CSS11501 and client certificate processing
I use a CSS 11501 to accelerate SSL sessions and authenticate users.
The CSS gets the certificate from the client browser. The certificate DN contains, for example:
"CN=info1, SERIALNUMBER=REGON: 321123321, OU=info2, O=info3, C=PL".
The CSS sends the certificate to backend servers as:
"C=PL, O=info3, OU=info2 ADR, SN=REGON: 321123321, CN=info1".
There are two incorrect things:
1. The order of attributes in the DN is reversed. This is not compliant with RFC 1779.
2. SERIALNUMBER is replaced by the string SN.
How to resolve this problem?
What's your version?
Are you re-encrypting traffic to the backend?
Or are you using the header insert feature?
What is your config?
I do not think we touch the certificate.
We simply forward it as we receive it.
But I can verify.
Gilles.
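The backend side of the setup discussed above, as an added example (Python, not code from the thread or from Cisco): the backend should not compare the forwarded DN as a raw string, since the CSS emits the RDNs root-first and rewrites the attribute type, but parse it and compare a canonical form against the DN it expects. The alias table, which maps the SN spelling back to SERIALNUMBER, is an assumption specific to the rewrite seen in this thread (in RFC 4519, SN is the surname attribute); the sample DNs are constructed from the thread's values with the OU kept identical on both sides.

```python
"""Added example (not CSS code): canonicalise a client-certificate DN that a
TLS-terminating front end forwards to the backend, so the backend can compare
it with an expected DN regardless of RDN order or the front end's attribute
spelling.  The alias table and the sample DNs are constructed for this example."""

import re
from typing import Dict, List, Tuple

RDN = Tuple[str, str]

# Attribute-type spellings that differ between the browser's certificate and
# what the front end emitted in the thread ("SERIALNUMBER" became "SN").
# Assumption specific to that deployment: in RFC 4519 "SN" is the surname
# attribute (2.5.4.4), not serialNumber (2.5.4.5), so only enable this alias
# when the front end is known to rewrite the type this way.
DEFAULT_ALIASES: Dict[str, str] = {"SN": "SERIALNUMBER", "E": "EMAILADDRESS"}


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 1779/2253 string DN into (type, value) pairs.

    Backslash escapes ('CN=Doe\\, John') and double-quoted values are honoured,
    so a comma inside a value is not mistaken for an RDN separator.  The quote
    characters themselves are dropped; a '+' multi-valued RDN stays one value.
    """
    rdns: List[RDN] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # escaped character: take literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def _split_rdn(part: str) -> RDN:
    """'OU = info2 ' -> ('OU', 'info2'): type upper-cased, value whitespace collapsed."""
    if "=" not in part:
        raise ValueError(f"malformed RDN: {part!r}")
    attr, value = part.split("=", 1)
    return attr.strip().upper(), " ".join(value.split())


def canonical_rdns(dn: str, aliases: Dict[str, str] = DEFAULT_ALIASES) -> List[RDN]:
    """Aliases resolved and RDNs ordered leaf-first (CN ... C), the order RFC 1779
    and RFC 2253 use.  A DN that arrives root-first (C first, CN last, as the
    CSS in the thread sends it) is reversed; the detection is a heuristic on
    where the C attribute sits."""
    rdns = [(aliases.get(attr, attr), value) for attr, value in parse_dn(dn)]
    if len(rdns) > 1 and rdns[0][0] == "C" and rdns[-1][0] != "C":
        rdns.reverse()
    return rdns


def dn_matches(received: str, expected: str) -> bool:
    """True when both DNs canonicalise to the same RDN sequence.  Values are
    compared exactly; X.520 caseIgnoreMatch would be looser, which is deliberate."""
    return canonical_rdns(received) == canonical_rdns(expected)


def to_rfc2253(rdns: List[RDN]) -> str:
    """Serialise back to RFC 2253 form, escaping the special characters."""
    def esc(value: str) -> str:
        return re.sub(r'([,+"\\<>;])', r"\\\1", value)
    return ",".join(f"{attr}={esc(value)}" for attr, value in rdns)


if __name__ == "__main__":
    # Constructed from the thread's DN, with the OU value identical on both sides.
    forwarded = "C=PL, O=info3, OU=info2, SN=REGON: 321123321, CN=info1"
    expected = "CN=info1, SERIALNUMBER=REGON: 321123321, OU=info2, O=info3, C=PL"
    print(to_rfc2253(canonical_rdns(forwarded)))
    print("match:", dn_matches(forwarded, expected))
```

Whatever the comparison result, the forwarded DN is only worth trusting when the header that carries it can come from the CSS alone, which is the point Gilles raises with the header insert question: if a client-supplied copy of the same header can reach the backend, the canonical form is exact but meaningless.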
Similar Messages
-
JDBC Thin Connections with SSL and client certificates
Hi ,
we are going to have a look at JDBC Thin Connections with SSL and client certificates.
I have two questions:
1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
Thanks for your help
regards
Markus Reichert
I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under the $Jinitiator_Home/lib/security folder.
Steps to add the SSL Certificate:
1. Run the form with the https mode in the IE Browser.
2. Security Alert is raised.
3. Click on the View Certificate button.
4. In the Certificate Window, click on the Details tab.
5. Click on the Copy to File button to copy the certificate.
6. Copy the certificate and append it to the certdb.txt file.
IOS4, apple-mobile-web-app-capable and client certificates
IOS4 (4.0 and 4.0.1) seems to have broken apple-mobile-web-app-capable. I have a web application using client certificates to authenticate the user. This worked flawlessly on IOS3.x. However, after having upgraded my iPhone to IOS4, the application fails when started from the springboard with an error message telling me a client certificate is required (I have one installed). When I start the application from within Safari it works OK. I tracked the error down to the following line in the HTML code:
<meta name="apple-mobile-web-app-capable" content="yes" />
When I remove this line, the application works flawlessly again when started from the springboard. However the native look and feel are gone. As soon as I add this line to the HTML, the application works when started from Safari, but fails when started from the springboard.
Does anyone have a clue, or is this a bug in the apple-mobile-web-app-capable function of IOS4?
I have also experienced this problem on iOS 4.1. I want to authenticate access to a web-app using SSL client certificates but I get an error "Cannot Open ... requires a client certificate" when launching the app from the home screen. Very annoying!
Navigating to the page in Safari prompts the user to choose which certificate to use and then loads the page successfully. Just as a side question, is there any way to automatically associate a client certificate with a web site so that the user is never prompted to choose a certificate when accessing the site? I want an authentication process that is transparent to the user.
Router WebVPN and client certificate
Hello!
In my test lab I can't make my webvpn configuration work =\
I have several components: MS AD, MS CS (but without NDES), a 2911 router and a client computer. Client and router have a certificate from MS CS. In my configuration I use authentication by certificate or aaa (LDAP), and authentication by aaa works well. But authentication by client certificate doesn't work. And my internal https services also don't work - "Invalid or no certificate", but this is strange because I imported the CA certificate for this.
Can you help me make it work?
My 2911 version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
My Config:
aaa authentication login webvpn group ldap local
ip local pool webvpn 192.168.200.1 192.168.200.254
bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd
webvpn gateway vpn
ip address <ip address> port 4443
ssl trustpoint root-ca
inservice
webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
webvpn context employee
ssl authenticate verify all
login-message "VPN Portal"
policy group policy1
url-list "inside"
functions svc-enabled
filter tunnel VPN-SPLIT
svc address-pool "webvpn" netmask 255.255.255.0
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.1.1
svc dns-server secondary 192.168.1.2
citrix enabled
virtual-template 1
default-group-policy policy1
aaa authentication list webvpn
gateway vpn
authentication certificate
username-prefill
ca trustpoint root-ca
user-profile location flash0:/userprof
inservice
crypto pki trustpoint root-ca
enrollment terminal
revocation-check none
rsakeypair root-ca
I imported certificate from pkcs12 with CA certificate.
From my debug (this happened when I tried to access my webvpn portal and chose my certificate from MS CS for access):
Jun 5 11:22:39: WV: validated_tp : cert_username : matched_ctx :
Jun 5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun 5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun 5 11:22:39: WV: Error: No certificate validated for the client
Can anybody explain to me why it doesn't work?
Hi,
did you find any solution for this? It seems I am in the same situation now.
I am testing it with a Cisco 2911 - IOS version 151-3.T4 and the latest AnyConnect client for Android (Samsung Galaxy S III mobile)
Thanks for any advice/help
Pavel
UTL_HTTP and client certificate request
I am hoping that someone can help me. We have a web site that we need to hit and pull the html code back from the pages and we have the code to get what we need but the website now has an option where it requests a client certificate from a user for authentication or if you cancel the request it will then ask you for username and password. I cannot figure out how to submit a cancel on the client certificate request so that my application can submit the username and password authentication. Does anyone have an idea or example to do this? Also if you submit a bad certificate it will prompt you for authentication. So if someone knows how to submit client certificates that would be helpful as well.
Thanks in advance.
I've never faced this issue but you might want to look at using UTL_TCP rather than UTL_HTTP.
http://www.psoug.org/reference/utl_tcp.html
Multiple Exchange accounts and client certificates not working...?
Hi all,
I have a problem with my company iPads. I'm trying to configure 2 Exchange accounts with certificate-based authentication on my iPad with the iPhone config utility. For that I have created 2 client certificates.
When I configure just 1 mailbox, no matter which one of the 2, with the iPhone config util, it all works OK with client authentication.
When I configure 2 mailboxes on the iPad without client certificate authentication, it all works OK.
When I configure 2 mailboxes with the 2 client certificates with the iPhone config util, both Exchange accounts have the same mailbox. When I configure, for example, mailboxes Jim and Harry with the corresponding certificates and load it onto the iPad, the Exchange account of Jim has Jim's mailbox, but the Exchange account of Harry also has the mailbox of Jim. And sometimes it is vice versa.....
Can anybody help me with this? We are using 4th gen iPads with MS Exchange ActiveSync 2003 SP2 and MS Forefront TMG with Kerberos delegation.
Please advise.
Cheers,
Eddy
Hi Eddy,
I have the feeling that the SSL connection, after being established, is only using the first authenticated certificate to connect to the Exchange server.
Have you had a look over this Microsoft page:
http://technet.microsoft.com/en-us/magazine/ff472472.aspx
Are you able to test 2 accounts on one iPad in a test environment, preferably with SSL inspection off?
Do you have any information in the Forefront logs of the users being authenticated from the iPad? Or is one user authenticated twice?
Cheers,
IhalpU
SCCM 2012 IBCM and client certificate
Hi all, I need to answer a question about an IBCM SSL Bridging configuration.
If I am using more than one site server for each role, do I have to have a public DNS entry for each one of them (my guess is yes)?
And, if I have more than one site server used and published on public DNS, does my client certificate require a SAN for each one of them? Or is only the MP necessary, and will it give all the required information to my clients so that they are able to connect to the site server for each required role?
I am trying to understand a bit more how SSL Bridging works.
The planned architecture is that all roles would be on different servers, and that each one of them will be accessible from the internet. I am still trying to understand how the client will get the external FQDN for each role.
There doesn't seem to be much documentation out there about IBCM using many servers.
Thank you!
Mat
The client certificate is only used by the client for client authentication, so there is no requirement at all to add a SAN for the site system(s) in there. The web server certificate of the Internet-facing site system is the certificate that requires a SAN for the Internet FQDN and the intranet FQDN. Purely technically speaking, the requirement for both FQDNs is only for a SUP, or for a site system that's being used on the Internet and intranet.
For more information see also:
http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude
Web services and client certificates
Hello,
Is there a way to invoke a web service that sits on a web server that requires client certificate authentication? Like in Coldfusion 8 you can pass the client cert along with the cfhttp call. We're running into the problem of calling the page that invokes the web service, then the invoke fails because that's a call to a URL that is protected. Anyone know how to do this, or a good work around?
Any help is appreciated.
Thanks for the reply! I'm no expert either, that's why I'm here!
Yes, the certificate for the server is loaded. I'm doing this all on one machine, so I just loaded its own server certificate into the trust store. The problem is the server is protected by client authentication via certificates. I guess I'm relating this to a regular request, where if you have a server that requires certificates, you can pass along the cert in a CFHTTP call with the clientCert parameter. Here we are calling a page that invokes the web service which is really another request. This is where the issue is, since I don't see how to send along the certificate information in the invoke call.
Thanks for the help!
AnyConnect and client certificate
Hi,
I was looking at 'BRKSEC-3033 - Advanced AnyConnect Deployment' on Ciscovirtuallive.
On that session the presenter says that:
"Issuer of client certificate may not be the same as the issuer of the ASA certificate."
With my basic PKI understanding :-), anyone know why you cant have the same certificate issuer?
It's a good presentation, can recommend it.
BR
Micke
Hello Mikael,
You CAN have the same certificate issuer!!
I think he said it was an option to not have it with AnyConnect, but as your PKI understanding states, you can have it like that.
Regards,
Julio
Do rate all the helpful posts
Forms 10G - Java applet and Client Certificate
Hello,
I recently developed a servlet to read a client certificate on the application server.
I set the apache server to request a client certificate on launching.
Everything works fine.
Now, my customer wants to stop the application when the client certificate is removed (The client certificate is stored on a USB key).
After some tests, I realized that the client certificate is stored inside the Java Applet cache.
In other words, the Certificate is removed from the browser store (as expected) but not from the Applet store.
So my question is, Is it possible to configure Java applet not to keep certificate in cache ?
Or is there a way to force the Applet to synchronize with the certificate store of the browser?
Thanks in advance for your help.
Thank you very much for your link... I saw there that you had the same problem. My question now is if Frank (I know him from the Forms Forum :)) did tell you about working with the embedded server starting it as an external OC4J instance.
If he did please tell me also. I am interested in that because I haven't heard of any patch on JDeveloper 10g on this matter.
All the best
Hi,
We are using Forms 6i deployed using 9iAS Release 1(1.0.2.2.2a).
We are using the "Forms Listener Servlet" implementation, and have successfully configured Apache (Oracle HTTP Server) using mod_ssl to use Server Side certificates to provide SSL / HTTPS communications.
I have also been attempting to validate the existence of Client Side (personal) certificates. This has been successful when accessing normal Web Pages, but not when accessing the Forms Application.
We are using JInitiator on the client (1.1.8.19), and receive a Java Exception ---
javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
Looking on the server logs, we can see the following error
OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
I have used all the Oracle documentation (notes 130728.1, 147836.1 and 161161.1), but nowhere does this state that Client Side Certification is supported by using JInitiator (or any other JVM).
Searching other forums, it appears that this may just not be
supported by any JVM running on the client machine.
Has anyone any information or experience of successfully using Client Side Certificates to deploy Oracle Forms with 9iAS?
Many Thanks
Marc Ludwig
I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under the $Jinitiator_Home/lib/security folder.
Steps to add the SSL Certificate:
1. Run the form with the https mode in the IE Browser.
2. Security Alert is raised.
3. Click on the View Certificate button.
4. In the Certificate Window, click on the Details tab.
5. Click on the Copy to File button to copy the certificate.
6. Copy the certificate and append it to the certdb.txt file.
CSS11501 and intermediate certificates
Hi,
First : we have the following css :
Product Name: CSS11501S-K9 F0 SW Version: 07.50.1.03
Version: sg0750103 (07.50.1.03)
Flash (Locked): 07.50.1.03
Flash (Operational): 07.50.1.03
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
I was wondering if there is a way to provide intermediate ssl certificates on the css. We used to upload the pem cert and key and this always worked. Recently we have changed to premium ssl certs from verisign and it looks like we will need to provide the intermediate certificate on the css.
Does anybody know any reference as to how we can do this ?
Kind regards,
Ronny
Hi,
No need to look, found it on the net.
Kind regards,
Ronny
Anyconnect and client certificates for dynamic access policies (dap)
I'm faced with the challenge of rolling out AnyConnect to our clients (which I've done before at another job) but in this case we want to 'NAC' vpn clients... We're still in discussion around the security policy and those details, but I wanted to see if folks on this forum could chime in with their experience on this.
We have a mix of Windows, Linux and Macs that are corporate issued devices that should receive some form of posture checking and then be granted access. Personal devices would also be subjected to some level of posture checking, but if during the initial scan it was deemed that this is not a corporate machine, then that machine would have very limited access.
From what I've read, the OS agnostic route to take is using certificates. I'm looking for design tips or docs that would assist in rolling this out. We do not have a PKI infrastructure today. So some of the questions I have are:
Can the ASA manage all of the client issued certs? From enrollment to revocation?
Or would I look to my Windows infrastructure for that? And if so, how does that integrate with the ASA?
Client certs vs machine certs?
Any advice from high level to low level or partial answers would be appreciated...
Thanks
"Can the ASA manage all of the client issued certs? From enrollment to revocation?"
Yes, please check the Cisco url below, configuration method.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html#wp1067758
Hope that helps.
thanks
Rizwan Rafeek
CSS SSL and client certificate
Hello,
In a situation where SSL Traffic is terminated on a SSL Module.
And having clients which do client certification.
There are 2 contents available on the webserver.
One for certified users and one for both.
Is there a way to restrict a path of a url to clients which performed a client cert?
And have all other content on that server aviable to both , certified and not certified clients?
Sven
Hi Gilles,
I have not described my problem at all.
Currently we are doing the SSL Termination on a webserver.
There are two locations specified in the apache config.
Like this:
<Location /webservices/onlytoca>
SSLVerifyClient require
SSLVerifyDepth 0
</Location>
So the path /webservices/onlyToCa is only allowed to clients which did a certification via client cert.
The /content is allowed to all.
I have to migrate to the SSL-Module because we need to analyse the URL for stickyness.
My question was, is there a way to restrict a url path to clients which did a client certification.
I can set up the ssl-server to ignore certification failures.
Also, do you know about the HTTP-Header insert? Is the header to be inserted also if the client has not been certified via cc or only if the client performed a certification?
If not, a solution would be to have 3 content rules:
one which checks for the existence of an HTTP header which is set when the request is certified.
There i can limit the URL to /webservices/toCaOnly/*
one cr, which allows any other content
one cr, which sends a redirect to a error page. This one should only be accessed if the url is /webservices/toCaOnly and the http header is not set.
I hope I wrote it down clearly enough to understand.
Sven
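The three content rules Sven sketches, as an added example in Python (not CSS or Apache configuration, and not code from the thread): an ordered rule table that admits a protected prefix only when the front end's inserted header is present, redirects to an error page otherwise, and passes everything else through. It also models the step that makes such a header safe to rely on, which is the answer to Sven's header-insert question from a risk standpoint: the front end must drop any client-supplied copy of the header before inserting its own, and the rule must match on a normalized path so that dot segments in the request cannot route past the prefix check. The header name X-Client-Cert-DN, the error page path and the sample requests are assumptions made for this example.

```python
"""Added example (not CSS or Apache code): enforce client-certificate
authentication for one URL prefix behind a TLS-terminating front end that
signals a verified client certificate by inserting an HTTP header.  The header
name X-Client-Cert-DN, the error page and the sample requests are assumptions
made for this example."""

from posixpath import normpath
from typing import Dict, Iterable, Optional, Tuple

CERT_HEADER = "x-client-cert-dn"            # assumed name of the inserted header
PROTECTED_PREFIX = "/webservices/toCaOnly"  # the path that is cert-only in the thread
ERROR_PAGE = "/error/client-cert-required"  # assumed target of the redirect rule


def strip_client_supplied(headers: Dict[str, str],
                          names: Iterable[str] = (CERT_HEADER,)) -> Dict[str, str]:
    """What the front end must do before inserting its own header: drop every
    copy of that name the client sent (header names are case-insensitive).
    Without this step any client could forge the 'certified' signal, because
    the backend cannot tell an inserted header from a forwarded one."""
    drop = {n.lower() for n in names}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def front_end(headers: Dict[str, str], verified_dn: Optional[str]) -> Dict[str, str]:
    """Model of the front end: strip first, then insert only when the TLS
    handshake actually verified a client certificate."""
    out = strip_client_supplied(headers)
    if verified_dn is not None:
        out[CERT_HEADER] = verified_dn
    return out


def normalize_path(path: str) -> str:
    """Query string off, dot segments and duplicate slashes collapsed, so a
    prefix rule sees the path the backend will actually resolve: a request
    for '/content/../webservices/toCaOnly/x' is a request for the protected
    resource.  Matching stays case-sensitive, like URL paths."""
    return normpath("/" + path.split("?", 1)[0].lstrip("/"))


def is_protected(path: str) -> bool:
    """Prefix match on whole path segments: '/webservices/toCaOnlyX' is not
    inside '/webservices/toCaOnly'."""
    p = normalize_path(path)
    return p == PROTECTED_PREFIX or p.startswith(PROTECTED_PREFIX + "/")


def decide(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """The three content rules from the thread, evaluated in order:
    1. protected path and the inserted header present  -> (200, path)
    2. protected path and the header absent            -> (302, ERROR_PAGE)
    3. any other path                                  -> (200, path)
    Returns the status code and the normalized path or the redirect target."""
    lowered = {k.lower(): v for k, v in headers.items()}
    target = normalize_path(path)
    if is_protected(path) and not lowered.get(CERT_HEADER):
        return 302, ERROR_PAGE
    return 200, target


if __name__ == "__main__":
    # Constructed requests: a client-supplied header with no certificate
    # presented, and a session in which the front end verified a certificate.
    forged = front_end({"X-Client-Cert-DN": "CN=forged", "Host": "app.example"}, None)
    real = front_end({"Host": "app.example"}, "CN=info1,O=info3,C=PL")
    for label, hdrs in (("no cert", forged), ("verified", real)):
        print(label, decide("/webservices/toCaOnly/orders", hdrs))
    print("dot segments", decide("/content/../webservices/toCaOnly/orders", forged))
```

The redirect rule is the one Sven wants to fire only for the protected prefix, so it is checked after the prefix test rather than as a catch-all; the same ordering is what makes a third, permissive rule safe for `/content`.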
About personal CA root and client certificates
Hi Guys,
I'm creating a topic here, but I'm not sure of the place. There are two servers, one on 10.6.2, the other on 10.5.8.
I've created, with Certificate Assistant, my own CA on my 10.6.2 server. I would like to use it to sign a certificate used by my mail server (running on a 10.5.8 server).
So in Server Admin (on the 10.5.8 server) I've created a self-signed certificate, then a CSR for this certificate. I sent it to my 10.6.2 server (which has the CA in the Admin Keychain) and, with the Certificate Assistant, I signed it. The result is a .cer file.
I tried to "Add Signed or Renew Certificate from a Certificate Authority..." but the certificate remains Self-Signed. I tried to import the certificate, but it doesn't work anymore.
I'm doing something wrong, but I can't see what. Who can help me?
Thanks in advance,
Jacques
You can refer to these two:
http://weblogic-wonders.com/weblogic/2010/11/11/configuring-ssl-on-weblogic-server-custom-identity-and-custom-trust/
http://weblogic-wonders.com/weblogic/2011/05/25/ssl-configuration-for-weblogic-server/