Getting client certificate on Websphere

Hi,
I'm new to java security API. In my project i need to get a client certificate through java in the server and extract some values from it. Can anyone let me know how to go about doing that?

In the following link everything available..
.http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
this is very good tutotorial
or use RMI/IIOP on websphere
I hve no code available
Message was edited by:
loveme
Message was edited by:
loveme

Similar Messages

  • Applet does not get client certificate from browser (Firefox, IE7)

    I'm writing a web service which runs Tomcat through Apache. One critical requirement is that the service be able to invoke certain device drivers on the end user's machine. Fortunately, there is a Java API for this, so this requirement can be fulfilled using an applet.
    Here's the problem. This is a B2B application, so we're using SSL and requiring client authentication. I'm no web security guru, but I managed to get SSL set up through Apache (with a self-signed certificate for now; we'll get a real one from a real CA when we're ready to go to production). I also managed to set up client authentication by creating my own CA and generating a client certificate, which I then copied to my test client (Win XPSP2) and imported into both Firefox (2.0.0.15) and IE (6.0.2900). The applet is signed with a real certificate, and that causes no problems. And all of the pages for my web service work as expected.
    All except one. The page which is supposed to load the applet pops a dialog stating 'Identification required. Please select certificate to be used for authentication', and presents a list of zero certificates.
    Actually, I get this dialog in Firefox on my XPSP2 box, and also when I test on a Vista Home Premium box running IE 7.0.6000. Puzzlingly, this behavior does NOT occur on my XPSP2 box when running through IE 6.0. It seems that with XPSP2 and IE 6.0, the JVM can manage to obtain the required client certificate from the browser and pass it along to Apache, but the JVM can't do this when running in Firefox or in IE 7.0 on Vista.
    I have gone to the Java Control Panel and verified that the 'Use certificates and keys in browser keystore' option is selected on both boxes.
    I've done a fair amount of research for this (including in this forum) and see that this appears to be a chronic difficulty with applets. What makes it worse is that I don't think I can use the standard workaround, which is to download the applet from a different host/virtual host, because the applet needs to communicate with the web service. Since we have the additional layer of Tomcat container-managed user authentication, the applet needs to be communicating with the server using the same session token as everything else.
    So at this point, I'm stuck. Does anyone know a solution to this problem? Two thoughts (I'm reaching at straws here):
    1) I have the certificate imported in both Firefox and IE as a 'personal' certificate. Is there someplace else I can put it so the JVM will know how to find it? A rather old thread in this forum mentioned something about setting properties in the Java Control Panel, but I see no place in the JCP to specify such properties, so I'm guessing that solution is no longer operative.
    2) I'm using a trick I found on the internet to make the applet load cleanly with both Firefox and IE, namely, I'm using the <OBJECT> tag to specify the applet class and codebase for IE, and then using <COMMENT><EMBED ... /></COMMENT> within the <OBJECT> declaration to specify the information for Firefox. Is there some other way of doing the markup that will give the JVM a hint that it should get a certificate from the browser?
    BTW . . . I would hate to drop support for Firefox, but if someone has an IE-only solution, I'll take it. Unfortunately, I reckon a Firefox-only solution would not fly.
    Thanks all.

    My applet is also signed by a valid certificate. The question of whether the applet is signed/self-signed/unsigned >isn't an issue --- I just wanted you to make sure the Applet runs because it is a know valid Java2 Applet that is 100% signed properly and verified to run.
    This eliminates the possibility that it is a JVM issue. However after reading your message further I am afraid
    it is not relevant to your issue.
    due to the client authentication, my browser (Firefox, IE7) refuses to even download the applet.
    I went to your site, and I can see your applet in both Firefox and IE6. However, I don't believe your site is set up >quite like mine, because it appears I can run your applet whether I have imported your X509 certificate or not. What I >did was:If that is true we are all dead :) No I think you just missed the cert in the IE databse. It doesn't have to be in the
    Applet database to function. Surprise!
    Check your IE/tools/internet options/content tab/certificates/trusted root certification authorities.
    I then opened the Java control panel and verified that the certificate isn't listed there, either. So unless the certificate >is being cached/read from some other location (which could be, this certificate stuff is largely black magic to me), >then your server isn't requiring client authentication, either accidentally or by design.No HyperView is a valid java2 Applet and actually writes to a file "hyperview.dat" though it is probably empty.
    If you click on a component in the view and then on the view and type "dumpgobs" it shoud write out some data about the current graphics objects so you can see it has complete read/write access..
    Further it opens up a complete NIO server ands starts listening for connections on a random port
    (Echoed in your java console) You can connect to it with telnet and watch impressive ping messages all day :)
    This all goes back to a few years BTW back before there was a plugin and there was only Netscape & IE.
    There are actually 2 certificate databases and what loads where depends on which type of cert you are using. Now self signed or not doesn't matter but what does matter is the type of certificate. IE: is it RSA/DSA/Sha1
    etc. The Netscape DB was a Berkley DB and MS used whatever they use. The Cert is a DSA/Sha1 cert
    which I like the best ATM as it (X fingers it stays so) always has worked.
    Sadly that tidbit doesn't help you either I am afraid.
    What I'm trying to do is require client authentication through Apache by including the following markup in a virtual >host definition:
    SSLCACertificateFile D:/Certificates/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1You got me there I avoid markup at all costs and only code in C java and assembler :)
    Now unless I am wrong I think you are saying that you want the Applet to push the certificate to the server
    automatically and I don't think this happens. Least I have never heard of this happening from an Applet automatically.
    On my client machine, I have a certificate which was generated using OpenSSL and the ca.crt file listed. Testing >shows that the server is requiring a certificate from the client, and the web browser is always providing it.
    The problem is that when the browser fires up the Java plugin to run an applet, there is not sufficient communication >between the browser and the plugin so that the plugin can obtain the certificate from the browser and provide it to >the server.
    So the server refuses to send the applet bytecode to the JVM, and we're stuck.In terms of implementation ease I think you may have the cart before the horse because I think it would be far easier to run an Applet in the first place to do the authentication, and then send, for example, a jar file to bootstrap and run
    (or some classes) in the event the connection is valid. Then again one never knows it all and there may be some classes which enables the plugin as you wish. I have never heard of this being done with the plugin the way you suggest.
    I am thinking maybe there is another method of doing this I do not know.
    Did you try pushing the cert via JavaScript/LIveConnect?? That way it could run before the Applet and do the authentication.
    Maybe someone else has other ideas; did you try the security forum??
    Sorry but I am afraid that is not much help.
    I did snarf this tidbit which may have some relevance
    The current fix for this bug in Mantis and 1.4.1_02 is using JSSE API, Here are the step:
    In Java control panel, Advanced tab -> Java Runtime Parameters, specify:
    -Djavax.net.ssl.keyStore=<name and path to client keystore file>
    -Djavax.net.ssl.keyStorePassword=<password to access this client keystore file>
    If it is a PKCS12 format keystore, specify:
    -Djavax.net.ssl.keyStoreType=PKCS12
    In our future JRE release 1.5, we will create our own client authentication keystore file for JPI and use that for client authentication, for detail info, please see RFE 4797512.
    Dennis
    Posted Date : 2005-07-28 19:55:50.0Good Luck!
    Sincerely:
    (T)
    Edited by: tswain on 23-Jul-2008 10:07 AM

  • Applet won't get client certificate from browser

    Hi,
    We have an applet that runs fine as long as we don't have the web server require a client certificate. This applet runs inside a protected Intranet with a standard client JRE version 1.4.2 The rules of the intranet state that client certificates are required. So we registered our certificates with the JRE plug in in the browser and NaDa...
    I have read all sorts of things out there on the web that says the end user must register a personal Keystore and then we must code the applet to look into the end user's keystore for the certificate and the user must type in their personal password for the keystore into some sort of a form for the applet to read the keystore certificate.
    This sounds illogical and I strongly suspect that I am mis-interpreting what is being said...
    Can anyone help me understand what I am missing? (or perhaps point to a tutorial that has some better info in it...) I have looked at the Sun Java tutorial for applets didn't see any specific info regarding this type of problem- solution.
    Thanks for any pointers or suggestions you might have.
    JpGuy

    Hi,
    We have an applet that runs fine as long as we don't have the web server require a client certificate. This applet runs inside a protected Intranet with a standard client JRE version 1.4.2 The rules of the intranet state that client certificates are required. So we registered our certificates with the JRE plug in in the browser and NaDa...
    I have read all sorts of things out there on the web that says the end user must register a personal Keystore and then we must code the applet to look into the end user's keystore for the certificate and the user must type in their personal password for the keystore into some sort of a form for the applet to read the keystore certificate.
    This sounds illogical and I strongly suspect that I am mis-interpreting what is being said...
    Can anyone help me understand what I am missing? (or perhaps point to a tutorial that has some better info in it...) I have looked at the Sun Java tutorial for applets didn't see any specific info regarding this type of problem- solution.
    Thanks for any pointers or suggestions you might have.
    JpGuy

  • EP6 sp2: Editing authschemes.xml file for Client Certificates - Urgent

    Urgent Help Needed..
    I am trying to modify the authschemes.xml file so that i can have Client Certificate Authentication. Has anyone done this before? I am unable to get client certificate authentication working. I also need to get rid of form based logon screen?
    Please help.
    regards
    anton

    Hi detlev,
    I followed all the instructions i can find but nothing explains what exactly i need to implment to request client certificates in the xml file.
    I want portal to request the client cert as soon as they hit the portal webpage. I am also going through IIS6 with iisproxy module installed.
    I am using verisign certificates, i configured J2ee engine to request the root cert for the client cert for the SSL port but that does not work. I get the dialog box requesting in IE asking me to choose a cert but i can make any selection its greyed out. After i say yes it connects to me to the portal logon screen.
    Here is the authscheme that i am using.
    <authschemes>
            <!--  authschemes, the name of the node is used -->
            <authscheme name="uidpwdlogon">
                <!-- multiple login modules can be defined -->
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
                    <controlFlag>SUFFICIENT</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>21</priority>
                <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
                <frontendtype>2</frontendtype>
                <!-- target object -->
                <frontendtarget>com.sap.portal.runtime.logon.default</frontendtarget>
            </authscheme>

  • I'm on a website that states it requires a client certificate to validate identity.  When I select a certificate to use to connect to the website, it goes back to the list of certificates.  I can't seem to get anywhere. Help!

    I am on a website that requires a client certificate to validate identity.  When I select a certificate to use, it goes back to the list of certificates. I can't seem to get anywhere. Help!

    You should be given the certificate, or cookie, by the website.  See if in Preferences (under Safari on the menu bar), Privacy, do you have certificates blocked Always?

  • Clients getting a certificate warning of an expired certificate that doesn't exist

    Running exchange 2010 and clients using Outlook 2007 and 2010, clients are getting the certificate warning dialog that the certificate is expired.  The name of the server in the certificate is correct, however when looking at the certificates installed
    on the Exchange server, the one that is referenced with the issued and expiration dates doesn't show up on the server.
    Where could the clients be getting this from?

    You need to look at each Client Access Server.  A quick way to see what SSL cert is bound is to just look at the IIS splash page:
    https://servername
    You'll likely get a cert error, but just continue and the IIS splash page should load.  When it does, view the certificate that has been presented to the browser.  Ensure the expiration is good, the CA chain is trusted and the cert name (or SAN)
    has the URL to the Client Access Array FQDN in the cert.
    Normally, a self signed Exchange cert is not used in a production environment because the clients will not trust the publisher.  If you have more than one CAS, it's likely one of them is not using the correct cert.
    Good luck!
    - Chris Ream -
    **Remember, if you find a post that is helpful, or is the answer, please mark it appropriately.**

  • Getting the Client Certificate out of the HttpServletRequest object

    I have an interesting issue with weblogic 5.1 SP6 and getting/obtaining Client
    Certificates.
    The issue is that the Client Certificate is not always in the HttpServletRequest
    object depending on how the weblogic.properties are set. Here is my code to get
    the Certificates.
    // get the cert chain from the request
    Object obj=request.getAttributs("javax.net.ssl.peer_certificates");
    if (obj instanceof weblogic.security.X509[]) {                          
    weblogic.security.X509[] wlogicCert = (weblogic.security.X509[]) obj;
                                            try {
                                            iaik.x509.X509Certificate iaikClientCert =
         new iaik.x509.X509Certificate(wlogicCert[0].getBytes());
         clientSDN = aiaikClientCert.getSubjectDN().getName();
         clientCert = (Certificate)iaikClientCert;
    The only time the certificate is present in the Request Object is when the following
    weblogic.properties are set:
    weblogic.security.enforceClientCert=true
    weblogic.security.clientRootCA=CARoot.pem
    If the properties are set to to this: no Certificate can be received from the
    Request object.
    weblogic.security.enforceClientCert=false
    #weblogic.security.clientRootCA=CARoot.pem
    Is there a way to have Weblogic always receive/get a Client Certificate if one
    is provided by the client, but not have weblogic do any validation of the certificate?
    Any help would be appreciated!
    Gary

    ok i see.
    although it should be able to get the underlying
    outputStream handle since i have initialized
    (associated) it on the previous line.
    ThanksWell, you might be able to get the underlying stream. Look at the API docs. If there's a method there to do it, then you can. If not, then you can't.
    If you can do it, then you have to look at the API docs for FileOutputStream and see if it lets you get the associated File or path. If such a method exists, then you can get it. If not, then you can't.
    Even if both methods exist and you can utimately get the file, do you understand why this is not the same as "getting the file associated with a PrintStream"?

  • Can a pl sql cartridge get the client certificate through ssl in OAS

    I am In a web publishing system project, I use SSL and client certificate to verify the user, the environment is OAS4.0.6 and Oracle 8i, and I use PL SQL cartridge to proceed the http request , Now the problem is how can I get the client certificate infomation in my pl sql scripts, I do not know where should i post this problem, So I post it here, If you have any experience in using SSL of OAS, pls help me!
    tsailiang
    [email protected]
    thank you very much!

    Sorry wrong forum.....
    This forum is for the Internet File Server (ifs) not the oracle application server (oas), sometimes known as iAS or Oracle9i Applicaiton Server.
    null

  • I'm attempting to access my work email through Microsoft Outlook web client.  The URL is mail.ad.msu.edu.  I get the following message:   The website "mail.ad.msu.edu" requires a client certificate.  This website requires a certificate to validate your id

    I'm attempting to access my work email through Microsoft Outlook web client.  The URL is mail.ad.msu.edu.  I get the following message:
    The website "mail.ad.msu.edu" requires a client certificate.
    This website requires a certificate to validate your identity.  Select the certificate to use when you connect to this website, then click Continue.
    The choice I am presented with is: adp3d (iChat Encryption Certificate) (Apple.Mac Certificate Authority)
    I'm thinking that this can't be correct, and in fact doesn't allow me to signing to the website. 
    How do I go about getting the proper certificate? 

    I'm attempting to access my work email through Microsoft Outlook web client.  The URL is mail.ad.msu.edu.  I get the following message:
    The website "mail.ad.msu.edu" requires a client certificate.
    This website requires a certificate to validate your identity.  Select the certificate to use when you connect to this website, then click Continue.
    The choice I am presented with is: adp3d (iChat Encryption Certificate) (Apple.Mac Certificate Authority)
    I'm thinking that this can't be correct, and in fact doesn't allow me to signing to the website. 
    How do I go about getting the proper certificate? 

  • When I attempt to access my IRA account on line, I get a message saying that the web site requires a client certificate. The certificates listed in the drop down dialog box don't get accepted, even though one is indicated as valid and good until 10/2014.

    When I attempt to access my IRA account on line, I get a message saying that the web site requires a client certificate. The certificates listed in the drop down dialog box don't get accepted, even though one is indicated as valid and good until October 2014. I contacted the IRA account managment company and they sais it's an Apple issue. Any ideas?

    Some websites require a special client certficate for access. If you don't have that certficate, you'll have to contact the site operator to find out how to get one.
    Sometimes the problem is caused by a web server that is configured to request an optional client certificate. Safari treats the request as mandatory. In that case, other browsers such as Firefox and Chrome may be able to connect to the site, because they ignore the request.
    The first time you were prompted for a certificate, you may have clicked through a dialog that requested access to the Apple certificate in your keychain that is used to secure the iMessage service. In that case, you may be able to regain access to the site in Safari by doing as follows.
    Back up all data.
    Double-click anywhere in the line below on this page to select it:
    com.apple.idms.appleid.prd
    Copy the selected text to the Clipboard by pressing the key combination command-C.
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    Paste into the search field in the Keychain Access window by clicking in it and pressing the key combination command-V. An item may appear in the list of keychain items. The Name will begin with string you searched for, and the Kind will be "certificate."
    Delete the item by selecting it and pressing the delete key. It will be recreated automatically the next time you launch the Messages or FaceTime application.
    The next time you visit a site that prompts for an optional client certificate, cancel out of the prompt. You may have to do this several times before the server stops asking.
    Credit for this idea to Christian Braukmueller of SAP.

  • How to get the correct client certificate used in the two way ssl

    how to export the certificate in browser to the correct client certificate format needed by the WLSSSLAdaptor?
    I can export the certificate in browser to p12 or pfx format, but how to retrieve the private key from it and convert to PKCS#8?
    anyone did this before?
    Thanks

    Hi,
    Use the event after_user_command.When the user clicks any other buttons in the toolbar,this event will be triggered after the processing and you can handle the sub-total for % columns here.
    Regards,
    Archna Raja

  • Getting SSGD 4.41 to work with SSL + Client Certificate

    Hello everybody.
    I'm running SSGD 4.41.909 on SuSE Linux Enterprise Server 10+Sp2 (x86_32bit) and I configured it to perform KERBEROS authentication against a Windows 2003R2 server.
    Everything worked fine so I decided to give SSL+Client Ceritifcate a try.
    I configured the Win2003R2 server as per the manual and I also:
    . imported the Active Directory root CA into SSGD trustore (/opt/tarantella/bin/jre/lib/security/cacerts)
    . created a new key and a CSR using the keytool
    . signed the above CSR with the Active Directory CA
    . imported the just signed certificate info SSGD keystore (/opt/tarantella/var/info/certs/sslkeystore)
    With the keytool I'm able to verify that the keystore does actually contains a valid CLIENT certificate:
    /opt/tarantella/bin/jre/bin/keytool -list \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -keypass "$(cat /opt/tarantella/var/info/key)" \
    -storepass "$(cat /opt/tarantella/var/info/key)"Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    testssgd, Dec 17, 2008, PrivateKeyEntry,
    Certificate fingerprint (MD5): 33:3B:41:EC:A2:4C:FF:02:D7:0D:D8:2D:EB:B2:2A:2B
    ssgd_client_cert, Dec 17, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): DE:6B:BA:28:39:6B:B2:7B:51:F5:F2:6B:41:6E:6B:C1
    As you can see, the ssgd_client_cert is indeed available into the sslkeystore.
    Next, I configured SSGD as follows:
    Step4: LDAP Repository Details
    Repository Type: (*) Active Directory
    URLs: ad://zen.strhold.it
    Connection Security: () Kerberos
    (*) SSL
    [x] Client Certificate Used
    Active Directory Base Domain: zen.strhold.it
    Active Directory Default Domain: zen.strhold.it
    [Next]
    I did not have any errors when I clicked over [Next] and the same went when I selected the [Finish] button.
    I logged out of the Admin console, restarted the SSGD server and tried to login using an Active Directory VALID user but here's what I got:
    Sun Secure Global Desktop Software (4.41) WARNING:
    Could not find a client certificate to use to authenticate the
    connection to the Active Directory server
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the Active Directory.
    A known resolution to this warning is:
    - Import a client certificate for this server into the SGD keystore.
    For more information on how to do this, consult the SGD Administration
    Guide.
    2008/12/17 17:16:36.246     (pid 18920)     server/ad/warningerror     #1229530596247
    Sun Secure Global Desktop Software (4.41) WARNING:
    Failed to connect to the global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
    Reason:
    [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
    Global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the forest.
    To help troubleshoot this warning,
    - Verify that this global catalog is available on the network.
    - Verify that SGD can resolve the global catalog's hostname via DNS.
    - Verify that SGD can connect to port 3268 on the global catalog.
    - Verify that this server is a global catalog for the forest.
    I'm pretty sure I do have a client certificate into SSGD keystore (as demonstrated by the keytool utility).
    Am I missing something or what?
    Things I've already cheched:
    . both the SSGD and Windows server clocks are in synch
    . the DNS server (on Windows) is able to resolve the names of the boxes in both forward and reverse mode
    . no firewall is operating between the boxes
    Thanks,
    Rob

    Hi DD.
    Thanks again for your time and patience!
    Well, today I restarted the SSGD box (it's a virtual machine) and issued the:
        keytool -list -keystore sslkeystore -storepass "$(cat /opt/tarantella/var/info/key)" -keypass "$(cat /opt/tarantella/var/info/key)"command. Much to my surprise, this time I got the following output:
    Your keystore contains 1 entry
    +testssgd, Dec 19, 2008, trustedCertEntry,+
    Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
    As you can see, now the certificate is recognized as "trustedCertEntry* instead of the previous PrivateKeyEntry. If you step back to my previous post, you should be able to tell that the MD5 is the same one I got for the PrivateKeyEntry.
    +testssgd, Dec 19, 2008, PrivateKeyEntry,+
    +Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35+
    By issuing the suggested:
    {code}keytool -v -list -keystore sslkeystore -alias testssgd{code}
    command I got the following output (snipped):
    +Alias name: testssgd+
    +Creation date: Dec 19, 2008+
    +Entry type: trustedCertEntry+
    +Owner: CN=ssgd.zen.strhold.it, OU=Strhold Evolution Division, O=Strhold, L=Reggio Emilia, ST=Italy, C=IT+
    +Issuer: CN=ADroot, DC=zen, DC=strhold, DC=it+
    +Serial number: 1568abe4000000000006+
    +Valid from: Fri Dec 19 17:45:52 CET 2008 until: Sun Dec 19 17:45:52 CET 2010+
    +Certificate fingerprints:+
    +     MD5: 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35+
    +     SHA1: 00:8F:59:04:51:49:A6:73:8C:B5:6D:74:C6:90:30:32:24:DE:6D:EA+
    +     Signature algorithm name: SHA1withRSA+
    +     Version: 3+
    As you can see, the Issuer is ADRoot (CN=ADroot, DC=zen, DC=strhold, DC=it).
    The error messages did not change (
    Attempted login for [email protected]
    using disambiguation attributes {}.
    2008/12/22 13:37:10.306     (pid 3764)     server/kerberos/info     #1229949430306
    Kerberos attempting to log in rzini in to ZEN.STRHOLD.IT
    2008/12/22 13:37:10.647     (pid 3764)     server/kerberos/moreinfo     #1229949430647
    Kerberos succeeded in authenticating [email protected] to ZEN.STRHOLD.IT
    2008/12/22 13:37:10.711     (pid 3764)     server/ldap/info     #1229949430711
    LDAP config is: "ad://zen.strhold.it"
    2008/12/22 13:37:10.716     (pid 3764)     server/ldap/info     #1229949430716
    LDAP server user was changed for scope "forest" to ""
    2008/12/22 13:37:10.796     (pid 3764)     server/ldap/moreinfo     #1229949430796
    NSLookup succeeded: "win2003r2.zen.strhold.it." returned 192.168.68.1
    2008/12/22 13:37:10.801     (pid 3764)     server/ldap/moreinfo     #1229949430801
    Service lookup succeeded: "_gc._tcp.zen.strhold.it." returned 192.168.68.1:3268
    2008/12/22 13:37:11.316     (pid 3764)     server/ad/warningerror     #1229949431315
    Sun Secure Global Desktop Software (4.41) WARNING:
    Could not find a client certificate to use to authenticate the
    connection to the Active Directory server
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the Active Directory.
    A known resolution to this warning is:
    - Import a client certificate for this server into the SGD keystore.
    For more information on how to do this, consult the SGD Administration
    Guide.
    2008/12/22 13:37:11.321     (pid 3764)     server/ad/warningerror     #1229949431321
    Sun Secure Global Desktop Software (4.41) WARNING:
    Failed to connect to the global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
    Reason:
    [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
    [snip]
    Discovery results:
    Looking up Global Catalog DNS name: _gc._tcp.zen.strhold.it. - HIT
    Looking for GC on server: Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up - ERROR
    The Active Directory login authority and LDAP generation will not work as
    SGD could not find a contactable global catalog.
    2008/12/22 13:37:11.329     (pid 3764)     server/ldap/error     #1229949431329
    Sun Secure Global Desktop Software (4.41) ERROR:
    LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=ZEN,DC=STRHOLD,DC=IT") 587ms javax.naming.NameNotFoundException: Failed to lookup a Global Catalog server
    A call to LDAP failed. This might mean LDAP users cannot log in.
    I can provide you with the Java exception which was reported but I cannot include it with this message due to the restriction in size we have when posting.
    Thanks again,
    Rob

  • Asking specific client certificate (not certificates trusted by authority)

    As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
    I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
    For example:
    Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
    But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
    And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?

    I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
    It might not be elegantBut it is!
    See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
    Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
    This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
    if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
    So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.

  • How to load a client certificate into a servlet to access a Web Service

    Hi,
    I am having the following problem:
    I am trying to use a Web Service client (Axis) within a servlet running under
    WebLogic 8.1.
    I would like to have mutual SSL-based authentication between the client and the
    server hosting the Web Service. Thus, my client has to send a certificate to the
    server.
    My problem is: how to get the certificate into the request? I know that, for example,
    the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't
    use this class.
    Is there any other method to make sure that SSL requests use my client certificates?
    By the way, I am receiving the following error message from the server:
    <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificate
    s not supplied by peer>
    <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate
    ch
    ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    Anyone has an idea?
    Thanks for any hints,
    Zoltan Schreter
    Nokia

    Hi all,
    I have solved this problem basically by using weblogic's SSLSocketFactory instead
    of the default one used by Axis. I created a custom HttpSender (MyHttpSender)
    which uses this Factory. I then created a custom Config class which I pass to
    the constructor of Service. The Config class looks like this:
    public class MyConfig extends SimpleProvider {
    * Constructor - deploy client-side basic transports.
    public MyConfig() {
    deployTransport("java", new SimpleTargetedChain(new JavaSender()));
    deployTransport("local", new SimpleTargetedChain(new LocalSender()));
    deployTransport("http", new SimpleTargetedChain(new MyHttpSender()));
    The relevant code within MyHttpSender looks something like this:
    SSLClientInfo sslinfo = new SSLClientInfo();
    File ClientKeyFile = new File("C:/certificates/testkey.pem");
    File ClientCertsFile = new File("C:/certificates/testcert.pem");
    InputStream[] ins = new InputStream[2];
    ins[0] = new FileInputStream(ClientCertsFile);
    ins[1] = new FileInputStream(ClientKeyFile);
    String pwd = "mykeypass";
    sslinfo.loadLocalIdentity(ins[0], ins[1], pwd.toCharArray());
    javax.net.SocketFactory sockf = weblogic.security.SSL.SSLSocketFactory.getJSSE(sslinfo);
    sock = sockf.createSocket(host, port) ;
    By the way, this change also solved the other problem I posted about (not being
    able to tunnel through the https proxy).
    Cheeers,
    Zoltan Schreter
    Nokia
    "Tony" <TonyV> wrote:
    Which API's are you currently using for the SSL communication in the
    client
    side?
    Tony
    "Zoltan Schreter" <[email protected]> wrote in message
    news:[email protected]...
    Hi,
    I am having the following problem:
    I am trying to use a Web Service client (Axis) within a servlet runningunder
    WebLogic 8.1.
    I would like to have mutual SSL-based authentication between the clientand the
    server hosting the Web Service. Thus, my client has to send a certificateto the
    server.
    My problem is: how to get the certificate into the request? I knowthat,
    for example,
    the HttpsURLConnection class of WebLogic has a loadIdentity method.But I
    can't
    use this class.
    Is there any other method to make sure that SSL requests use my clientcertificates?
    By the way, I am receiving the following error message from the server:
    <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peercertificate
    s not supplied by peer>
    <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508><Certificate
    ch
    ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    Anyone has an idea?
    Thanks for any hints,
    Zoltan Schreter
    Nokia

  • IPhone Mail app; IMAP; x509 client certificate?

    The title says it all really.
    I have an x509 client certificate happily installed in my iPhone's keychain. This certificate works correctly in Safari, allowing access to sites which demand it. When I try to collect mail from an IMAP server which also requires a client certificate, it doesn't work.
    As far as I can work out, the Mail app is not sending my client certificate when the server requests it to do so. Is this true? Is there a way to configure the Mail app to respond correctly to the server's client certificate request? Any pointers or information welcome!

    I think so.
    Actually I think I need to get the App Password for Mail on my phone. It generates the app password and I enter it into the password in the gmail setup for mail.
    The problem is that when I hit next on that page, I get the message:
    "my name" is already added" and I cannot proceed.
    Before doing this setup I deleted my gmail account by tapping the email address and hitting delete in the Mail, Contact and Calendars setup..
    but, there is something hiding in my iPhone that remembers my old gmail password (I guess) and doesn't let me proceed.
    If I enter my gmail iChain password I get the same thing.
    If i do this in airplane mode (no connection to google) i also get the same.
    I talked to an apple care person who had me reset all my settings... still the same thing.
    I am trying to avoid a gull reset of the iPhone, but that may be in the cards.
    Going to go to the apple store and ask there, but i am not hopeful.
    Barry

Maybe you are looking for

  • Short dump-internal table size issue

    Hi, I get the following message in the short dump analysis for a report. No storage space available for extending table "IT_920". You attempted to extend an internal table, but the required space was not available. Error Analysis: The internal table

  • Battery life "%" indicator missing

    Just got my wife's new 16 GB iPhone up and running. No functional issues, but there is no battery % indicator in the upper right corner like mine has. Any ideas?

  • How tor ead blob in oracle

    Is there a way to read/extract blob and see contents of it in oracle? Preferabaly using anonymous pl/sql block?

  • Adobe Pro delete pages error. One or more pages are in use and could not be deleted.

    Adobe Pro delete pages error. One or more pages are in use and could not be deleted. Hi, can anyone assit. I am compiling a pdf by inserting several documents and am unable to delete specific pages. I have used this function on a previous Adobe Pro v

  • Need help installing adobe after effects CS5 free trial

    i cant install adobe after effects CS5 trail it keeps giving me an erorr that says "error occured with connection with adobe.com (error 107), how do i restart adobe download assingment,and the bar at the bottom tells me to sing in when i already have