IBM Verify


Browser not supplying a certificate for cert based authentication.

  • 1.  Browser not supplying a certificate for cert based authentication.

    Posted Tue December 19, 2023 09:19 AM
    Hi, I am following the tutorial at https://learn.ibm.com/course/view.php?id=15020 and ran into an issue. On exercise 3, step 26 (page 20/21 in the pdf) the browser is not prompting for the certificate to be sent to webseal. I am not seeing the "User Identification Request" dialog box on Firefox. My runtime is available at https://www.iamlab.ibm.com:4000 as opposed to https://www.ibmemm.edu - would that make a difference as the CA and user certs were generated for IBMEMM. I get redirected to https://www.iamlab.ibm.com:4000/pkmscertpromptstagen with the error message "An attempt to authenticate with a client certificate failed. A valid client certificate is required to make this connection.". Any traces/logs I can view to troubleshoot or review the configuration?

    Also, on step 12 of Exercise 4 (page 24) I am not seeing the SSL method getting prompted - I am seeing an EAI method getting prompted instead. Exact message is "DPWWA1061E Provide your authentication details for method: ext-auth-interface." Any reason, why it's prompting for EAI in the step up authentication instead of SSL/Cert-based authentication?
    Thanks!


    ------------------------------
    Narayan Verma
    ------------------------------


  • 2.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Wed December 20, 2023 11:37 AM

    I figured out the Step 12 issue for Exercise - I had to change the Authentication level to 3 on the IP Auth.  In my junction Authentication tab 3 is for SSL and 2 is for EAI.  I have them set as 0- Unauthenticated, 1 - Password, 2 - EAI, 3 - SSL.

    However, I still can't get any of the browsers, including Firefox, to prompt for a certificate to be sent to the ISAM. Are there any differences in how cert based authentication would work between a virtual appliance vs a container based installation? My LMI is at https://lmi.iamlab.ibm.com:3000 and runtime at https://www.iamlab.ibm.com:4000/. Would port numbers impact how TLS/SSL is performed? Or should the scripts to generate the self-signed certs be changed? BTW, I retried the cookbook after generating the certificates with O=IBMLAB.IBM instead of the original O=IBMEMM but that didn't help. I am still getting "An attempt to authenticate with a client certificate failed. A valid client certificate is required to make this connection" error and the browser is not prompting to select a certificate to be sent to ISAM. What should I check or review to troubleshoot this?



    ------------------------------
    Narayan Verma
    ------------------------------



  • 3.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Thu December 21, 2023 01:50 AM

    Check that the signer of the WebSEAL certificate is in the browser's trust store, and that the signer of your client certificate is in the pdsrv keystore on ISVA. Then of course check the [certificate] stanza in the WebSEAL configuration file.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
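    One way to check the two things Shane lists from outside the appliance, as an added example that is not part of this thread or of the ISVA product: a browser only prompts for a client certificate if the TLS server sends a CertificateRequest, and it only offers certificates whose issuer chain ends in one of the CA names that request advertises. The `openssl s_client` transcripts below are constructed, not captures from the poster's environment; the CA names and hostnames in them are assumptions.

```python
"""Diagnose, from an `openssl s_client -connect host:port` transcript, whether
the server asked for a client certificate and whether a client certificate's
issuer is among the CA names it advertised. Added example; transcripts are
constructed for illustration."""
from typing import List

# Constructed transcript for a listener that requests client certificates
# (for example a secondary port with accept-client-certs=required).
REQUESTING_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.iamlab.ibm.com
   i:CN = www.iamlab.ibm.com
---
Server certificate
subject=CN = www.iamlab.ibm.com
issuer=CN = www.iamlab.ibm.com
---
Acceptable client certificate CA names
O = IAMLAB.IBM
CN = Example Lab Client CA, O = Example
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 1234 bytes and written 456 bytes
"""

# Constructed transcript for a listener that never sent a CertificateRequest:
# with nothing requested, no browser will show a certificate picker.
NOT_REQUESTING_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.iamlab.ibm.com
   i:CN = www.iamlab.ibm.com
---
No client certificate CA names sent
---
SSL handshake has read 1200 bytes and written 400 bytes
"""

# Lines that end the CA-name list in openssl's output.
_SECTION_TERMINATORS = ("---", "Client Certificate Types",
                        "Requested Signature Algorithms",
                        "Shared Requested Signature Algorithms")


def normalize_dn(dn: str) -> str:
    """Canonicalise 'O = IAMLAB.IBM, CN = x' and 'O=IAMLAB.IBM,CN=x' to one form."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(x.strip() for x in p.split("=", 1)) for p in parts)


def acceptable_ca_names(s_client_output: str) -> List[str]:
    """CA names advertised in the server's CertificateRequest ([] if none)."""
    names: List[str] = []
    in_section = False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_section = True
            continue
        if in_section:
            if line.startswith(_SECTION_TERMINATORS):
                break
            if line.strip():
                names.append(normalize_dn(line.strip()))
    return names


def diagnose(s_client_output: str, client_cert_issuer: str) -> str:
    """Return 'not-requested', 'issuer-advertised' or 'issuer-not-advertised'."""
    advertised = acceptable_ca_names(s_client_output)
    if not advertised:
        # No CertificateRequest, or an empty CA list: check the listener's
        # accept-client-certs setting / secondary port before anything else.
        return "not-requested"
    if normalize_dn(client_cert_issuer) in advertised:
        return "issuer-advertised"
    # The request went out but the browser will filter this certificate away:
    # the client CA signer is missing from the keystore behind the listener.
    return "issuer-not-advertised"


if __name__ == "__main__":
    for issuer in ("O=IAMLAB.IBM", "O=IBMEMM"):
        print(issuer, "->", diagnose(REQUESTING_OUTPUT, issuer))
    print("primary listener ->", diagnose(NOT_REQUESTING_OUTPUT, "O=IAMLAB.IBM"))
```

    Run the real command against the port the browser uses and paste its output in place of the constructed transcript; a result of `not-requested` means the browser is behaving correctly for what the server offered, and `issuer-not-advertised` points at the signer entries in the pdsrv keystore rather than at the browser.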



  • 4.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Thu December 21, 2023 08:50 AM
    Thanks Shane, here is what I have in the WebSeal configuration under [certificate]:
    accept-client-certs = prompt_as_needed

    I added cacert.pem file generated from the genkey.sh into both the locations:
    • pdsrv keystore in ISVA under Signer Certificate tab with subject and issuer set to O=IAMLAB.IBM
    • Authorities section in the Firefox's certificate manager. Is this supposed to be something else? If so, where can I find the signer of the WebSEAL certificate? BTW, Firefox also indicates Connection is not secure warning for the runtime (https://www.iamlab.ibm.com:4000/). Could this be related?

    Thanks!



    ------------------------------
    Narayan Verma
    ------------------------------



  • 5.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Thu December 21, 2023 02:36 PM

    The certificate that you install into the browser has to be WebSEAL's server certificate. This typically comes from the "Personal Certificates" tab of the "pdsrv" keystore. Select the personal certificate, "Manage" -> "Export". 

    There should be no certificate warnings on the browser.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 6.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Thu December 21, 2023 03:15 PM
    Edited by Narayan Verma Thu December 21, 2023 04:48 PM

    Thanks Shane, I do see a cert in the pdsrv Personal Certificate named/labeled - WebSeal-Test-Only. It has Issuer and Subject both set to CN=ISVACONFIG. I am not sure it was configured by default or I added it at some point. My reverse proxy config also has the following entry under [ssl]:

    webseal-cert-keyfile-label = WebSEAL-Test-Only

    I am able to export it out of ISVA as .cer file but not sure where to import it in Firefox - my choices are "Your certificates", People, Servers, and Authorities.  Seems like I get one error or the other when I try to import it into any of these stores in Firefox on Mac.

    Can't seem to get rid of the certificate warnings on the browser either because it's self-signed or Organization/Organization Unit/both are missing - storing exceptions doesn't seem to help.  Also, not sure if the certificate can be recreated in any way and if it has to match with or be issued from the new CA IBMEMM or IAMLAB.IBM.



    ------------------------------
    Narayan Verma
    ------------------------------



  • 7.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Thu December 21, 2023 07:48 PM

    Do yourself a favour and using the LMI in the pdsrv keystore create a new self-signed key with the CN matching the exact fully-qualified hostname that the browser sees when connecting to the WebSEAL. As for importing the server cert into firefox on MacOS - just google it.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 8.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Fri December 22, 2023 02:42 PM

    Did the first part and created a new personal self-signed certificate with Issuer and Subject both set to CN=iamlab.ibm.com to match with runtime browser URL of https://www.iamlab.ibm.com:4000 on the browser side.  Selected this certificate to be used on the WebSeal's SSL tab using SSL Server Certificate as well.  Exported the certificate out of LMI as a .cer file and imported that into MacBook's system and login keychains.  However, the browser warning does not go away.  Same thing is happening on Windows as well even after importing the .cer file as Trusted Root Certificate Authority.



    ------------------------------
    Narayan Verma
    ------------------------------



  • 9.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Tue December 26, 2023 06:36 PM

    Got the browser warning to go away on Mac Safari but the browser still does not prompt for a cert to be sent. Login 302s to https://www.iamlab.ibm.com:4000/pkmscertpromptstagen a bunch of times before it ultimately shows the error message without prompting for a cert.



    ------------------------------
    Narayan Verma
    ------------------------------



  • 10.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Thu December 28, 2023 12:22 PM
    I think I made some progress on this.  I got the Safari, Chrome, and Firefox browsers to prompt for certificate with accept-client-certs = required instead of prompt_as_needed - even though I am now getting prompted for each HTTP request instead of only on the first login, even after login.  However, for prompt_as_needed I understand I need to configure a secondary port.  When I configure a secondary port of 4444 I am seeing that the form action changes to  action="https://www.iamlab.ibm.com:4444/pkmslogin.form".  At this point the "Certificate Login" button refuses to post the form and displays the following error:


    Refused to send form data to 'https://www.iamlab.ibm.com:4444/pkmslogin.form' because it violates the following Content Security Policy directive: "form-action 'self'".

    I believe I need to configure a network-interface in the reverse proxy config but when I try to put in the IP address of my webSEAL runtime as 192.168.1.182 I get the following error:

    Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: 192.168.1.182

    Same thing occurs if I try to use www.iamlab.ibm.com. So, in a way, I am not able to complete the Secondary Port configuration as it relates to the network-interface entry under the [server] section and interface1 under the [interfaces] section as documented on https://www.ibm.com/docs/en/sva/10.0.7?topic=authentication-enabling-certificate#tsk_enbl_cert_authe . Please guide me on how I can configure the IP address for the network-interface in those two places. How can I get the LMI to recognize as a valid IP address?
    Thanks!


    ------------------------------
    Narayan Verma
    ------------------------------



  • 11.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Thu January 04, 2024 04:54 PM

    In a recent version of ISVA the default content-security-policy was set to follow current best practices to the following entry which you can find in your WebSEAL configuration file:

    [acnt-mgt]
    http-rsp-header = content-security-policy:TEXT{default-src 'self'; frame-ancestors 'self'; form-action 'self';}

    For testing you can just comment this line out completely. If you want to set it to something that will allow the secondary port, then take the hostname that you are using in your browser for the WebSEAL server (in my example below this was www.myidp.ibm.com), and set it like this:

    [acnt-mgt]
    http-rsp-header = content-security-policy:TEXT{default-src 'self'; frame-ancestors 'self'; form-action 'self' www.myidp.ibm.com:*;}

    To use a secondary port for certificate authentication, you do not need to configure any new entry in the network-interface entry of the [server] stanza. Instead just include the entry as documented on the page you shared. That is, in the [interfaces] stanza put something like:

    [interfaces]
    interface1 = network-interface=192.168.1.124;https-port=444;certificate-label=myidp;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

    The IP address should typically match that which you already have in the [server] network-interface entry.

    The certificate-label should typically match that which you already have in the [ssl] webseal-cert-keyfile-label entry.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
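    To see why the default header blocks the secondary port and the relaxed one allows it, here is an added example, not code from this thread or from ISVA, that applies the form-action matching rules a browser uses to the two `content-security-policy` values above. `'self'` is the page's own scheme, host and port, so a form posting from port 4000 to port 4444 of the same host is a different origin and is refused; `www.iamlab.ibm.com:*` is a host-source with a wildcard port. The page URL and form-action URLs are assumptions modelled on the thread.

```python
"""Minimal CSP form-action evaluator (added example). Handles 'self', 'none'
and host-source expressions such as host, host:port, host:* and scheme://host;
enough to reason about the form-action directive shown in the thread."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}
Origin = Tuple[str, str, Optional[int]]  # (scheme, host, port)


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """'default-src a; form-action b c;' -> {'default-src': ['a'], 'form-action': ['b', 'c']}"""
    policy: Dict[str, List[str]] = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url: str) -> Origin:
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def host_source_matches(source: str, target: Origin) -> bool:
    """Match one CSP host-source expression against a target origin."""
    scheme, host, port = target
    src_scheme: Optional[str] = None
    rest = source
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
    rest = rest.split("/", 1)[0]            # ignore any path-part for this example
    src_host, _, src_port = rest.partition(":")
    src_host = src_host.lower()
    if src_scheme and src_scheme.lower() != scheme:
        return False
    if src_host.startswith("*."):           # wildcard subdomain
        if not host.endswith(src_host[1:]):
            return False
    elif src_host != host:
        return False
    if src_port == "":                      # no port given: default port of the scheme only
        return port == DEFAULT_PORTS.get(src_scheme or scheme)
    if src_port == "*":                     # any port, the case used in the thread
        return True
    return src_port.isdigit() and int(src_port) == port


def form_action_allowed(csp_header: str, page_url: str, action_url: str) -> bool:
    """Would a browser let a form on page_url submit to action_url under this CSP?"""
    sources = parse_csp(csp_header).get("form-action")
    if sources is None:
        return True                         # form-action does not fall back to default-src
    target = origin_of(action_url)
    for source in sources:
        if source == "'self'":
            if origin_of(page_url) == target:
                return True
        elif source == "'none'":
            continue
        elif host_source_matches(source, target):
            return True
    return False


# Constructed values modelled on the thread: page served from the primary port,
# certificate login form posting to the secondary port.
PAGE_URL = "https://www.iamlab.ibm.com:4000/pkmscertpromptstagen"
SECONDARY_ACTION = "https://www.iamlab.ibm.com:4444/pkmslogin.form"
DEFAULT_CSP = "default-src 'self'; frame-ancestors 'self'; form-action 'self';"
RELAXED_CSP = "default-src 'self'; frame-ancestors 'self'; form-action 'self' www.iamlab.ibm.com:*;"

if __name__ == "__main__":
    print("default policy :", form_action_allowed(DEFAULT_CSP, PAGE_URL, SECONDARY_ACTION))
    print("relaxed policy :", form_action_allowed(RELAXED_CSP, PAGE_URL, SECONDARY_ACTION))
```

    The relaxed policy still rejects a post to any other host, which is the property worth keeping when you loosen `form-action` instead of commenting the header out.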



  • 12.  RE: Browser not supplying a certificate for cert based authentication.

    Posted Thu January 04, 2024 05:59 PM
    1. With Accept Client Certificate = Required I get prompted for certificate as soon as I access https://www.iamlab.ibm.com:4000/ and I get authenticated.
    2. With Accept Client Certificate = Prompt as needed and with the http-rsp-header completely removed and with secondary port in proxy properties/Authentication tab blanked out I get the earlier error at https://www.iamlab.ibm.com:4000/pkmscertpromptstagen as below when I click on Certificate Login button instead of getting prompted. An attempt to authenticate with a client certificate failed. A valid client certificate is required to make this connection.
    3. When I try to add the secondary port I do the following:
    • Add as 4444 as the secondary port in the LMI
    • Comment the network-interface under the [server] stanza
    • keep the http-rsp-header as http-rsp-header = content-security-policy:TEXT{default-src 'self'; frame-ancestors 'self'; form-action 'self' www.iamlab.ibm.com:*;}
    • Add the following under the [interfaces] stanza: interface1 = network-interface=192.168.1.182;https-port=4444;certificate-label=iamlab.ibm.com;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

    On the last step LMI rejects my save with the below error:

    Error: DPWAP0073E An IP address which is not valid was located in the supplied entry: network-interface=192.168.1.182;https-port=4444;certificate-label=iamlab.ibm.com;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

    Somehow it doesn't like the IP address 192.168.1.182 and I am unable to complete a full cycle of secondary port configuration. Is there a way to white-list this IP address or get it saved in the configuration through LMI or outside of LMI? Maybe I am missing some other configuration steps which are forcing this behavior.



    ------------------------------
    Narayan Verma
    ------------------------------



  • 13.  RE: Browser not supplying a certificate for cert based authentication.
    Best Answer

    Posted Fri January 05, 2024 04:13 PM
    Edited by Narayan Verma Fri January 05, 2024 04:20 PM

    For completeness, this was investigated and I'm writing down the findings here for anyone reading this thread later.

    The deployment was on containers, which varies slightly from what happens on the appliance. In container-based deployments you do not specify IP addresses for interfaces that the WRP listens on. There is, for example, no [server] network-interface entry.

    Instead, when specifying the secondary port interface in the [interfaces] stanza, an entry like this worked successfully:

    [interfaces]
    interface1 = network-interface=0.0.0.0;https-port=9444;certificate-label=www.myidp.ibm.com;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes

    Additionally there was a problem with macro replacement of the %SECONDARY_BASE% macro in both certlogin.html and stepuplogin.html. On appliance based deployments this is filled in with the full URL to the secondary port, such as https://www.myidp.ibm.com:444. On the containers I saw it being replaced with the empty string, leaving the FORM action for certificate login as just "/pkmslogin.form" which is incorrect. The workaround is to not use the macro at all, but instead manually edit those files and replace the form action with the correct URL showing the secondary port. On my container-based deployment that was "https://www.myidp.ibm.com:30444/pkmslogin.form". The development team will investigate this issue.

    Finally, because in container-based deployments you need to declare exposed ports, the runtime command for launching the container will need to be updated to reflect the additionally listening endpoint. How this is done will depend on whether you are using docker, docker-compose, kubernetes, etc. In my example environment I was using kubernetes and had to add an additional Service entry for the secondary port to be accessible by browsers.  In my example above I exposed container port 9444 (the second port defined in the webseal config file) as NodePort 30444 (which is what the browser uses, and what I updated certlogin.html and stepuplogin.html to include).

    Having made those updates, using prompt_as_needed for certificate authentication (either primary login or step-up) works as expected.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
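    The findings above amount to a checklist for the [interfaces] entry and for the form action that has to be hard-coded in certlogin.html and stepuplogin.html. The following is an added example, not part of the thread and not ISVA's own validation logic: it parses the `key=value;key=value` entry, flags the problems the thread ran into (a host name or a specific address where a container deployment needs 0.0.0.0, a missing `use-secondary-listener=yes`, an unknown `accept-client-certs` value) and derives the external form-action URL from the container port and the exposed port. Treating 0.0.0.0 as the only acceptable address for containers is an assumption taken from the thread's outcome, and the port mapping 9444 to 30444 is the poster's example, not a general rule.

```python
"""Pre-check a WebSEAL [interfaces] secondary-port entry and derive the
certificate-login form action for it. Added example with assumptions taken
from the thread; not the product's own validation."""
import ipaddress
from typing import Dict, List, Optional

REQUIRED_KEYS = ("network-interface", "https-port", "certificate-label")
# Values the accept-client-certs key is documented to take (assumed complete here).
ACCEPT_CLIENT_CERT_VALUES = ("never", "optional", "required", "prompt_as_needed")


def parse_interface_entry(entry: str) -> Dict[str, str]:
    """'a=1;b=2' -> {'a': '1', 'b': '2'}; raises ValueError on a malformed item."""
    fields: Dict[str, str] = {}
    for item in entry.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed item {item!r} (expected key=value)")
        key, value = item.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def validate_interface_entry(entry: str, container_deployment: bool) -> List[str]:
    """Return a list of problems; an empty list means the entry looks usable."""
    fields = parse_interface_entry(entry)
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in fields:
            problems.append(f"missing {key}")

    address = fields.get("network-interface")
    if address is not None:
        try:
            parsed = ipaddress.ip_address(address)
        except ValueError:
            # Host names are not accepted; the thread saw DPWAP0073E for them.
            problems.append(f"network-interface {address!r} is not an IP address")
        else:
            if container_deployment and not parsed.is_unspecified:
                # Assumption from the thread: containers assign no interface
                # addresses, so only the wildcard 0.0.0.0 was accepted.
                problems.append("container deployment: use network-interface=0.0.0.0")

    port = fields.get("https-port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"https-port {port!r} is not a valid TCP port")

    accept = fields.get("accept-client-certs")
    if accept is not None and accept not in ACCEPT_CLIENT_CERT_VALUES:
        problems.append(f"accept-client-certs {accept!r} is not one of {ACCEPT_CLIENT_CERT_VALUES}")

    if fields.get("use-secondary-listener") != "yes":
        problems.append("use-secondary-listener=yes is required for a secondary certificate port")
    return problems


def certificate_login_action(entry: str, external_host: str,
                             port_map: Optional[Dict[int, int]] = None) -> str:
    """URL to put in the certlogin.html / stepuplogin.html form action.

    port_map translates the port the container listens on into the port the
    browser reaches (e.g. {9444: 30444} for a Kubernetes NodePort); on an
    appliance the two are the same and port_map can be omitted."""
    fields = parse_interface_entry(entry)
    listening_port = int(fields["https-port"])
    external_port = (port_map or {}).get(listening_port, listening_port)
    return f"https://{external_host}:{external_port}/pkmslogin.form"


# The entries from the thread (container and appliance variants).
CONTAINER_ENTRY = ("network-interface=0.0.0.0;https-port=9444;certificate-label=www.myidp.ibm.com;"
                   "accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes")
APPLIANCE_ENTRY = ("network-interface=192.168.1.124;https-port=444;certificate-label=myidp;"
                   "accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes")

if __name__ == "__main__":
    print("container :", validate_interface_entry(CONTAINER_ENTRY, container_deployment=True))
    print("appliance :", validate_interface_entry(APPLIANCE_ENTRY, container_deployment=False))
    print("form action:", certificate_login_action(CONTAINER_ENTRY, "www.myidp.ibm.com", {9444: 30444}))
```

    The same entry validates cleanly for an appliance and is flagged for a container, which is the distinction the thread took several posts to uncover; keeping the port map next to the entry also makes it obvious when the hard-coded form action and the exposed Service port drift apart.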