IPlanet authentication over SSL

Similar Messages

• LDAP over SSL for Solaris 9 / Solaris 10

  I have successfully configured Solaris-10 clients to use Windows 2003 R2 Active Directory for LDAP authentication over SSL. However, my production environment is still running on Solaris-9. I am able to make Kerberos and ldapsearch working on Solaris-9, but I am still NOT able to use PuTTY to make authentication with AD.
  I reviewed all my steps that I configured on Solaris-10, but somewhat I could not make it work on Solaris-9. If anybody sucessfully deployed on Solaris-9, please advices! Any helps greatly appreciated.
  Here are what I got so far on Solaris-9
  =======================================================
  KERBEROS
  =======================================================
  #getent passwd aduser
  aduser:1000:1000:aduser:/export/home/aduser:/bin/sh
  #kinit [email protected]
  Password for [email protected]:
  #klist
  Ticket cache: /tmp/krb5cc_0
  Default principal: [email protected]
  Valid starting Expires Service principal
  Fri Jan 04 17:22:34 2008 Sat Jan 05 03:22:34 2008 krbtgt/[email protected]
  renew until Fri Jan 11 17:22:34 2008
  =======================================================
  LDAPSEARCH / SSL
  =======================================================
  #ldapsearch -v -h sundc1.consoto.com -p 636 -Z -P /var/ldap/cert8.db -D cn=administrator,cn=users,dc=consoto,dc=com -w - -b "dc=consoto,dc=com" -v -s base "objectclass=*"
  Enter bind password:
  ldapsearch: started Fri Jan 4 17:23:52 2008
  LDAP Library Information -
  Highest supported protocol version: 3
  LDAP API revision: 2005
  API vendor name: Sun Microsystems Inc.
  Vendor-specific version: 5.08
  LDAP API Extensions:
  SERVER_SIDE_SORT (revision 1)
  VIRTUAL_LIST_VIEW (revision 1)
  PERSISTENT_SEARCH (revision 1)
  PROXY_AUTHORIZATION (revision 1)
  X_LDERRNO (revision 1)
  X_MEMCACHE (revision 1)
  X_IO_FUNCTIONS (revision 1)
  X_EXTIO_FUNCTIONS (revision 1)
  X_DNS_FUNCTIONS (revision 1)
  X_MEMALLOC_FUNCTIONS (revision 1)
  X_THREAD_FUNCTIONS (revision 1)
  X_EXTHREAD_FUNCTIONS (revision 1)
  X_GETLANGVALUES (revision 1)
  X_CLIENT_SIDE_SORT (revision 1)
  X_URL_FUNCTIONS (revision 1)
  X_FILTER_FUNCTIONS (revision 1)
  ldap_init( sundc1.consoto.com, 636 )
  ldaptool_getcertpath -- /var/ldap/cert8.db
  ldaptool_getkeypath -- .
  ldaptool_getdonglefilename -- (null)
  filter pattern: objectclass=*
  returning: ALL
  filter is: (objectclass=*)
  version: 1
  dn: dc=consoto,dc=com
  objectClass: top
  objectClass: domain
  objectClass: domainDNS
  distinguishedName: DC=consoto,DC=com
  instanceType: 5
  whenCreated: 20071220204021.0Z
  whenChanged: 20071226231851.0Z
  subRefs: DC=ForestDnsZones,DC=consoto,DC=com
  subRefs: DC=DomainDnsZones,DC=consoto,DC=com
  subRefs: CN=Configuration,DC=consoto,DC=com
  uSNCreated: 4098
  uSNChanged: 16663
  name: consoto
  objectGUID:: bM0hWw8HKEOYCFN3yQ==
  creationTime: 128426572605937500
  forceLogoff: -9223372036854775808
  lockoutDuration: -18000000000
  lockOutObservationWindow: -18000000000
  lockoutThreshold: 0
  maxPwdAge: -37108517437440
  minPwdAge: -864000000000
  minPwdLength: 7
  modifiedCountAtLastProm: 0
  nextRid: 1003
  pwdProperties: 1
  pwdHistoryLength: 24
  objectSid:: AQQAAAAAAAUAAYA4LaLGUspxVHsMP
  serverState: 1
  uASCompat: 1
  modifiedCount: 129
  auditingPolicy:: AAE=
  nTMixedDomain: 0
  rIDManagerReference: CN=RID Manager$,CN=System,DC=consoto,DC=com
  fSMORoleOwner: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-Nam e,CN=Sites,CN=Configuration,DC=consoto,DC=com
  systemFlags: -1946157056
  wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=sunl
  ab,DC=com
  wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Progra
  m Data,DC=consoto,DC=com
  wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=sun
  lab,DC=com
  wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrin
  cipals,DC=consoto,DC=com
  wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
  consoto,DC=com
  wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=s
  unlab,DC=com
  wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=sun
  lab,DC=com
  wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=consoto,DC
  =com
  wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,
  DC=consoto,DC=com
  wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=consoto
  ,DC=com
  wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=consoto,DC=
  com
  objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=consoto,DC=com
  isCriticalSystemObject: TRUE
  gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Syste
  m,DC=consoto,DC=com;0]
  masteredBy: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-Name,C
  N=Sites,CN=Configuration,DC=consoto,DC=com
  ms-DS-MachineAccountQuota: 10
  msDS-Behavior-Version: 2
  msDS-PerUserTrustQuota: 1
  msDS-AllUsersTrustQuota: 1000
  msDS-PerUserTrustTombstonesQuota: 10
  msDs-masteredBy: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-N
  ame,CN=Sites,CN=Configuration,DC=consoto,DC=com
  dc: consoto
  1 matches
  I am thinking about pam.conf file or ldapclient's configuration file, any suggestion?

  I have now sat down and looked at your suggestion and I am pretty certain we can't implement it ... :( I was hoping it was just going to be configuration files that were copied (maybe a naive hope, but there you go!) This system is going to be deployed as a live service for a government agency so I do not think we can, in all good conscience, have binaries from two different OS releases residing on the same server as it will make the system nigh-on non-patchable.
  Let's hope Sun have somethig constructive to say about our issue which, I am slowly beginning to think, is related to the password.
  If I su to the test AD user we have whilst logged in as a root user (which does not, of course, prompt for a password) it all works nicely - home directory, shell, the id command gives all that is expected of uid and gid. Now, should I be in a as a non-root user and try the same I get prompted for a password and it all fails - despite me providing what should be the correct password.
  If I do a getent for the user the returned data has a blank for the password field (as opposed to the usual x).
  I think that somewhere, somehow, in the transmission of data that the password is getting a level of encryption that the AD is not setup to unravel. The packets are all encrypted through ldap (we are using tls simple) but what of the password within the packet? Does anything encrypt that first, and if so, does AD know how to decrypt it?

• Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

  In iPlanet Web Server, Enterprise Edition Administration's guide, chapter 5: secure your web server - Using SSL and TLS protocol specifying that the Administrator server camn communicate LDAP over SSL with some Directory enable SSL.
  Is there any way to configure iplanet Administration server to talk ldap/ssl in mutual authentication mode with some directory?

  Hi,
  Sorry, I could not understand what your are trying to do with iWS.
  Could you please berifly explain your question. So that I can help you.
  Regards,
  Dakshin.
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support.

• Authenticated SMTP/SSL over port 465

  Does Oracle E-mail support authenticated SMTP over SSL on port 465? - E

  Yes,
  both TLS and SSL are possible with 10.1.1. Tried myself. A little bit tweaking essmi's accordingly, applying certificates, and adjusting listener.ora for LISTENER_ES.
  Note: essmi only.
  - Torsten

• Firewall settings for Authenticated SMTP over SSL?

  I'm trying to set up mail servives on a server hosted at a host company with a firewall. I think I need to open ports 587 and 465 but the hosting company says I should only open port 465 for this SMTP over SSL. When I try to send email locally thru an account on the server using the server's SMTP server, Apple Mail says it can't. I think part of the problem is the firewall at my end hosted by my ISP might be interacting with everything else.
  Should i have both ports open? Thanks!

  You will need to open the ports that you have added/enabled in Postfix. By default, Postfix only listens to port 25.
  Typically, port 587 should be used. Often you will also need port 465 for backwards compatibility with some Microsoft mail clients.
  To enable those ports in Postfix, see this:
  http://mac007.com/?Tips:AlternateSMTPPorts
  HTH,
  Alex

• How to set up iPhone 5 iOS 6 email with IMAP over SSL on a custom port?

  Basically I have the same problem as this guy 5 years ago but the thread contained no useful answer. Maybe there are people out there who became smarter in the meantime? Please help me out how to get my iPhone read emails via IMAP over SSL on a custom port to the corporate server. The issue is that the iPhone only seems to work if you use the standard 993 port for IMAPS, not with a custom port as we have. I've installed the corporate root certificate in a profile, and it shows up as trusted and verified in the phone, so that should not be the issue. The mail app in the iPhone tries to connect, I can verify that from the server, but then does nothing, doesn't try to authenticate, doesn't log out, nothing is going on, and then drops the connection after 60 seconds. Repeats this every 5 minutes (as set to fetch e-mail every 5 minutes.)
  Original thread 5 years ago: https://discussions.apple.com/message/8104869#8104869

  Solved it by some (a lot) of fiddling.
  Turns out it's not a bug in the iPhone, it's a feature.
  Here's how to make it work.
  DOVECOT
  If the IMAPS port is anything other than 933 (the traditional IMAPS port) the iPhone's Mail App takes the "Use SSL" setting on the IMAP server as 'TLS', meaning it starts the communication in plain text and then issues (tries to issue) the STARTTLS command to switch the connection to encrypted. If, however, Dovecot is set up to start right away in encrypted mode, the two cannot talk to each other. For whatever reason neither the server nor the client realizes the connection is broken and only a timeout ends their misery.
  More explanation about SSL/TLS in the Dovecot wiki: http://wiki2.dovecot.org/SSL
  So to make this work, you have to set Dovecot the following way. (Fyi, I run Dovecot 2.0.19, versions 1.* have a somewhat different config parameters list.)
  1. In the /etc/dovecot/conf.d/10-master.conf file make sure you specify the inet_listener imap and disable (set its port to 0) for imaps like this:
  service imap-login {
    inet_listener imap {
      port = --your port # here--
    inet_listener imaps {
      port = 0
      ssl = yes
  This of course enables unencrypted imap for all hackers of the universe so you quickly need to also do the things below.
  2. In the /etc/dovecot/conf.d/10-ssl.conf file, make sure you set (uncomment) the following:
  ssl = required
  This sets Dovecot to only serve content to the client after a STARTTLS command was issued and the connection is already encrypted.
  3. In /etc/dovecot/conf.d/10-auth.conf set
  disable_plaintext_auth = yes
  This prevents plain text password authentication before encryption (TLS) is turned on. If you have also set ssl=required as per step 2, that will prevent all other kinds of authentications too on an unencrypted connection.
  When debugging this, please note that if you connect from localhost (the same machine the server runs on) disable_plaintext_auth=yes has no effect, as localhost is considered secure. You have to connect from a remote machine to make sure plain text authentication is disabled.
  Don't forget service dovecot restart.
  To test if your setup works as it's supposed to, issue the following (green) from a remote machine (not localhost) (I'm using Ubuntu, but telnet and openssl is available for almost all platforms) and make sure Dovecot responds with something like below (purple):
  telnet your.host.name.here yourimapsportnumber
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
  Most importantly, make sure you see 'STARTTLS' and 'LOGINDISABLED'. Then issue STARTTLS and hopefully you see something like this:
  a STARTTLS
  a OK Begin TLS negotiation now.
  (The 'a' in front of STARTTLS is not a typo, a prefix is required by the IMAP server in front of all commands.)
  Close the telnet (with 'a logout' or Ctrl+C) and you can use openssl to further investigate as you would otherwise; at the end of a lot of output including the certificate chain you should see a line similar to the one below:
  openssl s_client -starttls imap -connect your.domain.name.here:yourimapsportnumber
  . OK Pre-login capabilities listed, post-login capabilities have more.
  You can then use the capability command to look for what authentication methods are available, if you see AUTH=PLAIN, you can then issue a login command (it's already under an encrypted connection), and if it's successful ("a OK Logged in"), then most likely your iPhone will be able to connect to Dovecot as well.
  a capability
  * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
  a login username password
  * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
  a OK Logged in
  POSTFIX
  Likewise, you have to set Postfix to wait for STARTTLS before encrypting the communication.
  1. You have to delete the setting smtpd_tls_wrappermode=yes from /etc/postfix/master.cf and/or /etc/postfix/main.cf, if it was enabled. This will mean Outlook won't be able to connect any more because it requires a TSL connection without issuing STARTTLS as per Postfix documentation (haven't tested.) In my case we don't use Outlook so I didn't care. Outlook + iPhone + custom SMTPS port are simply not possible together at the same time as far as I understand. Pick one to sacrifice.
  2. Require encrypted (TLS) mode for any data transfer in /etc/postfix/main.cf:
  smtpd_tls_security_level = encrypt
  3. Authentication should only happen while already in encrypted (TLS) mode, so set in /etc/postfix/main.cf:
  smtpd_tls_auth_only = yes
  Don't forget postfix reload.
  To test if this works, issue the following telnet and wait for the server's greeting:
  telnet your.host.name.here yoursmtpsportnumber
  220 your.host.name ESMTP Postfix (Ubuntu)
  Then type in the EHLO and make sure the list of options contains STARTTLS and does not include an AUTH line (that would mean unencrypted authentication is available):
  ehlo your.host.name.here
  250-STARTTLS
  Then issue starttls and wait for the server's confirmation:
  starttls
  220 2.0.0 Ready to start TLS
  Once again, it's time to use openssl for further testing, detailed info here http://qmail.jms1.net/test-auth.shtml
  CERTIFICATES
  You also need to be aware that iOS is somewhat particular when it comes to certificates. First of all, you have to make sure to set the following extensions on your root certificate (probably in the [ v3_ca ] section in your /etc/ssl/openssl.cnf, depending on your openssl setup), especially the 'critical' keyword:
  basicConstraints = critical,CA:true
  keyUsage = critical, cRLSign, keyCertSign
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
  And then on the certificate you sign for your mail server, set the following, probably in the [ usr_cert ] section of /etc/ssl/openssl.cnf:
  basicConstraints=CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer
  subjectAltName = DNS:your.domain.name.here
  issuerAltName=issuer:copy
  Please note, the above are results of extensive google-ing and trial and error, so maybe you can omit some of the stuff above and it still works. When it started working for me, I stopped experimenting because figuring this all out already took way too much time. The iPhone is horribly undocumented when it comes to details of its peculiar behaviors. If you experiment more and have more accurate information, please feel free to post here as a reply to this message.
  You have to import your root certificate into your iPhone embedded in a profile via the iPhone Configuration Utility (free, but only available in Windows or a Mac; details here: http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to- ios-ipad-iphone/ ), after having first added it to Windows' certificate store as a trusted root certificate. This way the Utility will sign your certificate for the phone and it becomes usable; if you just add it from the phone it will be there but won't be used. Using a profile has the added benefit of being able to configure mail settings in it too, and that saves a lot of time when you have to install, remove, reconfigure, install again, etc. a million times until it works.
  Another undocumented constraint is that the key size is limited to a max of 4096. You can actually install a root certificate with a larger key, the iPhone Configuration Utility will do that for you without a word. The only suspicious thing is that on the confirmation screen shown on your iPhone when you install the profile you don't get the text "Root Certificate/ Installing the certificate will add it to the list of trusted certificates on your iPhone" in addition to your own custom prompt set up in the iPhone Configuration Utility. The missing additional text is your sign of trouble! - but how would know that before you saw it working once? In any case, if you force the big key certificate on the device, then when you open the Mail App, it opens up and then crashes immediately. Again, without a word. Supposedly Apple implemented this limit on the request of the US Government, read more here if you're interested: http://blogs.microsoft.co.il/blogs/kamtec1/archive/2012/10/13/limitation-of-appl e-devices-iphone-ipad-etc-on-rsa-key-size-bit.aspx .
  IN CLOSING...
  With all this, you can read and send email from your iPhone.
  Don't forget to set all your other clients (Thunderbird, Claws, etc.) to also use STARTTLS instead of SSL, otherwise they won't be able to connect after the changes above.

• How to get JSP to forward a request over SSL?

  I'm new to JSP and servlets, although I've been working with Java for a long time. I'm trying to write a simple user registration and login system to teach myself JSP. I would like to set things up so that the user is able to login securely over https. I'm not sure how to do that, though. There seems to be no place in the relative URLs to indicate that you should be forwarding a request over SSL. I've got sample login page below - would anyone know how to modify it so that it happens securely?
  Also, do I need to install a certificate on my web server?
  index.jsp
  <html>
      <body>
          <h1>Index</h1>
          <a href="login.jsp">Login</a>
      </body>
  </html>login.jsp
  <%@page contentType="text/html" pageEncoding="UTF-8"%>
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
     "http://www.w3.org/TR/html4/loose.dtd">
  <html>
      <body>
          <h1>Login</h1>
          <jsp:useBean id="userLogin"
                       class="com.kitfox.webrpg.UserLogin"/>
          <jsp:setProperty name="userLogin"
                           property="*"/>
          <%if (userLogin.isValid()) {%>
          <jsp:useBean id="userId"
                       class="com.kitfox.webrpg.UserIdent"
                       scope="session"/>
          <jsp:setProperty name="userId" property="*"/>
          <jsp:forward page="index.jsp"/>
          <%} else {%>
          <form action="login.jsp" method="post">
              <fieldset>
                  <legend>Enter login information</legend>
                  <label for="login">Login</label>
                  <input type="text" name="login" value="${userLogin.login}"/> <br/>
                  <label for="password">Password</label>
                  <input type="password" name="password"/> <br/>
                  <input type="submit" value="submit">
              </fieldset>
          </form>
          <%}%>
      </body>
  </html>

  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Secure Login</web-resource-name>
  <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  This code is used basically for different authentication type . Forward to any jsp under any layer works with <jsp:forward> or else try with request.getRequestDispatcher(" url (can be absolute or accurate path)").forward(request,response);
  Edited by: user8483670 on Mar 13, 2011 9:46 PM

• LC + ActiveDirectory + LDAP over SSL = doesn't work

  Hi,
  I installed Active Directory Certificate Services. Now I want setup LDAP over SSL. Unfortunatelly it doesn't work. I pressed "Test" and always get "Invalid username or invalid password" (
  German: "Ungültiger Benutzername oder ungültiges Kennwort"). I'm pretty sure username and password are fine (it worked before I installed Active Directory Certificate Services and used LDAP without SSL).
  On server.log, I got this:
  2011-11-12 00:51:28,202 INFO  [com.adobe.idp.um.businesslogic.synch.LdapHelper] Following stacktrace is generated due to the Test LDAP Server Configuration action
  javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
          at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
          at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
          at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
          at javax.naming.InitialContext.init(InitialContext.java:223)
          at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
          at com.adobe.idp.um.businesslogic.synch.LdapHelper.createContext(LdapHelper.java:663)
          at com.adobe.idp.um.businesslogic.synch.LdapHelper.testServerConfig(LdapHelper.java:682)
          at com.adobe.idp.um.ui.config.ConfigDirectoryEditAction.testServerSettings_onClick(ConfigDirectoryEditAction.java:215)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
          at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
          at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
          at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
          at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
          at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:91)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.CSRFFilter.doFilter(CSRFFilter.java:41)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:543)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
          at java.lang.Thread.run(Thread.java:619)
  Do you have some Idea?
  cu Floh

  I have not done it for Netscape yet but I have done it for Novell and JNDI.. Here is the settings for Novell
  // Dynamically set JSSE as a security provider
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // Dynamically set the property that JSSE uses to identify
  // the keystore that holds trusted root certificates
  System.setProperty("javax.net.ssl.trustStore", m_connectionData.getLocal("KeyStore").toString());
  ssf = new LDAPJSSESecureSocketFactory();
  // Set the socket factory as the default for all future connections
  LDAPConnection.setSocketFactory(ssf);

• SOAP over SSL

  Hi
  I have certificate ForKaraganda.pfx.
  I need to connect to web service .NET-SOAP application using client-certificate authentication uses HTTP over SSL and execute remote function.
  String file = "c:\\tmp\\ForKaraganda.pfx";
  String pass = "123456";
  System.setProperty("javax.net.ssl.keyStoreType","pkcs12");
  System.setProperty("javax.net.ssl.keyStore", file);
  System.setProperty("javax.net.ssl.keyStorePassword", pass);
  url = new URL("https://something.kz");
  SOAPConnectionFactory fac = SOAPConnectionFactory.newInstance();
  con = fac.createConnection();
  MessageFactory messageFactory  = MessageFactory.newInstance();
  SOAPMessage message = messageFactory.createMessage();
  SOAPHeader header = message.getSOAPHeader();
  SOAPBody body = message.getSOAPBody();
  SOAPFactory soapFactory = SOAPFactory.newInstance();
  javax.xml.soap.Name bodyName = soapFactory.createName("SelectUserByUIN","", "http://something2.kz/");
  javax.xml.soap.Name name = soapFactory.createName("uin");
  SOAPBodyElement bodyElement = body.addBodyElement(bodyName);
  SOAPElement uin = bodyElement.addChildElement(name);
  uin.addTextNode("234234234242");
  SOAPMessage response = con.call(message, url);But happened error
  WT-EventQueue-0, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  AWT-EventQueue-0, SEND TLSv1 ALERT:  fatal, description = internal_error
  AWT-EventQueue-0, WRITE: TLSv1 Alert, length = 2
  [Raw write]: length = 7
  0000: 15 03 01 00 02 02 50                               ......P
  AWT-EventQueue-0, called closeSocket()
  24.01.2008 14:39:56 com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
  SEVERE: SAAJ0009: Message send failed
  com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
  Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:140)
       ... 29 more
  ...How it fix?

  Hi
  I have certificate ForKaraganda.pfx.
  I need to connect to web service .NET-SOAP application using client-certificate authentication uses HTTP over SSL and execute remote function.
  String file = "c:\\tmp\\ForKaraganda.pfx";
  String pass = "123456";
  System.setProperty("javax.net.ssl.keyStoreType","pkcs12");
  System.setProperty("javax.net.ssl.keyStore", file);
  System.setProperty("javax.net.ssl.keyStorePassword", pass);
  url = new URL("https://something.kz");
  SOAPConnectionFactory fac = SOAPConnectionFactory.newInstance();
  con = fac.createConnection();
  MessageFactory messageFactory  = MessageFactory.newInstance();
  SOAPMessage message = messageFactory.createMessage();
  SOAPHeader header = message.getSOAPHeader();
  SOAPBody body = message.getSOAPBody();
  SOAPFactory soapFactory = SOAPFactory.newInstance();
  javax.xml.soap.Name bodyName = soapFactory.createName("SelectUserByUIN","", "http://something2.kz/");
  javax.xml.soap.Name name = soapFactory.createName("uin");
  SOAPBodyElement bodyElement = body.addBodyElement(bodyName);
  SOAPElement uin = bodyElement.addChildElement(name);
  uin.addTextNode("234234234242");
  SOAPMessage response = con.call(message, url);But happened error
  WT-EventQueue-0, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  AWT-EventQueue-0, SEND TLSv1 ALERT:  fatal, description = internal_error
  AWT-EventQueue-0, WRITE: TLSv1 Alert, length = 2
  [Raw write]: length = 7
  0000: 15 03 01 00 02 02 50                               ......P
  AWT-EventQueue-0, called closeSocket()
  24.01.2008 14:39:56 com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
  SEVERE: SAAJ0009: Message send failed
  com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
  Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:140)
       ... 29 more
  ...How it fix?

• LDAP over SSL

  A hosted service wants to authenticate against our AD.  They recommend using LDAPS. 
  What is best practice?  Install a public certificate on a DC. 
  For instance on DC1.contoso.com.  Then would I open up 443 on the firewall to that DC and allow from that IP? How would that affect other local LAN clients authenticating to that DC?

  A hosted service wants to authenticate against our AD.  They recommend using LDAPS. 
  What is best practice?  Install a public certificate on a DC. 
  For instance on DC1.contoso.com.  Then would I open up 443 on the firewall to that DC and allow from that IP? How would that affect other local LAN clients authenticating to that DC?
  If its hosted services & if its supports ADAM/AD LDS, then its much safe to use them instead of RWDC or RODC. Enabling LDAP over SSL enhances the security of the information how information is transmitted when client tries to contact DC for the information(authentication/authorization).
  Normally w/o LDAPs being configured in the environment, when client queries a DC in the domain, the information is transmitted in the plain text which ca be read by the hacker using tools available for free. The reason is simple the information on transit
  is not encrypted, but enabling LDAP over SSL prevent the unencrypted queries & provide more security.
  You can't simple implement LDAP over SSP, but it needs PKI infrastructure, planning & designing which is comprehensively listed into the document URL posted by Justin. You can also use ldap over SSL using AD LDS.
  http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx
  Awinish Vishwakarma - MVP
  My Blog: awinish.wordpress.com
  Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

• POP over SSL in Messaging 5.2

  I'm running Messaging 5.2, build 2002.51.1611 (iPlanet Messaging Server 5.2 HotFix 2.08 (built Sep 22 2005)) and would like to see if I can enable POP over SSL on that host.
  According to BugID, 4712887 pop over SSL works. When I follow the instructions in that document, I get the following errors:
  ./configutil -o service.pop.enablesslport -v 1
  General Error: func=configmsg_setkeys; func=psetSetAttrList; error=Attribute does not exist
  NO Unable to set option(service.pop.enablesslport)
  ./configutil -o service.pop.sslport -v 995
  [18/Nov/2005:18:34:45 +0000] mocbox5 [16332]: General Error: func=configmsg_setkeys; func=psetSetAttrList; error=Attribute does not exist
  NO Unable to set option(service.pop.sslport)
  service.pop.sslusessl is set to "yes"
  Is this wrong? Does POPS only run on Sun Java Enterprise Messaging (6.x)?
  Thanks,
  Don Holtzer

  try using the -l with your configutil setting
  configutil -o -l service.pop.enablesslport -v yes
  etc.

• Ldapbind failed over SSL  (U2 – "one way", "U3-two way") from Oracle DB to

  Hi
  I am facing the below error when I try ldapbind (database server to OID) over SSL (U2 – “one way”, “U3-two way”)
  *** ACTION NAME:() 2010-09-29 07:09:46.691
  *** MODULE NAME:(sqlplus@alddbux01 (TNS V1-V3)) 2010-09-29 07:09:46.691
  *** SERVICE NAME:(SYS$USERS) 2010-09-29 07:09:46.691
  *** SESSION ID:(121.274) 2010-09-29 07:09:46.691
  kzld_discover received ldaptype: OID
  KZLD_ERR: DB-OID SSL auth failed. Err=0
  KZLD is doing LDAP unbind
  KZLD_ERR: found err from kzldini
  Environment details:
  OID Server:
  OS: Enterprise Linux Enterprise Linux AS release 5.3
  Hostname : aldidmux02
  Oracle Internet Directory 11.1.1.2.0
  Realm in this OID is “dc=mycmsc,dc=com”
  Oracle Database Server:
  OS: Sun Solrais 5.10
  Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
  Hostname: alddbux01
  Key points:
  1.     As per metalink notes 466662.1, I am trying to setup EUS between DB - OID.
  First difference I see here is OID version (10.1.4.0.1) in notes & using OID 11g (11.1.1.2.0) in my environment for testing.
  a)     Are these steps applicable for OID11g(11.1.1.2.0) version?
  b)     If not please provide me the references for achieving ldap authentication from Oracle database server with OID 11g as ldap user repository.
  c)     As per task1 > step3 For the first time oidctl command is used to connect & start the instance before starting services using opmnctl. What is the procedure to do the same in OID11g?
  2.     Wallet certificates in my environment OID & Database server status shows “Ready”

  Is it possible to get an answer on this one from someone who knows?
  "Leif Kristian Vadseth" <[email protected]> wrote in
  message news:[email protected]..
  In WLS 6.0 I was able to configue the server SSL protocol so that when
  accessing the server (web application) from a web browser over https, the
  browser showed a list of matching installed client certificates that the
  client can choose, but the client could choose not to present his/hers
  certificate and still continue to access the requested resources.
  In WLS 6.1 I have not been able to repeat this behaviour, even if the SSL
  configuration is exactly the same.
  The project I work in wants to have both one-way SSL (using only username
  and password for authentication) and two-way SSL (using both
  username/password and certificate for authentication) in the same server.
  Is it possible to configure the server the way I want or do we have to
  configue two servers; one that does not require mutual authentication, and
  one that requires this?
  Leif Kristian Vadseth

• Trying to determine if LDAP over SSL is working using LDP.exe

  Hi,
  I just wanted to confirm that LDAP over SSL is working properly on our domain controller.  When I connect using LDP.exe on my Windows 7 computer, I get the following output:
  ld = ldap_sslinit("dc1.domain.com", 636, 1);
  Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
  Error 0 = ldap_connect(hLdap, NULL);
  Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
  Host supports SSL, SSL cipher strength = 128 bits
  Established connection to dc1.domain.com.
  Retrieving base DSA information...
  Getting 1 entries:
  Dn: (RootDSE)
  <unnecessary details>
  It looks like it is working, but I wasn't sure if the Error 0's mean there is some sort of problem.
  Also, when I run a Simple bind with my credentials, I get the following output:
  res = ldap_simple_bind_s(ld, 'myuseraccount-at-domaindotcom', <unavailable>); // v.3
  Authenticated as: 'DOMAIN\myuseraccount'.
  Finally, when I run a Bind as currently logged on user (with Encrypt traffic after bind checked), I get the following output:
  53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
  res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
  {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
  Authenticated as: 'DOMAIN\myuseraccount'.
  I followed all the instructions found in Microsoft article KB-321051 to get LDAP over SSL working with a valid 3rd party certificate on one of our Windows 2008 R2 domain controllers.  However, when I test Active Directory Authentication on our
  WatchGuard Management Server after importing the CA certificate, the test fails.  In order to use Active Directory Authentication, LDAPS (LDAP over SSL) must be enabled in the Active Directory domain and I am not 100% sure that it is enabled properly.
  Any advice or additional insight would be greatly appreciated.
  Thanks!

  Some ideas:
  DNS Name: KB-321051 says that you need the DNS name in either Subject CN or Subject Alternative Name. Which one did you use? Windows clients are fine with an empty CN and only the SAN populated (there the "either or" statement in the article)
  but third-party tools often look for the DNS name in the Subject CN.
  Even if the WatchGuard Server runs on Windows it might use its own certificate checking logic.
  DC certificate(s): Does the DC have more than this certificate? If yes I'd run a network trace to check which one the machine is actually sending in the SSL handshake.
  Chaining issues at your LDAP client / the WatchGuard Management Server:
  Very often such issues are related to the fact that the certificate chain is not validated properly. Some typical issues:
  It is not clear whether the client uses the Windows certificate store (even if it runs on a Windows server).
  Tools / systems / PKI clients can only deal with a single root CA, not with a hierarchy.
  You need to import both Root and intermediate CAs as the client cannot fetch the intermediates from AIA URLs.
  The client cannot access CRL URLs because of firewalls rules or missing access (e.g.: A CRL URL in AD is used but the client does not have an AD user in whose context it would try to fetch the CRL).
  The client has issues with blanks or special characters in CDP or AIA URLs.
  Having a quick look at
  WatchGuard documentation it seems to me that they are using their own certificate stores you need to import CA certificates to. And they only mention a "Root CA" so if your PKI has two levels you might need to import both CAs to the so-called Root store.
  Elke

• Code sample to access imap server over ssl via javamail 1.3.2

  I'm trying to access an imap mailbox over ssl and have downloaded the javamail 1.3.2 release. I understand this introduces the "imaps" protocol for this but has anyone got a simple code example and/or links to articles that describe the steps you need to get a working piece of code ? The release notes and samples seem a bit light on this area. I'm using Tomcat 5.5.4 and Java 5 in my environment.
  Thanks in advance.

  Hi,
  this article should help you to get on the way: http://www.javaworld.com/javatips/jw-javatip115.html.
  To access an IMAP-server via ssl, you could use the following code:
        String SSL_FACTORY = "javax.net.ssl.SSLSocketFactory";
        Properties props = new Properties();
        props.setProperty("mail.store.protocol", "imap");
        props.setProperty("mail.imap.host", hostname);
        props.setProperty("mail.imap.port", port);
        if (mustUseSSL())
          props.setProperty( "mail.imap.socketFactory.class", SSL_FACTORY);
          props.setProperty( "mail.imap.socketFactory.fallback", "false");
          props.setProperty( "mail.imap.socketFactory.port", secureport);
          java.security.Security.setProperty( "ssl.SocketFactory.provider", SSL_FACTORY);
        Session s = Session.getDefaultInstance(props, null);
        Store store = s.getStore(protocol);
        try
            store.connect(hostname, port, user, pwd);
        catch (AuthenticationFailedException afe)
            // no valid authentication
        catch (Exception ge)
             // different exception
        }

• Help with SQL over SSL

  I'm running into a problem with configuring SQL over SSL on a SQL 2005 server. Hoping someone can tell me what I'm doing wrong....
  Setup:
  -Windows Server 2003
  -SQL 2005
  -Certificate from Thawte - Proper one for server authentication
  -SQL Service runs under Administrator
  Here's what I've done so far:
  1. A Certificate has been purchased from Thawte, with the FQDN of "servera.domain.com" (to match the external DNS name of the SQL server)
  2. I have provisioned the certificate on the server, by using the Certificates MMC to import the .CER file from Thawte into the Computer store (tried user store also, for kicks - didn't help)
  3. Went into SQL Configuration Manager, which doesn't show the certificate (Certificate field is blank)
  3a. Found a workaround, which was to add the certificate's thumbprint (cert hash) without spaces to the certificate value under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib" registry key.
  At this point, I try to start the SQL service and it starts and then stops. An error appears in the event log - Event ID # 26014 - "Unable to load user-specified certificate. The server will not accept a connection. You should verify that the certificate is correctly installed".
  I looked at the Microsoft's certificate requirements for SQL Server 2005 to load a SSL certificate. The cert meets all of the criteria, but the subject property of the certificate is making me wonder.... The requirement is for the subject property to "indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer". The CN of the cert is "servera.domain.com", in order for it to match the internet DNS record, but the server name is "servera.internal.local". Could SQL be refusing to use the cert due to the CN being a bit off? This is the only thing I can think of, but not sure how one would get around this issue without naming the server the external DNS name (not generally recommended).
  Any ideas?
  Thanks very much,
  Vishnu

  I have not run into this, but have only worked with this in a test environment sith self signed certs. 
  Try registering the cert using httpcfg, see the below link for more details:
  http://technet2.microsoft.com/windowsserver/en/library/e17527d2-105a-451f-8e3f-d515479527011033.mspx?mfr=true
   Also assure that the certificate meets:
  The certificate must be in either the local computer certificate store or the current user certificate store.
  The current system time must be after the Valid from property of the certificate and before the Valid to property of the certificate.
  The certificate must be meant for server authentication. This requires the Enhanced Key Usage property of the certificate to specify Server Authentication (1.3.6.1.5.5.7.3.1).
  The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. Usually, the certificate's key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
  The Subject property of the certificate must indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer. If SQL Server is running on a failover cluster, the common name must match the host name or FQDN of the virtual server and the certificates must be provisioned on all nodes in the failover cluster.