x.509 Authentication Server Cert Presented Instead of Client Cert When Using mod_wl_ohs 2 Way SSL Configuration

(Doc ID 1484527.1)

Last updated on FEBRUARY 10, 2017

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms

After implementing an OHS proxy with 2-way SSL for x.509 certificate authentication (see Note 1375426.1) using OHS 11.1.1.6.0 and WLS 10.3.6, x.509 authentication fails with the following error in the OAM managed server log:

####<Aug 16, 2012 12:00:23 PM EDT> <Error> <HTTP> <iamps9> <oam_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1345132823651> <BEA-101257> <Failed to parse the client certificate in header: WL-Proxy-Client-Cert. Ignoring this certificate.
java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:109)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at com.bea.common.security.jdkutils.X509CertificateFactory.engineGenerateCertificate(X509CertificateFactory.java:118)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at weblogic.servlet.internal.VirtualConnection.initProxyClientCert(VirtualConnection.java:213)
at weblogic.servlet.internal.VirtualConnection.initCerts(VirtualConnection.java:189)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1480)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
at sun.security.util.DerValue.init(DerValue.java:347)
at sun.security.util.DerValue.<init>(DerValue.java:303)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:104)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at com.bea.common.security.jdkutils.X509CertificateFactory.engineGenerateCertificate(X509CertificateFactory.java:118)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at weblogic.servlet.internal.VirtualConnection.initProxyClientCert(VirtualConnection.java:213)
at weblogic.servlet.internal.VirtualConnection.initCerts(VirtualConnection.java:189)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1480)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
In the OAM managed server diagnostic log, it appears that the OHS server cert is being presented for x.509 authentication, instead of the client certificate presented through the user's browser:
[2012-08-16T11:23:43.107-04:00] [oam_server1] [ERROR] [OAMSSA-20040] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000iHPh^DV13jgkDC7EFw0000r700001B,0:1] [APP: oam_server] [URI: /oam/CredCollectServlet/X509] Could not modify user attribute for user : cn, attribute : ohsproxy.oracle.com, value : {2} .
[2012-08-16T11:23:43.109-04:00] [oam_server1] [ERROR] [OAMSSA-12117] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000iHPh^DV13jgkDC7EFw0000r700001B,0:1] [APP: oam_server] [URI: /oam/CredCollectServlet/X509] Cannot validate the user certificate.[[
oracle.security.am.engine.authn.api.exception.AuthenticationException: OAMSSA-12111: No user found in User Identity Store for the User certificate with certificate attribute subject.CN value ohsproxy.oracle.com.
at oracle.security.am.engine.authn.internal.executor.X509AttributeMapper.map(X509AttributeMapper.java:165)
at oracle.security.am.engine.authn.internal.executor.X509ModuleExecutor.validateAndGetUserWithIdentityStore(X509ModuleExecutor.java:341)
at oracle.security.am.engine.authn.internal.executor.X509ModuleExecutor.execute(X509ModuleExecutor.java:245)

...
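
The two log excerpts above show two different states of the WL-Proxy-Client-Cert header that WebLogic reads: a value that does not parse as DER at all (lengthTag=127), or a certificate whose subject CN is the OHS proxy's own (ohsproxy.oracle.com) rather than the browser user's. The script below is an added example, not part of this note or of Oracle's code: it decodes such a header value with a small stdlib-only DER walker, reproduces the JDK's length-tag check, and reports which of the two conditions it sees. The certificates it parses are constructed by sample_header (hypothetical, minimal, with no key or real signature); diagnose, the "Demo CA" issuer and the "alice" subject are assumptions for illustration.

```python
import base64

OID_CN = bytes.fromhex("550403")   # id-at-commonName, OID 2.5.4.3

def der_length(buf, i):   # DER length at buf[i] -> (length, index after it)
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F                # 0xFF gives n=127: the JDK's "lengthTag=127, too big"
    if n == 0 or n > 4:
        raise ValueError(f"lengthTag={n}, too big" if n else "indefinite length is not DER")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_seq(buf):   # every (tag, content) TLV in buf, in order
    items, i = [], 0
    while i < len(buf):
        length, j = der_length(buf, i + 1)
        if j + length > len(buf):
            raise ValueError("length exceeds input")
        items.append((buf[i], buf[j:j + length]))
        i = j + length
    return items

def subject_cn(header_value):   # base64-of-DER header value -> certificate subject CN
    (tag, cert), = der_seq(base64.b64decode(header_value))   # exactly one outer TLV
    if tag != 0x30:
        raise ValueError("outer value is not a SEQUENCE")
    tbs = der_seq(der_seq(cert)[0][1])              # tbsCertificate fields
    if tbs[0][0] == 0xA0:                            # drop optional [0] version
        tbs = tbs[1:]
    for _, rdn in der_seq(tbs[4][1]):                # serial, sigAlg, issuer, validity, subject
        for _, atv in der_seq(rdn):
            oid, value = der_seq(atv)
            if oid[1] == OID_CN:
                return value[1].decode()

def diagnose(header_value, proxy_cn):   # unparseable / proxy's own cert (the symptom) / client cert
    try:
        cn = subject_cn(header_value)
    except (ValueError, IndexError) as exc:
        return f"unparseable: {exc}"
    return f"proxy cert forwarded (CN={cn})" if cn == proxy_cn else f"client cert (CN={cn})"

def sample_header(cn):   # hypothetical minimal Certificate (no key, dummy signature) as base64
    tlv = lambda t, b: bytes([t, len(b)] if len(b) < 0x80 else [t, 0x81, len(b)]) + b   # DER encoder
    name = lambda s: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, s.encode()))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))   # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name("Demo CA") + validity + name(cn)
    return base64.b64encode(tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))).decode()
```

Run diagnose on the header value captured at the proxy with the OHS server certificate's CN as proxy_cn; a "proxy cert forwarded" result reproduces the OAMSSA-12111 symptom above before OAM ever sees the request.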

Cause
