x.509 Authentication Server Cert Presented Instead of Client Cert When Using mod_wl_ohs 2 Way SSL Configuration
(Doc ID 1484527.1)
Last updated on SEPTEMBER 14, 2023
Applies to:
Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
Symptoms
After implementing an OHS Proxy with 2-way SSL for x.509 certificate authentication (see note 1375426.1) using OHS 11.1.1.6.0 and WLS 10.3.6, the x.509 authentication fails with the following error in the OAM managed server log:
####<Aug 16, 2012 12:00:23 PM EDT> <Error> <HTTP> <HOSTNAME> <OAM_SERVER_NAME> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <
java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:109)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at com.bea.common.security.jdkutils.X509CertificateFactory.engineGenerateCertificate(X509CertificateFactory.java:118)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at weblogic.servlet.internal.VirtualConnection.initProxyClientCert(VirtualConnection.java:213)
at weblogic.servlet.internal.VirtualConnection.initCerts(VirtualConnection.java:189)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1480)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
at sun.security.util.DerValue.init(DerValue.java:347)
at sun.security.util.DerValue.<init>(DerValue.java:303)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:104)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at com.bea.common.security.jdkutils.X509CertificateFactory.engineGenerateCertificate(X509CertificateFactory.java:118)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
at weblogic.servlet.internal.VirtualConnection.initProxyClientCert(VirtualConnection.java:213)
at weblogic.servlet.internal.VirtualConnection.initCerts(VirtualConnection.java:189)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1480)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
In the OAM managed server diagnostic log, it appears that the OHS server cert is being presented for x.509 authentication, instead of the client certificate presented through the user's browser:
[2012-08-16T11:23:43.107-04:00] [OAM_SERVER_NAME] [ERROR] [OAMSSA-20040] [oracle.oam.user.identity.provider] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <USERNAME>] [ecid: <ECID>] [APP: oam_server] [URI: /oam/CredCollectServlet/X509] Could not modify user attribute for user : cn, attribute : <PROXY_HOSTNAME>, value : {2} .
[2012-08-16T11:23:43.109-04:00] [OAM_SERVER_NAME] [ERROR] [OAMSSA-12117] [oracle.oam.engine.authn] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <USERNAME>] [ecid: <ECID>] [APP: oam_server] [URI: /oam/CredCollectServlet/X509] Cannot validate the user certificate.[[
oracle.security.am.engine.authn.api.exception.AuthenticationException: OAMSSA-12111: No user found in User Identity Store for the User certificate with certificate attribute subject.CN value <PROXY_HOSTNAME>.
at oracle.security.am.engine.authn.internal.executor.X509AttributeMapper.map(X509AttributeMapper.java:165)
at oracle.security.am.engine.authn.internal.executor.X509ModuleExecutor.validateAndGetUserWithIdentityStore(X509ModuleExecutor.java:341)
at oracle.security.am.engine.authn.internal.executor.X509ModuleExecutor.execute(X509ModuleExecutor.java:245)
...
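When triaging this symptom, the check that settles it is to look at exactly which certificate the plug-in handed to the managed server. The Python below is an added diagnostic, not part of this note or of Oracle's code: it decodes a captured header value in the same order WebLogic's initProxyClientCert path does (base64, then DER), reproduces the "lengthTag=127, too big." rejection from the first log excerpt when the DER length byte is malformed, and otherwise walks the certificate to its subject CN, so a proxy hostname sitting where the user's CN should be (the second log excerpt) is visible directly. It assumes the proxy forwards the certificate as base64-encoded DER in a request header (the WebLogic plug-in's WL-Proxy-Client-Cert header); the sample certificate, the hostname proxy.example.com and every helper name are constructed for the example.

```python
"""Inspect the certificate a proxy forwarded to WebLogic (added diagnostic).

Assumes the header value captured from a request trace is base64 DER, as the
WebLogic plug-in's WL-Proxy-Client-Cert header carries it. The sample
certificate built below is constructed and unsigned; it has only the fields
this walker reads.
"""
import base64

CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)


def der_length(data, pos):
    """Decode the DER length at data[pos], mirroring JDK DerInputStream.getLength().
    A long-form length with more than four length bytes is rejected with the
    same wording that appears in the OAM managed server log."""
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form: the byte is the length
        return first, pos
    length_tag = first & 0x7F             # long form: number of length bytes
    if length_tag == 0:
        raise ValueError("DerInputStream.getLength(): indefinite length not allowed in DER")
    if length_tag > 4:
        raise ValueError(f"DerInputStream.getLength(): lengthTag={length_tag}, too big.")
    length = int.from_bytes(data[pos:pos + length_tag], "big")
    return length, pos + length_tag


def der_tlv(data, pos):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag = data[pos]
    length, start = der_length(data, pos + 1)
    end = start + length
    if end > len(data):
        raise ValueError("DER element runs past the end of the data")
    return tag, data[start:end], end


def der_children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    children, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_tlv(content, pos)
        children.append((tag, inner))
    return children


def subject_cn(cert_der):
    """Walk Certificate -> tbsCertificate -> subject and return the CN, or None."""
    tag, cert_content, _ = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs, _ = der_tlv(cert_content, 0)
    fields = der_children(tbs)
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, ...  An explicit version shifts every later field by one.
    offset = 1 if fields and fields[0][0] == 0xA0 else 0
    _, subject = fields[offset + 4]
    for _, rdn in der_children(subject):          # Name is a SEQUENCE OF RDN
        for _, atv in der_children(rdn):          # RDN is a SET OF AttributeTypeAndValue
            (_, oid), (_, value) = der_children(atv)
            if oid == CN_OID:
                return value.decode("utf-8")
    return None


def inspect_forwarded_cert(header_value):
    """Classify a forwarded-certificate header value.

    Returns ("der", cn) when the value decodes to a parseable certificate and
    ("invalid", reason) when base64 or DER decoding fails, as it would inside
    WebLogic's VirtualConnection.initProxyClientCert."""
    try:
        raw = base64.b64decode(header_value, validate=True)
        return "der", subject_cn(raw)
    except (ValueError, IndexError) as exc:
        return "invalid", str(exc)


def _tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + content


def build_sample_cert(cn):
    """Constructed, unsigned certificate skeleton whose subject CN is `cn`."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                                  # [0] version v3
        + _tlv(0x02, b"\x01")                                           # serialNumber
        + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
        + name                                                          # issuer
        + _tlv(0x30, _tlv(0x17, b"120816000000Z") + _tlv(0x17, b"130816000000Z"))  # validity
        + name                                                          # subject
        + _tlv(0x30, b"")                                               # subjectPublicKeyInfo placeholder
    )
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def sample_header(cn):
    """Header value as a request trace would show it for the constructed cert."""
    return base64.b64encode(build_sample_cert(cn)).decode()


if __name__ == "__main__":
    print(inspect_forwarded_cert(sample_header("proxy.example.com")))  # ('der', 'proxy.example.com')
    print(inspect_forwarded_cert("MP8A"))  # bytes 30 ff 00: a 0xFF length byte gives lengthTag=127
```

A result of ("der", "<proxy hostname>") rather than the user's CN confirms the second log excerpt's condition at the proxy boundary, before OAM ever consults the identity store; an ("invalid", "... lengthTag=127, too big.") result matches the first excerpt and points at the header content itself rather than at the certificate's subject.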
Changes
Cause