Certificate Based Authentication - Questions and Authentication Modules

Hi Everyone
I'm trying to achieve a specific configuration using AM. I've installed the AM Server 7.1 on an AS9.1EE container and have another AS9.1EE container on another machine that has the agent configured.
The AM server is using a DS rep for configurations and dynamic profiles and an AD rep for authentication.
What I now need to achieve is authentication based on one of these two ways:
- user and password authentication (which is working)
- certificate based authentication (working on it)
To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled", but they don't say which (either the server or agent container, or both). Also I assume that "Client Authentication Enabled" is referring to the HTTP Listener configuration of that container.
When I enable it (the Client Authentication) on the HTTP listener for either container, the HTTPS connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." On IE, it prompts for a certificate to be sent to the container and when I provide none, it gives me the same error as Firefox. In both cases no page was presented.
Basically what I need is for both authentication methods described before to work! So, asking for the certificate (especially if it wasn't the AM asking for it) without giving the user a chance to use a user/password combination isn't what is wanted.
From what I gathered, the "Client Authentication" makes this HTTP listener need a certificate to be presented always.
So, my first question is: is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
2- I'll probably need to code a custom module for this scenario I'm working on because of client requisites, but if possible I would like to use the provided module. Still, in case I need to make one, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
All for now,
Thank you all for your help
Rp

Hi Rp,
We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes, it is possible to use both methods at the same time, i.e. use certificate first and then fall back to LDAP.
First you need to configure AM's web container to accept the certificate. From your message it is clear that you have done that. The only mistake that you made is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah, that is old!!). You need to make the Client Authentication optional. It means that the certificate will be transferred only when it is available; otherwise the web container will not ask for the certificate. You will have to search the Glassfish website or the ASEE 9.1 manual to learn how to make the Client Authentication optional. You definitely need this authentication optional as the Web Agent will be connecting to this AM and, as far as I know, they do not have any mechanism to do the Client Authentication.
Secondly, in AM 7.1 you will have to set up authentication chaining, where you can make the Certificate module SUFFICIENT and the LDAP module REQUIRED.
Thirdly, if you are using a non-OCSP based certificate then change the OCSP checking in AMConfig.properties to false.
Fourth, you may have to write a small custom code to get the profile from your external sources (if you need to then I can tell you how).
HTH,
Vivek
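A constructed illustration of the chain Vivek describes (Certificate SUFFICIENT, then LDAP REQUIRED) evaluated under the JAAS control-flag rules that AM's authentication chaining follows; this is an added example, not code from AM or from either poster, and the two modules, the trusted issuer, the subject-to-profile mapping and the user store are toy stand-ins.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Tuple

class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"

@dataclass
class ClientCert:
    """What the web container hands the Certificate module (constructed stand-in)."""
    subject_cn: str
    issuer: str
    ocsp_responder: Optional[str] = None      # None: certificate carries no OCSP URL

@dataclass
class LoginContext:
    client_cert: Optional[ClientCert] = None  # None: client auth was optional and nothing was sent
    username: Optional[str] = None
    password: Optional[str] = None
    ocsp_check: bool = True                   # stands in for the OCSP toggle in AMConfig.properties
    trace: List[str] = field(default_factory=list)

# Constructed identity data; a real deployment reads these from the AD/DS repositories.
TRUSTED_ISSUER = "CN=Example Issuing CA"
CERT_SUBJECT_TO_USER = {"Alice Example": "alice"}
LDAP_USERS = {"alice": "correct-horse", "bob": "battery-staple"}

def certificate_module(ctx: LoginContext) -> bool:
    cert = ctx.client_cert
    if cert is None:
        ctx.trace.append("Certificate: no client certificate presented")
        return False
    if cert.issuer != TRUSTED_ISSUER:
        ctx.trace.append("Certificate: issuer not trusted")
        return False
    if ctx.ocsp_check and cert.ocsp_responder is None:
        ctx.trace.append("Certificate: OCSP check on, but certificate has no responder")
        return False
    user = CERT_SUBJECT_TO_USER.get(cert.subject_cn)
    if user is None:
        ctx.trace.append("Certificate: subject not mapped to a profile")
        return False
    ctx.username = user
    ctx.trace.append(f"Certificate: mapped to profile {user}")
    return True

def ldap_module(ctx: LoginContext) -> bool:
    ok = ctx.username in LDAP_USERS and LDAP_USERS[ctx.username] == ctx.password
    ctx.trace.append(f"LDAP: bind as {ctx.username!r} {'succeeded' if ok else 'failed'}")
    return ok

Chain = List[Tuple[str, Flag, Callable[[LoginContext], bool]]]

def evaluate_chain(chain: Chain, ctx: LoginContext) -> bool:
    """JAAS flags: REQUIRED must pass but the chain continues; REQUISITE must pass and a
    failure ends the chain at once; SUFFICIENT ends the chain with success on a pass unless
    an earlier REQUIRED/REQUISITE failed; OPTIONAL decides only when no REQUIRED/REQUISITE exists."""
    has_required = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f, _ in chain)
    required_failed = optional_passed = False
    for _name, flag, module in chain:
        passed = module(ctx)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not passed:
                required_failed = True
                if flag is Flag.REQUISITE:
                    return False
        elif flag is Flag.SUFFICIENT:
            if passed and not required_failed:
                return True
        elif passed:
            optional_passed = True
    return (not required_failed) if has_required else optional_passed

# The chain from the reply above: certificate first, LDAP as the fallback.
CERT_THEN_LDAP: Chain = [
    ("Certificate", Flag.SUFFICIENT, certificate_module),
    ("LDAP", Flag.REQUIRED, ldap_module),
]

ALICE_CERT = ClientCert("Alice Example", TRUSTED_ISSUER, "http://ocsp.example/")  # constructed
ALICE_CERT_NO_OCSP = ClientCert("Alice Example", TRUSTED_ISSUER)                    # constructed

def login(cert=None, username=None, password=None, ocsp_check=True):
    """Run the chain once; returns (authenticated, trace)."""
    ctx = LoginContext(cert, username, password, ocsp_check)
    return evaluate_chain(CERT_THEN_LDAP, ctx), ctx.trace

if __name__ == "__main__":
    for label, kwargs in [
        ("cert only", dict(cert=ALICE_CERT)),
        ("no cert, good password", dict(username="bob", password="battery-staple")),
        ("cert without OCSP URL, OCSP on", dict(cert=ALICE_CERT_NO_OCSP)),
        ("cert without OCSP URL, OCSP off", dict(cert=ALICE_CERT_NO_OCSP, ocsp_check=False)),
    ]:
        ok, trace = login(**kwargs)
        print(f"{label}: {'authenticated' if ok else 'rejected'} | " + "; ".join(trace))
```

With the certificate module marked REQUIRED instead of SUFFICIENT, the same chain gives no password fallback, which is the behaviour the original poster wants to avoid.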

Similar Messages

  • SharePoint - authentication question and error message

    When I try to add a data source bound to a SharePoint list, I receive an error message "an error occurred while retrieving SharePoint lists". I'm not sure, but I'm assuming this may be an authentication issue (the Microsoft account I'm using does not have access to our SharePoint server; I use a separate account for that). My question is: would this be the cause of the error message and if so, how/where would I set authentication up for the data source?

    More info from ULS viewer:
    02/18/2014 13:56:33.63 w3wp.exe (0x14B8) 0x16C0 SharePoint Foundation Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0 e973759c-f025-c061-a37a-3d6b6639b7bd
    I have a feeling this is related to ADFS? We aren't supporting ADFS on our farm at the moment.

  • DPS attempting certificate based authentication with Directory Servers

    I'm running DPS 6.3 and DS 6.3.
    I have DPS configured to always connect to the directory servers over SSL. This is working; however, all of the Directory Server error logs are showing certificate based bind attempts originating from the DPS. This results in err=32, since the certificate isn't stored in the LDAP server. Anyone else seeing this type of behavior?
    I checked the DPS Security config, and under the "Certificate to use with Data Sources" I have it set to 'None'.
    Thanks.

    Hello,
    Certificate-based authentication cannot be proxied (it was designed to prevent man-in-the-middle attacks).
    When the proxy receives a certificate-based bind (SASL EXTERNAL authentication method), it first validates the client certificate (signature, validity, trust etc.) and maps the certificate identity (subject) onto an LDAP identity. This is done by doing some LDAP lookups against the directory server. Then, that LDAP identity is used for subsequent LDAP requests to the directory servers. As the password is not available, the proxy must be configured to contact the directory server using the proxied authorization method or using fixed credentials (used in conjunction with ACIs set on the proxy).
    DPS 6.3 never uses the SASL/EXTERNAL (certificate-based) authentication method when it contacts directory servers.
    When SSL is used between the proxy and the server, the proxy may present its own certificate to the directory server (controlled by the DPS security property you mentioned). It is possible to check whether DPS presents its own certificate when it establishes an SSL channel to the directory server by using the ssltap tool [http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html]. If a certificate is passed, the No-Such-Object error you see might be generated during certificate validation by the directory server.
    Hope this helps
    -Sylvain

  • IDM Password Reset Authentication Questions

    Hi,
    We are implementing Password Self Service using IDM 7.1. Everything is set up and we have tested and were able to reset passwords for users on connected target systems. We are now doing some cosmetic changes before going live, like setting up new authentication questions and changing existing questions from IDM.
    In total we have 10 questions and the way we set it is
    Minimum number of validation questions = 5
    No. of questions to show = 3
    No. of answers required = 3
    After setting all 10 questions, I took a new test id which had never been set up with a profile and set its profile with 5 random question answers out of 10 and saved it, went back to /idm/pwdrest and entered the unique id, which is the user id, and the 3 challenge questions it showed were not the ones I set my answers to.
    Why is it prompting the questions for which I have not set answers?
    Can anyone tell me if I am missing any config creating these attributes? Or is it the way IDM works?
    Thanks.

    Greetings,
    It has been my experience that the system will show any of the available questions when a user has not had any answers set. Sometimes, there is a disconnect with the Unique ID entered and the user ID stored in the identity store and it just cannot find the stored answers. As long as the additional question attributes you created follow the existing convention, they should be fine.
    I would start by looking at what question attributes you have committed for the user and which ones show in the pwdreset task screen for the user. You can also run the guided task several times with the same ID to see what rotation of questions you get and whether it is going through all 10 or only a certain subset.
    Do you have a self-service task configured to set the question answers?
    Thanks,
    Jared

  • Authentication Questions Deleted When Saving User View

    I am working with IDM version 6, SP1
    We wish to start using the user self-service reset password function.
    However, the user authentication questions and answers keep getting deleted.
    Any time a user view is checked out and checked back in, the questions are deleted.
    This happens from the Admin Interface, from workflows, and even from the BPE.
    Has anyone seen this before and if so is there a fix?
    Upgrading is a consideration but is not on the "Todo" list for quite a while.
    This is a real problem as it is stopping us from moving forward with user self serve password resets.
    Regards
    Mike F.

    We have a similar issue with version 7.0. I had posted questions about it here (forums) and have an open bug report in with Sun.
    Searching on another forum (which you may or may not have access to), it looks like there is a bug -- at least in version 7.0 -- where several pages are "doing a setViewId and not setting it to readonly, so a checkout was done on the user for every page". It sounds like this bug may be fixed in version 7.1 and later. If I search through the jsps, I see liberal calls to "form.setViewId()".
    I haven't yet tried explicitly setting these calls to readonly (I don't even know what the syntax would be at this point). Your problem sounds somewhat different (ours only occurs on failed validations) but perhaps you are seeing a similar bug in version 6.
    In case you are interested, my issue is described in this post:
    http://forums.sun.com/thread.jspa?forumID=764&threadID=5414572
    That's the problem description, not a description of the fix. And while it talks about a different problem, we also see cases where if a validation fails when the user is entering data, AuthN questions are deleted, which is what makes me think this may be a similar problem.

  • SBO Ebook: Certification and Interview Questions and Answers

    Hi, please permit me to use this forum to introduce you to this ebook titled: SAP BUSINESS ONE SOLUTION CONSULTANT CERTIFICATION REVIEW AND INTERVIEW: QUESTIONS, ANSWERS AND EXPLANATIONS (http://www.ebookmall.com/ebook/277772-ebook.htm)
    This book consists of real life and scenario based review questions and answers on SAP Business One solution certification examinations with Booking Codes/Certification ID: C_TB1200_04, C_TB1200_05 and C_TB1200_07. It covers the SAP Business One Solution Consultant curriculum namely:
     TB 1000 - SAP Business One – Logistics
     TB 1100 - SAP Business One – Accounting
     TB 1200 - SAP Business One – Implementation and Support
    The book is targeted at:
     SAP Business One Consultants preparing for the Solution certification exams (C_TB1200_04, C_TB1200_05 and C_TB1200_07)
     SAP Business One Solution Consultant Job Seekers
     SAP Business One Solution Consultant recruiters
     SAP Business One Implementation team
     SAP Business One Project Managers
    In this book, you will find:
     SAP Business One Solution Consultant Certification Areas of Concentration (AoC)
     SAP Business One Solution Consultant Certification Curriculum
     Things you must know about the SAP Business One Solution Consultant Certification Examination.
     SAP Business One Certification review questions and detailed answers
     SAP Business One Interview questions and detailed answers
    It can be downloaded at http://www.ebookmall.com/ebook/277772-ebook.htm.

    Hi Dan,
    Thanks for your observation, comment and review.
    1. As a matter of fact, since many features of SAP B1 have not changed, just as you asserted, I took cognizance of new enhancements to the solution over the various releases, especially as they relate to the functionalities. By extension however, most questions for prior releases apply to the "successor" release.
    Furthermore, there was a mix-up in the download. Ideally, you should have three sections in the book. Section I (release 2004, by extension 2005 and 2007 releases); Section II (release 2005, by extension 2007 release) and Section III (release 2007). The document has been reviewed. Hence, everyone that bought the book before 29th of April 2008 should visit my blog (http://blogs.ittoolbox.com/sap/kehinde/archives/sap-business-one-solution-consultant-ebook-review-notice-24053) on how to get a copy of the revised version within 24 hours at no extra cost. I regret any inconveniences. PLEASE DO NOT LEAVE YOUR EMAIL ADDRESS ON THIS FORUM.
    2. On localization, SAP Business One has more than 10,000 installations across the world. The book is not intended to be "localization specific". It is intended to serve as a certification review for functionalities that cut across the board, with a mix of localized functionalities. I am sure you found in there a number of localization questions for other countries like the UK. My advice for individuals using the book is to identify which questions apply to their localization.
    While I await your review of the revised version (http://www.ebookmall.com/ebook/277772-ebook.htm) as an SAP Business One advisor, I believe you will agree with me that it is an invaluable resource for preparing for the certification exam and also technical interview sessions.
    Thanks

  • Technical platform for Question and answer system

    Hello everyone!
    We are looking for a technology solution to realize a question and answer module.
    Short description of the functionality we are looking for:
    - member can post a question
    - this is forwarded to all members via email
    - direct answers via email are returned to asker and to the system (--> automatically generate Q&A list)
    - system should import/be integrated with distribution list members
    I have heard that some requirements will be met by the JIVE forums software which comes with NetWeaver 2004s, but I don't know any details (when? where to test?).
    Now I wanted to ask if you know a system like this or have experience with question and answer systems and can give us some hints. Would be very nice to hear from you.
    Kind regards
    Tilman
    Business Consulting Knowledge Management

    Here's another variant. You're going to have some answers that are the same for multiple questions. Standard text like 'The SYSTEM tablespace'. Now for some questions that is the correct answer and for others it is the incorrect answer.
    So now what we have is:
    create table questions (q_id number, q_text varchar2(255), primary key (q_id));
    create table answers (a_id number, a_text varchar2(255), primary key (a_id));
    create table q_a
    (q_id number
        , a_id number
        , a_order char(1)
        , correct_yn char(1)
        , primary key (q_id, a_id)
        , check (a_order in ('A', 'B', 'C', 'D'))
        , check (correct_yn in ('Y', 'N')))
    /
    Obviously we need foreign keys too. You also need a check for uniqueness of the answers' ordering; a recent entry on the Amis blog could help you here. While you're at it you need to check that every question has the correct number of putative answers and at least one correct answer.
    Cheers, APC
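As an added example (not APC's own code), the schema above rendered in SQLite via Python's sqlite3 module, with the constraints the reply says are still missing: foreign keys, a unique answer letter per question, and a query that lists questions lacking four answers or a correct one. The questions and answers are constructed sample rows.

```python
import sqlite3

# SQLite rendering of the questions / answers / q_a tables from the post
# (NUMBER -> INTEGER, VARCHAR2 -> TEXT) plus the constraints the post calls
# for but leaves out: foreign keys and one answer letter per question.
SCHEMA = """
CREATE TABLE questions (q_id INTEGER PRIMARY KEY, q_text TEXT NOT NULL);
CREATE TABLE answers   (a_id INTEGER PRIMARY KEY, a_text TEXT NOT NULL);
CREATE TABLE q_a (
    q_id       INTEGER NOT NULL REFERENCES questions(q_id),
    a_id       INTEGER NOT NULL REFERENCES answers(a_id),
    a_order    CHAR(1) NOT NULL CHECK (a_order IN ('A', 'B', 'C', 'D')),
    correct_yn CHAR(1) NOT NULL CHECK (correct_yn IN ('Y', 'N')),
    PRIMARY KEY (q_id, a_id),
    UNIQUE (q_id, a_order)
);
"""

# "Every question has four putative answers and at least one correct one"
# spans several rows, so it is a query rather than a row-level CHECK.
INCOMPLETE_QUESTIONS = """
SELECT q.q_id,
       COUNT(qa.a_id) AS n_answers,
       SUM(CASE WHEN qa.correct_yn = 'Y' THEN 1 ELSE 0 END) AS n_correct
FROM questions q
LEFT JOIN q_a qa ON qa.q_id = q.q_id
GROUP BY q.q_id
HAVING COUNT(qa.a_id) <> 4
    OR SUM(CASE WHEN qa.correct_yn = 'Y' THEN 1 ELSE 0 END) = 0
ORDER BY q.q_id;
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FKs unless enabled per connection
    conn.executescript(SCHEMA)
    return conn

def load_sample(conn: sqlite3.Connection) -> None:
    """Constructed rows: 'The SYSTEM tablespace' is correct for q1 and wrong for q2."""
    conn.executemany("INSERT INTO questions VALUES (?, ?)", [
        (1, "Where is the data dictionary stored?"),
        (2, "Where should application tables be stored?"),
        (3, "Question entered but not yet given any answers"),
    ])
    conn.executemany("INSERT INTO answers VALUES (?, ?)", [
        (10, "The SYSTEM tablespace"), (11, "The USERS tablespace"),
        (12, "The TEMP tablespace"), (13, "The UNDO tablespace"),
    ])
    conn.executemany("INSERT INTO q_a VALUES (?, ?, ?, ?)", [
        (1, 10, "A", "Y"), (1, 11, "B", "N"), (1, 12, "C", "N"), (1, 13, "D", "N"),
        (2, 10, "A", "N"), (2, 11, "B", "N"), (2, 12, "C", "N"),  # three answers, none correct
    ])
    conn.commit()

def find_incomplete(conn: sqlite3.Connection):
    """(q_id, n_answers, n_correct) for every question that fails the rule."""
    return conn.execute(INCOMPLETE_QUESTIONS).fetchall()

def try_insert(conn: sqlite3.Connection, row):
    """Attempt one q_a row; return the constraint error text, or None if accepted."""
    try:
        with conn:   # commits on success, rolls the statement back on error
            conn.execute("INSERT INTO q_a VALUES (?, ?, ?, ?)", row)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)

if __name__ == "__main__":
    db = open_db()
    load_sample(db)
    print("incomplete questions:", find_incomplete(db))
    print("duplicate letter    :", try_insert(db, (2, 13, "A", "N")))
    print("unknown answer id   :", try_insert(db, (2, 99, "D", "N")))
    print("bad letter          :", try_insert(db, (2, 13, "E", "N")))
    print("valid row           :", try_insert(db, (2, 13, "D", "Y")))
```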

  • Certificate Based Authentication and SSL

    To whom it may concern,
    I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
    Now, I need Certificate based authentication and SSL. I have downloaded a verisign.com trial certificate and have installed it successfully in the Messaging Server Console --> Manage Certificates. The certificate is also visible in its tab.
    Next, I followed the documentation and enabled SSL by using the ./configutil utility, and also restarted the server.
    I am running my Messenger express (http) like this :
    http://testing.xyz.com:8100
    (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
    https://testing.xyz.com:8100 also,
    http://testing.xyz.com:443 also,
    https://testing.xyz.com:443 also,
    but I cannot see the login page of the mail server. I tried all the above-mentioned URLs and just got the error "the connection was refused when attempting to contact testing.xyz.com". I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS, i.e. http://testing.xyz.com:8100
    And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
    Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
    Thanking you,
    Farhan Ahmed,
    System Engineer
    Dubai, UAE.

    Dear jay,
    I am pasting a line from the imap and http logs ... I don't know what this error means and how to resolve it.
    [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    The strange thing is that my certificate name is lowercase server-cert and I can also see in the GUI console the certificate name as lowercase, and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log reports it as "Server-Cert" !!!! though it is "server-cert"
    I got this line from the http log:
    [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    I haven't missed the sslpassword.conf file step. I have placed the same password which I provided while generating the certificate request in the GUI.
    Help me out with what these errors mean and how to resolve them. I have also copied the cert7.db and key3.db to the /opt/SUNWms*/config directory from /var/opt/mps/serverroot/alias
    Thanking you,
    Farhan Ahmed,
    System Engineer,
    Dubai Internet City, Dubai, UAE.

  • NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

    Hi everyone,
    Hoping someone can help please.
    We're trying to go for a single VPN solution at our company, as we currently have a few, acquired when buying other companies.
    We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
    What we would like to achieve is certificate based authentication. So, the user laptop has a certificate applied via group policy based on domain membership and group settings, then the user goes home. They connect via Cisco AnyConnect through the Cisco ASA 5510, and then that talks to MS 2008 R2 NPS and authenticates for VPN access and, following that, network connectivity.
    Has anyone implemented this before and if so, are there any guides available please?
    Many Thanks,
    Dean.

    Hi Dean,
    Thanks for posting here.
    Yes, this is possible. But we have a guide about a sample that uses a Windows-based server (RRAS) as the VPN server, working with a Windows RADIUS/NPS server and using the certificate based authentication method (Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference:
    Checklist: Configure NPS for Dial-Up and VPN Access
    http://technet.microsoft.com/en-us/library/cc754114.aspx
    Thanks.
    Tiger Li
    TechNet Community Support

  • OWA and ActiveSync certificate based authentication

    I have Exchange 2013 CU3 installed and want to activate the certificate based authentication for ActiveSync and OWA. But I want to have the login without certificate as well for users without a certificate.
    I already found some information how to do that on Exchange 2010 and I already did all steps to activate it.
    But at one point I can't find anything to configure in Exchange 2013. So I have activated the AD certificate based authentication in IIS and configured the OWA folder in IIS to accept client certificates. This seems to work as I get asked to use the certificate when I open the OWA page. But then I am landing on the OWA login page where I have to enter username and password.
    So it seems that I am missing something. In the tutorials for Exchange 2010 they activate the certificate based authentication in the Management console. But I can't find anything in ECP to activate.
    Can anyone help me?

    Hi,
    We can create an additional Web Site in IIS to configure additional OWA and ECP virtual directories for external access, and configure the Default Web Site for internal access.
    Then we can configure the internal one with Integrated Windows authentication and Basic authentication while the external one is configured for forms-based authentication of Domain\user name format. For more information about Configuring Multiple OWA/ECP Virtual Directories, we can refer to:
    https://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a Cisco WLC 4400 and a Juniper IC which works as the external RADIUS server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is: can the Cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate?
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials by LDAP when it has already authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external radius server you don't have to worry for this.
    The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer to is only for Local Radius on the WLC.
    Hope this helps
    Regards,
    Christos

  • Anyconnect 3.1 and user certificate-based authentication

    Hi experts,
    I'm trying to test a basic full tunnel VPN connection from Anyconnect 3.1 installed on a Windows 7 machine to a Cisco ASA, using only certificate authentication.
    Steps I took:
    1) I've created a Windows 2008 certificate authority for testing, and imported the root CA certificate into both the Windows 7 client and into Cisco ASA
    2) I generated a certificate signing request on the W7 client, got that signed by W2008 CA and imported the signed certificate into W7. Both user certificate and root CA are in the personal certificate store
    3) On ASA, I've also generated a certificate signing request, got that signed by W2008 CA and imported the signed certificate back in ASA
    I then used ASDM to configure ASA to support Anyconnect on its untrust interface.
    When I use Anyconnect on the W7 client to connect to ASA, I got "No valid certificates available for authentication" and "certificate validation failure" messages as seen in the below screenshot
    I can confirm that both user and root CA certificate exist in the personal certificate store
    The corresponding ASA configuration and debug output are shown in the attached txt file. On the ASA, I've made sure its ID certificate has CN=<public IP of ASA> since I don't have a DNS setup in place.
    Can anyone suggest what could be wrong with my setup?

    Problem has been fixed by using IP address instead of hostname in the Anyconnect Client profile, since I don't have a DNS setup in my environment.
    Once that is done I was able to connect and authenticate using user certificates.
    ASA1# sh vpn-sessiondb detail anycon
    Session Type: AnyConnect Detailed
    Username     : cisco                  Index        : 2
    Assigned IP  : 10.5.1.100             Public IP    : 10.3.1.10
    Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
    License      : AnyConnect Premium
    Encryption   : AES256                 Hashing      : none SHA1
    Bytes Tx     : 0                      Bytes Rx     : 30758
    Pkts Tx      : 0                      Pkts Rx      : 195
    Pkts Tx Drop : 0                      Pkts Rx Drop : 0
    Group Policy : GroupPolicy_VPN-CP1    Tunnel Group : VPN-CP1
    Login Time   : 06:40:49 UTC Wed Feb 19 2014
    Duration     : 0h:07m:38s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none
    IKEv2 Tunnels: 1
    IPsecOverNatT Tunnels: 1
    AnyConnect-Parent Tunnels: 1
    AnyConnect-Parent:
      Tunnel ID    : 2.1
      Public IP    : 10.3.1.10
      Encryption   : none                   Auth Mode    : Certificate
      Idle Time Out: 30 Minutes             Idle TO Left : 22 Minutes
      Client Type  : AnyConnect
      Client Ver   : 3.1.05152
    IKEv2:
      Tunnel ID    : 2.2
      UDP Src Port : 50530                  UDP Dst Port : 4500
      Rem Auth Mode: Certificate
      Loc Auth Mode: rsaCertificate
      Encryption   : AES256                 Hashing      : SHA1
      Rekey Int (T): 86400 Seconds          Rekey Left(T): 85941 Seconds
      PRF          : SHA1                   D/H Group    : 5
      Filter Name  :
      Client OS    : Windows
    IPsecOverNatT:
      Tunnel ID    : 2.3
      Local Addr   : 0.0.0.0/0.0.0.0/0/0
      Remote Addr  : 10.5.1.100/255.255.255.255/0/0
      Encryption   : AES256                 Hashing      : SHA1
      Encapsulation: Tunnel
      Rekey Int (T): 28800 Seconds          Rekey Left(T): 28341 Seconds
      Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607970 K-Bytes
      Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
      Bytes Tx     : 0                      Bytes Rx     : 31218
      Pkts Tx      : 0                      Pkts Rx      : 196
    NAC:
      Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
      SQ Int (T)   : 0 Seconds              EoU Age(T)   : 459 Seconds
      Hold Left (T): 0 Seconds              Posture Token:
      Redirect URL :

  • New server and/or CA certificate for connection from custom authentication

    We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
    I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in Spain -- these are in most browsers but are not in the standard batch of cacerts CAs -- and are free for .edu domains.
    My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
    Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
    Relevant things I've tried so far:
    Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
    Import the IPS CA into the web server cert8 style db via the web admin server.
    The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related. It almost seems like the URLConnection object ends up using an HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non-SSL service running on CAS. The same code pointed at the server running the Verisign cert works as expected.
    Part of the stack:
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
    The relevant bit of code from SecureURL.retrieve looks as follows:
    URL u = new URL(url);
    if (!u.getProtocol().equals("https"))
        throw new IOException("only 'https' URLs are valid for this method");
    BufferedReader r = null;
    try {
        URLConnection uc = u.openConnection();
        uc.setRequestProperty("Connection", "close");
        r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
        String line;
        StringBuffer buf = new StringBuffer();
        while ((line = r.readLine()) != null)
            buf.append(line + "\n");
        return buf.toString();
    } finally { ...
    The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self-signed certs that I've imported into the appropriate cacerts file, leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
    Thank you very much for any insights and help,
    Ethan

    I thought since this has had a fair number of views I would give an update.
    I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
    certutil: certificate is valid
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    certutil: certificate is invalid: Certificate type not approved for application.
    root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
    root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    FSU Wildcard Certificate : Certificate type not approved for application.
    So it could be that I don't understand how to use certutil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
    BTW for those interested, it did seem to be the case that when the certificate failure occurred, the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out a malformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way, exposing sensitive information to the network.
    This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
    After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.

  • Need Help about Certificate based Authentication

    Hi friends..
    Currently, I'm trying to develop an applet that uses Certificate Based Authentication..
    i have looked at this thread : http://forums.sun.com/thread.jspa?threadID=5433603
    this is what Safarmer says about the steps to generate a CSR :
    0. Generate key pair on the card.
    1. Get public key from card
    2. Build CSR off card from the details you have, the CSR will not have a signature
    3. Decide on the signature you want to use (the rest assumes SHA1 with RSA Encryption)
    4. Generate a SHA1 hash of the CSR (without the signature section)
    5. Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
    6. Send DigestInfo to the card
    7. On the card, use the matching private key to encrypt the DigestInfo
    8. Return the encrypted digest info to the host
    9. Insert the response into the CSR as the signature
    Sorry, I'm a little bit confused about those steps.. (Sorry, I'm pretty new to X509Certificate)..
    on step 4,
    Generate a SHA1 hash of the CSR (without the signature section)
    Does it mean we have to "build" a CSR that looks like :
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=California, L=West Hollywood, O=ITDivision, OU=Mysys, CN=leonardo.office/[email protected]
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00:be:a0:5e:35:99:1c:d3:49:ba:fb:2f:87:6f:d8:
    ed:e4:61:f2:ae:6e:87:d0:e2:c0:fd:c1:0f:ed:d7:
    84:04:b5:c5:66:cd:6b:f0:27:a2:cb:aa:3b:d7:ad:
    fa:f4:72:10:08:84:88:19:24:d0:b0:0b:a0:71:6d:
    23:5e:53:4f:1b:43:07:98:4d:d1:ea:00:d1:e2:29:
    ea:be:a9:c5:3e:78:f3:5e:30:1b:6c:98:16:60:ba:
    61:57:63:5e:6a:b5:99:17:1c:ae:a2:86:fb:5b:8b:
    24:46:59:3f:e9:84:06:e2:91:b9:2f:9f:98:04:01:
    db:38:2f:5b:1f:85:c1:20:eb
    Exponent: 65537 (0x10001)
    Attributes:
    a0:00
    on step 5, Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
    What does the DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) look like?
    And what does the DigestInfo contain, and what is the TAG for DigestInfo?..
    Please help me regarding this..
    Thanks in advance..
    Leonardo Carreira
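    The DigestInfo from Safarmer's step 5 and the hashing in step 4, worked in code. This is an added example for this thread, not code from Safarmer, Leonardo or any card vendor: it encodes the PKCS#1 DigestInfo for SHA-1 (outer tag 0x30, a SEQUENCE holding the AlgorithmIdentifier and an OCTET STRING with the 20-byte digest), decodes it back with a small DER TLV walker so the tags are visible, and goes one step beyond the thread by showing the EMSA-PKCS1-v1_5 block (00 01 FF..FF 00 || DigestInfo) that a raw-RSA card operation in step 7 would actually be applied to. The bytes in SAMPLE_CSR_INFO are a constructed stand-in for the DER CertificationRequestInfo (the CSR without its signature section); a real one comes out of the CSR builder.

```python
import hashlib

# DER AlgorithmIdentifier for SHA-1 with the NULL parameter PKCS#1 v1.5 expects:
#   SEQUENCE { OID 1.3.14.3.2.26 (sha1), NULL }
SHA1_ALGORITHM_ID = bytes.fromhex("300906052b0e03021a0500")


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite (short- or long-form) length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def build_digest_info(data: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }
    'data' is the to-be-signed CSR body (step 4); the SEQUENCE tag is 0x30 (step 5)."""
    digest = hashlib.sha1(data).digest()
    return der_tlv(0x30, SHA1_ALGORITHM_ID + der_tlv(0x04, digest))


def emsa_pkcs1_v1_5_encode(digest_info: bytes, modulus_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo, padded to the modulus size.
    A card algorithm that includes PKCS#1 padding does this itself; with raw RSA the host
    sends this whole block and the card applies the private key to it (step 7)."""
    padding_len = modulus_len - len(digest_info) - 3
    if padding_len < 8:  # PKCS#1 requires at least eight 0xFF bytes
        raise ValueError("modulus too small for this DigestInfo")
    return b"\x00\x01" + b"\xff" * padding_len + b"\x00" + digest_info


def parse_tlv(buf: bytes, offset: int = 0):
    """Decode one DER TLV at offset; returns (tag, value, offset_after)."""
    tag = buf[offset]
    first = buf[offset + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[offset + 2:offset + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = offset + hdr
    return tag, buf[start:start + length], start + length


def decode_digest_info(digest_info: bytes) -> dict:
    """Walk a DigestInfo and return its algorithm OID and digest as hex."""
    tag, body, _ = parse_tlv(digest_info)
    assert tag == 0x30, "DigestInfo must be a SEQUENCE"
    alg_tag, alg_body, off = parse_tlv(body)
    assert alg_tag == 0x30, "digestAlgorithm must be a SEQUENCE"
    oid_tag, oid, _ = parse_tlv(alg_body)
    assert oid_tag == 0x06, "first element of AlgorithmIdentifier is an OID"
    dig_tag, digest, _ = parse_tlv(body, off)
    assert dig_tag == 0x04, "digest must be an OCTET STRING"
    return {"oid": oid.hex(), "digest": digest.hex()}


# Constructed stand-in for the DER CertificationRequestInfo (CSR minus signature block).
SAMPLE_CSR_INFO = b"constructed CertificationRequestInfo bytes"

if __name__ == "__main__":
    di = build_digest_info(SAMPLE_CSR_INFO)
    print("DigestInfo:", di.hex())
    print("decoded  :", decode_digest_info(di))
    print("EMSA block (1024-bit modulus):", emsa_pkcs1_v1_5_encode(di, 128).hex())
```

    The first 15 bytes of every SHA-1 DigestInfo are constant (30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14), which is why many card and host libraries carry them as a fixed prefix; verifying the signature later means recomputing exactly this structure from the CSR body and comparing it with what comes out of the RSA public-key operation, so a mismatched OID or a missing NULL parameter will show up as a verification failure rather than a silent error.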

    Hi,
    Leonardo Carreira wrote:
    > Sorry, Encode the Public Key is handled by On Card Application or Off Card Application?..
    > I think it's easier to encode the public key by Off Card app..
    > Could you guide me how to achieve this?, i think Bouncy Castle can do this, but sorry, i don't know how to write code for it.. :(
    All you need to do is extract the modulus and exponent of the public key. These will be in a byte array (response from your card) that you can use to create a public key object in your host application. You can then use this key to create a CSR with bouncycastle.
    > I have several questions :
    > 1. Does Javacard provide API to deal with DER data format?
    JC 2.2.1 does not but JC 2.2.2 does, however I believe this is an optional package though. You can implement this in your applet though.
    > 2. Regarding the Certificate Based Authentication, what needs to be stored in the Applet?..
    > - I think Applet must hold :
    > - its Private Key,
    > - its Public Key Modulus and its Public Key Exponent,
    > - its Certificate,
    > - Host Certificate
    > i think this requires too much EEPROM to store only the key..
    This depends on what you mean by Certificate Based Authentication. If you want your applet to validate certificates it is sent against a certificate authority (CA) then you need the public keys for each trust point to the root CA. To use the certificate for the card, you need the certificate and corresponding private key. You would not need to use the public key on the card so this is not needed. You definitely need the private key.
    Here is a rough estimate of data storage requirements for a 2048 bit key (this is done off the top of my head so is very rough):
    ~800 bytes for your private key
    ~260 bytes per public key for PKI hierarchy (CA trust points)
    ~1 - 4KB for the certificate. This depends on the amount of data you put in your cert
    > 3. What is the appropriate RSA key length, because we have to take into account that the buffer is only 255 bytes (assume i don't use Extended Length)..
    You should not base your key size on your card capabilities. You can always use APDU chaining to get more data onto the card. Your certificate is guaranteed to be larger than 256 bytes anyway. You should look at the NIST recommendations for key strengths. These are documented in NIST SP 800-57 [http://csrc.nist.gov/publications/PubsSPs.html]. You need to ensure that the key is strong enough to protect the data for a long enough period. If the key is a transport key, it needs to be stronger than the key you are transporting. As you can see there are a lot of factors to consider when deciding on key size. I would suggest you use the strongest key your card supports unless performance is not acceptable. Then you would need to analyse your key requirements to ensure your key is strong enough.
    Cheers,
    Shane

  • Certificate based authentication with SSL load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    I think the simplest and most secure way is to have the servers configured for
    2-way ssl, since this would ensure that the certificate they receive and use for
    authentication has been validated during the ssl handshake. In this case the load
    balancer itself does not need to and cannot do the handshaking, and would need
    to pass the entire SSL connection through to the WLS server (ie: act similar to
    a router)
    Pavel.
    "George Coller" <[email protected]> wrote:
    >
    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?
