IBM WSAD 5.1
IBM Directory Server 5.2
I configured WebSphere to use the Directory Server as a user registry.
Up to here everything works fine: I can use usernames and passwords from the LDAP server to authenticate to an application that has form login set in web.xml.
Now.
What I want to do is authenticate to this application using certificates. So what I did was:
Set the login method to CLIENT-CERT inside web.xml for the application.
From AdminConsole -> Security -> SSL I checked Client Authentication.
I enabled SSL for port 8090.
I set up the certificates, both for the client and for the server (the client is a web browser, Internet Explorer 6.0).
From Security -> User Registries -> LDAP -> Advanced LDAP Settings I set the certificate map mode to CERTIFICATE_FILTER.
In the certificate filter box I entered: uid=${SubjectCN} (this should map the CN field of the certificate subject to an entry in the LDAP server whose uid equals this CN).
For example, the subject of the certificate I use is CN=roscab (as you can see from the attached picture).
Inside the LDAP server there is a user configured with this uid (uid=roscab). This entry can be found with an LDAP browser and I can also authenticate to the admin console with it, so the entry is valid.
The entry in the LDAP server has the following attributes: uid=roscab,cn=users,cn=was security,ou=e-card,o=svc
Now, when I start my application and request a protected resource, the integrated HTTP transport (web server) asks me for a certificate.
I present the certificate and successfully authenticate to the web server, but further on I get a message in the console saying:
[8/24/04 12:54:48:159 EEST] 65a94225 WebGroup I SRVE0180I: [TestWeb] [/TestWeb] [Servlet.LOG]: TestServlet: init
[8/24/04 12:54:48:409 EEST] 65a94225 WebCollaborat A SECJ0056E: Authentication failed for reason <null>
When I configure the certificate filter so that it is obviously wrong (uid=${UniqueKey}), I get the following message:
[8/24/04 12:59:46:058 EEST] 676d4308 WebGroup I SRVE0180I: [adminconsole] [/admin] [Servlet.LOG]: /logonError.jsp: init
[8/24/04 12:59:49:310 EEST] 7fab8308 LdapRegistryI E SECJ0150E: Cannot credential map given credential token for certificate subject DN CN=roscab with filter uid=jtl7Amjj88VExF7gL9aH+w== into LDAP because no entry in LDAP matches the DN or filter
[8/24/04 12:59:49:430 EEST] 7fab8308 WebCollaborat A SECJ0056E: Authentication failed for reason The name in the certificate: CN=roscab cannot be found in the registry
What am I doing wrong?
My opinion is that the web server does not pass the security token to the application server after the authentication to the web server is done.
Is there something I misconfigured?
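To make the CERTIFICATE_FILTER step in the post concrete, here is an added example (written for this page, not IBM's LdapRegistryImpl code and not taken from the post) that simulates what the filter box does: take the certificate subject DN, substitute the ${SubjectCN} placeholder into the template uid=${SubjectCN}, and search a directory for the matching entry. The directory is a constructed in-memory list modelled on the DN from the post; parse_dn, build_filter and search are hypothetical helper names. The one thing the post does not show, and that a practitioner should check, is whether the substituted value is escaped per RFC 4515: the example escapes it, and also shows what the toy matcher does with a subject CN of "*" when escaping is switched off.

```python
import re
from typing import Dict, List

# Constructed sample data, modelled on the post: the certificate subject and
# the directory entry the filter is supposed to hit. Not a real LDAP dump.
SUBJECT_DN = "CN=roscab"
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=roscab,cn=users,cn=was security,ou=e-card,o=svc", "uid": "roscab"},
    {"dn": "uid=admin,cn=users,cn=was security,ou=e-card,o=svc", "uid": "admin"},
]


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 2253 style DN into {ATTR: value}.

    Assumption: commas inside values are escaped as '\\,'; quoted values are
    not handled. Attribute names are upper-cased so 'cn' and 'CN' both give 'CN'.
    """
    out: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        out[attr.strip().upper()] = value.strip().replace("\\,", ",")
    return out


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value: *, (, ), \\ and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(template: str, subject_dn: str, escape: bool = True) -> str:
    """Replace ${SubjectXX} placeholders (e.g. ${SubjectCN}) with subject values."""
    subject = parse_dn(subject_dn)

    def substitute(m) -> str:
        attr = m.group(1).upper()
        if attr not in subject:
            raise ValueError("certificate subject has no attribute %s" % attr)
        value = subject[attr]
        return escape_filter_value(value) if escape else value

    return re.sub(r"\$\{Subject([A-Za-z]+)\}", substitute, template)


def _value_to_regex(pattern: str) -> str:
    """Turn a filter assertion value into a regex: \\XX -> literal char, * -> wildcard."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", pattern[i + 1:i + 3]):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def search(filter_str: str, directory: List[Dict[str, str]]) -> List[str]:
    """Evaluate a single equality filter 'attr=value' against in-memory entries.

    Only the one-assertion form used in the post is supported. Matching is
    case-insensitive, as uid's caseIgnoreMatch rule would be on a real server.
    """
    attr, sep, value = filter_str.partition("=")
    if not sep:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr = attr.strip().lower()
    regex = re.compile(_value_to_regex(value), re.IGNORECASE)
    return [e["dn"] for e in directory
            if e.get(attr) is not None and regex.fullmatch(e[attr])]


def map_certificate(subject_dn: str, template: str = "uid=${SubjectCN}",
                    escape: bool = True) -> List[str]:
    """Certificate subject -> filter -> list of matching entry DNs."""
    return search(build_filter(template, subject_dn, escape), DIRECTORY)


if __name__ == "__main__":
    print(build_filter("uid=${SubjectCN}", SUBJECT_DN))   # uid=roscab
    print(map_certificate(SUBJECT_DN))                     # the one roscab entry
    print(map_certificate("CN=*", escape=False))           # uid=* matches every entry
    print(map_certificate("CN=*"))                         # uid=\2a matches nothing
```

A successful mapping needs exactly one hit: zero hits is the "no entry in LDAP matches the DN or filter" case from the second log excerpt, and more than one hit is ambiguous and should also be rejected, which is why an unescaped wildcard in the subject is worth guarding against in any mapping layer you control.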