IPCU (v2.1) - deploying client certificates w/o private keys

Hi all,
We're in the process of trialling iPhones with Exchange ActiveSync at work. However, it's been mandated by our security team that we must issue SSL client certificates to the iPhones as part of the deployment (2-factor auth). We them have an ISA server in the DMZ validating these SSL certificates, before taking the users credentials and authenticating them against Active Directory.
To that end, I am using the iPhone Configuration Utility to package up a profile for deployment. The ActiveSync payload includes the configuration settings required to connect to Exchange, and I've also associated the SSL client certificate with it. However, when I choose the SSL client cert, it throws up an error if the private keys have not been marked as "exportable".
The error is: "Certificate exception: Key not valid in specified state". As soon as I generate the client cert, and make the private keys as exportable.... I can associate the client certificate OK using the configuration utility.
Why do the client keys have to be marked as exportable? This just means that if the phone is jailbroken the keys can be exported and moved to another device - not exactly ideal.
Does anyone know any specifics around how these client certificates should be generated.... is there a way to avoid having the private keys marked as exportable?
Regards, James.

It would seem, according to p.39 of the Enterprise Deployment Guide, this is only necessary on Windows, not on Mac. Just speculating, but maybe this is the only way a third-party app (iPCU) can get what it needs from the Windows Certificate Store?

Similar Messages

Can't Export a Certificate with the Private Key

I have downloaded a
Symantec Enterprise Mobile Code Signing Certificate from email link. And the certificate was installed with no errors. Now
when I'm going to export the certificate it will NOT allow me to export with private key. The option "Yes, export with private key" was grayed out. From MMC, add snap in certificate > local computer > certificate > certificatename. In this
location "I can see the certificate image with a key on it". Is this mean that the import is successful with private key? If so, how to export correctly? Kindly help please!
http://i1234.photobucket.com/albums/ff405/i_kiennt/Screenshot2_zpsaf770a8b.png
http://i1234.photobucket.com/albums/ff405/i_kiennt/Screenshot3_zpsde23204d.png

Hello MrTrungKien,
Please share us a screenshot about The option "Yes, export with private key" was grayed out.
Please take a look at the following article about exporting a Certificate with the Private Key.
http://technet.microsoft.com/en-us/library/cc754329.aspx
Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
It is marked as not exportable so users cannot export this certificate.
Please contact Symantec to confirm if the key is exportable.
Best regards,
Fangzhou CHEN
Fangzhou CHEN
TechNet Community Support

Out-of-range security question: Export a certificate with the private key

Hi Forumers'
As above title mention, if we doing PKI, we sure will get invovle with Certificate.
The moment i doing WLC and ACS express appliance, where the appliances is not coming with generate CSR feature...So we use openSSL for it.
To clear my curiousity, Why we need to export the certifiate wit the private key? Itsn't the private key cannot publish to the public ??
Thanks
Noel

Because both appliances are acting as a server, and you would need to have the private key on the server. However, you don't give the private key to all the clients for sure as you mentioned you only need to provide public key to the client, not the private key. Private key should only be kept on the server, and in this case both appliances are the server.

WLS 5.1 certificate issue: encrypted private key

My organization has acquired some certificates for use with WLS. However, the private
keys for these certs were inadvertently encrypted with a password. We have a mix
of 5.1 and 6.1 servers. We got the keys working with our 6.1 servers, but 5.1
is a little tougher. How can we use these keys with our 5.1 servers?

I dont think 5.1 supports password encrypted private keys
Jason Norman wrote:
My organization has acquired some certificates for use with WLS. However, the private
keys for these certs were inadvertently encrypted with a password. We have a mix
of 5.1 and 6.1 servers. We got the keys working with our 6.1 servers, but 5.1
is a little tougher. How can we use these keys with our 5.1 servers?

Client certificate authentication on ASA 5520

Hi,
We have configured certificate authentication for remote access IPSEC vpn and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'certificate management>CA certificates' window with a new ADSM trustpoint, or is there more steps?

Hi Paul,
I generate a PCKS#12 file that enclosed the client certificate + the associated private key + the CA certchain.
I deployed it on client host machine by juste sending it by e-mail/ USB key/ Web plushing.
Depending of your client OS version, the client certificate should be present in, the "login" store of keychain repository on a MAC OS-X client and in the "personal" store of the certificate repository on a Windows client.
And that it.
Vincent

Client certificate question

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Tabla normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman";
mso-ansi-language:#0400;
mso-fareast-language:#0400;
mso-bidi-language:#0400;}
Hello,
I am novice with certs and I have a question. I want to implement EAP-TLS in a WPA deployment and I have a question about the client-side certificate.
When I install a client certificate in a machine for a specific user, is this certificate only valid for this machine and this user? Or can I export this certificate and use it in another machine but the same user?
Thanks in advance,

From my experience, you can copy the certificate to another computer (assuming a modern OS). There are two problems with this, though:
1 - You must be able to export the entire certificate, including the private key, to be able to use the certificate on another machine. Most PKI implementations prohibit/disable this.
2 - If you can export the certificate, including the private key, then you are risking the loss of integrity of your PKI. Someone else can get that cert with the private key and impersonate the user.

Google chrome : client certificate install fails

when i try ti install client certificate on google chrome, the error says : The server returned invalid client certificate.
This is happening in Google chrome under the certsrv site to install the issued certificate. Does chrome support client certificates?

Question:
What does Error
207 (net::ERR_CERT_INVALID) mean when I try to collect my certificate (CodeSigning or Email)?
Answer:
This means that you have tried to obtain your certificate using the Google Chrome browser. At this present time Google Chrome does
not support chained certificate enrollment and you can not use another browser to collect this certificate because the private key was generated with Chrome and you must start the process from the beginning again using another browser such as Mozilla Firefox
or Microsoft Internet Explorer.
Source:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/776/38/

Portability of client certificates

Hi,
I have created a client certificate (client.cer) for mutual authentication using keytool in linux. This client certificate will be stored at where the client application resides. Is client.cer portable? Can it be exported to a different platform eg. Windows, where the client application uses Stunnel and utilizes client.cer in mutual authentication?
From what I have found out, certificates in Stunnel are stored in PEM format, but the client certificate - client.cer generated by keytool cannot be used by Stunnel. Am I right?
Your input is much appreciated. Thanks.
Kim K.C.

Yes. Its portable.
CER extension reflects a public certificate encoded as binary. openssl package should be able to read that format . Java can read it too...
But if you want mutual authentication, you probably need to be able to sign something with the certificate and its corresponding private key. CER file is only the public certificate. There is no private key stored in that file type.
You need to export the certificate AND the private key into some safe keystore, ex, PKCS12. Openssl can store the private key in an password encrypted file.
/Bo
http://bofriis.dk

Self Signed Certificates vs. GnuPG key and Web of Trust

I'm not totally sure where to ask this question, though this is the best place I can think of.
Wanting to be able to digitally sign my emails, and I can use a self signed certificate, or get one from CAcert.org (which, as far as I can tell, is also a self signature)...
Whereas with GnuPG, the keys are certified based on the web of trust.
Is there any kind of web of trust for the certificates?
Russell

Your private key is stored in the keystore (.pfx or .p12)
file that adt created for you when you created your self-sign
certificate. The file itself is protected by the password you
entered. Don't ever give this file to anyone, and under no
circumstances should you give the password to anyone.
The public key is also stored in the same file. You can
export the public key, embedded in a certificate, from the keystore
file, although you likely won't have any need to do that.
If the resulting .air file is ever modified then the
application won't install. There's no need for users to check the
hash or anything like that to validate the file; it's all done
automatically as part of the installation process.
Hope that helps,
Oliver Goldman | Adobe AIR Engineering

How to load a client certificate into a servlet to access a Web Service

Hi,
I am having the following problem:
I am trying to use a Web Service client (Axis) within a servlet running under
WebLogic 8.1.
I would like to have mutual SSL-based authentication between the client and the
server hosting the Web Service. Thus, my client has to send a certificate to the
server.
My problem is: how to get the certificate into the request? I know that, for example,
the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't
use this class.
Is there any other method to make sure that SSL requests use my client certificates?
By the way, I am receiving the following error message from the server:
<Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificate
s not supplied by peer>
<Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate
ch
ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
Anyone has an idea?
Thanks for any hints,
Zoltan Schreter
Nokia

Hi all,
I have solved this problem basically by using weblogic's SSLSocketFactory instead
of the default one used by Axis. I created a custom HttpSender (MyHttpSender)
which uses this Factory. I then created a custom Config class which I pass to
the constructor of Service. The Config class looks like this:
public class MyConfig extends SimpleProvider {
* Constructor - deploy client-side basic transports.
public MyConfig() {
deployTransport("java", new SimpleTargetedChain(new JavaSender()));
deployTransport("local", new SimpleTargetedChain(new LocalSender()));
deployTransport("http", new SimpleTargetedChain(new MyHttpSender()));
The relevant code within MyHttpSender looks something like this:
SSLClientInfo sslinfo = new SSLClientInfo();
File ClientKeyFile = new File("C:/certificates/testkey.pem");
File ClientCertsFile = new File("C:/certificates/testcert.pem");
InputStream[] ins = new InputStream[2];
ins[0] = new FileInputStream(ClientCertsFile);
ins[1] = new FileInputStream(ClientKeyFile);
String pwd = "mykeypass";
sslinfo.loadLocalIdentity(ins[0], ins[1], pwd.toCharArray());
javax.net.SocketFactory sockf = weblogic.security.SSL.SSLSocketFactory.getJSSE(sslinfo);
sock = sockf.createSocket(host, port) ;
By the way, this change also solved the other problem I posted about (not being
able to tunnel through the https proxy).
Cheeers,
Zoltan Schreter
Nokia
"Tony" <TonyV> wrote:
Which API's are you currently using for the SSL communication in the
client
side?
Tony
"Zoltan Schreter" <[email protected]> wrote in message
news:[email protected]...
Hi,
I am having the following problem:
I am trying to use a Web Service client (Axis) within a servlet runningunder
WebLogic 8.1.
I would like to have mutual SSL-based authentication between the clientand the
server hosting the Web Service. Thus, my client has to send a certificateto the
server.
My problem is: how to get the certificate into the request? I knowthat,
for example,
the HttpsURLConnection class of WebLogic has a loadIdentity method.But I
can't
use this class.
Is there any other method to make sure that SSL requests use my clientcertificates?
By the way, I am receiving the following error message from the server:
<Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peercertificate
s not supplied by peer>
<Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508><Certificate
ch
ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
Anyone has an idea?
Thanks for any hints,
Zoltan Schreter
Nokia

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

PKI SCCM Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.

Hello everyone,
I’m having issues with workgroup computers, not domain systems when I request a certificate.
It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. In 2003 server I can request a certificate manually with certutil and it see the certificate template. I copy over the exact command
on windows 7 and it can’t see the certificate template.
I have the following configuration:
CA Enterprise
I have created the SCCM Client Certificate
I have created the SCCM Web Server Certificate
I have created the SCCM Distribution Point Certificate
GPO is configured
SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
Installed SCCM Client Certificate
Installed SCCM Web Server Certificate
Installed Distribution Point Certificate
Deployed to a domain computer good on PKI
Workgroup Computers:
I’m having issues with deploying certificates
Windows 7 –
(ERROR) not successful
Windows Server 2008 R2 –
(ERROR) not successful
Windows Server 2003 - successful
Windows XP – successful
How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
http://www.ithierarchy.com/ITH/node/48
I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
Command line requesting the cert ---- CertReq –new –f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
Error --- Template not found.
SCCMClientCertificate (this is my template)

Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OS’s.
Instead you must utilize two other additional roles on the CA to have this work. The caviate is, I’m down to the testing and it’s not working as in the document. I have MS Support
working with me to resolve this issue since it was written by MSFT.
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx

PKI Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.

Hello everyone,
I’m having issues with workgroup computers, not domain systems when I request a certificate.
It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. In 2003 server I can request a certificate manually with certutil and it see the certificate template. I copy over the exact command
on windows 7 and it can’t see the certificate template.
I have the following configuration:
CA Enterprise
I have created the SCCM Client Certificate
I have created the SCCM Web Server Certificate
I have created the SCCM Distribution Point Certificate
GPO is configured
SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
Installed SCCM Client Certificate
Installed SCCM Web Server Certificate
Installed Distribution Point Certificate
Deployed to a domain computer good on PKI
Workgroup Computers:
I’m having issues with deploying certificates
Windows 7 –
(ERROR) not successful
Windows Server 2008 R2 –
(ERROR) not successful
Windows Server 2003 - successful
Windows XP – successful
How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
http://www.ithierarchy.com/ITH/node/48
I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
Command line requesting the cert ---- CertReq –new –f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
Error --- Template not found.
SCCMClientCertificate (this is my template)

Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OS’s.
Instead you must utilize two other additional roles on the CA to have this work. The caviate is, I’m down to the testing and it’s not working as in the document. I have MS
Support working with me to resolve this issue since it was written by MSFT.
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx

Mobile safari no longer able to authenticate with client certificate in ios 5...

was working in 4.3.5 on iPad, but no more. Imported the cert with ipcu but Safari seems to not recognize that there is a cert installed. All certs are using sha1

Some additional info - the imported certificate works fine for Activesync, VPN, and WiFi, so I know it is installed correctly. When connecting to a web server that requires the certificate, the following is logged in the IPCU console:
MobileSafari[368] <Warning>: no itentities, but we have a challenge <NSURLAuthenticationChallenge: 0x2eeea0>
So to me, it looks like the Web server is requesting the client certificate, but mobilesafari does not see the identity certificate I imported.

Client certificate based authentication

We have a JAVA web start application that needs to connect to an apache server and use client certificate based authentication. When javaws initiates a connection with apache server, it tries to retrieve the certificate/key from the PKCS12 keystore to present it to the apache server. We have made this work, however, javaws is prompting user to enter the password for accessing the keystore password. We do not want our users to enter this password and are looking into ways to either supply the password as one of the javaws deployment property or create an unprotected keystore. Both of our attempts have been unsuccessfull. We have tried the following
1. we passed the 3 discussed properties (javax.net.ssl.keyStore,
javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType) in Java
Control Panel, according to the following procedure: open Control Panel,
select Java tab, click View under Java Applet Runtime Settings, set
values in Java Runtime Parameters table column. This operation added the
properties to the user's deployment file (in a new attribute named
deployment.javapi.jre.1.5.0_09.args, which held all 3 properties as a
value), but there was no effect (password window still popped up).
2. We setup the deployment.property file manually with the 3 attributes
[javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword,
javax.net.ssl.keyStoreType], it didn't have any affect either.
3. When launching java applications you can set system properties as
part of the command line using the follwing format
"-D<property_name>=<property_value>", we failed to find the analogous in
javaws.
Has anyone got any ideas on how to workaround this problem? Really appreciate any help here.

Hi, client cert auth is not realy the best way to protect your resources. It needs to install client cert on every workstation to access application. I think it conflict with javaws concept!
I have the same situation (protect resources and avoid password promt on start) and my solution is:
Using tomcat as web server:
Direct structure as follow:
/ApplicationRoot
 /WEB-INF
 /resources
 - private.jar
 - private.jnlp
 /resources
 - icon.png
 - public.jarAs you can see there is no direct access to protected resources. All protected resources availiable only thrue ResourceProvider servlet, configured as follow (web.xml):
<servlet-mapping>
 <servlet-name>ResourceProvider</servlet-name>
 <url-pattern>/resources/secret/*</url-pattern>
</servlet-mapping>
<security-constraint>
 <web-resource-collection>
 <web-resource-name>protected resources awailiable from browser</web-resource-name>
 <url-pattern>/resources/secret/browser/*</url-pattern>
 </web-resource-collection>
 <auth-constraint>
 <role-name>somerole</role-name>
 </auth-constraint>
 <user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint>
</security-constraint>
<security-role>
 <role-name>somerole</role-name>
</security-role>
<login-config>
 <auth-method>BASIC</auth-method>
 <realm-name></realm-name>
</login-config>Code your ResourceProvider servlet to grant access only if:
- Connection is secure (ssl).
- URL pattern is "/resources/secret/browser/*" and client has pass realm.
- URL pattern is "/resources/secret/javaws/secretkey/*" (where secretkey is a pin kept both by client and server)
To Install app from browser (access private.jnpl) use "/resources/secret/browser/*" url pattern and basic auth.
To download app resources configure jnlp file as follow:
<jnlp spec="1.0+" codebase="https://host:port/AppRoot/resources/" href="secret/javaws/secretkey/private.jnlp
 <information>
 <icon href="icon.png"/>
 </information>
 <resources>
 <j2se version="1.6+"/>
 <jar href="secret/javaws/secretkey/private.jar" />
 <jar href="public.jar" />
 </resources>
</jnlp>
{code}
And last you need to do is configure ssl connector on tomcat server as follow:
{code}
<Connector port="port"
 scheme="https"
 secure="true"
 SSLEnabled="true"
 clientAuth="false"
 sslProtocol="TLS"
/>
{code}
Pay attention to "clientAuth" param. Set it to "false" to avoid javaws splash cert choose dialog on every app update.
Hope it help!

IPCU (v2.1) - deploying client certificates w/o private keys

Similar Messages

Maybe you are looking for