Open https with a client certificate

Hi:
How do I open an HTTPS connection with a specific client certificate? I mean, if I have an X509Certificate, how do I open a connection with an SSL server by code? The client certificate can be different; it depends on the user.
Thanks
Edited by: MrViSiOn on Oct 30, 2008 8:44 AM

We have been able to resolve the problem. The setup we did was correct, but there was a problem with the java keystore. The keystore should not only contain the private key and the certificate used for authentication, but also the full certificate chain up to the root CA for it to work.
You should see a message like this in the log:
####<Mar 2, 2011 1:25:17 PM CET> <Debug> <SecuritySSL> <XX> <XX> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <4b6c0032292e8f22:-558fda9e:12e7663d32b:-7ff3-00000000000001ea> <1299068717879> <BEA-000000> <Returning chain of 2 certificates.>
If you get this message:
####<Mar 1, 2011 8:01:43 PM CET> <Debug> <SecuritySSL> <XX> <XX> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <1299006103215> <BEA-000000> <No suitable identity certificate chain has been found.>
It indicates that WebLogic cannot find the chain in the store and that you need to check the JKS file.
@atheek1, thanks for the replies!
Cheers,
Hugo

Similar Messages

  • Non-Deterministic Exception When Connecting With Wrong Client Certificate

    I am working on an internal application and need to determine the correct client-side SSL certificate to use when connecting to a server (the user can supply multiple client-side certificates). I had expected that if I connected to a server using the wrong client certificate the java client would throw a SSLHandshakeException and I could then try the next certificate. This seems to work some of the time, however the java client will sometimes throw a “SocketException: Software caused connection abort: recv failed”, in which case it is not possible to know that the wrong certificate caused the problem.
    Below is the code I have been using to test as well as the intermittent SocketException stack trace. Does anyone have an idea as to how to fix this problem? Thanks in advance.
    Note: the TrustAllX509TrustManager is a trust manager that trusts all servers.
    import java.io.BufferedInputStream;
    import java.io.BufferedOutputStream;
    import java.io.ByteArrayOutputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.InetAddress;
    import java.net.InetSocketAddress;
    import java.net.Socket;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import javax.net.SocketFactory;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;

    protected void connectSsl() throws Exception {
          final String host = "x.x.x.x";
          final int portNumber = 443;
          final int socketTimeout = 10*1000;
          // Note: Wrong certificate (expect SSLHandshakeException).
          final String certFilename = "C:\\xxx\\clientSSL.P12";
          final String certPassword = "certPassword";
          final BufferedInputStream bis = new BufferedInputStream(new FileInputStream(new File(certFilename)));
          final char[] certificatePasswordArray = certPassword.toCharArray();
          // Load the PKCS#12 file and build a key manager that offers its client certificate.
          final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
          final KeyStore keyStore = KeyStore.getInstance("PKCS12");
          keyStore.load(bis, certificatePasswordArray);
          bis.close();
          keyManagerFactory.init(keyStore, certificatePasswordArray);
          final KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
          final SSLContext context = SSLContext.getInstance("SSL");
          // TrustAllX509TrustManager accepts any server certificate: test-only, see the note above.
          context.init(keyManagers, new TrustManager[]{new TrustAllX509TrustManager()}, new SecureRandom());
          final SocketFactory secureFactory = context.getSocketFactory();
          final Socket socket = secureFactory.createSocket();
          final InetAddress ip = InetAddress.getByName(host);
          socket.connect(new InetSocketAddress(ip, portNumber), socketTimeout);
          socket.setSoTimeout(socketTimeout);
          // Write the request. The TLS handshake runs on the first flush. HTTP/1.1 requires a Host
          // header, and "Connection: close" makes the server end the stream so the read loop terminates.
          final OutputStream out = new BufferedOutputStream(socket.getOutputStream());
          out.write("GET / HTTP/1.1\r\n".getBytes());
          out.write(("Host: " + host + "\r\n").getBytes());
          out.write("Connection: close\r\n".getBytes());
          out.write("\r\n".getBytes());
          out.flush();
          // Read the whole response, then close the socket.
          InputStream inputStream = socket.getInputStream();
          ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
          byte[] byteArray = new byte[1024];
          int bytesRead = 0;
          while ((bytesRead = inputStream.read(byteArray)) != -1) {
             outputStream.write(byteArray, 0, bytesRead);
          }
          socket.close();
          System.out.println("Response:\r\n" + outputStream.toString("UTF-8"));
       }
    Unexpected SocketException:
    main: java.net.SocketException: Software caused connection abort: recv failed
         at java.net.SocketInputStream.socketRead0(Native Method)
         at java.net.SocketInputStream.read(SocketInputStream.java:129)
         at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
         at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
         at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
         at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)

    Thanks for the quick response. Here are answers to the questions:
    1) No, this issue is not associated with one particular certificate. I have tried several certificates and see the same issue.
    2) I agree it would be simpler to only send the required certificate, but unfortunately the project requires that the user be able to specify multiple certificates and, if a client-side certificate is required, the application try each one in turn until the correct certificate is found.
    3) Yes, I realize the TrustAllX509TrustManager is insecure, but I am using this for testing purposes while trying to diagnose the client certificate problem.
    In terms of testing, I am just wrapping the above code in a try/catch block and executing it in a loop. It is quite odd that the same exact code will sometimes generate a SSLHandshakeException and other times a SocketException.
    One additional piece of information: if I force the client code to use "SSLv3" using the Socket.setEnabledProtocols(...) method, the problem goes away (I consistently get a SSLHandshakeException). However, I don't think this solves my problem as forcing the application to use SSLv3 would mean it could not handle TLS connections.
    The code to specify the SSLv3 protocol is:
    SSLSocket sslSocket = (SSLSocket) socket;
    sslSocket.setEnabledProtocols(new String[] {"SSLv3"});
    One other strange issue: if instead of specifying the SSLv3 protocol using setEnabledProtocols(...) I instead specify the protocol when creating the SSLContext, the SocketException problem comes back. So if I replace:
    final SSLContext context = SSLContext.getInstance("SSL");
    with:
    final SSLContext context = SSLContext.getInstance("SSLv3");
    and remove the "sslSocket.setEnabledProtocols(new String[] {"SSLv3"})" line, I see the intermittent SocketException problem.
    All very weird. Any thoughts?
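The original question at the top of this page (open an HTTPS connection presenting one specific client certificate, chosen per user) and this thread (try several client certificates in turn and recognise when the server rejected one) need the same pieces, so one worked example serves both. It is added here and is not code from either poster, from WebLogic or from the JDK documentation. It pins a single keystore alias through a wrapping X509ExtendedKeyManager, keeps the JVM's default truststore for server verification instead of a trust-all manager, and treats both SSLHandshakeException and a SocketException raised during the handshake as "this certificate was rejected". In the trace above the client is inside waitForClose while flushing its ChangeCipherSpec, which is what it looks like when the peer tears the TCP connection down instead of sending a fatal alert the client could report as SSLHandshakeException; whether a server alerts or just closes is up to the server, which would explain why the same code sees one exception or the other. The class names, the argument layout of main and the PKCS#12 file are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.SocketException;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Key manager that always offers one fixed alias; the chain stored under that alias is what the server sees. */
final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
        this.delegate = delegate;
        this.alias = alias;
    }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return alias; }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return alias; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
    // Client-only key manager: never act as a TLS server identity.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return null; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}

public final class ClientCertHttps {   // hypothetical class name

    /** SSLContext that presents exactly one alias; a null TrustManager[] keeps the JVM default truststore. */
    static SSLContext contextFor(KeyStore ks, char[] keyPassword, String alias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509KeyManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(base, alias) }, null, null);
        return ctx;
    }

    /** Aliases that hold a private key, i.e. the candidate client identities in the store. */
    static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) out.add(a);
        }
        return out;
    }

    /** HTTP status if the server accepted this alias, or -1 if it rejected the handshake. */
    static int tryAlias(URL url, KeyStore ks, char[] keyPassword, String alias) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(contextFor(ks, keyPassword, alias).getSocketFactory());
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            return conn.getResponseCode();
        } catch (SSLHandshakeException | SocketException e) {
            // A fatal alert surfaces as SSLHandshakeException; a server that simply drops the TCP
            // connection after our Certificate/Finished surfaces as SocketException. Both mean "rejected".
            return -1;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical invocation: java ClientCertHttps <https-url> <client.p12> <password>
        URL url = new URL(args[0]);
        char[] pw = args[2].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[1])) { ks.load(in, pw); }
        for (String alias : privateKeyAliases(ks)) {
            int status = tryAlias(url, ks, pw, alias);
            System.out.println(alias + " -> " + (status < 0 ? "rejected by server" : "accepted, HTTP " + status));
            if (status >= 0) break;
        }
    }
}
```

Each attempt builds its own SSLContext, so a session cached from a rejected attempt cannot be resumed by the next one, and HttpsURLConnection still verifies the server's certificate and hostname against cacerts, which the trust-all manager in the post skips. Because the key manager sends whatever chain is stored under the alias, the chain must be complete up to the root, as the WebLogic answer above describes.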

  • Getting SSGD 4.41 to work with SSL + Client Certificate

    Hello everybody.
    I'm running SSGD 4.41.909 on SuSE Linux Enterprise Server 10+Sp2 (x86_32bit) and I configured it to perform KERBEROS authentication against a Windows 2003R2 server.
    Everything worked fine so I decided to give SSL + client certificate a try.
    I configured the Win2003R2 server as per the manual and I also:
    . imported the Active Directory root CA into the SSGD truststore (/opt/tarantella/bin/jre/lib/security/cacerts)
    . created a new key and a CSR using the keytool
    . signed the above CSR with the Active Directory CA
    . imported the just-signed certificate into the SSGD keystore (/opt/tarantella/var/info/certs/sslkeystore)
    With keytool I'm able to verify that the keystore does actually contain a valid CLIENT certificate:
    /opt/tarantella/bin/jre/bin/keytool -list \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -keypass "$(cat /opt/tarantella/var/info/key)" \
    -storepass "$(cat /opt/tarantella/var/info/key)"
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    testssgd, Dec 17, 2008, PrivateKeyEntry,
    Certificate fingerprint (MD5): 33:3B:41:EC:A2:4C:FF:02:D7:0D:D8:2D:EB:B2:2A:2B
    ssgd_client_cert, Dec 17, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): DE:6B:BA:28:39:6B:B2:7B:51:F5:F2:6B:41:6E:6B:C1
    As you can see, the ssgd_client_cert is indeed available into the sslkeystore.
    Next, I configured SSGD as follows:
    Step4: LDAP Repository Details
    Repository Type: (*) Active Directory
    URLs: ad://zen.strhold.it
    Connection Security: () Kerberos
    (*) SSL
    [x] Client Certificate Used
    Active Directory Base Domain: zen.strhold.it
    Active Directory Default Domain: zen.strhold.it
    [Next]
    I did not have any errors when I clicked over [Next] and the same went when I selected the [Finish] button.
    I logged out of the Admin console, restarted the SSGD server and tried to login using an Active Directory VALID user but here's what I got:
    Sun Secure Global Desktop Software (4.41) WARNING:
    Could not find a client certificate to use to authenticate the
    connection to the Active Directory server
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the Active Directory.
    A known resolution to this warning is:
    - Import a client certificate for this server into the SGD keystore.
    For more information on how to do this, consult the SGD Administration
    Guide.
    2008/12/17 17:16:36.246     (pid 18920)     server/ad/warningerror     #1229530596247
    Sun Secure Global Desktop Software (4.41) WARNING:
    Failed to connect to the global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
    Reason:
    [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
    Global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the forest.
    To help troubleshoot this warning,
    - Verify that this global catalog is available on the network.
    - Verify that SGD can resolve the global catalog's hostname via DNS.
    - Verify that SGD can connect to port 3268 on the global catalog.
    - Verify that this server is a global catalog for the forest.
    I'm pretty sure I do have a client certificate in the SSGD keystore (as demonstrated by the keytool utility).
    Am I missing something or what?
    Things I've already checked:
    . both the SSGD and Windows server clocks are in sync
    . the DNS server (on Windows) is able to resolve the names of the boxes in both forward and reverse mode
    . no firewall is operating between the boxes
    Thanks,
    Rob

    Hi DD.
    Thanks again for your time and patience!
    Well, today I restarted the SSGD box (it's a virtual machine) and issued the:
        keytool -list -keystore sslkeystore -storepass "$(cat /opt/tarantella/var/info/key)" -keypass "$(cat /opt/tarantella/var/info/key)"
    command. Much to my surprise, this time I got the following output:
    Your keystore contains 1 entry
    testssgd, Dec 19, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
    As you can see, now the certificate is recognized as "trustedCertEntry" instead of the previous PrivateKeyEntry. If you step back to my previous post, you should be able to tell that the MD5 is the same one I got for the PrivateKeyEntry:
    testssgd, Dec 19, 2008, PrivateKeyEntry,
    Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
    By issuing the suggested:
    keytool -v -list -keystore sslkeystore -alias testssgd
    command I got the following output (snipped):
    Alias name: testssgd
    Creation date: Dec 19, 2008
    Entry type: trustedCertEntry
    Owner: CN=ssgd.zen.strhold.it, OU=Strhold Evolution Division, O=Strhold, L=Reggio Emilia, ST=Italy, C=IT
    Issuer: CN=ADroot, DC=zen, DC=strhold, DC=it
    Serial number: 1568abe4000000000006
    Valid from: Fri Dec 19 17:45:52 CET 2008 until: Sun Dec 19 17:45:52 CET 2010
    Certificate fingerprints:
         MD5: 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
         SHA1: 00:8F:59:04:51:49:A6:73:8C:B5:6D:74:C6:90:30:32:24:DE:6D:EA
         Signature algorithm name: SHA1withRSA
         Version: 3
    As you can see, the Issuer is ADroot (CN=ADroot, DC=zen, DC=strhold, DC=it).
    The error messages did not change:
    Attempted login for [email protected]
    using disambiguation attributes {}.
    2008/12/22 13:37:10.306     (pid 3764)     server/kerberos/info     #1229949430306
    Kerberos attempting to log in rzini in to ZEN.STRHOLD.IT
    2008/12/22 13:37:10.647     (pid 3764)     server/kerberos/moreinfo     #1229949430647
    Kerberos succeeded in authenticating [email protected] to ZEN.STRHOLD.IT
    2008/12/22 13:37:10.711     (pid 3764)     server/ldap/info     #1229949430711
    LDAP config is: "ad://zen.strhold.it"
    2008/12/22 13:37:10.716     (pid 3764)     server/ldap/info     #1229949430716
    LDAP server user was changed for scope "forest" to ""
    2008/12/22 13:37:10.796     (pid 3764)     server/ldap/moreinfo     #1229949430796
    NSLookup succeeded: "win2003r2.zen.strhold.it." returned 192.168.68.1
    2008/12/22 13:37:10.801     (pid 3764)     server/ldap/moreinfo     #1229949430801
    Service lookup succeeded: "_gc._tcp.zen.strhold.it." returned 192.168.68.1:3268
    2008/12/22 13:37:11.316     (pid 3764)     server/ad/warningerror     #1229949431315
    Sun Secure Global Desktop Software (4.41) WARNING:
    Could not find a client certificate to use to authenticate the
    connection to the Active Directory server
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the Active Directory.
    A known resolution to this warning is:
    - Import a client certificate for this server into the SGD keystore.
    For more information on how to do this, consult the SGD Administration
    Guide.
    2008/12/22 13:37:11.321     (pid 3764)     server/ad/warningerror     #1229949431321
    Sun Secure Global Desktop Software (4.41) WARNING:
    Failed to connect to the global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
    Reason:
    [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
    [snip]
    Discovery results:
    Looking up Global Catalog DNS name: _gc._tcp.zen.strhold.it. - HIT
    Looking for GC on server: Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up - ERROR
    The Active Directory login authority and LDAP generation will not work as
    SGD could not find a contactable global catalog.
    2008/12/22 13:37:11.329     (pid 3764)     server/ldap/error     #1229949431329
    Sun Secure Global Desktop Software (4.41) ERROR:
    LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=ZEN,DC=STRHOLD,DC=IT") 587ms javax.naming.NameNotFoundException: Failed to lookup a Global Catalog server
    A call to LDAP failed. This might mean LDAP users cannot log in.
    I can provide you with the Java exception which was reported but I cannot include it with this message due to the restriction in size we have when posting.
    Thanks again,
    Rob
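The store listing in this thread (the client's end-entity certificate present only as a trustedCertEntry, with no private key behind it) and the WebLogic answer earlier on the page (the identity chain must reach the root CA) are both conditions that can be checked in the keystore before touching the application. The following is an added example, not part of SGD, WebLogic or any poster's code: it opens a JKS or PKCS#12 store and reports, per alias, whether the entry has a private key, whether its chain links by issuer name and signature up to a self-signed root, whether the leaf's Extended Key Usage permits clientAuth, and whether the leaf is within its validity period. The class name, the command-line layout and the default store type are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Reports, per alias, whether a JKS/PKCS#12 store holds a usable client identity. Hypothetical class name. */
public final class KeystoreDoctor {
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";   // id-kp-clientAuth
    private static final String EKU_ANY = "2.5.29.37.0";                // anyExtendedKeyUsage

    /** True when the certificate names itself as issuer and its signature verifies with its own key. */
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    /** No EKU extension means any usage; otherwise clientAuth (or anyExtendedKeyUsage) must be listed. */
    static boolean allowsClientAuth(X509Certificate c) throws Exception {
        List<String> eku = c.getExtendedKeyUsage();
        return eku == null || eku.contains(EKU_CLIENT_AUTH) || eku.contains(EKU_ANY);
    }

    /** Each leaf-to-root link must chain by issuer name and signature, and the last cert must be a self-signed root. */
    static List<String> chainProblems(Certificate[] chain) {
        List<String> problems = new ArrayList<>();
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = (X509Certificate) chain[i];
            X509Certificate parent = (X509Certificate) chain[i + 1];
            if (!child.getIssuerX500Principal().equals(parent.getSubjectX500Principal())) {
                problems.add("cert " + i + " issuer does not match cert " + (i + 1) + " subject");
            }
            try { child.verify(parent.getPublicKey()); }
            catch (Exception e) { problems.add("cert " + i + " signature does not verify with cert " + (i + 1)); }
        }
        if (!isSelfSigned((X509Certificate) chain[chain.length - 1])) {
            problems.add("chain does not end at a self-signed root (the WebLogic 'No suitable identity certificate chain' case)");
        }
        return problems;
    }

    /** One verdict line per alias. */
    static String inspect(KeyStore ks, String alias) throws Exception {
        if (ks.isKeyEntry(alias)) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) return alias + ": secret-key entry, no certificate";
            X509Certificate leaf = (X509Certificate) chain[0];
            StringBuilder sb = new StringBuilder(alias).append(": PrivateKeyEntry, chain of ").append(chain.length);
            for (String p : chainProblems(chain)) sb.append(" [").append(p).append(']');
            if (!allowsClientAuth(leaf)) sb.append(" [EKU lacks clientAuth]");
            try { leaf.checkValidity(); }
            catch (CertificateExpiredException | CertificateNotYetValidException e) { sb.append(" [leaf not valid now]"); }
            return sb.toString();
        }
        X509Certificate c = (X509Certificate) ks.getCertificate(alias);
        String verdict = alias + ": trustedCertEntry";
        if (!isSelfSigned(c) && c.getBasicConstraints() < 0) {
            // An end-entity certificate stored without its key can never be offered as a client identity.
            verdict += " [end-entity certificate without private key, not usable for client auth]";
        }
        return verdict;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical invocation: java KeystoreDoctor <store> <password> [JKS|PKCS12]
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        for (String alias : Collections.list(ks.aliases())) System.out.println(inspect(ks, alias));
    }
}
```

Run against the sslkeystore above it would flag testssgd as an end-entity certificate without a private key, which is exactly what SGD's "Could not find a client certificate" warning is reacting to. With keytool, importing a CA reply with -importcert into the alias that already holds the PrivateKeyEntry installs the issued chain into that entry (the issuing CA has to be trusted, either in the same store or in cacerts); importing it under any other alias, or after the key entry has been deleted, produces a trustedCertEntry like the one in the listing.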

  • Problem with Require Client Certificate on on IPlanet 6.0 server

    I installed a client certificate. When I connect to the server using a browser, I get the following error:
    You are not authorized to view this page
    You might not have permission to view this directory or page using the credentials you supplied.
    How can I run the server in verbose mode and see exactly why this error occurs?
    Default error file does not have any information about this rejection.
    Thanks
    Krishna

    The message is cut and paste of what client (IE) shows on the browser.
    But the server does not show anything in its log. I don't see any activity. I have Log Verbose on.
    If I change the client certificate setting from on to off, it works fine.
    The problem occurs only when the client certificate setting is on.
    The client certificate was created using iPlanet Certificate Server, and the server certificate was also generated using iPlanet Certificate Server.
    In this case I am not trying to authenticate the user in the client certificate, just whether the client certificate is valid or not.
    Thanks for the reply.
    Regards
    Krishna

  • Client Certificate Mapping authentication using Active Directory across trusted forests

    Hi,
    We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the users exist in the on-premises AD and the 1-way trust allows them to use their credentials to log in to a cloud domain-joined server. This works fine with Windows authentication.
    We are now looking at implementing 2-factor authentication using certificates. The PKI infrastructure exists in the on-premises forest. The users are able to successfully log in to on-premises servers configured with "AD Client Certificate Mapping".
    However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
    1. Is this possible?
    2. If yes, what do we need to do to make this work.
    Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

    1. Yes!
    2. Before answering this I need to know if you are trying to perform a smart card logon on a desktop/console, or if you just want to use certificate-based authentication in an application, like a web application with client certificate requirements and mapping?
    /Hasain
    We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
    To simulate the scenario, I setup up two separate forests and established a trust between them.
    I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
    I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
    I setup a test ASP page to capture the Login Info on both the servers.
    With the client and the server in the same forest, I got the following results
    Login Info
    LOGON_USER: CORP\ASmith
    AUTH_USER: CORP\ASmith
    AUTH_TYPE: SSL/PCT
    With the client in the domain with the PKI and the server in the other Forest, I got the following response
    Login Info
    LOGON_USER:
    AUTH_USER:
    AUTH_TYPE: 
    I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
    With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
    401 - Unauthorized: Access is denied due to invalid credentials.
    You do not have permission to view this directory or page using the credentials that you supplied

  • SOAP Receiver Adapter problem (client certificate required)

    My scenario is similar to the one described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721 [original link is broken]. I have two PI servers running on one machine. I am trying to post a message over HTTPS with client authentication via the SOAP adapter from one PI system to the SOAP adapter of the other PI server. I have done the following configuration.
    PI Server AXD - (Client) - Receiver SOAP adapter
    PI Server AXQ - (Server) - Sender SOAP Adapter.
    Steps in AXD
    1. I have created a certificate of AXD in the service_ssl view of key storage.
    2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
    Steps in AXQ
    1. I have created a certificate of AXQ in the service_ssl view of key storage.
    2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
    3. I have created a user in AXQ and assigned the certificate of AXD under user management in the Security Provider to this user.
    4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
    5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
    Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
    Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
    Any pointer to solve this problem is highly appreciated.
    Thanks
    Abinash

    Hi Hemant,
    I have a couple of questions. Why do we need to import a certificate for SOAP WS-Security, and from where can I get it?
    As far as my scenario goes I am not using message level security.
    Secondly, what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage. I can see a view named just WebServiceSecurity, though.
    Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
    Abinash

  • Help required with ADFS 3.0 client certificate authentication

    Hi,
    I am currently working on integrating ADFS 3.0 for Single Sign On to some 3rd party services along with a PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then federate user credentials to a 3rd party trust for single sign-on.
    I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup with the ADFS 3.0 client authentication method enabled. When I open the browser to log on, the ADFS 3.0 page displays the message "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
    The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
    Thanks!
    -Chinmaya Karve

    Hi Yan,
    Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
    So, as I mentioned earlier, I have 2 parallel setups with a 3rd party service (SalesForce). One of them is running ADFS 2.0 and the other has ADFS 3.0. I can log on to the third-party services from both setups using username/format. I can log on to SF using a client authentication certificate from the ADFS 2.0 setup, but from the same client machine, when I try to log on to SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows the message "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again.".
    I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
    I am really confused now, as to whose issue this really is...
    Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
    Any suggestion or inputs where I could have gone wrong in the setup?
    Thanks!

  • HTTPS connection with client certificate not working in spartan

    Spartan does not show certificate for the user to select
    when I click the https link.
    The certificates (taken from a smartcard) are indeed present in the user CertStore.
    It works with IE 11 and Chrome.
    Has somebody any suggestions ?
    Thanks.

  • Proxy https connection with client certificate credentials

    Hello, we are building an application like netvibes/iGoogle which allows users to have portlets with RSS feeds in them. The portlets are all loaded using Ajax and therefore the RSS feeds must exist on the same domain as the portal. If they don't, you run into cross-domain security issues with Ajax. Usually to get around this you just proxy the connection on the server, which is very simple with RSS feeds that are exposed via HTTP. We however have many feeds that are exposed via HTTPS. These feeds likely require a client certificate to authenticate them. Therefore, just doing a basic proxy (take the distant URL and open a new connection on the server) won't work, because it will build the new connection with the server's credentials and not the user's.
    Is there a way to build the connection on the server using the user's credentials? How can we proxy this connection over HTTPS?
    If anyone has ideas, please let me know.
    Thanks!

    In fact you are using more of a reverse proxy than a proxy, since it is on the server side.
    You have to put all the SSL server part on the reverse proxy itself and not on the final RSS feed. Then the reverse proxy will authenticate your client and get its certificate. After that, either this proxy will open a plain connection (no SSL) towards the RSS feed, or you can also open an SSL connection, but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I have used this solution many times in professional hosting.
    hope it helps !

  • In iPad how to use webdav nav with client certificate

    I have created a WebDAV-enabled site on an Apple Mac mini server using Apache. The WebDAV site is secured with HTTPS as well as a client certificate.
    While browsing the website using Safari/IE everything works fine, but with the iPad's WebDAV utility it is not working. The client cert is not picked up by the WebDAV nav tool, although the client SSL cert is installed on the iPad.

    Hi Olek
    I Have a working WebDAV setup with tomcat 6.0
    the only problem is this only works on windows XP
    anyway here is the code,
        <servlet>
        <servlet-name>webdav</servlet-name>
        <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
        <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
        </init-param>
        <init-param>
          <param-name>listings</param-name>
          <param-value>true</param-value>
        </init-param>
        <!-- Uncomment this to enable read and write access -->
        <init-param>
          <param-name>readonly</param-name>
          <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <!-- The mapping for the webdav servlet -->
      <!-- Using /* as the mapping ensures that jasper, welcome files etc are
           over-ridden and all requests are processed by the webdav servlet.
           This also overcomes a number of issues with some webdav clients
           (including MS Webfolders) that do not respond correctly
    to the
           redirects (302) that result from using a mapping of / -->
      <servlet-mapping>
        <servlet-name>webdav</servlet-name>
        <url-pattern>/*</url-pattern>
      </servlet-mapping>
    Put that in your web.xml file,
    and here is a basic example of how to use it in a jsp.
    <%
    String networkPath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + request.getContextPath() + "/";
    %>
    <body onload="document.getElementById('anchor').click();">
        <a id="anchor" href="<%= networkPath %>Temp/Test/file.doc" folder="<%= networkPath %>Temp/Test/">
               Open in Web Folder View
        </a>
    </body>
    Hope this helps you

  • Client Certificate Rejected, repeatedly +with great vigor

    Hi all --
    Perhaps you can give me a hand. I recently got a new MacBook Pro -- my first new CPU since the ole' clamshell back in 2001. Very happy with it as a whole but also finding that I am a bit behind the times in terms of my understanding of the software. Here is the problem: Yesterday I tried to access a page using Safari (2.0.3) from my history. I do not believe that it was a secure page as it was part of the dartmouth.edu website but it may have been. Anyway, a dialogue box popped up asking for me to use the FileVaultMaster keychain. I did not know that I had such a thing but I typed in my master password. The page still did not open, but Safari displayed a text box saying that there was an error -- this particular error, in fact:
    <begin quote>
    The error was: “client certificate rejected” (NSURLErrorDomain:-1205) Please choose Report Bug to Apple from the Safari menu, note the error number, and describe what you did before you saw this message
    <end of quote>
    Now, when I try to access the basic Dartmouth homepage of http://www.dartmouth.edu, Safari converts it automatically to https://www.dartmouth.edu and asks for the keychain and then displays the error. I tried emptying the cache and resetting Safari (and even restarting the computer, although I understand that that is no longer necessary with OS X) but to no avail. Can anyone clue me in as to what is happening, and why?
    Thanks much in advance,
    -Sparco03
    MacBook Pro   Mac OS X (10.4.5)  

    I emailed [email protected] about this problem and here is the response. The solution of getting a valid Dartmouth certificate doesn't apply to non Dartmouth users, so I'm not sure what to do in that case.
    "You need to check your Keychain. The reason you are getting that error is because Safari is sending a Client Certificate back to the web server (which asked for it), but the web server can't verify that it's a good certificate. This usually happens when you have an expired certificate, or you have a non-Dartmouth certificate that Safari is likely sending because it can't find a Dartmouth one."
    "Whichever of these is the case, the solution is to get a valid Dartmouth certificate, which you can generate by going to https://collegeca.dartmouth.edu/ and following the directions on the web page. If you have an expired Dartmouth cert, you will need to delete that before you import your new, valid certificate."
    "The reason all of this is happening is specific to Intel Macs. The mechanism that Dartmouth has used, better than 7+ years, to authenticate browser users to web sites (Kerberos) uses the SideCar helper application. This application doesn't run on Intel Macs, and it most likely never will. Fortunately, Dartmouth installed client certificates as an additional/alternate solution for web site authentication a few years ago. Since client certs work great on Intel Macs, we had to force Intel Macs to always use HTTPS when connecting to any site on www.dartmouth.edu. That way we can always be able to ask for your client cert, so that we don't break your ability to access protected sites that live on the www.dartmouth.edu server."

  • IOS 4.3 upgrade breaking ActiveSync profiles with client certificates

    After upgrading iPhones from iOS 4.2 to 4.3, they are unable to authenticate to ActiveSync. The ActiveSync profiles on the phones have a client certificate associated with them and the ActiveSync server requires client certs for authentication. I am also unable to remove the profiles from the iPhone that include the client cert/ActiveSync profile.
    Anyone else experiencing this problem? I am 3 for 3 so far; all three have the same issue. I have only been able to get around the issue by restoring a 4.2 backup, which enabled me to remove the profiles and install new ones.

    Hi all,
    Apple have come back to us about the case we opened.
    In our profile we have two payloads configured, the activesync payload (with a user certificate) and the credentials payload which has a user certificate and our enterprise root certs.
    The Apple engineers are saying the issue is the user cert in the Credentials payload. Apparently in 4.3 they have made some changes here.
    (when I say User cert I mean a certificate with a usage of client auth, and also in our case we have the users UPN in the subject line (or you can enter it as a SAN), so every user has a cert)
    Apple say 4.3 upgrade should be Ok without this cert in the payload.
    It will be tomorrow before I can test this.
    But the thing is, we need that cert in there because we have extra security (cert auth) on some of our public mobile focused websites, i.e. the sites challenge for a certificate (and then challenge for credentials).
    So we may have a work around (that requires new profiles loaded) but going forward we still need to see some sort of fix, i.e. no need to reload profiles (4.3.x ?).
    I'll post here when I get more info ... and thanks to Jeremy at Apple for calling me yesterday and going through it, much appreciated.
    Cheers,
    Aengus

  • Project Server 2010 Web services access with Client Certificate Authentication

    We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
    web service applications that no longer connect to the server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
    Please let us know if it is possible to authenticate with AD FS 2.0 and then call
    Project Server web services. Any help or coding examples would be greatly appreciated.

    What is the error that occurs when the custom PSI app connects?
    Can you upload the ULS logs here for research?
    What is the user account format you specified in the code for authentication?
    For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
    'I:0#.w|mybusinessdomain\ewmccarty').
    It requires you to manually call the UpnLogon method of
    “Claims to Windows Token Service”.
        if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
        {
            var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
            // the UPN claim is then read from this identity
        }
    Then you need to extract the UPN claim from the identity.
    Upload the verbose log if possible.
    Did you see this?
    http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    * JDBCRealm for supporting RDBMS authentication.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to
    * implement both a login module (see JDBCLoginModule for an example)
    * which performs the authentication and a realm (as shown by this
    * class) which is used to manage other realm operations.
    * <P>A custom realm should implement the following methods:
    * <ul>
    *  <li>init(props)
    *  <li>getAuthType()
    *  <li>getGroupNames(username)
    * </ul>
    * <P>IASRealm and other classes and fields referenced in the sample
    * code should be treated as opaque undocumented interfaces.
    final public class JDBCRealm extends IASRealm
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    * JDBCRealm login module.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to implement
    * both a login module (as shown by this class) which performs the
    * authentication and a realm (see JDBCRealm for an example) which is used
    * to manage other realm operations.
    * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
    * extended by this class. PasswordLoginModule provides internal
    * implementations for all the LoginModule methods (such as login(),
    * commit()). This class should not override these methods.
    * <P>This class is only required to implement the authenticate() method as
    * shown below. The following rules need to be followed in the implementation
    * of this method:
    * <ul>
    *  <li>Your code should obtain the user and password to authenticate from
    *       _username and _password fields, respectively.
    *  <li>The authenticate method must finish with this call:
    *      return commitAuthentication(_username, _password, _currentRealm,
    *      grpList);
    *  <li>The grpList parameter is a String[] which can optionally be
    *      populated to contain the list of groups this user belongs to
    * </ul>
    * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
    * fields referenced in the sample code should be treated as opaque
    * undocumented interfaces.
    * <P>Sample setting in server.xml for JDBCLoginModule
    * <pre>
    *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
    *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
    *       <property name="jaas-context"  value="jdbcRealm"/>
    *    </auth-realm>
    * </pre>
    public class JDBCLoginModule extends PasswordLoginModule
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    * Realm wrapper for supporting certificate authentication.
    * <P>The certificate realm provides the security-service functionality
    * needed to process a client-cert authentication. Since the SSL processing,
    * and client certificate verification is done by NSS, no authentication
    * is actually done by this realm. It only serves the purpose of being
    * registered as the certificate handler realm and to service group
    * membership requests during web container role checks.
    * <P>There is no JAAS LoginModule corresponding to the certificate
    * realm. The purpose of a JAAS LoginModule is to implement the actual
    * authentication processing, which for the case of this certificate
    * realm is already done by the time execution gets to Java.
    * <P>The certificate realm needs the following properties in its
    * configuration: None.
    * <P>The following optional attributes can also be specified:
    * <ul>
    *   <li>assign-groups - A comma-separated list of group names which
    *       will be assigned to all users who present a cryptographically
    *       valid certificate. Since groups are otherwise not supported
    *       by the cert realm, this allows grouping cert users
    *       for convenience.
    * </ul>
    public class CertificateRealm extends IASRealm
       protected void init(Properties props)
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
        public void authenticate(X509Certificate certs[])
            throws LoginException
            // Set up SecurityContext, but that is not applicable to S1WS..
    }
    Edited by: mv on Apr 24, 2009 7:04 AM
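An added example, not code from either post and not one of the Sun Java Web Server samples: a portable servlet filter that does the subject-DN-to-role mapping the question asks for without subclassing the undocumented IASRealm/CertificateRealm classes. It assumes the container has already authenticated the client certificate (CLIENT-CERT in web.xml, as shown in the question) and exposes the verified chain through the standard javax.servlet.request.X509Certificate request attribute (Servlet 2.x API); the OU-to-role table and the role names are assumptions for illustration. The DN is parsed with javax.naming.ldap.LdapName rather than string-matched, so an escaped comma inside a CN (for example CN=Smith\, OU=admins) stays one RDN and cannot forge an OU.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of the original thread): turns the subject DN of a
 * container-verified client certificate into J2EE-style roles for isUserInRole().
 * Authentication (signature, chain, expiry) is the container's job via CLIENT-CERT;
 * this filter only does authorization on the result.
 */
public final class CertRoleFilter implements Filter {

    /** Hypothetical mapping for illustration: OU value (lower-cased) -> role name. */
    private static final Map<String, String> OU_TO_ROLE = new HashMap<>();
    static {
        OU_TO_ROLE.put("admins", "admin");
        OU_TO_ROLE.put("staff", "registered-user");
    }

    /** Every holder of a valid cert is a visitor; further roles come from OU RDNs. */
    static Set<String> rolesFor(X509Certificate cert) {
        Set<String> roles = new HashSet<>();
        roles.add("visitor");
        // RFC 2253 form keeps escaping, so LdapName splits only on real RDN separators:
        // a CN containing "\, OU=admins" stays a single RDN and cannot forge an OU.
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if (!"OU".equalsIgnoreCase(rdn.getType())) continue;
                String role = OU_TO_ROLE.get(String.valueOf(rdn.getValue()).toLowerCase());
                if (role != null) roles.add(role);
            }
        } catch (InvalidNameException e) {
            // Unparseable DN: fail closed to "visitor" only rather than guess.
        }
        return Collections.unmodifiableSet(roles);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Standard attribute set by the container after a successful client-cert handshake;
        // element 0 is the end-entity certificate the client presented.
        X509Certificate[] certs =
            (X509Certificate[]) http.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final Set<String> roles = rolesFor(certs[0]);
        final Principal user = certs[0].getSubjectX500Principal();
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
            @Override public Principal getUserPrincipal() { return user; }
        }, res);
    }
}
```

Map the filter to the protected URL pattern in web.xml alongside the CLIENT-CERT login-config. Because these roles live in the filter rather than in a realm, enforce them with isUserInRole() in the application (or by sending 403 from the filter) rather than with an auth-constraint, which only sees container roles. This is the gap the stock certificate realm leaves: its assign-groups property, as its own javadoc above says, hands every certificate holder the same group.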

  • Mobile safari no longer able to authenticate with client certificate in ios 5...

    was working in 4.3.5 on iPad, but no more. Imported the cert with IPCU but Safari seems to not recognize that there is a cert installed. All certs are using SHA-1.

    Some additional info - the imported certificate works fine for ActiveSync, VPN, and WiFi, so I know it is installed correctly. When connecting to a web server that requires the certificate, the following is logged in the IPCU console:
    MobileSafari[368] <Warning>: no itentities, but we have a challenge <NSURLAuthenticationChallenge: 0x2eeea0>
    So to me, it looks like the Web server is requesting the client certificate, but mobilesafari does not see the identity certificate I imported.
