This section provides the following information:
Problem
Challenge Redirect URL can be NULL; however, Challenge Method cannot be NULL.
If you open the Anonymous authentication scheme to edit, and click Apply without adding a value for Challenge method, the following errors might appear:
Messages for this page are listed below. * Challenge Method You must make at least one selection. * Challenge Redirect You must enter a value.
Solution
You must include both a challenge method and a challenge redirect whenever you edit an anonymous authentication scheme.
The Access Manager X.509 Authentication Scheme relies on SSL to deliver the user's X.509 certificate to the OAM Server. The X.509 Authentication Scheme requires the X.509Plugin as the value of the Challenge Method (not the Authentication Module).
Problem
User has selected his certificate in the Browser but the Certificate is not available to the OAM Server.
Solution
The specific solution will depend on the reason for the SSL Handshake failure. For instance:
For debugging SSL connections terminating on the Weblogic Server, please refer to http://docs.oracle.com/cd/E12840_01/wls/docs103/secmanage/ssl.html
For debugging SSL connections terminating on the OHS server, see http://docs.oracle.com/cd/E12839_01/web.1111/e10144/under_mods.htm#i1007687.
Determine the reason for the SSL Handshake failure and the peer that is terminating the SSL Handshake. The solution will fall into the following categories:
If you are encountering problems establishing a SSL connection with the default WebLogic server SSL implementation, switch to using the JSSE SSL implementation which is supported with WLS 10.3.3+.
The following list identifies other possible configuration issues.
OHS plugin is incorrectly configured and not sending the user certificate to the WebLogic server.
Cipher suites: As configured, are not compatible with the user certificate.
Smart cards: The browser is not communicating with the smart card reader.
PKCS#11 (or hardware cryptography): Ensure that the devices are in working order.
The server name within the certificate does not match the host name. This check can be disabled through configuration.
The server does not contain a CA certificate on the user certificate path in its trust store.
Problem
Single Sign Off might not work after accessing the resource with X.509 authentication. When the user is logged out with the logout URL and tries to access the resource in the same browser, authentication might not occur. Instead, the user should be asked for authentication using the certificate pop up.
This can occur with any Agent type.
Solution
After executing the logout URL, click on Clear SSL State from the browser as follows, and the access the X.509-protected resource:
From the browser window, open the Tools menu, click Internet Options, choose Content, and then Clear SSL state.
Problem
Client certificate authentication works fine using the standard X509 Authentication Module after importing the root and sub CA certificates into the WebLogic Server and .oamkeystore keystores.
However, a certificate validation error can occur when using a Custom X509Plugin Authentication Module and root and sub CA certificates into the WebLogic Server and .oamkeystore keystores.
Solution
With the Custom X509Plugin Authentication Module the root and sub CA certificates must be added to the DOMAIN_HOME/config/fmwconfig/amtruststore because the X509CredentialExtractor plug-in loads certificates from this location.