Https Client Authentication

i'm posting the data using HttpsURLConnection to IIS 5.0 web server. The code is working fine for server authentication. Now i want to enable the client authentication option in IIS. How do i send the client certificate from the Java program to the IIS web server

There are 2 things you need to do:
1. Turn on "Require client certificate" on IIS.
2. Either use HttpsURLConnection or if you're using SSLSocket, you have to send at least 2 lines
GET / HTTP/1.1
Host: iis-server
The Host HTTP header line is key.
Without that line, IIS won't send CertificateRequest during SSL handshake.
With that line, IIS force the client to connect again, on the second handshake, IIS send the CertificateRequest command correctly!

Similar Messages

Problems with HTTP Client Authentication in jdev 10.1.2.17.84.

Hi,
I've told HTTP Client Authentication doesn't work in jdev 10.1.2.17.84. I need users to be authenticated using a certificate so I'm trying several workarounds but none seems to be valid. Any help?
Thanks.
Luis Serrano.

been there done that.. ive decompiled the oc4j code, debuged down to the core... its big waste of my time... :(
my advice to you is to leave it.. if you do not plan to use oracle ldap sso or xml provider you can do nothing... your hands are tied... they hardcoded everything and if you want more than classic "username & password" custom login module you will have to change oc4j...
there is no point to make a custom loginmodule which utilize a client certificate because oracle JAZN do not suport that type of login module!
just implement a login filter and manage authentication and authorization yourself... just like steve muench did in his java store demo - he didnt use JAZN... :)
anyway current approach do not allow you to leverage JAAS in ADF model layer so why bother to have that in the view/controller layer anyway...
and if i understood correctly oracle plans big changes in this area in the next jdeveloper release, and they alredy said that custom login modules would be depreciated in the next releases...

Logout from an "https client authentication (public key certificate)"

Hi ,
I am using an https client authentication (public key certificate) to login to my ADF faces website
How can I logout form the application? It seems the session.invalidate() is not working because my login information is still displayed after running the logout method (below)
Note that this logout method was working well with the Form-Based Authentication.
Thank you
Jamil
public String logout() {
ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
HttpServletRequest request = (HttpServletRequest)ectx.getRequest();
HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
HttpSession session = (HttpSession)ectx.getSession(false);
session.invalidate();
String temp = request.getContextPath() + "/adfAuthentication?logout=true&end_url=/faces/logout";
try {
ectx.redirect(temp);
FacesContext.getCurrentInstance().responseComplete();
} catch (Exception ex) {
System.out.println("Exception in logout()");
return null;
}

Can you try with the null chk.. as this piece of code is working fine for us
public void logout(ActionEvent evt) {> FacesContext fc = FacesContext.getCurrentInstance();
> HttpSession session =
> (HttpSession)fc.getExternalContext().getSession(false);
> HttpServletRequest request =
> (HttpServletRequest)fc.getExternalContext().getRequest();
> HttpServletResponse response =
> (HttpServletResponse)fc.getExternalContext().getResponse();
> try {
> if (session != null) {
> session.invalidate();
> }
> fc.getExternalContext().redirect(request.getContextPath() +
> "/faces/index");
> } catch (Exception exp) {
> try {
> fc.getExternalContext().redirect("/faces/Error");
> } catch (Exception ex) {
}> }
> }

How to configure JSS 4 with Firefox 21.0 to to use with HTTPS client authentication? It´s supposed that JSS allows an applet to access Mozilla user´s cert

We are trying to use HTTPS client certificate based authentication to access a Java Applet in Firefox v21.0. We have followed the instructions as per the below two urls to enable JSS 4 -
https://developer.mozilla.org/en-US/docs/JSS/Using_JSS<br />
http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/keystores.html<br />
http://download.java.net/jdk8/docs/technotes/guides/deployment/deployment-guide/keystores.html
We are using JRE version 1.7.0_25-b16 Java HotSpot(TM) Client VM in Firefox v21 but we are getting - <br />
security: Accessing keys and certificate in Mozilla user profile: null<br />
security: JSS is not configured
followed by SSK handshake failure when trying to load the client certificate.
<pre><nowiki>javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source)
at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source)
at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)</nowiki></pre>
The client cert based authentication is working when using IE v8 and IE v9 with the same JRE version (JRE version 1.7.0_25-b16 Java HotSpot(TM) Client VM)
Any help to resolve this issue will be very much appreciated.

Thank you for your response.
Yes we have added the client certificate file (.pfx) in the Firefox browser Certificate manager / Store. It's also showing the certificate in the View Certificate window. We could not resolve it yet.

Error during Https client Authentication

Hi ,
I have configured the SOAP adapter for HTTPS with client authentication.The certificates are also in place. Even then i am getting the below error.
Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.adapter.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:927) at sun.reflect.GeneratedMethodAccessor370.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at com.sap.engine.services.ejb3.runtime.impl.RequestInvocationContext.proceedFinal(RequestInvocationContext.java:43) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:166) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_StatesTransition.invoke(Interceptors_StatesTransition.java:19) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_Resource.invoke(Interceptors_Resource.java:71) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_Transaction.doWorkWithAttribute(Interceptors_Transaction.java:38) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_Transaction.invoke(Interceptors_Transaction.java:22) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:189) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_StatelessInstanceGetter.invoke(Interceptors_StatelessInstanceGetter.java:16) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_SecurityCheck.invoke(Interceptors_SecurityCheck.java:21) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_ExceptionTracer.invoke(Interceptors_ExceptionTracer.java:16) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.DefaultInvocationChainsManager.startChain(DefaultInvocationChainsManager.java:133) at com.sap.engine.services.ejb3.runtime.impl.DefaultEJBProxyInvocationHandler.invoke(DefaultEJBProxyInvocationHandler.java:164) at $Proxy2683.process(Unknown Source) at com.sap.aii.af.app.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:275) at sun.reflect.GeneratedMethodAccessor368.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at com.sap.engine.services.ejb3.runtime.impl.RequestInvocationContext.proceedFinal(RequestInvocationContext.java:43) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:166) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_StatesTransition.invoke(Interceptors_StatesTransition.java:19) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_Resource.invoke(Interceptors_Resource.java:71) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_Transaction.doWorkWithAttribute(Interceptors_Transaction.java:38) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_Transaction.invoke(Interceptors_Transaction.java:22) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:189) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_StatelessInstanceGetter.invoke(Interceptors_StatelessInstanceGetter.java:16) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_SecurityCheck.invoke(Interceptors_SecurityCheck.java:21) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.Interceptors_ExceptionTracer.invoke(Interceptors_ExceptionTracer.java:16) at com.sap.engine.services.ejb3.runtime.impl.AbstractInvocationContext.proceed(AbstractInvocationContext.java:177) at com.sap.engine.services.ejb3.runtime.impl.DefaultInvocationChainsManager.startChain(DefaultInvocationChainsManager.java:133) at com.sap.engine.services.ejb3.runtime.impl.DefaultEJBProxyInvocationHandler.invoke(DefaultEJBProxyInvocationHandler.java:164) at $Proxy230.process(Unknown Source) at com.sap.aii.adapter.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:175) at com.sap.aii.adapter.soap.web.MessageServlet.doPost(MessageServlet.java:470) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:163) at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:82) at com.sap.engine.services.servlets_jsp.server.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:124) at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:74) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:425) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:289) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:376) at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:85) at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71) at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:160) at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71) at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:67) at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9) at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71) at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60) at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9) at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71) at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27) at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12) at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71) at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29) at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12) at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:71) at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:309) at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.run(Processor.java:222) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:152) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:247)

Hi
The error "client certificate required" reported by you has a clear cause - at least at the first sight: You do not deliver a client certificate with your SOAP request or it is not vaild/corrupted.
Regards,
Volker

HTTPs without client authentication, error while posting through Altova

Hi Experts
I am doing a SOAP- XI-Proxy synchronous scenario where i have to use HTTPs without client authentication for the first time in my system.
I have made the scenario and WSDL out of it.
When i am trying to test it through Altova, i am getting the following error:
<?xml version="1.0"?>

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP:Body>
        <SOAP:Fault>
            <faultcode>SOAP:Server</faultcode>
            <faultstring>Server Error</faultstring>
            <detail>
                <s:SystemError xmlns:s="http://sap.com/xi/WebService/xi2.0">
                    <context>XIAdapter</context>
                    <code>ADAPTER.JAVA_EXCEPTION</code>
                    <text><![CDATA[
java.security.AccessControlException: https scheme required
    at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:918)
    at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3.process(ModuleLocalLocalObjectImpl0_3.java:103)
    at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:296)
    at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0_0.process(ModuleProcessorLocalLocalObjectImpl0_0.java:103)
    at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:187)
    at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:496)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
          ]]></text>
                </s:SystemError>
            </detail>
        </SOAP:Fault>
    </SOAP:Body>
</SOAP:Envelope>
i saw a few discussion on web but nowhere the solution was provided.
the url is
http://abc.sap.point:1234/XISOAPAdapter/MessageServlet?channel=:system:communicationchannel&version=3.0&Sender.Service=x&Interface=x%5Ex
i changed it to https also but in that case it was not even posting the request.
i have set the sender adapter like this
is there any setting that i am missing.
What is the setting the i need to do in SM59.
Please help me getting through this.
Your help is highly appreciated. Thanks in advance.
Neha

HI Neha,
1. Enable the https service in the ICM: you can follow the way to do it like is pointed out in the page 4 of this document (PI 7.1 and PI 7.0 has the same smicm abap transaction) http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66?overridelayout=t…
2. Generate the certificate. Use the STRUST transaction. Chech this document SSL Configuration in SAP ABAP AS and JAVA AS – Step-by-step procedure
Hope this helps.
Regards.

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

when i connect to wcf service , i am getting the client authentication error.
It happens only when i connect to wcf service from a client machine (virtual machine) that is logged in with local user account.
Wcf service is hosted as windows service in my case.
Client application is a windows application that connects using below security mode.
BasicHttpBinding httpbind = new BasicHttpBinding();
httpbind.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
httpbind.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
httpFactory.Credentials.Windows.AllowedImpersonationLevel
= System.Security.Principal.TokenImpersonationLevel.Impersonation;
Please help me with a solution.
As i read more through below link , i doubt if the client is not in the same domain, it might not work ? is it rite.
http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx
Regards Battech

https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
Well, you need to figure out what the authentication is supposed to be bettwen the WCF client and WCF service, because Windows Authentication is being rejected.

Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

Hello All,
We are currently building up a HTTPS message exchange with an external client.
Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
Now we have to configure the addtional Client Authentication.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
Jochen

Hi Colleagues,
following Steps still have to be done:
- Mapping public key to technical user at Java Stack
As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
- Be sure CA root certivicate at Database under STRUSTSSO2
- Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
- use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen

Autoscaling Application block for Azure worker role console app not working. Get error as The HTTP request was forbidden with client authentication

I have written a console application to test the WASABi(AutoScaling Application Block) for my worker role running in azure. The worker role processes the messages in the queue and I want to scale-up based on the queue length. I have configured and set the
constraints and reactive rules properly. I get the following error when I run this application.
[BEGIN DATA]{}
DateTime=2013-12-11T21:30:02.5731267Z
Autoscaling General Verbose: 1002 : Rule match.
[BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","MatchingRules":[{"RuleName":"default","RuleDescription":"The default constraint rule","Targets":["AutoscalingWebRole","AutoscalingWorkerRole"]},{"RuleName":"ScaleUpOnHighWebRole","RuleDescription":"Scale
up the web role","Targets":[]},{"RuleName":"ScaleDownOnLowWebRole","RuleDescription":"Scale down the web role","Targets":[]},{"RuleName":"ScaleUpOnHighWorkerRole","RuleDescription":"Scale
up the worker role","Targets":[]},{"RuleName":"ScaleDownOnLowWorkerRole","RuleDescription":"Scale down the worker role","Targets":[]},{"RuleName":"ScaleUpOnQueueMessages","RuleDescription":"Scale
up the web role","Targets":[]},{"RuleName":"ScaleDownOnQueueMessages","RuleDescription":"Scale down the web role","Targets":[]}]}
DateTime=2013-12-11T21:31:03.7516260Z
Autoscaling General Warning: 1004 : Undefined target.
[BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","TargetName":"AutoscalingWebRole"}
DateTime=2013-12-11T21:31:03.7516260Z
Autoscaling Updates Verbose: 3001 : The current deployment configuration for a hosted service is about to be checked to determine if a change is required (for role scaling or changes to settings).
[BEGIN DATA]{"EvaluationId":"4f9f7cb0-fc0d-4276-826f-b6a5f3ea6801","HostedServiceDetails":{"Subscription":"psicloud","HostedService":"rmsazure","DeploymentSlot":"Staging"},"ScaleRequests":{"AutoscalingWorkerRole":{"Min":1,"Max":2,"AbsoluteDelta":0,"RelativeDelta":0,"MatchingRules":"default"}},"SettingChangeRequests":{}}
DateTime=2013-12-11T21:31:03.7516260Z
Autoscaling Updates Error: 3010 : Microsoft.Practices.EnterpriseLibrary.WindowsAzure.Autoscaling.ServiceManagement.ServiceManagementClientException: The service configuration could not be retrieved from Windows Azure for hosted service with DNS prefix 'rmsazure'
in subscription id 'af1e96ad-43aa-4d05-b3f1-0c9d752e6cbb' and deployment slot 'Staging'. ---> System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException:
The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory)
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
If anyone know why I am getting this anonymous access violation error. My webrole is secured site but worker role not.
I appreciate any help.
Thanks,
ravi

Hello,
>>: The service configuration could not be retrieved from Windows Azure for hosted service with DNS prefix 'rmsazure' in subscription id **************
Base on error message, I guess your azure service didn't get your certificate and other instances didn't have certificate to auto scale. Please check your upload the certificate on your portal management. Also, you could refer to same thread via link(
http://stackoverflow.com/questions/12843401/azure-autoscaling-block-cannot-find-certificate ).
Hope it helps.
Any question or result, please let me know.
Thanks
Regards,
Will
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

HTTPS with Client Authentication not available in EHP1?

Hi Guys,
I am not seeing this option in PI 7.1 EHP1.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
any help would be appreciated
Thanks,
Srini

Hi Srinivas,
I didnot use it personally. But when I see on SAP help I dont see that option anywhere. Please see this sap help:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
But you have an option sender agreeement for security. Please see this help:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
Regards,
---Satish

HTTPS with Client Authentication in SOAP sender Adapter

Hi All,
In SOAP Sender communication channel. When I generate WSDL with HTTP Security Level = HTTP: it works when third party tries to send data to XIwebservice.
But when I tried with HTTPS with Client Authentication option its giving error
InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.
Please guide how to use HTTPS with Client Authentication option, and what all configuration need to apply in XI & in third party to use this.
Regards

Rohan,
With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
So the answer to your question is yes, after importing the certificate with sender and third party reciever a test would reveal the complete scenario along with any issues that you could encounter..
Regards
Ravi Raman

HTTPS With Client Authentication

Hi,
I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
java.security.AccessControlException: client certificate required
In the the transaction scim the following can be seen:
[Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 5061]     out: sssl_hdl = 1117534b0
[Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061]      in: sssl_hdl = 1117534b0
[Thr 5061]      in: cred_hdl = 116cfc110
[Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
[Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001 peer=XX.XX.XX.XX:2310
[Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
[Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061]          status = "resumed SSL session, NO client cert"
The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
Sender Communication Channel,
Transport Protocol: HTTP,
Message Protocol: Soap 1.1,
Adapter Engine: Central Adepter Engine,
HTTPS with Client Authentication,
Keep Headers
Any ideas?
Kind regards,
John

Hi Peter,
If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
All the best,
John

HTTPS Without client authentication shows error of Certificate

Hi Experts,
I am trying to develop a SOAP to RFC scenario where in SOAP sender HTTP security level - HTTPS Without Client Authentication is selected.
I have downloaded WSDL from Sender agreement and trying to test web service from SOAPUI. Now as per my understanding simply placing request to HTTPS:<host>:<port>:XISOAPAdapter/....   with correct user should work and this scenario shouldn't need any certificates.
However in SOAPUI and even in RWB SOAP Sender, I am receiving error that - Client Certificate required.
Any comments on why would it be happening ?    In fact whatever option in HTTP Security level I select, error remains same. In NWA is there any other configuration to be done to make this work ?
Is below understanding right ?
-- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do
Thanks..
regards,
Omkar.

Hello Omkar,
What you are trying to do is Consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for late response..i just came across this post when i was searching something else )
1)How did you generate the certificate and the private key? Because Key Generation plays a Big Part in it. The Key should have been signed by a CA. Though its not signed by a CA, a trick which would work is, at the time of Key generation, provide the Organization Name as SAP Trust Community and Country as DE.
2) At the time of Key Generation definitely it shall ask for a password. You remember that.
3) Export the Private Key as PCKS12 format and the certificate as Base64 format and have it in your local system, (shall be used later in SOAP UI and NWA)
Here follows the major part
4) Open NWA and go to Configuration Management->Authentication
5) Go to Properties Taband click Modify
6) Under Logon Application select the check box "Enable Showing Certificate Logon URL Link on Logon Page" and save it.
7) Now go to the Components Tab.
8) Search for client_cert Policy Configuration name and Edit it it. Make sure the following Login Modules are maintained in the same Order
==> Name: com.sap.engine.services.security.server.jaas.ClientCertLoginModule
       Flag : Sufficient
==> Name: BasicPasswordLoginModule
       Flag: Optional
9) Now Select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add anew entry (case sensitive). Save it.
==>Name: Rule1.getUserFrom
       value : wholeCert
10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter
and edit it.
11) Under the Authentication stack select the template client_cert against the used template label. and save it
12)If you are using AXIS Adapter, do the steps 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.
13) Now in NWA navigate to Operation management->Identity Management
14) Search for the user PIISUSER (or any user id which you thing has good amount of authorizations to access the service)
15)Click Modify and go to the TAB Certificates and upload the certificate (not the private key) which you downloaded in step 3.
16) With this setup what you have done is you have created proper certificate, enabled certificate based logon for SOAP and AXIS adapter and associated the certificate with a user id.
17) usually in Dual stack PI, we will have the same certificate added to the server pse in strustsso2 tcode. But since its single stack, just make sure in the cert and keys you add this certificate to teh Trusted CAs and also to the Server Keystore.
18) Now in SOAP UI Right Click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the Private Key
19) In SOAP UI under the operation name, in the Request, in stead of providing user credentials, choose the private key name against the SSL Keystore entry.
20) Before you execute the scenario make sure you have chosen the HTTPS url and https port is proper. Usually its 443, but some customers configure their own port.
Scenario should work now. Else if you track it using XPI Inspector, you can find out easily at which step it has gone wrong.
Good Luck!!
Best Regards,
Sundar

SOAP Adapter - HTTPS w/ client authentication -SSL termination @ dispatcher

Hi,
We have a SOAP client sending SOAP message over SSL to PI. We are using client cert for authentication, but terminating SSL at web dispatcher. In this scenario, i) do we need to configure security for XISOAPADAPTER in Visual admin on PI and ii) do we need to set HTTPS with client authentication security option in SOAp Sender communication channel?
My understanding is that since we are terminatinating SSL at web dispatcher (Server authentication happens between third-party gateway and our gateway and when web dispatcher terminates SSL, client cert for auth is passed via httpheader to PI where it is mapped to UME user with sufficient authorizations) we don't need to set the XISOAPADAPTER security (if it is end-to-end ssl we would i guess set up in V. Admin>Security provider service>clientcertloginmodule for XISOAPADAPTER) and we don't need to set the sender channel as https with client authentication ( it should just be http in SOAP sender channel).
Is my understanding correct? I will really appreciate any clues?
Thanks,
Saurabh

Hi saurabh
follow these links to SAP note
these will be helpful for you
Note 856597 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 SOAP Adapter
https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856597&_NLANG=E
Note 856599 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 Mail Adapter
https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856599&_NLANG=E
Note 870845 - XI 3.0 SOAP adapter SSL client certificate problem
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=916664&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=870845&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
regards
Sandeep
If helpful kindly reward points

Problem sending data with HTTPS using client authentication.

Hi,
I�m tryingto send a message to a secure server using for this client certificate, apparently if I make a GET of "/" (server root) , everything works fine (authentication, and data received), from the moment that I try to ways send data to the "/pvtn " directory i obtain the following error.
This is a sample of the code i�m using:
import com.sun.net.ssl.KeyManagerFactory;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.Socket;
import java.security.*;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Date;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.cert.*;
import javax.security.cert.X509Certificate;
public class Test
public static final String TARGET_HTTPS_SERVER = "mymachine.mydomain.pt";
public static final int TARGET_HTTPS_PORT = 443;
public static void main(String[] args) throws Exception
System.setProperty("javax.net.ssl.trustStore","/certificados/truststore.txt");
System.setProperty("javax.net.ssl.trustStorePassword","trustpwd");
System.setProperty("javax.net.ssl.keyStore","/certificados/truststore.txt");
System.setProperty("javax.net.ssl.keyStorePassword","trustpwd");
java.security.Security.removeProvider("SunJSSE");
java.security.Security.insertProviderAt(new com.sun.net.ssl.internal.ssl.Provider(),2);
KeyManagerFactory kmf= KeyManagerFactory.getInstance("SunX509", "SunJSSE") ;
//Socket
SSLSocket jsslSoc = (SSLSocket) SSLSocketFactory.getDefault().createSocket(TARGET_HTTPS_SERVER, TARGET_HTTPS_PORT);
String [] ciphers = jsslSoc.getSupportedCipherSuites() ;
//// Select the ciphers you want and put them.
//// Here we will put all availabel ciphers
jsslSoc.setEnabledCipherSuites(ciphers);
//// We are creating socket in client mode
jsslSoc.setUseClientMode(true);
//// Do SSL handshake
jsslSoc.startHandshake();
// Print negotiated cipher
System.out.println("Negotiated Cipher Suite: " + jsslSoc.getSession().getCipherSuite());
System.out.println("");
X509Certificate[] peerCerts = ((javax.net.ssl.SSLSocket)jsslSoc).getSession().getPeerCertificateChain();
if (peerCerts != null)
System.out.println("Printing server information:");
for(int i =0; i < peerCerts.length; i++)
System.out.println("Peer Certificate ["+i+"] Information:");
System.out.println("- Subject: " + peerCerts.getSubjectDN().getName());
System.out.println("- Issuer: " + peerCerts[i].getIssuerDN().getName());
System.out.println("- Version: " + peerCerts[i].getVersion());
System.out.println("- Start Time: " + peerCerts[i].getNotBefore().toString());
System.out.println("- End Time: " + peerCerts[i].getNotAfter().toString());
System.out.println("- Signature Algorithm: " + peerCerts[i].getSigAlgName());
System.out.println("- Serial Number: " + peerCerts[i].getSerialNumber());
else
System.out.println("Failed to get peer certificates");
try
Writer out = new OutputStreamWriter(jsslSoc.getOutputStream(), "ISO-8859-1");
//THIS WAY WORKS FINE
out.write("GET / HTTP/1.1\r\n");
// HERE COMES THE TROUBLES
//out.write("GET /pvtn?someparameter=paramvalue HTTP/1.1\r\n");
out.write("Host: " + TARGET_HTTPS_SERVER + ":" + TARGET_HTTPS_PORT + "\r\n");
out.write("Proxy-Connection: Keep-Alive\r\n");
out.write("User-Agent: SSL-TEST \r\n");
out.write("\r\n");
out.flush();
BufferedReader in = new BufferedReader(new InputStreamReader(jsslSoc.getInputStream(), "ISO-8859-1"));
String line = null;
while ((line = in.readLine()) != null)
System.out.println(line);
finally
jsslSoc.close();
the ssl log until sending the GET is
main, WRITE: SSL v3.1 Handshake, length = 36
main, READ: SSL v3.1 Change Cipher Spec, length = 1
main, READ: SSL v3.1 Handshake, length = 36
Plaintext after DECRYPTION: len = 36
0000: 14 00 00 0C 71 AB 40 CC 6C 33 92 05 E9 69 4B 8F [email protected].
0010: D1 77 3F 6E 3C DB F0 A0 B7 9C CF 49 B6 6D C8 17 .w?n<......I.m..
0020: 7E 03 52 14 ..R.
*** Finished, v3.1
verify_data: { 113, 171, 64, 204, 108, 51, 146, 5, 233, 105, 75, 143 }
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
[read] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 71 AB 40 CC 6C 33 92 05 E9 69 4B 8F [email protected].
Negotiated Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
When i send the GET
Plaintext before ENCRYPTION: len = 247
0000: 47 45 54 20 2F 70 76 74 6E 3F 41 30 33 30 3D 4D GET /pvtn?A030=M
main, WRITE: SSL v3.1 Application Data, length = 247
main, READ: SSL v3.1 Handshake, length = 24
Plaintext after DECRYPTION: len = 24
*** HelloRequest (empty)
%% Client cached [Session-1, SSL_RSA_WITH_RC4_128_SHA]
%% Try resuming [Session-1, SSL_RSA_WITH_RC4_128_SHA] from port 3535
*** ClientHello, v3.1
RandomCookie: GMT: 1131988975 bytes = { 45, 113, 241, 212, 81, 255, 244, 169, 74, 41, 160, 227, 197, 210, 155, 211, 47, 237, 18, 179, 238, 47, 28, 86, 30, 253, 157, 253 }
Session ID: {208, 18, 243, 174, 216, 156, 80, 201, 121, 136, 63, 162, 31, 196, 186, 95, 193, 143, 238, 172, 173, 79, 64, 219, 17, 149, 14, 138, 53, 95, 18, 96}
Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17, 0, 2, 0, 1, 0, 24, 0, 26, 0, 27, 0, 23, 0, 25 }
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 105
Plaintext before ENCRYPTION: len = 125
main, WRITE: SSL v3.1 Handshake, length = 125
main, READ: SSL v3.1 Handshake, length = 94
Plaintext after DECRYPTION: len = 94
*** ServerHello, v3.1
RandomCookie: GMT: 1131991620 bytes = { 205, 194, 212, 113, 37, 213, 41, 13, 60, 142, 135, 68, 17, 78, 227, 251, 176, 211, 133, 203, 153, 173, 153, 195, 93, 7, 87, 123 }
Session ID: {108, 85, 45, 208, 104, 124, 209, 24, 247, 113, 156, 134, 28, 154, 75, 198, 64, 181, 167, 9, 149, 223, 162, 21, 225, 32, 168, 31, 190, 48, 241, 195}
Cipher Suite: { 0, 5 }
Compression Method: 0
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_SHA]
** SSL_RSA_WITH_RC4_128_SHA
[read] MD5 and SHA1 hashes: len = 74
main, READ: SSL v3.1 Handshake, length = 3154
Plaintext after DECRYPTION: len = 3154
*** Certificate chain
stop on trusted cert: [
Version: V1
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Algorithm: [MD5withRSA]
Signature:
[read] MD5 and SHA1 hashes: len = 3134
main, READ: SSL v3.1 Handshake, length = 479
Plaintext after DECRYPTION: len = 479
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
[read] MD5 and SHA1 hashes: len = 455
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
Random Secret: { 3, 1, 19, 223, 230, 65, 59, 210, 10, 69, 239, 178, 185, 5, 52, 57, 44, 160, 163, 239, 85, 64, 173, 16, 132, 234, 33, 228, 0, 8, 134, 52, 20, 190, 196, 15, 205, 35, 169, 39, 14, 160, 143, 74, 210, 74, 43, 181 }
[write] MD5 and SHA1 hashes: len = 141
Plaintext before ENCRYPTION: len = 161
main, WRITE: SSL v3.1 Handshake, length = 161
SESSION KEYGEN:
PreMaster Secret:
.CONNECTION KEYGEN:
Client Nonce:
Server Nonce:
Master Secret:
Client MAC write Secret:
Server MAC write Secret:
Client write key:
Server write key:
0000: FE 94 DF 4C 1A 9F FA CE 0C E9 A6 DB 31 53 E5 FD ...L........1S..
... no IV for cipher
Plaintext before ENCRYPTION: len = 21
0000: 01 0D 16 E6 49 18 36 AF E1 52 9C 2F 72 EE CA DF ....I.6..R./r...
0010: 41 71 68 30 06 Aqh0.
main, WRITE: SSL v3.1 Change Cipher Spec, length = 21
*** Finished, v3.1
verify_data: { 243, 49, 247, 150, 113, 86, 182, 125, 244, 163, 245, 243 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C F3 31 F7 96 71 56 B6 7D F4 A3 F5 F3 .....1..qV......
Plaintext before ENCRYPTION: len = 36
0000: 14 00 00 0C F3 31 F7 96 71 56 B6 7D F4 A3 F5 F3 .....1..qV......
0010: 1A 7C 8F D9 51 CB 6F 47 2A 7C 90 81 20 EE 97 64 ....Q.oG*... ..d
0020: FF 47 35 CA .G5.
main, WRITE: SSL v3.1 Handshake, length = 36
main, SEND SSL v3.1 ALERT: warning, description = close_notify
Plaintext before ENCRYPTION: len = 22
0000: 01 00 F0 F4 AC 3C B2 DE 95 98 0E B4 ED B1 24 3B .....<........$;
0010: 54 6C 8B DC F3 1F Tl....
main, WRITE: SSL v3.1 Alert, length = 22
java.net.SocketException: Connection aborted by peer: socket write error
     void java.net.SocketOutputStream.socketWrite(java.io.FileDescriptor, byte[], int, int)
          native code
     void java.net.SocketOutputStream.write(byte[], int, int)
          SocketOutputStream.java:96
     void com.sun.net.ssl.internal.ssl.OutputRecord.a(java.io.OutputStream)
     void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.OutputRecord)
     void com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush()
     void com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(com.sun.net.ssl.internal.ssl.HandshakeMessage$Finished)
     void com.sun.net.ssl.internal.ssl.ClientHandshaker.c()
     void com.sun.net.ssl.internal.ssl.ClientHandshaker.a(com.sun.net.ssl.internal.ssl.SunJSSE_o)
     void com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(byte, int)
     void com.sun.net.ssl.internal.ssl.Handshaker.process_record(com.sun.net.ssl.internal.ssl.InputRecord)
     void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.InputRecord, boolean)
     void com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(com.sun.net.ssl.internal.ssl.InputRecord)
     int com.sun.net.ssl.internal.ssl.AppInputStream.read(byte[], int, int)
     int java.io.InputStream.read(byte[])
          InputStream.java:91
     int java.io.InputStreamReader.fill(char[], int, int)
          InputStreamReader.java:173
     int java.io.InputStreamReader.read(char[], int, int)
          InputStreamReader.java:249
     void java.io.BufferedReader.fill()
          BufferedReader.java:139
     java.lang.String java.io.BufferedReader.readLine(boolean)
          BufferedReader.java:299
     java.lang.String java.io.BufferedReader.readLine()
          BufferedReader.java:362
     void Teste3.main(java.lang.String[])
          Teste3.java:109
Exception in thread main
Debugger disconnected from local process.
Process exited with exit code 1.
One more thing if if make the same thing via browser (https://mymachine.mydomain.pt/pvtn?someparameter=somevalue) and works fine too (obviously i pre installed the client certificate in the browser and choose the certificate when the pop up show up)
It seems like the handshaking fails when i send data to /pvtn...
Regards,
Paulo.

I amhaving the another problem very similar, I am struggling with client authentication with IIS 5.0, and receiving the 'Remote Host closed the connection' error.
Is there any help me in this. I truly apprecaite it
Thanks

Https Client Authentication

Similar Messages

Maybe you are looking for