DPS 6.3.1.1 Does Not Request Client Certificate When "allow-cert-based-auth" Is Set To "require" (Doc ID 1324962.1)

Last updated on OCTOBER 22, 2016

Applies to:

Oracle Directory Server Enterprise Edition - Version 6.3 SP1 to 6.3.1 SP1 DPS6.3.1.1 [Release 6.0]
Information in this document applies to any platform.
Symptoms

# dpadm -V
[dpadm]
dpadm               : 6.3.1.1 B2009.1106.0259 NAT

[DPS]
Sun Microsystems, Inc.
Sun-Java(tm)-System-Directory-Proxy-Server/6.3.1.1 B2009.1106.0259

DPS is not requesting the client's certificate when client authentication is set to "require".

See examples of the handshake for each client authentication value below:

* Client authentication set to "Require":

# openssl s_client -connect <HOST>:<SSL_PORT>
CONNECTED(00000004)
...
---
No client certificate CA names sent
---
SSL handshake has read 961 bytes and written 314 bytes
---
* Client authentication set to "Allow":

# openssl s_client -connect <HOST>:<SSL_PORT>
CONNECTED(00000004)
...
---
Acceptable client certificate CA names
/C=FR/L=Grenoble/OU=Services/O=Oracle/CN=TestName
/CN=XYZ:2233
/O=Oracle/CN=Directory Server/CN=6656/CN=XYZ
/O=Oracle/CN=Directory Server/CN=6656/CN=XYZ
---
SSL handshake has read 1327 bytes and written 326 bytes
---
* Client authentication set to "Do Not Allow":

# openssl s_client -connect <HOST>:<SSL_PORT>
CONNECTED(00000004)
...
---
No client certificate CA names sent
---
SSL handshake has read 961 bytes and written 314 bytes
---

Note: To verify the current setting, run the following Directory Proxy Server command and check the value of the allow-cert-based-auth attribute:

$ dpconf get-server-prop -h host -p port

Alternatively, look up the allow-cert-based-auth attribute in the conf.ldif file.
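The following shell functions are an added example, not part of this Oracle note: they classify what DPS actually did in the handshake from openssl s_client output and compare it with the configured allow-cert-based-auth value, so the mismatch described above ("require" configured, no certificate requested) is caught by a script. It assumes that only the values "require" and "allow" (compared case-insensitively) should make the server request a certificate; check the exact spelling dpconf prints on your installation.

```shell
# Read "openssl s_client" output on stdin. Print "requested" when the server
# sent a CertificateRequest (s_client then lists the acceptable CA names),
# "not-requested" when it did not, and "unknown" if neither marker is present.
classify_handshake() {
  out=$(cat)
  case "$out" in
    *"Acceptable client certificate CA names"*) echo requested ;;
    *"No client certificate CA names sent"*)    echo not-requested ;;
    *)                                          echo unknown ;;
  esac
}

# $1 = configured allow-cert-based-auth value, $2 = result of classify_handshake.
# Exit status 0 when behaviour matches the setting, 1 on a mismatch (the symptom
# in this note), 2 when the s_client output could not be classified.
# Assumption: "require" and "allow" expect a request; any other value does not.
check_cert_auth() {
  setting=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$setting" in
    require|allow) expected=requested ;;
    *)             expected=not-requested ;;
  esac
  if [ "$2" = unknown ]; then
    echo "UNKNOWN: could not classify handshake for allow-cert-based-auth=$1"
    return 2
  fi
  if [ "$2" = "$expected" ]; then
    echo "OK: allow-cert-based-auth=$1, server behaviour '$2' matches"
    return 0
  fi
  echo "MISMATCH: allow-cert-based-auth=$1 but server behaviour is '$2'"
  return 1
}

# Live probe of a DPS listener ($1 = host, $2 = SSL port). "</dev/null" closes
# stdin so s_client exits after the handshake instead of waiting for input.
probe_dps() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | classify_handshake
}

# Example call (placeholder host/port):
#   check_cert_auth require "$(probe_dps dps.example.com 636)"
```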

Cause
