Presenting a Client Certificate from ACE?

Similar Messages

• Applet does not get client certificate from browser (Firefox, IE7)

  I'm writing a web service which runs Tomcat through Apache. One critical requirement is that the service be able to invoke certain device drivers on the end user's machine. Fortunately, there is a Java API for this, so this requirement can be fulfilled using an applet.
  Here's the problem. This is a B2B application, so we're using SSL and requiring client authentication. I'm no web security guru, but I managed to get SSL set up through Apache (with a self-signed certificate for now; we'll get a real one from a real CA when we're ready to go to production). I also managed to set up client authentication by creating my own CA and generating a client certificate, which I then copied to my test client (Win XPSP2) and imported into both Firefox (2.0.0.15) and IE (6.0.2900). The applet is signed with a real certificate, and that causes no problems. And all of the pages for my web service work as expected.
  All except one. The page which is supposed to load the applet pops a dialog stating 'Identification required. Please select certificate to be used for authentication', and presents a list of zero certificates.
  Actually, I get this dialog in Firefox on my XPSP2 box, and also when I test on a Vista Home Premium box running IE 7.0.6000. Puzzlingly, this behavior does NOT occur on my XPSP2 box when running through IE 6.0. It seems that with XPSP2 and IE 6.0, the JVM can manage to obtain the required client certificate from the browser and pass it along to Apache, but the JVM can't do this when running in Firefox or in IE 7.0 on Vista.
  I have gone to the Java Control Panel and verified that the 'Use certificates and keys in browser keystore' option is selected on both boxes.
  I've done a fair amount of research for this (including in this forum) and see that this appears to be a chronic difficulty with applets. What makes it worse is that I don't think I can use the standard workaround, which is to download the applet from a different host/virtual host, because the applet needs to communicate with the web service. Since we have the additional layer of Tomcat container-managed user authentication, the applet needs to be communicating with the server using the same session token as everything else.
  So at this point, I'm stuck. Does anyone know a solution to this problem? Two thoughts (I'm reaching at straws here):
  1) I have the certificate imported in both Firefox and IE as a 'personal' certificate. Is there someplace else I can put it so the JVM will know how to find it? A rather old thread in this forum mentioned something about setting properties in the Java Control Panel, but I see no place in the JCP to specify such properties, so I'm guessing that solution is no longer operative.
  2) I'm using a trick I found on the internet to make the applet load cleanly with both Firefox and IE, namely, I'm using the <OBJECT> tag to specify the applet class and codebase for IE, and then using <COMMENT><EMBED ... /></COMMENT> within the <OBJECT> declaration to specify the information for Firefox. Is there some other way of doing the markup that will give the JVM a hint that it should get a certificate from the browser?
  BTW . . . I would hate to drop support for Firefox, but if someone has an IE-only solution, I'll take it. Unfortunately, I reckon a Firefox-only solution would not fly.
  Thanks all.

  My applet is also signed by a valid certificate. The question of whether the applet is signed/self-signed/unsigned >isn't an issue --- I just wanted you to make sure the Applet runs because it is a know valid Java2 Applet that is 100% signed properly and verified to run.
  This eliminates the possibility that it is a JVM issue. However after reading your message further I am afraid
  it is not relevant to your issue.
  due to the client authentication, my browser (Firefox, IE7) refuses to even download the applet.
  I went to your site, and I can see your applet in both Firefox and IE6. However, I don't believe your site is set up >quite like mine, because it appears I can run your applet whether I have imported your X509 certificate or not. What I >did was:If that is true we are all dead :) No I think you just missed the cert in the IE databse. It doesn't have to be in the
  Applet database to function. Surprise!
  Check your IE/tools/internet options/content tab/certificates/trusted root certification authorities.
  I then opened the Java control panel and verified that the certificate isn't listed there, either. So unless the certificate >is being cached/read from some other location (which could be, this certificate stuff is largely black magic to me), >then your server isn't requiring client authentication, either accidentally or by design.No HyperView is a valid java2 Applet and actually writes to a file "hyperview.dat" though it is probably empty.
  If you click on a component in the view and then on the view and type "dumpgobs" it shoud write out some data about the current graphics objects so you can see it has complete read/write access..
  Further it opens up a complete NIO server ands starts listening for connections on a random port
  (Echoed in your java console) You can connect to it with telnet and watch impressive ping messages all day :)
  This all goes back to a few years BTW back before there was a plugin and there was only Netscape & IE.
  There are actually 2 certificate databases and what loads where depends on which type of cert you are using. Now self signed or not doesn't matter but what does matter is the type of certificate. IE: is it RSA/DSA/Sha1
  etc. The Netscape DB was a Berkley DB and MS used whatever they use. The Cert is a DSA/Sha1 cert
  which I like the best ATM as it (X fingers it stays so) always has worked.
  Sadly that tidbit doesn't help you either I am afraid.
  What I'm trying to do is require client authentication through Apache by including the following markup in a virtual >host definition:
  SSLCACertificateFile D:/Certificates/ca.crt
  SSLVerifyClient require
  SSLVerifyDepth 1You got me there I avoid markup at all costs and only code in C java and assembler :)
  Now unless I am wrong I think you are saying that you want the Applet to push the certificate to the server
  automatically and I don't think this happens. Least I have never heard of this happening from an Applet automatically.
  On my client machine, I have a certificate which was generated using OpenSSL and the ca.crt file listed. Testing >shows that the server is requiring a certificate from the client, and the web browser is always providing it.
  The problem is that when the browser fires up the Java plugin to run an applet, there is not sufficient communication >between the browser and the plugin so that the plugin can obtain the certificate from the browser and provide it to >the server.
  So the server refuses to send the applet bytecode to the JVM, and we're stuck.In terms of implementation ease I think you may have the cart before the horse because I think it would be far easier to run an Applet in the first place to do the authentication, and then send, for example, a jar file to bootstrap and run
  (or some classes) in the event the connection is valid. Then again one never knows it all and there may be some classes which enables the plugin as you wish. I have never heard of this being done with the plugin the way you suggest.
  I am thinking maybe there is another method of doing this I do not know.
  Did you try pushing the cert via JavaScript/LIveConnect?? That way it could run before the Applet and do the authentication.
  Maybe someone else has other ideas; did you try the security forum??
  Sorry but I am afraid that is not much help.
  I did snarf this tidbit which may have some relevance
  The current fix for this bug in Mantis and 1.4.1_02 is using JSSE API, Here are the step:
  In Java control panel, Advanced tab -> Java Runtime Parameters, specify:
  -Djavax.net.ssl.keyStore=<name and path to client keystore file>
  -Djavax.net.ssl.keyStorePassword=<password to access this client keystore file>
  If it is a PKCS12 format keystore, specify:
  -Djavax.net.ssl.keyStoreType=PKCS12
  In our future JRE release 1.5, we will create our own client authentication keystore file for JPI and use that for client authentication, for detail info, please see RFE 4797512.
  Dennis
  Posted Date : 2005-07-28 19:55:50.0Good Luck!
  Sincerely:
  (T)
  Edited by: tswain on 23-Jul-2008 10:07 AM

• HTTPS request signed by client certificate from PL/SQL procedure

  Hi All, please help.
  The PL/SQL procedure connects to different web services, using both HTTP/HTTPS, for HTTPS sever certificates were used. Everything was OK.
  The next service requires client to sign requests with client certificate. I made the client certificate, sign it by CA, store it in Wallet Manager.
  Is here the possibility to send signed HTTPS request from PL/SQL?
  If not, how to do it using Java and encapsulate for PL/SQL?
  Please answer ASAP!!!

  It is pretty straight-forward to make HTTPS requests with UTL_HTTP.
  To do so, you first need to create an Oracle wallet on the database server host with Oracle Wallet Manager. If your database resides on Windows, I believe a short-cut has been created in the Windows menu. On Linux, it can be invoked from $ORACLE_HOME/bin/owm.
  Once the wallet is created, you need to make an additional call to utl_http.set_wallet(<wallet-directory>, <wallet-password>) before any utl_http.request or utl_http.begin_request calls. The <wallet-directory> is the wallet directory where you will find the cwallet.sso and/or ewallet.p12 files, using the format "file:/<wallet-directory>". For example:
  utl_http.set_wallet('file:/home/oracle/wallets/my_wallet/', '123456');
  When an Oracle wallet is created, it is pre-populated with common certificate authorities' certificates (e.g. Verisign). In the event that the server certificate of the HTTPS host is not signed by one of those common certificate authorities, you need to import the additional certificate authority's certificate in your wallet using Oracle Wallet Manager.

• Applet won't get client certificate from browser

  Hi,
  We have an applet that runs fine as long as we don't have the web server require a client certificate. This applet runs inside a protected Intranet with a standard client JRE version 1.4.2 The rules of the intranet state that client certificates are required. So we registered our certificates with the JRE plug in in the browser and NaDa...
  I have read all sorts of things out there on the web that says the end user must register a personal Keystore and then we must code the applet to look into the end user's keystore for the certificate and the user must type in their personal password for the keystore into some sort of a form for the applet to read the keystore certificate.
  This sounds illogical and I strongly suspect that I am mis-interpreting what is being said...
  Can anyone help me understand what I am missing? (or perhaps point to a tutorial that has some better info in it...) I have looked at the Sun Java tutorial for applets didn't see any specific info regarding this type of problem- solution.
  Thanks for any pointers or suggestions you might have.
  JpGuy

  Hi,
  We have an applet that runs fine as long as we don't have the web server require a client certificate. This applet runs inside a protected Intranet with a standard client JRE version 1.4.2 The rules of the intranet state that client certificates are required. So we registered our certificates with the JRE plug in in the browser and NaDa...
  I have read all sorts of things out there on the web that says the end user must register a personal Keystore and then we must code the applet to look into the end user's keystore for the certificate and the user must type in their personal password for the keystore into some sort of a form for the applet to read the keystore certificate.
  This sounds illogical and I strongly suspect that I am mis-interpreting what is being said...
  Can anyone help me understand what I am missing? (or perhaps point to a tutorial that has some better info in it...) I have looked at the Sun Java tutorial for applets didn't see any specific info regarding this type of problem- solution.
  Thanks for any pointers or suggestions you might have.
  JpGuy

• How do I get the client certificate from the request

  We are on Netweaver 2004 using the SAP webdispatcher (end-to-end). I need to do an OCSP validation, I have all of the code I need for the OCSP portion.  What I need is the X509Certficate that came from the client.  Is this stored in the request object, session? How do I get it?
  Thanks.

  Hi Joseph,
  I think the question is which component terminates the SSL connection. It could be an upfront load balancer or the WebAS itself. The former could write the certificate into a request header vairable,  while the latter will create a J2EE standard request attribute: javax.servlet.request.X509Certificate
  I never did it with the web dispatcher, but you can try the following:
  X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
  HTH
  Daniel

• Roll out client certificate from Windows

  Hi,
  We have recently begun using Macs in our Windows Enviroment and are having problems with our wireless. It is 802.1x with Network Policy Server as RADIUS. To connect you need correct user credentials and machine certificate that is rolled out through GPO.
  Is there a way to roll out the certificate to our Macs also? If it's necessary to connect them to our domain, that isn't a problem.
  The Macs are running Mountain Lion or Mavericks.
  //Robert

  You can use the Profile Manager feature of OS X Server, and create a profile that retrieves a certificate via SCEP or RPC from your CA.  This profile can then be downloaded or pushed to Mac clients that are enrolled in the profile manager.

• How to exctract/backup a client certificate from Firefox for Android similar to question #1000240 but for the latest Firefox Beta for Android?

  As in #1000240 and in #1032181, I've installed a StartSSL login certificate in my Firefox for Android and having a problem with extracting/backuping it to use with another device/browser.
  I'm using the latest Firefox Beta for Android (35.0) at present; the Android version is 4.1.2, my phone model is Sony LT26i (Xperia S), so neither of the aforementioned questions asked at the Mozilla Support website do not contain any solution to the given problem.
  Any chance to recover the certificate?
  P. S. I haven't rooted my device; if getting a root is the only possible way to recover the certificate, I may consider doing so.

  You can try https://addons.mozilla.org/en-US/android/addon/copy-profile/ If that does not retrieve the file then see below.
  If you know the name and path of the file you can get it using run-as function of adb. See http://stackoverflow.com/questions/18471780/android-adb-retrieve-database-using-run-as
  If you end up down here you'll need root to be able to navigate the file system. I don't know the file name, though it is likely in your profile folder which can be determined by visiting about:cache in the Firefox address bar. It will be similar to /data/data/org.mozilla.firefox_beta/files/mozilla/$RANDOM.default/

• Optional Client Certificate

  I have problems to access a web site which asks for an optional client certificate. That means if browser presents a client certificate user will be an authenticated user, if not user is handled as guest user.
  iOS Safari does nothing if no client certificate is installed and does not show web site, furthermore no error is shown.
  Expected behaviour: Safari should not present a client certificate and show website w/o client certificate if web site does not send an 4xx or TLS error.

  Hi Alfred and Kristian,
  You can't do what you would like right now.
  My understanding is that you would like some functionality like this:
  "WebApp A" demands 2 way SSL (mutual Auth) while
  "WebApp B" is content with 1 way auth ("regular" ssl where only the server
  authenticates itself to the client)
  Unfortunately 2 way ssl cannot be specified on a per-web application basis at
  this time. It is "all or nothing."
  Hopefully you can find another solution to the problem you are faced with.
  Cheers,
  Joe Jerry Jerista
  Alfred Hiebl wrote:
  Hi,
  We are having the same problem in our project. I hope that someone from BEA
  can answer this question.
  Alfred
  "Leif Kristian Vadseth" <[email protected]> schrieb im
  Newsbeitrag news:[email protected]..
  I've asked for more information about this before, but not been given any
  answer. However, optimistic as I am, I'll give it another try:
  I would like to be able to configure the SSL protocol on the SAME WLS (v.
  6.1) so that DIFFERENT web applications can be configured either to demand
  mutual authentication (two-way SSL) or "server authentication" (one-waySSL,
  the server is authenticating itself to the client).
  Is this possible??? Is there any way that I programatically from a servlet
  can demand that the client shows his/hers certificate?
  Kristian Vadseth

• 2-way SSL and access control using the client certificate

  Hi,
  I'd like to configure WLS 8.1 so that the server will use the client identity extracted from the client certificate to determine whether permissions should be granted. I am having some problems.
  Details: The client can be either a Web service or a web application. The steps for authentication and authorization should be:
  - The client sends a request to an Apache server (DMZ) which will then be forwarded to WLS.
  - The client's identity, common name from the X.509 certificate, is mapped to the "username" (using WLS default identity assertion provider).
  - Validate whether the client should be trusted (via the list in the trusted credentials)
  - Check whether the resource should be granted based on the "username".
  The on-line manual says
  "If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires that the Web browser or Java client have an identity."
  "The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource. For information on configuring users on the server, see Creating Users in Managing WebLogic Security."
  So the questions I have are:
  - If the client identity is certificate based, why should we configure users with the "user name" and "password"? How can we get around it?
  - Once I defined the security condition for my app to use "user name of the caller," a default username and password prompt automatically popped up.
  Apparently, the SSL mutual authentication configuration and the default authentication provider to use the X.509 type didn't take any effect.
  - Without defining the security policy for the application, the debugging messages show that
  getRoles(): input arguments: subject:0
  Entitlement - <Role:Annonymous with expr:Grp(everyone)>
  Any suggestions? Thanks.

  Hi,
  I am trying to use 2 way ssl using webservices client , here is my code :
  AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
  SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
  // clientCredentialFile stores in PEM format the public key and
  // all the CAs associated with it + then the private key. All this in // a concatenated manner
  FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
  // private key password
  String pwd = "password";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
  adapter.setStrictCheckingDefault(false);
  factory.setDefaultAdapter(adapter);
  factory.setUseDefaultAdapter(true);
  boolean idAvailability = false;
  UNSLocator locator = new UNSLocator();
  URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
  UNSPort unsprt = locator.getUNSPort(portAddress);
  idAvailability = unsprt.isIDAvailable("Yulin125", "C");
  System.out.println("Got from method :"+idAvailability);
  After runing this code i am getting the following exception :
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
  faultSubcode:
  faultString: java.net.SocketException: Software caused connection abort: socket write error
  faultActor:
  faultNode:
  faultDetail:
  I am using .pem (clientsigned,clientinter,clientroot, root-key) files for client authentication and i am using server.jks as a keystore for my server authentication.Once i run this code , i am able to present the server certificate chain to the client but i am not able to present the client certificate chain to server.
  I am stuck with for quite sometime.
  Some insight needed from the guru's

• Case insensitive search on subject name to retrieve a certificate from key chain.

  Hi,
  I need to find the client certificate from key chain based on the subject name.
  Currently, I am using attribute kSecLabelItemAttr and providing the subject name to create the attribute list for the API "SecKeychainSearchCreateFromAttributes" which gives the certificate.
  Problem: This certificate search is case sensitive for the subject name.
  Question: Is there a way to do a case insensitive search on a subject name to get a certificate on snow leopard? I found the attribute "kSecMatchCaseInsensitive" which works with key "kSecClassCertificate" in the API "SecItemCopyMatching", but the key kSecClassCertificate is only available for 10.7 and later.
  https://developer.apple.com/library/mac/#documentation/Security/Reference/keycha inservices/Reference/reference.html#//apple_ref/doc/uid/TP30000898-CH4g-SW7
  Any help is highly appreciated.
  Thanks!

  I think there is issue with your logon trigger :
  "IF ((USER = 'MyAppUSER') OR(USER = 'MyAppREPORTINGUSER')) THEN"
  it should be :
  IF UPPER(USER) = 'MYAPPUSER' OR UPPER(USER) = 'MYAPPREPORTINGUSER' THEN
  because user name stored in Upper case. Check and try.
  HTH
  Girish Sharma

• Webdav using Client Certificates

  Hello all
  Finder (10.5.6) seems not to be able to use Webdav with client certificates. Especially in conjunction with Alfresco Share this would be nice.
  Any ideas?
  Pascal.

  Hi,
  > have a question, if we use this mechansim do we have to mainatin User's cerificate in user master or >this is not needed as we are accepting the connection from the intermediary server which is trusted by >the J2EE engine.
  I think it depends from your Biller Direct application.
  In my company we use Rosettanet B2B with SAP XI and have this setup :
  Internet -- https --> Apache -- https --> Web dispatcher -- https --> SAP J2EE PI
  The client certificate from the B2B partner is sent up to SAP PI and we did not have to set the certificate in the user mast.
  We did have to import the certificate in the J2EE keystore and to configure the Rosettanet connector.
  Regards,
  Olivier

• What is the option client certificate for user authentication used for?

  Hi All,
  I have to work on a FTPS - XI -SAP scenario.
  I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. what exactly is this option used for?
  P.S: I went through sap help but couldnt quite understand.

  Thanks a lot Mark.
  So for a FTPS -> XI -> SAP scenario the following settings are required.
  1. I have to create a certificate in Visual Admin for the XI server , send a csr to a CA and get it signed by them, and i have to add this to the ssl_service view.
  2. I have to hand over the public key to the FTPS server & this key will be used for encryption of the file
  the above 2 steps are mandatory.
  If i choose to use the client certificate option , i have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
  Will this certificate be used for encryption?
  To make it clear let me put it this way. The certificate created in the XI Server is used for encryption and also for ascertaining that the its what it claims to be.
  The clients certificate option is used only to make sure that the client is what its claiming to be & this is not used for encryption?

• UTL_HTTP and client certificate request

  I am hoping that someone can help me. We have a web site that we need to hit and pull the html code back from the pages and we have the code to get what we need but the website now has an option where it requests a client certificate from a user for authentication or if you cancel the request it will then ask you for username and password. I cannot figure out how to submit a cancel on the client certificate request so that my application can submit the username and password authentication. Does anyone have an idea or example to do this? Also if you submit a bad certificate it will prompt you for authentication. So if someone knows how to submit client certificates that would be helpful as well.
  Thanks in advance.

  I've never faced this issue but you might want to look at using UTL_TCP rather than UTL_HTTP.
  http://www.psoug.org/reference/utl_tcp.html

• Where/How do I install my client certificates to enable access to my company email??

  To access my military Web Outlook for unit email, I need to install my client certificates from my CAC card similar to what I do in Internet Explorer. Can't find anything similar in Firefox.

  Here I found some people with your same problem:
  http://support.mozilla.org/questions/752709
  http://support.mozilla.org/questions/785004
  http://support.mozilla.org/questions/845783

• Verisign Client Certificate Request

  Hi,
  Can anyone let me know how to request for Client Certificate (for example an X.509 certificate) to Verising for using SSL.
  I have seen most of the SAP Help/SDN and other stuff.
  I am unable to get the particular link how to request this SSL Client certificate to external trusted CA -  Verisign.
  Any help would be appreciated.
  Regards,
  Karthick Eswaran

  Hello Karthik,
                        Here is the link using which you can request for a standard SSL client certificate from verisign. But you need approval from your company and your comapny should be registered with Verisign.
  https://certmanager.verisign.com/mcelp/enroll/enroll?application_locale=en_US&jur_hash=40ecf02e370a3010daa47630cf62b996&certProductType=Server&sid=1211481933554
  Sai Kondapi.