Friday, April 20, 2007

It Works!

All that fiddling around with certificate authorities was for naught. I was trying to log in with a bad certificate stored in the browser. When I inserted a smartcard everything worked as advertised.

The following four files have to be updated to configure the HTTP server and SSO for client certificates:

  1. ORACLE_HOME\Apache\Apache\conf\ssl.conf
  2. ORACLE_HOME\sso\conf\policy.properties
  3. ORACLE_HOME\sso\conf\sso_apache.conf
  4. ORACLE_HOME\j2ee\OC4J_SECURITY\application-deployments\sso\web\orion-web.xm
That's it - and don't confuse yourself trying to log in with a bad certificate!


Thursday, April 19, 2007

Listing of "SSL call to NZ function nzos_Handshake failed" error codes

Found Oracle Note 244527.1, which explains these weird errors.

I am still trying to configure SSO to accept client-side certificate authentication. I got the HTTP server to work with a wallet issued by the OCA and the Microsoft CA root added as a trusted certificate. SSO is still having issues with it, though. Found these errors in the ssl_engine_log in the Apache logs:

[19/Apr/2007 10:45:23 04240] [error] SSL call to NZ function nzos_Handshake failed with error 28864 (server hw-05-0193.foo.bar.com:4443, client 10.11.13.3)
[19/Apr/2007 10:45:23 04240] [error] SSL IO error [Hint: the client stop the connection unexpectedly]

The 28864 error indicates a graceful exit with no error. But something is still causing the SSL IO error. . .

I think SSO is not recognizing the client certificate's root.

Update: This error is unrelated to my problems (it's caused by something pinging the HTTP_Server, and Oracle says it can be ignored). However, after following instructions found on Metalink to configure SSO to authenticate with client certificates, I am getting a "Certificate-based sign in failed. Please ensure that you have a valid certificate or contact the administrator." error.

It looks like SSO is still not recognizing the Microsoft CA trusted root I added to the wallet.

Looks like it's back to getting the Microsoft CA to issue a server certificate Oracle will play with.
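The ssl_engine_log entries above are easy to mistake for a real certificate problem, so here is an added triage helper (not from the post or from Oracle) that parses lines in the format shown, treats error 28864 as the ignorable client-disconnect noise described in the update, and counts anything else per client address for a closer look. The third sample line and its error code 99999 are constructed placeholders, not a real Oracle error.

```python
import re
from collections import Counter

# Layout of the Oracle HTTP Server ssl_engine_log lines quoted in the post:
# [date time pid] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# The nzos_* failure message, with server:port and client address.
NZOS_RE = re.compile(
    r"SSL call to NZ function (?P<func>\w+) failed with error (?P<code>\d+) "
    r"\(server (?P<server>[\w.\-]+):(?P<port>\d+), client (?P<client>[\d.]+)\)"
)

# 28864: a graceful client disconnect during the handshake (e.g. a monitor
# probing the port). The post notes Oracle says this one can be ignored.
BENIGN_CODES = {"28864"}

def parse_nzos_errors(lines):
    """Return one dict per nzos_* failure line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        n = NZOS_RE.search(m.group("msg"))
        if not n:
            continue
        ev = n.groupdict()
        ev["ts"] = m.group("ts")
        ev["benign"] = ev["code"] in BENIGN_CODES
        events.append(ev)
    return events

def triage(lines):
    """Split handshake failures into ignorable noise and codes worth a look,
    keyed by (client address, error code)."""
    noise, suspect = Counter(), Counter()
    for ev in parse_nzos_errors(lines):
        (noise if ev["benign"] else suspect)[(ev["client"], ev["code"])] += 1
    return {"noise": dict(noise), "suspect": dict(suspect)}

# Sample input: the two lines from the post plus one constructed line whose
# error code 99999 is a placeholder, not a real Oracle error number.
SAMPLE_LOG = [
    "[19/Apr/2007 10:45:23 04240] [error] SSL call to NZ function nzos_Handshake failed with error 28864 (server hw-05-0193.foo.bar.com:4443, client 10.11.13.3)",
    "[19/Apr/2007 10:45:23 04240] [error] SSL IO error [Hint: the client stop the connection unexpectedly]",
    "[19/Apr/2007 10:46:01 04240] [error] SSL call to NZ function nzos_Handshake failed with error 99999 (server hw-05-0193.foo.bar.com:4443, client 10.11.13.7)",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```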

Wednesday, April 18, 2007

SSO and Certificates

Still trying to figure out how to configure SSO to accept a client-side certificate. Took a while to get the Oracle HTTP server to accept them; the key was to create a server wallet with Oracle Certificate Authority and add the Windows Root CA certificate to the wallet as a trusted certificate. Oracle HTTP server now accepts smart card certificates issued from the Windows CA.

Now I just have to get SSO to play nice, too.

Monday, April 16, 2007

Certificates Certificates Certificates

Tried creating an Oracle wallet using a Microsoft Certificate Authority, but kept getting invalid certificate errors when I tried to use them with the Oracle HTTP Server. The Microsoft site gave some guidance that seemed to go in the right direction (had to authenticate to the Microsoft CA web site) but still the wallets wouldn't work. Suspect Oracle was refusing them because the Microsoft CA wasn't recognized, even though it was added as a trusted root to the wallet.

Tried using the Oracle Certificate Authority component too, but having problems getting to the admin pages to download the user cert because the SSO server is configured for HTTPS and the OCA page keeps re-directing to the HTTP page. . .

I have to remember - this is all good training.