SSL and Client Certificates

Similar Messages

• JDBC Thin Connections with SSL and client certificates

  Hi ,
  we are going have a look at JDBC Thin Connections with SSL and client certificates.
  I have two questions:
  1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
  2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
  Thanks for your help
  regards
  Markus Reichert

  I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
  Steps to add the SSL Certificate:
  1. Run the form with the https mode in the IE Browser.
  2. Security Alert is raised.
  3. Click on the View Certificate button.
  4. In the Certificate Window, click on the Details tab.
  5. Click on the Copy to File button to copy the certificate.
  6. Copy the certificate and append to the certdb.txt file.

• CSS SSL and client certificate

  Hello,
  In a situation where SSL Traffic is terminated on a SSL Module.
  And having clients which to clientcertification.
  There are 2 contents aviable on the webserver.
  One for certified users and one for both.
  Is there a way to restrict a path of a url to clients which performed a client cert?
  And have all other content on that server aviable to both , certified and not certified clients?
  Sven

  Hi Gilles,
  i have not described my problem at all.
  Currently we are doing the SSL Termination on a webserver.
  There are two locations specified in the apache config.
  Like this:
  location /webservices/onlytoca>
  SSLVerifyClient require
  SSLVeridfyDepth 0
  So the path /webservices/onlyToCa is only allowd to clients which did a certification via clientcert.
  The /content is allowed to all.
  I have to migrate to the SSL-Module because we need to analyse the URL for stickyness.
  My question was, is there a way to restrict a url path to clients which did a client certification.
  I can set up the ssl-server to ignore certificaton failures.
  Also, do you know about the HTTP-Header insert? Is the header to be inserted also if the client has not been certified via cc or only if the client performed a certification?
  If not, a solution would be to have 3 contet_rules
  one, which checks for a existing of http-header which is set when the request is cerfified.
  There i can limit the URL to /webservices/toCaOnly/*
  one cr, which allows any other content
  one cr, which sends a redirect to a error page. This one should only be accessed if the url is /webservices/toCaOnly and the http header is not set.
  I hope i wrote it down clear enough to understand.
  Sven

• How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

  Hi,
  I want to consume a Java Web service from Dotnet based client Application. The service require one Certificate("abc.PFX") for Two Way SSL purpose and another certificate("xyz.pfx") for WS security purpose to be passed from client Application(Dotnet
  Console based). I tried configuring the App.config of Client application to pass both the certs but getting Error says:
  Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
  Please suggest how to pass both the certs from client Application..

  Hi,
  This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
  And for more information, you could refer to:
  http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
  Regards

• Receiver SOAP adapter SSL error - client certificate required?

  Hi all,
  Problem configuring SSL in XI 3.0 NW04 SP17....
  I have followed the config steps from Rahul's excellent weblog at <a href="/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter">How to use Client Authentication with SOAP Adapter</a> (my Basis team have done the Visual Admin steps) and am going through his example as it closely matches my requirement. So, I have a test receiver SOAP adapter sending messages to a web service URL defined for a sender SOAP adapter. My test scenario is:
  <b>Sender File -> <u><i>Receiver SOAP -> Sender SOAP</i></u> -> IDoc Receiver -> IDocs in R/3</b>
  The problem components are in italic and underlined above. My Receiver SOAP Adapter has the web service URL, Certificate Keystore Entry and View entered. If, in the Sender SOAP Adapter, I have an HTTP Security Level of HTTPS Without Client Authentication, the interface works fine (note that Rahul suggests you untick the User Authentication in the Receiver but with this Security Level, it seems to work with or without it).
  The problem is when I set HTTPS <b>With</b> Client Authentication in the Sender. I then get the following error in the message monitor:
  SOAP: response message contains an error XIServer/UNKNOWN/ModuleUnknownException - com.sap.aii.af.mp.module.ModuleException: java.security.AccessControlException: <b>client certificate required caused by: java.security.AccessControlException</b>: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:1111) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl3.process(ModuleLocalLocalObjectImpl3.java:103) at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:250) at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:103) at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:166) at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:421) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.Client.handle(Client.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java(Compiled Code)) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code)) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code)) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code)) at java.security.AccessController.doPrivileged1(Native Method) at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code)) Caused by: java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:843) ... 22 more
  Has anyone got any idea what this could be caused by?
  Many thanks,
  Stuart Richards

  Have you configured the https port with that keystore entry?
  Check out these links:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/b0/881e3e3986f701e10000000a114084/frameset.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/5c/15f73dd0408e5be10000000a114084/frameset.htm
  Regards,
  Henrique.

• Router WebVPN and client certificate

  Hello!
  In my test lab I can't to make work my webvpn configuration =\
  I have several components: MS AD, MS CS (but without NDES), router 2911 and client computer. Client and router have a certificate from MS CS. In my configuration I use authentication by certificate or aaa (LDAP) and authentication by aaa working good. But authentication by client certificate doesn't work. And my internal https services don't work also -  "Invalid or no certificate", but this strange because I imported CA certificate for this.
  Can you help me make it works?
  My 2911 version:
  Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
  My Config:
  aaa authentication login webvpn group ldap local
  ip local pool webvpn 192.168.200.1 192.168.200.254
  bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd
  webvpn gateway vpn
  ip address <ip address> port 4443
  ssl trustpoint root-ca
  inservice
  webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
  webvpn context employee
  ssl authenticate verify all
  login-message "VPN Portal"
  policy group policy1
     url-list "inside"
     functions svc-enabled
     filter tunnel VPN-SPLIT
     svc address-pool "webvpn" netmask 255.255.255.0
     svc default-domain "domain.com"
     svc keep-client-installed
     svc split dns "domain.com"
     svc split include 192.168.0.0 255.255.0.0
     svc dns-server primary 192.168.1.1
     svc dns-server secondary 192.168.1.2
     citrix enabled
  virtual-template 1
  default-group-policy policy1
  aaa authentication list webvpn
  gateway vpn
  authentication certificate
  username-prefill
  ca trustpoint root-ca
  user-profile location flash0:/userprof
  inservice
  crypto pki trustpoint root-ca
  enrollment terminal
  revocation-check none
  rsakeypair root-ca
  I imported certificate from pkcs12 with CA certificate.
  From my debug (this is happend then i try to access to my webvpn portal and I choose my certificate from MS CS for access)
  Jun  5 11:22:39: WV: validated_tp :  cert_username :  matched_ctx :
  Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl
  Jun  5 11:22:39: WV: failed to get sslvpn appinfo from opssl
  Jun  5 11:22:39: WV: Error: No certificate validated for the client
  Can anybody explain me why it doesn't work?

  Hi,
  did you find any solution for this? As I am in it seems the same situation now.
  I am testing it with Cisco 2911 - IOS version 151-3.T4 and last anyconnect client for Android (Samsung Galaxy S III mobile)
  Thanx for any advice/help
  Pavel

• WS security, SSL and client auth

  Hello all,
  I need to secure a web service using SSL with client auth (client has a certificat issued by the web service provider wich he can use to access it... i suppose).
  Being a newbie i have no idea what are the options and how to implement them.
  If good tutos are available on the subject it would be nice.
  I also had another question: with a web service, what guarantee do i have that the client has consumed the web service and received the information he wants etc., it is critical for me to know that everything went ok...
  Cheers

  Hi
  One of the best books I found that covers security is located at:
  http://www.lulu.com/content/214643
  You will, or get you company to :), buy it (it's not expensive). It covers axis1.3, note that axis2 is out, but since your just starting with web services this will be a very good start on many of the concepts and how to implement them.
  Should you decide to use Axis give it's documentation and many tutorials a look, the main site is: http://ws.apache.org/axis2/
  Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think one to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do e.g. click an "accept" button that kicks of another "request" to the web service indicating that the initial request satisfied the users query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request.

• IOS4,  apple-mobile-web-app-capable and client certificates

  IOS4 (4.0 and 4.0.1) seems to have broken apple-mobile-web-app-capable. I have a webbapplication using client certificates to authenticate the user. This worked flawless on IOS3.x. However, after having upgraded my iPhone to IOS4, the application fails when started from the springboard with an error message telling a client certificate is required (I have one installed). When I start the application from within Safari it works OK. I tracked the error down to the following line in the HTML code:
  <meta name="apple-mobile-web-app-capable" content="yes" />
  When I remove this line, the application works again flawless when started from the springboard. However the native look and feel are gone. As soon as I add this line to the HTML, the application works when started from Safari, but fails when started from the springboard.
  Does anyone have a glue or is this a bug on the apple-mobile-web-app-capable function of IOS4?

  I have also experienced this problem on iOS 4.1. I want to authenticate access to a web-app using SSL client certificates but I get an error "Cannot Open ... requires a client certificate" when launching the app from the home screen. Very annoying!
  Navigating to the page in Safafi prompts the user to choose which certificate to use and then loads the page successfully. Just as a side question, is there anyway to automatically associate a client certificate with a web site so that the user is never prompted to choose a certificate when accessing the site? I want an authentication process that is transparent to the user.

• Multiple Exchange accounts and client certificates not working...?

  Hi all,
  I have a problem with my company iPad's. I'm trying to configure 2 Exchange accounts with certificate based authentication on my iPad with the iPhone config utility. For that i have created 2 client certificates.
  When I configure just 1 mailbox, does not matter which one of the 2, with the iPhone config util, it al works ok with client authentication.
  When I configure 2 mailboxes, on the iPad, without client certificate authentication it al works ok.
  When I configure 2 mailboxes with the 2 client certificates with the iPhone config util, both exchange accounts have the same mailbox. When I configure for example mailbox Jim and Harry with the corresponding certificates and I load it into the iPad. The exchange account of Jim has Jim his mailbox, but the exchange account of Harry also has the mailbox of Jim. And sometimes it is vice versa.....
  Can anybody help me in this, we are using 4th gen iPad with MS Exchange ActiveSync 2003 SP2 en MS Forefront TMG with Kerberos delegation.
  Please advice.
  Cheers,
  Eddy

  Hi Eddy,
  I have the feeling that the SSL connection after being established is only using the first authenticated certificated to connect to the exchange server.
  Have you had a look over this Microsoft page:
  http://technet.microsoft.com/en-us/magazine/ff472472.aspx
  Are you able to test 2 accounts on one pad in a test environment preferably with SSL inspection off?
  Do you have any information in the Forefront logs of the users being authenticated from the iPad? Or is one user authenticated twice?
  Cheers,
  IhalpU

• SCCM 2012 IBCM and client certificate

  Hi all, I need to answer a question about an ICMB SSL Bridging configuration.
  If I am using more than one site server for each role, do I have to have a public DNS entry for each one of them (my guess is yes).
  And, if I have more than one site server used and publish on public DNS, does my client certificate require a SAN for each one of them? or only the MP is necessary and will give all the required information to my clients so that they are able to connect
  to the site server for each required role.
  I am trying to understand a bit more how does SSL Bridging work.
  The planned architecture is that all role would be on different servers, and tat each one of them will be accessible from the internet. I am still trying to understand how the client ill get the external FQDN for each roles.
  It doesn't seem that many documentation about using IBCM using many servers out there.
  Thank you!
  Mat

  The client certificate is only used by the client for client authentication, so there is no requirement at all to add a SAN for the site system(s) in there. The web server certificate of the Internet-facing site system is the certificate that requires a
  SAN for the Internet FQDN and the intranet FQDN. Pure technically speaking the requirement for both FQDNs is only for a SUP, or for a site system that's being used on the Internet and intranet.
  For more information see also:
  http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• Web Service, SSL and Client Authentication

  I tried to enable SSL with client authentication over a web service. I am using App Server 10.1.3.4.
  The test page requires my certificate (firefox asks me to choose the certificate) the response page of the web service returns this error:
  java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 405 Method Not Allowed
  Has anyone used web services with SSL client authentication?
  Any clue why?
  Regards

  Any comment?
  Thank you.

• UTL_HTTP and client certificate request

  I am hoping that someone can help me. We have a web site that we need to hit and pull the html code back from the pages and we have the code to get what we need but the website now has an option where it requests a client certificate from a user for authentication or if you cancel the request it will then ask you for username and password. I cannot figure out how to submit a cancel on the client certificate request so that my application can submit the username and password authentication. Does anyone have an idea or example to do this? Also if you submit a bad certificate it will prompt you for authentication. So if someone knows how to submit client certificates that would be helpful as well.
  Thanks in advance.

  I've never faced this issue but you might want to look at using UTL_TCP rather than UTL_HTTP.
  http://www.psoug.org/reference/utl_tcp.html

• HTTP adapter, SSL and wildcard certificate

  Hi,
  I am developing a B2B integration solution using BizTalk Server. The protocol used to communicate with the partner’s server is HTTPS and so it uses SSL.
  The certificate the partner is using to establish SSL connections is provided by GeoTrust but it is a wildcard certificate, issued to *.*.*.company.com
  The server I am trying to contact to is on a domain of the form: a.b.c.company.com (which seems to match the wildcard).
  When I try to open an HTTPS connection to the server (either through Internet Explorer, a .Net Windows Application or BizTalk), the connection cannot be established because the certificate is said to not be trusted. For example, Internet Explorer shows a pop-up message saying that:
  - The certificate is issued from a valid CA
  - The certificate date is valid
  - The name of the certificate is NOT matching the name of the site. This means that the certificate is issued for a domain different that the one we are accessing to. So it seems that the wildcard system is not working for this certificate? Is that possible if they aquire a wrong type of certificate by mistake? or is multipart wildcard certificate (*.*.*) not supported?
  Anyway even if their certificate is not 100% valid, they refuse to change it as their other partners work with that and they won't change to a proper certificate just for us...
  In .Net 2.0 code, it is easy to circumvent any certificate validation by setting the delegate ServicePointManager.ServerCertificateValidationCallback to a callback method with something like:
  ServicePointManager.ServerCertificateValidationCallback = delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)  { return true; };
  Nevertheless, I need to achieve this sort of circumvention with BizTalk Server 2006 and I would like to know if anyone ever did that.
  I am aware that I can write my own custom HTTP Adapter but I need this urgently so I thought of asking this forum's community first. Maybe someone as a quicker way than writing a custom adapter such as some "hack" (registry keys, custom class... ) or knows of an existing custom adapter already doing the job.
  Thanks in advance,
  Best regards,
  Francois Malgreve

  The certificate needs to be installed as a explicitly trusted certificate in the store under the computer a/c on the BzTalk machine and then it'll work. Refer
  https://thinkintegration.wordpress.com/2011/12/02/biztalk-https-adapter-and-certificate-configurations/ for the steps.
  Regards.

• Web services and client certificates

  Hello,
  Is there a way to invoke a web service that sits on a web
  server that requires client certificate authentication. Like in
  Coldfusion 8 you can pass the client cert along with the cfhttp
  call. We're running into the problem of calling the page that
  invokes the web service, then the invoke fails because that's a
  call to a URL that is protected. Anyone know how to do this, or a
  good work around?
  Any help is appreciated.

  Thanks for the reply! I'm no expert either, that's why I'm
  here!
  Yes, the certificate for the server is loaded. I'm doing this
  all on one machine, so I just loaded it's own server certificate
  into the trust store. The problem is the server is protected by
  client authentication via certificates. I guess I'm relating this
  to a regular request, where if you have a server that requires
  certificates, you can pass along the cert in an CFHTTP call with
  clientCert parameter. Here we are calling a page that invokes the
  web service which is really another request. This is where the
  issue is, since I don't see how to send along the certificate
  information in the invoke call.
  Thanks for the help!

• AnyConnect and client certificate

  Hi,
  I was looking at 'BRKSEC-3033 - Advanced AnyConnect Deployment' on Ciscovirtuallive.
  On that session the presenter says that:
  "Issuer of client certificate may not be the same as the issuer of the ASA certificate."
  With my basic PKI understanding :-),  anyone know why you cant have the same certificate issuer? 
  It's a good presentation, can recommend it.
  BR
  Micke

  Hello Mikael,
  You DO can have the same certificate issuer!!
  I think he said it was an option to not have it with AnyConnect but as your PKI understanding  states you do can have it like that.
  Regards,
  Julio
  Do rate all the helpful posts