E.9 Authentication Issues

E.9.1 Anonymous Authentication Issues


Challenge Redirect URL can be NULL; however, Challenge Method cannot be NULL.

If you open the Anonymous authentication scheme to edit, and click Apply without adding a value for Challenge method, the following errors might appear:

Messages for this page are listed below. 

* Challenge Method You must make at least one selection. 
* Challenge Redirect You must enter a value. 


You must include both a challenge method and a challenge redirect whenever you edit an anonymous authentication scheme.

E.9.2 X.509Scheme and SSL Handshake Issues

The Access Manager X.509 Authentication Scheme relies on SSL to deliver the user's X.509 certificate to the OAM Server. The X.509 Authentication Scheme requires the X.509Plugin as the value of the Challenge Method (not the Authentication Module).


User has selected his certificate in the Browser but the Certificate is not available to the OAM Server.


The specific solution will depend on the reason for the SSL Handshake failure. For instance:

Determine the reason for the SSL Handshake failure and the peer that is terminating the SSL Handshake. The solution will fall into the following categories:

E.9.2.1 Configuration Issues

If you are encountering problems establishing a SSL connection with the default WebLogic server SSL implementation, switch to using the JSSE SSL implementation which is supported with WLS 10.3.3+.

The following list identifies other possible configuration issues.

  • OHS plugin is incorrectly configured and not sending the user certificate to the WebLogic server.

  • Cipher suites: As configured, are not compatible with the user certificate.

  • Smart cards: The browser is not communicating with the smart card reader.

  • PKCS#11 (or hardware cryptography): Ensure that the devices are in working order.

E.9.2.2 Trust Issues

The server name within the certificate does not match the host name. This check can be disabled through configuration.

The server does not contain a CA certificate on the user certificate path in its trust store.

E.9.2.3 Certificate Validation Issues

The following list identifies possible configuration issues.

  • Certificate has expired.

  • Certificate has been revoked.

  • Certificate validation is not working because this is incorrectly configured or there are connectivity issues.

E.9.3 X.509 Protected Resource and Single Sign Off


Single Sign Off might not work after accessing the resource with X.509 authentication. When the user is logged out with the logout URL and tries to access the resource in the same browser, authentication might not occur. Instead, the user should be asked for authentication using the certificate pop up.

This can occur with any Agent type.


After executing the logout URL, click on Clear SSL State from the browser as follows, and the access the X.509-protected resource:

From the browser window, open the Tools menu, click Internet Options, choose Content, and then Clear SSL state.

E.9.4 X509CredentialExtractor Certificate Validation Error


Client certificate authentication works fine using the standard X509 Authentication Module after importing the root and sub CA certificates into the WebLogic Server and .oamkeystore keystores.

However, a certificate validation error can occur when using a Custom X509Plugin Authentication Module and root and sub CA certificates into the WebLogic Server and .oamkeystore keystores.


With the Custom X509Plugin Authentication Module the root and sub CA certificates must be added to the DOMAIN_HOME/config/fmwconfig/amtruststore because the X509CredentialExtractor plug-in loads certificates from this location.