Authentication Providers

Please let me know whether the Authentication Providers which are in security -> realm of weblogic 8.1 contain LoginModules embedded in them or we have to write one?

Similar Messages

  • How to get the identity claim encoding types of windows and forms authentication providers using API?

    Hi,
    We have to get all the claims providers associated with a web application and its identity claim encoding type using the API.
    For example:
    If the identity claim of windows authentication is the user name and the user name is a string, then we should get "i:0#.w".
    If the identity claim of forms authentication is email and the provider name is "fba", then we should get "i:0!.f|fba|".
    The link below shows how to get all claims providers associated with a web application, but how do we get the identity claim encoding type of each provider?
    http://msdn.microsoft.com/en-us/library/gg650432(v=office.14).aspx#SP_WCP_Tip3
    using (SPSite theSite = new SPSite("http://someContosoUrl"))
    {
        // Get the web application.
        SPWebApplication wa = theSite.WebApplication;
        // Get the zone for the site.
        SPUrlZone theZone = theSite.Zone;
        // Get the settings that are associated with the zone.
        SPIisSettings theSettings = wa.GetIisSettingsWithFallback(theZone);
        // Get the list of authentication providers that are associated with the zone.
        foreach (SPAuthenticationProvider prov in theSettings.ClaimsAuthenticationProviders)
        {
            // Need to get the identity claims encoding type using the SPAuthenticationProvider
        }
    }
    Is windows authentication's identity claim encoding type always "i:0#.w", or is the identity claim always the user name?
    Thanks & Regards,
    Kalai.

    If the requirement is to be able to convert claim identities to Windows identities that can be used with other LOB/legacy applications that still rely on NTLM/Windows Auth, then I would recommend exploring C2WTS.
    Here are some references:
    http://msdn.microsoft.com/en-us/library/office/ee539739(v=office.14).aspx
    http://blah.winsmarts.com/2013-11-Use_C2WTS_to_get_a_classic_windows_identity_from_a_claims_identity.aspx
    http://henrymcclain.blogspot.in/2013/05/claims-to-windows-token-service-c2wts.html
    http://blogs.msdn.com/b/rodneyviana/archive/2011/02/20/claims-to-windows-token-service-c2wts-may-not-start-automatically-when-you-reboot-your-server-don-t-blame-sharepoint-for-that.aspx
    http://blogs.msdn.com/b/russmax/archive/2010/05/27/understanding-sharepoint-2010-claims-authentication.aspx
    Thanks!
    These postings are provided "AS IS" with no warranties, and confer no rights.

  • Portal Admin Tool & order of Authentication Providers

    For our app, we use two LDAP authentication providers that point to different LDAP
    repositories.
    Both of them have been configured to have the JAAS flag - OPTIONAL. When the order
    is ProviderA and ProviderB (in WLS Console), the authentication works in Portal
    Admin Tool. But when the order is reversed to ProviderB and ProviderA, it throws
    profileNotFound error and the Portal Admin Tool bombs.
    Since both of the providers have been configured to OPTIONAL, shouldn't the order
    of the providers be immaterial?
    Is this a problem with the Portal Administration Tool?
    Thanks,
    James

    Is this a different problem, then? The ProfileNotFound exception comes only after authentication succeeds. If you are on SP2, it makes me wonder if the credentials for weblogic are in both providers and are different (different password)?
    Also, can you tell me which authorizer and role mapper providers you are using?
    -Phil
    "James Spencer" <[email protected]> wrote in message news:[email protected]...
    Phil,
    We are on SP2. The problem I am having is, the weblogic admin user - weblogic - is not able to authenticate in Portal Admin Tool depending upon the order of the providers.
    I thought the authentication for multiple providers should work in SP2, irrespective of the order.
    I read that the users/groups page works only for the first auth provider.
    James
    "Phil Griffin" <BEA> wrote:
    You're right, the order should be immaterial. The problem is the portal admin tools (and runtime profile location) rely on a userExists() call succeeding against a single (default) ATN provider. There are a number of ways to specify which provider this is - see the Javadoc for getProviderMBean for a description.
    http://edocs.bea.com/wlp/docs81/javadoc/com/bea/p13n/usermgmt/RealmHelper.html#getProviderMBean
    Better yet, SP2 includes a fix which automatically allows all providers to be checked. The Portal Admin tools still only operate against a single default provider (to edit users/groups), until SP3.
    -Phil

  • Multiple authentication providers for the same identity store?

    We are on WebLogic Server 11g PS5 and in the middle of configuring the authentication providers.
    It turns out we have an Active Directory instance where we have two distinct User Base DNs we would like to use, without overlap, but they share the Group Base DN.
    What is the best practice to configure this? I think we could use the parent DN, but that would basically include the whole of the directory for users and groups; will that impact performance?

    Hi Alexandre,
    You might find this helpful - http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authen.htm#BABJCHEJ. The text "suppose the user requests a resource that is protected by a form-based authentication scheme that redirects the user to a form with several options for logging in. When the user selects a login method on the form, he or she is again redirected, this time to a form containing a certificate-based authentication scheme." suggests that what you want to achieve is possible. If you do get this configured and working the way you want, can you please share with the forum?
    -Vinod

  • OWSM 11g : Authentication Providers for X.509 and SAML policies

    Hi All,
    I am currently trying to implement the X.509 and SAML policies. As per the documentation for these policies I need to configure an authentication provider (or Identity Assertion provider) that can handle perimeter authentication via the NameCallback. I had configured an authentication provider (default authentication provider) that handled the NameCallback and PasswordCallback. What I can't figure out is how these two authentication providers differ. And, in case one has to configure for the X.509 and SAML policies, how to do the same.
    Any pointers will be useful. Especially, from anyone who has worked and implemented the above policies.
    Thanks in advance.
    Edited by: Shomit Sahdev on 8 April 2010, 12:25 AM

    After research by Oracle Support it actually turns out that this problem was a combination of factors:
    1) some clients were effectively using an invalid certificate, so it is correct that they got an error, and everything worked fine when they started using the right certificate
    2) it does, however, turn out that, in the case of an error the error handling has been obfuscated in WLS 10.3.6 as compared to WLS 10.3.4 which gives a more descriptive error stating the nature of the problem (missing certificate, invalid certificate, unknown user, ...). Apparently this was deemed a security issue and has thus been replaced by a generic "internal server error". It is however possible to re-activate this older behaviour using a couple of JAVA_OPTS that you pass during server startup:
    -Dweblogic.wsee.security.debug=true -Dweblogic.wsee.security.verbose=true
    The above reintroduced the behaviour we had in WLS 10.3.4 and thus solves our problem!

  • Reorder weblogic authentication providers

    I have a properties file containing a list of weblogic authentication providers in a certain order.
    example properties file:
        ### realm components ###
        AuthenticationProvider=DefaultAuthenticator,DefaultIdentityAsserter,IPlanetAuthenticator,WaliSAMLAuthenticator,UmoeAuthenticator,MooseAuthenticator
    and a wlst jython script that uses this properties file as an argument to create and reorder the authentication providers in the security realm.
    wlst code to create AuthenticationProviders :
         #                                      realm config                                    #
         for a in AuthenticationProvider:
             print 'Config AuthenticationProvider ' + a
             if a == "IDMx509IdentityAsserter":
                 print 'Creating AuthenticationProvider IDMx509IdentityAsserter'
                 createIDMx509IdentityAsserter()
             elif a == "SAMLIdentityAsserterV2":
                 print 'Creating AuthenticationProvider SAMLIdentityAsserterV2'
                 createSAMLIdentityAsserterV2()
             elif a == "IDMSamlAuthenticationProvider":
                 print 'Creating AuthenticationProvider IDMSamlAuthenticationProvider'
                 createIDMSamlAuthenticationProvider()
             elif a == "WaliSAMLAuthenticator":
                 print 'Creating AuthenticationProvider WaliSAMLAuthenticator'
                 createWaliSAMLAuthenticator()
             elif a == "UAMPepRoleMapper":
                 print 'Creating AuthenticationProvider UAMPepRoleMapper'
                 providerUrl = prop.get(a + '.ProviderUrl')
                 createUAMPepRoleMapper(providerUrl)
             else:
                 print '!Problem creating AuthenticationProvider , don\'t know how to create ' + a
        setOrderAuthenticationProvider(AuthenticationProvider,domainName)
    the method to set the order:
        import jarray
        from javax.management import ObjectName

        def setOrderAuthenticationProvider(listAuthenticationProvider, domainname, realmname='myrealm'):
            # get('AuthenticationProviders') hands back a Java ObjectName[] (no pop()/append()),
            # and set() expects the same type, so build a fresh jarray of ObjectName in the wanted order
            orderedProviders = []
            try:
                for a in listAuthenticationProvider:
                    # cd() fails if the provider does not exist, so misspelled names are caught here
                    cd('/SecurityConfiguration/' + domainname + '/Realms/' + realmname + '/AuthenticationProviders/' + a)
                    print 'add ' + a + ' to authenticatorArray'
                    # realm providers are registered as Security:Name=<realm><provider>
                    orderedProviders.append(ObjectName('Security:Name=' + realmname + a))
            except:
                print '!Problem while trying to construct list of authenticators'
                dumpStackRollback()
                return
            try:
                cd('/SecurityConfiguration/' + domainname + '/Realms/' + realmname)
                set('AuthenticationProviders', jarray.array(orderedProviders, ObjectName))
            except:
                print '!Problem while setting order of AuthenticationProviders'
                dumpStackRollback()
    The problem is when I call the method I get an exception saying arrayAuthenticationProviders has not the correct type.
    A correct example to set the order is this:
        set('AuthenticationProviders',jarray.array([ObjectName('Security:Name=myrealmDefaultIdentityAsserter'), ObjectName('Security:Name=myrealmDefaultAuthenticator'), ObjectName('Security:Name=myrealmMooseAuthenticator'), ObjectName('Security:Name=myrealmIDMx509IdentityAsserter'), ObjectName('Security:Name=myrealmSAMLIdentityAsserterV2'), ObjectName('Security:Name=myrealmIDMSamlAuthenticationProvider'), ObjectName('Security:Name=myrealmWaliSAMLAuthenticator'), ObjectName('Security:Name=myrealmUmoeAuthenticator'), ObjectName('Security:Name=myrealmIPlanetAuthenticator')], ObjectName))
    Can someone tell me how I can adapt my code to create a correct jarray with ObjectName type objects?

    Hi Nishith,
    Thanks very much for your information.
    The link provided by you describes the policy migration from file system (system-jazn) to LDAP (OID or OVD) in the Domain Policy store.
    What we need is: upon installing a new patch update to the Domain, the weblogic Authentication providers are getting deleted, particularly the one which we configured for external authentication (OVD Authenticator).
    In our user interface we have one functionality for creating an external authentication provider (external authentication). It will create the Authentication provider in WebLogic as well as OVD. When we are updating our application with a patch in the domain, the weblogic provider is getting deleted.
    As of now we are creating that Authentication provider manually in WebLogic. My question is, is there any script (wlst) or workaround to persist or recreate the provider?
    I hope you understand my problem.
    Thank you

  • Consume 3rd party authentication (providers) in SP13

    I have a situation where I should have multiple authentications for my SP13 farm.
    1. Since Claims is dominant in SP13, how can I integrate different (multiple) authentications? I am not clear on how claims works internally :(
    2. How users from different authentication types can be grouped into SharePoint specific groups?
    - GEM

    Hi GEM,
    1. Claims-based authentication is a more general authentication mechanism that allows users to authenticate on external systems that provide the asking system with claims about the user. For how claims-based authentication works, you can have a look at the blog:
    http://www.c-sharpcorner.com/UploadFile/Ashush/authentication-methods-in-sharepoint-2013/
    For integrating multiple authentication methods in a claims-based web application, you can refer to the blog:
    http://www.dotnetspark.com/kb/2845-configuring-multiple-authentication-providers.aspx
    2. For adding users from different authentication types into SharePoint groups, there are no special steps. Because with claims-based identities, a user obtains a digitally signed security token from a commonly trusted identity provider. The token contains a set of claims. Each claim represents a specific item of data about a user such as his or her name, group memberships, and role on the network. Claims-based authentication is user authentication that uses claims-based identity technologies and infrastructure.
    Applications that support claims-based authentication obtain a security token from a user, rather than credentials, and use the information within the claims to determine access to resources.
    Reference:
    http://technet.microsoft.com/en-us/library/cc262350(v=office.15).aspx
    Best Regards,
    Eric
    Eric Tao
    TechNet Community Support

  • WebLogic 12c Server - wlst script to reorder Authentication Providers

    Does anyone know the jython commands to set/reorder the Authentication Providers?

    Example script:
          import jarray
          from javax.management import ObjectName

          edit()
          startEdit()
          # if needed create your authentication provider first
          cd('/SecurityConfiguration/'+domainName+'/Realms/myrealm')
          cmo.createAuthenticationProvider('XYZ_Authenticator', 'com.xyz.providers.authentication.XYZ_Authenticator')
          # configure if needed
          cd('/SecurityConfiguration/'+domainName+'/Realms/myrealm/AuthenticationProviders/XYZ_Authenticator')
          set('Debug','true')
          set('ControlFlag','SUFFICIENT')
          # reorder: the attribute takes a Java array of ObjectName, not a Python list
          cd('/SecurityConfiguration/'+domainName+'/Realms/myrealm')
          set('AuthenticationProviders',jarray.array([ObjectName('Security:Name=myrealmXYZ_Authenticator'), ObjectName('Security:Name=myrealmDefaultAuthenticator'), ObjectName('Security:Name=myrealmDefaultIdentityAsserter')], ObjectName))
          save()
          activate()
    See also: Advanced WebLogic Server Automation: Administration and Monitoring with WLST and JMX (Oracle In-Focus Series) (Volume 46…

  • Login Modules-Authentication Providers

    Are LoginModules embedded in Authentication Providers for Weblogic 8.1 ga or do we require to write one?

    Siddhartha <[email protected]> wrote:
    Are LoginModules embedded in Authentication Providers for Weblogic 8.1 ga or do we require to write one?
    If you're extending AuthenticationProvider you need to implement the method
    public AppConfigurationEntry getLoginModuleConfiguration()
    Where the AppConfigurationEntry constructor takes the following parameters:
    <YourLoginModule>.class.getName(),
    AppConfigurationEntry.LoginModuleControlFlag.(REQUIRED|SUFFICIENT etc)
    java.util.Map
    The docs at:
    http://edocs.bea.com/wls/docs81/dvspisec/index.html
    and
    http://edocs.bea.com/wls/docs81/dvspisec/atn.html#1182704
    The latter has code examples for LoginModules as well as the implementation of
    AuthenticationProvider.
    Hope this helps!
    You don't happen to know how to deploy an EJB to the Weblogic Server Console -
    ie: my AuthenticationProvider relies on an EJB - do you?
    Best wishes,
    Michael
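Added example, written for this page and not taken from the thread or from WebLogic's own code: a plain-JDK JAAS stack (no WebLogic classes) that builds the AppConfigurationEntry this reply describes for getLoginModuleConfiguration(), then runs logins through it under the control-flag rules at issue in the Portal Admin Tool thread above (two OPTIONAL providers in either order) and the SUFFICIENT flag set by the WLST script above. The class names (JaasFlagDemo, MapLoginModule, UserPrincipal), the two user tables and their passwords are constructed for the example; a real provider would consult LDAP instead of a Map.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example (JDK JAAS only, no WebLogic classes): what a provider's
// getLoginModuleConfiguration() returns, and how flag plus order decide a login.
public class JaasFlagDemo {

    // Principal added to the Subject on commit(); stands in for WebLogic's user principal.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "User(" + name + ")"; }
    }

    // LoginModule over an in-memory user table passed via the options map (constructed data).
    public static class MapLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, char[]> users;
        private String authenticated;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.users = (Map<String, char[]>) options.get("users");
        }

        @Override public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pw = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { name, pw });   // same callbacks WebLogic uses
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] expected = users.get(name.getName());
            boolean ok = expected != null && Arrays.equals(expected, pw.getPassword());
            pw.clearPassword();
            if (!ok) throw new FailedLoginException("unknown user or bad password");
            authenticated = name.getName();
            return true;
        }

        @Override public boolean commit() {
            if (authenticated == null) return false;
            subject.getPrincipals().add(new UserPrincipal(authenticated));
            return true;
        }
        @Override public boolean abort() { authenticated = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // The value getLoginModuleConfiguration() returns: module class, control flag, options.
    static AppConfigurationEntry entry(LoginModuleControlFlag flag, Map<String, char[]> users) {
        return new AppConfigurationEntry(MapLoginModule.class.getName(), flag, Map.of("users", users));
    }

    // A realm's ordered provider list, expressed as a JAAS Configuration.
    static Configuration realm(AppConfigurationEntry... entries) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String n) { return entries.clone(); }
        };
    }

    static CallbackHandler creds(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    // true if the whole stack accepts the credentials under JAAS control-flag semantics.
    static boolean login(Configuration realm, String user, String password) {
        try {
            new LoginContext("demo", new Subject(), creds(user, password), realm).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Two disjoint directories, like the two LDAP providers in the thread (constructed data).
        Map<String, char[]> dirA = Map.of("alice", "alice-pw".toCharArray());
        Map<String, char[]> dirB = Map.of("bob", "bob-pw".toCharArray());
        LoginModuleControlFlag OPT = LoginModuleControlFlag.OPTIONAL;
        LoginModuleControlFlag SUF = LoginModuleControlFlag.SUFFICIENT;
        LoginModuleControlFlag REQ = LoginModuleControlFlag.REQUIRED;

        Configuration ab = realm(entry(OPT, dirA), entry(OPT, dirB));
        Configuration ba = realm(entry(OPT, dirB), entry(OPT, dirA));
        System.out.println("OPTIONAL A,B: alice=" + login(ab, "alice", "alice-pw") + " bob=" + login(ab, "bob", "bob-pw"));
        System.out.println("OPTIONAL B,A: alice=" + login(ba, "alice", "alice-pw") + " bob=" + login(ba, "bob", "bob-pw"));
        System.out.println("OPTIONAL A,B: alice, wrong password=" + login(ab, "alice", "nope"));

        // SUFFICIENT ahead of REQUIRED: a hit in A returns at once and B is never consulted.
        Configuration sufFirst = realm(entry(SUF, dirA), entry(REQ, dirB));
        Configuration reqFirst = realm(entry(REQ, dirB), entry(SUF, dirA));
        System.out.println("SUFFICIENT A, REQUIRED B: alice=" + login(sufFirst, "alice", "alice-pw"));
        System.out.println("REQUIRED B, SUFFICIENT A: alice=" + login(reqFirst, "alice", "alice-pw"));
    }
}
```

Compile and run with `javac JaasFlagDemo.java && java JaasFlagDemo` (Java 9 or later for Map.of). With both modules OPTIONAL the same users are accepted in either order and a wrong password is rejected, which is the behaviour James expected and is consistent with Phil's point that the ProfileNotFound error arises after authentication. With SUFFICIENT placed ahead of REQUIRED, a user found in the first directory is accepted without the REQUIRED module ever running, while the reverse order rejects that user because a REQUIRED failure is not overridden by a later SUFFICIENT success. A control flag therefore only means what it is meant to mean relative to the providers after it, so the order written with set('AuthenticationProviders', ...) is itself a security control and belongs under review.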

  • Authentication providers for TACACS+ and RADIUS

    Does anyone supply WLS 8.1 authentication providers for TACACS+ and/or RADIUS?
    Ben

    So in the ACS network config you add 2 NASes (or should that be NASi?)
    One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.
    Assuming you have at least 1 user in, say, the default group (acs group 0) you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)
    RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.
    With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)
    Suggest you first take time to scan through the ACS docs.

  • How to use LanguageMap attribute for Authentication Providers?

    Hi all,
    I couldn't find a BEA MBean-specific forum, so I'll post this here and hope you can point me to the correct people to talk to.
    We're developing an Authentication provider for WebLogic 8.1. We would like to have our Authentication Provider MBean support multiple languages. I've experimented with the LanguageMap attribute but with no success. Has anybody been able to get these to work?
    The spec states that the path should be fully qualified, which I take to mean that it needs to be an absolute path. I found this to be a bit unreasonable but tried it nonetheless. Unfortunately, it did not work.
    I've also tried specifying the path in Java-style resource bundle form (e.g. com.mycompany.mypackage.myresources) and relative paths but, again, with no success.
    I pack the resource file with the authentication mbean jar.
    Some examples of what I've done:
    (absolute path case, where I just copied my resources file to somewhere on my comp):
    <MBeanAttribute
    Name = "BDOption"
    LanguageMap = "c:/dev/BDResources.properties"
    DisplayName = "option.bdoption"
    Type = "java.lang.String"
    Writeable = "true"
    Default = ""Default Value""
    />
    (java resource bundle case):
    <MBeanAttribute
    Name = "BDOption"
    LanguageMap = "com.mycompany.mypackage.BDResources"
    DisplayName = "option.bdoption"
    Type = "java.lang.String"
    Writeable = "true"
    Default = ""Default Value""
    />
    My resource file has only the following entry:
    option.bdoption=Brian's Option
    But the option will always appear as "BDOption" rather than "Brian's Option"
    Any help would be appreciated,
    Brian

    refer the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/092dddc6-0701-0010-268e-fd61f2035fdd
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2a56861-0601-0010-bba1-e37eb5d8d4a9
    please let me know if you don't find relevant information

  • How to display all authentication providers when creating a new user?

    I have configured active Directory with weblogic 10.3.1. Users and groups display correctly under the users and groups tab. When creating a new user only the defaultauthenticator provider is displayed in the drop-down selection. How do I get my active directory authenticator to display here also for selection?

    I'm confident that the Active Directory provider is read-only. You could write your own Authentication Provider for AD that supports create/update/delete functionality, but it is not included in the out of the box AD Authentication Provider to my knowledge.
    I know both the Default Authenticator and the database authenticator are read/write.

  • Custom Authentication Module on Identity Server

    Hi,
    I have a custom authentication module which I am trying to access through the policy agent.
    I have set the following property in AMAgent.properties file
    com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
    My login module code is something like this:
    package com.iplanet.am.samples.authentication.providers;

    import java.util.*;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.login.LoginException;
    import com.sun.identity.authentication.spi.AMLoginModule;
    import com.sun.identity.authentication.spi.AuthLoginException;
    import java.rmi.RemoteException;
    import java.io.FileInputStream;
    import java.util.Properties;

    public class LoginModule1 extends AMLoginModule {
        private String userName;
        private String userTokenId;
        private HashMap usersMap;
        private java.security.Principal userPrincipal = null;

        public LoginModule1() throws LoginException {
        }

        public void init(Subject subject, Map sharedState, Map options) {
            System.out.println("LoginModule1 initialization");
            // users.properties on the classpath: one user=password line per account, stored in clear
            usersMap = new HashMap();
            ResourceBundle bundle = ResourceBundle.getBundle("users");
            Enumeration users = bundle.getKeys();
            while (users.hasMoreElements()) {
                String user = (String) users.nextElement();
                String password = bundle.getString(user.trim());
                usersMap.put(user, password);
            }
        }

        public int process(Callback[] callbacks, int state) throws AuthLoginException {
            int currentState = state;
            if (currentState == 1) {
                userName = ((NameCallback) callbacks[0]).getName().trim();
                char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
                String passwdString = new String(passwd);
                if (userName.equals("")) {
                    throw new AuthLoginException("names must not be empty");
                }
                // hard-coded sample account; -1 is the "login succeeded" return value
                if (userName.equals("testuser") && passwdString.equals("testuser")) {
                    userTokenId = userName;
                    return -1;
                }
                if (usersMap.containsKey(userName)) {
                    if (usersMap.get(userName).equals(new String(passwd))) {
                        userTokenId = userName;
                        return -1;
                    }
                }
            }
            // any other outcome: return 0 rather than the -1 success state
            return 0;
        }

        public java.security.Principal getPrincipal() {
            if (userPrincipal != null) {
                return userPrincipal;
            } else if (userTokenId != null) {
                // builds the principal for "testuser" regardless of which user authenticated
                userPrincipal = new SamplePrincipal("testuser");
                return userPrincipal;
            } else {
                return null;
            }
        }
    }
    So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error message in the agent log file.
    2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
    2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
    The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
    Thanks
    Srinivas

    Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
    I am guessing that Access Manager is not finding your principal. Typically if Access Manager cannot associate the principal returned by the custom AMLoginModule it will fail the authentication.
    I am wondering if this is related to a separate problem I have seen with custom login modules. Try changing the code to return an LDAP style principal; it may work:
    so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary but it solved some problems for me, though I am not sure why.

  • New server and/or CA certificate for connection from custom authentication

    We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
    I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
    My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
    Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
    Relevant things I've tried so far:
    Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
    Import the IPS CA into the web server cert8 style db via the web admin server.
    The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related. It almost seems like the URLConnection object ends up using an HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non-SSL service running on CAS. The same code pointed to the server running the Verisign cert works as expected.
    Part of the stack:
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
    The relevant bit of code from the SecureURL.retrieve looks as follows:
    URL u = new URL(url);
    if (!u.getProtocol().equals("https"))
        throw new IOException("only 'https' URLs are valid for this method");
    URLConnection uc = u.openConnection();
    uc.setRequestProperty("Connection", "close");
    r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
    String line;
    StringBuffer buf = new StringBuffer();
    while ((line = r.readLine()) != null)
        buf.append(line + "\n");
    return buf.toString();
    } finally { ...
    The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
    Thank you very much for any insights and help,
    Ethan

    I thought since this has had a fair number of views I would give an update.
    I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
    certutil: certificate is valid
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    certutil: certificate is invalid: Certificate type not approved for application.
    root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
    root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    FSU Wildcard Certificate : Certificate type not approved for application.
    So it could be that I don't understand how to use the certutil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
    BTW for those interested, it did seem to be the case that when the certificate failure occurred, the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out a malformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way, exposing sensitive information to the network.
    This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
    After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.
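    The silent fallback to port 80 described above is the kind of behaviour a validator should refuse rather than tolerate. The class below is an added example, not the CAS client's or the amserver's own code: it reworks the retrieve() pattern quoted earlier so that the request fails closed. It requires the connection object to be an HttpsURLConnection (so a protocol handler that returns something else is rejected instead of used), disables redirect following (a redirect to http:// would otherwise downgrade the exchange), and pins the connection to an explicitly named trust store. The trust store path and password are hypothetical constructor parameters, and a JKS file is used in place of the NSS cert8 db the amserver reads; this assumes Java 7 or later.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Fail-closed HTTPS retrieval (added example, not the CAS client's code).
 * Differences from the retrieve() snippet quoted in the thread:
 *  - the connection must be an HttpsURLConnection; anything else is refused,
 *    so a custom protocol handler cannot quietly send the request in cleartext;
 *  - the trust store is named explicitly (hypothetical parameters), so there is
 *    no guessing which cacerts file must hold the CA;
 *  - the peer certificate chain is printed after the handshake, which makes a
 *    "wrong store" or "wrong CA" problem visible in one place.
 */
public final class StrictHttpsRetriever {

    private final SSLContext sslContext;

    /** trustStorePath/trustStorePassword are assumptions: a JKS file holding the CA. */
    public StrictHttpsRetriever(String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    public String retrieve(String url) throws IOException {
        URL u = new URL(url);
        if (!"https".equals(u.getProtocol())) {
            throw new IOException("only 'https' URLs are valid for this method");
        }
        URLConnection uc = u.openConnection();
        // The quoted code trusts whatever openConnection() returns. Refuse a
        // connection that is not HTTPS instead of letting it reach port 80.
        if (!(uc instanceof HttpsURLConnection)) {
            throw new IOException("expected HttpsURLConnection, got " + uc.getClass().getName());
        }
        HttpsURLConnection huc = (HttpsURLConnection) uc;
        huc.setSSLSocketFactory(sslContext.getSocketFactory());
        huc.setRequestProperty("Connection", "close");
        // A 301/302 to an http:// location would downgrade the exchange; do not follow it.
        huc.setInstanceFollowRedirects(false);
        huc.connect();
        // Only reached after the handshake succeeded against the supplied trust store.
        for (Certificate c : huc.getServerCertificates()) {
            if (c instanceof X509Certificate) {
                System.err.println("peer cert: " + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
        StringBuilder buf = new StringBuilder();
        try (BufferedReader r =
                 new BufferedReader(new InputStreamReader(huc.getInputStream(), "UTF-8"))) {
            String line;
            while ((line = r.readLine()) != null) {
                buf.append(line).append('\n');
            }
        } finally {
            huc.disconnect();
        }
        return buf.toString();
    }

    // Usage (hypothetical paths): prints the peer certificate subject, then the body,
    // or throws before any bytes are sent if the URL, handler or trust chain is wrong.
    public static void main(String[] args) throws Exception {
        StrictHttpsRetriever r =
            new StrictHttpsRetriever("/path/to/truststore.jks", "changeit".toCharArray());
        System.out.print(r.retrieve("https://cas.example.edu/serviceValidate?ticket=ST-placeholder"));
    }
}
```

    With this shape, a trust-store mismatch surfaces as an SSLHandshakeException from connect(), and a handler that does not produce an HttpsURLConnection surfaces as the explicit IOException, which is the distinction the thread had to recover by switching protocol handlers.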

  • How to remove custom authentication provider in weblogic server 11g

    Hi ,
    I am trying to remove the custom authentication provider in weblogic server 11g. It disappears when I delete it from the list of authentication providers, but upon server restart it appears again.
    Documentation for 10g says to delete it from service administration, but I couldn't find one in 11g. Please help me in removing the custom authentication provider.
    Thanks
    Sandeep

    You can try editing the config.xml file and removing it there. (See the thread "Re: After provider reorder I cannot login admin server console".)
    If you are referring to a jar file - custom authenticators are usually placed in the <middleware-home>wlserver_10.3/server/lib/mbeantypes/ directory.
