Asking specific client certificate (not certificates trusted by authority)

As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
For example:
Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?

I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
It might not be elegantBut it is!
See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.

Similar Messages

  • Certificates NOT trusted

    Hello all.......
    I have issues w/ "com.apple.systemdefault"  certificate (& other Apple certificates) not being trusted... I have yet to find a response to queries re: same.... Is this something no one can answer OR maybe a too simple a problem to take time with?
    TIA, Jack

    Hello all.......
    I have issues w/ "com.apple.systemdefault"  certificate (& other Apple certificates) not being trusted... I have yet to find a response to queries re: same.... Is this something no one can answer OR maybe a too simple a problem to take time with?
    TIA, Jack

  • 2-way SSL when WL7 is client; get "Required peer certificates not supplied by peer"

    Background: WL7 is properly configured to use 2-way SSL, and works fine whenever
    its acting as the Server; i.e., I have 2-way SSL working between a Web Browser
    and WL7, or between Tomcat and WL7. However, when trying to get 2-way SSL (mutual
    authentication) working between a WL7 server acting as a client and another server
    such as Tomcat, acting as the server, I get a "Required peer certificates not
    supplied by peer" error. The initial ServerHello handshake is fine; the problem
    arises when the Tomcat server, for example, then requests WL7 to serve up its
    client certificate. It's as if WL7 does not know where to locate its "client"
    certificate.
    I had the same problem with Tomcat initially, where it would also not know how
    to locate its "client" certificte. I resolved the problem by setting the following
    system properties:
    javax.net.ssl.keyStore=...
    javax.net.ssl.keyStorePassword=...
    javax.net.ssl.trustStore=...
    javax.net.ssl.trustStorePassword=...
    Are their analogous system properties I need to set on the WL7 side of things,
    as I noticed that WL7 seems to use its own proprietary version of JSSE API's?
    How do I configure WL7 to locate its "client" certificate?
    Thanks! Your help is greatly appreciated.
    -Dan

    Weblogic uses Certicom SSL implementation which has classes that conflict with
    JSSE classes. As a result opening SSL connection from WLS over JSSE or API like
    SOAPConnection that uses JSSE does not work as expected. The javax.net.ssl properties
    are not supported and there is no replacement for the default identity keystore
    property.
    The best workaround I can think of in this case is to pass as the second parameter
    to SOAPConnection.call() method a URL instance created with a custom URLStreamHandler
    extending the weblogic.net.http.Handler. This handler can override the Handler.openConnection(URL)
    method and use the HttpsURLConnection.loadLocalIdentity method to initialize identity
    of the returned connection. For example:
    public class MyHandler extends weblogic.net.http.Handler {
    protected URLConnection openConnection(URL u) throws IOException {
    URLConnection c = super.openConnection();
    if (c instanceof weblogic.net.http.HttpsURLConnection) {
    // initialize ssl identity
    ((weblogic.net.http.HttpsURLConnection) c).loadLocalIdentity(certChain,
    privateKey);
    return c;
    URL someHTTPSUrlEndpoint = new URL("https", "localhost", 7002, "myfile", new MyHandler());
    replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
    Pavel.
    "ddumitru" <[email protected]> wrote:
    >
    Thanks, Pavel, for replying,
    I've been reading and re-reading that page for quite a while now. Unfortunately,
    the examples given are for when WL7 is acting as the "server" and not
    the "client";
    i.e., when some other server, such as Tomcat, WebSphere, or Oracle 9IAS,
    reaches
    out to the WL7 instance first, or when one WL7 instance talks to another
    WL7 instance
    via JNDI.
    In my case, my WL7 instance needs to initiate a Web Service call; i.e.,
    needs
    to reach out to another server via a SAAJ (SOAP with Attachments) API
    call. My
    sending servlet uses the SAAJ (SOAP with attachments) API to make a Web
    Service
    call to another server, as follows:
    SOAPConnectionFactory scf = SOAPConnectionFactory.newInstance();
    SOAPConnection con = scf.createConnection();
    SOAPMessage replyMessage = con.call( someSOAPMessageInstance, someHTTPSUrlEndpoint
    With the SAAJ API, as illustrated above, I don't see a direct way of
    configuring
    (using URLConnection, SSLContext, SSLSocketFactory, etc.) the SSL connection
    prior
    to making a call, as suggested in the link you mentioned. Also, the
    receiving
    server may implement its Web Services using a non-BEA application server
    that
    may not even use the J2EE platorm. As such, I don't believe I can use
    the JNDI
    solution provided in that same link.
    Again, I was able to make 2-way SSL (Mutual Authentication) connections
    between
    Tomcat and WL7 instances using the SAAJ API's when Tomcat was the client
    initiating
    the SAAJ call. In this scenario, Tomcat requested WL7 for its certificate,
    WL7
    served it up, and Tomcat then verified it. Then, in turn, WL7 asked
    Tomcat for
    its certificate, Tomcat presented it, and WL7 was able to verify Tomcat's
    certificate.
    I suppose I was able to make it all work under this scenario because
    I was able
    to configure Tomcat, which is using native JSSE API's, to locate its
    "client"
    certificate by setting the following system properties, as mentioned
    previously:
    javax.net.ssl.keyStore=...
    javax.net.ssl.keyStorePassword=...
    javax.net.ssl.trustStore=...
    javax.net.ssl.trustStorePassword=...
    Based upon your feedback, I now understand that WL7 cannot be configured
    in a
    similar manner because WL7 uses its own version of the JSSE API's. Any
    ideas
    on what I might try next?
    Thanks!
    -Dan
    "Pavel" <[email protected]> wrote:
    WLS SSL API does not support any system properties for SSL identity.
    The client's
    identity has to be configured via methods of SSL API. The trust configuration
    of SSL client running on WL server and using WLS SSL API will be the
    same as of
    the WL server.
    See http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1019570
    for more information on this. "Writing Applications that Use SSL" contains
    code
    examples that use different SSL APIs to connect over two-way SSL.
    Pavel.
    "ddumitru" <[email protected]> wrote:
    Background: WL7 is properly configured to use 2-way SSL, and worksfine
    whenever
    its acting as the Server; i.e., I have 2-way SSL working between a
    Web
    Browser
    and WL7, or between Tomcat and WL7. However, when trying to get 2-way
    SSL (mutual
    authentication) working between a WL7 server acting as a client andanother
    server
    such as Tomcat, acting as the server, I get a "Required peer certificates
    not
    supplied by peer" error. The initial ServerHello handshake is fine;
    the problem
    arises when the Tomcat server, for example, then requests WL7 to serve
    up its
    client certificate. It's as if WL7 does not know where to locate its
    "client"
    certificate.
    I had the same problem with Tomcat initially, where it would also not
    know how
    to locate its "client" certificte. I resolved the problem by setting
    the following
    system properties:
    javax.net.ssl.keyStore=...
    javax.net.ssl.keyStorePassword=...
    javax.net.ssl.trustStore=...
    javax.net.ssl.trustStorePassword=...
    Are their analogous system properties I need to set on the WL7 sideof
    things,
    as I noticed that WL7 seems to use its own proprietary version of JSSE
    API's?
    How do I configure WL7 to locate its "client" certificate?
    Thanks! Your help is greatly appreciated.
    -Dan

  • Certificate not Trusted Exception

    Hi,
    I am trying to invoke Axis soap call from webshpere (my requirement is to trust all certificates), but getting certificate not trusted exception. Appreciate any suggestions for fixing this issue.
    Code:
    public String transport(String strMessage, String strParticipantUrl, String methodName, String keyStorePwd) throws RouterException {
         String result = null;
         boolean isErrorOccured = false;
         String errorMessage = null;
         LOGGER.info("Calling Carrier Web Service.......");
         LOGGER.info("Web Service URL is :" + strParticipantUrl);
         LOGGER.info("Web Service Method Name is :" + methodName);
         ServiceFactory serviceFactory = new ServiceFactory();
         Service service = null;
         try {
              service = (Service) serviceFactory.createService(new QName(
              FundTransferConstants.QNAME_SERVICE));
              } catch (ServiceException e) {
              isErrorOccured = true;
         Integer connectionTimeOut = FundTransferContext.getInstance()
         .getConnectionTimeOut();
         org.apache.axis.client.Call call = null;
         if (null != service) {
              try {
                   LOGGER.info("setting ssl status to debug");
                   System.setProperty("javax.ssl.debug", "all");
                   String proxyHost = FundTransferUtil.getProperty("PROXY.HOST");
                   String proxyPort = FundTransferUtil.getProperty("PROXY.PORT");
                   String username = FundTransferUtil.getProperty("PROXY.USER");
                   String password = FundTransferUtil
                   .getProperty("PROXY.PASSWORD");
                   if (proxyHost != null && !"".equals(proxyHost)) {
                   System.setProperty("proxySet", "true");
                   System.setProperty("http.proxyHost", proxyHost);
                   if (proxyPort != null && !"".equals(proxyHost)) {
                        System.setProperty("http.proxyPort", proxyPort);
                   if (username != null && !"".equals(username)) {
                        System.setProperty("http.proxyUser", username);
                   if (password != null && !"".equals(password)) {
                        System.setProperty("http.proxyPassword", password);
                   String keyStoreLocation = FundTransferUtil
                   .getProperty("KEYSTORE_LOCATION");
                   String keystore = keyStoreLocation + "/"
                   + FundTransferConstants.KEYSTORE_FILE_NAME;
                   String storetype = FundTransferConstants.KEYSTORE_FILE_TYPE;
                   String][ props = {
                   { FundTransferConstants.TRUST_STORE, keystore, },
                   { FundTransferConstants.KEY_STORE, keystore, },
                   { FundTransferConstants.KEY_STORE_PWD, keyStorePwd, },
                   { FundTransferConstants.KEY_STORE_TYPE, storetype, },
                   { FundTransferConstants.TRUST_STORE_PWD, keyStorePwd, }, };
                   // Commented loading the keystore to test outbound calls
                   /*for (int index = 0; index < props.length; index++)
                   System.getProperties().setProperty(propsindex[0],
                   propsindex[1]);*/
                   // Commented all trusting trust manager
                   /*LOGGER.info("Creating TrustManager...");
                   TrustManager] trustAllCerts = new TrustManager[ { new X509TrustManager() {
                   public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                   LOGGER.info("Acception all issuers");
                   return null;
                   public void checkClientTrusted(
                   java.security.cert.X509Certificate[] certs,
                   String authType) {
                   LOGGER.info("checkClientTrusted method");
                   public void checkServerTrusted(
                   java.security.cert.X509Certificate[] certs,
                   String authType) {
                   LOGGER.info("checkServerTrusted method");
                   // Install the all-trusting trust manager
                   try {
                        LOGGER.info("Creating SSLContext...");
                        SSLContext sc = SSLContext.getInstance("SSL");
                        LOGGER.info("Created SSLContext..." + sc);
                        sc.init(null, trustAllCerts,
                        new java.security.SecureRandom());
                        LOGGER.info("Created SSLContext initiated...");
                        LOGGER.info("sslDefaultSocketFactory......"
                        + sc.getSocketFactory());
                        HttpsURLConnection.setDefaultSSLSocketFactory(sc
                        .getSocketFactory());
                        LOGGER.info("sslDefaultSocketFactory......"
                        + sc.getSocketFactory());
                   } catch (Exception e) {
                   LOGGER.error("Exception is occuring...");
                   LOGGER.error(e.getMessage());
              call = (Call) service.createCall();
         } catch (ServiceException ex) {
         LOGGER.error(ex.getMessage());
              errorMessage = ex.getMessage();
              isErrorOccured = true;
         if (null != call) {
              LOGGER.info("Web Service TimeOut setting :"
              + connectionTimeOut.intValue());
              LOGGER.info("Setting axis propeties to use IBMFakeTrustSocketFactory");
              // This will allow web service requests using the HTTPS protocol without having a valid SSL certificate installed and configured.
              AxisProperties.setProperty("axis.socketSecureFactory","org.apache.axis.components.net.IBMFakeTrustSocketFactory");
              call.setTimeout(connectionTimeOut);
              call.setTargetEndpointAddress(strParticipantUrl);
              call.setProperty(Call.SOAPACTION_USE_PROPERTY,
              new Boolean(true));
              call.setProperty(Call.SOAPACTION_URI_PROPERTY,
              FundTransferConstants.EMPTY_STRING);
              QName qnameTypeStr = new QName(FundTransferConstants.NS_XSD,
              FundTransferConstants.QNAME_TYPE);
              QName header = new QName(FundTransferConstants.NS_XSD,
              FundTransferConstants.QNAME_TYPE);
              call.setReturnType(qnameTypeStr);
              call
              .setOperationStyle(FundTransferConstants.WEB_SERVICE_OPERATION_RPC_STYLE);
              call
              .setOperationName(new QName(
              FundTransferConstants.BODY_NAMESPACE_VALUE,
              methodName));
              call.addParameter("String_1", qnameTypeStr, ParameterMode.IN);
              String[] params = { strMessage };
              if (FundTransferConstants.CARRIER_RESEND_METHOD
              .equalsIgnoreCase(methodName)) {
                   try {
                        call.invoke(params);
                   } catch (Exception ex) {
                        errorMessage = ex.getMessage();
                        isErrorOccured = true;
                        LOGGER.info(ex.getMessage());
              } else {
              int counter = 0;
              while (counter < 3) {
              counter++;
              try {
                   // Here making the call which is failing
                   result = (String) call.invoke(params);
                   counter = 4;
              } catch (AxisFault axisFault) {
                   axisFault.printStackTrace();
                   errorMessage = axisFault.getMessage();
                   isErrorOccured = true;
                   LOGGER.error(axisFault.getMessage());
              } catch (Exception ex) {
                   ex.printStackTrace();
                   errorMessage = ex.getMessage();
                   isErrorOccured = true;
    if (isErrorOccured) {
    throw new RouterException(errorMessage);
    return result;
    System Error:
    12/7/07 13:43:41:639 EST 000000bb SystemErr R AxisFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
    faultSubcode:
    faultString: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted
    faultActor:
    faultNode:
    faultDetail:
    {http://xml.apache.org/axis/}stackTrace: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted
    at com.ibm.jsse2.bx.a(bx.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java:473)
    at com.ibm.jsse2.w.a(w.java(Compiled Code))
    at com.ibm.jsse2.w.a(w.java(Compiled Code))
    at com.ibm.jsse2.v.a(v.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java(Compiled Code))
    at com.ibm.jsse2.by.l(by.java(Compiled Code))
    at com.ibm.jsse2.by.startHandshake(by.java(Compiled Code))
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:224)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:157)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:114)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:180)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2564)
    at org.apache.axis.client.Call.invoke(Call.java:2553)
    at org.apache.axis.client.Call.invoke(Call.java:2248)
    at org.apache.axis.client.Call.invoke(Call.java:2171)
    at org.apache.axis.client.Call.invoke(Call.java:1691)
    at com.dtcc.insurance.fundtransfer.transport.TransportHandler.transport(TransportHandler.java:245)
    at com.dtcc.insurance.fundtransfer.router.MessageRouter.transport(MessageRouter.java:112)
    at com.dtcc.insurance.fundtransfer.controller.MessageController.processMessage(MessageController.java:155)
    at com.dtcc.insurance.fundtransfer.service.FundTransferServiceImpl.fundTransferRequest(FundTransferServiceImpl.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
    at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
    at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:402)
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:309)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:333)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:481)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:323)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:854)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:339)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3174)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:253)
    at com.ibm.ws.webcontainer.VirtualHost.handleRequest(VirtualHost.java:229)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1970)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:114)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582)
    at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704)
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java(Compiled Code))
    Caused by: java.security.cert.CertificateException: Certificate not Trusted
    at com.ibm.jsse.bi.a(Unknown Source)
    at com.ibm.jsse.bi.checkServerTrusted(Unknown Source)
    at com.ibm.jsse2.ba.checkServerTrusted(ba.java:16)
    ... 57 more
    12/7/07 13:43:41:640 EST 000000bb SystemErr R AxisFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
    faultSubcode:
    faultString: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted
    faultActor:
    faultNode:
    faultDetail:
    {http://xml.apache.org/axis/}stackTrace: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted
    at com.ibm.jsse2.bx.a(bx.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java:473)
    at com.ibm.jsse2.w.a(w.java(Compiled Code))
    at com.ibm.jsse2.w.a(w.java(Compiled Code))
    at com.ibm.jsse2.v.a(v.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java(Compiled Code))
    at com.ibm.jsse2.by.l(by.java(Compiled Code))
    at com.ibm.jsse2.by.startHandshake(by.java(Compiled Code))
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:224)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:157)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:114)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:180)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2564)
    at org.apache.axis.client.Call.invoke(Call.java:2553)
    at org.apache.axis.client.Call.invoke(Call.java:2248)
    at org.apache.axis.client.Call.invoke(Call.java:2171)
    at org.apache.axis.client.Call.invoke(Call.java:1691)
    at com.dtcc.insurance.fundtransfer.transport.TransportHandler.transport(TransportHandler.java:245)
    at com.dtcc.insurance.fundtransfer.router.MessageRouter.transport(MessageRouter.java:112)
    at com.dtcc.insurance.fundtransfer.controller.MessageController.processMessage(MessageController.java:155)
    at com.dtcc.insurance.fundtransfer.service.FundTransferServiceImpl.fundTransferRequest(FundTransferServiceImpl.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
    at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
    at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:402)
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:309)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:333)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:481)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:323)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:854)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:339)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3174)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:253)
    at com.ibm.ws.webcontainer.VirtualHost.handleRequest(VirtualHost.java:229)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1970)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:114)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582)
    at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704)
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java(Compiled Code))
    Caused by: java.security.cert.CertificateException: Certificate not Trusted
    at com.ibm.jsse.bi.a(Unknown Source)
    at com.ibm.jsse.bi.checkServerTrusted(Unknown Source)
    at com.ibm.jsse2.ba.checkServerTrusted(ba.java:16)
    ... 57 more
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted
    at org.apache.axis.AxisFault.makeFault(AxisFault.java:129)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:131)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:180)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2564)
    at org.apache.axis.client.Call.invoke(Call.java:2553)
    at org.apache.axis.client.Call.invoke(Call.java:2248)
    at org.apache.axis.client.Call.invoke(Call.java:2171)
    at org.apache.axis.client.Call.invoke(Call.java:1691)
    at com.dtcc.insurance.fundtransfer.transport.TransportHandler.transport(TransportHandler.java:245)
    at com.dtcc.insurance.fundtransfer.router.MessageRouter.transport(MessageRouter.java:112)
    at com.dtcc.insurance.fundtransfer.controller.MessageController.processMessage(MessageController.java:155)
    at com.dtcc.insurance.fundtransfer.service.FundTransferServiceImpl.fundTransferRequest(FundTransferServiceImpl.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java(Compiled Code))
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java(Compiled Code))
    at java.lang.reflect.Method.invoke(Method.java(Compiled Code))
    at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:402)
    at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:309)
    at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:333)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
    at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:481)
    at org.apache.axis.server.AxisServer.invoke(AxisServer.java:323)
    at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:854)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:339)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1572)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:762)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3174)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:253)
    at com.ibm.ws.webcontainer.VirtualHost.handleRequest(VirtualHost.java:229)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1970)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:114)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:472)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:411)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:288)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:950)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:582)
    at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1704)
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java(Compiled Code))
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java(Compiled Code))
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate not Trusted
    at com.ibm.jsse2.bx.a(bx.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java:473)
    at com.ibm.jsse2.w.a(w.java(Compiled Code))
    at com.ibm.jsse2.w.a(w.java(Compiled Code))
    at com.ibm.jsse2.v.a(v.java(Compiled Code))
    at com.ibm.jsse2.by.a(by.java(Compiled Code))
    at com.ibm.jsse2.by.l(by.java(Compiled Code))
    at com.ibm.jsse2.by.startHandshake(by.java(Compiled Code))
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:224)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:157)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:114)
    ... 48 more
    Caused by: java.security.cert.CertificateException: Certificate not Trusted
    at com.ibm.jsse.bi.a(Unknown Source)
    at com.ibm.jsse.bi.checkServerTrusted(Unknown Source)
    at com.ibm.jsse2.ba.checkServerTrusted(ba.java:16)
    ... 57 more

    I found the fix from Oracle Support Knowlededge Base
    sslTool serverInfo --url https://HOST:9043 --certFile newcert.cer
    PStoreTool located in REGISTRY_HOME/bin/PStoreTool add -config
    WEBLOGIC_HOME/user_projects/domains/[osr_domain_name]/servers/[osr_server_name]/tmp/_WL_user/registry/[unique id]/public/conf/pstore.xml -certFile newcert.cer
    I was updating wrong file with the certificate. It had to be pstore.xml. This solved my issue.
    Thanks & Regards,
    Parshant

  • Designating the specific client certificate to use from within an applet

    With JRE 1.4.x, my applet will use a specific client certificate for connection to an https url which requires a client certificate - I did that by defining runtime parameters for the jre (-Djavax.net.ssl.keyStore=...) but with JRE 1.5.x, the same runtime options doesn't seem to have any effect (even if I configure the plugin not to use the browser's store of certificates).
    I like the new "use browser certifcate store" feature of the JRE 1.5.x, but can I have a way to designate, programmatically in the code of my applet, which specific certificate to use?

    With JRE 1.4.x, my applet will use a specific client certificate for connection to an https url which requires a client certificate - I did that by defining runtime parameters for the jre (-Djavax.net.ssl.keyStore=...) but with JRE 1.5.x, the same runtime options doesn't seem to have any effect (even if I configure the plugin not to use the browser's store of certificates).
    I like the new "use browser certifcate store" feature of the JRE 1.5.x, but can I have a way to designate, programmatically in the code of my applet, which specific certificate to use?

  • Cannot access common websites security certificate not trusted

    I am unable to get to many frequently accessed websites from either Chrome or Safari due to Security Certificate Trust issues. I have been attempting to access Paypal all afternoon without success, as there is no "Proceed anyway" button. I was only able to reach this forum by selecting "Proceed anyway"(!) Other machines on my local network accessing the web via UVerse are not having difficulties, so it seems to be Mavericks specific.

    This solved my problem:
    https://discussions.apple.com/message/18508863#18508863
    I solved this on my wife's computer by resetting the security certificate settings.  This might help others:
    Close all windows.
    Keychain Access ->  click on System Roots on the left, and then click on Certifcates on the bottom left.
    Check to see if any of the certificates on the right have the blue "+" symbol - this means they have custom trust settings.
    There is a bug in changing the policies, so you'll have to change them via the method below.  Changing them just by changing the access to "system defaults" doesn't seem to save.  The method below worked for me.
    Double-click on each certificate with the custom setting (blue "+"), expand the section labled "trust".  Change the "Secure Sockets Layer (SSL)" setting to "no value specified".  Close window - you should be prompted for the password.  Double-click on the certificate again, expand trust, change the "When using this certificate" setting to "Use System Defaults".  Close window, and re-enter password.
    If you didn't re-enter your password upon closing the window, the setting didn't take.  The blue "+" should disappear after a few seconds when it's set back to default.  Once all of the certificates are changed back to default, restart Safari.
    This solved all of the problems for my wife's computer with these issues and OSX 10.7.4
    Message was edited by: Barry Stock

  • There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server

    Hello,
    I have an issue with connecting client SB1H on Windows, the scenario is as follows:
    1.- Server:
         Suse Linux Enterprise Server 11.3 kernel version: 3.0.76-0.11 IBM
         NDB and Server are review 69 SP06
    2.- Client:
         Windows 8 Pro Virtual Machine on Microsoft Hyper-V
         SB1H PL 11 version 32bits    
         SAP HANA Studio version 1.0.60
    When I run SB1H the following message appears:
    There is a problem with the server's security certificate. The security certificate is not from a trusted certifying authority. SAP Business One is unable to connect to the server.
    Any idea what could be the solution?

    Hi,
    Please check SAP notes:
       1993392 - Server components setup wizard: New default values for certificates and single sign-on option
    1929288 - Do not configure SSL for XApp during installation or upgrade if XApp is installed on a different machine than the SAP HANA server
    Thanks & Regards,
    Nagarajan

  • Mac Client Certificate not found

    Hey all, i'm trying to install the ConfigMgr client on a mac system. The site is 2012 SP1 RTM however since there is no release yet of the mac client i'm using the mac client install from the SP1 beta install folder (Suggested by Microsoft)
    I followed the instructions on how to install clients on mac computer from technet. Everything from the install and the enrollment seems to complete fine no errors. After the enrollment when I open System Preferences > Configuration Manager it says "Certificate
    not found" If i check the ccmclient log file on the mac it shows the following errors
    Failed to Parse MgmtAuthority ServerList
    Failed to get server list
    Failed to GetProperty Mode from Configuration Provider : 80070490
    Requested certificates not available in store
    Certificate not found in store. Bailing out!
    Failed to validate certificate
    The certificate shows up under system in the keychain, the only strange thing is it shows for name the user who enrolled in the certificate. I figured it should have showed the system name. The root ca is also there. Any help would be appreciated, thanks

    Okay so figured this out, and i'll post in case this happens to someone else. The certificate will always show under the keychain with a name of whoever the user was that did the enrollment. So if you used Joe Smith, then the certificate will be called
    Joe Smith. In my case the account I used to enroll had a active directory display name of two words such as "Joe Smith" Because of this space in between, configuration manager client kept listing the certificate as "Joe". I was then realized that indeed just
    like the error said the certificate could not be found because its looking for Joe and the the certificate says Joe Smith. The fix was instead do the enrollment with a normal account with no spacing in the name. This may be a bug or Microsoft may not recommend
    creating AD accounts with display names with spaces.

  • SSL Error 61: chosen not to trust security certificate; How to bypass?

    I am trying to utilize Citrix XenApp to remotely access my work userid and applications from home. I can login and see my virtual desktop/applications, but when I try to run an application I get SSL Error 61: you have chosen not to trust "Equifax Secure Global eBusiness CA-1" the issuer of the server's security certificate. I have tried to update the certificate (FFx says its valid), add an exception (cannot because certif is valid), uninstall/reinstall application (no good), but still no luck. Have contacted my company's IT and they are baffled as well. Any ideas to bypass or redo a setting that says I do trust this certificate would be welcome.

    Pardon my ignorance, but can you please explain further. I've read over the info from the link provided but it is beyond my technical comprehension. Is the Citrix database on my end, on my company server's end?

  • Keychain root certificate not trusted (?)

    I see a couple of items in keychain access that say "root certificate not trusted"
    what is this and should they be deleted or somehow modified?
    I looked at certificates with Certificate assistant "evaluate certificate"
    but do not quite understand.
    Thanks

    Ok I'll try not to...
    Thanks

  • ISE: Guest SSL Certificate Not Trusted Error

    Team,
    We are building an ISE Demo for an event, I configured the Guest Access and it is working fine. the problem is that when the guests (Event attendess) try to access the internet they will be reditrected to teh ISE for Guest Authentication. The guest will get the below error message which doesn't look good because the ISE has the self-signed certificate and it doesn't have a public trusted certificate.
    I tried to generate a trail SSL certificate from Thawte and Symentec but both replied that we couldn't verify the information you have provided. I believe this is because my domain is not publicly resgitered (I created this domain internally for the event)
    Please advice what is the solution for this issue. I don't want my guest/attendees to see the error message. It doesn't look for to demonstrate ISE.
    Please advice
    Thanks in advance

    The only solution that can competely resolve your issue is to get a certificate from any trusted  CA, like Verisign, Thawte, etc. Cost for that is typically $100 per year. Other solution is to use certificate from StartSSL. They have easy procedure for issuing ceritifcates and it's free, but in some browsers that window still may  appear sometimes.

  • Linksys Certificate Not Trusted

    ...how can I trust it? Every time I go to my Linksys router with HTTPS, I receive a certificate not trusted error in my browser. I have already imported the certificate into my keychain on OS X, what else can I do?
    It would be great if there was a "Trust" option next to the various errors which are displayed.
    O.S. = OS X 10.73
    Browser = Chrome
    Thanks in advance for any ideas.

    I am using a WRT54GS running firmware 4.70.6. Mozilla Firefox has the option to explicitly trust the certificate and Safari will use keychains certs to repudiate. Google Chrome (my primary browser) shows the following result.
    Internet Explorer (9) shows the following, which is similar to the screen posted. I have tried to import the certificate into trusted publishers, but it won't take.

  • Apple root certificates not trusted?

    I was looking through Keychain Access, and came across these two Apple root certificates that Keychain reports as "This root certificate is not trusted."
    com.apple.kerberos.kdc
    com.apple.systemdefault
    There was also a "localhost" certificate with a Comcast email address that was similarly marked as not trusted.
    Any idea why any of these would not be trusted?
    Thanks,
    JC

    Yes, reinstalling is the backup plan.
    But this Macbook is about one year old. I should not cause that much trouble.

  • Certificate not trusted

    This shows up in my certificates in red: com.apple.systemdefault organization system identity certificate not trusted.  Should I be concerned about this...does it indicate a security breach?

    Can you please let us know, how you have resolved the issue. We are also getting the similar issue with the Certificate.

  • Trusted (not) Certificate

    I have two digital IDs in the Acrobat system.  One is self-signed, created, somehow, within Acrobat, if I remember correctly.  It is considered a trusted root, or something to that effect.  And, is totally useless for sending and having sent back forms created in the Designer.  The other certificate was purchased from VeriSign, exported (backed up) from Firefox, and added to the Digital IDs in Acrobat.  The issuance chain seems not to go back to some root certificate, and it is not trusted.  So, I cannot use it to send and receive the forms securely.
    How do I find the proper information for Acrobat to "trust" the furshluganeh thing?

    Hi,
    There are a couple of different concepts in play here.
    First, let's discuss trust. When it comes to digital signatures, without trust being assigned to a certificate in the signing chain, nothing happens. As an aside, trust is granted by the document recipient (the person that is verifying the signature), it is not assigned by the document signer. There is no way for the signer of the document to imbue the PDF with trust.
    When I talk about the signing chain I mean something that looks like this:
    Root CA Intermediate CA End-entity
    Note: I could have put the list in the opposite order; it's like being in outer space, there is no up or down, just moving in some direction.
    The recipient of the signed PDF may elect to make any of the three certificates (in this example, there could be more or less than three) in the signing chain the trust anchor (aka the trusted root). Acrobat only does revocation checking on the certificates below the trust anchor (below being relative to the way I typed out the signing chain), but not the trust anchor itself nor any certificates above the trust anchor. If you were to make the end-entity the trust anchor Acrobat wouldn't do any revocation checking as part of the signature validation routine. If you were to make the Intermediate CA the trust anchor, Acrobat would only do revocation checking on the end-entity, and if your were to make the Root CA the trust anchor Acrobat would do revocation checking on both the Intermediate CA and the end-entity. Although the signer cannot assign trust to the signature, it is important that they have trust set correctly so Acrobat will do the revocation checks as part of the signature creation process so the revocation information gets downloaded, and ultimately imbedded into the PDF signature in order to facilitate long term validation.
    When you tell Acrobat (and when I say Acrobat I always mean both Acrobat and Reader, but I too lazy to type both words) to trust the Root certificates from the Windows Certificate Store we're talking about the certificates listed on the "Trusted Root Certification Authorities" tab on the Windows Certificates dialog. The certificates listed on any of the other tabs (e.g. the Personal tab) are not being trusted for digital signatures in Acrobat.
    This brings us to issue #2, secured delivery. In order for secured delivery to work, the recipient must trust the signer that sent them the file. The only way that we can insure that the recipient will trust the signer is to insist that the signer uses a digital ID that chains to the Adobe Root CA. Although I said that the signer can't imbue a signed PDF file with trust, because every copy of Acrobat and Reader comes pre-configured with the Adobe Root CA already install and trusted  for certifying signatures, when using a digital ID issued by one of our partners it insures that the recipient won't need to fuss with the trust settings. Thus, when we added the feature we made it so the only time the Secured Delivery button is enabled is if you have a digital ID that chains to the Adobe Root CA.
    One thing about digital signatures, it's a one time creation event, and an many time validation event. I know it's frustrating for you as the signer to deal with this issue, but imagine if you were distributing the form to hundreds of people and they all had to get the trust anchor set before they could securely return their data, the frustration would be growing exponentially.
    Steve

Maybe you are looking for