Smart card authentication - user authentication certificate

I am developing an authentication solution for BlackBerry based on cryptographic SIM cards. I managed to create a prototype smart card reader and a smart card driver using the RIM Crypto API. Using these two, I'm able to import a
certificate stored on the SIM card and enable two-factor user authentication that checks the device password and the PIN for the certificate. I can also set up a TLS session using the private keys and certificates stored on the card.

However, when I try to activate the "Certificate authentication" option in the password options panel, I run into a problem. After selecting the certificate and clicking Save, the device asks me to enter the device password and the smart card PIN, which I do. Debugging tells me that the PIN is verified correctly against the card. Subsequently, a 'Smart card access' popup appears, saying that the RIM 'Options' application is attempting to access the card, with the message "the private key will be used to initialize the authentication certificate". When I enter the PIN and click OK, I get: 'Failed to initialize the authentication certificate. Check that the certificate is not on the smart card used for two-factor authentication.'

Can someone tell me why this is? Must the certificate be special in some way (content, key usage restrictions, etc.)? The certificate is obviously present on the card, since there is, for example, a client certificate used for setting up TLS sessions. Also, what does this "initialization" of the certificate actually mean?

Well, I think I'll answer myself, as I managed to solve this problem.

After some debugging I realized that:

  • After the second PIN prompt appears, the signRSA(net.rim.device.api.crypto.RSACryptoSystem, net.rim.device.api.crypto.CryptoTokenPrivateKeyData, byte[], byte[], int, int, java.lang.Object) method of our RSACryptoToken extension is called
  • This method gets a context object (the last parameter), which is a SmartCardSession
  • While processing the sign request (cf. the RIM smart card driver and smart card examples), you must not create another smart card session, but instead reuse the one provided by the framework.

Trying to establish a new smart card session causes the request to block, because sessions are exclusive, i.e. only one can be open at a time.

Tags: BlackBerry Developers

Similar Questions

  • ASA SSLVPN trustpoints certificate authentication

    Hello

    I have an ASA with a few trustpoints set up. How can I allow only the client certificates of one trustpoint in a tunnel-group? I've seen client-side settings such as the connection profile or certificate maps, but they don't stop authentications with the wrong certificate.

    Could I send the client certificate to a RADIUS server, as with dot1x, and check it on the authentication server?

    Hi Marcel,

    First of all, you can use a certificate map on the ASA to bind a new SSL session to the desired connection profile.

    However, as you said, the ASA will validate a certificate issued by a CA (the one whose CA certificate you have in a trustpoint), provided it is indeed valid and the optional CRL check is OK.

    If for some reason you have a scenario where you want to deny SSLVPN access to users who have a valid certificate issued by a given CA, you can use the certificate map to bind these new SSL sessions to a "dead end" connection profile that has the maximum number of sessions set to 0:

    Example config:

    ! First set up the group policy and profile to catch the sessions that should not have access:
    group-policy DeadEnd_GP internal
    group-policy DeadEnd_GP attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ssl-client
    tunnel-group DeadEnd type remote-access
    tunnel-group DeadEnd general-attributes
     default-group-policy DeadEnd_GP
    tunnel-group DeadEnd webvpn-attributes
     authentication certificate

    ! Then define the certificate map criteria, mapping certificates to a 'good' profile:
    crypto ca certificate map mycertmap 10
     issuer-name attr cn eq myIssuer
    crypto ca certificate map mycertmap 20
    ! This entry is a 'catch-all' rule (no criteria, so it matches any certificate).

    ! Finally, define the mapping in the global webvpn section:
    webvpn
     certificate-group-map mycertmap 10 myProfile1
     certificate-group-map mycertmap 20 DeadEnd

    --

    Note that:

    1. With the certificate map configured, your ASA will request client certificates for SSL connections. If you also have AAA-only authenticated profiles, that may be a problem - I'm not sure it will work 100% OK, I would need to test.

    2. If you use ASDM, you will find the certificate map definition under the menu

    Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps

    ===

    Secondly, on the use of RADIUS - it is not possible to send the certificate itself to RADIUS (AFAIK), but you can use RADIUS authorization as an extra step after the certificate validation.

    The ASA will first extract a username from the client certificate subject name - this is configurable, and can even be done in a Lua script.

    A RADIUS Access-Request is sent with the extracted username - so you will probably need the user to exist on the RADIUS server.

    In ASDM, you will find this configuration under the connection profile, in the Advanced > Authorization subsection of the Edit Connection Profile dialog.

    You may be interested in looking at this guide, which explains a use case where this authorization was used to allow only certain users who had a certificate from a national public key infrastructure:

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00808e00ec.shtml

    In step 6, point L, the authorization is configured.

    It's a pretty old guide but it is still valid; you will see that it uses the LOCAL server for authorization, but apart from that it's the same principle.

    ===

    I hope this helps; please let us know.

    Cheers,

    Chris

  • Dot1x plus certificate authentication in ISE

    Hi all

    Can someone help me configure Dot1x plus certificate authentication in the ISE box? We have the ISE 3315 with version 1.1.1 to configure certificate based authentication. The idea behind it is that we want to restrict access for devices that do not belong to the company; employees' personal devices must be restricted if they try to connect to the corporate network.

    How can we configure dot1x plus certificate based authentication in the Cisco ISE box?

    Can someone help me out with this kind of problem?

    Thank you

    Pranav

    Pranav,

    Here are the steps for enabling / verifying whether machine authentication is enabled on the Win7 clients:

    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/thread/5e1bbaa4-9dad-40DA-8e53-a7d67e17c20b/

    Also, here are the steps for configuring the cache timer for machine access restrictions in ISE:

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_man_id_stores.html#wpxref37158

    Here is some information on how ISE applies machine access restrictions:

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_authz_polprfls.html#wp1116684

    In your authorization policy for domain users, you need to add the condition "Was machine authenticated" and set its value to true.

    Tarik Admani
    *Please rate helpful posts*

  • OSB: [Security:090302] Authentication failed: user... Jim

    Hi all

    I'm trying to set up my OSB so I can protect a web service using certificates.

    The problem is that when I add the security policies to my proxy service, I get the following error when testing the proxy service (through the sbconsole):

    Failed to derive the subject token. javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User Company - Cert Test javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User Company - Cert Test denied

    I used a few other posts in this forum to set up my WLS and OSB. For example "How to call an https service from OSB" and "How to get the cert CN into the principal of the EJB SessionContext?"

    This means that I have set up the keystores, SSL, DefaultAuthenticator, DefaultIdentityAsserter, enabled X.509, set up the providers, etc.

    My keystore contains 2 sets of public and private keys and therefore should also be OK.

    Has anyone else had the same error after configuring their WLS and OSB servers?

    Thank you

    William

    Have you configured the Default User Name Mapper in the Default Identity Asserter to use the certificate CN as the mapped user? [Company - Cert Test is the CN in the certificate.] You will also need to create a WebLogic user with the same name as the mapped certificate attribute... Check whether you have done the steps as shown here:
    Re: How the proxy service can get the client certificate in Oracle Service Bus

  • I currently have a batch file. I need to enable user authentication for it... Please tell me how I can do this?

    The batch file internally calls a few .jar files... the requirement is that I need to restrict who can use this batch file.
    I can either store the user name and password in a separate file or...
    Please advise... Thanks in advance.

    Hi Alexander,

    Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited to the TechNet IT Pro audience. Please ask your question in the following forum.

    Windows XP IT Pro category

  • Is it possible to do machine and user authentication in the same authorization profile?

    Hello

    I want to know whether it is possible to have machine authentication and user authentication happen at the same time? Something like this...

    Condition

    IF (Wired_802.1X AND AD:ExternalGroup EQUALS computer_domain_group AND AD:ExternalGroup EQUALS Some_domain_user_group)

    Authorization

    then VLAN x

    Basically, I just want to check that the machine is in the domain and the user is valid, and only then should he be able to have full access.

    Any help will be greatly appreciated.

    Hello

    IF (Wired_802.1X AND AD:ExternalGroup EQUALS computer_domain_group AND AD:ExternalGroup EQUALS Some_domain_user_group)

    - Not possible

    As user authentication and machine authentication occur in different contexts.

    ACS cannot check them both at the same time.

    With the help of MAR, however, you can club them together and achieve:

    "the machine is part of the domain and the user is valid, and only then should he be able to have full access"

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978

    Tips for MAR configuration:

    (1) Set the client to authenticate user or computer.

    (2) Create two rules in the authorization policy, one for the user and the other for the machine (identify them using AD group membership).

    (3) Enable MAR on the AD page of the ACS configuration and set the aging time.

    (4) In the user rule, customize and use the condition "Was machine authenticated" with the value false.

    Rate if useful

  • Windows 7 slow login / user authentication delay, wireless via ACS 5.8

    Just set up a new ACS 5.8 farm (only 2 servers) here, and I hope someone can shed some light on the difficulties I'm having.

    The new ACS server is set up to correctly authenticate network device administration, and I am currently working on defining the profiles for our wireless user and corporate laptop authentication.

    Being new to this version of ACS (we will migrate manually from ACS 4), I followed an excellent example of this task described in a video on this site: http://www.labminutes.com/sec0044_ise_1_1_wireless_dot1x_machine_auth_peap

    I managed to get a Windows XP SP3 client to authenticate properly, first with computer authentication, then user authentication... and the domain logon process takes place in a short period of time (< 1 min) and the user gets all their network drives via the domain login script.

    However, I'm struggling to get our Windows 7 clients to authenticate properly. It seems that the machine authentication does not work as expected (I can ping the test laptop from another machine on the network while the test machine is sitting at the login screen, and I see the host authentication recorded in the ACS RADIUS authentication logs). But when a domain user logs in with his credentials, the logon process takes 4-5 minutes before a user authentication event is entered in the ACS RADIUS authentication log, after which the login process completes, except that the domain logon script does not run and the user does not receive the drive mappings.

    Can someone point me in the right direction here? I would be grateful for any input on this.

    Thanks in advance,

    John

    I had a similar problem with wireless 802.1X Win 7 clients unable to connect unless they had cached AD credentials. The machine would authenticate, but the user would take a long time unless the Windows credentials had been cached.

    I could solve the problem by expanding the Airespace ACL used during user authentication to include all DCs in the environment.

  • TWO_TASK setting prevents an OS-authenticated user from connecting to the DB

    Hi all
    I am facing a problem while connecting to the database as an OS-authenticated user.
    I am installing an application that first sets the TWO_TASK parameter to the name of the database (e.g. TWO_TASK=DMDB, where DMDB is also the ORACLE_SID) and then attempts to connect to the database with a user (say appuser) which is externally authenticated by the operating system.
    But the connection fails with an error:

    *****
    ERROR:
    ORA-01017: invalid username/password; logon denied


    SP2-0751: Unable to connect to Oracle. Exiting SQL*Plus

    ******

    I'm working on SunOS and the Oracle DB is 9iR2.

    Also note that other authenticated users are still able to connect.
    This user (appuser) is created by the application itself as an external user and therefore cannot be changed. And in this scenario, the TWO_TASK variable cannot be unset.

    Please help. Thanks in advance...


    Also, please suggest whether I need to configure sqlnet.ora (I haven't yet)?

    REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE


    Kind regards
    Saket BB

    This parameter must be set to TRUE if you want SQL*Net connections (TWO_TASK is a SQL*Net connection) to be authenticated by the remote host.

    Oracle recommends NOT using it, as it is a security hole.
    (You can think of ways to exploit it!)

    See
    http://download.Oracle.com/docs/CD/B10501_01/server.920/a96536/ch1178.htm#REFRN10185

    This shows why it should normally be set to FALSE:
    http://download.Oracle.com/docs/CD/B10501_01/network.920/a96573/asoauth.htm#1005059

  • What do smart card slots look like? What are the differences between smart card slots and ExpressCard slots?

    Hi Smitty,

    Yes, so ExpressCard is an interface that has a USB port through which I can plug in external devices to attach them to my computer, right? I did a search on Google but could not find a photo of a smart card slot. I need a picture to get an idea of what a smart card slot looks like.

    Next time try BING...

    http://tinyurl.com/95rgwxw
    http://tinyurl.com/9plc7zt

    http://tinyurl.com/8h96qsr

    Scroll to the left-side view (image 5)

    http://support.Dell.com/support/eDOCS/systems/latd610/en/ug_en/about.htm

  • AnyConnect: user-based certificate authentication filtering configuration

    Hello networking colleagues.

    Recently I needed to configure AnyConnect SSL VPN with certificate authentication to meet the connect-on-demand requirements of the Cisco Jabber features.

    Everything is OK, but I need to filter users based on their personal certificate information. For example - everyone who has a personal certificate from our CA can currently access this VPN. I want to define the users by the e-mail address in the certificate, so that only these users are granted access.

    I used this config:

    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
     certificate-group-map Cert-Filter 10 Company-Jabber
    crypto ca certificate map Cert-Filter 10
     subject-name attr ea eq [email protected]

    The problem is that anyone can still get into this profile - if I change [email protected] to

    On the AnyConnect client - I connect to the group-url of the connection profile Company-Jabber.

    Hi Alexandre

    There are several ways to approach this, and it depends somewhat on the rest of the config, for example whether you have other tunnel-groups etc.

    I guess the easiest way (if it does not interfere with the rest of your configuration) is to add something like this:

    crypto ca certificate map Cert-Filter 65535 subject-name ne ""

    This would catch all users/certificates not matched by your previous rules.

    Under webvpn, you map these users to another tunnel-group (connection profile):

    certificate-group-map Cert-Filter 65535 NoAccess

    And configure the NoAccess group so that access is denied (for example, by setting simultaneous logins to 0 in the corresponding group policy).

    Other ways would be to use DAP (dynamic access policies) to do pretty much the same as the certmap, or LDAP authorization (i.e. retrieve the username from the certificate, then perform an LDAP search to see if the user is allowed to use the VPN - in this scenario there is no need to list all the users on the ASA, but for example you need to create a new group on your LDAP server that contains all VPN users).

    Let me know if you want to go further into any of the above.

    Cheers

    Herbert

  • AAA authentication for user name failed

    I recently tried to set up a Cisco WLC 4402 running 7.0.235.0 with RADIUS on Windows Server 2008 R2. I set my security type to WPA2-Enterprise with AES encryption and Microsoft PEAP, and exported a certificate from my CA server and installed it on my client machine.

    I don't know what I'm missing; let me know what further information would help. I have attached a few screenshots.

    0 Mon Jul 22 10:25:58 2013 Client Excluded: MACAddress:8c:70:5a:d2:f6:f8 Base Radio MAC: 00:1e:79:d6:25:e0 Slot: 0 User Name: unknown Ip Address: Reason: 802.1x Authentication failed 3 times. ReasonCode: 4
    1 Mon Jul 22 10:25:58 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
    2 Mon Jul 22 10:25:54 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER
    3 Mon Jul 22 10:25:49 2013 AAA Authentication Failure for UserName:host/106LPT073.itserve.com User Type: WLAN USER

    The issue seems to be with the server-side certificate. Based on your first post, I understand you are using a third-party certificate. Would it be possible to issue a new certificate and try again? Or please export the certificate and attach it in your next reply.

    Certificate requirements for PEAP and EAP

    http://TechNet.Microsoft.com/en-us/library/a1ac8d7e-3479-46B4-932b-ab43362e021b

    By default, these logs are located in %windir%\System32\Logfiles

    http://TechNet.Microsoft.com/en-us/library/dd197464%28V=WS.10%29.aspx

    ~BR
    Jatin Kone

    *Please rate helpful posts*

  • ACS 5.1 administrator certificate authentication?

    Is it possible to authenticate ACS administrators [web interface] by client certificate in ACS 5.1?

    This link is for 4.x, which is a different product from 5.x.

    Currently, administrator authentication is done by username and password only.

    The certificate can be changed, but this only changes the certificate presented to the user when they log in to the ACS.

    -Jesse

  • Guest user authentication without certificate

    Hi team,

    I have employees doing certificate based authentication to connect to the network. But I have a few users who do not have any certificates, and they want to have internet access only.

    I want to understand what all my options are here to make sure that guest users skip the authentication and only get the internet VLAN when they connect.

    Is it possible to have a rule stating that ISE ignores authentication and pushes only the internet VLAN via an authorization profile?

    Or is there any other way available?

    Bellefroid

    Hi Bellefroid,

    There are several different ways you can do this. The simplest and probably the best way is via the guest portal that is already in ISE. If it's for wireless, you must:

    1. Create a separate SSID and configure it for CWA (Central Web Authentication). You can set the guest portal to point to AD so that, let's say, all 'domain users' can authenticate

    2. You can restrict the actual access either via ACLs configured on the WLC (WLCs don't support DACLs) or via dynamic VLAN assignment

    If it's for wired, the configuration is similar. You would:

    1. Redirect any of the sessions that fail 802.1X to the guest portal. The guest portal is again configurable to point to AD for authentications

    2. Restrict access via a DACL (configured on ISE) or dynamic VLAN assignment

    Take a look at the following documentation:

    http://www.Cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-...

    http://www.Cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-...

    I hope this helps!

    Thank you for rating helpful posts!

  • Certificate authentication "don't ask again"

    I connect to a remote server running MS Server 2008 R2 from home, using a Win7 laptop and Remote Desktop. During the connection process, I am presented with a certificate authentication failure message, to which I usually respond "connect anyway". Last night I clicked the 'Don't ask me again' box, and now I can't connect at all. I see an error message saying the server is not available or is turned off, etc.

    Does anyone know how I can "reactivate" the original certificate failure message?

    Carol

    This issue is beyond the scope of this site and should be posted on TechNet or MSDN

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • Cisco VCS and LDAP for user authentication

    I have a question about setting up LDAP for user authentication on the VCS. I want to have redundancy in my LDAP link. I believe this is possible by setting a fully qualified domain name as the LDAP server address and then selecting SRV as the resolution type. What I'm not clear on is what the value of the server address field would be if I actually used SRV as the resolution type. I should also add that I am looking to use TLS.

    To clarify, if my AD domain name is myad.netcraftsmen.net, do I set the server address field to:

    myad.netcraftsmen.net, assuming that the VCS properly queries DNS for the correct _service._proto parameters?

    or would I need to create an SRV record for that purpose and set the server address field to that name (including the _service._proto parts)?

    or do I need to specify one of the SRV record formats used by MS AD domains (there are several)?

    If the latter, then which SRV record for TLS? I only see records with port 389 (non-secure).

    My intuition tells me that it is probably the first option, but I could be way off.

    Anyway, thanks in advance for any input.

    Kind regards

    Bill

    Hi William,

    I just checked this on an X6.1 VCS, and it seems that the VCS looks up the SRV record _ldap._tcp.domain (where 'domain' is what was entered as the server address), both when the encryption is set to 'None' and when it is set to 'TLS'.

    Hope this helps,

    Andreas
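The thread above comes down to what an LDAP client does with "server address = domain, resolution type = SRV": it queries the _ldap._tcp.<domain> owner name (the generic one of the several names an AD domain publishes), gets back every DC with a priority and weight, and works through them in RFC 2782 order, which is where the redundancy comes from. The following is an added example, not Cisco's or the VCS's code, that shows that ordering and failover on a constructed SRV answer for myad.netcraftsmen.net with three hypothetical DCs; the hostnames, priorities and weights are assumptions, and the DNS query itself is not performed, so it runs offline. The records carry port 389 because, as Andreas reports, the VCS queries the same _ldap._tcp name whether or not TLS is enabled.

```python
"""Added example (not Cisco code): SRV name construction, RFC 2782 target
ordering, and failover over a constructed _ldap._tcp answer."""

import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class SrvRecord:
    priority: int       # lower is tried first
    weight: int         # relative share among records of equal priority
    port: int
    target: str


def srv_name(domain: str, service: str = "ldap", proto: str = "tcp") -> str:
    """SRV owner name queried for a domain, e.g. _ldap._tcp.myad.netcraftsmen.net."""
    return f"_{service}._{proto}.{domain.strip('.').lower()}"


def ad_srv_names(domain: str, site: Optional[str] = None) -> List[str]:
    """The LDAP SRV names an Active Directory domain publishes:
    generic, DC-only (_msdcs) and, if a site is given, the per-site name."""
    domain = domain.strip(".").lower()
    names = [srv_name(domain), f"_ldap._tcp.dc._msdcs.{domain}"]
    if site:
        names.append(f"_ldap._tcp.{site.lower()}._sites.{domain}")
    return names


def order_targets(records: List[SrvRecord],
                  rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 client ordering: ascending priority; within one priority the
    records are drawn without replacement with probability proportional to weight."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)            # 0 <= pick <= total
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def connect_with_failover(records: List[SrvRecord],
                          try_connect: Callable[[str, int], bool],
                          rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Try each target in SRV order until one connects; return it, or None if all fail.
    try_connect(host, port) -> bool stands in for the real LDAP bind attempt."""
    for rec in order_targets(records, rng):
        if try_connect(rec.target, rec.port):
            return rec
    return None


# Constructed SRV answer (assumed hosts and weights): two DCs at the preferred
# priority sharing the load, one backup DC at a worse priority.
SRV_ANSWER = [
    SrvRecord(0, 100, 389, "dc1.myad.netcraftsmen.net"),
    SrvRecord(0, 100, 389, "dc2.myad.netcraftsmen.net"),
    SrvRecord(10, 0, 389, "dc3.myad.netcraftsmen.net"),
]


def ordered_targets_for(seed: int) -> List[str]:
    """Target hostnames in the order a client seeded with `seed` would try them."""
    return [r.target for r in order_targets(SRV_ANSWER, random.Random(seed))]


def demo(down: Set[str], seed: int = 1) -> Optional[str]:
    """Simulate the DCs named in `down` being unreachable; return the DC actually used."""
    rec = connect_with_failover(SRV_ANSWER, lambda host, port: host not in down,
                                random.Random(seed))
    return rec.target if rec else None


if __name__ == "__main__":
    print(ad_srv_names("myad.netcraftsmen.net", site="HQ"))
    print(ordered_targets_for(7))
    print(demo({"dc1.myad.netcraftsmen.net"}))
```

Whatever the seed, dc3 is always last because priority is honoured before weight, and it is only used once both priority-0 DCs are down; that is the behaviour to expect from a client configured the way Andreas describes.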
