Client authentication not working

Hi all,
I am using Apache's HTTPClient to connect with a server running https. The server is the latest stable Tomcat (version 4.1.27). If I set clientAuth="false" in the Tomcat configuration, everything is working fine. I am able to communicate with the server, since the server's certificate is in the trusted store. If I want to authenticate myself (by setting clientAuth="true") it doesn't work. It seems that the application I have written doesn't send the client's certificate.
Here's the code:
import java.io.IOException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory;

public class HTTPClient {
    public static void main(String[] args) throws IOException {
        HttpClient httpclient = new HttpClient();
        // Register an "https" protocol on port 8443 backed by the contrib SSL socket factory
        // (false = do not verify that the hostname matches the server certificate)
        Protocol myhttps = new Protocol("https", new StrictSSLProtocolSocketFactory(false), 8443);
        httpclient.getHostConfiguration().setHost("rigel", 8443, myhttps);
        GetMethod httpget = new GetMethod("/");
        httpclient.executeMethod(httpget);
        httpget.releaseConnection();
    }
}
If I turn on all sorts of debugging this is what I get:
2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java version: 1.4.0_02
2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java vendor: Sun Microsystems Inc.
2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java class path: f:\myhome\projects\NextiraOne\class;f:\myhome\projects\NextiraOne\lib\commons-httpclient-2.0-rc1.jar;f:\myhome\projects\NextiraOne\lib\log4j-1.2.6.jar;f:\myhome\projects\NextiraOne\lib\commons-logging.jar;f:\myhome\projects\NextiraOne\lib\commons-logging-api.jar;f:\myhome\projects\NextiraOne\lib\com.ibm.mq.jar;f:\myhome\projects\NextiraOne\lib\xmlparserv2new.jar;f:\myhome\projects\NextiraOne\lib\connector.jar
2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system name: Windows 2000
2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system architecture: x86
2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system version: 5.0
2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SUN 1.2: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunJSSE 1.4002: Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunRsaSign 1.0: SUN's provider for RSA signatures
2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunJCE 1.4: SunJCE Provider (implements DES, Triple DES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
2003/10/08 14:54:27:088 CEST [DEBUG] HttpClient - -SunJGSS 1.0: Sun (Kerberos v5)
2003/10/08 14:54:27:188 CEST [DEBUG] HttpConnection - -HttpConnection.setSoTimeout(0)
keyStore is :
keyStore type is : jks
init keystore
init keymanager of type SunX509
trustStore is: f:\client.keystore
trustStore type is : jks
init truststore
adding private entry as trusted cert: [
Version: V1
Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@8fd984
Validity: [From: Wed Oct 08 13:48:24 CEST 2003,
               To: Tue Jan 06 12:48:24 CET 2004]
Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
SerialNumber: [    3f83f988 ]
Algorithm: [MD5withRSA]
Signature:
adding as trusted cert: [
Version: V1
Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@f99ff5
Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
               To: Tue Jan 06 10:56:42 CET 2004]
Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
SerialNumber: [    3f83df5a ]
Algorithm: [MD5withRSA]
Signature:
init context
trigger seeding of SecureRandom
done seeding SecureRandom
2003/10/08 14:54:32:456 CEST [DEBUG] HttpMethodBase - -Execute loop try 1
2003/10/08 14:54:32:466 CEST [DEBUG] wire - ->> "GET / HTTP/1.1[\r][\n]"
2003/10/08 14:54:32:466 CEST [DEBUG] HttpMethodBase - -Adding Host request header
2003/10/08 14:54:32:476 CEST [DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.0rc1[\r][\n]"
2003/10/08 14:54:32:476 CEST [DEBUG] wire - ->> "Host: rigel[\r][\n]"
%% No cached client session
*** ClientHello, v3.1
RandomCookie: GMT: 1048840456 bytes = { 43, 4, 244, 103, 54, 110, 99, 128, 162, 132, 22, 2, 197, 112, 91, 105, 4, 133, 249, 114, 142, 122, 44, 203, 156, 188, 132, 100 }
Session ID: {}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 59
main, WRITE: SSL v3.1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
main, WRITE: SSL v2, contentType = 22, translated length = 16310
main, READ: SSL v3.1 Handshake, length = 2275
*** ServerHello, v3.1
RandomCookie: GMT: 1048840456 bytes = { 2, 207, 237, 54, 101, 119, 116, 33, 59, 54, 56, 111, 170, 110, 92, 129, 178, 67, 124, 46, 187, 153, 247, 27, 216, 197, 21, 232 }
Session ID: {63, 132, 9, 8, 85, 66, 130, 20, 34, 100, 122, 131, 137, 133, 143, 214, 43, 232, 151, 61, 12, 216, 23, 84, 58, 241, 194, 116, 67, 44, 43, 44}
Cipher Suite: { 0, 5 }
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
** SSL_RSA_WITH_RC4_128_SHA
[read] MD5 and SHA1 hashes: len = 74
*** Certificate chain
chain [0] = [
Version: V1
Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b2a2d8
Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
               To: Tue Jan 06 10:56:42 CET 2004]
Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
SerialNumber: [    3f83df5a ]
Algorithm: [MD5withRSA]
Signature:
stop on trusted cert: [
Version: V1
Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b2a2d8
Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
               To: Tue Jan 06 10:56:42 CET 2004]
Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
SerialNumber: [    3f83df5a ]
Algorithm: [MD5withRSA]
Signature:
[read] MD5 and SHA1 hashes: len = 552
*** CertificateRequest
Cert Types: DSS, RSA,
Cert Authorities:
<OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<[email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
<[email protected], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US>
<OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<[email protected], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<[email protected], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
<CN=kws, OU=Delaware, O=Delaware, L=BE, ST=BE, C=BE>
<OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<[email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
[read] MD5 and SHA1 hashes: len = 1645
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
Random Secret: { 3, 1, 183, 52, 32, 171, 15, 252, 104, 26, 122, 4, 33, 152, 207, 169, 53, 3, 54, 92, 207, 235, 108, 124, 43, 137, 189, 40, 155, 244, 16, 195, 171, 111, 45, 24, 118, 251, 161, 5, 255, 221, 102, 77, 136, 92, 253, 146 }
[write] MD5 and SHA1 hashes: len = 141
main, WRITE: SSL v3.1 Handshake, length = 141
SESSION KEYGEN:
... no IV for cipher
main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished, v3.1
verify_data: { 2, 131, 239, 184, 3, 52, 180, 31, 246, 47, 142, 241 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 02 83 EF B8 03 34 B4 1F F6 2F 8E F1 .........4.../..
Plaintext before ENCRYPTION: len = 36
0000: 14 00 00 0C 02 83 EF B8 03 34 B4 1F F6 2F 8E F1 .........4.../..
0010: E8 92 3D 1E 0C A5 0A B2 E3 71 7A E9 02 41 91 20 ..=......qz..A.
0020: 30 86 A2 47 0..G
main, WRITE: SSL v3.1 Handshake, length = 36
waiting for close_notify or alert: state 1
Exception while waiting for close java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
main, SEND SSL v3.1 ALERT: warning, description = close_notify
Plaintext before ENCRYPTION: len = 22
0000: 01 00 BD 94 A3 63 BB DA 73 4F 7A 85 4B 79 25 76 .....c..sOz.Ky%v
0010: 8B 08 0F FF CE FC ......
main, WRITE: SSL v3.1 Alert, length = 22
java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
     at java.net.SocketInputStream.socketRead0(Native Method)
     at java.net.SocketInputStream.read(SocketInputStream.java:116)
     at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
     at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
     at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(DashoA6275)
     at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(DashoA6275)
     at com.sun.net.ssl.internal.ssl.ClientHandshaker.g(DashoA6275)
     at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
     at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
     at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1344)
     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
     at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:779)
     at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2179)
     at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2534)
     at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1047)
     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:638)
     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:500)
     at kws.testing.out.HTTPClient.main(HTTPClient.java:60)
Exception in thread "main"
Does someone have an idea on how to get client authentication (without password) to work?
regards,
Kenneth
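Added example, not code from the original post or from HttpClient: the debug output above shows the JSSE default key store is unset ("keyStore is :") and, after the server's CertificateRequest, the client's own "*** Certificate chain" is empty, so the server has no certificate to authenticate. The Java below (written for a current JDK, not the 1.4 runtime in the log) loads a key store, checks for a private-key entry issued by one of the CAs the server advertised, and builds an SSLContext that will present it; the same check applies to the .pfx loaded by the follow-up poster. The trust store path f:\client.keystore and the CN=kws issuer come from the log; the key store path and the passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

public class ClientCertCheck {

    /** Load a JKS or PKCS12 key store from disk. */
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * Aliases of private-key entries whose certificate was issued by one of the CAs
     * the server named in its CertificateRequest. The SunX509 key manager only offers
     * a client certificate from such an entry; a store holding only trusted-cert
     * entries (like the one in the log) produces an empty Certificate message.
     */
    static List<String> usableClientAliases(KeyStore ks, List<X500Principal> acceptedIssuers)
            throws Exception {
        List<String> usable = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // a trusted-cert entry has no private key to sign the CertificateVerify
            }
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate
                    && acceptedIssuers.contains(((X509Certificate) cert).getIssuerX500Principal())) {
                usable.add(alias);
            }
        }
        return usable;
    }

    /** SSLContext that presents keys from keyStore and trusts the CAs in trustStore. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword); // password protecting the private-key entries
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // f:\client.keystore is the trust store from the log; the key store path and
        // both passwords are placeholders to be replaced with real values.
        char[] password = "changeit".toCharArray();
        KeyStore trust = loadKeyStore("f:\\client.keystore", "JKS", password);
        KeyStore keys = loadKeyStore("f:\\client-key.p12", "PKCS12", password);

        // The only non-public CA the server advertised in its CertificateRequest.
        List<X500Principal> accepted = new ArrayList<X500Principal>();
        accepted.add(new X500Principal("CN=kws, OU=Delaware, O=Delaware, L=BE, ST=BE, C=BE"));

        List<String> usable = usableClientAliases(keys, accepted);
        if (usable.isEmpty()) {
            System.err.println("No private-key entry issued by an accepted CA; the handshake will fail");
            return;
        }
        System.out.println("Client will authenticate with alias " + usable.get(0));
        SSLSocketFactory factory = buildContext(keys, password, trust).getSocketFactory();
        // Wrap 'factory' in a custom HttpClient SecureProtocolSocketFactory, or get the
        // same default-context behaviour with -Djavax.net.ssl.keyStore=... and
        // -Djavax.net.ssl.keyStorePassword=... (the properties the empty "keyStore is :" line reflects).
    }
}
```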

... no IV for cipher
This line is in my debug and the debug posted in the original message.
I am having the same problem of accessing a page with a Client Side Cert that uses a password. I get debug that has the "no IV for cipher" message. It does not throw an exception, but gets a 403 from the server.
Does anyone know? Will a Client Side Cert with a Symmetric Key work in Java APIs?
I load the .pfx cert into a Java KeyStore and send this to Apache HTTPClient.

Similar Messages

  • [solved] NFS client will not work correctly

    I have all my $HOME on an NFS server. So far I have used SUSE and Debian; now I want to switch to Arch, but the NFS client is not working correctly:
    I start "portmap nfslock nfsd netfs" via rc.conf. When I do a "rpcinfo -p <ip-arch-system>" I get the following:
    stefan:/home/stefan # rpcinfo -p 192.168.123.3
       Program Vers Proto   Port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100021    1   udp  32768  nlockmgr
        100021    3   udp  32768  nlockmgr
        100021    4   udp  32768  nlockmgr
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    4   udp   2049  nfs
        100021    1   tcp  48988  nlockmgr
        100021    3   tcp  48988  nlockmgr
        100021    4   tcp  48988  nlockmgr
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs
        100005    3   udp    891  mountd
        100005    3   tcp    894  mountd
    As you see, "status" is missing, so statd is not running. It should look like the result on my SUSE box:
    stefan:/home/stefan # rpcinfo -p 192.168.123.2
       Program Vers Proto   Port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100024    1   udp  32768  status
        100021    1   udp  32768  nlockmgr
        100021    3   udp  32768  nlockmgr
        100021    4   udp  32768  nlockmgr
        100024    1   tcp  35804  status
        100021    1   tcp  35804  nlockmgr
        100021    3   tcp  35804  nlockmgr
        100021    4   tcp  35804  nlockmgr
    There is the "status" line and so the statd is running.
    How can I fix that problem, so that statd is running on my Arch box too?
    Last edited by stka (2007-06-10 15:59:48)

    The Problem ist solved.
    I use ldap for authentication. During the setup of the ldapclient I copied the nsswitch.ldap to nsswitch.conf. But the line for "hosts:" was:
    hosts:          dns ldap
    but in my DNS there is no localhost entry. After I changed this line to:
    hosts:          files dns ldap
    everything was ok. The statd is now running and I can start to migrate to archlinux ;-)

  • BPC 7.5 Admin Client Links Not Working

    I am working in BPC 7.5 SP15 NW. I have recently upgraded to Windows 7 64-bit and now the links in the action pane in the desktop admin client are not working. The cursor does not change from the normal pointer to the hand. That would indicate that the admin client is no longer recognizing them as links. The links work fine in the desktop Excel client. I am using 32-bit Excel 2010 with no other version of Office installed.
    Has anyone heard of this behavior and how to correct for it?

    Hi Kannan,
    I think this is an Osoft website configuration issue; the error indicates that you have a duplicate section in the website configuration file (web.config).
    If you didn't alter the web.config file, then the problem may occur because when you use Framework 4.0, the machine config already has some of the sections defined that were used in previous ASP.NET versions.
    You should check which version of the MS Framework is configured for the application pool of the web site, change it to v2.
    Let me know if this solves the issue. Or if you need more help to resolve it.
    Kindest regards,

  • [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints .

    Revision: 1720
    Author: [email protected]
    Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
    Log Message:
    Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
    QA: Yes
    Doc: No
    Details:
    Update to the TomcatLoginCommand to work correctly with NIO endpoints.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-304
    Modified Paths:
    blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java

  • Ldap authentication not working for Solaris 8 host - Help!

    Greetings folks,
    I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
    Here are the steps I took to migrate it (though I used the same steps for another Sol8 host in another environment and it works fine):
    ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
    My /etc/nsswitch.conf looks like this:
    passwd: files ldap
    group: files ldap
    My /etc/pam.conf looks like this:
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth required pam_ldap.so.1
    sshd auth requisite pam_authtok_get.so.1
    sshd auth sufficient pam_unix_auth.so.1
    sshd auth required pam_ldap.so.1
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth required pam_ldap.so.1
    passwd auth sufficient pam_passwd_auth.so.1
    passwd auth required pam_ldap.so.1
    I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
    hostname# getent passwd user1
    user1::1001:1001:User 1:/opt/home/user1:/bin/bash
    hostname# ldaplist -l passwd user1
    dn: uid=user1,ou=people,dc=mydomain,dc=com
    shadowFlag: 0
    userPassword: {crypt}(removed)
    uid: user1
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: account
    objectClass: top
    cn: user1
    uidNumber: 1001
    gidNumber: 1001
    gecos: User 1
    homeDirectory: /opt/home/user1
    loginShell: /bin/bash
    However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
    Any ideas?
    Thanks!
    Patrick
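To see how the control flags in the pam.conf above combine for an LDAP-only user (no local passwd entry, so pam_unix_auth cannot succeed), here is a small evaluator of the sshd and "other" auth stacks. It is an added example, not code from the post or from Solaris; the per-module outcomes are assumed inputs, and optional-module and error-precedence rules are simplified.

```python
"""Walk a Solaris-style pam.conf auth stack and show how the control flags combine."""

from dataclasses import dataclass

# Constructed excerpt of the sshd and "other" stanzas quoted in the post above.
PAM_CONF = """\
# service  type  control-flag  module
sshd   auth requisite  pam_authtok_get.so.1
sshd   auth sufficient pam_unix_auth.so.1
sshd   auth required   pam_ldap.so.1
other  auth requisite  pam_authtok_get.so.1
other  auth required   pam_dhkeys.so.1
other  auth sufficient pam_unix_auth.so.1
other  auth required   pam_ldap.so.1
"""


@dataclass
class Entry:
    service: str
    mtype: str
    flag: str
    module: str


def parse_pam_conf(text):
    """Parse 'service type flag module [options]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2].lower(), parts[3]))
    return entries


def stack_for(entries, service, mtype):
    """Solaris uses the 'other' stanza when a service has no entries of this type."""
    stack = [e for e in entries if e.service == service and e.mtype == mtype]
    if not stack:
        stack = [e for e in entries if e.service == "other" and e.mtype == mtype]
    return stack


def evaluate(entries, service, mtype, outcomes):
    """Return ("success" | "failure", trace).

    outcomes maps a module name to True (PAM_SUCCESS) or False (an error); a
    module absent from the dict is assumed to fail.  Flag semantics follow
    pam.conf(4): a failing requisite ends the stack at once, required failures
    are remembered but the stack keeps running, a successful sufficient module
    ends the stack with success only if no required module failed before it,
    and a failing sufficient module is ignored.  Optional modules and the
    precedence between several errors are simplified here (assumption).
    """
    trace = []
    required_failed = None      # first failing required module
    vouched = False             # some required module succeeded
    sufficient_failed = None    # last failing sufficient module
    stack = stack_for(entries, service, mtype)
    if not stack:
        return "failure", ["no stack for this service/type"]
    for e in stack:
        ok = outcomes.get(e.module, False)
        trace.append(f"{e.flag:<10} {e.module}: {'ok' if ok else 'FAIL'}")
        if e.flag == "requisite" and not ok:
            trace.append(f"requisite {e.module} failed: stop")
            return "failure", trace
        if e.flag == "required":
            if ok:
                vouched = True
            elif required_failed is None:
                required_failed = e.module
        elif e.flag == "sufficient":
            if ok and required_failed is None:
                trace.append(f"sufficient {e.module} succeeded: stop with success")
                return "success", trace
            if not ok:
                sufficient_failed = e.module
    if required_failed is not None:
        trace.append(f"required {required_failed} failed: overall failure")
        return "failure", trace
    if not vouched and sufficient_failed is not None:
        trace.append(f"nothing vouched for the user ({sufficient_failed} failed): failure")
        return "failure", trace
    return "success", trace


if __name__ == "__main__":
    entries = parse_pam_conf(PAM_CONF)
    # LDAP-only user: pam_unix_auth always fails, so pam_ldap (required) decides
    scenarios = {
        "ldap bind ok": {"pam_authtok_get.so.1": True, "pam_ldap.so.1": True},
        "ldap bind fails": {"pam_authtok_get.so.1": True},
        "local entry present": {"pam_authtok_get.so.1": True, "pam_unix_auth.so.1": True},
    }
    for name, outcomes in scenarios.items():
        result, trace = evaluate(entries, "sshd", "auth", outcomes)
        print(f"{name}: {result}")
        for step in trace:
            print("   ", step)
```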

    I assume you have applied the latest kernel patch and 108993 to this Solaris 8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as on the other Solaris 8 LDAP clients that are working for ssh via LDAP auth.
    1) Please replace "objectClass: account" with "objectClass: person"; I know SUN ONE DS5.2 likes "person".
    2) Did you test and verify telnet/ftp/su working, but SSH not working?
    3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH) did not, make sure you have "UsePAM yes" in sshd_config and restart sshd.
    4) It is not a must I think, but normally I will add "shadow: files ldap" to /etc/nsswitch.conf and restart nscd after that.
    5) Whenever the ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that; if not, the testing result may not be accurate, as nscd is still remembering OLD cached stuff, which could be very misleading.
    6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
    7) Use the sample pam.conf that is meant for pam_ldap from the Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me; there are no sshd definitions as it will follow "other".
    http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
    Gary

  • SOAP Axis adapter_Encryption via Client Certificate not working

    Dear Experts,
    Could anyone please share the steps to enable encryption via client certificate in the SOAP AXIS receiver adapter?
    I am able to do the same using the normal SOAP adapter, but with the AXIS framework the steps are not working.
    I have come across a few SDN links to configure the Axis framework for authentication using the wsse security standard, but this seems to be different as it requires a user and password, whereas with certificates we are not given any user/password.
    Please provide some valuable inputs.
    Thanks.

    Hi Shikha,
    see the -
    Advanced Usage Questions
        8. How can I configure a channel to use the encryption and ....
    of the FAQ attached to the note -
    1039369 - FAQ XI Axis Adapter
    Regards
    Kenny

  • Client authentication doesnt work between 1.0.3 and 1.4

    Hi!
    Has anyone else experienced the following problem?
    I programmed a client-server application using an SSL connection.
    It works well if client and server run on the same java version (JRE 1.3
    with JSSE 1.0.3 or JRE 1.4). It also works well when server is running on
    JRE 1.4 and client on 1.3 with 1.0.3.
    But when I run the client with JRE 1.4 and the server with JDK 1.3 and JSSE
    1.0.3 the connection fails with the following exception:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
    Studying the SSL debug output, it occurred to me that the client did not send
    its certificate as it was supposed to, because setNeedClientAuth was set
    to true.
    So I set NeedClientAuth to false and everything worked OK.
    Any ideas about how I can get client authentication working?
    If debug output is useful I will post it too.
    Thanks in advance.
    CU, Florian

    Hi!
    The described behaviour only shows up with Version 1.4.1 and 1.4.1_01. No problems with 1.4.0_03.
    Seems to be a bug in 1.4.1.
    CU, Florian

  • Client variables not working in Apache and CF8

    I have Apache and CF8 set up with multiple virtual hosts
    locally for development (Win XP Pro, Apache 2.2.4).
    Client variables are not working. I can log into CF
    Administrator fine (not sure if authentication uses client variables
    or not). Any site that I work on that uses client variables behaves
    as if the variable is not defined after setting it then going to
    another page that checks for its existence. I have verified that
    client variables are set up in cf administrator.
    Thanks for any help

    Thanks a lot. I understood the mistake. Pls do not spend time on this.
    Thanks,
    Swarna

  • 802.1x wireless authentication not working via RADIUS

    I've tried to implement 802.1x authentication in a Windows 2012 domain environment using Protected EAP authentication. I read through guide after guide and still I am unable to get it to work. I'm confident the server side and WLC config is all correct. I have run the command debug client d0:df:9a:f6:30:40, which is my test laptop, and I can see the WLC sending EAP-Request/Identity messages, but it seems it never gets a reply. I have attached a copy of the debug.
    Please can someone help me if possible?
    Laptop > AP > WLC > RADIUS SERVER

    Hmmm, peap. So PEAP requires the server be validated via a certificate trust. Did you download the WLC certificate and install it on the client (use self-signed cert), or did you install a new certificate on the WLC? In either case your client has to "trust" the Certificate Authority who signed the certificate used by the authentication device. If you use the self signed certificate you have to download the cert from the WLC and install on the client to validate the server, then the client is validated on the WLC with windows credentials or a saved username/password.
    Are you trying to do single sign-on? Is the client a member of the domain? Does the user belong to the domain? Did you do the certificate stuff above? If you need to test this without validating the server (JUST FOR TESTING PURPOSES) you can go under the WLAN profile on the client, choose security, settings and uncheck validate server certificate. Then on user credentials verify you are using the correct client credentials on the client and try again.
    If this works, the certificate is the issue; you can troubleshoot from there. You DO NOT WANT TO LEAVE validate server certificate unchecked as that can create a BIG SECURITY HOLE. Just based on your description I am leaning towards a cert issue. If you can provide more details, that would be great: screenshots of your client EAP-PEAP setup, and a screenshot of the Windows cert store showing trusted root certification authorities with the trusted CA your WLC is using.
    Do you ever see logs on the AD server with login attempts? If not, the client is not able to verify the WLC's certificate and therefore won't send credentials.
    LDAP configuration is pretty straightforward. If you just want to test this for the first time and are having issues with just getting a PEAP client to work, you can attempt with a LOCAL EAP user on the WLC to verify the client and WLC are correct, then add the LDAP server as Authentication Source; just ensure your server priorities are correct if you do this.
    Hopefully this helps
    ~Please rate useful post~

  • Cisco 1841 as PPTP client Does not work

    Dear All,
    I have a Cisco 1841 router running the below roles:
    1) SSL VPN Server
    2) PPTP Server
    3) Site to Site Connection with Sonicwall router
    I want the router to be configured as a PPTP client to an internet VPN server (so that I will get a fixed public IP).
    Once I get this IP address I want to use this connection to accept incoming connections and forward ports to an internal host.
    I went through the below:
    http://www.mreji.eu/content/cisco-router-pptp-client
    https://supportforums.cisco.com/thread/2167562
    But it does not work, as I do not have the option for the below 2 commands in the vpdn-group 2 section. (Please see section in blue)
    protocol pptp
      rotary-group 4
    Please Advise and Help
    Regards
    Hasan Reza
    My Current Config is as below
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.06.09 17:55:23 =~=~=~=~=~=~=~=~=~=~=~=
    exit
    Gateway#show run |      
    Building configuration...
    Current configuration : 25109 bytes
    ! Last configuration change at 13:33:57 UTC Sun Jun 9 2013 by admin
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Gateway
    boot-start-marker
    boot system flash c1841-advsecurityk9-mz.151-2.T1.bin
    boot-end-marker
    logging buffered 4096
    no logging console
    enable secret 5 $1$SciF$TlX1tR5qaG9ZE7pdZHcRJ/
    no aaa new-model
    dot11 syslog
    ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.236.5.1 10.236.5.20
    ip dhcp excluded-address 10.236.5.21 10.236.5.50
    ip dhcp excluded-address 172.21.51.2 172.21.51.50
    ip dhcp pool ContosoPool
       network 10.236.5.0 255.255.255.0
       default-router 10.236.5.254
       dns-server 213.42.20.20 195.229.241.222
    ip dhcp pool DMZ
       network 172.21.51.0 255.255.255.0
       dns-server 172.21.51.10
       default-router 172.21.51.1
       domain-name contoso.local
    ip cef
    ip domain name contoso.local
    ip name-server 213.42.20.20
    ip name-server 195.229.241.22
    ip name-server 195.229.241.222
    ip ddns update method dyndns
    HTTP
      add http://xxxxxx:yyyyy@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
      remove http://xxxxxx:yyyyy@@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
    interval maximum 0 1 0 0
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 2
    request-dialin
      protocol l2tp
    initiate-to ip 173.195.0.42
    vpdn-group RAS-VPN
    ! Default PPTP VPDN group
    accept-dialin
      protocol pptp
      virtual-template 1
    l2tp tunnel timeout no-session 15
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP.StartSSL.CA
    enrollment terminal pem
    revocation-check none
    crypto pki trustpoint TP.StartSSL-vpn
    enrollment terminal pem
    usage ssl-server
    serial-number none
    fqdn ssl.spktelecom.com
    ip-address none
    revocation-check crl
    rsakeypair RSA.StartSSL-vpn
    crypto pki trustpoint TP-self-signed-1981248591
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1981248591
    revocation-check none
    rsakeypair TP-self-signed-1981248591
    crypto pki trustpoint VMWare
    enrollment terminal
    revocation-check crl
    crypto pki trustpoint OWA
    enrollment terminal pem
    revocation-check crl
    crypto pki certificate chain TP.StartSSL.CA
    certificate ca 01
      (removed the certificate info for clarity)
       quit
    crypto pki certificate chain TP.StartSSL-vpn
    certificate 0936E1
        (removed the certificate info for clarity)
       quit
    certificate ca 18
      (removed the certificate info for clarity)
       quit
    crypto pki certificate chain TP-self-signed-1981248591
    certificate self-signed 01
        (removed the certificate info for clarity)
       quit
    crypto pki certificate chain VMWare
    certificate ca 008EDCE6DBCE6B
        (removed the certificate info for clarity)
       quit
    crypto pki certificate chain OWA
       (removed the certificate info for clarity)
    license udi pid CISCO1841 sn FCZ122191TW
    archive
    log config
      hidekeys
    username admin privilege 15 password 7 1304131F02023B7B7977
    username ali password 7 06070328
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 84000
    crypto isakmp key admin_123 address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 10
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
    crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
    crypto dynamic-map mydyn 10
    set transform-set strongsha
    crypto map Dxb-Auh 1000 ipsec-isakmp dynamic XXXXXXXXXX
    interface FastEthernet0/0
    description Internal Network (Protected Interface)
    ip address 10.236.5.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface ATM0/0/0
    no ip address
    shutdown
    no atm ilmi-keepalive
    interface BRI0/1/0
    no ip address
    encapsulation hdlc
    shutdown
    interface Virtual-Template1
    ip unnumbered Dialer1
    peer default ip address dhcp-pool ContosoPool
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2 eap
    interface Dialer1
    ip ddns update hostname XXXXXXX.dyndns.org
    ip ddns update dyndns
    ip address negotiated
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1450
    dialer pool 1
    ppp pap sent-username vermam password 7 13044E155E0913323B
    crypto map Dxb-Auh
    interface Dialer2
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer in-band
    dialer idle-timeout 0
    dialer string 123
    dialer vpdn
    dialer-group 2
    ppp pfc local request
    ppp pfc remote apply
    ppp encrypt mppe auto
    ppp authentication ms-chap ms-chap-v2 callin
    ppp eap refuse
    ppp chap hostname hasanreza
    ppp chap password 7 070E2541470726544541
    interface Dialer995
    no ip address
    ip local pool webssl 10.236.6.10 10.236.6.30
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip nat inside source list nat interface Dialer1 overload
    ip nat inside source static tcp 10.236.5.12 25 interface Dialer1 25
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 172.21.51.0 255.255.255.0 10.236.5.253
    ip access-list extended internal
    permit ip any 10.236.5.0 0.0.0.255
    ip access-list extended nat
    deny   ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
    deny   ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
    permit ip 10.236.5.0 0.0.0.255 any
    ip access-list extended nonat
    permit ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
    permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
    ip access-list extended sslacl
    ip access-list extended webvpn
    permit tcp any any eq 443
    logging esm config
    access-list 101 permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    login local
    transport preferred ssh
    transport input telnet ssh
    line vty 5 15
    exec-timeout 0 0
    login local
    transport preferred ssh
    transport input telnet ssh
    scheduler allocate 20000 1000
    webvpn gateway gateway1
    ip interface Dialer1 port 443
    ssl encryption rc4-md5
    ssl trustpoint TP.StartSSL-vpn
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context webvpn
    ssl authenticate verify all
    url-list "Webservers"
       heading "SimpleIT Technologies NBNS Servers"
       url-text "Google" url-value "www.google.com"
       url-text "Mainframe" url-value "10.236.5.2"
       url-text "Mainframe2" url-value "https://10.236.5.2"
    nbns-list "ContosoServer"
       nbns-server 10.236.5.10
       nbns-server 10.236.5.11
       nbns-server 10.236.5.12
    port-forward "PortForwarding"
       local-port 3389 remote-server "10.236.5.10" remote-port 3389 description "Server-DC01"
    policy group policy1
       url-list "Webservers"
       port-forward "PortForwarding"
       nbns-list "ContosoServer"
       functions file-access
       functions file-browse
       functions file-entry
       functions svc-enabled
       svc address-pool "webssl"
       svc default-domain "Contoso.Local"
       svc keep-client-installed
       svc split include 10.236.5.0 255.255.255.0
       svc split include 10.236.6.0 255.255.255.0
       svc split include 172.31.1.0 255.255.255.0
       svc split include 172.21.51.0 255.255.255.0
       svc dns-server primary 172.21.51.10
    default-group-policy policy1
    gateway gateway1
    inservice
    end
    Gateway#          


  • X.509 client certificate not working through Reverse proxy

    Dear expert,
    We are working on Fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, the intranet scenario for X.509 authentication is working fine but internet is not; we get the error message "Base64 decoding of certificate failed". For the landscape, the only difference between internet and intranet is that we have an Apache reverse proxy in the DMZ. We are using Gateway as the front-end server, and Business Suite and HANA in the back end.
    As X.509 authentication works fine under the intranet scenario, we assume that the X.509 configuration for both front-end and back-end is correct. With that assumption, the issue would exist in the reverse proxy. We are using Apache 2.4.7 with OpenSSL 1.0.1e, but we have upgraded OpenSSL to the latest version 1.0.1h for SSL certificate generation. Below is the Apache configuration for X.509.
    Listen 1081
    <VirtualHost *:1081>
    SSLEngine on
    SSLCertificateFile  "D:/Apache24/conf/server.cer"
    SSLCertificateKeyFile  "D:/Apache24/conf/server.key"
    SSLCertificateChainFile  "D:/Apache24/conf/server-ca.cer"
    SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
    SSLVerifyClient optional
    SSLVerifyDepth  10
    SSLProxyEngine On
    SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
    SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
    AllowEncodedSlashes On
    ProxyPreserveHost on
    RequestHeader unset Accept-Encoding
    <Proxy *>
         AddDefaultCharset Off
         SSLRequireSSL
         Order deny,allow
         Allow from all
    </Proxy>
    RequestHeader set ClientProtocol https
    RequestHeader set x-sap-webdisp-ap HTTPS=1081
    RequestHeader set SSL_CLIENT_CERT  ""
    RequestHeader set SSL_CLIENT_S_DN  ""
    RequestHeader set SSL_CLIENT_I_DN  ""
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    ProxyPass / https://ldcinxd.wdf.sap.corp:1081/  nocanon Keepalive=on
    proxyPassReverse /  https://ldcinxd.wdf.sap.corp:1081/
    We are out of ideas on how to resolve this issue. Please kindly help if you have any idea on it.
    thanks,
    Best regards,
    Xian'an
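The three SSL_CLIENT_* headers in the configuration above are filled from mod_ssl variables. SSL_CLIENT_CERT is a PEM block with line breaks, which an HTTP header line cannot carry as-is, while the receiving side must base64-decode whatever value arrives (the error quoted above is that decode failing). The following is an added example, not code from the post, Apache or SAP: it converts a PEM block to a single-line base64 value, checks that a header value decodes to one complete DER SEQUENCE, and confirms that the proxy clears each forwarded header before setting it, so a client cannot inject its own. The sample certificate bytes are a constructed DER stub, not a real X.509 certificate.

```python
"""Check the form of a client certificate forwarded in an HTTP header, and that
the proxy clears client-supplied copies of that header before setting its own."""

import base64
import binascii
import re

# Constructed stand-in for a certificate: a minimal DER SEQUENCE (not a real
# X.509 certificate), used only so the example runs offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def make_pem(der, width=64):
    """Wrap DER bytes in PEM armour the way mod_ssl's SSL_CLIENT_CERT is formatted."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_header_value(pem):
    """Strip the armour and every line break: one base64 string, safe for a header."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def check_header_value(value):
    """Return (ok, reason).  Mirrors what a back end must do with the header:
    strict base64 decode, then confirm the bytes form one complete DER SEQUENCE."""
    if "-----" in value:
        return False, "PEM armour present"
    if any(ch.isspace() for ch in value):
        return False, "whitespace or line breaks present"
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"base64 decoding failed: {exc}"
    if len(der) < 2 or der[0] != 0x30:
        return False, "not a DER SEQUENCE"
    first = der[1]
    if first < 0x80:                       # short-form length
        total = 2 + first
    else:                                  # long-form length: n length bytes follow
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False, "bad DER length"
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if total != len(der):
        return False, f"DER length {total} does not match {len(der)} bytes"
    return True, "ok"


HEADER_RE = re.compile(r'^\s*RequestHeader\s+(set|unset)\s+(\S+)(?:\s+"?([^"]*)"?)?', re.I)


def forwarded_headers_are_reset(config):
    """For every header the proxy fills from %{SSL_...}s, report whether it was
    cleared (unset, or set to "") earlier in the config.  Without that reset a
    client that connects without a certificate could supply the header itself."""
    cleared = set()
    status = {}
    for line in config.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        action = m.group(1).lower()
        name = m.group(2).upper()
        value = (m.group(3) or "").strip()
        if action == "unset" or (action == "set" and value == ""):
            cleared.add(name)
        elif action == "set" and "%{SSL_" in value:
            status[name] = name in cleared
    return status


# Constructed excerpt of the RequestHeader lines from the configuration above.
PROXY_CONFIG = """\
RequestHeader unset Accept-Encoding
RequestHeader set ClientProtocol https
RequestHeader set SSL_CLIENT_CERT  ""
RequestHeader set SSL_CLIENT_S_DN  ""
RequestHeader set SSL_CLIENT_I_DN  ""
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
"""

if __name__ == "__main__":
    pem = make_pem(SAMPLE_DER)
    print("raw PEM in header:", check_header_value(pem))
    print("single-line base64:", check_header_value(pem_to_header_value(pem)))
    print("header reset check:", forwarded_headers_are_reset(PROXY_CONFIG))
```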

    Hi Samuli,
    Really thanks for your reply.
    Yes, we have tried your suggestion above in the apache configure file above, but when testing the HANA service, we got error message "Certificate could not be authenticated".
    Yes, Web Dispatcher makes the X.509 authentication much easier, as under the intranet scenario there is no DMZ between the browser and Web Dispatcher. The client certificate passes through Web Dispatcher directly and it works perfectly this way. Not sure why it doesn't work through the Apache reverse proxy.
    Best regards,
    Xian'an

  • Multiple Exchange accounts and client certificates not working...?

    Hi all,
    I have a problem with my company iPads. I'm trying to configure 2 Exchange accounts with certificate-based authentication on my iPad with the iPhone Configuration Utility. For that I have created 2 client certificates.
    When I configure just 1 mailbox, no matter which one of the 2, with the iPhone config util, it all works OK with client authentication.
    When I configure 2 mailboxes on the iPad without client certificate authentication, it all works OK.
    When I configure 2 mailboxes with the 2 client certificates with the iPhone config util, both Exchange accounts have the same mailbox. When I configure, for example, the mailboxes Jim and Harry with the corresponding certificates and load it onto the iPad, the Exchange account of Jim has Jim's mailbox, but the Exchange account of Harry also has the mailbox of Jim. And sometimes it is vice versa.....
    Can anybody help me with this? We are using 4th gen iPads with MS Exchange ActiveSync 2003 SP2 and MS Forefront TMG with Kerberos delegation.
    Please advise.
    Cheers,
    Eddy

    Hi Eddy,
    I have the feeling that the SSL connection, after being established, is only using the first authenticated certificate to connect to the Exchange server.
    Have you had a look at this Microsoft page:
    http://technet.microsoft.com/en-us/magazine/ff472472.aspx
    Are you able to test 2 accounts on one iPad in a test environment, preferably with SSL inspection off?
    Do you have any information in the Forefront logs of the users being authenticated from the iPad? Or is one user authenticated twice?
    Cheers,
    IhalpU

  • Wireless with PEAP Authentication not working using new NPS server

    All,
    We are planning to migrate from our old IAS server to a new NPS server. We are testing the new NPS server with our wireless infrastructure using WISM. We are using PEAP with a server cert for authentication. For testing purposes we are doing user authentication, but our goal is to do machine authentication. On the client side we are using Windows XP, Windows 7 and iPads.
    I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
    But it is not working for me. I am getting the following error message on the NPS server.
    Error # 1
    =======
    Cryptographic operation.
    Subject:
      Security ID: SYSTEM
      Account Name: MADXXX
      Account Domain: AD
      Logon ID: 0x3e7
    Cryptographic Parameters:
      Provider Name: Microsoft Software Key Storage Provider
      Algorithm Name: RSA
      Key Name: XXX-Wireless-NPS
      Key Type: Machine key.
    Cryptographic Operation:
      Operation: Decrypt.
      Return Code: 0x80090010
    Error # 2
    ======
    An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    I was wondering if anyone has any insight on what is going on.
    Thanks, Ds

    Scott,
    I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
    I disabled Validate Certificate on Windows 7 and tried to authenticate; it is still failing. Here is the output from the event viewer:
    Cryptographic operation.
    Subject:
    Security ID: SYSTEM
    Account Name: MADHFSVNPSPI01$
    Account Domain: AD
    Logon ID: 0x3e7
    Cryptographic Parameters:
    Provider Name: Microsoft Software Key Storage Provider
    Algorithm Name: RSA
    Key Name: DOT-Wireless-NPS
    Key Type: Machine key.
    Cryptographic Operation:
    Operation: Decrypt.
    Return Code: 0x80090010
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: AD\mscdzs
    Account Name: AD\mscdzs
    Account Domain: AD
    Fully Qualified Account Name: AD\mscdzs
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 64-ae-0c-00-de-f0:DOT
    Calling Station Identifier: a0-88-b4-e2-79-cc
    NAS:
    NAS IPv4 Address: 130.47.128.7
    NAS IPv6 Address: -
    NAS Identifier: WISM2B
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 29
    RADIUS Client:
    Client Friendly Name: WISM2B
    Client IP Address: 130.47.128.7
    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 23
    Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Attached are EAP logs & debug logs from the controller.
    Thanks for all the help. I really appreciate it.

  • Email client will not work

    My mail client on my new iPad works fine with my .mac address, but will not work with my Network Solutions email. I keep getting the message "the mail server is not responding." It works fine on my iPhone and iMac.

    These are the settings. Note particularly the requirement for SSL.
    IMAP information for the incoming mail server
    Server name: imap.mail.me.com
    SSL Required: Yes
    If you receive errors when using SSL, try using TLS instead.
    Port: 993
    Username: The name part of your iCloud email address (for example, emilyparker, not [email protected])
    Password: Your iCloud password
    SMTP information for the outgoing mail server
    Server name: smtp.mail.me.com
    SSL Required: Yes
    If you receive errors when using SSL, try using TLS or STARTTLS instead.
    Port: 587
    SMTP Authentication Required: Yes
    Username: Your full iCloud email address (for example, [email protected], not emilyparker)
    Password: Your iCloud password

  • Connect a Client Computer Not Working At All

    I have a new Windows 7 clean install with updates that is not able to connect to SBS 2011 at all.
    In the past (about 2 years ago) I ran into the same problem and by following the simple steps outlined here - http://blog.ronnypot.nl/?p=594 - it worked no problem. Now it does not help at all.
    For a test, I took a spare machine and did a clean install of SBS 2011, applied the updates (except NET 4.5.1). When I tried to connect the new Windows 7 machine to the new SBS 2011 machine - this also has failed.

    Server's ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : BLAH-1
       Primary Dns Suffix  . . . . . . . : BLAH.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : BLAH.local
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : BLAH.local
       Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
       Physical Address. . . . . . . . . : REMOVED
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : REMOVED (Preferred)
       Link-local IPv6 Address . . . . . : REMOVED (Preferred)
       Link-local IPv6 Address . . . . . : REMOVED (Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : REMOVED
                                           192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : REMOVED
       DHCPv6 Client DUID. . . . . . . . : REMOVED
       DNS Servers . . . . . . . . . . . : REMOVED
                                           192.168.1.12
       NetBIOS over Tcpip. . . . . . . . : Enabled
       Connection-specific DNS Suffix Search List :
                                           BLAH.local
    Tunnel adapter isatap.{REMOVED}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : BLAH.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Workstation's ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : BLAH-1
       Primary Dns Suffix  . . . . . . . : BLAH.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : BLAH.local
    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . : aspa2.local
       Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
       Physical Address. . . . . . . . . : REMOVED
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : REMOVED (Preferred)
       Link-local IPv6 Address . . . . . : REMOVED (Preferred)
       Link-local IPv6 Address . . . . . : REMOVED (Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : REMOVED
                                           192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : REMOVED
       DHCPv6 Client DUID. . . . . . . . : REMOVED
       DNS Servers . . . . . . . . . . . : REMOVED
                                           192.168.1.12
       NetBIOS over Tcpip. . . . . . . . : Enabled
       Connection-specific DNS Suffix Search List :
                                           BLAH.local
    Tunnel adapter isatap.{REMOVED}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : BLAH.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    HCI3 - I tried the steps you have listed and it did not work.
