Lowest cost SSL accelerator for HTTPS client certificate auth testing
Hi,
I need to test some some https connections that use client certificate authentication and need a low cost ebay-purchasable cisco ssl box (I think).
My understanding is that some Cisco products can terminate https connections (once client cert auth is successful) and then pass on the http connection with a cookie value set with the Subject DN information from the client certificate - correct me if I'm wrong :).
So any suitable kit for this?
Thanks,
Marc.
Hi Oliver,
Have a look at this http://forum.java.sun.com/thread.jsp?forum=2&thread=258908
You may find the answer to your question there.
Majid.
Similar Messages
-
When a site asks for a client certificate, not all certificates are presented.
At www.pkiuniversity.com/sandbox/index.php, I am asked for a client certificate. I get to choose from a list of the certificates issued by startcom but not my own. The extended key usage does mark it for client authentication. The root certificate corresponding to the signing private key is also in the store. Why don't these certificates pop up. They do in Safari.
If you're interested, I get my certificate from
reloid.com/enrollments/cheapcerts3/getcert.php?email=[email protected]
This is designed to be a very insecure certificate with no chance of being added to the built-in cache. -
ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures
Dears,
I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that require the ACE to pass expired client certificate currently deployed on some clients.
which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode.
- authentication-failure ignore [Only]
OR
- authentication-failure redirect cert-expired
OR
- authentication-failure ignore with authentication-failure redirect cert-expired
Appreciate your helpDear Kanwalsi
To pass only cert-expired !!! what do you think to apply the following
parameter-map type ssl TEST
authentication-failure ignore
authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
authentication-failure redirect no-client-cert url http://TESt.com/sorry.html 302
authentication-failure redirect cert-has-signature-failure url http://TESt.com/sorry.html 302
authentication-failure redirect cert-other-error url http://TESt.com/sorry.html 302
authentication-failure redirect cert-revoked url http://TESt.com/sorry.html 302
authentication-failure redirect crl-has-expired url http://TESt.com/sorry.html 302
authentication-failure redirect crl-not-available url http://TESt.com/sorry.html 302 -
SSL authentication using client certificate failing on a fresh new Yoga 2 Pro
I am a doctor and using a laptop to login into an SSL server for secure communication.
I was using an old asus with win 8.1 without a problem. 2 weeks ago I got my new Y2P installed the certificate I got from the IT guys and all worked like a charm! What a wonderful laptop.
And then, my SSD vanished suddently from the system could not boot, so I replaced the first Yoga with and identical one from the store. This time- win 8.1 an IE cannot recognize the newly issued ceertificte and getting an SSL error so cannot open the htpps website.
Tried onekey recovery, isntalling all windows updates, using a new user nothing works. Back to the old ASUS all working fine. The IT guys said they never had such a problem, after hundreds of certificates issued the same way.
First Y2P worked without a glitch second one does not.
Any ideas?I had the same problem with my new Yoga Pro 2 when trying to connect to some https sites that worked fine with my previous computer. I asked a friend that's a systems administrator for help and he had me look for marketing / adware type software that came pre-installed on my machine. He warned me that more and more new computers are coming pre-loaded with this type of software that many people would consider malware. He said that such software can cause this type of problem because of how it sits inbetween you and the sites you visit (how your information passes through it).
I found Superfish Visual Discovery, which fits this description, was pre-installed on my machine. As soon as I uninstalled it my https connection problems went away. You should check your list of installed programs (go to your Control Panel > Progams > Programs and Features). If you see "Superfish Inc. VisualDiscovery" in your list of installed programs, that is likely the casue of the problem (at least it was for me). Hope this helps... -
IOS prompts for a client certificate each time i change webpages on a site
The company intranet is published through a TMG 2010 box and we use client certificates as an extra level of authentication in addition to AD user / pass.
With any PC based browser you are prompted once for the certificate to use, however in IOS 5.1.1 on iphone and ipad we get a prompt each time you go to a new page, safari prompts for the certificate to use however the more times you change the page the more it relists the certificate in the selection window. The certificate you see in the screen shot is installed once. The first time I change the page, safari reprompts and lists 2 certificates (both the same) next time i change the page it then lists the certificate 3, then 4 then 5 times etc. The client certificate is issued directly from the root CA so this isnt the issue of IOS not supporting 2 or 3 tier certificates.
All other PC based browsers work fine and only prompt once then happily reuse that certificate when you change pages without reprompting.We're experiencing the same problem. We are also publishing internal web applications via TMG 2010, using forms based authentication with client SSL certificate authentication.
We see this problem on devices using iOS 5.1.1. Devices with iOS 6 are automatically selecting the client certificate. Unfortunately upgrading to iOS 6 is currently not an option. -
Hi all
can anyone send me the XML code to write in HTTP client to know the structure for a table using a scenario. I already developed the scenario for HTTP to JDBC just post me the XML code.
Thanks and Regards
Raghu.Hi
Go through this
You can find a description here:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/66dadc6e-0a01-0010-9ea9-bb6d8ca48cc8
Might be useful
Thanks -
Server Host and Port for HTTP Client Too
Hi All,
I'm using the HTTP Client tool to connect to XI. How can i find out the ServerHost, ServerPort and Client values.
Thanks,
SandeepHi Michal, Thanks for the response,
But when i use these values and connect. I get the Response - Resource not found . See the HTML below
Result:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Error Report</title>
<style>
td {font-family : Arial, Tahoma, Helvetica, sans-serif; font-size : 14px;}
A:link
A:visited
A:active
</style>
</head>
<body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0" rightmargin="0">
<table width="100%" cellspacing="0" cellpadding="0" border="0" align="left" height="75">
<tr bgcolor="#FFFFFF">
<td align="left" colspan="2" height="48"><font face="Arial, Verdana, Helvetica" size="4" color="#666666"><b> 404   Not Found</b></font></td>
</tr>
<tr bgcolor="#3F73A3">
<td height="23" width="84"><img width=1 height=1 border=0 alt=""></td>
<td height="23"><img width=1 height=1 border=0 alt=""></td>
<td align="right" height="23"><font face="Arial, Verdana, Helvetica" size="2" color="#FFFFFF"><b>SAP J2EE Engine/6.45 </b></font></td>
</tr>
<tr bgcolor="#9DCDFD">
<td height="4" colspan="3"><img width=1 height=1 border=0 alt=""></td>
</tr>
</table>
<br><br><br><br><br><br>
<p><font face="Arial, Verdana, Helvetica" size="3" color="#000000"><b> The requested resource does not exist.</b></font></p>
<p><font face="Arial, Verdana, Helvetica" size="2" color="#000000"><table><tr><td valign="top"><b> Details:</b></td><td valign="top"><PRE>Go to <A HREF="/" target="_parent">main page</A> of this application!</PRE></font></td></tr></table></font></p>
</body>
</html>
The interface, service all are correct. Do you think something else is wrong?
Thanks,
Sandeep -
MMP Client Certificate Auth problem
Hi, All!
I can't configure clients cert auth through MMP. I'm using the most recent release of communicationsuite (7u2) .
Proxy auth for clear imap using admin settings like StoreAdmin and StoreAdminPass works well.
MMP for unencrypted IMAP works well too.
However MMP for clents certificate auth does not work.
I see the following message in the log
[19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Alert: dmap_locate_basedn called with baseDN uid=monakhv, ou=people, o=dvatest.ot,o=isp
[19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Debug: (id 554) User '[email protected]' replay user '[email protected]'
[19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Error: (id 554) Proxy authentication invalid admin '[email protected]', login as '[email protected]'
I would appreciate any ideas to recover it.
Regards, Monk.cnewman wrote:
For the MMP, the MMP's StoreAdmin setting has to exactly match the administrative user. The log error you see:
This is from my ImapProxyAService.cfg
default:StoreAdmin admin
default:StoreAdminPass enz.ZIM137
[19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Error: (id 554) Proxy authentication invalid admin '[email protected]', login as '[email protected]'
This is really strange message for me. Some experiment with mail client (Thunderbird) shows that
one '[email protected]' goes from user ssl certificate email field which is used for auth, another '[email protected]' goes from
user name field from Thunderbird server settings.
May be the problem is for mail client configuration?
Anyway I do not want to provide for users Admins certificate and password!
Is it possible to configure MMP authorization using user's SSL certificate?
indicates that the value of the MMP's StoreAdmin setting is something other than '[email protected]', so the request for proxy authentication is denied.
It seems odd that the authentication id and the authorization id is identical in this case, but I'd have to see the actual AUTH EXTERNAL protocol as well as your StoreAdmin setting to explain further.How can I get AUTH EXTERNAL protocol? -
Strange multiThreading behaviour for http client
Hi
I am writting an app which Posts data to two separate URL's. Since I didn't want one posting method to be held up by the other one I put each Posting method into its own thread. Each Thread repeatedly creates an HttpClient and posts away data to its respective URL. However I can see that the threads are waiting for eachother! ie: Thread2 won't post its data untill Thread1 receives its http response.
Why could this be ? I am not sharing any objects between the two threads. I even tried implementing the one thread with java.net and the other one with apache.commons.httpclient. Is it physically impossible to send two http requests similtaneously?
Thanks
AharonOkay heres the code, I tried to cut out some details but its still quite long winded
I hope the problem is as simple as mistakenly using run() instead of start() ;)
public class test
* @param args
public static void main(String[] args)
FlightTimeManager ftmnew = new FlightTimeManager();
FlightTracker ft =new FlightTracker();
public class FlightTracker extends Thread
private final int REFRESH_RATE = 100;
private boolean finish;
private long lastId;
public FlightTracker()
this.finish = false;
this.lastId = 0;
start();
public void stopTracker()
this.finish = true;
public void run()
while (!finish)
processFlightList();
try {
Thread.sleep(REFRESH_RATE);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
private void processFlightList()
ServerCon serverCon = new ServerCon();
Vector<String> vec = serverCon.receiveFlightList(this.lastId,20);
String outputStr = "";
if (vec != null)
serverCon = new ServerCon();
serverCon.updateFlights(vec);
public class ServerCon
public ServerCon()
public Vector<String> receiveFlightList(long id,int amount)
HttpLink httpLink = new HttpLink();
Vector<String> vec = null;
String url = "my website url";
String postStr = "my post parameteres";
int error = httpLink.converseWithServer(url, postStr,true);
if (error == HttpLink.OK)
String flightStr = httpLink.getResponse();
if (flightStr != null && !flightStr.equals("0"))
Scanner scanner = new Scanner(flightStr);
vec = new Vector<String>();
scanner.useDelimiter(",");
while (scanner.hasNext())
vec.add(scanner.next());
return vec;
public boolean updateFlights(Vector<String> flightLocationList)
HttpLink httpLink = new HttpLink();
boolean success = false;
String postStr = "my post parameteres";
int error = 0;
String url = "my website url";
error = httpLink.converseWithServer(url, postStr, false);
if (error == HttpLink.OK)
success = true;
return success;
public class HttpLink
public static final int OK = 0;
public static final int ENCODING_EXCEPTION = 1;
public static final int MALFORMED_URL_EXCEPTION = 2;
public static final int IO_EXCEPTION = 3;
private String responseString;
public HttpLink()
this.responseString = null;
public int converseWithServer(String urlStr,String sendStr,boolean waitforResponse)
int error = OK;
try
URL url = new URL(urlStr);
URLConnection connection = url.openConnection();
connection.setDoOutput(true);
OutputStreamWriter out = new OutputStreamWriter(
connection.getOutputStream());
out.write(sendStr);
out.close();
BufferedReader in = new BufferedReader(
new InputStreamReader(
connection.getInputStream()));
if (waitforResponse)
boolean receivedInfo = false;
String response;
while ((response = in.readLine()) != null)
this.responseString = new String(response);
receivedInfo = true;
if(!receivedInfo)
this.responseString = null;
in.close();
catch (UnsupportedEncodingException e)
error = ENCODING_EXCEPTION;
e.printStackTrace();
this.responseString = e.getMessage();
catch (MalformedURLException e)
error = MALFORMED_URL_EXCEPTION;
e.printStackTrace();
this.responseString = e.getMessage();
catch (IOException e)
error = IO_EXCEPTION;
e.printStackTrace();
this.responseString = e.getMessage();
return error;
public String getResponse()
String response = null;
if (this.responseString != null)
response = new String(this.responseString);
//this.responseString = null;
return response;
public class FlightTimeManager extends Thread
private final int REFRESH_RATE = 10000;
private boolean finish;
public FlightTimeManager()
this.finish = false;
start();
public void stopManager()
this.finish = true;
public void run()
while (!finish)
postData();
try {
Thread.sleep(REFRESH_RATE);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
public void postData()
String outputStr = "";
HttpClient httpClient = new HttpClient();
String url = "my website url";
PostMethod meth = new PostMethod(url);
meth.addParameter(some parameter);
try
httpClient.executeMethod(meth);
catch (HttpException e)
e.printStackTrace();
catch (IOException e)
e.printStackTrace();
} -
No pop-up for client certificate in spite of icm/HTTPS/verify_client = 1
Dear experts,
on my WebAS 6.40 I have set icm/HTTPS/verify_client = 1 so that it requests a client certificate every time a new SSL connection is established.
However, only on one client machine with IE 6 I really get a pop-up asking for a client certificate. On all other machines there's no such pop-up. Although on ALL clients I have set the IE setting "Don't prompt for client certificate selection when no certificates or only one certificate exists" to "disable". The setting seems to be correct, because when I want to go the SAP Service Marketplace with these clients, this pop-up comes up with an empty list of suitable certificates.
Can anybode explain this to me? Why does the one browser open the pop-up and the others don't althought this one setting is identical? Why do the IE's that get the pop-up for the SAP Service Marketplace don't get the popup for my WebAS 6.40?
Thanks and kind regards
ChristianYou will have to check the specific service (probably in SICF) to see if the Logon Procedure is set to 'Required with Client Certificate (SSL).' Is this for a BSP page?
Hope that helps.
J. Haynes -
SSL (https) set up in ABAP - pop-up Request Client Certificate
Hi,
We just configured SSL in ABAP. Accessing the website that the certificate is assigned to results in a pop-up appearing in IE7 that states:
The website you want to view requests identification. Please choose a certificate, with a blank screen.
Can the server be set so that it does not prompt for the client certificate?
Thanks, NeetaYou will have to check the specific service (probably in SICF) to see if the Logon Procedure is set to 'Required with Client Certificate (SSL).' Is this for a BSP page?
Hope that helps.
J. Haynes -
Using X.509 Client Certificates - SAP ABAP Webgui (SSL)
Hello,
current runs the integrated ITS (Webgui). We now want the smart card and have adapted to the configuration:
RZ10:
icm/server_port_0=PROT=HTTPS,PORT=1443,TIMEOUT=180
icm/HTTPS/verify_client=2
table USREXTID: C=DE,ST=xxx,L=xxx,O=xxx,OU=xxx,CN=xxx,emailAddress=xxx
smart card certification -> firefox 2.x and IE 7.x install.
SICF: Webgui Service -> Login with Client Certificate
The test (with IE or Firefox) was unsuccessful.
SMICM Trace:
[Thr 5708] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] << -
End of Secude-SSL Errorstack -
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
[Thr 5708] ->> SapSSLErrorName(rc=-56)
[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1777]
[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
What should I do now?
Thanks, Silke
Full Trace:
sysno 02
sid RD1
systemid 560 (PC with Windows NT)
relno 7000
patchlevel 0
patchno 148
intno 20050900
make: multithreaded, ASCII, optimized
pid 5468
[Thr 5416] started security log to file dev_icm_sec
[Thr 5416] ICM running on: sdatu100.pvw.tu-darmstadt.de
[Thr 5416] MtxInit: 30001 0 2
[Thr 5416] IcmInit: listening to admin port: 65000
[Thr 5416] DpSysAdmExtCreate: ABAP is active
[Thr 5416] DpSysAdmExtCreate: VMC (JAVA VM in WP) is not active
[Thr 5416] DpShMCreate: sizeof(wp_adm) 13576 (1044)
[Thr 5416] DpShMCreate: sizeof(tm_adm) 36258120 (18120)
[Thr 5416] DpShMCreate: sizeof(wp_ca_adm) 18000 (60)
[Thr 5416] DpShMCreate: sizeof(appc_ca_adm) 6000 (60)
[Thr 5416] DpCommTableSize: max/headSize/ftSize/tableSize=2000/8/2112040/2112048
[Thr 5416] DpShMCreate: sizeof(comm_adm) 2112048 (1048)
[Thr 5416] DpSlockTableSize: max/headSize/ftSize/fiSize/tableSize=0/0/0/0/0
[Thr 5416] DpShMCreate: sizeof(slock_adm) 0 (96)
[Thr 5416] DpFileTableSize: max/headSize/ftSize/tableSize=0/0/0/0
[Thr 5416] DpShMCreate: sizeof(file_adm) 0 (72)
[Thr 5416] DpShMCreate: sizeof(vmc_adm) 0 (1296)
[Thr 5416] DpShMCreate: sizeof(wall_adm) (224040/329544/56/100)
[Thr 5416] DpShMCreate: sizeof(gw_adm) 48
[Thr 5416] DpShMCreate: SHM_DP_ADM_KEY (addr: 028C0040, size: 38968448)
[Thr 5416] DpShMCreate: allocated sys_adm at 028C0040
[Thr 5416] DpShMCreate: allocated wp_adm at 028C1B30
[Thr 5416] DpShMCreate: allocated tm_adm_list at 028C5038
[Thr 5416] DpShMCreate: allocated tm_adm at 028C5068
[Thr 5416] DpShMCreate: allocated wp_ca_adm at 04B591B0
[Thr 5416] DpShMCreate: allocated appc_ca_adm at 04B5D800
[Thr 5416] DpShMCreate: allocated comm_adm at 04B5EF70
[Thr 5416] DpShMCreate: system runs without slock table
[Thr 5416] DpShMCreate: system runs without file table
[Thr 5416] DpShMCreate: allocated vmc_adm_list at 04D629A0
[Thr 5416] DpShMCreate: allocated gw_adm at 04D629E0
[Thr 5416] DpShMCreate: system runs without vmc_adm
[Thr 5416] DpShMCreate: allocated ca_info at 04D62A10
[Thr 5096] IcmProxyWatchDog: proxy watchdog started
[Thr 5416] CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
[Thr 5416] IcmCreateWorkerThreads: created worker thread 0
[Thr 5416] IcmCreateWorkerThreads: created worker thread 1
[Thr 5416] IcmCreateWorkerThreads: created worker thread 2
[Thr 5416] IcmCreateWorkerThreads: created worker thread 3
[Thr 5416] IcmCreateWorkerThreads: created worker thread 4
[Thr 5416] IcmCreateWorkerThreads: created worker thread 5
[Thr 5416] IcmCreateWorkerThreads: created worker thread 6
[Thr 5416] IcmCreateWorkerThreads: created worker thread 7
[Thr 5416] IcmCreateWorkerThreads: created worker thread 8
[Thr 5416] IcmCreateWorkerThreads: created worker thread 9
[Thr 4352] IcmWatchDogThread: watchdog started
[Thr 5672] =================================================
[Thr 5672] = SSL Initialization on PC with Windows NT
[Thr 5672] = (700_REL,Mar 25 2008,mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 5672] profile param "ssl/ssl_lib" = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
resulting Filename = "D:\usr\sap\RD1\SYS\exe\run\sapcrypto.dll"
[Thr 5672] = found SAPCRYPTOLIB 5.5.5C pl17 (Aug 18 2005) MT-safe
[Thr 5672] = current UserID: SDATU100\SAPServiceRD1
[Thr 5672] = found SECUDIR environment variable
[Thr 5672] = using SECUDIR=D:\usr\sap\RD1\DVEBMGS02\sec
[Thr 5672] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLC.pse" not found,
[Thr 5672] = using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
[Thr 5672] = secudessl_Create_SSL_CTX(): PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLA.pse" not found,
[Thr 5672] = using PSE "D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse" as fallback
[Thr 5672] ******** Warning ********
[Thr 5672] *** No SSL-client PSE "SAPSSLC.pse" available
[Thr 5672] *** -- this will probably limit SSL-client side connectivity
[Thr 5672] ********
[Thr 5672] = Success -- SapCryptoLib SSL ready!
[Thr 5672] =================================================
[Thr 5672] *** WARNING => HttpPlugInInit: Parameter icm/HTTPS/trust_client_with_issuer or icm/HTTPS/trust_client_with_subject no
X.509 cert data will be removed from header [http_plg.c 720]
[Thr 5672] ISC: created 400 MB disk cache.
[Thr 5672] ISC: created 50 MB memory cache.
[Thr 5672] HttpSubHandlerAdd: Added handler HttpCacheHandler(slot=0, flags=12293) for /:0
[Thr 5672] HttpExtractArchive: files from archive D:\usr\sap\RD1\SYS\exe\run/icmadmin.SAR in directory D:/usr/sap/RD1/DVEBMGS02/
[Thr 5672] HttpSubHandlerAdd: Added handler HttpAdminHandler(slot=1, flags=4101) for /sap/admin:0
[Thr 5672] CsiInit(): Initializing the Content Scan Interface
[Thr 5672] PC with Windows NT (mt,ascii,SAP_CHAR/size_t/void* = 8/32/32)
[Thr 5672] CsiInit(): CSA_LIB = "D:\usr\sap\RD1\SYS\exe\run\sapcsa.dll"
[Thr 5672] HttpSubHandlerAdd: Added handler HttpAuthHandler(slot=2, flags=12293) for /:0
[Thr 5672] HttpSubHandlerAdd: Added handler HttpSAPR3Handler(slot=3, flags=1052677) for /:0
[Thr 5672] Started service 1443 for protocol HTTPS on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=9
[Thr 5672] Started service 25000 for protocol SMTP on host "sdatu100.pvw.tu-darmstadt.de"(on all adapters) (processing timeout=8
[Thr 5672] Tue Jul 15 14:38:37 2008
[Thr 5672] *** WARNING => IcmNetCheck: NiAddrToHost(10.0.0.1) took 5 seconds [icxxman.c 4578]
[Thr 5672] *** WARNING => IcmNetCheck: 1 possible network problems detected - please check the network/DNS settings [icxxman.c
[Thr 3932] Tue Jul 15 14:39:32 2008
[Thr 3932] *** WARNING => IcmCallAllSchedules: Schedule func 1 already running - avoid recursion [icxxsched.c 430]
[Thr 5416] Tue Jul 15 14:40:23 2008
[Thr 5416] IcmSetParam: Switched trace level to: 3
[Thr 5416] *
[Thr 5416] * SWITCH TRC-LEVEL to 3
[Thr 5416] *
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 5416] NiIWrite: hdl 3 sent data (wrt=80,pac=1,MESG_IO)
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
[Thr 5416] NiBufISelProcess: hdl 9 process r-
[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
[Thr 5416] NiBufIIn: NIBUF len=72
[Thr 5416] NiBufIIn: packet complete for hdl 9
[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: ---
[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
[Thr 5416]
NiBufReceive starting
[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
[Thr 5416] IcmRecMsg: received 72 bytes
[Thr 5416] ============================================
[Thr 5416] | COM_DATA:
[Thr 5416] | Offset: 0 | Version: 7000
[Thr 5416] | MsgNo: 2 | Opcode: ICM_COM_OP_ICM_MONITOR (66)
[Thr 5416] ============================================
[Thr 5416] IcmHandleAdmMsg: op: 66
[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
[Thr 5416] NiBufDup: ref 1 for buf 0252CE50
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 13
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 4392] IcmWorkerThread: worker 3 got the semaphore
[Thr 4392] REQUEST:
Type: ADMMSG Index = 12
[Thr 4392] NiBufFree: ref 1 for buf 0252CE50
[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
[Thr 4392] MPI<a>0#5 GetInbuf -1 138968 440 (1) -> 6
[Thr 4392] IcmHandleMonitorMessage: called with opcode: 100
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 4392] MPI<9>1#4 GetOutbuf -1 1489a0 65536 (0) -> 05348A00 0
[Thr 4392] MPI<a>0#6 FreeInbuf#2 0 138968 0 -> 0
[Thr 4392] MPI<9>1#5 FlushOutbuf l-1 1 1 1489a0 1104 6 -> 053489E0 0
[Thr 4392] IcmWorkerThread: Thread 3: Waiting for event
[Thr 5416] SiSelNNext: sock 8088 selected (revt=r--)
[Thr 5416] NiBufISelProcess: hdl 9 process r-
[Thr 5416] NiBufIAlloc: malloc NIBUF-IN, to 72 bytes
[Thr 5416] NiIRead: hdl 9 received data (rcd=72,pac=1,MESG_IO)
[Thr 5416] NiBufIIn: NIBUF len=72
[Thr 5416] NiBufIIn: packet complete for hdl 9
[Thr 5416] NiBufISelUpdate: new MODE -- (r-) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: ---
[Thr 5416] NiBufISelUpdate: new STAT r-- (---) for hdl 9 in set0
[Thr 5416] NiSelIListInsert: add hdl 9 [17] to buf-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (1 buffered)
[Thr 5416] IcmMsgProcess: Receive data from partner: WP(2), wp_no: 1
[Thr 5416]
NiBufReceive starting
[Thr 5416] NiBufISelUpdate: new MODE r- (--) for hdl 9 in set0
[Thr 5416] SiSelNSet: set events of sock 8088 to: rp-
[Thr 5416] NiBufISelUpdate: new STAT - (r) for hdl 9 in set0
[Thr 5416] NiSelIListRemove: remove hdl 9 [17] from buf-list (1) of set0
[Thr 5416] IcmRecMsg: received 72 bytes
[Thr 5416] ============================================
[Thr 5416] | COM_DATA:
[Thr 5416] | Offset: 0 | Version: 7000
[Thr 5416] | MsgNo: 2 | Opcode: ICM_COM_OP_ICM_MONITOR (66)
[Thr 5416] ============================================
[Thr 5416] IcmHandleAdmMsg: op: 66
[Thr 5416] NiBufIAlloc: malloc NiBufadm, to 0 bytes
[Thr 5416] NiBufDup: ref 1 for buf 0252CE50
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 14
[Thr 5416] NiBufIAlloc: malloc ICM_EXT, to 80 bytes
[Thr 5416]
NiBufSend starting
[Thr 5784] IcmWorkerThread: worker 4 got the semaphore
[Thr 5416] NiIWrite: hdl 9 sent data (wrt=80,pac=1,MESG_IO)
[Thr 5416] NiBufFree: ref 1 for buf 0252CE50
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5784] REQUEST:
Type: ADMMSG Index = 13
[Thr 5784] MPI<c>0#5 GetInbuf -1 1489a0 440 (1) -> 6
[Thr 5784] IcmHandleMonitorMessage: called with opcode: 100
[Thr 5784] MPI<b>1#4 GetOutbuf -1 138968 65536 (0) -> 053389C8 0
[Thr 5784] MPI<c>0#6 FreeInbuf#2 0 1489a0 0 -> 0
[Thr 5784] MPI<b>1#5 FlushOutbuf l-1 1 1 138968 1104 6 -> 053389A8 0
[Thr 5784] IcmWorkerThread: Thread 4: Waiting for event
[Thr 4352] Tue Jul 15 14:40:26 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 5416] Tue Jul 15 14:40:29 2008
[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
[Thr 5416] IcmExternalLogin: Connection request from Client received
[Thr 5416] NiIAccept: hdl 6 accepted connection
[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8076 (I4; ST)
[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1305
[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 3 sec
[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 15
[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
[Thr 3932] IcmWorkerThread: worker 5 got the semaphore
[Thr 3932] REQUEST:
Type: ACCEPT CONNECTION Index = 14
[Thr 3932] CONNECTION (id=1/8):
used: 1, type: 1, role: 1, stateful: 0
NI_HDL: 8, protocol: HTTPS(2)
local host: 130.83.89.22:1443 ()
remote host: 192.168.1.3:1305 ()
status: NOP
connect time: 15.07.2008 14:40:29
MPI request: <0> MPI response: <0>
request_buf_size: 0 response_buf_size: 0
request_buf_used: 0 response_buf_used: 0
request_buf_offset: 0 response_buf_offset: 0
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 3932] MPI:1 create pipe 052002C0 1
[Thr 3932] MPI<d>1#1 Open( ANONYMOUS 1 1 ) -> 1
[Thr 3932] MPI<d>1#2 Open( ANONYMOUS 1 0 ) -> 1
[Thr 3932] MPI:0 create pipe 05200180 1
[Thr 3932] MPI<e>0#1 Open( ANONYMOUS 0 0 ) -> 0
[Thr 3932] MPI<e>0#2 Open( ANONYMOUS 0 1 ) -> 0
[Thr 3932] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 3932] <<- SapSSLSessionInit()==SAP_O_K
[Thr 3932] in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
[Thr 3932] out: sssl_hdl = 003FFBC0
[Thr 3932] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
[Thr 3932] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 3932] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1305
[Thr 3932] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
[Thr 3932] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 3932] SapISSLServerCacheExpiration(): Calling ServerCacheCleanup() (lifetime=900)
[Thr 3932] SapISSLServerCacheExpiration(srv,"D:\usr\sap\RD1\DVEBMGS02\sec\SAPSSLS.pse"): Cache max/before/now = 5000/1/1
[Thr 5096] Tue Jul 15 14:40:32 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)
[Thr 4352] Tue Jul 15 14:40:36 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmCheckForBlockedThreads: check for blocked SSL-threads
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 5096] Tue Jul 15 14:40:42 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)
[Thr 3932] Tue Jul 15 14:40:45 2008
[Thr 3932] peer has closed connection
[Thr 3932] <<- SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_CONN_CLOSED
[Thr 3932] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
[Thr 3932] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
[Thr 3932] NiICloseHandle: shutdown and close hdl 8 / sock 8076
[Thr 3932] MPI<d>1#3 Close( 1 ) del=0 -> 0
[Thr 3932] MPI<d>1#5 Delete( 1 ) -> 0
[Thr 3932] MPI<d>1#4 Close( 1 ) del=1 -> 0
[Thr 3932] MPI<e>0#3 Close( 0 ) del=0 -> 0
[Thr 3932] MPI<e>0#5 Delete( 0 ) -> 0
[Thr 3932] MPI<e>0#4 Close( 0 ) del=1 -> 0
[Thr 3932] IcmConnFreeContext: context 1 released
[Thr 3932] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 3932] IcmWorkerThread: Thread 5: Waiting for event
[Thr 5416] SiSelNNext: sock 8160 selected (revt=r--)
[Thr 5416] NiSelIListInsert: add hdl 6 [3] to sel-list (0) of set0
[Thr 5416] NiSelISelectInt: 1 handles selected (0 buffered)
[Thr 5416] IcmExternalLogin: Connection request from Client received
[Thr 5416] NiIAccept: hdl 6 accepted connection
[Thr 5416] NiICreateHandle: hdl 8 state NI_INITIAL
[Thr 5416] NiIInitSocket: set default settings for hdl 8 / sock 8092 (I4; ST)
[Thr 5416] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5416] NiIAccept: state of hdl 8 NI_ACCEPTED
[Thr 5416] NiIAccept: hdl 6 accepted hdl 8 from 192.168.1.3:1309
[Thr 5416] NiIAccept: hdl 8 took local address 130.83.89.22:1443
[Thr 5416] IcmConnCheckStoredClientConn: check for client conn timeout
[Thr 5416] IcmConnCheckStoredClientConn: next client timeout check in 60 sec
[Thr 5416] IcmServIncrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 2
[Thr 5416] IcmQueueAppend: queuelen: 1
[Thr 5416] IcmCreateRequest: Appended request 16
[Thr 5416] IcmConnIntegrateServer: accepted connection from 192.168.1.3 on service 1443
[Thr 5708] IcmWorkerThread: worker 6 got the semaphore
[Thr 5708] REQUEST:
Type: ACCEPT CONNECTION Index = 15
[Thr 5708] CONNECTION (id=1/9):
used: 1, type: 1, role: 1, stateful: 0
NI_HDL: 8, protocol: HTTPS(2)
local host: 130.83.89.22:1443 ()
remote host: 192.168.1.3:1309 ()
status: NOP
connect time: 15.07.2008 14:40:45
MPI request: <0> MPI response: <0>
request_buf_size: 0 response_buf_size: 0
request_buf_used: 0 response_buf_used: 0
request_buf_offset: 0 response_buf_offset: 0
[Thr 5416] SiSelNSelect: start select (timeout=-1)
[Thr 5708] MPI:0 create pipe 05200180 1
[Thr 5708] MPI<f>0#1 Open( ANONYMOUS 0 1 ) -> 0
[Thr 5708] MPI<f>0#2 Open( ANONYMOUS 0 0 ) -> 0
[Thr 5708] MPI:1 create pipe 052002C0 1
[Thr 5708] MPI<10>1#1 Open( ANONYMOUS 1 0 ) -> 1
[Thr 5708] MPI<10>1#2 Open( ANONYMOUS 1 1 ) -> 1
[Thr 5708] ->> SapSSLSessionInit(&sssl_hdl=023BC640, role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT))
[Thr 5708] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5708] in: args = "role=2 (SERVER), auth_type=2 (REQUIRE_CLIENT_CERT)"
[Thr 5708] out: sssl_hdl = 003FFBC0
[Thr 5708] ->> SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 5708] SSL NI-sock: local=130.83.89.22:1443 peer=192.168.1.3:1309
[Thr 5708] <<- SapSSLSetNiHdl(sssl_hdl=003FFBC0, ni_hdl=8)==SAP_O_K
[Thr 5708] ->> SapSSLSessionStart(sssl_hdl=003FFBC0)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 FALSE
[Thr 5708] NiIHdlGetStatus: hdl 8 / sock 8092 ok, data pending (len=1)
[Thr 5708] NiIBlockMode: set blockmode for hdl 8 TRUE
[Thr 5708] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"
[Thr 5708] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL
[Thr 5708] SecudeSSL_SessionStart: SSL_accept() failed --
secude_error 536871698 (0x20000312) = "the client did not send a certificate handshake message for its authentication and we c
[Thr 5708] >> -
Begin of Secude-SSL Errorstack -
>>
[Thr 5708] ERROR in ssl3_get_client_certificate: (536871698/0x20000312) the client did not send a certificate handshake message
[Thr 5708] << -
End of Secude-SSL Errorstack -
[Thr 5708] <<- ERROR: SapSSLSessionStart(sssl_hdl=003FFBC0)==SSSLERR_SSL_ACCEPT
[Thr 5708] ->> SapSSLErrorName(rc=-56)
[Thr 5708] <<- SapSSLErrorName()==SSSLERR_SSL_ACCEPT
[Thr 5708] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c 1777]
[Thr 5708] ->> SapSSLSessionDone(&sssl_hdl=023BC640)
[Thr 5708] <<- SapSSLSessionDone(sssl_hdl=003FFBC0)==SAP_O_K
[Thr 5708] NiICloseHandle: shutdown and close hdl 8 / sock 8092
[Thr 5708] MPI<f>0#3 Close( 0 ) del=0 -> 0
[Thr 5708] MPI<f>0#5 Delete( 0 ) -> 0
[Thr 5708] MPI<f>0#4 Close( 0 ) del=1 -> 0
[Thr 5708] MPI<10>1#3 Close( 1 ) del=0 -> 0
[Thr 5708] MPI<10>1#5 Delete( 1 ) -> 0
[Thr 5708] MPI<10>1#4 Close( 1 ) del=1 -> 0
[Thr 5708] IcmConnFreeContext: context 1 released
[Thr 5708] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 5708] IcmWorkerThread: Thread 6: Waiting for event
[Thr 4352] Tue Jul 15 14:40:46 2008
[Thr 4352] NiSelISelectInt: 0 handles selected (0 buffered)
[Thr 4352] IcmQueueAppend: queuelen: 1
[Thr 4352] IcmCreateRequest: Appended request 17
[Thr 4352] IcmWatchDogThread: check ni handles (timeout=10000)
[Thr 4352] SiSelNFCSelect: start select (timeout=10000)
[Thr 4196] IcmWorkerThread: worker 7 got the semaphore
[Thr 4196] REQUEST:
Type: SCHEDULER Index = 16
[Thr 4196] IcmGetSchedule: found slot 0
[Thr 4196] IcmAlReportData: Reporting data to CCMS Alerting Infrastructure
[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
[Thr 4196] IcmConnCheckStoredClientConn: next client timeout check in 59 sec
[Thr 4196] NiIGetServNo: servicename '1443' = port 05.A3/1443
[Thr 4196] IcmGetServicePtr: new serv_ref_count: 2
[Thr 4196] PlugInHandleAdmMessage: request received:
[Thr 4196] PlugInHandleAdmMessage: opcode: 136, len: 272, dest_type: 2, subhdlkey: 262145
[Thr 4196] HttpSubHandlerCall: Call Handler: HttpCacheHandler, task=4, header_len=0
[Thr 4196] HttpCacheHandler: 4 0 006BBBC4 00000000
[Thr 4196] SCACHE: adm request received:
[Thr 4196] SCACHE: opcode: 136, len: 272, dest_type: 2, dest:
[Thr 4196] MTX_LOCK 3038 00ADEE88
[Thr 4196] MTX_UNLOCK 3051 00ADEE88
[Thr 4196] IctCmGetCacheInfo#5 -> 0
[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48, blocks used: 1
[Thr 4196] IcmNetBufWrapBuf: allocated netbuf: 00AD2B48
[Thr 4196] IcmNetBufFree: free netbuf: 00AD2B48 out of 1 used
[Thr 4196] IcmConnFreeContext: context 1 released
[Thr 4196] IcmServDecrRefCount: sdatu100.pvw.tu-darmstadt.de:1443 - serv_ref_count: 1
[Thr 4196] IcmGetSchedule: next schedule in 30 secs
[Thr 4196] IcmWorkerThread: Thread 7: Waiting for event
[Thr 5096] Tue Jul 15 14:40:52 2008
[Thr 5096] SiSelNSelect: of 1 sockets 0 selected
[Thr 5096] IcmProxyWatchDog: check sockets (timeout=10000)
[Thr 5096] SiSelNSelect: start select (timeout=10000)>
silke kubelka wrote:
> SMICM-Log:
>
*** No SSL-client PSE "SAPSSLC.pse" available
>
*** this will probably limit SSL-client side connectivity
>
> is this a problem?
Well, since you want to enable the certificate-based user authentication (where your ABAP server is in the role of the SSL server) this does not matter. But if you intend to use your NWAS ABAP as SSL client (for outbound https communication) then it will matter. To resolve this problem you simply create an SSL Client PSE using transaction STRUST.
Once you've managed to [configure your NWAS ABAP for SSL,|https://service.sap.com/sap/support/notes/510007] you should see (in the ICM trace) that a X.509 client certificate was received. If the certificate-based logon does not succeed, then it's most likely due to some mapping problems - those can be analysed by using the tracing approach described in [note 495911|https://service.sap.com/sap/support/notes/495911].
If you need assistance in enabling the X.509 client certificate authentication you should submit an inquiry to SAP (message component BC-SEC-LGN).
Best regards,
Wolfgang -
HTTPS request signed by client certificate from PL/SQL procedure
Hi All, please help.
The PL/SQL procedure connects to different web services, using both HTTP/HTTPS, for HTTPS sever certificates were used. Everything was OK.
The next service requires client to sign requests with client certificate. I made the client certificate, sign it by CA, store it in Wallet Manager.
Is here the possibility to send signed HTTPS request from PL/SQL?
If not, how to do it using Java and encapsulate for PL/SQL?
Please answer ASAP!!!It is pretty straight-forward to make HTTPS requests with UTL_HTTP.
To do so, you first need to create an Oracle wallet on the database server host with Oracle Wallet Manager. If your database resides on Windows, I believe a short-cut has been created in the Windows menu. On Linux, it can be invoked from $ORACLE_HOME/bin/owm.
Once the wallet is created, you need to make an additional call to utl_http.set_wallet(<wallet-directory>, <wallet-password>) before any utl_http.request or utl_http.begin_request calls. The <wallet-directory> is the wallet directory where you will find the cwallet.sso and/or ewallet.p12 files, using the format "file:/<wallet-directory>". For example:
utl_http.set_wallet('file:/home/oracle/wallets/my_wallet/', '123456');
When an Oracle wallet is created, it is pre-populated with common certificate authorities' certificates (e.g. Verisign). In the event that the server certificate of the HTTPS host is not signed by one of those common certificate authorities, you need to import the additional certificate authority's certificate in your wallet using Oracle Wallet Manager. -
Client-Auth reports: HTTP4030: Timeout while waiting for client certificate
Hello,
I'm having problems with the certificate authentication in my Sun Java System Web Server Enterprise Edition 6.1: I have created an ACL in the SJWS that asks for a client certificate when the user goes to a specific URI:
acl "uri=/server1/myaction.do";
authenticate (user) {
method="ssl";
deny (all)
user = "admin";
It works great and, when the user goes to "/server1/myaction.do" (we are using Internet Explorer 7 as Web browser), the window for selecting the client certificate appears:
- If the user selects a certificate that doesn't require password, everything works fine.
- The problem comes when the certificate is configured in Internet Explorer for asking for a password every time it is accessed. Once the user has selected the password protected certificate, the window for typing the password appears, but if the user doesn't type it and click OK IN LESS THAN 5 SECONDS (I've timed it), the following messages appear in the SJWS logs:
[28/Nov/2007:09:25:05] failure ( 2055): for host 10.0.145.11 trying to GET /server1/myaction.do, Client-Auth reports: HTTP4030: Timeout while waiting for client certificate.
[28/Nov/2007:09:25:05] security ( 2055): HTTP4290: get_auth_user_ssl: client passed no certificate.
I tried to add the following two lines to the magnus.conf file of the SJWS, but nothing changed:
SSLClientAuthTimeout 240
AcceptTimeout 3600
Has anyone experienced something similar? Any little piece of advice would be greatly appreciated.
Thank you very much in advance,
Carlos.This is fixed in Web Server 7.0 update 2. Please migrate/upgrade to Web Server 7.0 update 2. Sorry for the inconvenience.
-
Asking specific client certificate (not certificates trusted by authority)
As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
For example:
Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
It might not be elegantBut it is!
See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.
Maybe you are looking for
-
How can I update a Site Column with the content of an array with javascript CSOM?
I'm relative new to Sharepoint 2013, I'm trying to update the content of a Site column with the content of an array, I can retrieve and visualize the content of my site column, the user is able to change and save the necessary part and the changes ar
-
In BAPI_PO_CREATE - Error- Purchase Order No. is not importing
Hi, I have a Report for PO creation - Where records get entered from Excel. FM - ALSM_EXCEL_TO_INTERNAL_TABLE, BAPI_PO_CREATE Problem - Excel has app. 100 similar records out of them 7 to 8 records are giving Error.
-
Lightning-to-30pin adapter compatibility questions
I'm thinking of upgrading my iPhone 4S to a 5 or 5S. I own two docks and would like to keep them. The product description for the adapter states: Supports analogue audio output, USB audio, as well as syncing and charging. One of the docks takes the
-
Issue while perform the Task and Data Audit in Workspace
Hi All, When we try to perform the task and data audit functions in workspace it throws the following error please advise how to fix this issue. An error has occurred. Please contact your administrator. Show Details: Error Reference Number: {110FD8BF
-
Hi Experts, In subcontracting there are 2 scneraios.. 1) HALB1 has special procurement key 30- Subcontracting. Components of this HALB are supplied by main plant.SAP Help says one should maintain special procurement key - Stock Transfer from Plant to