Symantec Access Management


X509_CLIENT_AUTHN_ERROR - Apache 2.4 ()

  • 1.  X509_CLIENT_AUTHN_ERROR - Apache 2.4 ()

    Posted Mar 28, 2023 03:15 AM

    Hi All,

    I am trying to configure SSL-based authentication. Below is my VHOST configuration.

    Server version:

    Siteminder 12.8

    Apache/2.4.37

    Server built: Feb 21 2023 02:57:44 

    OpenSSL 1.1.1k FIPS 25 Mar 2021

    When I access my application with "SSLVerifyClient require" set globally, it works. The problem is that the certificate is validated for every URI (a certificate must be submitted for every URL, and then the login page is displayed).

    I want certificate validation only for "/login/x509"; for the rest of the application (where the user navigates), Apache should not validate the certificate.

    When I set SSLVerifyClient none globally, I get Access forbidden.

    192.168.10.1 - - [28/Mar/2023:12:18:43 +0530] "GET /login/x509/1679986123/smgetcred.scc?TYPE=16777244&REALM=-SM-DEV_APP_AUTHN_CERTONLY%20[12%3a18%3a43%3a139839840191780]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-oGB5JjP2CdzbzVlQMFgyLn1wWmfWrg53ZpP0HyCS8UXxx%2bV%2bx%2f583a7my1YtNRwWiDSX7t%2b2ZeHgWsb2ATJyM%2bKon%2fYVZeq2&TARGET=-SM-HTTPS%3a%2f%2fdev--app%2esmtestsso%2ecom%3a1700%2fsmtestsso%2fcertx509%2fheaders%2ephp HTTP/1.1" 403 17

    Can someone review the configuration below and let me know what I did wrong?

    ```
    Listen 192.168.10.30:1200

    <VirtualHost  192.168.10.30>

    ErrorLog        "|/usr/sbin/rotatelogs /data/logs/apache/conf1/dev-smauth.rp.agridamlabs.com/error.%Y%m%d.log 86400 -l"
    TransferLog     "|/usr/sbin/rotatelogs /data/logs/apache/conf1/dev-smauth.rp.agridamlabs.com/access.%Y%m%d.log 86400 -l"

    SSLEngine on
    SSLVerifyClient none
    #SSLVerifyClient require
    #SSLVerifyClient none
    SSLVerifyDepth 3
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCertificateFile /appl/apache/w3_rp1_apps/certs/sm.crt
    SSLCertificateKeyFile /appl/apache/w3_rp1_apps/certs/sm.key
    SSLCertificateChainFile /appl/apache/w3_rp1_apps/certs/ca-chain.crt
    SSLCACertificateFile /appl/apache/w3_rp1_apps/certs/ca-chain.crt

    RewriteEngine On
    ProxyRequests off
    ProxyPreserveHost on

    ServerName dev-smauth.rp.agridamlabs.com
    DocumentRoot "/data/www/dev-smauth.rp.agridamlabs.com/conf1"

    <Directory "/data/www/dev-smauth.rp.agridamlabs.com/conf1">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
        Require all granted
    </Directory>

    <IfModule dir_module>
        DirectoryIndex index.html
    </IfModule>

    <Location /keepalive>
        Require all granted
    </Location>

    <Directory "/login">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        Require all granted
        SSLVerifyClient none
        SSLVerifyDepth 3
    </Directory>

    <Directory "/login/x509">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        Require all granted
        Require ssl
        Require ssl-verify-client
        SSLRequireSSL
        SSLOptions +FakeBasicAuth +StrictRequire
        #SSLVerifyClient require
        #SSLVerifyDepth 3
        #Require ssl-verify-client
        #SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
    </Directory>

    <Directory "/login/x509opt">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        Require all granted
        SSLVerifyClient optional
        SSLVerifyDepth 3
    </Directory>

    </VirtualHost>
    ```


    ------------------------------
    Regards,
    Gowtham.
    ------------------------------


  • 2.  RE: X509_CLIENT_AUTHN_ERROR - Apache 2.4 ()

    Posted Mar 31, 2023 06:17 AM

    Any help on this?



    ------------------------------
    Regards,
    Gowtham.
    ------------------------------
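
The goal described in the first post, a client certificate demanded only under `/login/x509`, as an added example that is not part of the thread and not SiteMinder's or the poster's own configuration. It reuses the certificate paths, host name and address from the post; putting the port on `<VirtualHost>` and dropping the unrelated directives are assumptions made to keep the sketch short.

```apache
# Added example, not from the thread. Values are copied from the posted vhost.
Listen 192.168.10.30:1200

<VirtualHost 192.168.10.30:1200>
    ServerName dev-smauth.rp.agridamlabs.com

    SSLEngine on
    SSLCertificateFile    /appl/apache/w3_rp1_apps/certs/sm.crt
    SSLCertificateKeyFile /appl/apache/w3_rp1_apps/certs/sm.key
    # CA bundle used to verify client certificates.
    SSLCACertificateFile  /appl/apache/w3_rp1_apps/certs/ca-chain.crt

    # Vhost default: no client certificate is requested during the handshake.
    SSLVerifyClient none

    # <Location> matches the URL path of the request.
    # <Directory "/login/x509"> matches the filesystem path /login/x509,
    # not the URL, so directives placed there do not apply to requests
    # that are not served from that directory on disk.
    <Location "/login/x509">
        # Ask for the certificate only when this URL prefix is requested.
        SSLVerifyClient require
        SSLVerifyDepth  3

        # Bare Require lines in one section are OR-ed (implicit RequireAny),
        # so "Require all granted" next to "Require ssl-verify-client" lets
        # every request through. RequireAll makes both conditions mandatory.
        <RequireAll>
            Require ssl
            Require ssl-verify-client
        </RequireAll>

        # Taken from the poster's commented-out line. Whether the SiteMinder
        # agent needs these variables is an assumption.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
</VirtualHost>
```

Per-location `SSLVerifyClient` relies on TLS renegotiation, which TLS 1.3 replaces with post-handshake authentication that the client must support. The 403 in the posted access log may also be returned by the SiteMinder agent rather than by Apache, which this sketch does not address.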