Client authentication with apache+mod_ssl+tomcat
Hello.
My question is a little bit off topic.
I try to read client certificates with request.getAttribute("javax.servlet.request.X509Certificate"), but the result is always null.
Probably it's null because I have nothing on the session. So my tomcat does not have the certificate. I use apache + mod_ssl + mod_jk + tomcat.
And here is my question: how did you configure apache and tomcat so that tomcat has the client cert?
Thanks.
Usually you generate a keystore for the client, and mention that in your SSL connector of tomcat.
In apache, we need to configure things in ssl.conf.
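This added example (not code from the thread) is a Tomcat filter that reads the chain mod_jk forwards over AJP and refuses the request when none arrived; it assumes Apache's ssl.conf has `SSLVerifyClient require` and `SSLOptions +ExportCertData`, that `JkExtractSSL` is on (its default), and that the AJP port is reachable only from Apache, because Tomcat trusts whatever chain that port delivers.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: rejects requests for which the container holds no client certificate chain.
public class ClientCertFilter implements Filter {

    // Servlet-spec attribute; Tomcat's AJP connector fills it from the chain mod_jk forwards
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) resp;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // null here means no chain reached Tomcat: mod_ssl did not require/export it, or mod_jk did not forward it
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // Apache already validated the chain against its CA list (SSLVerifyClient require);
        // re-check the validity window here so a forwarded but expired certificate is still refused
        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid: " + e.getMessage());
            return;
        }

        // Expose the authenticated identity to downstream servlets (RFC 2253 form of the subject DN)
        req.setAttribute("clientSubjectDn", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, resp);
    }
}
```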
Similar Messages
-
Kerberos authentication with Apache Kerberos Module
Hi,
Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers, over the socket connection e.g.
GET: http://www.myhost.com/protected_page.html
HOST: www.myhost.com
AUTHENTICATE: negotiate XXXXX
However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
Can anyone tell me how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPNEGO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
Thanks for any help or advice,
Neil.
Here are your options:
1) Configure Krb5LoginModule programmatically.
If the environment variable KRB5CC_NAME points to the ticket cache location,
(which is updated each time), you can configure the Krb5LoginModule
programmatically and set the "ticketCache" option to the value obtained
from KRB5CC_NAME.
Refer to following docs for details:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
2) Use native Kerberos from the platform
Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO,
you will not be able to use this option.
For details refer to following docs:
http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
Seema -
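Option 1 above, worked through as an added example (not Seema's or Neil's code): a programmatic Krb5LoginModule configuration pointing at the cache named by KRB5CCNAME, then a GSS context whose first token, base64-encoded, is what a browser sends as `Authorization: Negotiate <token>` (RFC 4559). It assumes a current JDK (SPNEGO in JGSS, java.util.Base64), a krb5.conf the JVM can find, and a service principal `HTTP/<host>` registered at the KDC.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical helper: produces the token for an "Authorization: Negotiate <token>" request header.
public class NegotiateToken {

    // Programmatic JAAS configuration (option 1 in the reply above): no login.config file needed
    static final class TicketCacheConfig extends Configuration {
        private final String ticketCache;   // may be null: Krb5LoginModule then uses the platform default cache

        TicketCacheConfig(String ticketCache) { this.ticketCache = ticketCache; }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "true");
            opts.put("doNotPrompt", "true");   // never fall back to asking for a password
            if (ticketCache != null) {
                opts.put("ticketCache", ticketCache);
            }
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Reads KRB5CCNAME, stripping the optional "FILE:" prefix, as the ticketCache option expects a path. */
    static String ticketCacheFromEnv() {
        String cache = System.getenv("KRB5CCNAME");
        if (cache != null && cache.startsWith("FILE:")) {
            cache = cache.substring("FILE:".length());
        }
        return cache;
    }

    /** Logs in from the ticket cache and returns the base64 SPNEGO token for the HTTP service on host. */
    public static String forHost(String host) throws LoginException, PrivilegedActionException {
        LoginContext lc = new LoginContext("client", null, null, new TicketCacheConfig(ticketCacheFromEnv()));
        lc.login();
        Subject subject = lc.getSubject();

        // GSS calls must run as the logged-in Subject so they can see its Kerberos credentials
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");   // SPNEGO mechanism OID
            GSSName service = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(service, spnego, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);   // ask the server to prove itself in its reply token
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            // For mutual auth, feed the token from the server's WWW-Authenticate reply back through initSecContext
            return Base64.getEncoder().encodeToString(token);
        });
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "www.myhost.com";
        System.out.println("Authorization: Negotiate " + forHost(host));
    }
}
```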
Apache SSL Client Authentication with Windows Mobile
The biggest question I have here is if anyone has actually made this work. I would think this would be pretty standard...
On our HTTP server I have protected folders setup with Certificate Based Client Authentication. Each folder requires a unique client certificate.
This works perfectly with IE & Firefox running on PCs.
The problem I have is trying to authenticate a Windows Mobile Device.
I can authenticate the CA certificate but nothing in the client certificate.
In ssl.conf I have the following parameters for each folder:
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Our Organization"
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "User Division Level"
SSLRequire %{SSL_CLIENT_S_DN_OU} eq "User Level"
The only parameter that Apache is able to validate from the device is DN_O and that is coming from the CA certificate.
DN_CN & DN_OU are contained in the user certificate but it is not able to validate those.
Anyone have any ideas on this?
Edited by: Alan3 on Nov 20, 2008 2:15 PM
Bump.
Is anyone out there using Win Mobile devices with Oracle HTTP server? -
Right problem with apache and tomcat
Hello;
I use a user login "apache" to stop/start Apache and tomcat, because I never launch apache and tomcat as root.
But I have the following problem with apache (file error.log) :
[Tue May 6 17:26:22 2003] [error] Connection "warpConnection" cannot connect
[Tue May 6 17:26:22 2003] [error] Cannot open connection "warpConnection"
[Tue May 6 17:27:01 2003] [error] Re-Trying to deploy connections
As root the error msg doesn't exist (lost)
Best regards;
A+;
Run it from the shell to see what's wrong:
# httpd -
TLP client configuration with Apache
Can someone help out with configuring a TLP client and server to send SUN explorer output from client to server through Apache.
I'm getting closer, I finally got the connector to install
with the following command line, and a 1.4 version of the JDK installed:
C:\jdk1.4.2_13\bin\java -Dtrace.ci=1 -jar wsconfig.jar -server coldfusion -ws apache -dir C:\Apache\conf -bin C:\Apache\bin\httpd.exe -coldfusion -v
That was a lot of work for something that should be easy, I
hope Adobe corrects this problem in their installer soon, or at
least provides steps that are a little more clear for WinXP users. -
SOAP sender adapter with client authentication
Hi,
Can you please tell me the steps to be followed to configure a SOAP sender adapter for HTTPS with client authentication.
Thanks
Hello,
Check out this SAP NOTE
[Note 891877 - Message-specific configuration of HTTP-Security|https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=891877]
Check out below blog for step by step process.
/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
Hope this will help.
Nilesh
Edited by: Nilesh Kshirsagar on May 28, 2009 11:31 AM -
Problem sending data with HTTPS using client authentication.
Hi,
I'm trying to send a message to a secure server using a client certificate for this; apparently if I make a GET of "/" (server root), everything works fine (authentication, and data received), but from the moment that I try to send data to the "/pvtn" directory I obtain the following error.
This is a sample of the code I'm using:
import com.sun.net.ssl.KeyManagerFactory;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.Socket;
import java.security.*;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Date;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.cert.*;
import javax.security.cert.X509Certificate;

public class Test {
    public static final String TARGET_HTTPS_SERVER = "mymachine.mydomain.pt";
    public static final int TARGET_HTTPS_PORT = 443;

    public static void main(String[] args) throws Exception {
        // Trust store (server CA) and key store (client certificate + private key) given as system properties
        System.setProperty("javax.net.ssl.trustStore", "/certificados/truststore.txt");
        System.setProperty("javax.net.ssl.trustStorePassword", "trustpwd");
        System.setProperty("javax.net.ssl.keyStore", "/certificados/truststore.txt");
        System.setProperty("javax.net.ssl.keyStorePassword", "trustpwd");
        java.security.Security.removeProvider("SunJSSE");
        java.security.Security.insertProviderAt(new com.sun.net.ssl.internal.ssl.Provider(), 2);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");

        // Socket
        SSLSocket jsslSoc = (SSLSocket) SSLSocketFactory.getDefault().createSocket(TARGET_HTTPS_SERVER, TARGET_HTTPS_PORT);
        String[] ciphers = jsslSoc.getSupportedCipherSuites();
        //// Select the ciphers you want and put them.
        //// Here we will put all available ciphers
        jsslSoc.setEnabledCipherSuites(ciphers);
        //// We are creating socket in client mode
        jsslSoc.setUseClientMode(true);
        //// Do SSL handshake
        jsslSoc.startHandshake();

        // Print negotiated cipher
        System.out.println("Negotiated Cipher Suite: " + jsslSoc.getSession().getCipherSuite());
        System.out.println("");

        // Server certificate chain as seen after the handshake
        X509Certificate[] peerCerts = jsslSoc.getSession().getPeerCertificateChain();
        if (peerCerts != null) {
            System.out.println("Printing server information:");
            for (int i = 0; i < peerCerts.length; i++) {
                System.out.println("Peer Certificate [" + i + "] Information:");
                System.out.println("- Subject: " + peerCerts[i].getSubjectDN().getName());
                System.out.println("- Issuer: " + peerCerts[i].getIssuerDN().getName());
                System.out.println("- Version: " + peerCerts[i].getVersion());
                System.out.println("- Start Time: " + peerCerts[i].getNotBefore().toString());
                System.out.println("- End Time: " + peerCerts[i].getNotAfter().toString());
                System.out.println("- Signature Algorithm: " + peerCerts[i].getSigAlgName());
                System.out.println("- Serial Number: " + peerCerts[i].getSerialNumber());
            }
        } else {
            System.out.println("Failed to get peer certificates");
        }

        try {
            Writer out = new OutputStreamWriter(jsslSoc.getOutputStream(), "ISO-8859-1");
            // THIS WAY WORKS FINE
            out.write("GET / HTTP/1.1\r\n");
            // HERE COMES THE TROUBLES
            //out.write("GET /pvtn?someparameter=paramvalue HTTP/1.1\r\n");
            out.write("Host: " + TARGET_HTTPS_SERVER + ":" + TARGET_HTTPS_PORT + "\r\n");
            out.write("Proxy-Connection: Keep-Alive\r\n");
            out.write("User-Agent: SSL-TEST \r\n");
            out.write("\r\n");
            out.flush();

            // Echo the response line by line until the server closes the connection
            BufferedReader in = new BufferedReader(new InputStreamReader(jsslSoc.getInputStream(), "ISO-8859-1"));
            String line = null;
            while ((line = in.readLine()) != null) {
                System.out.println(line);
            }
        } finally {
            jsslSoc.close();
        }
    }
}
the ssl log until sending the GET is
main, WRITE: SSL v3.1 Handshake, length = 36
main, READ: SSL v3.1 Change Cipher Spec, length = 1
main, READ: SSL v3.1 Handshake, length = 36
Plaintext after DECRYPTION: len = 36
0000: 14 00 00 0C 71 AB 40 CC 6C 33 92 05 E9 69 4B 8F [email protected].
0010: D1 77 3F 6E 3C DB F0 A0 B7 9C CF 49 B6 6D C8 17 .w?n<......I.m..
0020: 7E 03 52 14 ..R.
*** Finished, v3.1
verify_data: { 113, 171, 64, 204, 108, 51, 146, 5, 233, 105, 75, 143 }
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
[read] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 71 AB 40 CC 6C 33 92 05 E9 69 4B 8F [email protected].
Negotiated Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
When I send the GET
Plaintext before ENCRYPTION: len = 247
0000: 47 45 54 20 2F 70 76 74 6E 3F 41 30 33 30 3D 4D GET /pvtn?A030=M
main, WRITE: SSL v3.1 Application Data, length = 247
main, READ: SSL v3.1 Handshake, length = 24
Plaintext after DECRYPTION: len = 24
*** HelloRequest (empty)
%% Client cached [Session-1, SSL_RSA_WITH_RC4_128_SHA]
%% Try resuming [Session-1, SSL_RSA_WITH_RC4_128_SHA] from port 3535
*** ClientHello, v3.1
RandomCookie: GMT: 1131988975 bytes = { 45, 113, 241, 212, 81, 255, 244, 169, 74, 41, 160, 227, 197, 210, 155, 211, 47, 237, 18, 179, 238, 47, 28, 86, 30, 253, 157, 253 }
Session ID: {208, 18, 243, 174, 216, 156, 80, 201, 121, 136, 63, 162, 31, 196, 186, 95, 193, 143, 238, 172, 173, 79, 64, 219, 17, 149, 14, 138, 53, 95, 18, 96}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17, 0, 2, 0, 1, 0, 24, 0, 26, 0, 27, 0, 23, 0, 25 }
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 105
Plaintext before ENCRYPTION: len = 125
main, WRITE: SSL v3.1 Handshake, length = 125
main, READ: SSL v3.1 Handshake, length = 94
Plaintext after DECRYPTION: len = 94
*** ServerHello, v3.1
RandomCookie: GMT: 1131991620 bytes = { 205, 194, 212, 113, 37, 213, 41, 13, 60, 142, 135, 68, 17, 78, 227, 251, 176, 211, 133, 203, 153, 173, 153, 195, 93, 7, 87, 123 }
Session ID: {108, 85, 45, 208, 104, 124, 209, 24, 247, 113, 156, 134, 28, 154, 75, 198, 64, 181, 167, 9, 149, 223, 162, 21, 225, 32, 168, 31, 190, 48, 241, 195}
Cipher Suite: { 0, 5 }
Compression Method: 0
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_SHA]
** SSL_RSA_WITH_RC4_128_SHA
[read] MD5 and SHA1 hashes: len = 74
main, READ: SSL v3.1 Handshake, length = 3154
Plaintext after DECRYPTION: len = 3154
*** Certificate chain
stop on trusted cert: [
Version: V1
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Algorithm: [MD5withRSA]
Signature:
[read] MD5 and SHA1 hashes: len = 3134
main, READ: SSL v3.1 Handshake, length = 479
Plaintext after DECRYPTION: len = 479
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
[read] MD5 and SHA1 hashes: len = 455
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
Random Secret: { 3, 1, 19, 223, 230, 65, 59, 210, 10, 69, 239, 178, 185, 5, 52, 57, 44, 160, 163, 239, 85, 64, 173, 16, 132, 234, 33, 228, 0, 8, 134, 52, 20, 190, 196, 15, 205, 35, 169, 39, 14, 160, 143, 74, 210, 74, 43, 181 }
[write] MD5 and SHA1 hashes: len = 141
Plaintext before ENCRYPTION: len = 161
main, WRITE: SSL v3.1 Handshake, length = 161
SESSION KEYGEN:
PreMaster Secret:
.CONNECTION KEYGEN:
Client Nonce:
Server Nonce:
Master Secret:
Client MAC write Secret:
Server MAC write Secret:
Client write key:
Server write key:
0000: FE 94 DF 4C 1A 9F FA CE 0C E9 A6 DB 31 53 E5 FD ...L........1S..
... no IV for cipher
Plaintext before ENCRYPTION: len = 21
0000: 01 0D 16 E6 49 18 36 AF E1 52 9C 2F 72 EE CA DF ....I.6..R./r...
0010: 41 71 68 30 06 Aqh0.
main, WRITE: SSL v3.1 Change Cipher Spec, length = 21
*** Finished, v3.1
verify_data: { 243, 49, 247, 150, 113, 86, 182, 125, 244, 163, 245, 243 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C F3 31 F7 96 71 56 B6 7D F4 A3 F5 F3 .....1..qV......
Plaintext before ENCRYPTION: len = 36
0000: 14 00 00 0C F3 31 F7 96 71 56 B6 7D F4 A3 F5 F3 .....1..qV......
0010: 1A 7C 8F D9 51 CB 6F 47 2A 7C 90 81 20 EE 97 64 ....Q.oG*... ..d
0020: FF 47 35 CA .G5.
main, WRITE: SSL v3.1 Handshake, length = 36
main, SEND SSL v3.1 ALERT: warning, description = close_notify
Plaintext before ENCRYPTION: len = 22
0000: 01 00 F0 F4 AC 3C B2 DE 95 98 0E B4 ED B1 24 3B .....<........$;
0010: 54 6C 8B DC F3 1F Tl....
main, WRITE: SSL v3.1 Alert, length = 22
java.net.SocketException: Connection aborted by peer: socket write error
void java.net.SocketOutputStream.socketWrite(java.io.FileDescriptor, byte[], int, int)
native code
void java.net.SocketOutputStream.write(byte[], int, int)
SocketOutputStream.java:96
void com.sun.net.ssl.internal.ssl.OutputRecord.a(java.io.OutputStream)
void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.OutputRecord)
void com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush()
void com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(com.sun.net.ssl.internal.ssl.HandshakeMessage$Finished)
void com.sun.net.ssl.internal.ssl.ClientHandshaker.c()
void com.sun.net.ssl.internal.ssl.ClientHandshaker.a(com.sun.net.ssl.internal.ssl.SunJSSE_o)
void com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(byte, int)
void com.sun.net.ssl.internal.ssl.Handshaker.process_record(com.sun.net.ssl.internal.ssl.InputRecord)
void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.InputRecord, boolean)
void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.InputRecord)
int com.sun.net.ssl.internal.ssl.AppInputStream.read(byte[], int, int)
int java.io.InputStream.read(byte[])
InputStream.java:91
int java.io.InputStreamReader.fill(char[], int, int)
InputStreamReader.java:173
int java.io.InputStreamReader.read(char[], int, int)
InputStreamReader.java:249
void java.io.BufferedReader.fill()
BufferedReader.java:139
java.lang.String java.io.BufferedReader.readLine(boolean)
BufferedReader.java:299
java.lang.String java.io.BufferedReader.readLine()
BufferedReader.java:362
void Teste3.main(java.lang.String[])
Teste3.java:109
Exception in thread main
Debugger disconnected from local process.
Process exited with exit code 1.
One more thing: if I make the same request via browser (https://mymachine.mydomain.pt/pvtn?someparameter=somevalue) it works fine too (obviously I pre-installed the client certificate in the browser and chose the certificate when the pop-up showed up).
It seems like the handshaking fails when I send data to /pvtn...
Regards,
Paulo.
I am having another very similar problem: I am struggling with client authentication with IIS 5.0, and receiving the 'Remote Host closed the connection' error.
Is there any help for me in this? I truly appreciate it.
Thanks -
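In both Paulo's renegotiation trace above and Andy Zaidman's handshake_failure trace further down this page, the client answers the server's CertificateRequest with an empty "*** Certificate chain" (the ClientKeyExchange follows it directly). This added example (not either poster's code) builds the SSLContext from an explicit key store and trust store rather than system properties, and checks after the handshake whether a client certificate was actually presented; the file names, passwords and host are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical client: explicit key manager (client identity) plus trust manager (server CA).
public class ClientCertSocket {

    /** Builds an SSLContext that verifies the server via the trust store and presents the key store's certificate. */
    public static SSLContext buildContext(String keyStorePath, char[] keyStorePassword,
                                          String trustStorePath, char[] trustStorePassword) throws Exception {
        // Client identity: PKCS12 as exported by a browser or OpenSSL, holding private key + certificate chain
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);   // PKCS12 exports normally use one password for store and key

        // Trust anchors: the CA that signed the server certificate
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** After the handshake, returns the certificate this client sent, or null if the chain it sent was empty. */
    public static X509Certificate presentedClientCert(SSLSession session) {
        Certificate[] local = session.getLocalCertificates();
        if (local == null || local.length == 0) {
            return null;
        }
        return (X509Certificate) local[0];
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "mymachine.example";   // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLContext ctx = buildContext("client.p12", "changeit".toCharArray(),
                                      "truststore.jks", "changeit".toCharArray());
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            X509Certificate mine = presentedClientCert(sock.getSession());
            if (mine == null) {
                // Matches the empty "*** Certificate chain" in the debug logs: the key manager found no
                // private key whose certificate is issued by one of the CAs the server listed in CertificateRequest
                System.err.println("no client certificate was sent; check the key store against the server's CA list");
            } else {
                System.out.println("sent client certificate: " + mine.getSubjectX500Principal());
            }
        }
    }
}
```

The same key manager is reused when the server triggers a renegotiation with HelloRequest, so a chain that is sent on the first handshake is also sent on the second.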
Weird client-authentication behavior
I'm trying to enforce client-authentication. The client-certificate I'm using is one that is signed by my own CA created using OpenSSL. Naturally, the CA cert is in my server's truststore.
Anyway, I test client-authentication with Tomcat (clientAuth="true"), and it seems to work fine. Using the "s_client" command in Linux, I can see the client certificate being passed:
Acceptable client certificate CA names
/O=Smart Communcations, Inc./L=Makati/ST=Manila/C=PH
But when I try the same thing using Oracle (OC4J standalone), and passing the same client certificate, I see the following details using "s_client":
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Smart Communcations, Inc./L=Makati/ST=Manila/C=PH
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/[email protected]
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Code Signing Root
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/[email protected]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/[email protected]
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root 5
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/[email protected]
Which seems very wrong since it should not have those other CAs as part of the certificate chain. Anyone know what's going on here?
Thanks!
Liam
resolved.
-
SOAP Adapter (Client Authentication)
Hi Guys,
I am trying to follow this blog
How to use Client Authentication with SOAP Adapter
I am new to this security settings stuff; I hear that we have to maintain keys in visual admin and then later authenticate, and I am confused all around.
My Question
1) Who would provide the Key or certificate ?
2) Should we generate it and give it to the client, or is it given by the client?
3) Where to maintain these keys? I know it is in visual admin, but what are the steps and which place?
4) How to use this to get authenticated with the SOAP Sender Adapter?
Can anyone elaborate on this in detail and provide any more links on this?
thx in advance for help
with regards
Srini
HI
1. These will be provided by the Client or they can be downloaded from the website, and then the Basis Team or the System Administrator will do the needful for us.
2. It depends; if the client wishes to give it to us he will give it, or the Basis team will be helping us in this query.
Digital certificates
A digital certificate is an electronic "credit card" that establishes your credentials when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digital certificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users can look up other users' public keys.
Certificates are issued by a Certifying Authority (CA) for people or an organization. This is used to identify a unique person or unique organization.
Also look at these links
http://www.abanet.org/scitech/ec/isc/dsg-tutorial.html
http://mindprod.com/jgloss/certificate.html
Please go through these links and i am sure they will help you in some ways.
http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/content.htm
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/db3d8798-0701-0010-9781-8a6e925dd5da
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/092dddc6-0701-0010-268e-fd61f2035fdd
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2a56861-0601-0010-bba1-e37eb5d8d4a9
cheers
Edited by: vemuganti naga phalguna on Jul 2, 2008 1:00 PM -
HTTPS without client authentication
Hi Friends,
In SOAP adapter, we have three options for HTTP
HTTP without SSL
HTTP with SSL (= HTTPS) without client authentication
HTTP with SSL (= HTTPS) with client authentication
Please let me know if I use "HTTP with SSL (= HTTPS) without client authentication", is it Transport Layer Security or Message Level Security?
Please answer only if you are confident. No guess please!!!
Thanks,
Sandeep Maurya
Hi,
Please let me know if I use "HTTP with SSL (= HTTPS) without client authentication", is it Transport Layer Security or Message Level Security?
HTTPS is used to encrypt the traffic between the client and the Web server. SSL encrypt the segments of network connections at the Transport Layer end-to-end.
Don't get confused with the Client Authentication (with / without), as SSL is already being used in both the forms and the network is secured.
Regards,
Neetesh -
Hi Team,
I'm currently working on a configuration entailing WLC and ISE where the customer wants a single SSID, and wants his wireless clients to authenticate successfully if they pass a registry key compliance check. Additionally, they want clients to receive a different IP address or get mapped to a different DHCP scope based on the Microsoft AD group they belong to. For example:
Client authenticating with registry key and in AD group ABC that passes authentication gets IP address or subnet for AD group ABC.
Client authenticating with registry key and in AD group XXX that passes authentication gets IP address or subnet for AD group XXX.
Clients---->WLC------>ISE-----> MS AD ( groups ABC, XXXX, YYY )
currently using EAP-PEAP/MSCHAPv2
Does anyone have any idea or pointers or can refer me somewhere that I can read on how to accomplish this? Not sure on how to do the registry compliance check nor what attributes will allow me to map the client to a DHCP Scope based on this AD group membership?
Thanks...
Do check the Cisco how-to guides; you will get step by step configuration of the current requirement.
-
Outlook 2011 for Mac not authenticating with Exchange 2010
Hi,
We have an issue with our Mac Clients authenticating with our Exchange Server. We have Exchange 2010 Version 14.03.0174.001.
Outlook is saying the credentials are incorrect for the user when we know they work fine in OWA and in Outlook 2010.
It seems this is since we re-keyed our SSL certificate. I have changed the EWS directory to Basic Authentication and also re-created the EWS directory. I have also re-run all the SBS Wizards.
Is there anything else we can do to get this sorted?
Thanks
Hi Robert,
I found a KB for your reference:
Sending email error "Authentication failed. Error 17897" in Outlook 2011 for Mac
http://support.microsoft.com/kb/2492901
If it does not match yours, please paste the details without sensitive information.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
Tomcat repeatedly prompts for client authentication w/ IIS as web server
Team,
We have an IIS 6 / Tomcat configuration using the Apache supplied ISAPI redirector. The client application is an Applet that is using signed Jars.
The environment has been configured and communication is happening correctly between IIS and Tomcat, and the client applet is functioning properly.
Client Authentication (using Active Directory) is turned on in IIS and is authenticating Users correctly.
The only issue is that the Users are being prompted multiple times (throughout the same session) for their client authentication. The Applet communicates to the server through a single servlet.
This multiple prompting is unacceptable, because if a User does not notice that they have had their cert requested again (sometimes it pops up minimized, or they are working too fast so it ends up behind the applet), the communication to the servlet is severed and the User ends up with some very bad results.
My question is: How can I make Tomcat stop authenticating clients? We have ONLY allowed the AJP connector to be open, and have set "tomcatAuthenticate" to false so that the RemoteUser and Principal are passed correctly from IIS.
I have attempted "socket_keepalive" in the workers.properties file and even clientAuth=false on the AJP connector (which I believe is not a valid parameter).
Does anyone have an idea of what I should do next? I have not attempted to import my client certificate into Tomcat's keystore yet, and am hoping that that is not the solution.
From the info above I see you are trying to publish over HTTPS?
BUT the request doesn't seem to be for HTTPS.
Request: GET http://test.mm.com/
Filter information: Req ID: 11cb9306; Compression: client=Yes, server=No, compress rate=0% decompress
rate=0%
Protocol: http
Please try to access as https://yourdomainserver.com
let me know, how it goes, will be happy to help! -
HTTPS With Client Authentication
Hi,
I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
java.security.AccessControlException: client certificate required
In the the transaction scim the following can be seen:
[Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5061] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 5061] out: sssl_hdl = 1117534b0
[Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061] in: sssl_hdl = 1117534b0
[Thr 5061] in: cred_hdl = 116cfc110
[Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
[Thr 5061] SSL NI-sock: local=XX.XX.XX.XX:50001 peer=XX.XX.XX.XX:2310
[Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
[Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061] status = "resumed SSL session, NO client cert"
The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
Sender Communication Channel,
Transport Protocol: HTTP,
Message Protocol: Soap 1.1,
Adapter Engine: Central Adapter Engine,
HTTPS with Client Authentication,
Keep Headers
Any ideas?
Kind regards,
John
Hi Peter,
If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
All the best,
John -
Handshake failure with client authentication
Hi,
I am using the JDK1.4 beta 3 to accomplish the following: I want to request an HTML page on an Apache webserver configured with SSL and client-authentication. It works with Netscape and Internet Explorer (and also with the openssl s_client test program)...
But now I want to try it using Java... So, I wrote a very simple program based on some examples found on this forum... But I keep getting the following error (excerpt from the javax.net.debug=all output).
As you can see, the server requests a client certificate that's issued by the certificate authority mentioned...
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<[email protected], CN=Andy Zaidman, OU=stage, O=Kava's Certificate Authority, L=Antwerp, ST=Antwerp, C=BE>
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
main, WRITE: SSL v3.1 Handshake, length = 141
main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished, v3.1
verify_data: { 51, 236, 194, 3, 230, 37, 147, 76, 251, 233, 132, 207 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
Plaintext before ENCRYPTION: len = 36
0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
0010: 64 30 E3 0B 31 CF 7D C7 D6 17 D8 FB 31 23 F9 34 d0..1.......1#.4
0020: 5D B9 47 F9 ].G.
main, WRITE: SSL v3.1 Handshake, length = 36
main, READ: SSL v3.1 Alert, length = 2
main, RECV SSLv3 ALERT: fatal, handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.OutputStream.write(OutputStream.java:61)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at HttpClient.main(HttpClient.java:105)
Now, I am sure the certificate is in the keystore, because one of the first things I do in the program is print the certificates available in the keystore...
Does anyone know what I'm doing wrong? If you need the code to make a proper judgement, I will post it...
Thanks in advance!
Greetings,
Andy Zaidman

import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;
import java.util.*;

public class HttpClient {

    public HttpClient() {}

    public static void main(String args[]) {
        try {
            // This is my server certificate - public key
            String serverCertificateFile = "MyCA.cer";
            // This is my client personal certificate (PKCS#12, cert + private key)
            String clientCertificateFile = "MyPersonal.pfx";

            // Trust store: an empty in-memory JKS that holds only the server/CA certificate
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            KeyStore ks = KeyStore.getInstance("JKS");
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            ks.load(null, null);
            java.security.cert.X509Certificate the_cert;
            try (FileInputStream certIn = new FileInputStream(serverCertificateFile)) {
                the_cert = (java.security.cert.X509Certificate) cf.generateCertificate(certIn);
            }
            ks.setCertificateEntry("server", the_cert);
            tmf.init(ks);
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                System.out.println(ks.getCertificate(e.nextElement()));
            }

            // Key store: the PKCS#12 file; load it once, directly from the file
            KeyStore ks2 = KeyStore.getInstance("PKCS12", "SunJSSE");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            char[] password = "xxx".toCharArray();
            try (FileInputStream fin = new FileInputStream(clientCertificateFile)) {
                ks2.load(fin, password);
            }
            kmf.init(ks2, password);
            for (Enumeration<String> e = ks2.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                // a client cert is only offered if its entry also carries the private key
                System.out.println(alias + " (key entry: " + ks2.isKeyEntry(alias) + ")");
                System.out.println(ks2.getCertificate(alias));
            }

            // "SSLv3" is the name used in the original post; the trace above shows the
            // handshake actually negotiated SSL v3.1 (TLS 1.0)
            SSLContext ctx = SSLContext.getInstance("SSLv3");
            KeyManager[] km = kmf.getKeyManagers();
            for (int i = 0; i < km.length; ++i) {
                System.out.println(km[i]);   // was println(km): printed the array, not its elements
            }
            TrustManager[] tm = tmf.getTrustManagers();
            ctx.init(km, tm, null);

            // connection part
            SSLSocketFactory factory = ctx.getSocketFactory();
            SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 443);
            for (int i = 0; i < socket.getEnabledCipherSuites().length; ++i) {
                System.out.println(socket.getEnabledCipherSuites()[i]);
            }
            socket.startHandshake();

            PrintWriter out = new PrintWriter(
                new BufferedWriter(
                    new OutputStreamWriter(
                        socket.getOutputStream())));
            // HTTP/1.1 requires a Host header and CRLF line endings (println used the platform separator)
            out.print("GET / HTTP/1.1\r\n");
            out.print("Host: localhost\r\n");
            out.print("Connection: close\r\n");
            out.print("\r\n");
            out.flush();

            // read the response so the server's answer is visible
            BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            String line;
            while ((line = in.readLine()) != null) {
                System.out.println(line);
            }
            socket.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
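In the trace above the server aborts with handshake_failure right after the client's Finished, which is what mod_ssl does when SSLVerifyClient is set to require and the client sent no usable certificate. A frequent reason on the Java side is that the X509KeyManager returned no alias, either because the PKCS#12 entry holds only the certificate and not the private key, or because no entry's issuer matches the CA names the server lists in its CertificateRequest. The following diagnostic is an added example, not code from the original poster: it wraps the key manager so that the CA names the server accepts and the alias JSSE picks are printed during the handshake. The class name ClientCertDiag, the LoggingKeyManager wrapper and the command-line arguments are assumptions for illustration; it uses only standard JSSE APIs.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.*;

/**
 * Diagnoses why a JSSE client presents no certificate during mutual TLS.
 * Usage (hypothetical): java ClientCertDiag MyPersonal.pfx <password> <host> <port>
 */
public class ClientCertDiag {

    /** Logs what the server's CertificateRequest asks for and what the delegate answers. */
    static final class LoggingKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager delegate;

        LoggingKeyManager(X509ExtendedKeyManager delegate) { this.delegate = delegate; }

        @Override
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            System.out.println("CertificateRequest key types: " + Arrays.toString(keyType));
            if (issuers == null || issuers.length == 0) {
                System.out.println("CertificateRequest lists no CA names (any issuer accepted)");
            } else {
                for (Principal p : issuers) {
                    System.out.println("  server accepts issuer: " + p.getName());
                }
            }
            String alias = delegate.chooseClientAlias(keyType, issuers, socket);
            // null here means JSSE sends an empty Certificate message; with
            // "SSLVerifyClient require" mod_ssl then answers handshake_failure
            System.out.println("key manager chose alias: " + alias);
            return alias;
        }

        @Override
        public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
            return delegate.chooseEngineClientAlias(keyType, issuers, engine);
        }
        @Override
        public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
            return delegate.chooseEngineServerAlias(keyType, issuers, engine);
        }
        @Override
        public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        @Override
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        @Override
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        @Override
        public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        @Override
        public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    /** Prints every PKCS#12 entry and flags those that carry no private key. */
    static void inspectKeyStore(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("alias " + alias + ": keyEntry=" + ks.isKeyEntry(alias)
                + " subject=" + cert.getSubjectX500Principal().getName()
                + " issuer=" + cert.getIssuerX500Principal().getName());
            if (!ks.isKeyEntry(alias)) {
                System.out.println("  -> certificate only, no private key: JSSE will never offer this entry");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String p12 = args[0];
        char[] pw = args[1].toCharArray();
        String host = args[2];
        int port = Integer.parseInt(args[3]);

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12)) { ks.load(in, pw); }
        inspectKeyStore(ks);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509ExtendedKeyManager) {
                kms[i] = new LoggingKeyManager((X509ExtendedKeyManager) kms[i]);
            }
        }

        // Trust the JVM's default CA store here; substitute the server's CA as in the post
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("handshake OK: " + s.getSession().getProtocol()
                + " " + s.getSession().getCipherSuite());
        }
    }
}
```

Compare the issuer printed for the key entry against the "server accepts issuer" lines: if they differ, the client certificate was not signed by a CA in the server's SSLCACertificateFile (or SSLCADNRequestFile), and mod_ssl will reject it even when it is the right certificate. If the entry is not a key entry, re-export the PKCS#12 so that it includes the private key.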