NET8에서 SSL사용하기

Similar Messages

• HOWTO: Setting up Server-Side Authentication with SSL

  This howto covers the configuration of server-side SSL authentication for both Net8 and IIOP (JServer) connections. It documents the steps required to set up an SSL encrypted connection; it does not cover certificate authentication.
  It is worthwhile noting that although the setup of SSL requires the installation of certificates, these certificates do not have to be current, only valid. For some reason, in order to enable SSL connections, it is necessary to set up valid certificate file on the server whether you intend to use certificate authentication or not.
  NOTE: I have been unable to determine whether or not the above statement is entirely correct. If anyone can confirm or disprove it, please let me know.
  The steps described below must all be carried out from the same logon account. They have been tested on both 816 and 817 databases, but will probably work for all versions, including 9i (unless there have been some drastic changes in 9i that I'm not aware of).
  1. Log on to the database server with an administrative login.
  Configure the database and listener to run under the current login account (Control Panel -> Services). It is not necessary to restart these services at this time.
  2. Create an Oracle wallet and set up the required certificates
  (i) Open the Oracle Wallet Manager:
  Start -> Programs -> [Oracle Home] -> Network Administration -> Wallet Manager
  (ii) Create a new wallet (Wallet -> New).
  (iii) When prompted, elect to generate a certificate request.
  (iv) On the request form, the only field that matters is the Common Name. Enter the fully qualified domain name (FQDN) of the database server (i.e. the name with which the database server will be referenced by clients).
  (v) Export the certificate request to file (Operations -> Export Certificate Request).
  (vi) Obtain a valid server certificate from an authorised signing authority. It will also be necessary to download the signing authoritys publicly available trusted root certificate. Certificates can be obtained from Verisign (http://www.verisign.com/)
  (vii) Install the trusted root certificate obtained in (vi) into the wallet (Operations -> Import Trusted Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
  (viii) Install the server certificate obtained in (vi) into the wallet (Operations -> Import User Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
  (ix) Save the wallet (Wallet -> Save). The wallet will be saved to the [user home]\Oracle\Wallets directory.
  3. Configure the listener for SSL.
  (i) Open the Oracle Net8 Assistant:
  Start -> Programs -> [Oracle Home] -> Network Administration -> Net8 Assistant
  (ii) Select Net8 Configuration -> Local -> Profile.
  (iii) From the drop-down list at right, select Oracle Advanced Security. Select the SSL tab.
  (iv) Select the Server radio button.
  (v) In the wallet directory field, enter the location of the wallet created in step 2, e.g. C:\WINNT\Profiles\oracleuser\ORACLE\WALLET
  (vi) Uncheck the Require Client Authentication checkbox.
  (vii) Select Net8 Configuration -> Listeners -> [listener name].
  (viii) Add a new address:
  Protocol: TCP/IP with SSL
  Host: [database server FQDN] (e.g. oraserver)
  Port: 2484
  (ix) Add a second new address:
  Protocol: TCP/IP with SSL
  Host: [database server FQDN] (e.g. oraserver)
  Port: 2482
  Check the Dedicate this endpoint to IIOP connections checkbox.
  (x) Save the Net8 configuration (File p Save Network Configuration).
  (xi) Restart the listener service.
  4. Configure the database to accept SSL connections.
  (i) Open the database inti.ora file (\admin\[SID]\pfile\init.ora or equivalent).
  (ii) At the bottom of the file, uncomment the line that reads
  mts_dispatchers = "(PROTOCOL=TCPS)(PRE=oracle.aurora.server.SGiopServer)"
  (iii) Save the file and restart the database service.
  5. Test the SSL confi guration using the Net8 Assistant.
  (i) Open the Oracle Net8 Assistant.
  (ii) Select Net8 Configuration -> Local -> Service Naming.
  (iii) Add a new net service (Edit p Create).
  Net service name: [SID].auth (e.g. iasdb.auth)
  Protocol: TCP/IP with SSL
  Host: [database server] (e.g. oraserver)
  Port: 2484
  Service Name/SID: [SID] (e.g. iasdb.orion.internal)
  Note: at the end of the net service configuration, click Finish, not Test. The test can hang if run from the wizard.
  (iv) Test the connection (Command -> Test Service). If the only error to appear is username/password denied, the test has succeeded.
  null

  Dear Alex,
  Thank you for reaching the Small Business Support Community.
  I would first suggest you to uncheck the "Perfect Forward Secrecy" setting on the RVS4000 and if see if there is some similar setting enabled, then disable it, on the other side.  If still the same thing happens, then go to RVS4000, VPN Advanced settings, and disable the "Aggressive Mode" so it becomes "Main mode" and use the same on the other end of the tunnel.
  Just in case and as a VPN configuration guide, below is a document called "IPSec VPN setup" if it helps somehow;
  http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=587
  Besides my suggestions I would advise you to contact your ISP to make sure there is no IPSec traffic restrictions and/or if there is something in particular they require to make this happen and please do not hesitate to reach me back if there is any further assistance I may help you with.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• Confirming connections are over ssl - OAS - advanced security

  I have both ssl encrypted, via OAS, and non-ssl connection support configured. During a transition time, before I disable the clear text connection support, I'd like to monitor how clients are making the connection and hopefully, be able to identify them so they can "adjusted" away from clear text. I can do this with a tcpdump filter on the server, but is there some way to collect this information in the database?
  I consider net8 tracing on the server a silly response to this question, too much overhead and it requires a restart to turn tracing on. tcpdump is a much easier way to attack the problem down near that layer. This query will tell you about your current session, but I need to know about all sessions.
  select sys_context('USERENV','NETWORK_PROTOCOL') from dual;
  Thanks.

  I was curious about why I would get the periodic close() callsBecause RMI does connection pooling, which you can also control via those system properties, and part of that is closing idle connections.
  and also about why the ServerHello might be timing out. Any further insight?Network problems?
  Would the DNS configuration still come into play even if we were connecting purely to the IP address?Yes because Java does reverse DNS lookups when opening sockets.
  Do the domain names in the cert chain(s) possibly get resolved every time?No.

• SSL in mod_ose

  Hi
  We are using the Oracle 9i AS, with the OSE component.
  We are starting up Apache with SSL support and can access our servlets by both reqular http and https.
  According to the Servlet API 2.2 you can use the method HttpServletRequest.isSecure() to decide whether the servlet is used with SSL.
  But no matter if I call the servlet with https or http isSecure() returns false.
  Is isSecure() supported by Oracle?
  Is it really telling me the status of the net8 connection between Apache and OSE?
  If all communication between Apache and OSE is SSL encrypted will it return true no matter if I use http or https?
  How do I setup mod_ose to use a SSL-net8 connection when https is used and a normal net8 connection when http is used.

  HttpServletRequest.isSecure() and ServletRequest.getScheme() are returning the nature of connection and protocol between Apache and OSE/OJVM. OSE/OJVM has no information about the connection between the client and Apache.
  We checked the behavior of mod_ose here is what we have:
  - mod_ose does not send such ( SERVER_PROTOCOL) environment variable
  - there is however provision in mod_jserv & mod_jk to send environment variables. We have looked into the mod_jserv and mod_jk code and found that it( passing environment
  variables) was not implemented.
  - Oracle development will look into ways of passing these environment variable thru' mod_ose.
  - the servlet 2.2 spec, is not clear what the behavior should be when there is a proxy server or Apache. but we do agree with the end user's expectation and we should look into ways to passing the environment variable info to the servlet engine.
  But until we make that enhancement then the answer is that HttpServletRequest.isSecure() and ServletRequest.getScheme() are returning the nature of connection and protocol between Apache and OSE/OJVM.

• How do i open a web page with VeriSign Class 3 Extended Validation SSL SGC SS CA certfificate i can't open web pages with this, how do i open a web page with VeriSign Class 3 Extended Validation SSL SGC CA certfificate i can't open web pages with this

  how do i open a web page with VeriSign Class 3 Extended Validation SSL SGC SS CA ?

  Hi
  I am not suprised no one answered your questions, there are simply to many of them. Can I suggest you read the faq on 'how to get help quickly at - http://forums.adobe.com/thread/470404.
  Especially the section Don't which says -
  DON'T
  Don't post a series of questions in  a single post. Splitting them into separate threads increases your  chances of a quick answer.
  PZ
  www.pziecina.com

• IP Phone SSL VPN and Split tunneling

  Hi Team,
  I went throught the following document which is very useful:
  https://supportforums.cisco.com/docs/DOC-9124
  The only things i'm not sure about split-tunneling point:
  Group-policy must not be configured with split tunnel or split exclude.  Only tunnel all is the supported tunneling policy
  I could see many implementation when they used split-tunneling, like one of my customer:
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  banner value This system is only for Authorized users.
  dns-server value 10.64.10.13 10.64.10.14
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value prod.mobily.lan
  address-pools value SSLClientPool
  webvpn
    anyconnect keep-installer installed
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask none default anyconnect
  username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
  username manager-max attributes
  vpn-group-policy GroupPolicy1
  tunnel-group PhoneVPN type remote-access
  tunnel-group PhoneVPN general-attributes
  address-pool SSLClientPool
  authentication-server-group AD
  default-group-policy GroupPolicy1
  tunnel-group PhoneVPN webvpn-attributes
  group-url https://84.23.107.10 enable
  ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
  access-list split-tunnel remark split-tunnel network list
  access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
  It is working for them w/o any issue.
  My question would be
  - is the limitation about split-tunneling still valid? If yes, why it is not recommended?
  Thanks!
  Eva

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"

  Hi,
  Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
  some relevant config
  webvpn
  enable wan
  svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  svc enable
  group-policy vpnpolicy1 internal
  group-policy vpnpolicy1 attributes
  vpn-tunnel-protocol svc
  tunnel-group admins type remote-access
  tunnel-group admins general-attributes
  address-pool sslpool2
  default-group-policy vpnpolicy1
  username myuser password 1234567890 encrypted privilege 15
  username myuser  attributes
  vpn-group-policy vpnpolicy1
  Debug:
  asa01# debug webvpn 255
  INFO: debug webvpn  enabled at level 255.
  asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_login_resolve_tunnel_group: tgCookie = NULL
  webvpn_login_resolve_tunnel_group: tunnel group name from default
  webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
  webvpn_portal.c:http_webvpn_kill_cookie[790]
  webvpn_auth.c:http_webvpn_pre_authentication[2321]
  WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
  webvpn_add_auth_handle: auth_handle = 17
  WebVPN: started user authentication...
  webvpn_auth.c:webvpn_aaa_callback[5138]
  WebVPN: AAA status = (ACCEPT)
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_resuming[3093]
  webvpn_auth.c:http_webvpn_post_authentication[1485]
  WebVPN: user: (myuser) authenticated.
  webvpn_auth.c:http_webvpn_auth_accept[2938]
  webvpn_session.c:http_webvpn_create_session[184]
  WebVPN: error creating WebVPN session!
  webvpn_remove_auth_handle: auth_handle = 17
  webvpn_free_auth_struct: net_handle = CD5734D0
  webvpn_allocate_auth_struct: net_handle = CD5734D0
  webvpn_free_auth_struct: net_handle = CD5734D0

  AnyConnect says:
  "The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
  The following message was received from the secure gateway: Host or network is 0"
  Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
  ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
  asa01# debug webvpn 255
  INFO: debug webvpn  enabled at level 255.
  asa01# debug http 255
  debug http enabled at level 255.
  asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_login_resolve_tunnel_group: tgCookie = NULL
  webvpn_login_resolve_tunnel_group: tunnel group name from default
  webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
  webvpn_portal.c:http_webvpn_kill_cookie[790]
  webvpn_auth.c:http_webvpn_pre_authentication[2321]
  WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
  webvpn_add_auth_handle: auth_handle = 22
  WebVPN: started user authentication...
  webvpn_auth.c:webvpn_aaa_callback[5138]
  WebVPN: AAA status = (ACCEPT)
  webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
  webvpn_portal.c:webvpn_login_validate_net_handle[2234]
  webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
  webvpn_portal.c:webvpn_login_assign_app_next[2272]
  webvpn_portal.c:webvpn_login_cookie_check[2289]
  webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
  webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
  webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
  webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
  webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
  webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
  webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
  webvpn_portal.c:webvpn_login_check_cert_status[2733]
  webvpn_portal.c:webvpn_login_cert_only[2774]
  webvpn_portal.c:webvpn_login_primary_username[2796]
  webvpn_portal.c:webvpn_login_primary_password[2878]
  webvpn_portal.c:webvpn_login_secondary_username[2910]
  webvpn_portal.c:webvpn_login_secondary_password[2988]
  webvpn_portal.c:webvpn_login_extra_password[3021]
  webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
  webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
  webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
  webvpn_portal.c:webvpn_login_aaa_resuming[3093]
  webvpn_auth.c:http_webvpn_post_authentication[1485]
  WebVPN: user: (myuser) authenticated.
  webvpn_auth.c:http_webvpn_auth_accept[2938]
  HTTP: net_handle->standalone_client [0]
  webvpn_session.c:http_webvpn_create_session[184]
  webvpn_session.c:http_webvpn_find_session[159]
  WebVPN session created!
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_remove_auth_handle: auth_handle = 22
  webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE9C3208
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C3208
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_allocate_auth_struct: net_handle = CE863DE8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE863DE8
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  webvpn_auth.c:webvpn_auth[581]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  WebVPN: session has been authenticated.
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_allocate_auth_struct: net_handle = CE9C32C8
  ewsStringSearch: no buffer
  Close 0
  webvpn_free_auth_struct: net_handle = CE9C32C8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_allocate_auth_struct: net_handle = CC894AA8
  webvpn_session.c:http_webvpn_find_session[159]
  webvpn_session.c:webvpn_update_idle_time[1463]
  Close 1043041832
  webvpn_free_auth_struct: net_handle = CC894AA8

• SSL private key password

  Hello everyone,
  I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
  with WLP 7.0 SP2. Everythng is fine except for that we cannot use the same
  SSL certificate. By defaul the private key is not encrypted with password
  (SSL.KeyEncrypted = false by default, according to the documentations) in
  both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results the
  following error:
  <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
  <Inconsistent se
  curity configuration, java.lang.Exception: Cannot read private key from file
  C:\
  bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
  sure pa
  ssword specified in environment property weblogic.management.pkpassword is
  valid
  .>
  java.lang.Exception: Cannot read private key from file
  C:\bea7\user_projects\age
  ncyPortal\portal_islandinsurance_com-key.der. Make sure password specified
  in en
  vironment property weblogic.management.pkpassword is valid.
  at
  weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
  ava:434)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
  at weblogic.Server.main(Server.java:32)
  Is this happening because the private key is actually encrypted with the
  password? It was working, although the KeyEncrypted is not set to true and
  the startup script for WLS 6.1 instance did have a line
  with -Dweblogic.management.pkpassword. Or could this error be result of
  something else? The physical machine the instances are located is the same
  and IP address and the DNS entry hasn't been changed, either.
  Any insight will be greatly appreciated. Thanks!
  Makoto

  Thanks Tony - it worked!!
  "Tony" <TonyV> wrote in message news:[email protected]...
  It may be because the private key is both unprotected and in DER format.
  There are some things to try:
  1) Convert the private key file from a DER file to a PEM file and try
  that:
  a) Follow the for converting an unprotected private key at:
  http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
  b) Look at the resulting PEM file, it should look something like
  this:
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
  (Be sure there is no extra lines or whitespace after thefooter)
  >
  c) Change your configuration to point at the PEM file
  If that doesn work, then you can try protecting the key with apassword
  using
  the wlkeytool utility (It should be in the server/bin directory). The
  tool should prompt
  for a password to use to protect it:
  wlkeytool inputkey.pem outputkey.pem
  Then change your configuration to use the protected private key, andset
  the passwod to use.
  Tony
  "Makoto Suzuki" <[email protected]> wrote in message
  news:[email protected]...
  Hello everyone,
  I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0SP2
  with WLP 7.0 SP2. Everythng is fine except for that we cannot use the
  same
  SSL certificate. By defaul the private key is not encrypted withpassword
  (SSL.KeyEncrypted = false by default, according to the documentations)in
  both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script resultsthe
  following error:
  <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
  <Inconsistent se
  curity configuration, java.lang.Exception: Cannot read private key fromfile
  C:\
  bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
  sure pa
  ssword specified in environment property weblogic.management.pkpassword
  is
  valid
  .>
  java.lang.Exception: Cannot read private key from file
  C:\bea7\user_projects\age
  ncyPortal\portal_islandinsurance_com-key.der. Make sure passwordspecified
  in en
  vironment property weblogic.management.pkpassword is valid.
  at
  weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
  ava:434)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
  atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
  at weblogic.Server.main(Server.java:32)
  Is this happening because the private key is actually encrypted with the
  password? It was working, although the KeyEncrypted is not set to true
  and
  the startup script for WLS 6.1 instance did have a line
  with -Dweblogic.management.pkpassword. Or could this error be result of
  something else? The physical machine the instances are located is thesame
  and IP address and the DNS entry hasn't been changed, either.
  Any insight will be greatly appreciated. Thanks!
  Makoto

• SSL TEST IN R12

  Hi,
  we are about to implement SSL in ebs r12.0.4 to ensure that the user name and password get passed over the browser as encrypted(by default which is passed as simple text).
  Now i am following metalink document Enabling SSL in Release 12 [ID 376700.1]
  Initially i was testing with the demo certifcatest at the $INST_TOP/certs/Apache.
  All the middle tier setups has been done.Then when i restarted the Application and tried to connect my url that get redirected to the SSL port correctly but then failed with following:--
  500 Internal Server Error
  java.lang.NoClassDefFoundError     at oracle.apps.fnd.sso.AppsLoginRedirect.AppsSetting(AppsLoginRedirect.java:120)     
  at oracle.apps.fnd.sso.AppsLoginRedirect.init(AppsLoginRedirect.java:161)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpApplication.loadServlet(HttpApplication.java:2231)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpApplication.findServlet(HttpApplication.java:4617)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpApplication.findServlet(HttpApplication.java:4541)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:2821)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:740)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)     
  at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)     
  at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:230)     
  at oracle.oc4j.network.ServerSocketAcceptHandler.access$800(ServerSocketAcceptHandler.java:33)     
  at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:831)     
  at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)     
  at java.lang.Thread.run(Thread.java:595)Please help.
  Edited by: Susmit on Dec 24, 2010 4:24 PM

  Hi;
  please check below notes:
  "500 Internal Server Error - java.lang.NoClassDefFoundError: oracle.apps.fnd.profiles.Profiles" on 10G [ID 567554.1]
  R12: Troubleshooting 500 Internal Server Error in Oracle E-Business suite [ID 813523.1]
  Regard
  Helios

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Error while adding a connector for SSL..help!!!

  i'm getting this error when i added a connector for SSL and restarted tomcat
  my connector tag is
  <Connector keystorePass="kalima" scheme="https" port="8443" sslProtocol="TLS" redirectPort="-1" enableLookups="true" keystoreFile="Mykeystore" protocol="TLS" keystore="C:\Documents and Settings\santhoshyma\Mykeystore" clientauth="false" algorithm="SunX509" keypass="changeit" secure="true" keytype="JKS">
        <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory" keystorePass="kalima" keystoreFile="C:\SSLTest\Mykeystore"/>
      </Connector>
  LifecycleException:  Protocol handler instantiation failed: java.lang.NullPointe
  rException
          at org.apache.coyote.tomcat5.CoyoteConnector.initialize(CoyoteConnector.
  java:1368)
          at org.apache.catalina.core.StandardService.initialize(StandardService.j
  ava:609)
          at org.apache.catalina.core.StandardServer.initialize(StandardServer.jav
  a:2384)
          at org.apache.catalina.startup.Catalina.load(Catalina.java:507)
          at org.apache.catalina.startup.Catalina.load(Catalina.java:528)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
  java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
  sorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:324)
          at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:250)
          at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:424)

  The question is answered in CRM 7.0 forum:
  Getting error while adding a custom field (with input help) through AET

• Error while invoking web service over SSL

  While making a SSL Connections to web service i am getting the below mentioned error in spite of configuring the certificate provided by the client onto WLS.
  I tried adding the certificate to the default DemoTrust and DemoIdentity Keystores. The error still persisted.
  I also tried importing the certificate(into cacerts keystore) as Java Standard Trust as well as tried pointing it to the custom keystores. None of it worked :(
  Could somebody please give a solution to resolve this error ASAP.
  The error is:
  Message:exception occured, due to org.apache.axis2.AxisFault: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  org.apache.axis2.AxisFault: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
       at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:83)
       at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84)
       at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
       at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
       at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
       at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
       at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
       at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:542)
       at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
       at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:76)
       at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:400)
       at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:225)
       at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:435)
       at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:402)
       at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
       at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
       at com.intel.services.warrantyservice.Get_Warranty_Details_OutServiceStub.get_Warranty_Details_Out(Get_Warranty_Details_OutServiceStub.java:184)
       at com.intel.www.PortalServices.PortalServicesSOAPImpl.getWarrantyDetails(PortalServicesSOAPImpl.java:1865)
       at com.intel.www.PortalServices.PortalServicesSOAPSkeleton.getWarrantyDetails(PortalServicesSOAPSkeleton.java:213)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
       at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
       at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
       at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
       at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
       at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454)
       at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
       at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3590)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  Caused by: javax.xml.stream.XMLStreamException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at weblogic.xml.stax.XMLWriterBase.flush(XMLWriterBase.java:504)
       at org.apache.axiom.om.impl.MTOMXMLStreamWriter.flush(MTOMXMLStreamWriter.java:168)
       at org.apache.axis2.databinding.utils.writer.MTOMAwareXMLSerializer.flush(MTOMAwareXMLSerializer.java:79)
       at org.apache.axis2.databinding.ADBDataSource.serialize(ADBDataSource.java:94)
       at org.apache.axiom.om.impl.llom.OMSourcedElementImpl.internalSerializeAndConsume(OMSourcedElementImpl.java:738)
       at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerialize(OMElementImpl.java:966)
       at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:995)
       at org.apache.axiom.soap.impl.llom.SOAPEnvelopeImpl.serializeInternally(SOAPEnvelopeImpl.java:254)
       at org.apache.axiom.soap.impl.llom.SOAPEnvelopeImpl.internalSerialize(SOAPEnvelopeImpl.java:242)
       at org.apache.axiom.om.impl.llom.OMElementImpl.internalSerializeAndConsume(OMElementImpl.java:995)
       at org.apache.axiom.om.impl.llom.OMNodeImpl.serializeAndConsume(OMNodeImpl.java:486)
       at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:79)
       ... 48 more
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
       at org.apache.commons.httpclient.ChunkedOutputStream.flush(ChunkedOutputStream.java:191)
       at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:278)
       at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:122)
       at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:212)
       at java.io.BufferedWriter.flush(BufferedWriter.java:236)
       at weblogic.xml.stax.XMLWriterBase.flush(XMLWriterBase.java:502)
       ... 59 more
  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
       at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
       at sun.security.validator.Validator.validate(Validator.java:218)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
       ... 74 more
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
       at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
       at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
       ... 80 more

  Which version/platform are you using?
  The thing you need to consider here is that the JDev proxy settings do not affect the BPEL server.
  So if the BPEL server cannot connect to your webservice, it will not be because of any Jdev setting.
  Check the proxy settings on your BPEL server (on 10.1.2 developer install it will be in obsetenv.bat, on 10.1.3 it will be a commandline property of the JVM - see AS Control administration page for the JVM)

• Error while trying SSL on OHS

  I'm getting "Init: SSL call to NZ function nzos_OpenWallet failed with error 29248" error in log file HTTP_Server~1 while starting OHS (using opmnctl startall).
  I created a Wallet with auto login option checked. I was able to create certificate Request and got a certificate from verisign (14 days Validity). I imported Root certificate and intermediate certificate from verisign into the wallet and then successfully imported the trial certificate. After saving the wallet in default location I got 2 files (cwallet.sso and ewallet.p12) there.
  Configuration in opmn.xml is :
  <ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
  <environment>
  <variable id="PERL5LIB" value="D:\product\10.1.3\OracleAS_1\Apache\Apache\mod_perl\site\5.8.3\lib\MSWin32-x86-multi-thread;$ORACLE_HOME\perl\5.8.3\lib;$ORACLE_HOME\perl\site\5.8.3\lib"/>
  <variable id="PHPRC" value="D:\product\10.1.3\OracleAS_1\Apache\Apache\conf"/>
  <variable id="PATH"
  value="$ORACLE_HOME\Perl\5.8.3\bin\MSWin32-x86-multi-thread" append="true"/>
  </environment>
  <module-data>
  <category id="start-parameters">
  <data id="start-mode" value="ssl-enabled"/>
  </category>
  </module-data>
  <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
  </ias-component>
  my httpd.conf file is as follows:
  ## httpd.conf -- Apache HTTP server configuration file
  # Based upon the NCSA server configuration files originally by Rob McCool.
  # This is the main Apache server configuration file. It contains the
  # configuration directives that give the server its instructions.
  # See <URL:http://www.apache.org/docs/> for detailed information about
  # the directives.
  # Do NOT simply read the instructions in here without understanding
  # what they do. They're here only as hints or reminders. If you are unsure
  # consult the online docs. You have been warned.
  # After this file is processed, the server will look for and process
  # D:\product\10.1.3\OracleAS_1\Apache\Apache/conf/srm.conf and then D:\product\10.1.3\OracleAS_1\Apache\Apache/conf/access.conf
  # unless you have overridden these with ResourceConfig and/or
  # AccessConfig directives here.
  # The configuration directives are grouped into three basic sections:
  # 1. Directives that control the operation of the Apache server process as a
  # whole (the 'global environment').
  # 2. Directives that define the parameters of the 'main' or 'default' server,
  # which responds to requests that aren't handled by a virtual host.
  # These directives also provide default values for the settings
  # of all virtual hosts.
  # 3. Settings for virtual hosts, which allow Web requests to be sent to
  # different IP addresses or hostnames and have them handled by the
  # same Apache server process.
  # Configuration and logfile names: If the filenames you specify for many
  # of the server's control files begin with "/" (or "drive:/" for Win32), the
  # server will use that explicit path. If the filenames do not begin
  # with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
  # with ServerRoot set to "D:\product\10.1.3\OracleAS_1\Apache\Apache" will be interpreted by the
  # server as "D:\product\10.1.3\OracleAS_1\Apache\Apache/logs/foo.log".
  # NOTE: Where filenames are specified, you must use forward slashes
  # instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
  # If a drive letter is omitted, the drive on which Apache.exe is located
  # will be used by default. It is recommended that you always supply
  # an explicit drive letter in absolute paths, however, to avoid
  # confusion.
  ### Section 1: Global Environment
  # The directives in this section affect the overall operation of Apache,
  # such as the number of concurrent requests it can handle or where it
  # can find its configuration files.
  # ServerType is either inetd, or standalone. Inetd mode is only supported on
  # Unix platforms.
  ServerType standalone
  # ServerRoot: The top of the directory tree under which the server's
  # configuration, error, and log files are kept.
  # Do NOT add a slash at the end of the directory path.
  ServerRoot "D:\product\10.1.3\OracleAS_1\Apache\Apache"
  # PidFile: The file in which the server should record its process
  # identification number when it starts.
  PidFile logs/httpd.pid
  # ScoreBoardFile: File used to store internal server process information.
  # Not all architectures require this. But if yours does (you'll know because
  # this file will be created when you run Apache) then you must ensure that
  # no two invocations of Apache share the same scoreboard file.
  ScoreBoardFile logs/httpd.scoreboard
  # In the standard configuration, the server will process httpd.conf (this
  # file, specified by the -f command line option), srm.conf, and access.conf
  # in that order. The latter two files are now distributed empty, as it is
  # recommended that all directives be kept in a single file for simplicity.
  # The commented-out values below are the built-in defaults. You can have the
  # server ignore these files altogether by using "/dev/null" (for Unix) or
  # "nul" (for Win32) for the arguments to the directives.
  #ResourceConfig conf/srm.conf
  #AccessConfig conf/access.conf
  # Timeout: The number of seconds before receives and sends time out.
  Timeout 300
  # SendBufferSize: controls setsockopt() call made to set send buffer size on
  # all sockets. Default OS value on most Windows platforms is too small.
  # Larger values can help if the average page size served by OHS is
  # large (~64 k)
  SendBufferSize 16384
  # KeepAlive: Whether or not to allow persistent connections (more than
  # one request per connection). Set to "Off" to deactivate.
  KeepAlive On
  # MaxKeepAliveRequests: The maximum number of requests to allow
  # during a persistent connection. Set to 0 to allow an unlimited amount.
  # We recommend you leave this number high, for maximum performance.
  MaxKeepAliveRequests 100
  # KeepAliveTimeout: Number of seconds to wait for the next request from the
  # same client on the same connection.
  KeepAliveTimeout 15
  # Apache on Win32 always creates one child process to handle requests. If it
  # dies, another child process is created automatically. Within the child
  # process multiple threads handle incoming requests. The next two
  # directives control the behaviour of the threads and processes.
  # MaxRequestsPerChild: the number of requests each child process is
  # allowed to process before the child dies. The child will exit so
  # as to avoid problems after prolonged use when Apache (and maybe the
  # libraries it uses) leak memory or other resources. On most systems, this
  # isn't really needed, but a few (such as Solaris) do have notable leaks
  # in the libraries. For Win32, set this value to zero (unlimited)
  # unless advised otherwise.
  # NOTE: This value does not include keepalive requests after the initial
  # request per connection. For example, if a child process handles
  # an initial request and 10 subsequent "keptalive" requests, it
  # would only count as 1 request towards this limit.
  MaxRequestsPerChild 0
  # Number of concurrent threads (i.e., requests) the server will allow.
  # Set this value according to the responsiveness of the server (more
  # requests active at once means they're all handled more slowly) and
  # the amount of system resources you'll allow the server to consume.
  ThreadsPerChild 50
  # Server-pool size regulation. Rather than making you guess how many
  # server processes you need, Apache dynamically adapts to the load it
  # sees --- that is, it tries to maintain enough server processes to
  # handle the current load, plus a few spare servers to handle transient
  # load spikes (e.g., multiple simultaneous requests from a single
  # Netscape browser).
  # It does this by periodically checking how many servers are waiting
  # for a request. If there are fewer than MinSpareServers, it creates
  # a new spare. If there are more than MaxSpareServers, some of the
  # spares die off. The default values are probably OK for most sites.
  #MinSpareServers 5
  #MaxSpareServers 20
  # Limit on total number of servers running, i.e., limit on the number
  # of clients who can simultaneously connect --- if this limit is ever
  # reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
  # It is intended mainly as a brake to keep a runaway server from taking
  # the system with it as it spirals down...
  #MaxClients 150
  # Listen: Allows you to bind Apache to specific IP addresses and/or
  # ports, in addition to the default. See also the <VirtualHost>
  # directive.
  #Listen 3000
  #Listen 12.34.56.78:80
  # BindAddress: You can support virtual hosts with this option. This directive
  # is used to tell the server which IP address to listen to. It can either
  # contain "*", an IP address, or a fully qualified Internet domain name.
  # See also the <VirtualHost> and Listen directives.
  #BindAddress *
  # Dynamic Shared Object (DSO) Support
  # To be able to use the functionality of a module which was built as a DSO you
  # have to place corresponding `LoadModule' lines at this location so the
  # directives contained in it are actually available before they are used.
  # Please read the file README.DSO in the Apache 1.3 distribution for more
  # details about the DSO mechanism and run `apache -l' for the list of already
  # built-in (statically linked and thus always available) modules in your Apache
  # binary.
  # Note: The order in which modules are loaded is important. Don't change
  # the order below without expert advice.
  # Example:
  # LoadModule foo_module libexec/mod_foo.dll
  LoadModule mime_magic_module modules/ApacheModuleMimeMagic.dll
  LoadModule mime_module modules/ApacheModuleMime.dll
  LoadModule dbm_auth_module modules/ApacheModuleAuthDBM.dll
  LoadModule digest_auth_module modules/ApacheModuleAuthDigest.dll
  LoadModule anon_auth_module modules/ApacheModuleAuthAnon.dll
  LoadModule cern_meta_module modules/ApacheModuleCERNMeta.dll
  LoadModule digest_module modules/ApacheModuleDigest.dll
  LoadModule expires_module modules/ApacheModuleExpires.dll
  LoadModule headers_module modules/ApacheModuleHeaders.dll
  LoadModule proxy_module modules/ApacheModuleProxy.dll
  LoadModule speling_module modules/ApacheModuleSpeling.dll
  LoadModule status_module modules/ApacheModuleStatus.dll
  LoadModule info_module modules/ApacheModuleInfo.dll
  LoadModule usertrack_module modules/ApacheModuleUserTrack.dll
  LoadModule vhost_alias_module modules/ApacheModuleVhostAlias.dll
  LoadModule agent_log_module modules/ApacheModuleLogAgent.dll
  LoadModule referer_log_module modules/ApacheModuleLogReferer.dll
  LoadModule perl_module modules/ApacheModulePerl.DLL
  LoadModule fastcgi_module modules/ApacheModuleFastCGI.dll
  LoadModule php4_module modules/ApacheModulePHP4.dll
  LoadModule onsint_module modules/ApacheModuleOnsint.dll
  LoadModule wchandshake_module modules/ApacheModuleWchandshake.dll
  ClearModuleList
  AddModule mod_so.c
  AddModule mod_onsint.c
  AddModule mod_mime_magic.c
  AddModule mod_mime.c
  AddModule mod_access.c
  AddModule mod_auth.c
  AddModule mod_negotiation.c
  AddModule mod_include.c
  AddModule mod_autoindex.c
  AddModule mod_dir.c
  AddModule mod_cgi.c
  #AddModule mod_userdir.c
  AddModule mod_alias.c
  AddModule mod_env.c
  AddModule mod_log_config.c
  AddModule mod_asis.c
  AddModule mod_imap.c
  AddModule mod_actions.c
  AddModule mod_setenvif.c
  AddModule mod_isapi.c
  AddModule mod_vhost_alias.c
  AddModule mod_log_referer.c
  AddModule mod_log_agent.c
  AddModule mod_auth_anon.c
  AddModule mod_auth_dbm.c
  AddModule mod_auth_digest.c
  AddModule mod_cern_meta.c
  AddModule mod_digest.c
  AddModule mod_expires.c
  AddModule mod_headers.c
  AddModule mod_proxy.c
  AddModule mod_speling.c
  AddModule mod_info.c
  AddModule mod_status.c
  AddModule mod_usertrack.c
  AddModule mod_perl.c
  AddModule mod_fastcgi.c
  AddModule mod_php4.c
  AddModule mod_wchandshake.c
  <IfDefine SSL>
  LoadModule ossl_module modules/ApacheModuleOSSL.DLL
  </IfDefine>
  # ExtendedStatus controls whether Apache will generate "full" status
  # information (ExtendedStatus On) or just basic information (ExtendedStatus
  # Off) when the "server-status" handler is called. The default is Off.
  ExtendedStatus On
  ### Section 2: 'Main' server configuration
  # The directives in this section set up the values used by the 'main'
  # server, which responds to any requests that aren't handled by a
  # <VirtualHost> definition. These values also provide defaults for
  # any <VirtualHost> containers you may define later in the file.
  # All of these directives may appear inside <VirtualHost> containers,
  # in which case these default settings will be overridden for the
  # virtual host being defined.
  # Port: The port to which the standalone server listens. Certain firewall
  # products must be configured before Apache can listen to a specific port.
  # Other running httpd servers will also interfere with this port. Disable
  # all firewall, security, and other services if you encounter problems.
  # To help diagnose problems use the Windows NT command NETSTAT -a
  Port 7777
  Listen 7777
  # ServerAdmin: Your address, where problems with the server should be
  # e-mailed. This address appears on some server-generated pages, such
  # as error documents.
  ServerAdmin [email protected]
  # ServerName allows you to set a host name which is sent back to clients for
  # your server if it's different than the one the program would get (i.e., use
  # "www" instead of the host's real name).
  # Note: You cannot just invent host names and hope they work. The name you
  # define here must be a valid DNS name for your host. If you don't understand
  # this, ask your network administrator.
  # If your host doesn't have a registered DNS name, enter its IP address here.
  # You will have to access it by its address (e.g., http://123.45.67.89/)
  # anyway, and this will make redirections work in a sensible way.
  # 127.0.0.1 is the TCP/IP local loop-back address, often named localhost. Your
  # machine always knows itself by this address. If you use Apache strictly for
  # local testing and development, you may use 127.0.0.1 as the server name.
  ServerName IFLMUD5DLHY4G.i-flex.com
  # DocumentRoot: The directory out of which you will serve your
  # documents. By default, all requests are taken from this directory, but
  # symbolic links and aliases may be used to point to other locations.
  DocumentRoot "D:\product\10.1.3\OracleAS_1\Apache\Apache\htdocs"
  # Each directory to which Apache has access, can be configured with respect
  # to which services and features are allowed and/or disabled in that
  # directory (and its subdirectories).
  # First, we configure the "default" to be a very restrictive set of
  # permissions.
  <Directory />
  Options FollowSymLinks MultiViews
  AllowOverride None
  </Directory>
  # Note that from this point forward you must specifically allow
  # particular features to be enabled - so if something's not working as
  # you might expect, make sure that you have specifically enabled it
  # below.
  # This should be changed to whatever you set DocumentRoot to.
  <Directory "D:\product\10.1.3\OracleAS_1\Apache\Apache\htdocs">
  # This may also be "None", "All", or any combination of "Indexes",
  # "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
  # Note that "MultiViews" must be named explicitly --- "Options All"
  # doesn't give it to you.
  Options FollowSymLinks MultiViews
  # This controls which options the .htaccess files in directories can
  # override. Can also be "All", or any combination of "Options", "FileInfo",
  # "AuthConfig", and "Limit"
  AllowOverride None
  # Controls who can get stuff from this server.
  Order allow,deny
  Allow from all
  </Directory>
  # UserDir: The name of the directory which is appended onto a user's home
  # directory if a ~user request is received.
  # Under Win32, we do not currently try to determine the home directory of
  # a Windows login, so a format such as that below needs to be used. See
  # the UserDir documentation for details.
  <IfModule mod_userdir.c>
  UserDir "D:\product\10.1.3\OracleAS_1\Apache\Apache\users\"
  </IfModule>
  # Control access to UserDir directories. The following is an example
  # for a site where these directories are restricted to read-only.
  #<Directory /home/*/public_html>
  # AllowOverride FileInfo AuthConfig Limit
  # Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
  # <Limit GET POST OPTIONS PROPFIND>
  # Order allow,deny
  # Allow from all
  # </Limit>
  # <LimitExcept GET POST OPTIONS PROPFIND>
  # Order deny,allow
  # Deny from all
  # </LimitExcept>
  #</Directory>
  # DirectoryIndex: Name of the file or files to use as a pre-written HTML
  # directory index. Separate multiple entries with spaces.
  <IfModule mod_dir.c>
  DirectoryIndex index.html
  </IfModule>
  # AccessFileName: The name of the file to look for in each directory
  # for access control information.
  AccessFileName .htaccess
  # The following lines prevent .htaccess files from being viewed by
  # Web clients. Since .htaccess files often contain authorization
  # information, access is disallowed for security reasons. Comment
  # these lines out if you want Web visitors to see the contents of
  # .htaccess files. If you change the AccessFileName directive above,
  # be sure to make the corresponding changes here.
  # Also, folks tend to use names such as .htpasswd for password
  # files, so this will protect those as well.
  <Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  </Files>
  # CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
  # document that was negotiated on the basis of content. This asks proxy
  # servers not to cache the document. Uncommenting the following line disables
  # this behavior, and proxies will be allowed to cache the documents.
  #CacheNegotiatedDocs
  # UseCanonicalName: (new for 1.3) With this setting turned on, whenever
  # Apache needs to construct a self-referencing URL (a URL that refers back
  # to the server the response is coming from) it will use ServerName and
  # Port to form a "canonical" name. With this setting off, Apache will
  # use the hostname:port that the client supplied, when possible. This
  # also affects SERVER_NAME and SERVER_PORT in CGI scripts.
  UseCanonicalName On
  # TypesConfig describes where the mime.types file (or equivalent) is
  # to be found.
  <IfModule mod_mime.c>
  TypesConfig conf/mime.types
  </IfModule>
  # DefaultType is the default MIME type the server will use for a document
  # if it cannot otherwise determine one, such as from filename extensions.
  # If your server contains mostly text or HTML documents, "text/plain" is
  # a good value. If most of your content is binary, such as applications
  # or images, you may want to use "application/octet-stream" instead to
  # keep browsers from trying to display binary files as though they are
  # text.
  DefaultType text/plain
  # The mod_mime_magic module allows the server to use various hints from the
  # contents of the file itself to determine its type. The MIMEMagicFile
  # directive tells the module where the hint definitions are located.
  # mod_mime_magic is not part of the default server (you have to add
  # it yourself with a LoadModule [see the DSO paragraph in the 'Global
  # Environment' section], or recompile the server and include mod_mime_magic
  # as part of the configuration), so it's enclosed in an <IfModule> container.
  # This means that the MIMEMagicFile directive will only be processed if the
  # module is part of the server.
  <IfModule mod_mime_magic.c>
  MIMEMagicFile conf/magic
  </IfModule>
  # HostnameLookups: Log the names of clients or just their IP addresses
  # e.g., www.apache.org (on) or 204.62.129.132 (off).
  # The default is off because it'd be overall better for the net if people
  # had to knowingly turn this feature on, since enabling it means that
  # each client request will result in AT LEAST one lookup request to the
  # nameserver.
  HostnameLookups Off
  # ErrorLog: The location of the error log file.
  # If you do not specify an ErrorLog directive within a <VirtualHost>
  # container, error messages relating to that virtual host will be
  # logged here. If you do define an error logfile for a <VirtualHost>
  # container, that host's errors will be logged there and not here.
  ErrorLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/error_log 43200"
  # LogLevel: Control the number of messages logged to the error.log.
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
  # The following directives define some format nicknames for use with
  # a CustomLog directive (see below).
  # Alternate "common" format to use when fronted by webcache:
  # LogFormat "%{ClientIP}i %l %u %t \"%r\" %>s %b %h" common_webcache
  # When webcache is forwarding requests to OHS, %h becomes the IP of
  # the originating webcache server and the real client IP is stored
  # in the ClientIP header. The common_webcache format can be used
  # in place of the common format when using webcache but with one
  # important caveat: if clients are capable of bypassing webcache
  # then it is possible to spoof the client IP by manually setting
  # the ClientIP header so the %h field should be monitored in such
  # an environment. Another alternative to specifying the ClientIP
  # header directly in a LogFormat is to use the "UseWebCacheIp"
  # directive:
  # UseWebCacheIp On
  # When this is specified, %h is derived internally from the ClientIP
  # header and the access log format does not need to be modified.
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  LogFormat "%h %l %u %t \"%r\" %>s %b" common
  LogFormat "%{Referer}i -> %U" referer
  LogFormat "%{User-agent}i" agent
  # The location and format of the access logfile (Common Logfile Format).
  # If you do not define any access logfiles within a <VirtualHost>
  # container, they will be logged here. Contrariwise, if you do
  # define per-<VirtualHost> access logfiles, transactions will be
  # logged therein and not in this file.
  CustomLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/access_log 43200" common
  # If you would like to have agent and referer logfiles, uncomment the
  # following directives.
  #CustomLog logs/referer.log referer
  #CustomLog logs/agent.log agent
  # If you prefer a single logfile with access, agent, and referer information
  # (Combined Logfile Format) you can use the following directive.
  #CustomLog logs/access.log combined
  # Optionally add a line containing the server version and virtual host
  # name to server-generated pages (error documents, FTP directory listings,
  # mod_status and mod_info output etc., but not CGI generated documents).
  # Set to "EMail" to also include a mailto: link to the ServerAdmin.
  # Set to one of: On | Off | EMail
  ServerSignature On
  # Apache parses all CGI scripts for the shebang line by default.
  # This comment line, the first line of the script, consists of the symbols
  # pound (#) and exclamation (!) followed by the path of the program that
  # can execute this specific script. For a perl script, with perl.exe in
  # the C:\Program Files\Perl directory, the shebang line should be:
  #!c:/program files/perl/perl
  # Note you mustnot_ indent the actual shebang line, and it must be the
  # first line of the file. Of course, CGI processing must be enabled by
  # the appropriate ScriptAlias or Options ExecCGI directives for the files
  # or directory in question.
  # However, Apache on Windows allows either the Unix behavior above, or can
  # use the Registry to match files by extention. The command to execute
  # a file of this type is retrieved from the registry by the same method as
  # the Windows Explorer would use to handle double-clicking on a file.
  # These script actions can be configured from the Windows Explorer View menu,
  # 'Folder Options', and reviewing the 'File Types' tab. Clicking the Edit
  # button allows you to modify the Actions, of which Apache 1.3 attempts to
  # perform the 'Open' Action, and failing that it will try the shebang line.
  # This behavior is subject to change in Apache release 2.0.
  # Each mechanism has it's own specific security weaknesses, from the means
  # to run a program you didn't intend the website owner to invoke, and the
  # best method is a matter of great debate.
  # To enable the this Windows specific behavior (and therefore -disable- the
  # equivilant Unix behavior), uncomment the following directive:
  #ScriptInterpreterSource registry
  # The directive above can be placed in individual <Directory> blocks or the
  # .htaccess file, with either the 'registry' (Windows behavior) or 'script'
  # (Unix behavior) option, and will override this server default option.
  # Aliases: Add here as many aliases as you need (with no limit). The format is
  # Alias fakename realname
  <IfModule mod_alias.c>
  # Note that if you include a trailing / on fakename then the server will
  # require it to be present in the URL. So "/icons" isn't aliased in this
  # example, only "/icons/"..
  Alias /icons/ "D:\product\10.1.3\OracleAS_1\Apache\Apache\icons/"
  Alias /javacachedocs/ "D:\product\10.1.3\OracleAS_1\javacache\javadoc/"
  <IfModule mod_perl.c>
  Alias /perl/ "D:\product\10.1.3\OracleAS_1\Apache\Apache/cgi-bin/"
  </IfModule>
  <Directory "icons">
  Options MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all
  </Directory>
  # ScriptAlias: This controls which directories contain server scripts.
  # ScriptAliases are essentially the same as Aliases, except that
  # documents in the realname directory are treated as applications and
  # run by the server when requested rather than as documents sent to the client.
  # The same rules about trailing "/" apply to ScriptAlias directives as to
  # Alias.
  ScriptAlias /cgi-bin/ "D:\product\10.1.3\OracleAS_1\Apache\Apache\cgi-bin/"
  # "D:\product\10.1.3\OracleAS_1\Apache\Apache/cgi-bin" should be changed to whatever your ScriptAliased
  # CGI directory exists, if you have that configured.
  <Directory "D:\product\10.1.3\OracleAS_1\Apache\Apache\cgi-bin">
  AllowOverride None
  Options None
  Order allow,deny
  Allow from all
  </Directory>
  </IfModule>
  # End of aliases.
  # Redirect allows you to tell clients about documents which used to exist in
  # your server's namespace, but do not anymore. This allows you to tell the
  # clients where to look for the relocated document.
  # Format: Redirect old-URI new-URL
  # Directives controlling the display of server-generated directory listings.
  <IfModule mod_autoindex.c>
  # FancyIndexing is whether you want fancy directory indexing or standard
  # Note, add the option TrackModified to the IndexOptions default list only
  # if all indexed directories reside on NTFS volumes. The TrackModified flag
  # will report the Last-Modified date to assist caches and proxies to properly
  # track directory changes, but it does not work on FAT volumes.
  IndexOptions FancyIndexing
  # AddIcon* directives tell the server which icon to show for different
  # files or filename extensions. These are only displayed for
  # FancyIndexed directories.
  AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
  AddIconByType (TXT,/icons/text.gif) text/*
  AddIconByType (IMG,/icons/image2.gif) image/*
  AddIconByType (SND,/icons/sound2.gif) audio/*
  AddIconByType (VID,/icons/movie.gif) video/*
  AddIcon /icons/binary.gif .bin .exe
  AddIcon /icons/binhex.gif .hqx
  AddIcon /icons/tar.gif .tar
  AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
  AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
  AddIcon /icons/a.gif .ps .ai .eps
  AddIcon /icons/layout.gif .html .shtml .htm .pdf
  AddIcon /icons/text.gif .txt
  AddIcon /icons/c.gif .c
  AddIcon /icons/p.gif .pl .py
  AddIcon /icons/f.gif .for
  AddIcon /icons/dvi.gif .dvi
  AddIcon /icons/uuencoded.gif .uu
  AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
  AddIcon /icons/tex.gif .tex
  AddIcon /icons/bomb.gif core
  AddIcon /icons/back.gif ..
  AddIcon /icons/hand.right.gif README
  AddIcon /icons/folder.gif ^^DIRECTORY^^
  AddIcon /icons/blank.gif ^^BLANKICON^^
  # DefaultIcon is which icon to show for files which do not have an icon
  # explicitly set.
  DefaultIcon /icons/unknown.gif
  # AddDescription allows you to place a short description after a file in
  # server-generated indexes. These are only displayed for FancyIndexed
  # directories.
  # Format: AddDescription "description" filename
  #AddDescription "GZIP compressed document" .gz
  #AddDescription "tar archive" .tar
  #AddDescription "GZIP compressed tar archive" .tgz
  # ReadmeName is the name of the README file the server will look for by
  # default, and append to directory listings.
  # HeaderName is the name of a file which should be prepended to
  # directory indexes.
  # If MultiViews are amongst the Options in effect, the server will
  # first look for name.html and include it if found. If name.html
  # doesn't exist, the server will then look for name.txt and include
  # it as plaintext if found.
  ReadmeName README
  HeaderName HEADER
  # IndexIgnore is a set of filenames which directory indexing should ignore
  # and not include in the listing. Shell-style wildcarding is permitted.
  IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
  </IfModule>
  # End of indexing directives.
  # Document types.
  <IfModule mod_mime.c>
  # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
  # information on the fly. Note: Not all browsers support this.
  # Despite the name similarity, the following Add* directives have nothing
  # to do with the FancyIndexing customization directives above.
  AddEncoding x-compress Z
  AddEncoding x-gzip gz tgz
  # AddLanguage allows you to specify the language of a document. You can
  # then use content negotiation to give a browser a file in a language
  # it can understand.
  # Note 1: The suffix does not have to be the same as the language
  # keyword --- those with documents in Polish (whose net-standard
  # language code is pl) may wish to use "AddLanguage pl .po" to
  # avoid the ambiguity with the common suffix for perl scripts.
  # Note 2: The example entries below illustrate that in quite
  # some cases the two character 'Language' abbriviation is not
  # identical to the two character 'Country' code for its country,
  # E.g. 'Danmark/dk' versus 'Danish/da'.
  # Note 3: In the case of 'ltz' we violate the RFC by using a three char
  # specifier. But there is 'work in progress' to fix this and get
  # the reference data for rfc1766 cleaned up.
  # Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
  # French (fr) - German (de) - Greek-Modern (el)
  # Italian (it) - Korean (kr) - Norwegian (no)
  # Portugese (pt) - Luxembourgeois* (ltz)
  # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
  # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
  # Russian (ru)
  AddLanguage ar .ar
  AddLanguage da .dk .da
  AddLanguage nl .nl
  AddLanguage en .en
  AddLanguage et .ee
  AddLanguage fi .fi
  AddLanguage fr .fr
  AddLanguage de .de
  AddLanguage el .el
  AddLanguage es .es_ES .es
  AddLanguage he .he .iw
  AddLanguage hu .hu
  AddCharset ISO-8859-8 .iso8859-8
  AddLanguage it .it
  AddLanguage ja .ja
  AddCharset ISO-2022-JP .jis
  AddLanguage ko .ko
  AddLanguage kr .kr
  AddCharset ISO-2022-KR .iso-kr
  AddLanguage nn .nn
  AddLanguage no .no
  AddLanguage pl .po
  AddCharset ISO-8859-2 .iso-pl
  AddLanguage pt .pt
  AddLanguage pt-br .pt_BR .pt-br
  AddLanguage ltz .lu
  AddLanguage ca .ca
  AddLanguage sk .sk
  AddLanguage sv .sv
  AddLanguage th .th
  AddLanguage tr .tr
  AddLanguage cz .cz .cs
  AddLanguage ro .ro
  AddLanguage ru .ru
  AddLanguage zh-cn .zh_CN
  AddLanguage zh-tw .zh_TW
  AddCharset Big5 .Big5 .big5
  AddCharset WINDOWS-1251 .cp-1251
  AddCharset CP866 .cp866
  AddCharset ISO-8859-5 .iso-ru
  AddCharset KOI8-R .koi8-r
  AddCharset UCS-2 .ucs2
  AddCharset UCS-4 .ucs4
  AddCharset UTF-8 .utf8
  # LanguagePriority allows you to give precedence to some languages
  # in case of a tie during content negotiation.
  # Just list the languages in decreasing order of preference. We have
  # more or less alphabetized them here. You probably want to change this.
  <IfModule mod_negotiation.c>
  LanguagePriority ar en da nl et fi fr de el it ja ko kr no pl pt pt-br ro ru ltz ca es sk sv th tr zh-cn zh-tw zh-cn
  </IfModule>
  # AddType allows you to tweak mime.types without actually editing it, or to
  # make certain files to be certain types.
  # For example, the PHP 3.x module (not part of the Apache distribution - see
  # http://www.php.net) will typically use:
  #AddType application/x-httpd-php3 .php3
  #AddType application/x-httpd-php3-source .phps
  # And for PHP 4.x, use:
  AddType application/x-httpd-php .php .phtml
  AddType application/x-httpd-php-source .phps
  AddType application/x-tar .tgz
  # AddHandler allows you to map certain file extensions to "handlers",
  # actions unrelated to filetype. These can be either built into the server
  # or added with the Action command (see below)
  # If you want to use server side includes, or CGI outside
  # ScriptAliased directories, uncomment the following lines.
  # To use CGI scripts:
  #AddHandler cgi-script .cgi
  # To use server-parsed HTML files
  #AddType text/html .shtml
  #AddHandler server-parsed .shtml
  # Uncomment the following line to enable Apache's send-asis HTTP file
  # feature
  #AddHandler send-as-is asis
  # If you wish to use server-parsed imagemap files, use
  #AddHandler imap-file map
  # To enable type maps, you might want to use
  #AddHandler type-map var
  </IfModule>
  # End of document types.
  # Action lets you define media types that will execute a script whenever
  # a matching file is called. This eliminates the need for repeated URL
  # pathnames for oft-used CGI file processors.
  # Format: Action media/type /cgi-script/location
  # Format: Action handler-name /cgi-script/location
  # MetaDir: specifies the name of the directory in which Apache can find
  # meta information files. These files contain additional HTTP headers
  # to include when sending the document
  #MetaDir .web
  # MetaSuffix: specifies the file name suffix for the file containing the
  # meta information.
  #MetaSuffix .meta
  # Customizable error response (Apache style)
  # these come in three flavors
  # 1) plain text
  #ErrorDocument 500 "The server made a boo boo.
  # n.b. the single leading (") marks it as text, it does not get output
  # 2) local redirects
  #ErrorDocument 404 /missing.html
  # to redirect to local URL /missing.html
  #ErrorDocument 404 /cgi-bin/missing_handler.pl
  # N.B.: You can redirect to a script or a document using server-side-includes.
  # 3) external redirects
  #ErrorDocument 402 http://some.other_server.com/subscription_info.html
  # N.B.: Many of the environment variables associated with the original
  # request will not be available to such a script.
  # Customize behaviour based on the browser
  <IfModule mod_setenvif.c>
  # The following directives modify normal HTTP response behavior.
  # The first directive disables keepalive for Netscape 2.x and browsers that
  # spoof it. There are known problems with these browser implementations.
  # The second directive is for Microsoft Internet Explorer 4.0b2
  # which has a broken HTTP/1.1 implementation and does not properly
  # support keepalive when it is used on 301 or 302 (redirect) responses.
  BrowserMatch "Mozilla/2" nokeepalive
  BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
  # The following directive disables HTTP/1.1 responses to browsers which
  # are in violation of the HTTP/1.0 spec by not being able to grok a
  # basic 1.1 response.
  BrowserMatch "RealPlayer 4\.0" force-response-1.0
  BrowserMatch "Java/1\.0" force-response-1.0
  BrowserMatch "JDK/1\.0" force-response-1.0
  </IfModule>
  # End of browser customization directives
  # Allow server status reports, with the URL of http://servername/server-status
  # Change the ".your_domain.com" to match your domain to enable.
  <Location /server-status>
  SetHandler server-status
  Order deny,allow
  Deny from all
  Allow from localhost IFLMUD5DLHY4G.i-flex.com IFLMUD5DLHY4G
  </Location>
  # Allow remote server configuration reports, with the URL of
  # http://servername/server-info (requires that mod_info.c be loaded).
  # Change the ".your_domain.com" to match your domain to enable.
  #<Location /server-info>
  # SetHandler server-info
  # Order deny,allow
  # Deny from all
  # Allow from .your_domain.com
  #</Location>
  # There have been reports of people trying to abuse an old bug from pre-1.1
  # days. This bug involved a CGI script distributed as a part of Apache.
  # By uncommenting these lines you can redirect these attacks to a logging
  # script on phf.apache.org. Or, you can record them yourself, using the script
  # support/phf_abuse_log.cgi.
  #<Location /cgi-bin/phf*>
  # Deny from all
  # ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
  #</Location>
  # Proxy Server directives. Uncomment the following lines to
  # enable the proxy server:
  #<IfModule mod_proxy.c>
  # ProxyRequests On
  # <Directory proxy:*>
  # Order deny,allow
  # Deny from all
  # Allow from .your_domain.com
  # </Directory>
  # Enable/disable the handling of HTTP/1.1 "Via:" headers.
  # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
  # Set to one of: Off | On | Full | Block
  # ProxyVia On
  # To enable the cache as well, edit and uncomment the following lines:
  # (no cacheing without CacheRoot)
  # CacheRoot "D:\product\10.1.3\OracleAS_1\Apache\Apache\proxy"
  # CacheSize 5
  # CacheGcInterval 4
  # CacheMaxExpire 24
  # CacheLastModifiedFactor 0.1
  # CacheDefaultExpire 1
  # NoCache a_domain.com another_domain.edu joes.garage_sale.com
  #</IfModule>
  # End of proxy directives.
  ### Section 3: Virtual Hosts
  # VirtualHost: If you want to maintain multiple domains/hostnames on your
  # machine you can setup VirtualHost containers for them. Most configurations
  # use only name-based virtual hosts so the server doesn't need to worry about
  # IP addresses. This is indicated by the asterisks in the directives below.
  # Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
  # for further details before you try to setup virtual hosts.
  # You may use the command line option '-S' to verify your virtual host
  # configuration.
  # Use name-based virtual hosting.
  #NameVirtualHost *
  #NameVirtualHost 12.34.56.78:80
  #NameVirtualHost 12.34.56.78
  # VirtualHost example:
  # Almost any Apache directive may go into a VirtualHost container.
  # The first VirtualHost section is used for requests without a known
  # server name.
  #<VirtualHost *>
  # ServerAdmin [email protected]
  # DocumentRoot /www/docs/dummy-host.example.com
  # ServerName dummy-host.example.com
  # ErrorLog logs/dummy-host.example.com-error_log
  # CustomLog logs/dummy-host.example.com-access_log common
  #</VirtualHost>
  #<VirtualHost default:*>
  #</VirtualHost>
  # Required for cgi perl scripts that are run from /cgi-bin/.
  SetEnv PERL5LIB "D:\product\10.1.3\OracleAS_1\perl\5.8.3\lib;D:\product\10.1.3\OracleAS_1\perl\site\5.8.3\lib"
  <IfModule mod_perl.c>
  # Perl Directives
  # PerlWarn On
  # PerlFreshRestart On
  # PerlSetEnv PERL5OPT Tw
  # PerlSetEnv PERL5LIB "D:\product\10.1.3\OracleAS_1\perl\5.8.3\lib;D:\product\10.1.3\OracleAS_1\perl\site\5.8.3\lib"
  PerlModule Apache
  # PerlModule Apache::Status
  PerlModule Apache::Registry
  # PerlModule Apache::CGI
  # PerlModule Apache::DBI
  # PerlRequire
  <Location /perl>
  SetHandler perl-script
  PerlHandler Apache::Registry
  AddHandler perl-script .pl
  Options +ExecCGI
  PerlSendHeader On
  </Location>
  # <Location /perl-status>
  # SetHandler perl-script
  # PerlHandler Apache::Status
  # order deny,allow
  # deny from all
  # allow from localhost
  # </Location>
  </IfModule>
  #Protect WEB-INF directory
  <DirectoryMatch /WEB-INF/>
  Order deny,allow
  Deny from all
  </DirectoryMatch>
  # Setup of FastCGI module
  <IfModule mod_fastcgi.c>
  Alias /fastcgi/ "D:\product\10.1.3\OracleAS_1\Apache\Apache\fastcgi/"
  ScriptAlias /fcgi-bin/ "D:\product\10.1.3\OracleAS_1\Apache\Apache\fcgi-bin/"
  <Directory "D:\product\10.1.3\OracleAS_1\Apache\Apache\fcgi-bin">
  AllowOverride None
  Options None
  Order allow,deny
  Allow from all
  SetHandler fastcgi-script
  <IfModule mod_ossl.c>
  SSLOptions +StdEnvVars
  </IfModule>
  </Directory>
  </IfModule>
  # Include the mod_oc4j configuration file
  include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\mod_oc4j.conf"
  # Include the mod_dms configuration file
  include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\dms.conf"
  # Loading rewrite_module here so it loads before mod_oc4j
  LoadModule rewrite_module modules/ApacheModuleRewrite.dll
  # Include the SSL definitions and Virtual Host container
  include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\ssl.conf"
  # Include the mod_osso configuration file
  #include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\mod_osso.conf"
  # Include the Oracle configuration file for custom settings
  include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\oracle_apache.conf"
  my ssl.conf is as follows:
  <IfDefine SSL>
  ## SSL Global Context
  ## All SSL configuration in this context applies both to
  ## the main server and all SSL-enabled virtual hosts.
  # Pass Phrase Dialog:
  # Configure the pass phrase gathering process.
  # The filtering dialog program (`builtin' is a internal
  # terminal dialog) has to provide the pass phrase on stdout.
  SSLPassPhraseDialog builtin
  # Inter-Process Session Cache:
  # Configure the SSL Session Cache: First either `none'
  # or `dbm:/path/to/file' for the mechanism to use and
  # second the expiring timeout (in seconds).
  #SSLSessionCache none
  #SSLSessionCache dbm:logs\ssl_scache
  #SSLSessionCache shmht:logs\ssl_scache(512000)
  SSLSessionCache shmcb:logs\ssl_scache(512000)
  # SessionCache Timeout:
  # This directive sets the timeout in seconds for the information stored
  # in the global/inter-process SSL Session Cache. It can be set as low as
  # 15 for testing, but should be set to higher values like 300 in real life.
  SSLSessionCacheTimeout 300
  # Semaphore:
  # Configure the path to the mutual explusion semaphore the
  # SSL engine uses internally for inter-process synchronization.
  SSLMutex sem
  # Logging:
  # The home of the dedicated SSL protocol logfile. Errors are
  # additionally duplicated in the general error log file. Put
  # this somewhere where it cannot be used for symlink attacks on
  # a real server (i.e. somewhere where only root can write).
  # Log levels are (ascending order: higher ones include lower ones):
  # none, error, warn, info, trace, debug.
  SSLLog logs\ssl_engine_log
  SSLLogLevel warn
  ## SSL Virtual Host Context
  # NOTE: this value should match the SSL Listen directive set previously in this
  # file otherwise your virtual host will not respond to SSL requests.
  # Some MIME-types for downloading Certificates and CRLs
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
  ## SSL Support
  ## When we also provide SSL we have to listen to the
  ## standard HTTP port (see above) and to the HTTPS port
  # NOTE: if virtual hosts are used and you change a port value below
  # from the original value, be sure to update the default port used
  # for your virtual hosts as well.
  Listen 443
  <VirtualHost IFLMUD5DLHY4G.i-flex.com:443>
  # General setup for the virtual host
  DocumentRoot "D:\product\10.1.3\OracleAS_1\Apache\Apache\htdocs"
  ServerName IFLMUD5DLHY4G.i-flex.com
  #ServerAdmin [email protected]
  ErrorLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/error_log 43200"
  TransferLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/access_log 43200"
  Port 443
  # SSL Engine Switch:
  # Enable/Disable SSL for this virtual host.
  SSLEngine on
  # SSL Cipher Suite:
  # List the ciphers that the client is permitted to negotiate.
  SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  # Server Wallet:
  # The server wallet contains the server's certificate, private key
  # and trusted certificates. Set SSLWallet at the wallet directory
  # using the syntax: file:<path-to-wallet-directory>
  SSLWallet D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\ssl.wlt\default\ewallet.p12
  #SSLWalletPassword iflex2007
  # Certificate Revocation Lists (CRL):
  # Set the CA revocation path where to find CA CRLs for client
  # authentication or alternatively one huge file containing all
  # of them (file must be PEM encoded)
  # Note: Inside SSLCARevocationPath you need hash symlinks
  # to point to the certificate files. Use the provided
  # Makefile to update the hash symlinks after changes.
  #SSLCARevocationPath conf\ssl.crl
  #SSLCARevocationFile conf\ssl.crl\ca-bundle.crl
  # Client Authentication (Type):
  # Client certificate verification type and depth. Types are
  # none, optional and require
  SSLVerifyClient optional
  # Access Control:
  # With SSLRequire you can do per-directory access control based
  # on arbitrary complex boolean expressions containing server
  # variable checks and other lookup directives. The syntax is a
  # mixture between C and Perl. See the mod_ssl documentation
  # for more details.
  #<Location />
  #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
  # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
  # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
  # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
  # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
  # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
  #</Location>
  # SSL Engine Options:
  # Set various options for the SSL engine.
  # o FakeBasicAuth:
  # Translate the client X.509 into a Basic Authorisation. This means that
  # the standard Auth/DBMAuth methods can be used for access control. The
  # user name is the `one line' version of the client's X.509 certificate.
  # Note that no password is obtained from the user. Every entry in the user
  # file needs this password: `xxj31ZMTZzkVA'.
  # o ExportCertData:
  # This exports two additional environment variables: SSL_CLIENT_CERT and
  # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  # server (always existing) and the client (only existing when client
  # authentication is used). This can be used to import the certificates
  # into CGI scripts.
  # o StdEnvVars:
  # This exports the standard SSL/TLS related `SSL_*' environment variables.
  # Per default this exportation is switched off for performance reasons,
  # because the extraction step is an expensive operation and is usually
  # useless for serving static content. So one usually enables the
  # exportation for CGI and SSI requests only.
  # o CompatEnvVars:
  # This exports obsolete environment variables for backward compatibility
  # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
  # to provide compatibility to existing CGI scripts.
  # o StrictRequire:
  # This denies access when "SSLRequireSSL" or "SSLRequire" applied even
  # under a "Satisfy any" situation, i.e. when it applies access is denied
  # and no other module can change it.
  # o OptRenegotiate:
  # This enables optimized SSL connection renegotiation handling when SSL
  # directives are used in per-directory context.
  #SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire
  <Files ~ "\.(cgi|shtml)$">
  SSLOptions +StdEnvVars
  </Files>
  <Directory "D:\product\10.1.3\OracleAS_1\Apache\Apache\cgi-bin">
  SSLOptions +StdEnvVars
  </Directory>
  SetEnvIf User-Agent "MSIE" nokeepalive ssl-unclean-shutdown
  # Per-Server Logging:
  # The home of a custom SSL log file. Use this when you want a
  # compact non-error SSL logfile on a virtual host basis.
  CustomLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/ssl_request_log 43200" \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  </VirtualHost>
  </IfDefine>
  Please help me rectifying this error.
  Thanks a lot in advance.

  Hi,
  Found a note explaining the significance of these errors.
  It says:
  "NZE-28862: SSL connection failed
  Cause: This error occurred because the peer closed the connection.
  Action: Enable Oracle Net tracing on both sides and examine the trace output. Contact Oracle Customer support with the trace output."
  For further details you may refer the Note: 244527.1 - Explanation of "SSL call to NZ function nzos_Handshake failed" error codes
  Thanks & Regards,
  Sindhiya V.

• FRM-41211 Integration Error SSL - OracleAS 10g

  Hi.
  I have error Frm-41211 Integration Error SSL Failure Running Another Product error while calling a report from web form in oracleAS 10g.
  I have problem with RUN_REPORT_OBJECT in web forms.
  I have error: FRM-41211 SSL integration error .....
  OracleAS server began on Windoes XP SP2.
  Do you help me ?

  Hi,
  I remember having seen this issue in teh apst. My best recommendation is to work with customer support (metalink.oracle.com)
  Frank

• FRM-41211 Integration Error SSL - Oracle Forms 10g

  Hi all.
  I have FRM-41211 Integration Error SSL Failure Running Another Product error while calling a report from web form in oracleAS 10g.
  I have problem with RUN_REPORT_OBJECT in web forms in this code:
  =====================================================
  DECLARE
  BEGIN
  repid := find_report_object('MODULE21');
  v_rep := RUN_REPORT_OBJECT(repid);
  -- jobid := substr(v_rep, length('rep60_WS70004')+2, length(v_rep));
  -- web.show_document('/reports/rwservlet/getjobid'||jobid||'?server=rep3945','_blank');
  END;
  =====================================================
  I have error: FRM-41211 SSL integration error .....
  OracleAS 10g server began on Windows XP SP2.
  Do you help me ?
  Very thanks !!

  Do you help me ?
  Thanks.