Hi All,
I am testing X509 client Authentication. Below is my ENV.
Policy-Server : 12.52-sp01-cr08
WebAgent : 12.52-sp01-cr08
Apache : 2.2 (SSL enabled; working fine for normal form-based authn)
Certificates : Root-CA --> Inter-CA --> Server-Cert (apache)
Root-CA --> Inter-CA --> client-Cert (installed on IE)
1. Configured a realm with X509-AUTHN-SCHEMA
Error: 403.17 (Access Forbidden) after submitting the client cert.
I could see the errors below in the logs:
Apache:
[Sun Aug 26 10:56:32 2018] [error] [client 192.168.10.1] Re-negotiation handshake failed: Not accepted by client!?
[Sun Aug 26 10:56:37 2018] [error] [client 192.168.10.1] Certificate Verification: Error (20): unable to get local issuer certificate
[Sun Aug 26 10:56:37 2018] [error] [client 192.168.10.1] Re-negotiation handshake failed: Not accepted by client!?
[Sun Aug 26 10:59:42 2018] [error] [client 192.168.10.1] File does not exist: /data/www/dev-smauth.sso.com/conf1/favicon.ico
[Sun Aug 26 11:48:31 2018] [error] [client 192.168.10.1] Re-negotiation handshake failed: Not accepted by client!?
[Sun Aug 26 11:59:09 2018] [error] [client 192.168.10.1] Re-negotiation handshake failed: Not accepted by client!?
Webagent-trace:
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ProcessResource][Resolved hostname: ‘dev-smauth.sso.com:1200’.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ProcessResource][Resolved agentname: ‘dev_wa_smauth.sso.com_conf1’.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address ‘192.168.10.1’.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ProcessResource][Resolved URL: ‘/logon/x509/1535266202/smgetcred.scc?TYPE=16777244&REALM=-SM-dev_certx509_authn_login%20[12%3a20%3a02%3a140733193391239]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-pAm7jHcxN8kvF8x1e4pfbKjBBt%2f9An2ncY7FIF8ahfHi5wVgj6t1e8dIq3M45n8nQUhAAOusbGE7wPFNoZz52No9X1oHCAl1&TARGET=-SM-https%3a%2f%2fdev–smauth%2esso%2ecom%3a1200%2fcertx509%2fdump%2ephp’.]
[08/26/2018][12:20:02][4358][1995892480][][CSmHttpPlugin::AutoAuthorizedUrl][Auto-authorizing resource, matches IgnoreExt filter.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ProcessResource][Autoauthorizing URL : ‘https://dev-smauth.sso.com:1200/logon/x509/1535266202/smgetcred.scc?TYPE=16777244&REALM=-SM-dev_certx509_authn_login%20[12%3a20%3a02%3a140733193391239]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-pAm7jHcxN8kvF8x1e4pfbKjBBt%2f9An2ncY7FIF8ahfHi5wVgj6t1e8dIq3M45n8nQUhAAOusbGE7wPFNoZz52No9X1oHCAl1&TARGET=-SM-https%3a%2f%2fdev–smauth%2esso%2ecom%3a1200%2fcertx509%2fdump%2ephp‘ , Method: ‘GET’ ]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ProcessResource][Resolved METHOD: ‘GET’.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ProcessResource][Resolved cookie domain: ‘.sso.com’.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmResourceManager::ProcessResource][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmSessionManager::EstablishSession][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmSessionManager::EstablishSession][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][ProcessRequest][ProtectionManager returned SmNo, end new request.]
[08/26/2018][12:20:02][4358][1995892480][][ReportHealthData][Accumulating HealthMonitorCtxt.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][ProcessAdvancedAuthentication][Start new request.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmResourceManager::ProcessAdvancedAuthResource][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ProcessAdvancedAuthResource][Resolved HTTP_HOST: ‘dev-smauth.sso.com:1200’.]
[08/26/2018][12:20:02][4358][1995892480][][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][dev-smauth.sso.com:1200]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address ‘192.168.10.1’.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][SmAdvancedAuthCore::parseTargetUrl][Resolved cookie domain ‘.sso.com’.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmResourceManager::ProcessAdvancedAuthResource][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][IsResourceProtected][Resource is protected from cache.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][ProcessResponses][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][ProcessResponses][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][SmScc::getCredentials][Failed to get the certificate credentials.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmExit.]
[08/26/2018][12:20:02][4358][1995892480][0000000000000000000000000a0aa8c0-1106-5b824d9a-76f6e700-1f1175bac30e][ProcessAdvancedAuthentication][CredentialManager returned SmExit, end new request.]
[08/26/2018][12:20:02][4358][1995892480][][ReportHealthData][Accumulating HealthMonitorCtxt.]
SMTRACE: NONE
Below is my Apache config:
#### Begin Virtual dev-smauth.sso.com TEST####
Listen 192.168.10.10:1200
NameVirtualHost 192.168.10.10:1200
<VirtualHost 192.168.10.10:1200>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /appl/apache/conf1/certs/dev-smauth.sso.com/dev-smauth.sso.com.cert.pem
SSLCertificateKeyFile /appl/apache/conf1/certs/dev-smauth.sso.com/dev-smauth.sso.com.key.pem
SSLCertificateChainFile /appl/apache/conf1/certs/ca-chain.crt
#SSLCACertificateFile /appl/apache/conf1/certs/ca-chain.crt
#SSLCADNRequestFile /data/www/dev-pki.sso.com/conf1/acceptlist.crt
#SSLCARevocationPath /data/www/dev-pki.sso.com/conf1/crl/
SSLCARevocationFile /data/www/dev-pki.sso.com/conf1/interCA.crl.pem
ProxyRequests off
ProxyPreserveHost On
ServerName dev-smauth.sso.com
ServerAlias dev-pki.sso.com
DocumentRoot /data/www/dev-smauth.sso.com/conf1
ErrorLog "|/opt/apache/bin/rotatelogs /data/logs/apache/conf1/dev-smauth.sso.com/error.%Y%m%d.log 86400 -l"
TransferLog "|/opt/apache/bin/rotatelogs /data/logs/apache/conf1/dev-smauth.sso.com/access.%Y%m%d.log 86400 -l"
<Directory "/data/www/dev-smauth.sso.com/conf1">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule dir_module>
#DirectoryIndex dump.php
DirectoryIndex index.html
</IfModule>
# <Location /login/x509>
# SSLVerifyClient require
# SSLVerifyDepth 3
# SSLRequire %{SSL_CLIENT_I_DN_CN} eq "bfreessl"
# SSLRequire %{SSL_CLIENT_S_DN_O} eq "ARG_IAM"
# SSLCACertificatePath /appl/apache/conf1/certs/
# Order allow,deny
# Allow from all
# </Location>
Alias /logon/ "/data/www/dev.smlogon.com/conf1/"
<Directory "/data/www/dev.smlogon.com/conf1/">
SSLVerifyClient require
SSLVerifyDepth 3
# SSLCACertificateFile /appl/apache/conf1/certs/ca-chain.crt
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
#### End Virtual Host SMAUTH TEST ####
Could someone help me with this issue?
Regards,
Gowtham.
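As an added example (not code from the post, nor from Apache or the CA web agent): a small Python lint that walks the Apache containers and reports every scope that sets SSLVerifyClient require/optional while no SSLCACertificateFile or SSLCACertificatePath is active in that scope or an enclosing one, which is the situation in the vhost above, since mod_ssl verifies client certificates only against those two directives, SSLCertificateChainFile is merely sent to the client, and a commented-out directive configures nothing. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config.

```python
# Added example: lint an Apache mod_ssl config for containers that demand a
# client certificate while no CA store (SSLCACertificateFile/Path) is in effect.
# SAMPLE_CONFIG is a constructed excerpt modelled on the post's vhost.
import re

SAMPLE_CONFIG = """\
<VirtualHost 192.168.10.10:1200>
SSLEngine on
SSLCertificateChainFile /appl/apache/conf1/certs/ca-chain.crt
#SSLCACertificateFile /appl/apache/conf1/certs/ca-chain.crt
<Directory "/data/www/dev.smlogon.com/conf1/">
SSLVerifyClient require
# SSLCACertificateFile /appl/apache/conf1/certs/ca-chain.crt
</Directory>
</VirtualHost>
"""

CA_STORE = {"sslcacertificatefile", "sslcacertificatepath"}

def find_unverifiable_scopes(config_text):
    """(scope, mode) for each container with SSLVerifyClient but no CA store."""
    root = {"name": "(server)", "parent": None, "has_ca": False, "mode": None}
    scopes, stack = [root], [root]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment: configures nothing
        m_open = re.match(r"<(\w+)\s*(.*?)>$", line)
        if m_open:  # <VirtualHost ...>, <Directory ...>, <Location ...>
            scope = {"name": f"{m_open.group(1)} {m_open.group(2)}".strip(),
                     "parent": stack[-1], "has_ca": False, "mode": None}
            scopes.append(scope)
            stack.append(scope)
        elif re.match(r"</\w+>$", line):
            stack.pop()
        else:
            parts = line.split(None, 1)
            key = parts[0].lower()
            if key in CA_STORE:
                stack[-1]["has_ca"] = True
            elif key == "sslverifyclient" and len(parts) == 2:
                stack[-1]["mode"] = parts[1].strip().lower()
    findings = []
    for scope in scopes:  # second pass, so directive order does not matter
        if scope["mode"] in ("require", "optional"):
            s = scope
            while s is not None and not s["has_ca"]:
                s = s["parent"]  # a CA store in any enclosing scope counts
            if s is None:
                findings.append((scope["name"], scope["mode"]))
    return findings
```

Uncommenting the vhost-level SSLCACertificateFile line in SAMPLE_CONFIG makes the finding disappear, which is the check to run against the posted config before looking elsewhere for the "unable to get local issuer certificate" error.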