SSO Certificate-based authentication problem
Hello,
I have successfully configured certificate-based authentication, and I am able to authenticate with a user certificate that I created with OCA which is stored in the user's profile in OID. Here lies my problem, it seems as if the authentication module (ssomappernickname) only validates against the first certificate stored in the user's profile(userCertificate attribute). This is after I add another certificate to the user's profile. Below is the problem I am describing during my tests:
Order of certificates stored in user's profile.
1. valid cert, invalid cert -> successful authentication
2. invalid cert, valid cert -> unsuccessful authentication (it should STILL be successful here)
Shouldn't the SSO authentication module search each binary certificate in the multi-value attribute for the correct certificate? Or is there some LDAP control that I need to set in order to get this problem solved? Basically, I need to be able let user's perform certificate authentication against multiple certificates in their profiles.
For the benefit of anyone finding this, in my case this problem was resolved by reimporting my internal CA's Cert into the ASA.
I suspect I had inadvertently imported an expired CA Cert into the ASA and this rather un-informative error 1838 is trying to tell you this.
Similar Messages
-
The previous release (10.1) say: "Support for our other LiveCycle authentication types may appear in future releases, including Kerberos, Smartcard/PKI certificate-based authentication, SAML-based authentication, or other SSO mechanisms."
Now in 11.6 certificate-based authentication is enabled?
ThanksApparently, security programs like Macafee and Norton view Itunes updates as new programs and block then from access. If you add Itunes to the list of exemptions, it solves the problem.
-
Certificate Based Authentication and SSL
To whom it may concern,
I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
I am running my Messenger express (http) like this :
http://testing.xyz.com:8100
(I am using port 8100 for http access to mails). After restarting the mail server, I tried :
https://testing.xyz.com:8100 also,
http://testing.xyz.com:443 also,
https://testing.xyz.com:443 also,
but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
Thanking you,
Farhan Ahmed,
System Engineer
Dubai, UAE.Dear jay,
I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
[29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
i got this line from the http log:
[29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
Thanking you,
Farhan Ahmed,
System Engineer,
Dubai Internet City, Dubai, UAE. -
Transition to Certificate Based Authentication
Hello,
I was hoping someone could help provide some insight into a question I have. We are in the process of rolling out a new Mobile Device Management system that will give us the ability to insert User Certificates on the mobile devices.
My question is: While we are in transition to this system, is it possible to have both Digest AND Certificate Based authentication working on Exchange (2010) without causing service disruption to the devices that have not yet been migrated to the new MDM
system?
Thank you in advance,
RyanHi,
Reporting Services uses the HTTP SSL (Secure Sockets Layer) service to establish encrypted connections to a report server. If you have certificate (.cer) file installed in a local certificate store on the report server computer, you can bind the certificate
to a Reporting Services URL reservation to support report server connections through an encrypted channel.
Server certificates are installed on the Web server and typically require no additional configuration on the clients. Server certificates allow the clients to verify the identity of the server.
Because, some Web sites and applications might require client certificates. Client certificates are installed on the client and allow the server to authenticate the clients. For more information about configuring client certificates, see
Enabling Client Certificates in IIS 6.0 . But Client certificates is not supported in the SSRS 2005 later version. So SSRS 2008 R2 will not allow the server to authenticate the clients.
More details information in article below for your reference:
Configuring a Report Server for Secure Sockets Layer (SSL) Connections
If you still have any problem, please feel free to ask.
Regards,
Vicky Liu
Vicky Liu
TechNet Community Support -
Client certificate based authentication
We have a JAVA web start application that needs to connect to an apache server and use client certificate based authentication. When javaws initiates a connection with apache server, it tries to retrieve the certificate/key from the PKCS12 keystore to present it to the apache server. We have made this work, however, javaws is prompting user to enter the password for accessing the keystore password. We do not want our users to enter this password and are looking into ways to either supply the password as one of the javaws deployment property or create an unprotected keystore. Both of our attempts have been unsuccessfull. We have tried the following
1. we passed the 3 discussed properties (javax.net.ssl.keyStore,
javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType) in Java
Control Panel, according to the following procedure: open Control Panel,
select Java tab, click View under Java Applet Runtime Settings, set
values in Java Runtime Parameters table column. This operation added the
properties to the user's deployment file (in a new attribute named
deployment.javapi.jre.1.5.0_09.args, which held all 3 properties as a
value), but there was no effect (password window still popped up).
2. We setup the deployment.property file manually with the 3 attributes
[javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword,
javax.net.ssl.keyStoreType], it didn't have any affect either.
3. When launching java applications you can set system properties as
part of the command line using the follwing format
"-D<property_name>=<property_value>", we failed to find the analogous in
javaws.
Has anyone got any ideas on how to workaround this problem? Really appreciate any help here.Hi, client cert auth is not realy the best way to protect your resources. It needs to install client cert on every workstation to access application. I think it conflict with javaws concept!
I have the same situation (protect resources and avoid password promt on start) and my solution is:
Using tomcat as web server:
Direct structure as follow:
/ApplicationRoot
/WEB-INF
/resources
- private.jar
- private.jnlp
/resources
- icon.png
- public.jarAs you can see there is no direct access to protected resources. All protected resources availiable only thrue ResourceProvider servlet, configured as follow (web.xml):
<servlet-mapping>
<servlet-name>ResourceProvider</servlet-name>
<url-pattern>/resources/secret/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>protected resources awailiable from browser</web-resource-name>
<url-pattern>/resources/secret/browser/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>somerole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>somerole</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name></realm-name>
</login-config>Code your ResourceProvider servlet to grant access only if:
- Connection is secure (ssl).
- URL pattern is "/resources/secret/browser/*" and client has pass realm.
- URL pattern is "/resources/secret/javaws/secretkey/*" (where secretkey is a pin kept both by client and server)
To Install app from browser (access private.jnpl) use "/resources/secret/browser/*" url pattern and basic auth.
To download app resources configure jnlp file as follow:
<jnlp spec="1.0+" codebase="https://host:port/AppRoot/resources/" href="secret/javaws/secretkey/private.jnlp
<information>
<icon href="icon.png"/>
</information>
<resources>
<j2se version="1.6+"/>
<jar href="secret/javaws/secretkey/private.jar" />
<jar href="public.jar" />
</resources>
</jnlp>
{code}
And last you need to do is configure ssl connector on tomcat server as follow:
{code}
<Connector port="port"
scheme="https"
secure="true"
SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS"
/>
{code}
Pay attention to "clientAuth" param. Set it to "false" to avoid javaws splash cert choose dialog on every app update.
Hope it help! -
Certificate based authentication using amclientsdk
Hi there,
We have written custom authentication framework around the amclientsdk. we are able to use the basic authentication (user/password) service configured in access manager for authentication. But we also like to do certificate based authentication where the user choose the the logon using certificate link and certificate from browser will be preseneted to our custom framework and from there i am using the AM API to invoke Cert auth service.It didn't work and reports User certificate not found error. I don't how to present the retrived user certificate to access manager as there is no call backs for Cert auth service.
Our custom application and access manager are running under different sun web server instance. And both configured for SSL (client authentication not required mode).
I tried changing the access manager instance to SSL client authentication required mode that time it sent 403 error code. but i need the previous scenario to work.Hi there
I've got to get this working aswell.
In my case I've got to have both the user/password authentication OR certificate based.
The thing is, the documentation says that I need to have the containers (don't know if both the am server and the agent containers or only one of them ) with SSL and "Client Authentication enabled"... now the problem is, when I make it Client Authentication Enabled the container gives me a similar error to the one you described, this is because the server requests the browser to send a certificate when trying to access the server .....
Can you give me any pointers to how this is supposed to be done? I would really appreciate help with this.
Thanks
Rp -
NetMail,Netlet,NetFile stop after enabling certificate based authentication
I use SunONE Portal6.1+SRA. I have installed the gateway and portal on the same machine and have installed the sample portal also. Everithing works fine (Netlet,NetMail,NetFile) untill I enabled the gateway to use certificate based client authentication. After this step the applications (NetFile,Netlet,NetMail) stopped working. It seems that they can't connect to the gateway after the initial applet download because of the client certificate based authentication.
Is there some workaround or configuration change that I can do in order to allow the applets to communicate with the gateway?At last I have found my mistake. I was using the JPI 1.4.1. If I use JPI 1.3.1 there is no problem because this version of java usesthe browser libraries in order to make the ssl connection and then the certificate that is imported in to the browser is used. Finally I have found the way to tell the JPI 1.4 which certificate to use and how.
Look here if you want more information:
http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/JSSERefGuide.html#Customization
http://java.sun.com/j2se/1.4.1/docs/tooldocs/tools.html#security
see also:
http://forum.java.sun.com/thread.jsp?forum=2&thread=361995 -
Certificate based authentication to Reporting services (2008r2)
Is it possible to use certificate based authentication to reporting services website? I found solutions for windows basic and forms authentication types.
Best regardsHi,
Reporting Services uses the HTTP SSL (Secure Sockets Layer) service to establish encrypted connections to a report server. If you have certificate (.cer) file installed in a local certificate store on the report server computer, you can bind the certificate
to a Reporting Services URL reservation to support report server connections through an encrypted channel.
Server certificates are installed on the Web server and typically require no additional configuration on the clients. Server certificates allow the clients to verify the identity of the server.
Because, some Web sites and applications might require client certificates. Client certificates are installed on the client and allow the server to authenticate the clients. For more information about configuring client certificates, see
Enabling Client Certificates in IIS 6.0 . But Client certificates is not supported in the SSRS 2005 later version. So SSRS 2008 R2 will not allow the server to authenticate the clients.
More details information in article below for your reference:
Configuring a Report Server for Secure Sockets Layer (SSL) Connections
If you still have any problem, please feel free to ask.
Regards,
Vicky Liu
Vicky Liu
TechNet Community Support -
Exchange 2010 SP3 OWA with certificate based authentication
Hi,
I have a bizarre problem in my customer’s environment. Maybe someone has an idea.
Exchange 2010 with SP3, latest cumulative Update installed.
The problem I’m having is that when I enable Certificate based authentication (require client certificate option in IIS) on OWA and ECP virtual directories in conjunction with forms based authentication (this is the requirement – the user
must have a client certificate and type in username and password to log in to OWA), the result is that after the user selects the certificate he wants to use, he is logged into OWA automatically, but cannot use the website, because it’s being constantly automatically
refreshed (or redirected to itself or something like that). The behavior occurs with all users, with any browser. If client certificate is on required, forms based authentication works just fine. If I switch to “Basic Authentication” and enable client certificate
requirement, then OWA act’s as it should be – so no problems. The problem only occurs when authentication type is forms based and client certificates are required.
I have tried the exact same settings (as far as I can tell) on one other production server and one test server, and encountered no such problems.
Anyone – any ideas?Hi McWax,
According to your description and test, I understand that all accounts cannot login OWA when select require client certificate.
Is there any error message when open OWA or login? For example, return error ”HTTP error: 403 - Forbidden”. Please post relative error for further troubleshooting.
I want to confirm which authentication methods are used for OWA, Integrated Windows authentication or Digest authentication? More details about it, for your reference:
http://technet.microsoft.com/en-us/library/bb430796(v=exchg.141).aspx
If you select another authentication method, please check whether Client Certificate Mapping Authentication services is installed, and also enabled in IIS, please refer to:
http://www.iis.net/configreference/system.webserver/security/authentication/clientcertificatemappingauthentication
To prevent firewall factor, please try to sign in OWA at CAS server. Besides, I find a FAQ about certificate:
http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
Best Regards,
Allen Wang -
[IMAP SSL] Certificate-Based Login problems
Hi,
I am trying to set up a Certificate-Based Login authentication for an installation of Java Messaging Server 7 Update 3 over Solaris x86 64bit platform.
The objetive is to allow a client to establish an SSL session using a certificate that has been issued by a CA that the server has established as trusted and then grant access to the user without providing his password.
In my installation, unfortunately password is allways required to login any user. These are the steps I have made:
1. Add the CA-signed server certificate.
2. Add the trusted Certificate Authority.
3. Turn on all cipher suites including the weak ones.
4. Enable SSL
./configutil -o service.imap.enablesslport -v yes
./configutil -o service.imap.enable -v 1
./configutil -o service.imap.sslport -v 993
./configutil -o service.imap.sslusessl -v yes
./configutil -o encryption.rsa.nssslpersonalityssl -v "Product-Cert" (where Product-Cert is my CA signed server certificate)
5. Check with the netstat command to verify that the service is running.
bash-3.00# ./configutil -o service.imap.sslport
993
bash-3.00# netstat -an | grep 993
*.993 *.* 0 0 49152 0 LISTEN
Once I have taken these steps, when I use a client to establish an SSL session with a PKCS#12 certificate installed (signed by the same CA trusted by MS and the email address in your users' certificates matches the email address in a users' directory entry) the connection is correct stablished using the port 993 but it is allways necessary to login with password to grant access.
The imap logs seems to show that the MS is not requesting the user's certificate from the client, because allways shows "plaintext authentication" (this correspond a try to access to the user's inbox without Login).
[10/Mar/2010:10:31:38 -0100] goody imapd[2623]: Account Notice: badlogin: [192.168.169.12:1595] plaintext llcc authentication failure
[10/Mar/2010:10:31:41 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:1595] [unauthenticated] 2010/3/10 10:31:37 0:00:04 41 907 0
[10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Network Error: Socket error [192.168.169.12:2226] : I/O function error
[10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:2226] [unauthenticated] 2010/3/10 10:31:56 0:00:25 11 511 0
Also there are some error logs related to the Ciphers:
[10/Mar/2010:10:30:39 -0100] goody imapd[2623]: General Error: SSL initialization error: Unable to enable SSL cipher suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SH
A (0x0064)
(-8186)
Please, Can you help me to discover if there is something wrong in my configuration?
Thanks in advance.
Kind Regards,
LuisThanks for your reply Shane.
Yes, I have configured the client to use port 993. I think the problem is in the Multiplexor configuration, after finished, I allways get this Log message in the ImapProxy Logs:
[15/Mar/2010:17:25:10 -0100] goody ImapProxy[1865]: General Error: (id 455) Connection limit reached for client IP 192.168.169.108
[15/Mar/2010:17:25:22 -0100] goody ImapProxy[1865]: General Error: (id 477) Connection limit reached for client IP 192.168.169.108
[15/Mar/2010:17:25:37 -0100] goody ImapProxy[1865]: General Error: (id 499) Connection limit reached for client IP 192.168.169.108
Where 192.168.169.108 is the IP of the server where MS is installed. The strange thing is that there are no connections established becacause this is a development environment, when I try to check the IMAP port (not ssl) I find a strange behaviour:
bash-3.00# telnet localhost 143
Trying 192.168.169.108...
Connected to goody.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY UNSELECT SORT CATENATE URLAUTH LANGUAGE ESEARCH ESORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ENABLE QRESYNC CONTEXT=SEARCH CONTEXT=SORT WITHIN SASL-IR XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN STARTTLS] Messaging Multiplexor (Sun Java(tm) System Messaging Server 7.3-11.01 (built Sep 1 2009))
. login llcc LLCC_PASSWORD
Connection to goody closed by foreign host.
The ConnLimits parameter is set to default in the ImapProxyAService.cfg (i.e. default:ConnLimits 0.0.0.0|0.0.0.0:20).
Also I have set this values not present in the link: http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication#ConfiguringEncryptionandCertificate-BasedAuthentication-ToSetUpCertificateBasedLogin
configutil -o local.mmp.enable -v 1
configutil -o local.store.enable -v 0
configutil -o local.imta.enable -v 0
configutil -o local.http.enable -v 0
Any idea?
One question more. I have read that Store Administrators have proxy authentication privileges to any service (POP, IMAP, HTTP, or SMTP), which means they can authenticate to any service using the privileges of any user. The question is: Is there any way for the Store Administrator to access to the mailbox of all the users using the IMAP protocol?
Thanks a lot for your help,
Best Regards,
Luis -
Certificate based authentication for Exchange ActiveSync in Windows 8.* Mail app
I have a Surface Pro and want to setup access to my company's Exchange server that accepts only Exchange ActiveSync certificate-based authentication.
I've installed server certificates to trusted pool and my certificate as personal.
Then I can connect thru Internet Explorer, but this is not comfortable to use.
I don't have a password because of security politics of our company. When I'm setting up this account on my Android phone I'm using any digit for password and it works perfectly.
Can someone help to setup Windows 8 metro-style Mail application? Does it supports this type of auth? When I'm trying to add account with type Outlook, entering server name, domain name, username, 1 as a password then I've got a message like "Can't
connect. Check your settings."
Is there any plans to implement this feature?For what it's worth we have CBA working with Windows 8.1 Pro. In our case we have a MobileIron Sentry server acting as an ActiveSync reverse-proxy, so it verifies the client cert then uses Kerberos Constrained Delegation back to the Exchange CAS, however
it should work exactly the same to the Exchange server directly. I just used the CA to issue a User Certificate, exported the cert, private key and root CA cert, copied to the WinPro8.1 device and into the Personal Store. Configured the Mail app
to point at the ActiveSync gateway, Mail asked if I would like to allow it access the certificate (it chose it automatically) and mail synced down immediately...
So it definitely works with Windows Pro 8.1. -
Need Help about Certificate based Authentication
Hi friends..
Currently, i'm trying to develop an applet that using Certificate Based Authentication..
i have looked at this thread : http://forums.sun.com/thread.jspa?threadID=5433603
these is what Safarmer says about steps to generate CSR :
0. Generate key pair on the card.
1. Get public key from card
2. Build CSR off card from the details you have, the CSR will not have a signature
3. Decide on the signature you want to use (the rest assumes SHA1 with RSA Encryption)
4. Generate a SHA1 hash of the CSR (without the signature section)
5. Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
6. Send DigestInfo to the card
7. On the card, the matching private key to encrypt the DigestInfo
8. Return the encrypted digest info to the host
9. Insert the response into the CSR as the signature
Sorry, i'm a little bit confused about those steps.. (Sorry i'm pretty new in X509Certificate)..
on step 4,
Generate a SHA1 hash of the CSR (without the signature section)
Does it mean we have to "build" CSR looks like :
Data:
Version: 0 (0x0)
Subject: C=US, ST=California, L=West Hollywood, O=ITDivision, OU=Mysys, CN=leonardo.office/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:be:a0:5e:35:99:1c:d3:49:ba:fb:2f:87:6f:d8:
ed:e4:61:f2:ae:6e:87:d0:e2:c0:fd:c1:0f:ed:d7:
84:04:b5:c5:66:cd:6b:f0:27:a2:cb:aa:3b:d7:ad:
fa:f4:72:10:08:84:88:19:24:d0:b0:0b:a0:71:6d:
23:5e:53:4f:1b:43:07:98:4d:d1:ea:00:d1:e2:29:
ea:be:a9:c5:3e:78:f3:5e:30:1b:6c:98:16:60:ba:
61:57:63:5e:6a:b5:99:17:1c:ae:a2:86:fb:5b:8b:
24:46:59:3f:e9:84:06:e2:91:b9:2f:9f:98:04:01:
db:38:2f:5b:1f:85:c1:20:eb
Exponent: 65537 (0x10001)
Attributes:
a0:00
on step 5, Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
How DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) looks like?
And what is the DigestInfo Contains, and what is TAG for DigestInfo?..
Please help me regarding this..
Thanks in advance..
Leonardo CarreiraHi,
Leonardo Carreira wrote:
Sorry, Encode the Public Key is handled by On Card Application or Off Card Application?..
I think its' easier to encode the public key by Off Card app..
Could you guide me how to achieve this?, i think Bouncy Castle can do this, but sorry, i don't know how to write code for it.. :( All you need to do is extract the modulus and exponent of the public key. These will be in a byte array (response from your card) that you can use to create a public key object in your host application. You can then use this key to create a CSR with bouncycastle.
I have several some questions :
1. Does Javacard provide API to deal with DER data format?JC 2.2.1 does not buy JC 2.2.2 does, however I believe this is an optional package though. You can implement this in your applet though.
2. Regarding the Certificate Based Authentication, what stuff that need to be stored in the Applet?..
- I think Applet must holds :
- its Private Key,
- its Public Key Modulus and its Public Key Exponent,
- its Certificate,
- Host Certificate
i think this requires too much EEPROM to store only the key..This depends on what you mean by Certificate Based Authentication. If you want your applet to validate certificates it is sent against a certificate authority (CA) then you need the public keys for each trust point to the root CA. To use the certificate for the card, you need the certificate and corresponding private key. You would not need to use the public key on the card so this is not needed. You definitely need the private key.
Here is a rough estimate of data storage requirements for a 2048 bit key (this is done off the top of my head so is very rough):
~800 bytes for your private key
~260 bytes per public key for PKI hierarchy (CA trust points)
~1 - 4KB for the certificate. This depends on the amount of data you put in your cert
3. What is the appropriate RSA key length that appropriate, because we have to take into account that the buffer, is only 255 bytes (assume i don't use Extended Length)..You should not base your key size on your card capabilities. You can always use APDU chaining to get more data onto the card. Your certificate is guaranteed to be larger than 256 bytes anyway. You should look at the NIST recommendations for key strengths. These are documented in NIST SP 800-57 [http://csrc.nist.gov/publications/PubsSPs.html]. You need to ensure that the key is strong enough to protect the data for a long enough period. If the key is a transport key, it needs to be stronger than the key you are transporting. As you can see there are a lot of factors to consider when deciding on key size. I would suggest you use the strongest key your card supports unless performance is not acceptable. Then you would need to analyse your key requirements to ensure your key is strong enough.
Cheers,
Shane -
Certificate based authentication with sender SOAP adapter. Please help!
Hi Experts,
I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
.Net --->SOAP -
>XI -
>RFC -
R/3 System
Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test certificate based authentication?
Am I missing any steps for certificate based authentication?
Please help
Thanks
Gopal
Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AMHi!
Although soapUI is a very goot SOAP testing tool, you can't test certificate based authentication with it. There is no way (since I know) how to import certificat into soapUI.
So, try to find other tool, which can use certificates or tey it directly with the sender system.
Peter -
Certificate based authentication
I have a client application that requires certificate based authentication.
I could not find any instructions on how to set this up in the 11g manuals. So I reverted to the 5.2 manual (http://docs.oracle.com/cd/E19850-01/816-6698-10/ssl.html#18500), and followed some instructions found online.
I have completed the setup, and the client is able to authenticate using his certificate, and I have verified this in the logs.
[22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuing,DC=corp,DC=company,DC=lan
[22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
[22/Mar/2012:13:13:33 -0500] conn=34347 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
When adding the usercertificate attribute to the ID I used the following LDIF:
version: 1
dn: uid=userid,ou=employees,o=company
changetype: modify
replace: userCertificate
usercertificate: < file:///home/user/Certs/usercert.bin
the file was a binary encoded certificate file.
Here is the part that I don't understand when I do a search (or LDIF export) of the user object with the certificate it just returns a short base64 encoded string. when I decode this string, it is just the literal string of "< file:///home/user/Certs/usercert.bin".
So it appears that the certificate has not been stored on the user object in binary, and yet the certificate authentication still works. The file mentioned, does not exist on the LDAP server (the cert was loaded from another server), so there is no way that it is reading the cert from the file.
Anyone have any idea what is going on here? And why certificate auth works, when there appears to be not cert stored in LDAP?
If by chance this is how it is all suppose to work, then how do I go about backing up the usercertificate attribute when I do my LDAP data backups?
Thanks
BrianCyril,
Thanks for the reply.
I believe I am doing both types of certificate authentication, you are describing. My issue is that when I perform the steps to store the PEM formatted cert into the directory server, rather than storing a binary value of the cert, it appears to be storing the path to the file I attempted to import. The odd part is that I can still authenticate even after this is done.
I tried to post as much info as I could before without posting any sensitive data, I'll try and expand on that below.
Here is my documentation of the steps taken to configure the server and setup a user, for what I believe to be certificate based authentication, where the user is authenticated solely on the certificate that they provide (no password is sent).
1. Server must be running SSL, all connections for Certificate Auth are done over SSL (just a note)
2. From the DSCC
----a. Directory Servers Tab -> Servers Tab -> Click Server Name
----b. Security Tab -> General Tab
----c. In "Client Authentication" section, select:
--------i. LDAP Settings: "Allow Certificate-Based Client Authentication"
--------ii. This should be the default setting.
3. On the directory server setup the /ldap/dsInst/alias/certmap.conf file:
----a. certmap default default
----default:DNComps
----default:FilterComps uid,cn
4. restart the directory server
5. Do the following to setup the user who will be connecting. On their unix account (or similar)
----a. Create a directory to hold the certDB
--------i. mkdir certdb
----b. Create a CertDB
--------i. /ldap/dsee7/bin/certutil -N -d certdb
------------1) Enter a password when prompted
----c. Import the CA cert
--------i. /ldap/dsee7/bin/certutil -A -n "OurRootCA" -t "C,," -a -I ~/OurRootCA.cer -d certdb
----d. Create a cert request
--------i. /ldap/dsee7/bin/certutil -R -s "cn=userid,ou=company,l=city,st=state,c=US" -a -g 2048 -d certdb
----e. Send the cert request to the PKI Team to generate a user cert
----f. Take the text of the generated cert & save it to a file
----g. Import the new cert into your certdb
--------i. /ldap/dsee7/bin/certutil -A -n "certname" -t "u,," -a -i certfile.cer -d certdb
----h. Create a binary version of cert
--------i. /ldap/dsee7/bin/certutil -L -n "certname" -d certdb -r > userid.bin
----i. Add the binary cert to the user's LDAP entry (version: 1 must be included - I read this in a doc somewhere, but it doesn't seem to matter)
--------i. ldapmodify
------------1) ldapmodify -h host -D "cn=directory manager" -w password -ac
------------2)
------------version: 1
------------dn: uid=userid,ou=employees,o=company
------------sn: Service Account
------------givenName: userid
------------uid: userid
------------description: Service Account for LDAP
------------objectClass: top
------------objectClass: person
------------objectClass: organizationalPerson
------------objectClass: inetorgperson
------------cn: Service Account
------------userpassword: password
------------usercertificate: < file:///home/userid/Certs/userid.bin
------------nsLookThroughLimit: -1
------------nsSizeLimit: -1
------------nsTimeLimit: 180
After doing this setup I am able to perform a search using the certificate:
ldapsearch -h host -p 1636 -b "o=company" -N "certname" -Z -W CERTDBPASSWORD -P certdb/cert8.db "(uid=anotherID)"
This search is successful, and I can see it logged, as having been a certificate based authentication:
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from x.x.x.x:53574 to x.x.x.x
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuer,DC=corp,DC=company,DC=lan
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
[23/Mar/2012:13:25:20 -0500] conn=44605 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
If I understand correctly that would be using the part 2 of your explanation as using the binary encoded PEM to authenticate the user. If I am not understanding that corretly please let me know.
Now the part that I am really not getting is that the usercertificate that is stored on the ID is as below:
dn: uid=userid,ou=employees,o=company
usercertificate;binary:: PCBmaWxlOi8vL2hvbWUvdXNlcmlkL0NlcnRzL3VzZXJpZC5iaW4
which decodes as: < file:///home/userid/Certs/userid.bin
So I'm still unclear as to what is going on here, or what I've done wrong. Have I set this up incorrectly such that Part 2 as you described it is not what I have setup above? Or am I missunderstanding part 2 entirely?
Thanks
Brian
Edited by: BrianS on Mar 23, 2012 12:14 PM
Just adding ---- to keep my instruction steps indented. -
Certificate based authentication with SSL load balancer
I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?I think the simplest and most secure way is to have the servers configured for
2-way ssl, since this would ensure that the certificate they receive and use for
authentication has been validated during the ssl handshake. In this case the load
balancer itself does not need to and cannot do the handshaking, and would need
to pass the entire SSL connection through to the WLS server (ie: act similar to
a router)
Pavel.
"George Coller" <[email protected]> wrote:
>
I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?
Maybe you are looking for
-
Dear Sir, My niece bought the Apple TV to me, but I could not use it because I do not know how to install. My friend said it does not support in my country, Thailand. I have wifi and rounter to play internet. Please advise me how to install. Also,
-
The RAW files I just downloaded on new MacBook Pro are designated as JPEG in the photo info box. Why??
-
My app has been trying to update for the past two days. It gets 3/4 of the way through and then crashes.
-
How to customize a nacha report in r12
Hello , How to customize a NACHA report in r12. And to use a logic in custom template . Thanks Raju
-
hi all, i am using utl_file for the first time and got the error. pl. help. 1 declare 2 x utl_file.file_type; 3 begin 4 x := utl_file.fopen('d:\babu\oracle','first.txt','w'); 5 utl_file.putf(x,'hi there how are you'); 6* end ; SQL> / declare ERROR at