Client Certificate Authentication not working in OSB 11g

Similar Messages

• Weblogic 8.1 Webservice Client Proxy Authentication not working

  We have a desktop console based Weblogic webservices client application that uses client stubs to establish the connection and communicate with the server where the WSDL was hosted.
  We are facing a problem in authenticating the Proxy user with valid credentials.
  We are using the following code to set the system properties and Authenticator class to authenticate the proxy user.
  //Code Segment #1
  Code:
  System.setProperty("http.proxyHost", proxyHost);System.setProperty("https.proxyHost", proxyHost);
  System.setProperty("weblogic.webservice.transport.http.proxy.host",proxyHost);
  System.setProperty("weblogic.webservice.transport.https.proxy.host",proxyHost);
  System.setProperty("http.proxyPort", proxyPort);
  System.setProperty("https.proxyPort", proxyPort);
  System.setProperty("weblogic.webservice.transport.http.proxy.port",proxyPort);
  System.setProperty("weblogic.webservice.transport.https.proxy.port",proxyPort);
  //System.setProperty("http.proxyType", "basic");
  //System.setProperty("https.proxyType", "basic");
  //System.setProperty("http.proxy.auth.type" ,"ntlm"); //This is not showing any impact
  System.setProperty("http.proxyUser", "bsil\\ashok.kumar");
  System.setProperty("https.proxyUser", "bsil\\ashok.kumar");
  System.setProperty("http.proxyPassword", " xyzddd");
  System.setProperty("https.proxyPassword", "xyzddd");
  Authenticator.setDefault(new MyAuthenticator());
  //Inner class
  public static class MyAuthenticator extends Authenticator {
  protected PasswordAuthentication getPasswordAuthentication() {
  String username = System.getProperty("http.proxyUser");
       String password = System.getProperty("http.proxyPassword");
       return new PasswordAuthentication(username, password.toCharArray());
  We are using following code initialize the stubs (Which internally opens a connection to the given endpoint base URL)
  //Code Segment #2
  Code:
  SessionService_Impl sessionService = new SessionService_Impl(getEndPointURL(SessionServicePort.class));
  port = sessionService.getSessionServicePort();
  return port;
  Using above code it always throws the following exception:
  Code:
  weblogic.webservice.tools.wsdlp.WSDLParseException: Failed to retrieve WSDL from https://apiclienttest.intralinks.com:443/webservices51/SessionService?WSDL. Please check the URL and make sure that it is a valid XML file [java.io.IOException: Proxy authenticator  failed: java.lang.ClassNotFoundException: ]
  if i replace the above code (Code Segment #2) to as bellow with Code Segment #3 then its working as expected. But we have been told that the Code Segment #2 is required as shwon above for the Weblogic ClientTimeout seconds feature so we cant replace the Code Segment #2 with Code Segment #3 since we don?t want to miss the ClientTimeout seconds feature for the application.
  //Code Segment #3
  Code:
  SessionService_Impl sessionService = new SessionService_Impl();
            SessionServicePort sessionServicePort = sessionService.getSessionServicePort();
            ((SessionServicePort_Stub) sessionServicePort)._setProperty("javax.xml.rpc.service.endpoint.address", endPointBaseURL+"SessionService");
  return sessionServicePort ;
  why the Proxy authentication is failing with the Code Segment #2 and why it is passing in case of Code Segment #3
  The endpoint base URL we are hitting is hosted on Weblogic server 9.0 (which is hosted at client side in US so it is behind our firewall).
  Is some thing more do we need to do in Authenticator class???
  Please help me if any one has worked on proxy server authenticator in java.

  We have a desktop console based Weblogic webservices client application that uses client stubs to establish the connection and communicate with the server where the WSDL was hosted.
  We are facing a problem in authenticating the Proxy user with valid credentials.
  We are using the following code to set the system properties and Authenticator class to authenticate the proxy user.
  //Code Segment #1
  Code:
  System.setProperty("http.proxyHost", proxyHost);System.setProperty("https.proxyHost", proxyHost);
  System.setProperty("weblogic.webservice.transport.http.proxy.host",proxyHost);
  System.setProperty("weblogic.webservice.transport.https.proxy.host",proxyHost);
  System.setProperty("http.proxyPort", proxyPort);
  System.setProperty("https.proxyPort", proxyPort);
  System.setProperty("weblogic.webservice.transport.http.proxy.port",proxyPort);
  System.setProperty("weblogic.webservice.transport.https.proxy.port",proxyPort);
  //System.setProperty("http.proxyType", "basic");
  //System.setProperty("https.proxyType", "basic");
  //System.setProperty("http.proxy.auth.type" ,"ntlm"); //This is not showing any impact
  System.setProperty("http.proxyUser", "bsil\\ashok.kumar");
  System.setProperty("https.proxyUser", "bsil\\ashok.kumar");
  System.setProperty("http.proxyPassword", " xyzddd");
  System.setProperty("https.proxyPassword", "xyzddd");
  Authenticator.setDefault(new MyAuthenticator());
  //Inner class
  public static class MyAuthenticator extends Authenticator {
  protected PasswordAuthentication getPasswordAuthentication() {
  String username = System.getProperty("http.proxyUser");
       String password = System.getProperty("http.proxyPassword");
       return new PasswordAuthentication(username, password.toCharArray());
  We are using following code initialize the stubs (Which internally opens a connection to the given endpoint base URL)
  //Code Segment #2
  Code:
  SessionService_Impl sessionService = new SessionService_Impl(getEndPointURL(SessionServicePort.class));
  port = sessionService.getSessionServicePort();
  return port;
  Using above code it always throws the following exception:
  Code:
  weblogic.webservice.tools.wsdlp.WSDLParseException: Failed to retrieve WSDL from https://apiclienttest.intralinks.com:443/webservices51/SessionService?WSDL. Please check the URL and make sure that it is a valid XML file [java.io.IOException: Proxy authenticator  failed: java.lang.ClassNotFoundException: ]
  if i replace the above code (Code Segment #2) to as bellow with Code Segment #3 then its working as expected. But we have been told that the Code Segment #2 is required as shwon above for the Weblogic ClientTimeout seconds feature so we cant replace the Code Segment #2 with Code Segment #3 since we don?t want to miss the ClientTimeout seconds feature for the application.
  //Code Segment #3
  Code:
  SessionService_Impl sessionService = new SessionService_Impl();
            SessionServicePort sessionServicePort = sessionService.getSessionServicePort();
            ((SessionServicePort_Stub) sessionServicePort)._setProperty("javax.xml.rpc.service.endpoint.address", endPointBaseURL+"SessionService");
  return sessionServicePort ;
  why the Proxy authentication is failing with the Code Segment #2 and why it is passing in case of Code Segment #3
  The endpoint base URL we are hitting is hosted on Weblogic server 9.0 (which is hosted at client side in US so it is behind our firewall).
  Is some thing more do we need to do in Authenticator class???
  Please help me if any one has worked on proxy server authenticator in java.

• Project Server 2010 Web services access with Client Certificate Authentication

  We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
  web service applications that no longer connect to server with the new authentication configuration.  Our custom applications are using the WCF interface to access the public web services.
  Please let us know if it is possible to authenticate with AD FS 2.0 and then call
  Project Server web services. Any help or coding examples would be greatly appreciated.

  what is the error occurred when the custom PSI app connects?
  can you upload the ULS logs here for research?
  What is the user account format you specified in the code for authentication?
  For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
  'I:0#.w|mybusinessdomain\ewmccarty').
  It requires you to manually call the UpnLogon method of
  “Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)  
  {  var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;  }  
  if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
  var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
  Than you need to extract UPN-Claim from the identity.
  Upload the verbose log if possible.
  Did you see this?
  http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
  Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

• SOAP -Client Certificate Authentication in Receiver SOAP Adapter

  Dear All,
  We are working on the below scenario
  SAP R/3 System  -> XI/PI -> Proxy -> Customer
  In this, SAP R/3 System sends a IDOC and XI should give that XML Payload of IDOC to Customer.
  Cusomer gave us the WSDL file and also a Certificate for authentication.
  Mapping - we are using XSLT mapping to send that XML payload as we need to capture the whole XML payload of IDOC into 1 field at the target end ( This was given in the WSDL).
  Now, how can we achieve this Client Certificate authentication in the SOAP Receiver Adapter when we have Proxy server in between PI/XI and Customer system.
  Require your inputs on Client Certificate authentication and Proxy server configuration.
  Regards,
  Srini

  Hi
  Look this blog
  How to use Client Authentication with SOAP Adapter
  http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
  Also refer to "SAP Security Guide XI" at service market place.
  ABAP Proxy configuration
  How do you activate ABAP Proxies?

• XML Schema dependencies is not valid in osb 11g version

  Hi,
  I'm working in osb 11.1.1.5 version.I have to import the 10g project in 11g server, but in my 10g project some schemas are included in another schemas.When i'm trying to export the resources in the 10g console and importing it in the 11g console i'm getting the errors. XML Schema dependencies is not valid in osb 11g version.Is there any alternative to import the 10g project in 11g in this case?Please suggest.
  Thanks in advance!

  while running the proxy in the eclipse i'm getting the error
  servicebus:/XMLSchema/HistoricLoadService/Schemas/CCD/datatypes-base:998:2: error: derivation-ok-restriction.5.3a: A type with a mixed content model can only restrict another type with a mixed content model. at poc_ccd.xsd
  When i'm trying to export the project from 10g console and importing it from osb 11g console I'm getting the conflicts like
  servicebus:/XMLSchema/HistoricLoadService/Schemas/CCD/datatypes-base:289:2: error: derivation-ok-restriction.5.3: Must be a valid restriction.
  Resource XMLSchema HistoricLoadService/Schemas/CCD/ poc_ccd forms a cyclic reference

• Reports who work in BIP 10G does not work in BIP 11G

  Hi!
  We are in the middle of going from BIP 10G to BIP 11G (latest patch installed the 9 of february). We have used the Upgrade Assistant to migrate the reports from 10G to 11G, about 80-90% are working directly.
  But, as always are there some problems. There are 2 major problems I am struggling with for the moment. 1 is long running reports who gets "Connection reset by peer" before the report ends and the more problematic which is this:
  [2012-02-27T11:09:50.397+01:00] [bi_server1] [ERROR] [] [oracle.xdo] [tid: 24] [userId: <anonymous>] [ecid: 22bf1318a95b3a18:-528a5dc9:135b0d15f61:-8000-0000000000025a30,0] [APP: bipublisher#11.1.1] XSL error:[[
  <Line 80, Column 151>: XML-23002: (Error) internal xpath error
  @Line 80 ==> <_G><xsl:if test="sum($G1[(./QADATE02 = current-group()/QADATE02)]/QATRQT) = '0'" xdofo:ctx="3">
  [2012-02-27T11:09:50.397+01:00] [bi_server1] [WARNING] [] [oracle.xdo] [tid: 24] [userId: <anonymous>] [ecid: 22bf1318a95b3a18:-528a5dc9:135b0d15f61:-8000-0000000000025a30,0] [APP: bipublisher#11.1.1] oracle.xdo.XDOException: java.lang.reflect.InvocationTargetException[[
       at oracle.xdo.template.fo.util.FOUtility.generateFO(FOUtility.java:1205)
       at oracle.xdo.template.fo.util.FOUtility.generateFO(FOUtility.java:276)
       at oracle.xdo.template.FOProcessor.createFO(FOProcessor.java:1973)
       at oracle.xdo.template.FOProcessor.generate(FOProcessor.java:1117)
       at oracle.xdo.servlet.RTFCoreProcessor.transform(RTFCoreProcessor.java:124)
       at oracle.xdo.servlet.CoreProcessor.process(CoreProcessor.java:372)
       at oracle.xdo.servlet.CoreProcessor.generateDocument(CoreProcessor.java:93)
       at oracle.xdo.servlet.ReportImpl.renderBodyHTTP(ReportImpl.java:1059)
       at oracle.xdo.servlet.ReportImpl.renderReportBodyHTTP(ReportImpl.java:624)
       at oracle.xdo.servlet.XDOServlet.writeReport(XDOServlet.java:477)
       at oracle.xdo.servlet.XDOServlet.writeReport(XDOServlet.java:447)
       at oracle.xdo.servlet.XDOServlet.doGet(XDOServlet.java:267)
       at oracle.xdo.servlet.XDOServlet.doPost(XDOServlet.java:299)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
       at oracle.xdo.servlet.metadata.track.MostRecentFilter.doFilter(MostRecentFilter.java:65)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
       at oracle.xdo.servlet.security.SecurityFilter.doFilter(SecurityFilter.java:122)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
       at oracle.xdo.servlet.init.InitCheckingFilter.doFilter(InitCheckingFilter.java:64)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
       at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
       at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
       at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
       at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
       at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  Caused by: java.lang.reflect.InvocationTargetException
       at sun.reflect.GeneratedMethodAccessor7820.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at oracle.xdo.common.xml.XSLT10gR1.invokeProcessXSL(XSLT10gR1.java:917)
       at oracle.xdo.common.xml.XSLT10gR1.transform(XSLT10gR1.java:609)
       at oracle.xdo.common.xml.XSLT10gR1.transform(XSLT10gR1.java:328)
       at oracle.xdo.common.xml.XSLTWrapper.transform(XSLTWrapper.java:187)
       at oracle.xdo.template.fo.util.FOUtility.generateFO(FOUtility.java:1181)
       ... 40 more
  Caused by: oracle.xdo11g.xqxp.XQException: XPTY0004
       at oracle.xdo11g.xslt.XSLStylesheet.flushErrors(XSLStylesheet.java:1850)
       at oracle.xdo11g.xslt.XSLStylesheet.execute(XSLStylesheet.java:616)
       at oracle.xdo11g.xslt.XSLStylesheet.execute(XSLStylesheet.java:551)
       at oracle.xdo11g.xslt.XSLProcessor.processXSL(XSLProcessor.java:345)
       at oracle.xdo11g.xslt.XSLProcessor.processXSL(XSLProcessor.java:194)
       at oracle.xdo11g.xslt.XSLProcessor.processXSL(XSLProcessor.java:230)
       at oracle.xdo11g.parser.v2.XSLProcessor.processXSL(XSLProcessor.java:124)
       at sun.reflect.GeneratedMethodAccessor7820.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at oracle.xdo.common.xml.XSLT10gR1.invokeProcessXSL(XSLT10gR1.java:920)
       ... 44 more
  Does anyone have the solution for this type of error, we have about 30-40 reports that is behaving like this in BIP 11G but works fine in BIP 10G.
  Can we do anything general in the BIP 11G or does we need to find the solution for each report and change in the template?
  All ideas are appreciated, thanks,
  Anders B

  Hi!
  Have everyone out there been able to use the upgrade assistant without any problem?
  The UA.bat program says everything is ok but the report actually created in BIP 10G does not work in BIP 11G. We are looking for documentation or "findings" of what the problem can be, in a more general way. We are aware of that we probably have to fix this manually, but we dont know what to fix, and it is not so "fun" to be forced to re create all this templates and reports. The datamodell seems for the most of the time works, so we get a working xml source but the creation of the report thru the template dont work.
  Best regards,
  Anders

• [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints .

  Revision: 1720
  Author: [email protected]
  Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
  Log Message:
  Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
  QA: Yes
  Doc: No
  Details:
  Update to the TomcatLoginCommand to work correctly with NIO endpoints.
  Ticket Links:
  http://bugs.adobe.com/jira/browse/LCDS-304
  Modified Paths:
  blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java

  Revision: 1720
  Author: [email protected]
  Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
  Log Message:
  Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
  QA: Yes
  Doc: No
  Details:
  Update to the TomcatLoginCommand to work correctly with NIO endpoints.
  Ticket Links:
  http://bugs.adobe.com/jira/browse/LCDS-304
  Modified Paths:
  blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java

• Social Client & Nokia blogs not working

  from last week social client & nokia blogs not working. Facebook / Twitter / Conversations / Blog etc... are not opening. Get a blank white screen with only option to exit. Surprisingly the social widget is getting updated with posts from both Facebook & Twitter! But if i click to open then its the same issue...

  Thanks Adrian,
  Am from India and using N8.
  First thing i checked is for updates on suite but no luck with that... Not sure if there are updates released which are not made available for users here.
  Any idea on where to check if updates are available here? Or when it would be made available here?
  Appreciate ur help.
  Merry Christmas...
  Cheers
  Staty

• Client Certificate authentication doesn't work

  Hi there,
  I want to use client authentication to log on to a SAP WebAS ABAP. I did everything as described in Gregor Wolfs Blog: Setup Authentication with Client Certificates for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows
  (my system is not a sneak preview and it is based on Linux).
  When I call a BSP application, I can choose the client certificate in the browser, and everything seems to work. But at the end, the basic authentication dialog appears.
  In the dev_icm trace, I can see, that there is a user extracted from the DN of the certificate. In the HTTP access log, the user is logged on.
  All certificates are valid, no problem found.
  Exept the view VUSREXTID didnt work, the user in the HTTP access log was always the one from the DN, not the mapped one. But both are valid.
  Any idea?
  Thank you,
  Erik

  Did you map the certificate and user in the transaction 'extid_dn' ?
  Because the 'normal' pop-up for username and password is opened when the system cannot find a user mapped to the certificate...
  Felix

• Help required with ADFS 3.0 client certificate authentication

  Hi,
  I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
  federate user credentials to 3rd party trust for single-sign-on.
  I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
  use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
  The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
  Thanks!
  -Chinmaya Karve

  Hi Yan,
  Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
  So, as I mentioned earlier, I have 2 parallel setups with 3rd party service(SalesForce). Once of them is running ADFS 2.0 and another one has ADFS 3.0. I can logon to the third-party services, from both the setups using username/format. I can logon to SF
  using client authentication certificate from ADFS 2.0 setup, but from the same client machine, when I try to logon SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows message of "Select a certificate that you want to use
  for authentication. If you cancel the operation, please close your browser and try again.".
  I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
  I am really confused now, as to whose issue this really is...
  Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
  Any suggestion or inputs where I could have gone wrong in the setup?
  Thanks!

• Client Certificate Authentication

  Hi guys
  I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated get pushed.
  We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
  I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
  Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
  any help would be truly appreciated
  Jesus

  If IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
  Users could go to the website of the issuing certificate authorities and make a request.
  I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
  So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
  I'll look further though (interested in this myself).
  Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

• Client certificate authentication fails when the CA list sent by server is big and the list goes in 2 encrypted messages.

  I checked with IE browser(on windows and MAC) and MAC safari packet capture. The CA certificate list is sent by server in 2 messages as the list is too big. I compared packet by packet exchanges in both the browsers. It is same till TLSv1 handshake is done for the ldap certificate authentication. It works fine in IE without any issues though the certificate list is divided into 2 messages.
  In case of safari, after the TLSv1 handshake is done successfully, it again sends a SSLv3 'Client Hello' message and initiates the whole handshake process again and the server responds to it too till the handshake is complete. But it brakes after that with the server showing 'Cant establish secure connection' at the browser.
  The issue occurs only in case of MAC safari for big list of CA certs >150(where it crosses the max limit) from server. It is not clear why safari alone is switching from TLSv1 to SSLv3 in this scenario.
  NOTE: With shorter list of CA certs at server when it goes in one message, safari works fine and all messages are only TLSv1 and does not repeat the handshake process.
  I have checked on safari version 5 and 6.0.3 on OS X mountain lion.
  Is there any specific reason why MAC safari behaves like this or somethings needs to be done at server?
  Any help would be appreciated.

  I checked with IE browser(on windows and MAC) and MAC safari packet capture. The CA certificate list is sent by server in 2 messages as the list is too big. I compared packet by packet exchanges in both the browsers. It is same till TLSv1 handshake is done for the ldap certificate authentication. It works fine in IE without any issues though the certificate list is divided into 2 messages.
  In case of safari, after the TLSv1 handshake is done successfully, it again sends a SSLv3 'Client Hello' message and initiates the whole handshake process again and the server responds to it too till the handshake is complete. But it brakes after that with the server showing 'Cant establish secure connection' at the browser.
  The issue occurs only in case of MAC safari for big list of CA certs >150(where it crosses the max limit) from server. It is not clear why safari alone is switching from TLSv1 to SSLv3 in this scenario.
  NOTE: With shorter list of CA certs at server when it goes in one message, safari works fine and all messages are only TLSv1 and does not repeat the handshake process.
  I have checked on safari version 5 and 6.0.3 on OS X mountain lion.
  Is there any specific reason why MAC safari behaves like this or somethings needs to be done at server?
  Any help would be appreciated.

• Client certificate is not send

  Hi
  I have not much experience in Java, so thank you in advance for your help.
  I have some piece of client code which setup the secure connection. Everything works fine until I use server authentication (in my certificate store I have trusted CA certificate and client certificate signed by this trusted CA). In mutual authentication handshake fails, because the cliend doesn't send any certificate (i checked it using network sniffer). I was looking for the way of enumerate the local certificates which are going to be send from client, but I can't understand how should I do it. There is my code below :
       System.setProperty("-Djavax.net.ssl.trustStore","G:/Program Files/Java/jre1.5.0_07/lib/security/cacerts".replace('/', File.separatorChar));
       System.setProperty("-Djavax.net.ssl.trustStorePassword","changeit");
       System.setProperty("-Djavax.net.debug","all");
       int port = 16993;
     String hostname = "10.10.1.11";
      SSLSocketFactory factory = null;
      SSLSocket socket = null;
      SSLSession session = null;
      String[] proto = new String[1];
      String[] ciphe = new String[1];
      String[] all_ciphe_supp = new String[33];
      System.out.println("Cipher Suite and Protocols test");
    try {
          factory = HttpsURLConnection.getDefaultSSLSocketFactory();
                } catch (Exception e) {
                     System.out.println( e.toString());
                if (factory != null) {
               // Connect to the server
                     try {
                          socket = (SSLSocket)factory.createSocket(hostname,port);
                          all_ciphe_supp = socket.getSupportedCipherSuites();
                          System.out.println("All ciphersuites and protocol supported");
                          socket.startHandshake();
                          session = socket.getSession();
                          System.out.println("Connection established using " + session.getProtocol() + " and " + session.getCipherSuite());
                          socket.close();
                     } catch (SSLPeerUnverifiedException e) {
                          System.out.println("Connection not established : " + e.toString());
                     } catch (IOException e) {
                          System.out.println("Connection not established : " + e.toString());
  }

  Thanks a lot, it is a little bit better, I can see debug messages at the output :)
  However the main problem still exists. In debug window I can see that client and CA certificates are added as trusted certificates, but no certificate is sent to server. Is it something wrong with certificate?
  I have the certificate in following formats: .der .p12 .pem
  I could only import .der using keytool (trying to import .p12 or .pem got Input not an X.509 certificate error), but using web browser I can use this certificate and mutual authentication goes ok.

• Anyconnect VPN Certificate-matching not working

  Cisco Adaptive Security Appliance Software Version 9.1(4); Device Manager Version 7.1(5)100; anyconnect-win-3.1.05152-k9.pkg
  Hello, I am trying to implement Certificate Matching for certain client profiles. However 'certificate matching' does not seem to work- another certificate is always selected instead for Anyconnect SSL VPN authentication.
  For example the client has two client-certificates installed: masin2 and masin3. I have configured the client-profile certificate-matching to use masin2 for authentication, but Anyconnect still chooses masin3 instead.
  The client-profile looks like this:
  <CertificateMatch>
              <KeyUsage>
                  <MatchKey>Key_Encipherment</MatchKey>
                  <MatchKey>Digital_Signature</MatchKey>
              </KeyUsage>
              <ExtendedKeyUsage>
                  <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
              </ExtendedKeyUsage>
              <DistinguishedName>
                  <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
                      <Name>CN</Name>
                      <Pattern>masin2</Pattern>
                  </DistinguishedNameDefinition>
              </DistinguishedName>
          </CertificateMatch>
  Any suggestions/ideas? thanks for any input,
  heiki.

  enabling wildcard did not help. also tried disabling/enabling automatic certificate selection- no luck.
  I have also tried with and without different keyusage and extendedkeyusage- no difference.
  The Client Profile is correctly updated on the client PC every time a change in made, but it seems like Anyconnect is not evaluating the Certificate Matching fields at all. And it seems like the problem is only with the CertificateMatch fields, because other fields are used as configured (for example: certificatestore, retainvpnonlogoff, usestartbeforelogon and so on).
  I even upgraded Anyconnect to the latest version 3.1.05160 and still- anyconnect completely ignores certificatematch configuration in client-profile.

• Wireless with PEAP Authentication not working using new NPS server

  All,
  We are planning to migrate from our old IAS server to new NPS server. We are testing the new NPS server with our wireless infrastructure using WISM. We are using PEAP with server Cert for authentication. For testing purpose we are doing user authentication but our goal is to do machine authentication. On client side we are using Windows XP, Windows 7 & iPAD’s
  I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
  But it is not working for me. I am getting the following error message on the NPS server.
  Error # 1
  =======
  Cryptographic operation.
  Subject:
              Security ID:                 SYSTEM
              Account Name:                       MADXXX
              Account Domain:                    AD
              Logon ID:                    0x3e7
  Cryptographic Parameters:
              Provider Name:          Microsoft Software Key Storage Provider
              Algorithm Name:         RSA
              Key Name:      XXX-Wireless-NPS
              Key Type:       Machine key.
  Cryptographic Operation:
              Operation:       Decrypt.
              Return Code:  0x80090010
  Error # 2
  ======
  An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
  I was wondering if anyone has any insight on what is going on.
  Thanks, Ds

  Scott,
  I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
  I  disabled validate Certificate on Windows 7 and tried to authenticate, it is still failing. Here is the output from the event viewer:
  Cryptographic operation.
  Subject:
  Security ID: SYSTEM
  Account Name: MADHFSVNPSPI01$
  Account Domain: AD
  Logon ID: 0x3e7
  Cryptographic Parameters:
  Provider Name: Microsoft Software Key Storage Provider
  Algorithm Name: RSA
  Key Name: DOT-Wireless-NPS
  Key Type: Machine key.
  Cryptographic Operation:
  Operation: Decrypt.
  Return Code: 0x80090010
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID: AD\mscdzs
  Account Name: AD\mscdzs
  Account Domain: AD
  Fully Qualified Account Name: AD\mscdzs
  Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: 64-ae-0c-00-de-f0:DOT
  Calling Station Identifier: a0-88-b4-e2-79-cc
  NAS:
  NAS IPv4 Address: 130.47.128.7
  NAS IPv6 Address: -
  NAS Identifier: WISM2B
  NAS Port-Type: Wireless - IEEE 802.11
  NAS Port: 29
  RADIUS Client:
  Client Friendly Name: WISM2B
  Client IP Address: 130.47.128.7
  Authentication Details:
  Connection Request Policy Name: Secure Wireless Connections
  Network Policy Name: Secure Wireless Connections
  Authentication Provider: Windows
  Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
  Authentication Type: PEAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 23
  Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
  Attached are EAP logs & debug logs from the controller.
  Thanks for all the help. I really appreciate.