Require Client Certificate to Access ASDM on the Following Interfaces

Hello
I have an ASA 5585 with an outside interface with two subnets. The mgmt interface is the secondary interface. I have a certificate linked to the outside interface's primary IP address. When I ASDM to the ASA I get a dialog box telling me the cert is self-signed. Do I need to get a second cert or can I do something else on the ASA that will allow the existing cert on the ASA to work with ASDM on the ASA?
I.e. Configuration/Management Access/ASDM/HTTPS/Telnet/SSH/Require Client Certificate to Access ASDM on the Following Interfaces
Thanks!
Matt

You can bind the identity certificate to multiple interfaces. Whether it is self-signed or from a third party trusted root CA it will work either way.
You may get some warnings from ASA if the FQDN or IP address you are connecting to does not match the certificate but clicking through that will allow you to manage the appliance.
Client certificates are a totally separate issue. That's typically only used when you have a PKI and are using the certificates issued to a client as a form of authentication and/or authorization.

Similar Messages

  • Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)

    Hi,
    I am trying to install Certificate Services on a Windows 2008 server (R2 ENT SP1) with a PCIe nCipher HSM module installed on it. The version of the nCipher SW is 11.30. It is a RootCA, and I am trying to use a key that is already stored in the HSM (I have done this before with a PCI HSM (older HW version)). I select “Use existing private key” and “Select an existing private key on this computer” in the wizard, then I change the CSP to nCipher and click on "search"; the key I am looking for appears and I select that one. I repeat, I have done this before and it works with a PCI HSM module.
    The installation is finished before being prompted to insert the operator cards, and it ends with two errors:
    <Error>: Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
    And:
    <Error>: Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct state to perform the requested operation.
    0x8007139f (WIN32: 5023)
    The servermanager.log says:
    1856: 2014-07-23 18:27:48.195 [CAManager]                 Sync: Validity period units: Years
    1856: 2014-07-23 18:27:48.928 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x800703E5): CCertSrvSetup::Install: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
       at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
       at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
    1856: 2014-07-23 18:27:48.928 [Provider]                  CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error:  Overlapped I/O operation is in progress.
    0x800703e5 (WIN32: 997)'
    1856: 2014-07-23 18:27:48.928 [Provider]                  Adding error message.
    1856: 2014-07-23 18:27:48.928 [Provider]                  [STAT] For 'Certification Authority':
    And:
    1856: 2014-07-23 18:27:49.053 [CAWebProxyManager]         Sync: Initializing defaults
    1856: 2014-07-23 18:27:49.162 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x8007139F): CCertSrvSetup::Install: The group or resource is not in the correct state to perform the requested operation. 0x8007139f (WIN32: 5023)
       at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
       at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
    1856: 2014-07-23 18:27:49.162 [Provider]                  CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error:  The group or resource is not in the correct
    state to perform the requested operation. 0x8007139f (WIN32: 5023)'
    1856: 2014-07-23 18:27:49.162 [Provider]                  Adding error message.
    Has anyone experienced this before? Am I missing something here?
    Any help will be very appreciated
    Thanks in advance
    Best regards
    Alejandro Lozano Villanueva

    Hi, thanks for your support.
    I have been playing around a bit with some ncipher commands and found this:
    C:\Program Files (x86)\nCipher\nfast\bin>cspcheck.exe
    cspcheck: fatal error: File key_mscapi_container-1c44b9424a23f6cddc91e8a065241a0
    9aa719e4f (key #1): 0 modules contain the counter (NVRAM file ID 021c44b9424a23f
    6cddc91)
    cspcheck: information: 2 containers and 2 keys found.
    cspcheck: fatal error occurred.
    If I perform the same command on the original server (the server with the original kmdata folder and with the running RootCA services):
    E:\nfast\bin>cspcheck.exe
    cspcheck: information: 2 containers and 2 keys found.
    cspcheck: everything seems to be in order.
    Strange?
    Moreover, when I do a csptest.exe command (also on both servers), I find this:
    On the new server:
    C:\Program Files (x86)\nCipher\nfast\bin>csptest.exe
    nCipher CSP test software
    =========================
    Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
      Provider name: nCipher Enhanced Cryptographic Provider
      Version number: 1.48
    User key containers:
        Container 'csptest.exe' has no stored keys.
        Container 'Administrator' has no stored keys.
      Machine key containers:
        Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
        Container 'ROOTCA' has no stored keys.
        Container 'csptest.exe' has no stored keys.
    While in the old server:
    E:\nfast\bin>csptest.exe
    nCipher CSP test software
    =========================
    Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
      Provider name: nCipher Enhanced Cryptographic Provider
      Version number: 1.40
    User key containers:
        Container 'csptest.exe' has no stored keys.
      Machine key containers:
        Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
        Container 'ROOTCA' has a 2048-bit signature key.
        Container 'csptest.exe' has no stored keys.
    As you can see, the container called ROOTCA, which is the one that I use during the installation, says it has no stored keys, while on the old server it says it contains a key. Why is this happening? I don't know. I am copying the complete key management folder from one server to another and initializing the security world with that folder as I always do, and I don't have any errors during this procedure.
    Do you know what could be the cause of this? Or how can I fix this? Thanks a lot, best regards.
    Alejandro Lozano Villanueva

  • Problem with Require Client Certificate on IPlanet 6.0 server

    I installed client certificate. When I connect to the server using browser, I get following error........
    You are not authorized to view this page
    You might not have permission to view this directory or page using the credentials you supplied.
    How can I run the server in Verbose mode and see exactly why this error.
    Default error file does not have any information about this rejection.
    Thanks
    Krishna

    The message is cut and paste of what client (IE) shows on the browser.
    But the Server does not show anything in its log. I don't see any activity. I have Log Verbose On.
    If I change the client certificate on to off it works fine.
    The problem is only when the client certificate is on.
    The client certificate is created using Iplanet Certificate Server as well the server certificate also generated using Iplanet Certificate Server.
    In this case I am not trying to authenticate user in the client certificate just the client certificate is valid or not.
    Thanks for the reply.
    Regards
    Krishna

  • How do I access RunState via the C interface?

    I'm utilizing TestStand by controlling it via a C++ program and TestStand as a COM module.  I haven't been able to find how to access the RunState property.  Thanks.
    -G-

    Hey Grasshopper,
    I'm not certain, but it sounds like you are building a User Interface in C++ to operate your sequences, much like the one you can find at C:\Program Files\National Instruments\TestStand 3.1\OperatorInterfaces\NI\Full-Featured\C++ using MFC.  If this is the case, then the way to get access to the RunState property is by utilizing UIMessages.  You should be able to do a search on the forums or in the Developer Zone and find some more information and sample code about UI Messages, but in a nutshell, you'll send a message to the User Interface that you are building by utilizing the ActiveX adapter (Action Step) in a TestStand sequence (the method is PostUIMessageEx and can be found in the Thread class).  When you send the data you will want to send ThisContext via the ActiveX parameters.  You will then use the ApplicationMgr Control in your UI to register the UserMessage event and then create a function to be called when this event does occur.  In this function, you can get the Sequence Context from the ActiveX parameter and at that point can handle it just like any other code module to get and set items within your locals, runstate, or whatever you want.  That should give you a start; let me know if you run into major issues.
    Adam B. 

  • Website requires client certificate

    Hello,
    I am trying to log onto a webmail outlook, however I keep getting a pop up window which looks like this.
    The certificate is valid and in spite of checking it through the Certificate Assistant and changing the settings to always trust, I am unable to access the account.
    Your suggestions will help.
    Thanks

    Same here. It might not be because the site requires a client-side SSL certificate. Some sites ask for it optionally. In that optional case, does my solution help you as well? However, in your case, I would double-check with the site administrator whether he uses client authentication intentionally at all.

  • Q: Can Oracle Access Manager achieve the following? WS-Fed(RP) - SAML2(IdP)

    Can Oracle Access Manager do protocol translation and act as a gateway for multiple SAML2 IdP's talking back to a WS-Fed (RP/SP) ?
    <-> SAML2 (IdP) (multiple namespaces)
    WS-Fed (RP) <-> SAML2 (IdP) (multiple namespaces)
    <-> SAML2 (IdP)
    Sincerely,
    Adam

  • Applet does not get client certificate from browser (Firefox, IE7)

    I'm writing a web service which runs Tomcat through Apache. One critical requirement is that the service be able to invoke certain device drivers on the end user's machine. Fortunately, there is a Java API for this, so this requirement can be fulfilled using an applet.
    Here's the problem. This is a B2B application, so we're using SSL and requiring client authentication. I'm no web security guru, but I managed to get SSL set up through Apache (with a self-signed certificate for now; we'll get a real one from a real CA when we're ready to go to production). I also managed to set up client authentication by creating my own CA and generating a client certificate, which I then copied to my test client (Win XPSP2) and imported into both Firefox (2.0.0.15) and IE (6.0.2900). The applet is signed with a real certificate, and that causes no problems. And all of the pages for my web service work as expected.
    All except one. The page which is supposed to load the applet pops a dialog stating 'Identification required. Please select certificate to be used for authentication', and presents a list of zero certificates.
    Actually, I get this dialog in Firefox on my XPSP2 box, and also when I test on a Vista Home Premium box running IE 7.0.6000. Puzzlingly, this behavior does NOT occur on my XPSP2 box when running through IE 6.0. It seems that with XPSP2 and IE 6.0, the JVM can manage to obtain the required client certificate from the browser and pass it along to Apache, but the JVM can't do this when running in Firefox or in IE 7.0 on Vista.
    I have gone to the Java Control Panel and verified that the 'Use certificates and keys in browser keystore' option is selected on both boxes.
    I've done a fair amount of research for this (including in this forum) and see that this appears to be a chronic difficulty with applets. What makes it worse is that I don't think I can use the standard workaround, which is to download the applet from a different host/virtual host, because the applet needs to communicate with the web service. Since we have the additional layer of Tomcat container-managed user authentication, the applet needs to be communicating with the server using the same session token as everything else.
    So at this point, I'm stuck. Does anyone know a solution to this problem? Two thoughts (I'm reaching at straws here):
    1) I have the certificate imported in both Firefox and IE as a 'personal' certificate. Is there someplace else I can put it so the JVM will know how to find it? A rather old thread in this forum mentioned something about setting properties in the Java Control Panel, but I see no place in the JCP to specify such properties, so I'm guessing that solution is no longer operative.
    2) I'm using a trick I found on the internet to make the applet load cleanly with both Firefox and IE, namely, I'm using the <OBJECT> tag to specify the applet class and codebase for IE, and then using <COMMENT><EMBED ... /></COMMENT> within the <OBJECT> declaration to specify the information for Firefox. Is there some other way of doing the markup that will give the JVM a hint that it should get a certificate from the browser?
    BTW . . . I would hate to drop support for Firefox, but if someone has an IE-only solution, I'll take it. Unfortunately, I reckon a Firefox-only solution would not fly.
    Thanks all.

    > My applet is also signed by a valid certificate. The question of whether the applet is signed/self-signed/unsigned isn't an issue ---
    I just wanted you to make sure the Applet runs because it is a known valid Java2 Applet that is 100% signed properly and verified to run.
    This eliminates the possibility that it is a JVM issue. However after reading your message further I am afraid it is not relevant to your issue.
    > due to the client authentication, my browser (Firefox, IE7) refuses to even download the applet.
    > I went to your site, and I can see your applet in both Firefox and IE6. However, I don't believe your site is set up quite like mine, because it appears I can run your applet whether I have imported your X509 certificate or not. What I did was:
    If that is true we are all dead :) No I think you just missed the cert in the IE database. It doesn't have to be in the Applet database to function. Surprise!
    Check your IE/tools/internet options/content tab/certificates/trusted root certification authorities.
    > I then opened the Java control panel and verified that the certificate isn't listed there, either. So unless the certificate is being cached/read from some other location (which could be, this certificate stuff is largely black magic to me), then your server isn't requiring client authentication, either accidentally or by design.
    No HyperView is a valid java2 Applet and actually writes to a file "hyperview.dat" though it is probably empty.
    If you click on a component in the view and then on the view and type "dumpgobs" it should write out some data about the current graphics objects so you can see it has complete read/write access.
    Further it opens up a complete NIO server and starts listening for connections on a random port (echoed in your java console). You can connect to it with telnet and watch impressive ping messages all day :)
    This all goes back to a few years BTW back before there was a plugin and there was only Netscape & IE.
    There are actually 2 certificate databases and what loads where depends on which type of cert you are using. Now self signed or not doesn't matter but what does matter is the type of certificate. IE: is it RSA/DSA/Sha1 etc. The Netscape DB was a Berkeley DB and MS used whatever they use. The Cert is a DSA/Sha1 cert which I like the best ATM as it (X fingers it stays so) always has worked.
    Sadly that tidbit doesn't help you either I am afraid.
    > What I'm trying to do is require client authentication through Apache by including the following markup in a virtual host definition:
    > SSLCACertificateFile D:/Certificates/ca.crt
    > SSLVerifyClient require
    > SSLVerifyDepth 1
    You got me there I avoid markup at all costs and only code in C java and assembler :)
    Now unless I am wrong I think you are saying that you want the Applet to push the certificate to the server automatically and I don't think this happens. Least I have never heard of this happening from an Applet automatically.
    > On my client machine, I have a certificate which was generated using OpenSSL and the ca.crt file listed. Testing shows that the server is requiring a certificate from the client, and the web browser is always providing it.
    > The problem is that when the browser fires up the Java plugin to run an applet, there is not sufficient communication between the browser and the plugin so that the plugin can obtain the certificate from the browser and provide it to the server.
    > So the server refuses to send the applet bytecode to the JVM, and we're stuck.
    In terms of implementation ease I think you may have the cart before the horse because I think it would be far easier to run an Applet in the first place to do the authentication, and then send, for example, a jar file to bootstrap and run (or some classes) in the event the connection is valid. Then again one never knows it all and there may be some classes which enables the plugin as you wish. I have never heard of this being done with the plugin the way you suggest.
    I am thinking maybe there is another method of doing this I do not know.
    Did you try pushing the cert via JavaScript/LiveConnect?? That way it could run before the Applet and do the authentication.
    Maybe someone else has other ideas; did you try the security forum??
    Sorry but I am afraid that is not much help.
    I did snarf this tidbit which may have some relevance:
    The current fix for this bug in Mantis and 1.4.1_02 is using JSSE API, Here are the step:
    In Java control panel, Advanced tab -> Java Runtime Parameters, specify:
    -Djavax.net.ssl.keyStore=<name and path to client keystore file>
    -Djavax.net.ssl.keyStorePassword=<password to access this client keystore file>
    If it is a PKCS12 format keystore, specify:
    -Djavax.net.ssl.keyStoreType=PKCS12
    In our future JRE release 1.5, we will create our own client authentication keystore file for JPI and use that for client authentication, for detail info, please see RFE 4797512.
    Dennis
    Posted Date : 2005-07-28 19:55:50.0
    Good Luck!
    Sincerely:
    (T)
    Edited by: tswain on 23-Jul-2008 10:07 AM

  • From time to time, I can't verify the expiration of my client certificate on IIS.

    I have an IIS web server and a CA (AD CS) server built on a 2008R2 virtual machine.
    I require a client certificate in order to access the web server.
    It works very well but FROM TIME TO TIME, a 403 error code is returned.
    According to the trace log(FailedReqLogFiles), a 0x80092013 error occurs.
    Once this 403 error occurs, it lasts for about an hour and then everything goes back to normal.
    In order to find out what is the problem, I have done setup:
    - CRL has a publication time of 1 hour
    - (Delta CRL) has a publication time of 30minutes.
    also:
    - Both web server and CA server are not on a domain but a workgroup
    - The CA certificate is registered on the web server & client on the root & intermediate certificate registrar.
    - Both setups are patched to the latest windows update
    As far as I've checked the log:
    - on the web server log(source: CAPI2), there is an event id 53 at almost every hour for both the CRL & delta CRL
    but before the problem occurs the event id 53 is only reported on the delta CRL and nothing on the CRL.
    - By the way, System32\config\systemprofile\AppData\LocalLow\Microsoft\X509Objects, the .crl file for the problematic update is only present on the delta CRL.
    - On the CA server's IIS access log, there is just the delta CRL access that is registered.
    - Below is the log on the CA server IIS's access log (XXX-CA is for anonymous sake):
    2014-04-16 10:51:34 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
    2014-04-16 10:51:39 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
    2014-04-16 11:52:05 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 265
    2014-04-16 12:52:22 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
    2014-04-16 12:52:28 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
    - I think that the 403 error is due to the fact this CRL is not getting reached but why would this happen?
    - Is there another way than to restart the OS in order to clear this problem in a shorter time than 1 hour?
    side note:
    - this problem happens on the client setup too.
    - the log is shortened but if there is any filter to apply to get better information, please tell me.
    I would appreciate any help on this matter!
    nb:
    this is a translation from a Japanese text.

    Hi,
    The error message will occur if IIS cannot download CRLs of the client certificate, in other words, if the CA is shut down or there are network connectivity issues between web server and CA when Internet Information Services tries to download the client certificate’s CRL.
    Therefore, please make sure that there is no network connectivity issue between the web server and CA; you can find the IP address of the problem CDP server then add an entry to the HOSTS file on the IIS computer.
    Here are some related KB articles below I suggest you refer to:
    IIS returns HTTP "403.13 Client Certificate Revoked" error message although certificate is not revoked
    http://support.microsoft.com/kb/294305/en-us
    You receive a "403.13 client certificate revoked" error message when you connect to a computer that is running Windows Server 2003 and Internet Information Services 6.0
    http://support.microsoft.com/kb/884115/en-us
    Best Regards,
    Amy
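
The access-log pattern described in the question (an hour in which the delta CRL is fetched but the base CRL is not) can be found mechanically. This is an added example, not part of the original thread: it runs over the five log lines quoted in the question, takes the one-hour base CRL interval from the post, and assumes the field order visible in those lines, a 10-minute tolerance and a 1-minute window for pairing a delta fetch with a base fetch.

```python
from datetime import datetime, timedelta

# The five access-log lines quoted in the question above (CA server, IIS).
SAMPLE_LOG = """\
2014-04-16 10:51:34 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 10:51:39 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
2014-04-16 11:52:05 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 265
2014-04-16 12:52:22 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1).crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 218
2014-04-16 12:52:28 fe80::f99a:eb13:7c7b:1de4%10 GET /CertEnroll/XXX-CA(1)+.crl - 80 - fe80::7993:d27a:af9f:170%10 Microsoft-CryptoAPI/6.1 200 0 0 202
"""

BASE_CRL_INTERVAL = timedelta(hours=1)  # base CRL publication interval stated in the post
TOLERANCE = timedelta(minutes=10)       # assumed slack before a gap is reported
PAIR_WINDOW = timedelta(minutes=1)      # assumed: base and delta fetched in one validation


def parse_crl_fetches(text):
    """Return sorted (timestamp, client, kind, status) tuples for GETs of .crl files.

    Field positions follow the lines above: date, time, server IP, method,
    URI stem, query, port, user, client IP, user agent, status, ...
    """
    fetches = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blanks and W3C headers
            continue
        parts = line.split()
        if len(parts) < 11:
            continue
        date, clock, method, uri = parts[0], parts[1], parts[3], parts[4].lower()
        client, status = parts[8], parts[10]
        if method != "GET" or not uri.endswith(".crl") or not status.isdigit():
            continue
        # AD CS marks a delta CRL with '+' before the extension, as in the log above.
        kind = "delta" if uri.endswith("+.crl") else "base"
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        fetches.append((stamp, client, kind, int(status)))
    return sorted(fetches)


def find_base_crl_gaps(fetches, interval=BASE_CRL_INTERVAL, tolerance=TOLERANCE):
    """Report, per client, windows where successful base CRL downloads are
    further apart than interval + tolerance, plus delta-only fetches inside."""
    by_client = {}
    for stamp, client, kind, status in fetches:
        if status == 200:  # a failed download does not refresh the client's CRL
            by_client.setdefault(client, {"base": [], "delta": []})[kind].append(stamp)
    gaps = []
    for client, seen in by_client.items():
        base = seen["base"]
        for prev, nxt in zip(base, base[1:]):
            if nxt - prev <= interval + tolerance:
                continue
            delta_only = [
                d for d in seen["delta"]
                if prev < d < nxt and not any(abs(d - b) <= PAIR_WINDOW for b in base)
            ]
            gaps.append({"client": client, "start": prev, "end": nxt,
                         "delta_only": delta_only})
    return gaps


def report(gaps):
    """Format the gaps as human-readable lines."""
    lines = []
    for gap in gaps:
        lines.append(f"{gap['client']}: no base CRL fetch between {gap['start']} "
                     f"and {gap['end']} ({gap['end'] - gap['start']})")
        lines.extend(f"  delta CRL fetched alone at {d}" for d in gap["delta_only"])
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_base_crl_gaps(parse_crl_fetches(SAMPLE_LOG)))))
```

A reported window can then be lined up against the CAPI2 event 53 entries and the 0x80092013 failures on the web server to see whether the 403 periods coincide with it.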

  • SOAP Receiver Adapter problem (client certificate required)

    My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
    PI Server AXD - (Client) - Receiver SOAP adapter
    PI Server AXQ - (Server) - Sender SOAP Adapter.
    Steps in AXD
    1. I have created a certificate of AXD in the service_ssl view of key storage.
    2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
    Steps in AXQ
    1. I have created a certificate of AXQ in the service_ssl view of key storage.
    2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
    3. I have created a user in AXQ and assigned the certificate of AXD under user management in Security provider to this user.
    4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
    5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
    Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
    Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
    Any pointer to solve this problem is highly appreciated.
    Thanks
    Abinash

    Hi Hemant,
    I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
    As far as my scenario goes I am not using message level security.
    Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecuity though.
    Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
    Abinash

  • Rejected client certificate by the server

    Hello everyone.
    I am writing to you because I have a big problem using SSL and client authentication.
    I created a connector for the client connections:
    <Connector port="9443"
         maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
         keystoreFile="C:/WINDOWS/security/server.ks"
         keystorePass="*********"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    clientAuth="true" sslProtocol="SSL" />
    As it is for educational purposes, I created my own self-signed CA using openssl and generated a certificate request for the web server and then I signed it with the self-signed CA.
    Then I created a client certificate and signed it with the self-signed CA. I imported the self-signed CA in Firefox as a certificate authority and the client certificate as a client certificate, but when I try to establish a connection I get this error message: "Could not establish an encrypted connection because your certificate was rejected by agatha. Error Code -12271" (agatha is the apache server).
    I got an openssl manual and I saw I followed the right steps to create the CA and the client certificate. I also read that the common name of the client must match an entry in tomcat-users.xml; I created an entry with this common name and the error message still appears.
    When I use Internet Explorer I get an error page with this title: The page cannot be displayed
    I opened the stdout.log file and there is an exception repeated 5 times:
    NotifyUtil::java.net.ConnectException: Connection refused: connect
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at java.net.PlainSocketImpl.doConnect(Unknown Source)
         at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
         at java.net.PlainSocketImpl.connect(Unknown Source)
         at java.net.Socket.connect(Unknown Source)
         at java.net.Socket.connect(Unknown Source)
         at sun.net.NetworkClient.doConnect(Unknown Source)
         at sun.net.www.http.HttpClient.openServer(Unknown Source)
         at sun.net.www.http.HttpClient.openServer(Unknown Source)
         at sun.net.www.http.HttpClient.<init>(Unknown Source)
         at sun.net.www.http.HttpClient.<init>(Unknown Source)
         at sun.net.www.http.HttpClient.New(Unknown Source)
         at sun.net.www.http.HttpClient.New(Unknown Source)
         at sun.net.www.http.HttpClient.New(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
         at org.netbeans.modules.web.monitor.server.NotifyUtil$RecordSender.run(NotifyUtil.java:237)
    What is happening??? is there something wrong??

    That didn't work for me - as well as a host of other things that did not work for me. I can honestly say that Netbeans is the worst piece of junk software I've ever used in the entirety of my life and my previous one thousand lives.
    The best way to rid yourself of this problem is to uninstall Netcrap and run over to Eclipse. But beyond that, edit your [$TOMCAT_HOME]/conf/web.xml file and rip out the following section from the top - where Netcrap snuck it in, and didn't remove - even causing config errors after I turned it off.
    =========================================
    <filter>
    <filter-name>HTTPMonitorFilter</filter-name>
    <filter-class>org.netbeans.modules.web.monitor.server.MonitorFilter</filter-class>
    <init-param>
    <param-name>netbeans.monitor.ide</param-name>
    <param-value>127.0.0.1:8082</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>HTTPMonitorFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    =========================================
    I'm using 4.0 on Linux. Thing has got a couple of cool features, but nothing beats dependability, and a darn config interface that actually makes sense. I mean, turn off some features and you can't even open your past projects?! WTF?! But no indication! But first the icon looks good! And then you click on it and it disappears! Un-effing-believable! And it took me hours to figure out how to set up a dang server! I just assumed it didn't have the ability to do it at all! The source-code control config is whack. Man. Total lack of useful documentation, no decent news/web boards. Totally outrageous.
    Worst. Software. Ever.

  • Getting the Client Certificate out of the HttpServletRequest object

    I have an interesting issue with weblogic 5.1 SP6 and getting/obtaining Client
    Certificates.
    The issue is that the Client Certificate is not always in the HttpServletRequest
    object depending on how the weblogic.properties are set. Here is my code to get
    the Certificates.
    // get the cert chain from the request
    Object obj = request.getAttribute("javax.net.ssl.peer_certificates");
    if (obj instanceof weblogic.security.X509[]) {
        weblogic.security.X509[] wlogicCert = (weblogic.security.X509[]) obj;
        try {
            // re-parse the first certificate in the chain with the IAIK classes
            iaik.x509.X509Certificate iaikClientCert =
                new iaik.x509.X509Certificate(wlogicCert[0].getBytes());
            clientSDN = iaikClientCert.getSubjectDN().getName();
            clientCert = (Certificate) iaikClientCert;
        } catch (Exception e) {
            // handle a certificate that cannot be parsed
        }
    }
    The only time the certificate is present in the Request Object is when the following
    weblogic.properties are set:
    weblogic.security.enforceClientCert=true
    weblogic.security.clientRootCA=CARoot.pem
    If the properties are set to this: no Certificate can be received from the
    Request object.
    weblogic.security.enforceClientCert=false
    #weblogic.security.clientRootCA=CARoot.pem
    Is there a way to have Weblogic always receive/get a Client Certificate if one
    is provided by the client, but not have weblogic do any validation of the certificate?
    Any help would be appreciated!
    Gary

    ok i see.
    although it should be able to get the underlying
    outputStream handle since i have initialized
    (associated) it on the previous line.
    Thanks

    Well, you might be able to get the underlying stream. Look at the API docs. If there's a method there to do it, then you can. If not, then you can't.
    If you can do it, then you have to look at the API docs for FileOutputStream and see if it lets you get the associated File or path. If such a method exists, then you can get it. If not, then you can't.
    Even if both methods exist and you can ultimately get the file, do you understand why this is not the same as "getting the file associated with a PrintStream"?

  • Error while enabling two way authentication :Client certificate missing

    Hi,
    I am getting the following error while enabling the two way authentication. The weblogic server 5.1 has accepted both the client ca and server certificates and is listening for SSL on the specified port. But when I try to access thru the secured connection thru my IE it asks for Client Authentication dialog asking for valid Client certificate but I am not able to view any of the client certificate even though I have one which is the trusted root store, and thereby giving the error page cannot be displayed. On the server side I get the following error.
    Thu Mar 08 10:54:35 GMT 05:30 2001:<D> <SSLListenThread> Problem accepting connection
    java.io.IOException: required client certificate missing
        at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:711)
        at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:529)
        at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:219)
        at weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java:192)
        at weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1001)
        at weblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30)
        at weblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:377)
        at weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.java:506)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled Code)
    Can anybody please guide me what could be wrong. Do I need to change the browser settings. I have enabled SSL 3.0 and SSL 2.0 and all other settings are default.
    It is urgent. Pls give some suggestions.
    Regards,
    Bhavani

    I think you have to specify the client root in your weblogic.properties
    file.
    here are my settings:
    weblogic.security.enforceClientCert=true
    weblogic.security.certificate.server=democert.pem
    weblogic.security.key.server=demokey.pem
    weblogic.security.certificate.authority=ca.pem
    weblogic.security.clientRootCA=VeriSignClass1CA.der
    Regards,
    -Arthur
    Bhavani wrote:
    Hi, I am getting the following error while enabling the two way authentication for Weblogic Server 5.1
    Thu Mar 08 16:10:54 GMT 05:30 2001:<I> <ListenThread> Listening on port: 7001
    Thu Mar 08 16:10:54 GMT 05:30 2001:<I> <SSLListenThread> Listening on port: 7002
    <NT Performance Pack> NATIVE: created IoCompletionPort successfully. IoPort=0x000002a4
    Thu Mar 08 16:10:56 GMT 05:30 2001:<I> <WebLogicServer> WebLogic Server started
    Thu Mar 08 16:11:20 GMT 05:30 2001:<D> <SSLListenThread> Problem accepting connection
    java.io.IOException: required client certificate missing
        at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:711)
        at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:529)
        at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:219)
        at weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java:192)
        at weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1001)
        at weblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30)
        at weblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:377)
        at weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.java:506)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled Code)
    Thu Mar 08 16:12:07 GMT 05:30 2001:<D> <SSLListenThread> Problem accepting connection
    Can anybody suggest why this error is coming?
    Regards,
    Bhavani

  • Client certificate authentication on ASA 5520

    Hi,
    We have configured certificate authentication for remote access IPSEC vpn and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
    We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
    How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'certificate management>CA certificates' window with a new ASDM trustpoint, or are there more steps?

    Hi Paul,
    I generate a PKCS#12 file that encloses the client certificate + the associated private key + the CA certchain.
    I deployed it on client host machine by just sending it by e-mail/ USB key/ Web plushing.
    Depending on your client OS version, the client certificate should be present in the "login" store of keychain repository on a MAC OS-X client and in the "personal" store of the certificate repository on a Windows client.
    And that's it.
    Vincent
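
The certificate side of the question and reply above, as an added example that is not part of the original posts: a client certificate issued by a subordinate CA fails validation when the verifier holds only the root and succeeds once the subordinate's certificate is available too, and a PKCS#12 file can carry the client certificate, its key and the CA chain together. It assumes the OpenSSL command line (1.1.1 or later); every subject, file name and the export password is constructed.

```shell
#!/bin/sh
# Added example: throwaway root CA -> subordinate CA -> client certificate.
# Subjects, file names and the export password are all constructed.

issue() {  # args: dir name subject issuer ext-section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -days 2 -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/x.cnf" -extensions "$5" -out "$1/$2.pem" 2>/dev/null
}

build_pki() {  # arg: empty working directory
  cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/x.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" sub "/CN=Example Sub CA" root v3_ca &&      # signed by the root
  issue "$1" client "/CN=vpn-user-1" sub v3_client &&    # signed by the subordinate
  cat "$1/sub.pem" "$1/root.pem" > "$1/chain.pem"
}

# Verifier that holds only the root: the client certificate's issuer is unknown.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1
}

# Verifier that also holds the subordinate CA certificate: the chain completes.
verify_with_sub() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" \
    "$1/client.pem" >/dev/null 2>&1
}

# Client certificate + private key + CA chain in one PKCS#12 file for delivery.
make_p12() {
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.pem" \
    -certfile "$1/chain.pem" -name vpn-user-1 \
    -passout pass:constructed-example -out "$1/client.p12"
}
```

Call build_pki on an empty directory first; verify_root_only then returns non-zero, verify_with_sub returns zero, and make_p12 writes client.p12 into the same directory.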

  • Client Certificate Authentication

    Hi guys
    I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificate gets pushed.
    We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
    I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
    Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
    any help would be truly appreciated
    Jesus

    If IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
    Users could go to the website of the issuing certificate authorities and make a request.
    I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
    So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
    I'll look further though (interested in this myself).

  • How to retrieve client certificate passed by Apache proxy

    Hi all,
    Here's my configuration:
    Client <--HTTPS-->Apache Proxy (2-way SSL) <-- HTTP --> WLS 8.1
    I need to be able to access the client certificate passed to Apache by the client in my Java applications hosted on WLS.
    Here's what I did:-
    1. Set up Apache 2-way SSL. Tested ok.
    2. Set up Apache-Weblogic proxy. Tested ok for both HTTP, and server-side HTTPS.
    3. Configured Apache's ssl.conf SSLOption to export certificate data: SSLOptions +ExportCertData.
    4. In my application, I used request.getAttribute("javax.servlet.request.X509Certificate") to try and retrieve the certificate.
    However the certificate doesn't seem to be passed along to Weblogic :-(
    Any ideas if I'm missing any steps from above? Or if it's even possible to do this?
    Thanks for any suggestions!
    Any ideas

    The WL-Client-Proxy cert should be the cert used on the proxy side if SSL is configured between Apache and WebLogic, so I believe that is the reason why that does not work. Basically, the problem here is that SSL is end-to-end, and the two ends of this transaction are the client and apache.
    That said, when you add the +ExportCertData option, this should record the client's SSL certificate in the variable SSL_CLIENT_CERT. So you should be able to use request.getAttribute("SSL_CLIENT_CERT").
    See:
    http://www.modssl.org/docs/2.8/ssl_reference.html
    If this doesn't work for you (which is possible if the WL_Proxy is doing something funny to the request), it is probably best just to dump out the entire contents of the session, and see what you have:
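    // requires: import java.util.Enumeration;
    // list every attribute name and value present on the request
    for (Enumeration e = request.getAttributeNames(); e.hasMoreElements(); ) {
        String attr = (String) e.nextElement();
        System.out.println("ATTR = " + attr);
        System.out.println("VAL = " + request.getAttribute(attr));
    }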
    If you can't see any SSL certificate there, you will have to work out some way to pass this on manually.
    cheers,
    Trevor
