IOS 4.3 upgrade breaking ActiveSync profiles with client certificates
After upgrading iOS iPhones from 4.2 to 4.3 they are unable to authenticate to ActiveSync. The ActiveSync profiles on the phones have a client certificate associated with them and the ActiveSync server requires client certs for authentication. I am also unable to remove the profiles from the iphone that include the client cert/activesync profile.
Anyone else experiencing this problem. I am 3 for 3 so far, all three have the same issue. I have only been able to get around the issue by restoring a 4.2 backup which enabled me to remove the profiles and install new ones.
Hi all,
Apple have come back to us about the case we opened.
In our profile we have two payloads configured, the activesync payload (with a user certificate) and the credentials payload which has a user certificate and our enterprise root certs.
The Apple engineers are saying the issue is the user cert in the Credentials payload. Apparently in 4.3 they have made some changes here.
(when I say User cert I mean a certificate with a usage of client auth, and also in our case we have the users UPN in the subject line (or you can enter it as a SAN), so every user has a cert)
Apple say 4.3 upgrade should be Ok without this cert in the payload.
It will be tomorrow before I can test this.
But the thing is, we need that cert in there because we have extra security (cert auth) on some of our public mobile focused websites, i.e. the sites challenge for a certificate (and then challenge for credentials).
So we may have a work around (that requires new profiles loaded) but going forward we still need to see some sort of fix, i.e. no need to reload profiles (4.3.x ?).
I'll post here when I get more info ... and thanks to Jeremy at Apple for calling me yesterday and going through it, much appreciated.
Cheers,
Aengus
Similar Messages
-
IOS 8.1 upgrade froze screen apple 2
Try a reset first.
Reset the iPad by holding down on the sleep and home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider if it appears on the screen - let go of the buttons. Let the iPad start up.
If that fails, try ro restore the iOS software. You will probably need recovery mode.
If you can't update or restore your iPhone, iPad, or iPod touch -
Mobile safari no longer able to authenticate with client certificate in ios 5...
was working in 4.3.5 on iPad, but no more. Imported the cert with ipcu but Safari seems to not recognize that there is a cert installed. All certs are using sha1
Some additional info - the imported certificate works fine for Activesync, VPN, and WiFi, so I know it is installed correctly. When connecting to a web server that requires the certificate, the following is logged in the IPCU console:
MobileSafari[368] <Warning>: no itentities, but we have a challenge <NSURLAuthenticationChallenge: 0x2eeea0>
So to me, it looks like the Web server is requesting the client certificate, but mobilesafari does not see the identity certificate I imported. -
Is it possible to authenticate ActiveSync access with user certificates ?
I would like to authenticate Iphone users to access ActivSync services with a user certificates.
Exchange version is 2003 SP2
Front end is ISA Server 2006
I set up an internal PKI
I read in the Iphone Enterprise deployment guide the following:
Exchange ActiveSync Features Not Supported
Not all Exchange features are supported, including, for example:
Client certificate-based authentication
My question is: Is my configuration working ? If not, will it be supported in the future ? Is there a roadmap ?It was easily possible with iPhone OS 2.x, but it seems has changed something for 3.0. See also http://discussions.apple.com/thread.jspa?messageID=9660201
-
Project Server 2010 Web services access with Client Certificate Authentication
We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
web service applications that no longer connect to server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
Please let us know if it is possible to authenticate with AD FS 2.0 and then call
Project Server web services. Any help or coding examples would be greatly appreciated.what is the error occurred when the custom PSI app connects?
can you upload the ULS logs here for research?
What is the user account format you specified in the code for authentication?
For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
'I:0#.w|mybusinessdomain\ewmccarty').
It requires you to manually call the UpnLogon method of
“Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{ var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity; }
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
Than you need to extract UPN-Claim from the identity.
Upload the verbose log if possible.
Did you see this?
http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management -
HTTPS connection with client certificate not working in spartan
Spartan does not show certificate for the user to select
when I click the https link.
The certificates (taken from a smartcard) are indeed present in the user CertStore.
It works with IE 11 and Chrome.
Has somebody any suggestions ?
Thanks.in fact you are more using a reverse-proxy than a proxy since it is on the server part..
You have to put all the SSL server part on the reserve-proxy itself and not on the final RSS feed. Then, the reverse-proxy will authenticate your client and gets its certificate. After that, either this proxy will open a plain connection (no ssl) towards the RSS, or you can also open a ssl connection but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I used this solution many times in professional hosting.
hope it helps ! -
Problem with client certificate based authentication
Hello.
We are developing an AIR application that uses client
certificates for authentication. We have written a simple test case
to show the problem.
<?xml version="1.0" encoding="utf-8"?>
<mx:WindowedApplication xmlns:mx="
http://www.adobe.com/2006/mxml"
layout="absolute">
<mx:Script>
<![CDATA[
import mx.controls.Alert;
private function responseHandler(): void {
Alert.show("Response received");
]]>
</mx:Script>
<mx:HTTPService id="exampleService"
url="https://www1.aeat.es/pymes1/pacargoi.html"
showBusyCursor="true"
result="responseHandler()">
</mx:HTTPService>
<mx:Button label="Send"
click="exampleService.send()"/>
</mx:WindowedApplication>
When we click on the button, it sends the request to the
protected page and then (if you have CA emitted certificates) the
dialog appears requesting the client certificate. And it works
fine.
But next time we click on the button, the dialog requesting
the client certificate appears again.
Is there a way to stop showing the dialog every time?
Any help would be very appreciated.
Thanks a lot for your support.
Paco.I have just sent a Feature Request/Bug Report with the
following text:
"We are experiencing a problem using AIR with a server that
requires authentication via client certificate.
The dialog for selecting the client certificate appears every
time that the AIR application interacts with the server (not only
the first time).
Steps to reproduce bug:
1. Install Apache HTTP Server with SSL and require client
certificate in order to authenticate.
2. Develop an AIR Application that connects to this server
(HTTPService or RemoteObject have been tested with the same
result).
3. Every time that the AIR application connect to the
server, the dialog appears in order the user to select the client
certificate.
Results: This makes the AIR application unusable.
Expected results: The dialog requesting the client
certificate should appear the first time only."
Thanks,
Paco. -
Proxy https connection with client certificate credentials
Hello, we are building a application like netvibes/iGoogle which allows users to have portlets with rss feeds in them. The portlets are all loaded using ajax and therefore, the RSS feeds must exist on the same domain as the portal. If they don't, you run into problems with cross-domain security issues with ajax. Usually to get around this you just proxy the connection on the server which is very simple with rss feeds that are exposed via http. We however have many feeds that are exposed via https. These feeds likely require a client certificate to authenticate them. Therefore, just doing a basic proxy (take the distant url and open a new connection on the server) won't work because it will build the new connection with the servers credentials and not the users.
Is there a way to build the connection on the server using the users credentials?? How can we proxy this connection over https?
If anyone has ideas, please let me know.
Thanks!in fact you are more using a reverse-proxy than a proxy since it is on the server part..
You have to put all the SSL server part on the reserve-proxy itself and not on the final RSS feed. Then, the reverse-proxy will authenticate your client and gets its certificate. After that, either this proxy will open a plain connection (no ssl) towards the RSS, or you can also open a ssl connection but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I used this solution many times in professional hosting.
hope it helps ! -
ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures
Dears,
I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that require the ACE to pass expired client certificate currently deployed on some clients.
which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode.
- authentication-failure ignore [Only]
OR
- authentication-failure redirect cert-expired
OR
- authentication-failure ignore with authentication-failure redirect cert-expired
Appreciate your helpDear Kanwalsi
To pass only cert-expired !!! what do you think to apply the following
parameter-map type ssl TEST
authentication-failure ignore
authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
authentication-failure redirect no-client-cert url http://TESt.com/sorry.html 302
authentication-failure redirect cert-has-signature-failure url http://TESt.com/sorry.html 302
authentication-failure redirect cert-other-error url http://TESt.com/sorry.html 302
authentication-failure redirect cert-revoked url http://TESt.com/sorry.html 302
authentication-failure redirect crl-has-expired url http://TESt.com/sorry.html 302
authentication-failure redirect crl-not-available url http://TESt.com/sorry.html 302 -
In iPad how to use webdav nab with client certificate
I have created one webdav enable site in apple mac mini server using apache. The webdav site is secured with https as well as client certificate.
While browsing the website using safari/IE everything is working fine,but with ipad's webdav utility it is not working.Client cert is not picking up by webdav nav tool, although the client ssl cert is installed in ipad.Hi Olek
I Have a working WebDAV setup with tomcat 6.0
the only problem is this only works on windows XP
anyway here is the code,
<servlet>
<servlet-name>webdav</servlet-name>
<servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>true</param-value>
</init-param>
<!-- Uncomment this to enable read and write access -->
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- The mapping for the webdav servlet -->
<!-- Using /* as the mapping ensures that jasper, welcome files etc are
over-ridden and all requests are processed by the webdav servlet.
This also overcomes a number of issues with some webdav clients
(including MS Webfolders) that do not respond correctly
to the
redirects (302) that result from using a mapping of / -->
<servlet-mapping>
<servlet-name>webdav</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>put that in your web.xml file
and here is a basic example of how to use it in a jsp.
<%
String networkPath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + request.getContextPath() + "/";
%>
<body onload="document.getElementById('anchor').click();">
<a id="anchor" href="<%= networkPath %>Temp/Test/file.doc" folder= "<%= networkPath/Temp/Test/">
Open in Web Folder View
</a>
</body>Hope this helps you -
Troubles with client certificates in Windows Phone 8.1 WebViews
Hi,
I'm having difficulties using a client certificate in Windows Phone 8.1 WebViews.
My code works fine in my Windows 8.1 App but i get a WebErrorStatus=[CertificateIsInvalid] in WebView.NavigationCompleted in WP.
I'm using this code to import my certificate :
await CertificateEnrollmentManager.ImportPfxDataAsync(certificateBase64, certificatePassword, ExportOption.NotExportable, KeyProtectionLevel.NoConsent, InstallOptions.None, "MyClientCertificate");
I have no problem using this cert in HttpClient with either Windows 8.1 or Windows Phone 8.1.
I don't understand why it doesn't work with the WebView control only on Windows Phone.Tried it with no success.
But I just found this : https://blogs.msdn.com/b/wsdevsol/archive/2014/07/31/programmatically-create-and-configure-a-client-certificate-for-use-in-your-windows-runtime-based-app.aspx?Redirected=true
With the note at the bottom:
Note: For Windows Phone 8.1, you need to attach the Client Certificate programmatically. For Windows, once you install the Client Certificate to the app container
store and do not attach the client certificate with the HttpClient request, the HttpClient class will automatically detect that there is a single certificate installed in the app container store and forward it to the server. However in the case of Windows
Phone 8.1, there is no such “automatic” selection of the certificate and one MUST provide the certificate programmatically.
Since there seems to be nothing to attach a custom HttpBaseProtocolFilter to a WebView, it doesn't seem possible atm. -
IOS 8 - MDM error while removing profile with provided identifier
I've implemented a custom solution for an MDM vendor, It works well but lately with an Iphone 6 device with IOS 8.1.3 installed, I got this error (MDM ErrorCode: 12013) while performing a "RemoveProfile" command. Here is command provided:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<plist version="1.0">
<dict>
<key>Command</key>
<dict>
<key>Identifier</key>
<string>com.nttdata.dymora.policy.restrictions.80EA49BF-9506-450E-8D99-6A9DA6ED 6999</string>
<key>RequestType</key>
<string>RemoveProfile</string>
</dict>
<key>CommandUUID</key>
<string>dd71d6d0-5e04-4baf-9408-841e01227bfb</string>
</dict>
</plist>
and here is device response:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>dd71d6d0-5e04-4baf-9408-841e01227bfb</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>12013</integer>
<key>ErrorDomain</key>
<string>MCMDMErrorDomain</string>
<key>LocalizedDescription</key>
<string>Il profilo “com.nttdata.dymora.policy.restrictions.80EA49BF-9506-450E-8D99-6A9DA6ED6999<E2 ><80>? non è gestito da MDM.</string>
<key>USEnglishDescription</key>
<string>The profile “com.nttdata.dymora.policy.restrictions.80EA49BF-9506-450E-8D99-6A9DA6ED6999<E2 ><80>? is not managed by MDM.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>bc880d07f41f5ef84a06253ee89a4bdd2b584b84</string>
</dict>
</plist>
I don't understand the reason why this command return such error, it has always worked properly!?!? Is there anyone with same error?
Thanks!
PaoloI've implemented a custom solution for an MDM vendor, It works well but lately with an Iphone 6 device with IOS 8.1.3 installed, I got this error (MDM ErrorCode: 12013) while performing a "RemoveProfile" command. Here is command provided:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<plist version="1.0">
<dict>
<key>Command</key>
<dict>
<key>Identifier</key>
<string>com.nttdata.dymora.policy.restrictions.80EA49BF-9506-450E-8D99-6A9DA6ED 6999</string>
<key>RequestType</key>
<string>RemoveProfile</string>
</dict>
<key>CommandUUID</key>
<string>dd71d6d0-5e04-4baf-9408-841e01227bfb</string>
</dict>
</plist>
and here is device response:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>dd71d6d0-5e04-4baf-9408-841e01227bfb</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>12013</integer>
<key>ErrorDomain</key>
<string>MCMDMErrorDomain</string>
<key>LocalizedDescription</key>
<string>Il profilo “com.nttdata.dymora.policy.restrictions.80EA49BF-9506-450E-8D99-6A9DA6ED6999<E2 ><80>? non è gestito da MDM.</string>
<key>USEnglishDescription</key>
<string>The profile “com.nttdata.dymora.policy.restrictions.80EA49BF-9506-450E-8D99-6A9DA6ED6999<E2 ><80>? is not managed by MDM.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>bc880d07f41f5ef84a06253ee89a4bdd2b584b84</string>
</dict>
</plist>
I don't understand the reason why this command return such error, it has always worked properly!?!? Is there anyone with same error?
Thanks!
Paolo -
IOS 4.x Upgrade breaks sound and video playback
Been fighting this issue for a while and I've hit a brick wall.
Apparently upgrading a 2nd generation Touch to IOS 4.2.1 has broken audio and video play back. My Touch will not play any sounds, music files, or videos, and it locks up when an alarm goes off.
Thinking I could downgrade, I went through the motions of downloading a 3.x version of IOS as well as a copy of Tiny Umbrella. The problem I have is to downgrade you have to save the SHSH blob (a software hash that identifies your device by chipset). Supposedly a service called Cydia has SHSH blobs for iPhones and some iPod Touch devices, but there is no SHSH blob for my touch. The bottom line is, I'm stuck. My Touch is BROKEN, and Apple did it.
So now the question is, will Apple fix this, or are they going to kick older Touch users to the curb? Personally I think a class action suit is in order.
Apple.... Are you listening? I sure hope so, but looking at their past performance in customer support, I seriously doubt they give a hoot.Sending a message via feedback was next on my list. It really is a shame that Apple is so paranoid and arrogant they can't give users a way to go back to a known good OS.
There may be a lot of MS bashing going on, but as a former MS employee, I can say that MS always gives users a way to clean up after a bad install. I know this to be true because I worked in Desktop Systems as a Customer Support rep. and my area of concentration was Setup and Install.
I've been building my own desktop PCs since the first IBM clones hit the streets, and this episode with IOS 4.x gives me one more reason stick with what works and leave Apple's stuff alone..... -
hi,
i have a servlet that calls a corba service via IOPS using weblogic's internal
ORB. doing SSL without client certificate works fine - but when the server requests
a client certificate in the SSL handshake, the call fails. on the server i see,
that no certificate has been sent.
in the debug output of the client there is the following exception:
<May 27, 2004 10:39:36 AM PDT> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: CertificateRequest>
<May 27, 2004 10:39:36 AM PDT> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<May 27, 2004 10:39:36 AM PDT> <Debug> <TLS> <000000> <........... Eating Exception
java.lang.ArrayIndexOutOfBoundsException: 1 >= 1
at java.util.Vector.elementAt(Vector.java:427)
at com.certicom.tls.interfaceimpl.CertificateSupport.getAuthChain(Unknown Source)
is this a known issue? or do i just have to fix my config somehow... i'm using
weblogic 8.1sp2
thanks"yves" <[email protected]> writes:
java.lang.ArrayIndexOutOfBoundsException: 1 >= 1
at java.util.Vector.elementAt(Vector.java:427)
at com.certicom.tls.interfaceimpl.CertificateSupport.getAuthChain(Unknown Source)
is this a known issue? or do i just have to fix my config somehow... i'm using
weblogic 8.1sp2Its not an issue that I know about but it looks like an SSL
problem. You should probably contact support.
Thanks
andy -
Client certificate authentication with custom authorization for J2EE roles?
We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
<auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--ThanksWe have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* <P>A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* <P>IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
protected void init(Properties props)
throws BadRealmException, NoSuchRealmException
public java.util.Enumeration getGroupNames (String username)
throws InvalidOperationException, NoSuchUserException
public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* <P>This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* <P>In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* <P>The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* <P>This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* <P>The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* <P>Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
protected AuthenticationStatus authenticate()
throws LoginException
private String[] authenticate(String username,String passwd)
private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* <P>The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* <P>There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* <P>The certificate realm needs the following properties in its
* configuration: None.
* <P>The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
protected void init(Properties props)
* Returns the name of all the groups that this user belongs to.
* @param username Name of the user in this realm whose group listing
* is needed.
* @return Enumeration of group names (strings).
* @exception InvalidOperationException thrown if the realm does not
* support this operation - e.g. Certificate realm does not support
* this operation.
public Enumeration getGroupNames(String username)
throws NoSuchUserException, InvalidOperationException
* Complete authentication of certificate user.
* <P>As noted, the certificate realm does not do the actual
* authentication (signature and cert chain validation) for
* the user certificate, this is done earlier in NSS. This default
* implementation does nothing. The call has been preserved from S1AS
* as a placeholder for potential subclasses which may take some
* action.
* @param certs The array of certificates provided in the request.
public void authenticate(X509Certificate certs[])
throws LoginException
// Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM
Maybe you are looking for
-
How do you fix an LCD screen ripple dot in the center of the display (Macbook pro 13 inch late 2011
There is a small dot that ripples in the center of the screen. I have an Early 2011 macbook pro 13 inch and it should not have any problems with it. Does anyone have suggestions?
-
What Can I Do About This Error?
I have 2 form programs. The first program is the main menu. The user pushes a button and the program transfers control to a second form program. On this second screen, the user enters an SSAN. At the bottom of the screen there is a message which says
-
Type not showing when opening pdf in Illustrator
Here's a strange problem that I don't recall having seen before. I have a pdf file with diagrams of cupboards and tables with measurements. Everything looks o.k. I open it in Illie (CS3) and everything shows up except the type. It is point type and o
-
Hello People I am seeking for medium price, new laptop with firewire , and efficient in compression of video material. I can spend 600$ for it .
-
Which table contains - Customer Master Changes?
Team, Which table contains - Customer Master Changes? Please be specific; For example: CDHDR: OBJECTCLAS ? CDPOS: BJECTCLAS? ABNAME ABKEY HNGIND Thanks