Client side authentication, 2 sided SSL

Hi,
Is using client-side SSL authentication effective when working (via web service) with a load balancer (SSL termination) that passes requests to a server connected to it?
Is this OK? Is it considered a best practice? Does the client-side certificate add any security?
THANKS!

I agree with you sabre150. However, I was restricting my comments to the authentication part of Access Control (which I once defined in a book as being a three-part protocol dance, where every part is related, but independent):
1) Identification - where someone claims to be somebody who needs access to a resource;
2) Authentication - where that someone has to prove they are who they claim to be; and
3) Authorization - where the system determines if that authenticated entity is authorized to access the resource.
Sending the Client SSL certificate is Identification (anyone can do this so it doesn't prove anything). Digitally signing the nonce sent by the server is the proof (and the Authentication part of the dance). Verifying authorization is completely separate from the authentication part of the decision (which is what you referred to).
Many people confuse all three steps as "authentication" because it happens seamlessly on most systems; but in reality, they are distinct parts that can be interchanged - you can use a username-string as an identifier, a password as an authenticator and a UNIX group membership for authorization. You can also use an LDAP DN as an identifier, a digital signature as an authenticator and an XACML rule-set for authorization - and so on.
In the end, a system must do all three parts of the dance to provide access to protected resources; SSL ClientAuth focuses on only the authentication part of the dance; and for SSL ClientAuth to be considered secure, the protection of the Private Key becomes the single most important determinant. Everything after the verification of the digital signature is an authorization decision (which you pointed out).
(Sorry for the long answer, but I often make mistaken assumptions that cause me to write more cryptically than I should).
Arshad Noor
StrongAuth, Inc.
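The three-part dance described above, carried through in code. This is an added example, not code from the post or from StrongAuth: it mints a throw-away CA and client certificate (the names "Example Test CA" and "alice", the 32-byte nonce and the ACL are constructed for the demo) and then, on the server side, validates the chain (identification), verifies a signature over a fresh nonce (authentication, the step TLS performs in CertificateVerify) and only then consults the ACL (authorization). An identity that holds the certificate but not the private key fails at step 2, and a signature replayed against a new nonce fails as well.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus, optionally, its private key (nil when the
// holder only captured the public certificate).
type Identity struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// Mint creates a throw-away certificate for this demo (hypothetical names):
// a self-signed CA when parent is nil, otherwise a client-auth leaf signed by parent.
func Mint(cn string, serial int64, parent *Identity) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	parentCert, signer := tmpl, key // self-signed
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}, err
}

// Nonce is the server's fresh challenge. Reusing one would let a captured
// signature replay; TLS gets the same freshness from the handshake transcript.
func Nonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// ProveKey is the client's half of authentication: sign the server's nonce.
// It fails for an identity that holds only the public certificate.
func (id *Identity) ProveKey(nonce []byte) ([]byte, error) {
	if id.Key == nil {
		return nil, errors.New("no private key: cannot prove possession")
	}
	h := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, id.Key, crypto.SHA256, h[:])
}

var ACL = map[string][]string{"alice": {"/orders"}} // constructed sample authorization data

// AccessDecision is the server side of the three-part dance.
func AccessDecision(root, peer *x509.Certificate, nonce, sig []byte, resource string) error {
	// 1. Identification: the peer claims to be peer.Subject. Anyone can send a public
	//    certificate, so this only establishes that a CA we trust vouches for the name.
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("identification: %w", err)
	}
	subject := peer.Subject.CommonName
	// 2. Authentication: the signature over the nonce proves possession of the
	//    private key, which is what TLS checks in CertificateVerify.
	if err := peer.CheckSignature(x509.SHA256WithRSA, nonce, sig); err != nil {
		return fmt.Errorf("authentication: %q did not prove key possession: %w", subject, err)
	}
	// 3. Authorization: a separate decision about the now-authenticated subject.
	for _, r := range ACL[subject] {
		if r == resource {
			return nil
		}
	}
	return fmt.Errorf("authorization: %q is authenticated but may not access %s", subject, resource)
}

func main() {
	ca, _ := Mint("Example Test CA", 1, nil)
	alice, _ := Mint("alice", 2, ca)
	nonce, _ := Nonce()
	sig, _ := alice.ProveKey(nonce)
	fmt.Println("alice -> /orders:", AccessDecision(ca.Cert, alice.Cert, nonce, sig, "/orders"))
	fmt.Println("alice -> /admin: ", AccessDecision(ca.Cert, alice.Cert, nonce, sig, "/admin"))
	_, err := (&Identity{Cert: alice.Cert}).ProveKey(nonce) // certificate without its key
	fmt.Println("cert only:", err)
}
```

One caveat that bears on the original question about a TLS-terminating load balancer: when the balancer terminates the connection, steps 1 and 2 happen on the balancer, and the backend sees only whatever identity the balancer chooses to forward (typically a header). That forwarded identity is worth something only if the backend can be sure it came from the balancer and from nowhere else; a header any caller on the internal network can set is just a username string, i.e. identification without authentication.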

Similar Messages

  • Having problem with client side Authentication.

    Hi,
    I am having a problem enabling client side authentication with SSL on
    weblogic 5.1.
    I have set up the .properties files as explained, however it appears
    my client is not sending a certificate back to the server. The same
    client however works perfectly (using the same keystore file) with a
    sample ClassFileServer webserver from the jsse distribution. (the
    client is a very slightly modified version of
    SSLSocketClientWithClientAuth sample that comes with Jsse)
    Below I've included a section of the debug dump from the interactions.
    The only other difference I can see is the cipher suites offered by
    the servers.
    Weblogic offers type 0 or 9, and agrees on type 9
    (SSL_RSA_WITH_DES_CBC_SHA), whereas ClassFileServer offer type 0 or 5
    and settles on type 5 (SSL_RSA_WITH_RC4_128_SHA).
    I am using the same keystore for both examples. Both servers request
    an RSA client cert.... I'm out of ideas.
    Any help would be gratefully received.
    Cheers,
    Keith
    Debug dump information
    =====================================
    1/Weblogic server.
    *** CertificateRequest
    Cert Types: RSA,
    Cert Authorities:
    <CN=K H, OU=itsmobile, O=itsmobile, L=Dublin, ST=Dublin, C=ie>
    <EMAILADDRESS=support@bea.com, CN=Demo Certificate Authority,
    OU=Security, O=BEA WebLogic, L=San Francisco, ST=California, C=US>
    <CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification,
    ST=FOR TESTING PURPOSES ONLY, C=ZA>
    [read] MD5 and SHA1 hashes: len = 427
    0000: 0D 00 01 A7 01 01 01 A3 00 67 30 65 31 0B 30 09   .........g0e1.0.
    0010: 06 03 55 04 06 13 02 69 65 31 0F 30 0D 06 03 55   ..U....ie1.0...U
    0020: 04 08 13 06 44 75 62 6C 69 6E 31 0F 30 0D 06 03   ....Dublin1.0...
    0030: 55 04 07 13 06 44 75 62 6C 69 6E 31 12 30 10 06   U....Dublin1.0..
    0040: 03 55 04 0A 13 09 69 74 73 6D 6F 62 69 6C 65 31   .U....itsmobile1
    0050: 12 30 10 06 03 55 04 0B 13 09 69 74 73 6D 6F 62   .0...U....itsmob
    0060: 69 6C 65 31 0C 30 0A 06 03 55 04 03 13 03 4B 20   ile1.0...U....K 
    0070: 48 00 AC 30 81 A9 31 0B 30 09 06 03 55 04 06 13   H..0..1.0...U...
    0080: 02 55 53 31 13 30 11 06 03 55 04 08 13 0A 43 61   .US1.0...U....Ca
    0090: 6C 69 66 6F 72 6E 69 61 31 16 30 14 06 03 55 04   lifornia1.0...U.
    00A0: 07 13 0D 53 61 6E 20 46 72 61 6E 63 69 73 63 6F   ...San Francisco
    00B0: 31 15 30 13 06 03 55 04 0A 13 0C 42 45 41 20 57   1.0...U....BEA W
    00C0: 65 62 4C 6F 67 69 63 31 11 30 0F 06 03 55 04 0B   ebLogic1.0...U..
    00D0: 13 08 53 65 63 75 72 69 74 79 31 23 30 21 06 03   ..Security1#0!..
    00E0: 55 04 03 13 1A 44 65 6D 6F 20 43 65 72 74 69 66   U....Demo Certif
    00F0: 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 31   icate Authority1
    0100: 1E 30 1C 06 09 2A 86 48 86 F7 0D 01 09 01 16 0F   .0...*.H........
    0110: 73 75 70 70 6F 72 74 40 62 65 61 2E 63 6F 6D 00   support@bea.com.
    0120: 8A 30 81 87 31 0B 30 09 06 03 55 04 06 13 02 5A   .0..1.0...U....Z
    0130: 41 31 22 30 20 06 03 55 04 08 13 19 46 4F 52 20   A1"0 ..U....FOR 
    0140: 54 45 53 54 49 4E 47 20 50 55 52 50 4F 53 45 53   TESTING PURPOSES
    0150: 20 4F 4E 4C 59 31 1D 30 1B 06 03 55 04 0A 13 14    ONLY1.0...U....
    0160: 54 68 61 77 74 65 20 43 65 72 74 69 66 69 63 61   Thawte Certifica
    0170: 74 69 6F 6E 31 17 30 15 06 03 55 04 0B 13 0E 54   tion1.0...U....T
    0180: 45 53 54 20 54 45 53 54 20 54 45 53 54 31 1C 30   EST TEST TEST1.0
    0190: 1A 06 03 55 04 03 13 13 54 68 61 77 74 65 20 54   ...U....Thawte T
    01A0: 65 73 74 20 43 41 20 52 6F 6F 74                  est CA Root
    main, READ: SSL v3.0 Handshake, length = 4
    *** ServerHelloDone
    [read] MD5 and SHA1 hashes: len = 4
    0000: 0E 00 00 00 ....
    main, SEND SSL v3.0 ALERT: warning, description = no_certificate
    main, WRITE: SSL v3.0 Alert, length = 2
    And below is a sample when I used the ClassFileServer.
    This time the client (same src) returned a certificate.
    2/ClassFileServer (from Sun Jsse distribution)
    *** CertificateRequest
    Cert Types: DSS, RSA,
    Cert Authorities:
    <CN=K H, OU=itsmobile, O=itsmobile, L=Dublin, ST=Dublin, C=ie>
    [read] MD5 and SHA1 hashes: len = 114
    0000: 0D 00 00 6E 02 02 01 00 69 00 67 30 65 31 0B 30   ...n....i.g0e1.0
    0010: 09 06 03 55 04 06 13 02 69 65 31 0F 30 0D 06 03   ...U....ie1.0...
    0020: 55 04 08 13 06 44 75 62 6C 69 6E 31 0F 30 0D 06   U....Dublin1.0..
    0030: 03 55 04 07 13 06 44 75 62 6C 69 6E 31 12 30 10   .U....Dublin1.0.
    0040: 06 03 55 04 0A 13 09 69 74 73 6D 6F 62 69 6C 65   ..U....itsmobile
    0050: 31 12 30 10 06 03 55 04 0B 13 09 69 74 73 6D 6F   1.0...U....itsmo
    0060: 62 69 6C 65 31 0C 30 0A 06 03 55 04 03 13 03 4B   bile1.0...U....K
    0070: 20 48                                              H
    *** ServerHelloDone
    [read] MD5 and SHA1 hashes: len = 4
    0000: 0E 00 00 00 ....
    matching client alias : rsakey
    *** Certificate chain
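Both dumps above are complete CertificateRequest messages, so they can be decoded to see exactly what each server asked the client for. The parser below is an added example, not code from the post or from JSSE: the two byte strings are transcribed from the dumps above, the certificate_types values come from the TLS specification, and CanSatisfy applies the two filters a key manager's chooseClientAlias(keyType, issuers, socket) uses before it offers a client alias, the key type and issuer membership. Decoding the page's own bytes shows that both servers list the CN=K H name as an acceptable issuer, and that WebLogic offers only rsa_sign where ClassFileServer offers dss_sign and rsa_sign.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ClientCertificateType values carried in certificate_types (RFC 5246, 7.4.4).
const (
	CertTypeRSASign uint8 = 1
	CertTypeDSSSign uint8 = 2
)

// CertificateRequest keeps each CA name parsed and as the raw DER the server sent;
// a client picks a certificate by comparing its issuer against those bytes.
type CertificateRequest struct {
	CertTypes []uint8
	RawCAs    [][]byte
	CAs       []pkix.Name
}

// ParseCertificateRequest decodes the SSL 3.0 / TLS 1.0 layout in the dump: type 0x0D,
// 24-bit length, certificate_types<1..2^8-1>, then certificate_authorities<0..2^16-1>
// as 16-bit-length-prefixed DER Names. (TLS 1.2 adds a signature-algorithms list.)
func ParseCertificateRequest(msg []byte) (*CertificateRequest, error) {
	if len(msg) < 5 || msg[0] != 0x0D || int(msg[1])<<16|int(msg[2])<<8|int(msg[3]) != len(msg)-4 {
		return nil, errors.New("not a complete CertificateRequest handshake message")
	}
	body := msg[4:]
	nTypes := int(body[0])
	if len(body) < 1+nTypes+2 {
		return nil, errors.New("truncated certificate_types")
	}
	req := &CertificateRequest{CertTypes: append([]uint8(nil), body[1:1+nTypes]...)}
	rest := body[1+nTypes:]
	if caLen := int(rest[0])<<8 | int(rest[1]); caLen != len(rest)-2 {
		return nil, fmt.Errorf("certificate_authorities length %d but %d bytes follow", caLen, len(rest)-2)
	}
	for rest = rest[2:]; len(rest) > 0; {
		if len(rest) < 2 || int(rest[0])<<8|int(rest[1]) > len(rest)-2 {
			return nil, errors.New("truncated DistinguishedName")
		}
		dnLen := int(rest[0])<<8 | int(rest[1])
		der := rest[2 : 2+dnLen]
		var seq pkix.RDNSequence
		if trailing, err := asn1.Unmarshal(der, &seq); err != nil || len(trailing) != 0 {
			return nil, fmt.Errorf("DistinguishedName is not a DER Name: %v", err)
		}
		var name pkix.Name
		name.FillFromRDNSequence(&seq)
		req.RawCAs = append(req.RawCAs, append([]byte(nil), der...))
		req.CAs = append(req.CAs, name)
		rest = rest[2+dnLen:]
	}
	return req, nil
}

// CanSatisfy applies the two filters a client key manager uses before offering an
// alias: the key type must be listed and the certificate's DER issuer must equal
// one of the listed CA names byte for byte.
func (r *CertificateRequest) CanSatisfy(keyType uint8, issuerRaw []byte) bool {
	if !bytes.Contains(r.CertTypes, []byte{keyType}) {
		return false
	}
	for _, raw := range r.RawCAs {
		if bytes.Equal(raw, issuerRaw) {
			return true
		}
	}
	return false
}

func mustHex(rows string) []byte {
	b, err := hex.DecodeString(strings.Join(strings.Fields(rows), ""))
	if err != nil {
		panic(err)
	}
	return b
}

// Transcribed from the two debug dumps above (hex columns only).
var WebLogicRequest = mustHex(`
0D 00 01 A7 01 01 01 A3 00 67 30 65 31 0B 30 09 06 03 55 04 06 13 02 69 65 31 0F 30 0D 06 03 55 04 08 13 06 44 75 62 6C 69 6E 31 0F 30 0D 06 03 55 04 07 13 06 44 75 62 6C 69 6E 31 12 30 10 06
03 55 04 0A 13 09 69 74 73 6D 6F 62 69 6C 65 31 12 30 10 06 03 55 04 0B 13 09 69 74 73 6D 6F 62 69 6C 65 31 0C 30 0A 06 03 55 04 03 13 03 4B 20 48 00 AC 30 81 A9 31 0B 30 09 06 03 55 04 06 13
02 55 53 31 13 30 11 06 03 55 04 08 13 0A 43 61 6C 69 66 6F 72 6E 69 61 31 16 30 14 06 03 55 04 07 13 0D 53 61 6E 20 46 72 61 6E 63 69 73 63 6F 31 15 30 13 06 03 55 04 0A 13 0C 42 45 41 20 57
65 62 4C 6F 67 69 63 31 11 30 0F 06 03 55 04 0B 13 08 53 65 63 75 72 69 74 79 31 23 30 21 06 03 55 04 03 13 1A 44 65 6D 6F 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 68 6F 72 69 74 79 31
1E 30 1C 06 09 2A 86 48 86 F7 0D 01 09 01 16 0F 73 75 70 70 6F 72 74 40 62 65 61 2E 63 6F 6D 00 8A 30 81 87 31 0B 30 09 06 03 55 04 06 13 02 5A 41 31 22 30 20 06 03 55 04 08 13 19 46 4F 52 20
54 45 53 54 49 4E 47 20 50 55 52 50 4F 53 45 53 20 4F 4E 4C 59 31 1D 30 1B 06 03 55 04 0A 13 14 54 68 61 77 74 65 20 43 65 72 74 69 66 69 63 61 74 69 6F 6E 31 17 30 15 06 03 55 04 0B 13 0E 54
45 53 54 20 54 45 53 54 20 54 45 53 54 31 1C 30 1A 06 03 55 04 03 13 13 54 68 61 77 74 65 20 54 65 73 74 20 43 41 20 52 6F 6F 74`)

var ClassFileServerRequest = mustHex(`
0D 00 00 6E 02 02 01 00 69 00 67 30 65 31 0B 30 09 06 03 55 04 06 13 02 69 65 31 0F 30 0D 06 03 55 04 08 13 06 44 75 62 6C 69 6E 31 0F 30 0D 06 03 55 04 07 13 06 44 75 62 6C 69 6E 31 12 30 10
06 03 55 04 0A 13 09 69 74 73 6D 6F 62 69 6C 65 31 12 30 10 06 03 55 04 0B 13 09 69 74 73 6D 6F 62 69 6C 65 31 0C 30 0A 06 03 55 04 03 13 03 4B 20 48`)

func main() {
	for _, msg := range [][]byte{WebLogicRequest, ClassFileServerRequest} {
		if req, err := ParseCertificateRequest(msg); err != nil {
			fmt.Println("error:", err)
		} else {
			fmt.Println("types:", req.CertTypes, "CAs:", req.CAs)
		}
	}
}
```

The issuer comparison is deliberately on raw DER rather than on a printed string: two names that print identically but differ in string types or attribute order are different names to a TLS implementation.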

    Matt,
    Did you read this article:
    https://wiki.sdn.sap.com/wiki/display/BSP/Using%20Proxies
    This explains how to properly setup the HTTPURLLOC table.
    In your case you should have entries that look something like this:
    40 HTTP   * <internal host name> <https port>
    50 HTTPS * <external host name> <https port>
    In addition you need to run the report to determine if the proxy configuration is set up properly. The URL should be run with the
    https://<externalhostname>/sap/bc/bsp/sap/system_test/test_proxy.htm
    Take care,
    Stephen

  • Question on client side authentication

    Does anyone have recommendation for a good way to do client side
    authentication in a java application and pass it through to the application
    server for RMI calls? I can use JAAS to authenticate the user on the client
    side but how do I get the user principal to pass through to the weblogic
    server as part of the RMI call.
    Kent

    You can check out both JAAS and JNDI authentication for weblogic in this link:
    http://edocs.bea.com/wls/docs61/security/prog.html#1022997

  • Popping up a dialog box on client side for authentication in a proxy server

    hi all,
    We have written code for a proxy server. Now we want to add the authentication code to it, which will authenticate the client by popping up a dialog box on the client side, though no code runs on the client side; the client only has to open the browser and enter the credentials.
    We don't know how to pop up this authentication window on the client side when he requests the service.
    It's almost like Squid, where the pop-up box appears.
    The code for our proxy server is
    import java.net.*;
    import java.io.*;

    public class BasicProxyServer {
        private static int serverPort;
        private static String primaryServerHost;
        private static int primaryServerPort;

        // 1st arg: port to listen on
        // 2nd arg: primary server IP
        // 3rd arg: primary server port
        public static void main(String[] args) {
            serverPort = Integer.parseInt(args[0]);
            primaryServerHost = args[1];
            primaryServerPort = Integer.parseInt(args[2]);
            BasicServer bserv = new BasicServer(serverPort, primaryServerHost, primaryServerPort);
        }
    }

    class BasicServer extends Thread {
        private int serverPort;
        private String primaryHost;
        private int primaryPort;
        private ServerSocket servSock = null;

        public BasicServer(int port, String primSrv, int primPort) {
            serverPort = port;
            primaryHost = primSrv;
            primaryPort = primPort;
            start();
        }

        public void run() {
            Socket clientSock = null;
            Socket primaryServerSock = null;
            try {
                servSock = new ServerSocket(serverPort);
            } catch (IOException e) {
                e.printStackTrace();
                return; // no listening socket, nothing to accept
            }
            while (true) {
                try {
                    clientSock = servSock.accept();
                    primaryServerSock = new Socket(primaryHost, primaryPort);
                    // each direction is relayed socket -> pipe -> socket by one Talk thread
                    PipedInputStream fromClient = new PipedInputStream();
                    //BufferedReader br = new BufferedReader(new InputStreamReader(clientSock.getInputStream()));
                    //String ipline = br.readLine();
                    //History hi = new History();
                    //hi.writeHistory(ipline);
                    //try {
                    //    hi.getHistory();
                    //} catch (ClassNotFoundException cne) {
                    //    System.out.println(cne);
                    //}
                    PipedOutputStream toMainServer = new PipedOutputStream(fromClient);
                    PipedInputStream fromMainServer = new PipedInputStream();
                    PipedOutputStream toClient = new PipedOutputStream(fromMainServer);
                    Talk clientToMainServer = new Talk(clientSock, fromClient, primaryServerSock, toMainServer);
                    Talk mainServerToClient = new Talk(primaryServerSock, fromMainServer, clientSock, toClient);
                    clientToMainServer.start();
                    mainServerToClient.start();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }

        protected void finalize() {
            if (servSock != null) {
                try {
                    servSock.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
                servSock = null;
            }
        }
    }

    class Talk extends Thread {
        private Socket incoming;
        private Socket outgoing;
        private InputStream in;    // read end of the pipe
        private OutputStream out;  // write end of the pipe
        String urlrequest = "";
        private InputStream from;  // incoming socket
        private OutputStream to;   // outgoing socket

        Talk(Socket inSock, InputStream in, Socket outSock, OutputStream out) {
            this.in = in;
            this.out = out;
            incoming = inSock;
            outgoing = outSock;
        }

        public void run() {
            int aByte;
            try {
                from = incoming.getInputStream();
                to = outgoing.getOutputStream();
                while ((aByte = from.read()) != -1) {   // read from socket
                    out.write(aByte);                   // write to pipe
                    if (incoming.getPort() == 3128) {
                        urlrequest = urlrequest + out.toString();
                    }
                    urlrequest = urlrequest + incoming.getPort() + outgoing.getPort();
                    to.write(in.read());                // read the byte back from the pipe, write it to the output socket
                    to.flush();
                }
                System.out.println(urlrequest);
                to.close();
                from.close();
                if (incoming != null) {
                    incoming.close();
                    incoming = null;
                }
                if (outgoing != null) {
                    outgoing.close();
                    outgoing = null;
                }
            } catch (SocketException e) {
                // thrown for a closed socket; seems to have no effect
                // e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    waiting for reply.....

    Install a java.net.Authenticator.
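What makes a browser show its login box for a proxy, the Squid behaviour the question refers to, is an HTTP status rather than any code on the client: the proxy answers 407 Proxy Authentication Required with a Proxy-Authenticate challenge, the browser prompts, and the request is repeated with a Proxy-Authorization header. The handler below is an added example, not code from the post; the user table, password and realm name are constructed for the demo. It checks the credential with a constant-time hash comparison and strips the header before forwarding so the proxy password never reaches the origin server.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample credentials for the demo; a real proxy would keep salted
// password hashes (or defer to an external store), never plain passwords.
var users = map[string][32]byte{"alice": sha256.Sum256([]byte("s3cret"))}

// parseProxyAuth decodes "Basic base64(user:password)" from Proxy-Authorization.
func parseProxyAuth(header string) (user, pass string, ok bool) {
	scheme, param, found := strings.Cut(header, " ")
	if !found || !strings.EqualFold(scheme, "Basic") {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(param))
	if err != nil {
		return "", "", false
	}
	return strings.Cut(string(raw), ":")
}

// credentialsValid compares hashes in constant time and always performs the
// comparison, so response timing does not reveal which user names exist.
func credentialsValid(user, pass string) bool {
	want, known := users[user]
	got := sha256.Sum256([]byte(pass))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1 && known
}

// RequireProxyAuth is what makes the browser show its dialog: a 407 carrying a
// Proxy-Authenticate challenge. The browser then repeats the request with
// Proxy-Authorization, which is checked before anything is forwarded.
func RequireProxyAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := parseProxyAuth(r.Header.Get("Proxy-Authorization"))
		if !ok || !credentialsValid(user, pass) {
			w.Header().Set("Proxy-Authenticate", `Basic realm="BasicProxyServer"`)
			http.Error(w, "proxy authentication required", http.StatusProxyAuthRequired)
			return
		}
		r.Header.Del("Proxy-Authorization") // never leak the proxy credential upstream
		next.ServeHTTP(w, r)
	})
}

// Exchange runs one request through the handler in memory and returns the status
// code and the challenge header, so the behaviour can be checked without sockets.
func Exchange(authorization string) (code int, challenge string) {
	h := RequireProxyAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "forwarded to origin")
	}))
	req := httptest.NewRequest(http.MethodGet, "http://origin.example/", nil) // hypothetical origin
	if authorization != "" {
		req.Header.Set("Proxy-Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Proxy-Authenticate")
}

func main() {
	fmt.Println(Exchange(""))
	fmt.Println(Exchange("Basic " + base64.StdEncoding.EncodeToString([]byte("alice:s3cret"))))
}
```

Basic carries the password in clear, so this only makes sense on a proxy reached over a trusted network or over TLS; Digest or a Negotiate-based scheme uses the same 407 and Proxy-Authenticate mechanics with a different challenge.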

  • SERVER_MS_NOT_AVAILABLE Internal error during authentication - client side

    Hi Experts,
    I reviewed the various threads here concerning this topic, and have not found one that fits my situation. We have a well-functioning SAP-PI 7.11 landscape, and normally 10+ support team members connecting with no issues. Except for a 2nd PC I have just installed. Our normal desktop is a corporate-imaged XP PC. My problem child though is a Linux PC (I would think it should be the other way around). Anyway the Linux box uses the exact same LAN, same DHCP, same DNS server as its XP brethren. It connects to the HTTP portion of PI just fine, but fails with the SERVER_MS_NOT_AVAILABLE error when I attempt to connect to the ESB or IB. Just to be safe I have placed the FQDN of the PI hosts into the Linux hosts file. No effect. What am I missing? Has anyone else ever seen this? Suggestions on troubleshooting?

    hi Abhishek,
    Yes I reviewed it and several others. I am confident all our server side settings are correct, otherwise the existing PCs would not be connecting. The only item that applies to the client side is #4 - using the FQDN in the local hosts file, which I have already tried.

  • Using X.509 Client Certificates - SAP ABAP Webgui (SSL)

    Hello,
    Currently the integrated ITS (Webgui) is running. We now want to use smart cards and have adapted the configuration:
    RZ10:
    icm/server_port_0=PROT=HTTPS,PORT=1443,TIMEOUT=180                                                                               
    icm/HTTPS/verify_client=2   
    table USREXTID: C=DE,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,emailAddress=xxx
    Smart card certificate -> installed in Firefox 2.x and IE 7.x.
    SICF: Webgui Service -> Login with Client Certificate
    The test (with IE or Firefox) was unsuccessful.
    SMICM Trace:
    [Thr 5708] >> - Begin of Secude-SSL Errorstack - >>
    [Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
    [Thr 5708] << - End of Secude-SSL Errorstack - <<
    [Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
    [Thr 5708] ->> SapSSLErrorName(rc=-56)
    [Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
    [Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1777]
    [Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
    What should I do now?
    Thanks, Silke
    Full Trace:
    sysno      02
    sid        RD1
    systemid   560 (PC with Windows NT)
    relno      7000
    patchlevel 0
    patchno    148
    intno      20050900
    make:      multithreaded, ASCII, optimized
    pid        5468
    [Thr 5416] started security log to file dev_icm_sec
    [Thr 5416] ICM running on: sdatu100.pvw.tu-darmstadt.de
    [Thr 5416] MtxInit: 30001 0 2
    [Thr 5416] IcmInit: listening to admin port: 65000
    [Thr 5416] DpSysAdmExtCreate: ABAP is active
    [Thr 5416] DpSysAdmExtCreate: VMC (JAVA VM in WP) is not active
    [Thr 5416] DpShMCreate: sizeof(wp_adm)          13576     (1044)
    [Thr 5416] DpShMCreate: sizeof(tm_adm)          36258120     (18120)
    [Thr 5416] DpShMCreate: sizeof(wp_ca_adm)          18000     (60)
    [Thr 5416] DpShMCreate: sizeof(appc_ca_adm)     6000     (60)
    [Thr 5416] DpCommTableSize: max/headSize/ftSize/tableSize=2000/8/2112040/2112048
    [Thr 5416] DpShMCreate: sizeof(comm_adm)          2112048     (1048)
    [Thr 5416] DpSlockTableSize: max/headSize/ftSize/fiSize/tableSize=0/0/0/0/0
    [Thr 5416] DpShMCreate: sizeof(slock_adm)          0     (96)
    [Thr 5416] DpFileTableSize: max/headSize/ftSize/tableSize=0/0/0/0
    [Thr 5416] DpShMCreate: sizeof(file_adm)          0     (72)
    [Thr 5416] DpShMCreate: sizeof(vmc_adm)          0     (1296)
    [Thr 5416] DpShMCreate: sizeof(wall_adm)          (224040/329544/56/100)
    [Thr 5416] DpShMCreate: sizeof(gw_adm)     48
    [Thr 5416] DpShMCreate: SHM_DP_ADM_KEY          (addr: 028C0040, size: 38968448)
    [Thr 5416] DpShMCreate: allocated sys_adm at 028C0040
    [Thr 5416] DpShMCreate: allocated wp_adm at 028C1B30
    [Thr 5416] DpShMCreate: allocated tm_adm_list at 028C5038
    [Thr 5416] DpShMCreate: allocated tm_adm at 028C5068
    [Thr 5416] DpShMCreate: allocated wp_ca_adm at 04B591B0
    [Thr 5416] DpShMCreate: allocated appc_ca_adm at 04B5D800
    [Thr 5416] DpShMCreate: allocated comm_adm at 04B5EF70
    [Thr 5416] DpShMCreate: system runs without slock table
    [Thr 5416] DpShMCreate: system runs without file table
    [Thr 5416] DpShMCreate: allocated vmc_adm_list at 04D629A0
    [Thr 5416] DpShMCreate: allocated gw_adm at 04D629E0
    [Thr 5416] DpShMCreate: system runs without vmc_adm
    [Thr 5416] DpShMCreate: allocated ca_info at 04D62A10
    [Thr 5096] IcmProxyWatchDog: proxy watchdog started
    [Thr 5416] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 0
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 1
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 2
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 3
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 4
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 5
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 6
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 7
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 8
    [Thr 5416] IcmCreateWorkerThreads: created worker thread 9
    [Thr 4352] IcmWatchDogThread: watchdog started
    [Thr 5672] =================================================
    [Thr 5672] = SSL Initialization  on  PC with Windows NT
    [Thr 5672] =   (700_REL,Mar 25 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
    [Thr 5672]   profile param "ssl/ssl_lib" = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
               resulting Filename = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
    [Thr 5672] =   found SAPCRYPTOLIB  5.5.5C pl17  (Aug 18 2005) MT-safe
    [Thr 5672] =   current UserID: SDATU100\SAPServiceRD1
    [Thr 5672] =   found SECUDIR environment variable
    [Thr 5672] =   using SECUDIR=D:\usr\sap\RD1\DVEBMGS02\sec
    [Thr 5672] =  secudessl_Create_SSL_CTX():  PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLC.pse" not found,
    [Thr 5672] =      using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
    [Thr 5672] =  secudessl_Create_SSL_CTX():  PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLA.pse" not found,
    [Thr 5672] =      using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
    [Thr 5672] ******** Warning ********
    [Thr 5672] *** No SSL-client PSE "SAPSSLC.pse" available
    [Thr 5672] *** -- this will probably limit SSL-client side connectivity
    [Thr 5672] ********
    [Thr 5672] = Success -- SapCryptoLib SSL ready!
    [Thr 5672] =================================================
    [Thr 5672] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no
    X.509 cert data will be removed from header [http_plg.c   720]
    [Thr 5672] ISC: created 400 MB disk cache.
    [Thr 5672] ISC: created 50 MB memory cache.
    [Thr 5672] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
    [Thr 5672] HttpExtractArchive: files from archive D:\usr\sap\RD1\SYS\exe\run/icmadmin.SAR in directory D:/usr/sap/RD1/DVEBMGS02/
    [Thr 5672] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0
    [Thr 5672] CsiInit(): Initializing the Content Scan Interface
    [Thr 5672]            PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/32/32)
    [Thr 5672] CsiInit(): CSA_LIB = "D:\usr\sap\RD1\SYS\exe\run\sapcsa.dll"
    [Thr 5672] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0
    [Thr 5672] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=3, flags=1052677) for /:0
    [Thr 5672] Started service 1443 for protocol HTTPS on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=9
    [Thr 5672] Started service 25000 for protocol SMTP on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=8
    [Thr 5672] Tue Jul 15 14:38:37 2008
    [Thr 5672] *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c    4578]
    [Thr 5672] *** WARNING => IcmNetCheck: 1 possible network problems detected - please check the network/DNS settings [icxxman.c
    [Thr 3932] Tue Jul 15 14:39:32 2008
    [Thr 3932] *** WARNING => IcmCallAllSchedules: Schedule func 1 already running - avoid recursion [icxxsched.c  430]
    [Thr 5416] Tue Jul 15 14:40:23 2008
    [Thr 5416] IcmSetParam: Switched trace level to: 3
    [Thr 5416] *
    [Thr 5416] * SWITCH TRC-LEVEL to 3
    [Thr 5416] *
    [Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
    [Thr 5416]
    NiBufSend starting
    [Thr 5416] NiIWrite: hdl 3 sent data (wrt=80,pac=1,MESG_IO)
    [Thr 5416] SiSelNSelect: start select (timeout=-1)
    [Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
    [Thr 5416] NiBufISelProcess: hdl 9 process r-
    [Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
    [Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
    [Thr 5416] NiBufIIn: NIBUF len=72
    [Thr 5416] NiBufIIn: packet complete for hdl 9
    [Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
    [Thr 5416] SiSelNSet: set events of sock 8088 to: ---
    [Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
    [Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
    [Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
    [Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
    [Thr 5416]
    NiBufReceive starting
    [Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
    [Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
    [Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
    [Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
    [Thr 5416] IcmRecMsg: received 72 bytes
    [Thr 5416] ============================================
    [Thr 5416] | COM_DATA:
    [Thr 5416] | Offset: 0     | Version: 7000
    [Thr 5416] | MsgNo: 2     | Opcode: ICM_COM_OP_ICM_MONITOR (66)
    [Thr 5416] ============================================
    [Thr 5416] IcmHandleAdmMsg: op: 66
    [Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
    [Thr 5416] NiBufDup: ref 1 for buf 0252CE50
    [Thr 5416] IcmQueueAppend: queuelen:     1
    [Thr 5416] IcmCreateRequest: Appended request 13
    [Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
    [Thr 5416]
    NiBufSend starting
    [Thr 4392] IcmWorkerThread: worker 3 got the semaphore
    [Thr 4392] REQUEST:
        Type: ADMMSG    Index = 12
    [Thr 4392] NiBufFree: ref 1 for buf 0252CE50
    [Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
    [Thr 4392] MPI<a>0#5 GetInbuf -1 138968 440 (1) -> 6
    [Thr 4392] IcmHandleMonitorMessage: called with opcode: 100
    [Thr 5416] SiSelNSelect: start select (timeout=-1)
    [Thr 4392] MPI<9>1#4 GetOutbuf -1 1489a0 65536 (0) -> 05348A00 0
    [Thr 4392] MPI<a>0#6 FreeInbuf#2 0 138968  0 -> 0
    [Thr 4392] MPI<9>1#5 FlushOutbuf l-1 1 1 1489a0 1104 6 -> 053489E0 0
    [Thr 4392] IcmWorkerThread: Thread 3: Waiting for event
    [Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
    [Thr 5416] NiBufISelProcess: hdl 9 process r-
    [Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
    [Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
    [Thr 5416] NiBufIIn: NIBUF len=72
    [Thr 5416] NiBufIIn: packet complete for hdl 9
    [Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
    [Thr 5416] SiSelNSet: set events of sock 8088 to: ---
    [Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
    [Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
    [Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
    [Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
    [Thr 5416]
    NiBufReceive starting
    [Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
    [Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
    [Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
    [Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
    [Thr 5416] IcmRecMsg: received 72 bytes
    [Thr 5416] ============================================
    [Thr 5416] | COM_DATA:
    [Thr 5416] | Offset: 0     | Version: 7000
    [Thr 5416] | MsgNo: 2     | Opcode: ICM_COM_OP_ICM_MONITOR (66)
    [Thr 5416] ============================================
    [Thr 5416] IcmHandleAdmMsg: op: 66
    [Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
    [Thr 5416] NiBufDup: ref 1 for buf 0252CE50
    [Thr 5416] IcmQueueAppend: queuelen:     1
    [Thr 5416] IcmCreateRequest: Appended request 14
    [Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
    [Thr 5416]
    NiBufSend starting
    [Thr 5784] IcmWorkerThread: worker 4 got the semaphore
    [Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
    [Thr 5416] NiBufFree: ref 1 for buf 0252CE50
    [Thr 5416] SiSelNSelect: start select (timeout=-1)
    [Thr 5784] REQUEST:
        Type: ADMMSG    Index = 13
    [Thr 5784] MPI<c>0#5 GetInbuf -1 1489a0 440 (1) -> 6
    [Thr 5784] IcmHandleMonitorMessage: called with opcode: 100
    [Thr 5784] MPI<b>1#4 GetOutbuf -1 138968 65536 (0) -> 053389C8 0
    [Thr 5784] MPI<c>0#6 FreeInbuf#2 0 1489a0  0 -> 0
    [Thr 5784] MPI<b>1#5 FlushOutbuf l-1 1 1 138968 1104 6 -> 053389A8 0
    [Thr 5784] IcmWorkerThread: Thread 4: Waiting for event
    [Thr 4352] Tue Jul 15 14:40:26 2008
    [Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
    [Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
    [Thr 4352] SiSelNFCSelect: start select (timeout=10000)
    [Thr 5416] Tue Jul 15 14:40:29 2008
    [Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
    [Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
    [Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
    [Thr 5416] IcmExternalLogin: Connection request from Client received
    [Thr 5416] NiIAccept: hdl 6 accepted connection
    [Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
    [Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8076 (I4; ST)
    [Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
    [Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
    [Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1305
    [Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
    [Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 3 sec
    [Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
    [Thr 5416] IcmQueueAppend: queuelen:     1
    [Thr 5416] IcmCreateRequest: Appended request 15
    [Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
    [Thr 3932] IcmWorkerThread: worker 5 got the semaphore
    [Thr 3932] REQUEST:
        Type: ACCEPT CONNECTION    Index = 14
    [Thr 3932] CONNECTION (id=1/8):
        used: 1, type: 1, role: 1, stateful: 0
        NI_HDL: 8, protocol: HTTPS(2)
        local host:  130.83.89.22:1443 ()
        remote host: 192.168.1.3:1305 ()
        status: NOP
        connect time: 15.07.2008 14:40:29
        MPI request:        <0>      MPI response:        <0>
        request_buf_size:   0        response_buf_size:   0
        request_buf_used:   0        response_buf_used:   0
        request_buf_offset: 0        response_buf_offset: 0
    [Thr 5416] SiSelNSelect: start select (timeout=-1)
    [Thr 3932] MPI:1 create pipe 052002C0 1
    [Thr 3932] MPI<d>1#1 Open( ANONYMOUS 1 1 ) -> 1
    [Thr 3932] MPI<d>1#2 Open( ANONYMOUS 1 0 ) -> 1
    [Thr 3932] MPI:0 create pipe 05200180 1
    [Thr 3932] MPI<e>0#1 Open( ANONYMOUS 0 0 ) -> 0
    [Thr 3932] MPI<e>0#2 Open( ANONYMOUS 0 1 ) -> 0
    [Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
    [Thr 3932] <<- SapSSLSessionInit()==SAP_O_K
    [Thr 3932]      in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
    [Thr 3932]     out: sssl_hdl = 003FFBC0
    [Thr 3932] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
    [Thr 3932] NiIBlockMode: set blockmode for hdl 8 TRUE
    [Thr 3932]   SSL NI-sock: local=130.83.89.22:1443  peer=192.168.1.3:1305
    [Thr 3932] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
    [Thr 3932] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
    [Thr 3932]   SapISSLServerCacheExpiration(): Calling ServerCacheCleanup() (lifetime=900)
    [Thr 3932]   SapISSLServerCacheExpiration(srv,"D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse"): Cache max/before/now = 5000/1/1
    [Thr 5096] Tue Jul 15 14:40:32 2008
    [Thr 5096] SiSelNSelect: of 1 sockets 0 selected
    [Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
    [Thr 5096] SiSelNSelect: start select (timeout=10000)
    [Thr 4352] Tue Jul 15 14:40:36 2008
    [Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
    [Thr 4352] IcmCheckForBlockedThreads: check for blocked SSL-threads
    [Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
    [Thr 4352] SiSelNFCSelect: start select (timeout=10000)
    [Thr 5096] Tue Jul 15 14:40:42 2008
    [Thr 5096] SiSelNSelect: of 1 sockets 0 selected
    [Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
    [Thr 5096] SiSelNSelect: start select (timeout=10000)
    [Thr 3932] Tue Jul 15 14:40:45 2008
    [Thr 3932]   peer has closed connection
    [Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED
    [Thr 3932] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
    [Thr 3932] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
    [Thr 3932] NiICloseHandle: shutdown and close hdl 8 / sock 8076
    [Thr 3932] MPI<d>1#3 Close( 1 ) del=0 -> 0
    [Thr 3932] MPI<d>1#5 Delete( 1 ) -> 0
    [Thr 3932] MPI<d>1#4 Close( 1 ) del=1 -> 0
    [Thr 3932] MPI<e>0#3 Close( 0 ) del=0 -> 0
    [Thr 3932] MPI<e>0#5 Delete( 0 ) -> 0
    [Thr 3932] MPI<e>0#4 Close( 0 ) del=1 -> 0
    [Thr 3932] IcmConnFreeContext: context 1 released
    [Thr 3932] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
    [Thr 3932] IcmWorkerThread: Thread 5: Waiting for event
    [Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
    [Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
    [Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
    [Thr 5416] IcmExternalLogin: Connection request from Client received
    [Thr 5416] NiIAccept: hdl 6 accepted connection
    [Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
    [Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8092 (I4; ST)
    [Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
    [Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
    [Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1309
    [Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
    [Thr 5416] IcmConnCheckStoredClientConn: check for client conn timeout
    [Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 60 sec
    [Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
    [Thr 5416] IcmQueueAppend: queuelen:     1
    [Thr 5416] IcmCreateRequest: Appended request 16
    [Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
    [Thr 5708] IcmWorkerThread: worker 6 got the semaphore
    [Thr 5708] REQUEST:
        Type: ACCEPT CONNECTION    Index = 15
    [Thr 5708] CONNECTION (id=1/9):
        used: 1, type: 1, role: 1, stateful: 0
        NI_HDL: 8, protocol: HTTPS(2)
        local host:  130.83.89.22:1443 ()
        remote host: 192.168.1.3:1309 ()
        status: NOP
        connect time: 15.07.2008 14:40:45
        MPI request:        <0>      MPI response:        <0>
        request_buf_size:   0        response_buf_size:   0
        request_buf_used:   0        response_buf_used:   0
        request_buf_offset: 0        response_buf_offset: 0
    [Thr 5416] SiSelNSelect: start select (timeout=-1)
    [Thr 5708] MPI:0 create pipe 05200180 1
    [Thr 5708] MPI<f>0#1 Open( ANONYMOUS 0 1 ) -> 0
    [Thr 5708] MPI<f>0#2 Open( ANONYMOUS 0 0 ) -> 0
    [Thr 5708] MPI:1 create pipe 052002C0 1
    [Thr 5708] MPI<10>1#1 Open( ANONYMOUS 1 0 ) -> 1
    [Thr 5708] MPI<10>1#2 Open( ANONYMOUS 1 1 ) -> 1
    [Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
    [Thr 5708] <<- SapSSLSessionInit()==SAP_O_K
    [Thr 5708]      in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
    [Thr 5708]     out: sssl_hdl = 003FFBC0
    [Thr 5708] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
    [Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
    [Thr 5708]   SSL NI-sock: local=130.83.89.22:1443  peer=192.168.1.3:1309
    [Thr 5708] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
    [Thr 5708] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
    [Thr 5708] NiIBlockMode: set blockmode for hdl 8 FALSE
    [Thr 5708] NiIHdlGetStatus: hdl 8 / sock 8092 ok, data pending (len=1)
    [Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
    [Thr 5708]   SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
    [Thr 5708] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
    [Thr 5708] SecudeSSL_SessionStart: SSL_accept() failed --
      secude_error 536871698 (0x20000312) = "the client did not send a certificate handshake message for its authentication and we c
    [Thr 5708] >> -
    Begin of Secude-SSL Errorstack -
    >>
    [Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
    [Thr 5708] << -
    End of Secude-SSL Errorstack -
    [Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
    [Thr 5708] ->> SapSSLErrorName(rc=-56)
    [Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
    [Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1777]
    [Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
    [Thr 5708] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
    [Thr 5708] NiICloseHandle: shutdown and close hdl 8 / sock 8092
    [Thr 5708] MPI<f>0#3 Close( 0 ) del=0 -> 0
    [Thr 5708] MPI<f>0#5 Delete( 0 ) -> 0
    [Thr 5708] MPI<f>0#4 Close( 0 ) del=1 -> 0
    [Thr 5708] MPI<10>1#3 Close( 1 ) del=0 -> 0
    [Thr 5708] MPI<10>1#5 Delete( 1 ) -> 0
    [Thr 5708] MPI<10>1#4 Close( 1 ) del=1 -> 0
    [Thr 5708] IcmConnFreeContext: context 1 released
    [Thr 5708] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
    [Thr 5708] IcmWorkerThread: Thread 6: Waiting for event
    [Thr 4352] Tue Jul 15 14:40:46 2008
    [Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
    [Thr 4352] IcmQueueAppend: queuelen:     1
    [Thr 4352] IcmCreateRequest: Appended request 17
    [Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
    [Thr 4352] SiSelNFCSelect: start select (timeout=10000)
    [Thr 4196] IcmWorkerThread: worker 7 got the semaphore
    [Thr 4196] REQUEST:
        Type: SCHEDULER    Index = 16
    [Thr 4196] IcmGetSchedule: found slot 0
    [Thr 4196] IcmAlReportData: Reporting data to CCMS Alerting Infrastructure
    [Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
    [Thr 4196] IcmConnCheckStoredClientConn: next client timeout check in 59 sec
    [Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
    [Thr 4196] IcmGetServicePtr: new serv_ref_count: 2
    [Thr 4196] PlugInHandleAdmMessage: request received:
    [Thr 4196] PlugInHandleAdmMessage: opcode: 136, len: 272, dest_type: 2, subhdlkey: 262145
    [Thr 4196] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=4, header_len=0
    [Thr 4196] HttpCacheHandler: 4 0 006BBBC4 00000000
    [Thr 4196] SCACHE: adm request received:
    [Thr 4196] SCACHE: opcode: 136, len: 272, dest_type: 2, dest:
    [Thr 4196] MTX_LOCK 3038 00ADEE88
    [Thr 4196] MTX_UNLOCK 3051 00ADEE88
    [Thr 4196] IctCmGetCacheInfo#5 -> 0
    [Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48, blocks used: 1
    [Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48
    [Thr 4196] IcmNetBufFree: free netbuf: 00AD2B48 out of 1 used
    [Thr 4196] IcmConnFreeContext: context 1 released
    [Thr 4196] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
    [Thr 4196] IcmGetSchedule: next schedule in 30 secs
    [Thr 4196] IcmWorkerThread: Thread 7: Waiting for event
    [Thr 5096] Tue Jul 15 14:40:52 2008
    [Thr 5096] SiSelNSelect: of 1 sockets 0 selected
    [Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
    [Thr 5096] SiSelNSelect: start select (timeout=10000)

    > silke kubelka wrote:
    > SMICM-Log:
    > *** No SSL-client PSE "SAPSSLC.pse" available
    > *** this will probably limit SSL-client side connectivity
    > is this a problem?
    Well, since you want to enable the certificate-based user authentication (where your ABAP server is in the role of the SSL server) this does not matter. But if you intend to use your NWAS ABAP as SSL client (for outbound https communication) then it will matter. To resolve this problem you simply create an SSL Client PSE using transaction STRUST.
    Once you've managed to [configure your NWAS ABAP for SSL|https://service.sap.com/sap/support/notes/510007], you should see (in the ICM trace) that an X.509 client certificate was received. If the certificate-based logon does not succeed, then it's most likely due to some mapping problems - those can be analysed by using the tracing approach described in [note 495911|https://service.sap.com/sap/support/notes/495911].
    If you need assistance in enabling the X.509 client certificate authentication you should submit an inquiry to SAP (message component BC-SEC-LGN).
    Best regards,
    Wolfgang
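As an added example (not part of this thread and not an SAP tool), a small Java triage pass over ICM trace lines like the ones quoted above: it follows each worker thread's SapSSLSessionInit/SapSSLSessionStart pair and tells a benign "peer has closed connection" apart from a client that answered the certificate request without a certificate on a REQUIRE_CLIENT_CERT service. The regular expressions are written against the trace format shown in the question; the sample lines in main() are copied from that trace and reduced to the ones that matter.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Follows each ICM worker thread's SapSSLSessionInit -> SapSSLSessionStart sequence
 * in a trace and reports how the server-side SSL handshake ended.
 */
public class IcmSslTriage {

    private static final Pattern THREAD = Pattern.compile("^\\s*\\[Thr (\\d+)\\]\\s*(.*)$");
    private static final Pattern INIT =
        Pattern.compile("SapSSLSessionInit\\(.*auth_type=\\d+ \\(([A-Z_]+)\\)");
    private static final Pattern PEER = Pattern.compile("SSL NI-sock: local=\\S+\\s+peer=(\\S+)");
    private static final Pattern SECUDE = Pattern.compile("secude_error \\d+ \\((0x[0-9A-Fa-f]+)\\)");
    private static final Pattern RESULT = Pattern.compile("SapSSLSessionStart\\([^)]*\\)==(\\w+)");

    /** Secude error code from the trace above: the client sent no certificate handshake message. */
    static final String NO_CLIENT_CERT = "0x20000312";

    /** One server-side SSL session attempt, as handled by a single worker thread. */
    public static final class Session {
        public String thread, authType, peer, result, secudeError;
    }

    public static List<Session> parse(List<String> lines) {
        Map<String, Session> open = new LinkedHashMap<String, Session>();
        List<Session> finished = new ArrayList<Session>();
        String lastThread = null;
        for (String line : lines) {
            Matcher t = THREAD.matcher(line);
            String thread, body;
            if (t.matches()) {
                thread = t.group(1);
                body = t.group(2);
                lastThread = thread;
            } else if (lastThread != null) {
                // Continuation lines (e.g. the secude_error text) carry no [Thr] prefix.
                thread = lastThread;
                body = line.trim();
            } else {
                continue;
            }
            Matcher m;
            Session s = open.get(thread);
            if ((m = INIT.matcher(body)).find()) {
                s = new Session();
                s.thread = thread;
                s.authType = m.group(1);
                open.put(thread, s);
            } else if (s != null && (m = PEER.matcher(body)).find()) {
                s.peer = m.group(1);
            } else if (s != null && (m = SECUDE.matcher(body)).find()) {
                s.secudeError = m.group(1);
            } else if (s != null && (m = RESULT.matcher(body)).find()) {
                s.result = m.group(1);
                finished.add(open.remove(thread));
            }
        }
        return finished;
    }

    /** The distinction an administrator needs when reading the trace. */
    public static String verdict(Session s) {
        if ("SAP_O_K".equals(s.result)) {
            return "handshake completed";
        }
        if ("SSSLERR_CONN_CLOSED".equals(s.result)) {
            return "peer closed the connection before the handshake finished";
        }
        if ("SSSLERR_SSL_ACCEPT".equals(s.result) && NO_CLIENT_CERT.equals(s.secudeError)) {
            return "REQUIRE_CLIENT_CERT".equals(s.authType)
                ? "client sent no certificate on a service that requires one"
                : "client sent no certificate";
        }
        return "handshake failed: " + s.result + (s.secudeError == null ? "" : " (" + s.secudeError + ")");
    }

    public static void main(String[] args) {
        // Constructed sample: the two sessions from the trace above, reduced to the relevant lines.
        List<String> sample = Arrays.asList(
            "[Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))",
            "[Thr 3932]   SSL NI-sock: local=130.83.89.22:1443  peer=192.168.1.3:1305",
            "[Thr 3932] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)",
            "[Thr 3932]   peer has closed connection",
            "[Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED",
            "[Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))",
            "[Thr 5708]   SSL NI-sock: local=130.83.89.22:1443  peer=192.168.1.3:1309",
            "[Thr 5708] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)",
            "[Thr 5708] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL",
            "  secude_error 536871698 (0x20000312) = \"the client did not send a certificate handshake message\"",
            "[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT");
        for (Session s : parse(sample)) {
            System.out.println("thread " + s.thread + " peer " + s.peer + ": " + verdict(s));
        }
    }
}
```

Run against a full dev_icm trace at level 2 or higher, the second verdict is the one to chase on the client side (certificate selection and trust in the issuing CA list the server sends), while the first is usually not an authentication problem at all.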

  • How to encrypt username and password before transmit on client side

    I want to encrypt the username and password on the client side when a user logs in to my page first and then send them to the server.
    Could anybody tell me how to do it?
    Thanks a lot.

    Yup, what was suggested is true...
    The HTTPS authentication type is mainly for encrypting..
    This is an extract from the book I have which states how you can do that...
    UNDERSTANDING AUTHENTICATION MECHANISMS
    HTTPS Client authentication:
    HTTPS is HTTP over SSL (Secure Socket Layer). SSL is a protocol developed by Netscape to ensure the privacy of sensitive data transmitted over the Internet. In this mechanism, authentication is performed when the SSL connection is established between the browser and the server. All the data is transmitted in the encrypted form using public-key cryptography, which is handled by the browser and the servlet container in a manner that is transparent to the servlet developers. The exam doesn't require you to know the details of this mechanism.
    Advantages
    The advantages of HTTPS Client authentication are
    - It is the most secure of the four types.
    - All the commonly used browsers support it.
    Disadvantages
    The disadvantages of HTTPS Client authentication are
    - It requires a certificate from a certification authority, such as VeriSign.
    - It is costly to implement and maintain.
    [1] Actually, instead of the password, an MD5 digest of the password is sent. Please refer to RFC 1321 for more information.

  • Wallets on client side

    I am interested in setting up SSL communication in Oracle for network encryption (10.2G on linux) but I'm not really interested in validating the identity of clients and thus don't want to set up wallets/certificates on the client side. Is this possible - I have managed to connect using TCPS through the server but not through clients - they all seem to want to find a wallet file?
    Thanks
    Simon

    From the Advanced Security Administration Guide:
    "The SSL_CLIENT_AUTHENTICATION parameter in the sqlnet.ora file controls whether the client is authenticated using SSL. The default value is TRUE.
    You must set this parameter to FALSE if you are using a cipher suite that contains Diffie-Hellman anonymous authentication (DH_anon). Also, you can set this parameter to FALSE for the client to authenticate itself to the server by using any of the non-SSL authentication methods supported by Oracle Advanced Security, such as Kerberos or RADIUS.
    Note:
    There is a known bug in which an OCI client requires a wallet even when using a cipher suite with DH_ANON, which does not authenticate the client."
    ~ Madrid.

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    * JDBCRealm for supporting RDBMS authentication.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to
    * implement both a login module (see JDBCLoginModule for an example)
    * which performs the authentication and a realm (as shown by this
    * class) which is used to manage other realm operations.
    * <P>A custom realm should implement the following methods:
    * <ul>
    *  <li>init(props)
    *  <li>getAuthType()
    *  <li>getGroupNames(username)
    * </ul>
    * <P>IASRealm and other classes and fields referenced in the sample
    * code should be treated as opaque undocumented interfaces.
    final public class JDBCRealm extends IASRealm
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    * JDBCRealm login module.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to implement
    * both a login module (as shown by this class) which performs the
    * authentication and a realm (see JDBCRealm for an example) which is used
    * to manage other realm operations.
    * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
    * extended by this class. PasswordLoginModule provides internal
    * implementations for all the LoginModule methods (such as login(),
    * commit()). This class should not override these methods.
    * <P>This class is only required to implement the authenticate() method as
    * shown below. The following rules need to be followed in the implementation
    * of this method:
    * <ul>
    *  <li>Your code should obtain the user and password to authenticate from
    *       _username and _password fields, respectively.
    *  <li>The authenticate method must finish with this call:
    *      return commitAuthentication(_username, _password, _currentRealm,
    *      grpList);
    *  <li>The grpList parameter is a String[] which can optionally be
    *      populated to contain the list of groups this user belongs to
    * </ul>
    * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
    * fields referenced in the sample code should be treated as opaque
    * undocumented interfaces.
    * <P>Sample setting in server.xml for JDBCLoginModule
    * <pre>
    *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
    *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
    *       <property name="jaas-context"  value="jdbcRealm"/>
    *    </auth-realm>
    * </pre>
    public class JDBCLoginModule extends PasswordLoginModule
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article: [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    * Realm wrapper for supporting certificate authentication.
    * <P>The certificate realm provides the security-service functionality
    * needed to process a client-cert authentication. Since the SSL processing,
    * and client certificate verification is done by NSS, no authentication
    * is actually done by this realm. It only serves the purpose of being
    * registered as the certificate handler realm and to service group
    * membership requests during web container role checks.
    * <P>There is no JAAS LoginModule corresponding to the certificate
    * realm. The purpose of a JAAS LoginModule is to implement the actual
    * authentication processing, which for the case of this certificate
    * realm is already done by the time execution gets to Java.
    * <P>The certificate realm needs the following properties in its
    * configuration: None.
    * <P>The following optional attributes can also be specified:
    * <ul>
    *   <li>assign-groups - A comma-separated list of group names which
    *       will be assigned to all users who present a cryptographically
    *       valid certificate. Since groups are otherwise not supported
    *       by the cert realm, this allows grouping cert users
    *       for convenience.
    * </ul>
    public class CertificateRealm extends IASRealm
       protected void init(Properties props)
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
        public void authenticate(X509Certificate certs[])
            throws LoginException
            // Set up SecurityContext, but that is not applicable to S1WS..
    }
    Edited by: mv on Apr 24, 2009 7:04 AM
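An added example, not from this post and not part of the web server's sources: a subclass of the CertificateRealm listed above that derives J2EE roles from the OU attributes of the client certificate's subject DN, which is the "hook for mapping different roles" the question asks about. It assumes the method signatures shown in the listing, that the "username" the container hands to getGroupNames() is the subject DN string, and that the exception classes live beside IASRealm in com.iplanet.ias.security.auth.realm; the package name and the ou-role-map property are hypothetical.

```java
package samples.security.certrealm;   // hypothetical package

import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.LoginException;

import com.iplanet.ias.security.auth.realm.BadRealmException;        // assumed location
import com.iplanet.ias.security.auth.realm.InvalidOperationException; // assumed location
import com.iplanet.ias.security.auth.realm.NoSuchRealmException;      // assumed location
import com.iplanet.ias.security.auth.realm.NoSuchUserException;       // assumed location
import com.iplanet.ias.security.auth.realm.certificate.CertificateRealm;

/**
 * CertificateRealm subclass that maps OU attributes of the client certificate's
 * subject DN onto J2EE roles. Chain validation is still done by NSS before this
 * code runs; the realm only decides group membership for web-container role checks.
 * Registered like the sample auth-realm in the post, e.g.
 *   <auth-realm name="certificate" classname="samples.security.certrealm.DnRoleCertificateRealm">
 *     <property name="ou-role-map" value="Admins:admin,Staff:registered-user"/>
 *   </auth-realm>
 */
public class DnRoleCertificateRealm extends CertificateRealm {

    /** Hypothetical realm property: comma-separated OU:role pairs. */
    static final String OU_ROLE_MAP = "ou-role-map";
    /** Every holder of a valid certificate is at least a visitor. */
    static final String DEFAULT_ROLE = "visitor";

    private final Map<String, String> ouToRole = new ConcurrentHashMap<String, String>();
    private final Map<String, Set<String>> groupCache = new ConcurrentHashMap<String, Set<String>>();

    protected void init(Properties props) throws BadRealmException, NoSuchRealmException {
        super.init(props);
        for (String pair : props.getProperty(OU_ROLE_MAP, "").split(",")) {
            String[] kv = pair.trim().split(":", 2);
            if (kv.length == 2 && kv[0].trim().length() > 0 && kv[1].trim().length() > 0) {
                ouToRole.put(kv[0].trim().toLowerCase(), kv[1].trim());
            }
        }
    }

    /** Called with the already verified chain; cache the groups so role checks need no re-parsing. */
    public void authenticate(X509Certificate[] certs) throws LoginException {
        super.authenticate(certs);
        if (certs == null || certs.length == 0) {
            throw new LoginException("no client certificate presented");
        }
        String dn = certs[0].getSubjectX500Principal().getName();
        groupCache.put(dn, rolesForDn(dn));
    }

    public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException {
        Set<String> groups = groupCache.get(username);
        if (groups == null) {
            groups = rolesForDn(username);   // assumption: username is the subject DN string
        }
        return Collections.enumeration(groups);
    }

    /** Subject DN -> roles, using RFC 2253 parsing instead of substring matching. */
    Set<String> rolesForDn(String dn) {
        Set<String> roles = new LinkedHashSet<String>();
        roles.add(DEFAULT_ROLE);
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("OU".equalsIgnoreCase(rdn.getType())) {
                    String role = ouToRole.get(String.valueOf(rdn.getValue()).toLowerCase());
                    if (role != null) {
                        roles.add(role);
                    }
                }
            }
        } catch (InvalidNameException e) {
            // An unparsable DN keeps only the default role; never escalate on a parse failure.
        }
        return roles;
    }
}
```

web.xml then keeps <auth-method>CLIENT-CERT</auth-method> and names this realm in <realm-name>; the role names on the right-hand side of the map are the ones referenced from <security-constraint> elements.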

  • CLIENT-CERT authentication in WL7

    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?

    Exactly, it was the reason. Thanks.
    Marcin
    On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
    > You must have been accessing the server over one-way SSL. Make sure the two-way ssl server attribute is set to: Client Certificate Enforced, or Client Certificate Requested But Not Enforced.
    > This should be all that is needed to make the server send the certificate request.
    > With Client Certificate Enforced option you should be getting ssl handshake failure unless the client sends its certificate.
    > Pavel.
    yazzva <[email protected]> wrote:
    Yes, I have. If I had not done it, I couldn't have accessed the service via https using basic authentication, and of course ssl debugging information and server configuration show that ssl is configured properly.
    The problem is that WL7 doesn't generate client cert request. Thanks for an attempt to help.
    Have you configured the server for two way ssl?
    See
    http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
    http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
    for information on this.
    Pavel.
    "yazzva" <[email protected]> wrote:
    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?
    --
    Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

  • Client-side handler: static config?

    I would like to provide a client-side JAX-RPC handler that would be invoked without any modification to existing client code. The idea is that users would only need to modify a config file (something like the web-services.xml file, but on the client-side) to use our handler.
    We are already doing this in axis (uses a client-side deployment descriptor: client_deploy.wsdd), but based on another thread ("Client Handler Chain - help ??"), it looks like there is currently no equivalent in WLS?
    Are there plans to add the ability to statically configure client-side handlers in WLS via some sort of client-side config file/descriptor, or is the programmatic method of modifying the HandlerRegistry in the client code the only way?
    Any help/ideas would be greatly appreciated!
    --Terry

    In 7.0, you can do this in a handler:
    import weblogic.webservice.binding.Binding;
    import weblogic.webservice.binding.soap.HttpClientBinding;
    import weblogic.webservice.client.SSLAdapter;
    String url = "http://my/new/address/";
    SSLAdapter sslAdapter = null; // only needed for ssl
    Binding binding = new HttpClientBinding( url, sslAdapter );
    context.setProperty( WLMessageContext.BINDING_PROP, binding );
    HTHs
    -manoj
    http://manojc.com
    "William Cassidy" <[email protected]> wrote in message news:[email protected]...
    Is there a similar way to set the endPointAddress.
    "manoj cheenath" <[email protected]> wrote:
    Ok, I will add this as a feature request.
    If you are ok with using WLS internal APIs (these APIs may change in the future), try this:
    weblogic.webservice.Operation operation = ((weblogic.webservice.WLMessageContext) messageContext).getOperation();
    weblogic.webservice.Port port = operation.getPort();
    String endPointAddress = port.getAddress();
    regards,
    -manoj
    "Terry Martin" <[email protected]> wrote in message news:[email protected]...
    Manoj, thanks for the response.
    We'd definitely like to see a client side dd at some point, but can work with the APIs for now. Thanks much for adding this as a feature request.
    On another subject:
    I need to determine the target/endpoint URL from my client-side request handler. Again, this was something we were able to do in axis, but is currently not part of the JAX-RPC standard (JSR101). I could be missing something, but haven't seen any way of determining the target URL given only the SOAPMessageContext. The only way seems to be if it were passed as a "standard" property in the SOAPMessageContext (this is one way it is done in axis).
    I imagine this will someday be standardized in JAX-RPC (I can think of many uses for this feature, other than our own). In the meantime, could you also add this as a feature request for WLS?
    Thanks again,
    -Terry
    "manoj cheenath" <[email protected]> wrote:
    True. In WLS 7.0 there are no client side dd in which you can specify the handler chain. We did not come up with our own client side dd, hoping that JSR109 will define the dd.
    It is quite easy to register the handlers through APIs. Let us know if that will not help you.
    I will add client side dd as a feature request for the next release.
    regards,
    -manoj
    "Terry Martin" <[email protected]> wrote in message news:[email protected]...
    I would like to provide a client-side JAX-RPC handler that would be invoked without any modification to existing client code. The idea is that users would only need to modify a config file (something like the web-services.xml file, but on the client-side) to use our handler.
    We are already doing this in axis (uses a client-side deployment descriptor: client_deploy.wsdd), but based on another thread ("Client Handler Chain - help ??"), it looks like there is currently no equivalent in WLS?
    Are there plans to add the ability to statically configure client-side handlers in WLS via some sort of client-side config file/descriptor, or is the programmatic method of modifying the HandlerRegistry in the client code the only way?
    Any help/ideas would be greatly appreciated!
    --Terry

  • EAP-TLS or PEAP authentication failed during SSL handshake

    Hi Pros,
    I am a newbie in the ACS 4.2 and EAP-TLS implementation; with that being said, I face an issue during an EAP-TLS implementation. My search shows that this kind of error message is usually a certificate issue; however, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-installed the cert chain as well.
    When I check my log in the failed attempts, this is what I found (columns of the ACS Failed Attempts report; columns with no value in these rows - Author-Failure-Code, Author-Data, Filter Information, PEAP/EAP-FAST-Clear-Name, Reason - are omitted):
    Failed attempt 1
      Date / Time:                 06/23/2010 17:39:51
      Message-Type:                Authen failed
      User-Name:                   000e.9b6e.e834
      Group-Name:                  Default Group
      Caller-ID:                   000e.9b6e.e834
      Network Access Profile Name: (Default)
      Authen-Failure-Code:         EAP-TLS or PEAP authentication failed during SSL handshake
      NAS-Port:                    1101
      NAS-IP-Address:              10.111.22.24
      EAP Type / EAP Type Name:    25 / MS-PEAP
      Access Device:               wbr-1121-zozo-test
      Network Device Group:        Office Network
    Failed attempt 2
      Date / Time:                 06/23/2010 17:39:50
      Message-Type:                Authen failed
      User-Name:                   [email protected]
      Group-Name:                  Default Group
      Caller-ID:                   000e.9b6e.e834
      Network Access Profile Name: (Default)
      Authen-Failure-Code:         EAP-TLS or PEAP authentication failed during SSL handshake
      NAS-Port:                    1098
      NAS-IP-Address:              10.111.22.24
      EAP Type / EAP Type Name:    25 / MS-PEAP
      Access Device:               wbr-1121-zozo-test
      Network Device Group:        Office Network
    [email protected] = my windows active directory name
    1. Why under EAP Type does it show MS-PEAP, not EAP-TLS? I did configure EAP-TLS....
    2. Why does it sometimes just show the MAC of the client as the username?
    3. Why does it put me in DEFAULT-GROUP even though I belong to a group well defined in the ACS?
    Secondly, when I check the passed authentications, this is what I saw (columns of the ACS Passed Authentications report; columns with no value in these rows - Shared RAC, Downloadable ACL, System-Posture-Token, Application-Posture-Token, Reason, EAP Type, EAP Type Name, PEAP/EAP-FAST-Clear-Name - are omitted):
    Passed authentication 1
      Date / Time:                 06/23/2010 17:30:49
      Message-Type:                Authen OK
      User-Name:                   groszozo
      Group-Name:                  NOC Tier 2
      Caller-ID:                   10.11.10.105
      NAS-Port:                    1
      NAS-IP-Address:              10.111.22.24
      Network Access Profile Name: (Default)
      Access Device:               wbr-1121-zozo-test
      Network Device Group:        Office Network
    Passed authentication 2
      Date / Time:                 06/23/2010 17:29:27
      Message-Type:                Authen OK
      User-Name:                   groszozo
      Group-Name:                  NOC Tier 2
      Caller-ID:                   10.11.10.105
      NAS-Port:                    1
      NAS-IP-Address:              10.111.22.24
      Network Access Profile Name: (Default)
      Access Device:               wbr-1121-zozo-test
      Network Device Group:        Office Network
    In the output below, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.
    Before I forget, the supplicant is using Win XP and 802.1x is enabled. I even unchecked "verify the server", and on the ACS under External User Databases I did check ENABLE EAP-TLS machine authentication.
    Thanks in advance for your help,
    Crazy---
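    The two questions above (why "EAP Type" shows MS-PEAP rather than EAP-TLS, and why the User-Name is sometimes just the client MAC) are the kind of thing a quick triage pass over the ACS "Failed Attempts" export answers. The following is an added example, not code from the post or from Cisco: it parses a constructed CSV with the column headings quoted above and flags SSL-handshake failures whose negotiated EAP method (IANA type 13 = EAP-TLS, 25 = PEAP, which ACS labels "MS-PEAP") differs from the one the supplicant is supposed to use, and counts entries whose User-Name equals the Caller-ID. The sample rows, the e-mail address and the expected method are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample in the ACS 4.x "Failed Attempts" CSV layout (only the
# columns needed for this triage are included); values are made up.
SAMPLE_LOG = """Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address,EAP Type,EAP Type Name,Access Device
06/23/2010,17:39:51,Authen failed,000e.9b6e.e834,Default Group,000e.9b6e.e834,EAP-TLS or PEAP authentication failed during SSL handshake,10.111.22.24,25,MS-PEAP,wbr-1121-zozo-test
06/23/2010,17:39:50,Authen failed,user@example.com,Default Group,000e.9b6e.e834,EAP-TLS or PEAP authentication failed during SSL handshake,10.111.22.24,25,MS-PEAP,wbr-1121-zozo-test
06/23/2010,17:41:02,Authen failed,user@example.com,Default Group,000e.9b6e.e834,(other failure; constructed),10.111.22.24,13,EAP-TLS,wbr-1121-zozo-test
"""

EAP_TLS = 13  # IANA EAP method type for EAP-TLS
PEAP = 25     # IANA EAP method type for PEAP (shown by ACS as "MS-PEAP")
HANDSHAKE_FAILURE = "EAP-TLS or PEAP authentication failed during SSL handshake"


def triage(csv_text, expected_eap_type=EAP_TLS):
    """Summarise failed attempts and flag handshake failures whose negotiated
    EAP method is not the one the supplicant is configured for."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    handshake = [r for r in rows if r["Authen-Failure-Code"] == HANDSHAKE_FAILURE]
    # A handshake failure logged with a different method than expected means the
    # client and server never agreed on EAP-TLS in the first place.
    mismatched = [r for r in handshake if int(r["EAP Type"]) != expected_eap_type]
    # User-Name equal to Caller-ID: the entry carries only the client MAC, so no
    # real identity reached ACS for that attempt.
    mac_only = [r for r in rows if r["User-Name"] == r["Caller-ID"]]
    return {
        "total": len(rows),
        "handshake_failures": len(handshake),
        "by_eap_type": dict(Counter(r["EAP Type Name"] for r in handshake)),
        "mismatched_method": sorted({r["Caller-ID"] for r in mismatched}),
        "mac_only_identity": len(mac_only),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```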

    Any ideas on this, guys?? On my end, I've been reading some docs... Things started to make sense to me, but I still cannot authenticate; still the same errors. One more thing that caught my attention now is the time it takes to open a telnet session to a Cisco device which has the ACS as its auth server.
    My AD (Active Directory) and the ACS server are local, on the same subnet (server subnet). A ping to the ACS from my desktop, which is in a different subnet, only takes 1ms. To confirm that the issue is the ACS server, I decided to use another server in a remote location; the telnet connection is way faster than to the local ACS.
    Let's brainstorm together to figure this out, guys.
    Thanks in advance,
    ----Paul

  • EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server

    We are running LWAPP (2006 WLCs and 1242 APs) and using ACS 4.0 for authentication. Our users are experiencing an issue where they are successfully authenticated the first time; however, as the number of them increases, they start to drop connections and are prompted to re-authenticate. At this point, they are not able to authenticate again.
    We're using PEAP for authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"... Not sure if this error msg is relevant, since we have other WLCs that are working OK and still generating the same error msg on the ACS...
    Thanks..

    Here are some configs you can try:
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    save config

  • EAP-TLS or PEAP authentication failed during SSL handshake error

    I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
    The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
    Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
    Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
    Thanks for the help

    My experience suggests that the problem is the certificate.
    I'm running ACS 3.3.
    I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
    Correctly following the instructions led to a successful connection and no more error message.

  • RUN form FMX from the client side

    Hi,
    I have installed Oracle Forms Developer 10g. I designed a simple form and ran it from the local machine, and it worked; then I wanted to try to connect to it from the client side, and it didn't work.
    Can you help with this please?

    No, you don't need to have an iAS to test this.
    Start your OC4J instance on your host.
    Copy the file default.env to test.env (located in <oracle_home>/forms/server).
    In test.env, modify your forms_path to the path where your form is residing.
    Modify your formsweb.cfg file (located in <oracle_home>/forms/server):
    add a named config at the end of the file (copy the example and modify it to your needs),
    looking like
    [test]
    envfile=test.env
    form=test.fmx
    userid=.../..@... (or you can leave this out and then you get an authentication pop up)
    leave the other stuff default
    Now, on your other client, call
    http://<your machine where oc4j is running>:8889/forms/frmservlet?config=test
    If you still have trouble with your fields, check whether you have other Java clients installed (I also experienced problems when other JVMs were installed with certain Jinitiator versions).
    If so, you can bypass this by making the JRE the standard instead of Jinitiator:
    put in your named config
    IE=native
    and change
    baseHTMLjinitiator=webutiljinit.htm
    baseHTMLie=webutiljpi.htm
    into
    baseHTMLjinitiator=webutiljpi.htm
    baseHTMLie=webutiljpi.htm
    Now you will load Sun's JRE instead of Jinit.
    Hope this helps,
    Erwin
