CLIENT-CERT

Hi all,
Can anyone please let me know how to change auth-method to CLIENT-CERT in web.xml of WebLogic Server 10.3.3?
We are using OAM 10.1.4.3 and WebLogic Server 10.3.3.
We are trying to integrate OAM with WebLogic Server using oamAuthnProvider.jar.
We could integrate OAM with WebLogic Server using OAMAuthenticator successfully.
We are trying to integrate OAM with WebLogic Server using OAM Identity Asserter.
We followed the steps mentioned in http://download.oracle.com/docs/cd/E12529_01/wlss31/configsecurity/clientcert.html.
For this, we need to change auth-method to CLIENT-CERT in web.xml of WebLogic Server 10.3.3.
When we try to change auth-method to CLIENT-CERT, we are not able to log in to the WebLogic console.
Could anyone please let us know how to change auth-method to CLIENT-CERT in web.xml of WebLogic Server 10.3.3?
Are there any steps to be followed before doing the change?
Thanks & Regards,
Swathi.
Edited by: user9116523 on Aug 5, 2010 6:37 AM

Since web.xml refers to a web app, do you mean that you changed the console.war file?
If your intent is to require client certificates to be presented in order to access the admin console, you don't do that by editing web.xml within the console.war file. It would be done on the SSL tab for the Admin server.
Or have I misunderstood your question?

Similar Messages

  • Web service call with v3 client cert in CF8

    I'm trying to call an external web service which requires a
    v3 client certificate be installed on our end. Our code platform is
    CF8, which I understand supports v3 certs. I've imported the
    external party's client cert into the CF server's cert store
    (cacerts) via keytool, and confirmed it's there. I've restarted the
    CF server. How do I attach the certificate to the cfhttp call to
    the external web service? I figure I can use a cfhttpparam, but am
    not sure what type to use, and what the value should be. Thanks in
    advance.

    DrewBlah wrote:
    > I'm trying to call an external web service which requires a v3 client
    > certificate be installed on our end. Our code platform is CF8, which I
    > understand supports v3 certs. I've imported the external party's client cert
    > into the CF server's cert store (cacerts) via keytool, and confirmed it's
    > there.

    You should not import the client certificate, but the server certificate:
    http://www.talkingtree.com/blog/index.cfm/2004/7/1/keytool
    http://jochem.vandieten.net/2008/02/28/cfhttp-and-client-certificates/

    > I've restarted the CF server. How do I attach the certificate to the
    > cfhttp call to the external web service? I figure I can use a cfhttpparam, but
    > am not sure what type to use, and what the value should be. Thanks in advance.

    The certificate for the HTTP call should be on the filesystem in PKCS#12
    format. Then use the following code:

    <cfset variables.certificatePath = ExpandPath("certificate.pkcs") />
    <cfset variables.certificatePass = "fillOutYourOwnPassword" />
    <cfset variables.webserviceURL = "https://server/service" />
    <cfsavecontent variable="theSoap">
    <soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:ns="https://server/service">
      <soapenv:Header/>
      <soapenv:Body>
        <ns:GetXXX>
          <xxx>YYY</xxx>
        </ns:GetXXX>
      </soapenv:Body>
    </soapenv:Envelope>
    </cfsavecontent>
    <cfhttp
        url = "#variables.webserviceURL#"
        clientCert = "#variables.certificatePath#"
        clientCertPassword = "#variables.certificatePass#"
        method = "get"
        port = "443"
    >
      <cfhttpparam type="header" name="Connection" value="Keep-Alive">
      <cfhttpparam type="header" name="SOAPAction" value="service">
      <cfhttpparam type="xml" value="#theSoap#">
    </cfhttp>
    <cfdump var="#XMLParse(cfhttp.filecontent)#">

    Jochem
    Jochem van Dieten
    Adobe Community Expert for ColdFusion

  • Web App Security Fallback (client-cert then form-based)

    Can you setup a web application to fall back to form-based login if the
    client-cert (i.e. identity assertion token) is not available. I think this
    would be very valuable because once you've configured the web app to use the
    "client-cert" authentication, you can't access the web app directly (i.e.
    browser->weblogic server). You will always need to go through the perimeter
    authenticator so the token gets sent.

    Solution found:
    The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to login page:
    <error-page>
      <error-code>401</error-code>
      <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works.

  • Client-cert auth impl in web.xml does not work in Oracle Application Server

    Hi,
    I am new to implementing security features on web applications. I have developed a new web service using jdev1012 and deployed it in OAS 10.1.2. It's working fine according to the business requirements, but I need to implement client-cert authentication to make the web service available only to those who have a client certificate.
    My server details are:
    Oracle Application Server 10g Release 2 (10.1.2)
    Server certificate is in place and SSL mode has already been enabled. I am able to access my web service through https://<mydomain.com>/myws/TreqWS as well as see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
    I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
    <security-constraint>
      <display-name>SecurityConstraint</display-name>
      <web-resource-collection>
        <web-resource-name>WSCollection</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
    </login-config>
    It is not working as expected, though I have restarted my oc4j container after including this content in the web.xml file. I.e., I am able to invoke the web service through my sample Java client program, though I do not have a client certificate/keystore.
    I believe I am missing something. Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
    Thanks,
    Ms

    I am having the same problem with doc and xsl. I have added this
    <mime-mapping>
    <extension>xls</extension>
    <mime-type>application/vnd.ms-excel</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>doc</extension>
    <mime-type>application/msword</mime-type>
    </mime-mapping>
    to my web.xml. I even restarted the server. I still see doc and xsl in binary.
    Is there some other setting that needs to take place?
    I am using WL6.1 with fixpack 1.
    I can see the doc and excel files in the browser if I don't go through the weblogic
    server. That just confirms it's not my browser.
    Kumar Allamraju <[email protected]> wrote:
    It works fine for me in 6.1 SP1.

    If the following doesn't work, can you
    try application/winword instead of application/msword?
    --
    Kumar

    Siming Mu wrote:
    > Hi,
    > I setup in my web.xml a mime mapping as follows,
    > <mime-mapping>
    > <extension>doc</extension><mime-type>application/msword</mime-type>
    > </mime-mapping>
    > When I specify a test.doc url, the doc file appears in my browser as binary data
    > instead of download.
    > Please reference change request 055002, which describes this problem. According
    > to edocs, it has been fixed in wls6.1sp1.
    > But I am seeing it fixed.  Am I doing anything wrong? Thanks.
    > Siming

  • Jax-RPC Client side: How to use multiple X509 client certs ?

    hi, (excuse me for my english)
    i'm looking for an answer to this question:
    I'm using the JAX-RPC libraries (JWSDP 2.0) for a web services client application in my app server (Tomcat 4 under 1.4 Sun JVM) with HTTPS connection. All works fine when I'm using System.setProperties for keystore and truststore.
    But now, I want to use different client SSL keys for the same app to consume the web service (one SSL client key for a group of users).
    Is it possible?
    I've tried using a custom SSLSocketFactory and a custom KeyManager but it won't work: when the SSL connection is well established once, I can connect to the app with an invalid client cert! (It seems the SSL connection is in cache and I don't know how to disable this cache.)
    I have read some threads on this problem without answers ! (http://forum.java.sun.com/thread.jspa?forumID=331&threadID=333010 and http://forum.java.sun.com/thread.jspa?forumID=331&threadID=600372)
    Thanks
    Edited by: Buck007 on May 26, 2008 9:14 AM

    I have the same problem. If you find the solution please post it here :)
    thanks

  • Enabling CLIENT-CERT and FORM authentication in same web-app

    Hi!
    I try to enable same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define in web.xml to have many <auth-method>s, for example <auth-method>CLIENT-CERT,FORM</auth-method>, which states that first one tries authentication with token (Single Sign On case, for example) and if it is not successful then go to log-in page).
    My steps are as follows in my custom Servlet. We are using IE 6.0 as our web-client. We have configured our auth-method to be FORM, and in the <form-login-page> we have direction to that custom Servlet, which does the handling described below.
    1. If client does not send tokens in request, then set response header:
    response.setHeader("WWW-Authenticate", "Negotiate");
    response.sendError(response.SC_UNAUTHORIZED);
    This works fine and client starts to send his tokens
    2. Now check token, if it is valid, let user in, if not forward him to custom log-in page, for example:
    RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
    dispatcher.forward(request, response);
    3. Client is forwarded to a log-in page as requested and he gives his credentials. Pushes OK
    log-in page is as defined in edocs:
    <form method="POST" action="j_security_check">
         <table border=1>
              <tr>
                   <td>Username:</td>
                   <td><input type="text" name="j_username"></td>
              </tr>
              <tr>
                   <td>Password:</td>
                   <td><input type="password" name="j_password"></td>
              </tr>
              <tr>
                   <td colspan=2 align=right><input type=submit value="Submit"></td>
              </tr>
         </table>
    </form>
    Now the interesting thing happens (I have investigated TCP traffic at server machine): client (in this case IE) seems to override somehow the credentials (j_password and j_username for HTTP headers, does not send them at all) but keeps on sending this 'Authorize'-field with invalid token instead.
    I have tried a Servlet that does not request WWW-Authenticate at all (in which case client does not start to send 'Authorize'-field). In this case those values are put to HTTP header OK and authentication is able to take place.
    Anyone has any ideas how can I force my clients to send those values from the HTML FORM described above? Should I set something at response while I do the forward to the custom log-in page? I have tried virtually everything I can imagine (which seems to be not too much :-))...

    Solution found:
    The trick is to return "401" in response if ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to login page:
    <error-page>
      <error-code>401</error-code>
      <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works.

  • Weblogic 10.0 web application with CLIENT-CERT suddenly redirect with 401

    Hi everybody,
    we currently have a Weblogic Portal 10.2 web application with an integrated Windows authentication.
    I configured a Negotiate Identity Asserter and an Active Directory provider.
    I configured Kerberos services, so we successfully have access to our application through the Windows session.
    But most of the time we have 401 errors on any page when navigating. In fact, the error occurs when clicking on a link when a page is not fully loaded.
    For our tests, we use the security webapp provided by BEA/Oracle, and it just works.
    The web.xml used in our webapp :
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>sso</web-resource-name>
    <description>Desc</description>
    <url-pattern>/appmanager/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description>desc</description>
    <role-name>ssoRole</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name/>
    </login-config>
    <security-role>
    <description>Authenticated user</description>
    <role-name>ssoRole</role-name>
    </security-role>

    which version of web server r u using here ? 6.1 or 7.0 ? if it is 6.1 then there is no easy <If> syntax. if u r using 7.0, then u need to be aware that the processing of 'ppath' is slightly different in 7.0
    in any case, this would be the syntax
    <Object name="weblogic" ppath="/hw/">
    Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
    # gateway timeout - back end web logic not responding handle differently
    <If code='504'>
    # send it to a different post..
    Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
    </If>
    </Object>
    - sriram
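Added example (not code from any of the posters): a small Python audit of a web.xml deployment descriptor, run over the two fragments posted in the threads above, each wrapped in a constructed `<web-app>` root. It applies two Servlet specification rules: the container only authenticates requests that match a constraint carrying an `<auth-constraint>`, and listing `<http-method>` elements limits a constraint to those methods. The finding codes are names made up for this example.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the fragments from the posts above inside an added <web-app> root.
OAS_POST_XML = """
<web-app>
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WSCollection</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>WSCollection</realm-name>
  </login-config>
</web-app>
"""

PORTAL_POST_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sso</web-resource-name>
      <url-pattern>/appmanager/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ssoRole</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name/>
  </login-config>
  <security-role>
    <role-name>ssoRole</role-name>
  </security-role>
</web-app>
"""


def _local(tag):
    # Drop an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}.
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _texts(elem, name):
    return [(e.text or "").strip() for e in _find_all(elem, name)]


def audit_web_xml(xml_text):
    """Return the declared auth methods and a list of (code, detail) findings."""
    root = ET.fromstring(xml_text.strip())
    # One post above describes a comma-separated form such as "CLIENT-CERT,FORM".
    auth_methods = [m.strip().upper()
                    for value in _texts(root, "auth-method")
                    for m in value.split(",") if m.strip()]
    findings = []
    constraints = _find_all(root, "security-constraint")
    protected = [c for c in constraints if _find_all(c, "auth-constraint")]

    if auth_methods and not protected:
        findings.append(("NO_AUTH_CONSTRAINT",
                         "login-config is declared but no security-constraint has an "
                         "<auth-constraint>; the container never asks for credentials"))
    for c in protected:
        for coll in _find_all(c, "web-resource-collection"):
            methods = _texts(coll, "http-method")
            if methods:
                findings.append(("METHOD_GAP",
                                 f"{_texts(coll, 'url-pattern')} is constrained only for "
                                 f"{methods}; other HTTP methods are not covered"))
        if ("CLIENT-CERT" in auth_methods
                and "CONFIDENTIAL" not in _texts(c, "transport-guarantee")):
            findings.append(("NO_CONFIDENTIAL",
                             "constraint does not require CONFIDENTIAL transport; "
                             "CLIENT-CERT depends on the TLS handshake"))
    return {"auth_methods": auth_methods, "findings": findings}


def finding_codes(xml_text):
    return [code for code, _ in audit_web_xml(xml_text)["findings"]]


if __name__ == "__main__":
    for name, doc in (("OAS post", OAS_POST_XML), ("Portal post", PORTAL_POST_XML)):
        print(name, audit_web_xml(doc)["auth_methods"])
        for code, detail in audit_web_xml(doc)["findings"]:
            print("  ", code, "-", detail)
```

A clean web.xml still needs two-way SSL on the server and an X.509-enabled identity asserter, as the replies elsewhere on this page point out; this check covers the descriptor only.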

  • How to use CLIENT-CERT authentication?

    Hi,
    I would like to know how to use client authentication.
    I used a web application with CLIENT-CERT authentication.
    And I accessed to the application from browser, then I had the following error
    message:
    Incorrect or missing client certificate.
    I used OpenSSL to generate keys.
    Could you tell me the information of the setting?
    Especially, I don't know the entry of CertAuthenticator.
    Could you tell me?
    Regards,
    Kuniaki Hagiwara - HP Japan

    Thank you for your response.
    Yes we have added the client certificate file (.pfx) in the Firefox browser Certificate manager / Store. It's also showing the certificate in the View Certificate window. We could not resolve it yet.

  • IBCM on non domain computers - Client Cert: None

    I have IBCM up and running for my domain joined computers, but I have problems with our DMZ and workgroup computers. I have imported the client certificate with the computer name in the subject and SAN, I imported the root and sub cert into the local store
    and the client actually installs. But it seems like there is no real communication.  When checking in the control panel, one thing that sticks out is "Client Cert: None" on the first tab. I'm lost.

    "I have imported the client certificate with the computer name in the subject and SAN"
    What exactly does this mean? Where did you get this cert from? Why are you using a SAN for the client auth cert? Is this even a client auth cert? Is it unique to this client?
    Also, posting, single lines from a log file is useless and meaningless. Log files are about context and flow which are completely lost when you post a single line. Additionally, single lines rarely contain the actual issue and just reflect what happened
    previously which can not be discerned without the lines before and after it. Thus, please post the entire relevant and unedited snippet of the log files requested by Nash showing the problem areas.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • CLIENT-CERT authentication in WL7

    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing
    a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication
    it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure
    the server doesn't produce client certificate request. May it be the cause of the problem? If so,
    how can I make the server to generate client cert request?

    Exactly, it was the reason. Thanks.
    Marcin
    On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
    > You must have been accessing the server over one-way SSL. Make sure the two-way
    > ssl server attribute is set to: Client Certificate Enforced, or Client Certificate
    > Requested But Not Enforced.
    > This should be all that is needed to make the server send the certificate request.
    > With Client Certificate Enforced option you should be getting ssl handshake failure
    > unless the client sends its certificate.
    > Pavel.
    >
    > yazzva <[email protected]> wrote:
    > Yes, I have. If I had not done it, I couldn't have accessed the service
    > via https using basic authentication, and of course ssl debugging
    > information and server configuration show that ssl is configured properly.
    > The problem is that WL7 doesn't generate client cert request. Thanks for
    > an attempt to help.
    >
    > Have you configured the server for two way ssl?
    > See
    > http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
    > http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
    > for information on this.
    > Pavel.
    >
    > "yazzva" <[email protected]> wrote:
    > Hi,
    > I'm trying to enforce two-way authentication for clients (java applications) accessing
    > a web service running on WL7.
    > Web service is configured to accept requests over https only. With BASIC authentication
    > it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    > I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure
    > the server doesn't produce client certificate request. May it be the cause of the problem?
    > If so, how can I make the server to generate client cert request?
    --
    Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

  • CLIENT-CERT - UserNameMapper problem

    Hi,
    I have a client, which sends a soap-message, containing a username, to a
    webservice, that responds with "hello, <username>". The communication
    is over ssl. The webservice is running in a weblogic server 7.0 sp1.
    I have 2-way ssl working. Now I'm trying to restrict access to the
    web-service.
    I changed the web.xml of the web-service to require BASIC as
    auth-method. This works fine.
    Then I changed BASIC to CLIENT-CERT in the web.xml.
    I changed the active type of the defaultIdentityAsserter to X.509.
    I implemented a UserNameMapper class, which prints data of the presented
    certificate, and returns a username, that exists in the
    embedded-ldap-realm of weblogic server, and that has the right to
    execute the webservice (it works with BASIC auth).
    I put the name of the UserNameMapper class in the
    defaultIdentityAsserter, and I included it in my classpath.
    The UserNameMapper is working, because the data of the certificate is
    printed on stdout. But I get a 401 (Unauthorized)-error code when trying
    to access the web-service.
    Can someone give me a hint on what I'm missing?
    Thanks,
    Noella
    ************* code of UserNameMapper *********************
    import java.security.cert.*;

    public class VZNUserNameMapper implements
            weblogic.security.providers.authentication.UserNameMapper {

        public VZNUserNameMapper() {
        }

        // Test mapper: prints the subject DN of the presented certificate and
        // returns the same fixed username for every certificate.
        public String mapCertificateToUserName(X509Certificate[] certs,
                boolean ssl) {
            System.out.println(certs[0].getSubjectDN().toString());
            return "noella";
        }

        // Distinguished-name mapping is not used in this test.
        public String mapDistinguishedNameToUserName(byte[] distinguishedName) {
            return null;
        }
    }

    Thanks it worked. Somehow I missed in documentation this x.509 setting.
    I've also had a problem with setting "Client Certificate Requested But Not Enforced"
    in WLS 7.0.0 but it seems to be working fine in SP1.
    Thanks again
    Greg
    "kirann" <[email protected]> wrote:
    hi,
    I believe you need to turn on x.509 Identity Assertion in the server console.
    Please check the documentation.
    thanks
    kiran
    "Greg" <[email protected]> wrote in message
    news:3e243a25$[email protected]..
    Hi!
    I'm trying to set up my web application to use client-cert
    authentication. I've set in web.xml login config to
    <auth-method>CLIENT-CERT</auth-method>. When I'm accessing my
    application I'm always getting 401 Unauthorized. If I set
    login to BASIC, browser pops up login dialog and everything works fine.
    I've done following:
    - created and installed in WLS trusted CA certificate
    - created and installed client certificate signed by that CA in IE 5.5
    - configured WLS to use ssl and set "Client Certificate Enforced"
    - managed to connect to document root or console application
      using https://localhost:7002/console and verified that actually client
      certificate is used (not able to connect without one)
    Now I'm really stuck and have no ideas.
    Please help. Thanks in advance.
    Greg

  • Configure Client-cert with ACL in iPlanet

    I need to configure iPlanet with "client-cert" configuration.
    - It works with this setting (in the console) : [Preference] --> [Encryption Preferences] --> "Require client certificates (regardless of access control):" set to "Yes".
    - I have a problem with this setting because all the instance is affected and clients without a certificate can not use other applications under this instance (they receive an "Acces Denied page").
    - It seems I can specify this setting to a specific URL via an ACL but it does not work.
    - Could you confirm I can do that ? If yes, could you precise the configuration of the ACL ?
    I am using iPlanet 4.1 under Solaris 2.8. For information I am using a websphere 4 server with iPlanet. My J2EE application is CLIENT-CERT; that's why I need this setting.
    Thanks !

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • Problems setting up 2way SSL with option Client certs requested Not Enfor

    Hi,
    I am having problems trying to set up 2 way SSL with the option "Clients Certs Requested But Not Enforced". I am using DefaultIdentityAsserter with my own implementation of UserNameMapper. And I have the login-config set to CLIENT-CERT in web.xml. I have tested this setup and it works when I have "Client Certs Requested and Enforced" but when I change it to "Requested and not enforced" it gives a 401 unauthorized exception.
    Any help with this will be greatly appreciated.
    Thanks
    Praveena.

    Hi Peter,
    I'm afraid not, I turned to Apple support forums, followed their advice for troubleshooting Mac Mail (obviously not relevant to you using Outlook) but It involved scanning ports checking firewalls etc, all of this was clear and I just cannot see the problem.
    I even got one of the Livechat BC guys to look into it, by setting up a dummy email address on the client's account, I think he was rather intrigued, but I'm not sure he's had much luck as he still hasn't got back to and that was over 20 hours ago.
    Can your client receive emails? I can only get my client's account receiving emails, when I try to send an email I just keep receiving a message telling me that it cannot connect to smtp!
    According to the BC fact sheet for sending and receiving emails: "By Default, email software will set the SMTP port to 25, which is the standard port for the smtp protocol. However our mail service has two alternative ports available that you can send through. 8025 or 587.
    However it's not blocked and those port settings didn't work either.
    The Apple fact sheet made mention to firewall settings possibly also blocking, but it's not relevant to me using my version of OS.
    Good luck, and please repost if you get any further.
    I am now just looking for a reason that my client's mail WONT work on Mac Mail, just so I can sound professional when I tell them the answer is "no".
    Penny

  • BASIC_PLAIN and CLIENT-CERT for SAML2 authentication

    Hi,
    I recently managed to set up kerberos on weblogic 10.3.5 using the negotiate provider so that I can log in to the console automatically with my windows authentication token.
    I also have saml2 IDP set up on the same weblogic server for logging in to Salesforce.
    I was hoping that I could configure weblogic to automatically log me in to Salesforce as well. The weblogic saml2.war file in WL_HOME/server/lib contains a web.xml file and I changed the login in this from BASIC_PLAIN to CLIENT-CERT. However when the call is made to /saml2/idp/login I get a 403 authorization denied message back. The debug seems to indicate that the browser did not return a SPNEGO type token. If I revert back to BASIC_PLAIN I can log into Salesforce again, but only after entering my credentials in the basic auth window.
    I wondered if anyone might have any tips to solve this?
    Thanks,
    Ed.

    Hi,
    May be below links will be helpful
    Check the following links.. you will get the information all about the securities...
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
    Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Also find some information in these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
    /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
    Step by step guide for SSL security
    step by step guide to implement SSL
    Please go through below link for reference (above information is from below link)
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
    General guide
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
    Message level security
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Regarding message level you can encrypt the message using certificates.
    For both of these, the basis team has to deploy the relevant certificates in XI ABAP Stack or Java stack.
    Generally if the scenarios are intra company we dont use any transport level or message level security since the network is already secured.
    Thanks
    Swarup

  • IPlanet 4.1 SP9 - WL 6.1 SP2 - client certs

    Hi,
    We seem to have a problem with client certificates that are provided to our iPlanet
    Webserver 4.1 SP9. Using WL 6.1 SP1, we used the following code to get the cert:
    .. = request.getAttribute("javax.net.ssl.peer_certificates")
    For some reason the exact same code will not work in SP2. We used the Jakarta SOAP
    Tunnelgui to see how the request was formatted, and we saw this:
    POST /login/logincertificaat.jsp HTTP/1.1
    accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
    referer: https://<some URL>/login/logincertificate.jsp
    accept-language: nl
    content-type: application/x-www-form-urlencoded
    connection: Keep-Alive
    user-agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
    host: some.host.com
    content-length: 66
    cache-control: no-cache
    cookie: JSESSIONID=8F5a1R0P6eV1Nwg6lmAiFLJIhkG3MbULZQCeHmphDf4XAiMx76gZ!-1838370154!172190846!7005!7002
    WL-Proxy-SSL: true
    X-WebLogic-Force-Cookie: true
    WL-Proxy-Client-Cert: MIIENDCCA96gAwIBAgIKTZeIPQAAAAAAKDANBgkqhkiG9w0BAQUFADCBjjEjMCEGCSqGSIb3DQEJARYUZS1zZXJ2aWNlc0BhY2htZWEubmwxCzAJBgNVBAYTAk5MMQwwCgYDVQQIEwNHTEQxEjAQBgNVBAcTCUFwZWxkb29ybjEPMA0GA1UEChMGQWNobWVhMRYwFAYDVQQLEw1IUyBlLVNlcnZpY2VzMQ8wDQYDVQQDEwZlLVNlcnYwHhcNMDIwMzIxMTUyNzIwWhcNMDMwMzIxMTUzNzIwWjCBoTEqMCgGCSqGSIb3DQEJARYbaGVyYmVydC5zY2h1dXJtYW5AYWNobWVhLm5sMQswCQYDVQQGEwJOTDEMMAoGA1UECBMDR0xEMRIwEAYDVQQHEwlBcGVsZG9vcm4xDzANBgNVBAoTBkFjaG1lYTEWMBQGA1UECxMNSFMgZS1TZXJ2aWNlczEbMBkGA1
    1TZXJ2ghBqt8LP7t9wm0AGHT qvjplaMGUGA1UdHwReMFwwK6ApoCeGJWh0dHA6Ly9zbnRlYjAxMC9DZXJ0RW5yb2xsL2UtU2Vydi5jcmwwLaAroCmGJ2ZpbGU6Ly9cXHNudGViMDEwXENlcnRFbnJvbGxcZS1TZXJ2LmNybDCBiAYIKwYBBQUHAQEEfDB6MDoGCCsGAQUFBzAChi5odHRwOi8vc250ZWIwMTAvQ2VydEVucm9sbC9zbnRlYjAxMF9lLVNlcnYuY3J0MDwGCCsGAQUFBzAChjBmaWxlOi8vXFxzbnRlYjAxMFxDZXJ0RW5yb2xsXHNudGViMDEwX2UtU2Vydi5jcnQwDQYJKoZIhvcNAQEFBQADQQA3N3spt+Cv2oHG59WORpQik9JrKFTpHNKmFtRIp1GMJqTfjPutw9CJDqbCucFjJXiESW7qVeCr0WtHlBvxFzaz
    Proxy-Client-IP: 1.1.1.27
    X-Forwarded-For: 1.1.1.27
    Proxy-Path-Translated: /login/logincertificate.jsp
    Proxy-Remote-User: USer
    Proxy-Auth-Type: ssl
    Since it looks like the cert is stored in the header, we also tried code like
    .. ... = request.Header("WL-Proxy-Client-Cert"); ...
    and all the variations on the request/header and the keys, but to no avail.
    Since everything worked in SP1, we are confused and hope someone can shine a light
    on this issue.
    Thanx in advance.
    Marnix
    P.S Sorry for the cross-posting of this issue (also in security) but I thought it
    is more appropriate to post it here.

    BEA provided the solution:
    In the web.xml file, add the following node:
    <context-param>
      <param-name>weblogic.httpd.clientCertProxy</param-name>
      <param-value>true</param-value>
    </context-param>
    This property is introduced in SP2 to patch a security hole.
    "Marnix J. van Wendel de Joode" <[email protected]> wrote:
    >
    Hi,
    We seem to have a problem with client certificates that are provided to our iPlanet
    Webserver 4.1 SP9. Using WL 6.1 SP1, we used the following code to get the cert:
    ... = request.getAttribute("javax.net.ssl.peer_certificates")
    For some reason the exact same code will not work in SP2. We used the Jakarta SOAP
    Tunnelgui to see how the request was formatted, and we saw this:
    POST /login/logincertificaat.jsp HTTP/1.1
    accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
    referer: https://<some URL>/login/logincertificate.jsp
    accept-language: nl
    connection: Keep-Alive
    user-agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
    host: some.host.com
    content-length: 66
    cache-control: no-cache
    cookie: JSESSIONID=8F5a1R0P6eV1Nwg6lmAiFLJIhkG3MbULZQCeHmphDf4XAiMx76gZ!-1838370154!172190846!7005!7002
    WL-Proxy-SSL: true
    X-WebLogic-Force-Cookie: true
    WL-Proxy-Client-Cert: [base64-encoded client certificate omitted]
    Proxy-Client-IP: 1.1.1.27
    X-Forwarded-For: 1.1.1.27
    Proxy-Path-Translated: /login/logincertificate.jsp
    Proxy-Remote-User: USer
    Proxy-Auth-Type: ssl
    Since it looks like the cert is stored in the header, we also tried code like
    ... ... = request.Header("WL-Proxy-Client-Cert"); ...
    and all the variations on the request/header and the keys, but to no avail.
    Since everything worked in SP1, we are confused and hope someone can shine a light on this issue.
    Thanks in advance.
    Marnix
    P.S. Sorry for the cross-posting of this issue (also in security), but I thought it is more appropriate to post it here.
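
The trust decision behind this thread, modelled as an added example (not BEA's code and not code posted in the thread): the certificate arrives as an ordinary `WL-Proxy-Client-Cert` request header, so it is honoured only when `weblogic.httpd.clientCertProxy` is enabled. The peer-address check, the function names and the sample request are assumptions made for illustration; the peer check stands in for a network control that lets only the proxy reach the server.

```python
import ipaddress

CERT_HEADER = "wl-proxy-client-cert"

# Constructed sample request; the certificate value is a placeholder.
SAMPLE_REQUEST = """\
POST /login/logincertificate.jsp HTTP/1.1
host: some.host.com
WL-Proxy-SSL: true
WL-Proxy-Client-Cert: BASE64-CERT-PLACEHOLDER
content-length: 66

"""

def parse_headers(raw_request):
    """Return the request headers as a dict keyed by lower-cased name."""
    headers = {}
    for line in raw_request.split("\n")[1:]:   # skip the request line
        line = line.strip()
        if not line:                           # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def forwarded_cert(raw_request, peer_ip, client_cert_proxy, trusted_proxies):
    """Decide whether the proxy-supplied certificate header may be used.

    Returns (header_value_or_None, reason). client_cert_proxy models the
    web.xml context-param; trusted_proxies is a hypothetical list of CIDR
    ranges the fronting web server connects from.
    """
    cert = parse_headers(raw_request).get(CERT_HEADER)
    if cert is None:
        return None, "no forwarded certificate"
    if not client_cert_proxy:
        # Default after SP2: any client can type this header, so ignore it.
        return None, "ignored: clientCertProxy not enabled"
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        # Flag is on, but the connection did not come from the proxy.
        return None, "rejected: peer is not the proxy"
    return cert, "accepted from trusted proxy"
```

Once the flag is enabled, the header is only as trustworthy as the path it arrived on, so direct connections that bypass the proxy should be blocked.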

  • Client Cert Authentication

    Is there any documentation that explain how to set up iAS 6.0 SP3 to use
    Client Cert Authentication?
    Thanks in advance,
    Jose.

    Hi,
    I am not able to understand what "client cert authentication" means. Can
    you please elaborate more on this? If this means authorization process by
    any chance, then iAS uses LDAP that is bundled along with iAS to
    authenticate. There is no other means to validate the users.
    Regards
    Raj
    Jose Raya wrote:
    Is there any documentation that explain how to set up iAS 6.0 SP3 to use
    Client Cert Authentication?
    Thanks in advance,
    Jose.
