SOAP -Client Certificate Authentication in Receiver SOAP Adapter

Dear All,
We are working on the below scenario
SAP R/3 System -> XI/PI -> Proxy -> Customer
In this, SAP R/3 System sends a IDOC and XI should give that XML Payload of IDOC to Customer.
Cusomer gave us the WSDL file and also a Certificate for authentication.
Mapping - we are using XSLT mapping to send that XML payload as we need to capture the whole XML payload of IDOC into 1 field at the target end ( This was given in the WSDL).
Now, how can we achieve this Client Certificate authentication in the SOAP Receiver Adapter when we have Proxy server in between PI/XI and Customer system.
Require your inputs on Client Certificate authentication and Proxy server configuration.
Regards,
Srini

Hi
Look this blog
How to use Client Authentication with SOAP Adapter
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
Also refer to "SAP Security Guide XI" at service market place.
ABAP Proxy configuration
How do you activate ABAP Proxies?

Similar Messages

Project Server 2010 Web services access with Client Certificate Authentication

We switched our SharePoint/Project Server 2010 farm to use client certificate authentication with Active Directory Federation Services (AD FS) 2.0, which is working without issue. We have some administrative Project Server Interface (PSI)
web service applications that no longer connect to server with the new authentication configuration. Our custom applications are using the WCF interface to access the public web services.
Please let us know if it is possible to authenticate with AD FS 2.0 and then call
Project Server web services. Any help or coding examples would be greatly appreciated.

what is the error occurred when the custom PSI app connects?
can you upload the ULS logs here for research?
What is the user account format you specified in the code for authentication?
For proper authorization, the “user logon account” in PWA for the user needs to be changed from domain\username to the claims token (e.g.
'I:0#.w|mybusinessdomain\ewmccarty').
It requires you to manually call the UpnLogon method of
“Claims to Windows Token Service”. if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
{ var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity; }
if (Thread.CurrentPrincipal.Identity is ClaimsIdentity)
var identity = (ClaimsIdentity)Thread.CurrentPrincipal.Identity;
Than you need to extract UPN-Claim from the identity.
Upload the verbose log if possible.
Did you see this?
http://msdn.microsoft.com/en-us/library/ff181538(v=office.14).aspx
Cheers. Happy troubleshooting !!! Sriram E - MSFT Enterprise Project Management

Configure Client Authentication for Receiver SOAP Adapter

Hi,
Can you please tell me what i should give in receiver soap channel for KeyStoreEntry and KeyStoreView after checking Configure Client Authentication checkbox,as I have got certificate from third party.
Thanks in advance
Best Regards,
Harleen Kaur Chadha

Hi,
Keystore Entry:
Login to Visual Admin --> Server --> Services --> KeyStorage --> TrustedCAs --> Load --> Select the location where you have stored the certificate on your local system
Load function is used as you have already got the certificate....
Once this is done you will find an entry for your certificate in the Entries tab of your TrustedCAs section.
This is your Keystore Entry...in other words it the name of your certificate.
Keystore View:
http://help.sap.com/saphelp_webas630/helpdata/en/16/c0503e1dac5b46e10000000a114084/content.htm
Are you going to consume Logon tickets of the Third party system (which is other than SAP J2ee engine of your XI)? If yes, then you may also need to do some more settings in the J2ee Engine.
Regards,
Abhishek.

SOAP Header authentication in receiver SOAP

Hi,
we are interfacining a scenario where in receiver soap we are getting user name and pwd in header.
my scenairo is proxy to soap and it is asyncronous.
could you please tell me the solution how to do that. without header information it is working fine. i want what configuration i have to do to get the header information.
thanks
Laxmi Bhushan

Hi Laxmi,
follow this guide last section deploying SDA file using JSPM .
If you are not able to see your SDA file then run the comand which i have mentioned iin last section.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00b4a020-4ae6-2c10-5a95-fed4ad9a4b60?quicklink=index&overridelayout=true
Also take care of the extension of .SDA file.
Extract it properly in a folder . After adding content again create SDA and start deployement
thanks
sandeep

How to retrieve client certificate information from sender mail adapter

Hi, expert:
I have a requirement to verify the validation of coming email with digital certification. The mail is with digital certification. If the coming email is valid, I 'll get the attachemt of the mail for further processing. I have a sender mail adapter and receiver file adapter configued.
I have already my own developed adapter module, which is configued in mail adapter. My question is how to retrieve the detailed certificate information in the adapter module developed by myself. Is it feasible?
Thanks a lot.

The WL-Client-Proxy cert should be the cert used on the proxy side if SSL is configured between Apache and WebLogic, so I believe that is the reason why that does not work. Basically, the problem here is that SSL is end-to-end, and the two ends of this transaction are the client and apache.
That said, when you add the +ExportCertData option, this should record the client's SSL certificate in the vairable SSL_CLIENT_CERT. So you should be able to use request.getAttribute("SSL_CLIENT_CERT").
See:
http://www.modssl.org/docs/2.8/ssl_reference.html
If this doesn't work for you (which is possible if the WL_Proxy is doing something funny to the request), it is probably best just to dump out the entire contents of the session, and see what you have:
for (Enumeration e = request.getAttributeNames() ; e.hasMoreElements() ; ) {
String attr = (String)e.nextElement();
System.out.println("ATTR = " + attr);
System.out.println("VAL = " + request.getAttribute(attr));
If you can't see any SSL certificate there, you will have to work out some way to pass this on manually.
cheers,
Trevor

Help required with ADFS 3.0 client certificate authentication

Hi,
I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
federate user credentials to 3rd party trust for single-sign-on.
I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to
use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
Thanks!
-Chinmaya Karve

Hi Yan,
Thanks for your response. I have gone through the posts that you have suggested, and my setup looks pretty much as expected.
So, as I mentioned earlier, I have 2 parallel setups with 3rd party service(SalesForce). Once of them is running ADFS 2.0 and another one has ADFS 3.0. I can logon to the third-party services, from both the setups using username/format. I can logon to SF
using client authentication certificate from ADFS 2.0 setup, but from the same client machine, when I try to logon SF via ADFS 3.0, the browser just does not pick up any certificate. The page just shows message of "Select a certificate that you want to use
for authentication. If you cancel the operation, please close your browser and try again.".
I have checked the browser, and it has the right certificates. Also, the same browser/machine is used to logon to SF through ADFS 2.0 via client certificate, which works just fine !
I am really confused now, as to whose issue this really is...
Just to confirm, I am using Certificate Authentication from ADFS 3.0 Authentication Methods for both Intranet and Extranet.
Any suggestion or inputs where I could have gone wrong in the setup?
Thanks!

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

Client certificate authentication on ASA 5520

Hi,
We have configured certificate authentication for remote access IPSEC vpn and it is working fine. This is using the same internal Certificate Authority server for both the identity certificate of the ASA and the client certificates issued to remote clients.
We now wish to use a different CA which is a subordinate of the existing CA for client certificates - we want to keep the existing identity certificate using the root CA.
How do we ensure that the ASA will authenticate clients using certificates published by the old root CA and the new subordinate CA? What is the process to follow on the GUI to do this? Do I just add another CA certificate under the 'certificate management>CA certificates' window with a new ADSM trustpoint, or is there more steps?

Hi Paul,
I generate a PCKS#12 file that enclosed the client certificate + the associated private key + the CA certchain.
I deployed it on client host machine by juste sending it by e-mail/ USB key/ Web plushing.
Depending of your client OS version, the client certificate should be present in, the "login" store of keychain repository on a MAC OS-X client and in the "personal" store of the certificate repository on a Windows client.
And that it.
Vincent

Client Certificate Authentication

Hi guys
I am not sure if this is the right place to ask but here I go. We are trying to find the best option to push client certificates to our user's Mobile Devices so they just log into a website, type their credentials and the user certificated get pushed.
We have implemented Workplace Join, this allows us to use the certificate pushed by ADFS to log into a webapp with the only once, then for some reason (still under investigation) doesn't work anymore.
I have also read about Client Certificate Mapping Authentication with IIS and AD but obviously the Client Certificate has to be in the mobile device in order to accomplish the authentication.
Windows Intune ultimately will do the trick but the idea of this research is to find out what's available in Microsoft platform.
any help would be truly appreciated
Jesus

If IIS is used for certificate distribution (and access to CRLs), I think this could be done with Active Directory Certificate Services.
Users could go to the website of the issuing certificate authorities and make a request.
I've only done this for real with Group Policy triggering the request behind the scenes for *domain members* and approval based on membership in a particular group.
So I'm not 100% sure how you would configure automatic issuance of the cert based on entry of a correct password. Usually, the "certificate managers" have to approve per company policy.
I'll look further though (interested in this myself).
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Client certificate authentication fails when the CA list sent by server is big and the list goes in 2 encrypted messages.

I checked with IE browser(on windows and MAC) and MAC safari packet capture. The CA certificate list is sent by server in 2 messages as the list is too big. I compared packet by packet exchanges in both the browsers. It is same till TLSv1 handshake is done for the ldap certificate authentication. It works fine in IE without any issues though the certificate list is divided into 2 messages.
In case of safari, after the TLSv1 handshake is done successfully, it again sends a SSLv3 'Client Hello' message and initiates the whole handshake process again and the server responds to it too till the handshake is complete. But it brakes after that with the server showing 'Cant establish secure connection' at the browser.
The issue occurs only in case of MAC safari for big list of CA certs >150(where it crosses the max limit) from server. It is not clear why safari alone is switching from TLSv1 to SSLv3 in this scenario.
NOTE: With shorter list of CA certs at server when it goes in one message, safari works fine and all messages are only TLSv1 and does not repeat the handshake process.
I have checked on safari version 5 and 6.0.3 on OS X mountain lion.
Is there any specific reason why MAC safari behaves like this or somethings needs to be done at server?
Any help would be appreciated.

I checked with IE browser(on windows and MAC) and MAC safari packet capture. The CA certificate list is sent by server in 2 messages as the list is too big. I compared packet by packet exchanges in both the browsers. It is same till TLSv1 handshake is done for the ldap certificate authentication. It works fine in IE without any issues though the certificate list is divided into 2 messages.
In case of safari, after the TLSv1 handshake is done successfully, it again sends a SSLv3 'Client Hello' message and initiates the whole handshake process again and the server responds to it too till the handshake is complete. But it brakes after that with the server showing 'Cant establish secure connection' at the browser.
The issue occurs only in case of MAC safari for big list of CA certs >150(where it crosses the max limit) from server. It is not clear why safari alone is switching from TLSv1 to SSLv3 in this scenario.
NOTE: With shorter list of CA certs at server when it goes in one message, safari works fine and all messages are only TLSv1 and does not repeat the handshake process.
I have checked on safari version 5 and 6.0.3 on OS X mountain lion.
Is there any specific reason why MAC safari behaves like this or somethings needs to be done at server?
Any help would be appreciated.

Client Certificate Authentication not working in OSB 11g

Hi All,
I am currently having an issue with getting a 2 way SSL handshake to work in a production environment.
We have the set up working and fully functional in a Test environment, however when we have deployed the code and made the same config changes in the Production environment, it does nto work when calling the API (the result being as if we were not presenting the client cert to the API).
All relevant configuration on Weblogic and OSB was performed (Keystore creation / Security Realm - Service Key Provider / Service Key Providers etc) and I believe to be right.
We can test the keystore using SOAPUI and we get a valid response from the live API.
We can see the relevant aliases in OSB Service Key Provider so I know that the Security Realm / Identity settings are correct on the Weblogic Server.
The Test and Production Weblogic properties all look the same for Keystores / Secuirty Realms / SSL etc (expect with live keystores etc).
As we can see the aliases in OSB when setting up the Service Key Provider, it should just be a matter of setting the 'Authentication' of the business service making the call to 'Client Certificate' and this has also been done.
Though we always get an authentication error and code, that matched what we would get if we turn off the client cert authentication on the business service in the test environment (i.e not sending the certificate with the request).
What I really want to know is how can I find out for sure whether we are sending this certificate with our request or not? As I am struggling to find a way to log these details.
Any input appreciated.
Jamie

This is issue has now been resolved.
It was an environment specific issue rather than anything wrong with the actual code.

Client Certificate authentication doesn't work

Hi there,
I want to use client authentication to log on to a SAP WebAS ABAP. I did everything as described in Gregor Wolfs Blog: Setup Authentication with Client Certificates for the Sneak Preview SAP NetWeaver 04 ABAP Edition on Windows
(my system is not a sneak preview and it is based on Linux).
When I call a BSP application, I can choose the client certificate in the browser, and everything seems to work. But at the end, the basic authentication dialog appears.
In the dev_icm trace, I can see, that there is a user extracted from the DN of the certificate. In the HTTP access log, the user is logged on.
All certificates are valid, no problem found.
Exept the view VUSREXTID didnt work, the user in the HTTP access log was always the one from the DN, not the mapped one. But both are valid.
Any idea?
Thank you,
Erik

Did you map the certificate and user in the transaction 'extid_dn' ?
Because the 'normal' pop-up for username and password is opened when the system cannot find a user mapped to the certificate...
Felix

Unable to achieve client certificate authentication

I am trying to do mutual certificate authentication (client/server authentication), and getting following error.
Anybody has any clue?
SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
My code is below.
import com.sun.net.ssl.HttpsURLConnection;
import java.security.cert.*;
import javax.net.ssl.*;
import java.security.*;
import java.net.URL;
import java.io.*;
import java.util.Enumeration;
public class ClientCert {
private static SSLSocketFactory getSocketFactory() {
SSLSocketFactory theFactory = null;
try {
// set up key manager to do server authentication
SSLContext theContext;
KeyManagerFactory theKeyManagerFactory;
KeyStore theKeyStore;
char[] thePassword = "goldy123".toCharArray();
theContext = SSLContext.getInstance("TLS");
theKeyManagerFactory = KeyManagerFactory.getInstance("SunX509");
theKeyStore = KeyStore.getInstance("JKS");
theKeyStore.load(new FileInputStream("c:/castore"), thePassword);
//java.security.cert.Certificate certi[] = theKeyStore.getCertificateChain("ca");
// System.out.println("Certificate "+certi.length);
theKeyManagerFactory.init(theKeyStore, thePassword);
KeyManager managers[] = theKeyManagerFactory.getKeyManagers();
theContext.init(managers, null, null);
theFactory = theContext.getSocketFactory();
return theFactory;
} catch (Exception e) {
System.err.println("Failed to create a server socket factory...");
e.printStackTrace();
return null;
public static void main(String[] args) {
try {
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
com.sun.net.ssl.HostnameVerifier hv=new com.sun.net.ssl.HostnameVerifier() {
public boolean verify(String urlHostname, String certHostname) {
return true;
HttpsURLConnection.setDefaultHostnameVerifier(hv);
URL mioUrl = new URL("https://viveksharma:9090/LoginPage.do?userName=root&password=password");
//URL mioUrl = new URL("https://www.verisign.com");
//SSLSocketFactory factory = getFactorySSLFromCert(mioCertFile ,mioCertPswd );
//HttpsURLConnection.setDefaultSSLSocketFactory(factory);
//System.setProperty("javax.net.ssl.keyStore","C:/castore");
//System.setProperty("javax.net.ssl.keyStorePassword","goldy123");
System.setProperty("javax.net.ssl.trustStore","C:/vivekstore");
System.setProperty("javax.net.ssl.trustStorePassword","goldy123");
HttpsURLConnection.setDefaultSSLSocketFactory(getSocketFactory());
HttpsURLConnection urlConn = (HttpsURLConnection)mioUrl.openConnection();
urlConn.connect();
//urlConn.setDoInput(true);
// urlConn.setUseCaches(false);
javax.security.cert.X509Certificate ch[] = urlConn.getServerCertificateChain();
System.out.println(ch[0]);
InputStreamReader streamIn = new InputStreamReader(urlConn.getInputStream());
BufferedReader in = new BufferedReader(streamIn);
String inputLine;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
} catch (Exception e) {
e.printStackTrace();

Hello guys!
I've had this problem twice (once with Tomcat server and once with OC4J -- Oracle 9iAS) and was able to resolve it.
First of, make sure that the certificate your client is passing is valid (I always use JKS format... i think its a must when using JSSE) and is in your server's truststore (and that you specify which truststore file for your server to look at in your config file).
Secondly, also import the root CA of your client cerficate (if it isn't there yet) to the cacert file in $JAVA_HOME/jre/lib/security.
Hope this helps.

How to handle Client Certificate authentication using URLRequest/URLLoader

Hi All,
I developed an AIR Application which communicates with a server. Protocol used for communication is HTTPS, and server has a valid certificate.
So whenever AIR App, communicates with the server, a dialogue box prompts to select the client certificate just as show below.
So here what I am looking at is, Any method is available to prevent this prompt.
I have already tried the method of Enabling "Dont Prompt for client certificate selection when only one certificate exists", Of course this method will work only if multiple certificate exists, so what if multiple certificate exists.
How an air application can handle that?
So any one find any way to handle this. I am using URLRequest for commnicating with server.
Here is the code snippet I have used.
var request:URLRequest = new URLRequest(url);
request.method = URLRequestMethod.GET;
var urlLoader:URLLoader = new URLLoader();
urlLoader.dataFormat = URLLoaderDataFormat.TEXT;
urlLoader.addEventListener(Event.COMPLETE, loaderCompleteHandler)
urlLoader.addEventListener(Event.OPEN, openHandler);
urlLoader.addEventListener(HTTPStatusEvent.HTTP_STATUS, httpStatusHandler);
urlLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, securityErrorHandler);
urlLoader.addEventListener(IOErrorEvent.IO_ERROR, ioErrorHandler);//, false, 0, true);
Please help me...
Thanks
Sanal

Yes it is possible. Refer
Using Certificates for Authentication [http://docs.sun.com/app/docs/doc/820-7985/ginbp?l=en&a=view]
SSL Authentication section in [http://docs.sun.com/app/docs/doc/820-7985/gdesn?l=en&a=view]
client-auth element in server.xml [http://docs.sun.com/app/docs/doc/820-7986/gaifo?l=en&a=view]
certmap.conf [http://docs.sun.com/app/docs/doc/820-7986/abump?l=en&a=view]
certmap.conf should have verifycert "on", and lets say this certmap is called "cmverify" :
certmap cmverify default
cmverify:DNComps
cmverify:FilterComps uid
cmverify:verifycert onIn serve.xml we should have <client-auth> "required" and lets say we have an auth-db named "ldapregular":
<http-listener>...
<ssl>...
 <client-auth>required</client-auth>
</ssl>
</http-listener>
<auth-db>
<name>ldapregular</name><url>ldap://myldap:369/o%3DTestCentral</url>
<property><name>binddn</name><value>cn=Directory Manager</value></property>
<property><name>bindpw</name><value...</value><encoded/></property>
</auth-db>In ACL file we should have method = "ssl", database = "ldapregular" and certmap = "cmverify" :# clientauth against LDAP database with special certmap which has verifyCert on
acl "uri=/";
authenticate (user,group) {
 prompt = "Enterprise Server";
 method = "ssl";
 database = "ldapregular";
 certmap = "cmverify";
deny (all) user = "anyone";
allow (all) user = "alpha,beta,gamma";

Activesync client Certificate authentication with third party CA

Hi, I have to configure ActiveSync certificate based authentication, and use a third party CA.
What informations and fields must I configure on the cert template, to use it for activesync ?
For now I've a template with the CN (FirstName LastName) for the Subject Name and a Subject Alternative name with UserPrincipalName (user@domain). Is it enough ?
Do I must publish the user's certificate in AD ?
Thanks

Just one additional thing to consider, as I have seen it go wrong in the past.
Make sure that whatever certificate solution you decide upon will be suitable for your internal clients (Outlook) as well as autodiscover, external name, etc.
I have seen where people put in mail.domain.com in the SAN field, and everything works great for external clients. However, internal clients who connect to
mbx01.domain.com (the internal server name) get errors, as this server name is not on the certificate.
To make this work, you generally have two options:
Put the internal name of the server on the certificate as well - requires a certificate that allows multiple names (may be referred to as a
UC certificate or 'SAN Options' or something like that, depending on vendor)
Setup split-DNS, so your internal clients also use mail.domain.com
internally
I realize that this doesn't answer your original question, but I have seen this being done wrong many times, and this will hopefully save some headache.

SOAP -Client Certificate Authentication in Receiver SOAP Adapter

Similar Messages

Maybe you are looking for