EPM Client cert authentication

If you are planning to use client cert authentication against EPM (http://docs.oracle.com/cd/E17236_01/epm.1112/epm_security_11121/frameset.htm?ch02s13s04.html), there are a few additional elements to consider on top of the documentation:
  •  "SSLVerifyClient require|optional" in Oracle HTTP Server (OHS).
Among other things, this SSL directive uses the trusted certificates in the OHS wallet to filter the client certificates offered in the browser's certificate prompt. That is, if you have client certificates signed by a trusted root that is not in the OHS wallet, these certificates won't show up in the browser prompt for picking a certificate.
  • HYPLOGIN header sent by OHS through the following entry:
RequestHeader set HYPLOGIN "%{SSL_CLIENT_CERT}e"

OHS HYPLOGIN header value turns out to be like this (note the question marks):


When using the Java certificate factory ((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate) to get the DN, you need to remove these unneeded question marks in your CSS custom login class.
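  •  It is good practice to add
 RequestHeader set HYPLOGIN ""

at the top of your VirtualHost, while the HYPLOGIN value is set from SSL_CLIENT_CERT in your Location entry. That way any HYPLOGIN header supplied by the client is overwritten on every request, including requests that do not match the Location.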
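One way to do the question-mark cleanup described above before handing the value to the certificate factory. This is an added example, not code from the original post or from Oracle: the class and method names are hypothetical, and it assumes the stray '?' characters are the only damage to the PEM text. Pass a header value captured from your own OHS instance as the first argument.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

// Hypothetical helper for a CSS custom login class (names are assumptions).
public class HypLoginCert {
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Converts the raw HYPLOGIN header value into DER bytes. */
    static byte[] headerToDer(String header) throws CertificateException {
        if (header == null || header.trim().isEmpty()) {
            // An empty value means no client certificate was forwarded: refuse.
            throw new CertificateException("HYPLOGIN header is empty");
        }
        // '?' is neither in the Base64 alphabet nor in the PEM armor lines,
        // so it can be dropped wherever OHS inserted it.
        String cleaned = header.replace("?", "");
        int start = cleaned.indexOf(BEGIN);
        int end = cleaned.indexOf(END);
        if (start < 0 || end < start) {
            throw new CertificateException("HYPLOGIN is not a PEM certificate");
        }
        String body = cleaned.substring(start + BEGIN.length(), end);
        try {
            // The MIME decoder ignores line breaks and other non-alphabet
            // characters, so the body does not need to be re-wrapped.
            return Base64.getMimeDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            throw new CertificateException("HYPLOGIN body is not valid Base64", e);
        }
    }

    /** Returns the subject DN (RFC 2253 form) of the forwarded certificate. */
    static String subjectDn(String header) throws CertificateException {
        X509Certificate cert = (X509Certificate) CertificateFactory
                .getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(headerToDer(header)));
        return cert.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: HYPLOGIN value captured from your own OHS instance.
        System.out.println(subjectDn(args[0]));
    }
}
```

Decoding the body to DER before calling generateCertificate avoids depending on the PEM line structure, which the header value no longer has.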

