Problem with Siteminder Client Cert Authentication.
Hi,
I'm facing a problem related to client side authentication. It is as follows:
If we have understood the Siteminder X509 Client Cert Authentication
correctly, this is what we have done.
We have a webserver <webserver1> with a web agent which is not configured to
provide Advanced Authentication. Resources on this Webserver are protected
by Client Side Authentication Scheme.
We also have another Webserver <SecureWebserver> which is configured for
Client Side SSL certificates and has a webagent installed & configured for
X509 Certificates only.
On requesting a protected resource from <webserver1>, the Request is
redirected to the <SecureWebserver> which first presents its server
certificate and then asks for the Client Side certificate. On providing the
Client Side Certificate, however, the Page is not displayed.
I have also checked the logs. In the <SecureWebserver>, I get the following
message.
[03/Jul/2001:10:26:27-1716-2] SmGetCred - user_dn='UID=UUMManager,
CN=UUMManager, O=XYZ, C=US" ssl-id="AADNVRBb7VGOHxwUM
Ap7UjcFQ5DRKzdn/+HboOC6BNo='.
[03/Jul/2001:10:26:27-1716-2] SmGetCred - issuer_dn='CN=Certificate Manager,
OU=ABCD, O=XYZ, L=ZZZZ, ST=ZZ, C=US'.
[03/Jul/2001:10:26:27-1716-1] SmGetCred - Redirecting back to caller at
<webserver>/protectedresource.html
This shows that the user & client certificate have been retrieved properly
and the request is redirected to the original webserver.
However, in the original webserver, the user name it gets for the UID from
the Certificate is very different. For example, it gets a user name like
'AIE=' which is obviously not present in the directory and hence Siteminder
fails to authenticate.
There could be a number of reasons for this.
I checked the Certificate Mapping. It was a single Attribute called UID
being mapped. As seen in the logs, the UID is seen in the UserDN of the
Certificate. Therefore, it should get that but what it gets is an altogether
different value.
I also tried Custom Certificate mapping where irrespective of what
certificate was presented, the String going to the Directory for
Authentication was always hardcoded to be a registered user but still it
always found the same string to send.
Both the SSL Server certificate and the Client Certificates come from the
same CMS ver 4.2 sp2 so I don't think there is a problem with the trust
verification of the Certificate.
Also in the <webserver1> web agent logs, the message printed says that Valid
SSL credentials are found. So there isn't a problem with the trust factor.
Could you please tell me what could be going wrong?
Also, how exactly does the Certificate Mapping work? For example, in the
above case, for the User certificate mentioned, what would the UID
extracted from the Certificate be?
Any insight will be appreciated.
TIA
- toohey
[3158 byte] By [
] at [2007-11-25 7:18:15]
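
An added illustration of the single-attribute mapping asked about in the post above (not part of the original post and not SiteMinder's own code): it parses a subject DN string like the one in the SmGetCred log line and returns the value of one attribute. The function names and parsing rules are assumptions made for this example; the product's actual mapping logic is not shown on the page.

```python
import re
# Constructed input: the user_dn from the SmGetCred log line, wrapped line joined.
LOGGED_USER_DN = "UID=UUMManager, CN=UUMManager, O=XYZ, C=US"

def _split_unescaped(text, sep):
    """Split on sep, skipping separators that are backslash-escaped or quoted."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def _unescape(value):
    """Strip surrounding quotes and backslashes before DN special characters.
    Hex-pair escapes such as \\2C are left as written."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r'\\([ "#+,;<=>\\])', r"\1", value)

def parse_dn(dn):
    """Return (ATTR, value) pairs in DN order; attribute names are upper-cased."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):  # multi-valued RDN
            name, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((name.strip().upper(), _unescape(value)))
    return pairs

def map_single_attribute(dn, attr):
    """Single-attribute mapping: first value of attr in the DN, or None."""
    return next((v for n, v in parse_dn(dn) if n == attr.upper()), None)

def value_comes_from_dn(dn, observed):
    """True if the user name seen downstream is any attribute value in the DN."""
    return observed in [v for _, v in parse_dn(dn)]
```

For the logged DN, mapping on UID gives `UUMManager`, and `value_comes_from_dn(LOGGED_USER_DN, "AIE=")` is false, so the name seen at <webserver1> is not any attribute value of the logged subject DN.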

Hi,
Just wanted to add that without Siteminder, it works just fine. I mean if I
use client cert authentication using iPlanet Webserver, it works.
--
- toohey
at 2007-6-29 17:55:03 >
