Workaround for iChain Certificate Authentication Bug



By: coolguys

October 4, 2006 12:00 am


Problem

I’ve set up an accelerator with the option “Enable Secure Exchange” checked, because I want to enable SSL communication from the browser to iChain (but plain HTTP from iChain to the protected web server). If I use an LDAP authentication module with login and password, everything works correctly: iChain lets me browse to the public resources of my application, and the iChain login page only appears if I try to browse to some protected resources.

My problem is when I use a mutual certificate authentication profile instead of the LDAP profile. With this configuration, the browser pops up the certificate prompt even when I try to browse my public resource. In fact, it seems that iChain asks me for authentication (using a certificate) even if I’m trying to get public pages! This happens only if I enable the certificate authentication module together with “Enable Secure Exchange”. If I configure the accelerator in plain HTTP (no SSL between the browser and iChain), even with the certificate authentication module everything works as expected, and the browser asks for a certificate only when I try to access protected resources.

Solution

There is a solution from a support case opened against iChain 2.2. It appears to be a bug, and there is no patch yet. Fortunately there is a workaround.

To avoid the prompt for the client certificate on public resources, enable the following options from the iChain console (replace <acc_name> with the name of your accelerator):

set accelerator <acc_name> authentication authovercd = Yes
set accelerator <acc_name> authentication authcddbenabled = Yes
APPLY

Once this has been done, I can access the website without being prompted for a user certificate. The two set commands above enable “Cross Domain Authentication”. In summary, enabling cross-domain authentication solves this problem.

Categories: Access Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
