Proxy https connection with client certificate credentials

Hello, we are building an application like netvibes/iGoogle which allows users to have portlets with RSS feeds in them. The portlets are all loaded using ajax and therefore the RSS feeds must exist on the same domain as the portal. If they don't, you run into problems with cross-domain security issues with ajax. Usually, to get around this, you just proxy the connection on the server, which is very simple with RSS feeds that are exposed via http. We, however, have many feeds that are exposed via https. These feeds likely require a client certificate to authenticate them. Therefore, just doing a basic proxy (take the distant URL and open a new connection on the server) won't work, because it will build the new connection with the server's credentials and not the user's.
Is there a way to build the connection on the server using the user's credentials? How can we proxy this connection over https?
If anyone has ideas, please let me know.
Thanks!

In fact, you are using a reverse proxy more than a proxy, since it is on the server side.
You have to put all the SSL server part on the reverse proxy itself and not on the final RSS feed. Then the reverse proxy will authenticate your client and get its certificate. After that, either this proxy will open a plain connection (no SSL) towards the RSS feed, or you can also open an SSL connection, but this means you must create a client certificate for the proxy. It just depends on the security level you need, and I used this solution many times in professional hosting.
Hope it helps!
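
The layout described in the answer above, written as an nginx reverse-proxy configuration. This is an added example, not part of the original posts; the host names, file paths, location prefixes and the `X-Client-*` header names are placeholders chosen for illustration.

```nginx
# Added illustration. All host names, paths and header names are placeholders.
server {
    listen 443 ssl;
    server_name portal.example.com;

    # The TLS server side lives on the reverse proxy, not on the feed.
    ssl_certificate     /etc/nginx/tls/portal.crt;
    ssl_certificate_key /etc/nginx/tls/portal.key;

    # The proxy authenticates the user: the handshake fails unless the
    # browser presents a certificate that chains to this CA.
    ssl_client_certificate /etc/nginx/tls/user-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Option 1 from the answer: plain HTTP from the proxy to the feed.
    # Only suitable when this hop stays on a trusted internal network.
    location /feeds/plain/ {
        proxy_pass http://feeds.internal.example:8080/;

        # proxy_set_header replaces any value the browser sent under the
        # same name, so the backend only sees what the proxy verified.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }

    # Option 2 from the answer: TLS from the proxy to the feed, with the
    # proxy presenting its OWN client certificate. The feed therefore sees
    # the proxy's identity, never the user's certificate; the user's
    # identity travels only in the headers below.
    location /feeds/tls/ {
        proxy_pass https://feeds.internal.example:8443/;

        proxy_ssl_certificate     /etc/nginx/tls/proxy-client.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/proxy-client.key;

        # Verify the feed server's certificate on the upstream hop too.
        proxy_ssl_trusted_certificate /etc/nginx/tls/feed-ca.crt;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_server_name         on;

        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }
}
```

In both variants the feed has to accept the identity headers only from the proxy (network restriction in option 1, the proxy's client certificate in option 2), because anything that can reach the feed directly could otherwise set them itself.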

Similar Messages

  • HTTPS connection with client certificate not working in Spartan

    Spartan does not show certificate for the user to select
    when I click the https link.
    The certificates (taken from a smartcard) are indeed present in the user CertStore.
    It works with IE 11 and Chrome.
    Does anybody have any suggestions?
    Thanks.


  • Mac RDP Client (v8.0.10 on 10.10.1): HTTPEndPointException: 4, The non-proxy http connection failed to connect with the message: 404 Not Found

    My office is setting up a new gateway server.  I can connect to the old one just fine, but the new one is not allowing me to connect.  I can connect from my Windows VM, but not my Mac Client.  
    This is the log:
    [2014-Nov-26 16:09:10] RDP (0): Final rdp configuration used: gatewayhostname:s:gat1.gibbscam.com
    screen mode id:i:0
    use multimon:i:0
    session bpp:i:24
    full address:s:dev-JeremyS2.gibbs.local
    audiomode:i:2
    username:s:Gibbs\JeremyS
    disable wallpaper:i:0
    disable full window drag:i:0
    disable menu anims:i:0
    disable themes:i:0
    alternate shell:s:
    shell working directory:s:
    authentication level:i:2
    connect to console:i:0
    gatewayusagemethod:i:1
    disable cursor setting:i:0
    allow font smoothing:i:1
    allow desktop com
    redirectprinters:i:0
    bookmarktype:i:3
    use redirection server name:i:0
    [2014-Nov-26 16:09:10] RDP (0): --- BEGIN INTERFACE LIST ---
    [2014-Nov-26 16:09:10] RDP (0): lo0 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): lo0 af=30 (AF_INET6)  addr=::1 netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    [2014-Nov-26 16:09:10] RDP (0): lo0 af=2 (AF_INET)  addr=127.0.0.1 netmask=255.0.0.0
    [2014-Nov-26 16:09:10] RDP (0): lo0 af=30 (AF_INET6)  addr=fe80::1%lo0 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:10] RDP (0): gif0 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): stf0 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): en0 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): en1 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): en1 af=30 (AF_INET6)  addr=fe80::1240:f3ff:fe97:e0b2%en1 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:10] RDP (0): en1 af=2 (AF_INET)  addr=192.168.0.5 netmask=255.255.255.0
    [2014-Nov-26 16:09:10] RDP (0): en1 af=30 (AF_INET6)  addr=2605:e000:63c2:f800:1240:f3ff:fe97:e0b2 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:10] RDP (0): en1 af=30 (AF_INET6)  addr=2605:e000:63c2:f800:65fb:7056:64eb:4363 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:10] RDP (0): fw0 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): en2 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): p2p0 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): bridge0 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): utun0 af=18  addr= netmask=
    [2014-Nov-26 16:09:10] RDP (0): utun0 af=30 (AF_INET6)  addr=fe80::ec38:250a:2a5d:3618%utun0 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:10] RDP (0): utun0 af=30 (AF_INET6)  addr=fd68:4c46:7658:e98e:ec38:250a:2a5d:3618 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:10] RDP (0): --- END INTERFACE LIST ---
    [2014-Nov-26 16:09:10] RDP (0): correlation id: d8afdeb7-ce3a-ceff-a6e8-51a5d5b40000
    [2014-Nov-26 16:09:10] RDP (0): Protocol state changed to: ProtocolConnectingNetwork(1)
    [2014-Nov-26 16:09:15] RDP (0): Exception caught: Exception in file '../../librdpclient/asiosocketendpoint.cpp' at line 521
        User Message : Unable to connect to remote PC. Please provide the fully-qualified name or the IP address of the remote
    PC, and then try again.
    [2014-Nov-26 16:09:15] RDP (0): Protocol state changed to: ProtocolDisconnecting(7)
    [2014-Nov-26 16:09:15] RDP (0): Protocol state changed to: ProtocolDisconnected(8)
    [2014-Nov-26 16:09:15] RDP (0): ------ END ACTIVE CONNECTION ------
    [2014-Nov-26 16:09:15] RDP (0): --- BEGIN INTERFACE LIST ---
    [2014-Nov-26 16:09:15] RDP (0): lo0 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): lo0 af=30 (AF_INET6)  addr=::1 netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    [2014-Nov-26 16:09:15] RDP (0): lo0 af=2 (AF_INET)  addr=127.0.0.1 netmask=255.0.0.0
    [2014-Nov-26 16:09:15] RDP (0): lo0 af=30 (AF_INET6)  addr=fe80::1%lo0 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:15] RDP (0): gif0 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): stf0 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): en0 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): en1 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): en1 af=30 (AF_INET6)  addr=fe80::1240:f3ff:fe97:e0b2%en1 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:15] RDP (0): en1 af=2 (AF_INET)  addr=192.168.0.5 netmask=255.255.255.0
    [2014-Nov-26 16:09:15] RDP (0): en1 af=30 (AF_INET6)  addr=2605:e000:63c2:f800:1240:f3ff:fe97:e0b2 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:15] RDP (0): en1 af=30 (AF_INET6)  addr=2605:e000:63c2:f800:65fb:7056:64eb:4363 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:15] RDP (0): fw0 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): en2 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): p2p0 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): bridge0 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): utun0 af=18  addr= netmask=
    [2014-Nov-26 16:09:15] RDP (0): utun0 af=30 (AF_INET6)  addr=fe80::ec38:250a:2a5d:3618%utun0 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:15] RDP (0): utun0 af=30 (AF_INET6)  addr=fd68:4c46:7658:e98e:ec38:250a:2a5d:3618 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 16:09:15] RDP (0): --- END INTERFACE LIST ---
    [2014-Nov-26 16:09:15] RDP (0): correlation id: 3d81bcf6-8d0e-fba8-b75e-bd2a247c0000
    [2014-Nov-26 16:09:15] RDP (0): Protocol state changed to: ProtocolConnectingNetwork(1)
    [2014-Nov-26 16:09:15] RDP (0): Resolved 'gat1.gibbscam.com' to '12.167.61.34' using NameResolveMethod_DNS(1)
    [2014-Nov-26 16:09:15] RDP (0): Resolved 'gat1.gibbscam.com' to '12.167.61.34' using NameResolveMethod_DNS(1)
    [2014-Nov-26 16:09:15] RDP (0): Exception caught: Exception in file '../../librdp/private/httpendpoint.cpp' at line 305
        User Message : HTTPEndpointException: 4, The non-proxy http connection failed to connect with the message: 404 Not
    Found
    [2014-Nov-26 16:09:15] RDP (0): Protocol state changed to: ProtocolDisconnecting(7)
    [2014-Nov-26 16:09:15] RDP (0): Protocol state changed to: ProtocolDisconnected(8)
    [2014-Nov-26 16:09:16] RDP (0): ------ END ACTIVE CONNECTION ------
    And here's a log for server that I can connect to:
    [2014-Nov-26 15:52:20] RDP (0): Final rdp configuration used: gatewayhostname:s:gato.gibbscam.com
    screen mode id:i:0
    use multimon:i:1
    session bpp:i:24
    full address:s:dev-JeremyS2.gibbs.local
    audiomode:i:2
    username:s:Gibbs\JeremyS
    disable wallpaper:i:0
    disable full window drag:i:0
    disable menu anims:i:0
    disable themes:i:0
    alternate shell:s:
    shell working directory:s:
    authentication level:i:2
    connect to console:i:0
    gatewayusagemethod:i:1
    disable cursor setting:i:0
    allow font smoothing:i:1
    allow desktop com
    redirectprinters:i:0
    bookmarktype:i:3
    use redirection server name:i:0
    [2014-Nov-26 15:52:20] RDP (0): --- BEGIN INTERFACE LIST ---
    [2014-Nov-26 15:52:20] RDP (0): lo0 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): lo0 af=30 (AF_INET6)  addr=::1 netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    [2014-Nov-26 15:52:20] RDP (0): lo0 af=2 (AF_INET)  addr=127.0.0.1 netmask=255.0.0.0
    [2014-Nov-26 15:52:20] RDP (0): lo0 af=30 (AF_INET6)  addr=fe80::1%lo0 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:20] RDP (0): gif0 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): stf0 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): en0 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): en1 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): en1 af=30 (AF_INET6)  addr=fe80::1240:f3ff:fe97:e0b2%en1 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:20] RDP (0): en1 af=30 (AF_INET6)  addr=2605:e000:63c2:f800:1240:f3ff:fe97:e0b2 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:20] RDP (0): en1 af=30 (AF_INET6)  addr=2605:e000:63c2:f800:d111:af1b:b193:8d4e netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:20] RDP (0): en1 af=2 (AF_INET)  addr=192.168.0.5 netmask=255.255.255.0
    [2014-Nov-26 15:52:20] RDP (0): fw0 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): en2 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): p2p0 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): bridge0 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): utun0 af=18  addr= netmask=
    [2014-Nov-26 15:52:20] RDP (0): utun0 af=30 (AF_INET6)  addr=fe80::ec38:250a:2a5d:3618%utun0 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:20] RDP (0): utun0 af=30 (AF_INET6)  addr=fd68:4c46:7658:e98e:ec38:250a:2a5d:3618 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:20] RDP (0): --- END INTERFACE LIST ---
    [2014-Nov-26 15:52:20] RDP (0): correlation id: 3bea4411-4b23-c197-9b52-63f948a10000
    [2014-Nov-26 15:52:20] RDP (0): Protocol state changed to: ProtocolConnectingNetwork(1)
    [2014-Nov-26 15:52:25] RDP (0): Exception caught: Exception in file '../../librdpclient/asiosocketendpoint.cpp' at line 521
        User Message : Unable to connect to remote PC. Please provide the fully-qualified name or the IP address of the remote
    PC, and then try again.
    [2014-Nov-26 15:52:25] RDP (0): Protocol state changed to: ProtocolDisconnecting(7)
    [2014-Nov-26 15:52:25] RDP (0): Protocol state changed to: ProtocolDisconnected(8)
    [2014-Nov-26 15:52:25] RDP (0): ------ END ACTIVE CONNECTION ------
    [2014-Nov-26 15:52:25] RDP (0): --- BEGIN INTERFACE LIST ---
    [2014-Nov-26 15:52:25] RDP (0): lo0 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): lo0 af=30 (AF_INET6)  addr=::1 netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    [2014-Nov-26 15:52:25] RDP (0): lo0 af=2 (AF_INET)  addr=127.0.0.1 netmask=255.0.0.0
    [2014-Nov-26 15:52:25] RDP (0): lo0 af=30 (AF_INET6)  addr=fe80::1%lo0 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:25] RDP (0): gif0 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): stf0 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): en0 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): en1 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): en1 af=30 (AF_INET6)  addr=fe80::1240:f3ff:fe97:e0b2%en1 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:25] RDP (0): en1 af=30 (AF_INET6)  addr=2605:e000:63c2:f800:1240:f3ff:fe97:e0b2 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:25] RDP (0): en1 af=30 (AF_INET6)  addr=2605:e000:63c2:f800:d111:af1b:b193:8d4e netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:25] RDP (0): en1 af=2 (AF_INET)  addr=192.168.0.5 netmask=255.255.255.0
    [2014-Nov-26 15:52:25] RDP (0): fw0 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): en2 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): p2p0 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): bridge0 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): utun0 af=18  addr= netmask=
    [2014-Nov-26 15:52:25] RDP (0): utun0 af=30 (AF_INET6)  addr=fe80::ec38:250a:2a5d:3618%utun0 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:25] RDP (0): utun0 af=30 (AF_INET6)  addr=fd68:4c46:7658:e98e:ec38:250a:2a5d:3618 netmask=ffff:ffff:ffff:ffff::
    [2014-Nov-26 15:52:25] RDP (0): --- END INTERFACE LIST ---
    [2014-Nov-26 15:52:26] RDP (0): correlation id: 509122b5-d9b1-60f0-a0ac-b75a8dc20000
    [2014-Nov-26 15:52:26] RDP (0): Protocol state changed to: ProtocolConnectingNetwork(1)
    [2014-Nov-26 15:52:26] RDP (0): Resolved 'gato.gibbscam.com' to '12.167.61.35' using NameResolveMethod_DNS(1)
    [2014-Nov-26 15:52:26] RDP (0): Resolved 'gato.gibbscam.com' to '12.167.61.35' using NameResolveMethod_DNS(1)
    [2014-Nov-26 15:52:26] RDP (0): Protocol state changed to: ProtocolNegotiatingCredentials(2)
    [2014-Nov-26 15:52:27] RDP (0): Protocol state changed to: ProtocolConnectingRDP(3)
    [2014-Nov-26 15:52:27] RDP (0): Protocol state changed to: ProtocolInactive(4)
    [2014-Nov-26 15:52:28] RDP (0): Server supports RAIL
    [2014-Nov-26 15:52:28] RDP (0): Protocol state changed to: ProtocolActive(5)
    [2014-Nov-26 15:52:29] RDP (0): Server hides cursor
    [2014-Nov-26 15:52:31] RDP (0): Server shows cursor
    [2014-Nov-26 15:52:35] RDP (0): Protocol state changed to: ProtocolDisconnecting(7)
    [2014-Nov-26 15:52:35] RDP (0): Protocol state changed to: ProtocolDisconnected(8)
    [2014-Nov-26 15:52:35] RDP (0): ------ END ACTIVE CONNECTION ------
    Any suggestions on what I can ask my IT department to change on the server so I can connect would be greatly appreciated. 

    Hi Jeremy,
    Thank you for posting in Windows Server Forum.
    From the error and the rest of the description, it seems that there is some misconfiguration in the setup. You need to provide the FQDN of the server, as the server name might not be resolving properly, which would cause the issue. This can be seen in the details below:
    [2014-Nov-26 15:52:20] RDP (0): Final rdp configuration used:gatewayhostname:s:gato.gibbscam.com
    screen mode id:i:0
    use multimon:i:1
    session bpp:i:24
    full address:s:dev-JeremyS2.gibbs.local
    The configuration used and the full address name appear to be different, so please verify the configuration accordingly.
    Please check the DNS record, check whether the FQDN of the server matches the certificate name, and also try to connect with the IP address and see what result you get.
    You can follow the guides below to configure RD Gateway and then verify the result.
    1. Deploying Remote Desktop Gateway RDS 2012
    2. How To Work with RD Gateway in Windows Server 2012
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • How to invalidate the client part of a HTTPS Session with client auth

    Hi to everybody here,
    I'm having an issue with HTTPS and client authentication, related to how the SSL handshake works and the behavior of the client browser. I hope you can help.
    I'm setting up a web application that asks for a valid session in order to allow access to the application. If the user has no valid session, he's redirected to the login form, and if the auth process is OK, the user gets a session and is redirected again to the secured pages.
    We are in the process of creating a new login service with client certificates, so the user identifies himself with a certificate valid on the application server.
    We have an application server with a secure listener on port 8443. It's configured to request client certificates so we can access the certificate, validate it and create a session for the user automatically. The user just types his PIN code in the browser, no passwords at all. This process is working and sessions are created. The problem comes up when we try to log the user out.
    We invalidate the session using a logout.jsp, but if the user goes to the secured pages again, we have observed that the authentication takes place automatically and the user can see the secured pages, so he thinks the logout.jsp doesn't work.
    My questions are: can we delete or modify the SSL state in the client browser in order to reset the https connection established with our application server? Are there any other ways to avoid this behavior?
    Thanks in advance.
    Miss.

    An end user presents a certificate from a CAC for authentication to our website.
    They pick the cert off the inserted CAC and submit it, and get logged into the application successfully.
    The user removes the card from the reader and the SSO session times out.
    In the same browser the user clicks log in with CAC and is not prompted for the cert this time; the browser just goes ahead and presents the cached cert even though the card is no longer in the reader. The user logs in successfully.
    The desired behavior would be to prompt the user for a cert again, obviously.
    I am wondering how to turn this off as well.

  • Configuring Sender HTTPS Connection -- Server/Client Authentification

    Hello together,
    I need to configure an HTTPS Sender Connection with client and server authentication. I have already checked the documentation; however, I am still not sure about the particular steps. My questions are as follows:
    - Do I configure the HTTPS connection on the ABAP or JAVA stack?
    - Is it necessary to set up an HTTP sender communication channel?
    - What does the URL look like (compared to an HTTP connection)?
    I have provided XI certificates to the client and the client has provided the certificates to me already. So I guess I have to import them somehow on XI.
    Any help is appreciated!
    Thank you very much.

    Hi
    Please follow the steps below for HTTPS configuration as sender.
    You need to use either SOAP adapter or XI Adapter for HTTPS connectivity.
    Here configure the Security Check for Inbound Messages.
    Refer below links
    http://help.sap.com/saphelp_nw04/helpdata/en/fc/5ad93f130f9215e10000000a155106/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/4f/0a1640a991c742e10000000a1550b0/frameset.htm
    XI3.0: Soap Sender with HTTPS
    SAP Security Guide XI, HTTP and SSL
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/97/818a4286031253e10000000a155106/frameset.htm
    No configuration is required in the adapter-specific sender channel configuration (inbound) of the Integration Directory.
    The authentication/authorization is performed by the J2EE Engine and therefore needs to be configured with the Visual Administrator. This configuration is described in the J2EE Engine Administration Manual and is outlined in the following section.
    When a message is to be sent to the Adapter Engine (and ultimately to the Integration Server), the J2EE Engine serves as the SSL Server and presents its server certificate to the client as part of the SSL handshake procedure.
    Client-Side Configuration (Required)
    The public certificate of the trusted authority (CA) that signed the public certificate of the SSL server needs to be imported to the list of trusted certificates of the SSL client. This allows the SSL client to accept the certificate of the server in the SSL handshake.
    Server-Side Configuration (Optional)
    If basic authentication is used, no additional configuration is required on server side.
    If client certificate authentication is requested or required by selection of the corresponding option in the SSL service and configuration of the ClientCertLoginModule in the SecurityProvider service (using the J2EE Administration Tool), additional configuration steps are required.
    If the server certificate check on the client side is successful, the client sends its public certificate to the server as part of the SSL handshake (when requested). The server needs to map the certificate to a user for authentication and will then check the authorization based on the security roles of the user.
    Perform the following steps to allow the J2EE engine to map the client certificate to a user:
           1.      Import the CA cert of the client certificate to the list of trusted certificates (TrustedCAs keystore view in the keystore service) and import the client cert to an arbitrary keystore view.
           2.      Map the client certificate to an existing user with role SAP_XI_APPL_SERV_USER by using the Visual Administrator, SecurityProvider service, UserManagement tab page.
    Refer to the links below.
    Here you go:
    http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm

  • Client proxy Http connection

    Hi experts,
    When doing an ABAP client proxy, I specified the XI adapter in the receiver channel. It is asking for the HTTP destination, so I went to transaction SM59 and am trying to create an HTTP connection. What parameters should I give?
    Connection type is "H"
    In the host name, should I give the host name of PI or R3? What is the service number, and how do I find it out? What should the prefix string be, and what is it needed for? In the Logon & Security tab, for user name and password, do we give the values of the R3 system or the PI system?
    Actually I gave the values like this:
    in Host ---> I gave the host name of the PI system, and service no. as 8000
    in prefix string ---> I gave '/sap/xi/engine?type=entry'
    (but I got an error like 'Query string not allowed')
    Please guide me
    Regards,
    Balaji

    Hi abhishek,
    There is no destination for R3 in type "H".
    I want to create the HTTP connection to R3, so I gave the host name of the R3 system. The system instance is '00', so I gave the service name as 8000. I gave the user name and password of R3.
    Other settings are:
    Logon procedure---> SAP standard
    status secure protocol-----> 
                  SSL--> Active
    SSL client certificate---> Default SSL client (standard)
    I didn't give the single course; I gave /sap/xi/engine?type=entry only. But it is still saying "Query string is not allowed".
    Regards,
    Balaji
    Edited by: Balaji Pichaimuthu on Aug 1, 2009 12:24 PM

  • Project Server 2010 Web services access with Client Certificate Authentication

    We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
    web service applications that no longer connect to server with the new authentication configuration.  Our custom applications are using the WCF interface to access the public web services.
    Please let us know if it is possible to authenticate with AD FS 2.0 and then call
    Project Server web services. Any help or coding examples would be greatly appreciated.

    What error occurred when the custom PSI app connects?
    Can you upload the ULS logs here for research?
    What is the user account format you specified in the code for authentication?
    For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
    'I:0#.w|mybusinessdomain\ewmccarty').
    It requires you to manually call the UpnLogon method of
    “Claims to Windows Token Service”.
    if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
    {
        var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
    }
    Then you need to extract the UPN claim from the identity.
    Upload the verbose log if possible.
    Did you see this?
    http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
    Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

  • Problem with client certificate based authentication

    Hello.
    We are developing an AIR application that uses client
    certificates for authentication. We have written a simple test case
    to show the problem.
    <?xml version="1.0" encoding="utf-8"?>
    <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml"
        layout="absolute">
        <mx:Script>
            <![CDATA[
                import mx.controls.Alert;

                // Called when the HTTPS request returns a result.
                private function responseHandler(): void {
                    Alert.show("Response received");
                }
            ]]>
        </mx:Script>
        <!-- The server behind this URL requests a client certificate. -->
        <mx:HTTPService id="exampleService"
            url="https://www1.aeat.es/pymes1/pacargoi.html"
            showBusyCursor="true"
            result="responseHandler()">
        </mx:HTTPService>
        <mx:Button label="Send"
            click="exampleService.send()"/>
    </mx:WindowedApplication>
    When we click on the button, it sends the request to the
    protected page and then (if you have CA emitted certificates) the
    dialog appears requesting the client certificate. And it works
    fine.
    But next time we click on the button, the dialog requesting
    the client certificate appears again.
    Is there a way to stop showing the dialog every time?
    Any help would be very appreciated.
    Thanks a lot for your support.
    Paco.

    I have just sent a Feature Request/Bug Report with the
    following text:
    "We are experiencing a problem using AIR with a server that
    requires authentication via client certificate.
    The dialog for selecting the client certificate appears every
    time that the AIR application interacts with the server (not only
    the first time).
    Steps to reproduce bug:
    1. Install Apache HTTP Server with SSL and require client
    certificate in order to authenticate.
    2. Develop an AIR Application that connects to this server
    (HTTPService or RemoteObject have been tested with the same
    result).
    3. Every time that the AIR application connects to the
    server, the dialog appears for the user to select the client
    certificate.
    Results: This makes the AIR application unusable.
    Expected results: The dialog requesting the client
    certificate should appear the first time only."
    Thanks,
    Paco.

  • Calling webservices from ABAP via https/ssl with p12 certificates.

    Hi all,
    I have a problem with calling an external webservice via HTTPS.
    I configured my system as indicated in the blog /people/jens.gleichmann/blog/2008/10/31/calling-webservices-from-abap-via-httpsssl-with-pfx-certificates but when I check the RFC connection the result is: ICM_HTTP_SSL_ERROR.
    I checked the ICM monitor and this is the result:
    [Thr 11] Thu May 26 16:02:57 2011                                                                               
    [Thr 11] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL                                           
    [Thr 11]    session uses PSE file "/usr/sap/SV5/DVEBMGS10/sec/SAPSSLHTTPS1.pse"                                                
    [Thr 11] SecudeSSL_SessionStart: SSL_connect() failed                                                                          
      secude_error 536875072 (0x20001040) = "received a fatal SSLv3 handshake failure alert message from the peer"                 
    [Thr 11] >>            Begin of Secude-SSL Errorstack            >>                                                            
    [Thr 11] WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer
    WARNING in ssl3_output_cert_chain: (12354/0x3042) No hierarchy certificate in FCPath                                           
    WARNING in reduce_FCPath_by_Issuer: (12354/0x3042) No hierarchy certificate in FCPath                                          
    [Thr 11] <<            End of Secude-SSL Errorstack                                                                            
    [Thr 11]   SSL_get_state() returned 0x000021d0 "SSLv3 read finished A"                                                         
    [Thr 11]   Server's List of trusted CA DNames (from cert-request message):                                                     
    [Thr 11]     #1  " certificate 1
    [Thr 11]     #2  " certificate 2
    [Thr 11]   SSL NI-sock: local=ip  peer=ip2                                                       
    [Thr 11] <<- ERROR: SapSSLSessionStart(sssl_hdl=6000000000652010)==SSSLERR_SSL_CONNECT                                         
    [Thr 11] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]
    SAP_ABA     700     0012     SAPKA70012     Componenti validi per tutte le applicazioni
    SAP_BASIS     700     0012     SAPKB70012     Componenti di base SAP
    PI_BASIS     2005_1_700     0012     SAPKIPYJ7C     PI_BASIS 2005_1_700
    ST-PI     2008_1_700     0001     SAPKITLRD1     SAP Solution Tools Plug-In
    SAP_BW     700     0013     SAPKW70013     SAP NetWeaver BI 7.0
    SAP_AP     700     0010     SAPKNA7010     Piatt. d'applicazione SAP
    CCM     200_700     0010     SAPK-27010INCCM     CCM 200_700 : Add-On Supplement
    SRM_PLUS     550     0010     SAPKIBK010     SRM_PLUS per mySAP SRM
    SRM_SERVER     550     0010     SAPKIBKT10     SRM_SERVER
    BI_CONT     703     0001     SAPKIBIIP1     Contenuto Business Intelligence
    ST-A/PI     01L_BCO700     0000          -     Servicetools for other App./Netweaver 04
    What do you think about it?
    Best regards,
    Norberto.

    "Don't forget to set your proxy settings! Be sure that the application server could establish a connection to the external server."
    (From the blog.)
    "Thr 11 WARNING in ssl3_read_bytes: (536875072/0x20001040) received a fatal SSLv3 handshake failure alert message from the peer"
    (From the error.)
    Have you looked into the above details?
    Thanks
    SM

  • Mobile safari no longer able to authenticate with client certificate in ios 5...

    It was working in 4.3.5 on iPad, but no more. I imported the cert with IPCU, but Safari seems not to recognize that there is a cert installed. All certs are using SHA-1.

    Some additional info - the imported certificate works fine for Activesync, VPN, and WiFi, so I know it is installed correctly.  When connecting to a web server that requires the certificate, the following is logged in the IPCU console:
    MobileSafari[368] <Warning>: no itentities, but we have a challenge <NSURLAuthenticationChallenge: 0x2eeea0>
    So to me, it looks like the Web server is requesting the client certificate, but mobilesafari does not see the identity certificate I imported.

  • ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures

    Dears,
    I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that requires the ACE to pass expired client certificates currently deployed on some clients.
    Which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode?
    - authentication-failure ignore [Only]
    OR
    - authentication-failure redirect cert-expired
    OR
    - authentication-failure ignore with authentication-failure redirect cert-expired
    Appreciate your help

    Dear Kanwalsi
    To pass only cert-expired, what do you think about applying the following?
    parameter-map type ssl TEST
    authentication-failure ignore
    authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
    authentication-failure redirect no-client-cert url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-has-signature-failure url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-other-error url http://TESt.com/sorry.html 302
    authentication-failure redirect cert-revoked url http://TESt.com/sorry.html 302
    authentication-failure redirect crl-has-expired url http://TESt.com/sorry.html 302
    authentication-failure redirect crl-not-available url http://TESt.com/sorry.html 302

  • Https connectivity with file as an attachment

    Hi,
      I have an IDoc-to-file scenario where my client requires HTTPS connectivity between the servers. Initially it was successful through FTP connectivity, but for security they have come up with HTTPS.
      But I am not sure whether it is possible to send the same file as an attachment through HTTPS/HTTP.
    If yes, please let me know your suggestion on how we can specify the file details.
    Regards,
    Dhill

    Hi,
      Can anybody let me know if there is any solution? Please let me know if any more details are required, or if my question is not understandable.
    Regards,
    Dhill

  • How to implement a persistent HTTP connection on client side...

    Sorry for the inconvenience everyone, but I could really use some help here since I am a total newbie to Java programming.
    I am trying to implement a persistent HTTP connection on the client side with request pipelining. The way I understand it is that client requests will be sent to the server, which will reply to them back to back, and then the client will read them accordingly. But when I read the server responses, I get only the reply for the first request, and nothing further, when I actually expect it to give me as many responses as the number of requests I issued. Here is a sample code illustrating what I am trying to do.
    ====================
    import java.io.*;
    import java.net.*;
    import java.util.*;

    public class HttpClient {
        public static String host = "www.somehost.com";
        public static int port = 80;
        public static String pathname = "/download.asp";
        public static String protocol = "http";
        public static ArrayList list;

        public static void main(String[] args) {
            // Parser is a helper class that is not shown in the post.
            Parser parser = new Parser();
            list = parser.getIDs();
            try {
                Socket socket = new Socket(host, port);
                InputStream from_server = socket.getInputStream();
                PrintWriter to_server = new PrintWriter(socket.getOutputStream());
                OutputStream to_file;
                to_file = new FileOutputStream("HTTP_response.txt", true);
                for (int i = 0; i < 3; i++) {
                    String s = (String) parser.getIDs().get(i);
                    String filename = "/download.asp?id=" + s;
                    to_server.print("GET " + filename + "\n\n");
                    to_server.flush(); // Send it right now!
                    // This response gives only the response to the first
                    // request,....
                    byte[] buffer = new byte[4096];
                    int bytes_read;
                    while ((bytes_read = from_server.read(buffer)) != -1)
                        to_file.write(buffer, 0, bytes_read);
                    to_file.close();
                    socket.close();
                }
            } catch (Exception e) {
                System.err.println(e);
                System.err.println("Usage: java HttpClient <URL> [<filename>]");
            }
        }
    }

    There are many things wrong with your code. Learn the HTTP protocol and you'll know what I mean.
    Here's a hint - you're missing headers in your code.
    Some servers do not support keep-alive connections, nor do you request a keep-alive connection.
    Connection: keep-alive
    Use that header field and see what happens. Also, in your while-loop, you actually close the output file and the socket. Don't you think it may be hard for the server to respond to a client that closed the connection on it?
    1. You don't know HTTP
    2. You don't seem to know Java
    3. You don't seem to understand basic programming logic
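
An added example, not code from either poster: the request headers the reply refers to, and how a client separates back-to-back responses on one kept-open connection by their Content-Length instead of reading until end of stream. The class name, host and the two sample responses are constructed for illustration; chunked responses are not handled.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class PipelinedResponses {
    // One HTTP/1.1 request: version and Host are required; keep-alive is the header the reply names.
    static String request(String host, String path) {
        return "GET " + path + " HTTP/1.1\r\n"
             + "Host: " + host + "\r\n"
             + "Connection: keep-alive\r\n\r\n";
    }

    // Read one header line without its CRLF; null means the stream has ended.
    static String readLine(InputStream in) throws IOException {
        ByteArrayOutputStream line = new ByteArrayOutputStream();
        for (int b; (b = in.read()) != -1; ) {
            if (b == '\n') return line.toString("ISO-8859-1").trim();
            line.write(b);
        }
        return line.size() == 0 ? null : line.toString("ISO-8859-1").trim();
    }

    // Read exactly one response (status line, headers, Content-Length bytes) and return its body.
    static String readBody(InputStream in) throws IOException {
        if (readLine(in) == null) return null;          // no status line: server closed the connection
        int length = -1;
        for (String h = readLine(in); h != null && !h.isEmpty(); h = readLine(in)) {
            int colon = h.indexOf(':');
            if (colon > 0 && h.substring(0, colon).trim().equalsIgnoreCase("Content-Length"))
                length = Integer.parseInt(h.substring(colon + 1).trim());
        }
        if (length < 0) throw new IOException("no Content-Length (chunked bodies not handled here)");
        byte[] body = new byte[length];
        if (in.readNBytes(body, 0, length) < length) throw new IOException("closed mid-body");
        return new String(body, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        System.out.print(request("www.example.com", "/download.asp?id=1"));
        // Constructed sample: two responses back to back, as they arrive on one kept-open socket.
        String wire = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nfirst"
                    + "HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nsecond";
        InputStream fromServer = new ByteArrayInputStream(wire.getBytes(StandardCharsets.UTF_8));
        List<String> bodies = new ArrayList<>();
        for (String body = readBody(fromServer); body != null; body = readBody(fromServer))
            bodies.add(body);
        System.out.println(bodies);
    }
}
```

With a real socket, `readBody` would be called once per request sent, on `socket.getInputStream()`, and the socket closed only after the last response has been read.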

  • In iPad how to use webdav nab   with client certificate

    I have created one WebDAV-enabled site on an Apple Mac mini server using Apache. The WebDAV site is secured with HTTPS as well as a client certificate.
    While browsing the website using Safari/IE everything is working fine, but with the iPad's WebDAV utility it is not working. The client cert is not picked up by the WebDAV Nav tool, although the client SSL cert is installed on the iPad.

    Hi Olek
    I have a working WebDAV setup with Tomcat 6.0
    the only problem is this only works on windows XP
    anyway here is the code,
        <servlet>
        <servlet-name>webdav</servlet-name>
        <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
        <init-param>
          <param-name>debug</param-name>
          <param-value>0</param-value>
        </init-param>
        <init-param>
          <param-name>listings</param-name>
          <param-value>true</param-value>
        </init-param>
        <!-- Uncomment this to enable read and write access -->
        <init-param>
          <param-name>readonly</param-name>
          <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <!-- The mapping for the webdav servlet -->
      <!-- Using /* as the mapping ensures that jasper, welcome files etc are
           over-ridden and all requests are processed by the webdav servlet.
           This also overcomes a number of issues with some webdav clients
           (including MS Webfolders) that do not respond correctly to the
           redirects (302) that result from using a mapping of / -->
      <servlet-mapping>
        <servlet-name>webdav</servlet-name>
        <url-pattern>/*</url-pattern>
      </servlet-mapping>
    put that in your web.xml file
    and here is a basic example of how to use it in a jsp.
    <%
    String networkPath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + request.getContextPath() + "/";
    %>
    <body onload="document.getElementById('anchor').click();">
        <a id="anchor" href="<%= networkPath %>Temp/Test/file.doc" folder="<%= networkPath %>Temp/Test/">
               Open in Web Folder View
        </a>
    </body>
    Hope this helps you

  • Troubles with client certificates in Windows Phone 8.1 WebViews

    Hi,
    I'm having difficulties using a client certificate in Windows Phone 8.1 WebViews.
    My code works fine in my Windows 8.1 App but I get a WebErrorStatus=[CertificateIsInvalid] in WebView.NavigationCompleted in WP.
    I'm using this code to import my certificate :
    await CertificateEnrollmentManager.ImportPfxDataAsync(certificateBase64, certificatePassword, ExportOption.NotExportable, KeyProtectionLevel.NoConsent, InstallOptions.None, "MyClientCertificate");
    I have no problem using this cert in HttpClient with either Windows 8.1 or Windows Phone 8.1.
    I don't understand why it doesn't work with the WebView control only on Windows Phone.

    Tried it with no success.
    But I just found this : https://blogs.msdn.com/b/wsdevsol/archive/2014/07/31/programmatically-create-and-configure-a-client-certificate-for-use-in-your-windows-runtime-based-app.aspx?Redirected=true
    With the note at the bottom: 
    Note: For Windows Phone 8.1, you need to attach the Client Certificate programmatically. For Windows, once you install the Client Certificate to the app container
    store and do not attach the client certificate with the HttpClient request, the HttpClient class will automatically detect that there is a single certificate installed in the app container store and forward it to the server. However in the case of Windows
    Phone 8.1, there is no such “automatic” selection of the certificate and one MUST provide the certificate programmatically.
    Since there seems to be nothing to attach a custom HttpBaseProtocolFilter to a WebView, it doesn't seem possible atm.
