Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Smart card authentication does not work in Eclipse, working in web client.

Questions
Tags
Users
Badges
Mathias Hermansson
(43166) edited
Jan 28 '14, 7:19 a.m.
We have successfully configured WebSphere to allow single sign-on through smart card authentication, and users can login using a regular web browser when their smart card is inserted in the smart card reader.

Unfortunately when using any of the Eclipse (RTC, RAD, RSA) clients, user authenticaton does not work. We have followed the steps outlined in "Connecting to repositories and project areas" and enabled the IBM Common Access Card (CAC) provider.

How do we debug this issue? Anybody had success configuring the Eclipse clients in this way?

Server OS: RHEL 6.4 64-bit
AS: Websphere AS 8.0.0.6
DB: Oracle 11g 11.2.0.2.0
RTC/JTS: 4.0.4

Client OS: Windows 7 Enterprise 64-bit.
RAD: 9.0.0
RTC: 4.0.4

1

0 votes

Comments
Krzysztof Kaźmierczyk
Jan 28 '14, 6:34 a.m.

Hi Mathias,
Let us start with following data:
1. show us print screen with error message
2. Please provide what error message (with stack trace) you see in <your-workspace>/.metadata/.log file on your client
3. Do you have any proxy or firewall between clients and server?

Mathias Hermansson
Jan 28 '14, 6:58 a.m.
Hi Krzysztof,

  1. When trying to add a repository connection a insert smart card windows pops up. Clicking cancel six times allows us to select smart card and the correct user ID is shown in the certificate selection box. But that certificate is never used for authentication, and if we continue the process the insert smart card windows pops up again indefinitely. 
      Smartcard error message
    Certificate selection

    1. How do I enable stack trace for the Eclipse Client? I guess there should be something added to the eclipse.ini?

  2. Not between the client and the server, but for external access (say RSS feeds etc) a proxy is needed.

Mathias Hermansson
Feb 03 '14, 5:12 a.m.

A small update.


I followed the instructions outlined in Installing the RAM Eclipse Client to export the certificates into a keystore using keytool.exe.

The same insert smart card window pops up, and after clicking cancel six times the following error message is shown:
C:\IBM\RTC>jdk\jre\bin\keytool.exe -genkey -keystore rtc.keystore -storepass ibmrtc
keytool error (likely untranslated): java.security.NoSuchAlgorithmException: KeyPairGenerator DSA implementation not found
Maybe that information can help resolve this issue.

2 answers
11,216 views
0 votes

2 answers

Permanent link
Kot T.
JAZZ DEVELOPER (1.5k11319) Jan 29 '14, 1:03 p.m.

In the install-directory \TeamConcert\jdk\jre\lib\security\java.security file, is your keystore.type set to Windows-MY?

   ==>  keystore.type=Windows-MY

What version of java are you running? To verify, you can see details in your Eclipse client -> Help -> About Rational Team Concert -> Installation Details.

java.runtime.version=pwa6460sr13fp1-20130325_01 (SR13 FP1)
java.vendor=IBM Corporation
java.version=1.6.0
java.vm.info=JRE 1.6.0 IBM J9 2.4 Windows 7 amd64-64 jvmwa6460sr13-20130114_134867 (JIT enabled, AOT enabled)

Version 1.6 SR12+ and any v1.7 are required.

0 votes

Comments
Mathias Hermansson
Jan 30 '14, 8:04 a.m.

keystore.type was not set to Windows-MY. Changing it did not make a difference.


java.runtime.version=pwi3260sr13fp2-20130424_01 (SR13 FP2)
java.vendor=IBM Corporation
java.version=1.6.0
java.vm.info=JRE 1.6.0 IBM J9 2.4 Windows 7 x86-32 jvmwi3260sr13fp2-20130423_146146 (JIT enabled, AOT enabled)

Permanent link
Nate Decker
(37814761) Jul 17 '14, 9:34 a.m.
Was there ever a solution for this thread? We have the same issue in our organization.

0 votes

Comments
Mathias Hermansson
Jul 17 '14, 9:52 a.m.

Hi,

Yes. In short, there is a flaw in how Java selects certificates when there are multiple certificates available with the same common name, it just chooses the first available one, without checking the extended usage attribute of that certificate. The only fix available is to gives the certificates aliases (or at least the one with Smart Card Logon set as the extended usage attribute), and select that one in the client.

The keystore should be set to jks and not to Windows-MY, that was a documentation error.

That was the solution we used.

Other possible solutions would be:

  • auth-method is not set to CLIENT-CERT in web.xml's login-info.
  • More than one login-info exists in web.xml.
  • The certificate_filter in WAS is not configured correctly (eg sAMAccountName if AD).
  • QoP settings had not been updated from None to Supported for client authentication.

Article 606 is a good start for the WAS parts.

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 6,126
× 58
× 18
× 8
× 1

Question asked: Jan 28 '14, 5:49 a.m.

Question was seen: 11,216 times

Last updated: Jul 17 '14, 9:52 a.m.

Confirmation Cancel Confirm