2-way handshake fails / "handshake failure"

I'm trying to set up a 2-way handshake with a server (Nortel Alteon SSL Accelerator).
I have the client certificate on my keystore as well as the CA Root certificate in the signers.
My java client works just fine if no client authentication is required by the server.
Also, if I test the 2-way handshake with my browser (IE), I have no problem establishing the connection after it has prompted me for the appropriate (client) certificate (which I've imported into IE).
So I wonder if there is a particular thing to define at the application level to explicitly return the client certificate at runtime (just like I do by clicking on the button in the IE popup)?
Here are the main properties from JSSE I'm using:
try {
    // Use Sun's reference implementation of a URL handler
    // for the HTTPS URL protocol
    System.setProperty("java.protocol.handler.pkgs",
            "com.sun.net.ssl.internal.www.protocol");
    // Registers dynamically Sun's ssl provider.
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    // Specify the location of the truststore file
    // truststore file contains key material for the TrustManager
    // This file takes precedence over jssecacerts and cacerts
    System.setProperty("javax.net.ssl.trustStore", _trustStorePath);
    System.setProperty("javax.net.ssl.trustStorePassword",
            _trustStorePassword);
    endpoint = new java.net.URL(rpcrouter_address);
Here is the exception I get :
stackTrace: javax.net.ssl.SSLHandshakeException: handshake failure
     at com.ibm.jsse.bd.a(Unknown Source)
     at com.ibm.jsse.bd.startHandshake(Unknown Source)
Tks for the help.
--MAS

Thanks for the attention ...
At first, I used the same file :
Ref : System.setProperty("javax.net.ssl.trustStore", _trustStorePath);
Then, I realized that it might be better to use a different one for the keys, so I've imported the client certificate into a new file and added in my code :
System.setProperty("javax.net.ssl.keyStore",_keyStorePath);
But I always get the same exception :
javax.net.ssl.SSLHandshakeException "handshake failure"
On the server's side, I have that client certificate defined. I still wonder if everything is fine with the Alteon config (these Nortel's things are tricky ...) but again when I simulate the client authentication within IE, it works just fine.
--MAS
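
An added example, not part of the original posts: a check a practitioner would run in the situation described above. It lists which entries of the client key store can actually be presented for client authentication (a private key with its chain, as opposed to a certificate imported on its own) and then builds an SSLContext from that key store and the trust store. The class name, the KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD environment variables and the command-line arguments are assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added illustration: class name, environment variable names and arguments are assumptions.
public class ClientAuthCheck {

    /** Reads a store password from the environment so it does not show up in the process list. */
    static char[] password(String envName) {
        String value = System.getenv(envName);
        if (value == null) {
            throw new IllegalStateException(envName + " is not set");
        }
        return value.toCharArray();
    }

    /** Loads a key store file; the file format must be one the JDK's default store type can read. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Counts the entries usable as a TLS client identity: a private key plus its
     * certificate chain. A certificate imported without its key is only a
     * trusted-certificate entry; the client cannot sign the handshake with it,
     * so it is never sent in answer to the server's certificate request.
     */
    static int countClientIdentities(KeyStore ks) throws Exception {
        int identities = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                identities++;
                System.out.println("[identity] " + alias + " (chain length " + chain.length + ")");
                if (chain[0] instanceof X509Certificate) {
                    X509Certificate leaf = (X509Certificate) chain[0];
                    // The issuer has to be a CA the server is configured to accept.
                    System.out.println("    subject: " + leaf.getSubjectX500Principal());
                    System.out.println("    issuer:  " + leaf.getIssuerX500Principal());
                }
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println("[certificate only, no private key] " + alias);
            }
        }
        return identities;
    }

    /** Builds a context that presents keys from keyStore and trusts the CAs in trustStore. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword); // password protecting the private key entries
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ClientAuthCheck <keystore> <truststore> [https-url]");
            System.exit(2);
        }
        char[] keyPass = password("KEYSTORE_PASSWORD");
        KeyStore keyStore = load(args[0], keyPass);
        KeyStore trustStore = load(args[1], password("TRUSTSTORE_PASSWORD"));

        if (countClientIdentities(keyStore) == 0) {
            System.err.println("No private-key entry: this key store cannot answer a certificate request.");
            System.exit(1);
        }
        SSLContext ctx = buildContext(keyStore, keyPass, trustStore);
        if (args.length > 2) {
            // Optional live test against the given HTTPS endpoint.
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
            conn.setSSLSocketFactory(ctx.getSocketFactory());
            System.out.println("HTTP status: " + conn.getResponseCode());
        }
    }
}
```

On Oracle/OpenJDK JSSE, running the client with -Djavax.net.debug=ssl,handshake additionally shows the server's certificate request and the chain the client sends back.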

Similar Messages

  • Write Channel Closed, possible SSL handshaking or trust failure

    Hi,
    I have a problem while working with Two-way SSL. I get a "Write Channel Closed, possible
    SSL handshaking or trust failure" error while contacting the server for invoking
    a webservice secured by SSL.
    I could figure out that the error is happening on client side while validating
    the server certificate.
    One more observation that I was able to find is, it works fine if the Server certificate
    and the client certificate are signed by the same (root) CA.
    I tried various options but couldn't find my luck. The BEA documentation in this
    regard is not at all sufficient.
    If I give strict checking false on my client end, the application works fine.
    But for my scenario I want strict checking to happen (otherwise there is no
    point in going for SSL itself).
    I am using WLSSLAdapter on my client side. The client application is a standalone
    java class running out of weblogic (ideally running on JRun).
    The way I have coded in my java class is:
    String certificatePath = "C:/Cerificates/cert.pem";
    String caCertificatePath = "C:/Cerificates/clientca.pem";
    String targetURL = "https://localhost:443/feedservice/FeedService";
    //set weblogic ServiceFactory
    System.setProperty( "javax.xml.rpc.ServiceFactory",
            "weblogic.webservice.core.rpc.ServiceFactoryImpl" );
    System.setProperty("java.protocol.handler.pkgs","com.certicom.net.ssl");
    System.setProperty("https.cipherSuites","SHA1withRSA,MD5withRSA");
    SSLAdapterFactory sslFactory = SSLAdapterFactory.getDefaultFactory();
    WLSSLAdapter adapter = (WLSSLAdapter) sslFactory.getSSLAdapter();
    adapter.setProtocolVersion("SSL3");
    adapter.setStrictChecking(true);
    adapter.setVerbose(true);
    FileInputStream clientCredentialFile = new FileInputStream (certificatePath);
    String pwd = "password";
    System.out.println("Loding Certificate from ........"+certificatePath);
    adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
    System.out.println("Loding CA Certificate from ........"+caCertificatePath);
    adapter.setTrustedCertificatesFile(caCertificatePath);
    // optionally set the Adapter factory to use this instance always.
    sslFactory.setDefaultAdapter(adapter);
    sslFactory.setUseDefaultAdapter(true);
    // Webservice invocation code..
    call.setTargetEndpointAddress(targetURL);
    call.setProperty("weblogic.webservice.client.ssladapter",adapter);
    Object result = call.invoke(new Object[]{"test.xml"});
    The error that I get:
    java.io.IOException: Write Channel Closed, possible SSL handshaking or trust failure
        at com.certicom.tls.record.WriteHandler.write(Unknown Source)
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
        at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
        at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
        at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
        at com.certicom.tls.record.WriteHandler.write(Unknown Source)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:67)
        at java.io.BufferedOutputStream.write(BufferedOutputStream.java:106)
        at java.io.FilterOutputStream.write(FilterOutputStream.java:78)
        at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:359)
        at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:284)
        at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:34)
        at weblogic.webservice.core.HandlerChain.handleRequest(HandlerChain.java:131)
        at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:421)
        at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:363)
        at weblogic.webservice.core.rpc.CallImpl.invoke(CallImpl.java:423)
        at weblogic.webservice.core.rpc.CallImpl.invoke(CallImpl.java:292)
        at com.chase.userspace.aceclient.Client.main(Client.java:253)
    Exception in handler's handleRequest().
    Exception in thread "main" javax.xml.rpc.soap.SOAPFaultException: Write Channel Closed, possible SSL handshaking or trust failure
        at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:479)
        at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:363)
        at weblogic.webservice.core.rpc.CallImpl.invoke(CallImpl.java:423)
        at weblogic.webservice.core.rpc.CallImpl.invoke(CallImpl.java:292)
        at com.chase.userspace.aceclient.Client.main(Client.java:253)
    Can someone give the working phone number of ....BEA CUSTOMER SUPPORT...

    The signature validation failure means your trusted CA certificate is not the issuer
    of the identity certificate. The identity certificate issuer name can match to
    the trusted CA certificate name, but the signature check really determines whether
    it is the issuer.
    Pavel.
    "Chandra Sekhar Rao" <[email protected]> wrote:
    >
    Hi payal,
    I have the issuer of the server identity certificate in the trust file on client
    side. The problem is with signature validation
    "Pavel" <[email protected]> wrote:
    It looks like your client does not trust the server certificate. Make sure the
    certificate you pass in adapter.setTrustedCertificatesFile(caCertificatePath);
    is the issuer of the server's identity certificate.
    Pavel.
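
    The distinction drawn in the reply above, issuer name versus signature, as an added example that is not part of the thread: it compares every certificate in a trusted-CA file against a certificate under test, once by name and once by signature. The class name and the two file arguments are assumptions; both files may be PEM or DER.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added illustration: class name and arguments are assumptions, not code from the thread.
public class IssuerCheck {

    enum Match { NAME_AND_SIGNATURE, NAME_ONLY, SIGNATURE_ONLY, NONE }

    /** Reads every X.509 certificate contained in a PEM or DER file. */
    static List<X509Certificate> loadAll(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> result = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                result.add((X509Certificate) c);
            }
        }
        return result;
    }

    /**
     * Compares a certificate with a candidate issuer in two independent ways:
     * by distinguished name, and by verifying the certificate's signature with
     * the candidate's public key. Two CA certificates can carry the same name
     * and different keys, so only the signature check proves who issued it.
     */
    static Match classify(X509Certificate cert, X509Certificate candidate) {
        boolean nameMatches =
                cert.getIssuerX500Principal().equals(candidate.getSubjectX500Principal());
        boolean signatureVerifies;
        try {
            cert.verify(candidate.getPublicKey());
            signatureVerifies = true;
        } catch (GeneralSecurityException e) {
            // Wrong key, bad signature or unsupported algorithm: not verifiable with this CA.
            signatureVerifies = false;
        }
        if (nameMatches && signatureVerifies) {
            return Match.NAME_AND_SIGNATURE;
        }
        if (nameMatches) {
            return Match.NAME_ONLY;
        }
        return signatureVerifies ? Match.SIGNATURE_ONLY : Match.NONE;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: IssuerCheck <certificate-file> <trusted-ca-file>");
            System.exit(2);
        }
        List<X509Certificate> subjects = loadAll(args[0]);
        if (subjects.isEmpty()) {
            System.err.println("No certificate found in " + args[0]);
            System.exit(2);
        }
        X509Certificate cert = subjects.get(0);
        System.out.println("Certificate: " + cert.getSubjectX500Principal());
        System.out.println("Issuer name: " + cert.getIssuerX500Principal());
        System.out.println("Signed with: " + cert.getSigAlgName());

        boolean issuerFound = false;
        for (X509Certificate ca : loadAll(args[1])) {
            Match m = classify(cert, ca);
            System.out.println(m + "  " + ca.getSubjectX500Principal());
            issuerFound |= (m == Match.NAME_AND_SIGNATURE);
        }
        // This checks the direct issuer only; validity dates, CA constraints and
        // revocation are part of full path validation and are not covered here.
        if (!issuerFound) {
            System.err.println("No certificate in the trusted file issued this certificate.");
            System.exit(1);
        }
    }
}
```

    A NAME_ONLY result is the case described in the reply: the trusted file holds a CA certificate with the right name whose key did not sign the certificate under test.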

  • SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has be

    Hello, I have a sql 2005 server, and I am a developer, with the database on my own machine.  It always works for me but after some minutes the other developer can't work in the application
    He got this error
    Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: 192.168.1.140]
    and when I see the log event after that error, it comes with another error.
    SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 192.168.1.140]
    He has IIS5 and me too.
    I created a user on the domain called ASPSYS with password, then in the IIS on anonymous authentication I put that user with that password, and it works, on both machines.
    and in the connection string I have.
    <add key="sqlconn" value="Data Source=ESTACION15;Initial Catalog=GescomDefinitiva;Integrated Security=SSPI; Trusted_Connection=true"/>
    I go to the profiler, and I see that when he browses a page, the database is accessed with user ASPSYS, but when I browse a page, the database is accessed with user SE\levalencia.
    That's strange.
    The only way that the other developer can work again on the project is to restart the whole machine. He has Windows XP Professional, I have Windows 2000.
    If you want me to send logs please tell me

    Well here's my problem, maybe you can help. Intermittently I get a login failed when connecting to a db engine through Server Management Studio using Windows authentication. When this happens the following entries are generated on the server's application event log:
    Event Type:        Error
    Event Source:    MSSQLSERVER
    Event Category:                (4)
    Event ID:              17806
    Date:                     1/14/2009
    Time:                     10:41:31 AM
    User:                     N/A
    Computer:          <server name>
    Description:
    SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: <ip address>]
    Event Type:        Failure Audit
    Event Source:    MSSQLSERVER
    Event Category:                (4)
    Event ID:              18452
    Date:                     1/14/2009
    Time:                     10:41:31 AM
    User:                     N/A
    Computer:          <server name>
    Description:
    Login failed for user ''. The user is not associated with a trusted SQL Server connection. [CLIENT: <ip address>]
    I've already ensured that the server is set to mixed authentication mode. Oddly enough, the workaround that I've found is that if I remote desktop into the server, log in and then log back out, Management Studio is suddenly able to connect again. No idea why it works.
    As I said before, it is intermittent. Some days it errors on login, other days it doesn't and there are no configuration changes between them. Also, both client and server are in the same domain and same site so there is no VPN or anything in between. I'm really quite stumped. Any help would be great, or if you can point me in the right direction of where to look. Thank you in advance!

  • Wireless ISE - 12508 EAP-TLS handshake failed

    Hi guys,
    I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
    Authentication failed : 12508 EAP-TLS handshake failed
    OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
    Setup:
    - Single standalone ISE 3355 appliance
    - Two tier MS enterprise PKI (outside of my direct control)
    - WLC 5508
    - Windows 7 laptop
    - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
    - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
    Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
    This is what TAC came back with, but none of the workarounds helped
    Symptom:
    ========
    EAP-TLS auth handshake failing with X509 decrypt error. The error presented to the ISE administrator is "12508: EAP-TLS handshake failed"
    Conditions:
    =========
    EAP-TLS certificate based authentications ISE 1.1.2.145
    Workaround:
    ===========
    1) Reboot or restart ISE application service
    2) Recreate CAP (Certificate Authentication Profile)
    3) Toggle between ID sequence and single ID source

    Hi Amjad,
    Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
    Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
    The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. The root and intermediate certs were exported in DER format directly from each of the respective CAs and imported directly into the ISE
    Cheers,
    Owen

  • Possible SSL handshaking or trust failure in WLS 7.0

    hi,
    i have set Server Certificate File Name to democert.pem, Server Key File Name
    to demokey.pem, and Server Certificate Chain File Name to ca.pem, using the demo
    certificate. when running the client, i use -Dweblogic.webservice.client.ssl.strictcertchecking=false
    from the cmd. still getting exception:
    java.io.IOException: Write Channel Closed, possible SSL handshaking or trust failure
    at com.certicom.tls.record.WriteHandler.write(Unknown Source) ...
    i believe it no longer can be the wrong server name in the certificate, so it
    must be the trusted CA's list. i cannot find any corresponding file though. what
    should i be using for the Trusted CA File Name? i can access the webservices home
    page by browser as well as the wsdl file, but once i try using the web service
    methods, i get the same error through browser and with a soap client.
    any ideas?

    Taime
    add this setting also to start your Weblogic - Server - Instance include the strictcert
    - setting. Then you can use your webservice from a http - client. I do it the
    same way.
    Regards
    "taime giamzone" <[email protected]> wrote:
    >
    thanks markus,
    now i can use the service through a java client! weird enough, by browser, i still
    get the same exception. has somebody succeeded in using a secure web service by
    browser?
    "Markus Gasser" <[email protected]> wrote:
    Hi Claudia , Hi Taime
    I had the same problem. It was a hard way to find out. Here's the solution
    Add -Dtrustedfile=<your path>\trusted.crt
    to the vm parameters starting your wls - server or client.
    The problem is, that WLS 7 expects a trusted certificate and the demo certificate
    isn't trusted.
    You will find the trusted.crt normally in the domain directory
    Markus
    "Claudia" <[email protected]> wrote:
    Hi,
    I have the same problem. I followed the instructions from the Configuring Security
    side, but it doesn't work.
    I tried to test the WebService with the default web page generated from weblogic
    and there I figured out, that I have to enter the default realm password. I supposed
    that would be the password I use to start the server, but it wasn't. Still I haven't
    guessed the password.
    The security works too good ;-)
    Please help.
    Claudia

  • [ForumFAQ]How to troubleshoot error "SSPI handshake failed with error code 0x80090324"

    Understanding the problem:
    When you connect to SQL Server with Windows authentication, you may receive the following message in the SQL Server error log:
    SSPI handshake failed with error code 0x80090324, state 14 while establishing a connection with integrated security; the connection has been closed.
    Security Support Provider Interface (SSPI) is a set of Windows APIs that allows for delegation and mutual authentication over any generic data transport layer, such as TCP/IP sockets. SQL Server supports Kerberos indirectly through the Windows Security Support Provider Interface (SSPI) when SQL Server is using Windows Authentication.
    The "SSPI Handshake Failed" error usually happens when the connection between the server and the domain controllers has failed or Kerberos authentication has failed. There are many reasons for the SSPI Handshake error to appear in the SQL Server error log.
    Troubleshoot the problem:
    Download and install the Windows error code lookup tool Err.exe to view error descriptions for Windows Error Codes.
    The error code 0x80090324 (SEC_E_TIME_SKEW) means "clock on client and server machines are skewed". In most cases, this is a Kerberos issue. Kerberos uses a timestamp to protect against replay attacks. The maximum time skew that can be tolerated between a ticket's timestamp and the current time at the KDC is 5 minutes by default.
    Also check the Windows Event Log of the client machine, the domain controller and the SQL Server machine for the existence of W32time error messages.
    The solution:
    Make sure the clocks of the client server, the domain controller and the server running SQL Server are within five minutes of each other. Or resynchronize the clock by running w32tm /resync on the client machine and the SQL Server machine.

    This error can happen due to an Active Directory configuration issue or network related issues. Assuming they are fine, another reason could be related to failed Kerberos authentication when connecting to SQL Server.
    In Windows 2003 and above, the default method of establishing a connection is Kerberos but if it fails, then connection may be established using NTLM. An error may be registered on SQL Server error log due to Kerberos failure.
    To confirm if you have any database connection using Kerberos authentication, run this on your SQL Server
    SELECT distinct auth_scheme FROM sys.dm_exec_connections
    If you only see NTLM and SQL then, there is no Kerberos connection.
    To use Kerberos, the client and SQL Server must be in the same domain or trusted domains and a Service Principal Name (SPN) must be registered with Active Directory for SQL Server service account.
    You can check if the service account already has SPN, by running this on the SQL Server
    setspn -l <domain\sqlserviceaccount>
    If you don't see anything starting with MSSQLSvc\ then the account is not setup with SPN.
    You can manually register SPN as a Domain Administrator using these commands.
    To create an SPN for the NetBIOS name of the SQL Server use the following command:
    setspn -A MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account>
    To create an SPN for the FQDN of the SQL Server use the following command:
    setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account>
    If the SQL Server service account is granted the "Validated write to service principal name" privilege in Active Directory, the SQL Server database engine will register itself when it starts and unregister at shutdown. If your Domain Administrators do not permit this setting then you should manually register the SPN and the SSPI error will go away.
    Also the SQL Server service account must be granted the "Account is trusted for delegation" privilege in Active Directory. If your SQL Server connects to another SQL Server using Linked Server then the server must also be granted the "Trust this computer for delegation to any service" privilege.
    For a named instance, you can use the FQDN of the named instance instead of SQL Server FQDN and use the port number.
    For a clustered server, you should use the FQDN of the SQL Server virtual name. In this case you will need two entries, one with port name and one without such as
    setspn -A MSSQLSvc/<Virtual SQL Server FQDN> <Domain\Account>
    setspn -A MSSQLSvc/<Virtual SQL Server FQDN>:1433 <Domain\Account>
    Kerberos authentication works when SQL Server, Service Account and Windows account accessing the SQL Server are in the same Windows domain. If any one of these is in a different domain, there must be bidirectional trust established between the domains, otherwise it does not work.

  • Regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections (any ideas???)

    regarding mountain lion server: clients experience intermittent service connections. the server system log has the following error- Client handshake failed (6):113: Server not accepting client connections. any suggestions would be greatly appreciated - thank you

    Hi Jason
    I was getting the same behavior after Apple support had me delete some plist files to get Airplay going. I was also getting the following error:
    the error occurred while processing a command of type 'writesettings' in the plug-in 'server vpn'
    I went into ~/Library/Preferences/ and /Library/Preferences/ and deleted every plist containing the word server. I had to re-set up my server (meaning walk through some initial steps) but all of my settings were still there after that and everything started working again.
    Just a thought, obviously try at your own risk but it worked for me.
    Kellen

  • SSL handshake failed: X509CertChainIncompleteErr - How to call secure WS?

    Hi all, I'm trying to use a third party web service over SSL. I'm using jdk 1.5.0_11 and jDev 10.1.3.0.4.
    Here is what I've done so far:
    1 - I generated a web service proxy using jDev's wizard.
    2 - I created a simple keystore with keytool with the following cmd:
    keytool -genkey -keystore techdspc.keystore -storepass ****** . I copied the .keystore file in my project under the src directory.
    3 - I used the wizard "Secure Proxy" on my web service with the following options:
    - "Use x509 to authenticate"
    - I specified my newly created keystore file as the keystore path as well as the password.
    - I left the default choice to all the other options.
    Once the files were all created by the wizard, I tried out the proxy and got the following error:
    ATTENTION: Unable to connect to URL: https://test.eai.adpclaims.com/WSProxy/WS_Proxy.asmx due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
    java.rmi.RemoteException: ; nested exception is:
         HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
         at audatex3.runtime.WSProxySoap_Stub.transmit(WSProxySoap_Stub.java:679)
         at audatex3.WSProxySoapClient.transmit(WSProxySoapClient.java:83)
         at audatex3.WSProxySoapClient.main(WSProxySoapClient.java:43)
    The owner of the Web Service told me that the error is without a doubt on the proxy side. So my question is: What am I doing wrong?
    Your help will be greatly appreciated.
    thanks!

    I tried generating another keystore with a slightly different cmd and I still get the same error so this does not seem to be the problem...
    Any ideas?
    Thanks

  • Upload failed "network failure"

    Why is it that I get upload failed "network failure" msg on folio builder, immediately hit retry and it goes thru, or after several tries it goes thru? Or sometimes it goes on the first try, and then I make a small change and the upload will not work again? My upload speed is 20 Mbps.

    I am getting the same error message - I just updated the Folio producer tools that were released on OCT 10 for 5.5

  • SSL handshake failed: X509CertChainIncompleteErr

    I am trying to send name-value pairs using https and JSSE. I am using JDev 9i, and first I create a war file and bundle JSSE with it, then deploy it to an ear file, and use Enterprise Manager of 9iAS Rel2 to deploy the ear file to the server (on Windows 2000).
    I get the following error (please excuse the test output lines):
    Response: xxx test000+ test0+ test1+ test2+ test3+ test4+ test4a+
    javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
    Here's my code:
    import java.net.*;
    import java.io.*;
    import com.sun.net.ssl.*; // JSSE 1.0.x API package; not referenced below

    public class testsend {
        public testsend() {
        }

        public String myTest() throws Exception {
            String endresult = "xxx ";
            String url = "https://www.mysite.com/myfile.php?";
            endresult = endresult + "test000+ ";
            // actual name-value pairs are sent out, this is just an example
            String data = "name1=value1&name2=value2";
            URL server = null;
            try {
                server = new URL(url);
                endresult = endresult + "test0+ ";
            } catch (MalformedURLException e) {
                endresult = endresult + e.getMessage();
            }
            ObjectInputStream myresponse = null;
            Object result = null;
            try {
                URLConnection con = server.openConnection();
                endresult = endresult + "test1+ ";
                con.setDoOutput(true);
                con.setUseCaches(false);
                con.setRequestProperty("Content-Type", "application/octet-stream");
                endresult = endresult + "test2+ ";
                // opening the output stream connects, so the SSL handshake happens from here on
                ObjectOutputStream request = new ObjectOutputStream(new BufferedOutputStream(con.getOutputStream()));
                endresult = endresult + "test3+ ";
                request.writeObject(data);
                endresult = endresult + "test4+ ";
                request.flush();
                endresult = endresult + "test4a+ ";
                request.close();
                endresult = endresult + "test4b+ ";
                // get the result input stream
                myresponse = new ObjectInputStream(new BufferedInputStream(con.getInputStream()));
                endresult = endresult + "test6+ ";
                // read response back from the server
                result = myresponse.readObject();
                endresult = endresult + result.toString();
            } catch (Exception e) {
                // any failure (including the SSLException) is appended to the result string
                endresult = endresult + e.getMessage();
            }
            return endresult;
        }
    }
    I've searched for the error message on the web but did not have much luck finding a solution. It obviously won't open an input stream.
    Anyone have any thoughts? Thanks.
    jv

    Hi Francisco,
    I am (Oracle 9iAS) sending SOAP messages over SSL to a remote server (Microsoft IIS) hosting the web services. The remote HTTPS site is up and I can view the certificate. It has a 3-level chain: user certificate, intermediate and a root CA.
    Through my application, when I try to establish the handshake, I have some code to display the certificate chain of the remote server. Here I see only the user and the intermediate certificate. I do not see the root CA. I understand that this is the reason for the incomplete cert chain error. Is this something the remote server hosting the web services should do with their configuration?? Or can I do something at my end??
    Please let me know,
    Thank you
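A diagnostic for the situation described in the two posts above, as an added example that is not code from either poster. A TLS server may leave the self-signed root out of the chain it sends, so the client has to hold that root as a trust anchor; this program prints the chain the server actually sends and reports whether its top certificate is anchored in the local trust store. It assumes the standard javax.net.ssl API on a current JDK rather than the posters' environments, takes the host (and optional port) as arguments, and the names ChainCheck and missingIssuer are hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example; ChainCheck and missingIssuer are hypothetical names.
public class ChainCheck {
    // Returns null if the top certificate is a trust anchor or names one as its issuer,
    // otherwise the issuer DN that the local trust store lacks (name match only).
    static String missingIssuer(X509Certificate[] chain, X509Certificate[] anchors) {
        X509Certificate top = chain[chain.length - 1];
        for (X509Certificate a : anchors)
            if (a.equals(top) || a.getSubjectX500Principal().equals(top.getIssuerX500Principal()))
                return null;
        return top.getIssuerX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];                                   // server to test
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        // Default trust manager: JRE cacerts, or javax.net.ssl.trustStore if set
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager def = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Records the chain the server sends, then validates it as the default manager would
        X509TrustManager recorder = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                def.checkServerTrusted(c, t);
            }
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                def.checkClientTrusted(c, t);
            }
            public X509Certificate[] getAcceptedIssuers() { return def.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("Handshake succeeded");
        } catch (SSLException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }
        if (seen[0] == null) return;                             // no certificate was received
        for (X509Certificate c : seen[0])
            System.out.println("subject=" + c.getSubjectX500Principal() + "\n  issuer=" + c.getIssuerX500Principal());
        String missing = missingIssuer(seen[0], def.getAcceptedIssuers());
        System.out.println(missing == null ? "Chain is anchored in the local trust store"
                                           : "Import this CA into the trust store: " + missing);
    }
}
```

Before importing a CA certificate the tool names, verify its fingerprint against a copy obtained out of band from the CA or the service owner.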

  • Authorization of credit card transaction failed. Failure in Authorization

    Hello All,
    I am getting the below error while doing Auto-Receipts in R12.1.3.
    Authorization of credit card transaction failed. Failure in Authorization
    Please guide me to identify the issue.
    Thanks and Regards,
    Muthu

    Hi,
    Thank you very much for your support.
    But still I'm getting the same error. I read on one site the below step (marked as bold). This could be the reason why the error is occurring.
    But I don't know how to check. If anyone knows about the below step, let me know.
    Depending upon the function security options set up by your system administrator, you might be able to create, format, and approve Automatic receipt batches in one step.
    Thanks and Regards,
    Muthu

  • SSPI handshake failed with error code 0x8009030c and Login failed for user''

    I got the following error when tried to connect to local machine in the
    non-domain environment with Windows Authentication by SSMS.
    "SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security."
    "Login failed for user''. the user is nothing associated with a trusted SQL server connection."
    Questions:
    1. If I see "SSPI handshake failed", does it mean it must have used Kerberos but failed? Or is it also possible it used NTLM but failed?
    2. Any ideas for this issue?

    Hi Michael,
    Firstly, the "SSPI Handshake Failed" error usually happens when the connection between the server and domain controllers fails or Kerberos authentication fails. For more details about the "SSPI Handshake Failed" error, please review this FAQ.
    Secondly, regarding your error message, it could be caused by the loopback check. To resolve the issue, please set the DisableLoopbackCheck registry entry to 1 by performing the following steps.
    1. Click Start, click Run, type regedit, and then click OK.
    2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    3. Right-click Lsa, point to New, and then click DWORD Value.
    4. Type DisableLoopbackCheck, and then press ENTER.
    5. Right-click DisableLoopbackCheck, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Exit Registry Editor.
    8. Restart the computer.
    There is a similar blog about your scenario for your reference.
    http://www.bhcblog.com/2009/10/08/fix-for-login-failed-for-user-the-user-is-not-associated-with-a-trusted-sql-server-connection/
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • How to implement 3 way handshake in TCP protocol

    I am a newbie to socket programming. Can any one suggest me how to implement 3 way handshake?

    Java comes with java.net including Socket and ServerSocket. On the Java level you use this higher-level API (or even URLConnection or HttpURLConnection) and do not have to worry about the TCP handshake. You have no access to that low level either.

  • SSPI handshake failed with error code 0x80090311

    Hi guys,
    I get this error and I know it comes from my Linux server in an IPA domain.
    Error: SSPI handshake failed with error code 0x80090311
    But I want to trust this connection. How do I do this?
    Kind regards,
    André

    Hi,
    The 0x80090311 error refers to "No authority could be contacted for authentication", which means the user cannot contact AD to get a ticket. I suggest turning on Kerberos logging and using Netmon to trace the authentication routes. You can find detailed info on how to troubleshoot Kerberos here.
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
    There is probably some network issue on your system and you lose the connectivity to AD from time to time. Please let your network administrator investigate any possible network issue.
    Hope the below threads could be helpful for you:
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/308f0f2b-2500-481d-aef3-6eb262e15783/sspi-handshake-failed-with-error-code-0x80090311?forum=sqldatabaseengine
    http://social.technet.microsoft.com/Forums/sqlserver/en-US/74db708b-dcdf-4c0e-819b-861e8a22fa6b/sspi-handshake-failed-with-error-code-0x80090311?forum=sqldatabaseengine
    Regards,
    Yan Li 

  • Portfast case ping transmit failed general failure

    Hi
    Today I added a host in a VLAN, but it can't ping itself and gets "ping transmit failed general failure" unless I remove the spanning portfast command. I tried different vendor PCs, IBX... ,HX..,DXl..., and all hosts can't ping themselves.
    The reason is the portfast? But portfast isn't only for host PC,
    The following is some of our commands about spanning. Sorry, I can't paste all commands because our com private.
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause gbic-invalid
    errdisable recovery cause l2ptguard
    errdisable recovery cause psecure-violation
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause unicast-flood
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause arp-inspection
    errdisable recovery interval 30
    power redundancy-mode redundant
    no file verify auto
    spanning-tree mode pvst
    spanning-tree loopguard default
    spanning-tree portfast bpduguard default
    spanning-tree extend system-id

    what do you see under "show interface status" of the switch when the issue occurs?
    do you see input/output rate on that interface when the issue occurs?
    what is the spanning-tree state of that port?
    when you say you get "ping transmit failed", are you getting that error when you try to ping the PC's IP address from the PC?
    are you able to ping 127.0.0.1?
    and, what does the PC's network connection say?
