Sun Identity Manager 8.1 Business Administrator's Guide

Diagnosing Problems

Problems authenticating with X509 certificates are reported as error messages on the login form.

For more complete diagnostics, enable trace on the Identity Manager server for these classes and levels:

If the client certificate attribute in the HTTP request is named something other than javax.servlet.request.X509Certificate, you will receive a message that this attribute cannot be found in the HTTP request.

Procedure: To Correct a Client Certificate Attribute Name in an HTTP Request

  1. Enable trace for SessionFactory to see the complete list of HTTP attributes and determine the name of the X509 Certificate.

  2. Use the Identity Manager debug facility (see The Identity Manager Debug Page) to edit the LoginConfig object.

  3. Change the name of the <AuthnProperty> in the <LoginConfigEntry> for the Identity Manager X509 Certificate Login Module to the correct name.

  4. Save, and then retry.

    You may also need to remove and then re-add the Identity Manager X509 Certificate Login Module in the login application.
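As a cross-check for step 1, the following added example (not Identity Manager code) finds which request attribute actually carries the client certificate chain and compares it with the configured name. The class name, method names and the sample attribute `example.container.ClientCert` are hypothetical; the sample request attributes are constructed.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.function.Function;

/** Added diagnostic example; CertAttributeCheck and its method names are hypothetical. */
public class CertAttributeCheck {
    // Attribute name defined by the Java Servlet specification.
    static final String STANDARD_NAME = "javax.servlet.request.X509Certificate";

    /** Returns the names of all attributes whose value is a certificate chain (X509Certificate[]). */
    static List<String> findCertAttributes(Collection<String> names, Function<String, Object> getter) {
        List<String> hits = new ArrayList<>();
        for (String name : names) {
            if (getter.apply(name) instanceof X509Certificate[]) {
                hits.add(name);
            }
        }
        Collections.sort(hits);
        return hits;
    }

    /** Explains whether the configured name matches what the container actually supplies. */
    static String diagnose(String configured, List<String> found) {
        if (found.contains(configured)) {
            return "OK: certificate chain found under " + configured;
        }
        if (found.isEmpty()) {
            return "No certificate attribute in request: the connection may not have requested a client certificate";
        }
        return "Mismatch: configured " + configured + " but container uses " + found;
    }

    public static void main(String[] args) {
        // Constructed sample: a container that publishes the chain under a non-standard name.
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("javax.servlet.request.cipher_suite", "TLS_AES_128_GCM_SHA256");
        attrs.put("example.container.ClientCert", new X509Certificate[0]);

        List<String> found = findCertAttributes(attrs.keySet(), attrs::get);
        System.out.println(diagnose(STANDARD_NAME, found));

        // In a servlet or filter (assumes the Servlet API on the classpath):
        //   findCertAttributes(Collections.list(request.getAttributeNames()), request::getAttribute)
    }
}
```

The name reported in the mismatch case is the value to enter in the `<AuthnProperty>` in step 3.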