PC with client cert -- IIS-- WLS using proxy plugin

I have the following configuration
PC ----> IIS Web Server ----> WLS
The PC has a Windows COM application that will use HTTPS to communicate with a
servlet + ejbs on WLS. The PC has a digital certificate, the PC authenticates
IIS and the IIS authenticates the PC via SSL.
We want to use the BEA IIS plugin to proxy the PC requests to the Servlets/EJBs
on WLS. We also want the public digital certificate on the PC to be sent from
IIS to WLS as we need to extract information from it on WLS.
Solution ID S-08166 says this can be done for Apache. Can it be done for IIS and
if so how?
Thanks
Colman

I would like the same behaviour but with NSAPI plugin
any configuration guidelines
The ppath is the same but one is http and the other https
"Varun" <[email protected]> wrote in message
news:3da32e55$[email protected]..
>
We are trying to secure certain pages in our web application. Our setup has an
IIS server with the WebLogic ISAPI plugin configured for path forwarding. However,
it seems that we can configure the plugin either to secure all traffic to the
Weblogic server or none of it (SecureProxy=ON/OFF).
What we would like to do is to setup the plug-in so that all incoming http traffic
is forwarded to Weblogic server over http and all https traffic is forwarded to
the same weblogic server over https. Is there any way to do this?
Any help is very appreciated.

Similar Messages

  • Is strong 2FA with client cert and AD using AnyConnect possible?

    Is it possible to configure AnyConnect to require a client cert that matches the AD username?  Which attribute should be used?  Common name (CN) or something else?  Can anyone point me to the appropriate documentation on setting up this configuration?
    Thanks in advance!

    Jaime, 
    If you want binary comparison of the certificate I  believe it's only possible with EAP methods. 
    That being said, you can extract multiple things from certificate to be used as authentication username. 
    Have a look at this doc 
    http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116111-11611-config-double-authen-00.html
    It shows a couple of different ways to do this on ASA.
    On IOS, I'd suggest looking at FlexVPN feature. 
    M.

  • Weblogic 10.0 web application with CLIENT-CERT suddenly redirect with 401

    Hi everybody,
    we currently have a Weblogic Portal 10.2 web application with an integrated Windows authentication.
    I configured a Negotiate Identity Asserter and an Active Directory provider.
    I configure Kerberos services, so we can successfully access our application through the Windows session.
    But, most of time we have 401 errors on any page when navigating. In fact, the error occurs when clicking on a link when a page is not fully loaded.
    For our tests, we use the security webapp provided by BEA/Oracle, and it just work.
    The web.xml used in our webapp :
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>sso</web-resource-name>
        <description>Desc</description>
        <url-pattern>/appmanager/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>desc</description>
        <role-name>ssoRole</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name/>
    </login-config>
    <security-role>
      <description>Authenticated user</description>
      <role-name>ssoRole</role-name>
    </security-role>

    which version of web server r u using here ? 6.1 or 7.0 ? if it is 6.1 then there is no easy <If> syntax. if u r using 7.0, then u need to be aware that the processing of 'ppath' is slightly different in 7.0
    in any case, this would be the syntax
    <Object name="weblogic" ppath="/hw/">
    Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
    # gateway timeout - back end web logic not responding handle differently
    <If code='504'>
    # send it to a different post..
    Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
    </If>
    </Object>
    - sriram

  • The HTTP Request is unauthorized with client authentication scheme negotiate - MDS Excel Plugin error

    Hi,
    Some users in my company are experiencing a strange issue when connecting to our MDS server using the MDS Excel plugin. They receive the error message:
    "The HTTP Request is unauthorized with client authentication scheme negotiate. The authentication header received from the server was "NTLM,BASIC real="DOMAIN NAME IWA"
    They are receiving this error when first trying to connect. For some reason they only receive this error when connected to the work network via the VPN. They don't receive this error from within our network.
    Does anyone know what might be causing this issue and how to resolve?
    Many Thanks,
    Phil

    Try the following links and see if it helps:
    https://support.microsoft.com/en-us/kb/896861/
    https://social.technet.microsoft.com/Forums/projectserver/en-US/912c7179-8858-4c48-a71d-d9a21ff10a1b/the-http-request-is-unauthorized-with-client-authentication-scheme-ntlm-the-authentication?forum=project2010custprog
    -Nithesh Shetty Software Engineer, C & E -> IMML -> MDS, Microsoft.

  • Web service proxy client with client cert cause SSLSessionNotFoundErr

    Hi,
    I tried to run web service proxy client with certification from JDeveloper 10.1.3.0.4 to call PKI enabled web service got following error:
    WARNING: Unable to connect to URL: due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
    Web service deployed on OAS

    Hi,
    I am trying to invoke from JDeveloper (10.1.3) a CRM On Demand's Web Service and I have the same problem:
    ADVERTENCIA: Unable to connect to URL: https://secure-ausomxgfa.crmondemand.com/Services/Integration due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
    java.rmi.RemoteException: ; nested exception is:
         HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
         at testerlast.runtime.Contact_Stub.contactInsert(Contact_Stub.java:96)
         at testerlast.ContactClient.contactInsert(ContactClient.java:88)
         at testerlast.ContactClient.main(ContactClient.java:69)
    Caused by: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
         at oracle.j2ee.ws.common.util.exception.JAXRPCExceptionBase.<init>(JAXRPCExceptionBase.java:93)
         at oracle.j2ee.ws.common.util.exception.JAXRPCExceptionBase.<init>(JAXRPCExceptionBase.java:89)
         at oracle.j2ee.ws.client.ClientTransportException.<init>(ClientTransportException.java:33)
         at oracle.j2ee.ws.client.http.HttpClientTransport.invokeImpl(HttpClientTransport.java:144)
         at oracle.j2ee.ws.client.http.HttpClientTransport.invoke(HttpClientTransport.java:121)
         at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:169)
         at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:111)
         at testerlast.runtime.Contact_Stub.contactInsert(Contact_Stub.java:80)
         ... 2 more
    To do the invocation I have done a proxy to consume this Web Service, with the follow main:
    public static void main(String[] args) {
        try {
            testerlast.ContactClient myPort = new testerlast.ContactClient();
            System.out.println("calling " + myPort.getEndpoint());
            myPort.setUsername(nameUser);
            myPort.setPassword(password);
            ListOfContactData llista = new ListOfContactData();
            ContactData[] contacts = new ContactData[2];
            ContactInsert_Input input = new ContactInsert_Input();
            // Login WS HTTPS
            String idSesion = connexioWS_CRM.logon(URL, nameUser, password);
            // Add contacts
            for (int i = 0; i < contacts.length; i++) {
                // A fresh object per slot, so the array entries do not alias each other
                ContactData contact = new ContactData();
                contact.setId("ProvaWSCRM" + i);
                contact.setContactFirstName("JDeveloper" + i);
                contact.setContactLastName("prove" + i);
                contact.setCellularPhone("77777777" + i);
                contact.setDescription("Add contact with Id:" + contact.getId());
                contacts[i] = contact;
                System.out.println("Id:" + contacts[i].getId() + " firstName:" + contacts[i].getContactFirstName() + " lastName:" + contacts[i].getContactLastName());
            }
            llista.setContact(contacts);
            input.setListOfContact(llista);
            input.setEcho("off");
            // Debug output; note that this prints the password in clear text
            System.out.println("Pwd:" + myPort.getPassword() + " Port:" + myPort._port + " endpoint:" + myPort.getEndpoint() + " user:" + myPort.getUsername());
            myPort.contactInsert(llista, "LIC", "Broadset", "OFF");
            // Logout from WS (HTTPS)
            connexioWS_CRM.logoff(URL, idSesion);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
    What's wrong? Any idea?
    Thank you
    Edited by: user12085357 on 31-oct-2009 10:39

  • Java Plugin With Client Cert Auth and Keepalive

    Hi,
    I have a Java Applet that connects to a site requiring client side certificates. The site is running Apache 2.0.54 with a keepalive timeout of 15 minutes. As a result the applet prompts the user for a client side certificate on its initial connection and does not prompt again unless the user has been idle for more than 15 minutes. My problem is that when we try this through our Squid proxy, the Applet prompts the user on virtually every request, making for a very annoying user experience.
    We have played with both Squid 2.4 and 3.0 and tweaked several promising-sounding parameters with no success. Is there something I am missing? I can mail any logs or config files as needed. One clue is that it does seem to work for requests spaced at about 2 seconds or so apart, but not more.
    Thanks for any insights as to what might be happening here.
    Best,
    Seth

    Issue resolved by creating a role with the relevant UME Action permissions. Not entirely sure if this is the best way forward, but it seems to work.
    If anyone has other suggestions, or better ways of doing this, please let me know.
    Thanks

  • Cannot Sync Mails on 3G / iOS4 with Client Cert. iPhone 4 OK, OS 3.1.3 OK

    Hi One and All,
    Our Exchange Server 2007 (published via ISA 2006) requires Client Certificates to Sync. We use the iPhone Configuration Utility to set up the mobileconfig file, and it normally works fine. However, I currently have two iPhones (1x3G and 1x3GS) that cannot access the server via either WLAN or 3G. If I install the same config file on an iPad or an iPhone 4, it works fine. On the 3G and 3GS, it does not even enforce setting the lock code. Going into the mail account results in a "Cannot Connect To Server" error.
    If I use Safari, and navigate to the Active-Sync page "https://myserver.domain.com/Microsoft-Server-ActiveSync/default.eas" it pops up a message that I need a certificate, and to press continue to select a certificate, but it then just hangs with a doughnut, and I have to reboot if I want to use Safari again.
    I have done a Reset All Settings, tried lots of different mobileconfig files, all of which work on the iPad and iPhone4, but not the iPhone 3. Any ideas?

    Actually, I didn't resolve this using the iPhone Configuration Utility.
    This is a new feature in iOS4. For security reasons, if you change the Exchange Profile, you have to reset the phone to factory defaults first, and then it works. According to Apple, this is by design.

  • Issue with re-importing images after using Nik plugins

    Currently, when images are edited in a Nik plug-in and saved back to Aperture, the project folder the image originated in is changed from being organized by "date" to "manual" and then that image is inserted as the first image in that folder. In past versions of Aperture, the image would be placed back into the project folder by date. At the very least I would like to have the control on where that image is placed. And my selection of how that project folder is organized should NEVER change unless asked.
    Is there some hidden setting that can change this behavior?
    Ken

    Unfortunately, this issue was with some of the last versions of Snow Leopard as well. Oh, and for clarification, this happens with HDR efex. Others have commented that the Nik plugin is designed to work this way. Maybe, but I would like a choice where the image is returned. I believe it is a NIk issue but they won't admit it.
    I did try your suggestion, but no luck. This image changed the project folder organization to "manual" and put the image first.
    Ken

  • Please help with Logic Express 7 and using DFH plugin!

    Hey guys, I'm really in a tight spot here as I have no idea how to get my setup working properly. I recently bought an entirely new Imac, Logic Express 7, and a drum plugin called Drumkit From **** Superior (VSTi I believe is the type of plugin they call it). It is supposed to be compatible but I see no way to get it to show up as a plugin. I tried some other programs and it shows up as a plugin and I'm able to get into the interface, but I can't in LE7.
    It is supposed to be compatible as a "rewire" plugin or something like that, but I'm not too sure how to approach that differently, both manuals are very vague.
    Basically, I'm wondering:
    1. How would I go about getting Drumkit From **** Superior to show up as a "plugin" (and what it would be under) if I have to use it a "rewire"?
    2. If I could get it running as a plugin, how would I go about programming a drum part using that "drumkit" in Logic Express?
    Thanks, any help is greatly appreciated.
    -Daniel

    It's a tough one man, I'm actually wanting to go for EZdrummer which I think comes under the same umbrella as DFH, the patch will come to let you upgrade to intel hopefully by September so hold onto that plug in as I think it'll be worth it in the long run. In the mean time do you have any other options to make beats?
    I use Reason 3.0, I sequence my beats using Reason Drum Kits 2.0 and export them as WAV or AIFF files into Logic, do you have anything similar that you can do? Write your beats elsewhere and import into Logic?

  • How to use CLIENT-CERT authentication?

    Hi,
    I would like to know how to use client authentication.
    I used a web application with CLIENT-CERT authentication.
    And I accessed to the application from browser, then I had the following error
    message:
    Incorrect or missing client certificate.
    I used OpenSSL to generate keys.
    Could you tell me the information of the setting?
    Especially, I don't know the entry of CertAuthenticator.
    Could you tell me?
    Regards,
    Kuniaki Hagiwara - HP Japan

    Thank you for your response.
    Yes we have added the client certificate file (.pfx) in the Firefox browser Certificate manager / Store. It's also showing the certificate in the View Certificate window. We could not resolve it yet.

  • Configure Client-cert with ACL in iPlanet

    I need to configure iPlanet with "client-cert" configuration.
    - It works with this setting (in the console) : [Preference] --> [Encryption Preferences] --> "Require client certificates (regardless of access control):" set to "Yes".
    - I have a problem with this setting because all the instance is affected and clients without a certificate can not use other applications under this instance (they receive an "Acces Denied page").
    - It seems I can specify this setting to a specific URL via an ACL but it does not work.
    - Could you confirm I can do that ? If yes, could you precise the configuration of the ACL ?
    I am using iPlanet 4.1 under Solaris 2.8. For information I am using a websphere 4 server with iPlanet. My J2EE application is CLIENT-CERT; that's why I need this setting.
    Thanks !

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • CLIENT-CERT authentication in WL7

    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service. I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?

    Exactly, it was the reason. Thanks.
    Marcin
    On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
    >
    You must have been accessing the server over one-way SSL. Make sure the two-way ssl server attribute is set to: Client Certificate Enforced, or Client Certificate Requested But Not Enforced.
    This should be all that is needed to make the server send the certificate request.
    With Client Certificate Enforced option you should be getting ssl handshake failure unless the client sends its certificate.
    Pavel.
    yazzva <[email protected]> wrote:
    Yes, I have. If I had not done it, I couldn't have accessed the service via https using basic authentication, and of course ssl debugging information and server configuration show that ssl is configured properly.
    The problem is that WL7 doesn't generate client cert request. Thanks for an attempt to help.
    Have you configured the server for two way ssl?
    See
    http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
    http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
    for information on this.
    Pavel.

  • Not responding / crash while using proxy calendar

    Hi
    On one station the GroupWise Client crashes often while using proxy calendars. The user opens a calendar through proxy access and clicks on some entries (days). The error is not reproducible - restarting the client and doing the same clicks won't crash again.
    Most of the crashes report this File: C:\PROGRA~2\Novell\GROUPW~1\gwclu.ocx
    Any help would be nice.
    grpwise.exe 11/16/2014 09:53:31 12.0.3.28451
    - GroupWise Unhandled Exception Report -
    - Generated on 4/1/2015 at 16:50:41 -
    Exception code: C0000005 EXCEPTION_ACCESS_VIOLATION
    Fault Address: 54BF63A8 01:000153A8
    File: C:\PROGRA~2\Novell\GROUPW~1\gwclu.ocx
    File TimeStamp: 11/16/14 09:54:20
    --------------Network----------------------
    Computer Name: PC-75
    User Name: gau
    --------------Hardware---------------------
    Number of Processors: 8
    Processor Type: Intel64 Family 6 Model 30 Stepping 5
    --------------Operating System-------------
    Platform: Windows NT
    Version: 6.1
    Build Number: 7601
    Other Information: S

    In article <[email protected]>, Interbit wrote:
    > Yes, one user, one machine. The machine was completely new installed,
    > still 2-3 isues per Week.
    So this rather points to the user. So the next question is what
    regular preventative maintenance do you have running?
    What I typically set of customers is
    http://www.konecnyad.ca/andyk/gwmnt5x.htm
    If you are already running the contents checks, then look at section of
    the resulting logs for that user to see what errors are showing there.
    Especially of note would be errors that are identical each time as they
    indicate there is something that needs a bit of direct effort.
    Also are there any errors showing in the POA logs that coincide with
    these crashes?
    Is it always the same calendar? Are others proxying into the same
    calendar?
    Andy of
    http://KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya

  • Client-cert sample webapp doesn't work?

    In trying to understand how one can use client certificates with a Java webapp in the WS7, I figured I would start with the sample that comes with WS7 (in samples/java/webapps/security/client-cert). Unfortunately, the sample doesn't seem to work. I can install it just fine, and it runs, but it doesn't do what it is supposed to do. When I access the servlet from my browser, I see the message "Welcome to our Certificate secure zone." Unfortunately, it let me access this page without ever prompting me for a certificate, so it's not actually a certificate secure zone. I double-checked in the access logs to see, and sure enough index.jsp is being delivered to an unauthenticated user.
    When I examine the web.xml deployment descriptor, it's not clear to me that it should work. Here's the web.xml:
    <web-app>
      <display-name>Welcome to Certificate Security Zone</display-name>
      <servlet>
        <servlet-name>clientcert</servlet-name>
        <display-name>clientcert</display-name>
        <jsp-file>/index.jsp</jsp-file>
      </servlet>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>clientcert security test</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
      </login-config>
    </web-app>
    This web.xml seems to imply that the mere presence of a login-config will secure the entire app. The servlet specification seems a bit vague on this point, but since there isn't any auth-constraint in the security-constraint, I don't think the login-config ever applies. I think the login-config only comes into play when a security-constraint requires authentication.
    What am I missing in my understanding of the web.xml?
    What might prevent this simple sample from working properly? Could there be some other ACL or web server setting that overrides?
    Thanks,
    Tom

    If URI is not a protected resource and you want client authentication, you should use server.xml <ssl><client-auth>...</client-auth></ssl> instead of PathCheck line as I told. Value can be set to "required" or "optional".
    However, if URL is a protected resource you DO NOT HAVE to add PathCheck or client-auth element in server.xml.
    After installing client-cert sample application using ant and ant deploy, here is what you have to do to make it work :
    1) Add in http-listener element in instance's server.xml :
       <ssl><enabled>true</enabled></ssl>
    2) Make sure you have a certificate named "Server-Cert" in NSS db in <ws-install-dir>/https-<instance-name>/config or change the certificate name appropriately in server.xml.
    3) To make it a protected resource, web.xml should have :
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
    <web-app>
      <display-name>clientcert</display-name>
      <servlet>
        <servlet-name>clientcert</servlet-name>
        <display-name>clientcert</display-name>
        <jsp-file>/index.jsp</jsp-file>
      </servlet>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/roleprotected/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>TestRoleOne</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-role>
        <role-name>TestRoleOne</role-name>
      </security-role>
    </web-app>
    4) And sun-web.xml should have :
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN" "http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_3-0.dtd">
    <sun-web-app>
    <security-role-mapping>
       <role-name>TestRoleOne</role-name>
       <principal-name>[email protected], CN=Franzl Alpha, UID=alpha, OU=People, O=TestCentral, C=US</principal-name>
    </security-role-mapping>
    </sun-web-app>
    You will be able to access http://<host-name>:<port>/ without sending client certificate from the browser.
    Now create client certificate and import this certificate in your browser.
    Access http://<host-name>:<port>/webapps-certificatebased-security/index.jsp from the browser; the browser should prompt for cert selection (if so configured) and the application should get the certificate.
    P.S. I have tested it. It works for me this way (without adding <ssl><client-auth> or PathCheck directive).
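
The difference between the two descriptors in this thread (a security-constraint with and without an auth-constraint) can be checked mechanically. The following is an added example, not part of the original posts or of the WS7 sample: a small Python audit run on trimmed copies of both descriptors; the function name and finding labels are made up for this example. It goes one step beyond the thread by also flagging constraints that list http-method elements, because under the Servlet specification such a constraint covers only the listed methods.

```python
import xml.etree.ElementTree as ET

# Security elements of the sample descriptor from the question (trimmed).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>clientcert security test</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>certificate</realm-name>
  </login-config>
</web-app>"""

# First constraint of the descriptor given in the answer (trimmed).
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>"""


def _local(tag):
    """Drop an XML namespace so DTD-based and namespaced descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem with the given local name."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Text of every descendant of elem with the given local name."""
    return [(c.text or "").strip() for c in elem.iter() if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return a list of findings (tuples) for one web.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    auth_methods = [m for lc in _children(root, "login-config")
                    for m in _texts(lc, "auth-method")]
    enforcing = 0  # constraints that actually demand an authenticated caller
    for sc in _children(root, "security-constraint"):
        patterns = _texts(sc, "url-pattern")
        if not _children(sc, "auth-constraint"):
            # No auth-constraint: the patterns are served without authentication.
            findings.append(("NO_AUTH_CONSTRAINT", patterns))
            continue
        enforcing += 1
        methods = _texts(sc, "http-method")
        if methods:
            # Only the listed methods are constrained; others (HEAD, OPTIONS, ...)
            # fall outside this constraint.
            findings.append(("METHODS_NOT_COVERED", patterns, sorted(methods)))
    if auth_methods and enforcing == 0:
        # A login-config exists but nothing ever requires a login.
        findings.append(("LOGIN_CONFIG_NEVER_TRIGGERED", auth_methods[0]))
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(name, audit_web_xml(doc))
```
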

  • Downsides of using Proxy servers as a storage enabled node

    Hello,
    We are doing some investigation on proxy server configuration, I read "Oracle coherence recommends it's better to use proxy server as storage disabled".
    can anyone explain downside of using proxy server as a storage enabled node?
    Thanks
    Prab

    It seems that I was wrong with my original answer. The proxy uses a binary pass through mode so that if the proxy and cache service are using the same serialization format (de)serialization is largely avoided.
    However, there are other overhead associated with managing potentially unpredictable client work loads, so using proxy server as storage enable node is still discouraged.
    Thanks,
    Wei
