CLIENT-CERT Optional

Similar Messages

• Problems setting up 2way SSL with option Client certs requested Not Enfor

  Hi,
  Iam having problems trying to set up 2 way SSL with the option "Clients Certs Requested But Not Enforced". I am using DefaultIdentityAsserter with my own implementation of UserNameMapper. And I have the login-config set to CLIENT-CERT in web.xml. I have tested this setup and it works when I have "Client Certs Requested and Enforced" but when I change it to "Requested and not enforced" it gives an 401 unauthorized exception.
  Any help with this will be greatly appreciated.
  Thanks
  Praveena.

  Hi Peter,
  I'm afraid not, I turned to Apple support forums, followed their advice for troubleshooting Mac Mail (obviously not relevant to you using Outlook) but It involved scanning ports checking firewalls etc, all of this was clear and I just cannot see the problem.
  I even got one of the Livechat BC guys to look into it, by setting up a dummy email address on the client's account, I think he was rather intrigued, but I'm not sure he's had much luck as he still hasn't got back to and that was over 20 hours ago.
  Can your client receive emails? I can only get my client's account receiving emails, when I try to send an email I just keep receiving an message telling me that it cannot connect to smtp!
  According to the BC fact sheet for sending and receiving emails: "By Default, email software will set the SMTP port to 25, which is the standard port for the smtp protocol. However our mail service has two alternative ports available that you can send through. 8025 or 587.
  However it's not blocked and those port settings didn't work either.
  The Apple fact sheet made mention to firewall settings possibly also blocking, but it's not relevant to me using my version of OS.
  Good luck, and please repost if you get any further.
  I am now just looking for a reason that my client's mail WONT work on Mac Mail, just so I can sound professional when I tell them the answer is "no".
  Penny

• CLIENT-CERT authentication in WL7

  Hi,
  I'm trying to enforce two-way authentication for clients (java applications) accessing
  a web service running on WL7.
  Web service is configured to accept requests over https only. With BASIC authentication
  it works. When I
  switch it to use CLIENT-CERT authentication I cannot connect to the web service.
  I've set the
  "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure
  the server doesn't
  produce client certificate request. May it be the cause of the problem? If so,
  how can I make the server to
  generate client cert request?

  Exactly, it was the reason. Thanks.
  Marcin
  On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
  >
  You must have been accessing the server over one-way SSL. Make sure the
  two-way
  ssl server attribute is set to: Client Certificate Enforced, or Client
  Certificate
  Requested But Not Enforced.
  This should be all that is needed to make the server send the
  certificate request.
  With Client Certificate Enforced option you should be getting ssl
  handshake failure
  unless the client sends its certificate.
  Pavel.
  yazzva <[email protected]> wrote:
  Yes, I have. If I had not done it, I couldn't have accessed the service
  via https using basic authentication, and of course ssl debugging
  information and server configuration show that ssl is configured
  properly.
  The problem is that WL7 doesn't generate client cert request. Thanks
  for
  an attempt to help.
  Have you configured the server for two way ssl?
  See
  http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
  http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
  for information on this.
  Pavel.
  "yazzva" <[email protected]> wrote:
  Hi,
  I'm trying to enforce two-way authentication for clients (java
  applications)
  accessing
  a web service running on WL7.
  Web service is configured to accept requests over https only. With
  BASIC
  authentication
  it works. When I
  switch it to use CLIENT-CERT authentication I cannot connect to theweb
  service.
  I've set the
  "javax.net.debug" directive to "ssl" and noticed that during the
  handshake
  procedure
  the server doesn't
  produce client certificate request. May it be the cause of the
  problem?
  If so,
  how can I make the server to
  generate client cert request?--
  Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

• Client-cert sample webapp doesn't work?

  In trying to understand how one can use client certificates with a Java webapp in the WS7, I figured I would start with the sample that comes with WS7 (in samples/java/webapps/security/client-cert). Unfortunately, the sample doesn't seem to work. I can install it just fine, and it runs, but it doesn't do what it is supposed to do. When I access the servlet from my browser, I see the message "Welcome to our Certificate secure zone." Unfortunately, it let me access this page without ever prompting me for a certificate, so it's not actually a certificate secure zone. I double-checked in the access logs to see, and sure enough index.jsp is being delivered to an unauthenticated user.
  When I examine the web.xml deployment descriptor, it's not clear to me that it should work. Here's the web.xml:
  <web-app>
    <display-name>Welcome to Certificate Security Zone</display-name>
    <servlet>
      <servlet-name>clientcert</servlet-name>
      <display-name>clientcert</display-name>
      <jsp-file>/index.jsp</jsp-file>
    </servlet>
    <session-config>
      <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>clientcert security test</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>certificate</realm-name>
    </login-config>
  </web-app>This web.xml seems to imply that the mere presence of a login-config will secure the entire app. The servlet specification seems a bit vague on this point, but since there isn't any auth-constraint in the security-constraint, I don't think the login-config ever applies. I think the login-config only comes into play when a security-constraint requires authentication.
  What am I missing in my understanding of the web.xml?
  What might prevent this simple sample from working properly? Could there be some other ACL or web server setting that overrides?
  Thanks,
  Tom

  If URI is not a protected resource and you want client authentication, you should use server.xml <ssl><client-auth>...</client-auth></ssl> instead of PathCheck line as I told. Value can be set to "required" or "optional".
  However, if URL is a protected resource you DO NOT HAVE to add PathCheck or client-auth element in server.xml.*
  After installing client-cert sample application using ant and ant deploy, here is what you have to do to make it work :
  1) Add in http-listener element in instance's server.xml :
     <ssl><enabled>true</enabled></ssl>2) Make sure you have a certificate named "Server-Cert" in NSS db in <ws-install-dir>/https-<instance-name>/config or change the certificate name appropriately in server.xml.
  3) To make it a protected resource, web.xml should have :
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
  <web-app>
    <display-name>clientcert</display-name>
  <servlet>
      <servlet-name>clientcert</servlet-name>
      <display-name>clientcert</display-name>
      <jsp-file>/index.jsp</jsp-file>
    </servlet>
    <session-config>
      <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/roleprotected/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>TestRoleOne</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
      <role-name>TestRoleOne</role-name>
    </security-role>
  </web-app>4) And sun-web.xml should have :
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN" "http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_3-0.dtd">
  <sun-web-app>
  <security-role-mapping>
     <role-name>TestRoleOne</role-name>
     <principal-name>[email protected], CN=Franzl Alpha, UID=alpha, OU=People, O=TestCentral, C=US</principal-name>
  </security-role-mapping>
  </sun-web-app>You will be able to access http://<host-name>:<port>/ without sending client certificate from the browser.
  Now create client certificate and import this certificate in your browser.
  Access from the browser, http://<host-name>:<port>/webapps-certificatebased-security/index.jsp browser should prompt for cert selection (if so configured) and the application should get certificate.
  P/S I have tested it It works for me this way (without adding <ssl><client-auth> or PathCheck directive).

• Only client cert in Sun One App server

  Hi,
  Is this possible to configure an application for Sun One Application Server 8 Update 1
  to use only Client Cert auth without login with id and password ?
  I configured whole 1043 port to use Client Auth. It works when I enter https://localhost:1043. I provide client cert. But when I enter my app I got 'access denied'.
  The app contains only one jsp page and no roles at all.
  The following is my web.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4" mlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name xml:lang="pl">secure</display-name>
  <servlet>
  <display-name xml:lang="pl">secured</display-name>
  <servlet-name>secured</servlet-name>
  <jsp-file>/secured.jsp</jsp-file>
  </servlet>
  <jsp-config/>
  <security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
  <web-resource-name>WRCollection</web-resource-name>
  <url-pattern>/secured.jsp</url-pattern>
  <http-method>POST</http-method>
  <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint/>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <login-config>
  <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  </web-app>
  sun-web.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.0 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-0.dtd">
  <sun-web-app>
  <context-root>/secure</context-root>
  <session-config>
  <session-manager persistence-type="memory">
  <manager-properties/>
  <store-properties/>
  </session-manager>
  <session-properties/>
  <cookie-properties/>
  </session-config>
  <cache enabled="false" max-entries="4096" timeout-in-seconds="30">
  <default-helper/>
  </cache>
  </sun-web-app>
  Thank You.

  Hello again.
  I would like to refrain my question.
  In admin console on port 4848 in Http Service node is a http-listener-2 defined.
  In particular there is "Client Authentication" setting.
  This is global setting for all request coming to that port.
  Can I achive the same functionality using web.xml in one of the apps server on the same port without resorting to setting this global option to true ?
  Thank You.

• Client cert password asked twice when requested in ie 6.X, 7

  Hi all,
  I have a ssl web server instance (Sun Java Web Server 6.1SP8) configured to ask for a client cert when a certain resource is requested. Accepted client certs are contained in a client smart card, password protected. When using internet explorer as browser, the password window to access the certificate is asked twice when requesting for the protected resource.
  When using firefox the password is only asked once.
  To configure the web server I've modified obj.conf file adding
  <Client uri="/myuri/*">
  PathCheck fn="get-client-cert" dorequest="1" require="0"
  </Client>and magnus.conf adding
  KeepAliveTimeout 0Has this something to do with the web server or is an internet explorer problem?
  Thanks in advance.

  Have you added any redirects in your obj.conf ?
  Do you see any thing in error logs when you run server in <log-level>finest</log-level> mode and compare the difference between IE and firefox.
  Some reference about get-client-cert :
  http://docs.sun.com/app/docs/doc/820-2203/abujm?l=en&a=view
  +"The get-client-cert function gets the authenticated client certificate from the SSL3 session. If the certificate is present or obtained from the SSL3 session, the function returns REQ_NOACTION and allows the request to proceed. Otherwise, it returns REQ_ABORTED and sets the protocol status to 403 forbidden, causing the request to fail."+
  In Web Server 7.0 try and add the following in server.xml also and see if it helps :
  In <ssl> element add
  <client-auth>required</client-auth>or
  <client-auth>optional</client-auth>Note that this setting will work for all URIs not just /myuri
  For more details on client-auth : http://docs.sun.com/app/docs/doc/820-2203/gaifo?l=en&a=view
  Element         client-auth
  Description       Client certificate authentication method
  Value             required, optional, or falseIn WS 6.x , it was called clientauth and it could be specified as an attribute in SSLPARAMS
  <!ELEMENT LS (DESCRIPTION?,SSLPARAMS?)>
  <!ATTLIST SSLPARAMS
  ...          clientauth %boolean; "false"
  ...>

• How to enable Client Cert Required, only for certain URL's in the webserver

  WE are using netegrity siteminder for authentication and their plugin is executed as AuthTrans function. If I enable clientauth in server.xml ( which is basically turning on the client cert required for entire site), everything works fine. But If I want to turn that on only for certain URL's how do I do that.
  I tried turning global clientauth off in server.xml and tried using PathCehck fn"get-client-cert" in obj.conf for the URL's that need client cert, but the problem is AuthTrans is getting executed first and my netegrity plugin is throwing an error saying it cann't find the cert.
  What are diffrent options to enable cert required only for certian URL's.
  Thanks

  What is the condition you want to match?
  You can use get-client-cert in If tags in Web Server 7.0 :
  For e.g. If the condition is matched, This gets a cert, requesting it if it is not already present and failing the request if it can't obtain an acceptable cert only on POST requests.
  <If $url ~="*abc*>
  PathCheck fn="get-client-cert" method="POST" dorequest="1" require="1"
  </If>
  or
  <Object ppath="*abc*">
  PathCheck fn="get-client-cert" dorequest="1" require="1"
  <Object>
  for more details :
  http://docs.sun.com/app/docs/doc/819-2630/6n4thbiek?a=view#indexterm-380

• Web service call with v3 client cert in CF8

  I'm trying to call an external web service which requires a
  v3 client certificate be installed on our end. Our code platform is
  CF8, which I understand supports v3 certs. I've imported the
  external party's client cert into the CF server's cert store
  (cacerts) via keytool, and confirmed it's there. I've restarted the
  CF server. How do I attach the certificate to the cfhttp call to
  the external web service? I figure I can use a cfhttpparam, but am
  not sure what type to use, and what the value should be. Thanks in
  advance.

  DrewBlah wrote:
  > I'm trying to call an external web service which
  requires a v3 client
  > certificate be installed on our end. Our code platform
  is CF8, which I
  > understand supports v3 certs. I've imported the external
  party's client cert
  > into the CF server's cert store (cacerts) via keytool,
  and confirmed it's
  > there.
  You should not import the client certificate, but the server
  certificate:
  http://www.talkingtree.com/blog/index.cfm/2004/7/1/keytool
  http://jochem.vandieten.net/2008/02/28/cfhttp-and-client-certificates/
  > I've restarted the CF server. How do I attach the
  certificate to the
  > cfhttp call to the external web service? I figure I can
  use a cfhttpparam, but
  > am not sure what type to use, and what the value should
  be. Thanks in advance.
  The certificate for the HTTP call should be on the filesystem
  in PKCS#12
  format. Then use the following code:
  <cfset variables.certificatePath =
  ExpandPath("certificate.pkcs") />
  <cfset variables.certificatePass =
  "fillOutYourOwnPassword"/>
  <cfset variables.webserviceURL = "https://server/service"
  />
  <cfsavecontent variable="theSoap">
  <soapenv:Envelope
  xmlns:soapenv="
  http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ns="https://server/service">
  <soapenv:Header/>
  <soapenv:Body>
  <ns:GetXXX>
  <xxx>YYY</xxx>
  </ns:GetXXX>
  </soapenv:Body>
  </soapenv:Envelope>
  </cfsavecontent>
  <cfhttp
  url = "#variables.webserviceURL#"
  clientCert = "#variables.certificatePath#"
  clientCertPassword = "#variables.certificatePass#"
  method = "get"
  port="443"
  >
  <cfhttpparam type="header" name="Connection"
  value="Keep-Alive">
  <cfhttpparam type="header" name="SOAPAction"
  value="service">
  <cfhttpparam type="xml" value="#theSoap#">
  </cfhttp>
  <cfdump var="#XMLParse(cfhttp.filecontent)#">
  Jochem
  Jochem van Dieten
  Adobe Community Expert for ColdFusion

• Web App Security Fallback (client-cert then form-based)

  Can you setup a web application to fall back to form-based login if the
  client-cert (i.e. identity assertion token) is not available. I think this
  would be very valuable because once you've configured the web app to use the
  "client-cert" authentication, you can't access the web app directly (i.e.
  browser->weblogic server). You will always need to go through the perimeter
  authenticator so the token gets sent.

  Solution found:
  The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
  In your web.xml, forward your 401 code to login page:
  <error-page>
  <error-code>401</error-code>
  <location>/form_login_page.html</location>
  </error-page>
  There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

• Client-cert auth impl in web.xml does not work in Oracle Application Server

  Hi,
  I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
  My server details are:
  Oracle Application Server 10g Release 2 (10.1.2)
  Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
  I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
  <security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
  <web-resource-name>WSCollection</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  <login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
  </login-config>
  It is not woking as expected, though I have restarted my oc4j container after including this content to the web.xml file. i.e, I am able to invoke the web service though my sample java client program, though I donot have client certificate/keystore.
  I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
  Thanks,
  Ms

  I am having the same problem with doc and xsl. I have added this
  <mime-mapping>
  <extension>xls</extension>
  <mime-type>application/vnd.ms-excel</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>doc</extension>
  <mime-type>application/msword</mime-type>
  </mime-mapping>
  to my web.xml. I even restarted the server. I still see doc and xsl in binary.
  Is there some other setting that needs to take place?
  I am using WL6.1 with fixpack 1.
  I can see the doc and excel files in the browser if I don't go through the weblogic
  server. That just confirms it's not my browser.
  Kumar Allamraju <[email protected]> wrote:
  <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
  <html>
  It works fine for me in 6.1 SP1.
  <br><br>
  If the following doesn't work , can you
  <br>try application/winword instead of application/msword?
  <p>--
  <br>Kumar
  <p>Siming Mu wrote:
  <blockquote TYPE=CITE>Hi,
  <p>I setup in my web.xml a mime mapping as follows,
  <p><mime-mapping>
  <br><extension>doc</extension><mime-type>application/msword</mime-type>
  <br></mime-mapping>
  <p>When I specify a test.doc url, the doc file appears in my browser
  as
  binary data
  <br>instead of download.
  <p>Please reference change request 055002, which decribes this problem. 
  According
  <br>to edocs, it has been fixed in wls6.1sp1.
  <p>But I am seeing it fixed.  Am I doing anything wrong? Thanks.
  <p>Siming</blockquote>
  </html>

• Jax-RPC Client side: How to use multiple X509 client certs ?

  hi, (excuse me for my english)
  i'm looking for an answer to this question:
  I'm using the JAX-RPC libraries (JWSDP 2.0) for a web services client application in my app server (tomcat 4 under 1.4 Sun JVM) with HTTPS connection. All works fine when i'm using system.Setproperties for keystore and trustore.
  Buk now, I want to use different client SSL keys for the same app to consume the web service (one SSL client key for a group of users).
  Is it possible ?
  i've tried using custom SSLSocketFactory and custom KeyManager but it won't works: when the SSL connection is well established once, i can connect to the app with an invalide client cert ! (it seems SSL connection is in cache and i dont't know how to disable this cache).
  I have read some threads on this problem without answers ! (http://forum.java.sun.com/thread.jspa?forumID=331&threadID=333010 and http://forum.java.sun.com/thread.jspa?forumID=331&threadID=600372)
  Thanks
  Edited by: Buck007 on May 26, 2008 9:14 AM

  I have the same problem. If you find the solution please post it here :)
  thanks

• Enabling CLIENT-CERT and FORM authentication in same web-app

  Hi!
  I try to enable same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define in web.xml to have many <auth-method>s, for example <auth-method>CLIENT-CERT,FORM<auth-method>, which states that first one tries authentication with token (Single Sign On case, for example) and if it is not successful then go to log-in page.
  My steps are as follows in my custom Servlet. We are using IE 6.0 as our web-client. We have configured our auth-method to be FORM, and in the <form-login-page> we have direction to that custom Servlet, which does the handling described below.
  1. If client does not send tokens in request, then set response header:
  response.setHeader("WWW-Authenticate", "Negotiate");
  response.sendError(response.SC_UNAUTHORIZED);
  This works fine and client starts to send his tokens
  2. Now check token, if it is valid, let user in, if not forward him to custom log-in page, for example:
  RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
  dispatcher.forward(request, response);
  3. Client is forwarded to a log-in page as requested and he gives his credentials. Pushes OK
  log-in page is as defined in edocs:
  <form method="POST" action="j_security_check">
       <table border=1>
            <tr>
                 <td>Username:</td>
                 <td><input type="text" name="j_username"></td>
            </tr>
            <tr>
                 <td>Password:</td>
                 <td><input type="password" name="j_password"></td>
            </tr>
            <tr>
                 <td colspan=2 align=right><input type=submit value="Submit"></td>
            </tr>
       </table>
  </form>
  Now the interesting thing happens (I have investigated TCP traffic at server machine): client (in this case IE) seems to override somehow the credentials (j_password and j_username for HTTP headers, does not send them at all) but keeps on sending this 'Authorize'-field with invalid token instead.
  I have tried a Servlet that does not request WWW-Authenticate at all (in which case client does not start to send 'Authorize'-field). In this case those values are put to HTTP header OK and authentication is able to take place.
  Anyone has any ideas how can I force my clients to send those values from the HTML FORM described above? SHould I set something at response while I do the forward to the custom log-in page. I have tried virtually everything I can imagine (which seems to be not too much :-))...

  Solution found:
  The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiate between client and server
  In your web.xml, forward your 401 code to login page:
  <error-page>
  <error-code>401</error-code>
  <location>/form_login_page.html</location>
  </error-page>
  There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works

• Weblogic 10.0 web application with CLIENT-CERT suddenly redirect with 401

  Hi everybody,
  we currently have a Weblogic Portal 10.2 web application with an integrated Windows authentication.
  I configured a Negociate Identity Asserter and an Active Directory provider.
  I configure Kerberos services, so we have succefully access to our application through the Windows session.
  But, most of time we have 401 errors on any page when navigating. In fact, the error occures when clicking on a link when a page is not fully loaded.
  For our tests, we use the security webapp provided by BEA/Oracle, and it just work.
  The web.xml used in our webapp :
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>sso</web-resource-name>
  <description>Desc</description>
  <url-pattern>/appmanager/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <description>desc</description>
  <role-name>ssoRole</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name/>
  </login-config>
  <security-role>
  <description>Authenticated user</description>
  <role-name>ssoRole</role-name>
  </security-role>

  which version of web server r u using here ? 6.1 or 7.0 ? if it is 6.1 then there is no easy <If> syntax. if u r using 7.0, then u need to be aware that the processing of 'ppath' is slightly different in 7.0
  in any case, this would be the syntax
  <Object name="weblogic" ppath="/hw/">
  Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
  # gateway timeout - back end web logic not responding handle differently
  <If code='504'>
  # send it to a different post..
  Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
  </If>
  </Object>
  - sriram

• "Anyconnect client profile" option missing in ASDM

  Hello,
  I'm in the process of setting up Anyconnect on the ASA, and have successfully updated the licensing, as well as uploaded the anyconnect pkg for web deployment. I enabled anyconnect on the outside interface and can now have the ASA push the client to the machine. Works fine. However, I want to add backup servers that the client will attempt to reach in the event the primary is down. I understand that "client profiles" can be created to customize settings like this. Problem is, when I follow the configuration guide with instructions for making client profiles at this location:
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1289905
  It shows that I should have an option for Anyconnect Client Profile and Anyconnect Client Settings.
  I don't have either of those options in ASDM. Here's what mine shows:
  I have another "SSL Client profiles" option, but it doesn't seem the same as the options above.
  Can someone assist with what I need to do to get the Client Profiles option to be available so I can add backup server information to the client? Thanks!

  Thanks for the response Marvin,
  It shows the ASA and ASDM versions are 8.2 and 6.2 respectively.
  Result of the command: "sh version"
  Cisco Adaptive Security Appliance Software Version 8.2(1)
  Device Manager Version 6.2(1)
  Result of the command: "sh act | i Ess"
  AnyConnect Essentials        : Enabled 
  I don't have the premium license, just the Anyconnect Essentials and Mobile licenses. I would imagine essentials should have the same profile configuration options, though. If it is in fact because I'm running an older version of ASDM, do I need to update both the ASA IOS and ASDM together, or can I just upgrade ASDM on its own? Thanks again.

• How to use CLIENT-CERT authentication?

  Hi,
  I would like to know how to use client authentication.
  I used a web application with CLIENT-CERT authentication.
  And I accessed to the application from browser, then I had the following error
  message:
  Incorrect or missing client certificate.
  I used OpenSSL to generate keys.
  Could you tell me the information of the setting?
  Especially, I don't know theentry of CertAuthenticator.
  Could you tell me?
  Regards,
  Kuniaki Hagiwara - HP Japan

  Thank you for your response.
  Yes we have added the client certificate file (.pfx) in the Firefox browser Certificate manager / Store. It's also showing the certificate in the View Certificate window. We could not resolve it yet.