SSO Client Certificate Authentication Fails With 3rd Party SSL Accelerator (Doc ID 399616.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.2.0.2 to 10.1.4.3 [Release 10gR2 to 10gR3]
Information in this document applies to any platform.
***Checked for relevance on 19-OCT-2015***

Symptoms

SSO has been configured for client certificate authentication and login is successful when the SSO HTTP Server is fully SSL configured.

When the SSO HTTP Server is reconfigured for routing via a 3rd party SSL accelerator such as Cisco, client certificate authentication fails.

The debug ssoServer.log shows:

     Wed Oct 4 15:50:27 GMT 2006 [DEBUG] AJPRequestHandler-ApplicationServerThread-8 User's browser cerificate not found.

Architecture:
     Client <--HTTPS--> Hardware LBR (Cisco) <--HTTP(X.509 in header)--> 10gAS SSO HTTP Server

The 10gAS configuration appears to be correct for use with an SSL accelerator, i.e.

The following are set in the SSO HTTP Server httpd.conf:
     AddCertHeader SSL_CLIENT_S_DN
     AddCertHeader HTTPS
     SimulateHttps On

The sso_apache.conf has the following at the top of the file (not within the <IfDefine SSL> tags):
     Oc4jExtractSSL on
     SSLOptions +ExportCertData +StdEnvVars

The debug HTTP Server error_log.<ts> file shows that certificate fields are being passed to the HTTP Server in the HTTP headers and that is_ssl is enabled for the requests:

.......
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(966): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0180: Request: is_ssl: 1
.....
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[5]: ClientCert-Fingerprint, header_value[5]: dc:cd:04:d0:8f:78:08:10:68:26:ad:7d:a7:0a:02:61.
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[6]: ClientCert-Issuer, header_value[6]: CN=test.
.....
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[17]: ClientCert-Subject, header_value[17]: CN=jdoe201.
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[18]: ClientCert-Subject-CN, header_value[18]: CN=jdoe201.
.....
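As an added diagnostic (not part of this note or of the Oracle product), the following Python parser groups the mod_oc4j debug lines above by ecid, records the is_ssl flag and the request headers for each request, and lists the certificate-related header names that actually arrived, so they can be compared against the AddCertHeader names configured in httpd.conf; the sample log lines, ecids, client IPs and header values are constructed.

```python
import re

# Constructed sample lines in the mod_oc4j debug format quoted in this note;
# the ecids, client IPs and header values are made-up placeholders.
SAMPLE_LOG = """\
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(966): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0180: Request: is_ssl: 1
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[5]: ClientCert-Fingerprint, header_value[5]: dc:cd:04:d0:8f:78:08:10:68:26:ad:7d:a7:0a:02:61.
[Wed Oct 4 15:50:27 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.30] [ecid: 1159962627:172.25.12.89:5165:0:15,0] MOD_OC4J_0040: Request: header_name[17]: ClientCert-Subject, header_value[17]: CN=jdoe201.
[Wed Oct 4 15:50:28 2006] [debug] oc4j_ajp13_worker.c(966): [client 172.30.30.31] [ecid: 1159962628:172.25.12.89:5165:0:16,0] MOD_OC4J_0180: Request: is_ssl: 1
[Wed Oct 4 15:50:28 2006] [debug] oc4j_ajp13_worker.c(1000): [client 172.30.30.31] [ecid: 1159962628:172.25.12.89:5165:0:16,0] MOD_OC4J_0040: Request: header_name[3]: Host, header_value[3]: sso.example.com.
"""

ECID_RE = re.compile(r"\[ecid: ([^\]]+)\]")
SSL_RE = re.compile(r"MOD_OC4J_0180: Request: is_ssl: ([01])")
HDR_RE = re.compile(r"MOD_OC4J_0040: Request: header_name\[\d+\]: ([^,]+), header_value\[\d+\]: (.*)$")


def summarize_requests(log_text):
    """Group the is_ssl flag and request headers by ecid (one entry per request)."""
    requests = {}
    for line in log_text.splitlines():
        ecid_m = ECID_RE.search(line)
        if not ecid_m:
            continue
        req = requests.setdefault(ecid_m.group(1), {"is_ssl": None, "headers": {}})
        ssl_m = SSL_RE.search(line)
        if ssl_m:
            req["is_ssl"] = ssl_m.group(1) == "1"
        hdr_m = HDR_RE.search(line)
        if hdr_m:
            name, value = hdr_m.group(1).strip(), hdr_m.group(2).strip()
            # mod_oc4j terminates each logged header value with a period; drop it.
            if value.endswith("."):
                value = value[:-1]
            req["headers"][name] = value
    return requests


def cert_headers(req):
    """Header names that look certificate-related (case-insensitive 'cert' or 'ssl_client')."""
    return sorted(n for n in req["headers"] if "cert" in n.lower() or "ssl_client" in n.lower())


def ssl_requests_without_cert(requests):
    """ecids that arrived flagged is_ssl=1 but carried no certificate-related header at all."""
    return sorted(e for e, r in requests.items() if r["is_ssl"] and not cert_headers(r))


if __name__ == "__main__":
    reqs = summarize_requests(SAMPLE_LOG)
    for ecid, req in reqs.items():
        print(ecid, "is_ssl=%s" % req["is_ssl"], "cert headers:", cert_headers(req))
    print("SSL requests with no certificate header:", ssl_requests_without_cert(reqs))
```

Run it against a real error_log.<ts> by passing the file contents to summarize_requests; header names reported by cert_headers are the ones to compare with the AddCertHeader directives in httpd.conf.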

Cause
