R: Client certificate authentication

2000-10-09 Thread Montebove Luciano

Hi Esteban,

I already put the lines you added to your web.xml file (as the user if I use
BASIC authentication works fine) but I have the same 403 problem.
Could you send me your actual configuration for principals.xml and web.xml?
Can you attach also the response you get from ssl-user-registration.jsp?
When I call this page I can't see the username (could it be the problem?)
In general I can't understand why I need a username and password when using
Client certificate authentication and how I have to use them.

Thanks,

Luciano 

-Original Message-
From: Lopez Esteban [mailto:[EMAIL PROTECTED]]
Sent: Friday, 6 October 2000 20.58
To: Orion-Interest
Cc: [EMAIL PROTECTED]
Subject: RE: Client certificate authentication


Hi Luciano:
I could fix the 403 Forbidden problem!!! It's easy:

In the WEB.XML file you must do something like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MySecurity</web-resource-name>
    <url-pattern>/servlet/MainMenu</url-pattern>
    <http-method>*</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>users</role-name>
  </auth-constraint>
</security-constraint>

I had forgotten to put:

<auth-constraint>
  <role-name>users</role-name>
</auth-constraint>

and then no Role could have access.

Remember that in the WEB.XML we need to map the "users" Role:

<security-role>
  <description></description>
  <role-name>users</role-name>
</security-role>

I hope this helps you.

Esteban Lopez


 -Original Message-
 From: Montebove Luciano [SMTP:[EMAIL PROTECTED]]
 Sent: Wednesday, October 04, 2000 4:55 AM
 To:   Orion-Interest
 Cc:   [EMAIL PROTECTED]
 Subject:  Re: Client certificate authentication
 
 Hi Lopez,
 
 Can you detail your "manual" identification?
 
 Luciano
 
 -Original Message-
 From: Lopez Esteban [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, 3 October 2000 21.53
 To: Orion-Interest
 Subject: RE: Client certificate authentication
 
 
 
   I haven't solved the 403 problem yet, but I can identify users using
 client certificates. I accept or not the user.
   If you are interested in this "manual" identification I can explain
 more to you.
 

R: Client certificate authentication

2000-10-09 Thread Montebove Luciano

Many Thanks Esteban,

I finally solved it. The problem was the string for the certificate-issuer;
using yours, all works fine.

Luciano

-Original Message-
From: Lopez Esteban [mailto:[EMAIL PROTECTED]]
Sent: Monday, 9 October 2000 14.35
To: Orion-Interest
Subject: RE: Client certificate authentication


My actual configuration for principals.xml and web.xml is:

 Principals.xml  WEB.XML  Application.xml 
I send you my application.xml configuration also (for the role mapping).

I didn't use the ssl-user-registration.jsp. I used the same classes in my
servlet. I sent you how I read the username and serial ID in my "manual"
form mail.
You must use a username when using a Client certificate, the password isn't
needed.

NOTE: Does IE or Navigator ask you for a Certificate? If the answer is
no, maybe you didn't install a personal certificate in your IE or Navigator.



R: Client certificate authentication

2000-10-03 Thread Montebove Luciano

I can help you partially. I had the same 403 Forbidden problem and I'm
waiting for a response from official support (5 days).
For the Cert ID use the sample page ssl-user-registration.jsp in demo SSL.
It will show the cert id you are looking for.
If you solve the 403 problem tell me.

¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤øø
Luciano Montebove - Software Architect - Finsiel S.p.a
E-mail: [EMAIL PROTECTED]  Phone:  (+39) 06-4142-7663
"If you don't fail now and again, it's a sign you're playing it safe"
-W. Allen
¤º°`°º¤ø,¸¸,ø¤º°`°º¤ø¤º°`°º¤ø,¸¸,ø¤º°`°º¤øø



-Original Message-
From: Lopez Esteban [mailto:[EMAIL PROTECTED]]
Sent: Monday, 2 October 2000 14.57
To: Orion-Interest
Subject: Client certificate authentication


Hi

I need to authenticate clients with digital certificates. I have a VeriSign
trial client certificate and I'm using IE 5.0. The certificate is well
installed in IE.
I'm working with Orion 1.2.9 and HTTPS. I'm using
<auth-method>CLIENT-CERT</auth-method> in the login config of the WEB.XML file.
When I connect to the WEB site I see the following error:
403 Forbidden
Your cert's user does not have access to this resource

Please, could anybody help me with this?

Note: In the PRINCIPAL.XML file, when I set the user that has a certificate, I
do the following:

<user username="A name here">
  <description>no description</description>
  <certificate-issuer>CN = VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, OU = www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98, OU = VeriSign Trust Network, O = VeriSign, Inc.</certificate-issuer>
  <certificate-serial-id>I don't know</certificate-serial-id>
  <group-membership group="users"/>
  <group-membership group="guests"/>
</user>

For the certificate-serial-id tag I have a hex number, and when I put this
serial number in it, Orion throws the following exception:
java.lang.NumberFormatException: 297D6F02EA75C1
    at java.lang.Long.parseLong(Unknown Source)
    at java.math.BigInteger.<init>(Unknown Source)
    at java.math.BigInteger.<init>(Unknown Source)
    at com.evermind.server.gs.<init>(JAX)
    at com.evermind.server.XMLUserManager.ajf(JAX)
    at com.evermind.server.XMLUserManager.ajd(JAX)
    at com.evermind.server.XMLUserManager.bw(JAX)
    at com.evermind.xml.XMLConfig.br(JAX)
    at com.evermind.xml.XMLConfig.ax(JAX)
    at com.evermind.xml.XMLConfig.ax(JAX)
    at com.evermind.xml.XMLConfig.update(JAX)
    at com.evermind.server.gw.run(JAX)
    at com.evermind.util.g.run(JAX)
    at com.evermind.util.f.run(JAX)

What serial number must I put in this tag?

Thanks, Esteban
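
Added example, not part of the thread and not Orion's code: the stack trace above fails inside java.math.BigInteger's String constructor, which reads base 10, so the hex serial from the browser dialog cannot parse; this utility prints the decimal form and, given an exported certificate file, the issuer DN as Java renders it. That Orion wants the decimal form in certificate-serial-id, and which DN rendering it compares against, are assumptions the thread does not confirm; the class name CertIdentity and the file argument are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

public class CertIdentity { // hypothetical class name

    // Certificate viewers show the serial in hex; strip byte separators, read base 16.
    static BigInteger parseHexSerial(String hex) {
        return new BigInteger(hex.replaceAll("[\\s:]", ""), 16);
    }

    // Mirrors the base-10 BigInteger(String) parse visible in the stack trace.
    static boolean parsesAsDecimal(String text) {
        try {
            new BigInteger(text);
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String hexSerial = "297D6F02EA75C1"; // value from the exception in the thread
        BigInteger serial = parseHexSerial(hexSerial);
        System.out.println("hex text parses as decimal: " + parsesAsDecimal(hexSerial));
        System.out.println("serial in decimal:          " + serial);
        System.out.println("decimal text parses:        " + parsesAsDecimal(serial.toString()));

        // Optional argument: the client certificate exported from the browser
        // (DER or Base64 .cer); the path is whatever the caller supplies.
        if (args.length == 1) {
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                X500Principal issuer = cert.getIssuerX500Principal();
                // Two standard renderings; spacing and attribute order can differ
                // from the text shown in the browser's certificate dialog.
                System.out.println("issuer (RFC 2253): " + issuer.getName());
                System.out.println("issuer (RFC 1779): " + issuer.getName(X500Principal.RFC1779));
                System.out.println("serial (hex):      " + cert.getSerialNumber().toString(16).toUpperCase());
                System.out.println("serial (decimal):  " + cert.getSerialNumber());
            }
        }
    }
}
```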