Business Connector: present client certificate to webserver

Hello,
We are running an SSL-enabled BC 4.7 core fix 8. We want to establish a connection
from the BC to an external webserver (over https, Transport: XML). The external server requires authentication using client certificates (BC has to present its certificate to the server).
How can I configure the BC to present a client cert to the webserver?
Currently I can find the following in the BC error log:
005AA1  B2BCORE.0009.0013 ChainVerifier: subjectDN ...
005AA2  B2BCORE.0009.0014 ChainVerifier: issuerDN ...
005AA3  B2BSERV.0048.9999 Peer sent alert: Alert Fatal: handshake failure
005AA4  B2BSERV.0048.9999 Peer sent alert: Alert Fatal: handshake failure
005AA5  B2BPCKG.0073.0039 Runtime: error in RR Flow wm.PartnerMgr.flows.605298.0000800037:ORDERS: com.wm.app.b2b.server.ServiceException: iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
005AA6  2BSERV.0048.9999 Peer sent alert: Alert Fatal: handshake failure
Seems like the SSL handshake fails because the BC doesn't present a client cert...
Thanks and best regards,
Jens
Edited by: Jens Wannenmacher on May 14, 2008 11:42 AM

>Hello,
>did you check the logs on the server side? Are you sure the calls are arriving? Can you switch for a first test to HTTP to check if IP/Port are correct and nothing is blocked by a firewall?
>The configuration you described in BC looks correct.
>Another idea is to increase the log level on BC to 8 and then retry. Then check the server log for new interesting entries, for example of facilities 0006 and 0009 (and maybe 0012).
>CSY
Hello,
yes the target is reachable correctly via SSL and asks for a client cert.
I started the BC with the following command line but I only get the error messages above in sapbc.log:
server.bat -log sapbc.log -debug 10
best regards,
Jens

Similar Messages

  • EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

    Hello,
    I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
    The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
    While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
    Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
    What was done:
    - set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.
    - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
    - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
    What I can see while running a wireshark trace on freeradius is:
         - both parties negotiate properly that they will engage in EAP-TLS.
         - they  start the TLS handshake
         - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
         - Client (phone) never sends its certificate (MIC) to the server.
         - Client restarts EAP-TLS negotiation and goes on and on.
    Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
    Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
    Phone firmware is 9.2(3) and callmanager 8.6
    Thanks
    Gustavo Novais

    Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain

  • How to send XML files through Business Connector to client URL

    Dear ALL
    I am new to SAP BC. We have set up BC 4.8 and would like to send out an XML file from BC to Client URL. Could someone please guide me.
    Please suggest solutions.
    Thanks
    Ahmed

    Hello Mickael
    Thanks for your reply. No, we do not have PI. This BC will be used for point to point communication with client.
    Scenario:
    R/3 server to send XML files to BC. BC will load these files (using pub.getfile service), this file is to be parsed using pub.loaddocument service and then sent to client in XML format wrapped with digital signature. As I am new to BC I am unable to parse this file and wrap it with the digital signature to send it.
    Kindly advise on how best can we perform this action.
    Thanks
    Ahmed

  • Business Connector  : get querystring variables in url

    Hi;
    I have a server service in Business Connector .
    a client post a url like this
    http://10.10.10.10:5555/invoke/MM/mm2sms?drug_code=905913&drug_desc=aaaaa
    I have to get these variables drug_code, drug_desc and assign them to a recordList.
    Firstly, which methods do I have to use and how?
    stringToDocument , documentToRecord?
    Thanks.

    Just declare these parameter names as input variables of type String in the Business Connector service. Then you will have them in your pipeline automatically.
    CSY

  • How to install client certificate in Jdeveloper 10.1.3.41.57

    Hi,
    We need to connect to another website by presenting client certificate. This certificate is provided by this website and password is required. Though I tried to launch the JSP that redirects the page to the URL to connect to that website, and I imported the certificate to the browser, I am still asked credential to connect.
    I was told by other people I need to install the client certificate on the server.
    My question is that how I install this client certificate on Jdeveloper 10.1.3.41.57 and launch JSP to connect to that website?
    the certificate is like xxx2_x.509Cert.pfx.
    Please help
    Thank you.
    jfu

    First, thank you so much for your reply. Yes, it works. I did convert pfx to JKS successfully.
    I use keytool -list to view this JKS file. I can see the content. The chain length is 2.
    However, I got the same error message when I tried to use the above command to import JKS to cacerts under jdk/jre/lib/security/; if I add -storetype pKCS12, I got another error keytool error: java.io.IOException: DerInputStream.getLength(): lengthTAg=109, too big.
    Please help.
    Thanks,
    Jfu
    Edited by: 872272 on Sep 20, 2011 8:58 AM

  • Business Connector Client Authentication

    Hi everyone,
    any Business Connector Experts among us?
    Does anyone know how the Client Authentication of the BC works? And how I can switch client certificates off?
    My problem is:
    A BC connects as SSL Client to a reverse Proxy, and right after they make their handshake, some bad certificate seems to arrive at the proxy, which does not support SSL Client Authentication.
    Thanks in advance and best regards,
    Jochen

    Bump

  • SAP Business Connector certificate problem

    We are trying to send data from SAP to bank via SAP business connector using bank URL. We have configured the certificates in SAP BC which are authenticated by bank on the basis of private key generated from our server. Now when we are trying to post data to bank it is giving the error below.
    java.lang.RuntimeException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by TrustDecider
    Any idea? Please give me some suggestions to resolve this problem.
    Thanks and Regards

    Normally I do not like to give documentation references, but in this case I think it makes sense. Certificate handling is an ugly and complicated topic, so many things can go wrong. Please check the SAP BC 4.7 Administration Guide, page 103 onwards ("Securing communications with the server"). It explains very well what needs to be done. Make sure you configured everything correctly.
    CSY

  • Presenting a Client Certificate from ACE?

    Hi Folks,
    This is a bit of an odd one, so please stick with me!
    A bit of background:
    We currently visit a secure 3rd party website from our company, in order to identify our company to the website we have to use a client-side certificate to authenticate us (before we then login to the website).
    As we have a large number of machines loading a client-certificate on to each one has not proved agile enough (this is more a legacy thing).  So to work around this we have used a Stunnel proxy which the clients are forwarded to (HTTP), which then proxies the connection as HTTPS and provides the end website with the Client Cert and does all the bits for SSL.   The Stunnel service was meant to be a temporary workaround, about 3 or so years ago (don't you just love those?) and is hosted on a desktop PC which has recently started to crash - there's no real support on this either - which leads me onto the question:
    Can the ACE module replace the Stunnel Box in this scenario?
    Is it possible to load a client certificate onto the ACE and get it to provide this to an end webserver?  I realise that the ACE is probably not designed for this function, however this would get us onto something more stable and has a better internal support function.
    I've attached a really basic diagram of how the connectivity operates - but I'm happy to consider suggestions on alternative ways of doing it.
    Thanks in advance
    Kev

    Hi.
    It seems to be not possible : http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/initiate.html
    I have to check if other products can do what you want, but I have some doubts...

  • Renew Business Connector certificate

    A certificate in T-Code STRUST is ended and now I want to renew it.
    How can I renew a Certificate from the business connector and include it into t-code STRUST?
    Edited by: Damian Reiner on Jan 19, 2012 11:05 AM

    There is a report in sap in which you can create the ticket

  • When a site asks for a client certificate, not all certificates are presented.

    At www.pkiuniversity.com/sandbox/index.php, I am asked for a client certificate. I get to choose from a list of the certificates issued by startcom but not my own. The extended key usage does mark it for client authentication. The root certificate corresponding to the signing private key is also in the store. Why don't these certificates pop up. They do in Safari.

    If you're interested, I get my certificate from
    reloid.com/enrollments/cheapcerts3/getcert.php?email=[email protected]
    This is designed to be a very insecure certificate with no chance of being added to the built-in cache.

  • Client certificate not being presented by Sun JDK

    I have a requirement to connect to an external service provider (SP) using an https get.
    The SP has a server certificate that I have imported to my trust store.
    The SP issued a private key and an intermediate certificate that I have included in my keystore.
    On running the application with IBM JDK1.5 the server responds with the error "HTTP Error 403.7 - Forbidden: SSL client certificate is required"
    However on running the same test application with IBM JDK1.4.2 I get the expected response from the client.
    I have attached the contents of the keystore, the contents of the java class that I am trying to connect with and the command line options that I am using below.
    Has anyone encountered anything similar?
    {code}contents of Keystore:
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 2 entries
    Alias name: testinter
    Creation date: Mar 6, 2008
    Entry type: trustedCertEntry
    Owner: CN=test Solutions CA, OU=Class 2 OnSite Individual Subscriber CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=test Solutions, C=US
    Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
    Serial number: 98da226f38da2ce29c65e35d505ec36
    Valid from: Tue Jan 24 16:00:00 PST 2006 until: Mon Jan 24 15:59:59 PST 2011
    Certificate fingerprints:
    MD5: D1:7D:C2:B2:30:3E:26:9B:AE:5D:4C:8C:C7:10:B0:E0
    SHA1: 4C:3B:59:67:F4:DE:08:0B:8C:70:AE:0D:05:1E:D1:18:46:00:FC:2D
    Alias name: testclient
    Creation date: Mar 6, 2008
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: [email protected], CN=BHN AST, T=Programmer, OU="Security Phrase - 1111+!", OU=Company - Test Networks, OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Data Center, O=test Prepaid Solutions
    Issuer: CN=test Solutions CA, OU=Class 2 OnSite Individual Subscriber CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O=test Solutions, C=US
    Serial number: 769ed3a8a02a78a45ba2ce46e974f444
    Valid from: Wed Mar 05 16:00:00 PST 2008 until: Fri Mar 06 15:59:59 PST 2009
    Certificate fingerprints:
    MD5: 2D:6E:37:83:BD:B8:FB:32:0E:08:B7:C5:F9:52:F3:C6
    SHA1: B9:61:D9:D9:F2:B5:9B:5E:9D:73:D2:FB:7A:B6:04:BE:0A:4F:E5:27
    *******************************************
    {code}
    I am providing the following JVM arguments in my command line:
    {code}-Djavax.net.ssl.keyStore
    -Djavax.net.ssl.keyStorePassword
    -Djavax.net.ssl.trustStore
    -Djavax.net.ssl.trustStorePassword{code}
    I use org.apache.commons.httpclient.HttpClient. I have pasted the code below, though this might not be relevant.
    {code}
    import java.io.IOException;
    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.HttpException;
    import org.apache.commons.httpclient.methods.GetMethod;

    public class MySimpleTest {
        public static void main(String[] args) {
            HttpClient client = new HttpClient();
            String url = "https://sample.domain.com:443/a2a/CO_TestCall.asp?userid=me&password=hello";
            GetMethod getMethod;
            try {
                // start- Proxy authentication changes
                client.setTimeout(30000);
                client.getParams().setParameter("http.useragent", "X-HTTP-UserAgent: Mozilla/4.0 (compatible; MMozilla/4.0SIE 6.0");
                client.getParams().setSoTimeout(3000);
                client.getParams().setParameter("http.socket.timeout", new Integer(30000));
                client.getHttpConnectionManager().getParams().setConnectionTimeout(30000);
                // The key store and trust store come from the -Djavax.net.ssl.* JVM arguments
                getMethod = new GetMethod(url);
                client.executeMethod(getMethod);
                String xmlString = getMethod.getResponseBodyAsString();
                System.out.println("Response from SP - \n" + xmlString);
            } catch (HttpException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    {code}
    Edited by: dhanyakairali on Nov 26, 2008 2:24 PM
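Added example, not part of the original thread: the keystore listing in the post above shows the `testclient` key entry with `Certificate chain length: 1`, while its issuing CA is stored separately as a `trustedCertEntry`. This Python sketch parses `keytool -list -v` text and reports which key entries a client could offer for a given list of CA names from the server's CertificateRequest. It assumes the key manager only compares issuers of certificates stored in the key entry's own chain (as the Sun X509 key manager does); the listings, aliases and DNs are constructed.

```python
import re

# Constructed `keytool -list -v` style listings (all names and DNs are made up).
# BROKEN mirrors the post: the key entry carries only the leaf certificate and
# its issuing CA is stored separately as a trustedCertEntry.
BROKEN = """\
Alias name: exampleinter
Creation date: Mar 6, 2008
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA, O=Example Org, C=US
Issuer: CN=Example Root CA, O=Example Trust, C=US

Alias name: exampleclient
Creation date: Mar 6, 2008
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Client, O=Example Org, C=US
Issuer: CN=Example Issuing CA, O=Example Org, C=US
"""

# FIXED: the same key entry after the issuing CA was attached to its chain.
FIXED = """\
Alias name: exampleclient
Creation date: Mar 6, 2008
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Example Client, O=Example Org, C=US
Issuer: CN=Example Issuing CA, O=Example Org, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Org, C=US
Issuer: CN=Example Root CA, O=Example Trust, C=US
"""

# Constructed CA list: a server that advertises only the root CA.
ROOT_ONLY = ["CN=Example Root CA, O=Example Trust, C=US"]

FIELD = re.compile(r"^(Alias name|Entry type|Owner|Issuer):\s*(.*)$")


def norm_dn(dn):
    """Normalise a DN string for comparison (whitespace and case only)."""
    dn = re.sub(r"\s+", " ", dn.strip())
    return re.sub(r"\s*,\s*", ",", dn).lower()


def parse_listing(text):
    """Parse keytool -list -v text (not terminal-wrapped) into entries."""
    entries, cur = [], None
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue
        field, value = m.groups()
        if field == "Alias name":
            cur = {"alias": value, "type": "", "chain": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif field == "Entry type":
            cur["type"] = value
        elif field == "Owner":
            cur["chain"].append({"owner": norm_dn(value), "issuer": None})
        elif field == "Issuer" and cur["chain"]:
            cur["chain"][-1]["issuer"] = norm_dn(value)
    return entries


def is_key_entry(entry):
    # Older keytool prints "keyEntry", newer versions "PrivateKeyEntry".
    return entry["type"].lower() in ("keyentry", "privatekeyentry")


def selectable_aliases(entries, acceptable_cas):
    """Key entries whose stored chain has an issuer the server asked for.
    An empty CA list means the server accepts any issuer."""
    wanted = {norm_dn(d) for d in acceptable_cas}
    result = []
    for e in entries:
        if not is_key_entry(e):
            continue
        issuers = {c["issuer"] for c in e["chain"]}
        if not wanted or issuers & wanted:
            result.append(e["alias"])
    return result


def diagnose(entries, acceptable_cas):
    """Explain, per key entry, why no certificate would be offered."""
    ok = set(selectable_aliases(entries, acceptable_cas))
    trusted = {e["chain"][0]["owner"]: e["alias"]
               for e in entries if not is_key_entry(e) and e["chain"]}
    findings = []
    for e in entries:
        if not is_key_entry(e) or e["alias"] in ok or not e["chain"]:
            continue
        top = e["chain"][-1]  # last certificate stored with the key
        if top["owner"] == top["issuer"]:
            findings.append((e["alias"], "no-matching-ca", None))
        elif top["issuer"] in trusted:
            findings.append((e["alias"], "issuer-only-in-trusted-entry",
                             trusted[top["issuer"]]))
        else:
            findings.append((e["alias"], "chain-incomplete", None))
    return findings


if __name__ == "__main__":
    for name, listing in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        parsed = parse_listing(listing)
        print(name, selectable_aliases(parsed, ROOT_ONLY),
              diagnose(parsed, ROOT_ONLY))
```

A finding of `issuer-only-in-trusted-entry` means the CA certificate is in the keystore but not part of the key entry's chain; importing the CA-issued certificate chain under the key entry's own alias is what raises the chain length.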

    What do you mean by the following:
    That's probably because it can't find a certificate that matches the cipher suites and CAs specified in the Certificate Request message
    Is there some way this can be resolved?
    Following is the debug output using IBM JDK1.4. The response from the server is as expected.
    Dec 2, 2008 10:56:58 AM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
    INFO: basic authentication scheme selected
    IBMJSSEProvider Build-Level: -20050926
    trustStore is: C:/test/telecom.ks
    trustStore type is : jks
    init truststore
    This is a cert =[
      Version: V3
      Subject: [email protected], CN=TestAST, T=Programmer,
    OU="Security Phrase - 1111+!", OU=Company - Test Networks, OU="www.verisi
    gn.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)99", OU=Data Center, O=test P
    repaid Solutions, ST=CA, C=US
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      Key:  IBMJCE RSA Public Key:
    modulus:
    13700328555797653992422405008895136799144702421032746442303924045960508846129827
    37401767169101170952814528896263872577201854818466933232859315777147275637960851
    92040201921570983415043931612942054809265710771489792766258003906198481883302677
    501158985042407358121382552144568843482651891301118466381829467239017
    public exponent:
    65537
      Validity: [From: Sun Mar 11 16:00:00 PST 2007,
                   To: Tue Mar 11 15:59:59 PST 2008]
      Issuer: CN=test Prepaid Solutions CA, OU=Class 2 OnSite Individual Subscribe
    r CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust N
    etwork, O=test Prepaid Solutions, C=US
      SerialNumber: [116300044034181362695735633430106044869]
    Certificate Extensions: 5
    [1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL client
    [2]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [3]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    PolicyInformation: [
            CertPolicyId: 2.16.840.1.113733.1.7.23.2
            PolicyQualifiers: [PolicyQualifierInfo: [
    CPSuri: [
            object identifier: 1.3.6.1.5.5.7.2.1
            uri: https://www.verisign.com/rpa]
    [4]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    1 CRL Distribution Points:
    Distribution Point: [
            Distribution Point Name: [URIName: http://onsitecrl.verisign.com/testP
    repaidSolutionsDataCenter/LatestCRL.crl]
            Reason Flags: null
            Issuer: null
    [5]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_Encipherment
      Algorithm: [MD5withRSA]
      Signature:
    0000: a9 9a de a4 8a 63 6c d1  c4 a6 cd e1 28 13 90 e5  .....cl.........
    0010: 0f bd ff 08 08 aa 45 05  a7 f0 a2 ea ed a7 82 77  ......E........w
    0020: 9a 59 c1 5a 55 f9 d9 60  fe ff b9 bf 5e ac ae be  .Y.ZU...........
    0030: 6b 0f 12 b9 de 63 d2 34  90 6a 2d 43 6b 16 eb 22  k....c.4.j.Ck...
    0040: f5 6e 2a c0 dc 95 75 7e  2f fe 5e a4 4d 76 0e ca  .n....u.....Mv..
    0050: 56 7f 20 d4 88 9b d9 00  0e b0 63 3a 62 2e da e1  V.........c.b...
    0060: d8 a3 0c da 16 0e eb 3a  c8 39 e4 23 b7 59 f9 03  .........9...Y..
    0070: 68 e6 1c 6a 7f ce 89 ba  e8 f1 02 87 7e 19 80 7e  h..j............
    0080: 33 8b 17 66 33 28 ce 5f  f6 12 03 ba 48 60 06 4f  3..f3.......H..O
    0090: b4 56 af 8d 0c 59 c3 0e  ec 7f 76 37 82 03 30 70  .V...Y....v7..0p
    00a0: 6d 7e de 9b 06 2b 41 13  19 e2 ca 2c 98 c6 82 7c  m.....A.........
    00b0: 5d dc d0 2d 23 27 24 28  08 a5 2d 24 1a 1e 20 44  ...............D
    00c0: 63 cd b0 04 97 ac 71 97  04 12 f7 fe 79 40 d2 95  c.....q.....y...
    00d0: 0c ea 3e 96 06 3d 28 04  a2 6d ec ef d1 61 17 19  .........m...a..
    00e0: d0 bc 7d a9 a8 d7 86 28  68 cd 8c bd 88 02 48 76  ........h.....Hv
    00f0: ac f8 58 9e 5a f6 12 22  7a 3d c1 77 52 e4 4a 1c  ..X.Z...z..wR.J.
    This is a cert =[
      Version: V3
      Subject: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.ne
    t Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O
    =Entrust.net, C=US
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      Key:  IBMJCE RSA Public Key:
    modulus:
    14060551710975481933679958427775412995993933516866022052634173307104123356793897
    86029054872741136587347742365042373051727361425820266702866562193067033437895460
    98897297163835299300640686715935681464440623967085658420014139658593602796229395
    160423430303106875229776994060540049647635218875669343075088279205771
    public exponent:
    3
      Validity: [From: Tue Oct 12 12:24:30 PDT 1999,
                   To: Sat Oct 12 12:54:30 PDT 2019]
      Issuer: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net
    Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=
    Entrust.net, C=US
      SerialNumber: [939758062]
    Certificate Extensions: 8
    [1]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: c4 fb 9c 29 7b 97 cd 4c  96 fc ee 5b b3 ca 99 74  .......L.......t
    0010: 8b 95 ea 4c                                        ...L
    [2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL CA
       S/MIME CA
       Object Signing CA]
    [3]: ObjectId: 1.2.840.113533.7.65.0 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0c 30 0a 1b 04 56 34  2e 30 03 02 04 90        ..0...V4.0....
    [4]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    [5]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    2 CRL Distribution Points:
    Distribution Point: [
            Distribution Point Name: [CN=CRL1, CN=Entrust.net Client Certification A
    uthority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS
    incorp. by ref. limits liab., O=Entrust.net, C=US]
            Reason Flags: null
            Issuer: null
    Distribution Point: [
            Distribution Point Name: [URIName: http://www.entrust.net/CRL/Client1.cr
    l]
            Reason Flags: null
            Issuer: null
    [6]: ObjectId: 2.5.29.16 Criticality=false
    PrivateKeyUsage: [
    From: Tue Oct 12 12:24:30 PDT 1999, To: Sat Oct 12 12:24:30 PDT 2019]
    [7]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      Key_CertSign
      Crl_Sign
    [8]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: c4 fb 9c 29 7b 97 cd 4c  96 fc ee 5b b3 ca 99 74  .......L.......t
    0010: 8b 95 ea 4c                                        ...L
      Algorithm: [MD5withRSA]
      Signature:
    0000: 3f ae 8a f1 d7 66 03 05  9e 3e fa ea 1c 46 bb a4  .....f.......F..
    0010: 5b 8f 78 9a 12 48 99 f9  f4 35 de 0c 36 07 02 6b  ..x..H...5..6..k
    0020: 10 3a 89 14 81 9c 31 a6  7c b2 41 b2 6a e7 07 01  ......1...A.j...
    0030: a1 4b f9 9f 25 3b 96 ca  99 c3 3e a1 51 1c f3 c3  .K..........Q...
    0040: 2e 44 f7 b0 67 46 aa 92  e5 3b da 1c 19 14 38 30  .D..gF........80
    0050: d5 e2 a2 31 25 2e f1 ec  45 38 ed f8 06 58 03 73  ...1....E8...X.s
    0060: 62 b0 10 31 8f 40 bf 64  e0 5c 3e c5 4f 1f da 12  b..1...d....O...
    0070: 43 ff 4c e6 06 26 a8 9b  19 aa 44 3c 76 b2 5c ec  C.L.......D.v...
    This is a cert =[
      Version: V1
      Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authoriz
    ed use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSig
    n, Inc.", C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key:  IBMJCE RSA Public Key:
    modulus:
    14351375969537625669855198831991651295191487241251642784842741254494712862136652
    49865861338724286276052570119645627384360370149490030232076841237655805776438569
    02490012206184342797701338702212847300700510904054461415882447323962515420981673
    690656531522653631627254509600778128478935206940338665570318609767527
    public exponent:
    65537
      Validity: [From: Sun May 17 17:00:00 PDT 1998,
                   To: Tue Aug 01 16:59:59 PDT 2028]
      Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorize
    d use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign
    , Inc.", C=US
      SerialNumber: [167285380242319648451154478808036881606]
      Algorithm: [SHA1withRSA]
      Signature:
    0000: 51 4d cd be 5c cb 98 19  9c 15 b2 01 39 78 2e 4d  QM..........9x.M
    0010: 0f 67 70 70 99 c6 10 5a  94 a4 53 4d 54 6d 2b af  .gpp...Z..SMTm..
    0020: 0d 5d 40 8b 64 d3 d7 ee  de 56 61 92 5f a6 c4 1d  ....d....Va.....
    0030: 10 61 36 d3 2c 27 3c e8  29 09 b9 11 64 74 cc b5  .a6.........dt..
    0040: 73 9f 1c 48 a9 bc 61 01  ee e2 17 a6 0c e3 40 08  s..H..a.........
    0050: 3b 0e e7 eb 44 73 2a 9a  f1 69 92 ef 71 14 c3 39  ....Ds...i..q..9
    0060: ac 71 a7 91 09 6f e4 71  06 b3 ba 59 57 26 79 00  .q...o.q...YW.y.
    0070: f6 f8 0d a2 33 30 28 d4  aa 58 a0 9d 9d 69 91 fd  ....30...X...i..
    This is a cert =[
      Version: V3
      Subject: [email protected], CN=Thawte Personal Basic CA,
    OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western
    Cape, C=ZA
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      Key:  IBMJCE RSA Public Key:
    modulus:
    13253536386354654913138758702689025560687846640885974128606081482411288972669674
    09593694394214448269934071264255335350958443035659786636087648033000633904576847
    89299407573545577463510566656987897345834861794576009248121771398416136278226650
    196253637652406375166996828928456019641867231766265750548967038620449
    public exponent:
    65537
      Validity: [From: Sun Dec 31 16:00:00 PST 1995,
                   To: Thu Dec 31 15:59:59 PST 2020]
      Issuer: [email protected], CN=Thawte Personal Basic CA, O
    U=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western
    Cape, C=ZA
      SerialNumber: [0]
    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
      Algorithm: [MD5withRSA]
      Signature:
    0000: 2d e2 99 6b b0 3d 7a 89  d7 59 a2 94 01 1f 2b dd  ...k..z..Y......
    0010: 12 4b 53 c2 ad 7f aa a7  00 5c 91 40 57 25 4a 38  .KS.........W.J8
    0020: aa 84 70 b9 d9 80 0f a5  7b 5c fb 73 c6 bd d7 8a  ..p........s....
    0030: 61 5c 03 e3 2d 27 a8 17  e0 84 85 42 dc 5e 9b c6  a..........B....
    0040: b7 b2 6d bb 74 af e4 3f  cb a7 b7 b0 e0 5d be 78  ..m.t..........x
    0050: 83 25 94 d2 db 81 0f 79  07 6d 4f f4 39 15 5a 52  .......y.mO.9.ZR
    0060: 01 7b de 32 d6 4d 38 f6  12 5c 06 50 df 05 5b bd  ...2.M8....P....
    0070: 14 4b a1 df 29 ba 3b 41  8d f7 63 56 a1 df 22 b1  .K.....A..cV....
    This is a cert =[
      Version: V3
      Subject: CN=*.mercurypay.com, OU=Comodo PremiumSSL Wildcard, OU=Information Te
    chnology, O=Mercury Payment Systems, STREET="72 Suttle Street, Suite M", L=Duran
    go, ST=Colorado, POSTALCODE=81303, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key:  IBMJCE RSA Public Key:
    modulus:
    12552582405364904122368800557136600883426046147697390022111207038948008845421116
    97612139262756746187884552197255250066841576447434719408180546101657839553295002
    41981704931093809205287106190471023650551952772636758926085360687310943371751673
    005150920927008661377022502832804963301450995642354061325253865423063
    public exponent:
    65537
      Validity: [From: Thu Feb 01 16:00:00 PST 2007,
                   To: Wed Mar 12 15:59:59 PST 2008]
      Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUS
    T Network, L=Salt Lake City, ST=UT, C=US
      SerialNumber: [69293248245822231088475549727641695166]
    Certificate Extensions: 9
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [accessMethod: 1.3.6.1.5.5.7.48.2
    accessLocation: URIName: http://crt.comodoca.com/UTNAddTrustServerCA.crt, access
    Method: 1.3.6.1.5.5.7.48.2
    accessLocation: URIName: http://crt.comodo.net/UTNAddTrustServerCA.crt]]
    [3]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    [4]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: c6 3a 32 8e d4 44 8f 6f  46 ff d9 db a7 48 6d 45  ..2..D.oF....HmE
    0010: 62 78 25 a2                                        bx..
    [5]: ObjectId: 2.5.29.37 Criticality=false
    ExtKeyUsage [
            1.3.6.1.5.5.7.3.1       1.3.6.1.5.5.7.3.2]
    [6]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: a1 72 5f 26 1b 28 98 43  95 5d 07 37 d5 85 96 9d  .r.....C...7....
    0010: 4b d2 c3 45                                        K..E
    [7]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL client
       SSL server
    [8]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    PolicyInformation: [
            CertPolicyId: 1.3.6.1.4.1.6449.1.2.1.3.4
            PolicyQualifiers: [PolicyQualifierInfo: [
    CPSuri: [
            object identifier: 1.3.6.1.5.5.7.2.1
            uri: https://secure.comodo.net/CPS]
    [9]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    2 CRL Distribution Points:
    Distribution Point: [
            Distribution Point Name: [URIName: http://crl.comodoca.com/UTN-USERFirst
    -Hardware.crl]
            Reason Flags: null
            Issuer: null
    Distribution Point: [
            Distribution Point Name: [URIName: http://crl.comodo.net/UTN-USERFirst-H
    ardware.crl]
            Reason Flags: null
            Issuer: null
      Algorithm: [SHA1withRSA]
      Signature:
    0000: 40 b2 e3 1d 81 d4 74 9b  1d cb ca c3 e9 6e 4f 5b  ......t......nO.
    0010: 54 9a 86 bf 53 4a d6 72  8d 88 e6 ff a9 03 ea 0a  T...SJ.r........
    0020: dd a4 f7 fc 21 ed 6a 4f  f9 a1 d4 7a b2 da fc fb  ......jO...z....
    0030: bb a3 ab 8a a7 54 00 2a  12 dd e3 d6 29 96 42 d5  .....T........B.
    0040: 9a e0 3e 1b 4e da 0e b6  5b 56 51 bd 63 f6 fe 62  ....N....VQ.c..b
    0050: eb d3 5e 9f fb 71 7b 09  d0 ef 98 06 55 76 56 8b  .....q......UvV.
    0060: 9b a0 d9 c8 8a c3 fd df  f9 81 39 16 65 1e 2e ac  ..........9.e...
    0070: 1c e5 b8 a6 76 ef 7b 18  50 d9 cd a1 cc 31 f3 d4  ....v...P....1..
    0080: 79 f0 63 95 e7 97 15 28  c3 c6 2a 23 9d 62 08 f4  y.c..........b..
    0090: 4b bd 23 eb 8d 72 7d 4b  a9 49 83 63 fb 65 b7 b8  K....r.K.I.c.e..
    00a0: 96 d8 13 2c 54 f2 11 7c  7d 30 55 f4 0e aa 13 eb  ....T....0U.....
    00b0: 83 bf ea 22 86 2a d8 4c  db a6 21 b4 ce fd 0a 7d  .......L........
    00c0: bb 65 a5 a7 8f eb 84 1d  8c 3b c7 11 87 e2 06 ab  .e..............
    00d0: 64 24 ae 48 7c 28 77 db  78 0e a8 b4 a9 32 ff 15  d..H..w.x....2..
    00e0: a0 64 65 18 f3 a3 30 3d  9e ed 8d 29 a4 a0 a1 61  .de...0........a
    00f0: 3b 86 e2 36 dd 4b fc c9  92 36 e4 be 20 89 cc ab  ...6.K...6......
    This is a cert =[
      Version: V3
      Subject: CN=*.pinsprepaid.com, OU=PayGo Web Certificate, O=Test Network,
    L=San Diego, ST=California, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key:  IBMJCE RSA Public Key:
    modulus:
    16285445822297696212633924794811890815794019787240551300464692045229173045293235
    50230392745826419206436177596443014635997679083703668232616210082740759395739089
    19454275822427538242285978316988871614402763162307764241796571858989037339686419
    365958906689885958381857638860003924094925916555184457276424623285201
    public exponent:
    65537
      Validity: [From: Sat Dec 29 20:23:42 PST 2007,
                   To: Fri Dec 24 20:23:42 PST 2027]
      Issuer: CN=*.pinsprepaid.com, OU=PayGo Web Certificate, O=Test Network, L
    =San Diego, ST=California, C=US
      SerialNumber: [10665365584614926415]
    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: a0 28 c8 12 0d dd 40 13  f5 22 d7 b6 c9 eb 42 ae  ..............B.
    0010: e1 14 66 94                                        ..f.
    [CN=*.pinsprepaid.com, OU=PayGo Web Certificate, O=Test Network, L=San Dieg
    o, ST=California, C=US]
    SerialNumber: [10665365584614926415]
    [2]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    [3]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: a0 28 c8 12 0d dd 40 13  f5 22 d7 b6 c9 eb 42 ae  ..............B.
    0010: e1 14 66 94                                        ..f.
      Algorithm: [SHA1withRSA]
      Signature:
    This is a cert =[
      Version: V3
      Subject: CN=secure1.galileoprocessing.com, OU=Production, O=Galileo Processing
    Inc., L=West Bountiful, ST=Utah, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key:  IBMJCE RSA Public Key:
    modulus:
    16585272136129690466708620936482853429710701504038078236367586054432000828333691
    71917574804367890152416144664864739837342571709183400677965661645849511638944496
    97747864586117452849688436666474856963873439961969030395107131294137520076094597
    149589721904600686262918653808018055505396653031945227384584896096387
    public exponent:
    65537
      Validity: [From: Mon Jan 14 16:00:00 PST 2008,
                   To: Mon Feb 28 15:59:59 PST 2011]
      Issuer: [email protected], CN=Thawte Premium Server CA, O
    U=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Weste
    rn Cape, C=ZA
      SerialNumber: [165265921466827562370348155546990963259]
    Certificate Extensions: 4
    [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [accessMethod: 1.3.6.1.5.5.7.48.1
    accessLocation: URIName: http://ocsp.thawte.com]]
    [2]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [3]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    1 CRL Distribution Points:
    Distribution Point: [
            Distribution Point Name: [URIName: http://crl.thawte.com/ThawteServerPre
    miumCA.crl]
            Reason Flags: null
            Issuer: null
    [4]: ObjectId: 2.5.29.37 Criticality=false
    ExtKeyUsage [
            1.3.6.1.5.5.7.3.1       1.3.6.1.5.5.7.3.2]
      Algorithm: [SHA1withRSA]
      Signature:
    This is a cert =[
      Version: V3
      Subject: CN=*.questps.com.au, OU=Operations, O=Quest Payment Systems, L=Hawtho
    rn, ST=Victoria, C=AU
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key:  IBMJCE RSA Public Key:
    modulus:
    13927401538401051481741625165099229029681926680820373629686880750356955603275739
    35404946995026390516720126110345930925847480302939279377134754082062263865742071
    20957396443715719965192780351342785833080978234789409963603439531488192089117237
    143472365458965132391280159287801210635522967328773863585549974229739
    public exponent:
    65537
      Validity: [From: Sun Jul 15 23:15:18 PDT 2007,
                   To: Tue Jul 15 23:15:18 PDT 2008]
      Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
      SerialNumber: [506317]
    Certificate Extensions: 5
    [1]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 48 e6 68 f9 2b d2 b2 95  d7 47 d8 23 20 10 4f 33  H.h......G....O3
    0010: 98 90 9f d4                                        ....
    [2]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    1 CRL Distribution Points:
    Distribution Point: [
            Distribution Point Name: [URIName: http://crl.geotrust.com/crls/secureca
    .crl]
            Reason Flags: null
            Issuer: null
    [3]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Non_repudiation
      Key_Encipherment
      Data_Encipherment
    [4]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 0a 69 ce 61 f9 da 96 c8  b5 f9 36 81 43 f6 75 fb  .i.a......6.C.u.
    0010: e4 14 2f 0e                                        ....
    [5]: ObjectId: 2.5.29.37 Criticality=false
    ExtKeyUsage [
            1.3.6.1.5.5.7.3.1       1.3.6.1.5.5.7.3.2]
      Algorithm: [SHA1withRSA]
      Signature:
    This is a cert =[
      Version: V1
      Subject: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="
    (c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O
    ="VeriSign, Inc.", C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key:  IBMJCE RSA Public Key:
    modulus:
    22096661060012873855689347974161418916763510073523357926358326864792592503123173
    99490819292635395781267090128441774779218884243225403432375392329269925111338044
    19877348645492891283661498502893173840787837475108926513618176408123228217171508
    48579148188498107741752990085073340007737937361627542392633585717193577428778849
    70689954598075001332363158305018470088291940060537606809254674162830802015825390
    73549038990262947134158436810352799408298755647856794057801047782628775050960576
    78977556854174242282489588564651152454691261263722936464927601734981930340276221
    549179112855447214959676835981467313741947570713364283017
    public exponent:
    65537
      Validity: [From: Thu Sep 30 17:00:00 PDT 1999,
                   To: Wed Jul 16 16:59:59 PDT 2036]
      Issuer: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(
    c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O=
    "VeriSign, Inc.", C=US
      SerialNumber: [129520775995541613599859419027715677050]
      Algorithm: [SHA1withRSA]
      Signature:
    This is a cert =[
      Version: V3
      Subject: [email protected], CN=Thawte Personal Premium
    CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Wes
    tern Cape, C=ZA
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      Key:  IBMJCE RSA Public Key:
    modulus:
    14142912792453816926684060849225594563491048166366460724276985519259966555971678
    52869379882523038078369899938721755934187919620921836179968420049065941827306142
    30211575508893419840570952601082644441415731845520305432484883710755881614381726
    656557001768827822997905802020222847103928452492333928687906770815093
    public exponent:
    65537
      Validity: [From: Sun Dec 31 16:00:00 PST 1995,
                   To: Thu Dec 31 15:59:59 PST 2020]
      Issuer: [email protected], CN=Thawte Personal Premium C
    A, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=West
    ern Cape, C=ZA
      SerialNumber: [0]
    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
      Algorithm: [MD5withRSA]
      Signature:
    This is a cert =[
      Version: V3
      Subject: CN=*.backuppay.com, OU=Comodo PremiumSSL Wildcard, OU=Information Tec
    hnology, O=Mercury Payment Systems, STREET="72 Suttle, Suite 'M'", L=Durango, ST
    =Colorado, POSTALCODE=81303, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Key:  IBMJCE RSA Public Key:
    modulus:
    13600061469090500423648422271274026009793773824200084939450792307466414518281905
    78915137508617752173548436692455079898861149850144087985398167558687604694824219
    94042711833635299385450526613233517165581563624887506491771190814673785574365279
    979908619877143128523889569350716633683176043911091941941182416621337
    public exponent:
    65537
      Validity: [From: Thu Feb 01 16:00:00 PST 2007,
                   To: Wed Mar 12 15:59:59 PST 2008]
      Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUS
    T Network, L=Salt Lake City, ST=UT, C=US
      SerialNumber: [291946271077116231447010286015885314245]
    Certificate Extensions: 9
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [accessMethod: 1.3.6.1.5.5.7.48.2
    accessLocation: URIName: http://crt.comodoca.com/UTNAddTrustServerCA.crt, access
    Method: 1.3.6.1.5.5.7.48.2
    accessLocation: URIName: http://crt.comodo.net/UTNAddTrustServerCA.crt]]
    [3]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    [4]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: c1 a6 cc 48 48 b5 ed 73  ef 0a cd 2c 29 4c 62 b4  ...HH..s.....Lb.
    0010: d0 ab bf 6e                                        ...n
    [5]: ObjectId: 2.5.29.37 Criticality=false
    ExtKeyUsage [
            1.3.6.1.5.5.7.3.1       1.3.6.1.5.5.7.3.2]
    [6]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: a1 72 5f 26 1b 28 98 43  95 5d 07 37 d5 85 96 9d  .r.....C...7....
    0010: 4b d2 c3 45                                        K..E
    [7]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
       SSL client
       SSL server
    [8]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    PolicyInformation: [
            CertPolicyId: 1.3.6.1.4.1.6449.1.2.1.3.4
            PolicyQualifiers: [PolicyQualifierInfo: [
    CPSuri: [
            object identifier: 1.3.6.1.5.5.7.2.1
            uri: https://secure.comodo.net/CPS]
    [9]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    2 CRL Distribution Points:
    Distribution Point: [
            Distribution Point Name: [URIName: http://crl.comodoca.com/UTN-USERFirst
    -Hardware.crl]
            Reason Flags: null
            Issuer: null
    Distribution Point: [
            Distribution Point Name: [URIName: http://crl.comodo.net/UTN-USERFirst-H
    ardware.crl]
            Reason Flags: null
            Issuer: null
      Algorithm: [SHA1withRSA]
      Signature:
    This is a cert =[
      Version: V3
      Subject: [email protected], CN=64.47.55.17, OU=MI
    S, O=Cabelas Inc, L=Sidney, ST=Nebraska, C=US
      Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
      Key:  IBMJCE RSA Public Key:
    modulus:
    13768870705676032884943158948133086707130963695630252713762741898658183420051882
    41914160772118669025761340096644368492520897452521291473029710155067231617758619
    45693847182035381145540493930157142197837425711697611478316115600616533780363229
    520298453203636612811789291165305298410647569530743837859826680773901
    public exponent:
    65537
      Validity: [From: Thu Oct 05 08:36:55 PDT 2006,
                   To: Su

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    /**
     * JDBCRealm for supporting RDBMS authentication.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to
     * implement both a login module (see JDBCLoginModule for an example)
     * which performs the authentication and a realm (as shown by this
     * class) which is used to manage other realm operations.
     * <P>A custom realm should implement the following methods:
     * <ul>
     *  <li>init(props)
     *  <li>getAuthType()
     *  <li>getGroupNames(username)
     * </ul>
     * <P>IASRealm and other classes and fields referenced in the sample
     * code should be treated as opaque undocumented interfaces.
     */
    final public class JDBCRealm extends IASRealm
    {
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    /**
     * JDBCRealm login module.
     * <P>This login module provides a sample implementation of a custom realm.
     * You may use this sample as a template for creating alternate custom
     * authentication realm implementations to suit your applications needs.
     * <P>In order to plug in a realm into the server you need to implement
     * both a login module (as shown by this class) which performs the
     * authentication and a realm (see JDBCRealm for an example) which is used
     * to manage other realm operations.
     * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
     * extended by this class. PasswordLoginModule provides internal
     * implementations for all the LoginModule methods (such as login(),
     * commit()). This class should not override these methods.
     * <P>This class is only required to implement the authenticate() method as
     * shown below. The following rules need to be followed in the implementation
     * of this method:
     * <ul>
     *  <li>Your code should obtain the user and password to authenticate from
     *       _username and _password fields, respectively.
     *  <li>The authenticate method must finish with this call:
     *      return commitAuthentication(_username, _password, _currentRealm,
     *      grpList);
     *  <li>The grpList parameter is a String[] which can optionally be
     *      populated to contain the list of groups this user belongs to
     * </ul>
     * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
     * fields referenced in the sample code should be treated as opaque
     * undocumented interfaces.
     * <P>Sample setting in server.xml for JDBCLoginModule
     * <pre>
     *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
     *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
     *       <property name="jaas-context"  value="jdbcRealm"/>
     *    </auth-realm>
     * </pre>
     */
    public class JDBCLoginModule extends PasswordLoginModule
    {
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article: [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    /**
     * Realm wrapper for supporting certificate authentication.
     * <P>The certificate realm provides the security-service functionality
     * needed to process a client-cert authentication. Since the SSL processing,
     * and client certificate verification is done by NSS, no authentication
     * is actually done by this realm. It only serves the purpose of being
     * registered as the certificate handler realm and to service group
     * membership requests during web container role checks.
     * <P>There is no JAAS LoginModule corresponding to the certificate
     * realm. The purpose of a JAAS LoginModule is to implement the actual
     * authentication processing, which for the case of this certificate
     * realm is already done by the time execution gets to Java.
     * <P>The certificate realm needs the following properties in its
     * configuration: None.
     * <P>The following optional attributes can also be specified:
     * <ul>
     *   <li>assign-groups - A comma-separated list of group names which
     *       will be assigned to all users who present a cryptographically
     *       valid certificate. Since groups are otherwise not supported
     *       by the cert realm, this allows grouping cert users
     *       for convenience.
     * </ul>
     */
    public class CertificateRealm extends IASRealm
    {
        protected void init(Properties props)
        /**
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
         */
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
        /**
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
         */
        public void authenticate(X509Certificate certs[])
            throws LoginException
            // Set up SecurityContext, but that is not applicable to S1WS..
    }
    Edited by: mv on Apr 24, 2009 7:04 AM
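The subject-DN-to-group mapping asked about in this thread, as an added example that is not part of the original posts or of the Sun samples. It assumes the DN string comes from the already-verified certificate (for example `cert.getSubjectX500Principal().getName()`) and that a realm subclass would call `groupsFor()` from its `getGroupNames()` override; the class name, the rule table and the sample DNs are constructed for illustration.

```java
import java.util.*;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper: derives group names from a certificate subject DN. */
public final class SubjectDnGroupMapper {

    /** Grants one group when every required attribute value is present in the DN. */
    private static final class Rule {
        final String group;
        final Map<String, String> required = new HashMap<>();

        Rule(String group, String... typeValuePairs) {
            this.group = group;
            for (int i = 0; i + 1 < typeValuePairs.length; i += 2) {
                required.put(norm(typeValuePairs[i]), norm(typeValuePairs[i + 1]));
            }
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    public SubjectDnGroupMapper addRule(String group, String... typeValuePairs) {
        rules.add(new Rule(group, typeValuePairs));
        return this;
    }

    private static String norm(String s) {
        return s.trim().toLowerCase(Locale.ROOT);
    }

    /** Parses the DN into attribute type -> set of values; null if it cannot be parsed. */
    static Map<String, Set<String>> parse(String subjectDn) {
        Map<String, Set<String>> attrs = new HashMap<>();
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                // toAttributes() also covers multi-valued RDNs such as "CN=a+OU=b".
                NamingEnumeration<? extends Attribute> it = rdn.toAttributes().getAll();
                while (it.hasMore()) {
                    Attribute a = it.next();
                    for (int i = 0; i < a.size(); i++) {
                        Object v = a.get(i);
                        if (v instanceof String) { // skip binary (#hex) values
                            attrs.computeIfAbsent(norm(a.getID()), k -> new HashSet<>())
                                 .add(norm((String) v));
                        }
                    }
                }
            }
        } catch (NamingException | RuntimeException e) {
            return null; // malformed or missing DN: the caller grants nothing
        }
        return attrs;
    }

    /** Returns every group whose rule matches; an empty list means no role is granted. */
    public List<String> groupsFor(String subjectDn) {
        Map<String, Set<String>> attrs = parse(subjectDn);
        List<String> groups = new ArrayList<>();
        if (attrs == null) return groups;
        for (Rule r : rules) {
            boolean match = true;
            for (Map.Entry<String, String> e : r.required.entrySet()) {
                Set<String> values = attrs.get(e.getKey());
                if (values == null || !values.contains(e.getValue())) { match = false; break; }
            }
            if (match) groups.add(r.group);
        }
        return groups;
    }

    public static void main(String[] args) {
        SubjectDnGroupMapper m = new SubjectDnGroupMapper()
            .addRule("admin", "OU", "Admins", "O", "Example Corp")
            .addRule("registered-user", "O", "Example Corp")
            .addRule("visitor", "O", "Example Partners");
        String[] constructed = {
            "CN=Alice,OU=Admins,O=Example Corp,C=US",
            "CN=Bob,OU=Sales,O=Example Corp,C=US",
            // The escaped comma keeps "OU=Admins" inside the CN value, so it is not an OU.
            "CN=Carol\\, OU\\=Admins,OU=Guests,O=Example Partners,C=US",
            "not a DN"
        };
        for (String dn : constructed) {
            System.out.println(dn + " -> " + m.groupsFor(dn));
        }
    }
}
```

Matching on parsed attribute values rather than on substrings of the DN string means an escaped `OU=` sequence inside a CN cannot satisfy an OU rule, and an unparseable DN yields no groups.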

  • Client certificate based authentication

    We have a Java Web Start application that needs to connect to an apache server and use client certificate based authentication. When javaws initiates a connection with apache server, it tries to retrieve the certificate/key from the PKCS12 keystore to present it to the apache server. We have made this work, however, javaws is prompting the user to enter the password for accessing the keystore password. We do not want our users to enter this password and are looking into ways to either supply the password as one of the javaws deployment properties or create an unprotected keystore. Both of our attempts have been unsuccessful. We have tried the following:
    1. we passed the 3 discussed properties (javax.net.ssl.keyStore,
    javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType) in Java
    Control Panel, according to the following procedure: open Control Panel,
    select Java tab, click View under Java Applet Runtime Settings, set
    values in Java Runtime Parameters table column. This operation added the
    properties to the user's deployment file (in a new attribute named
    deployment.javapi.jre.1.5.0_09.args, which held all 3 properties as a
    value), but there was no effect (password window still popped up).
    2. We set up the deployment.property file manually with the 3 attributes
    [javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword,
    javax.net.ssl.keyStoreType], it didn't have any effect either.
    3. When launching java applications you can set system properties as
    part of the command line using the following format
    "-D<property_name>=<property_value>", we failed to find the analogous in
    javaws.
    Has anyone got any ideas on how to workaround this problem? Really appreciate any help here.

    Hi, client cert auth is not really the best way to protect your resources. It requires installing a client cert on every workstation to access the application. I think it conflicts with the javaws concept!
    I have the same situation (protect resources and avoid the password prompt on start) and my solution is:
    Using tomcat as web server:
    Directory structure as follows:
    /ApplicationRoot
        /WEB-INF
            /resources
                - private.jar
                - private.jnlp
        /resources
            - icon.png
            - public.jar
    As you can see there is no direct access to protected resources. All protected resources are available only through the ResourceProvider servlet, configured as follows (web.xml):
    <servlet-mapping>
            <servlet-name>ResourceProvider</servlet-name>
            <url-pattern>/resources/secret/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
            <web-resource-collection>
                <web-resource-name>protected resources awailiable from browser</web-resource-name>
                <url-pattern>/resources/secret/browser/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>somerole</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
    </security-constraint>
    <security-role>
            <role-name>somerole</role-name>
    </security-role>
    <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name></realm-name>
    </login-config>
    Code your ResourceProvider servlet to grant access only if:
    - Connection is secure (ssl).
    - URL pattern is "/resources/secret/browser/*" and the client has passed the realm.
    - URL pattern is "/resources/secret/javaws/secretkey/*" (where secretkey is a pin kept both by client and server)
    To install the app from a browser (access private.jnlp) use the "/resources/secret/browser/*" url pattern and basic auth.
    To download app resources configure the jnlp file as follows:
    <jnlp spec="1.0+" codebase="https://host:port/AppRoot/resources/" href="secret/javaws/secretkey/private.jnlp">
        <information>
             <icon href="icon.png"/>
        </information>
        <resources>
            <j2se version="1.6+"/>
            <jar href="secret/javaws/secretkey/private.jar" />
            <jar href="public.jar" />
        </resources>
    </jnlp>
    And the last thing you need to do is configure the ssl connector on the tomcat server as follows:
    <Connector port="port"
             scheme="https"
             secure="true"
             SSLEnabled="true"
             clientAuth="false"
             sslProtocol="TLS"
    />
    Pay attention to the "clientAuth" param. Set it to "false" to avoid the javaws splash cert chooser dialog on every app update.
    Hope it helps!
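The three access rules listed in the reply above, written out as an added example that is not the poster's servlet. It assumes the servlet is mapped to `/resources/secret/*` as in the posted web.xml, so the inputs would come from `request.isSecure()`, `request.getPathInfo()` and `request.isUserInRole("somerole")`; the class name and the key value are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Hypothetical access decision for a ResourceProvider servlet. */
public final class ResourceAccessPolicy {
    private static final String BROWSER_PREFIX = "/browser/";
    private static final String JAVAWS_PREFIX = "/javaws/";
    private final byte[] expectedKey;

    public ResourceAccessPolicy(String secretKey) {
        this.expectedKey = secretKey.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * @param secure     true when the request arrived over SSL/TLS
     * @param pathInfo   path below /resources/secret, e.g. "/javaws/<key>/private.jar"
     * @param userInRole true when the container authenticated the caller into "somerole"
     */
    public boolean isAllowed(boolean secure, String pathInfo, boolean userInRole) {
        // The posted security-constraint only covers .../browser/*, so the
        // transport check for the javaws path has to happen here.
        if (!secure || pathInfo == null) return false;

        // Refuse dot-segments instead of trying to resolve them.
        for (String segment : pathInfo.split("/", -1)) {
            if (segment.equals("..") || segment.equals(".")) return false;
        }

        if (pathInfo.startsWith(BROWSER_PREFIX)) {
            return userInRole;
        }
        if (pathInfo.startsWith(JAVAWS_PREFIX)) {
            int end = pathInfo.indexOf('/', JAVAWS_PREFIX.length());
            if (end < 0) return false; // no resource after the key segment
            byte[] presented = pathInfo.substring(JAVAWS_PREFIX.length(), end)
                                       .getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison of the presented key with the expected one.
            return MessageDigest.isEqual(presented, expectedKey);
        }
        return false; // anything else under /resources/secret is denied
    }

    public static void main(String[] args) {
        ResourceAccessPolicy policy = new ResourceAccessPolicy("constructed-key-123");
        System.out.println(policy.isAllowed(true, "/browser/private.jnlp", true));                    // true
        System.out.println(policy.isAllowed(true, "/browser/private.jnlp", false));                   // false
        System.out.println(policy.isAllowed(true, "/javaws/constructed-key-123/private.jar", false)); // true
        System.out.println(policy.isAllowed(true, "/javaws/wrong-key/private.jar", false));           // false
        System.out.println(policy.isAllowed(false, "/javaws/constructed-key-123/private.jar", false)); // false
        System.out.println(policy.isAllowed(true, "/browser/../javaws/x/private.jar", true));         // false
    }
}
```

Because the key is part of the URL path, it is also written to web server access logs and to the JNLP file itself, so both need the same protection as the key.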

  • Business Connector 4.7 SSL configuration

    Hi,
    I am configuring SSL in Business Connector 4.7 (to use HTTPS using digital certificates).
    I am following the admin guide.
    I finished the first step - Configuring the Server to Use SSL.
    The next step is to import the client certificate and map it with a user.
    My query is: how can I get a client certificate?
    Could anyone please advise me?
    Also, does anyone have a step-by-step configuration of SAP BC for SSL?
    Regards,
    Kuna

    Hi,
    You should be getting the certificates from the client (where you got the URL from), for example if you are trying to connect your BC to SAP using SSL, you should get the certificates from SAP and install them in BC for communication.
    thanks...
    Karna....

  • Com.wm.app.b2b.server.ServiceException with Business Connector

    Hi Everybody,
    I could need some help with the Business Connector 4.8...
    We just made an upgrade from SAP Business Connector 4.7 to 4.8. The new Business Connector also was moved to another server.
    The installation was fine. In SM59 the RFC test works and also the MAPS are all in green status. The routing should also be fine.
    I have the following problem: when using the FM IDOC_INBOUND_ASYNCHRONOUS to send invoices to the customers, I get the following error:
    com.wm.app.b2b.server.ServiceException: com.wm.app.b2b.server.UnknownServiceException: [B2BSERV.0026.9201] Unknown service: wm.PartnerMgr.flows.MANDANT001.1STBP:INVOIC
    I also created and imported the necessary certificates to communicate with our partner by https.
    Please could you help? Is it a problem in the configuration or do I miss something with the certificates?
    Thanks in advance!
    Kind regards,
    Lu Huynh

    Hi Lu,
    Yes, that note was for SAP BC 4.7. I thought it could provide you with some more insight.
    Anyway, can you recheck the settings which you have done for IDoc in SAP BC? There might be some problem with them.
    Also check this thread, it might be helpful (but I am not sure)
    [B2BSERV.0026.9201] Unknown service: wm.PartnerMgr
    One doubt: the error message says Unknown service: wm.PartnerMgr.flows.MANDANT001.. Is the client 001?
    Regards
    Suraj
