Client Certificate Authentication

Hi guys
I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated get pushed.
We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
any help would be truly appreciated
Jesus

If IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
Users could go to the website of the issuing certificate authorities and make a request.
I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
I'll look further though (interested in this myself).
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Similar Messages

Project Server 2010 Web services access with Client Certificate Authentication

We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
web service applications that no longer connect to server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
Please let us know if it is possible to authenticate with AD FS 2.0 and then call
Project Server web services. Any help or coding examples would be greatly appreciated.

what is the error occurred when the custom PSI app connects?
can you upload the ULS logs here for research?
What is the user account format you specified in the code for authentication?
For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
'I:0#.w|mybusinessdomain\ewmccarty').
It requires you to manually call the UpnLogon method of
“Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{ var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity; }
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
Than you need to extract UPN-Claim from the identity.
Upload the verbose log if possible.
Did you see this?
http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

SOAP -Client Certificate Authentication in Receiver SOAP Adapter

Dear All,
We are working on the below scenario
SAP R/3 System -> XI/PI -> Proxy -> Customer
In this, SAP R/3 System sends a IDOC and XI should give that XML Payload of IDOC to Customer.
Cusomer gave us the WSDL file and also a Certificate for authentication.
Mapping - we are using XSLT mapping to send that XML payload as we need to capture the whole XML payload of IDOC into 1 field at the target end ( This was given in the WSDL).
Now, how can we achieve this Client Certificate authentication in the SOAP Receiver Adapter when we have Proxy server in between PI/XI and Customer system.
Require your inputs on Client Certificate authentication and Proxy server configuration.
Regards,
Srini

Hi
Look this blog
How to use Client Authentication with SOAP Adapter
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
Also refer to "SAP Security Guide XI" at service market place.
ABAP Proxy configuration
How do you activate ABAP Proxies?

Help required with ADFS 3.0 client certificate authentication

Hi,
I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
federate user credentials to 3rd party trust for single-sign-on.
I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
Thanks!
-Chinmaya Karve

Hi Yan,
Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
So, as I mentioned earlier, I have 2 parallel setups with 3rd party service(SalesForce). Once of them is running ADFS 2.0 and another one has ADFS 3.0. I can logon to the third-party services, from both the setups using username/format. I can logon to SF
using client authentication certificate from ADFS 2.0 setup, but from the same client machine, when I try to logon SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows message of "Select a certificate that you want to use
for authentication. If you cancel the operation, please close your browser and try again.".
I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
I am really confused now, as to whose issue this really is...
Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
Any suggestion or inputs where I could have gone wrong in the setup?
Thanks!

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

Client certificate authentication on ASA 5520

Hi,
We have configured certificate authentication for remote access IPSEC vpn and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'certificate management>CA certificates' window with a new ADSM trustpoint, or is there more steps?

Hi Paul,
I generate a PCKS#12 file that enclosed the client certificate + the associated private key + the CA certchain.
I deployed it on client host machine by juste sending it by e-mail/ USB key/ Web plushing.
Depending of your client OS version, the client certificate should be present in, the "login" store of keychain repository on a MAC OS-X client and in the "personal" store of the certificate repository on a Windows client.
And that it.
Vincent

Client certificate authentication fails when the CA list sent by server is big and the list goes in 2 encrypted messages.

I checked with IE browser(on windows and MAC) and MAC safari packet capture. The CA certificate list is sent by server in 2 messages as the list is too big. I compared packet by packet exchanges in both the browsers. It is same till TLSv1 handshake is done for the ldap certificate authentication. It works fine in IE without any issues though the certificate list is divided into 2 messages.
In case of safari, after the TLSv1 handshake is done successfully, it again sends a SSLv3 'Client Hello' message and initiates the whole handshake process again and the server responds to it too till the handshake is complete. But it brakes after that with the server showing 'Cant establish secure connection' at the browser.
The issue occurs only in case of MAC safari for big list of CA certs >150(where it crosses the max limit) from server. It is not clear why safari alone is switching from TLSv1 to SSLv3 in this scenario.
NOTE: With shorter list of CA certs at server when it goes in one message, safari works fine and all messages are only TLSv1 and does not repeat the handshake process.
I have checked on safari version 5 and 6.0.3 on OS X mountain lion.
Is there any specific reason why MAC safari behaves like this or somethings needs to be done at server?
Any help would be appreciated.

I checked with IE browser(on windows and MAC) and MAC safari packet capture. The CA certificate list is sent by server in 2 messages as the list is too big. I compared packet by packet exchanges in both the browsers. It is same till TLSv1 handshake is done for the ldap certificate authentication. It works fine in IE without any issues though the certificate list is divided into 2 messages.
In case of safari, after the TLSv1 handshake is done successfully, it again sends a SSLv3 'Client Hello' message and initiates the whole handshake process again and the server responds to it too till the handshake is complete. But it brakes after that with the server showing 'Cant establish secure connection' at the browser.
The issue occurs only in case of MAC safari for big list of CA certs >150(where it crosses the max limit) from server. It is not clear why safari alone is switching from TLSv1 to SSLv3 in this scenario.
NOTE: With shorter list of CA certs at server when it goes in one message, safari works fine and all messages are only TLSv1 and does not repeat the handshake process.
I have checked on safari version 5 and 6.0.3 on OS X mountain lion.
Is there any specific reason why MAC safari behaves like this or somethings needs to be done at server?
Any help would be appreciated.

Client Certificate Authentication not working in OSB 11g

Hi All,
I am currently having an issue with getting a 2 way SSL handshake to work in a production environment.
We have the set up working and fully functional in a Test environment, however when we have deployed the code and made the same config changes in the Production environment, it does nto work when calling the API (the result being as if we were not presenting the client cert to the API).
All relevant configuration on Weblogic and OSB was performed (Keystore creation / Security Realm - Service Key Provider / Service Key Providers etc) and I believe to be right.
We can test the keystore using SOAPUI and we get a valid response from the live API.
We can see the relevant aliases in OSB Service Key Provider so I know that the Security Realm / Identity settings are correct on the Weblogic Server.
The Test and Production Weblogic properties all look the same for Keystores / Secuirty Realms / SSL etc (expect with live keystores etc).
As we can see the aliases in OSB when setting up the Service Key Provider, it should just be a matter of setting the 'Authentication' of the business service making the call to 'Client Certificate' and this has also been done.
Though we always get an authentication error and code, that matched what we would get if we turn off the client cert authentication on the business service in the test environment (i.e not sending the certificate with the request).
What I really want to know is how can I find out for sure whether we are sending this certificate with our request or not? As I am struggling to find a way to log these details.
Any input appreciated.
Jamie

This is issue has now been resolved.
It was an environment specific issue rather than anything wrong with the actual code.

Client Certificate authentication doesn't work

Hi there,
I want to use client authentication to log on to a SAP WebAS ABAP. I did everything as described in Gregor Wolfs Blog: Setup Authentication with Client Certificates for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows
(my system is not a sneak preview and it is based on Linux).
When I call a BSP application, I can choose the client certificate in the browser, and everything seems to work. But at the end, the basic authentication dialog appears.
In the dev_icm trace, I can see, that there is a user extracted from the DN of the certificate. In the HTTP access log, the user is logged on.
All certificates are valid, no problem found.
Exept the view VUSREXTID didnt work, the user in the HTTP access log was always the one from the DN, not the mapped one. But both are valid.
Any idea?
Thank you,
Erik

Did you map the certificate and user in the transaction 'extid_dn' ?
Because the 'normal' pop-up for username and password is opened when the system cannot find a user mapped to the certificate...
Felix

Unable to achieve client certificate authentication

I am trying to do mutual certificate authentication (client/server authentication), and getting following error.
Anybody has any clue?
SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
My code is below.
import com.sun.net.ssl.HttpsURLConnection;
import java.security.cert.*;
import javax.net.ssl.*;
import java.security.*;
import java.net.URL;
import java.io.*;
import java.util.Enumeration;
public class ClientCert {
private static SSLSocketFactory getSocketFactory() {
SSLSocketFactory theFactory = null;
try {
// set up key manager to do server authentication
SSLContext theContext;
KeyManagerFactory theKeyManagerFactory;
KeyStore theKeyStore;
char[] thePassword = "goldy123".toCharArray();
theContext = SSLContext.getInstance("TLS");
theKeyManagerFactory = KeyManagerFactory.getInstance("SunX509");
theKeyStore = KeyStore.getInstance("JKS");
theKeyStore.load(new FileInputStream("c:/castore"), thePassword);
//java.security.cert.Certificate certi[] = theKeyStore.getCertificateChain("ca");
// System.out.println("Certificate "+certi.length);
theKeyManagerFactory.init(theKeyStore, thePassword);
KeyManager managers[] = theKeyManagerFactory.getKeyManagers();
theContext.init(managers, null, null);
theFactory = theContext.getSocketFactory();
return theFactory;
} catch (Exception e) {
System.err.println("Failed to create a server socket factory...");
e.printStackTrace();
return null;
public static void main(String[] args) {
try {
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
com.sun.net.ssl.HostnameVerifier hv=new com.sun.net.ssl.HostnameVerifier() {
public boolean verify(String urlHostname, String certHostname) {
return true;
HttpsURLConnection.setDefaultHostnameVerifier(hv);
URL mioUrl = new URL("https://viveksharma:9090/LoginPage.do?userName=root&password=password");
//URL mioUrl = new URL("https://www.verisign.com");
//SSLSocketFactory factory = getFactorySSLFromCert(mioCertFile ,mioCertPswd );
//HttpsURLConnection.setDefaultSSLSocketFactory(factory);
//System.setProperty("javax.net.ssl.keyStore","C:/castore");
//System.setProperty("javax.net.ssl.keyStorePassword","goldy123");
System.setProperty("javax.net.ssl.trustStore","C:/vivekstore");
System.setProperty("javax.net.ssl.trustStorePassword","goldy123");
HttpsURLConnection.setDefaultSSLSocketFactory(getSocketFactory());
HttpsURLConnection urlConn = (HttpsURLConnection)mioUrl.openConnection();
urlConn.connect();
//urlConn.setDoInput(true);
// urlConn.setUseCaches(false);
javax.security.cert.X509Certificate ch[] = urlConn.getServerCertificateChain();
System.out.println(ch[0]);
InputStreamReader streamIn = new InputStreamReader(urlConn.getInputStream());
BufferedReader in = new BufferedReader(streamIn);
String inputLine;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
} catch (Exception e) {
e.printStackTrace();

Hello guys!
I've had this problem twice (once with Tomcat server and once with OC4J -- Oracle 9iAS) and was able to resolve it.
First of, make sure that the certificate your client is passing is valid (I always use JKS format... i think its a must when using JSSE) and is in your server's truststore (and that you specify which truststore file for your server to look at in your config file).
Secondly, also import the root CA of your client cerficate (if it isn't there yet) to the cacert file in $JAVA_HOME/jre/lib/security.
Hope this helps.

How to handle Client Certificate authentication using URLRequest/URLLoader

Hi All,
I developed an AIR Application which communicates with a server. Protocol used for communication is HTTPS, and server has a valid certificate.
So whenever AIR App, communicates with the server, a dialogue box prompts to select the client certificate just as show below.
So here what I am looking at is, Any method is available to prevent this prompt.
I have already tried the method of Enabling "Dont Prompt for client certificate selection when only one certificate exists", Of course this method will work only if multiple certificate exists, so what if multiple certificate exists.
How an air application can handle that?
So any one find any way to handle this. I am using URLRequest for commnicating with server.
Here is the code snippet I have used.
var request:URLRequest = new URLRequest(url);
request.method = URLRequestMethod.GET;
var urlLoader:URLLoader = new URLLoader();
urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
urlLoader.addEventListener(Event.COMPLETE, loaderCompleteHandler)
urlLoader.addEventListener(Event.OPEN, openHandler);
urlLoader.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
urlLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
urlLoader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);//, false, 0, true);
Please help me...
Thanks
Sanal

Yes it is possible. Refer
Using Certificates for Authentication [http://docs.sun.com/app/docs/doc/820-7985/ginbp?l=en&a=view]
SSL Authentication section in [http://docs.sun.com/app/docs/doc/820-7985/gdesn?l=en&a=view]
client-auth element in server.xml [http://docs.sun.com/app/docs/doc/820-7986/gaifo?l=en&a=view]
certmap.conf [http://docs.sun.com/app/docs/doc/820-7986/abump?l=en&a=view]
certmap.conf should have verifycert "on", and lets say this certmap is called "cmverify" :
certmap cmverify default
cmverify:DNComps
cmverify:FilterComps uid
cmverify:verifycert onIn serve.xml we should have <client-auth> "required" and lets say we have an auth-db named "ldapregular":
<http-listener>...
<ssl>...
 <client-auth>required</client-auth>
</ssl>
</http-listener>
<auth-db>
<name>ldapregular</name><url>ldap://myldap:369/o%3DTestCentral</url>
<property><name>binddn</name><value>cn=Directory Manager</value></property>
<property><name>bindpw</name><value...</value><encoded/></property>
</auth-db>In ACL file we should have method = "ssl", database = "ldapregular" and certmap = "cmverify" :# clientauth against LDAP database with special certmap which has verifyCert on
acl "uri=/";
authenticate (user,group) {
 prompt = "Enterprise Server";
 method = "ssl";
 database = "ldapregular";
 certmap = "cmverify";
deny (all) user = "anyone";
allow (all) user = "alpha,beta,gamma";

Activesync client Certificate authentication with third party CA

Hi, I have to configure ActiveSync certificate based authentication, and use a third party CA.
What informations and fields must I configure on the cert template, to use it for activesync ?
For now I've a template with the CN (FirstName LastName) for the Subject Name and a Subject Alternative name with UserPrincipalName (user@domain). Is it enough ?
Do I must publish the user's certificate in AD ?
Thanks

Just one additional thing to consider, as I have seen it go wrong in the past.
Make sure that whatever certificate solution you decide upon will be suitable for your internal clients (Outlook) as well as autodiscover, external name, etc.
I have seen where people put in mail.domain.com in the SAN field, and everything works great for external clients. However, internal clients who connect to
mbx01.domain.com (the internal server name) get errors, as this server name is not on the certificate.
To make this work, you generally have two options:
Put the internal name of the server on the certificate as well - requires a certificate that allows multiple names (may be referred to as a
UC certificate or 'SAN Options' or something like that, depending on vendor)
Setup split-DNS, so your internal clients also use mail.domain.com
internally
I realize that this doesn't answer your original question, but I have seen this being done wrong many times, and this will hopefully save some headache.

Authentication using Client Certificates

Has anyone implmented client certificate authentication where after user has entered her certificate id/pwd they get direct access to the portal without getting the portal logon page again.
I am using EP6 SP2, i get the request for client certficates but after that i get directed to the portal form based logon page. How do i bypass this and gain access to the portal.
regards
anton

Hi Kyle,
Here is my authscheme.xml file....i placed the CreateTicketLoginModule after the CertLoginModule but it didnt work. Have i done this correctly. By the way i am using EP6sp2 J2EE 6.20 pl 28
thanks anton
authschemes>
 
 <authscheme name="uidpwdlogon">
 
 <loginmodule>
 <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
 <controlFlag>SUFFICIENT</controlFlag>
 <options></options>
 </loginmodule>
 <loginmodule>
 <loginModuleName>com.sap.security.core.logon.imp.CreateTicketLoginModule</loginModuleName>
 <controlFlag>SUFFICIENT</controlFlag>
 <options></options>
 </loginmodule>
 <loginmodule>
 <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
 
 <controlFlag>REQUISITE</controlFlag>
 <options></options>
 </loginmodule>
 <loginmodule>
 <loginModuleName>com.sap.security.core.logon.imp.CertPersisterLoginModule</loginModuleName>
 <controlFlag>REQUIRED</controlFlag>
 <options></options>
 </loginmodule>
 <priority>21</priority>
 
 <frontendtype>2</frontendtype>
 
 <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
 </authscheme>
 <authscheme name="certlogon">
 <loginmodule>
 <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
 <controlFlag>REQUISITE</controlFlag>
 <options></options>
 </loginmodule>
 <priority>20</priority>
 <frontendtype>2</frontendtype>
 <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
 </authscheme>
 <authscheme name="basicauthentication">
 <loginmodule>
 <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
 <controlFlag>REQUIRED</controlFlag>
 <options></options>
 </loginmodule>
 <priority>20</priority>
 <frontendtype>2</frontendtype>
 <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
 </authscheme>
 <authscheme name="header">
 <loginmodule>
 <loginModuleName>com.sap.security.core.logon.imp.HeaderVariableLoginModule</loginModuleName>
 <controlFlag>OPTIONAL</controlFlag>
 <options>Header=remote-user</options>
 </loginmodule>
 <priority>5</priority>
 <frontendtype>2</frontendtype>
 <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
 </authscheme>
 <authscheme name="guest">
 <loginmodule>
 <loginModuleName>com.sap.security.core.logon.imp.AnonymousLoginModule</loginModuleName>
 <controlFlag>OPTIONAL</controlFlag>
 <options></options>
 </loginmodule>
 <priority>1</priority>
 <frontendtype>2</frontendtype>
 <frontendtarget>com.sap.portal.runtime.logon.anonymous</frontendtarget>
 </authscheme>
 
 <authscheme name="anonymous">
 <priority>-1</priority>
 </authscheme>
 </authschemes>
 
 <authscheme-refs>
 <authscheme-ref name="default">
 <authscheme>uidpwdlogon</authscheme>
 </authscheme-ref>
 </authscheme-refs>
 <authscheme-refs>
 <authscheme-ref name="UserAdminScheme">
 <authscheme>uidpwdlogon</authscheme>
 </authscheme-ref>
 </authscheme-refs>
</document>

HTTP Error 403.16 - Forbidden, Your client certificate is either not trusted or is invalid.

Dear Experts,
I have tried mutual authentication with sample website as per below link:
http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/#comment-19427
1. Created a Root certificate, client and server certificate based on this root certificate by using Makecert command as per below link:
2. Import these certificates in Trusted Root Certification authority of both the stores (Local and Current user)
3. Created a sample website with HTML page
4.Hosted this website in IIS with HTTPS binding and selected the above server certifcate
5. Enabled "Require SSL" and selected "Require" under SSL settings of website
6. Exported the client certificate in base64 format --> Edited in notepad --> made the key into single line
7. Placed the above key under Configuration editor --> system.webServer/security/authentication/iisClientCertificateMappingAuthentication --> one to one mapping with user credentials.
8. I tried to access the website
But, I ended with below error :(
HTTP Error 403.16 - Forbidden
Your client certificate is either not trusted or is invalid.
Detailed Error Information:
Module    IIS Web Core
Notification    BeginRequest
Handler    ExtensionlessUrlHandler-Integrated-4.0
Error Code    0x800b0109
Requested URL    https://localhost:443/
Physical Path    E:\SampleRoot
Logon Method    Not yet determined
Logon User    Not yet determined
Could you please let me know what I missed here.
Note:
I am using windows8, IIS8.0.
Thanks in advance.
Regards,
M. Prasad Reddy.

Hi Prasad,
As per this case, I have been shared the corresponding details below
1.First of all,make sure that you import the certificate whether it belongs to Trusted RootCertification or not .
    If that is the case ,Goto Microsoft Management Console (MMC), open the Certificates snap-in.
    For instance, the certificate store that WCF is configured to retrieve X.509 certificates from, select the Trusted RootCertification Authoritiesfolder. Under the Trusted Root Certification Authorities folder, right-click the Certificatesfolder,
point to All Tasks, and then click Import.
2.you configured the server certificate as well, But check the client certificate whether have root certificate or not by following command?
makecert -pe -n "CN=SSLClientAuthClient"
         -eku 1.3.6.1.5.5.7.3.2 -is root -ir localmachine -in WebSSLTestRoot
         -ss my -sr currentuser -len 2048
3. Also check the Service Certificate whether its configured on the WCF Service side
4.Make sure that you followed all the steps are done correctly from your given referred link below
http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/#comment-19427
5.Besides, please try to set the require SSL as ignore to see if you can access the website.
If the above details cannot able to resolve this issue, please post your config file here.

Using X.509 Client Certificates - SAP ABAP Webgui (SSL)

Hello,
current runs the integrated ITS (Webgui). We now want the smart card and have adapted to the configuration:
RZ10:
icm/server_port_0=PROT=HTTPS,PORT=1443,TIMEOUT=180
icm/HTTPS/verify_client=2
table USREXTID: C=DE,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,emailAddress=xxx
smart card certification -> firefox 2.x and IE 7.x install.
SICF: Webgui Service -> Login with Client Certificate
The test (with IE or Firefox) was unsuccessful.
SMICM Trace:
[Thr 5708] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] << -
End of Secude-SSL Errorstack -
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
[Thr 5708] ->> SapSSLErrorName(rc=-56)
[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1777]
[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
What should I do now?
Thanks, Silke
Full Trace:
sysno 02
sid RD1
systemid 560 (PC with Windows NT)
relno 7000
patchlevel 0
patchno 148
intno 20050900
make: multithreaded, ASCII, optimized
pid 5468
[Thr 5416] started security log to file dev_icm_sec
[Thr 5416] ICM running on: sdatu100.pvw.tu-darmstadt.de
[Thr 5416] MtxInit: 30001 0 2
[Thr 5416] IcmInit: listening to admin port: 65000
[Thr 5416] DpSysAdmExtCreate: ABAP is active
[Thr 5416] DpSysAdmExtCreate: VMC (JAVA VM in WP) is not active
[Thr 5416] DpShMCreate: sizeof(wp_adm) 13576 (1044)
[Thr 5416] DpShMCreate: sizeof(tm_adm) 36258120 (18120)
[Thr 5416] DpShMCreate: sizeof(wp_ca_adm) 18000 (60)
[Thr 5416] DpShMCreate: sizeof(appc_ca_adm) 6000 (60)
[Thr 5416] DpCommTableSize: max/headSize/ftSize/tableSize=2000/8/2112040/2112048
[Thr 5416] DpShMCreate: sizeof(comm_adm) 2112048 (1048)
[Thr 5416] DpSlockTableSize: max/headSize/ftSize/fiSize/tableSize=0/0/0/0/0
[Thr 5416] DpShMCreate: sizeof(slock_adm) 0 (96)
[Thr 5416] DpFileTableSize: max/headSize/ftSize/tableSize=0/0/0/0
[Thr 5416] DpShMCreate: sizeof(file_adm) 0 (72)
[Thr 5416] DpShMCreate: sizeof(vmc_adm) 0 (1296)
[Thr 5416] DpShMCreate: sizeof(wall_adm) (224040/329544/56/100)
[Thr 5416] DpShMCreate: sizeof(gw_adm) 48
[Thr 5416] DpShMCreate: SHM_DP_ADM_KEY (addr: 028C0040, size: 38968448)
[Thr 5416] DpShMCreate: allocated sys_adm at 028C0040
[Thr 5416] DpShMCreate: allocated wp_adm at 028C1B30
[Thr 5416] DpShMCreate: allocated tm_adm_list at 028C5038
[Thr 5416] DpShMCreate: allocated tm_adm at 028C5068
[Thr 5416] DpShMCreate: allocated wp_ca_adm at 04B591B0
[Thr 5416] DpShMCreate: allocated appc_ca_adm at 04B5D800
[Thr 5416] DpShMCreate: allocated comm_adm at 04B5EF70
[Thr 5416] DpShMCreate: system runs without slock table
[Thr 5416] DpShMCreate: system runs without file table
[Thr 5416] DpShMCreate: allocated vmc_adm_list at 04D629A0
[Thr 5416] DpShMCreate: allocated gw_adm at 04D629E0
[Thr 5416] DpShMCreate: system runs without vmc_adm
[Thr 5416] DpShMCreate: allocated ca_info at 04D62A10
[Thr 5096] IcmProxyWatchDog: proxy watchdog started
[Thr 5416] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
[Thr 5416] IcmCreateWorkerThreads: created worker thread 0
[Thr 5416] IcmCreateWorkerThreads: created worker thread 1
[Thr 5416] IcmCreateWorkerThreads: created worker thread 2
[Thr 5416] IcmCreateWorkerThreads: created worker thread 3
[Thr 5416] IcmCreateWorkerThreads: created worker thread 4
[Thr 5416] IcmCreateWorkerThreads: created worker thread 5
[Thr 5416] IcmCreateWorkerThreads: created worker thread 6
[Thr 5416] IcmCreateWorkerThreads: created worker thread 7
[Thr 5416] IcmCreateWorkerThreads: created worker thread 8
[Thr 5416] IcmCreateWorkerThreads: created worker thread 9
[Thr 4352] IcmWatchDogThread: watchdog started
[Thr 5672] =================================================
[Thr 5672] = SSL Initialization on PC with Windows NT
[Thr 5672] = (700_REL,Mar 25 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 5672] profile param "ssl/ssl_lib" = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
 resulting Filename = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
[Thr 5672] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 18 2005) MT-safe
[Thr 5672] = current UserID: SDATU100\SAPServiceRD1
[Thr 5672] = found SECUDIR environment variable
[Thr 5672] = using SECUDIR=D:\usr\sap\RD1\DVEBMGS02\sec
[Thr 5672] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLC.pse" not found,
[Thr 5672] = using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
[Thr 5672] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLA.pse" not found,
[Thr 5672] = using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
[Thr 5672] ******** Warning ********
[Thr 5672] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 5672] *** -- this will probably limit SSL-client side connectivity
[Thr 5672] ********
[Thr 5672] = Success -- SapCryptoLib SSL ready!
[Thr 5672] =================================================
[Thr 5672] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no
X.509 cert data will be removed from header [http_plg.c 720]
[Thr 5672] ISC: created 400 MB disk cache.
[Thr 5672] ISC: created 50 MB memory cache.
[Thr 5672] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
[Thr 5672] HttpExtractArchive: files from archive D:\usr\sap\RD1\SYS\exe\run/icmadmin.SAR in directory D:/usr/sap/RD1/DVEBMGS02/
[Thr 5672] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0
[Thr 5672] CsiInit(): Initializing the Content Scan Interface
[Thr 5672] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/32/32)
[Thr 5672] CsiInit(): CSA_LIB = "D:\usr\sap\RD1\SYS\exe\run\sapcsa.dll"
[Thr 5672] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0
[Thr 5672] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=3, flags=1052677) for /:0
[Thr 5672] Started service 1443 for protocol HTTPS on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=9
[Thr 5672] Started service 25000 for protocol SMTP on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=8
[Thr 5672] Tue Jul 15 14:38:37 2008
[Thr 5672] *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c 4578]
[Thr 5672] *** WARNING => IcmNetCheck: 1 possible network problems detected - please check the network/DNS settings [icxxman.c
[Thr 3932] Tue Jul 15 14:39:32 2008
[Thr 3932] *** WARNING => IcmCallAllSchedules: Schedule func 1 already running - avoid recursion [icxxsched.c 430]
[Thr 5416] Tue Jul 15 14:40:23 2008
[Thr 5416] IcmSetParam: Switched trace level to: 3
[Thr 5416] *
[Thr 5416] * SWITCH TRC-LEVEL to 3
[Thr 5416] *
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 5416] NiIWrite: hdl 3 sent data (wrt=80,pac=1,MESG_IO)
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
[Thr 5416] NiBufISelProcess: hdl 9 process r-
[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
[Thr 5416] NiBufIIn: NIBUF len=72
[Thr 5416] NiBufIIn: packet complete for hdl 9
[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: ---
[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
[Thr 5416]
NiBufReceive starting
[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
[Thr 5416] IcmRecMsg: received 72 bytes
[Thr 5416] ============================================
[Thr 5416] | COM_DATA:
[Thr 5416] | Offset: 0 | Version: 7000
[Thr 5416] | MsgNo: 2 | Opcode: ICM_COM_OP_ICM_MONITOR (66)
[Thr 5416] ============================================
[Thr 5416] IcmHandleAdmMsg: op: 66
[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
[Thr 5416] NiBufDup: ref 1 for buf 0252CE50
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 13
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 4392] IcmWorkerThread: worker 3 got the semaphore
[Thr 4392] REQUEST:
 Type: ADMMSG Index = 12
[Thr 4392] NiBufFree: ref 1 for buf 0252CE50
[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
[Thr 4392] MPI<a>0#5 GetInbuf -1 138968 440 (1) -> 6
[Thr 4392] IcmHandleMonitorMessage: called with opcode: 100
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 4392] MPI<9>1#4 GetOutbuf -1 1489a0 65536 (0) -> 05348A00 0
[Thr 4392] MPI<a>0#6 FreeInbuf#2 0 138968 0 -> 0
[Thr 4392] MPI<9>1#5 FlushOutbuf l-1 1 1 1489a0 1104 6 -> 053489E0 0
[Thr 4392] IcmWorkerThread: Thread 3: Waiting for event
[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
[Thr 5416] NiBufISelProcess: hdl 9 process r-
[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
[Thr 5416] NiBufIIn: NIBUF len=72
[Thr 5416] NiBufIIn: packet complete for hdl 9
[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: ---
[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
[Thr 5416]
NiBufReceive starting
[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
[Thr 5416] IcmRecMsg: received 72 bytes
[Thr 5416] ============================================
[Thr 5416] | COM_DATA:
[Thr 5416] | Offset: 0 | Version: 7000
[Thr 5416] | MsgNo: 2 | Opcode: ICM_COM_OP_ICM_MONITOR (66)
[Thr 5416] ============================================
[Thr 5416] IcmHandleAdmMsg: op: 66
[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
[Thr 5416] NiBufDup: ref 1 for buf 0252CE50
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 14
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 5784] IcmWorkerThread: worker 4 got the semaphore
[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
[Thr 5416] NiBufFree: ref 1 for buf 0252CE50
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5784] REQUEST:
 Type: ADMMSG Index = 13
[Thr 5784] MPI<c>0#5 GetInbuf -1 1489a0 440 (1) -> 6
[Thr 5784] IcmHandleMonitorMessage: called with opcode: 100
[Thr 5784] MPI1#4 GetOutbuf -1 138968 65536 (0) -> 053389C8 0
[Thr 5784] MPI<c>0#6 FreeInbuf#2 0 1489a0 0 -> 0
[Thr 5784] MPI1#5 FlushOutbuf l-1 1 1 138968 1104 6 -> 053389A8 0
[Thr 5784] IcmWorkerThread: Thread 4: Waiting for event
[Thr 4352] Tue Jul 15 14:40:26 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 5416] Tue Jul 15 14:40:29 2008
[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
[Thr 5416] IcmExternalLogin: Connection request from Client received
[Thr 5416] NiIAccept: hdl 6 accepted connection
[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8076 (I4; ST)
[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1305
[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 3 sec
[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 15
[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
[Thr 3932] IcmWorkerThread: worker 5 got the semaphore
[Thr 3932] REQUEST:
 Type: ACCEPT CONNECTION Index = 14
[Thr 3932] CONNECTION (id=1/8):
 used: 1, type: 1, role: 1, stateful: 0
 NI_HDL: 8, protocol: HTTPS(2)
 local host: 130.83.89.22:1443 ()
 remote host: 192.168.1.3:1305 ()
 status: NOP
 connect time: 15.07.2008 14:40:29
 MPI request: <0> MPI response: <0>
 request_buf_size: 0 response_buf_size: 0
 request_buf_used: 0 response_buf_used: 0
 request_buf_offset: 0 response_buf_offset: 0
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 3932] MPI:1 create pipe 052002C0 1
[Thr 3932] MPI<d>1#1 Open( ANONYMOUS 1 1 ) -> 1
[Thr 3932] MPI<d>1#2 Open( ANONYMOUS 1 0 ) -> 1
[Thr 3932] MPI:0 create pipe 05200180 1
[Thr 3932] MPI<e>0#1 Open( ANONYMOUS 0 0 ) -> 0
[Thr 3932] MPI<e>0#2 Open( ANONYMOUS 0 1 ) -> 0
[Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 3932] <<- SapSSLSessionInit()==SAP_O_K
[Thr 3932] in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
[Thr 3932] out: sssl_hdl = 003FFBC0
[Thr 3932] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
[Thr 3932] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 3932] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1305
[Thr 3932] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
[Thr 3932] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 3932] SapISSLServerCacheExpiration(): Calling ServerCacheCleanup() (lifetime=900)
[Thr 3932] SapISSLServerCacheExpiration(srv,"D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse"): Cache max/before/now = 5000/1/1
[Thr 5096] Tue Jul 15 14:40:32 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)
[Thr 4352] Tue Jul 15 14:40:36 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmCheckForBlockedThreads: check for blocked SSL-threads
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 5096] Tue Jul 15 14:40:42 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)
[Thr 3932] Tue Jul 15 14:40:45 2008
[Thr 3932] peer has closed connection
[Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED
[Thr 3932] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
[Thr 3932] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
[Thr 3932] NiICloseHandle: shutdown and close hdl 8 / sock 8076
[Thr 3932] MPI<d>1#3 Close( 1 ) del=0 -> 0
[Thr 3932] MPI<d>1#5 Delete( 1 ) -> 0
[Thr 3932] MPI<d>1#4 Close( 1 ) del=1 -> 0
[Thr 3932] MPI<e>0#3 Close( 0 ) del=0 -> 0
[Thr 3932] MPI<e>0#5 Delete( 0 ) -> 0
[Thr 3932] MPI<e>0#4 Close( 0 ) del=1 -> 0
[Thr 3932] IcmConnFreeContext: context 1 released
[Thr 3932] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 3932] IcmWorkerThread: Thread 5: Waiting for event
[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
[Thr 5416] IcmExternalLogin: Connection request from Client received
[Thr 5416] NiIAccept: hdl 6 accepted connection
[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8092 (I4; ST)
[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1309
[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
[Thr 5416] IcmConnCheckStoredClientConn: check for client conn timeout
[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 60 sec
[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 16
[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
[Thr 5708] IcmWorkerThread: worker 6 got the semaphore
[Thr 5708] REQUEST:
 Type: ACCEPT CONNECTION Index = 15
[Thr 5708] CONNECTION (id=1/9):
 used: 1, type: 1, role: 1, stateful: 0
 NI_HDL: 8, protocol: HTTPS(2)
 local host: 130.83.89.22:1443 ()
 remote host: 192.168.1.3:1309 ()
 status: NOP
 connect time: 15.07.2008 14:40:45
 MPI request: <0> MPI response: <0>
 request_buf_size: 0 response_buf_size: 0
 request_buf_used: 0 response_buf_used: 0
 request_buf_offset: 0 response_buf_offset: 0
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5708] MPI:0 create pipe 05200180 1
[Thr 5708] MPI<f>0#1 Open( ANONYMOUS 0 1 ) -> 0
[Thr 5708] MPI<f>0#2 Open( ANONYMOUS 0 0 ) -> 0
[Thr 5708] MPI:1 create pipe 052002C0 1
[Thr 5708] MPI<10>1#1 Open( ANONYMOUS 1 0 ) -> 1
[Thr 5708] MPI<10>1#2 Open( ANONYMOUS 1 1 ) -> 1
[Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 5708] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5708] in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
[Thr 5708] out: sssl_hdl = 003FFBC0
[Thr 5708] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 5708] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1309
[Thr 5708] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
[Thr 5708] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5708] NiIHdlGetStatus: hdl 8 / sock 8092 ok, data pending (len=1)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 5708] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
[Thr 5708] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 5708] SecudeSSL_SessionStart: SSL_accept() failed --
secude_error 536871698 (0x20000312) = "the client did not send a certificate handshake message for its authentication and we c
[Thr 5708] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] << -
End of Secude-SSL Errorstack -
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
[Thr 5708] ->> SapSSLErrorName(rc=-56)
[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1777]
[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
[Thr 5708] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
[Thr 5708] NiICloseHandle: shutdown and close hdl 8 / sock 8092
[Thr 5708] MPI<f>0#3 Close( 0 ) del=0 -> 0
[Thr 5708] MPI<f>0#5 Delete( 0 ) -> 0
[Thr 5708] MPI<f>0#4 Close( 0 ) del=1 -> 0
[Thr 5708] MPI<10>1#3 Close( 1 ) del=0 -> 0
[Thr 5708] MPI<10>1#5 Delete( 1 ) -> 0
[Thr 5708] MPI<10>1#4 Close( 1 ) del=1 -> 0
[Thr 5708] IcmConnFreeContext: context 1 released
[Thr 5708] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 5708] IcmWorkerThread: Thread 6: Waiting for event
[Thr 4352] Tue Jul 15 14:40:46 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmQueueAppend: queuelen: 1
[Thr 4352] IcmCreateRequest: Appended request 17
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 4196] IcmWorkerThread: worker 7 got the semaphore
[Thr 4196] REQUEST:
 Type: SCHEDULER Index = 16
[Thr 4196] IcmGetSchedule: found slot 0
[Thr 4196] IcmAlReportData: Reporting data to CCMS Alerting Infrastructure
[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
[Thr 4196] IcmConnCheckStoredClientConn: next client timeout check in 59 sec
[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
[Thr 4196] IcmGetServicePtr: new serv_ref_count: 2
[Thr 4196] PlugInHandleAdmMessage: request received:
[Thr 4196] PlugInHandleAdmMessage: opcode: 136, len: 272, dest_type: 2, subhdlkey: 262145
[Thr 4196] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=4, header_len=0
[Thr 4196] HttpCacheHandler: 4 0 006BBBC4 00000000
[Thr 4196] SCACHE: adm request received:
[Thr 4196] SCACHE: opcode: 136, len: 272, dest_type: 2, dest:
[Thr 4196] MTX_LOCK 3038 00ADEE88
[Thr 4196] MTX_UNLOCK 3051 00ADEE88
[Thr 4196] IctCmGetCacheInfo#5 -> 0
[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48, blocks used: 1
[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48
[Thr 4196] IcmNetBufFree: free netbuf: 00AD2B48 out of 1 used
[Thr 4196] IcmConnFreeContext: context 1 released
[Thr 4196] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 4196] IcmGetSchedule: next schedule in 30 secs
[Thr 4196] IcmWorkerThread: Thread 7: Waiting for event
[Thr 5096] Tue Jul 15 14:40:52 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)

>
silke kubelka wrote:
> SMICM-Log:
>
*** No SSL-client PSE "SAPSSLC.pse" available
>
*** this will probably limit SSL-client side connectivity
>
> is this a problem?
Well, since you want to enable the certificate-based user authentication (where your ABAP server is in the role of the SSL server) this does not matter. But if you intend to use your NWAS ABAP as SSL client (for outbound https communication) then it will matter. To resolve this problem you simply create an SSL Client PSE using transaction STRUST.
Once you've managed to [configure your NWAS ABAP for SSL,|https://service.sap.com/sap/support/notes/510007] you should see (in the ICM trace) that a X.509 client certificate was received. If the certificate-based logon does not succeed, then it's most likely due to some mapping problems - those can be analysed by using the tracing approach described in [note 495911|https://service.sap.com/sap/support/notes/495911].
If you need assistance in enabling the X.509 client certificate authentication you should submit an inquiry to SAP (message component BC-SEC-LGN).
Best regards,
Wolfgang

Client Certificate Authentication

Similar Messages

Maybe you are looking for