Client Cert Authentication

Is there any documentation that explain how to set up iAS 6.0 SP3 to use
Client Cert Authentication?
Thanks in advance,
Jose.

Hi,
I am not able to understand what "client cert authentication" means can
you please elaborate more on this. If this means authorization process by
any chance, then iAS uses LDAP that is bundled along with iAS to
authenticate. There is no other means to validate the users.
Regards
Raj
Jose Raya wrote:
Is there any documentation that explain how to set up iAS 6.0 SP3 to use
Client Cert Authentication?
Thanks in advance,
Jose.

Similar Messages

How to use CLIENT-CERT authentication?

Hi,
I would like to know how to use client authentication.
I used a web application with CLIENT-CERT authentication.
And I accessed to the application from browser, then I had the following error
message:
Incorrect or missing client certificate.
I used OpenSSL to generate keys.
Could you tell me the information of the setting?
Especially, I don't know theentry of CertAuthenticator.
Could you tell me?
Regards,
Kuniaki Hagiwara - HP Japan

Thank you for your response.
Yes we have added the client certificate file (.pfx) in the Firefox browser Certificate manager / Store. It's also showing the certificate in the View Certificate window. We could not resolve it yet.

CLIENT-CERT authentication in WL7

Hi,
I'm trying to enforce two-way authentication for clients (java applications) accessing
a web service running on WL7.
Web service is configured to accept requests over https only. With BASIC authentication
it works. When I
switch it to use CLIENT-CERT authentication I cannot connect to the web service.
I've set the
"javax.net.debug" directive to "ssl" and noticed that during the handshake procedure
the server doesn't
produce client certificate request. May it be the cause of the problem? If so,
how can I make the server to
generate client cert request?

Exactly, it was the reason. Thanks.
Marcin
On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
>
You must have been accessing the server over one-way SSL. Make sure the
two-way
ssl server attribute is set to: Client Certificate Enforced, or Client
Certificate
Requested But Not Enforced.
This should be all that is needed to make the server send the
certificate request.
With Client Certificate Enforced option you should be getting ssl
handshake failure
unless the client sends its certificate.
Pavel.
yazzva <[email protected]> wrote:
Yes, I have. If I had not done it, I couldn't have accessed the service
via https using basic authentication, and of course ssl debugging
information and server configuration show that ssl is configured
properly.
The problem is that WL7 doesn't generate client cert request. Thanks
for
an attempt to help.
Have you configured the server for two way ssl?
See
http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
for information on this.
Pavel.
"yazzva" <[email protected]> wrote:
Hi,
I'm trying to enforce two-way authentication for clients (java
applications)
accessing
a web service running on WL7.
Web service is configured to accept requests over https only. With
BASIC
authentication
it works. When I
switch it to use CLIENT-CERT authentication I cannot connect to theweb
service.
I've set the
"javax.net.debug" directive to "ssl" and noticed that during the
handshake
procedure
the server doesn't
produce client certificate request. May it be the cause of the
problem?
If so,
how can I make the server to
generate client cert request?--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

JavaPlugin Applets don't work if you require Client-cert authentication

Our whole organization is about to start using Java SmartCards for everything in the near future. (DoD's common access card.) I foresee enormous problems for applications that are currently using applets in them as a result unless something is done to fix a bug in the next version of the plugin.
This link below is in reference to a bug which Sun seems to believe is fixed and closed.
http://developer.java.sun.com/developer/bugParade/bugs/4681247.html
I am posting here, because I believe that postings against this bug will never be read by anyone. Here is a short explaination of the problem:
The Java Plugin cannot download archives when the web server requires client side certificates. The fix is to tell the plugin where your certificate file is at. This recommended fix is bad if you are using software certs, because you don't have 1 certificate for all of the internet sites for which you need a cert. It also tells you to type your cert password in the clear on the filesystem so that the plugin can find it.
But most importantly, this advice is totally useless if you are using hard token certs such as .... JavaCards. PKCS11 modules are not files. They are plugins that supply the algorithms that are going to be done securely in the smartcard. This means that you cannot lock down a web server based application to require a smartcard if that application is using applets. The plugin needs to use the exact same protocol to download the archive as it used to get the applet tag that requires it.
In the same vein, it was an irritating experience to get some JavaCards and after much work come to the conclusion that the design of the JSSE makes it incompatible with JavaCard for client/server style applications. (Somebody tell me that you have a JSSE compliant toolkit in which you can make a standalone Java Application that opens up SSL connections to servers and can use a JavaCard resident certificate to do so. It seems that you have to resort to a third-party library to use JavaCard certs with JSSE) Too many APIs are still being designed to assume that security modules consist of a set of X509Certificate/PrivateKey pairs in which you can extract the private key out of the module, and supply it to an encryption or a signing algorithm. With hardware tokens, you can only assume that security modules consist of a X509Certificate, and a method that will do the encryption/signature. And this method does NOT take the private key as an argument.... the private key is buried into the module as part of the that method's definition.
Anyway, it appeared that the pleas relating to this issue are not being heard because the issue has been closed. This is a BIG deal for organizations who are now starting to actually PKI enable their existing applications - which often involve applets.

I commiserate.
I believe the heavy reliance on the javax.net.ssl.keyStore system property is just wrong. An applet-local key manager for client-certificates would be really helpful.
The current (1.4) plugin design includes its own certificate management ui (control panel). I feel this is wrong design. Why is there no upcall available from the applet framework into the host/browser's certificate management? The same sort of thing happened with the move from awt to swing. The not-invented-here mentality? What's next, a special java filesystem? :) Luckily applets are normally kept away from files, but with the impending service-oriented world, with certificates being passed about like Amoeba capabilities, better integration of the plugin with the host's security management is going to be a sore need.

Web App Security Fallback (client-cert then form-based)

Can you setup a web application to fall back to form-based login if the
client-cert (i.e. identity assertion token) is not available. I think this
would be very valuable because once you've configured the web app to use the
"client-cert" authentication, you can't access the web app directly (i.e.
browser->weblogic server). You will always need to go through the perimeter
authenticator so the token gets sent.

Solution found:
The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
In your web.xml, forward your 401 code to login page:
<error-page>
<error-code>401</error-code>
<location>/form_login_page.html</location>
</error-page>
There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

Client-cert auth impl in web.xml does not work in Oracle Application Server

Hi,
I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
My server details are:
Oracle Application Server 10g Release 2 (10.1.2)
Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WSCollection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>WSCollection</realm-name> 
</login-config>
It is not woking as expected, though I have restarted my oc4j container after including this content to the web.xml file. i.e, I am able to invoke the web service though my sample java client program, though I donot have client certificate/keystore.
I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
Thanks,
Ms

I am having the same problem with doc and xsl. I have added this
<mime-mapping>
<extension>xls</extension>
<mime-type>application/vnd.ms-excel</mime-type>
</mime-mapping>
<mime-mapping>
<extension>doc</extension>
<mime-type>application/msword</mime-type>
</mime-mapping>
to my web.xml. I even restarted the server. I still see doc and xsl in binary.
Is there some other setting that needs to take place?
I am using WL6.1 with fixpack 1.
I can see the doc and excel files in the browser if I don't go through the weblogic
server. That just confirms it's not my browser.
Kumar Allamraju <[email protected]> wrote:
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
It works fine for me in 6.1 SP1.
<br><br>
If the following doesn't work , can you
<br>try application/winword instead of application/msword?
<p>--
<br>Kumar
<p>Siming Mu wrote:
<blockquote TYPE=CITE>Hi,
<p>I setup in my web.xml a mime mapping as follows,
<p><mime-mapping>
<br><extension>doc</extension><mime-type>application/msword</mime-type>
<br></mime-mapping>
<p>When I specify a test.doc url, the doc file appears in my browser
as
binary data
<br>instead of download.
<p>Please reference change request 055002, which decribes this problem.
According
<br>to edocs, it has been fixed in wls6.1sp1.
<p>But I am seeing it fixed. Am I doing anything wrong? Thanks.
<p>Siming</blockquote>
</html>

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
    <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* <P>A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* <P>IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
    protected void init(Properties props)
        throws BadRealmException, NoSuchRealmException
    public java.util.Enumeration getGroupNames (String username)
        throws InvalidOperationException, NoSuchUserException
    public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* <P>The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* <P>This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
*       _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
*      return commitAuthentication(_username, _password, _currentRealm,
*      grpList);
* <li>The grpList parameter is a String[] which can optionally be
*      populated to contain the list of groups this user belongs to
* </ul>
* <P>The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* <P>Sample setting in server.xml for JDBCLoginModule
* <pre>
*    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
*      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
*       <property name="jaas-context" value="jdbcRealm"/>
*    </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
    protected AuthenticationStatus authenticate()
        throws LoginException
    private String[] authenticate(String username,String passwd)
    private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* <P>The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* <P>There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* <P>The certificate realm needs the following properties in its
* configuration: None.
* <P>The following optional attributes can also be specified:
* <ul>
*   <li>assign-groups - A comma-separated list of group names which
*       will be assigned to all users who present a cryptographically
*       valid certificate. Since groups are otherwise not supported
*       by the cert realm, this allows grouping cert users
*       for convenience.
* </ul>
public class CertificateRealm extends IASRealm
   protected void init(Properties props)
     * Returns the name of all the groups that this user belongs to.
     * @param username Name of the user in this realm whose group listing
     *     is needed.
     * @return Enumeration of group names (strings).
     * @exception InvalidOperationException thrown if the realm does not
     *     support this operation - e.g. Certificate realm does not support
     *     this operation.
    public Enumeration getGroupNames(String username)
        throws NoSuchUserException, InvalidOperationException
     * Complete authentication of certificate user.
     * <P>As noted, the certificate realm does not do the actual
     * authentication (signature and cert chain validation) for
     * the user certificate, this is done earlier in NSS. This default
     * implementation does nothing. The call has been preserved from S1AS
     * as a placeholder for potential subclasses which may take some
     * action.
     * @param certs The array of certificates provided in the request.
    public void authenticate(X509Certificate certs[])
        throws LoginException
        // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

CLIENT-CERT - UserNameMapper problem

Hi,
I have a client, wich sends a soap-message, containing a username, to a
webservice, that responds with "hello, <username>". The communication
is over ssl. The webservice is running in a weblogic server 7.0 sp1.
I have 2-way ssl working. Now I'm trying to restrict access to the
web-service.
I changed the web.xml of the web-service to require BASIC as
auth-method. This works fine.
Then I changed BASIC to CLIENT-CERT in the web.xml.
I changed the active type of the defaultIdentityAsserter to X.509.
I implemented a UserNameMapper class, which prints data of the presented
certificate, and returns a username, that exists in the
embedded-ldap-realm of weblogic server, and that has the right to
execute the webservice (it works with BASIC auth).
I put the name of the UserNameMapper class in the
defaultIdentityAsserter, and I included it in my classpath.
The UserNameMapper is working, because the data of the certificate is
printed on stdout. But I get a 401 (Unauthorized)-error code when trying
to access the web-service.
Can someone give me a hint on what I'm mising?
Thanks,
Noella
************* code of UserNameMapper *********************
import java.security.cert.*;
public class VZNUserNameMapper implements
weblogic.security.providers.authentication.UserNameMapper{
public VZNUserNameMapper() {
public String mapCertificateToUserName(X509Certificate[] certs,
boolean ssl) {
System.out.println(certs[0].getSubjectDN().toString());
return "noella";
public String mapDistinguishedNameToUserName(byte[]
distinguishedName) {
return null;

Thanks it worked. Somehow I missed in documentation this x.509 setting.
I've also had a problem with setting "Client Certificate Requested But Not Enforced"
in WLS 7.0.0 but it seems to be working fine in SP1.
Thanks again
Greg
"kirann" <[email protected]> wrote:
hi,
I believe you need to turn on x.509 Identity Assertion in the server
console..
Please check the documention.
thanks
kiran
"Greg" <[email protected]> wrote in message
news:3e243a25$[email protected]..
Hi!
I'm trying to set up my web application to use client-cert
authentication. I've set in web.xml login config to
<auth-method>CLIENT-CERT</auth-method>. When I'm accessing my
application I'm always getting 401 Unauthorized. If I set
login to BASIC, browser pops up login dialog and everything works
fine.
I've done following:
- created and installed in WLS trusted CA certificate
- created and installed client certificate signed by that CA in
IE 5.5
- configured WLS to use ssl and set "Client Certificate Enforced"
- managed to connect to document root or console application
using https://localhost:7002/console and verified that accually client
certificate
is used (not able to connect without one)
Now I'm really stuck and have no ideas.
Please help. Thanks in advance.
Greg

Client Certificate Authentication not working in OSB 11g

Hi All,
I am currently having an issue with getting a 2 way SSL handshake to work in a production environment.
We have the set up working and fully functional in a Test environment, however when we have deployed the code and made the same config changes in the Production environment, it does nto work when calling the API (the result being as if we were not presenting the client cert to the API).
All relevant configuration on Weblogic and OSB was performed (Keystore creation / Security Realm - Service Key Provider / Service Key Providers etc) and I believe to be right.
We can test the keystore using SOAPUI and we get a valid response from the live API.
We can see the relevant aliases in OSB Service Key Provider so I know that the Security Realm / Identity settings are correct on the Weblogic Server.
The Test and Production Weblogic properties all look the same for Keystores / Secuirty Realms / SSL etc (expect with live keystores etc).
As we can see the aliases in OSB when setting up the Service Key Provider, it should just be a matter of setting the 'Authentication' of the business service making the call to 'Client Certificate' and this has also been done.
Though we always get an authentication error and code, that matched what we would get if we turn off the client cert authentication on the business service in the test environment (i.e not sending the certificate with the request).
What I really want to know is how can I find out for sure whether we are sending this certificate with our request or not? As I am struggling to find a way to log these details.
Any input appreciated.
Jamie

This is issue has now been resolved.
It was an environment specific issue rather than anything wrong with the actual code.

Testing exampleswebapp/SnoopServelt.jsp on https and client-cert

HI All:
I am trying to setup 2-way authentication in wls7.0. I have not been able to pin
down all the requriments for using client-cert authentication with 2-way authentication.
I have done the following:
1. enabled client certificate enforced under SSL tab
2. specified client-cert as login mechanism in web.xml
3. specified a security constraint and "INTEGRAL" as the transport mode for the
URL pattern /SnoopServlet.jsp
4. installed CertGenCA.der and client2certs.der, cerificates
for CA and client (generated using utils.CertGen) in the browser
when I hit the jsp I get a page cannot be displayed.
Any ideas what settings are wrong?
TIA,
-Sandeep

Hi Sandeep,
You did not mention the following necessary step.
- Configure the Trusted CA File Name for the client cert
If this step does not help, you can enable server-side
debugging by setting the following property on the java
command line when starting WebLogic.
-Dssl.debug=true
I hope this helps.
Regards,
Tom Hegadorn
Developer Relations Engineer
BEA Support
"Sandeep " <[email protected]> wrote:
>
HI All:
I am trying to setup 2-way authentication in wls7.0. I have not been
able to pin
down all the requriments for using client-cert authentication with 2-way
authentication.
I have done the following:
1. enabled client certificate enforced under SSL tab
2. specified client-cert as login mechanism in web.xml
3. specified a security constraint and "INTEGRAL" as the transport mode
for the
URL pattern /SnoopServlet.jsp
4. installed CertGenCA.der and client2certs.der, cerificates
for CA and client (generated using utils.CertGen) in the browser
when I hit the jsp I get a page cannot be displayed.
Any ideas what settings are wrong?
TIA,
-Sandeep

Implementing client-cert auth in web.xml in Oracle Application Server

Hi,
I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
My server details are:
Oracle Application Server 10g Release 2 (10.1.2)
Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WSCollection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>WSCollection</realm-name> 
</login-config>
It is not woking as expected, though I have restarted my oc4j container after including this content to the web.xml file. i.e, I am able to invoke the web service though my sample java client program, though I donot have client certificate/keystore.
I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
Thanks,
Ms

Hello,
You have different level of integration of SSO services in OC4J 10g (10.1.3).
If you are using an LDAP server you can integrate that using the LDAP security provider and support SSO between applications. This is documented as part of the Identity Management Integration.
Also in 10.1.3.0.0 you need to have at least an LDAP server (or bigger identity management solution) to do SSO.
In 10.1.3.1.0, that should be available this summer, OC4J will have a new security service that will allow applications to be authenticated in a single sing-on fashion. (Stay tuned to the OTN forum we will publish a beta version very soon)
Regards
Tugdual Grall

Enabling CLIENT-CERT and FORM authentication in same web-app

Hi!
I try to enable same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define in web.xml to have many <auth-method>s, for example <auth-method>CLIENT-CERT,FORM<auth-method>, which states that first one tries authentication with token (Single Sign On case, for example) and if it is not successful then go to log-in page.
My steps are as follows in my custom Servlet. We are using IE 6.0 as our web-client. We have configured our auth-method to be FORM, and in the <form-login-page> we have direction to that custom Servlet, which does the handling described below.
1. If client does not send tokens in request, then set response header:
response.setHeader("WWW-Authenticate", "Negotiate");
response.sendError(response.SC_UNAUTHORIZED);
This works fine and client starts to send his tokens
2. Now check token, if it is valid, let user in, if not forward him to custom log-in page, for example:
RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
dispatcher.forward(request, response);
3. Client is forwarded to a log-in page as requested and he gives his credentials. Pushes OK
log-in page is as defined in edocs:
<form method="POST" action="j_security_check">
     <table border=1>
          <tr>
               <td>Username:</td>
               <td><input type="text" name="j_username"></td>
          </tr>
          <tr>
               <td>Password:</td>
               <td><input type="password" name="j_password"></td>
          </tr>
          <tr>
               <td colspan=2 align=right><input type=submit value="Submit"></td>
          </tr>
     </table>
</form>
Now the interesting thing happens (I have investigated TCP traffic at server machine): client (in this case IE) seems to override somehow the credentials (j_password and j_username for HTTP headers, does not send them at all) but keeps on sending this 'Authorize'-field with invalid token instead.
I have tried a Servlet that does not request WWW-Authenticate at all (in which case client does not start to send 'Authorize'-field). In this case those values are put to HTTP header OK and authentication is able to take place.
Anyone has any ideas how can I force my clients to send those values from the HTML FORM described above? SHould I set something at response while I do the forward to the custom log-in page. I have tried virtually everything I can imagine (which seems to be not too much :-))...

Solution found:
The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
In your web.xml, forward your 401 code to login page:
<error-page>
<error-code>401</error-code>
<location>/form_login_page.html</location>
</error-page>
There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

BASIC_PLAIN and CLIENT-CERT for SAML2 authentication

Hi,
I recently managed to set up kerberos on weblogic 10.3.5 using the negotiate provider so that I can log in to the console automatically with my windows authentication token.
I also have saml2 IDP set up on the same weblogic server for logging in to Salesforce.
I was hoping that I could configure weblogic to automatically log me in to Salesforce as well. The weblogic saml2.war file in WL_HOME/server/lib contains a web.xml file and I changed the login in this from BASIC_PLAIN to CLIENT-CERT. However when the call is made to /saml2/idp/login I get a 403 authorization denied message back. The debug seems to indicate that the browser did not return a SPGNEGO type token. If I revert back to BASIC_PLAIN I can log into Salesforce again, but only after entering my credentials in the basic auth window.
I wondered if anyone might have any tips to solve this?
Thanks,
Ed.

Hi,
May be below links will be helpful
Check the following links.. you will get the information all about the securities...
http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Also find soeminformation in these links
http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
/people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
Step by step guide for SSL security
step by step guide to implement SSL
Please go through below link for referance (above information is from below link)
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
General guide
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
Message level security
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
Regarding message level you can encrypt the message using certificates.
For both of this basis team has to deploy the releavant certificates in XI ABAP Stack or Java stack.
Generally if the scenarios are intra company we dont use any transport level or message level security since the network is already secured.
Thanks
Swarup

Weblogic 10.0 web application with CLIENT-CERT suddenly redirect with 401

Hi everybody,
we currently have a Weblogic Portal 10.2 web application with an integrated Windows authentication.
I configured a Negociate Identity Asserter and an Active Directory provider.
I configure Kerberos services, so we have succefully access to our application through the Windows session.
But, most of time we have 401 errors on any page when navigating. In fact, the error occures when clicking on a link when a page is not fully loaded.
For our tests, we use the security webapp provided by BEA/Oracle, and it just work.
The web.xml used in our webapp :
<security-constraint>
<web-resource-collection>
<web-resource-name>sso</web-resource-name>
<description>Desc</description>
<url-pattern>/appmanager/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>desc</description>
<role-name>ssoRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name/>
</login-config>
<security-role>
<description>Authenticated user</description>
<role-name>ssoRole</role-name>
</security-role>

which version of web server r u using here ? 6.1 or 7.0 ? if it is 6.1 then there is no easy <If> syntax. if u r using 7.0, then u need to be aware that the processing of 'ppath' is slightly different in 7.0
in any case, this would be the syntax
<Object name="weblogic" ppath="/hw/">
Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
# gateway timeout - back end web logic not responding handle differently
<If code='504'>
# send it to a different post..
Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
</If>
</Object>
- sriram

WebService Proxy and x509 cert. authentication

Does anybody know if JDeveloper 10.1.3 generated WebService proxy by default is trying to use wallet other then keystore?
We have generated a web service proxy and trying to make a call to a WebService over SSL to the site which require x509 certificate.
Setting up keystore properties like :
System.setProperty("javax.net.ssl.keyStore","c://temp//keystore/myKeystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword","password");
does not have any affect. And debug shows the following:
{Thread-10} [1:42:59.187] URLC: (https:twss.trac2es.transcom.mil:443) Connecting ...
{Thread-10} [1:42:59.187] Conn: Creating Socket: twss.trac2es.transcom.mil:443
{Thread-10} [1:42:59.328] Conn: using SSL version Oracle
{Thread-10} [1:42:59.390] Using wallet:
{Thread-10} [1:42:59.437] Conn:
And then shows the errors:
{Thread-10} [1:42:59.437] Unable to connect to URL: https://twss.trac2es.transcom.mil/trac2es-pmr/WebServicePmrSoapHttpPort due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
Any help will be apreciated
Alex

Bruce,
We are trying to setup X509 Client Cert to involve CAC(Smart Card) processing as a part of the initial part of our Jdev 10 or 11g app utilizing jsf/toplink. We are running OAS 10.1.2.0.2 presently but we can move to OAS 10.1.3 or OAS 10.1.4 without any problem.
I am hearing a lot of references to Jdev and creating the WebService.
Do you know if I am better off using what comes with OAS for the authentication or using Jdeveloper? If there is any good document you can refer me to we'll greatly appreciate it.
Thank you in advance for your response.

Client Cert Authentication

Similar Messages

Maybe you are looking for