Client Association,Authentication

Hey All,
In regards to the Association and Authentication I would just like to check that I am getting the process correct:
1. Authentication (open or shared): this is the client talking to the AP and saying that it is an 802.11 device (kind of like an ethernet cable being plugged into a wall jack); if it has a PSK then it must have the right details to auth with the AP. This is auth'd to the AP but not the network, so no network traffic can pass just yet.
2. Association: the client associates with the BSS/AP and data can now pass over to the AP.
3. 802.1x Authentication (EAP) - if required
In the above image the Associated status means it passed step 2 and the Auth means it passed 802.1x?
If this is the case, in the above image the authed clients (blue line) are the clients that have passed 802.1x, and the red line is clients that have passed stage 2?
Thanks

Hello,
In the client association process, access points send out beacons announcing one or more SSIDs, data rates, and other information. The client sends out a probe and scans all the channels and listens for beacons and responses to the probes from the access points. The client associates to the access point that has the strongest signal. If the signal becomes low, the client repeats the scan to associate with another access point (this process is called roaming). During association, the SSID, MAC address, and security settings are sent from the client to the access point and checked by the access point. Figure 3-6 illustrates the client association process.
Figure 3-6 Client Association
A wireless client's association to a selected access point is actually the second step in a two-step process. First, authentication and then association must occur before an 802.11 client can pass traffic through the access point to another host on the network. Client authentication in this initial process is not the same as network authentication (entering username and password to get access to the network). Client authentication is simply the first step (followed by association) between the wireless client and access point, and it establishes communication. The 802.11 standard specifies only two different methods of authentication: open authentication and shared key authentication. Open authentication is simply the exchange of four "hello" type packets with no client or access point verification, to allow ease of connectivity. Shared key authentication uses a statically defined WEP key, known between the client and access point, for verification. This same key might or might not be used to encrypt the actual data passing between a wireless client and an access point based on user configuration.
http://www.ciscopress.com/articles/article.asp?p=1156068&seqNum=3
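The ordering discussed above (802.11 open authentication, then association, then the 802.1X/4-way handshake that actually opens the data path) as a small state machine. This is an added example, not code from the original thread or from Cisco; the `AccessPoint` and `Client` classes and the "open" / "wpa2-psk" / "wpa2-enterprise" labels are assumptions made for the illustration.

```python
from enum import Enum


class Dot11State(Enum):
    """The 802.11 station states the AP tracks for each client MAC."""
    STATE1 = "unauthenticated, unassociated"
    STATE2 = "802.11-authenticated, unassociated"
    STATE3 = "802.11-authenticated, associated"


class Client:
    def __init__(self, mac):
        self.mac = mac
        self.state = Dot11State.STATE1
        # 802.1X "controlled port": stays blocked on an RSN WLAN until the
        # EAP exchange / 4-way handshake finishes (State 4 in later 802.11 revisions).
        self.port_authorized = False


class AccessPoint:
    """Toy AP that enforces the authenticate -> associate -> key-handshake order."""

    def __init__(self, ssid, security):
        assert security in ("open", "wpa2-psk", "wpa2-enterprise")  # assumed labels
        self.ssid = ssid
        self.security = security
        self.clients = {}

    def _client(self, mac):
        return self.clients.setdefault(mac, Client(mac))

    def authenticate(self, mac, algorithm="open"):
        """Step 1: 802.11 authentication frames. Only open system is modelled."""
        c = self._client(mac)
        if algorithm != "open":
            return False, "only open system authentication is modelled here"
        c.state = Dot11State.STATE2
        return True, "802.11 authentication successful"

    def associate(self, mac, ssid):
        """Step 2: association request/response. Refused from State 1."""
        c = self._client(mac)
        if c.state is Dot11State.STATE1:
            return False, "refused: class 2 frame from an unauthenticated station"
        if ssid != self.ssid:
            return False, "refused: unknown SSID"
        c.state = Dot11State.STATE3
        # On an open WLAN there is no key handshake, so data flows right away.
        c.port_authorized = self.security == "open"
        return True, "association successful"

    def complete_key_handshake(self, mac):
        """Step 3: EAP success (802.1X) or PSK 4-way handshake opens the port."""
        c = self._client(mac)
        if c.state is not Dot11State.STATE3:
            return False, "EAPOL dropped: station is not associated"
        c.port_authorized = True
        return True, "controlled port authorized"

    def data_frame(self, mac):
        """What happens to a data frame from this station right now."""
        c = self._client(mac)
        if c.state is not Dot11State.STATE3:
            return False, "dropped: class 3 frame from a non-associated station"
        if not c.port_authorized:
            return False, "dropped: controlled port blocked until the key handshake completes"
        return True, "forwarded"

    def deauthenticate(self, mac):
        """Deauthentication returns the station to State 1 and closes the port."""
        c = self._client(mac)
        c.state = Dot11State.STATE1
        c.port_authorized = False

    def counts(self):
        """(associated, authorized): the two lines a controller graph would show."""
        associated = sum(c.state is Dot11State.STATE3 for c in self.clients.values())
        authorized = sum(c.port_authorized for c in self.clients.values())
        return associated, authorized
```

A client on the enterprise WLAN counts as associated before it counts as authorized, which is the gap between the two lines asked about above.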

Similar Messages

  • WLC 2504 v7.5.102.0 Client Association Issues. Association not consistent

    Hi All,
I'm having a strange issue whereby client associations to my corporate or guest wifi SSIDs are not consistent. Sometimes I have no issues connecting repeatedly and other times I cannot connect and receive the "Windows was unable to connect to *SSID*" message.
I'm unable to determine whether it is a wireless association issue or if it's an authentication issue, as I have troubles connecting to both my secure (WPA2, AES, 802.1x) corporate wifi and my guest (Open Auth) wifi.
Currently per day I have about 15 users using the wifi on both SSIDs. The access points are right in the vicinity of the users. I have 2 LAP1142 access points on separate 802.11a/b/g/n channels and signal strength is always high. I'm certain it's not co-channel interference or interference whatsoever. RSSI values are -60dBm and SNR 30+ dB. On average I will have 10 users on the wireless fine but one or two people are unable to connect.
    I have had wireshark run and when it does not connect I do not see anything in the logs. No traffic is captured!
    I cannot see the AAA capturing anything. Signal strength as stated above is high ( I have the AP on my desk!)
Sometimes I can instantly connect with no troubles and other times it's not associating at all. I've recently updated to version 7.5 and these issues started to occur. Previous version 7.3 had no problems at all for years!
The logs in the WLC show:
    *Dot1x_NW_MsgTask_0: Nov 27 04:42:09.956: #DOT1X-3-INVALID_WPA_KEY_MSG_STATE: 1x_eapkey.c:864 Received invalid EAPOL-key M2 msg in START  state - invalid secure bit; KeyLen 24, Key type 1, client 3c:a9:f4:4x:xx:xx
Does anyone have an idea what this issue could be?
    Many thanks

    Thanks for your reply Sandeep. Been working on it all afternoon with debugging.
    To answer your question, sometimes I can connect and sometimes I cannot. This afternoon I haven't been able to connect much at all. 2 out of 20 times perhaps. Other users I can see are connected to the two access points in this office. This isn't just happening on my laptop but several laptops. Same symptom.
Here's the dot1x output I have captured from the debug of a FAILED association attempt.
    (Cisco Controller) >show debug
    MAC Addr 1.................................. 3C:A9:F4:36:1C:48
    Debug Flags Enabled:
      dot1x aaa enabled.
      dot1x packet enabled.
      dot1x events enabled.
      dot1x states enabled.
    (Cisco Controller) >*DHCP Socket Task: Nov 27 07:44:49.842: 3c:a9:f4:36:1c:48 apfMsRunStateInc
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Processing RSN IE type 48, length 22 for mobile 3c:a9:f4:36:1c:48
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Received RSN IE with 0 PMKIDs from mobile 3c:a9:f4:36:1c:48
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Found an cache entry for BSSID 20:bb:c0:c9:26:92 in PMKID cache at index 0 of station 3c:a9:f4:36:1c:48
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Removing BSSID 20:bb:c0:c9:26:92 from PMKID cache of station 3c:a9:f4:36:1c:48
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Resetting MSCB PMK Cache Entry 0 for station 3c:a9:f4:36:1c:48
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 Setting active key cache index 0 ---> 8
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 unsetting PmkIdValidatedByAp
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 apfMsRunStateDec
    *apfMsConnTask_4: Nov 27 07:45:15.284: 3c:a9:f4:36:1c:48 apfMs1xStateDec
    *dot1xMsgTask: Nov 27 07:45:15.287: 3c:a9:f4:36:1c:48 Disable re-auth, use PMK lifetime.
    *dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 dot1x - moving mobile 3c:a9:f4:36:1c:48 into Connecting state
    *dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 Sending EAP-Request/Identity to mobile 3c:a9:f4:36:1c:48 (EAP Id 1)
    *dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 Sending 802.11 EAPOL message  to mobile 3c:a9:f4:36:1c:48 WLAN 3, AP WLAN 3
    *dot1xMsgTask: Nov 27 07:45:15.288: 00000000: 02 00 00 3c 01 01 00 3c  01 00 6e 65 74 77 6f 72  ...<...<..networ
    *dot1xMsgTask: Nov 27 07:45:15.288: 00000010: 6b 69 64 3d 54 50 49 2d  57 49 46 49 2c 6e 61 73  kid=PI-WIFI,nas
    *dot1xMsgTask: Nov 27 07:45:15.288: 00000020: 69 64 3d 4d 2d 54 50 49  2d 51 4c 44 2d 44 43 30  id=M-PI-QLD-DC0
    *dot1xMsgTask: Nov 27 07:45:15.288: 00000030: 30 31 2d 57 43 30 31 2c  70 6f 72 74 69 64 3d 31  01-WC01,portid=1
    *dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Failure sending WPA EAPOL-Key due to invalid state 0 to mobile 3c:a9:f4:36:1c:48
    *dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Unable to send WPA key to mobile 3c:a9:f4:36:1c:48
    (Cisco Controller) >*dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Unable to update broadcast key to mobile 3C:A9:F4:36:1C:48
    *osapiBsnTimer: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 802.1x 'txWhen' Timer expired for station 3c:a9:f4:36:1c:48 and for message = M0
    *dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 dot1x - moving mobile 3c:a9:f4:36:1c:48 into Connecting state
    *dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 Sending EAP-Request/Identity to mobile 3c:a9:f4:36:1c:48 (EAP Id 2)
    *dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 Sending 802.11 EAPOL message  to mobile 3c:a9:f4:36:1c:48 WLAN 3, AP WLAN 3
    *dot1xMsgTask: Nov 27 07:45:45.126: 00000000: 02 00 00 3c 01 02 00 3c  01 00 6e 65 74 77 6f 72  ...<...<..networ
    *dot1xMsgTask: Nov 27 07:45:45.126: 00000010: 6b 69 64 3d 54 50 49 2d  57 49 46 49 2c 6e 61 73  kid=PI-WIFI,nas
    *dot1xMsgTask: Nov 27 07:45:45.126: 00000020: 69 64 3d 4d 2d 54 50 49  2d 51 4c 44 2d 44 43 30  id=M-PI-QLD-DC0
I can see that the WLC has tried to send an EAP-Request/Identity request to the client but no response comes back. I just don't understand why it works at times and why it doesn't.
It has the same issues on my guest network which is open authentication. Nothing has changed in regards to configuration and it has been working for years. The only thing that changed was a version upgrade to 7.5 three weeks ago.
Here is the debug output of the client MAC when attempting to associate to the GUEST network.
    (Cisco Controller) >debug client 3C:A9:F4:36:1C:48
    (Cisco Controller) >*apfProbeThread: Nov 27 07:53:48.059: aggregated probe IE: TIMESTAMP
    *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Adding mobile on LWAPP AP 20:bb:c0:c9:26:90(0)
    *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Association received from mobile on BSSID 20:bb:c0:c9:26:91
    *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Max Client Trap Threshold: 0  cur: 5
    *apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Re-applying interface policy for client
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 In processSsidIE:4568 apVapId = 2 and Split Acl Id = 65535
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying site-specific Local Bridging override for station 3c:a9:f4:36:1c:48 - vapId 2, site 'default-group', interface 'guest'
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Applying Local Bridging Interface Policy for station 3c:a9:f4:36:1c:48 - vlan 650, interface id 12, interface 'guest'
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 20:bb:c0:c9:26:90 vapId 2 apVapId 2 flex-acl-name:
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfMsAssoStateInc
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 3c:a9:f4:36:1c:48 on AP 20:bb:c0:c9:26:90 from Idle to Associated
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 apfPemAddUser2:session timeout forstation 3c:a9:f4:36:1c:48 - Session Tout 65535, apfMsTimeOut '65535' and sessionTimerRunning flag is  0
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Scheduling deletion of Mobile Station:  (callerId: 49) in 65535 seconds
    *apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 Func: apfPemAddUser2, Ms Timeout = 65535, Session Timeout = 65535
    *apfMsConnTask_4: Nov 27 07:58:02.023: 3c:a9:f4:36:1c:48 Sending Assoc Response to station on BSSID 20:bb:c0:c9:26:91 (status 0) ApVapId 2 Slot 0
    *apfMsConnTask_4: Nov 27 07:58:02.023: 3c:a9:f4:36:1c:48 apfProcessAssocReq (apf_80211.c:7957) Changing state for mobile 3c:a9:f4:36:1c:48 on AP 20:bb:c0:c9:26:90 from Associated to Associated
    *apfMsConnTask_4: Nov 27 07:58:02.026: 3c:a9:f4:36:1c:48 Updating AID for REAP AP Client 20:bb:c0:c9:26:90 - AID ===> 4
    *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5716, Adding TMP rule
    *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 20:bb:c0:c9:26:90, slot 0, interface = 1, QOS = 0
      IPv4 ACL ID = 255, IPv
    *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 650, Local Bridging intf id = 12
    *apfReceiveTask: Nov 27 07:58:04.998: 3c:a9:f4:36:1c:48 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Nov 27 07:58:04.999: 3c:a9:f4:36:1c:48 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Nov 27 07:58:04.999: 3c:a9:f4:36:1c:48 Sent an XID frame
    *IPv6_Msg_Task: Nov 27 07:58:05.000: 3c:a9:f4:36:1c:48 Pushing IPv6 Vlan Intf ID 12: fe80:0000:0000:0000:f0a7:e03b:151a:3af8 , and MAC: 3C:A9:F4:36:1C:48 , Binding to Data Plane. SUCCESS !! dhcpv6bitmap 0
    *IPv6_Msg_Task: Nov 27 07:58:05.000: 3c:a9:f4:36:1c:48 Link Local address fe80::f0a7:e03b:151a:3af8 updated to mscb. Not Advancing pem state.Current state: mscb in apfMsMmInitial mobility state and client state APF_MS_STATE_A
    (Cisco Controller) >
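A small parser for the "debug client" output posted above, pulling out the policy-manager state transitions, the EAP-Request/Identity retransmissions and the txWhen expiry so the two attempts can be compared at a glance. This is an added example, not a Cisco tool or code from the thread; the sample input is an abridged copy of the lines posted above, and the `diagnose` wording is the author's own reading of those counters.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abridged lines copied from the debug output posted above (both attempts are
# for the same station, 3c:a9:f4:36:1c:48); the CLI prompt is left in on purpose.
DEBUG_OUTPUT = """\
(Cisco Controller) >*dot1xMsgTask: Nov 27 07:45:15.288: 3c:a9:f4:36:1c:48 Sending EAP-Request/Identity to mobile 3c:a9:f4:36:1c:48 (EAP Id 1)
*dot1xMsgTask: Nov 27 07:45:15.288: 00000000: 02 00 00 3c 01 01 00 3c  01 00 6e 65 74 77 6f 72  ...<...<..networ
*dot1xMsgTask: Nov 27 07:45:29.326: 3c:a9:f4:36:1c:48 Failure sending WPA EAPOL-Key due to invalid state 0 to mobile 3c:a9:f4:36:1c:48
*osapiBsnTimer: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 802.1x 'txWhen' Timer expired for station 3c:a9:f4:36:1c:48 and for message = M0
*dot1xMsgTask: Nov 27 07:45:45.126: 3c:a9:f4:36:1c:48 Sending EAP-Request/Identity to mobile 3c:a9:f4:36:1c:48 (EAP Id 2)
*apfMsConnTask_4: Nov 27 07:58:02.021: 3c:a9:f4:36:1c:48 Association received from mobile on BSSID 20:bb:c0:c9:26:91
*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfMsConnTask_4: Nov 27 07:58:02.022: 3c:a9:f4:36:1c:48 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_4: Nov 27 07:58:02.023: 3c:a9:f4:36:1c:48 Sending Assoc Response to station on BSSID 20:bb:c0:c9:26:91 (status 0) ApVapId 2 Slot 0
"""

# One WLC debug line: "*<task>: <Mon DD hh:mm:ss.mmm>: <client mac> <message>"
LINE_RE = re.compile(
    r"\*(?P<task>\w+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
STATE_RE = re.compile(r"Change state to (?P<new>\w+) \(\d+\) last state (?P<old>\w+) \(\d+\)")
EAP_ID_RE = re.compile(r"Sending EAP-Request/Identity to mobile \S+ \(EAP Id (?P<id>\d+)\)")
KEYFAIL_RE = re.compile(r"Failure sending WPA EAPOL-Key due to invalid state \d+")
ASSOC_RE = re.compile(r"Sending Assoc Response to station on BSSID \S+ \(status (?P<status>\d+)\)")
TXWHEN = "802.1x 'txWhen' Timer expired"
PROMPT = "(Cisco Controller) >"


@dataclass
class ClientTrace:
    mac: str
    states: List[str] = field(default_factory=list)             # policy-manager states, in order
    identity_requests: List[int] = field(default_factory=list)  # EAP Ids the WLC sent
    txwhen_expiries: int = 0
    eapol_key_failures: int = 0
    assoc_status: Optional[int] = None


def parse_debug(text: str) -> Dict[str, ClientTrace]:
    traces: Dict[str, ClientTrace] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(PROMPT):          # the capture kept the CLI prompt on some lines
            line = line[len(PROMPT):]
        m = LINE_RE.match(line)
        if not m:                            # hex dumps, prompts and blank lines carry no MAC
            continue
        t = traces.setdefault(m["mac"], ClientTrace(m["mac"]))
        msg = m["msg"]
        if s := STATE_RE.search(msg):
            if not t.states:
                t.states.append(s["old"])
            t.states.append(s["new"])
        elif e := EAP_ID_RE.search(msg):
            t.identity_requests.append(int(e["id"]))
        elif KEYFAIL_RE.search(msg):
            t.eapol_key_failures += 1
        elif TXWHEN in msg:
            t.txwhen_expiries += 1
        elif a := ASSOC_RE.search(msg):
            t.assoc_status = int(a["status"])
    return traces


def diagnose(t: ClientTrace) -> List[str]:
    """Turn the counters into the observations a troubleshooter would note."""
    findings = []
    if t.txwhen_expiries and len(t.identity_requests) > 1:
        findings.append("EAP-Request/Identity retransmitted after txWhen expiry: "
                        "no EAP-Response/Identity came back from the supplicant")
    if t.eapol_key_failures:
        findings.append("WLC tried an EAPOL-Key exchange while 802.1X was still in state 0")
    if t.assoc_status == 0 and "L2AUTHCOMPLETE" in t.states:
        findings.append("association accepted and L2 auth complete: "
                        "a client that still cannot connect needs a look at DHCP/L3, not 802.11 auth")
    return findings
```

Running `diagnose` over each trace from `parse_debug(DEBUG_OUTPUT)` separates "the supplicant never answered" from "association was fine" without reading every line by hand.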

  • Dot11 associations table, client associated with 0.0.0.0

I'm having an issue where wireless client associations seem to fail to get an IP address, but actually don't...
    MAC Address    IP address      Device        Name            Parent         State    
    0016.eaae.c896 0.0.0.0         unknown       -               self           EAP-Assoc
    001f.e178.c6d8 192.168.27.192  unknown       -               self           EAP-Assoc
    This happens only "sometimes", especially when the clients (laptops) wake up from sleep mode.
    Although the association shows IP 0.0.0.0, the state is "EAP-Assoc" and I can confirm that the client passed RADIUS authentication, received IP from DHCP and can ping the gateway.
    The wireless network is made up by autonomous/standalone access-points (Cisco aironet 1100, 1130, 1200, 1040).
    Network access is PEAP, WPA/AES, dot1x, multiple Vlans...
    All access-points have an access-list at the radio IN that is dropping all IP broadcasts.
    When I remove the ACL, everything appear to be fine (at least all the times that I checked), but when the ACL is active the issue doesn't always come up.
I must understand what is going on because this ACL (although it's not very common) has proven its value by saving 30-40% CPU usage on access-points...
    Does anyone know how the "dot11 associations" table is built??
    Maybe some tips on how to troubleshoot the issue.
    thanks in advance

As an answer to your early questions (that I don't know why we did not answer yet):
    Assoc table is mainly built from information in association frames.
    Assoc frames have no idea about IP addresses so how the APs know the IP? Not from assoc frames of course.
Each vendor may have a different way to know the IP (they can look into the header of the IP traffic of that special client or they can look into DHCP communication).
Summarizing the issue so far:
    - The issue happens ONLY with the ACL in place.
    - It does not happen with all clients.
- It happens ONLY when the clients are in power save mode.
    - It happens with same clients if they use static ip address even if they are not in power save mode (please confirm or amend this sentence to be more accurate).
Why does power save mode not show the IP? -> answering this question almost solves the problem.
What is common among the problematic clients? -> need to know this in order to isolate further.
    Is it AP hardware/software related? -> helps to isolate further.
    I said that it could possibly be related to information elements but not necessarily.
There are information elements that transfer Power Save capability between clients and the AP. I have no idea though how those can be related.
    More information about information elements can be found in the IEEE standard downloadable from here:
    http://standards.ieee.org/getieee802/download/802.11-2007.pdf
go to section 7.3.2 Information elements on page 99.
    I tried to read about power save and tried to link that with our issue with no hope.
It could possibly be a bug or so that when PS is used the AP behaves differently.
    HTH
    Amjad

  • Project Server 2010 Web services access with Client Certificate Authentication

    We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
    web service applications that no longer connect to server with the new authentication configuration.  Our custom applications are using the WCF interface to access the public web services.
    Please let us know if it is possible to authenticate with AD FS 2.0 and then call
    Project Server web services. Any help or coding examples would be greatly appreciated.

What is the error that occurred when the custom PSI app connects?
Can you upload the ULS logs here for research?
What is the user account format you specified in the code for authentication?
For proper authorization, the "user logon account" in PWA for the user needs to be changed from domain\username to the claims token (e.g. 'I:0#.w|mybusinessdomain\ewmccarty').
It requires you to manually call the UpnLogon method of "Claims to Windows Token Service".
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{
    var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
}
Then you need to extract the UPN claim from the identity.
    Upload the verbose log if possible.
    Did you see this?
    http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

  • Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
</login-config>
that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>MyRealm</realm-name>
</login-config>
or:
<login-config>
    <auth-method>MyRealm</auth-method>
</login-config>
Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    * JDBCRealm for supporting RDBMS authentication.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to
    * implement both a login module (see JDBCLoginModule for an example)
    * which performs the authentication and a realm (as shown by this
    * class) which is used to manage other realm operations.
    * <P>A custom realm should implement the following methods:
    * <ul>
    *  <li>init(props)
    *  <li>getAuthType()
    *  <li>getGroupNames(username)
    * </ul>
    * <P>IASRealm and other classes and fields referenced in the sample
    * code should be treated as opaque undocumented interfaces.
    final public class JDBCRealm extends IASRealm
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
}
and
    $cat JDBCLoginModule.java
    * JDBCRealm login module.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to implement
    * both a login module (as shown by this class) which performs the
    * authentication and a realm (see JDBCRealm for an example) which is used
    * to manage other realm operations.
    * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
    * extended by this class. PasswordLoginModule provides internal
    * implementations for all the LoginModule methods (such as login(),
    * commit()). This class should not override these methods.
    * <P>This class is only required to implement the authenticate() method as
    * shown below. The following rules need to be followed in the implementation
    * of this method:
    * <ul>
    *  <li>Your code should obtain the user and password to authenticate from
    *       _username and _password fields, respectively.
    *  <li>The authenticate method must finish with this call:
    *      return commitAuthentication(_username, _password, _currentRealm,
    *      grpList);
    *  <li>The grpList parameter is a String[] which can optionally be
    *      populated to contain the list of groups this user belongs to
    * </ul>
    * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
    * fields referenced in the sample code should be treated as opaque
    * undocumented interfaces.
    * <P>Sample setting in server.xml for JDBCLoginModule
    * <pre>
    *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
    *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
    *       <property name="jaas-context"  value="jdbcRealm"/>
    *    </auth-realm>
    * </pre>
    public class JDBCLoginModule extends PasswordLoginModule
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
}
One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    * Realm wrapper for supporting certificate authentication.
    * <P>The certificate realm provides the security-service functionality
    * needed to process a client-cert authentication. Since the SSL processing,
    * and client certificate verification is done by NSS, no authentication
    * is actually done by this realm. It only serves the purpose of being
    * registered as the certificate handler realm and to service group
    * membership requests during web container role checks.
    * <P>There is no JAAS LoginModule corresponding to the certificate
    * realm. The purpose of a JAAS LoginModule is to implement the actual
    * authentication processing, which for the case of this certificate
    * realm is already done by the time execution gets to Java.
    * <P>The certificate realm needs the following properties in its
    * configuration: None.
    * <P>The following optional attributes can also be specified:
    * <ul>
    *   <li>assign-groups - A comma-separated list of group names which
    *       will be assigned to all users who present a cryptographically
    *       valid certificate. Since groups are otherwise not supported
    *       by the cert realm, this allows grouping cert users
    *       for convenience.
    * </ul>
     */
    public class CertificateRealm extends IASRealm {

        protected void init(Properties props) {
            // body not shown in the post
        }

        /**
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
         */
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException {
            // body not shown in the post
        }

        /**
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
         */
        public void authenticate(X509Certificate certs[])
            throws LoginException {
            // Set up SecurityContext, but that is not applicable to S1WS..
        }
    }
    Edited by: mv on Apr 24, 2009 7:04 AM

  • SOAP -Client Certificate Authentication in Receiver SOAP Adapter

    Dear All,
    We are working on the below scenario
    SAP R/3 System  -> XI/PI -> Proxy -> Customer
    In this, SAP R/3 System sends an IDOC and XI should give that XML Payload of IDOC to Customer.
    Customer gave us the WSDL file and also a Certificate for authentication.
    Mapping - we are using XSLT mapping to send that XML payload as we need to capture the whole XML payload of IDOC into 1 field at the target end ( This was given in the WSDL).
    Now, how can we achieve this Client Certificate authentication in the SOAP Receiver Adapter when we have Proxy server in between PI/XI and Customer system.
    Require your inputs on Client Certificate authentication and Proxy server configuration.
    Regards,
    Srini

    Hi
    Look at this blog
    How to use Client Authentication with SOAP Adapter
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
    Also refer to "SAP Security Guide XI" at service market place.
    ABAP Proxy configuration
    How do you activate ABAP Proxies?

  • How to use CLIENT-CERT authentication?

    Hi,
    I would like to know how to use client authentication.
    I used a web application with CLIENT-CERT authentication.
    And I accessed the application from a browser, then I had the following error message:
    Incorrect or missing client certificate.
    I used OpenSSL to generate keys.
    Could you tell me the information of the setting?
    Especially, I don't know the entry of CertAuthenticator.
    Could you tell me?
    Regards,
    Kuniaki Hagiwara - HP Japan

    Thank you for your response.
    Yes we have added the client certificate file (.pfx) in the Firefox browser Certificate manager / Store. It's also showing the certificate in the View Certificate window. We could not resolve it yet.

  • CLIENT-CERT authentication in WL7

    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce a client certificate request. May it be the cause of the problem? If so, how can I make the server generate a client cert request?

    Exactly, it was the reason. Thanks.
    Marcin
    On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
    You must have been accessing the server over one-way SSL. Make sure the two-way ssl server attribute is set to: Client Certificate Enforced, or Client Certificate Requested But Not Enforced.
    This should be all that is needed to make the server send the certificate request.
    With the Client Certificate Enforced option you should be getting an ssl handshake failure unless the client sends its certificate.
    Pavel.
    yazzva <[email protected]> wrote:
    Yes, I have. If I had not done it, I couldn't have accessed the service via https using basic authentication, and of course ssl debugging information and server configuration show that ssl is configured properly.
    The problem is that WL7 doesn't generate a client cert request. Thanks for an attempt to help.
    Have you configured the server for two way ssl?
    See
    http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
    http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
    for information on this.
    Pavel.
    "yazzva" <[email protected]> wrote:
    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce a client certificate request. May it be the cause of the problem? If so, how can I make the server generate a client cert request?
    --
    Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

  • ABAP client Proxy authentication required

    Hello, my problem is about ABAP client Proxy authentication.
    Scenario:
    Our Dev. BW MWDCLNT600 queries “forward” a (RetailPro) database (JDBC Receiver C.Channel), by Dev. XI , in order to "drive" data extraction (realized, backward, from RetailPro to BW).
    Forward communication from BW uses a call on ABAP Client Proxy technology (I mean, a BW class implements an XI outbound Message Interface).
    Problem:
    Something changed, we don't know what or where, and since last week every time you execute the report (F8) you are prompted with an authentication popup.
    Official manual guide is: (ABAP Proxy Generation)
    http://help.sap.com/saphelp_nw04/helpdata/en/ba/f21a403233dd5fe10000000a155106/frameset.htm
    in which you have to manage the 2 properties for credential supplying:
    com.sap.aii.applicationsystem.serviceuser.name
    com.sap.aii.applicationsystem.serviceuser.pwd
    in order to "drive" authentication to Integration Engine.
    In our scenario, ABAP report ZRTP_FLOW_CONTROL drives data extraction query, by a call to execute method
    of class: ZCO_MI_FLOW_CONTROL_OB
    which implements Outbound MI: MI_Flow_Control_OB (...all in SPROXY).
    In SXMB_ADM, XI IEngine URL is correct...
    In Exchange Profile, the 2 properties (see above) are correctly maintained (user: XIAPPLUSER, and password is OK)
    Any suggestion?
    Thanks all in advance!
    Gianluca

    Hi
    I would like to suggest you change the password in the http destination (sm59) configured to communicate with XI and put another one using UPPER case only. Another thing to check is tx SLDAPICUST. There is a problem in this transaction (I think it is a problem, maybe it's a feature): you need to use a password with UPPER case there too, and you need to double save the data there (change something, click save, change another thing, click save, and it will work, otherwise not). Check tx SLDCHECK to see if the connection with SLD and Integration Directory is ok.
    Regards.
    Roberti

  • Client Certificate Authentication not working in OSB 11g

    Hi All,
    I am currently having an issue with getting a 2 way SSL handshake to work in a production environment.
    We have the set up working and fully functional in a Test environment, however when we have deployed the code and made the same config changes in the Production environment, it does not work when calling the API (the result being as if we were not presenting the client cert to the API).
    All relevant configuration on Weblogic and OSB was performed (Keystore creation / Security Realm - Service Key Provider / Service Key Providers etc) and I believe to be right.
    We can test the keystore using SOAPUI and we get a valid response from the live API.
    We can see the relevant aliases in OSB Service Key Provider so I know that the Security Realm / Identity settings are correct on the Weblogic Server.
    The Test and Production Weblogic properties all look the same for Keystores / Security Realms / SSL etc (except with live keystores etc).
    As we can see the aliases in OSB when setting up the Service Key Provider, it should just be a matter of setting the 'Authentication' of the business service making the call to 'Client Certificate' and this has also been done.
    Though we always get an authentication error and code, that matched what we would get if we turn off the client cert authentication on the business service in the test environment (i.e not sending the certificate with the request).
    What I really want to know is how can I find out for sure whether we are sending this certificate with our request or not? As I am struggling to find a way to log these details.
    Any input appreciated.
    Jamie

    This issue has now been resolved.
    It was an environment specific issue rather than anything wrong with the actual code.

  • Client Cert Authentication

    Is there any documentation that explains how to set up iAS 6.0 SP3 to use Client Cert Authentication?
    Thanks in advance,
    Jose.

    Hi,
    I am not able to understand what "client cert authentication" means; can you please elaborate more on this. If this means the authorization process by any chance, then iAS uses the LDAP that is bundled along with iAS to authenticate. There is no other means to validate the users.
    Regards
    Raj
    Jose Raya wrote:
    Is there any documentation that explains how to set up iAS 6.0 SP3 to use Client Cert Authentication?
    Thanks in advance,
    Jose.

  • 5508 WLC - need MIB/OIDs for current client associations

    We installed 5508 controllers in multiple locations.  We have an existing SNMP management system and syslog that will work fine with these 5508's.  We are having issues figuring out an OID that reports current "unique" client associations (with a timestamp/MAC address/IP Address/AP Name/Protocol and 802.11 state).
    We tried using the NCS reports (every 60 seconds) but that only gives a historical view of client associations (and 60 individual emails in an hour).  We would like to have a better reporting technique to show live data with a refresh of 60 seconds of currently associated "unique" clients and what AP they are connected to.  Parsing out historical data in a .CSV format is really painful and inefficient.
    Has anyone attempted anything like this?  Would anyone know a good MIB/OID to use for something like this?
    Thanks,
    Nick

  • Having problem with client side Authentication.

    Hi,
    I am having a problem enabling client side authentication with SSL on weblogic 5.1.
    I have set up the .properties files as explained, however it appears my client is not sending a certificate back to the server. The same client however works perfectly (using the same keystore file) with a sample ClassFileServer webserver from the jsse distribution. (The client is a very slightly modified version of the SSLSocketClientWithClientAuth sample that comes with Jsse.)
    Below I've included a section of the debug dump from the interactions.
    The only other difference I can see is the cipher suites offered by the servers. Weblogic offers type 0 or 9, and agrees on type 9 (SSL_RSA_WITH_DES_CBC_SHA), whereas ClassFileServer offers type 0 or 5 and settles on type 5 (SSL_RSA_WITH_RC4_128_SHA).
    I am using the same keystore for both examples. Both servers request an RSA client cert.... I'm out of ideas.
    Any help would be gratefully received.
    Cheers,
    Keith
    Debug dump information
    =====================================
    1/Weblogic server.
    *** CertificateRequest
    Cert Types: RSA,
    Cert Authorities:
    <CN=K H, OU=itsmobile, O=itsmobile, L=Dublin, ST=Dublin, C=ie>
    <[email protected], CN=Demo Certificate Authority,
    OU=Security, O=BEA WebLogic, L=San Francisco, ST=California, C=US>
    <CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification,
    ST=FOR TESTING PURPOSES ONLY, C=ZA>
    [read] MD5 and SHA1 hashes: len = 427
    main, READ: SSL v3.0 Handshake, length = 4
    *** ServerHelloDone
    [read] MD5 and SHA1 hashes: len = 4
    0000: 0E 00 00 00 ....
    main, SEND SSL v3.0 ALERT: warning, description = no_certificate
    main, WRITE: SSL v3.0 Alert, length = 2
    And below is a sample when I used the ClassFileServer.
    This time the client (same src) returned a certificate.
    2/ClassFileServer (from Sun Jsse distribution)
    *** CertificateRequest
    Cert Types: DSS, RSA,
    Cert Authorities:
    <CN=K H, OU=itsmobile, O=itsmobile, L=Dublin, ST=Dublin, C=ie>
    [read] MD5 and SHA1 hashes: len = 114
    *** ServerHelloDone
    [read] MD5 and SHA1 hashes: len = 4
    0000: 0E 00 00 00 ....
    matching client alias : rsakey
    *** Certificate chain
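    As an added example (not code from Keith's post), a decoder for the CertificateRequest message that a javax.net.debug=ssl trace dumps as raw bytes: it lists the certificate types and CA names the server will accept, and checks which keystore entries satisfy them, which is the selection a client key manager makes before deciding whether it has a certificate to send at all. The embedded bytes are the 114-byte ClassFileServer message from the post's dump; the keystore inventory is constructed, and the TLS 1.2 layout (which inserts a signature-algorithms list) is out of scope.

```python
# CertificateRequest (handshake type 0x0D) decoder for the SSLv3 / TLS 1.0-1.1 layout of
# RFC 2246 section 7.4.4. TLS 1.2 adds a supported_signature_algorithms list; not handled.
from typing import Dict, List, Tuple

CERT_TYPES = {1: "RSA", 2: "DSS", 3: "RSA_FIXED_DH", 4: "DSS_FIXED_DH", 64: "ECDSA"}
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "EMAILADDRESS"}


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes) -> str:
    """Render a DER X.501 Name as JSSE prints it (most specific RDN first)."""
    tag, rdns, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)  # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _tlv(rdn, inner)  # SEQUENCE { type OID, value string }
            _, oid, p = _tlv(atv, 0)
            _, val, _ = _tlv(atv, p)
            parts.append(f"{OID_NAMES.get(_oid(oid), _oid(oid))}={val.decode('utf-8', 'replace')}")
    return ", ".join(reversed(parts))


def parse_certificate_request(msg: bytes) -> Dict[str, List[str]]:
    """Return the client certificate types and CA names the server asked for."""
    if not msg or msg[0] != 0x0D or len(msg) - 4 != int.from_bytes(msg[1:4], "big"):
        raise ValueError("not a complete CertificateRequest handshake message")
    body, n = msg[4:], msg[4]
    types = [CERT_TYPES.get(t, f"unknown({t})") for t in body[1:1 + n]]
    pos = 1 + n
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    pos, names = pos + 2, []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        names.append(decode_name(body[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    return {"cert_types": types, "certificate_authorities": names}


def eligible_aliases(request: Dict[str, List[str]], keystore: List[Tuple[str, str, str]]) -> List[str]:
    """Keystore entries (alias, key type, issuer DN) a client may offer: the key type must be listed
    and the issuer must be a requested CA (an empty CA list accepts any issuer). This is the choice
    an X509KeyManager makes; with no eligible entry the client has no certificate to send."""
    cas = request["certificate_authorities"]
    return [alias for alias, key_type, issuer in keystore
            if key_type in request["cert_types"] and (not cas or issuer in cas)]


# The 114-byte CertificateRequest the ClassFileServer sent in the post's debug dump.
CLASSFILESERVER_REQUEST = bytes.fromhex(
    "0D00006E020201006900673065310B30" "09060355040613026965310F300D0603"
    "55040813064475626C696E310F300D06" "0355040713064475626C696E31123010"
    "060355040A13096974736D6F62696C65" "31123010060355040B13096974736D6F"
    "62696C65310C300A060355040313034B" "2048")

# Constructed keystore inventory; 'rsakey' is the alias the dump reports as matching.
SAMPLE_KEYSTORE = [("rsakey", "RSA", "CN=K H, OU=itsmobile, O=itsmobile, L=Dublin, ST=Dublin, C=ie"),
                   ("otherkey", "RSA", "CN=Unrelated CA, O=Example")]
```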

    Matt,
    Did you read this article:
    https://wiki.sdn.sap.com/wiki/display/BSP/Using%20Proxies
    This explains how to properly setup the HTTPURLLOC table.
    In your case you should have entries that look something like this:
    40 HTTP   * <internal host name> <https port>
    50 HTTPS * <external host name> <https port>
    In addition you need to run the report to determine if the proxy configuration is set up properly.  The URL should be run with the
    https://<externalhostname>/sap/bc/bsp/sap/system_test/test_proxy.htm
    Take care,
    Stephen

  • Wireless client association hostname

    Hi all, 
    I'm having an issue with the above unit. Currently I have 3 units of AIR-SAP2602E-S-K9 with 15.2(2)JB under 1 SSID. Currently all my clients connected to the AP do not have their computer hostname appearing under the client association. What it is showing instead is the hostname of the AP. For example:
    Device Type  Name         IP Address       MAC Address  State           Parent  VLAN
    ccx-client   AP-HOSTNAME  XXX.XXX.XXX.XXX  Xxx.xXx.Xxx  EAP-Associated  self    1
    Any idea how I can get the hostname of the clients instead?

    If both the SSID and your client were configured for open, and you still couldn't associate, something doesn't jive. There are a couple of things that can cause an issue like this.
    1) Is the MFP Client Protection "Required" under the advanced tab?
    2) Is the WMM Policy "Required" under the QoS tab?
    3) Is the "Aironet IE" enabled under the advanced tab of the SSID? That can cause problems for some clients.
    Any of those (especially the first two) would cause a similar issue with not being able to associate, as having mismatched encryption types.

  • Unable to achieve client certificate authentication

    I am trying to do mutual certificate authentication (client/server authentication), and I am getting the following error.
    Does anybody have any clue?
    SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
    My code is below.
    // Uses the standard javax.net.ssl API; the com.sun.net.ssl classes of the original post are
    // deprecated, so the provider registration and protocol-handler property are no longer needed.
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.SSLSocketFactory;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.net.URL;
    import java.io.BufferedReader;
    import java.io.FileInputStream;
    import java.io.InputStreamReader;

    public class ClientCert {
        // Builds a socket factory whose key manager presents the client certificate from the JKS keystore.
        private static SSLSocketFactory getSocketFactory() {
            try {
                char[] thePassword = "goldy123".toCharArray();
                KeyStore theKeyStore = KeyStore.getInstance("JKS");
                theKeyStore.load(new FileInputStream("c:/castore"), thePassword);
                KeyManagerFactory theKeyManagerFactory = KeyManagerFactory.getInstance("SunX509");
                theKeyManagerFactory.init(theKeyStore, thePassword);
                KeyManager[] managers = theKeyManagerFactory.getKeyManagers();
                // null trust managers: the default trust store (javax.net.ssl.trustStore) is used
                SSLContext theContext = SSLContext.getInstance("TLS");
                theContext.init(managers, null, null);
                return theContext.getSocketFactory();
            } catch (Exception e) {
                System.err.println("Failed to create a client socket factory...");
                e.printStackTrace();
                return null;
            }
        }

        public static void main(String[] args) {
            try {
                // Accepts any host name: this disables hostname verification, as in the original post
                HostnameVerifier hv = new HostnameVerifier() {
                    public boolean verify(String urlHostname, SSLSession session) {
                        return true;
                    }
                };
                HttpsURLConnection.setDefaultHostnameVerifier(hv);
                URL mioUrl = new URL("https://viveksharma:9090/LoginPage.do?userName=root&password=password");
                // Alternative to the custom factory: let the default SSLContext read the key store from system properties
                //System.setProperty("javax.net.ssl.keyStore","C:/castore");
                //System.setProperty("javax.net.ssl.keyStorePassword","goldy123");
                System.setProperty("javax.net.ssl.trustStore", "C:/vivekstore");
                System.setProperty("javax.net.ssl.trustStorePassword", "goldy123");
                HttpsURLConnection.setDefaultSSLSocketFactory(getSocketFactory());
                HttpsURLConnection urlConn = (HttpsURLConnection) mioUrl.openConnection();
                urlConn.connect();
                // The server certificate chain as presented in the handshake
                Certificate[] ch = urlConn.getServerCertificates();
                System.out.println(ch[0]);
                BufferedReader in = new BufferedReader(new InputStreamReader(urlConn.getInputStream()));
                String inputLine;
                while ((inputLine = in.readLine()) != null)
                    System.out.println(inputLine);
                in.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

    Hello guys!
    I've had this problem twice (once with Tomcat server and once with OC4J -- Oracle 9iAS) and was able to resolve it.
    First of, make sure that the certificate your client is passing is valid (I always use JKS format... i think its a must when using JSSE) and is in your server's truststore (and that you specify which truststore file for your server to look at in your config file).
    Secondly, also import the root CA of your client cerficate (if it isn't there yet) to the cacert file in $JAVA_HOME/jre/lib/security.
    Hope this helps.
