Specifying Client Auth Cert in Anyconnect NAM

Similar Messages

• Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938

  I am trying to deploy the clientcert sample applcation that comes with the platform edition of SunOne V7.
  I have used openssl as a CA and have created client and server certs.
  I get the following problem.
       Sun ONE Application Server - HTTP Status 403 Error
       Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
       Type: Status Report
       Message: Access to the requested resource has been denied.
  As can be seen from the server.log below, some form of authentication succeeds:
       [12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
  Note, common name is that of my client cert.
  However there is a severe error:
       [12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
  Also, HTTPS works with server side authentication and I signed both client and server certs with same private "CA" certification.
  Question: Do I need any special extentions in the certs for use with SSL?
  Thanks in advance.
  server.log fragment:
  [12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
  [12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-4
  [12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
  [12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
  [12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
  [12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
  [12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET --> true
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
  [12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
  [12/Aug/2004:08:56:09] SEVERE ( 2392): for host 169.254.111.12 trying to GET /cert, Client-Auth reports: HTTP4031: Unexpected error receiving data: -5938
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: No certificates included with this request
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Failed authenticate() test
  [12/Aug/2004:08:56:09] FINE ( 2392): for host 169.254.111.12 trying to GET /cert, ntrans-j2ee reports: directory listing for context "/cert"
  [12/Aug/2004:08:56:09] FINE ( 2392): Attaching to JVM thread service-j2ee-5
  [12/Aug/2004:08:56:09] FINE ( 2392): context = StandardEngine[null].StandardHost[server1].StandardContext[cert]
  [12/Aug/2004:08:56:09] FINE ( 2392): contextPath = /cert
  [12/Aug/2004:08:56:09] FINE ( 2392): wrapper = null
  [12/Aug/2004:08:56:09] FINE ( 2392): servletPath = null
  [12/Aug/2004:08:56:09] FINE ( 2392): pathInfo = null
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Process request for '/cert'
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: Checking for SSO cookie
  [12/Aug/2004:08:56:09] FINE ( 2392): SingleSignOn[server1]: SSO cookie is not present
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Security checking request GET /cert
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Checking constraint 'SecurityConstraint[clientcert security test]' against GET --> true
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Subject to constraint SecurityConstraint[clientcert security test]
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling checkUserData()
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: User data constraint has no restrictions
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Calling authenticate()
  [12/Aug/2004:08:56:09] FINE ( 2392): Authenticator[cert]: Looking up certificates
  [12/Aug/2004:08:56:09] FINEST ( 2392): Requesting client certificate from core.
  [12/Aug/2004:08:56:11] FINEST ( 2392): Processing login with credentials of type: class sun.security.x509.X500Name
  [12/Aug/2004:08:56:11] FINE ( 2392): Processing X.500 name login.
  [12/Aug/2004:08:56:11] FINEST ( 2392): Certificate realm setting up security context for: CN=tweekes, O=tester, C=ie
  [12/Aug/2004:08:56:11] FINE ( 2392): X.500 name login succeeded for : CN=tweekes, O=tester, C=ie
  [12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Authenticated 'CN=tweekes, O=tester, C=ie' with type 'CLIENT-CERT'
  [12/Aug/2004:08:56:11] FINE ( 2392): SingleSignOn[server1]: Registering sso id '6264FF86CB3151E572951CB77D0C515F' for user 'CN=tweekes, O=tester, C=ie' with auth type 'CLIENT-CERT'
  [12/Aug/2004:08:56:11] FINE ( 2392): Authenticator[cert]: Calling accessControl()
  [12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL : CN=tweekes, O=tester, C=ie hasRole?: staffmember
  [12/Aug/2004:08:56:11] FINEST ( 2392): PRINCIPAL TABLE: {staff=[staffmember], C=ie, O=tester, CN=tweekes=[staffmember]}

  The below one is the correct configurations
  <If $uri =~ "/my(/passo.*)">
  NameTrans fn="restart" from="$uri" uri="/my/jsp$1"
  </If>
  <Object ppath="/my/jsp/passo/*">
  PathCheck fn="get-client-cert" dorequest="1"
  </Object>

• Login scripts not running with AnyConnect NAM and ISE 1.2

  I am using AnyConnect 3.1 NAM as my 802.1x supplicant for ISE 1.2.  When users log in with EAP Chaining (User and Machine Auth), the login script seems hit or miss on if it runs to map their drives.  If I uninstall the NAM client, they map drives every time.  I would think that running a login script to map drives is a common scenario and I was wondering if anyone else using AnyConnect NAM was having similar issues or how they were dealing with it.

  I have the same issue and I solve the issue with change these parameters.
  1.- You must change on configuration profile "before user logon". I have 5 seconds
  2.- You must change on configuration profile  "port authentication Exception policy" and you must enable checkbox "enable port exceptions" and select "allow data traffic before authentication"
  3.- You must enable in the option of interface Ethernet Intel on PC "Wait for link" this option It's in "configured advanced of Intel. You must select "on" in this option.
  4.- (this recommendation it was by Cisco) 
  Active Direct GPO has a setting "Computer Configuration\Administrative
  Templates\System\Logon\ Always wait for the network at computer startup and logon" that
  can be enabled to make the logon scripts wait till 802.1x authentication is completed.
  With those changes the logon script run fine.
  Regards
  David.

• Client auth error

  I am using iPlanet Web Server 6.0 SP4 on Solaris 2.8 that is enabled for SSL and Client-auth.
  In order to validate the client certificate, I configured this server to use my own Plug-in by adding authTrans line in "obj.conf":
  <Object name=default>
  AuthTrans fn="vsCheckClientCert"
  </Object>
  During startup, web server fails with following error.
  Thanks in advance!!!
  [20/Sep/2002:11:50:58] info ( 1984): successful server startup
  [20/Sep/2002:11:50:58] info ( 1984): iPlanet-WebServer-Enterprise/6.0SP4 B07/17/2002 14:04
  [20/Sep/2002:11:51:00] info ( 1985): Installing a new configuration
  [20/Sep/2002:11:51:00] info ( 1985): [LS ls1] https://xx-sun.yy.com, port 444 ready to accept requests
  [20/Sep/2002:11:51:00] info ( 1985): A new configuration was successfully installed
  [20/Sep/2002:11:51:01] info ( 1985): Using the Solaris VM v1.2.2 from Sun Microsystems Inc.
  [20/Sep/2002:11:51:01] info ( 1985): Java VM classpath: /usr/netscape/servers/plugins/servlets/examples/legacy/beans.10/SDKBeans10.jar:/usr/n
  etscape/servers/bin/https/jar/NSServletLayer.jar:/usr/netscape/servers/bin/https/jar/NSJavaUtil.jar:/usr/netscape/servers/bin/https/jar/Admin
  NativeUtil.jar:/usr/netscape/servers/bin/https/jar/NSJavaMiscUtil.jar:/usr/netscape/servers/bin/https/jar/servlet.jar:/usr/netscape/servers/b
  in/https/jar/servlet-2.3-filters-api.jar:/usr/netscape/servers/bin/https/jar/jsp092.jar:/usr/netscape/servers/bin/https/jar/jaxp.jar:/usr/net
  scape/servers/bin/https/jar/crimson.jar:/usr/netscape/servers/bin/https/jar/xalan.jar:/usr/netscape/servers/bin/https/jar/jspengine.jar:
  [20/Sep/2002:11:51:01] info ( 1985): Loading IWSSessionManager by default.
  [20/Sep/2002:11:51:01] info ( 1985): IWSSessionManager: Maximum number of sessions is 1000
  [20/Sep/2002:11:51:01] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3
  be enabled.
  [20/Sep/2002:11:51:01] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication cer
  tificate
  [20/Sep/2002:11:51:02] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3
  be enabled.
  [20/Sep/2002:11:51:02] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication cer
  tificate
  [20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Error getting document-root for this virtual server; please check your server c
  onfiguration.
  [20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Cannot create web applications virtual server environment.
  [20/Sep/2002:11:51:02] failure ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (h
  ttps-cvm-test-444)
  [20/Sep/2002:11:51:02] info ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (http
  s-cvm-test-444)
  [20/Sep/2002:11:51:02] failure ( 1985): The new configuration was rejected, rolling back

  Thanks for the reply!!
  My SAF (vsCheckClientCert) works fine if I disable the servlets. It also works by disabling the Web Application State in server.xml
  <VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
  <VS id="https-cvm-test-444" state="on" urlhosts="psingal-sun.verisign.com" mime="mime1" aclids="acl1" connections="group1">
  ===> <VARS webapps_file="web-apps.xml" webapps_enable="off"/>
  </VS>
  </VSCLASS>
  I am facing the problem only with iPlanet 6.0, the SAF worked fine with "Servlet Enabled" in the previous releases of iPlanet 4.x. Is there any way by which my SAF works with default server settings i.e. Servlet Enabled and Web Application State On?

• MY IOS does not support EKU Server-Auth/Client-Auth

  Hello,
  I have a cisco router with  Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T8.   im trying to set it up as my CA Server where I need to enroll my AnyConnect clients.
  But while I trying to configure my crypto pki server command,  I do not see   EKU Server-Auth or EKU Client-Auth   feature
  can any one tell why it does not have this feature ??

  it was added into 12.2T.    but for me it does not have this feature available .  any ideas ?

• Client-Auth errors

  Hi all,
  I have a SOWS 6.1 and I am getting the following error eache time a user try to get the page:
  Client-Auth reports: Unexpected error receiving data: -5938
  Do you know what it should be?
  Thanks in advance

  Can you tell us the exact configuration you have.
  Send a request to the server to capture the details of initial handshake which performs the client authentication through ssltap. Save the output. Also, when the
  certificates are exchanged ssltap will save them to a file (see the output of
  ssltap for the filenames it used). Get those cert files as well.

• Client-Auth reports: HTTP4031: Unexpected error receiving data

  I noticed that the below error logged in errors log
  trying to GET /my/jsp/passo/, Client-Auth reports: HTTP4031: Unexpected error receiving data (End of file)
  I configured obj.conf for the above one
  <If $uri =~ "/my(/passo.*)">
  NameTrans fn="restart" from="$uri" uri="/ap/jsp$1"
  </If>
  <Object ppath="/my/jsp/passo/*">
  PathCheck fn="get-client-cert" dorequest="1"
  </Object>
  Please correct me if i am wrong in the configuration. If i removed those lines it is started working. but i am not sure this will enforce the request to provide certificate from the client.
  I highly be appreciated if any one responded.

  The below one is the correct configurations
  <If $uri =~ "/my(/passo.*)">
  NameTrans fn="restart" from="$uri" uri="/my/jsp$1"
  </If>
  <Object ppath="/my/jsp/passo/*">
  PathCheck fn="get-client-cert" dorequest="1"
  </Object>

• Alerting or logging from AnyConnect NAM

  We are planning to use Cisco AnyConnect Network Access Manager as a 802.1x supplicant for our wired network as we ran into issues with  Microsoft
  native supplicant. There are certain advantages in using inbuilt supplicant on Windows as one can get desired information from event log about the dot1x events and use them to alert in case of failures. I however don't see a similar logging available in Cisco AnyConnect NAM. We can of course use DART bundle, but we would like to have a detailed dynamic logs from the client to build automation to alert NOC on any dot1x failure in the network.
  Thanks,
  Vijay

  You should use "live authentication" logs from ISE. You can also configure to switch to send the switch logs to ISE, that way when you click the details of ISE "live authentication" you will see in the same screen both the ISE logs and the switch logs.
  If you want alerts, you can go to "Operations > Alarms > Rules" and set alarms. You can configure ISE to send the alarms by email or by using syslog.
  Please rate if this helps

• Client Auth  and SSL with Seeburger AS2 adapter

  Hello All,
  We are using the Seeburger AS2 adapter in our landscape and I am in the process of setting the same up and have made quite some progress in all my issues.
  and I  hope that you will be able to help me out.
  1. Server SSL on Receiver AS2 adapter
  I am sending a message from XI using the Receiver AS2 adapter to my AS2 test tool using Server SSL.
  This is working perfectly fine. In my AS2 adapter I have selected HTTPS as the protocol and the message goes via SSL to the target test tool, is processed and the MDN comes back to XI perfectly.
  The issue here is :
  Irrespective of what is provided in the Server Certificate ( Keystore) , the message goes to my target test tool. I even left this field blank with no certificate entry and still the SSL connection was established and the message went to the target system.
  Is there no validation that XI does here? I am lost what is the use of this entry Server Certificate if XI blindly accepts all SSL connections.
  I am using a Decentral Adapter Engine with LoadBalancer.
  2. Client Auth on Receiver AS2 Adapter
  I tried to perform Client Authentication by proving my Server's private key in the AS2 adapter. The corresponding public key is loaded in my partner's Keystore.
  XI error's with the error "SSL handshake failed - Bad Certificate" .
  I am not sure why XI is erroring out here and I have a feeling that I have misunderstood the use of the fields in the AS2 adapter,
  Server Certificate ( Keystore) and Private Key for Client Authentication.
  Has anyone tried this? If further details are needed, I will be able to furnish the same.
  Regards,
  Bhavesh

  Hello Jens,
  Thanks for your reply.
  1. The Encryption and Signature part of the Interface is working absolutely fine and I use the same concept highlighted by you - The Sender always signs the message with his private key and encrypts with message with the partner's public key in the corresponding agreement.
  2. Server SSL is also working perfectly fine, i.e, when XI initiates the connection the SSL connection is established to the partner.
  3. Mutual Auth was the issue where I was getting the bad certificate issue.
  To investigate further I moved the same setup to my Central Adapter Engine and all the issues I had described above seem to have vanished and things work exactly as I was expecting, ie.
  The field : Server Certificate (Keystore) is used to provide the Target System's Server SSL's public Certificate.
  The field : Private Key for Client Authentication is used where XI provides its own Server SSL's private key for Mutual / Client Authentication.
  The problem seems to be with my Decentral Adapter engine and not my central adapter engine and so I guess,
  1. I either have the incorrect certificates on my Decentral Adapter Engine.
  2. I also have 2 instances of a Decentral Adapter Engine with a Webdispatcher and so maybe the 2 Visual Admin's of the 2 Decentral AE are inconsistent.
  3. Maybe it was just a long day and I did something wrong
  Will investigate further for the root cause but I am glad that my concepts remain intact and things do work as I expected them to work.
  A blog on all this is on the cards sometime soon.
  Cheers,
  Bhavesh

• The system cannot find the path specified.---- Error code:-2147467259 Error code name:failed

  Friends,
              I'm facing below issue while accessing a crystal report. I heard it might be an access issue. But i'm able to access a report within a same folder.
  com.crystaldecisions.sdk.occa.report.lib.ReportSDKServerException : The system cannot find the path specified.---- Error code:-2147467259 Error code name:failed
  at com.crystaldecisions.sdk.occa.report.application.PrintOutputController.export(Unknown Source)
  at com.crystaldecisions.sdk.occa.report.application.PrintOutputController.export(Unknown Source)
  Any suggestions would be very helpful.
  Thanks in Advance,
  Bharath

  Apply trace on RAS and look for errors in the RAS logs at the same timestamp.
  These errors come for various errors and tracing RAS would give us a better idea.
  It might hapen that you observe these errors for reports which takes more than the RAS timeout to export the reports.
  Post getting the RAS logs you can try below steps if we see timeout errors in RAS logs.
  Copy clientSDKOptions.xml file from <BO install path>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\java\lib to the machine where your app is running Open clientSDKOptions.xml and change CORBARequestTimeOut from 600000 to a value large enough to allow the report to render, for instance 1200000. Default value is 600000 (10 minutes)
  Specify the location of the clientSDKOptions.xml file at run-time. In your JSP or Java files, use the Java method setProperty from the System class. Set the system property indicated by the ras.config key to the specified directory as: system.setProperty("ras.config","c:\temp"). This function call specifies that the clientSDKOptions.xml file in c:\temp is to be used for locating RAS servers.
  Thanks,
  Prithvi

• UNABLE TO RETRIEVE THE CLIENT IP ADDRESS AND HOST NAME OF A PORTAL USER

  I'm trying to retrive the client IP address and host name of a portal user
  trying to access a portal page using APIs:
  PortletRenderRequest portletRequest =
  (PortletRenderRequest)request.getAttribute(HttpCommonConstants.PORTLET_RENDER_REQUEST);
  HttpServletRequest servletRequest =
  (HttpServletRequest)portletRequest.getAttribute(HttpCommonConstants.SERVLET_REQUEST);
  String l_szClientIPAddress = servletRequest.getRemoteAddr();
  String l_szClientHost = servletRequest.getRemoteHost();
  but i found that for all portal users on different machines IP addresses, the
  returned IP is the same for all which is Portal middle tier IP address.
  So how can retrive the IP addess of a portal user trying to access a portal
  page ?

  Brijesh,
  Do you mean how to see hostname/ip address of client requests processed by the server? If yes, depending on what's your front ending component - Web Cache or OHS, you can configure the access log format to have this information recorded in either of these component's access log file.
  For Web Cache access log file, refer this:
  http://download.oracle.com/docs/cd/B14099_19/caching.1012/b14046/diagnostics.htm#sthref2090
  For OHS access log file, refer this:
  http://download.oracle.com/docs/cd/B14099_19/web.1012/b14007/servlog.htm#sthref439
  By default, both Web Cache and OHS are configured to use Common Log Format (CLF) that does record hostname/ip address so if you haven't made any changes to log format, this info is already there for you. Look for $ORACLE_HOME/webcache/logs/access_log file for Web Cache and $ORACLE_HOME/Apache/Apache/logs/access_log file for OHS.
  Thanks
  Shail

• HTTPS with client auth

  Hello , I am working on a scenario to implement Client Authentication with HTTPS , i got to a blog where its mentioed of steps of implementing HTTPS with Client auth on XI system , in order to test it i would also require a webservice client that works for this purpose. i got to SAP Soap client , but whatz the way to generate the certificate request so that i can send it to CA and get it signed any ideas pl?

  Hi together,
  i have the same problem? is anybody out there who could give us some hints?
  many thanks
  alex schramm

• Probelm client auth from jsse client with open ssl server

  I tried to connect jsse client with a openssl server.. with clientAuth
  This is what i did ..
  Using openssl req comand i created a X509 certificate for server and imported the same to java keystore..
  The communication works fine without client authentication.
  To enable client auth i create client private/public key pair using keytool and exported the public key to a file client.public. and used it in open ssl server .
  This is how i invoke the client ..
  java
  -Djavax.net.debug=all
  -Djavax.net.ssl.trustStore=cacerts
  -Djavax.net.ssl.trustStorePassword=changeit
  -Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
  After which i get following error in server
  SSL3 alert write:fatal:handshake failure
  SSL_accept:error in SSLv3 read client certificate B
  SSL_accept:error in SSLv3 read client certificate B
  ERROR
  17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
  shutting down SSL
  CONNECTION CLOSED
  The client debug says it is recieving a certificate request.. what could be the problem.. can anybody help...

  i also have that problem. I was trying to configure SSL in apache in Win XP machine, but this error occurs. Is there anyone, who can help on it?

• WS security, SSL and client auth

  Hello all,
  I need to secure a web service using SSL with client auth (client has a certificat issued by the web service provider wich he can use to access it... i suppose).
  Being a newbie i have no idea what are the options and how to implement them.
  If good tutos are available on the subject it would be nice.
  I also had another question: with a web service, what guarantee do i have that the client has consumed the web service and received the information he wants etc., it is critical for me to know that everything went ok...
  Cheers

  Hi
  One of the best books I found that covers security is located at:
  http://www.lulu.com/content/214643
  You will, or get you company to :), buy it (it's not expensive). It covers axis1.3, note that axis2 is out, but since your just starting with web services this will be a very good start on many of the concepts and how to implement them.
  Should you decide to use Axis give it's documentation and many tutorials a look, the main site is: http://ws.apache.org/axis2/
  Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think one to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do e.g. click an "accept" button that kicks of another "request" to the web service indicating that the initial request satisfied the users query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request.

• Client-Auth reports: HTTP4030: Timeout while waiting for client certificate

  Hello,
  I'm having problems with the certificate authentication in my Sun Java System Web Server Enterprise Edition 6.1: I have created an ACL in the SJWS that asks for a client certificate when the user goes to a specific URI:
  acl "uri=/server1/myaction.do";
  authenticate (user) {
  method="ssl";
  deny (all)
  user = "admin";
  It works great and, when the user goes to "/server1/myaction.do" (we are using Internet Explorer 7 as Web browser), the window for selecting the client certificate appears:
  - If the user selects a certificate that doesn't require password, everything works fine.
  - The problem comes when the certificate is configured in Internet Explorer for asking for a password every time it is accessed. Once the user has selected the password protected certificate, the window for typing the password appears, but if the user doesn't type it and click OK IN LESS THAN 5 SECONDS (I've timed it), the following messages appear in the SJWS logs:
  [28/Nov/2007:09:25:05] failure ( 2055): for host 10.0.145.11 trying to GET /server1/myaction.do, Client-Auth reports: HTTP4030: Timeout while waiting for client certificate.
  [28/Nov/2007:09:25:05] security ( 2055): HTTP4290: get_auth_user_ssl: client passed no certificate.
  I tried to add the following two lines to the magnus.conf file of the SJWS, but nothing changed:
  SSLClientAuthTimeout 240
  AcceptTimeout 3600
  Has anyone experienced something similar? Any little piece of advice would be greatly appreciated.
  Thank you very much in advance,
  Carlos.

  This is fixed in Web Server 7.0 update 2. Please migrate/upgrade to Web Server 7.0 update 2. Sorry for the inconvenience.