SSL client certificate problem with exchange owa

For a week now I've been having the strangest problem when trying to connect to an Exchange webmail server.
When I try to log on to the server, I now get a Safari warning telling me that the website requests a client certificate and prompting me to choose one.
Safari presents me with a few .Mac and MobileMe certificates, none of which are valid for this site, obviously.
I cannot get through this dialog because it seems I do not have the required certificate.
What baffles me, though, is that when I disable my MobileMe settings in System Preferences, Safari connects to the Exchange webmail perfectly without ever prompting me for a certificate.
I do not understand what MobileMe has to do with this Exchange server at all.
What is even stranger is that I have been having this on 4 different Macs here at home, with two different user accounts on the Exchange server, and I have a family MobileMe pack... so every system is a little different, but they all behave exactly the same.
Can anybody point me in the right direction please?
For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definitely not on all 4 at the same time....
Another strange bit: when setting up the Exchange server inside Mail.app, it works perfectly...


Similar Messages

  • How can you configure an Exchange Account in Mac OS X to use a SSL client certificate?

    I'm trying to connect the Mail App of Mac OS X to my company's Exchange server. For security reasons you have to provide an SSL client certificate to the server. You can convince Safari to use a client certificate by putting it into your keychain and configuring a suitable "identity preference" for the URL of the related site. But the Mail App seems not to use the keychain for this part of the SSL negotiation.
    Since you can configure the client certificate usage for an Exchange Account for the iPhone with the Configuration Utility, there should be a way for the desktop App, too. Has someone sorted this issue out already, or does the Mail App actually lack client certificate support?

    I had a nice chat with the Apple end user support which revealed that this feature falls in the responsibility of the business support group. Since I have no appropriate support contract I could ask for help for about 480€ per issue -- nice try.
    After more research I found the Configuration Profile Reference, where you get information about Exchange accounts too. Starting with a working iOS profile I changed the Exchange account part according to this documentation for OS X. All you have to do is to replace PayloadType com.apple.eas.account by com.apple.ews.account.
    After importing this profile I found the expected Exchange account within the Contacts.app. But the SSL client certificate was still not used and therefore my account was not usable.
    You could enable Mail, Calendar & Reminders and Notes within the System Preferences, but none of these would work due to the missing client certificate support.
    I came to the conclusion that the relevant applications in OS X have no proper SSL client support built in. Since the underlying libraries and frameworks have everything in place, that is really a shame.
    It would be nice if someone would force the developers to do their homework there.

  • Error 403.7 - Forbidden: SSL client certificate is required

    Hi people!
    I'm developing a Java client to a WebService (developed in .NET). The communication protocol is HTTPS to the URL where the Web Service is located (something like https://10.200.140.117/dirNotes/serviceName.asmx). I've been reading many posts but I couldn't find the solution to the problem which has the following message: "Error 403.7 - Forbidden: SSL client certificate is required".
    I'm using JDK 1.5 and developing and testing on Windows Platform. I'm able to access the URL specified above directly from the browser; I installed the client certificate (the same that I've put into the .jks keystore). I've also imported the whole certificate chain of the server to the cacerts.
    I'll paste the code and the console trace below. I'd be very grateful if you can help me. Thanks a lot.
    _THE CODE_
    package principal;
    import java.io.BufferedReader;
    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.FileReader;
    import java.io.IOException;
    import java.net.URL;
    import java.net.UnknownHostException;
    import java.security.KeyStore;
    import java.security.Security;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.axis.client.Call;
    import org.apache.axis.client.Service;
    import entidade.Certificado;
    public class SSLClient {
        private static final int PORT_NUMBER = 443;
        private static final String HTTPS_ADDRESS = "10.200.140.117";
        private static String strCabecalhoMsg = "";
        private static String strDadosMsg = "";
        public static void main(String[] args) throws Exception {
            // system properties for the default JSSE key store / trust store
            System.setProperty("javax.net.ssl.keyStore", Certificado.getStrNomeArquivoJKSServidor());
            System.setProperty("javax.net.ssl.keyStorePassword", "senha");
            System.setProperty("javax.net.ssl.trustStore", "Certificados/cacerts");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            System.setProperty("javax.net.ssl.keyStoreType", "JKS");
            Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            System.setProperty("javax.net.debug", "ssl,handshake,record");
            // explicit key manager (client identity) and trust manager (server CA chain)
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(new FileInputStream(Certificado.getStrNomeArquivoJKSServidor()),
                    Certificado.getArranjoCharSenhaCertificadoServidor());
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, Certificado.getArranjoCharSenhaCertificadoServidor());
            KeyStore ksT = KeyStore.getInstance(KeyStore.getDefaultType());
            ksT.load(new FileInputStream("C:/Arquivos de programas/Java/jre1.5.0_05/lib/security/cacerts"), "changeit".toCharArray());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ksT);
            SSLContext sc = SSLContext.getInstance("SSLv3");
            sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
            SSLSocketFactory factory = sc.getSocketFactory();
            try {
                // method to load the values of the strings strCabecalhoMsg and strDadosMsg
                carregarXMLCabecalhoDados();
                // raw handshake first (this is the first session in the trace below)
                SSLSocket socket = (SSLSocket) factory.createSocket(HTTPS_ADDRESS, PORT_NUMBER);
                socket.startHandshake();
                String[] arr = socket.getEnabledProtocols();
                // note: this URL is the directory, not the .asmx endpoint named above
                URL url = new URL("https://10.200.140.117/dirNotes");
                HttpsURLConnection.setDefaultSSLSocketFactory(factory);
                HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
                urlc.setDoInput(true);
                urlc.setUseCaches(false);
                Object[] params = {strCabecalhoMsg, strDadosMsg};
                Service service = new Service();
                Call call = (Call) service.createCall();
                call.setTargetEndpointAddress(url);
                call.setOperationName("serviceName");
                String ret = (String) call.invoke(params);
                System.out.println("Result: " + ret);
            } catch (UnknownHostException uhe) {
                uhe.printStackTrace();
                System.err.println(uhe);
            } catch (Exception uhe) {
                uhe.printStackTrace();
                System.err.println(uhe);
            }
        }
        private static void carregarXMLCabecalhoDados() {
            try {
                BufferedReader input = new BufferedReader(new FileReader("notas/cabecalho.xml"));
                String str;
                while ((str = input.readLine()) != null) {
                    strCabecalhoMsg += str;
                }
                System.out.println("Cabeça: " + strCabecalhoMsg);
                input = new BufferedReader(new FileReader("notas/nota.xml"));
                while ((str = input.readLine()) != null) {
                    strDadosMsg += str;
                }
                System.out.println("Nota: " + strDadosMsg);
            } catch (FileNotFoundException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            } catch (IOException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }
    }
    _THE TRACE_
    adding as trusted cert:
    Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
    *others trusted certs*
    trigger seeding of SecureRandom
    done seeding SecureRandom
    export control - checking the cipher suites
    export control - no cached value available...
    export control - storing legal entry into cache...
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1198158630 bytes = { 48, 135, 53, 24, 112, 72, 104, 220, 27, 114, 37, 42, 25, 77, 224, 32, 12, 58, 90, 217, 232, 3, 104, 251, 93, 82, 40, 91 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 3953
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1198158523 bytes = { 56, 166, 181, 215, 86, 245, 8, 55, 214, 108, 128, 50, 8, 11, 0, 209, 38, 62, 187, 185, 240, 231, 56, 161, 212, 111, 194, 79 }
    Session ID: {222, 2, 0, 0, 147, 179, 182, 212, 18, 34, 199, 100, 168, 167, 48, 116, 140, 186, 151, 153, 226, 168, 163, 174, 24, 83, 208, 73, 179, 57, 86, 137}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    Version: V3
    *many chains and related data*
    Found trusted certificate:
    Version: V3
    Subject:
    *many trusted certificates and related data*
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    Random Secret: { 3, 1, 117, 112, 233, 166, 240, 9, 226, 67, 53, 111, 194, 84, 124, 103, 197, 28, 17, 36, 32, 48, 145, 166, 161, 61, 30, 63, 153, 214, 137, 113, 222, 204, 138, 77, 212, 75, 65, 192, 159, 215, 69, 156, 47, 188, 179, 219 }
    main, WRITE: TLSv1 Handshake, length = 134
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 75 70 E9 A6 F0 09 E2 43 35 6F C2 54 7C 67 ..up.....C5o.T.g
    0010: C5 1C 11 24 20 30 91 A6 A1 3D 1E 3F 99 D6 89 71 ...$ 0...=.?...q
    0020: DE CC 8A 4D D4 4B 41 C0 9F D7 45 9C 2F BC B3 DB ...M.KA...E./...
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 47 6A 73 26 30 87 35 18 70 48 68 DC 1B 72 25 2A Gjs&0.5.pHh..r%*
    0010: 19 4D E0 20 0C 3A 5A D9 E8 03 68 FB 5D 52 28 5B .M. .:Z...h.]R([
    Server Nonce:
    0000: 47 6A 73 BB 38 A6 B5 D7 56 F5 08 37 D6 6C 80 32 Gjs.8...V..7.l.2
    0010: 08 0B 00 D1 26 3E BB B9 F0 E7 38 A1 D4 6F C2 4F ....&>....8..o.O
    Master Secret:
    0000: 0B 3A 71 F8 BB 79 5E 07 78 C2 5F 13 4F 92 9D 87 .:q..y^.x._.O...
    0010: CF 69 0D 07 78 D2 59 46 1E C3 C1 5B A2 DB 04 B9 .i..x.YF...[....
    0020: 42 60 92 48 59 8E FD FD C3 5B BD 00 9C 54 7A 7E B`.HY....[...Tz.
    Client MAC write Secret:
    0000: 33 7C 19 C4 75 D2 CE 82 39 98 37 E5 7D 20 CB B1 3...u...9.7.. ..
    Server MAC write Secret:
    0000: 1E 1E 48 C7 D4 77 23 E4 22 26 8B 98 2E 92 5C 95 ..H..w#."&....\.
    Client write key:
    0000: EE 05 39 76 B2 85 63 6C F7 70 30 CB 6D 08 07 54 ..9v..cl.p0.m..T
    Server write key:
    0000: 5C 2E 3B 5E DC D9 EC C5 04 C4 D5 B5 12 11 B9 08 \.;^............
    ... no IV for cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 143, 115, 243, 131, 242, 244, 12, 44, 191, 172, 205, 122 }
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Change Cipher Spec, length = 1
    main, READ: TLSv1 Handshake, length = 32
    *** Finished
    verify_data: { 231, 215, 37, 250, 177, 121, 111, 192, 11, 41, 1, 165 }
    %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    setting up default SSLSocketFactory
    use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
    class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
    keyStore is : Certificados/certificadoSondaMonitor.jks
    keyStore type is : JKS
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: Certificados\cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
    adding as trusted cert:
    * many certificates*
    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom
    instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
    export control - checking the cipher suites
    export control - found legal entry in cache...
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1198158632 bytes = { 93, 1, 41, 236, 165, 146, 251, 117, 129, 195, 129, 72, 245, 181, 43, 48, 80, 251, 244, 198, 223, 85, 82, 101, 20, 159, 17, 26 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 3953
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1198158525 bytes = { 109, 114, 234, 1, 130, 97, 251, 9, 61, 105, 56, 246, 239, 222, 97, 143, 22, 254, 65, 213, 10, 204, 153, 67, 237, 133, 223, 48 }
    Session ID: {23, 30, 0, 0, 26, 129, 168, 21, 252, 107, 124, 183, 171, 228, 138, 227, 94, 17, 195, 213, 216, 233, 205, 2, 117, 16, 21, 65, 123, 119, 171, 109}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    %% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    many chains again
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    Random Secret: { 3, 1, 116, 247, 155, 227, 25, 25, 231, 129, 199, 76, 134, 222, 98, 69, 149, 224, 75, 6, 60, 121, 115, 216, 244, 246, 102, 92, 188, 64, 113, 56, 190, 43, 32, 51, 90, 254, 141, 184, 71, 48, 41, 29, 173, 180, 46, 116 }
    main, WRITE: TLSv1 Handshake, length = 134
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 74 F7 9B E3 19 19 E7 81 C7 4C 86 DE 62 45 ..t........L..bE
    0010: 95 E0 4B 06 3C 79 73 D8 F4 F6 66 5C BC 40 71 38 ..K.<ys...f\.@q8
    0020: BE 2B 20 33 5A FE 8D B8 47 30 29 1D AD B4 2E 74 .+ 3Z...G0)....t
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 47 6A 73 28 5D 01 29 EC A5 92 FB 75 81 C3 81 48 Gjs(].)....u...H
    0010: F5 B5 2B 30 50 FB F4 C6 DF 55 52 65 14 9F 11 1A ..+0P....URe....
    Server Nonce:
    0000: 47 6A 73 BD 6D 72 EA 01 82 61 FB 09 3D 69 38 F6 Gjs.mr...a..=i8.
    0010: EF DE 61 8F 16 FE 41 D5 0A CC 99 43 ED 85 DF 30 ..a...A....C...0
    Master Secret:
    0000: FC C9 75 A4 2B F1 8A D8 AD 16 27 70 B7 E4 64 6C ..u.+.....'p..dl
    0010: 05 D7 33 4A 53 91 2F 51 1E 32 D3 3B 2E 18 2E BC ..3JS./Q.2.;....
    0020: E4 16 EE 2F 01 A1 08 48 19 09 32 68 CE 69 8F B1 .../...H..2h.i..
    Client MAC write Secret:
    0000: F1 95 3B CE 06 5B 8A 9B EC DE 1C 8F B4 AB D9 36 ..;..[.........6
    Server MAC write Secret:
    0000: BF 52 36 48 63 24 FE 74 22 BE 00 99 BE F0 6E E5 .R6Hc$.t".....n.
    Client write key:
    0000: 9F 08 0A 6E 8F 54 A3 66 1C BC C7 6B AE 88 67 E0 ...n.T.f...k..g.
    Server write key:
    0000: 06 A1 0B 4F 69 DE 5F AF 0E 6B B5 04 ED E8 EA F5 ...Oi._..k......
    ... no IV for cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 148, 93, 105, 42, 110, 212, 55, 2, 150, 191, 13, 111 }
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Change Cipher Spec, length = 1
    main, READ: TLSv1 Handshake, length = 32
    *** Finished
    verify_data: { 171, 150, 45, 10, 99, 35, 67, 174, 35, 52, 23, 192 }
    %% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
    main, setSoTimeout(600000) called
    main, WRITE: TLSv1 Application Data, length = 282
    main, WRITE: TLSv1 Application Data, length = 8208
    main, WRITE: TLSv1 Application Data, length = 1102
    main, READ: TLSv1 Application Data, length = 1830
    main, received EOFException: ignored
    main, called closeInternal(false)
    main, SEND TLSv1 ALERT: warning, description = close_notify
    main, WRITE: TLSv1 Alert, length = 18
    main, called close()
    main, called closeInternal(true)
    AxisFault
    faultCode: {http://xml.apache.org/axis/}HTTP
    faultSubcode:
    faultString: (404)Not Found
    faultActor:
    faultNode:
    faultDetail:
         {}:return code: 404
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <HTML><HEAD><TITLE>The page cannot be found</TITLE>
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
    <STYLE type="text/css">
    BODY { font: 8pt/12pt verdana }
    H1 { font: 13pt/15pt verdana }
    H2 { font: 8pt/12pt verdana }
    A:link { color: red }
    A:visited { color: maroon }
    </STYLE>
    </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
    <h1>The page cannot be found</h1>
    The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
    <hr>
    <p>Please try the following:</p>
    <ul>
    <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
    <li>If you reached this page by clicking a link, contact
    the Web site administrator to alert them that the link is incorrectly formatted.
    </li>
    <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
    </ul>
    <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
    <hr>
    <p>Technical Information (for support personnel)</p>
    <ul>
    <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
    <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
    and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
    </ul>
    </TD></TR></TABLE></BODY></HTML>
         {http://xml.apache.org/axis/}HttpErrorCode:404
    (404)Not Found
         at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
         at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
         at org.apache.axis.client.Call.invoke(Call.java:2767)
         at org.apache.axis.client.Call.invoke(Call.java:2443)
         at org.apache.axis.client.Call.invoke(Call.java:2366)
         at org.apache.axis.client.Call.invoke(Call.java:1812)
         at principal.SSLClient.main(SSLClient.java:86)
    (404)Not Found
    -----

    I'm having the same problem with the same URL. I try many configuration and nothing works. My code is:
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.net.URL;
    import java.security.KeyStore;
    import java.security.Security;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    public class NFeClient {
         static {
              Security.addProvider(new BouncyCastleProvider());
         }
         public static void main(final String[] args) throws Exception {
              final String path = "https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx";
              final String keyStoreProvider = "BC";
              final String keyStoreType = "PKCS12";
              final String keyStore = "/home/mendes/certificados/cert.p12";
              final String keyStorePassword = "xxxx";
              System.setProperty("javax.net.ssl.keyStoreProvider", keyStoreProvider);
              System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
              System.setProperty("javax.net.ssl.keyStore", keyStore);
              System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
              System.setProperty("javax.net.ssl.trustStore", "/home/mendes/workspace/NFE/jssecacerts");
              // explicit key manager built from the PKCS12 file; trust managers left at the JVM default
              final SSLContext context = SSLContext.getInstance("TLS");
              final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
              final KeyStore ks = KeyStore.getInstance(keyStoreType);
              ks.load(new FileInputStream(keyStore), keyStorePassword.toCharArray());
              kmf.init(ks, keyStorePassword.toCharArray());
              context.init(kmf.getKeyManagers(), null, null);
              final URL url = new URL(path);
              final HttpsURLConnection httpsConnection = (HttpsURLConnection) url.openConnection();
              httpsConnection.setDoInput(true);
              httpsConnection.setRequestMethod("GET");
              httpsConnection.setRequestProperty("Host", "iis-server");
              httpsConnection.setRequestProperty("User-Agent", "Mozilla/4.0");
              httpsConnection.setSSLSocketFactory(context.getSocketFactory());
              try {
                   final InputStream is = httpsConnection.getInputStream();
                   final byte[] buff = new byte[1024];
                   int readed;
                   while ((readed = is.read(buff)) > 0) {
                        System.out.write(buff, 0, readed);
                   }
              } catch (final IOException ioe) {
                   ioe.printStackTrace();
              }
         }
    }
    and the response of the server is always the same:
    java.io.IOException: Server returned HTTP response code: 403 for URL: https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
         at br.com.esales.nfe.signer.client.NFeClient.main(NFeClient.java:60)
    Edited by: mendes on Apr 25, 2008 9:56 AM
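    Added example for the two posts above, not code from either poster: a diagnostic HTTPS client that makes visible whether the server ever asks for a client certificate and which keystore alias JSSE offers in response. It wraps the X509KeyManager so that chooseClientAlias (called only after a CertificateRequest) logs the accepted issuer list and the chosen alias, and after the request it reads HttpsURLConnection.getLocalCertificates(), which is null when no client certificate was sent. The first poster's trace shows ServerHello, Certificate chain, ServerHelloDone and then ClientKeyExchange with no CertificateRequest in between, which is exactly the case where this wrapper never prints anything. The class name, the URL, the keystore path and type and the password are placeholders.

```java
// Added diagnostic, not code from either post above. The URL, keystore path,
// keystore type and password below are placeholders to replace.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

public class ClientCertDiagnostic {

    /** Delegating key manager that logs every client-certificate request the server makes. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;

        LoggingKeyManager(X509KeyManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            // JSSE calls this only after receiving a CertificateRequest. The issuers
            // array lists the CAs the server accepts; an identity whose chain is not
            // rooted in one of them is silently never offered.
            System.out.println("CertificateRequest received: key types " + Arrays.toString(keyTypes)
                    + ", accepted issuers " + (issuers == null ? "(any)" : Arrays.toString(issuers)));
            String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
            System.out.println("Alias offered: " + (alias == null ? "none (no matching PrivateKeyEntry)" : alias));
            return alias;
        }

        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        @Override public X509Certificate[] getCertificateChain(String alias) {
            return delegate.getCertificateChain(alias);
        }
        @Override public PrivateKey getPrivateKey(String alias) {
            return delegate.getPrivateKey(alias);
        }
    }

    /** Builds an SSLContext whose key managers are wrapped by LoggingKeyManager. */
    static SSLContext loggingContext(String keyStorePath, String keyStoreType, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(keyStoreType);
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        KeyManager[] managers = kmf.getKeyManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509KeyManager) {
                managers[i] = new LoggingKeyManager((X509KeyManager) managers[i]);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(managers, null, null); // null trust managers = JVM default trust store
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String url = "https://example.invalid/service.asmx"; // placeholder
        SSLContext ctx = loggingContext("client.p12", "PKCS12", "changeit".toCharArray()); // placeholders

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode(); // completes the handshake and the request; no exception on 403
        Certificate[] sent = conn.getLocalCertificates(); // null when no client certificate was sent
        System.out.println("HTTP status " + status + "; client certificate sent: "
                + (sent == null ? "no" : ((X509Certificate) sent[0]).getSubjectX500Principal()));
        System.out.println("Negotiated cipher suite: " + conn.getCipherSuite());
    }
}
```

    Reading the output: if "CertificateRequest received" never appears, the server did not ask for a certificate in the handshake the JVM saw, and no keystore change on the client will alter the 403.7; if it appears with "Alias offered: none", the keystore holds no private-key entry whose chain is rooted in one of the listed issuers, which is a keystore content problem rather than a connection problem.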

  • Safari client certificate problem w/ Canada Post website

    I am using OSX 10.8.5 and Safari 6.1.1
    I'm trying to use the Canada Post website for online shipping (ship-in-a-click) via the site:
    http://www.canadapost.ca/personal/tools/cst/intro-e.asp
    When I choose my option (in this case INTERNATIONAL) a pop-up opens asking to select a client certificate. A list of five certificates, which are all apparently valid and not expired, is given. No matter which certificate I select I cannot get past this pop up window. It just pops back up again.
    The certificates are all in the form:
    com.apple.idms.appleid.prd. then a very lengthy alpha numeric string
    From what I have read about certificate problems, you can just delete them and the next time you visit, the site will ask you to select a new one. However, in this case, with all the certificates seemingly being valid, I don't think that will be the solution. Although, I am a complete novice when it comes to these issues.
    Can anybody suggest something other than using Firefox/Chrome etc.? Although if that is the ONLY choice then so be it. But surely this can be solved within Safari, no? The rest of the Canada Post site seems to behave OK with Safari.
    Thank you.

    Neither.  I am on Mavericks and it shows the exact same issue, so it neither fixes the problem nor introduces new ones, at least with my site.
    I also noticed that it is somewhat based on the location (IP) of the server, because on my local laptop (during development) and on our QA server it would try and send a certificate that it should not send.  HOWEVER, once we implemented the SSL client certificate on our production server it would no longer send the certificate.  I have no idea why and speculate that it is because our production server has a public IP.
    If you want you can use my site and see if the problem persists for you there (http://whf.to); however, given the seemingly random way Safari decides to send certificates, you may or may not see the issue.  If Safari does indeed send a certificate you should get an error page that details what happened (in somewhat lay terms).
    Sorry that Mavericks doesn't fix the issue for you.

  • Problem with exchange on my Iphone6

    I have tried everything possible but still have a problem with Exchange on my iPhone 6.

    What problem? You need to provide more information in order for us to help you.

  • TS4532 Any idea on the timing of the software update to fix the IOS6.1 problems with Exchange 2010?

    Any idea on the timing of the SW update to fix the IOS 6.1 problem with Exchange 2010?
    victor

    In reply to Macca7275
    We moved from Blackberry to iPhone for 120 services in 2010.  We have just renewed the iPhone fleet.  Security was the issue for the business that employs me (lawyers).  When comparing the two, Blackberry performed without issue most of the time but we experienced a number of issues with the trackballs on individual phones. This was, however, the first of the Blackberry Bold models.  The expense behind the scenes was one of the major factors for the move. It was cheaper to run Exchange and iPhones than Blackberry services. Our lawyers on the whole adopted the iPhones and a number have become quite proficient at using them. We ensured that we had a means to securely wipe and lock business phones. We chose Mobile Iron for this purpose but you will find other products to do the same job. Cost is probably going to be the deciding factor here.  Our only negative factor was butterfingers resulting in smashed glass with the iPhones although I have had one user drown several phones.

  • Problem with exchange mail

    I have a problem with Exchange mail on my MacBook: when I add my Exchange account to the Mac Mail app, the Mail app freezes and closes by itself, and when I try to open it again it does the same thing until I delete the account.

    Make sure the user you are using to connect and search for Mail stores has sufficient rights to look for Mail store objects.
    Thanks
    Suren

  • Getting SSGD 4.41 to work with SSL + Client Certificate

    Hello everybody.
    I'm running SSGD 4.41.909 on SuSE Linux Enterprise Server 10+SP2 (x86_32bit) and I configured it to perform KERBEROS authentication against a Windows 2003R2 server.
    Everything worked fine so I decided to give SSL+Client Certificate a try.
    I configured the Win2003R2 server as per the manual and I also:
    . imported the Active Directory root CA into the SSGD truststore (/opt/tarantella/bin/jre/lib/security/cacerts)
    . created a new key and a CSR using the keytool
    . signed the above CSR with the Active Directory CA
    . imported the just signed certificate into the SSGD keystore (/opt/tarantella/var/info/certs/sslkeystore)
    With the keytool I'm able to verify that the keystore does actually contain a valid CLIENT certificate:
    /opt/tarantella/bin/jre/bin/keytool -list \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -keypass "$(cat /opt/tarantella/var/info/key)" \
    -storepass "$(cat /opt/tarantella/var/info/key)"
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 2 entries
    testssgd, Dec 17, 2008, PrivateKeyEntry,
    Certificate fingerprint (MD5): 33:3B:41:EC:A2:4C:FF:02:D7:0D:D8:2D:EB:B2:2A:2B
    ssgd_client_cert, Dec 17, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): DE:6B:BA:28:39:6B:B2:7B:51:F5:F2:6B:41:6E:6B:C1
    As you can see, the ssgd_client_cert is indeed available into the sslkeystore.
    Next, I configured SSGD as follows:
    Step4: LDAP Repository Details
    Repository Type: (*) Active Directory
    URLs: ad://zen.strhold.it
    Connection Security: () Kerberos
    (*) SSL
    [x] Client Certificate Used
    Active Directory Base Domain: zen.strhold.it
    Active Directory Default Domain: zen.strhold.it
    [Next]
    I did not have any errors when I clicked over [Next] and the same went when I selected the [Finish] button.
    I logged out of the Admin console, restarted the SSGD server and tried to login using an Active Directory VALID user but here's what I got:
    Sun Secure Global Desktop Software (4.41) WARNING:
    Could not find a client certificate to use to authenticate the
    connection to the Active Directory server
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the Active Directory.
    A known resolution to this warning is:
    - Import a client certificate for this server into the SGD keystore.
    For more information on how to do this, consult the SGD Administration
    Guide.
    2008/12/17 17:16:36.246     (pid 18920)     server/ad/warningerror     #1229530596247
    Sun Secure Global Desktop Software (4.41) WARNING:
    Failed to connect to the global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
    Reason:
    [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
    Global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the forest.
    To help troubleshoot this warning,
    - Verify that this global catalog is available on the network.
    - Verify that SGD can resolve the global catalog's hostname via DNS.
    - Verify that SGD can connect to port 3268 on the global catalog.
    - Verify that this server is a global catalog for the forest.
    I'm pretty sure I do have a client certificate in the SSGD keystore (as demonstrated by the keytool utility).
    Am I missing something or what?
    Things I've already checked:
    . both the SSGD and Windows server clocks are in sync
    . the DNS server (on Windows) is able to resolve the names of the boxes in both forward and reverse mode
    . no firewall is operating between the boxes
    Thanks,
    Rob

    Hi DD.
    Thanks again for your time and patience!
    Well, today I restarted the SSGD box (it's a virtual machine) and issued the following command:
        keytool -list -keystore sslkeystore -storepass "$(cat /opt/tarantella/var/info/key)" -keypass "$(cat /opt/tarantella/var/info/key)"
    Much to my surprise, this time I got the following output:
    Your keystore contains 1 entry
    testssgd, Dec 19, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
    As you can see, now the certificate is recognized as "trustedCertEntry" instead of the previous PrivateKeyEntry. If you step back to my previous post, you should be able to tell that the MD5 is the same one I got for the PrivateKeyEntry.
    testssgd, Dec 19, 2008, PrivateKeyEntry,
    Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
    By issuing the suggested:
        keytool -v -list -keystore sslkeystore -alias testssgd
    command I got the following output (snipped):
    Alias name: testssgd
    Creation date: Dec 19, 2008
    Entry type: trustedCertEntry
    Owner: CN=ssgd.zen.strhold.it, OU=Strhold Evolution Division, O=Strhold, L=Reggio Emilia, ST=Italy, C=IT
    Issuer: CN=ADroot, DC=zen, DC=strhold, DC=it
    Serial number: 1568abe4000000000006
    Valid from: Fri Dec 19 17:45:52 CET 2008 until: Sun Dec 19 17:45:52 CET 2010
    Certificate fingerprints:
         MD5: 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
         SHA1: 00:8F:59:04:51:49:A6:73:8C:B5:6D:74:C6:90:30:32:24:DE:6D:EA
         Signature algorithm name: SHA1withRSA
         Version: 3
    As you can see, the Issuer is ADRoot (CN=ADroot, DC=zen, DC=strhold, DC=it).
    The error messages did not change:
    Attempted login for [email protected]
    using disambiguation attributes {}.
    2008/12/22 13:37:10.306     (pid 3764)     server/kerberos/info     #1229949430306
    Kerberos attempting to log in rzini in to ZEN.STRHOLD.IT
    2008/12/22 13:37:10.647     (pid 3764)     server/kerberos/moreinfo     #1229949430647
    Kerberos succeeded in authenticating [email protected] to ZEN.STRHOLD.IT
    2008/12/22 13:37:10.711     (pid 3764)     server/ldap/info     #1229949430711
    LDAP config is: "ad://zen.strhold.it"
    2008/12/22 13:37:10.716     (pid 3764)     server/ldap/info     #1229949430716
    LDAP server user was changed for scope "forest" to ""
    2008/12/22 13:37:10.796     (pid 3764)     server/ldap/moreinfo     #1229949430796
    NSLookup succeeded: "win2003r2.zen.strhold.it." returned 192.168.68.1
    2008/12/22 13:37:10.801     (pid 3764)     server/ldap/moreinfo     #1229949430801
    Service lookup succeeded: "_gc._tcp.zen.strhold.it." returned 192.168.68.1:3268
    2008/12/22 13:37:11.316     (pid 3764)     server/ad/warningerror     #1229949431315
    Sun Secure Global Desktop Software (4.41) WARNING:
    Could not find a client certificate to use to authenticate the
    connection to the Active Directory server
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
    cannot be used to retrieve data from the Active Directory.
    A known resolution to this warning is:
    - Import a client certificate for this server into the SGD keystore.
    For more information on how to do this, consult the SGD Administration
    Guide.
    2008/12/22 13:37:11.321     (pid 3764)     server/ad/warningerror     #1229949431321
    Sun Secure Global Desktop Software (4.41) WARNING:
    Failed to connect to the global catalog:
    'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
    Reason:
    [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
    [snip]
    Discovery results:
    Looking up Global Catalog DNS name: _gc._tcp.zen.strhold.it. - HIT
    Looking for GC on server: Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up - ERROR
    The Active Directory login authority and LDAP generation will not work as
    SGD could not find a contactable global catalog.
    2008/12/22 13:37:11.329     (pid 3764)     server/ldap/error     #1229949431329
    Sun Secure Global Desktop Software (4.41) ERROR:
    LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=ZEN,DC=STRHOLD,DC=IT") 587ms javax.naming.NameNotFoundException: Failed to lookup a Global Catalog server
    A call to LDAP failed. This might mean LDAP users cannot log in.
    I can provide you with the Java exception which was reported but I cannot include it with this message due to the restriction in size we have when posting.
    Thanks again,
    Rob
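As an added illustration, not part of Rob's or DD's posts: a Python parser for `keytool -list` output that flags the trap in this thread, a client-auth alias stored as a trustedCertEntry, which holds no private key and therefore cannot answer the AD server's TLS CertificateRequest. The sample listing below is constructed from the output quoted in the first post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the keytool -list output quoted in the thread.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

testssgd, Dec 17, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 33:3B:41:EC:A2:4C:FF:02:D7:0D:D8:2D:EB:B2:2A:2B
ssgd_client_cert, Dec 17, 2008, trustedCertEntry,
Certificate fingerprint (MD5): DE:6B:BA:28:39:6B:B2:7B:51:F5:F2:6B:41:6E:6B:C1
"""

# keytool prints one "alias, date, entryType," line per entry, followed by a
# fingerprint line. The date itself contains a comma ("Dec 17, 2008"), so the
# middle field is matched lazily.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*"
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)
FP_RE = re.compile(
    r"^Certificate fingerprint \((?P<algo>[\w-]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)\s*$"
)
COUNT_RE = re.compile(r"^Your keystore contains (?P<n>\d+) entr(?:y|ies)\s*$")


@dataclass
class KeystoreEntry:
    alias: str
    created: str
    entry_type: str
    fingerprint: Optional[str] = None

    @property
    def has_private_key(self) -> bool:
        # Only a PrivateKeyEntry carries the key needed to sign the TLS
        # CertificateVerify message; a trustedCertEntry is a bare certificate.
        return self.entry_type == "PrivateKeyEntry"


def parse_keytool_list(text: str) -> List[KeystoreEntry]:
    """Parse the non-verbose output of `keytool -list` into entries."""
    entries: List[KeystoreEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(
                KeystoreEntry(m["alias"].strip(), m["date"].strip(), m["type"])
            )
            continue
        m = FP_RE.match(line)
        if m and entries:
            entries[-1].fingerprint = m["fp"].upper()
    return entries


def declared_entry_count(text: str) -> Optional[int]:
    """The entry count keytool announces, or None if the header is missing."""
    for raw in text.splitlines():
        m = COUNT_RE.match(raw.strip())
        if m:
            return int(m["n"])
    return None


def client_auth_status(entries: List[KeystoreEntry], alias: str) -> str:
    """Classify whether `alias` can be presented as a TLS client identity.

    Returns 'usable', 'no-private-key' (the SSGD symptom in this thread:
    "Could not find a client certificate" although the alias is listed),
    or 'missing'.
    """
    for entry in entries:
        if entry.alias == alias:
            return "usable" if entry.has_private_key else "no-private-key"
    return "missing"


def private_key_aliases(entries: List[KeystoreEntry]) -> List[str]:
    """Aliases that could actually be offered for client authentication."""
    return [e.alias for e in entries if e.has_private_key]


if __name__ == "__main__":
    parsed = parse_keytool_list(SAMPLE_LISTING)
    # A mismatch here means the listing was truncated or mis-parsed.
    assert declared_entry_count(SAMPLE_LISTING) == len(parsed)
    for e in parsed:
        print(f"{e.alias:18} {e.entry_type:17} {client_auth_status(parsed, e.alias)}")
```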

  • Certificate errors with Exchange 2013 and Outlook 2013

    Hello, I wonder if someone could help.
    I've recently set up a network with one Windows 2012 domain controller and one windows 2012 server running Exchange 2013.
    Clients run Outlook 2013 and are all on the same LAN. Outlook's setup wizard finds the Exchange server automatically and sets up the profile. However, if I choose the manual setup and enter the server name and user name it does not find the server.
    When I check the server name in Outlook it shows as [email protected] rather than the real name of the server: AYCEX01.AYC.local.
    When Outlook is opened there is a certificate error saying "The name on the security certificate is invalid or does not match the name of the site." and another error saying "There is a problem with the server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.ardfernyacht.co.uk. Outlook is unable to connect to the proxy server. (Error code 10)"
    The external address by which users connect to OWA and ActiveSync is mail.ardfernyacht.co.uk. The certificate which is used is one automatically generated by Exchange.
    Any suggestions you may have would be appreciated.
    Many thanks,
    Ruaridh
    Ruaridh Mackintosh

    A self-signed cert won't work with Autodiscover. For that you need a third-party cert or one from your own CA.
    Please follow this guide to install a CA in your domain:
    http://careexchange.in/how-to-install-certificate-authority-on-windows-server-2012/
    Please follow this guide to request a new cert in Exchange 2013:
    http://exchangeserverpro.com/create-ssl-certificate-request-exchange-2013/
    Your cert must contain the external hostname of your mail.domain.com
    Also configure your virtual directories to contain the internal and external hostname:
    http://blogs.msdn.com/b/mvpawardprogram/archive/2013/03/18/virtual-directories-exchange-2013.aspx
    Regarding the server name when using Autodiscover, it should automatically resolve to the mailbox GUID instead of the server name.
    Please check if your DNS is set up with autodiscover.domain.local (which is pointed to your Exchange server)
    Hope this helps!
    Off2work
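As an added check, not from the thread or from either poster: a Python hostname-to-SAN matcher (RFC 6125 style, with a wildcard accepted only as the whole leftmost label) that shows why an Exchange self-signed certificate, assumed here to carry only the server's internal names, fails for the external name Outlook reports, and which names a replacement certificate must cover. Both SAN lists are constructed for the example.

```python
from typing import Iterable, List

# Constructed SAN set for the auto-generated Exchange certificate: assumed to
# carry only the server's own names, never the external one.
SELF_SIGNED_SANS = ["AYCEX01", "AYCEX01.AYC.local"]

# Names clients will check the certificate against in this deployment:
# the external OWA/ActiveSync name, Autodiscover, and the internal FQDN.
REQUIRED_NAMES = [
    "mail.ardfernyacht.co.uk",
    "autodiscover.ardfernyacht.co.uk",
    "AYCEX01.AYC.local",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison.

    Case-insensitive, trailing dots ignored. '*' is accepted only as the
    entire leftmost label and never spans a dot, so '*.example.com' matches
    'mail.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial ('m*.') or multiple wildcards are rejected
    if len(p_labels) < 3:
        return False  # refuse '*.uk'-style wildcards on a bare suffix
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def missing_names(cert_sans: Iterable[str], required: Iterable[str]) -> List[str]:
    """Required names that no SAN in the certificate covers, in input order."""
    sans = list(cert_sans)
    return [name for name in required if not any(san_matches(s, name) for s in sans)]


if __name__ == "__main__":
    # The self-signed cert covers the internal FQDN only, which is exactly the
    # "name on the security certificate is invalid" error Outlook shows.
    print("self-signed cert does not cover:", missing_names(SELF_SIGNED_SANS, REQUIRED_NAMES))
    # A replacement from an internal CA with every required name as a SAN.
    print("replacement cert does not cover:", missing_names(REQUIRED_NAMES, REQUIRED_NAMES))
```

Public CAs no longer issue certificates for internal names such as AYCEX01.AYC.local, so the internal FQDN is covered by an internal CA or dropped from the list by pointing the internal virtual-directory URLs at the external name.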

  • FIM Service - Problems with Exchange Mail Listener

    I have a lab environment with Exchange 2010 (exchange) and FIM 2010 R2 (fimserver), both running on Windows Server 2008 R2 Std SP1. My problem is that the Exchange Mail Listener in the FIM Web Services is throwing exceptions and is unable to poll or send mail. The exception is always "System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'."
    Versions:
    FIM Service: 4.1.3419.0
    Exchange 2010: 14.01.0218.013
    The FIM service is run under a service account "Domain\fimservice", and has an Exchange 2010 mailbox [email protected]. The "Microsoft.ResourceManagement.Service.exe.config" is defined as follows:
    <appSettings>
    <!-- Setup adds entries -->
    <add key="mailServer" value="https://exchange.domain.com/ews/exchange.asmx" />
    <add key="isExchange" value="1" />
    <add key="sendAsAddress" value="[email protected]" />
    <add key="synchronizationServerName" value="fimserver.domain.com" />
    </appSettings>
    On the FIMServer I can run IE under the FIMService account and successfully get to https://exchange.domain.com/ews/exchange.asmx without any certificate errors or authentication prompts. I can also access OWA and send and receive mail from the fimservice account.
    Turning on additional logging on the web services I see the following messages:
    Microsoft.ResourceManagement Verbose: 0 : The Exchange Mail Listener is marking Microsoft Exchange "Read" messages as "Unread".
    ThreadId=11
    DateTime=2013-12-03T19:45:31.5391601Z
    Microsoft.ResourceManagement Verbose: 0 : The mail listener is looking for items that match this search expression: Find Item:
    (((((exists(ilmStatus) and (ilmStatus is equal to 'Read'))) and (((((((ItemClass is equal to 'IPM.Note.IdentityManagement.AddToGroups') or (ItemClass is equal to 'IPM.Note.IdentityManagement.RemoveFromGroups'))) or (ItemClass is equal to 'IPM.Note.IdentityManagement.ApprovalResponseApproved'))) or (ItemClass is equal to 'IPM.Note.IdentityManagement.ApprovalResponseRejected')))) and ((not(exists(ilmApprovalEndpoints)) or (
    ThreadId=11
    DateTime=2013-12-03T19:45:31.5470841Z
    Microsoft.ResourceManagement Error: 3 : System.Web.Services: System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'.
    The request failed with an empty response.
    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.FindItem(FindItemType FindItem1)
    at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0(Boolean findUnreadItems)
    at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)
    Here is another instance:
    Microsoft.ResourceManagement Verbose: 0 : The Exchange Mail Binding is creating binding elements.
    ThreadId=14
    DateTime=2013-12-03T19:45:32.7624276Z
    Microsoft.ResourceManagement Error: 3 : System.Web.Services: System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'.
    The request failed with an empty response.
    at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    at Microsoft.ResourceManagement.WebServices.Mail.Exchange.ExchangeServiceBinding.FindItem(FindItemType FindItem1)
    at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.<OnPollTimerExpired>b__0(Boolean findUnreadItems)
    at Microsoft.ResourceManagement.WebServices.Mail.Exchange.MailChannel.ExchangeMailChannelListener`1.ExchangeMailListener.OnPollTimerExpired(Object state)
    ThreadId=4
    DateTime=2013-12-03T19:45:32.7644086Z
    Any suggestions?

    David,
    Thanks for the suggestion. The account didn't have any e-mails. I eventually found the issue was with the Exchange server itself and not related at all to FIM. Even though I could access OWA and the EWS asmx page, the product wasn't fully functional due to a missing DLL from another .NET update. So I thought Exchange was working properly, but it wasn't.
    After installing this hotfix (KB2637518) on the Exchange box, the product was working and therefore FIM was working as expected.
    More details can be read on this TechNet blog (at the very bottom, labelled UPDATE).

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., through a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
    $cat JDBCRealm.java
    * JDBCRealm for supporting RDBMS authentication.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to
    * implement both a login module (see JDBCLoginModule for an example)
    * which performs the authentication and a realm (as shown by this
    * class) which is used to manage other realm operations.
    * <P>A custom realm should implement the following methods:
    * <ul>
    *  <li>init(props)
    *  <li>getAuthType()
    *  <li>getGroupNames(username)
    * </ul>
    * <P>IASRealm and other classes and fields referenced in the sample
    * code should be treated as opaque undocumented interfaces.
    final public class JDBCRealm extends IASRealm
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    * JDBCRealm login module.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to implement
    * both a login module (as shown by this class) which performs the
    * authentication and a realm (see JDBCRealm for an example) which is used
    * to manage other realm operations.
    * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
    * extended by this class. PasswordLoginModule provides internal
    * implementations for all the LoginModule methods (such as login(),
    * commit()). This class should not override these methods.
    * <P>This class is only required to implement the authenticate() method as
    * shown below. The following rules need to be followed in the implementation
    * of this method:
    * <ul>
    *  <li>Your code should obtain the user and password to authenticate from
    *       _username and _password fields, respectively.
    *  <li>The authenticate method must finish with this call:
    *      return commitAuthentication(_username, _password, _currentRealm,
    *      grpList);
    *  <li>The grpList parameter is a String[] which can optionally be
    *      populated to contain the list of groups this user belongs to
    * </ul>
    * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
    * fields referenced in the sample code should be treated as opaque
    * undocumented interfaces.
    * <P>Sample setting in server.xml for JDBCLoginModule
    * <pre>
    *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
    *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
    *       <property name="jaas-context"  value="jdbcRealm"/>
    *    </auth-realm>
    * </pre>
    public class JDBCLoginModule extends PasswordLoginModule
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    * Realm wrapper for supporting certificate authentication.
    * <P>The certificate realm provides the security-service functionality
    * needed to process a client-cert authentication. Since the SSL processing,
    * and client certificate verification is done by NSS, no authentication
    * is actually done by this realm. It only serves the purpose of being
    * registered as the certificate handler realm and to service group
    * membership requests during web container role checks.
    * <P>There is no JAAS LoginModule corresponding to the certificate
    * realm. The purpose of a JAAS LoginModule is to implement the actual
    * authentication processing, which for the case of this certificate
    * realm is already done by the time execution gets to Java.
    * <P>The certificate realm needs the following properties in its
    * configuration: None.
    * <P>The following optional attributes can also be specified:
    * <ul>
    *   <li>assign-groups - A comma-separated list of group names which
    *       will be assigned to all users who present a cryptographically
    *       valid certificate. Since groups are otherwise not supported
    *       by the cert realm, this allows grouping cert users
    *       for convenience.
    * </ul>
    public class CertificateRealm extends IASRealm
       protected void init(Properties props)
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
        public void authenticate(X509Certificate certs[])
            throws LoginException
            // Set up SecurityContext, but that is not applicable to S1WS..
    }
    Edited by: mv on Apr 24, 2009 7:04 AM

  • Web Service (SSL) and certificates (keytool) with INternet Explorer

    Hi,
    Followed these steps http://www.grallandco.com/blog/archives/2006/10/using_htts_with.html to have a secure SSL Web service (with client authorization).
    Tested from JDeveloper it worked O.K.
    Now I would like to test it with Internet Explorer, but now the server asks for a certificate before Internet Explorer shows the parameters page to invoke the Web Service.
    I generated self-signed certificates and a keystore using keytool. (This keystore is used by the OC4J and my proxy client).
    Imported this certificate (.cer) into Internet Explorer successfully, but when accessing the URL for the web service (https) Internet Explorer does not show this certificate to use it, so it fails to connect...
    Could keytool certificates be used by Internet Explorer for this purpose? What am I doing wrong?
    Thanks
    J.

    Hi,
    I already configured HTTPS - client authentication for OC4J, and you can do it with the following steps:
    1. Create a keystore for OC4J with the Java keytool
    2. Use openssl to create a certificate for your server (private key, certificate)
    3. Use keytool to import your server's certificate (2) into the keystore (1)
    4. Generate a client certificate (4)
    5. Sign the client certificate (4) with the private key and server certificate (2)
    6. Import the client certificate into Windows - (should create a keystore in pkcs12 format)
    You can use "Java Certificate Services" to help you create keystores in multiple formats or sign certs....
    Rgs

  • AnyConnect SSL-client Certificate AND AAA RADIUS

    Hi All,
    I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
    I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the username, but for the life of me, I can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
    Here are some relevant log messages I'm getting:
    Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
    Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
    Certificate chain was successfully validated with warning, revocation status was not checked.
    Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
    Device completed SSL handshake with client outside:72.91.xx.xx/42501
    Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
    Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
    Relevant Config:
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    authentication-server-group RADIUS
    default-group-policy GroupPolicy1
    tunnel-group SSLClientProfile webvpn-attributes
    authentication aaa certificate
    radius-reject-message
    pre-fill-username ssl-client
    group-alias SSLClientProfile enable
    group-url https://URL enable
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    wins-server none
    dns-server value <ip1> <ip2>
    vpn-tunnel-protocol ssl-client
    default-domain value xxxxxxxx
    address-pools value VPNPOOL
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.102.242
    key *****
    aaa-server RADIUS (inside) host 192.168.240.242
    key *****
    ASA version 8.4
    What am I doing wrong? It will not send the request to the AAA server, very much frustrating me...

    Progress....
    I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

  • Problem with BIS & OWA

    Hi, I have a problem with the setting up of an OWA account on BIS website.  I think my only fix may be to change my email address formatting but I do not want to nor should I have to as this has been our email setup for years.  It would be appreciated if someone has another method or someway of telling Blackberry to fix the website.
    The problem is that my user's email format is [email protected]. When I enter this in the OWA account setup page it attempts to authenticate the login using the http://mail.somesite.com/exchange/joe.blog url which is OK, but it uses the joe.blog as the user's domain login, which is not correct. The login name is Joe Blog.
    I can see in my event viewer where BIS has attempted to log in with joe.blog and of course is being denied access.
    I would appreciate any feedback. TA

    I don't know if BIS supports this ... If you can get it to connect I think you can get it to work ... you should be able to enter a different username from the email name.

  • Powerbook G4 Apple mail problem with exchange server?

    Hello all,
         I am new to the group. I just picked up an older PowerBook G4 at a pawnshop for cheap. I've got it running really well now with the exception of my email.
    I am running OS X 10.5.8
    When trying to set it up with my exchange server email it does not seem to want to work with me.
    I get an ALERT
    (There may be a problem with the mail server or network. Check the settings for account "Exchange" or try again.)
    I know i am online fine. Internet works, streams music etc...
    and
    (The server error encountered was: The connection to the server (mail.mycompany.com) on port "X" timed out.)
    I have tried port numbers:
    465
    143
    443
    25
    993
    995
    with no success.
    I have pinged my mail.mycompany.com and it is communicating fine there: 10 sent, 10 received.
    I am sending emails fine, however I cannot receive emails.
    Anybody know what the problem might be?
    THANKS!

    Hi,
    This might have to do with your outgoing mail server (SMTP). For example, if you use Hotmail as your mail client, then your SMTP would be: smtp.live.com while the incoming mail server would be: pop.live.com.
    In your case, try smtp.mycompany.com or smtp.mail.mycompany.com
    See if that resolves the problem.
