Client auth error

Similar Messages

• Client-Auth errors

  Hi all,
  I have a SOWS 6.1 and I am getting the following error eache time a user try to get the page:
  Client-Auth reports: Unexpected error receiving data: -5938
  Do you know what it should be?
  Thanks in advance

  Can you tell us the exact configuration you have.
  Send a request to the server to capture the details of initial handshake which performs the client authentication through ssltap. Save the output. Also, when the
  certificates are exchanged ssltap will save them to a file (see the output of
  ssltap for the filenames it used). Get those cert files as well.

• Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938

  I am trying to deploy the clientcert sample applcation that comes with the platform edition of SunOne V7.
  I have used openssl as a CA and have created client and server certs.
  I get the following problem.
       Sun ONE Application Server - HTTP Status 403 Error
       Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
       Type: Status Report
       Message: Access to the requested resource has been denied.
  As can be seen from the server.log below, some form of authentication succeeds:
       [12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
  Note, common name is that of my client cert.
  However there is a severe error:
       [12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
  Also, HTTPS works with server side authentication and I signed both client and server certs with same private "CA" certification.
  Question: Do I need any special extentions in the certs for use with SSL?
  Thanks in advance.
  server.log fragment:
  [12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
  [12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-4
  [12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
  [12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
  [12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
  [12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
  [12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET --> true
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
  [12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
  [12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: No certificates included with this request
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Failed authenticate() test
  [12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
  [12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-5
  [12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
  [12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
  [12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
  [12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
  [12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET --> true
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
  [12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
  [12/Aug/2004:08:56:11] FINEST ( 2392): Processing login with credentials of type: class sun.security.x509.X500Name
  [12/Aug/2004:08:56:11] FINE ( 2392): Processing X.500 name login.
  [12/Aug/2004:08:56:11] FINEST ( 2392): Certificate realm setting up security context for: CN=tweekes, O=tester, C=ie
  [12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
  [12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Authenticated 'CN=tweekes, O=tester, C=ie' with type 'CLIENT-CERT'
  [12/Aug/2004:08:56:11] FINE ( 2392): SingleSignOn[server1]: Registering sso id '6264FF86CB3151E572951CB77D0C515F' for user 'CN=tweekes, O=tester, C=ie' with auth type 'CLIENT-CERT'
  [12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Calling accessControl()
  [12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL : CN=tweekes, O=tester, C=ie hasRole?: staffmember
  [12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL TABLE: {staff=[staffmember], C=ie, O=tester, CN=tweekes=[staffmember]}

  The below one is the correct configurations
  <If $uri =~ "/my(/passo.*)">
  NameTrans fn="restart" from="$uri" uri="/my/jsp$1"
  </If>
  <Object ppath="/my/jsp/passo/*">
  PathCheck fn="get-client-cert" dorequest="1"
  </Object>

• Client-Auth reports: HTTP4031: Unexpected error receiving data

  I noticed that the below error logged in errors log
  trying to GET /my/jsp/passo/, Client-Auth reports: HTTP4031: Unexpected error receiving data (End of file)
  I configured obj.conf for the above one
  <If $uri =~ "/my(/passo.*)">
  NameTrans fn="restart" from="$uri" uri="/ap/jsp$1"
  </If>
  <Object ppath="/my/jsp/passo/*">
  PathCheck fn="get-client-cert" dorequest="1"
  </Object>
  Please correct me if i am wrong in the configuration. If i removed those lines it is started working. but i am not sure this will enforce the request to provide certificate from the client.
  I highly be appreciated if any one responded.

  The below one is the correct configurations
  <If $uri =~ "/my(/passo.*)">
  NameTrans fn="restart" from="$uri" uri="/my/jsp$1"
  </If>
  <Object ppath="/my/jsp/passo/*">
  PathCheck fn="get-client-cert" dorequest="1"
  </Object>

• Client Auth  and SSL with Seeburger AS2 adapter

  Hello All,
  We are using the Seeburger AS2 adapter in our landscape and I am in the process of setting the same up and have made quite some progress in all my issues.
  and I  hope that you will be able to help me out.
  1. Server SSL on Receiver AS2 adapter
  I am sending a message from XI using the Receiver AS2 adapter to my AS2 test tool using Server SSL.
  This is working perfectly fine. In my AS2 adapter I have selected HTTPS as the protocol and the message goes via SSL to the target test tool, is processed and the MDN comes back to XI perfectly.
  The issue here is :
  Irrespective of what is provided in the Server Certificate ( Keystore) , the message goes to my target test tool. I even left this field blank with no certificate entry and still the SSL connection was established and the message went to the target system.
  Is there no validation that XI does here? I am lost what is the use of this entry Server Certificate if XI blindly accepts all SSL connections.
  I am using a Decentral Adapter Engine with LoadBalancer.
  2. Client Auth on Receiver AS2 Adapter
  I tried to perform Client Authentication by proving my Server's private key in the AS2 adapter. The corresponding public key is loaded in my partner's Keystore.
  XI error's with the error "SSL handshake failed - Bad Certificate" .
  I am not sure why XI is erroring out here and I have a feeling that I have misunderstood the use of the fields in the AS2 adapter,
  Server Certificate ( Keystore) and Private Key for Client Authentication.
  Has anyone tried this? If further details are needed, I will be able to furnish the same.
  Regards,
  Bhavesh

  Hello Jens,
  Thanks for your reply.
  1. The Encryption and Signature part of the Interface is working absolutely fine and I use the same concept highlighted by you - The Sender always signs the message with his private key and encrypts with message with the partner's public key in the corresponding agreement.
  2. Server SSL is also working perfectly fine, i.e, when XI initiates the connection the SSL connection is established to the partner.
  3. Mutual Auth was the issue where I was getting the bad certificate issue.
  To investigate further I moved the same setup to my Central Adapter Engine and all the issues I had described above seem to have vanished and things work exactly as I was expecting, ie.
  The field : Server Certificate (Keystore) is used to provide the Target System's Server SSL's public Certificate.
  The field : Private Key for Client Authentication is used where XI provides its own Server SSL's private key for Mutual / Client Authentication.
  The problem seems to be with my Decentral Adapter engine and not my central adapter engine and so I guess,
  1. I either have the incorrect certificates on my Decentral Adapter Engine.
  2. I also have 2 instances of a Decentral Adapter Engine with a Webdispatcher and so maybe the 2 Visual Admin's of the 2 Decentral AE are inconsistent.
  3. Maybe it was just a long day and I did something wrong
  Will investigate further for the root cause but I am glad that my concepts remain intact and things do work as I expected them to work.
  A blog on all this is on the cards sometime soon.
  Cheers,
  Bhavesh

• Probelm client auth from jsse client with open ssl server

  I tried to connect jsse client with a openssl server.. with clientAuth
  This is what i did ..
  Using openssl req comand i created a X509 certificate for server and imported the same to java keystore..
  The communication works fine without client authentication.
  To enable client auth i create client private/public key pair using keytool and exported the public key to a file client.public. and used it in open ssl server .
  This is how i invoke the client ..
  java
  -Djavax.net.debug=all
  -Djavax.net.ssl.trustStore=cacerts
  -Djavax.net.ssl.trustStorePassword=changeit
  -Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
  After which i get following error in server
  SSL3 alert write:fatal:handshake failure
  SSL_accept:error in SSLv3 read client certificate B
  SSL_accept:error in SSLv3 read client certificate B
  ERROR
  17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
  shutting down SSL
  CONNECTION CLOSED
  The client debug says it is recieving a certificate request.. what could be the problem.. can anybody help...

  i also have that problem. I was trying to configure SSL in apache in Win XP machine, but this error occurs. Is there anyone, who can help on it?

• Mail Server Error - 21055: auth: Error: od?

  Hi,
  Just upgraded to OSX 10.8 Mountain Lion, now my email services have gone AWOL.
  The server logs are telling me  [DateTime domain.com] log[21055]:auth: Error: od (username, ip address): authentication failed for user=me, method=DIGEST-MD5
  From a client (MS offlook) point of view I'm getting :
  Your message did not reach some or all of the intended recipients.
  Subject:    test
        Sent: 06/08/2012 19:09
  The following recipient(s) cannot be reached:
        '[email protected]' on 06/08/2012 19:10
              451 4.3.5 <unknown[ip address]>: Client host rejected: Server configuration error
  This used to work quite well with Lion and the Server Admin Tools.
  Is there anything I can try?
  Thanks in advance,
  Jeff.

  Thanks for getting back to me red shift, everything is now up and working again. 
  I think it was somthing to do with some folder permissions and some mail settings.  The mail server GUI supplied with Mountain Lion is all but useless and didn't help in any way in tracking down or resolving the problem. So, I've taken the plunge and set up MailServ for Mountain lion, its a much better mail server GUI client, and seemed to correct some of my postfix settings.
  I've tinkered a bit with command line mail stuff, but not quite at a level where I can fully administer it.
  Are there any good command line resources out there?  This is somthing I need to improve on.
  Cheers.

• Auth Error in BW while executing a query with Company hierarchy

  Hi All,
  I have an issue in BW Reporting auth objects.. Hope to get resolved here.
  We are using BI 7.0. However We  are still using the Reporting auth objects for fiield level security. We are having a problem while executing a query with company code hierarchy ,which is built on a multiprovider.
  The Background is as below
  Multiprovider: ZM_CD01 with 5 infocubes
  Query: Has 0COMP_CODE as free characteristics with display hierarchy for Japan (Node APSC_012 is fixed value)
  Node APSC_012 has 4070,4076,407A,408A,9830 company code values under it.
  Reporting Auth Objects:
  Z0COMPCODE: (for flat values)
  4070,4076,407A,408A,407M,407P,8236, :
  ZHCOMPCODE: (For tree structure)
  4070,4076,407A,408A,407M,407P,8080, :
  APSC_MGMT_HIER (Nodes: APSC_012,APSC019)
  Both the reporting authorization objects are checked for multi provider ZM_CD01 in RSSM
  While executing the query the following Auth error is received.
  You do not have authorization to read object  "Z0COMPCODE" authorization on '0COMP_CODE'
  When I change the values for Z0COMPCODE to * it works fine. No Auth error.
  Please help me resolve this issue. It is very critical now as the user needs to execute some important reports.
  Thanks in Advance.
  Ramkumar C

  Hi Chandra,
  Try the following:
  1. Go to tcode RSSM
  2. Enter the cube ZM_CD01 (all the other cubes) then click change.
  3. Afterwards, u201Cunchecku201D ALL Authorization Objects under this cube. (Repeate the same for all the cubes)
  4. Click Save.
  This will resolve the issue.
  Rgds,
  Raghu

• Client Authentication error while invoking portal web service.

  Hi All,
  I have created a java portal web service from portal service using NWDS, I am getting client authentication error while invoking the service.
  Please tell me where to enter client authenticity details.
  regards
  Santosh

  hi,
    check whether you have the UME permissions for accessing this webservice.
  Rdgs,
  Guru

• HTTPS with client auth

  Hello , I am working on a scenario to implement Client Authentication with HTTPS , i got to a blog where its mentioed of steps of implementing HTTPS with Client auth on XI system , in order to test it i would also require a webservice client that works for this purpose. i got to SAP Soap client , but whatz the way to generate the certificate request so that i can send it to CA and get it signed any ideas pl?

  Hi together,
  i have the same problem? is anybody out there who could give us some hints?
  many thanks
  alex schramm

• WS security, SSL and client auth

  Hello all,
  I need to secure a web service using SSL with client auth (client has a certificat issued by the web service provider wich he can use to access it... i suppose).
  Being a newbie i have no idea what are the options and how to implement them.
  If good tutos are available on the subject it would be nice.
  I also had another question: with a web service, what guarantee do i have that the client has consumed the web service and received the information he wants etc., it is critical for me to know that everything went ok...
  Cheers

  Hi
  One of the best books I found that covers security is located at:
  http://www.lulu.com/content/214643
  You will, or get you company to :), buy it (it's not expensive). It covers axis1.3, note that axis2 is out, but since your just starting with web services this will be a very good start on many of the concepts and how to implement them.
  Should you decide to use Axis give it's documentation and many tutorials a look, the main site is: http://ws.apache.org/axis2/
  Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think one to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do e.g. click an "accept" button that kicks of another "request" to the web service indicating that the initial request satisfied the users query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request.

• Client-Auth reports: HTTP4030: Timeout while waiting for client certificate

  Hello,
  I'm having problems with the certificate authentication in my Sun Java System Web Server Enterprise Edition 6.1: I have created an ACL in the SJWS that asks for a client certificate when the user goes to a specific URI:
  acl "uri=/server1/myaction.do";
  authenticate (user) {
  method="ssl";
  deny (all)
  user = "admin";
  It works great and, when the user goes to "/server1/myaction.do" (we are using Internet Explorer 7 as Web browser), the window for selecting the client certificate appears:
  - If the user selects a certificate that doesn't require password, everything works fine.
  - The problem comes when the certificate is configured in Internet Explorer for asking for a password every time it is accessed. Once the user has selected the password protected certificate, the window for typing the password appears, but if the user doesn't type it and click OK IN LESS THAN 5 SECONDS (I've timed it), the following messages appear in the SJWS logs:
  [28/Nov/2007:09:25:05] failure ( 2055): for host 10.0.145.11 trying to GET /server1/myaction.do, Client-Auth reports: HTTP4030: Timeout while waiting for client certificate.
  [28/Nov/2007:09:25:05] security ( 2055): HTTP4290: get_auth_user_ssl: client passed no certificate.
  I tried to add the following two lines to the magnus.conf file of the SJWS, but nothing changed:
  SSLClientAuthTimeout 240
  AcceptTimeout 3600
  Has anyone experienced something similar? Any little piece of advice would be greatly appreciated.
  Thank you very much in advance,
  Carlos.

  This is fixed in Web Server 7.0 update 2. Please migrate/upgrade to Web Server 7.0 update 2. Sorry for the inconvenience.

• BO 4.0 Web Intelligence Rich Client Login Error

  Hi Everyone,
  i have an error about log on rich client in BO 4.0 .
  Error is "Logon failure due to internal error".
  i can use rich client in server machine, but i try to use in client that error raised.
  i search forum and internet, some of people encounter this problem suggest some answers. but any suggestion does not resolve my problem.
  i tried to delete .lis files, and change default folder.
  do you suggest anything about this error?
  by the way network port is open (6400,6410)

  Hi All,
  I resolve WebI error.
  there are *.lsi files in My Documents\My SAP BusinessObjects Documents\LocData normally. these files are created by BO System when you log in firstly - i guess. if you create those files manually, you can grante log in with WebI. i do not know these file's contents. i have this files ex server and use them, after edited.
  but ı cannot resolve designer problem. I search internet and tried almost every solution which suggested.
  by the way, our system is BO 4.0 sp2 patch6 and server machine is;
  Windows 2008 Server R2
  16 GB RAM,
  3.7 Ghz Processor

• MY IOS does not support EKU Server-Auth/Client-Auth

  Hello,
  I have a cisco router with  Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T8.   im trying to set it up as my CA Server where I need to enroll my AnyConnect clients.
  But while I trying to configure my crypto pki server command,  I do not see   EKU Server-Auth or EKU Client-Auth   feature
  can any one tell why it does not have this feature ??

  it was added into 12.2T.    but for me it does not have this feature available .  any ideas ?

• Client Auth

  I'm still trying to get some information on how to implement client
  certificate authentication in workshop. I found the info on how to
  designate your jws as https (using weblogic-jws-config.xml). What else is
  needed to configure client auth. (I posted this earlier and was told there
  would be a document up on dev2dev about this a week or two ago - is it
  there, I can't find it).

  Is this document up there yet? I really need it.
  thanks.
  "Anurag Pareek" <[email protected]> wrote in message
  news:3d499bfd$[email protected]..
  Hi Dave,
  We plan to come up with this document by the end of next week. It will be
  posted at the dev2dev.beasys.com site. I will let you know the exact URL
  once we have it posted.
  Regards,
  Anurag
  Workshop Support
  "Dave Remy" <[email protected]> wrote in message
  news:[email protected]..
  I am looking for doc on how to set up a WLW project for two-way SSL. Ineed
  to know how to set it up and also how to get to the client X509certificate
  within a jws.
  thanks.