How to retrieve client certificate passed by Apache proxy

Hi all,
Here's my configuration:
Client <--HTTPS-->Apache Proxy (2-way SSL) <-- HTTP --> WLS 8.1
I need to be able to access the client certificate passed to Apache by the client in my Java applications hosted on WLS.
Here's what I did:
1. Set up Apache 2-way SSL. Tested OK.
2. Set up the Apache-WebLogic proxy. Tested OK for both HTTP and server-side HTTPS.
3. Configured Apache's ssl.conf SSLOptions to export certificate data: SSLOptions +ExportCertData.
4. In my application, I used request.getAttribute("javax.servlet.request.X509Certificate") to try and retrieve the certificate.
However, the certificate doesn't seem to be passed along to WebLogic :-(
Any ideas if I'm missing any steps from above? Or if it's even possible to do this?
Thanks for any suggestions!

The WL-Client-Proxy cert should be the cert used on the proxy side if SSL is configured between Apache and WebLogic, so I believe that is the reason why that does not work. Basically, the problem here is that SSL is end-to-end, and the two ends of this transaction are the client and Apache.
That said, when you add the +ExportCertData option, this should record the client's SSL certificate in the variable SSL_CLIENT_CERT. So you should be able to use request.getAttribute("SSL_CLIENT_CERT").
See:
http://www.modssl.org/docs/2.8/ssl_reference.html
If this doesn't work for you (which is possible if the WL_Proxy is doing something funny to the request), it is probably best just to dump out the entire contents of the session, and see what you have:
import java.util.Enumeration;

// Dump every request attribute and its value to stdout
for (Enumeration e = request.getAttributeNames(); e.hasMoreElements(); ) {
    String attr = (String) e.nextElement();
    System.out.println("ATTR = " + attr);
    System.out.println("VAL = " + request.getAttribute(attr));
}
If you can't see any SSL certificate there, you will have to work out some way to pass this on manually.
cheers,
Trevor
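An added example, not code from either poster nor from WebLogic's API: a servlet-side helper for the forwarding pattern used in the X.509 reverse-proxy thread further down (RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"), which is also the only way the certificate can reach WebLogic here, since the Apache-to-WebLogic hop is plain HTTP and the TLS session ends at Apache. It accepts the header only from the proxy's own address, restores the PEM line structure that header transport flattens (a frequent cause of "Base64 decoding" failures on a back end), and parses the result. TRUSTED_PROXIES, the SSL_CLIENT_VERIFY header being forwarded the same way, and javax.servlet on a Java 9+ runtime are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/** Reads a client certificate forwarded by an Apache reverse proxy as the SSL_CLIENT_CERT header. */
public final class ProxiedClientCert {

    private static final String CERT_HEADER = "SSL_CLIENT_CERT";
    // Assumed: the proxy forwards mod_ssl's SSL_CLIENT_VERIFY with a matching RequestHeader line.
    private static final String VERIFY_HEADER = "SSL_CLIENT_VERIFY";
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    // Assumed placeholder address. Only the proxy may assert a client identity via headers;
    // anything that can reach the back end directly could otherwise send SSL_CLIENT_CERT itself.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    private ProxiedClientCert() {}

    /**
     * A header value cannot carry the PEM's original line breaks intact, so all whitespace
     * between the markers is stripped and the base64 body re-wrapped at 64 columns, which is
     * the layout CertificateFactory expects. Returns null when no PEM block is present.
     */
    static String normalisePem(String raw) {
        if (raw == null) {
            return null;
        }
        int begin = raw.indexOf(BEGIN);
        int end = raw.indexOf(END);
        if (begin < 0 || end < begin) {
            return null;
        }
        String body = raw.substring(begin + BEGIN.length(), end).replaceAll("\\s+", "");
        if (body.isEmpty()) {
            return null;
        }
        StringBuilder pem = new StringBuilder(BEGIN).append('\n');
        for (int i = 0; i < body.length(); i += 64) {
            pem.append(body, i, Math.min(i + 64, body.length())).append('\n');
        }
        return pem.append(END).append('\n').toString();
    }

    /** Parses normalised PEM and rejects certificates outside their validity period. */
    static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        cert.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
        return cert;
    }

    /**
     * Returns the forwarded client certificate, or null when the request did not come from a
     * trusted proxy, the proxy did not successfully verify the client, or nothing was forwarded.
     */
    public static X509Certificate fromRequest(HttpServletRequest req) throws CertificateException {
        if (!TRUSTED_PROXIES.contains(req.getRemoteAddr())) {
            return null;
        }
        // With "SSLVerifyClient optional" mod_ssl only completes the handshake for a cert that
        // verified, but checking the exported result also guards against an optional_no_ca setup.
        if (!"SUCCESS".equals(req.getHeader(VERIFY_HEADER))) {
            return null;
        }
        String pem = normalisePem(req.getHeader(CERT_HEADER));
        return pem == null ? null : parsePem(pem);
    }
}
```

The subject DN for authorisation decisions then comes from cert.getSubjectX500Principal() rather than from a separate SSL_CLIENT_S_DN header, so the identity and the certificate the proxy actually verified cannot drift apart.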

Similar Messages

  • How to retrieve client certificate information from sender mail adapter

    Hi, expert:
    I have a requirement to verify the validity of incoming email with a digital certificate. The mail carries a digital certificate. If the incoming email is valid, I'll get the attachment of the mail for further processing. I have a sender mail adapter and receiver file adapter configured.
    I already have my own developed adapter module, which is configured in the mail adapter. My question is how to retrieve the detailed certificate information in the adapter module I developed myself. Is it feasible?
    Thanks a lot.


  • How to retrieve WorkflowContext without passing username and password ?

    Hi,
    I have created a dynamic ApprovalGroup and inside this class I have the following private method.
    private IWorkflowContext fetchWorkflowContext() {
        IWorkflowServiceClient wfSvcClient =
            WorkflowServiceClientFactory.getWorkflowServiceClient(WorkflowServiceClientFactory.LOCAL_CLIENT);
        ITaskQueryService queryService = wfSvcClient.getTaskQueryService();
        IWorkflowContext workflowContext = null;
        try {
            // Authenticates with a hard-coded user and password
            workflowContext = queryService.authenticate("weblogic", "weblogic1".toCharArray(), null);
        } catch (WorkflowException e) {
            e.printStackTrace();
        }
        return workflowContext;
    }
    But when I retrieve workflowContext, I have to pass a username and password. This dynamic ApprovalGroup class will be deployed on the same SOA server under D:\Oracle\Middleware111150\Oracle_SOA1\soa\modules\oracle.soa.ext_11.1.1.
    I have kept wf_client_config.xml under D:\Oracle\Middleware111150\Oracle_SOA1\soa\modules\oracle.soa.ext_11.1.1\classes.
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <workflowServicesClientConfiguration
    xmlns="http://xmlns.oracle.com/bpel/services/client">
         <server name="default" default="true" excludeFromFederatedList="true">
         <localClient>
              <participateInClientTransaction>false</participateInClientTransaction>
         </localClient>
         <remoteClient>
              <serverURL>t3://localhost:8001</serverURL>
              <userName>weblogic</userName>
              <password>weblogic1</password>
              <initialContextFactory>weblogic.jndi.WLInitialContextFactory</initialContextFactory>
              <participateInClientTransaction>false</participateInClientTransaction>
         </remoteClient>
         <soapClient>
              <rootEndPointURL>t3://localhost:8001</rootEndPointURL>
              <identityPropagation mode="dynamic" type="saml">
                   <policy-references>
                   <policy-reference enabled="true" category="security" uri="oracle/wss10_saml_token_client_policy"/>
                   </policy-references>
              </identityPropagation>
         </soapClient>
         </server>
    </workflowServicesClientConfiguration>
    How to retrieve WorkflowContext without passing username and password ?
    ============================
    workflowContext =queryService.authenticate("weblogic", "weblogic1".toCharArray(), null);
    ============================
    regards.
    Edited by: user10303338 on Oct 5, 2011 1:51 AM

    Use :
    Properties prop = System.getProperties();
    prop.put("proxySet","true");
    prop.put("http.proxyHost","yourProxy");
    prop.put("http.proxyPort","8080"); // change the port
    //prop.put("https.proxyHost","yourProxy");
    //prop.put("https.proxyPort","8080"); // change the port
    Denis

  • How to read client certificate after SSL has been established

    Hi, Folks:
    I've established mutual authentication between client and server; how do I go about reading the client certificate on the server side after the SSL session has been established? Basically I am trying to read the client name from the client certificate; based on the name, the server will decide what resources the client can access.
    Thanks a lot
    --Richard

    "I need to know the process clearly... like how to configure ssl server" As I said, that's not the topic of this thread. It's described in the Javadoc, and it's been covered in this forum, and the forum has a search facility. If you still have a question, start your own thread. Don't hijack other threads about other topics.
    "Everyone knows to read API documentation. If those were clear then I wouldn't ask here for help." Then you need to ask a specific question about something you specifically didn't understand, in a specific thread, in a specific forum. The best reference is the Javadoc. That's what it's for, and reading it is how I learned Java. If you can't understand it maybe you need to make more of an effort. Nobody is going to type it in here again for you in a more comprehensible form (I hope). It's your job to understand the material you have to work with. At the moment you're just asking someone to do your job for you.
    "And yes this topic may have been covered previously, but it's not necessary for me to know what topics are covered in this forum." The question asked in this thread has been answered previously in this thread. Is that too hard to find? The question you asked that hasn't been covered in this thread doesn't belong in this thread. Is that too hard to understand?

  • How to install client certificate in JDeveloper 10.1.3.41.57

    Hi,
    We need to connect to another website by presenting a client certificate. This certificate is provided by that website and a password is required. Though I tried to launch the JSP that redirects the page to the URL to connect to that website, and I imported the certificate into the browser, I am still asked for credentials to connect.
    I was told by other people I need to install the client certificate on the server.
    My question is how I install this client certificate in JDeveloper 10.1.3.41.57 and launch the JSP to connect to that website?
    The certificate is like xxx2_x.509Cert.pfx.
    Please help
    Thank you.
    jfu

    First, thank you so much for your reply. Yes, it works. I did convert the pfx to JKS successfully.
    I use keytool -list to view this JKS file. I can see the content. The chain length is 2.
    However, I got the same error message when I tried to use the above command to import the JKS into cacerts under jdk/jre/lib/security/; if I add -storetype pKCS12, I get another error: keytool error: java.io.IOException: DerInputStream.getLength(): lengthTAg=109, too big.
    Please help.
    Thanks,
    Jfu
    Edited by: 872272 on Sep 20, 2011 8:58 AM

  • How to handle Client Certificate authentication using URLRequest/URLLoader

    Hi All,
    I developed an AIR Application which communicates with a server. Protocol used for communication is HTTPS, and server has a valid certificate.
    So whenever the AIR app communicates with the server, a dialogue box prompts to select the client certificate, just as shown below.
    So here what I am looking at is, Any method is available to prevent this prompt.
    I have already tried the method of enabling "Don't prompt for client certificate selection when only one certificate exists". Of course this method will work only if multiple certificates exist, so what if multiple certificates exist?
    How an air application can handle that?
    So has anyone found a way to handle this? I am using URLRequest for communicating with the server.
    Here is the code snippet I have used.
    // Plain GET over HTTPS; the runtime picks the client certificate, the code has no say in it
    var request:URLRequest = new URLRequest(url);
    request.method = URLRequestMethod.GET;
    var urlLoader:URLLoader = new URLLoader();
    urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
    urlLoader.addEventListener(Event.COMPLETE, loaderCompleteHandler);
    urlLoader.addEventListener(Event.OPEN, openHandler);
    urlLoader.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
    urlLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
    urlLoader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler); //, false, 0, true);
    urlLoader.load(request);
    Please help me...
    Thanks
    Sanal

    Yes it is possible. Refer
    Using Certificates for Authentication [http://docs.sun.com/app/docs/doc/820-7985/ginbp?l=en&a=view]
    SSL Authentication section in [http://docs.sun.com/app/docs/doc/820-7985/gdesn?l=en&a=view]
    client-auth element in server.xml [http://docs.sun.com/app/docs/doc/820-7986/gaifo?l=en&a=view]
    certmap.conf [http://docs.sun.com/app/docs/doc/820-7986/abump?l=en&a=view]
    certmap.conf should have verifycert "on", and let's say this certmap is called "cmverify":
    certmap cmverify    default
    cmverify:DNComps
    cmverify:FilterComps    uid
    cmverify:verifycert     on
    In server.xml we should have <client-auth> "required", and let's say we have an auth-db named "ldapregular":
    <http-listener>...
      <ssl>...
        <client-auth>required</client-auth>
      </ssl>
    </http-listener>
    <auth-db>
      <name>ldapregular</name><url>ldap://myldap:369/o%3DTestCentral</url>
      <property><name>binddn</name><value>cn=Directory Manager</value></property>
      <property><name>bindpw</name><value>...</value><encoded/></property>
    </auth-db>
    In the ACL file we should have method = "ssl", database = "ldapregular" and certmap = "cmverify":
    # clientauth against LDAP database with special certmap which has verifyCert on
    acl "uri=/";
    authenticate (user,group) {
        prompt = "Enterprise Server";
        method = "ssl";
        database = "ldapregular";
        certmap = "cmverify";
    };
    deny (all) user = "anyone";
    allow (all) user = "alpha,beta,gamma";

  • How to retrieve the java object in a proxy service in osb -- Plz help

    Hi all,
    I have a singleton java class which runs whenever the weblogic server gets started and store the output in its object. I need to access this java object from a proxy service in osb.
    We tried using java call out and retrieved that object but we couldn't know how to parse that object into XML.
    We are not sure of using the java call out in osb to solve this purpose because whenever we use a java callout, that particular java code will run which is not the case of singleton class.
    So kindly help us how to retrieve the java object which holds the output without running the java code every time because its already run and holding the output in its object.
    Regards
    Prabhu

    Here is the doc: http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/userguide/context.html#wp1106656
    But I guess you are already at the stage of getting a POJO in a first Java Callout and passing the POJO to a second Java Callout, which should then return it to OSB as an XMLObject.
    My recommendation is to write a Java function which returns an XMLObject and uses an XMLCursor to populate it with the values of the POJO.
    An XMLObject returned to the OSB is automatically transformed into an "XML" variable (which in reality is represented as an XMLObject in the Pipeline context).
    Here is a code sample:
    http://www.javamonamour.org/2010/09/how-to-create-xmlobject-using-xmlcursor.html

  • How is a client certificate accessed from a servlet that received a SSL3 enabled client-side cert required request

    I would like to know the variables in the HTTP header that hold the client cert information, similar to the SSL_CLIENT_CERT variable in Apache, and how do I access these from a servlet?

  • How to retrieve client's IP address in servlet

    thanks

    According to the API documentation for ServletRequest, it has this method:
    getRemoteAddr()
    Returns the Internet Protocol (IP) address of the client that sent the request.
    Was that what you wanted?

  • Client certificate information

    Hello,
    Does anyone have a definitive answer for how to retrieve
    client certificate information in coldfusionMX7 using Apache 2.0.x
    (just http server, not tomcat)? I can get it out of the environment
    in a perl script...I just don't know how to pass it to
    coldfusion..the client cert CGI variables are null. I've also tried
    using jsp's to retrieve the info. The information is obviously not
    getting to jrun. I've searched high and low, nobody seems to know
    what to do.
    Thanks
    Apache 2.0.x (has been configured with SSLOptions +StdEnvVars
    +ExportCertData)
    Coldfusion MX7

    IVootmon,
    I am trying to do the same on ColdFusionMX7 and ColdFusion8.
    The ColdFusion CGI variables for CERT_ are all empty. Did you find
    a solution to pass CERT_ info to ColdFusion? Thanks.

  • X.509 client certificate not working through Reverse proxy

    Dear expert,
    We are working on Fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, while the intranet scenario for X.509 authentication is working fine, internet is not; we got the error message "Base64 decoding of certificate failed". For the landscape, the only difference between internet and intranet is that we have an Apache reverse proxy in the DMZ. We are using Gateway as front-end server, Business Suite and HANA in the back-end.
    As X.509 authentication works fine under the intranet scenario, we assume that the configuration for X.509 for both front-end and back-end is correct. With that assumption, the issue would exist in the reverse proxy. We are using Apache 2.4.7 with OpenSSL 1.0.1e, but we have upgraded OpenSSL to the latest version 1.0.1h for SSL certificate generation. Below is the Apache configuration for X.509.
    Listen 1081
    <VirtualHost *:1081>
    SSLEngine on
    SSLCertificateFile  "D:/Apache24/conf/server.cer"
    SSLCertificateKeyFile  "D:/Apache24/conf/server.key"
    SSLCertificateChainFile  "D:/Apache24/conf/server-ca.cer"
    SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
    SSLVerifyClient optional
    SSLVerifyDepth  10
    SSLProxyEngine On
    SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
    SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
    AllowEncodedSlashes On
    ProxyPreserveHost on
    RequestHeader unset Accept-Encoding
    <Proxy *>
         AddDefaultCharset Off
         SSLRequireSSL
         Order deny,allow
         Allow from all
    </Proxy>
    RequestHeader set ClientProtocol https
    RequestHeader set x-sap-webdisp-ap HTTPS=1081
    RequestHeader set SSL_CLIENT_CERT  ""
    RequestHeader set SSL_CLIENT_S_DN  ""
    RequestHeader set SSL_CLIENT_I_DN  ""
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
    ProxyPass / https://ldcinxd.wdf.sap.corp:1081/  nocanon Keepalive=on
    proxyPassReverse /  https://ldcinxd.wdf.sap.corp:1081/
    We are out of mind on how to resolve this issue. Please kindly help if you have any idea on it.
    thanks,
    Best regards,
    Xian'an

    Hi Samuli,
    Really thanks for your reply.
    Yes, we have tried your suggestion above in the apache configure file above, but when testing the HANA service, we got error message "Certificate could not be authenticated".
    Yes, Web Dispatcher makes the X.509 authentication much easier, as under the intranet scenario there is no DMZ between browser and Web Dispatcher. The client certificate passes through Web Dispatcher directly and it works perfectly this way. Not sure why it doesn't work through the Apache reverse proxy.
    Best regards,
    Xian'an

  • Retrieving ssl certificates from a server

    Hello there,
    I am currently trying to learn some things about SSL. I've never had to work with SSL servers until now, and I've got a couple of questions here;
    first off, my client program needs to connect to an IMAP server, in order to retrieve the number of new messages in the inbox. Now, the certificate doesn't seem to be standard, because I get a sun.security.validator.ValidatorException: No trusted certificate found.
    I have already learned how to make my own keystore file and add in custom certificates, but I do not know how to retrieve these certificates from the servers I am connecting to.
    So, how can I get this information from an IMAP server? :)
    many thanks in advance!
    With kind regards,
    Steven

    OK, well I found a way on the net to use an "all-trusting" trust manager, so now the handshake works and I can work within the IMAP server..
    But what's the use of this certificate then, if I can simply avoid using a real one? I hope someone could answer this :)

  • UTL_HTTP and client certificate request

    I am hoping that someone can help me. We have a web site that we need to hit and pull the html code back from the pages and we have the code to get what we need but the website now has an option where it requests a client certificate from a user for authentication or if you cancel the request it will then ask you for username and password. I cannot figure out how to submit a cancel on the client certificate request so that my application can submit the username and password authentication. Does anyone have an idea or example to do this? Also if you submit a bad certificate it will prompt you for authentication. So if someone knows how to submit client certificates that would be helpful as well.
    Thanks in advance.

    I've never faced this issue but you might want to look at using UTL_TCP rather than UTL_HTTP.
    http://www.psoug.org/reference/utl_tcp.html

  • Import client certificate

    After configuring Oracle9iAS release 9.0.3, how do I import the client certificate into personal certificates using the local computer instead of the Windows registry?
    Thanks,
    Augusto Gonçalves de Sousa


    Hi,
    I am facing issue that I have create https site and at deployment time I want to do Click Once deployment. Currently, I want to include bat file or script which should be run when installer being run by end user.
    At run time, certificate will be import on client machine so manifest file will be updated.
    Workaround: I can create bat file for installing certificate on target machine but after installer created how and who will initiate to run bat file.
    Thanks and Regards,
    Amit Khurana

    Hello,
    You could consider running that file or script with the following way.
    Walkthrough: Creating a Custom Installer for a ClickOnce Application
    Specially the part of InstallApplication method.
    In addition, I would recommend you consider deploying it with Installshield which supports custom actions, and if you get any issue about installshield, you could post them on its website to get help.
    Happy new year!
    Carl

  • Configuring Client certificate

    Hi
    I have generated server side certificate using the certificate I got from my CA which is working fine. Due to the nature of the application we are hosting, we would like to have client certificates. This would mean that we will issue client certificates to users to install on their machines and to access the service.
    I have generated all my server SSL configs using keytool. Now I don't have any idea on how to configure client certificates.
    Please help us with this.
    Thanks
    Deepak

    Hi Again,
    This is what I have done for server:
    1. Generate keypair for server in file keystore.jks
    2. For testing i am using self signed certificate, therefore I exported the certificate from above to server.cer file
    3. I again imported the certificate in step 2 to truststore file named cacerts.jks
    This is what I have done for client:
    1. Generated keypair for client in the file named clientkeystore.jks
    2. Exported the certificate generated to file client.cer
    3. Then exported the client.cer to truststore file which is cacerts.
        <Connector port="443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="true" sslProtocol="TLS"
                   keystoreFile="C:\Documents and Settings\Deepak\keystore.jks" keypass="changeit"
                   truststoreFile="C:\Documents and Settings\Deepak\cacerts.jks" />
    Now from the client machines I have installed the client.cer in the browser and am trying to access the service, but it fails. This is the error I am getting:
    An error occurred during a connection to localhost.
    SSL peer cannot verify your certificate.
    *(Error code: ssl_error_bad_cert_alert)*
    Please check my process and please advise where I went wrong.
    Thanks
    Deepak
