Dynamically Accept Client Certificates

Hello all,
I am writing a simple client/server app using TLS and I have a problem with the following:
Each client machine will be uniquely identified with a certificate generated at compilation of the program with keytool. Each client will also have a copy of the server's public key certificate. But the server will have to be informed of the client's public key each time a new client connects.
In a nutshell: is it possible for the client to send its public key certificate to the server via an unsecure connection (ie: not using SSL) and have the server "add" that certificate to its TrustManager dynamically? As of now, the only way I can get the server to trust more clients is importing the public keys into a keystore with "keytool -import" and restarting the server. This, of course, is not acceptable.
I know that if a server dynamically accepts each certificate its thrown at it its the same as not having the client authenticate itself but its a (stupid) requirement so I have no say in this.

It's an extremely stupid requirement and you should certainly have your say in this. Any time you spend on this is wasted time and wasted money on the part of the people who determined that it should be done. They should simply turn off needClientAuth at the server and be done with it, or bite the bullet and import the certificates properly.
Nothing in the way of client-authentication security would be provided by this nonsense, and you can tell them I said so. For a reference see http://www.telekinesis.com.au/wipv3_6/FundamentalNetworkingInJava.A21 - I wrote it.
As a professional, you should certainly stick your hand up and say so loudly and clearly.

Similar Messages

Client Certificate Prompting

Environment:
Windows 2003 Server
IIS 6.0
Java Applets
JVM 1.6
I currently have IIS set to "accept client certificates" and have a valid list in my Certificate Trust List of certificates I want to accept. I also have Windows Authentication set in the event the user does not have a valid client certificate type then they will be prompted for their Windows Login. My problem is that even though they authenticate via Windows they are still being prompted for certificates by the JVM and of course there are none in IEs store.
Is there a way to stop this or is this just a way of life.

I think it is related to the certificate you are using: what are the available CRL's (Certificate Revocation List) in that certificate? You can see that by opening the properties of the cert. The client might want to check the CRL of your CA and has no permission
to do it.
You might want to check if the CRL distribution point as configured in the certification is accessible by the client or generate a different certificate with a different distribution point.
Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be

Webtop Client has to accept security certificate at each login

Hello again,
another issue we currently are facing is that users who are connecting via the webtop client (btw the NC works way better, in ways of printing perfomance and login speed) have to accept the security warning EVERY time:
"The Secure Global Desktop server you're connecting to is using an untrusted or unrecognized security certificate.
Accept the certificate only if you are sure there is no security risk. If you are unsure, click Don't Accept and contact an Administrator (you won't be able to log in)...." and then it says "you are connecting for the first time blabla"...
This only happens when connecting to the classic Tarantella subsystem only, not to the SGD.
Any hints?
Regards
Joerg

Hello again,
another issue we currently are facing is that users
who are connecting via the webtop client (btw the NC
works way better, in ways of printing perfomance and
login speed) have to accept the security warning
EVERY time:
"The Secure Global Desktop server you're connecting
to is using an untrusted or unrecognized security
certificate.
Accept the certificate only if you are sure there is
no security risk. If you are unsure, click Don't
Accept and contact an Administrator (you won't be
able to log in)...." and then it says "you are
connecting for the first time blabla"...
This only happens when connecting to the classic
Tarantella subsystem only, not to the SGD.
Any hints?
Regards
JoergJoerg,
it'd be great to know which version of SSGD you're playing with.
I assume this is version 4.3x but assumptions do not always work :-)
If the above stands, the release notes for SSGD 4.31 say:
=== cut here === 8< ===
Protecting Clients Against Unauthorized Servers
As the SGD Client can now start and log in automatically, it is vital that users only
connect to a host that is trusted. In this release, users must explicitly authorize the
connection to SGD.
When a user connects to a SGD host for the first time, they see an Untrusted Initial
Connection warning message that asks them whether they really want to connect to
the host. The message displays the host name and fingerprint of the security
certificate for the server they are connecting to. Users should check these details
before clicking Yes. Once a user agrees to the connection, they are not prompted again
unless there is a problem.
To ensure that users only connect to SGD servers that are trusted, SGD
Administrators should do the following:
■ Provide users with a list of host names and fingerprints for the servers that are
trusted. Use the tarantella security fingerprint command on each
member of the array to obtain a list of fingerprints.
■ Explain to users the security implications of agreeing to connect to server.
In a fresh installation, each SGD host has its own self-signed security certificate.
Administrators should obtain and install a valid X.509 certificate for each SGD host.
Note � If you are using the classic webtop, the Java technology client prompts users
every time it connects to a SGD server. The SGD Native Client never prompts users.
=== cut here === 8< ===
I think the above note is important.
For testing, using OpenSSL I manually created a local CA and signed a Certificate Signing Request generated by SSGD (tarantella security certrequest...); once I imported both the SSGD server and the CA certificates into the browser, everything worked fine.
Hope this helps.
Best,
Rob

When I attempt to access my IRA account on line, I get a message saying that the web site requires a client certificate. The certificates listed in the drop down dialog box don't get accepted, even though one is indicated as valid and good until 10/2014.

When I attempt to access my IRA account on line, I get a message saying that the web site requires a client certificate. The certificates listed in the drop down dialog box don't get accepted, even though one is indicated as valid and good until October 2014. I contacted the IRA account managment company and they sais it's an Apple issue. Any ideas?

Some websites require a special client certficate for access. If you don't have that certficate, you'll have to contact the site operator to find out how to get one.
Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.
The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.
Back up all data.
Double-click anywhere in the line below on this page to select it:
com.apple.idms.appleid.prd
Copy the selected text to the Clipboard by pressing the key combination command-C.
Launch the Keychain Access application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with string you searched for, and the Kind will be "certificate."
Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.
The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.
Credit for this idea to Christian Braukmueller of SAP.

Asking specific client certificate (not certificates trusted by authority)

As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
For example:
Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?

I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
It might not be elegantBut it is!
See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.

Using X.509 Client Certificates - SAP ABAP Webgui (SSL)

Hello,
current runs the integrated ITS (Webgui). We now want the smart card and have adapted to the configuration:
RZ10:
icm/server_port_0=PROT=HTTPS,PORT=1443,TIMEOUT=180
icm/HTTPS/verify_client=2
table USREXTID: C=DE,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,emailAddress=xxx
smart card certification -> firefox 2.x and IE 7.x install.
SICF: Webgui Service -> Login with Client Certificate
The test (with IE or Firefox) was unsuccessful.
SMICM Trace:
[Thr 5708] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] << -
End of Secude-SSL Errorstack -
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
[Thr 5708] ->> SapSSLErrorName(rc=-56)
[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1777]
[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
What should I do now?
Thanks, Silke
Full Trace:
sysno 02
sid RD1
systemid 560 (PC with Windows NT)
relno 7000
patchlevel 0
patchno 148
intno 20050900
make: multithreaded, ASCII, optimized
pid 5468
[Thr 5416] started security log to file dev_icm_sec
[Thr 5416] ICM running on: sdatu100.pvw.tu-darmstadt.de
[Thr 5416] MtxInit: 30001 0 2
[Thr 5416] IcmInit: listening to admin port: 65000
[Thr 5416] DpSysAdmExtCreate: ABAP is active
[Thr 5416] DpSysAdmExtCreate: VMC (JAVA VM in WP) is not active
[Thr 5416] DpShMCreate: sizeof(wp_adm) 13576 (1044)
[Thr 5416] DpShMCreate: sizeof(tm_adm) 36258120 (18120)
[Thr 5416] DpShMCreate: sizeof(wp_ca_adm) 18000 (60)
[Thr 5416] DpShMCreate: sizeof(appc_ca_adm) 6000 (60)
[Thr 5416] DpCommTableSize: max/headSize/ftSize/tableSize=2000/8/2112040/2112048
[Thr 5416] DpShMCreate: sizeof(comm_adm) 2112048 (1048)
[Thr 5416] DpSlockTableSize: max/headSize/ftSize/fiSize/tableSize=0/0/0/0/0
[Thr 5416] DpShMCreate: sizeof(slock_adm) 0 (96)
[Thr 5416] DpFileTableSize: max/headSize/ftSize/tableSize=0/0/0/0
[Thr 5416] DpShMCreate: sizeof(file_adm) 0 (72)
[Thr 5416] DpShMCreate: sizeof(vmc_adm) 0 (1296)
[Thr 5416] DpShMCreate: sizeof(wall_adm) (224040/329544/56/100)
[Thr 5416] DpShMCreate: sizeof(gw_adm) 48
[Thr 5416] DpShMCreate: SHM_DP_ADM_KEY (addr: 028C0040, size: 38968448)
[Thr 5416] DpShMCreate: allocated sys_adm at 028C0040
[Thr 5416] DpShMCreate: allocated wp_adm at 028C1B30
[Thr 5416] DpShMCreate: allocated tm_adm_list at 028C5038
[Thr 5416] DpShMCreate: allocated tm_adm at 028C5068
[Thr 5416] DpShMCreate: allocated wp_ca_adm at 04B591B0
[Thr 5416] DpShMCreate: allocated appc_ca_adm at 04B5D800
[Thr 5416] DpShMCreate: allocated comm_adm at 04B5EF70
[Thr 5416] DpShMCreate: system runs without slock table
[Thr 5416] DpShMCreate: system runs without file table
[Thr 5416] DpShMCreate: allocated vmc_adm_list at 04D629A0
[Thr 5416] DpShMCreate: allocated gw_adm at 04D629E0
[Thr 5416] DpShMCreate: system runs without vmc_adm
[Thr 5416] DpShMCreate: allocated ca_info at 04D62A10
[Thr 5096] IcmProxyWatchDog: proxy watchdog started
[Thr 5416] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
[Thr 5416] IcmCreateWorkerThreads: created worker thread 0
[Thr 5416] IcmCreateWorkerThreads: created worker thread 1
[Thr 5416] IcmCreateWorkerThreads: created worker thread 2
[Thr 5416] IcmCreateWorkerThreads: created worker thread 3
[Thr 5416] IcmCreateWorkerThreads: created worker thread 4
[Thr 5416] IcmCreateWorkerThreads: created worker thread 5
[Thr 5416] IcmCreateWorkerThreads: created worker thread 6
[Thr 5416] IcmCreateWorkerThreads: created worker thread 7
[Thr 5416] IcmCreateWorkerThreads: created worker thread 8
[Thr 5416] IcmCreateWorkerThreads: created worker thread 9
[Thr 4352] IcmWatchDogThread: watchdog started
[Thr 5672] =================================================
[Thr 5672] = SSL Initialization on PC with Windows NT
[Thr 5672] = (700_REL,Mar 25 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 5672] profile param "ssl/ssl_lib" = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
 resulting Filename = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
[Thr 5672] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 18 2005) MT-safe
[Thr 5672] = current UserID: SDATU100\SAPServiceRD1
[Thr 5672] = found SECUDIR environment variable
[Thr 5672] = using SECUDIR=D:\usr\sap\RD1\DVEBMGS02\sec
[Thr 5672] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLC.pse" not found,
[Thr 5672] = using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
[Thr 5672] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLA.pse" not found,
[Thr 5672] = using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
[Thr 5672] ******** Warning ********
[Thr 5672] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 5672] *** -- this will probably limit SSL-client side connectivity
[Thr 5672] ********
[Thr 5672] = Success -- SapCryptoLib SSL ready!
[Thr 5672] =================================================
[Thr 5672] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no
X.509 cert data will be removed from header [http_plg.c 720]
[Thr 5672] ISC: created 400 MB disk cache.
[Thr 5672] ISC: created 50 MB memory cache.
[Thr 5672] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
[Thr 5672] HttpExtractArchive: files from archive D:\usr\sap\RD1\SYS\exe\run/icmadmin.SAR in directory D:/usr/sap/RD1/DVEBMGS02/
[Thr 5672] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0
[Thr 5672] CsiInit(): Initializing the Content Scan Interface
[Thr 5672] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/32/32)
[Thr 5672] CsiInit(): CSA_LIB = "D:\usr\sap\RD1\SYS\exe\run\sapcsa.dll"
[Thr 5672] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0
[Thr 5672] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=3, flags=1052677) for /:0
[Thr 5672] Started service 1443 for protocol HTTPS on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=9
[Thr 5672] Started service 25000 for protocol SMTP on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=8
[Thr 5672] Tue Jul 15 14:38:37 2008
[Thr 5672] *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c 4578]
[Thr 5672] *** WARNING => IcmNetCheck: 1 possible network problems detected - please check the network/DNS settings [icxxman.c
[Thr 3932] Tue Jul 15 14:39:32 2008
[Thr 3932] *** WARNING => IcmCallAllSchedules: Schedule func 1 already running - avoid recursion [icxxsched.c 430]
[Thr 5416] Tue Jul 15 14:40:23 2008
[Thr 5416] IcmSetParam: Switched trace level to: 3
[Thr 5416] *
[Thr 5416] * SWITCH TRC-LEVEL to 3
[Thr 5416] *
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 5416] NiIWrite: hdl 3 sent data (wrt=80,pac=1,MESG_IO)
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
[Thr 5416] NiBufISelProcess: hdl 9 process r-
[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
[Thr 5416] NiBufIIn: NIBUF len=72
[Thr 5416] NiBufIIn: packet complete for hdl 9
[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: ---
[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
[Thr 5416]
NiBufReceive starting
[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
[Thr 5416] IcmRecMsg: received 72 bytes
[Thr 5416] ============================================
[Thr 5416] | COM_DATA:
[Thr 5416] | Offset: 0 | Version: 7000
[Thr 5416] | MsgNo: 2 | Opcode: ICM_COM_OP_ICM_MONITOR (66)
[Thr 5416] ============================================
[Thr 5416] IcmHandleAdmMsg: op: 66
[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
[Thr 5416] NiBufDup: ref 1 for buf 0252CE50
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 13
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 4392] IcmWorkerThread: worker 3 got the semaphore
[Thr 4392] REQUEST:
 Type: ADMMSG Index = 12
[Thr 4392] NiBufFree: ref 1 for buf 0252CE50
[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
[Thr 4392] MPI<a>0#5 GetInbuf -1 138968 440 (1) -> 6
[Thr 4392] IcmHandleMonitorMessage: called with opcode: 100
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 4392] MPI<9>1#4 GetOutbuf -1 1489a0 65536 (0) -> 05348A00 0
[Thr 4392] MPI<a>0#6 FreeInbuf#2 0 138968 0 -> 0
[Thr 4392] MPI<9>1#5 FlushOutbuf l-1 1 1 1489a0 1104 6 -> 053489E0 0
[Thr 4392] IcmWorkerThread: Thread 3: Waiting for event
[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
[Thr 5416] NiBufISelProcess: hdl 9 process r-
[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
[Thr 5416] NiBufIIn: NIBUF len=72
[Thr 5416] NiBufIIn: packet complete for hdl 9
[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: ---
[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
[Thr 5416]
NiBufReceive starting
[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
[Thr 5416] IcmRecMsg: received 72 bytes
[Thr 5416] ============================================
[Thr 5416] | COM_DATA:
[Thr 5416] | Offset: 0 | Version: 7000
[Thr 5416] | MsgNo: 2 | Opcode: ICM_COM_OP_ICM_MONITOR (66)
[Thr 5416] ============================================
[Thr 5416] IcmHandleAdmMsg: op: 66
[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
[Thr 5416] NiBufDup: ref 1 for buf 0252CE50
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 14
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 5784] IcmWorkerThread: worker 4 got the semaphore
[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
[Thr 5416] NiBufFree: ref 1 for buf 0252CE50
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5784] REQUEST:
 Type: ADMMSG Index = 13
[Thr 5784] MPI<c>0#5 GetInbuf -1 1489a0 440 (1) -> 6
[Thr 5784] IcmHandleMonitorMessage: called with opcode: 100
[Thr 5784] MPI1#4 GetOutbuf -1 138968 65536 (0) -> 053389C8 0
[Thr 5784] MPI<c>0#6 FreeInbuf#2 0 1489a0 0 -> 0
[Thr 5784] MPI1#5 FlushOutbuf l-1 1 1 138968 1104 6 -> 053389A8 0
[Thr 5784] IcmWorkerThread: Thread 4: Waiting for event
[Thr 4352] Tue Jul 15 14:40:26 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 5416] Tue Jul 15 14:40:29 2008
[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
[Thr 5416] IcmExternalLogin: Connection request from Client received
[Thr 5416] NiIAccept: hdl 6 accepted connection
[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8076 (I4; ST)
[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1305
[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 3 sec
[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 15
[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
[Thr 3932] IcmWorkerThread: worker 5 got the semaphore
[Thr 3932] REQUEST:
 Type: ACCEPT CONNECTION Index = 14
[Thr 3932] CONNECTION (id=1/8):
 used: 1, type: 1, role: 1, stateful: 0
 NI_HDL: 8, protocol: HTTPS(2)
 local host: 130.83.89.22:1443 ()
 remote host: 192.168.1.3:1305 ()
 status: NOP
 connect time: 15.07.2008 14:40:29
 MPI request: <0> MPI response: <0>
 request_buf_size: 0 response_buf_size: 0
 request_buf_used: 0 response_buf_used: 0
 request_buf_offset: 0 response_buf_offset: 0
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 3932] MPI:1 create pipe 052002C0 1
[Thr 3932] MPI<d>1#1 Open( ANONYMOUS 1 1 ) -> 1
[Thr 3932] MPI<d>1#2 Open( ANONYMOUS 1 0 ) -> 1
[Thr 3932] MPI:0 create pipe 05200180 1
[Thr 3932] MPI<e>0#1 Open( ANONYMOUS 0 0 ) -> 0
[Thr 3932] MPI<e>0#2 Open( ANONYMOUS 0 1 ) -> 0
[Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 3932] <<- SapSSLSessionInit()==SAP_O_K
[Thr 3932] in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
[Thr 3932] out: sssl_hdl = 003FFBC0
[Thr 3932] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
[Thr 3932] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 3932] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1305
[Thr 3932] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
[Thr 3932] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 3932] SapISSLServerCacheExpiration(): Calling ServerCacheCleanup() (lifetime=900)
[Thr 3932] SapISSLServerCacheExpiration(srv,"D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse"): Cache max/before/now = 5000/1/1
[Thr 5096] Tue Jul 15 14:40:32 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)
[Thr 4352] Tue Jul 15 14:40:36 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmCheckForBlockedThreads: check for blocked SSL-threads
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 5096] Tue Jul 15 14:40:42 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)
[Thr 3932] Tue Jul 15 14:40:45 2008
[Thr 3932] peer has closed connection
[Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED
[Thr 3932] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
[Thr 3932] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
[Thr 3932] NiICloseHandle: shutdown and close hdl 8 / sock 8076
[Thr 3932] MPI<d>1#3 Close( 1 ) del=0 -> 0
[Thr 3932] MPI<d>1#5 Delete( 1 ) -> 0
[Thr 3932] MPI<d>1#4 Close( 1 ) del=1 -> 0
[Thr 3932] MPI<e>0#3 Close( 0 ) del=0 -> 0
[Thr 3932] MPI<e>0#5 Delete( 0 ) -> 0
[Thr 3932] MPI<e>0#4 Close( 0 ) del=1 -> 0
[Thr 3932] IcmConnFreeContext: context 1 released
[Thr 3932] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 3932] IcmWorkerThread: Thread 5: Waiting for event
[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
[Thr 5416] IcmExternalLogin: Connection request from Client received
[Thr 5416] NiIAccept: hdl 6 accepted connection
[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8092 (I4; ST)
[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1309
[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
[Thr 5416] IcmConnCheckStoredClientConn: check for client conn timeout
[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 60 sec
[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 16
[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
[Thr 5708] IcmWorkerThread: worker 6 got the semaphore
[Thr 5708] REQUEST:
 Type: ACCEPT CONNECTION Index = 15
[Thr 5708] CONNECTION (id=1/9):
 used: 1, type: 1, role: 1, stateful: 0
 NI_HDL: 8, protocol: HTTPS(2)
 local host: 130.83.89.22:1443 ()
 remote host: 192.168.1.3:1309 ()
 status: NOP
 connect time: 15.07.2008 14:40:45
 MPI request: <0> MPI response: <0>
 request_buf_size: 0 response_buf_size: 0
 request_buf_used: 0 response_buf_used: 0
 request_buf_offset: 0 response_buf_offset: 0
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5708] MPI:0 create pipe 05200180 1
[Thr 5708] MPI<f>0#1 Open( ANONYMOUS 0 1 ) -> 0
[Thr 5708] MPI<f>0#2 Open( ANONYMOUS 0 0 ) -> 0
[Thr 5708] MPI:1 create pipe 052002C0 1
[Thr 5708] MPI<10>1#1 Open( ANONYMOUS 1 0 ) -> 1
[Thr 5708] MPI<10>1#2 Open( ANONYMOUS 1 1 ) -> 1
[Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 5708] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5708] in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
[Thr 5708] out: sssl_hdl = 003FFBC0
[Thr 5708] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 5708] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1309
[Thr 5708] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
[Thr 5708] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5708] NiIHdlGetStatus: hdl 8 / sock 8092 ok, data pending (len=1)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 5708] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
[Thr 5708] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 5708] SecudeSSL_SessionStart: SSL_accept() failed --
secude_error 536871698 (0x20000312) = "the client did not send a certificate handshake message for its authentication and we c
[Thr 5708] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] << -
End of Secude-SSL Errorstack -
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
[Thr 5708] ->> SapSSLErrorName(rc=-56)
[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1777]
[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
[Thr 5708] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
[Thr 5708] NiICloseHandle: shutdown and close hdl 8 / sock 8092
[Thr 5708] MPI<f>0#3 Close( 0 ) del=0 -> 0
[Thr 5708] MPI<f>0#5 Delete( 0 ) -> 0
[Thr 5708] MPI<f>0#4 Close( 0 ) del=1 -> 0
[Thr 5708] MPI<10>1#3 Close( 1 ) del=0 -> 0
[Thr 5708] MPI<10>1#5 Delete( 1 ) -> 0
[Thr 5708] MPI<10>1#4 Close( 1 ) del=1 -> 0
[Thr 5708] IcmConnFreeContext: context 1 released
[Thr 5708] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 5708] IcmWorkerThread: Thread 6: Waiting for event
[Thr 4352] Tue Jul 15 14:40:46 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmQueueAppend: queuelen: 1
[Thr 4352] IcmCreateRequest: Appended request 17
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 4196] IcmWorkerThread: worker 7 got the semaphore
[Thr 4196] REQUEST:
 Type: SCHEDULER Index = 16
[Thr 4196] IcmGetSchedule: found slot 0
[Thr 4196] IcmAlReportData: Reporting data to CCMS Alerting Infrastructure
[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
[Thr 4196] IcmConnCheckStoredClientConn: next client timeout check in 59 sec
[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
[Thr 4196] IcmGetServicePtr: new serv_ref_count: 2
[Thr 4196] PlugInHandleAdmMessage: request received:
[Thr 4196] PlugInHandleAdmMessage: opcode: 136, len: 272, dest_type: 2, subhdlkey: 262145
[Thr 4196] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=4, header_len=0
[Thr 4196] HttpCacheHandler: 4 0 006BBBC4 00000000
[Thr 4196] SCACHE: adm request received:
[Thr 4196] SCACHE: opcode: 136, len: 272, dest_type: 2, dest:
[Thr 4196] MTX_LOCK 3038 00ADEE88
[Thr 4196] MTX_UNLOCK 3051 00ADEE88
[Thr 4196] IctCmGetCacheInfo#5 -> 0
[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48, blocks used: 1
[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48
[Thr 4196] IcmNetBufFree: free netbuf: 00AD2B48 out of 1 used
[Thr 4196] IcmConnFreeContext: context 1 released
[Thr 4196] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 4196] IcmGetSchedule: next schedule in 30 secs
[Thr 4196] IcmWorkerThread: Thread 7: Waiting for event
[Thr 5096] Tue Jul 15 14:40:52 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)

>
silke kubelka wrote:
> SMICM-Log:
>
*** No SSL-client PSE "SAPSSLC.pse" available
>
*** this will probably limit SSL-client side connectivity
>
> is this a problem?
Well, since you want to enable the certificate-based user authentication (where your ABAP server is in the role of the SSL server) this does not matter. But if you intend to use your NWAS ABAP as SSL client (for outbound https communication) then it will matter. To resolve this problem you simply create an SSL Client PSE using transaction STRUST.
Once you've managed to [configure your NWAS ABAP for SSL,|https://service.sap.com/sap/support/notes/510007] you should see (in the ICM trace) that a X.509 client certificate was received. If the certificate-based logon does not succeed, then it's most likely due to some mapping problems - those can be analysed by using the tracing approach described in [note 495911|https://service.sap.com/sap/support/notes/495911].
If you need assistance in enabling the X.509 client certificate authentication you should submit an inquiry to SAP (message component BC-SEC-LGN).
Best regards,
Wolfgang

JAX-WS: How to choose from multiple client certificates on the fly?

I have a webapp that is calling a web service supplied by a vendor. The vendor requires the use of client certificates for authentication, and I have successfully called their service using the PKCS#12 keystore they gave us with JAX-WS 2.2 using code like this:
 System.setProperty("javax.net.ssl.keyStore", "myKeyStore.p12"); 
 System.setProperty("javax.net.ssl.keyStoreType", "pkcs12"); 
 System.setProperty("javax.net.ssl.keyStorePassword", "password");The problem is, my webapp will be supporting multiple business units, and the vendor differentiates between our business units by issuing separate certificates for each. So I'm in a quandary: I have four PKCS#12 files, one per business unit, and my webapp will need to decide which one to use at runtime. Moreover, this webapp could be heavily used by many simultaneous users, and thus more than one of the certs may need to be used at the same time. Hence whatever the solution is, it will need to be thread safe.
I was able to combine all four certificates into a single JKS keystore using the JDK 1.6 "keytool -importkeystore" operation with each of my four PKCS#12 certs, so I now have all four in a single JKS keystore. The above code then becomes this:
 System.setProperty("javax.net.ssl.keyStore", "myKeyStore.jks"); 
 System.setProperty("javax.net.ssl.keyStoreType", "jks"); 
 System.setProperty("javax.net.ssl.keyStorePassword", "password");So my challenge now is to programatically select between the four possible certs when calling the vendor's web service. How do I do that with JAX-WS RI 2.2?
Thanks,
Bill

Just to close the loop on this (and for the next person trying to figure out how to do it), I was able to [extend X509KeyManager as described in Alexandre Saudate's blog|http://alesaudate.com/2010/08/09/how-to-dynamically-select-a-certificate-alias-when-invoking-web-services/] . I was then able to set the com.sun.xml.ws.developer.JAXWSProperties.SSL_SOCKET_FACTORY on my JAX-WS request context to use my custom SSLSocketFactory, and it works like a charm!
Thanks,
Bill

Webdav using Client Certificates

Hello all
Finder (10.5.6) seems not to be able to use Webdav with client certificates. Especially in conjunction with Alfresco Share this would be nice.
Any ideas?
Pascal.

Hi,
> have a question, if we use this mechansim do we have to mainatin User's cerificate in user master or >this is not needed as we are accepting the connection from the intermediary server which is trusted by >the J2EE engine.
I think it depends from your Biller Direct application.
In my company we use Rosettanet B2B with SAP XI and have this setup :
Internet -- https --> Apache -- https --> Web dispatcher -- https --> SAP J2EE PI
The client certificate from the B2B partner is sent up to SAP PI and we did not have to set the certificate in the user mast.
We did have to import the certificate in the J2EE keystore and to configure the Rosettanet connector.
Regards,
Olivier

What is a client certificate and how do I use it?

I am trying to pay a traffic fine on a municipal website. I keep getting a drop-down box saying the site requires a client certificate to verify my identity. I am given a choice of two certificates, both of which are listed as valid. However, when I select one and click "continue," the same box comes up again (no matter which one i select). This happens repeatedly. I have triend this on both my iMac (less than a year old) and my macBook Air (less than two years old), and the same thing happens on both I just want to pay my traffic ticket! Why won't it accept my selected certificate? Do I need to create a new one, and if so, how do I do that? And what is a cient certificate anyway?

Same here. Does my solution help you, as well? However, in you case, I double-check with the site administrator if he uses client authentication intentionally at all.

No client certificate available, sending empty certificate message

Dear Experts,
    I am trying to establish SSL client certificate connection to external partner. What puzzles me is that the certificate is not picked up by SAP PI. The intermediate and root CA for the partner are OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network and OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US, respectively. You will be able to spot them in the Accepted Certificate Authority list, yet PI insists on sending empty certificate.
    Below is trace gathered from J2EE default trace. Please help shed some light
Date : 11/16/2011
Time : 8:49:11:423
Message : additional info ssl_debug(9): Starting handshake (iSaSiLk 4.3)...
ssl_debug(9): Sending v3 client_hello message to preprod.connect.elemica.com:443, requesting version 3.2...
ssl_debug(9): Received v3 server_hello handshake message.
ssl_debug(9): Server selected SSL version 3.1.
ssl_debug(9): Server created new session 22:E7:C0:9E:C1:D2:78:83...
ssl_debug(9): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
ssl_debug(9): CompressionMethod selected by server: NULL
ssl_debug(9): Received certificate handshake message with server certificate.
ssl_debug(9): Server sent a 1024 bit RSA certificate, chain has 2 elements.
ssl_debug(9): ChainVerifier: No trusted certificate found, OK anyway.
ssl_debug(9): Received certificate_request handshake message.
ssl_debug(9): Accepted certificate types: RSA, DSA
ssl_debug(9): Accepted certificate authorities:
ssl_debug(9):   CN=QuoVadis Global SSL ICA,OU=www.quovadisglobal.com,O=QuoVadis Limited,C=BM
ssl_debug(9):   CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9):   CN=CSF - Classe III - Sign et Crypt,OU=Certification Professionnelle,O=Autorite Consulaire
ssl_debug(9):   CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
ssl_debug(9):   CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
ssl_debug(9):   CN=DPWN SSL CA I2 PS,OU=I2 PS,O=Deutsche Post World Net
ssl_debug(9):   CN=CSF,O=Autorite Consulaire
ssl_debug(9):   C=BE,O=GlobalSign nv-sa,OU=RootSign Partners CA,CN=GlobalSign RootSign Partners CA
ssl_debug(9):   CN=Dell Inc. Enterprise Utility CA1,O=Dell Inc.
ssl_debug(9):   EMAIL=premium-server(a)thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
ssl_debug(9):   CN=TC TrustCenter Class 2 L1 CA XI,OU=TC TrustCenter Class 2 L1 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9):   CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   OU=VeriSign Trust Network,OU=(c) 1998 VeriSign, Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=TC TrustCenter SSL CA I,OU=TC TrustCenter SSL CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9):   CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=Meijer ipprod,OU=IT,OU=Merch,O=Meijer Stores Limited,L=Walker,ST=MI,C=US
ssl_debug(9):   CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9):   OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network
ssl_debug(9):   CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9):   CN=Deutsche Telekom CA 5,OU=Trust Center Deutsche Telekom,O=T-Systems Enterprise Services GmbH,C=DE
ssl_debug(9):   CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network
ssl_debug(9):   CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
ssl_debug(9):   CN=Bertschi CA,O=Bertschi AG (Schweiz),L=Duerrenaesch,ST=Switzerland,C=CH
ssl_debug(9):   CN=Cybertrust SureServer CA,O=GlobalSign Inc
ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   EMAIL=server-certs(a)thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
ssl_debug(9):   CN=Mark Van Hamme,O=Brain2 BVBA,L=Brussels,ST=Brabant,C=BE
ssl_debug(9):   CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
ssl_debug(9):   EMAIL=bis.at(a)siemens.com,CN=bis.siemens.at,OU=SBS ORS EDO,O=Siemens Business Services,L=Vienna,ST=Vienna,C=AT
ssl_debug(9):   CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=mail2.adr-logistics.hu,O=ADR Logistics Kft.,L=Gyu00E1l,ST=Pest,C=HU
ssl_debug(9):   EMAIL=brent.kemp(a)sscoop.com,CN=bacchusdevp.sscoop.com,OU=IS,O=Southern States Cooperative Inc,L=Richmond,ST=VA,C=US
ssl_debug(9):   CN=Cybertrust SureServer Standard Validation CA,O=Cybertrust Inc
ssl_debug(9):   OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US
ssl_debug(9):   CN=Certipost E-Trust Secondary Normalised CA for Legal Persons,O=Certipost s.a./n.v.,C=BE
ssl_debug(9):   EMAIL=cert(a)bit-serv.de,CN=BIT-SERV GmbH Root CA,O=BIT-SERV GmbH,C=DE
ssl_debug(9):   CN=SAP_elemica_tester
ssl_debug(9):   CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
ssl_debug(9):   OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=Montova Root CA,OU=Root CA,O=Montova,C=BE
ssl_debug(9):   CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
ssl_debug(9):   CN=Dell Inc. Enterprise CA,O=Dell Inc.
ssl_debug(9):   CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9):   EMAIL=support(a)tamgroup.com,OU=Engineering,O=Tamgroup,ST=California,L=San Anselmo,C=US,CN=Tamgroup
ssl_debug(9):   CN=GlobalSign Organization Validation CA,O=GlobalSign,OU=Organization Validation CA
ssl_debug(9):   CN=Certinomis AC 1 u00E9toile,OU=0002 433998903,O=Certinomis,C=FR
ssl_debug(9):   CN=GlobalSign ServerSign CA,OU=ServerSign CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
ssl_debug(9):   CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
ssl_debug(9):   CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
ssl_debug(9):   CN=GlobalSign Organization Validation CA,O=GlobalSign,OU=Organization Validation CA
ssl_debug(9):   CN=thawte Primary Root CA,OU=(c) 2006 thawte, Inc. - For authorized use only,OU=Certification Services Division,O=thawte, Inc.,C=US
ssl_debug(9):   CN=Certipost E-Trust Primary Normalised CA,O=Certipost s.a./n.v.,C=BE
ssl_debug(9):   CN=Thawte DV SSL CA,OU=Domain Validated SSL,O=Thawte, Inc.,C=US
ssl_debug(9):   OU=Equifax Secure Certificate Authority,O=Equifax,C=US
ssl_debug(9):   CN=preprod.connect.elemica.com,OU=CONNECTED SOLUTIONS,O=Elemica,L=Wayne,ST=Pennsylvania,C=US
ssl_debug(9):   CN=Certinomis - Autoritu00E9 Racine,OU=0002 433998903,O=Certinomis,C=FR
ssl_debug(9):   CN=DPWN Root CA R2 PS,OU=IT Services,O=Deutsche Post World Net,DC=com
ssl_debug(9):   CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA
ssl_debug(9):   OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
ssl_debug(9):   EMAIL=santiago.tolosa(a)eu.rhodia.com,CN=Rhodia Development CA,OU=ISF - WARTE,O=Rhodia,L=La Villette,ST=France,C=FR
ssl_debug(9):   CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
ssl_debug(9):   CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
ssl_debug(9):   CN=Groep H. Essers TEST (99805D6DA33FCC1700010002),O=Montova,C=BE
ssl_debug(9):   serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
ssl_debug(9):   CN=VeriSign Class 3 Secure Server 1024-bit CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   serialNumber=10688435,CN=Starfield Secure Certification Authority,OU=http://certificates.starfieldtech.com/repository,O=Starfield Technologies, Inc.,L=Scottsdale,ST=Arizona,C=US
ssl_debug(9):   CN=Conextrade,OU=Swisscom IT,O=Swisscom AG,L=Zurich,ST=Zurich,C=CH,EMAIL=ccc.eTrade(a)swisscom.com
ssl_debug(9):   CN=b2bproto.basf-corp.com,OU=Corporate IS,O=BASF Corporation,L=Mount Olive,ST=New Jersey,C=US
ssl_debug(9):   CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
ssl_debug(9):   CN=GeoTrust DV SSL CA,OU=Domain Validated SSL,O=GeoTrust Inc.,C=US
ssl_debug(9):   EMAIL=!sysadmin(a)elemica.com,CN=www.elemica.com,OU=Connected Solutions,O=Elemica, Inc,L=Wayne,ST=Pennsylvania,C=US
ssl_debug(9):   CN=GeoTrust SSL CA,O=GeoTrust, Inc.,C=US
ssl_debug(9):   CN=RapidSSL CA,O=GeoTrust, Inc.,C=US
ssl_debug(9):   CN=Entrust Certification Authority - L1E,OU=(c) 2009 Entrust, Inc.,OU=www.entrust.net/rpa is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=EAS,O=COMPUDATA EDI Dienstleister,C=CH,EMAIL=helpdesk.dl(a)compudata.ch
ssl_debug(9):   CN=GlobalSign Domain Validation CA,O=GlobalSign nv-sa,OU=Domain Validation CA,C=BE
ssl_debug(9):   CN=GlobalSign Primary Secure Server CA,OU=Primary Secure Server CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
ssl_debug(9):   CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=Thawte SSL CA,O=Thawte, Inc.,C=US
ssl_debug(9):   CN=Entrust Certification Authority - L1C,OU=(c) 2009 Entrust, Inc.,OU=www.entrust.net/rpa is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9):   EMAIL=vladimir.polak(a)esa.ch,CN=Vladimir Polak,O=Einkaufsorganisation des Schweizerischen Auto- und Motorfahrzeuggewerbes,C=CH
ssl_debug(9):   CN=IT Directions and Strategies,OU=ITDS EDI,ST=WI,C=US,L=Hartland,EMAIL=aklumpp(a)itdsllc.com,O=ITDS EDI
ssl_debug(9):   CN=Entrust Certification Authority - L1B,OU=(c) 2008 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY,OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=GlobalSign Organization Validation CA - G2,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=TeleSec ServerPass CA 1,OU=Trust Center Services,O=T-Systems International GmbH,C=DE
ssl_debug(9):   CN=TC TrustCenter Class 3 L1 CA V,OU=TC TrustCenter Class 3 L1 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9):   C=NL,ST=Zuid-Holland,L=Spijkenisse,O=De Rijke Transport,OU=ICT,CN=smtphost.derijke.com
ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=Comodo Class 3 Security Services CA,OU=(c)2002 Comodo Limited,OU=Terms and Conditions of use: http://www.comodo.net/repository,OU=Comodo Trust Network,O=Comodo Limited,C=GB
ssl_debug(9):   CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9):   OU=Starfield Class 2 Certification Authority,O=Starfield Technologies, Inc.,C=US
ssl_debug(9):   EMAIL=ftp(a)csx.com,C=US,O=CSX Corporation Inc,CN=CSX_CORPORATION_AS2_02062009
ssl_debug(9):   CN=EssentialSSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9):   CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
ssl_debug(9):   CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): Received server_hello_done handshake message.
ssl_debug(9): No client certificate available, sending empty certificate message...
ssl_debug(9): Sending client_key_exchange handshake...
ssl_debug(9): Sending change_cipher_spec message...
ssl_debug(9): Sending finished message...
ssl_debug(9): Received alert message: Alert Fatal: bad certificate
ssl_debug(9): SSLException while handshaking: Peer sent alert: Alert Fatal: bad certificate
ssl_debug(9): Shutting down SSL layer...
Severity : Error
Category : /Applications/ExchangeInfrastructure/AdapterFramework/SAPLibraries/SAPXDK
Location : com.sap.aii.messaging.net.HTTPClientConnection.call(Object)
Application : sap.com/com.sap.xi.rwb
Thread : SAPEngine_Application_Thread[impl:3]_0
Datasource : 7662250:E:\usr\sap\T37\DVEBMGS00\j2ee\cluster\server0\log\defaultTrace.trc
Message ID : 00505688007A006A0000005100001B8C0004B1CF78E9602A
Source Name : com.sap.aii.messaging.net.HTTPClientConnection
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : cc6d1cee0fec11e1c90200000074eaaa
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : /Applications/ExchangeInfrastructure/AdapterFramework/SAPLibraries/SAPXDK
Resource Bundlename :
Session : 365
Source : com.sap.aii.messaging.net.HTTPClientConnection
ThreadObject : SAPEngine_Application_Thread[impl:3]_0
Transaction :
User : CPWONG
Dsr Root Context ID :
Dsr Connection :
Dsr Counter : -1

Hi ,
Is the above problem solved , can you share the solution.
Thanks

ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

Hello, I´m stucked with this problem for 3 weeks now.
I´m not able to configure the EAP-TLS autentication.
In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
The ISE´s certificate has been issued with the "server Authentication certificate" template.
The clients have installed the certificates also the certificate chain.
When I try to authenticate the wireless clients I allways get the same error: " Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
and "OpenSSLErrorMessage=SSL alert
code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack= 1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
I don´t know what else can I do.
Thank you
Jorge

Hi Rik,
the Below are the certificate details
ISE Certificate Signed by XX-CA-PROC-06
User PKI Signed by XX-CA-OTHER-08
In ISE certificate Store i have the below certificates
XX-CA-OTHER-08 signed by XX-CA-ROOT-04
XX-CA-PROC-06 signed by XX-CA-ROOT-04
XX-CA-ROOT-04 signed by XX-CA-ROOT-04
ISE certificate signed by XX-CA-PROC-06
I have enabled - 'Trust for client authentication' on all three certificates
this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
when i check the certificates of current user in the Client PC this is how it shows.
XX-CA-ROOT-04 is listed in Trusted root Certification Authority
and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certificate Authorities

Dynamic Webservices Client

Hey ,
I have an application which requires to talk to 2 different published webservices
from 2 different systems. Now instead od designing static webservice clients for
each of these systems(which would involve having separate proxy jars etc),
I am planning to design a dynamic webservice locator and invoker....
I know that we can have webservice clients which are dynamic to the extent that
we can create proxy objects at runtime once we know the endpoint WSDL..
eg:
ServiceFactory factory = ServiceFactory.newInstance();
QName serviceName =new QName targetNamespace,"net.xmethods.services.stockquote.StockQuoteService");
QName portName = new QName(targetNamespace,"net.xmethods.services.stockquote.StockQuotePort");
QName operationName = new QName("urn:xmethods-delayed-quotes","getQuote");
URL wsdlLocation = new URL("http://services.xmethods.net/soap/urn:xmethods-delayed-quotes.wsdl");
// create service
Service service = factory.createService(wsdlLocation, serviceName);
// create call Call call = service.createCall(portName, operationName);
My question on this...if I have a dynamic approach like the above what are the
pros and cons..I guess it would surely have more overhead compared to a static
client...?
Secondly ,is it even feasible to design a dynamic client in such a way that the
endpoint WSDL could also be an unknown and my generic client would also locate
the end-point dynamically and then invoke dynamic calls as above...
If anybody can share their insights on a dynamic webservice client , I would really
appreciate it...
Thanx,
Krish
KRISH.VENKATARAMAN
Senior Technology Analyst
Bank of America Corp.
Email:[email protected]

Hi Krish,
In WSDL, the data types passed between applications are described in schema
and
this is key for interop. I dont know of any standard/natural mapping for
values types,
object reference, etc in a binary protocol (like JRMP, IIOP) to schema. For
eg:
say there is serializable object Foo, which is the argument to a remote
method in RMI.
Object Foo can have data + behavior. It may be possible (not always, i
think) to
describe the data in Foo as schema, but how can one describe the behavior?
So, if WSDL is the only contract between the server and client (key
requirement
for interop), then IMHO RMI can not be described by WSDL.
Also, WSDL was designed for future extensions and does not map well to a
programming API. WSIF trys to expose all the gory WSDL details and its apis
are very clumsy.
These were the two main reason to vote it down at JAX-RPC EC.
I am attaching an example that shows, how to introspect WSDL and invoke
a method using JAX-RPC (with little extension to the std api). Also, it
shows
how to handle complex type without data binding. Will this solve your
problem?
I am very interested to get your feedback on this.
BTW, This example will only work with WLS 8.1.
regards,
-manoj
"Krish Venkataraman" <[email protected]> wrote in message
news:[email protected]...
>
>
Mike...thanx for the inputs...
As per ur suggestion...I have taken this offline and mailed u [email protected]
also....lemme know if thatz cool...
there are my observations..lemme know what am i missing..
1) The main difference I see between JAX-RPC and WSIF, is that with WSIFclient
it is easier to port to services talking
via other ports like RMI,IIOP etc...where as JAX-RPC is understandsonly SOAP(atleast
for now).
2) Lets assume for the time-being that I would be interested only to talkto services
talking SOAP.
Then why do I need WSIF ?
3) I can have a JX-RPC client , I can have a similar generic(reflection)code
for built-in/primitive datatypes and for
complex datatypes I anywayz would be doing the same thing(requiringthe java
representation of the datatype unless I use
something like JROM or something which I do not want to) in JAX-RPC orWSIF.
>
4) As far as syncronous or asyncronous invocation is concerned , myunderstanding
is that my client call is going to remain the
same ..the service provider is going to either use message-oriented orRPC
on his side...
Again assuming that I am interested only with services talking SOAP, thiscould
be my generic client invocation design
Background is that my client is going to run from within a WLS70sp1
Actors:
a) webSevice1ClientSessionBean : This will be a stateless session beanwhich might
have knowledge about webSevice1's end-point ,
complex dataTypes if any.
(There would be other session beans like this which would haveknowledge about
other specific webservice)
b) GenericWebServiceInvoker : This will have knowledge about everythingwithin
the webservice-standards/protocols.
eg:
//set weblogic ServiceFactory
System.setProperty( "javax.xml.rpc.ServiceFactory",
"weblogic.webservice.core.rpc.ServiceFactoryImpl" );
//create service factory
ServiceFactory factory = ServiceFactory.newInstance();
//define qnames
String targetNamespace = "http://soapinterop.org/";
QName serviceName = new QName( targetNamespace, "SimpleTest" );
QName portName = new QName( targetNamespace, "SimpleTestSoap" );
QName operationName = new QName( "http://soapinterop.org/",
"echoStruct" );
//create service
Service service = factory.createService( serviceName );
TypeMappingRegistry registry = service.getTypeMappingRegistry();
TypeMapping mapping = registry.getTypeMapping(
SOAPConstants.URI_NS_SOAP_ENCODING );
mapping.register( SOAPElement.class,
new QName( "http://soapinterop.org/xsd", "SOAPStruct" ),
new SOAPElementCodec(),
new SOAPElementCodec() );
//create call
Call call = service.createCall();
//set port and operation name
call.setPortTypeName( portName );
call.setOperationName( operationName );
call.addParameter( "inputStruct",
new QName( "http://soapinterop.org/xsd", "SOAPStruct" ),
ParameterMode.IN);
All parameter values specific to a particular webservice likeQName,targetNameSpace
etc will be sent to this invoker by
webSevice1ClientSessionBean. The GenericWebServiceInvoker will invokethe
service
(using reflection for primitive/builtin types) and alwayz accept anobject
from the service operation and just return
that "object" back the webSevice1ClientSessionBean.ThewebSevice1ClientSessionBean
will know how to interpret the
complexdataType or builtInDatatype whichever is returned.TheGenericWebServiceInvoker
will not have any application
specific knowledge...it will just have knowledge about how todiscover, invoke
any SOAP webservice...
Somewhere in the beginning of GenericWebServiceInvoker I will use JAXRto
discover services from UDDI if needed.
This way I will have a generic webservice client invocation frameworkwhich
can invoke any service which talks SOAP.
Now lemme know how the above picture looks and what is missing...
I have some questions :
1) Incase of complex dataTypes, I will have itz XML representation inthe
publisher's WSDL and the publisher will give
me the java representation of the complex dataType.But how does myclient
JAX-RPC know how to map the XML
to the java representation unless I specify the mapping somewhere?Does
the TypeMapping/TypeMappingRegistry do this ?
Thanx,
Krish
"Michael Wooten" <[email protected]> wrote:
You know, it's really cool to hear guys thinking things through, before
they "jump
on a bandwagon" :-)
Anyway, I suspect that the performance overhead of doing reflection,
and heavy
server-side code intrusion, is what has made a lot of developers balk
at using
WSIF. I would check out the IBM newsgroups, to see what the general
developer
sentiment is on WSIF.
To achieve any sort of decent performance with JAX-RPC based webservices,
you
need to do a fair amount of optimization/tuning on both the client and
server
side. I recommend setting up your own "lab environment" for doing these,
so you
can see exactly what's making things improve/degrade. If you are really
interested
in this topic, we should talk about it "off-line".
In general, the more "dynamic" things are on the client side, the slower
things
will be, the more you really need to question if you really need them
to be dynamic
:-) Does making it "dynamic" really offer something that you can't get
from a
"static" version? If not, who's really benefiting here. I mean, com'n.
All you
really want to do is invoke an operation, right? By the time you get
all the information
it takes to do a dynamic invocation (i.e. port, target namespace, data
type for
input argument, serializer/deserializer for each non-built-in data type,
etc.),
your client looks like you are trying to boot a PDP-11! LOL! For those
of you
who don't know what a PDP-11 is, it's an early computer (from the'60-'70),
that
you actually had to use switches to create the "binary instructions"
to boot it
up!
From a PM's (product manager's) perpective, I wouldn't even let thedevelopers
modify "working" EJBs to expose them as a web service. Alarm bells should
go off
in your head, if you have to modify existing server-side code to expose
a company
asset as a web service.
Response to OT comment: WebLogic Server 7.0 uses its own implementation
of JAX-RPC
1.0. This implementation, I've been told by one of the BEA engineering
that worked
on it, has been certified to be JAX-RPC compliant by Sun. Don't know
about Apache
Axis, in this regard. I use both Apache Axis and the JWSDP with WLS 6.1,
but I
haven't really spent a lot of time looking for differences between our
(BEA's)
implementation, and theirs.
Regards,
Mike Wooten
"Krish Venkataraman" <[email protected]> wrote:
Hey Mike ...
I hear ya..and I see the significance of WSIF...but that IBM started
it a year
back and itz not yet stabilized is what is holding me back...
U mite have a better hold of what WSIF can do...whatever I could grasp
from yesterday
is this...
a)It reads meta data from the wsdl and using a reflection mechanismcalls
the
service operations...
I see examples with primitive datatypes..but what happens when
complex/custom
datatypes come into play...
Would the client code differ between synchronous invocation toasynchronous
invocation...
And aleast in the samples for the WSIF distribution for connectors like
EJB/JMS
etc, the code does not look generic anymore..there are specific calls
to operations
and parameters...
Also Mike , what is the trade-off on performance between having adynamic
client(lets
say based on WSIF)or having a static client...the extent of reflection
a dynamic
client will have to do and create SAAJ objects at runtime will beenormous..
Also I know that there is a relevant API...but can u give an examleshowing
me
how I could discover services from UDDI ..?
Out of this current topic...does BEA use itz own implementation of SOAP
in itz
webservice implementation...and how does it compare with AXIS ?
Thanx,
Krish
"Michael Wooten" <[email protected]> wrote:
Hi Krish,
Well, I guess that's how things are when "needed functionality exceeds
the current
state of a technology" :-)
I (not necessarily BEA) look at it like way:
1. IBM co-authored the "Big 3" XML grammars for the current web
services
stack.
2. IBM always appears to be "there, somewhere" in the new crop ofproposed
additional
XML grammars for "partially agreed upon extension layers", for theweb
services
stack.
3. IBM donated it's original SOAP implementation to the open-sourcecommunity.
4. IBM came up with WSIF over a year ago.
5. IBM's WSTK uses the Apache Axis stuff.
6. A lot of the JAX-RPC/JAXM API is based on the Apache SOAP and Apache
Axis implementations.
7. It looks like IBM may have donated WSIF to Axis.
8. You appear to need something like WSIF :-)
So, there's probably at least a 60/40 chance that some WSIF-like thing
will make
it into the JWSDP, right? If you want "higher odds", you should talk
to the folks
working on the JWSDP, as they are somewhat "in charge" here :-)
Regards,
Mike Wooten
"Krish Venkataraman" <[email protected]> wrote:
Yes...I am surely lookin at something similar...but that framework
not
being standardized
scares me as I have seen many good ideas not seeing the light of the
day...and
I do not want to design something using a framework which might remain
un-standardized..
what are ur thots..
Thanx,
Krish
"Michael Wooten" <[email protected]> wrote:
Hi Krish,
It sounds like you want WSIF :-)
"WSIF allows stubless or completely dynamic invocation of a Web
service,
>>>>>>
based upon examination of the meta-data about the service at runtime.
It
also allows updated implementations of a binding to be plugged intoWSIF
at
runtime, and it allows the calling service to defer choosing a
binding
until
runtime."
Correct?
This is a relatively new "unofficial" addition to the Web ServicesStack,
so it
is not in WLS 7.0 (or Sun's JWSDP) yet. See the following link formore
details:
http://xml.apache.org/axis/wsif
Regards,
Mike Wooten
"Krish Venkataraman" <[email protected]> wrote:
Hey ,
I have an application which requires to talk to 2 different
published
webservices
from 2 different systems. Now instead od designing static webservice
clients for
each of these systems(which would involve having separate proxyjars
etc),
I am planning to design a dynamic webservice locator and invoker....
I know that we can have webservice clients which are dynamic tothe
extent
that
we can create proxy objects at runtime once we know the endpoint
WSDL..
eg:
ServiceFactory factory = ServiceFactory.newInstance();
QName serviceName =new QName
targetNamespace,"net.xmethods.services.stockquote.StockQuoteService");
>>>>>>>
QName portName = newQName(targetNamespace,"net.xmethods.services.stockquote.StockQuotePort");
>>>>>>>
QName operationName = newQName("urn:xmethods-delayed-quotes","getQuote");
>>>>>>>
URL wsdlLocation = newURL("http://services.xmethods.net/soap/urn:xmethods-delayed-quotes.wsdl");
>>>>>>>
// create service
Service service = factory.createService(wsdlLocation, serviceName);
// create call Call call = service.createCall(portName,
operationName);
>>>>>>>
>>>>>>>
My question on this...if I have a dynamic approach like the abovewhat
are the
pros and cons..I guess it would surely have more overhead comparedto
a static
client...?
Secondly ,is it even feasible to design a dynamic client in such
a
way
that the
endpoint WSDL could also be an unknown and my generic client wouldalso
locate
the end-point dynamically and then invoke dynamic calls as above...
If anybody can share their insights on a dynamic webservice client
I would really
appreciate it...
Thanx,
Krish
KRISH.VENKATARAMAN
Senior Technology Analyst
Bank of America Corp.
Email:[email protected]
[BrowserClient.java]
[DynamicClient.java]

New Wireless clients certificate not verified

Whenever a new clients login using SSID Green,using cisco WLC 4404, there is a prompt saying certificate is not valid. No doubt, clients can connect once they accept the certificate. Is there anyway I can remove this prompt? We have ACS doing authentication.The certificate is signed by authorized bodies? Please advice

I have indeed.
Pushing the profile can happen a few ways. If you use ISE you can push a profile in auto enrollment. Whereby you create the wireless profile (SSID, Security, Add Cert). This is delivered to the user automatically during enrollment.
Another way to make profiles and manually push is with the Apple Configurator.
https://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12
You can also use a tool like Jamf for MACs to make and push profiles.
Hope this helps ..
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
"Im like bacon, I make your wireless better"

X.509 client certificate not working through Reverse proxy

Dear expert,
We are working on fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, the intranet scenario for X.509 authentication is working fine but internet is not, we got error message of "Base64 decoding of certificate failed". For landscape, the only difference between internet and intranet is we have apache reverse proxy in DMZ. We are using gateway as fron-end server, business suite and HANA in the back-end.
As X.509 authentication works fine under intranet scenario, we assume that the configuration for X.509 for both front-end and back-end are correct. With that assumption, the issue would exist in reverse proxy. We are using apache 2.4.7 with openssl 1.0.1e, but we have upgraded the openssl to the latest version 1.0.1h for SSL certificate generation. Below are the apache configuration for X.509.
Listen 1081
<VirtualHost *:1081>
SSLEngine on
SSLCertificateFile "D:/Apache24/conf/server.cer"
SSLCertificateKeyFile "D:/Apache24/conf/server.key"
SSLCertificateChainFile "D:/Apache24/conf/server-ca.cer"
SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
SSLVerifyClient optional
SSLVerifyDepth 10
SSLProxyEngine On
SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
AllowEncodedSlashes On
ProxyPreserveHost on
RequestHeader unset Accept-Encoding
<Proxy *>
 AddDefaultCharset Off
 SSLRequireSSL
 Order deny,allow
 Allow from all
</Proxy>
RequestHeader set ClientProtocol https
RequestHeader set x-sap-webdisp-ap HTTPS=1081
RequestHeader set SSL_CLIENT_CERT ""
RequestHeader set SSL_CLIENT_S_DN ""
RequestHeader set SSL_CLIENT_I_DN ""
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
ProxyPass / https://ldcinxd.wdf.sap.corp:1081/ nocanon Keepalive=on
proxyPassReverse / https://ldcinxd.wdf.sap.corp:1081/
We are out of mind on how to resolve this issue. Please kindly help if you have any idea on it.
thanks,
Best regards,
Xian' an

Hi Samuli,
Really thanks for your reply.
Yes, we have tried your suggestion above in the apache configure file above, but when testing the HANA service, we got error message "Certificate could not be authenticated".
Yes, web dispatcher makes the X.509 authentication much easier as under intranet scenario, no DMZ between browser and web dispatcher. Client certificate pass through web dispatcher directly and it works perfectly this way. Not sure why it doesn' t work through apache reverse proxy.
Best regards,
Xian' an

Error while enabling two way authentication :Client certificate missing

Hi,I am getting the following error while enabling the two way authentication.The weblogic server 5.1 has accepted both the client ca and server certificates and is listening for SSL on the specified port.But when I try to access thru the secured connection thru my IE it asks for Client Authentication dialog asking for valid Client certificate but I am not able to view any of the client certificate even though I have one which is the trusted root store.and there by giving the error page cannot be displayed .On the server side I get the following error.Thu Mar 08 10:54:35 GMT 05:30 2001:<D> <SSLListenThread> Problem accepting connectionjava.io.IOException: required client certificate missing at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:711) at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:529) at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:219) at weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java:192) at weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1001) at weblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30) at weblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:377) at weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.java:506) at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled Code)can anybody please guide me what could be wrong.Do I need to change the browser settings.I have enabled SSL 3.0 and SSL 2.0 and all other settings are defaultIt is urgent.pls give some suggestions.Regards,Bhavani

I think you have to specify the client root in your weblogic.properties
file.
here are my settings:
weblogic.security.enforceClientCert=true
weblogic.security.certificate.server=democert.pem
weblogic.security.key.server=demokey.pem
weblogic.security.certificate.authority=ca.pem
weblogic.security.clientRootCA=VeriSignClass1CA.der
Regards,
-Arthur
Bhavani <[email protected]> wrote:
Hi,I am getting the following error while enabling the
two way authentication for Weblogic Server 5.1Thu Mar
08 16:10:54 GMT 05:30 2001: <ListenThread> Listening
on port: 7001Thu Mar 08 16:10:54 GMT 05:30 2001: <SSLListenThread>
Listening on port: 7002<NT Performance Pack> NATIVE:
created IoCompletionPort successfully. IoPort=0x000002a4Thu
Mar 08 16:10:56 GMT 05:30 2001: <WebLogicServer> WebLogic
Server startedThu Mar 08 16:11:20 GMT 05:30 2001:<D>
<SSLListenThread> Problem accepting connectionjava.io.IOException:
required client certificate missing at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:711)
at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:529)
at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:219)
at weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java:192)
at weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1001)
at weblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30)
at weblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:377)
at weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.java:506)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java,
Compiled Code)Thu Mar 08 16:12:07 GMT 05:30 2001:<D>
<SSLListenThread> Problem accepting connectionCan anybody
suggest why this error is coming?Regards,Bhavani

Dynamically Accept Client Certificates

Similar Messages

Maybe you are looking for