Client Certificate authentication doesn't work
Hi there,
I want to use client authentication to log on to a SAP WebAS ABAP. I did everything as described in Gregor Wolfs Blog: Setup Authentication with Client Certificates for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows
(my system is not a sneak preview and it is based on Linux).
When I call a BSP application, I can choose the client certificate in the browser, and everything seems to work. But at the end, the basic authentication dialog appears.
In the dev_icm trace, I can see, that there is a user extracted from the DN of the certificate. In the HTTP access log, the user is logged on.
All certificates are valid, no problem found.
Exept the view VUSREXTID didnt work, the user in the HTTP access log was always the one from the DN, not the mapped one. But both are valid.
Any idea?
Thank you,
Erik
Did you map the certificate and user in the transaction 'extid_dn' ?
Because the 'normal' pop-up for username and password is opened when the system cannot find a user mapped to the certificate...
Felix
Similar Messages
-
Project Server 2010 Web services access with Client Certificate Authentication
We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
web service applications that no longer connect to server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
Please let us know if it is possible to authenticate with AD FS 2.0 and then call
Project Server web services. Any help or coding examples would be greatly appreciated.what is the error occurred when the custom PSI app connects?
can you upload the ULS logs here for research?
What is the user account format you specified in the code for authentication?
For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
'I:0#.w|mybusinessdomain\ewmccarty').
It requires you to manually call the UpnLogon method of
“Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{ var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity; }
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
Than you need to extract UPN-Claim from the identity.
Upload the verbose log if possible.
Did you see this?
http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management -
I checked with IE browser(on windows and MAC) and MAC safari packet capture. The CA certificate list is sent by server in 2 messages as the list is too big. I compared packet by packet exchanges in both the browsers. It is same till TLSv1 handshake is done for the ldap certificate authentication. It works fine in IE without any issues though the certificate list is divided into 2 messages.
In case of safari, after the TLSv1 handshake is done successfully, it again sends a SSLv3 'Client Hello' message and initiates the whole handshake process again and the server responds to it too till the handshake is complete. But it brakes after that with the server showing 'Cant establish secure connection' at the browser.
The issue occurs only in case of MAC safari for big list of CA certs >150(where it crosses the max limit) from server. It is not clear why safari alone is switching from TLSv1 to SSLv3 in this scenario.
NOTE: With shorter list of CA certs at server when it goes in one message, safari works fine and all messages are only TLSv1 and does not repeat the handshake process.
I have checked on safari version 5 and 6.0.3 on OS X mountain lion.
Is there any specific reason why MAC safari behaves like this or somethings needs to be done at server?
Any help would be appreciated.I checked with IE browser(on windows and MAC) and MAC safari packet capture. The CA certificate list is sent by server in 2 messages as the list is too big. I compared packet by packet exchanges in both the browsers. It is same till TLSv1 handshake is done for the ldap certificate authentication. It works fine in IE without any issues though the certificate list is divided into 2 messages.
In case of safari, after the TLSv1 handshake is done successfully, it again sends a SSLv3 'Client Hello' message and initiates the whole handshake process again and the server responds to it too till the handshake is complete. But it brakes after that with the server showing 'Cant establish secure connection' at the browser.
The issue occurs only in case of MAC safari for big list of CA certs >150(where it crosses the max limit) from server. It is not clear why safari alone is switching from TLSv1 to SSLv3 in this scenario.
NOTE: With shorter list of CA certs at server when it goes in one message, safari works fine and all messages are only TLSv1 and does not repeat the handshake process.
I have checked on safari version 5 and 6.0.3 on OS X mountain lion.
Is there any specific reason why MAC safari behaves like this or somethings needs to be done at server?
Any help would be appreciated. -
SOAP -Client Certificate Authentication in Receiver SOAP Adapter
Dear All,
We are working on the below scenario
SAP R/3 System -> XI/PI -> Proxy -> Customer
In this, SAP R/3 System sends a IDOC and XI should give that XML Payload of IDOC to Customer.
Cusomer gave us the WSDL file and also a Certificate for authentication.
Mapping - we are using XSLT mapping to send that XML payload as we need to capture the whole XML payload of IDOC into 1 field at the target end ( This was given in the WSDL).
Now, how can we achieve this Client Certificate authentication in the SOAP Receiver Adapter when we have Proxy server in between PI/XI and Customer system.
Require your inputs on Client Certificate authentication and Proxy server configuration.
Regards,
SriniHi
Look this blog
How to use Client Authentication with SOAP Adapter
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
Also refer to "SAP Security Guide XI" at service market place.
ABAP Proxy configuration
How do you activate ABAP Proxies? -
Client Certificate Authentication not working in OSB 11g
Hi All,
I am currently having an issue with getting a 2 way SSL handshake to work in a production environment.
We have the set up working and fully functional in a Test environment, however when we have deployed the code and made the same config changes in the Production environment, it does nto work when calling the API (the result being as if we were not presenting the client cert to the API).
All relevant configuration on Weblogic and OSB was performed (Keystore creation / Security Realm - Service Key Provider / Service Key Providers etc) and I believe to be right.
We can test the keystore using SOAPUI and we get a valid response from the live API.
We can see the relevant aliases in OSB Service Key Provider so I know that the Security Realm / Identity settings are correct on the Weblogic Server.
The Test and Production Weblogic properties all look the same for Keystores / Secuirty Realms / SSL etc (expect with live keystores etc).
As we can see the aliases in OSB when setting up the Service Key Provider, it should just be a matter of setting the 'Authentication' of the business service making the call to 'Client Certificate' and this has also been done.
Though we always get an authentication error and code, that matched what we would get if we turn off the client cert authentication on the business service in the test environment (i.e not sending the certificate with the request).
What I really want to know is how can I find out for sure whether we are sending this certificate with our request or not? As I am struggling to find a way to log these details.
Any input appreciated.
JamieThis is issue has now been resolved.
It was an environment specific issue rather than anything wrong with the actual code. -
BUG - Client Authentication doesn't work !!! [standalone 10.1.3.0.0]
i tried to enable client authentication in jdevloper oc4j with
needs-client-auth="true" but it doesnt work.. i got SSL connection but server do not request client certificate
i did not have problems with 10.1.2.0.2FYI - It is hard to tell where you went wrong in the configuration. Typically this kind of error comes up if there is a problem with the certificate. The process of securing OC4J is detailed here:
http://download-west.oracle.com/otn_hosted_doc/ias/preview/web.1013/b14432.pdf
Perhaps you can validate what you did vs the documentation.
I cut and pasted the following from the docs so may not come out well:
Creating the Secure Web Site Configuration File
Specify the appropriate SSL settings under the <web-site> element, as illustrated in the following example.
<web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/
web-site-10_0.xsd" port="4443" secure="true" display-name="My Secure Web Site">
<access-log path="../log/secure-web-access.log" />
<ssl-config factory="com.evermind.ssl.JSSESSLServerSocketFactory"
keystore="../../server.keystore" keystore-password="welcome"
provider="com.sun.net.ssl.internal.ssl.Provider" />
</web-site>
Note the additions to <web-site>, shown in bold:
Add a secure attribute with the value set to true. Setting secure="true" specifies that the HTTP protocol is to use an SSL socket.
Set the port attribute to an available port. The default for SSL ports is 443; in the example above, the port attribute is set to 4443.
Add the <ssl-config> element. This element is required whenever the secure flag is set to true. This element takes the following attributes and elements:
o The optional factory attribute is used to specify the third-party SSLSecureSocketFactory implementation to use if the application is not using JSSE.
The Oracle implementation - com.evermind.ssl.JSSESSLServerSocketFactory - is used by default. (Note that although the default implementation is shown in the example, it is implicit and does not need to be specified.)
If the application uses a third-party SSLServerSocketFactory implementation, you can use <property> subelements of <ssl-config> to send parameters to the factory.
o The keystore and keystore-password attributes specify the directory path and password for the keystore. The specified keystore must contain the certificates of any clients that are authorized to connect to OC4J through HTTPS. The value of keystore can indicate either an absolute or relative directory path and includes the file name.
o The optional provider attribute can be used to specify a security provider to use.
By default, the Sun Microsystems implementation - com.sun.net.ssl.internal.ssl.Provider - is used. (Note that although the default implementation is shown in the example, it is implicit and does not need to be specified.)
o One or more <property> elements containing parameters to pass to the SSLSecureSocketFactory. Each element contains a name attribute and a value attribute, enabling you to specify parameters as name/value pairs.
When the Web site configuration file is ready, add a <web-site> element referencing it to server.xml, the OC4J configuration file located in the J2EE_HOME/config directory. Note that applications will not be able to bind to the Web site unless this notation exists in server.xml. For example:
<application-server ... >
<web-site path="./default-web-site.xml" />
<web-site path="./mycustom-web-site.xml" />
<web-site path="./secure-web-site.xml" />
</application-server>
When configuration is complete, OC4J listens for SSL HTTP requests on one port and non-SSL HTTP requests on another. You can disable either SSL requests or non-SSL requests by commenting out the appropriate *-web-site.xml in the server.xml configuration file.
<!-- <web-site path="./secure-web-site.xml" /> commented out to remove SSL --> -
Client Certificate Authentication
Hi guys
I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated get pushed.
We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
any help would be truly appreciated
JesusIf IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
Users could go to the website of the issuing certificate authorities and make a request.
I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
I'll look further though (interested in this myself).
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. -
PEAP-GTC on Win 7 and 8 platforms (LDAP authentication doesn't work)
Hi all!
Customer is using Open LDAP as directory services.
We're setting Cisco Wi-Fi network with following authentication scheme:
Wireless LAN Controller - Cisco ACS 5.3 - Open LDAP
According to the documents ACS - LDAP supports only EAP-TLS and PEAP-GTC methods.
We need to perform username/password authentication. It works good on Apple and Android devices. But id doesn't want to authenticate Windows 7 clients.
We're unchecking "Validate Servers certificate" in WLAN settings of Win 7 client, but it still doesn't work.
It seems, that Windows doesn't support PEAP-GTC method. Are there any workaround to solve the issue?
I might assume, that there could be some software plug-ins (supplicants) that can be installed on Windows and give support of PEAP-GTC. But in this case customer will face serious organizational issues of provisioning new devices.
Please advice!
Thank you!
YuriyIn order to see PEAP EAP-GTC option on the client, you need to install EAP-GTC supplicant on the client machine.
Check this:
http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1007967
Jatin Katyal
- Do rate helpful posts - -
PEAP : Machine authentication doesn't work
Hello,
I'm trying to set up machine authentication and at this time I have some problems.
I have the following configuration:
- the users laptop are running WinXP
- the AP is a 1232
- ACS 3.3.2
- external database (Win2000 Active Directory) authentication
I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
On the Active Directory I changed the Dial In config. for the computers to allow access.
Is there anything else that has to be modified in order to perform machine authentication?
Hope someone will be able to help me.
Thanks in advance.
AlexHi Alex
I have had a similar issue, I found that my PEAP users were fine but Machine authentication failed at the SSL handshake. I.E the machine didn't know where the local certificate was. In the meantime to get the policies working I unchecked the "validate server certificate" on the client. And that works, I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though thats just a guess.
I am spending the day to get this working and I'll post what I find out.
Regards
Colin -
Help required with ADFS 3.0 client certificate authentication
Hi,
I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
federate user credentials to 3rd party trust for single-sign-on.
I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
Thanks!
-Chinmaya KarveHi Yan,
Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
So, as I mentioned earlier, I have 2 parallel setups with 3rd party service(SalesForce). Once of them is running ADFS 2.0 and another one has ADFS 3.0. I can logon to the third-party services, from both the setups using username/format. I can logon to SF
using client authentication certificate from ADFS 2.0 setup, but from the same client machine, when I try to logon SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows message of "Select a certificate that you want to use
for authentication. If you cancel the operation, please close your browser and try again.".
I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
I am really confused now, as to whose issue this really is...
Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
Any suggestion or inputs where I could have gone wrong in the setup?
Thanks! -
Client certificate authentication on ASA 5520
Hi,
We have configured certificate authentication for remote access IPSEC vpn and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'certificate management>CA certificates' window with a new ADSM trustpoint, or is there more steps?Hi Paul,
I generate a PCKS#12 file that enclosed the client certificate + the associated private key + the CA certchain.
I deployed it on client host machine by juste sending it by e-mail/ USB key/ Web plushing.
Depending of your client OS version, the client certificate should be present in, the "login" store of keychain repository on a MAC OS-X client and in the "personal" store of the certificate repository on a Windows client.
And that it.
Vincent -
Certification authentication doesn't work on linux version of Firefox
I have web page on IIS6 which need windows authentication. I enabled certificate mapping on certain user so when I install the proper certificate on firefox installed on Windows-based PC (I login with local user) and set network.automatic-ntlm-auth.trusted-uris variable, I can access this site without typing username and password. I tried to configure in same way firefox on my linux station, but it doesn't work - the web site access attempt finishes with authentication request windows
I didn't
-
How to handle Client Certificate authentication using URLRequest/URLLoader
Hi All,
I developed an AIR Application which communicates with a server. Protocol used for communication is HTTPS, and server has a valid certificate.
So whenever AIR App, communicates with the server, a dialogue box prompts to select the client certificate just as show below.
So here what I am looking at is, Any method is available to prevent this prompt.
I have already tried the method of Enabling "Dont Prompt for client certificate selection when only one certificate exists", Of course this method will work only if multiple certificate exists, so what if multiple certificate exists.
How an air application can handle that?
So any one find any way to handle this. I am using URLRequest for commnicating with server.
Here is the code snippet I have used.
var request:URLRequest = new URLRequest(url);
request.method = URLRequestMethod.GET;
var urlLoader:URLLoader = new URLLoader();
urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
urlLoader.addEventListener(Event.COMPLETE, loaderCompleteHandler)
urlLoader.addEventListener(Event.OPEN, openHandler);
urlLoader.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
urlLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
urlLoader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);//, false, 0, true);
Please help me...
Thanks
SanalYes it is possible. Refer
Using Certificates for Authentication [http://docs.sun.com/app/docs/doc/820-7985/ginbp?l=en&a=view]
SSL Authentication section in [http://docs.sun.com/app/docs/doc/820-7985/gdesn?l=en&a=view]
client-auth element in server.xml [http://docs.sun.com/app/docs/doc/820-7986/gaifo?l=en&a=view]
certmap.conf [http://docs.sun.com/app/docs/doc/820-7986/abump?l=en&a=view]
certmap.conf should have verifycert "on", and lets say this certmap is called "cmverify" :
certmap cmverify default
cmverify:DNComps
cmverify:FilterComps uid
cmverify:verifycert onIn serve.xml we should have <client-auth> "required" and lets say we have an auth-db named "ldapregular":
<http-listener>...
<ssl>...
<client-auth>required</client-auth>
</ssl>
</http-listener>
<auth-db>
<name>ldapregular</name><url>ldap://myldap:369/o%3DTestCentral</url>
<property><name>binddn</name><value>cn=Directory Manager</value></property>
<property><name>bindpw</name><value...</value><encoded/></property>
</auth-db>In ACL file we should have method = "ssl", database = "ldapregular" and certmap = "cmverify" :# clientauth against LDAP database with special certmap which has verifyCert on
acl "uri=/";
authenticate (user,group) {
prompt = "Enterprise Server";
method = "ssl";
database = "ldapregular";
certmap = "cmverify";
deny (all) user = "anyone";
allow (all) user = "alpha,beta,gamma"; -
Client certificate authentication with custom authorization for J2EE roles?
We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
<auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--ThanksWe have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* <P>A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* <P>IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
protected void init(Properties props)
throws BadRealmException, NoSuchRealmException
public java.util.Enumeration getGroupNames (String username)
throws InvalidOperationException, NoSuchUserException
public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* <P>The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* <P>This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* <P>The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* <P>Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
protected AuthenticationStatus authenticate()
throws LoginException
private String[] authenticate(String username,String passwd)
private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* <P>The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* <P>There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* <P>The certificate realm needs the following properties in its
* configuration: None.
* <P>The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
protected void init(Properties props)
* Returns the name of all the groups that this user belongs to.
* @param username Name of the user in this realm whose group listing
* is needed.
* @return Enumeration of group names (strings).
* @exception InvalidOperationException thrown if the realm does not
* support this operation - e.g. Certificate realm does not support
* this operation.
public Enumeration getGroupNames(String username)
throws NoSuchUserException, InvalidOperationException
* Complete authentication of certificate user.
* <P>As noted, the certificate realm does not do the actual
* authentication (signature and cert chain validation) for
* the user certificate, this is done earlier in NSS. This default
* implementation does nothing. The call has been preserved from S1AS
* as a placeholder for potential subclasses which may take some
* action.
* @param certs The array of certificates provided in the request.
public void authenticate(X509Certificate certs[])
throws LoginException
// Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM -
HTTPS 2-way authentication doesn't work.
I succeeded in setting up my server (WL 6.1) to use SSL and enforce client
authentication.
I created a client certificate with OpenSSL, and imported it into my
browser.
When I request the page https://localhost:7002/
I get following message in the log:
CertificateVerify.md5 error____________________________
our computed md5 is
0: 6bd8 4b9a 1bb2 7b46 f815 2bdd a8cf de65 k.K...{F..+....e
the actual is
0: 3fcd 6673 4d46 4d45 654c 6bc5 9f01 a2d6 ?.fsMFMEeLk.....
When I turn on -Dssl.debug, then I get a stack trace:
CertificateVerify.md5 error____________________________
our computed md5 is
0: 6bd8 4b9a 1bb2 7b46 f815 2bdd a8cf de65 k.K...{F..+....e
the actual is
0: 3fcd 6673 4d46 4d45 654c 6bc5 9f01 a2d6 ?.fsMFMEeLk.....
weblogic.security.CipherException: Invalid signature
at
weblogic.security.SSL.CertificateVerify.input(CertificateVerify.java:
127)
at weblogic.security.SSL.Handshake.input(Handshake.java:115)
at weblogic.security.SSL.SSLSocket.getHandshake(SSLSocket.java:1043)
at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:778)
at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:622)
at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:267)
at
weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java
:238)
at
weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1116)
at weblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30)
at weblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:90)
at
weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.
java:563)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
Any ideas?
Thanks,
LsuiI seem to be having similar problems, was there a solution found for this?
To set up the debug information do I need to add anything more
than -Dssl.debug (i.e. does it take an "=true" or something like that)?
Thanks,
Geoff.
"Luis Muniz" <[email protected]> wrote in message
news:[email protected]...
I succeeded in setting up my server (WL 6.1) to use SSL and enforce client
authentication.
I created a client certificate with OpenSSL, and imported it into my
browser.
When I request the page https://localhost:7002/
I get following message in the log:
CertificateVerify.md5 error____________________________
our computed md5 is
0: 6bd8 4b9a 1bb2 7b46 f815 2bdd a8cf de65 k.K...{F..+....e
the actual is
0: 3fcd 6673 4d46 4d45 654c 6bc5 9f01 a2d6 ?.fsMFMEeLk.....
When I turn on -Dssl.debug, then I get a stack trace:
CertificateVerify.md5 error____________________________
our computed md5 is
0: 6bd8 4b9a 1bb2 7b46 f815 2bdd a8cf de65 k.K...{F..+....e
the actual is
0: 3fcd 6673 4d46 4d45 654c 6bc5 9f01 a2d6 ?.fsMFMEeLk.....
weblogic.security.CipherException: Invalid signature
at
weblogic.security.SSL.CertificateVerify.input(CertificateVerify.java:
127)
at weblogic.security.SSL.Handshake.input(Handshake.java:115)
atweblogic.security.SSL.SSLSocket.getHandshake(SSLSocket.java:1043)
at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:778)
at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:622)
at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:267)
at
weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java
:238)
at
weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1116)
atweblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30)
atweblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:90)
at
weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.
java:563)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
Any ideas?
Thanks,
Lsui
Maybe you are looking for
-
During PGI - Error - Posting only possible in periods 2006/12 and 2006/11
Hi, I am a new to SAP. I am testing creating sales order. While posting Goods Issue, I am getting error " Posting only possible in periods 2006/12 and 2006/11 in company code 1000" I searched and got solutions in SDN- Forum as well as SAP best prac
-
Error while running index creation
Hi All , I am running index creation step like below . alter session enable parallel DDL; alter session set workarea_size_policy=manual; alter session set sort_area_size=250000000; alter session set db_file_multiblock_read_count=128; CREATE INDEX "CU
-
[SOLVED]Can't get Shadowgrounds to start(It can't find some libraries)
Yesterday I downloaded the Shadowgrounds demo from linuxgamepublishing.com and installed it. Everything went quite smoothly but when trying to run the game I bumped into this problem: $ ./shadowgrounds_demo ./shadowgrounds_demo: error while loading s
-
Cisco AnyConnect WEB/SSL VPN - does not launch after Apple's security update on Mac OS 10.7 and 10.6
AnyConnect version: 2.5.2001 Mac OS versions: 10.7.2 and 10.6.8 We used to invoke Cisco AnyConnect VPN via the Safari browser for the SSL URL and it used to work fine on Mac OS 10.6 and 10.7. Apple released a security update on 8/Nov/2011 (see: http:
-
Hello Friends, Can You please share with me Standard BAPI's available for the following transactions in S&D: 1.Sales Order 2.Delivery 3.Billing 4.Sales Returns 5.Inter depot transfer 6.Inter Depot receipt 7.Credit Note 8.Debit Note it is urgent,await