SSL and mutual auth. for webservice

Does anyone have a simple example that runs OOTB to demonstrate calling a webservice
using SSL with mutual auth.? We are using WLS7.0.1. Thanks....

To get mutual authentication working over SSL, try the SSLClient example shipped
with WLS. Once you get this connecting to your remote HTTPS endpoint it is relatively
straighforward to make sure your web service activation code configures SSL in
the same way.
One gotcha is when creating certificate chains in PEM files, make sure you concatenate
the certificate files in the order of trust i.e. cert followed by CA cert.

Similar Messages

WS security, SSL and client auth

Hello all,
I need to secure a web service using SSL with client auth (client has a certificat issued by the web service provider wich he can use to access it... i suppose).
Being a newbie i have no idea what are the options and how to implement them.
If good tutos are available on the subject it would be nice.
I also had another question: with a web service, what guarantee do i have that the client has consumed the web service and received the information he wants etc., it is critical for me to know that everything went ok...
Cheers

Hi
One of the best books I found that covers security is located at:
http://www.lulu.com/content/214643
You will, or get you company to :), buy it (it's not expensive). It covers axis1.3, note that axis2 is out, but since your just starting with web services this will be a very good start on many of the concepts and how to implement them.
Should you decide to use Axis give it's documentation and many tutorials a look, the main site is: http://ws.apache.org/axis2/
Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think one to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do e.g. click an "accept" button that kicks of another "request" to the web service indicating that the initial request satisfied the users query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request.

How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

Hi,
I want to consume a Java Web service from Dotnet based client Application. The service require one Certificate("abc.PFX") for Two Way SSL purpose and another certificate("xyz.pfx") for WS security purpose to be passed from client Application(Dotnet
Console based). I tried configuring the App.config of Client application to pass both the certs but getting Error says:
Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
Please suggest how to pass both the certs from client Application..

Hi,
This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
And for more information, you could refer to:
http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
Regards

User specific material and plant auth for report MB52

Hello Experts,
Actually my client required the following thing that a User must have auth to view certain materilas for certain plant in report MB52. How to restrict it.
Kindly reply ASAP.
Thanks and Regards
Naveen Chawla

Hello experts,
Waitng for reply...
regards
Naveen

SSL and login form for form based login over ldap

Hello,
i have configured an apache reverse proxy with virtual named host and the the webgate is also running on this server.
On a second server i have configured a webserver with the login form.
Access to the protected ressources is working when i use the following parameters in my Authentication schema
form:/form/login.html
action:/dummy
creds:userid password
ssoCookie:httponly
passthrough:no
SSL Required No
Challenge Redirect http://dummyserver.dummy.org
Changing the SSL required to yes and the url to https has the following result.
After filling out the login form and pressing the submit button "the requested URL /dummy was not found on this server"
Any hints are welcome.
Kind regards

Hi Colin,
Yes the dummy url is protected. Otherwise it should not work when using http.
I assume that i am not redirected back to the origin source. The obSSOCookie should do this in some way, when i remember that correctly.
I can see that the obSSOCokkies are created for both urls but the content is "loggedoutcontinue". Thats the difference to the http communication.
Is there anything else to configure when using SSL with a form based login. Have i missed some basics?
In the documentation it looks really simple - just trning it on - looking for access - and everything works :-)
KR

SSL and Credentials configuration for webas

Hi..
I got a doubt in SSL certificate configuration.When i need to configure a JAVA engine for activating SSL.I would create .CSR and get signed from Trust center which inturn gives three certificate root,intermediate and original certificate and so we can configure the JAVA URL as https://<hostname>:<port no>:500001/...
Now the same can also can be configured for ABAP WEBAS engine.my doubt is as per note : 510007,SAP has said to generate .PSE file and SSL configuration which will work in 443 port and HTTPS port as in SMICM transaction
But I have two instances running on single host.I have already configured HTTPS 443 for one instance say for ABAP webas.And If i need to configure for another instance, <b><u>can i change the HTTPS port as per my requirement ????,</u></b>because 443 has been assigned to another instance (earlier) .And <b><u>Can i generate PSE file from that new port and get the certificate installed that is obtained from Trust center ???</u></b>
Expecting you Ideas and solution for this scenario..
Thanks
Gopalakrishnan M

Hello Gopalakrishnan,
To specify the https port of ABAP, you can use paramenter
icm/server_port_<X> as PROT=HTTPS,PORT=<port>
I think the default port for http is like below
icm/server_port_0 as PROT=HTTP,PORT=80<instance_number>
Then you can just specify icm/server_port_1 for https.
Good luck,
Victor

Wireless 3850 and Web-Auth for Wireless clients

Hi
I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
Internet is all tested and there is full IP connectivity.
Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
I am using local authentication for the guest users.
When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
Config below
interface Vlan302
description **** Wireless Guest ****
ip address 10.145.224.161 255.255.255.224
ip helper-address 10.144.214.134
ip helper-address 172.17.2.56
ip http server
ip http secure server
ip dhcp snooping
wlan XXXXX 2 XXXXXX
aaa-override
accounting-list default
client vlan 302
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list WEB_AUTH
security ft
security web-auth
security web-auth authentication-list WEB_AUTH
security web-auth parameter-map vit_web
no shutdown
parameter-map type webauth vit_web
type webauth
security web-auth parameter-map vit_web
user-name Guest1
creation-time 1390837878
privilege 15
password 7 022D0156060F1B351D
type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
user-name Guest2
creation-time 1390838016
privilege 15
password 7 0724244143000D1145
type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
aaa new-model
aaa authentication login WEB_AUTH local
aaa authorization network WEB_AUTH local

Hey Greg,
Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
parameter-map type webauth global
type webauth
virtual-ip ipv4 x.x.x.x wlc.whatever.org
max-http-conns 50
Also I had to enable http server in addition to secure server
ip http server
ip http secure-server
Are you using a self signed cert?
I saw windows clients take a long time to load the page when using a self signed cert.
MAC clients dont seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this MAC problem which was supposedly resolved in 3.3.1SE but I still have the problem.
-Kyle

Coldfusion 11 java/jre ssl mutual auth api calls. Help with coldfusion/java logs.

Hello,
I am here because I have exhausted my Coldfusion/Java ssl keystore certs trouble shooting abilities. Here is the issue. I am developing a Coldfusion 11 application that must make api calls to Chase payconnexion SOAP services. I am using the coldfusion cfhttp tags to do this, which is using the java jre 1.7.x to accomplish this. The problem, I am getting generic 500 internal server errors from Chase.   They claim that I am not sending a cert during the ssl exchange.    What I have done is:
- put our wildcard cert/key pair in the coldfusion keystore
- put our root and chain in the keystore
- put the chase server cert in the keystore
- converted the key/crt files to .pfx and make the calls
to chase with those, something like:
<cfset objSecurity = createObject("java", "java.security.Security") />
<cfset storeProvider = objSecurity.getProvider("JsafeJCE")/>
<cfset Application.sslfix = true />
<cfhttp url="#chase_api_server#/"
          result="http_response"
        method="post"
        port="1401" charset="utf-8"
        clientCert = "#cert_path#/#cert_file1#"
        clientCertPassword = "#cert_password#">
        <cfhttpparam type="header" name="SOAPAction" value="updateUserProfileRequest"/>
    <cfhttpparam type="header" name="Host" value="ws.payconnexion.com" />
    <cfhttpparam type="xml" value="#trim(my_xml)#"/>
    </cfhttp>
Here is what I see in the Cf logs, can anyone help me interpret what
is happening ??
Thanks,
Bob
=============================================================
found key for : 1
chain [0] = [
Version: V3
Subject: CN=*.payments.austintexas.gov, O=City of Austin, L=Austin, ST=Texas, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
Validity: [From: Mon Aug 11 12:39:37 CDT 2014,
               To: Thu Sep 01 18:34:24 CDT 2016]
Issuer: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
SerialNumber: [<snip>7]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.entrust.net
   accessMethod: caIssuers
   accessLocation: URIName: http://aia.entrust.net/2048-l1c.cer
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
     [URIName: http://crl.entrust.net/level1c.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.2.840.113533.7.75.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[CertificatePolicyId: [2.23.140.1.2.2]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.payments.austintexas.gov
DNSName: payments.austintexas.gov
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [1] = [
Version: V3
Subject: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Fri Nov 11 09:40:40 CST 2011,
               To: Thu Nov 11 20:51:17 CST 2021]
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
SerialNumber: [    <snip>]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.entrust.net
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
     [URIName: http://crl.entrust.net/2048ca.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [2] = [
Version: V3
Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>public exponent: 65537
Validity: [From: Fri Dec 24 11:50:51 CST 1999,
               To: Tue Jul 24 09:15:12 CDT 2029]
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
SerialNumber: [<snip>]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
trustStore is: /opt/coldfusion11/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
<snip 85 certs>
trigger seeding of SecureRandom
done seeding SecureRandom
Jan 23, 2015 13:15:37 PM Information [ajp-bio-8014-exec-7] - Starting HTTP request {URL='https://ws.payconnexion.com:1401/pconWS/9_5/', method='post'}
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1405197529 bytes = { 191, 115, 95, 85, 79, 234, 145, 176, 62, 70, 36, 102, 168, 15, 127, 174, 88, 118, 4, 177, 226, 5, 254, 55, 108, 203, 80, 80 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: ws.payconnexion.com]
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 191
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 81
*** ServerHello, TLSv1
RandomCookie: <snip>
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
%% Initialized: [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA]
** TLS_RSA_WITH_AES_256_CBC_SHA
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 4183
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=ws.payconnexion.com, OU=PayConnexion, O=JPMorgan Chase, L=New York, ST=New York, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Sun Apr 20 19:00:00 CDT 2014,
               To: Tue Jun 02 18:59:59 CDT 2015]
Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [   <snip>]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://se.symcd.com
   accessMethod: caIssuers
   accessLocation: URIName: http://se.symcb.com/se.crt
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
     [URIName: http://se.symcb.com/se.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: <snip>
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: ws.payconnexion.com
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [1] = [
Version: V3
Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Sun Feb 07 18:00:00 CST 2010,
               To: Fri Feb 07 17:59:59 CST 2020]
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [    <snip>]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
<snip>
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
     [URIName: http://crl.verisign.com/pca3-g5.crl]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: <snip>
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
2.16.840.1.113733.1.8.1
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=VeriSignMPKI-2-7
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [2] = [
Version: V3
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Tue Nov 07 18:00:00 CST 2006,
               To: Sun Nov 07 17:59:59 CST 2021]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
SerialNumber: [<snip>]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
<snip>
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
codeSigning
2.16.840.1.113730.4.1
2.16.840.1.113733.1.8.1
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
Found trusted certificate:
Version: V3
Subject: CN=ws.payconnexion.com, OU=PayConnexion, O=JPMorgan Chase, L=New York, ST=New York, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus:   public exponent: 65537
Validity: [From: Sun Apr 20 19:00:00 CDT 2014,
               To: Tue Jun 02 18:59:59 CDT 2015]
Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ <snip>]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://se.symcd.com
   accessMethod: caIssuers
   accessLocation: URIName: http://se.symcb.com/se.crt
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
     [URIName: http://se.symcb.com/se.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: <snip>
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: ws.payconnexion.com
Algorithm: [SHA1withRSA]
Signature:
<snip>
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<Empty>
*** ServerHelloDone
matching alias: 1
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=*.payments.austintexas.gov, O=City of Austin, L=Austin, ST=Texas, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
<snip>public exponent: 65537
Validity: [From: Mon Aug 11 12:39:37 CDT 2014,
               To: Thu Sep 01 18:34:24 CDT 2016]
Issuer: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
SerialNumber: [<snip>]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.entrust.net
   accessMethod: caIssuers
   accessLocation: URIName: http://aia.entrust.net/2048-l1c.cer
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
     [URIName: http://crl.entrust.net/level1c.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.2.840.113533.7.75.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[CertificatePolicyId: [2.23.140.1.2.2]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.payments.austintexas.gov
DNSName: payments.austintexas.gov
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [1] = [
Version: V3
Subject: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Fri Nov 11 09:40:40 CST 2011,
               To: Thu Nov 11 20:51:17 CST 2021]
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
SerialNumber: [<snip>]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.entrust.net
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
     [URIName: http://crl.entrust.net/2048ca.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [2] = [
Version: V3
Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>public exponent: 65537
Validity: [From: Fri Dec 24 11:50:51 CST 1999,
               To: Tue Jul 24 09:15:12 CDT 2029]
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
SerialNumber: [<snip>]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 3970
SESSION KEYGEN:
PreMaster Secret:
<snip>
CONNECTION KEYGEN:
Client Nonce:
<snip>
Server Nonce:
<snip>
Master Secret:
<snip>
Client MAC write Secret:
<snip>
Server MAC write Secret:
<snip>
Client write key:
<snip>
Server write key:
<snip>
Client write IV:
<snip>
Server write IV:
<snip>
*** CertificateVerify
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 262
ajp-bio-8014-exec-7, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 51, 254, 40, 56, 247, 218, 130, 183, 112, 239, 95, 4 }
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 48
ajp-bio-8014-exec-7, READ: TLSv1 Change Cipher Spec, length = 1
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data: { 89, 182, 137, 178, 177, 31, 27, 115, 151, 90, 169, 49 }
%% Cached client session: [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA]
ajp-bio-8014-exec-7, setSoTimeout(60000) called
ajp-bio-8014-exec-7, WRITE: TLSv1 Application Data, length = 1520
ajp-bio-8014-exec-7, READ: TLSv1 Application Data, length = 128
Jan 23, 2015 13:15:38 PM Information [ajp-bio-8014-exec-7] - HTTP request completed {Status Code=500 ,Time taken=1302 ms}
ajp-bio-8014-exec-7, READ: TLSv1 Application Data, length = 256
ajp-bio-8014-exec-7, READ: TLSv1 Alert, length = 32
ajp-bio-8014-exec-7, RECV TLSv1 ALERT: warning, close_notify
ajp-bio-8014-exec-7, called closeInternal(false)
ajp-bio-8014-exec-7, SEND TLSv1 ALERT: warning, description = close_notify
ajp-bio-8014-exec-7, WRITE: TLSv1 Alert, length = 32
ajp-bio-8014-exec-7, called closeSocket(selfInitiated)
ajp-bio-8014-exec-7, called close()
ajp-bio-8014-exec-7, called closeInternal(true)

Ok, apparently Chase person who said we were not sending the certs and achieving mutual auth
was incorrect.   The https calls were connecting, and mutual auth was taking place.   The 500
error was about a soap envelope being delivered, and NOT SSL as I directed to.   Everything
is working fine now.
Thanks,
Bob

Webservice call failed during execution (SSL and certificates) on NetWeaver 7.30

Hey experts,
i need your help!
We make webservice calls to sap me with our own software.
We connect to our software via SSL and certificates e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
At the beginning the software runs without any problems and than we become the following message on all our webservice:
thats the webservice configurations
(configuration - connectivity - single service administration):
(configuration - security - authentication and single sign-on)
if we restart the software after the error display, the webservice call runs successfully again.
is it a timeout?
can anybody help us?
Thanks,
Markus
our system info:
NetWeaver 7.30 Java
SAP ME 6.0
software runs log looks as following
software doesn't runs log looks as following
security Log Entry
more info from security_00.0.log
#2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
Read data of type username and value MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
Read data of type username and value from HTTP header and set on module javax.security.auth.callback.NameCallback
Read data of type password and value xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).

Hi,
the authentication for the second call is failing. Have you tried suggest log level from note 880896 - Web Service authentication failure? I would also try to use something like SoapUI to test if the issue is caused by your application or something wrong on SAP side. Also coparing messages for the first and second calls might give you answer.
Cheers

Mutual SSL and NetBeans/JCAPS 6.2

Hi all,
i have a question about Mutual SSL for WebServices and NetBeans 6.5.1/JCAPS 6.2 and Metro 1.5 libs
I have created the Webservice and client example projects in the WSIT tutorial: CalculatorWS and CalculatorClient (https://wsit-docs.dev.java.net/releases/1.1/WSITTutorial.pdf)
I have also followed the guidelines in the pdf document "http://mediacast.sun.com/users/Michael.Czapski-Sun/media/CH05_WSSecurityExploration_r0.3.2.pdf" at paragraph 5.9 to make the WebService Mutual SSL. But for some reason it does not work in my opion as Michael is expecting at the start of paragraph 5.9.
In the client logfile i see that the server certificate is trusted, but in the server log i dont see such message. How do i know for sure that its mutual SSL?
Did someone else get the Mutual SSL working as described by Michael in paragraph 5.9?
Solutions are welcome.
Regards,
Madere.

This is a problem reported by many; search the forums for their experiences and solutions.

Auth Group for Accounting Doc and Account authorization for Vendors

Hi guys,
I have question regarding Accounting Doc for Vendor and G/l Account. I have a security client whree I build my business roles for end user but we we configuration client where all the functional focus wokring and doing configuration. My questiion when I start creating business roles and start going into these authorization objects and filling up the field values (F_BKPF_BEK, F_BKPF_BES, F_BKPF_BLA).
I won't see auth group that will be c reated by functional cocus because they are working on configuration Client and they probably create auth group for above authorization objects in Config lcient and I'm building Roles in my security client.
If it is true what would be the best way to create business role. I'm in realization face of the project Should I build my roles in Config client? Please advise.
Thanks in advance
Faisal

What is the benefit of a "security client" in DEV? I don't get it...
You anyway need to protect the namespace... and the authorizations for role development (SU24) and admin (PFCG).
Anyway, you have closed your question so we can only lick our wounds now
Cheers and good luck on your project (let is know how it goes if you stick around for long enough to experience a release upgrade...
Julius

What is "use SSL" and "S/MIME" mail settings for?

What is "use SSL" and "S/MIME" mail settings for?

it has do with encrypting your mail when sent over the web

Comms Express and proxy auth (ie for a portal or Identity system)

All, we'll be moving to Comms Express in about a month and we currently have an Identity/access management solution working with Mess Express (6.1) and using the proxy auth url (http://webmail.domain.com/?user=user1&proxy-auth=.....) We can pass the proxy auth from the access manager (SiteMinder) to ME and people can login into their Webmail (ME) without incident.
However UWC is a different animal. Does anyone know how to get a proxy auth url string for UWC to accomplish the same thing? I know UWC essentially does a proxy auth for messaging and calenar already, so we have to find something that does it to pass it to messaging and calendar to get the Comms Exprees interface.
We will be using the following version:
Sun Java(tm) System Messaging Server 6.2-4.03 (built Sep 22 2005)
libimta.so 6.2-4.03 (built 04:37:42, Sep 22 2005)
And UWC is at 118540-23
Any help would be appreciated.

pruebitas wrote:
Before, when we had Messenger Express, we have a web (like a portal) where users used to fill in a form with the user and the passwd to connect to the messenger express.
Now, with the UWC, is not posible to access the same way. I'm a bit lose with this.UWC provides Acess Manager Single-Sign-On (SSO). So if your web-application was to set an access-manager SSO cookie when the user logged in and redirected the user to the UWC login page, they would be automatically logged in (assuming you had configured UWC to allow access manager authentication).
For information on how to set access manager SSO cookies in web-interfaces, please refer to the access manager manuals on docs.sun.com.
Regards,
Shane.

Can i add a servlet in oracle database for webservices without java and how?

HI
can i add a servlet in oracle database for webservices without java and how?
Please help
Thanks

Dear Frank,
I have done as follows
created a form with a button, and in my button pressed event I wrote
WEB.SHOW_DOCUMENT('javascript:openMyURL("http://192.168.1.34/HELP/ADMF0005.html");', '_Self');
and in my formsweb.cfg I have the following
HTMLbeforeForm=<script> function OpenMyURL(page){window.open(page,"myURL","width=700,width=400,top=0,left=0,toolbar=no,menubar=no"); } </script>
When I click on the button it is coming with toolbar , etc as well as no page found is coming with the following in the address bar.
javascript:openMyURL("http://192.168.1.34/HELP/ADMF0005.html");
My html view source comes as below for the form
<HEAD><TITLE>Oracle9iAS Forms Services</TITLE></HEAD>
<BODY >
<script> function OpenMyURL(page){window.open(page,"myURL","width=700,width=400,top=0,left=0,toolbar=no,menubar=no"); } </script>

<OBJECT classid="clsid:CAFECAFE-0013-0001-0009-ABCDEFABCDEF"
codebase="/forms90/jinitiator/jinit.exe#Version=1,3,1,9"
WIDTH="1000"
HEIGHT="660"
HSPACE="0"
VSPACE="0">
<PARAM NAME="TYPE" VALUE="application/x-jinit-applet;version=1.3.1.9">
<PARAM NAME="CODEBASE" VALUE="/forms90/java">
<PARAM NAME="CODE" VALUE="oracle.forms.engine.Main" >
I am using Forms [32 Bit] Version 9.0.2.7.0

Exchange 2010, UCC SSL, and the "new" CA/BROWSER Forum not issuing for .local

I don't know how many people have run into this yet, but the CA/BROSWER Forum, the "standards" authority for SSL issuing, has mandated that CA's can no longer issue a certificate using a FQDN "intranet" name for new or renewal SSL certificates effective
Nov 1, 2012. i.e. the Microsoft standard of mydomain.local will no longer be accepted as a SAN on a UCC for Exchange 2010. I've looked thru the KBs and Social forums, but haven't really found any guidance on how to solve this. I'm presuming
that the certs will have to be split and the "external" domain name of server.mydomain.net will just become a single server SSL, and the internal name of server.mydomain.local will become a Self-Signed certificate. With the increasing prevalence of OA
and ActiveSync devices, is there any baseline guidance yet on how to make this happen without completely fouling up production servers and killing access to the user community?

On the same topic, though likely different environment...
Against recommended deployment, I have a number of clients running all their services on one box. Windows Server 2008, Active Directoy, DNS, Exchange 2010 ...and so on. These servers all have .local addresses, which means of course that the SAN
certificates have .local addresses as one of the SANs.
I've read alot online about this issue, and am trying to find the most cost effective solution to switch numerous production servers running this configuration.
The best solution I've come up with so far is...
1. Virtual AD with new external domain, 2. Migrate Exchange CAS to this domain, 3. Reconfigure network through the box.
Obviously these steps will contain alot more details, but this is just the outline atm. At best, I see me having to take a second box with me to each location to perform these steps, and I can't see it happening without disruption to the work flow
of employees.
Thankfully, all of these businesses are relatively smal...under 25 employees. Still, I'd like to find the smoothest transition solution possible.
Any suggestions would be greatly appreciated!
Regards

SSL and mutual auth. for webservice

Similar Messages

Maybe you are looking for