
Single Sign-on


Paul Worth

Jul 27, 2000, 3:00:00 AM
Let me explain the problem my company is facing in dealing with
single sign-on and maybe someone can enlighten me on a solution.

We have 2 instances (http:// - https://) running, one encrypted and one
not, both instances have basic authentication set. The challenge we
face is having a single sign-on that will identify the user across both
the encrypted and unencrypted instances of Enterprise server. Basic
authentication when moving from one instance to the other always
re-prompts, making it impossible for us to have a single sign-on.

One possible solution would be for us to move from basic authentication
to SSL authentication. I believe we could use SSL authentication on
both encrypted and unencrypted instances of the web server, and we
would not be re-prompted when moving between the instances.

Any ideas or comments?

Nelson B. Bolyard (At Home)

Jul 28, 2000, 3:00:00 AM
Paul Worth wrote:
>
> Let me explain the problem my company is facing in dealing with
> single sign-on and maybe someone can enlighten me on a solution.
>
> We have 2 instances (http:// - https://) running, one encrypted and one
> not, both instances have basic authentication set. The challenge we
> face is having a single sign-on that will identify the user across both
> the encrypted and unencrypted instances of Enterprise server. Basic
> authentication when moving from one instance to the other always
> re-prompts, making it impossible for us to have a single sign-on.

I believe it is possible to accomplish something like what you want, but
not with basic auth. You may find it necessary to implement your own
basic-auth-like authentication.

> One possible solution would be for us to move from basic authentication
> to SSL authentication. I believe we could use SSL authentication on
> both encrypted and unencrypted instances of the web server, and we
> would not be re-prompted when moving between the instances.

SSL client authentication only works with SSL (e.g. with https), not with
http.

> Any ideas or comments?

/Nelson
Speaking only for myself, as always.

Jay Davis

Aug 5, 2000, 3:00:00 AM
No, SSL authentication will only work for the encrypted side
and will not coordinate between the two instances. What you
really want is multi-instance session tracking, which is what the
full-fledged application servers do; unfortunately these tend to cost a lot
of money.

What you really need to do is to create your own authentication
scheme which coordinates sessions. You would most likely have
to use your own session module to track the logins and coordinate
the sessions. Then you could probably use a servlet to check
authentication and deliver the content pages, instead of users
directly accessing the pages.

One thing to remember is that if the users are logging into your
regular http server, the login information is being sent unencrypted,
so it's not really secure.

I'm looking at a similar situation but haven't started digging into the
session module interface yet. Since most of my app is servlet based,
delivering the content via servlets is a given for me.

Jay Davis


Paul Worth wrote:

> Let me explain the problem my company is facing in dealing with
> single sign-on and maybe someone can enlighten me on a solution.
>
> We have 2 instances (http:// - https://) running, one encrypted and one
> not, both instances have basic authentication set. The challenge we
> face is having a single sign-on that will identify the user across both
> the encrypted and unencrypted instances of Enterprise server. Basic
> authentication when moving from one instance to the other always
> re-prompts, making it impossible for us to have a single sign-on.
>
> One possible solution would be for us to move from basic authentication
> to SSL authentication. I believe we could use SSL authentication on
> both encrypted and unencrypted instances of the web server, and we
> would not be re-prompted when moving between the instances.
>
> Any ideas or comments?

Zoltan Rakonczai

Oct 2, 2000, 3:00:00 AM
Hi,


I'd like to try SSL, so I want to make a Java servlet which can be
addressed and invoked by a Java client. For this, I need an SSL connection
between them. I have an iPlanet web server 4.1. I know I need a certificate
to do that. I made my certificate using the Java keytool as follows:

keytool -genkey -keystore e:\temp\test\keystore -keypass password -storepass password -alias testkey001 -dname "cn=MyName, ou=MyOrganizationUnit, o=MyOrganization, L=MyLocation, S=Unknown, C=MyCountry"


After that, listing the keys using this command:
keytool -list -keystore e:\temp\test\keystore -keypass password -storepass password

I get this:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry:

testkey001, Mon Oct 02 10:20:58 GMT+03:00 2000, keyEntry,
Certificate fingerprint (MD5):
37:0A:C9:F1:7A:75:7E:C9:B3:2C:63:8E:82:64:54:7F


After that, I export the certificate:
keytool -export -keystore e:\temp\test\keystore -keypass password -storepass password -alias testkey001 -file testkey1.cer -rfc

The result:
Certificate stored in file <testkey1.cer>


After that I have a text file beginning with the "-----BEGIN
CERTIFICATE-----" text, ending with the "-----END CERTIFICATE-----" text, and
lots of characters between them.


It was said that, in the beginning, every certificate is a self-signed
certificate.
My questions:
1. Can I use this self signed certificate with my iPlanet Web server 4.1
without any Certificate Authority?
2. Can I use any kind of certificate without any CA at all?


After that, I created a trust database, using the Security/create database
menu in the iPlanet web server 4.1.
It asked me for a password, after which the database was created.

The next step was the Security/install certificate.

Pressing the OK button I get a page which showed all the properties of my
certificate.

Pressing the "Add server certificate" button I get the "Unexpected
failure:cannot write, There was an error while writing certificate file"
error message.

3. Why do I get this error message?


raki

Nelson B. Bolyard

Oct 2, 2000, 3:00:00 AM
Zoltan Rakonczai wrote:
>
> Hi,
>
> I'd like to try SSL, so I want to make a Java servlet which can be
> addressed and invoked by a Java client. For this, I need an SSL connection
> between them. I have an iPlanet web server 4.1. I know I need a certificate
> to do that. I made my certificate using the Java keytool as follows:

[details of running Sun's keytool to generate a self signed cert snipped.]

> It was said that, in the beginning, every certificate is a self-signed
> certificate.

It is certainly not true that every certificate is self signed.

> My questions:
> 1. Can I use this self signed certificate with my iPlanet Web server 4.1
> without any Certificate Authority?

No, I believe it will not work to use a self signed cert for your server cert.
I believe your server cert must have an issuer name different from its
subject name.

> 2. Can I use any kind of certificate without any CA at all?

No.

You could, however, be your own CA, for testing purposes, if you know how.

> After that, I created a trust database, using the Security/create database
> menu in the iPlanet web server 4.1.
> It asked me for a password, after which the database was created.
>
> The next step was the Security/install certificate.
>
> Pressing the OK button I get a page which showed all the properties of my
> certificate.
>
> Pressing the "Add server certificate" button I get the "Unexpected
> failure:cannot write, There was an error while writing certificate file"
> error message.
>
> 3. Why do I get this error message?

The usual cause of this error is a file permission problem on the cert7.db
or key3.db file.

(Please continue to post all followup messages to this newsgroup. Thanks.)

--
Nelson Bolyard Sun / Netscape Alliance
Disclaimer: I speak for myself, not for Netscape

Zoltan Rakonczai

Oct 3, 2000, 3:00:00 AM
I got a 14 day trial certificate from VeriSign.
I tried to install that. It worked first time, but after I deleted that
server instance, I was not able to install it again. I got that "Unexpected
failure:cannot write, There was an error while writing certificate file"
error message.

> > 3. Why do I get this error message?
>
> The usual cause of this error is a file permission problem on the cert7.db
> or key3.db file.
>

The files in the ../netscape/server4/alias directory have 777 rights, so
they can be deleted and written to by anybody. But it still does not work. I get
the same error message.

raki

Nelson B. Bolyard

Oct 3, 2000, 3:00:00 AM
Zoltan Rakonczai wrote:
>
> I got a 14 day trial certificate from the VeriSign.
> I tried to install that. It worked first time, but after I deleted that
> server instance, I was not able to install it again. I got that "Unexpected
> failure:cannot write, There was an error while writing certificate file"
> error message.

Ah! So, you deleted the instance! That's probably the problem.

When you create a certificate request, you actually create two things:
a) a private key which is saved (encrypted) in your private key database.
b) a request for a certificate, which contains the public key that is the
inverse of the private key.

The server needs BOTH (a) the private key, and (b) the certificate with the
public key that is the inverse of that private key, in order to do SSL.
Without the private key that corresponds to the public key in the certificate,
the certificate is useless to the server.

When you receive the certificate, and you go to install it, the installation
requires that the key database already contain the private key for that cert.

When you deleted the instance, you probably also deleted the private key
database that held the one and only copy of that private key. If that file
was deleted, there is NO known way to recover it. If you cannot restore
the missing key database (e.g. from backup), then you have no choice but to
generate a new certificate request, and get a new certificate.

A word of advice: __NEVER__ delete your key database. It can hold many
private keys, and should be allowed to accumulate them. Deleting it can
be disastrous.

> raki

Patrick O. Cesard

Oct 4, 2000, 3:00:00 AM
Hello,

I have not used Java's keytool but my first guess is that it uses certificate
and key stores different from the Web server's. Netscape servers have a
certificate and key store called cert7.db and key3.db. So when you went to
import your certificate in your Web server, it failed because the corresponding
private key was not found in the server's key store (key3.db). You would need to
use the Web server to generate the certificate request (instead of keytool)
because then the private key will be in the right place. Of course you would
also need to have a CA generate a cert from your request: you can use any of the
CAs that are trusted in your Web server by default or you can use a new CA, in
which case you will have to import that CA's certificate in your Web server's
certificate store (cert7.db) and mark it as trusted.

Hope this helps.

Zoltan Rakonczai wrote:

> Hi,
>
> I'd like to try SSL, so I want to make a Java servlet which can be
> addressed and invoked by a Java client. For this, I need an SSL connection
> between them. I have an iPlanet web server 4.1. I know I need a certificate
> to do that. I made my certificate using the Java keytool as follows:
>
> keytool -genkey -keystore e:\temp\test\keystore -keypass password -storepass password -alias testkey001 -dname "cn=MyName, ou=MyOrganizationUnit, o=MyOrganization, L=MyLocation, S=Unknown, C=MyCountry"
>
> After that, listing the keys using this command:
> keytool -list -keystore e:\temp\test\keystore -keypass password -storepass password
>
> I get this:
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 1 entry:
>
> testkey001, Mon Oct 02 10:20:58 GMT+03:00 2000, keyEntry,
> Certificate fingerprint (MD5):
> 37:0A:C9:F1:7A:75:7E:C9:B3:2C:63:8E:82:64:54:7F
>
> After that, I export the certificate:
> keytool -export -keystore e:\temp\test\keystore -keypass password -storepass password -alias testkey001 -file testkey1.cer -rfc
>
> The result:
> Certificate stored in file <testkey1.cer>
>
> After that I have a text file beginning with the "-----BEGIN
> CERTIFICATE-----" text, ending with the "-----END CERTIFICATE-----" text, and
> lots of characters between them.
>
> It was said that, in the beginning, every certificate is a self-signed
> certificate.
> My questions:
> 1. Can I use this self signed certificate with my iPlanet Web server 4.1
> without any Certificate Authority?
> 2. Can I use any kind of certificate without any CA at all?
>
> After that, I created a trust database, using the Security/create database
> menu in the iPlanet web server 4.1.
> It asked me for a password, after which the database was created.
>
> The next step was the Security/install certificate.
>
> Pressing the OK button I get a page which showed all the properties of my
> certificate.
>
> Pressing the "Add server certificate" button I get the "Unexpected
> failure:cannot write, There was an error while writing certificate file"
> error message.
>
> 3. Why do I get this error message?
>
> raki

Andrea LUCIANO

Nov 20, 2000, 3:00:00 AM
Try using the tools that come with the openssl installation
(www.openssl.org).
Generate a cert. request from keytool if you desire so.
Then create a 128 bit key for your own cert. authority with the tool in
openssl and reply to the cert. request from keytool.

Download and read carefully the documentation from openssl and after a few
experiments you'd be able to generate your CA (cert. authority) and your
client/server certificate.

Summing up, you need to:

Generate a 128 bit key
Generate your CA root certificate containing the public key
Generate a certificate request from your keytool
Reply to the cert. req. generating a certificate signed by your CA
Install in client and server the CA root certificate
Install in server the certificate signed by the CA

Let me know the results if you decide to try.

Best Regards,
Andrea

P.S. I'm not an expert and I may have missed something, so read the suggested
documentation.

Zoltan Rakonczai <zoltan.r...@mo.mailnet.fi> wrote in message
8r9dnm$fc...@secnews.netscape.com...
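The CA procedure Andrea lists, together with Nelson's point earlier in the thread that an installed certificate is useless without the private key it was requested against, as an added example in Go (not code from the thread or from any product it mentions). It uses Go's standard x509 package as the CA; P-256 ECDSA keys and the "Test Root CA" and "www.example.test" names are constructed, and the certificate request is assumed to come from whoever holds the server key (the role keytool -certreq plays in the thread).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must stops the demo at the first failing step (template.Must style) so each step reads as one line.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newRootCA is steps 1-2: the CA's own key and a self-signed root (issuer == subject, CA flag set).
func newRootCA() (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return key, must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

// signRequest is step 4, the CA's reply: the CSR carries only the public key, and its own signature proves
// the requester holds the private key. The issued cert names the CA as issuer, so it is not self-signed.
func signRequest(caKey *ecdsa.PrivateKey, root *x509.Certificate, csrDER []byte) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, caKey))))
}

// checkInstall is steps 5-6 plus the install-time check: the cert must pair with a private key still in the
// server's key store (gone if that store was deleted), and a client trusting only the root must chain to it.
func checkInstall(keyInStore *ecdsa.PrivateKey, root, server *x509.Certificate, host string) (bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return keyInStore.PublicKey.Equal(server.PublicKey), err
}
```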
