Solaris 8 Auth with NDS 4.16

I have installed Netscape Directory Server 4.16 on Solaris 8 and wish to use LDAP for OS auth. I referred to the LDAP Setup & Configuration Guide from docs.sun.com and failed to add the domain entry as described in the doc:
dn: dc=mydomain,dc=com
dc: mydomain
associatedDomain: mydomain.com
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
objectClass: nisDomainObject
nisdomain: mydomain.com
I tried the console and /usr/bin/ldapadd. Both of them failed. Did I make a typing mistake??
Lucas

I found the answer on http://forum.sun.com, and there is a shell script to set it up:
http://www.sun.com/blueprints/tools
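A structural pre-check of the domain entry above, as an added example that is not from the original post or from Sun's documentation: it parses the LDIF, checks the MUST attributes of each declared objectClass against a small assumed schema subset (SCHEMA_MUST covers only the four classes used here), and checks that the RDN value is also present as an attribute value. Attribute names are matched case-insensitively, so "nisdomain" versus "nisDomain" is not by itself a reason for ldapadd to reject the entry; if the entry passes this check, the server's own error message and schema are the next thing to look at.

```python
"""Check an LDIF entry against the MUST attributes of the object classes it
declares, before handing it to ldapadd.

Constructed example, not from the original post or from Sun/Netscape docs.
SCHEMA_MUST is an assumption: it covers only the four classes used in the
post and is not a complete directory schema.
"""

# Assumed MUST attributes per object class.  Names are lower-cased because
# LDAP attribute and class names are case-insensitive: "nisdomain" and
# "nisDomain" name the same attribute, so that spelling is not a defect.
SCHEMA_MUST = {
    "top": {"objectclass"},
    "domain": {"dc"},
    "domainrelatedobject": {"associateddomain"},
    "nisdomainobject": {"nisdomain"},
}

# The entry from the post, embedded as sample input.
SAMPLE_LDIF = """\
dn: dc=mydomain,dc=com
dc: mydomain
associatedDomain: mydomain.com
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
objectClass: nisDomainObject
nisdomain: mydomain.com
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr_lower: [values]}).

    Supports "attr: value" lines and folded continuation lines (leading
    space).  Base64 ("attr:: ...") and URL ("attr:< ...") forms are
    rejected to keep the checker small.
    """
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or value[:1] in (":", "<"):
            raise ValueError("unsupported LDIF line: %r" % line)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn")
    return dn, attrs


def check_entry(dn, attrs, schema=SCHEMA_MUST):
    """Return a list of problems; an empty list means the entry passes."""
    problems = []
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    if not classes:
        problems.append("no objectClass attribute")
    for cls in classes:
        if cls not in schema:
            problems.append("objectClass %r is not in the assumed schema" % cls)
            continue
        for must in sorted(schema[cls]):
            if must not in attrs:
                problems.append("objectClass %r requires attribute %r" % (cls, must))
    # Directory servers reject an entry whose RDN value is not also present
    # as an attribute value, so check dc=<rdn value> against the dc attribute.
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    rdn_attr, rdn_value = rdn_attr.strip().lower(), rdn_value.strip().lower()
    if rdn_value not in [v.lower() for v in attrs.get(rdn_attr, [])]:
        problems.append("RDN %s=%s has no matching %s attribute value"
                        % (rdn_attr, rdn_value, rdn_attr))
    return problems


def check_ldif(text, schema=SCHEMA_MUST):
    """Parse and check a single-entry LDIF string."""
    dn, attrs = parse_ldif_entry(text)
    return check_entry(dn, attrs, schema)


if __name__ == "__main__":
    for line in check_ldif(SAMPLE_LDIF) or ["entry passes the structural check"]:
        print(line)
```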

Similar Messages

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue.  I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0.  I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great.  However, when I log in and select my ACS token issuer, I get sent to the logon page of ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message “Authentication failed”.
    I base my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and that I am able to retrieve the CRL.
    I got event ID 300 in the event log:
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This is perfectly correct; in my case I was not adding the root properly. You must add the CA and the ADFS one as well, which is twice; you can see my results below.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • On Sun fire v490 - Solaris 10 with Oracle 8.1.7.4 & Sybase 12.0

    Hi,
    We are going to upgrade our server with this configuration -
    Sun Fire V490     2 x 1.05 GHz UltraSPARC IV CPU
    8096MB RAM     2 x73GB local disk
    2x FC 2GB Sun/QLogic HBAs
    DAT72
    On one machine we will have Sun Solaris v10 with
    Oracle DB v8.1.7.4 & Second one will be Sun Solaris v10 with Sybase DB v12.0.0.6.
    Now our question is: the Sun Fire has hyper-thread CPUs; will the O/S and databases (Oracle and Sybase) view the proposed system as a true 4 CPU platform? Will parameters used to tune the database, such as Sybase max online engines, still operate in the same manner as before?
    Our old machine configuration was - Sun E450     4x400MHz CPU     1024MB RAM     2 x18; 8x36GB disks

    Questions on Oracle and Sybase should be directed to a database forum, this forum is for Sun hardware support.
    Here is a link to a DB forum I look at from time to time:
    http://www.dbforums.com/index.php
    The topic of tuning Oracle or Solaris is way beyond the scope of this forum; I have attempted to go into it before but didn't get any feedback, and I would only like to spend lots of time on it if I was being paid!!! On the memory side, keep in mind that Oracle 9i 64-bit can address a maximum of 2 ^ 64 ( 16777216 TB ) memory; prior to that the DBA had to define memory parameters in init.ora. To be honest, the last time I worked with an Oracle 8 database I shut a HP K class server down permanently that had been migrated to Oracle 9i on Solaris by an Oracle consultant, and I can't remember all the tuning tricks etc.

  • Successful install of 8.1.7 on Solaris 8 with more than 256Mb RAM

    To all who have struggled with this one, like me. You owe me a bottle of Rogaine.... but I will accept a bottle of Jack instead.
    It appears that the kernel parameters published in the Install Guide are only good for Solaris 8 with up to 256Mb RAM
    If dbassist craters at around 80% in OUI with a "Can't connect to Oracle" and you have more than 256Mb on board
    DOUBLE the kernel parameters !!!
    shmmni = 200
    shmseg = 20
    semmns = 400
    semmni = 200
    semmsl = 200
    semopm = 200
    touch /reconfigure (they don't mention that in the Guide)
    reboot
    If someone out there can isolate which actual damn kernel parameter is the culprit, I will gladly share some Jack with you.
    Otherwise an email to [email protected] with a comment or three will suffice.
    Cheers

    Sorry to ask a dumb question, but I want to be precise: when you say touch /reconfigure, do you mean touch system?
    What is the reconfigure?

  • Solaris x86 with Oracle RAC 10g Enterprise Edition Release 10.2.0.3.0

    Hello,
    Maybe you can help me (new on RMAN backup) in doing this.
    I have configured a single Oracle 10g database to have backup with RMAN with following steps:
    1. $ mkdir $ORACLE_BASE/rman_scripts
    2. $ mkdir $ORACLE_BASE/logs
    3. $ mkdir $ORACLE_BASE/tracking
    4. $ mkdir $ORACLE_BASE/c_backup
    5. $ sqlplus sys/<password> as sysdba
    6. SQL> alter system set db_recovery_file_dest_size = 50G scope=both;
    7. SQL> alter system set db_recovery_file_dest='${ORACLE_BASE}/flash_recovery_area' scope=both;
    8. SQL> alter system set log_archive_dest_10='location=use_db_recovery_file_dest';
    9. SQL> shutdown immediate
    10. SQL> startup nomount
    11. SQL> alter database archivelog;
    12. SQL> alter database open;
    13. SQL> alter database enable block change tracking using file '${ORACLE_BASE}/tracking/rman_change_track.f';
    14. $ rman target /
    15. RMAN> CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK
    TO '/var/opt/oracle/flash_recovery_area/ORCL/c_backup/%F';
    16. RMAN> CONFIGURE CONTROLFILE AUTOBACKUP ON;
    17. RMAN> CONFIGURE BACKUP OPTIMIZATION ON;
    18. RMAN> CONFIGURE RETENTION POLICY TO RECOVERY WINDOW OF 7 DAYS;
    19. RMAN> exit
    I need to configure incremental backup with RMAN on a two node Solaris x86 with Oracle RAC 10g Enterprise Edition Release 10.2.0.3.0 installation.
    We also use ASM to store database files, and have Oracle software installed on separate file systems (two Oracle roots for Node1 and Node2).
    I have following questions:
    1) where to put Flash Recovery Area (FRA)?
    I saw recommendations to put FRA on the ASM, is this the best way to do it?
    2) Can I put FRA on another file system (not on the ASM) which is available only from Node1? This way I can save space on the ASM.
    3) Is it possible/recommended to run RMAN from Node1 only?
    Below is the script used to run RMAN on the normal Oracle database (without RAC) which I need to change :
    =============================================================================================
    2.0 Oracle backup script: /opt/app/oracle/rman_scripts/backup.sh
    Use this for daily backups, possibly as a cron job.
    Once a week run this: /opt/app/oracle/rman_scripts/backup.sh FULL
    All other days of the week: /opt/app/oracle/rman_scripts/backup.sh INCREMENTAL
    Note: You may have to change ORACLE_SID, ORACLE_BASE below to match your database.
    =============================================================================================
    #!/usr/bin/ksh
    # Daily RMAN wrapper: FULL (level 0) once a week, INCREMENTAL (level 1) on the other days.
    ORACLE_SID=orcl
    ORACLE_BASE=/opt/app/oracle
    ORACLE_HOME=${ORACLE_BASE}/product/10.2.0/db_1
    PATH=${ORACLE_HOME}/bin:/usr/bin
    # rman reads these from the environment, so they must be exported.
    export ORACLE_SID ORACLE_BASE ORACLE_HOME PATH
    LOGDIR=${ORACLE_BASE}/logs
    LOGFILE=${LOGDIR}/rman.log
    # "<" inside [[ ]] is a string comparison in ksh; -lt is the numeric test.
    if [[ $# -lt 1 ]]
    then
        echo "usage: backup.sh FULL|INCREMENTAL"
        exit 1
    fi
    BACKUPTYPE=${1}
    full='FULL'
    incremental='INCREMENTAL'
    if [[ $BACKUPTYPE == $full ]]
    then
        # A level 0 incremental is the base the level 1 backups build on;
        # a plain "backup database" cannot serve as that parent.
        $ORACLE_HOME/bin/rman target / nocatalog log ${LOGFILE} append << eof
    run {
      backup incremental level 0 database;
      SQL 'alter system archive log current';
      backup archivelog all;
      delete noprompt obsolete;
    }
    exit;
    eof
        echo ''
    fi
    if [[ $BACKUPTYPE == $incremental ]]
    then
        $ORACLE_HOME/bin/rman target / nocatalog log ${LOGFILE} append << eof
    run {
      backup incremental level 1 database;
      SQL 'alter system archive log current';
      backup archivelog all;
      delete noprompt obsolete;
    }
    exit;
    eof
        echo ''
    fi

    Hi [email protected],
    Q1) where to put Flash Recovery Area (FRA)?
    A1) With RAC: on the shared storage
    I saw recommendations to put FRA on the ASM, is this the best way to do it?
    If you want your backups to be available for both nodes you have to use shared storage or tape using an mml library.
    So if you want to use the FRA for rman backups and the database is on ASM just make ASM the standard for the FRA as well.
    Q2) Can I put FRA on another file system (not on the ASM) which is available only from Node1? This way I can save space on the ASM.
    A2) Then you cannot recover in case Node1 is down. Best would be to send your storage admin to a training course so he can manage the clustered raw devices needed for ASM.
    Q3) Is it possible/recommended to run RMAN from Node1 only?
    A3) No see A2.
    Regards,
    Tycho

  • How to install solaris 8 with a nvidia M64 agp ?

    How to install solaris 8 with a nvidia M64 agp ?

    Use kdmconfig. Make sure you're running MU3 or greater because there are some patches
    specific to the M64 cards that are needed to run in the hi res modes.
    ---Bob

  • Upgrade to Solaris 8 with Oracle 8.0.6

    Hi forum,
    on a Sparc-Server with Oracle 8.0.6 we want to upgrade from Solaris 7 to Solaris 8. Do we need to upgrade Oracle first, or is Oracle 8.0.6 supported on Solaris 8 ?
    Thanks
    Hans-Peter

    > Our organisation has been running SAP R/3 4.6C on Solaris 8 with Oracle 8i database. We are considering an upgrade to SAP ECC 6.0.
    Oh.. you're aware of the fact that Oracle 8 as well as Solaris 8 is out of support?
    I would do it like this (if you need/want to stay on the same hardware):
    - upgrade Oracle 8 (I hope you run 8.1.7.4) to Oracle 9.2.0.8
    - upgrade Solaris 8 to Solaris 10
    - upgrade Oracle 9.2.0.8 to Oracle 10.2.0.4 + latest interim patches
    - use kernel 46D_EX2
    - upgrade the 4.6c to ERP 6.0
    Be aware that, if you plan to use Java applications (such as the Enterprise Portal or other Netweaver related applications), the ERP 6.0 must be converted to Unicode.
    Markus

  • Upgrade from solaris 8 to solaris 9 with sun solstice disksuite

    Hi,
    I have to upgrade the solaris 8 with Solstice disksuite to Solaris 9 OS. Please let me know the steps for the upgrade.
    Regards
    chesun

    Yep!
    See
    http://docs.sun.com/db/doc/806-5205/6je7vd5rf?a=view
    Lee

  • Installation Solaris 10 with JumpStart (ssh)

    Hello,
    I want to install Solaris 10 with a server JumpStart.
    But I want only the ssh service activated (for security).
    How do you write that in the jumpstart script ?
    What is the command line ?
    Anybody can help me, please ?
    Thank you :)
    Message was edited by:
    Marcorel

    I have seen this too over the years and it ultimately comes down to something innate:
    Here are a few suggestions:
    1. Try and use interface ce0.
    2. Check default route on both jumpstart server and client.
    3. The arp cache may need to be flushed on the Jumpstart server.
    4. Use snoop and see what happens during the actual RARPing phase between the server and host.
    5. Switch the order in the sysid config file as indicated below:
    system_locale=en_US
    name_service=none
    network_interface=ce2
    {hostname=donau1  ip_address=10.50.57.24 netmask=255.255.252.0 protocol_ipv6=no default_route=10.50.56.1}
    security_policy=none
    terminal=vt100
    timezone="MET"
    timeserver=10.50.57.214
    nfs4_domain=dynamic
    root_password=*****************
    Please note I blanked your root password. Let me know if this helps.

  • How to create a full system image for Solaris 10 with ZFS

    Dear friend,
    could you please advise which way to create a full system image for Solaris 10 with ZFS is trusted and practically used?
    I'm searching for an analogue of Norton Ghost or Acronis True Image, but with ZFS support.
    I have x86 server Sun Netra X4270.
    Thanks in advance,
    Dina

    One more question Filip,
    is it correct that I should make 2 separate backups for ispool and rpool?
    And is it important in which order to restore them from backup?
    bash-3.2# zpool list
    NAME    SIZE  ALLOC   FREE  CAP  HEALTH  ALTROOT
    ispool  136G  8.08G   128G   5%  ONLINE  -
    rpool   136G  44.1G  91.9G  32%  ONLINE  -
    bash-3.2# zfs list
    NAME                             USED  AVAIL  REFER  MOUNTPOINT
    ispool                          8.08G   126G    31K  /ispool
    ispool/iserver                  8.08G   126G  8.08G  /export/home/iserver
    rpool                           44.4G  89.5G  46.5K  /rpool
    rpool/ROOT                      39.1G  89.5G    31K  legacy
    rpool/ROOT/firstbe              39.1G  89.5G  14.1G  /
    rpool/ROOT/firstbe/export       20.1G  89.5G    32K  /export
    rpool/ROOT/firstbe/export/home  20.1G  89.5G  20.1G  /export/home
    rpool/ROOT/firstbe/opt           651M  89.5G   133M  /opt
    rpool/ROOT/firstbe/opt/SMAW      518M  89.5G   518M  /opt/SMAW
    rpool/ROOT/firstbe/usr          3.45G  89.5G  3.45G  /usr
    rpool/ROOT/firstbe/var           867M  89.5G   867M  /var
    rpool/dump                      1.00G  89.5G  1.00G  -
    rpool/swap                      4.25G  89.8G  4.00G  -
    Br,
    Dina

  • Cloning Solaris 10 with zones

    What is the best method to use when cloning a Solaris machine with zones, to ensure all software is included and can be easily installed on new hardware?
    Thank you!

    If you use UFS, then ufsdump/ufsrestore
    If you use ZFS, then zfs send/zfs receive
    But, if you are using hardware or software RAID, you can also try to move one disk to another machine.
    You can see with these simple examples that you have several methods, and it depends on how you configured your machine, Solaris and the zones. And finally, it depends too on what the source machine and the target machine are, and how they are configured.

  • Web auth with internal web page of WLC and ISE as radius server

    Hi All ,
    We have created an SSID as web auth with the internal web page for login. In the advanced tab we configured the AAA server.  AD is integrated with ISE.
    When the user tries to connect, he is getting the redirect URL. But during the authentication we are getting an error in ISE:
    "ise has problems communicating with active directory  using its machine credentials "  and the authentication fails.
    When we have the L2 security mechanism enabled with PEAP, ISE is able to read the AD and provide authentication.
    Only for L3 web auth it is not happening..
    Any clue on this ..???
    Thanks,
    Regards,
    Vijay.

    Machine credentials require a lookup on the computer OU, and that has to be defined on the client side.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Instantiating Object with NDS

    I'm having no success in instantiating objects with NDS. Does anyone know whether it is possible?
    I can hard code a statement as follows:
    pkg1.gs_nt(gs_nt.LAST) := NEW SomeObject_ot('x');
    where pkg1 is a package with the gs_nt variable declared in the spec. (global scope). The var. gs_nt is a nested table of SomeObject_ot type.
    When I try to use the same approach using NDS I get error messages at compile time:
    PLS-000103: Encountered the symbol "" - When I try to use the SomeObject_ot in a USING clause to set the value of a placeholder. In other words, it doesn't do the substitution.
    PLS-00382: expression is of wrong type - when I try to concatenate the object with a string.
    Based on the above, I've concluded that NDS can't be used to instantiate object types.
    Is this conclusion correct? Does anyone have a solution?

    Does this do what you need?
    SQL> create or replace type SomeObject is Object (
      2         val varchar2(10)
      3  ) ;
      4  /
    Type created.
    SQL>
    SQL> create or replace type SomeObject_nt is table of SomeObject ;
      2  /
    Type created.
    SQL>
    SQL> CREATE OR REPLACE PACKAGE pkg1 IS
      2      gs_nt someobject_nt;
      3      PROCEDURE initialize(p_var IN VARCHAR2,
      4                           p_obj IN VARCHAR2);
      5  END;
      6  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY pkg1 IS
      2      PROCEDURE initialize(p_var IN VARCHAR2,
      3                           p_obj IN VARCHAR2) IS
      4          str VARCHAR2(4000);
      5      BEGIN
      6          str := 'begin ' ||
      7                 '  ' || p_var ||'.EXTEND ; '||
      8                 '  ' || p_var || '(' || p_var ||'.LAST) := NEW ' || p_obj || '(:val) ; ' ||
      9                 'end ;';
    10          dbms_output.put_line('Count=' || pkg1.gs_nt.COUNT);
    11          EXECUTE IMMEDIATE str
    12              USING 'String';
    13          dbms_output.put_line('Count=' || pkg1.gs_nt.COUNT || ' pkg1.gs_nt(1).val='||pkg1.gs_nt(1).val);
    14      END;
    15  BEGIN
    16    gs_nt := SomeObject_nt() ;
    17  END;
    18  /
    Package body created.
    SQL> set serveroutput on size 100000
    SQL> exec pkg1.initialize(p_var => 'pkg1.gs_nt',p_obj => 'SomeObject') ;
    Count=0
    Count=1 pkg1.gs_nt(1).val=String
    PL/SQL procedure successfully completed.
    SQL>

  • Failed to install Solaris 10 with Jump Start

    Hi all:
    When installing Solaris 10 with the Jump Start method, I met the error below:
    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    {3} ok boot net -install
    SC Alert: Host System has Reset
    Probing system devices
    Probing memory
    Probing I/O buses
    screen not found.
    Rebooting with command: boot net -install
    Use is subject to license terms.
    whoami: no domain name
    Hardware watchdog enabled
    WARNING: exec(nstall) failed (file not found).
    (Could not start init) Program terminated
    {1} ok
    Thanks a lot!

    That's because you wrote "-install", which will be parsed as "-i nstall", hence your system will try to execute a kernel named "nstall".
    The proper syntax is "boot net - install", with spaces on both sides of the -.
    .7/M.

  • IE 6.0 Mutual auth with Sun One 8

    Hello,
    What I intend to do: generate a new server key pair, then generate a client key pair, and export the client pair to IE (newest) for mutual auth.
    Commands I use:
    Server pair:
    1. keytool -genkey -keyalg rsa -keystore keystore.jks -storepass pass -alias server -dname "cn=www.myCompany.com,o=O2,ou=Ou2,L=W,C=US,S=W"
    2. keytool -export -alias server -file server.cer -keystore keystore.jks -storepass pass
    3. keytool -noprompt -import -v -trustcacerts -file server.cer -alias server -keystore cacerts.jks -storepass pass2
    Client pair:
    1. keytool -genkey -keyalg rsa -keystore keystore.jks -storepass ssaperots -alias client -dname "cn=client1,o=O2,ou=Ou2,L=W,C=US,S=W"
    2. keytool -export -alias client -file client.cer -keystore keystore.jks -storepass pass
    3. keytool -noprompt -import -v -trustcacerts -file client.cer -alias client -keystore cacerts.jks -storepass pass2
    Now I replace domain1/cacerts.jks and domain1/keystore.jks with new files, restart the server.
    Mutual auth with jax-rpc from j2ee tutorial works flawlessly.
    Finally I want IE to be able to do mutual auth:
    Using jstk-1.0.1 from http://www.j2ee-security.net/book/dnldsrc/
    jstk-1.0.1/bin/crypttool.sh export -keystore keystore.jks -alias client -storepass pass -outform PKCS12
    I have client.p12 which I import into IE personal certificates.
    I enter the secure site on the server. The server cert is OK. I choose the client1 pair for mutual auth.
    Then I see in the browser: HTTP Status 403 - Access to the requested resource has been denied.
    During the handshake in server.log I see:
    [#|2004-06-02T01:12:42.496+0200|WARNING|j2ee-appserver1.4|org.apache.coyote.http11.Http11Processor|_ThreadID=11;|
    Exception getting SSL Cert
    java.net.SocketException: Socket Closed
    a lot of stuff here
    [at the end]
    http1043-Processor3, handling exception: java.net.SocketTimeoutException: Read
    I also tried an additional Java security package with JDK 1.5.0 beta to generate the PKCS12 pair.
    The same error, different exceptions.
    Question:
    1. Did I do something wrong ?
    2. Is the PKCS12 file corrupted in some way ?
    Thank You.

    OK. I answer my own question ;)
    The problem I described in post 1 didn't even exist. I figured it out by changing the admin console to use mutual auth. It works.
    However, I change the question. I modified the bookstore2 app from the Sun App Server 8 tutorial (SDK 1.4) to use mutual auth. Here are the deployment descriptors generated by deploytool.
    This is sun-web.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 8.0 Servlet 2.4//EN" "http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_4-0.dtd">
    <sun-web-app>
      <context-root>/bookstore2</context-root>
      <security-role-mapping>
        <role-name>appuser</role-name>
        <principal-name>admin</principal-name>
      </security-role-mapping>
      <resource-ref>
        <res-ref-name>jdbc/BookDB</res-ref-name>
        <jndi-name>jdbc/BookDB</jndi-name>
        <default-resource-principal>
          <name>PBPUBLIC</name>
          <password>PBPUBLIC</password>
        </default-resource-principal>
      </resource-ref>
      <cache enabled="false" max-entries="4096" timeout-in-seconds="30">
        <default-helper/>
      </cache>
      <jsp-config>
        <property name="keepgenerated" value="true"/>
      </jsp-config>
    </sun-web-app>
    This is web.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
      <display-name>bookstore2</display-name>
      <context-param>
        <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
        <param-value>messages.BookstoreMessages</param-value>
      </context-param>
      <listener>
        <listener-class>listeners.ContextListener</listener-class>
      </listener>
      <servlet>
        <display-name>Dispatcher</display-name>
        <servlet-name>Dispatcher</servlet-name>
        <servlet-class>dispatcher.Dispatcher</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/bookstore</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/bookcatalog</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/bookdetails</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/bookshowcart</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/bookcashier</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/bookordererror</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/bookreceipt</url-pattern>
      </servlet-mapping>
      <jsp-config>
        <jsp-property-group>
          <display-name>bookstore2</display-name>
          <url-pattern>*.jsp</url-pattern>
          <el-ignored>false</el-ignored>
          <scripting-invalid>false</scripting-invalid>
          <is-xml>false</is-xml>
          <include-prelude>/template/prelude.jspf</include-prelude>
          <include-coda>/template/coda.jspf</include-coda>
        </jsp-property-group>
      </jsp-config>
      <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
          <web-resource-name>WRCollection</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>TRACE</http-method>
          <http-method>DELETE</http-method>
          <http-method>POST</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>HEAD</http-method>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>appuser</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-role>
        <role-name>appuser</role-name>
      </security-role>
      <resource-ref>
        <res-ref-name>jdbc/BookDB</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
      </resource-ref>
    </web-app>
    Using these I can't log in.
    It is because I don't have an option to specify a user when I log in.
    Questions:
    1. How to change the application so it uses only client-cert (without users and passwords)?
    2. How to change the application so login is possible with client-cert with a specified user - admin?
    (my first guess - do form auth then client-cert; client-cert -> form login not possible ?)
    3. Are the certificates bound to specific application server users ?
    Thanks.
