
SSO Client Certificate Authentication Fails With 3rd Party SSL Accelerator (Doc ID 399616.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.2.0.2 to 10.1.4.3 [Release 10gR2 to 10gR3]
Information in this document applies to any platform.
***Checked for relevance on 19-OCT-2015***

Symptoms

SSO has been configured for client certificate authentication and login is successful when the SSO HTTP Server is fully SSL configured.

When the SSO HTTP Server is reconfigured to route via a 3rd party SSL accelerator such as a Cisco device, client certificate authentication fails.

The debug ssoServer.log shows:

     Wed Oct 4 15:50:27 GMT 2006 [DEBUG] AJPRequestHandler-ApplicationServerThread-8 User's browser cerificate not found.

Architecture:
     Client <--HTTPS--> Hardware LBR (Cisco) <--HTTP(X.509 in header)--> 10gAS SSO HTTP Server

The 10gAS configuration appears to be correct for use with an SSL accelerator, i.e.

The following are set in the SSO HTTP Server httpd.conf:
     AddCertHeader SSL_CLIENT_S_DN
     AddCertHeader HTTPS
     SimulateHttps On

The sso_apache.conf has the following at the top of the file (not within the <IfDefine SSL> tags):
     Oc4jExtractSSL on
     SSLOptions +ExportCertData +StdEnvVars

The debug HTTP Server error_log.<ts> file shows that the certificate fields are being passed to the HTTP Server in the HTTP headers and that is_ssl is enabled for the requests:

.......
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(966): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0180: Request: is_ssl: 1
.....
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[5]: ClientCert-Fingerprint, header_value[5]: dc:cd:04:d0:8f:78:08:10:68:26:ad:7d:a7:0a:02:61.
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[6]: ClientCert-Issuer, header_value[6]: CN=test.
.....
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[17]: ClientCert-Subject, header_value[17]: CN=jdoe201.
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[18]: ClientCert-Subject-CN, header_value[18]: CN=jdoe201.
.....
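The following is an added diagnostic script, not part of this Oracle note, that parses MOD_OC4J_0180/MOD_OC4J_0040 debug lines of the form shown above and inventories, per ecid, whether is_ssl was set and which certificate-related headers actually reached the HTTP Server, then compares them against the names configured on the AddCertHeader lines. The sample log lines are constructed from the excerpt above, and the function names and the header-name comparison are assumptions of this example; the note's own cause and solution are not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the error_log.<ts> excerpt above.
SAMPLE_LOG = """\
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(966): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0180: Request: is_ssl: 1
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[5]: ClientCert-Fingerprint, header_value[5]: dc:cd:04:d0:8f:78:08:10:68:26:ad:7d:a7:0a:02:61.
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[6]: ClientCert-Issuer, header_value[6]: CN=test.
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[17]: ClientCert-Subject, header_value[17]: CN=jdoe201.
"""

ECID_RE = re.compile(r"\[ecid: ([^\]]+)\]")
SSL_RE = re.compile(r"MOD_OC4J_0180: Request: is_ssl: (\d)")
# mod_oc4j appends a trailing period after the header value; strip it.
HDR_RE = re.compile(r"MOD_OC4J_0040: Request: header_name\[\d+\]: ([^,]+), header_value\[\d+\]: (.*?)\.?$")


def parse_requests(log_text):
    """Group the is_ssl flag and forwarded HTTP headers by ecid (one entry per request)."""
    reqs = defaultdict(lambda: {"is_ssl": None, "headers": {}})
    for line in log_text.splitlines():
        m = ECID_RE.search(line)
        if not m:
            continue
        req = reqs[m.group(1)]
        if (s := SSL_RE.search(line)):
            req["is_ssl"] = s.group(1) == "1"
        elif (h := HDR_RE.search(line)):
            req["headers"][h.group(1).strip()] = h.group(2).strip()
    return dict(reqs)


def check_request(req, add_cert_headers=("SSL_CLIENT_S_DN", "HTTPS")):
    """Summarise one request: is_ssl, the certificate headers that arrived, and which
    AddCertHeader names (assumed to be taken from httpd.conf) are not among them."""
    present = {k.upper() for k in req["headers"]}
    cert_headers = sorted(k for k in req["headers"]
                          if k.upper().startswith(("CLIENTCERT-", "SSL_CLIENT")))
    missing = [h for h in add_cert_headers if h.upper() not in present]
    return {"is_ssl": req["is_ssl"], "cert_headers": cert_headers, "missing": missing}


if __name__ == "__main__":
    for ecid, req in parse_requests(SAMPLE_LOG).items():
        print(ecid, check_request(req))
```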

Cause





This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.