WebSphere Application Server & Liberty

WAS 9 - Mutual Authentication issue

  • 1.  WAS 9 - Mutual Authentication issue

    Posted Wed April 08, 2020 08:41 PM
    Hi All,

    Need help troubleshooting an issue with SSL certificate authentication.

    The application uses mutual authentication on WebSphere to trust the client, and the client sends a certificate as part of the request invoking a JAX-WS web service. After the mutual authentication, the request is received by the server-side application layer, which needs access to the client certificate passed from the client. The JAX-WS service endpoint code looks for a client certificate object in the HttpServletRequest attribute "javax.servlet.request.X509Certificate" and extracts it for application purposes.

    The set-up works with WAS 8.5 ND without any issue, in production as well, but when running the same application in a WAS 9 stand-alone environment the application receives a null certificate object in the HttpServletRequest attribute "javax.servlet.request.X509Certificate".

    We are not sure whether the certificate is being dropped in the middle by WAS, or whether some WAS setting is missing, making the certificate object null for the application code.


    Let me know if any additional information is required.

    Regards

    ------------------------------
    Ravi Yeduvaka
    ------------------------------


  • 2.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 09, 2020 06:23 AM
    Hi Ravi -- can you observe the client certificate in a packet capture? In my experience the number 1 cause is that the server does not trust the client certificate's issuer. If the client cert is not sent in the handshake at all, you are already in the right spot in the capture to look at the list of CAs being sent from server to client that are acceptable for mutual auth.



    ------------------------------
    Eric Covener
    ------------------------------



  • 3.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 09, 2020 09:00 AM
    Hi all,

    I ran into the exact same problem. What I did find was that in the WAS plugin logs I can find the $WSCC header (containing the certificate) for both WAS9 and WAS85. I cannot find the $WSRU header in the WAS plugin logs for WAS9. During tracing, I cannot find $WSCC and $WSRU information in the WAS9 logging, while this information is available for WAS85. So, I'm also very curious what the solution will be.

    Cheers,

    Jos

    ------------------------------
    Jos Koeken
    ------------------------------



  • 4.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 09, 2020 09:09 AM
    Hi Jos, is your issue possibly the 'known side effect' listed in recent fixpack documents?  While this affects both releases, your 8.5.5 might not be contemporary with your 9.0:

    https://www.ibm.com/support/pages/node/5694825#notice

    If a WebSphere application running behind an HTTP proxy server begins experiencing failures with client certificate based authentication, or if client IP addresses or connection information are reported incorrectly as those of the proxy server, then it might be necessary to configure the "trustedSensitiveHeaderOrigin" custom property. On WebSphere Liberty, "trustedSensitiveHeaderOrigin" is configured as an HttpDispatcher custom property, and on traditional WebSphere the property is configured as an HTTP channel custom property. This property has a default value of "none", and it also accepts a value of "*" (all), or a comma-separated list of IP addresses. For a secure deployment in which proxy servers are used, the "trustedSensitiveHeaderOrigin" property should be configured with a comma-separated list of IP addresses corresponding to those of any WebSphere-aware proxy servers in front of the WebSphere server.

    Instructions to set HttpChannel custom properties in traditional WebSphere are here
    Instructions to set HttpDispatcher custom properties in WebSphere Liberty are here and here

    ------------------------------
    Eric Covener
    ------------------------------



  • 5.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 09, 2020 09:56 AM
    Hi Eric,

    You seem to have hit it... after adding the custom property trustedSensitiveHeaderOrigin it seems to be working again. I didn't expect this, however; our setup is browser - loadbalancer (F5) - IBM HTTP Server - WAS plugin - WebSphere (version 9.0.0.11). I do not consider this a setup that contains a proxy server.

    Thanks a lot!

    Jos Koeken

    ------------------------------
    Jos Koeken
    ------------------------------



  • 6.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 09, 2020 10:04 AM
    I will look into expanding the wording in that section to include "... such as IBM HTTP Server and the WAS WebServer Plug-in...".

    ------------------------------
    Eric Covener
    ------------------------------



  • 7.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 09, 2020 09:01 AM
    Unfortunately I'm not able to offer any help, just wanted to let you know that I experience exactly the same issue. Tracing showed that the $WSCC and $WSRU were present in the WAS 8.5 logging, but these were nowhere to be found in the WAS 9 logging (which could also be a logging issue). Tracing in the WebSphere plugin showed that the $WSCC header was present for WAS9, but $WSRU was not. So I'm very curious what the solution for this issue will be.

    ------------------------------
    Jos Koeken
    ------------------------------



  • 8.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 09, 2020 11:36 PM
    Thank you Eric and Jos for the information.

    We tried the trustedSensitiveHeaderOrigin option but it did not resolve the issue.
    Will share the details shortly.


    ------------------------------
    Ravi Yeduvaka
    ------------------------------



  • 9.  RE: WAS 9 - Mutual Authentication issue

    Posted Wed April 15, 2020 01:15 PM
    Hi Eric and Jos.

    We are yet to find a solution for this.

    I describe the current set-up and what we are trying below. Any help is welcome.

    The HTTPS request is sent from SoapUI 5.5. It has a PKCS12 keystore with a single certificate in it.
    IHS is 9.0.0.0
    WAS is Standalone WebSphere 9.0.0.11

    The IHS's keystore (kdb) has the client's certificate added in it.
    The WAS's truststore also has the client certificate added as a signer. Enabled tracing both at the IHS and WAS side.
    The IHS log is showing the certificate details and allowing it through. The following two lines are from the IHS log; the cert details are masked.
    Peer certificate: DN [CN=xxx,OU=xxx,O=xxx,L=xxx,ST=xx,C=xx], SN [00:9e:45:1e:a1:4d:0b:32:f8], Issuer [CN=xxx,OU=xxx,O=xxx,L=xxx,ST=xx,C=xx]
    mod_authz_core.c(834): AH01628: authorization result: granted (no directives)

    However, the WAS log is not showing the certificate. The Java code that is executed in WAS tries to capture the certificate details from the servlet request as shown below:

        // Attribute is null when no client certificate reached the app server
        x509Cert = (X509Certificate[]) httpSR.getAttribute("javax.servlet.request.X509Certificate");
        // Check the array itself before indexing it, otherwise a null attribute throws NullPointerException
        if (x509Cert == null || x509Cert.length == 0 || x509Cert[0] == null)
        {
            logger.error("Certificate is null etc.");
        -----------
        }

    We are seeing the error line "Certificate is null ...".
    • Tried enabling client authentication as required under Quality of Protection in SSL Configurations in WAS, but to no avail.
    • Also observed that the client certificate has the signature algorithm Sha1WithRSA. Not sure if this is an issue, i.e. if it is mandatory to use the signature algorithm SHA256WithRSA.

    Thanks.

    ------------------------------
    Ravi Yeduvaka
    ------------------------------
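    The following is an added example from the editor, not code posted in this thread or shipped by IBM. It shows a hypothetical JAX-WS endpoint (class name WhoAmIService, method names are assumptions) that reads the "javax.servlet.request.X509Certificate" attribute defensively, so that the three situations discussed above are told apart in the log: the attribute is absent (no client certificate was forwarded to the app server, which is what the thread traces back to a missing trustedSensitiveHeaderOrigin allowlist for the IHS/plug-in tier), the attribute is present but empty, and a certificate is present but outside its validity period. It also logs the signature algorithm, which answers the Sha1WithRSA question without guessing.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

/**
 * Hypothetical JAX-WS endpoint (editor's example, not code from the thread) that reads the
 * client certificate the container exposes on the servlet request.
 */
@WebService
public class WhoAmIService {

    private static final Logger LOG = Logger.getLogger(WhoAmIService.class.getName());

    // Standard Servlet attribute name. The container populates it after a successful TLS client
    // authentication, either on a direct connection or from the $WSCC header forwarded by a
    // plug-in tier that the app server has been configured to trust.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Resource
    private WebServiceContext wsContext;

    @WebMethod
    public String whoAmI() {
        HttpServletRequest req =
            (HttpServletRequest) wsContext.getMessageContext().get(MessageContext.SERVLET_REQUEST);
        return extractClientCert(req)
            .map(cert -> cert.getSubjectX500Principal().getName())
            .orElse("anonymous");
    }

    /**
     * Returns the leaf client certificate, or empty when none is usable. Each failure mode is
     * logged separately so that a troubleshooter can tell a dropped header from an empty chain.
     */
    static Optional<X509Certificate> extractClientCert(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (attr == null) {
            // Nothing was set: either the TLS handshake carried no client certificate, or the
            // certificate reached the web server but the app server did not accept the forwarded
            // connection details because the proxy tier is not allowlisted
            // (trustedSensitiveHeaderOrigin). isSecure() and getRemoteAddr() help tell which.
            LOG.warning("No client certificate on request; secure=" + req.isSecure()
                + " remoteAddr=" + req.getRemoteAddr());
            return Optional.empty();
        }
        if (!(attr instanceof X509Certificate[])) {
            LOG.warning("Unexpected type for " + CERT_ATTR + ": " + attr.getClass().getName());
            return Optional.empty();
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            // Indexing chain[0] without this check is the NullPointerException / out-of-bounds
            // trap in the snippet discussed above.
            LOG.warning("Client certificate attribute present but empty");
            return Optional.empty();
        }
        X509Certificate leaf = chain[0];
        try {
            // The container already validated the chain; re-checking the validity period is cheap
            // and makes an expired certificate explicit in the application log.
            leaf.checkValidity();
        } catch (CertificateException e) {
            LOG.warning("Client certificate outside validity period: " + e.getMessage());
            return Optional.empty();
        }
        // Logging the signature algorithm shows directly whether the client presented
        // SHA1withRSA or SHA256withRSA.
        LOG.info("Client cert subject=" + leaf.getSubjectX500Principal().getName()
            + " issuer=" + leaf.getIssuerX500Principal().getName()
            + " sigAlg=" + leaf.getSigAlgName());
        return Optional.of(leaf);
    }
}
```

    The attribute type and name are standard Servlet API, so the same extraction works on WAS 8.5, WAS 9 and Liberty; what differs between those environments is only whether the container populates the attribute, which is the configuration question the rest of the thread settles.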



  • 10.  RE: WAS 9 - Mutual Authentication issue

    Posted Wed April 15, 2020 05:01 PM
    Edited by Stephanie Wilkerson Thu June 23, 2022 03:57 PM

    Hi Ravi, did you check the trustedSensitiveHeaderOrigin item I shared earlier in the thread with Jos?

    On 9.0.0.11 it is necessary to allowlist your IHS/Plugin tier to pass this information.

    I should also ask -- what kind of proxy is in front of WebSphere? WebSphere uses proprietary headers to communicate this information from a reverse proxy (like IHS and the WAS Plugin) back to the appserver.



    ------------------------------
    Eric Covener
    ------------------------------



  • 11.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 16, 2020 06:30 AM
    My setup is a little different: we use smartcard authentication, so the certificate is being passed on from the browser towards WebSphere. I think you would want to verify if the certificate you expect can be found in each step, with the trustedSensitiveHeaderOrigin property set anyway. You should be able to find the $WSCC entry containing the certificate you expect in the webserver logs, the plugin logs (I expect you use the plugin) and the WebSphere logs with proper tracing turned on.

    ------------------------------
    Jos Koeken
    ------------------------------



  • 12.  RE: WAS 9 - Mutual Authentication issue

    Posted Thu April 16, 2020 01:57 PM
    Hi Eric and Jos.
    Thank you for the recommendation.

    Yes, the trustedSensitiveHeaderOrigin property was the issue. The issue is resolved after setting it to the IP address of the server where IHS is installed.

    Thank you very much for your help!!!!

    Ravi

    ------------------------------
    Ravi Yeduvaka
    ------------------------------