Soasuite security policy that is equivalent of client-cert in web.xml

Can somebody suggest a soasuite security policy that is equivalent of "client-cert" in web.xml?
We have authentication providers in weblogic to authenticate when "client-cert" is specified in web.xml. I am trying to find out is there a security policy in soasuite (11.1.1.6) that mimics/equivalent of "client-cert".
Please help.

Similar Messages

  • How do I resolve this error in Safari: "Your page is blocked due to a security policy that prohibits access to Category Remote Proxies"?

    I'm trying to access several pages and keep getting "Your page is blocked due to a security policy that prohibits access to Category Remote Proxies". After going over all my security stuff I just can't find where I would correct the error.
    Is there anyone who could help me?
    Thanks
    Fr. Gary

    very strange,
    1. check time and date on your computer
    2. reset network configuration, make sure there are no proxy servers and you get DNS from your router not manual
    3. Reset certificates database
    Go to Terminal (Applications>Utilities)
    sudo rm /var/db/crls/*cache.db
    (you will be prompted for your password)
    and reboot the computer
    post back

  • This page has a content security policy that prevents it from being embedded in this way

    I keep getting this warning message on random pages, including AOL Mail, and Android Central Forums, after recent Firefox updates. I can't click this message off, and it locks the entire browser. Sometimes I can X out of it, and sometimes it opens many tabs and I have to force close it. I've been using Chrome, out of frustration, for the last few days and haven't had this pop up. I've used Firefox for many years and really enjoy it and hope I can continue. Any help and ideas would be appreciated.

    Do a malware check with several malware scanning programs on the Windows computer.
    Please scan with all programs because each program detects different malware.
    All these programs have free versions.
    Make sure that you update each program to get the latest version of their databases before doing a scan.
    * Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php
    * AdwCleaner: http://www.bleepingcomputer.com/download/adwcleaner/ or http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
    * SuperAntispyware: http://www.superantispyware.com/
    * Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
    * Windows Defender: http://windows.microsoft.com/en-us/windows/using-defender
    * Spybot Search & Destroy: http://www.safer-networking.org/en/index.html
    * Kaspersky Free Security Scan: http://www.kaspersky.com/security-scan
    You can also do a check for a rootkit infection with TDSSKiller.
    * Anti-rootkit utility TDSSKiller: http://support.kaspersky.com/5350?el=88446
    See also:
    * "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
    * https://support.mozilla.org/kb/troubleshoot-firefox-issues-caused-malware
    Boot the computer in Windows Safe Mode with network support (press F8 on the boot screen) as a test.
    * http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

  • Problems setting up 2way SSL with option Client certs requested Not Enfor

    Hi,
    I am having problems trying to set up 2 way SSL with the option "Clients Certs Requested But Not Enforced". I am using DefaultIdentityAsserter with my own implementation of UserNameMapper. And I have the login-config set to CLIENT-CERT in web.xml. I have tested this setup and it works when I have "Client Certs Requested and Enforced" but when I change it to "Requested and not enforced" it gives a 401 unauthorized exception.
    Any help with this will be greatly appreciated.
    Thanks
    Praveena.

    Hi Peter,
    I'm afraid not, I turned to Apple support forums, followed their advice for troubleshooting Mac Mail (obviously not relevant to you using Outlook) but It involved scanning ports checking firewalls etc, all of this was clear and I just cannot see the problem.
    I even got one of the Livechat BC guys to look into it, by setting up a dummy email address on the client's account, I think he was rather intrigued, but I'm not sure he's had much luck as he still hasn't got back to me and that was over 20 hours ago.
    Can your client receive emails? I can only get my client's account receiving emails, when I try to send an email I just keep receiving a message telling me that it cannot connect to smtp!
    According to the BC fact sheet for sending and receiving emails: "By Default, email software will set the SMTP port to 25, which is the standard port for the smtp protocol. However our mail service has two alternative ports available that you can send through. 8025 or 587."
    However it's not blocked and those port settings didn't work either.
    The Apple fact sheet made mention to firewall settings possibly also blocking, but it's not relevant to me using my version of OS.
    Good luck, and please repost if you get any further.
    I am now just looking for a reason that my client's mail WONT work on Mac Mail, just so I can sound professional when I tell them the answer is "no".
    Penny

  • CLIENT-CERT

    Hi all,
    Can any one please let me know how to change auth-method to CLIENT-CERT in web.xml of web logic server 10.3.3 ?
    We are using OAM 10.1.4.3 and weblogic server 10.3.3.
    We are trying to integrate OAM with weblogic server using oamAuthnProvider.jar.
    Could integrate OAM with weblogic server using OAMAuthenticator successfully.
    We are trying to integrate OAM with weblogic server using OAM Identity Asserter.
    We followed the steps mentioned in http://download.oracle.com/docs/cd/E12529_01/wlss31/configsecurity/clientcert.html.
    For this, we need to change auth-method to CLIENT-CERT in web.xml of web logic server 10.3.3.
    When we are trying to change auth-method to CLIENT-CERT we are not able to login to the weblogic console.
    Could any one please let us know how to change auth-method to CLIENT-CERT in web.xml of web logic server 10.3.3 ?
    Are there any steps to be followed before doing the change?
    Thanks & Regards,
    Swathi.
    Edited by: user9116523 on Aug 5, 2010 6:37 AM

    CLIENT-CERT in web.xml of web logic server 10.3.3
    Since web.xml refers to a web app, do you mean that you changed the console.war file?
    If your intent is to require client certificates to be presented in order to access the admin console, you don't do that by editing web.xml within the console.war file. It would be done on the SSL tab for the Admin server.
    Or have I misunderstood your question?

  • WebStart, custom security policy and debugging

    Hi,
    Please forgive the long post, it's an obscure problem.
    A year ago I implemented a custom instance-centric security policy that uses a database for storing permission data. It has served our needs very well on the server side. Now, however, I need to reuse it in a client application deployed to about 50 users via WebStart (there are more similar applications coming which will take the user base to about 200).
    For some reason, the permissions are not being properly evaluated under WebStart. Tracing through my policy code, I can see that calls to imply() return with expected true/false values, however, when the internals of Java's underlying security API aggregate the results, calls to AccessController.checkPermission() don't raise exceptions when and where they are expected to.
    This is really a hard problem to debug/trace. When I run the application locally, I have no problems with security checks even if I run it under a security manager (via -D.java.security.manager). Tracing to standard helps to a point and I can see that there is a difference: during the local runs, calls to MyCustomPolicy.implies(Permission, Domain) are made once per every AccessController.checkPermission() call made from the business layer. Under WebStart, there are three calls to MyCustomPolicy.implies() per every call to AccessController.checkPermission(). All three calls seem to come from the same stack frame. All three return 'false', yet AccessController.checkPermission() doesn't raise an exception.
    Analyzing stack's state at the point MyCustomPolicy.implies() is being called, I think the answer to my problem may lie in the following code snippet of AccessControlContext.checkPermission(Permission):
        for (int i = 0; i < context.length; i++) {
            if (context[i] != null && !context[i].implies(perm)) {
                if (debug != null) {
                    debug.println("access denied " + perm);
                }
                if (Debug.isOn("failure")) {
                    Thread.currentThread().dumpStack();
                    final ProtectionDomain pd = context[i];
                    final Debug db = debug;
                    AccessController.doPrivileged(new PrivilegedAction() {
                        public Object run() {
                            db.println("domain that failed " + pd);
                            return null;
                        }
                    });
                }
                throw new AccessControlException("access denied " + perm, perm);
            }
        }
    I believe that somehow one of the iterations gets to "return null" line, but at the moment I have no way of verifying this.
    I'm finally getting to my question. In order for me to understand what's going on, I need to enable debugging of AccessControlContext. I can do this by setting java.security.debug system property. Again, I have no problem enabling debugging on a local system, but not under WebStart.
    Here's what the relevant markup in the .jnlp file looks like:
    <resources>
    <j2se version="1.5" max-heap-size="128m" initial-heap-size="32m" java-vm-args="-Djava.security.debug=all">
    </j2se>
    <!-- a bunch of jar declarations -->
    <property name="java.security.auth.login.config" value="jar:swing-app-SNAPSHOT.jar!/jaas_login.properties">
    </property>
    <property name="java.security.debug" value="all">
    </property>
    </resources>
    this seems to have no effect and no debugging output appears. Any ideas why? Is there anything else I can do to enable debugging of AccessControlContext under WebStart?
    I don't expect too many replies to my post (unless 3 sleepless weeks made me miss something really obvious), but if anyone can offer a hit/hit/insightful comment :), that would be great.
    Dmitry

    Hey
    I have just finished such a policy implementation - boy could I have done with your help!
    I've never seen the java.security.debug property before - not to say it doesn't exist, but don't confuse system properties and security properties. Try setting it programmatically via Security.setProperty() or the Java Admin console [if you can], or even in the JRE WebStart uses via the java.security file.
    When you run it locally with security switched on, do you observe the 3-to-1 behaviour also? I'm not sure if this is important - depends on your answer. As for the checks being performed from the same stack frame, the AC iterates over the protection domains as it checks them; the 3-to-1 behaviour is the result of there being 3 extra frames to check, possibly due to the fact you're executing from JWS [although I'd expect JWS to be considered system code]. If the execution in AC gets to return null; then Debug.isOn("failure") must evaluate to true [...I'd slump in my chair at this point] but there's no way to figure out accurately what the semantics of this is AS THERE'S NO FRICKIN SRC AVAILABLE [...this really annoys me]. The only thing I can suggest for that is to not try and switch debugging on.
    I suspect you are using JAAS [hence the dynamic policy need]? I have an idea if you are.
    I totally know what you mean about the sleepless nights mate - I'm glad I done it all now, learnt all about security within Java which I knew nothing about 6 months ago.
    Warm regards,
    D

  • Page can't be accessed due to security policy, category default-it's my homepage which has been my homepage forever.

    I suddenly can't access my homepage - I get this message: "Your page is blocked due to a security policy that prohibits access to Category default ". This has been my homepage for years and I've never had this problem before.

    Also do a malware check with several malware scanning programs on the Windows computer.
    Please scan with all programs because each program detects different malware.
    All these programs have free versions.
    Make sure that you update each program to get the latest version of their databases before doing a scan.
    * Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php
    * AdwCleaner: http://www.bleepingcomputer.com/download/adwcleaner/ or http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
    * SuperAntispyware: http://www.superantispyware.com/
    * Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
    * Windows Defender: http://windows.microsoft.com/en-us/windows/using-defender
    * Spybot Search & Destroy: http://www.safer-networking.org/en/index.html
    * Kaspersky Free Security Scan: http://www.kaspersky.com/security-scan
    You can also do a check for a rootkit infection with TDSSKiller.
    * Anti-rootkit utility TDSSKiller: http://support.kaspersky.com/5350?el=88446
    See also:
    * "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
    * https://support.mozilla.org/kb/troubleshoot-firefox-issues-caused-malware

  • Client-cert auth impl in web.xml does not work in Oracle Application Server

    Hi,
    I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
    My server details are:
    Oracle Application Server 10g Release 2 (10.1.2)
    Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
    I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WSCollection</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
    </login-config>
    It is not working as expected, though I have restarted my oc4j container after including this content to the web.xml file. i.e, I am able to invoke the web service through my sample java client program, though I do not have client certificate/keystore.
    I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
    Thanks,
    Ms

    I am having the same problem with doc and xsl. I have added this
    <mime-mapping>
    <extension>xls</extension>
    <mime-type>application/vnd.ms-excel</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>doc</extension>
    <mime-type>application/msword</mime-type>
    </mime-mapping>
    to my web.xml. I even restarted the server. I still see doc and xsl in binary.
    Is there some other setting that needs to take place?
    I am using WL6.1 with fixpack 1.
    I can see the doc and excel files in the browser if I don't go through the weblogic
    server. That just confirms it's not my browser.
    Kumar Allamraju <[email protected]> wrote:
    It works fine for me in 6.1 SP1.
    If the following doesn't work, can you
    try application/winword instead of application/msword?
    --
    Kumar
    Siming Mu wrote:
    > Hi,
    > I setup in my web.xml a mime mapping as follows,
    > <mime-mapping>
    > <extension>doc</extension><mime-type>application/msword</mime-type>
    > </mime-mapping>
    > When I specify a test.doc url, the doc file appears in my browser as binary data
    > instead of download.
    > Please reference change request 055002, which describes this problem. According
    > to edocs, it has been fixed in wls6.1sp1.
    > But I am seeing it fixed. Am I doing anything wrong? Thanks.
    > Siming

  • Weblogic 10.0 web application with CLIENT-CERT suddenly redirect with 401

    Hi everybody,
    we currently have a Weblogic Portal 10.2 web application with an integrated Windows authentication.
    I configured a Negotiate Identity Asserter and an Active Directory provider.
    I configured Kerberos services, so we have successful access to our application through the Windows session.
    But, most of the time we have 401 errors on any page when navigating. In fact, the error occurs when clicking on a link when a page is not fully loaded.
    For our tests, we use the security webapp provided by BEA/Oracle, and it just works.
    The web.xml used in our webapp :
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>sso</web-resource-name>
    <description>Desc</description>
    <url-pattern>/appmanager/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description>desc</description>
    <role-name>ssoRole</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name/>
    </login-config>
    <security-role>
    <description>Authenticated user</description>
    <role-name>ssoRole</role-name>
    </security-role>

    which version of web server r u using here ? 6.1 or 7.0 ? if it is 6.1 then there is no easy <If> syntax. if u r using 7.0, then u need to be aware that the processing of 'ppath' is slightly different in 7.0
    in any case, this would be the syntax
    <Object name="weblogic" ppath="/hw/">
    Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
    # gateway timeout - back end web logic not responding handle differently
    <If code='504'>
    # send it to a different post..
    Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
    </If>
    </Object>
    - sriram

  • Client-cert sample webapp doesn't work?

    In trying to understand how one can use client certificates with a Java webapp in the WS7, I figured I would start with the sample that comes with WS7 (in samples/java/webapps/security/client-cert). Unfortunately, the sample doesn't seem to work. I can install it just fine, and it runs, but it doesn't do what it is supposed to do. When I access the servlet from my browser, I see the message "Welcome to our Certificate secure zone." Unfortunately, it let me access this page without ever prompting me for a certificate, so it's not actually a certificate secure zone. I double-checked in the access logs to see, and sure enough index.jsp is being delivered to an unauthenticated user.
    When I examine the web.xml deployment descriptor, it's not clear to me that it should work. Here's the web.xml:
    <web-app>
      <display-name>Welcome to Certificate Security Zone</display-name>
      <servlet>
        <servlet-name>clientcert</servlet-name>
        <display-name>clientcert</display-name>
        <jsp-file>/index.jsp</jsp-file>
      </servlet>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>clientcert security test</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
      </login-config>
    </web-app>
    This web.xml seems to imply that the mere presence of a login-config will secure the entire app. The servlet specification seems a bit vague on this point, but since there isn't any auth-constraint in the security-constraint, I don't think the login-config ever applies. I think the login-config only comes into play when a security-constraint requires authentication.
    What am I missing in my understanding of the web.xml?
    What might prevent this simple sample from working properly? Could there be some other ACL or web server setting that overrides?
    Thanks,
    Tom

    If URI is not a protected resource and you want client authentication, you should use server.xml <ssl><client-auth>...</client-auth></ssl> instead of PathCheck line as I told. Value can be set to "required" or "optional".
    However, if URL is a protected resource you DO NOT HAVE to add PathCheck or client-auth element in server.xml.
    After installing client-cert sample application using ant and ant deploy, here is what you have to do to make it work :
    1) Add in http-listener element in instance's server.xml :
       <ssl><enabled>true</enabled></ssl>
    2) Make sure you have a certificate named "Server-Cert" in NSS db in <ws-install-dir>/https-<instance-name>/config or change the certificate name appropriately in server.xml.
    3) To make it a protected resource, web.xml should have :
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
    <web-app>
      <display-name>clientcert</display-name>
    <servlet>
        <servlet-name>clientcert</servlet-name>
        <display-name>clientcert</display-name>
        <jsp-file>/index.jsp</jsp-file>
      </servlet>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/roleprotected/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>TestRoleOne</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-role>
        <role-name>TestRoleOne</role-name>
      </security-role>
    </web-app>
    4) And sun-web.xml should have :
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN" "http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_3-0.dtd">
    <sun-web-app>
    <security-role-mapping>
       <role-name>TestRoleOne</role-name>
       <principal-name>[email protected], CN=Franzl Alpha, UID=alpha, OU=People, O=TestCentral, C=US</principal-name>
    </security-role-mapping>
    </sun-web-app>
    You will be able to access http://<host-name>:<port>/ without sending client certificate from the browser.
    Now create client certificate and import this certificate in your browser.
    Access from the browser, http://<host-name>:<port>/webapps-certificatebased-security/index.jsp browser should prompt for cert selection (if so configured) and the application should get certificate.
    P.S. I have tested it. It works for me this way (without adding <ssl><client-auth> or PathCheck directive).
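
Added example, not part of either post above and not code from Sun or Oracle: a small Python audit of web.xml that reports what each security-constraint actually enforces, following the servlet-specification rule Tom describes (a constraint with no auth-constraint never triggers login-config, and an empty auth-constraint denies every caller). The sample descriptors are constructed, condensed from the ones quoted on this page, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a '{namespace}' prefix so DTD-era and schema-era descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elems, name):
    return [(c.text or "").strip() for e in elems for c in _kids(e, name)]


def audit_web_xml(xml_text):
    """Return the declared auth-method and the effect of each security-constraint."""
    root = ET.fromstring(xml_text)
    declared = _texts(_kids(root, "login-config"), "auth-method")
    report = {"auth_method": declared[0] if declared else None, "constraints": []}
    for sc in _kids(root, "security-constraint"):
        wrc = _kids(sc, "web-resource-collection")
        auth = _kids(sc, "auth-constraint")
        roles = _texts(auth, "role-name")
        if not auth:
            effect = "no-authentication"   # login-config is never consulted
        elif not roles:
            effect = "deny-all"            # empty auth-constraint: nobody gets in
        else:
            effect = "authenticated"       # caller must authenticate and hold a role
        transport = _texts(_kids(sc, "user-data-constraint"), "transport-guarantee")
        report["constraints"].append({
            "patterns": _texts(wrc, "url-pattern"),
            "http_methods": _texts(wrc, "http-method") or ["ALL"],
            "roles": roles,
            "transport": transport[0] if transport else "NONE",
            "effect": effect,
        })
    return report


def findings(report):
    """Turn an audit report into human-readable findings."""
    out = []
    cons = report["constraints"]
    if report["auth_method"] == "CLIENT-CERT" and not any(
            c["effect"] == "authenticated" for c in cons):
        out.append("CLIENT-CERT is declared but no constraint requires authentication")
    for c in cons:
        where = ",".join(c["patterns"])
        if c["effect"] == "no-authentication" and c["transport"] == "CONFIDENTIAL":
            out.append(f"{where}: CONFIDENTIAL requires an encrypted transport, "
                       "not a client certificate")
        if c["effect"] == "deny-all":
            out.append(f"{where}: empty auth-constraint denies every caller")
        if c["effect"] == "authenticated" and c["http_methods"] != ["ALL"]:
            out.append(f"{where}: methods other than {c['http_methods']} "
                       "are not covered by this constraint")
    return out


# Constructed samples, condensed from descriptors quoted on this page.
SAMPLE_NO_AUTH = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WSCollection</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

SAMPLE_EMPTY_AUTH = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/secured.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

SAMPLE_ROLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/roleprotected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>TestRoleOne</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    for name, doc in [("no-auth", SAMPLE_NO_AUTH), ("empty-auth", SAMPLE_EMPTY_AUTH),
                      ("role", SAMPLE_ROLE)]:
        rep = audit_web_xml(doc)
        print(name, [c["effect"] for c in rep["constraints"]], findings(rep))
```

For a descriptor on disk, read the file and pass its text to audit_web_xml; the role-to-principal mapping (sun-web.xml in the answer above) is container specific and is not checked here.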

  • Only client cert in Sun One App server

    Hi,
    Is this possible to configure an application for Sun One Application Server 8 Update 1
    to use only Client Cert auth without login with id and password ?
    I configured whole 1043 port to use Client Auth. It works when I enter https://localhost:1043. I provide client cert. But when I enter my app I got 'access denied'.
    The app contains only one jsp page and no roles at all.
    The following is my web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name xml:lang="pl">secure</display-name>
    <servlet>
    <display-name xml:lang="pl">secured</display-name>
    <servlet-name>secured</servlet-name>
    <jsp-file>/secured.jsp</jsp-file>
    </servlet>
    <jsp-config/>
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WRCollection</web-resource-name>
    <url-pattern>/secured.jsp</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    </web-app>
    sun-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.0 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-0.dtd">
    <sun-web-app>
    <context-root>/secure</context-root>
    <session-config>
    <session-manager persistence-type="memory">
    <manager-properties/>
    <store-properties/>
    </session-manager>
    <session-properties/>
    <cookie-properties/>
    </session-config>
    <cache enabled="false" max-entries="4096" timeout-in-seconds="30">
    <default-helper/>
    </cache>
    </sun-web-app>
    Thank You.

    Hello again.
    I would like to refrain my question.
    In admin console on port 4848 in Http Service node is a http-listener-2 defined.
    In particular there is "Client Authentication" setting.
    This is global setting for all request coming to that port.
    Can I achieve the same functionality using web.xml in one of the apps server on the same port without resorting to setting this global option to true ?
    Thank You.

  • Implementing client-cert auth in web.xml in Oracle Application Server

    Hi,
    I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
    My server details are:
    Oracle Application Server 10g Release 2 (10.1.2)
    Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
    I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WSCollection</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
    </login-config>
    It is not working as expected, though I have restarted my oc4j container after including this content to the web.xml file. i.e, I am able to invoke the web service through my sample java client program, though I do not have client certificate/keystore.
    I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
    Thanks,
    Ms

    Hello,
    You have different level of integration of SSO services in OC4J 10g (10.1.3).
    If you are using an LDAP server you can integrate that using the LDAP security provider and support SSO between applications. This is documented as part of the Identity Management Integration.
    Also in 10.1.3.0.0 you need to have at least an LDAP server (or bigger identity management solution) to do SSO.
    In 10.1.3.1.0, that should be available this summer, OC4J will have a new security service that will allow applications to be authenticated in a single sign-on fashion. (Stay tuned to the OTN forum we will publish a beta version very soon)
    Regards
    Tugdual Grall

  • IBCM on non domain computers - Client Cert: None

    I have IBCM up and running for my domain joined computers, but I have problems with our DMZ and workgroup computers. I have imported the client certificate with the computer name in the subject and SAN, I imported the root and sub cert into the local store and the client actually installs. But it seems like there is no real communication. When checking in the control panel, one thing that sticks out is "Client Cert: None" on the first tab. I'm lost.

    "I have imported the client certificate with the computer name in the subject and SAN"
    What exactly does this mean? Where did you get this cert from? Why are you using a SAN for the client auth cert? Is this even a client auth cert? Is it unique to this client?
    Also, posting single lines from a log file is useless and meaningless. Log files are about context and flow which are completely lost when you post a single line. Additionally, single lines rarely contain the actual issue and just reflect what happened previously which can not be discerned without the lines before and after it. Thus, please post the entire relevant and unedited snippet of the log files requested by Nash showing the problem areas.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Client-cert only ?

    Hi,
    Sun App Server 8.
    Is it possible to setup web app security with client-cert only (no user & pass) ?
    If so, please provide sample xml files.
    Thanks

    The following security Constraint in web.xml will make the URL /clientCert to be accessible only with a client cert
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
         <web-resource-name>WRCollection</web-resource-name>
         <url-pattern>/clientCert</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    </login-config>

  • EAP-TLS client security policy enforcement question using ISE

    Hi Experts,
    I have a remote site connected to the HQ wireless controller, and Cisco ISE is used as the RADIUS server. I am using the EAP-TLS authentication method, where the client validates the server certificate and the server validates the client certificate.
    I am using EAP-TLS and machine authentication.
    For the server certificate installation using an internal PKI (root CA) server, I am quite clear that we can create a certificate in ISE and have it signed by the CA, and that it will be used for EAP-TLS as well. However, I am trying to understand the client certificate installation.
    How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?
    And more important, which certificate will be installed on the client machines? Do we need to create the certificate first from the CA and save it in a repository, so that it can later be installed on the client machines? Sorry, it could be a Microsoft AD related question, however I am pretty sure that we, as wireless techies, need to know even the client-side configuration.
    This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?
    How will the client's wireless network adapter properties be automatically configured with the same SSID which is configured with EAP-TLS, along with certificate validation?
    I am not sure... will it get pushed through AD? How will it happen?
    It would be really helpful if someone could shed light on this.

    Hello Vino,
    Some answers below:
    "How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?"
    You have templates in the certificate authority for user or machine certificates, and you can apply these certificates to a group of machines or users using GPO in Windows Server 2008.
    It can be automatic, because the machine can get it using GPO from the domain and can then authenticate using 802.1X with the certificates received from this policy.
    If you want a user certificate and want to get it manually, you can also access the CA using the URL https://X.X.X.X/certsrv, request the user certificate manually using your domain credentials, and install it manually to authenticate using EAP-TLS with this user certificate.
    On the Cisco ISE side, it needs to have a local certificate from the same CA as the clients or from another CA, and Cisco ISE needs to trust the clients' CA issuer to accept the client certificate and allow the client to access the network.
    On the client side the same happens: the client needs to trust the issuer CA of the Cisco ISE certificate to validate the ISE certificate and get access to the network.
    "And more important, which certificate will be installed on the client machines? Do we need to create the certificate first from the CA and save it in a repository, so that it can later be installed on the client machines? Sorry, it could be a Microsoft AD related question, however I am pretty sure that we, as wireless techies, need to know even the client-side configuration."
    If you have a Windows Server with GPO and a CA configured, you can use some templates to automatically apply a machine certificate or user certificate to a group of machines or users. In the case of machines it can be obtained from the domain using GPO, and in the case of a user certificate it can be obtained manually or using GPO too.
    "This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?"
    EAP-TLS is the most secure method to use to authenticate devices in the network because you have certificates and you have a trusted certificate authority that you trust, and only devices that have certificates from these CAs will be allowed to access the network.
    Another very secure method is EAP-FAST with machine and user certificates, where ISE will validate both the machine and the user certificate before allowing the client to get access to the network.
    "How will the client's wireless network adapter properties be automatically configured with the same SSID which is configured with EAP-TLS, along with certificate validation?"
    You can apply it using GPO in Windows Server to a domain machine too, but when you have a machine that is not a domain machine, you can use a user certificate to authenticate it; you need to install the user certificate manually on that machine to authenticate the user to the wireless network, and create the SSID specifying the policy, which is EAP-TLS.
    Remember that the client machine needs to have the CA issuer of the Cisco ISE certificate to trust Cisco ISE and get access to the network, and the opposite too (ISE needs to have the CA issuer to trust the client).
    I hope it helps.
