Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.

Rights Management Certificate Authentication

Avatar

Level 4
Hello,



We're trying to set up a test server to demonstrate Certificate Authentication with Rights Management 8.0.1 and Acrobat 8.1, and so far are a bit stumped. I'm using RSA 2048 at all stages of the key generation process.



I've basically used the guide linked below, but skipping the Web Server SSL key section and jumping on to creating client certs straight after creating the CA certs.



http://marc.info/?l=tomcat-user&m=106293430225790&w=2



Here's a quick outline of basic steps taken:



1. Set up Active Directory domain mapping with LDAP and sync. Assign a domain user Rights Management End User role.

2. Set up Rights Management to only accept Certificate Authentication and block Acrobat 7 clients.

3. Using OpenSSL, create a root CA.

4. Upload CA public key to Certificates in Admin UI.

5. Set up certificate mapping on E->Primary email for the AD domain

6. Create client certificate and signing request matching domain user with Rights Management End User role.

7. Sign client request using CA.

8. Bundle client request into p12.

9. Import CA public key into Acrobat trusted identities and Windows trusted root CA store.

10. Import p12 into Acrobat.

11. Export .cer file for this identity from Acrobat.

12. Using Admin UI, upload client certificate to the Test Certificate Mapping, get green verification (with mapping should be okay message)

13. Attempt to add Policy Server in Acrobat, when prompted select client certificate.



At this point the whole thing falls down, and a dialog box pops up saying:



"Acrobat Security



X - Unable to connect to the service at https://lces:443



You do not have permission to perform this operation."



Now, there's probably something I've done wrong or missed at some stage, but I'm wondering if the theory is good and I've just messed up creating the certificates (several times), or there is some key concept I've misunderstood.



If there is any documentation or guides around on setting up Rights Management to use Certificate Authentication, then I've yet to find them, so if anyone knows of any please let me know.



Any feedback from people who've successfully implementated Certificate Authentication using Acrobat 8 and LCRM 8.0.1 would be greatly appreciated, and if I do solve the problem myself I'll be sure to post whatever it was I missed or did wrong to get to the error message.



If there's any other information I can provide which might help figure out where the issue lies, then please let me know.



Thanks,



Robert Hirst
6 Replies

Avatar

Former Community Member
Hi Rob,<br /><br />I see that you are trying to connect to port 443. <br /><br />Can you connect to the adminui using the following?<br />https://lces/adminui <br />Note :443 isn't required as it is the default port for all browsers and Adobe Reader.<br /><br />If not this could mean that the SSL port on JBoss is pointing to the JBoss' default SSL port 8443. Try <br />https://lces:8443/adminui <br /><br />The server.xml can be found here<br /><LiveCycle8>\jboss\server\all\deploy\jbossweb-tomcat55.sar\server.xml<br /><br />Cheers<br /><br />Larry Bunton<br />Avoka Technologies<br />Sydney, Australia

Avatar

Former Community Member
Hi Robert,



It appears from your description that Acrobat is having trouble with the certificate you provided.



A couple of things for you to try:



1. Can you verify that the certificate shows up in the "Windows Personal Certificate Store." You can see this in Acrobat under:



Advanced->Security Settings->Digital Ids->Windows Digital IDs



2. If so, can you make sure it doesn't show up in any other section under "Digital Ids". This probably shouldn't cause a problem, but worth trying.

3. If that looks fine, can you post the certificate with the credential (private key) and we can take a quick look.



Thanks,



-Bill

Avatar

Level 4
Thanks Bill, that was really handy.



I'd used the Add ID option without being on a specific store, and it had placed it under Digital IDs. It was still offering me the option to use that certificate to authenticate against the server with. I imported the certificate into the Windows Digital ID section it now authenticates against the server perfectly.



So problem solved, although I'm still not 100% sure why the Import Digital ID places the certificates into a location which doesn't work with Rights Management, although I'm sure there's a good reason.



I'll make sure that we only add to the Windows Digital ID container in Acrobat/Reader or import directly into the Personal Certificate store in Windows for the demonstration.



Thanks for your help in fixing this.

Avatar

Former Community Member
Dear all,



I am having problem to add contact to my trust list from a Directory Server. I can connect to the directory server, but I don't know what to insert into the Directory name. So, I just can't find the search any contact by using this method.

Avatar

Former Community Member
Dear All,



I have installed LCES 8.0 TurnKey for JBOSS to evaluate the Rights Management. The system is running on Virtual PC and in the same VPC also Acrobat Pro 8 is installed. I have configured the server address for RM as http://localhost:8080/ and from Acrobat trying to connect to the same address as the RightsManagement Server. But Acrobat cannot connect to the server from that address.



I have been informed that I need SSL conncetion to JBOSS but I have no clue how to set it.



Any help about the connection is very welcomed.



Thanks and regards,