Client-cert only?

Hi,
Sun App Server 8.
Is it possible to set up web app security with client-cert only (no user & pass)?
If so, please provide sample xml files.
Thanks

The following security-constraint in web.xml makes the URL /clientCert accessible only with a client cert:
<security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>WRCollection</web-resource-name>
    <url-pattern>/clientCert</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

Similar Messages

  • Force client cert only for anyconnect and not for ssl-clientless?

    I need to configure different authentication for AnyConnect clients and clients logging in using the SSL portal in the browser.
    I want both AAA and certificate for AnyConnect, but I want ONLY AAA for the SSL portal (clientless).
    I tried using two tunnel groups with different authentication settings, but I need the same alias available for both clientless and AnyConnect, and when I tried that it said I can't have two with the same alias.

    Did you ever get an answer to this question?
    It seems you should be able to set up two different client profiles. Under Authentication, ssl-client would specify "Both" and the ssl-clientless would specify AAA. You would likely have to duplicate much of the other work, but the requirement would be satisfied.

  • Only client cert in Sun One App server

    Hi,
    Is it possible to configure an application for Sun One Application Server 8 Update 1
    to use only Client Cert auth, without login with id and password?
    I configured the whole 1043 port to use Client Auth. It works when I enter https://localhost:1043 and provide the client cert. But when I enter my app I got 'access denied'.
    The app contains only one jsp page and no roles at all.
    The following is my web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
      <display-name xml:lang="pl">secure</display-name>
      <servlet>
        <display-name xml:lang="pl">secured</display-name>
        <servlet-name>secured</servlet-name>
        <jsp-file>/secured.jsp</jsp-file>
      </servlet>
      <jsp-config/>
      <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
          <web-resource-name>WRCollection</web-resource-name>
          <url-pattern>/secured.jsp</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint/>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
    </web-app>
    sun-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.0 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-0.dtd">
    <sun-web-app>
      <context-root>/secure</context-root>
      <session-config>
        <session-manager persistence-type="memory">
          <manager-properties/>
          <store-properties/>
        </session-manager>
        <session-properties/>
        <cookie-properties/>
      </session-config>
      <cache enabled="false" max-entries="4096" timeout-in-seconds="30">
        <default-helper/>
      </cache>
    </sun-web-app>
    Thank You.

    Hello again.
    I would like to rephrase my question.
    In the admin console on port 4848, in the Http Service node, an http-listener-2 is defined.
    In particular there is a "Client Authentication" setting.
    This is a global setting for all requests coming to that port.
    Can I achieve the same functionality using web.xml in one of the apps on the same port, without resorting to setting this global option to true?
    Thank You.

  • How to enable Client Cert Required, only for certain URL's in the webserver

    We are using Netegrity SiteMinder for authentication and their plugin is executed as an AuthTrans function. If I enable clientauth in server.xml (which basically turns on client cert required for the entire site), everything works fine. But if I want to turn that on only for certain URLs, how do I do that?
    I tried turning global clientauth off in server.xml and tried using PathCheck fn="get-client-cert" in obj.conf for the URLs that need a client cert, but the problem is AuthTrans is getting executed first and my Netegrity plugin is throwing an error saying it can't find the cert.
    What are the different options to enable cert required only for certain URLs?
    Thanks

    What is the condition you want to match?
    You can use get-client-cert in If tags in Web Server 7.0.
    For example, if the condition is matched, this gets a cert, requesting it if it is not already present and failing the request if it can't obtain an acceptable cert, only on POST requests:
    <If $url ~="*abc*">
    PathCheck fn="get-client-cert" method="POST" dorequest="1" require="1"
    </If>
    or
    <Object ppath="*abc*">
    PathCheck fn="get-client-cert" dorequest="1" require="1"
    </Object>
    For more details:
    http://docs.sun.com/app/docs/doc/819-2630/6n4thbiek?a=view#indexterm-380

  • Client-cert auth impl in web.xml does not work in Oracle Application Server

    Hi,
    I am new to implementing security features on web applications. I have developed a new web service using jdev1012 and deployed it in OAS 10.1.2. It's working fine according to the business requirements, but I am in need of implementing client-cert authentication to make the web service available only to those who have a client certificate.
    My server details are:
    Oracle Application Server 10g Release 2 (10.1.2)
    The server certificate is in place and SSL mode has already been enabled. I am able to access my web service through https://<mydomain.com>/myws/TreqWS as well as see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
    I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WSCollection</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
    </login-config>
    It is not working as expected, though I have restarted my oc4j container after including this content in the web.xml file. I.e., I am able to invoke the web service through my sample java client program, though I do not have a client certificate/keystore.
    I believe I am missing something. Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
    Thanks,
    Ms

    I am having the same problem with doc and xsl. I have added this
    <mime-mapping>
    <extension>xls</extension>
    <mime-type>application/vnd.ms-excel</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>doc</extension>
    <mime-type>application/msword</mime-type>
    </mime-mapping>
    to my web.xml. I even restarted the server. I still see doc and xsl in binary.
    Is there some other setting that needs to take place?
    I am using WL6.1 with fixpack 1.
    I can see the doc and excel files in the browser if I don't go through the weblogic
    server. That just confirms it's not my browser.
    Kumar Allamraju <[email protected]> wrote:
    > It works fine for me in 6.1 SP1.
    > If the following doesn't work, can you try application/winword instead of application/msword?
    > --
    > Kumar
    >
    > Siming Mu wrote:
    > > Hi,
    > > I setup in my web.xml a mime mapping as follows,
    > > <mime-mapping>
    > > <extension>doc</extension><mime-type>application/msword</mime-type>
    > > </mime-mapping>
    > > When I specify a test.doc url, the doc file appears in my browser as binary data instead of download.
    > > Please reference change request 055002, which describes this problem. According to edocs, it has been fixed in wls6.1sp1.
    > > But I am seeing it fixed. Am I doing anything wrong? Thanks.
    > > Siming

  • CLIENT-CERT authentication in WL7

    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?

    Exactly, it was the reason. Thanks.
    Marcin

    On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
    > You must have been accessing the server over one-way SSL. Make sure the two-way ssl server attribute is set to: Client Certificate Enforced, or Client Certificate Requested But Not Enforced.
    > This should be all that is needed to make the server send the certificate request.
    > With Client Certificate Enforced option you should be getting ssl handshake failure unless the client sends its certificate.
    > Pavel.
    >
    > yazzva <[email protected]> wrote:
    > > Yes, I have. If I had not done it, I couldn't have accessed the service via https using basic authentication, and of course ssl debugging information and server configuration show that ssl is configured properly.
    > > The problem is that WL7 doesn't generate client cert request. Thanks for an attempt to help.
    > >
    > > > Have you configured the server for two way ssl?
    > > > See
    > > > http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
    > > > http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
    > > > for information on this.
    > > > Pavel.
    > > >
    > > > "yazzva" <[email protected]> wrote:
    > > > > Hi,
    > > > > I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    > > > > Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    > > > > I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?
    --
    Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

  • Problems setting up 2way SSL with option Client certs requested Not Enfor

    Hi,
    I am having problems trying to set up 2-way SSL with the option "Client Certs Requested But Not Enforced". I am using DefaultIdentityAsserter with my own implementation of UserNameMapper. And I have the login-config set to CLIENT-CERT in web.xml. I have tested this setup and it works when I have "Client Certs Requested and Enforced", but when I change it to "Requested and not enforced" it gives a 401 unauthorized exception.
    Any help with this will be greatly appreciated.
    Thanks
    Praveena.

    Hi Peter,
    I'm afraid not. I turned to Apple support forums, followed their advice for troubleshooting Mac Mail (obviously not relevant to you using Outlook), but it involved scanning ports, checking firewalls etc.; all of this was clear and I just cannot see the problem.
    I even got one of the Livechat BC guys to look into it, by setting up a dummy email address on the client's account. I think he was rather intrigued, but I'm not sure he's had much luck as he still hasn't got back to me, and that was over 20 hours ago.
    Can your client receive emails? I can only get my client's account receiving emails; when I try to send an email I just keep receiving a message telling me that it cannot connect to smtp!
    According to the BC fact sheet for sending and receiving emails: "By default, email software will set the SMTP port to 25, which is the standard port for the smtp protocol. However our mail service has two alternative ports available that you can send through: 8025 or 587."
    However it's not blocked and those port settings didn't work either.
    The Apple fact sheet made mention of firewall settings possibly also blocking, but it's not relevant to me using my version of OS.
    Good luck, and please repost if you get any further.
    I am now just looking for a reason that my client's mail won't work on Mac Mail, just so I can sound professional when I tell them the answer is "no".
    Penny

  • BASIC_PLAIN and CLIENT-CERT for SAML2 authentication

    Hi,
    I recently managed to set up kerberos on weblogic 10.3.5 using the negotiate provider so that I can log in to the console automatically with my windows authentication token.
    I also have saml2 IDP set up on the same weblogic server for logging in to Salesforce.
    I was hoping that I could configure weblogic to automatically log me in to Salesforce as well. The weblogic saml2.war file in WL_HOME/server/lib contains a web.xml file and I changed the login in this from BASIC_PLAIN to CLIENT-CERT. However when the call is made to /saml2/idp/login I get a 403 authorization denied message back. The debug seems to indicate that the browser did not return a SPNEGO type token. If I revert back to BASIC_PLAIN I can log into Salesforce again, but only after entering my credentials in the basic auth window.
    I wondered if anyone might have any tips to solve this?
    Thanks,
    Ed.

    Hi,
    Maybe the links below will be helpful.
    Check the following links; you will get all the information about the securities...
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
    Also read through this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Also find some information in these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
    /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
    Step by step guide for SSL security
    step by step guide to implement SSL
    Please go through the link below for reference (above information is from the link below)
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
    General guide
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
    Message level security
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Regarding message level, you can encrypt the message using certificates.
    For both of these the basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.
    Generally if the scenarios are intra-company we don't use any transport level or message level security since the network is already secured.
    Thanks
    Swarup

  • Client-cert sample webapp doesn't work?

    In trying to understand how one can use client certificates with a Java webapp in the WS7, I figured I would start with the sample that comes with WS7 (in samples/java/webapps/security/client-cert). Unfortunately, the sample doesn't seem to work. I can install it just fine, and it runs, but it doesn't do what it is supposed to do. When I access the servlet from my browser, I see the message "Welcome to our Certificate secure zone." Unfortunately, it let me access this page without ever prompting me for a certificate, so it's not actually a certificate secure zone. I double-checked in the access logs to see, and sure enough index.jsp is being delivered to an unauthenticated user.
    When I examine the web.xml deployment descriptor, it's not clear to me that it should work. Here's the web.xml:
    <web-app>
      <display-name>Welcome to Certificate Security Zone</display-name>
      <servlet>
        <servlet-name>clientcert</servlet-name>
        <display-name>clientcert</display-name>
        <jsp-file>/index.jsp</jsp-file>
      </servlet>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>clientcert security test</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
      </login-config>
    </web-app>
    This web.xml seems to imply that the mere presence of a login-config will secure the entire app. The servlet specification seems a bit vague on this point, but since there isn't any auth-constraint in the security-constraint, I don't think the login-config ever applies. I think the login-config only comes into play when a security-constraint requires authentication.
    What am I missing in my understanding of the web.xml?
    What might prevent this simple sample from working properly? Could there be some other ACL or web server setting that overrides?
    Thanks,
    Tom

    If the URI is not a protected resource and you want client authentication, you should use server.xml <ssl><client-auth>...</client-auth></ssl> instead of the PathCheck line as I told. The value can be set to "required" or "optional".
    However, if the URL is a protected resource you DO NOT HAVE to add a PathCheck or client-auth element in server.xml.
    After installing the client-cert sample application using ant and ant deploy, here is what you have to do to make it work:
    1) Add in the http-listener element in the instance's server.xml:
       <ssl><enabled>true</enabled></ssl>
    2) Make sure you have a certificate named "Server-Cert" in the NSS db in <ws-install-dir>/https-<instance-name>/config or change the certificate name appropriately in server.xml.
    3) To make it a protected resource, web.xml should have:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
    <web-app>
      <display-name>clientcert</display-name>
      <servlet>
        <servlet-name>clientcert</servlet-name>
        <display-name>clientcert</display-name>
        <jsp-file>/index.jsp</jsp-file>
      </servlet>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/roleprotected/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>TestRoleOne</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-role>
        <role-name>TestRoleOne</role-name>
      </security-role>
    </web-app>
    4) And sun-web.xml should have:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN" "http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_3-0.dtd">
    <sun-web-app>
    <security-role-mapping>
       <role-name>TestRoleOne</role-name>
       <principal-name>[email protected], CN=Franzl Alpha, UID=alpha, OU=People, O=TestCentral, C=US</principal-name>
    </security-role-mapping>
    </sun-web-app>
    You will be able to access http://<host-name>:<port>/ without sending a client certificate from the browser.
    Now create a client certificate and import this certificate in your browser.
    Access from the browser http://<host-name>:<port>/webapps-certificatebased-security/index.jsp; the browser should prompt for cert selection (if so configured) and the application should get the certificate.
    P.S. I have tested it; it works for me this way (without adding <ssl><client-auth> or the PathCheck directive).
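Three descriptors in this thread differ mainly in their `<auth-constraint>`, and that element is what decides whether the container ever challenges for a certificate: the first reply's constraint has none (so nothing requires authentication and `<login-config>` never applies, which is exactly Tom's reading of the WS7 sample), the Sun One poster's has an empty `<auth-constraint/>` (which the Servlet specification defines as permitting no role at all, so every request is denied, consistent with the 'access denied' reported), and the WS7 answer's uses `<role-name>*</role-name>`. As an added example, not code from any post here nor from Sun's sample application, the following Python script parses a web.xml and reports those shapes, along with two related caveats: a constraint without a CONFIDENTIAL transport guarantee, and an `<http-method>` list, which limits the constraint to the listed methods only. The three embedded descriptors are constructed to mirror the ones quoted above.

```python
# Added example: audit the <security-constraint>/<login-config> pairing in a
# Servlet 2.x web.xml. Not from this thread or from Sun's sample application.
import xml.etree.ElementTree as ET


def _name(el):
    """Local tag name; Servlet 2.4 descriptors may declare the j2ee namespace."""
    return el.tag.rsplit("}", 1)[-1]


def _kids(el, name):
    return [c for c in el if _name(c) == name]


def _text(el):
    return (el.text or "").strip()


def audit_web_xml(xml_text):
    """Return a list of (level, url-patterns, message) findings for one web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    auth_methods = [_text(m) for lc in _kids(root, "login-config")
                    for m in _kids(lc, "auth-method")]
    if "CLIENT-CERT" not in auth_methods:
        findings.append(("ERROR", "*", "no <login-config> selecting CLIENT-CERT"))
    for sc in _kids(root, "security-constraint"):
        wrcs = _kids(sc, "web-resource-collection")
        patterns = ", ".join(_text(p) for w in wrcs
                             for p in _kids(w, "url-pattern")) or "(none)"
        methods = [_text(m) for w in wrcs for m in _kids(w, "http-method")]
        acs = _kids(sc, "auth-constraint")
        if not acs:
            # No auth-constraint: nothing requires authentication, so the
            # container serves the resource without asking for a certificate.
            findings.append(("ERROR", patterns, "no <auth-constraint>: resource "
                             "is not protected, login-config never applies"))
        else:
            roles = [_text(r) for r in _kids(acs[0], "role-name")]
            if not roles:
                # Empty <auth-constraint/> permits no role: every request is refused.
                findings.append(("ERROR", patterns,
                                 "empty <auth-constraint/> denies all requests"))
            elif "*" in roles:
                findings.append(("OK", patterns,
                                 "any authenticated certificate holder is allowed"))
            else:
                findings.append(("OK", patterns, "restricted to roles "
                                 + ", ".join(roles)
                                 + "; needs a role mapping in the vendor descriptor"))
        guarantees = [_text(g) for u in _kids(sc, "user-data-constraint")
                      for g in _kids(u, "transport-guarantee")]
        if "CONFIDENTIAL" not in guarantees:
            findings.append(("WARN", patterns, "no CONFIDENTIAL transport-guarantee: "
                             "plain HTTP requests are not redirected to TLS"))
        if methods:
            # Listing methods narrows the constraint to exactly those methods.
            findings.append(("WARN", patterns, "only " + ", ".join(methods)
                             + " are constrained; other HTTP methods are not"))
    return findings


def has_errors(findings):
    return any(level == "ERROR" for level, _, _ in findings)


# Constructed descriptors mirroring the three shapes quoted in the thread.
WEB_XML_TRANSPORT_ONLY = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/clientCert</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

WEB_XML_EMPTY_AUTH = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/secured.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

WEB_XML_ANY_ROLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    for label, text in (("transport-only", WEB_XML_TRANSPORT_ONLY),
                        ("empty-auth", WEB_XML_EMPTY_AUTH),
                        ("any-role", WEB_XML_ANY_ROLE)):
        for level, pats, msg in audit_web_xml(text):
            print(f"{label}: [{level}] {pats}: {msg}")
```

Run it against a deployed application's WEB-INF/web.xml before testing in a browser: an ERROR line explains an app that either never prompts for a certificate or refuses everyone, and the WARN lines are the two things worth deciding about deliberately rather than by omission.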

  • CLIENT-CERT Optional

    Is there a way to request but not require a client certificate? Not all of our users have digital certificates, so I can not enforce the client-cert method. Is there a way to request a client cert after ssl has been established?
    Any ideas would be appreciated.
    Mark

    Thanks - I am using Tomcat on Windows 2003 and XP.
    I have only been able to get Tomcat to use client-certs or not. The Servlet spec seems to indicate the same, but I was hoping there was an optional way.
    Thanks,
    Mark

  • Oc4j standalone not seeing client cert in truststore

    OC4J standalone 10.1.2 running on W2K server.
    I have a web site configured for SSL with needs-client-auth="true".
    If the client certificate is in the keystore referenced in the <ssl-config> element, authorization works. If the client cert is instead in the truststore (cacerts), the certificate is not found. The Sun JSSE docs recommend that private keys only be in the keystore, and public keys in the truststore. When the client certs are in the keystore, they are visible to the outside world through a utility like openssl. This exposes our customer names (the CN on the client cert).
    How do I get client certs in a truststore to be recognized?
    Thanks, Marshall

    Keystores and truststores are the same type of file. Each can be accessed through a utility like openssl if one has access to the file system (which would list all public certs in them, provided that you have the password of course). The Sun JSSE recommends this as a best practice, not as a security vulnerability as far as I know.

  • Client Certs for just one directory using IIS

    I am using JRun 4 and IIS 5 on one site and IIS 6 on another, and am using SSL and requiring client certificates. I have all that working through IIS's site properties but my issue is that I only want to accept client certificates on one directory, in fact I only want the request for the client cert to pop up on that one directory. By setting the JRun.dll to the proper security settings to accept client certificates in IIS, any jsp file will prompt for the cert.
    Do I not want to use IIS to set up my SSL and client cert request as opposed to doing it in the web.xml? All my research pointed me to do this through IIS. Using IIS, do I need to use another ISAPI JRun connector? How do I do that?
    Can someone tell me a way to get this working for a client cert prompt only for the one directory either though IIS or application security?
    Thanks for any input you can provide.

    Hello Bill,
    I am sorry but I do not have an answer to your issue. It just happened that I am trying to set up an SSL connection between JRUN 4 and IIS 5 using the JRUN ISAPI connector. Unfortunately every time I try to run the "*.jsp" test page I am getting a "fetchprops" error message on the JRUN ISAPI connector. Would you be able to give me some hints as to what could cause this issue? By the way, I am testing it only with a trial version of an SSL certificate on IIS.
    Thank you

  • Client cert password asked twice when requested in ie 6.X, 7

    Hi all,
    I have an SSL web server instance (Sun Java Web Server 6.1SP8) configured to ask for a client cert when a certain resource is requested. Accepted client certs are contained in a client smart card, password protected. When using Internet Explorer as the browser, the password window to access the certificate is asked twice when requesting the protected resource.
    When using Firefox the password is only asked once.
    To configure the web server I've modified the obj.conf file adding
    <Client uri="/myuri/*">
    PathCheck fn="get-client-cert" dorequest="1" require="0"
    </Client>
    and magnus.conf adding
    KeepAliveTimeout 0
    Has this something to do with the web server or is it an Internet Explorer problem?
    Thanks in advance.

    Have you added any redirects in your obj.conf?
    Do you see anything in the error logs when you run the server in <log-level>finest</log-level> mode? Compare the difference between IE and Firefox.
    Some reference about get-client-cert:
    http://docs.sun.com/app/docs/doc/820-2203/abujm?l=en&a=view
    "The get-client-cert function gets the authenticated client certificate from the SSL3 session. If the certificate is present or obtained from the SSL3 session, the function returns REQ_NOACTION and allows the request to proceed. Otherwise, it returns REQ_ABORTED and sets the protocol status to 403 forbidden, causing the request to fail."
    In Web Server 7.0 try and add the following in server.xml also and see if it helps:
    In the <ssl> element add
    <client-auth>required</client-auth>
    or
    <client-auth>optional</client-auth>
    Note that this setting will work for all URIs, not just /myuri.
    For more details on client-auth: http://docs.sun.com/app/docs/doc/820-2203/gaifo?l=en&a=view
    Element: client-auth
    Description: Client certificate authentication method
    Value: required, optional, or false
    In WS 6.x, it was called clientauth and it could be specified as an attribute in SSLPARAMS:
    <!ELEMENT LS (DESCRIPTION?,SSLPARAMS?)>
    <!ATTLIST SSLPARAMS
    ...          clientauth %boolean; "false"
    ...>

  • Implementing client-cert auth in web.xml in Oracle Application Server

    Hi,
    I am new to implementing security features on web applications. I have developed a new web service using jdev1012 and deployed it in OAS 10.1.2. It's working fine according to the business requirements, but I am in need of implementing client-cert authentication to make the web service available only to those who have a client certificate.
    My server details are:
    Oracle Application Server 10g Release 2 (10.1.2)
    The server certificate is in place and SSL mode has already been enabled. I am able to access my web service through https://<mydomain.com>/myws/TreqWS as well as see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
    I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WSCollection</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
    </login-config>
    It is not working as expected, though I have restarted my oc4j container after including this content in the web.xml file. I.e., I am able to invoke the web service through my sample java client program, though I do not have a client certificate/keystore.
    I believe I am missing something. Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
    Thanks,
    Ms

    Hello,
    You have different levels of integration of SSO services in OC4J 10g (10.1.3).
    If you are using an LDAP server you can integrate that using the LDAP security provider and support SSO between applications. This is documented as part of the Identity Management Integration.
    Also in 10.1.3.0.0 you need to have at least an LDAP server (or a bigger identity management solution) to do SSO.
    In 10.1.3.1.0, which should be available this summer, OC4J will have a new security service that will allow applications to be authenticated in a single sign-on fashion. (Stay tuned to the OTN forum; we will publish a beta version very soon.)
    Regards
    Tugdual Grall

  • Is strong 2FA with client cert and AD using AnyConnect possible?

    Is it possible to configure AnyConnect to require a client cert that matches the AD username?  Which attribute should be used?  Common name (CN) or something else?  Can anyone point me to the appropriate documentation on setting up this configuration?
    Thanks in advance!

    Jaime, 
    If you want binary comparison of the certificate I believe it's only possible with EAP methods.
    That being said, you can extract multiple things from the certificate to be used as the authentication username.
    Have a look at this doc 
    http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html
    It shows a couple of different ways to do this on ASA.
    On IOS, I'd suggest looking at FlexVPN feature. 
    M.
