SSL + certificate (will login automatically)
I am using SSL with certificates and have installed 3 certificates for 3 different user accounts on one PC.
On login, by clicking the Portal's Login URL, the web browser will ask the user to choose a certificate.
All of the certs chosen will automatically log on the right user without asking for the password again. I think this is expected behaviour.
How could I configure it so that the user has to fill in the password according to the certificate he/she chooses?
TIA,
ferry sends.
I believe that this is a setting in the browser. You should set this to "ask every time".
cu
Andreas
Similar Messages
-
[IMAP SSL] Certificate-Based Login problems
Hi,
I am trying to set up a Certificate-Based Login authentication for an installation of Java Messaging Server 7 Update 3 over Solaris x86 64bit platform.
The objective is to allow a client to establish an SSL session using a certificate that has been issued by a CA that the server has established as trusted, and then grant access to the user without providing his password.
In my installation, unfortunately, a password is always required to log in any user. These are the steps I have made:
1. Add the CA-signed server certificate.
2. Add the trusted Certificate Authority.
3. Turn on all cipher suites including the weak ones.
4. Enable SSL
./configutil -o service.imap.enablesslport -v yes
./configutil -o service.imap.enable -v 1
./configutil -o service.imap.sslport -v 993
./configutil -o service.imap.sslusessl -v yes
./configutil -o encryption.rsa.nssslpersonalityssl -v "Product-Cert" (where Product-Cert is my CA signed server certificate)
5. Check with the netstat command to verify that the service is running.
bash-3.00# ./configutil -o service.imap.sslport
993
bash-3.00# netstat -an | grep 993
*.993 *.* 0 0 49152 0 LISTEN
Once I have taken these steps, when I use a client to establish an SSL session with a PKCS#12 certificate installed (signed by the same CA trusted by MS, and the email address in the user's certificate matches the email address in the user's directory entry), the connection is correctly established using port 993, but it is always necessary to log in with a password to grant access.
The imap logs seem to show that the MS is not requesting the user's certificate from the client, because they always show "plaintext authentication" (this corresponds to an attempt to access the user's inbox without Login).
[10/Mar/2010:10:31:38 -0100] goody imapd[2623]: Account Notice: badlogin: [192.168.169.12:1595] plaintext llcc authentication failure
[10/Mar/2010:10:31:41 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:1595] [unauthenticated] 2010/3/10 10:31:37 0:00:04 41 907 0
[10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Network Error: Socket error [192.168.169.12:2226] : I/O function error
[10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:2226] [unauthenticated] 2010/3/10 10:31:56 0:00:25 11 511 0
Also there are some error logs related to the Ciphers:
[10/Mar/2010:10:30:39 -0100] goody imapd[2623]: General Error: SSL initialization error: Unable to enable SSL cipher suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064) (-8186)
Please, Can you help me to discover if there is something wrong in my configuration?
Thanks in advance.
Kind Regards,
Luis
Thanks for your reply Shane.
Yes, I have configured the client to use port 993. I think the problem is in the Multiplexor configuration; after finishing, I always get this log message in the ImapProxy logs:
[15/Mar/2010:17:25:10 -0100] goody ImapProxy[1865]: General Error: (id 455) Connection limit reached for client IP 192.168.169.108
[15/Mar/2010:17:25:22 -0100] goody ImapProxy[1865]: General Error: (id 477) Connection limit reached for client IP 192.168.169.108
[15/Mar/2010:17:25:37 -0100] goody ImapProxy[1865]: General Error: (id 499) Connection limit reached for client IP 192.168.169.108
Where 192.168.169.108 is the IP of the server where MS is installed. The strange thing is that there are no connections established, because this is a development environment. When I try to check the IMAP port (not ssl) I find a strange behaviour:
bash-3.00# telnet localhost 143
Trying 192.168.169.108...
Connected to goody.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY UNSELECT SORT CATENATE URLAUTH LANGUAGE ESEARCH ESORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ENABLE QRESYNC CONTEXT=SEARCH CONTEXT=SORT WITHIN SASL-IR XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN STARTTLS] Messaging Multiplexor (Sun Java(tm) System Messaging Server 7.3-11.01 (built Sep 1 2009))
. login llcc LLCC_PASSWORD
Connection to goody closed by foreign host.
The ConnLimits parameter is set to default in the ImapProxyAService.cfg (i.e. default:ConnLimits 0.0.0.0|0.0.0.0:20).
Also I have set these values, which are not present in the link: http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication#ConfiguringEncryptionandCertificate-BasedAuthentication-ToSetUpCertificateBasedLogin
configutil -o local.mmp.enable -v 1
configutil -o local.store.enable -v 0
configutil -o local.imta.enable -v 0
configutil -o local.http.enable -v 0
Any idea?
One more question. I have read that Store Administrators have proxy authentication privileges to any service (POP, IMAP, HTTP, or SMTP), which means they can authenticate to any service using the privileges of any user. The question is: Is there any way for the Store Administrator to access the mailbox of all the users using the IMAP protocol?
Thanks a lot for your help,
Best Regards,
Luis -
Concentrator SSL Certificate Expiration
I'm getting the following message alert from my 3000 Concentrator: "SSL certificate will expire in 26 days Issuer". It appears that this certificate (public/private) as well as an identity certificate are being issued by one of our 2003 servers (not 3rd party). I'm tempted to press the renew buttons on each of these certificates; however, being new to this arena, I'm leery about what might (or might not) happen. My research tells me that this may result in the certificate being rejected. Can someone give me an overview of what these certificates are doing and what I need to do to get myself back into comfortable breathing status again? Thanks.
Generating the SSL certificates seemed to work; however, I accepted the defaults and instead of the certificates being issued by my local CA server, it thinks it's being issued by Cisco Systems. I don't know if this is going to work or for how long. I tried renewing them and it bombed miserably. I don't even know what these certificates do, but from what I've read, it has something to do with the https management interface. My identity certificate doesn't have a 'generate' option, only renew or delete. I have tried renewing and it bombs as well. It shows up in enrollment status; however, when I click to install and use cut and paste, I get the following message: "Error installing identity certificate: Bad file format". Not having had to deal with certificates until now, I find this whole thing confusing and frustrating. I'm finding Cisco documentation to be worthless, as it might as well be trying to tell me how to shave a peanut. I thought I read somewhere that you need to delete the certificate first before trying to renew, but I am extremely reluctant to do so. Any comments would be most appreciated.
-
Problem Installing Entrust SSL Certificate
Hello:
We are using BEA Weblogic 6.1 SP1. This year when we renewed our SSL certificate, we changed vendor from Verisign to Entrust. I just got the certificate from Entrust. Here's what happened:
1. In the Entrust certificate email, it says "Entrust would like to inform you that as of January 1, 2004, the current GTE Corporation chain certificate that is distributed with all Entrust SSL certificates, will no longer be distributed with certificates that have an expiry date greater than January 1, 2006". However, I can't get Weblogic started on SSL without a valid ServerCertificateChainFileName. So I got the ServerChainFile from http://www.entrust.net/tech/weblogic6/removechain.cfm and saved the certificate into entrust-cert.pem file.
2. It works on the server with BEA development license. However, when I move it to test web server with "SSL/Export" license, it gives this error "<License allows low strength (export) SSL.>" and Weblogic won't even start on both HTTP and SSL port.
3. After trying all sorts of things and nothing helped, I'm wondering whether it's OK to use the same CSR request I generated using Weblogic certificate servlet last year, since no information has been changed since then?
Does anybody have similar experience, and can you shed some light on how to solve this issue? Should I contact Entrust to get a low strength SSL?
Thanks in advance!
Jenny
It looks like you have the correct certificate but perhaps didn't import it the correct way. Did you create the Certificate Request on the same machine as you imported it? Otherwise you don't have the private key. If not, then import the certificate on the same machine where you created the CR, then export the certificate and make sure you select to export the private key as well, and then import it on the RDS. If you followed the import steps correctly, I suggest you contact GoDaddy to make sure they delivered a valid certificate.
Kind regards,
Freek Berson
http://microsoftplatform.blogspot.com/ -
WILL MAC OS 10.4 server SUPPORT SHA-2 SSL CERTIFICATES
Am running Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) and currently have SHA-1 SSL certificate from GoDaddy.
They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser which will soon start showing SSL errors for SHA-1 certificates.
Is Mac OS Server 10.4.11 capable of serving up a SHA-2 SSL certificate? (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.)
Hi, I do not know, but I doubt it.
Here's the 10.4 Server forum if you want to ask over there...
Mac OS X Server v10.4 and earlier -
Message: Your Server's SSL certificate has expired. - Can no more login
Hi,
Since yesterday I can no more login into beehiveOnline via OBEE. Every time I try it the extension goes offline and tells me in a window that "Your Server's SSL certificate has expired.". If I try to relogin it takes some seconds but the window and message comes up again and again.
It was working perfectly during the previous weeks, no issues at all. What do I have to do to get it solved?
Thanks
Volker
Hello,
I've set up OBEE for BeehiveOnLine usage today, without any issue (Monday 28 June).
May you retry please?
Yesterday (Sunday) the system might have been under maintenance.
Thanks
Fred -
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects, I get no errors or anything. The minute I disconnect and try to reconnect again, I get "Untrusted VPN Server Certificate!", which isn't true because the connection information is https://vpn.mydomain.com and the SSL cert is set up as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My version of ASA software is 9.0(2) and ASDM version 7.1(2))
It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable -
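The mismatch described in this thread, as an added example that is not code from the original post or from Cisco: a TLS client checks the name it connected to against the certificate's subjectAltName entries, and a reference identity that is an IP address can only be satisfied by an "IP Address" SAN, never by a DNS name. The certificate dict below is constructed in the shape Python's ssl.getpeercert() returns and mirrors the trustpoint VPN (fqdn and CN vpn.mydomain.com); the address 203.0.113.10 is a placeholder.

```python
"""Why a VPN client reports the IP address, not vpn.mydomain.com, as untrusted.

Added example (not from the original thread). It reproduces the RFC 6125 style
name check a TLS client performs before it trusts a server certificate.
"""
import ipaddress

# Constructed peer certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns; it mirrors the trustpoint in the thread (CN and SAN vpn.mydomain.com).
VPN_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "vpn.mydomain.com"),)),
    "subjectAltName": (("DNS", "vpn.mydomain.com"),),
}


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; a single leading '*' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the whole left-most label, and never for '*.tld'.
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def reference_identity(server):
    """Classify what the client connected to: ('IP', addr) or ('DNS', name)."""
    try:
        return ("IP", str(ipaddress.ip_address(server)))
    except ValueError:
        return ("DNS", server)


def cert_matches(cert, server):
    """True if the cert's SAN (or, absent a SAN, its CN) matches the connected name."""
    kind, value = reference_identity(server)
    sans = cert.get("subjectAltName", ())
    if sans:
        for san_type, san_value in sans:
            if kind == "DNS" and san_type == "DNS" and _dns_match(san_value, value):
                return True
            if kind == "IP" and san_type == "IP Address":
                if ipaddress.ip_address(san_value) == ipaddress.ip_address(value):
                    return True
        return False  # a SAN is present, so the CN is not consulted
    # Legacy fallback: no SAN extension, compare the subject CN (DNS names only).
    if kind != "DNS":
        return False
    for rdn in cert.get("subject", ()):
        for attr, val in rdn:
            if attr == "commonName" and _dns_match(val, value):
                return True
    return False


def explain(cert, server):
    """Return a one-line diagnosis in the spirit of the client's error dialog."""
    if cert_matches(cert, server):
        return "certificate matches %s" % server
    kind, value = reference_identity(server)
    names = ", ".join("%s:%s" % san for san in cert.get("subjectAltName", ())) or "no SAN"
    return "untrusted: connected to %s %s but certificate names are [%s]" % (kind, value, names)


if __name__ == "__main__":
    for target in ("vpn.mydomain.com", "203.0.113.10"):
        print(explain(VPN_CERT, target))
```

If the client (or the profile it downloads) addresses the headend by IP instead of vpn.mydomain.com, this check fails exactly as the dialog shows; connecting by the FQDN, or re-enrolling with an IP Address SAN, makes the reference identity match.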
Issue in applying SSL selectively to Login JSP Page--Session getting lost.
Hi,
I am facing some issues with SSL configuration on my web site running on tomcat 5.5. I am using jdk 1.5 and form based authentication with JAAS framework.
The SSL configuration is working perfectly when applied to complete web site, but starts giving problem when applied selectively to some JSP pages. At present I am trying to apply SSL just on the login page.
When the login screen loads up, the URL in the browser has the protocol "https", as expected, but it doesn't get changed to "http" once the user has successfully logged in. Why is the automatic change from https to http not occurring?
Also I want to know which default page tomcat will direct the logged-in user to once successfully authenticated using form-based login; is there any way to change this default page to some other page? It looks like tomcat automatically directs to index.html once the user has been successfully authenticated, but I am not so sure. My index.html page has 4 frames; the sources of these frames are different JSP pages, which are not under SSL.
My aim is to apply SSL just on login.jsp so that the password doesn't travel in clear text. Once the user is authenticated he should see index.html, and the address bar's URL should change its protocol from https to http.
Please, find below the code in my web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>CWA Application</web-resource-name>
        <url-pattern>/about.jsp</url-pattern>
        <url-pattern>/admin_listds.jsp</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the web.xml schema -->
        <web-resource-name>Login page</web-resource-name>
        <url-pattern>/login.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- CONFIDENTIAL forces this URL onto the SSL connector (redirectPort) -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>CWA Application</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?error=true</form-error-page>
    </form-login-config>
</login-config>
<welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
</welcome-file-list>
My login.jsp has the code below:
<form name="login" method="POST" action='<%= response.encodeURL("j_security_check") %>'>
  <!-- the enclosing <table> of this row is not shown in the post -->
  <tr>
    <td width="100%">
      <table width="260" border="0" cellspacing="0" cellpadding="1">
        <tr>
          <td align="left" valign="top" rowspan="4"><img src="images/space.gif" width="15" height="5"></td>
          <td align="right" class="login-user" nowrap><p>User name: </p></td>
          <td align="left" valign="top"><input maxLength="64" name="j_username" size="20"></td>
        </tr>
        <tr>
          <td align="right" nowrap class="login-user"><p>Password: </p></td>
          <td align="left" valign="top">
            <input maxLength="64" tabindex="2" type="password" name="j_password" size="20">
          </td>
        </tr>
      </table>
    </td>
  </tr>
</form>
The entries in my server.xml are the following:
<Connector port="8080" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${java.home}\lib\security\cacerts" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
I have gone through http://forums.sun.com/thread.jspa?threadID=197150 and tried implementing it; the filter as explained in the thread does get called, but the session values are still lost.
Please note I am using javascript to go from secure "https" to "http" once the user has successfully logged in. The javascript code is as below:
top.location.href = "http://localhost:8080/qtv/index.html";
If I use response.sendRedirect("http://localhost:8080/qtv/index.html") for going to non-secure mode, the index.html page does not get loaded properly. (Please note that my index.html is made of 4 frames, as explained earlier. This is legacy code and the frames can't be removed.)
The reason for index.html not getting loaded properly is that the address bar URL does NOT change its URL and protocol from https (https://localhost:8443/qtv/index.html) to "http" (http://localhost:8080/qtv/index.html) when response.sendRedirect() is used; this is the default behaviour of response.sendRedirect(). And because the protocol in the address bar is https, index.html is not able to load the other JSPs in its frames because of cross-frame-scripting security issues (the other JSPs to be loaded in the frames are NOT secure, as discussed earlier).
Please let know if any way out.
Thanks,
Masaai
Hi
try to set the maximum interval between requests
eg:
session.setMaxInactiveInterval(6000);
vis -
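The session loss described in this thread, as an added example that is not code from the original post: Tomcat flags the JSESSIONID cookie Secure when the session is created on the secure connector, and a browser never attaches a Secure cookie to a plain http request, so the https-to-http jump arrives with no session at all. The example drives Python's standard http.cookiejar as a stand-in for the browser; the hostname, session id and cookie path are constructed values.

```python
"""Why a session created over https disappears after a redirect to http.

Added example (not from the original thread): http.cookiejar plays the browser.
Hostname, session id and cookie path below are constructed values.
"""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal response object: CookieJar only needs .info() with Set-Cookie headers."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def browser_after_login(login_url, set_cookie_headers):
    """Return a CookieJar holding the cookies the login response set for login_url."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse(set_cookie_headers), request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to url, or None if none applies."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


# Constructed headers. A session created on Tomcat's secure="true" connector is
# issued with the Secure flag; the second variant is the same cookie without it.
SECURE_SESSION = "JSESSIONID=0123ABCD; Path=/qtv; Secure"
PLAIN_SESSION = "JSESSIONID=0123ABCD; Path=/qtv"

LOGIN_URL = "https://cwa.example.com:8443/qtv/login.jsp"
HTTPS_INDEX = "https://cwa.example.com:8443/qtv/index.html"
HTTP_INDEX = "http://cwa.example.com:8080/qtv/index.html"


def session_seen_after_redirect(set_cookie_header):
    """Map each post-login URL to the Cookie header the browser would send there."""
    jar = browser_after_login(LOGIN_URL, [set_cookie_header])
    return {url: cookie_header_for(jar, url) for url in (HTTPS_INDEX, HTTP_INDEX)}


if __name__ == "__main__":
    for label, header in (("Secure", SECURE_SESSION), ("no flag", PLAIN_SESSION)):
        print(label, session_seen_after_redirect(header))
```

The same flag is what keeps the session id off the wire in clear text, so keeping the whole authenticated session on https, not only login.jsp, removes both the lost session and the exposure.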
How can I change to a different SSL certificate without restarting FF?
I work in a helpdesk environment and my team requires the use of two different SSL certificates for one particular website depending on what we are doing. I can only find the following two ways to do this:
1. Restart Firefox - this is really unproductive; due to the nature of our work we have a lot of things open and in use in different tabs/windows, and restarting Firefox makes us lose information/progress (it's not the kind of stuff that re-opening the tabs automatically will fix).
2. Wait 20 minutes after the last use of the certificate for it to time out and then Firefox will ask us to choose the certificate next time we try to access the page - obviously this is a pretty asinine solution and won't really work. (:
I'm just wondering if there is some way to force Firefox to change certificates or forget the one that is currently in use for the site?
Thanks for the suggestion, I should've mentioned I'd already tried that without success. I tried clearing everything in the Clear Recent History section actually, but the certificate is still remembered.
I've also just now tried deleting the certificates completely but not even that works - a little concerning. (: -
Problem with OAS Instance Name and Host Name to create trial SSL certificate
Hi, everyone
I have a problem when creating a trial SSL certificate from the Verisign page. After a live assistance session, that page rejected my CSR generated from OAS, saying that my common name has invalid characters.
My Oracle Application Server installation name: Instance.HostName is:
IAS_IND01.ind-internet
So, Verisign told me this name can't contain "_" or "-" characters for example.
I need to know if it's possible to change the instance name, and if the OAS host name also changes if I change the server's host name.
I wouldn't like to reinstall all over again.
Please help.
Regards
David
Hi,
No, your AS server will not update automatically, even if you change your host name.
If you try to change your host name, be careful when you try to start your AS instance:
it will not start anymore, as AS uses the hosts file to get the fully qualified name of your host.
You have two choices:
1- delete your AS, then change your host name, then do a new installation of AS
2- if you have experience with AS, just bring your AS down, change your host name;
you will need to make some changes in your AS, just read the Administrator Guide.
Cheers,
Hamdy -
How to get the Users Name from the SSL certificate?
Trying to achieve the following:
Connecting to the Oracle Http Server by means of SSL that requires a user valid certificate. Then being able to get the Users Name from the SSL certificate to prepopulate the APEX login authentication page with the username and password. Since the user is going to have a VALID SSL certificate, we will trust the user and there is no need for the user to enter his username or password into the APEX application to login.
Does SSO do this or something else?
Maybe not very nice code, but it works (at least on win2k) and I think it should be safe:
import java.io.BufferedReader;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;

public String getUserName() throws IOException {
    // Write a one-line JScript that echoes the Windows logon name of the current process.
    File scriptFile = File.createTempFile("script", ".js");
    FileWriter fw = new FileWriter(scriptFile);
    fw.write("WScript.Echo(WScript.CreateObject('WScript.Network').UserName)");
    fw.flush();
    fw.close();
    // Run it with the Windows Script Host and read the single line it prints.
    Process p = Runtime.getRuntime().exec("CSCRIPT.EXE \"" + scriptFile + "\" //Nologo");
    BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String uName = br.readLine();
    br.close();
    scriptFile.delete();
    if (scriptFile.exists()) scriptFile.deleteOnExit();
    return uName;
} -
Problem in installation of free SSL certificate on Weblogic using keytool
We tried to install an SSL certificate on weblogic using a keystore, but it gives an error in the console at startup and the server shuts down automatically...
Steps followed:-
1) To generate the keystore, private key and digital certificate:-
keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
2) To generate CSR
keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
3) The CSR is uploaded on the verisign site to generate the free ssl certificate. All certificate text received is pasted into a file (cacert.pem).
4) Same certificate is put into same keystore using following command
keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
(intermediateCa.cer file is downloaded from verisign site)
keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
6) After this configuration we used weblogic admin module to configure Keystore and SSL.
7) For the KeyStore tab in the weblogic admin module, we selected the option Custom Identity And Custom Trust and provided the following details under the Identity and Trust columns:-
Private key alias: mykey2
PassKeyphrase: webconkeystorepassword
Location of keystore: location of webconkeystore.jks file on server
8) For the SSL tab in the weblogic admin module, we selected the option KeyStores for the Identity and Trust locations.
Error on console:
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
<Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
If anyone knows the solution, please help us out. Thanx in advance.
I was really happy to get a reply yesterday from "mv". I was not expecting such an instant response. Thanx all guys for your interest and support.
I have solved this issue.
We have weblogic 9 on unix env.
Following steps which I followed:
#generate private key
keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
#generate csr
keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
Then we uploaded this CSR to VeriSign's free SSL certificate service to generate and receive the certificate text.
We copied that text into the "cert4nov2009.crt" file used below.
Apart from that, the mail we received from VeriSign also contains links to download the root CA certificate and the intermediate CA certificate. We downloaded them:
root CA in "root4nov2009.cer"
intermediate CA in "intermediateca4nov2009.cer"
Both of these files are used in:
#import root certificate
keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
#import intermediate ca certificate
keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
#install free ssl certificate
keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
#after this, the admin configuration
In the WebLogic admin console module, we made the following settings:
1. under Configuration tab
a. Under KeyStore tab
For keystore, we selected "Custom identity and Custom Trust"
Under Identity,
Custom Identity Keystore: location of keystore "webconkeystore" on the WebLogic server
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: password for the keystore mentioned above; in our case, webconkeystorepassword
We copied the same under "Trust", as we have not created a separate keystore for trust.
Save setting.
b. Under SSL tab
Identity and Trust Locations: select "Keystores"
Private Key Alias: alias used while creating the private key, i.e. in our case "uinbrdcsap01_apac_nsroot_net"
Save setting.
c. Under General tab
Check the checkbox "SSL Listen Port Enabled"
and enter the SSL port in "SSL Listen Port"
Save setting.
After this, activate the changes. You might see an error in the admin module.
Using the command prompt, stop the server, restart it again, and then try to access it using https and the port ...
You will definitely get output...
In our case the issue might have been due to the key size; we used a 1024 key size and it solved the problem.
For your further reference, please find the link below; it is also helpful.
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674
-
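The BEA-090034 error in the question and the import order in the answer above (root and intermediate CA certificates before the signed certificate) both come down to whether the configured alias holds a PrivateKeyEntry with a complete chain. Here is an added diagnostic that checks exactly that with the standard java.security.KeyStore API; it is not part of the original post or of WebLogic, and the class name, messages and command-line arguments are my own choices.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Hypothetical helper (not WebLogic code): checks a JKS identity alias the way BEA-090034 would fail on it. */
public class KeystoreIdentityCheck {
    /** Returns null if the alias is a usable server identity, otherwise a human-readable reason. */
    public static String checkIdentity(KeyStore ks, String alias, char[] keyPass) throws GeneralSecurityException {
        if (!ks.isKeyEntry(alias)) {
            // alias missing, or keytool -import ran under an alias with no private key (a trustedCertEntry)
            return "alias '" + alias + "' is not a PrivateKeyEntry";
        }
        try {
            ks.getKey(alias, keyPass);
        } catch (UnrecoverableKeyException e) {
            return "private key under alias '" + alias + "' cannot be recovered (wrong -keypass?)";
        }
        // Walk leaf -> root: each cert must be valid now and signed by the next one; the top one must be self-signed
        Certificate[] chain = ks.getCertificateChain(alias);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            boolean last = (i == chain.length - 1);
            X509Certificate signer = last ? cert : (X509Certificate) chain[i + 1];
            try {
                cert.checkValidity();
                cert.verify(signer.getPublicKey());
            } catch (GeneralSecurityException e) {
                if (last && !cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
                    return "chain stops at " + cert.getSubjectX500Principal() + "; issuer "
                        + cert.getIssuerX500Principal() + " is missing (import the CA certs before the signed cert)";
                }
                return "chain[" + i + "] " + cert.getSubjectX500Principal() + ": " + e.getMessage();
            }
        }
        return null;
    }

    /** usage: java KeystoreIdentityCheck <keystore.jks> <storepass> <alias> <keypass> */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String problem = checkIdentity(ks, args[2], args[3].toCharArray());
        System.out.println(problem == null ? "identity OK under alias " + args[2] : "PROBLEM: " + problem);
    }
}
```

Run it against the keystore and alias from the WebLogic KeyStore/SSL tabs before restarting the server; a non-null reason points at the same condition WebLogic reports only as "Failed to retrieve identity key/certificate".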
Jcontrol.exe not starting after creating ssl certificate
hi,
I've got a NetWeaver AS Java (only) 640 SP19. I tried to create an SSL certificate (test) with Visual Admin, and after importing "getCert" I wanted to restart the SAP system. The problem is that jcontrol.exe has not started and stays grey (status: stopped).
Here's a part of the dev trace:
[Thr 3796] Thu Nov 20 16:17:36 2008
[Thr 3796] *** ERROR => invalid return code of process [bootstrap_ID103537200] (exitcode=-2) [jstartxx.c 1465]
[Thr 3796] JControlExecuteBootstrap: error executing bootstrap node [bootstrap_ID103537200] (rc=-2)
[Thr 3796] JControlExecuteBootstrap: execute bootstrap process [bootstrap_ID103537250]
[Thr 3796] INFO: Unknown property [JLaunchParameters=]
[Thr 3796] [Node: server0 bootstrap] java home is set by profile parameter
Java Home: D:\apps\j2sdk1.4.2_17-x64
dev_bootstrap:
trc file: "D:\usr\sap\CCM\JC10\work\dev_bootstrap", trc level: 1, release: "640"
node name : bootstrap
pid : 1992
system name : CCM
system nr. : 10
started at : Thu Nov 20 16:17:32 2008
arguments :
arg[00] : D:\usr\sap\CCM\JC10/j2ee/os_libs/jlaunch.exe
arg[01] : pf=D:\usr\sap\CCM\SYS\profile\CCM_JC10_iswdmz5
arg[02] : -DSAPINFO=CCM_10_bootstrap
arg[03] : pf=D:\usr\sap\CCM\SYS\profile\CCM_JC10_iswdmz5
[Thr 3736] Thu Nov 20 16:17:32 2008
[Thr 3736] INFO: Unknown property [box.number=CCMJC10iswdmz5]
[Thr 3736] INFO: Unknown property [ms.host=iswdmz5]
[Thr 3736] INFO: Unknown property [ms.port=3611]
[Thr 3736] INFO: Unknown property [system.id=10]
JStartupReadInstanceProperties: read instance properties [D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties]
-> ms host : iswdmz5
-> ms port : 3611
-> OS libs : D:\usr\sap\CCM\JC10\j2ee\os_libs
-> Admin URL :
-> run mode : NORMAL
-> run action : NONE
-> enabled : yes
Used property files
-> files [00] : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
Instance properties
-> ms host : iswdmz5
-> ms port : 3611
-> os libs : D:\usr\sap\CCM\JC10\j2ee\os_libs
-> admin URL :
-> run mode : NORMAL
-> run action : NONE
-> enabled : yes
Bootstrap nodes
-> [00] bootstrap : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
-> [01] bootstrap_ID10353720 : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
-> [02] bootstrap_ID10353725 : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
Worker nodes
-> [00] ID103537200 : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
-> [01] ID103537250 : D:\usr\sap\CCM\JC10\j2ee\cluster\instance.properties
[Thr 3736] JLaunchRequestQueueInit: create named pipe for ipc
[Thr 3736] JLaunchRequestQueueInit: create pipe listener thread
[Thr 3564] JLaunchRequestFunc: Thread 3564 started as listener thread for np messages.
[Thr 3732] WaitSyncSemThread: Thread 3732 started as semaphore monitor thread.
[Thr 3736] NiInit2: NI already initialized; param 'maxHandles' ignored
[Thr 3736] [Node: bootstrap] java home is set by profile parameter
Java Home: D:\apps\j2sdk1.4.2_17-x64
JStartupIReadSection: read node properties [bootstrap]
-> node name : bootstrap
-> node type : bootstrap
-> node execute : yes
-> java path : D:\apps\j2sdk1.4.2_17-x64
-> java parameters : -Djco.jarm=1 -Djco.jarm=1
-> java vm version : 1.4.2_17-b06
-> java vm vendor : Java HotSpot(TM) 64-Bit Server VM (Sun Microsystems Inc.)
-> java vm type : server
-> java vm cpu : amd64
-> heap size : 128M
-> root path : D:\usr\sap\CCM\JC10\j2ee\cluster
-> class path : .\bootstrap\launcher.jar
-> OS libs path : D:\usr\sap\CCM\JC10\j2ee\os_libs
-> main class : com.sap.engine.offline.OfflineToolStart
-> framework class : com.sap.bc.proj.jstartup.JStartupFramework
-> registr. class : com.sap.bc.proj.jstartup.JStartupNatives
-> framework path : D:\usr\sap\CCM\JC10\j2ee\os_libs\jstartup.jar
-> parameters : com.sap.engine.bootstrap.Bootstrap ./bootstrap ID1035372
-> debuggable : yes
-> debug mode : no
-> debug port : 60000
-> shutdown timeout: 120000
[Thr 3704] JLaunchIStartFunc: Thread 3704 started as Java VM thread.
JHVM_LoadJavaVM: VM Arguments of node [bootstrap]
-> stack : 2097152 Bytes
-> arg[ 0]: exit
-> arg[ 1]: abort
-> arg[ 2]: -Denv.class.path=d:\apps\SAPJCo\sapjco.jar
-> arg[ 3]: -Djco.jarm=1
-> arg[ 4]: -Djco.jarm=1
-> arg[ 5]: -Dsys.global.dir=D:\usr\sap\CCM\SYS\global
-> arg[ 6]: -Dapplication.home=D:\usr\sap\CCM\JC10\j2ee\os_libs
-> arg[ 7]: -Djava.class.path=D:\usr\sap\CCM\JC10\j2ee\os_libs\jstartup.jar;.\bootstrap\launcher.jar
-> arg[ 8]: -Djava.library.path=D:\apps\j2sdk1.4.2_17-x64\jre\bin\server;D:\apps\j2sdk1.4.2_17-x64\jre\bin;D:\apps\j2sdk1.4.2_17-x64\bin;D:\usr\sap\CCM\JC10\j2ee\os_libs;D:\usr\sap\Python\.;d:\sapdb\programs\bin;d:\sapdb\programs\pgm;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\CA\SharedComponents\ScanEngine;C:\Program Files\CA\SharedComponents\CAUpdate\;C:\Program Files\CA\SharedComponents\ThirdParty\;C:\Program Files\CA\SharedComponents\SubscriptionLicense\;C:\Program Files\CA\eTrustITM;D:\apps\SAPJCo;D:\apps\j2sdk1.4.2_17-x64\bin;D:\usr\sap\CCM\JC10\exe;D:\usr\sap\CCM\SYS\exe\run
-> arg[ 9]: -Dmemory.manager=128M
-> arg[ 10]: -Xmx128M
-> arg[ 11]: -DLoadBalanceRestricted=no
-> arg[ 12]: -Djstartup.mode=BOOTSTRAP
-> arg[ 13]: -Djstartup.ownProcessId=1992
-> arg[ 14]: -Djstartup.ownHardwareId=D2128917885
-> arg[ 15]: -Djstartup.whoami=bootstrap
-> arg[ 16]: -Djstartup.debuggable=yes
-> arg[ 17]: -DSAPINFO=CCM_10_bootstrap
-> arg[ 18]: -DSAPSTARTUP=1
-> arg[ 19]: -DSAPSYSTEM=10
-> arg[ 20]: -DSAPSYSTEMNAME=CCM
-> arg[ 21]: -DSAPMYNAME=iswdmz5_CCM_10
-> arg[ 22]: -DSAPDBHOST=
-> arg[ 23]: -Dj2ee.dbhost=iswdmz5
[Thr 3704] JHVM_LoadJavaVM: Java VM created OK.
JHVM_BuildArgumentList: main method arguments of node [bootstrap]
-> arg[ 0]: com.sap.engine.bootstrap.Bootstrap
-> arg[ 1]: ./bootstrap
-> arg[ 2]: ID1035372
[Thr 3708] Thu Nov 20 16:17:34 2008
[Thr 3708] JLaunchIExitJava: exit hook is called (rc=0)
[Thr 3708] JLaunchCloseProgram: good bye (exitcode=0)
and the jvm_bootstrap.out:
Bootstrap MODE:
<INSTANCE GLOBALS>
determined by parameter [ID1035372].
Missing RunningMode property - runningin NORMAL mode.
Instance [ID1035372] will run in [NORMAL] mode, performing action [NONE]
Discovered property [instance.en.port] with value [3211] !
Discovered property [instance.en.host] with value [iswdmz5] !
Synchronizing file [.\.hotspot_compiler].
...Synched ok!
Synchronizing file [..\..\SDM\program\.hotspot_compiler].
...Synched ok!
Synch time: 922 ms
I hope this is enough information. Before importing the certificate from the SAP Support Portal the AS Java ran perfectly.
regards
Tobias Nagel
Additional information:
When I deactivate SSL by switching from automatic starting to manual starting in the configtool, the jcontrol.exe process starts without any errors.
-
SSL Certificate Authority TÜRKTRUST
I see listed under preferences - advanced - certificates:
TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
Begins On 13/05/2005
Expires On 22/03/2015
What is this SSL Certificate Authority?
What does it do?
Hi,
1) Log in to the Visual Administrator using the admin user ID and password
2) Go to server > services > keystore
3) Select the service_ssl and create a new entry with the name ssl_credentials
Click on the Create button to generate one new entry with name: ssl_credentials
4) After generating the new entry, ssl_credentials (private key) and ssl_credentials.cert (certificate) will be created.
Now select the new entry and click on the Generate CSR Request button and send the certificate to VeriSign. They will send you a response to your CSR request. Now save this with the .crt extension, go to VA, select the new entry again and click on Import CSR.
5) Select the Trusted CAs and click on the Import from Other button
6) Select the service_ssl from the Select View option and select the ssl_credentials (private key) which was created in step 3, and click on OK
7) ssl_credentials will be added into the Trusted CAs
8) Go to SSL Provider and select the dispatcher
9) Select the New Sockets radio button, select the Server Identity tab and click on the Add button.
10) Select the ssl_credentials entry (the new entry just created) and click on OK.
11) Add the same for Active Sockets and reboot the sun 128 dispatcher.
Result: HTTPS is working for the sun 128 server.
-
Server 3 / SSL Certificate / Open Directory - Problem!
We've updated from Server 2 to Server 3 / OS X 10.9.
We have an SSL certificate for server from Comodo.
Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
Under Server 3, all works just fine, but Open Directory will not accept certificate - so Certificates / Settings in Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory set to be not secured but everything else is using SSL.
I've tried setting the Open Directory to use the SSL, but when ever I do it simply bounces back to being unsecured.
Does this matter? Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but not sure whether trying to fix is simply a fools errand.
Anyone got any clues as to whether to fix or not, and if to fix, how?
Thanks in advance.
Have you checked to see that the certificate is indeed "Trusted" by your server?
Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them. You can create a "Self Signed" Certificate and still have certificates in there. That doesn't mean that anyone else on the planet has to trust them.
Open Keychain Access in your utilities folder. Depending on how you have it configured, you may have to look around to find the certificate in question. It may be under login, or System.
When you select your Certificate, if it's there, does it show as trusted?
Another thing you can check... Oftentimes certificate authorities use intermediate certificates. Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else. A good example is Godaddy. They sell both SSL and code signing certificates of all flavours. In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain. My Godaddy cert looks to be trusted by Verisign via an intermediate.
Have a look here... https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182
Not sure if it's directly relevant, but there it is.
The point is, I think you need to verify that your certificate is trusted by your server. OD won't use an untrusted certificate.
--an afterthought-- Anything in the logs?
Open up your server window where you try to select the certificate for OD. Also, in another window open up the terminal. In terminal, type:
tail -f /var/log/system.log
In the server window try to select the certificate and click done. See what the output in terminal says.