Workaround for iChain Certificate Authentication Bug
Novell Cool Solutions: Tip
Posted: 4 Oct 2006
I've set up an accelerator with the option "Enable Secure Exchange" checked, because I want to enable SSL communication from the browser to iChain (but plain HTTP from iChain to the protected web server). If I use an LDAP authentication module with login and password, everything works correctly: iChain lets me browse to the public resources of my application, and the iChain login page only appears if I try to browse to some protected resources.
My problem is when I use a mutual certificate authentication profile instead of the LDAP profile. With this configuration, the browser pops up the certificate request even when I try to browse my public resource. In fact, it seems that iChain asks me for authentication (using a certificate) even if I'm trying to get public pages! This happens only if I enable the certificate authentication module together with "Enable Secure Exchange". If I configure the accelerator in plain HTTP (no SSL between the browser and iChain), even with the certificate authentication module everything works as expected, and the browser asks for a certificate only when I try to access protected resources.
There is a solution on a case opened on iChain 2.2. It seems there is a bug, and there is no patch yet. Fortunately, there is a workaround.
To avoid the prompt for the client certificate, enable the following options:
set accelerator <acc_name> authentication authovercd = Yes
set accelerator <acc_name> authentication authcddbenabled = Yes
APPLY
Once this has been done, I can access the website without being prompted for a user certificate. The two set commands above enable "Cross Domain Authentication". In summary, enabling cross-domain authentication solves this problem.