EPM Client cert authentication

If you are planning to use client cert authentication against EPM (http://docs.oracle.com/cd/E17236_01/epm.1112/epm_security_11121/frameset.htm?ch02s13s04.html), there are a few additional elements to consider on top of the documentation:
  •  "SSLVerifyClient require|optional" in Oracle HTTP Server (OHS).
Among other things, this SSL directive uses the trusted certificates in the OHS wallet to filter the client certificates offered in the browser's certificate selection prompt. That is, if you have client certificates signed by a trusted root that is not in the OHS wallet, those certificates won't show up in the browser prompt for picking a certificate.
  • HYPLOGIN header sent by OHS through the following entry:
RequestHeader set HYPLOGIN "%{SSL_CLIENT_CERT}e"

OHS HYPLOGIN header value turns out to be like this (note the question marks):

?----BEGIN CERTIFICATE---- MII....
-----BEGIN CERTIFICATE---- ?


When you use the Java certificate factory ((X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate) to get the DN, you need to remove these unneeded question marks in your CSS custom login class before parsing the value.
  •  It is good practice to add
RequestHeader set HYPLOGIN ""

at the top of your VirtualHost, so that any HYPLOGIN value arriving with the request is overwritten, while the SSL_CLIENT_CERT value is set into the header in your Location entry.
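The question-mark cleanup described above can be done as follows. This is an added example, not code from the original post or from Oracle; the class name HyploginCert and the parse helper are hypothetical, Java 8 or later is assumed for java.util.Base64, and wiring it into the CSS custom login class is not shown.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class HyploginCert {

    // Parse the certificate carried in the HYPLOGIN header value.
    // Throws if the value is empty or not a certificate, so the caller can fail closed.
    static X509Certificate parse(String header) throws CertificateException {
        if (header == null || header.trim().isEmpty()) {
            throw new CertificateException("HYPLOGIN is empty: no client certificate was forwarded");
        }
        // Drop the PEM marker text (its dash count may be damaged), then everything
        // that is not base64: the stray '?' characters, spaces and line breaks.
        String body = header
                .replaceAll("-+ *(BEGIN|END) CERTIFICATE *-+", "")
                .replaceAll("[^A-Za-z0-9+/=]", "");
        byte[] der;
        try {
            der = Base64.getDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            throw new CertificateException("HYPLOGIN does not contain valid base64", e);
        }
        // CertificateFactory accepts the raw DER bytes directly.
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java HyploginCert <client-cert.pem>");
            return;
        }
        // Constructed input: mimic the header value shown above by replacing line
        // breaks with spaces and wrapping the PEM text in question marks.
        String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        String header = "?" + pem.trim().replaceAll("\\r?\\n", " ") + " ?";
        X509Certificate cert = parse(header);
        System.out.println(cert.getSubjectX500Principal().getName());
    }
}
```

Run it against a file that contains only the PEM block of a client certificate; it prints the subject DN. An empty HYPLOGIN value, which is what the VirtualHost-level reset produces when no certificate was presented, is rejected with an exception.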


About

A blog focused on Tips & Tricks about Oracle Business Intelligence (OBI), Oracle Exalytics and Oracle Enterprise Performance Management (EPM) products.
[Blog Admin: ahmed awan]