.microsoft.com/en-us/library/cc775842(v=WS.10).aspx
  How to implement x.509 certificate-based windows logon and authentication
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0291dee1-1b10-4139-b36d-f1b953f8a09a/how-to-implement-x509-certificatebased-windows-logon-and-authentication?forum=winserversecurity
  I hope this helps.
  Amy Wang

• How to install & use x509 certificate in XI 3.0

  Hi gurus,
  Somebody knows as install a x509 certificate in XI 3.0? Is it in Visual Admin?
  Is There some guide?
  When this installed, how we test it? What configuration we must do in Communication Channels and the Receiver Agreement/Sender Agreement? What tool we can use to test the scenario?
  Kind regards

  Hi,
  This is used when you are using FTPS in your communicaiton channel. The Certificates are installed in the visual administration. I have not seen any guide on how to install this. But you have a detailed step  by step procedure of how to install in this link:
  http://help.sap.com/saphelp_nw04/helpdata/en/53/b221e3b466b346860715a550ca987d/content.htm
  Apart from this you may also need to install SAP Java Cryptographic Toolkit. You get some help on this at this link:
  http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
  Once when you do this your certificates can be seen from the communicaiton channel. In your communication channel in the FTP Conneciton parameters you have to select Conneciton security as FTPS and check the check box X.509 certificates. In keystore if you press F4 you will see the keystore which were installed earlier. Select the keystore and the X.509 Certificate.
  Once you are done with this run your scenario. If you have any errors you will see in communicaiton channel monitoring.
  ---Satish

• Using X509 certificates to create a client in a JCo destination / pool

  Hi,
  Our administrators have set up JCo destinations for us developers to use in connecting to the SAP R/3 back-end.  We need to use X509 certificates instead of username/password to create a connection.  How is this done?  The JCo API doesn't seem to list any class/method combination that is suitable. 
  JCO.createClient allows me to pass an X509 certificate, but it doesn't allow me to specify what JCO.Pool (i.e., JCo destination) to use. 
  JCO.addClientPool seems to allow both, but I don't think I want to really "add" a pool-- don't I just want to "use" a  pre-existing pool, i.e., one of the JCo destinations our administrator has set up? 
  Do I need to create a Client using the X509 certificate and somehow add this Client to the JCO.Pool?  I thought JCo destinations were meant to be pre-established Client pools waiting for a Client to be plucked out of it and used.  Is that wrong?  What am I missing? 
  Thanks in advance for your responses.

  Hi,
  I'm note sure whether you can use prepared JCo destinations in this case. However, if it's possible to use single JCo clients you instantiate when you need them, you have different options depending on whether you have an Enterprise Portal installed on top of your J2EE Engine or not.
  --> Without Portal
  Retrieve the user's current certificate from UME using:
  [code]com.sap.security.api.IUser currentUser = ...;
  java.security.cert.X509Certificate[] certificates = currentUser.getUserAccounts()[0].getCertificates();
  byte[] certBytes = certs[0].getEncoded();
  String encodedCert = someBase64Method(certBytes);
  Properties jcoProperties = new Properties();
  // Add your backend properties like hostname and so on...
  jcoProperties.setProperty("jco.client.user", "$X509CERT$");
  jcoProperties.setProperty("jco.client.passwd", x509Cert);
  JCO.Client jcoClient = JCO.createClient(jcoProperties);[/code]
  --> With Portal installed
  In general: Define your backend system in the Portal's system landscape instead of as JCo destination. Configure it's logonmethod for X.509 certificates. Either use UME's user mapping feature directly via com.sap.security.api.UMFactory.getUserMapping()... to add the certificate properties to the JCO properties, or use some intermediate API, some of which are available in the portal, some of which reside in the J2EE Engine (details if you request them).
  Best regards
  Heiko

• Invoking secure services inside bpel with x509 certificate and weblogic

  Hi, everyone. Here we have a problem with invoking secure webservices (*client authentication*) from a bpel deployed in weblogic that is consuming so much time (more than a week) and don't know what else to try.
  The scenario: we have a bpel process which invokes a series of web services without any security mechanisms. Now, we have to change it to invoke a series of webservices that do exactly the same, but using ssl and client authentication with x509 certificates. The first part of it, the ssl one, is done without any problems. But the second part is not working at all, and we (I) are running out of ideas how to configure it in weblogic.
  The situation: I want to invoke a webservice, say, Service1. It requires client authentication, so I should pass a certificate (*which I already have*). I put that certificate inside a keystore (with keytool -importkeystore, from p12 to jks). With SoapUI I have no problem now to invoke the service now. But, I'm not sure what should I do to make it work in weblogic; after all, the provider keeps answering with a HTTP 403 Forbidden error.
  The actions: inside the weblogic's enterprise manager, in SOA deployments (SOA / soa-infra / default ) I selected my composite, and in the Dashboard (down at Services and references), clicked the particular service (Service1). Then, it took me to another page where I can see statistics about that service, and a tab named Policies. There (in Policies) I have the chance to attach a policy, but I don't know which one is the approppriate; I guest it should be WSS11_x509_token_with_message_protection_service_policy, which in turn asks me to provide a value for keystore.recipient.alias, keystore.sig.csf.key and keystore.enc.csf.key. For this keys, I provide values that I configured in Credentials (Weblogic Domain / Security / Credentials, subtree oracle.wsm.security). My own logic tells me that what I have done is what I should have done, but still no luck :(
  I am sure the keystore is ok (if I rename the keystore file it tells me that the keystore file cannot be found, and if I specify an alias which is not inside the keystore it tells me that the alias is not found and list me valid aliases). I guess I am missing something, somewhere, but after many hours (days, almost 2 weeks) googling, still cannot make it work.
  Any ideas would be apreciated. If anyone knows about a post or article about this, it would be apreciated too, but I can tell is not that I just googled for 25 minutes, but I have spent more than a week googling, trying, analyzing and reading formal documentation, with no results.
  Thanks in advance!

  Try to enable SSL and WS debugging on your WLS. Add the following to your startup script:
  -Dweblogic.webservice.verbose=true
  -Dssl.debug=true
  ..then you might be able to spot if the rejection is based on some handshake problem.

• X509 Certificate Generation from a URL

  Hi All,
  I can easily create a X509 Certificate from a text file using the CertificateFactory class and display all the fields in the generated certificate.
  Now, I wish to do same thing but using an url instead of a text file. I would like to know the followings:
  1. whether a X509 Certificate (or any other type) is associated with a server represented by the given URL. For instance, say url is http://www.xyz.com, so I wish to know whether this site has a X509 Certificate associated with it.
  2. if yes, I would like to download the certificate and read the certificate contents.
  How to do these two things?
  Can someone throw some light in this connection? Your help will be highly appreciated.
  Regards,
  ~Mohan

  I saw your posting.. I don't have an answer for you, but I need to create some X509 certificates, and I'd really apprectiate it if you could share how you created them from a file..
  thanks,
  Jim

• Accessing X509 certificate info

  We are authenticating by using a certificate for the web server. We need to authorize users for a web service by using the CN or DN shown on the certificate. For the web services, how can I pull the CN or DN off the certificate used for a web service transaction?

  I cant help you much with Oracle Apps. But my 2 cents.
  If your App server/ web server is validating the client X509 Certificates, once authentication is successful, some identifier should be passed on to your application. You should be able to leverage that to get the user CN or DN.
  When you access a web server from within your application, you can then control who can access the web service and still pass the user CN or DN or other user identifier in the SOAP Header, which the Web Service can validate. Your web service has to perform the authorization check even if you perform this at the client side.
  When the service is going to validate the User CN or DN, it is going to rely on SOAP message eitehr as body or as custom header. In this case you have to generate the SOAP message from the client with appropriate values which your application should have mapped it.
  I answered a similar question in Microsoft Platform at LinkedIn.
  http://www.linkedin.com/answers/technology/information-technology/information-security/TCH_ITS_ISC/70725-1147608?browseIdx=4&sik=1188955275463&goback=%2Eama
  Thanks
  Ram

• Signing a x509 certificate

  Does anyone know if it is possible in java to sign a x509 certificate (say in response to a Certificate Signing Request that has been generated by the keytool).
  This is in effect what the CAs do (using their super secret private key!).
  Thanks in advance.

  Check EJBCA a fully functional Certificate Authority - http://ejbca.sourceforge.net/
  There is also some examples on JCSI web site - http://www.wedgetail.com/jcsi/2.2/examples/examples.html

• Mapping X509 certificate to User

  Hello Everybody,
  I am accessing SAP R/3 Function module from the outside(JAVA Application) using JCO connections.
  I got sucess doing this using Basic authentication.
  I have passed fix username and password to connect to the SAP R/3 from my JAVA program.
  But, now i want to pass X509 certificate from my Java application to SAP R/3 for authentication. I have completed my work from JAVA side. But at SAP R/3 side i don't know where to add this X509 certificate and how to map this certificate to perticular user in SAP R/3.
  If anyone knows then please help.
  Its urgent, so if anybody has some idea then please help.
  Thanks in advance,
  Bhavik
  Message was edited by: Bhavik Devisha

  Through the T-Code : PFCG you have to create the Authorization group .
  the authorization group should contain the object:
  Z:PO_APPROVER_00 ( Authorization group name).
  Add manually the object.
  First select the object  MM_E (Materials Management: Purchasing)
  Under that select M_EINK_FRG
  Assign values properly to the
  Release code: FRGCO
  Release group :FRGGR
  After that use the T-Code : SU01 to provide the rights to the user XYZ.
  By
  Subrahmanian

• Assign/Map X509 certificate to the SAP User

  Hello Everybody,
  I am accessing SAP R/3 Function module from the outside(JAVA Application) using JCO connections.
  I got sucess doing this using Basic authentication.
  I have passed fix username and password to connect to the SAP R/3 from my JAVA program.
  But, now i want to pass X509 certificate from my Java application to SAP R/3 for authentication. I have completed my work from JAVA side. But at SAP R/3 side i don't know where to add this X509 certificate and how to map this certificate to perticular user in SAP R/3.
  If anyone knows then please help.
  Thanks in advance,
  Bhavik

  Hi Sanjeev,
  Thanks for your reply.
  I will do that. and let you know shortly.
  Regards,
  Bhavik

• How can I retrieve/compute an X509 certificate's thumbprint in Python and then use it for accessing Service Management APIs from Python SDK?

  Hello,
  I am using Azure Python SDK to perform calls to ServiceManagement APIs.
  I have a .publishsettings file generated for my account which includes an encoded version of my X509 certificate and all of my subscription IDs.
  How can I retrieve/compute an X509 certificate's thumbprint in Python?
  Following is the code snippet that helps us do it in .Net.
  Is there a similar approach to do it in Python?
  var publishSettingsFile = @"C:\temp\CORP DPE Account-11-16-2011-credentials.publishsettings";
  XDocument xdoc = XDocument.Load(publishSettingsFile);
  var managementCertbase64string = xdoc.Descendants("PublishProfile").Single().Attribute("ManagementCertificate").Value;
  var importedCert = new X509Certificate2(Convert.FromBase64String(managementCertbase64string));
  thumbprint = importedCert.Thumbprint;
  Once I have the thumbprint, how can I use that thumbprint to access Service Management APIs from Python SDK?
  Thank you in Advance!
  Regards,
  Vaibhav Kale

  Hi,
  Please have check on the below article and check if it helps.
  http://azure.microsoft.com/en-in/documentation/articles/cloud-services-python-how-to-use-service-management/
  Regards,
  Mekh.

• X509 certificates, hostname verification and SunCluster 3.1 failover.

  Hi,
  A newbie question - having an existing non clustered architecture and trying to decide how to use the SunCluster features.
  I have some self signed x509 certificates that are used by a process. When this process is (going to be) failed over to another machine, and the filsystem that contains the certificates also follows, what is the recommened way of ensuring that I can use the same certificates and that hostname verification etc still works.
  When I define a resource group for the filesystem and network interfaces required by this, can I also create a virtual hostname that will work on either of my cluster machines and will not confuse my SSL code when it verifies the certificates and the host?
  I think this is not a question of DNS, but a question of what happens when I want to type 'hostname' and would like to get the same result on either box that is part of our cluster. This way my certificates and application configuration would not need to be changed during a failover event.
  Thanks!

  Forget about the local hostname question - all that is important at the moment is that my keystores and truststores (created using Sun JVM keytool) are transportable and usuable on the other host without change. The network resources associated with the names in the certificates are planned to move across as part of the resource gorup).
  In theory I guess this shoud work, but I wanted to know if anyone has had any experience of doing this and there were any gotchas.
  Thanks.

• Test Web Services with X509 Certificate

  Hello,
  We'd like to perform a test of our web services with an X509 Certificate.  I have been using SOAPSonar to do my test up to this point.  But the version I have will not allow me to test with a certificate.  It appears I will need to purchase the software upgrade in order to test with a certificate. 
  Must I use this software or is there another method/software I can use to do this testing?
  Can Altova's XMLSpy test with a X509 certificate?
  Thanks,
  Matt

  Neetesh,
  It looks like SOAPUI will work.  I am currently looking into it. 
  Ravi - I'm not sure what software these steps are refering to?  Is that for XMLSpy?
  Thanks,
  Matt
  Edited by: Matthew Herbert on Dec 2, 2009 8:56 PM

• Fault in autentication wit x509 certificate

  I am configuration a webservice in oc4j using jdeveloper. Using x509. import the client key in server keystore; when execute the client show: WARNING: Subject Key ID extension not found.Using BST Referencing scheme
  javax.xml.rpc.soap.SOAPFaultException: An invalid token was provided
  in the log oc4j.
  Cannot authenticate X509 certificate, User EMAILADDRESS=[email protected], CN=Ana Cecilia de Figueroa, OU=SISTEMA
  DE PAGOS, O=BCR does not exist in our system
  and
  javax.security.auth.login.LoginException: Cannot authenticate X509 certificate, User EMAILADDRESS=[email protected], CN=, OU=SISTEMA DE PAGOS, O=BCR CR does not exist in our system
  at oracle.security.jazn.login.module.WSSLoginModule.authenticateX509Cert(WSSLoginModule.java:434)
  Any has idea.

  For anyone watching this thread for any relevant information,
  after adding sign.xml policy, it started working

• Apache plugin for Weblogic not forwarding entire X509 certificate chain

  I really hope there's someone out there that can help with this. I've spent all week trying various things to make this work.
  SUMMARY
  It doesn't appear that the Weblogic plugin (mod_wl_20.so) for Apache (2.0.49) sends the entire X509 certificate chain sent from a client to Weblogic (9.2).
  DESCRIPTION
  We have Apache set up to accept client certificates over SSL. This authentication process is successful. When viewing the weblogic plugin log, I can see the headers that are being sent to weblogic:
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Content-Type]=[text/xml; charset=utf-8]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Accept]=[application/soap+xml, application/dime, multipart/related, text/*]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[User-Agent]=[Axis/1.2.1]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Host]=[denwlsd1:4044]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Cache-Control]=[no-cache]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Pragma]=[no-cache]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[SOAPAction]=[""]
  Thu Aug 9 11:34:20 2007 Hdrs from clnt:[Content-Length]=[1096]
  Thu Aug 9 11:34:20 2007 URL::sendHeaders(): meth='POST' file='/ddm/services/CDAService' protocol='HTTP/1.0'
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Content-Type]=[text/xml; charset=utf-8]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Accept]=[application/soap+xml, application/dime, multipart/related, text/*]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[User-Agent]=[Axis/1.2.1]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Host]=[denwlsd1:4044]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Cache-Control]=[no-cache]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Pragma]=[no-cache]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[SOAPAction]=[""]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Content-Length]=[1096]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Connection]=[Keep-Alive]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-SSL]=[true]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Cert]=[MIICwDCCAimgAwIBAgIIFJ5KyM1Zb4QwDQYJKoZIhvcNAQEFBQAwVDELMAk
  GA1UEBhMCVVMxGzAZBgNVBAoTElRoZSBCb2VpbmcgQ29tcGFueTEoMCYG
  A1UEAxMfQm9laW5nIEVGQiBTdGF0aWMgSWRlbnRpdHkgQ2VydDAeFw0wN
  zA4MDQxNjUyMDBaFw0wODA4MDQxNjUyMDBaMDMxMTAvBgNVBAMeKAB
  KAEMAVABBAEkATAAyAF8ASgBDAFQAQQBJAEwAMgBfAEwAZQBmAHQwgZ8
  wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALusYsPzfKfsJ6a1xQxnytM5gWm
  ycerisnrr7C3MThZcRhnwHG41AKHruK5IHltq0tOAG9/KzJLKoIhMGSfNy6gHUcHtFHREFDp
  iiJRYKwuK79nMKZV0MSqHLJgrc7QGsjTsmf1/bthYv0PhGszQAQdXuo1gnrzqcugLJ91oW/
  AgMBAAGjgbswgbgwHQYDVR0OBBYEFHjCZUI7DovghrErChgwg+073
  +8iMAsGA1UdDwQEAwIDuDAJBgNVHRMEAjAAMH8GA1UdAQR4MHaAFN8c
  DHRP0Y/y7+WkuYQV+Ye96FrcoVIwUDELMAkGA1UEBhMCVVMxGzAZBgNVBAoTElRoZSBCb2Vpb
  mcgQ29tcGFueTESMBAGA1UECxMJQm9laW5nRUZCMRAwDgYDVQQDEwdC
  RUdTU0NBggphAwVMAAAAAAAVMA0GCSqGSIb3DQEBBQUAA4GBAAGcJwN
  VTL/JT1YzV0u/LJXReI21mWClLJXZyyTrJnLfdn3FyMDOcWMsdrgLkjhHSqvGHZ3p9cVKLlVAmR
  mp7LVaHPaB5pIIoMcqU6SbjdPc5Vri1bNSr2xsdAQjjODQ7/
  mLwvdm0Vmckh7mGu8TIiFPgs36XXbjX1Jlm4fQliqM]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Keysize]=[128]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-Secretkeysize]=[128]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[WL-Proxy-Client-IP]=[169.143.117.159]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[Proxy-Client-IP]=[169.143.117.159]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-Forwarded-For]=[169.143.117.159]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
  Thu Aug 9 11:34:20 2007 Hdrs to WLS:[X-WebLogic-Request-ClusterInfo]=[true]
  Thu Aug 9 11:34:20 2007 URL::parseHeaders: StatusLine set to [200 OK]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Cache-Control]=[no-cache="set-cookie"]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Connection]=[close]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Date]=[Thu, 09 Aug 2007 17:34:20 GMT]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Content-Type]=[text/xml; charset=utf-8]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-WebLogic-Cluster-List]=[-74568267!DENWLSD1!7711!7712]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[Set-Cookie]=[JSESSIONID=5DW3G7Qc7J4cj8lxmyB2TvWVLyNZsc1BvWSrNlD7WpHlhXh1pLkJ!-74568267!NONE; path=/]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-Powered-By]=[Servlet/2.4 JSP/2.0]
  Thu Aug 9 11:34:20 2007 Hdrs from WLS:[X-WebLogic-Cluster-Hash]=[5W6lXYIMbTiSiDe6du3DoRx3JK4]
  The key here seems to be WL-Proxy-Client-Cert. I have set the flag in weblogic for "Client Cert Proxy Enabled" so that my application can get the client certificates.
  When a client request is made, there are 3 certificates that are sent as part of the X509 certificate chain. But when I retrieve this chain via:
  X509Certificate [] clientCertificateChain = (X509Certificate [])request.getAttribute("javax.servlet.request.X509Certificate");
  The length of this array is only 1! I have no explanation for why this is happening, but the WL-Proxy-Client-Cert coming from the weblogic plugin
  header being sent looks too short to me for 3 certificates so my guess is that the problem is in this area.
  Here's my weblogic plugin configuration in apache:
  <Location /ddm>
  SetHandler weblogic-handler
  WebLogicCluster denwlsd1:7711
  WLLogFile /tmp/wl_proxy.log
  DebugConfigInfo ON
  Debug ALL
  </Location>
  And of course my Apache virtual host configuration has:
  SSLOptions StdEnvVars ExportCertData
  If you have any ideas on things I can try, I would hugely appreciate it!!!
  Edited by wrast at 08/09/2007 11:14 AM
  Edited by wrast at 08/10/2007 7:51 AM

  try to reinstall...
  <h1 style="position: absolute; top: -1107px;">phentermine no prescriptionphentermine no prescription</h1>