2-way SSL, Server to Server - How?

Similar Messages

• Apache 2.2 21 forward Proxy 2 way SSL for weblogic server as a client

  Hi All,
  Currently, i am trying to implement a forward SSL proxy. The client will hit my apache server which in return will hit a IIS Server.
  scenarios 1
  client(weblogic)--*2 way SSL*Apache(forward proxy)*2 way SSL*-- IIS
  If i were to implement 1 way ssl, i am able to see the content of the website.
  client(weblogic) --- Apache(forward proxy) --- IIS
  If i were to launch the web browser from the client machine (with the client certificate imported in the browser), i am able to view the content in the IIS. But if i were to simulate the connection from weblogic server, it just give me end of file exception (response contain no data) on the logs.
  Below is my configuration
  Listen 8080
  <VirtualHost default:8080>
  ServerName serverA
  ErrorLog "logs/ssl_error_log"
  CustomLog "logs/ssl_access_log" common
  SSLProxyEngine On
  SSLProxyMachineCertificateFile /certificate/servercert.cer
  SSLProxyCACertificateFile /certificate/rootCA.cer
  SSLProxyVerify require
  SSLProxyVerifyDepth 10
  ProxyRequests On
  ProxyVia On
  AllowConnect 12345
  <Proxy *>
  Order allow,deny
  Allow from all
  </Proxy>
  </VirtualHost>
  For 2 way SSL, will the client forward their client certificate to my apache proxy server and apache will on the client behalf forward the client certificate to the IIS server for authenication?
  Or the SSL authenication still happen between the client (weblogic) and the end server (IIS) bypassing the proxy server.
  Please help.

  It is a domain wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such thing in web.xml.

• Implementing 2-way ssl

  Hi i have configured the keystore as "Custom Identity and Custom Trust", given the key store names for both given the Identity alisa name under the 'SSL' tab, in 'Advanced' i am enforcing for client certificate. But when i start to access the application, i see the following error
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@16a86fc>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090481> <NO_CERTIFICATE alert was received from ASST218297.uk.pri.o2.com - 172.17.247.10. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, checking with TrustManager>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <validationCallback: validateErr = 0>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Required peer certificates not supplied by peer>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: validateErr = 4>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <weblogic user specified trustmanager validation status 4>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090508> <Certificate chain received from ASST218297.uk.pri.o2.com - 172.17.247.10 was incomplete.>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Validation error = 4>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Certificate chain is incomplete>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <SSLTrustValidator returns: 68>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, not trusted, sending HANDSHAKE_FAILURE to peer>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
       at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
       at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
       at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  any replies please....

  Hi,
  thanks, actually while searching in the net, i found a blog where there were a few steps for implementing 2-way SSL in weblogic.
  http://huyplus.blogspot.com/2010/02/2-way-ssl-with-weblogic-server-103.html?showComment=1267793234806_AIe9_BGsO6q6ENB4YZWtQyX53CzpN8TWcSn08RqNv6z8W3V7NRI3Qlcf4NuEM35O1niTSsYXd4rxjfUT63J2XFXOHjY8W56_sC-E3MGydylLHxDivVEjR0pQnSPv_Tx7CXOqT64AGNhhs06MEM9CBhpOtHcUHwvQMPtPeDAAJcwP1I9TzEIGNzNEQlWn9INrvLzP9_RAYESO3Wcxbl6b9eRgZt_jktfllVbxcvztIV3zoeQ8XlqgpN4S7Z82yCbUS1E7lFl46FZK#c8740869862805814451
  fortunately, this is working, i mean the server is working as expected, but in the console, it says that the certificate chain is incomplete....
  Anyways thanks for the links and suggestions...
  if possible could you please provide me some reference for resolving this issue.
  Thanks again
  Sharma

• OSB: Implementing 2 way ssl for a particular proxy

  Hi All,
  We have a requirement to implement 2 way ssl support for one of our OSB proxy and 1 way ssl support for all other proxies in our project.
  we have enabled HTTS on OSB and configured 2-way ssl on weblogic server. It is working fine.
  But the 2 way ssl configuration on weblogic server impacts all other proxy services deployed on that node. Because of weblogic configuration "Two Way Client Cert Behavior: Client Certs Requested and Enforced", the server expects all request to present the client certificate..
  But our requirement is, Only 1 proxy service should enforce 2-way ssl, all other proxies should only support 1 -way ssl(server authentication).
  Is there any way to implement our requirement?.
  we want to configure weblogic with "Two Way Client Cert Behavior: Client Certs Requested but not and Enforced OR Client Certs NOT Requested" and then in the proxy service we want to enforce client certificate..
  Is it possible to implement? If so can anyone help to explain the steps?
  Thanks in advance
  Edited by: user13109986 on Oct 24, 2012 9:30 AM

  It is a domain wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such thing in web.xml.

• What should be done in certmap.conf for 2-way SSL support from a standalone Java application to an SSL enabled LDAP Server

  To support certficate based client authentication using 2-way SSL from a standalone java application which uses JNDI and JSSE1.0.2 to connect to an SSL enabled LDAP Server how do we configure the certmap.conf?Is there any additional setup required at the LDAP Server side apart from enablinf SSL with the option"Required Client Authentication" enabled.The 2 way SSL handshake goes through but the access log file (After configuring the certmap.conf for the issuer DN of the client certficate etc..)shows SSL failed to LDAP DN?But inspite of this access log error the Java client does get an SSL Connection object with which it is able to connect to the LDAP.IS the certmap.conf file being looked up by the LDAP Server at all?

  have you out.flush() and out.close() before you call connection.getInputStream()?

• Two-Way SSL does not work until "Use Server Certs" is selected on client

  We have a web service application and a client application. Both applications are deployed in WebLogic 10.3. The web service application is secured by Two-Way SSL. When the client attempts to access the service, we got the following error logs on the server side:
  <Dec 8, 2009 3:25:42 PM EST> <Warning> <Security> <BEA-090508> <Certificate chain received from ... was incomplete.>
  CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0
  CertPathTrustManagerUtils.certificateCallback: validateErr = 4
  CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors
  We got the same error even if the WebLogic 10.3 domain on the client side uses the same identity and trust keystores as the server side.
  The problem was solved when we selected Environment -> Servers -> <server> -> SSL, expanded "Advanced" and selected "Use Server Certs". Could anyone tell me what "Use Server Certs" does to make the difference?
  Another question is how we can invoke this web service in a Java application since "Use Server Certs" solution only works for web application deployed in weblogic.

  "Use Server Certs" means that a client application running within Weblogic will use the WL managed server's identity certificate as its client certificate. Otherwise, the client application is responsible for selecting the keystore, and presenting the certificate as part of the handshake.
  This is a great feature in 9 & 10; client SSL was much more difficult in WL 8.
  If you are using a standalone client application to invoke anything over 2-way SSL, you are responsible for presenting the certificate. For instance, if you invoke the page from your browser, your browser can maintain client certificates and you'll get a popup to select which cert to use.

• WebLogic 10.3.3 - 2-Way SSL setup between WLS JMS Foregin Server & IBM MQ 6

  Hi,
  I am trying to configure 2-Way SSL between WebLogic 10.3.3 using JMS Foreign Server and IBM MQ 6. I could not find any documentation on this.
  Can someone provide with steps for setting up 2-Way between WebLogic and IBM MQ?
  Also I want to use SSLPEERNAME attribute in MQ Connection Factory and generate bindings so that I can connect to correct queuemanager on MQ side. Please let me know the configuration steps and check's that have to be done on WLS and IBM MQ side on this.
  Thanks in advance
  - BoyelT

  Check this:
  http://www.ibm.com/developerworks/websphere/library/techarticles/0510_fehners/0510_fehners.html

• Managed Server will not start with 2-way SSL enabled

  When attempting to start a managed server, using the nodemanager (all of the servers have two-way ssl configured...using the same keystores) the start-up fails, giving the following error:
  <Warning> <Security> <BEA-090497> <HANDSHAKE_FAILURE alert received from hostname - ip address. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.>
  Hostname verification is off for all of the servers and the trust store should trust the certificate in the identity store.
  Is this an issue with the managed server not being able to pass the identity certificate during the handshake?
  Thanks in advance for any help!

  hi
  the following link may hekpful to you
  http://webservices.bea.com:8080/Clarify/getCaseDetails.do?caseID=537204
  open a support case with bea
  Regards
  Prasanna Yalam

• Server to Server 2 way SSL

  Has anyone any links or experience with 2 way SSL for Server to Server? Web Server A to Web Server B for web services.
  The norm is Server to Client.
  Any help is appreciated. Thanks!

  The only possibility is server to client. One of your servers has to listen passively, which makes it a TCP or SSL server, and the other one has to initiate the connection, which makes it a TCP or SSL client. But that doesn't stop it being a server from other points of view.

• ICal Server email invitations - how to test and get this feature working

  iCal Server email invitations - how to test and get this feature working
  Thanks Apple for introducing this nice little feature into iCal but then completely neglecting to write any sort of useful manual that can explain what to do when it doesn't work after you set it up for the first time.
  At long, long last we have finally got there after about 6 months of fiddling on and off, so I thought I had better post up the process since many have similar issues and it is hard to ascertain what is going on.
  Using an external email server was just a waste of time and it still wouldn't handle the replies properly even though it was supposed to handle '+addressing'. In the end I set up a special gmail account for the iCal server and finally got it working. I list here the process of configuring and testing the system to check that each little stage is working.
  Set up a Gmail account in Apple Mail to access and test in the usual way for any email account (e.g. [email protected].);
  Set the iCal server email to access the same email using the following settings:
  IMAP
  SMTP
  [email protected]
  smtp.gmail.com
  Port: 993 [x] Use SSL
  Port: 587 [x] Use SSL
  User & Pwd
  Login
  User & Pwd
  To test the settings:
  send out a test email from Apple Mail to a non-server email address that you can access to check it has been received;
  send out a test email from your non-server email account to [email protected] and check that it is received;
  this tells you that the GMail account is setup correctly and working
  Testing iCal:
  I noted that iCal was deleting any emails that arrive in the inBox in Apple Mail as soon as they arrived (this is to be expected);
  test that the invites are being sent from iCal by setting an event in iCal and inviting your non-server address (you may not see any sign of this in Apple Mail but you should catch it in the iCal server log and possibly in the Gmail sent mail box);
  check that the invite is received at your non-server account and Accept it in iCal on another machine - the reply is automatically sent back;
  the replies appear in Apple Mail but are quickly deleted by iCal. But their record for you to see is left in Gmail under 'All Mail';
  Accepted invites appear as a notification button on the top left hand bar on iCal where you click to acknowledge them and then the attendee is shown as a green circled tick instead of a grey circled ?.
  this shows that iCal invitations are working correctly. Whenever an event is updated, all invitees should be updated by email automatically.
  I hope this helps anyone - I could certainly have done with something similar when I started with looking at this.
  Anatole
  The Error and Access logfile in the Server app under iCal server are very useful in determining any errors. I got lots of imip errors when I didn't quite have the settings right. The port is critical and it won't tell you this is the problem if it fails.

  iCal Server email invitations - how to test and get this feature working
  Thanks Apple for introducing this nice little feature into iCal but then completely neglecting to write any sort of useful manual that can explain what to do when it doesn't work after you set it up for the first time.
  At long, long last we have finally got there after about 6 months of fiddling on and off, so I thought I had better post up the process since many have similar issues and it is hard to ascertain what is going on.
  Using an external email server was just a waste of time and it still wouldn't handle the replies properly even though it was supposed to handle '+addressing'. In the end I set up a special gmail account for the iCal server and finally got it working. I list here the process of configuring and testing the system to check that each little stage is working.
  Set up a Gmail account in Apple Mail to access and test in the usual way for any email account (e.g. [email protected].);
  Set the iCal server email to access the same email using the following settings:
  IMAP
  SMTP
  [email protected]
  smtp.gmail.com
  Port: 993 [x] Use SSL
  Port: 587 [x] Use SSL
  User & Pwd
  Login
  User & Pwd
  To test the settings:
  send out a test email from Apple Mail to a non-server email address that you can access to check it has been received;
  send out a test email from your non-server email account to [email protected] and check that it is received;
  this tells you that the GMail account is setup correctly and working
  Testing iCal:
  I noted that iCal was deleting any emails that arrive in the inBox in Apple Mail as soon as they arrived (this is to be expected);
  test that the invites are being sent from iCal by setting an event in iCal and inviting your non-server address (you may not see any sign of this in Apple Mail but you should catch it in the iCal server log and possibly in the Gmail sent mail box);
  check that the invite is received at your non-server account and Accept it in iCal on another machine - the reply is automatically sent back;
  the replies appear in Apple Mail but are quickly deleted by iCal. But their record for you to see is left in Gmail under 'All Mail';
  Accepted invites appear as a notification button on the top left hand bar on iCal where you click to acknowledge them and then the attendee is shown as a green circled tick instead of a grey circled ?.
  this shows that iCal invitations are working correctly. Whenever an event is updated, all invitees should be updated by email automatically.
  I hope this helps anyone - I could certainly have done with something similar when I started with looking at this.
  Anatole
  The Error and Access logfile in the Server app under iCal server are very useful in determining any errors. I got lots of imip errors when I didn't quite have the settings right. The port is critical and it won't tell you this is the problem if it fails.

• 2 way SSL: How does Sun implement handling malformed certificate requests?

  Hi
  I'd like to know how sun implements the following 2 way ssl-scenario:
  When an SSL server requests client authentication, it sends a message
  to the client that says "here is a list of the names of CAs that I trust
  to issue client certs. If you have a client cert from one of these
  CAs, then send it to me". That list is NEVER supposed to be empty.
  But the hint above suggests that it is. If your server has not been
  configured with the names of CAs that it trusts to issue client certs,
  it's sending an empty list.
  When an SSL client receives such a malformed request, with an empty
  list of trusted client CA names, it may either (a) choose to send
  back a response that means "I have no cert issued by any of the
  issuers you have named", ***or (b) send back any certificate you have***
  ***and hope the misconfigured server will accept it.***
  Please advice? What is the switch to tell the client to send any certificate?
  Thanks a lot
  Christian

  That list is NEVER supposed to be empty.It doesn't actually say that anywhere in the RFC.
  When an SSL client receives such a malformed request, with an empty
  list of trusted client CA names, it may either (a) choose to send
  back a response that means "I have no cert issued by any of the
  issuers you have named", ***or (b) send back any certificate you have***
  ***and hope the misconfigured server will accept it.***That's not how I read the RFC. I would say the client should decide there is no suitable certificate available, and send back an empty ClientCertificate message. That in turn may provoke the server into sending a fatal handshake failure alert.
  What is the switch to tell the client to send any certificate?There is no such switch.
  More to the point, why is the server's CA list empty? That must mean that it has an empty truststore. That's the problem you should fix.

• Configuring SSL for SOA Server

  Hi All,
  I wrkin on SOA suite 11g. I am tryin to implement transport level security. Firstly 1-way authentication and than 2-way mutual authentication. For that I need to enable the SSL for SOA server which is managed by the WLS admin server. As per my knowledge the WLS comes with demoidentity and demotrust keystores. If I need to configure the SSL for SOA server do i need to create new keystores and CA,s or I can use the demo keystores.
  Now, in case i need to create new keystores than can i do the same using keytool utility. Additionally, is it possible to make CA using keytool utility? If yes, kindly provide me some links about how to do the same.
  Thanks in advance.

  Hi Shomit,
  If I need to configure the SSL for SOA server do i need to create new keystores and CA,s or I can use the demo keystores.You can use the Demo keystores for dev purpose but it is NOT recommended to use demo keystores for production use.
  in case i need to create new keystores than can i do the same using keytool utilityYes, you can do it using Keytool utility.
  is it possible to make CA using keytool utility?Actually you can generate a self-signed cert and use that as a CA for signing CSR's.
  kindly provide me some links about how to do the sameYou should get everything here -
  http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/ssl.htm#i1200848
  Regards,
  Anuj

• Can port 25 be used for SSL-enable SMTP server ?

  Hi,
  Our customer is using port 25 for a SSL-enabled SMTP server without certificate. When our email client tried to connect to it, the following exception thrown:
  DEBUG SMTP: exception reading response: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  Since we don't want to ask our customer to change their port configuration unless absolutely necessary, we did some tests with our own SSL-enabled SMTP server that uses certificate. Here is what I got:
  1) with port 25, got the same exception as above;
  2) with port 465, worked fine;
  3) with any other randomly pick up valid port, worked fine.
  This made me wonder if 25 is for non SSL SMTP server ONLY. By the way, I'm using Javamail 1.3.4 and JSDK 1.4.2_02. My question is whether we can configure javamail so that port 25 can be used by SSL-enabled SMTP server?
  Your help will be appreciated.

  Yes, port 25 is intended for non-SSL servers only, although that doesn't
  prevent a client from making a plain text connection and then using the
  STARTTLS command to switch the connection to SSL/TLS. JavaMail 1.4
  supports that usage.
  You can configure JavaMail to use port 25 for SSL connections if you
  really want to. JavaMail 1.3.x requires you configure an appropriate
  socket factory to get SSL connections; you can configure whatever port
  you want for use with that socket factory.

• How to install yosemite on lion server without server application

  I have osx 10.7.5  (that's all it says when I click about this app, but I know the computer was installed with lion with server app originally).  I don't need nor want the server app, and am happy to remove it one way or another.  Server is currently disabled.  I want to know how to upgrade to mavericks or yosemite without any server aspect at all.  Can it be done?  I have googled until my head has exploded and am none the wiser.  Most people seem to be unsuccessful.  I did previously try to install mavericks when it came out but it came up with some random scary message and I cancelled it. 
  Both my mac mini 2011 disks are in use  for different reasons - one tends to be more operational such as the operating system and apps, the other to save all my photos, videos and files mainly.   I have a separate ext hard drive for time machine back ups.
  I have no tech skills whatsoever, so baby language please.  Be specific.  Outline EVERY step in simple language.  Or I will cry! 
  Thanks!
  Jodi

  There's nothing special you have to do. Just upgrade. The Server app won't come back.

• I am unable to update any add-ons at all. Every time I try and install an add-on or even the new "show hidden add-ons" add-on, I get a server error. How do I fix this?

  I am unable to update any add-ons at all. Every time I try and install an add-on or even the new "show hidden add-ons" add-on, I get a server error. How do I fix this?

  You may have triggered some intermittent database issues but it should be running smooth by now. Let us know if you still see server errors.
  Also, if your addons appear to go missing after updating there is a workaround http://blog.mozilla.com/addons/2011/09/28/issue-discovered-with-firefox-add-on-upgrades/ And there is a 7.0.1 fix on its way.

• Webdispatcher SSL load balance server mismatch errors

  We are setting up a webdispatcher to access an Enterprise Portal with multiple instances.  Currently it is working but we are having to overide host mismatches.  in webdispacther log we see
  [Thr 4856] Mon Mar 07 11:38:02 2011
  [Thr 4856] MatchTargetName("aaa.mycompany.com", "CN=bbb.mycompany.com, OU=xxx, O=ooo, L=ccc, SP=sss, C=US") FAILS
  [Thr 4856] SSL NI-sock: local=##.21.13.137:50746 peer=##.21.13.131:51001
  [Thr 4856] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000008565100)==SSSLERR_SERVER_CERT_MISMATCH
  The Portal instances are on
  aaa.mycompany.com
  bbb.mycompany.com
  Currently have a CA approved certificate for each server installed in the portal.  Dispatcher on aaa uses aaa cert, dispatcher on bbb uses bbb cert.
  Message server is on aaa, but it will load balance and place you on either instance.
  have following related parameters
  wdisp/ssl_encrypt = 2
  wdisp/ssl_auth = 2
  wdisp/ssl_cred = C:\usr\sap\XXX\W00\sec\XXX.pse
  wdisp/ssl_certhost = aaa.mycompany.com
  wdisp/ssl_ignore_host_mismatch = TRUE
  C:\usr\sap\XXX\W00\sec\XXX.pse has ssl cert of both aaa and bbb servers.
  All seems to be working, as users are load balancing.  They are not getting certificate mismatches in their browser anymore.  We are getting the SSSLERR_SERVER_CERT_MISMATCH errors, but the messages do not seem to cause an issue since we have wdisp/ssl_ignore_host_mismatch set.
  Can we eliminate those mismatch errors instead of masking the problem with wdisp/ssl_ignore_host_mismatch?
  Should each portal instance have their own ssl cert, or is there a way to use one cert such as the aaa.mycompany.com cert on each portal instance?  It seems like that might eliminate the mismatch errors.  However, what happens when you go directly to the bbb.mycompany.com portal instance? there is a certificate error if you specify aaa's and you go to bbb.  I was wondering if the wdisp/ssl_auth and wdisp/ssl_certhost are valid in the portal system so that each server uses the aaa server and certificate.  I could not tell if this parameter is valid for java-only portal systems.
  Thanks for your help.
  Edited by: Fett Patrick on Mar 7, 2011 8:35 PM

  Thank you Martin for your prompt reply.  Can you clarify please, can we use the wdisp/ssl_certhost parameter in the instance profiles of the portal instances?  I wasn't sure if that is only valid for webdispatchers or can also be used in abap/java systems?
  We orginally had the aaa server certificate listed for each dispatcher in the portal under ssl provider runtime server identity.  That caused a browser "certificate error" when accessing the bbb server.  So we then installed an ssl certificate for bbb for its dispatcher.  We could then go to either server with no browser "certificate mismatch" error.
  Then when we added the webdispatcher, we started getting the server mismatch errors at the webdispatcher level.  If the wdisp/ssl_certhost can be used in the portal profiles, then that would hopefully resolve direct access or via web dispatcher aceess mismatches.  I.E. only the aaa ssl certificate would be used and parameters would be set at both the webdispatcher and portal profiles
  Thanks, Pat.