Symantec Access Management

  • 1.  Java SDK certificate format

    Posted Sep 27, 2017 03:05 PM

    In a custom authentication scheme that implements an x509 scheme with the java sdk, what format is the certificate returned in from theUserCredentialsContext.getCertAsBinary()?

    I've tried converting this to a certificate a few ways, only to end up with 0 length or what seems valid but results in a

    java.security.cert.CertificateException: Could not parse certificate:

    java.io.IOException: Empty input

     

    Everything works if I pass the functions certs, but when getting a cert through Single Sign On, it fails.  I don't see any other function that looks like it returns the cert in any form, so it seems like that must be the right call to get it...

     

    It's possible that I'm not understanding the references to requiring SMAUTH_CRED_SSL_REQUIRED when you pass SMAUTH_CRED_X509CERT at the beginning of the scheme, but it looks like it's getting some sort of cert and failing to parse it.

     

    I can't find any examples working with certs through this at all.



  • 2.  Re: Java SDK certificate format

    Posted Sep 27, 2017 03:40 PM

    Oh... also is it sending a chain or just the main cert?



  • 3.  Re: Java SDK certificate format

    Posted Sep 27, 2017 05:05 PM

    There are 4 formats pkcs12, pkcs7, dear and pen. It will not be pkcs12, because that is base on password encryption. Pen is just a base 64 encoded version of dear, with start and end tags. I think of pkcs7 more for storing in a keystroke.

    I would dump the hex value to see if it is set (my suspition); or if it is base64 data, indicating pem.



  • 4.  Re: Java SDK certificate format

    Posted Sep 27, 2017 05:16 PM

    Sorry, it is pem not pen and der not dear.



  • 5.  Re: Java SDK certificate format
    Best Answer

    Broadcom Employee
    Posted Sep 27, 2017 07:36 PM
      |   view attached

    Hi, it's a bit old, but here was the X.509 cert sdk example I developed a while ago.

     

    It has the instructions built in. 

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success

    Attachment(s)

    zip
    javaauthapi-cert.zip   181 KB 1 version


  • 6.  Re: Java SDK certificate format

    Broadcom Employee
    Posted Sep 27, 2017 07:41 PM

    Also for debugging custom auth routines, it's good to run the smpolicysrv from the cmd line, so it displays stdout messages, or you can use the following module to redirect stdout/stderr to a file. 

     

    Helping to debug SSO Policy Server java processes - redirecting stdout/stderr to timestamped file. 

     

    Cheers - Mark



  • 7.  Re: Java SDK certificate format

    Posted Sep 28, 2017 10:14 AM

    Is there an attachment on this post I'm overlooking?  NM.  It shows up when clicking from another page to this thread... or you fixed it quickly.  TY.

    This sounds great though.

     

    I'm beginning to suspect I'm not getting a certificate at all, but perhaps random uninitialized junk, and something may be wrong in the initialization or other steps...  The web agent and everything else worked with the built in certificate scheme, so I would think that all of that would be set right, and it does prompt for a cert/pin...

     

    Looking at the file...

    It's ... interesting.  Not a clear conflict... gives me a little to tinker with.

    It does make me think even more that I'm not actually getting the cert - the length is doing... weird things.  Once it had a normal length, but a lot of times it does not, so is clearly not a cert.  I'll have to figure out if it's the initialization or some setting or another... looking into some earlier parts now.

     

    The instructions you've included are great - a lot more than is in the sdk documentation...  it might be in how I was setting the url/ .scc.

     

    All my custom parts are working, so old and simple is just find for troubleshooting this part.

     

    Thanks.