Smart card authentication does not work in Eclipse, working in web client.

Mathias Hermansson (43166) | asked Jan 28 '14, 5:49 a.m.
edited Jan 28 '14, 7:19 a.m. by Krzysztof Kaźmierczyk (7.5k477103)
We have successfully configured WebSphere to allow single sign-on through smart card authentication, and users can login using a regular web browser when their smart card is inserted in the smart card reader.

Unfortunately, when using any of the Eclipse (RTC, RAD, RSA) clients, user authentication does not work. We have followed the steps outlined in "Connecting to repositories and project areas" and enabled the IBM Common Access Card (CAC) provider.

How do we debug this issue? Anybody had success configuring the Eclipse clients in this way?

Server OS: RHEL 6.4 64-bit
AS: Websphere AS
DB: Oracle 11g
RTC/JTS: 4.0.4

Client OS: Windows 7 Enterprise 64-bit.
RAD: 9.0.0
RTC: 4.0.4

Krzysztof Kaźmierczyk commented Jan 28 '14, 6:34 a.m.

Hi Mathias,
Let us start with the following data:
1. Show us a print screen with the error message.
2. Please provide the error message (with stack trace) you see in the <your-workspace>/.metadata/.log file on your client.
3. Do you have any proxy or firewall between clients and server?

Mathias Hermansson commented Jan 28 '14, 6:58 a.m.
Hi Krzysztof,

  1. When trying to add a repository connection, an "insert smart card" window pops up. Clicking cancel six times allows us to select the smart card, and the correct user ID is shown in the certificate selection box. But that certificate is never used for authentication, and if we continue the process the "insert smart card" window pops up again indefinitely.
     [Screenshot: Smartcard error message]
     [Screenshot: Certificate selection]

     1b. How do I enable the stack trace for the Eclipse client? I guess there should be something added to the eclipse.ini?

  2. Not between the client and the server, but for external access (say RSS feeds etc.) a proxy is needed.

Mathias Hermansson commented Feb 03 '14, 5:11 a.m. | edited Feb 03 '14, 5:12 a.m.

A small update.

I followed the instructions outlined in Installing the RAM Eclipse Client to export the certificates into a keystore using keytool.exe.

The same insert smart card window pops up, and after clicking cancel six times the following error message is shown:
C:\IBM\RTC>jdk\jre\bin\keytool.exe -genkey -keystore rtc.keystore -storepass ibmrtc
keytool error (likely untranslated): KeyPairGenerator DSA implementation not found
Maybe that information can help resolve this issue.

2 answers

Kot T. (1.5k11219) | answered Jan 29 '14, 1:03 p.m.

In the install-directory \TeamConcert\jdk\jre\lib\security\ file, is your keystore.type set to Windows-MY?

   ==>  keystore.type=Windows-MY

What version of java are you running? To verify, you can see details in your Eclipse client -> Help -> About Rational Team Concert -> Installation Details.

java.runtime.version=pwa6460sr13fp1-20130325_01 (SR13 FP1)
java.vendor=IBM Corporation
java.version=1.6.0 1.6.0 IBM J9 2.4 Windows 7 amd64-64 jvmwa6460sr13-20130114_134867 (JIT enabled, AOT enabled)

Version 1.6 SR12+ and any v1.7 are required.

Mathias Hermansson commented Jan 30 '14, 8:04 a.m.

keystore.type was not set to Windows-MY. Changing it did not make a difference.

java.runtime.version=pwi3260sr13fp2-20130424_01 (SR13 FP2)
java.vendor=IBM Corporation
java.version=1.6.0 1.6.0 IBM J9 2.4 Windows 7 x86-32 jvmwi3260sr13fp2-20130423_146146 (JIT enabled, AOT enabled)

Nate Decker (37814561) | answered Jul 17 '14, 9:34 a.m.
Was there ever a solution for this thread? We have the same issue in our organization.

Mathias Hermansson commented Jul 17 '14, 9:52 a.m.


Yes. In short, there is a flaw in how Java selects certificates when there are multiple certificates available with the same common name: it just chooses the first available one, without checking the extended usage attribute of that certificate. The only fix available is to give the certificates aliases (or at least the one with Smart Card Logon set as the extended usage attribute), and select that one in the client.

The keystore should be set to jks and not to Windows-MY, that was a documentation error.

That was the solution we used.

Other possible solutions would be:

  • auth-method is not set to CLIENT-CERT in web.xml's login-info.
  • More than one login-info exists in web.xml.
  • The certificate_filter in WAS is not configured correctly (e.g. sAMAccountName if AD).
  • QoP settings had not been updated from None to Supported for client authentication.

Article 606 is a good start for the WAS parts.
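The comment above describes the client picking the first certificate that matches a common name, without looking at its extended key usage, and working around it by aliasing the certificate that carries Smart Card Logon. The following diagnostic is an added example, not code from the thread or from the RTC/RAD products: it opens a keystore (a JKS file or, assumed to be available through the JDK's Windows certificate store provider, the Windows-MY store), prints every X.509 certificate with its subject and EKU list so duplicated common names become visible, and reports which aliases actually carry the Microsoft Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2). The class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Diagnostic (example code, not part of the product): list the certificates in a
 * keystore and flag those carrying the Microsoft "Smart Card Logon" extended key
 * usage, so an administrator can tell which alias to select in the client when
 * several certificates share the same subject common name.
 */
public class SmartCardLogonCertFinder {

    // OID of the Microsoft "Smart Card Logon" extended key usage.
    static final String SMART_CARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2";

    /** True when the certificate's EKU extension lists Smart Card Logon. */
    static boolean hasSmartCardLogonEku(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        return eku != null && eku.contains(SMART_CARD_LOGON_EKU);
    }

    /** Aliases, in keystore order, whose certificate is usable for smart card logon. */
    static List<String> findSmartCardLogonAliases(KeyStore ks) throws Exception {
        List<String> matches = new ArrayList<String>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && hasSmartCardLogonEku((X509Certificate) c)) {
                matches.add(alias);
            }
        }
        return matches;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: SmartCardLogonCertFinder <keystore-type> [path] [storepass]");
            System.err.println("  e.g. SmartCardLogonCertFinder Windows-MY");
            System.err.println("       SmartCardLogonCertFinder jks rtc.keystore ibmrtc");
            return;
        }
        KeyStore ks = KeyStore.getInstance(args[0]);
        char[] pass = args.length > 2 ? args[2].toCharArray() : null;
        // Windows-MY is backed by the OS certificate store, so it is loaded without a file
        // (assumption: the JDK in use ships a provider for that keystore type).
        InputStream in = args.length > 1 ? new FileInputStream(args[1]) : null;
        try {
            ks.load(in, pass);
        } finally {
            if (in != null) in.close();
        }

        // Print every certificate so duplicated common names are visible at a glance.
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            System.out.println(alias + " | " + cert.getSubjectX500Principal().getName()
                + " | EKU=" + cert.getExtendedKeyUsage()
                + (hasSmartCardLogonEku(cert) ? "  <-- Smart Card Logon" : ""));
        }

        List<String> usable = findSmartCardLogonAliases(ks);
        if (usable.isEmpty()) {
            System.out.println("No certificate with the Smart Card Logon EKU found.");
        } else {
            System.out.println("Select this alias in the client: " + usable.get(0));
        }
    }
}
```

Run it against the same keystore the client is configured with (e.g. `java SmartCardLogonCertFinder jks rtc.keystore ibmrtc`). If two entries print the same subject CN and only one of them is flagged, that is exactly the situation described above: the one that is not flagged (typically an email or authentication-only certificate) is the one a first-match selection would pick.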
