6.0sp5 ssl/acl problem

good day,
I'm using this ACL file:

version 3.0;
acl "es-internal";
allow (read, list, execute, info) user = "anyone";
deny (write, delete) user = "anyone";

acl "default";
authenticate (user,group) {
    database = "default";
    method = "basic";
};
allow (read,execute)
    (user = "anyone") and
    (dns = "*.llnl.gov");
deny (write,delete,list,info)
    (user = "anyone");
with two listeners on the same machine, one with SSL and one without. I have no problems with the non-SSL listener, but
with the SSL listener I'm getting a 403 Forbidden message when I try posting a JSP/servlet form, even though the execute permission is granted.
The log file says:
[..] denied by ACL default directive 2

Don't do so!
Just add the path /web/server/vs2/doc/struts-blank/WEB-INF/classes/ to your IWS6 JVM classpath, it is OK forever!!
As follows:
Start administer web server-->Select a Server: your server, click manager-->Java-->Configure JVM Attributes-->Add your specifically path(such as ...../WEB-INF/classes/) to the Classpath-->Click OK-->restart webserver.

Similar Messages

  • SSL VPN Problem - ACL Parse Error

    Hi there.
    Testing some features in Cisco ASA SSL VPN (Clientless).
    But when I connect to the portal and try to log in, I get the following error; has anybody seen this before?
    It works if I add an ACL to the DAP, but doesn't if there is only a WEBACL applied.
    It also works if I remove my check in the "ssl-client" box in the global_policy (Group Policy).
    6|Mar 20 2014|16:45:09|716002|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> WebVPN session terminated: ACL Parse Error.
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Delete WebVPN Session message user [email protected], IP X.X.X.X to standby unit
    4|Mar 20 2014|16:45:09|716046|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> User ACL <testcustomer_attribute> from AAA dosn't exist on the device, terminating connection.
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL List message rule DAP-web-user-E4EAC90F, line 1 to standby unit
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL Info message DAP-web-user-E4EAC90F to standby unit
    6|Mar 20 2014|16:45:09|734001|||||DAP: User [email protected], Addr X.X.X.X, Connection Clientless: The following DAP records were selected for this connection: testcustomer_common_dap
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.tunnelgroup = common_tunnelgroup
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username2 =
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username1 = [email protected]
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username = [email protected]
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.grouppolicy = global_policy
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.radius["11"]["1"] = testcustomer_attribute
    6|Mar 20 2014|16:45:09|113008|||||AAA transaction status ACCEPT : user = [email protected]
    6|Mar 20 2014|16:45:09|113009|||||AAA retrieved default group policy (global_policy) for user = [email protected]
    6|Mar 20 2014|16:45:09|113004|||||AAA user authentication Successful : server =  X.X.X.X : user = [email protected]

    If you have implemented SSLVPN i18n then I think you are hitting a bug.

  • 4506, ACL problem

    I have a 4506 that is used in a lab environment. We utilize 192.168.X.X split up into VLANs:
    vlan 2 assigned ip address 192.168.0.1
    vlan 3 assigned ip address 192.168.1.1
    vlan 4 assigned ip address 192.168.2.1
    vlan 5 assigned ip address 192.168.3.1
    and so on.
    Here is the problem:
    I need the people using 192.168.3.X on vlan 5 to only be able to access outside their VLAN on PING (ICMP), DNS (udp 53), the proxy server on port 8080, LDAP (tcp 369), and SSL (tcp 443); this applies to all VLANs.
    And only host 192.168.0.180 on vlan 2
    and host 192.168.2.181 on vlan 4
    to be able to access all IPs on vlan 5.
    Everything I have tried with extended ACLs has failed to allow this to happen.
    Ken Taylor

    here's a small excerpt of something similar i set up on a 6509 using reflexive acl's. (adjust ip's and ports to your liking)...
    ip access-list extended vlan232_acl_inbound
    evaluate intraffic232
    permit tcp any host 192.168.232.20 eq www reflect outtraffic232
    permit tcp any host 192.168.232.20 eq 443 reflect outtraffic232
    permit tcp any host 192.168.232.20 eq ftp reflect outtraffic232
    permit tcp any host 192.168.232.20 range 1024 5000 reflect outtraffic232
    permit tcp any host 192.168.232.42 eq ftp reflect outtraffic232
    permit tcp any host 192.168.232.42 range 1024 5000 reflect outtraffic232
    permit ip host 192.168.51.5 192.168.232.0 0.0.0.255
    permit ip 192.168.231.0 0.0.0.255 192.168.232.0 0.0.0.255
    permit ip host 206.195.31.0 192.168.232.0 0.0.0.255
    deny ip 192.168.0.0 0.0.255.255 192.168.232.0 0.0.0.255
    ip access-list extended vlan232_acl_outbound
    evaluate outtraffic232
    permit ip 192.168.232.0 0.0.0.255 host 192.168.151.33 reflect intraffic232
    permit ip 192.168.232.0 0.0.0.255 192.168.2.0 0.0.0.255 reflect intraffic232
    permit ip 192.168.232.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect intraffic232
    permit ip 192.168.232.0 0.0.0.255 host 192.168.51.5
    permit ip 192.168.232.0 0.0.0.255 192.168.231.0 0.0.0.255
    deny ip 192.168.232.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.232.0 0.0.0.255 any reflect intraffic232
    interface Vlan232
    ip access-group vlan232_acl_outbound in
    ip access-group vlan232_acl_inbound out

  • ASA ACL Problems

    I have several new ASA-5520 boxes. All are configured with version 7.06 (Cisco recommendation) and in active/standby configuration.
    The problem is that the ACLs seem to disappear. For example, I have an outside access list that has about 20 lines. Every once in a while the ACL will start blocking traffic that is permitted by the ACL. When I do a 'sh access-list outside' it says that there are only two elements. They are there when I look at the running config. If I wait a while they start to work again and show up as 'active elements' again. I can force a failover and failback to fix it, or restart the firewall. I will open a TAC case on Monday. I was hoping that maybe someone has seen this and has a quick solution.
    Thanks,
    Patrick

    could you provide the show running-config?

  • Security update fixes ACL problems, almost

    So far when running disk permissions, I've had one iMac C2D have no problems reported and the other iMac C2D only have ACL issues on /Library

    Open the Terminal application and type:
    man chmod
    Look under the heading ACL MANIPULATION OPTIONS. The argument that you would use is:
    "everyone deny delete"
    If you can't understand the manual then leave your handy work alone. It's not a large security breach. chmod, chown, and chflags should only be used when you understand what you are doing.

  • FTP/SSL Connection Problem for FTP Receiver Adapter

    Hello All,
    We are trying to establish an FTPS/SSL connection with one of our customers from our XI (Unix) system, and are receiving the following error:
    iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
    Communication Channel Parameters:
    Connection Security: FTP (FTP Using SSL/TLS) for Control Connection or FTP (FTP Using SSL/TLS) for Control Connection and Data Connection
    Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
    Checkbox - Use X.509 Certificate.... checked (Certificate was provided by third party (customer issued) and uploaded to service_ssl certificate store on J2EE server)
    Data Connection: Passive
    Port: 10021
    Keystore: service_ssl
    X.509 Certificate & Private Key: ssl-credentials
    Note: Initial handshaking occurs but connection is being dropped by the third party FTP Server when SSL certificate credentials are being validated. We also tried connecting to the third party FTPS server using standard FTPS client(FileZilla software), this connection gets established successfully with no certificate issues which means certificate and third party FTP Server is functioning correctly.
    We therefore are thinking that the problem lies with our XI system being unable to load the certificate information correctly at the point when FTPS session is being established.
    Your help and suggestions will be greatly appreciated.
    Thanks and Best Regards
    Prashant Rajani

    Hello All,
    Further, in order to test the connection setup and communication channel configuration, we tried simulating the FTP connection locally by configuring an FTP server using FileZilla on a local machine and accessing it from the client's XI server.
    This setup simulates the problem we encounter with our customer's FTP server.
    If the connection security parameter in the communication channel for the Sender FTP Adapter is set to "FTPs (FTP Using SSL/TLS) with Control Connection" only, the file gets successfully created with data at the FTP server, but as soon as we switch the connection security parameter to "FTPs (FTP Using SSL/TLS) with Control and Data Connection", we receive the error "Certificate rejected by Chain Verifier". The initial handshaking happens successfully and the file gets created at the FTP server, but it is empty; the connection fails when an attempt is made to write data into the file and we end up with the said error, thereby closing the connection.
    This is what the FTP server (FileZilla) sees when the XI system attempts to set up a fully encrypted data (FTPS) connection, i.e., connection security parameter value "FTPs (FTP Using SSL/TLS) with Control and Data Connection":
    - (not logged in) (10.18.106.34)> Connected, sending welcome message...
    - (not logged in) (10.18.106.34)> 220-FileZilla Server version 0.9.18 beta
    - (not logged in) (10.18.106.34)> 220-written by Tim Kosse ([email protected])
    - (not logged in) (10.18.106.34)> 220 Please visit http://sourceforge.net/projects/filezilla/
    - (not logged in) (10.18.106.34)> AUTH TLS
    - (not logged in) (10.18.106.34)> 234 Using authentication type TLS
    - (not logged in) (10.18.106.34)> SSL connection established
    - (not logged in) (10.18.106.34)> USER test
    - (not logged in) (10.18.106.34)> 331 Password required for test
    - (not logged in) (10.18.106.34)> PASS ***********
    - test (10.18.106.34)> 230 Logged on
    - test (10.18.106.34)> PBSZ 0
    - test (10.18.106.34)> 200 PBSZ=0
    - test (10.18.106.34)> PROT P
    - test (10.18.106.34)> 200 Protection level set to P
    - test (10.18.106.34)> SYST
    - test (10.18.106.34)> 215 UNIX emulated by FileZilla
    - test (10.18.106.34)> PWD
    - test (10.18.106.34)> 257 "/" is current directory.
    - test (10.18.106.34)> CWD /payment/
    - test (10.18.106.34)> 250 CWD successful. "/payment" is current directory.
    - test (10.18.106.34)> TYPE I
    - test (10.18.106.34)> 200 Type set to I
    - test (10.18.106.34)> PASV
    - test (10.18.106.34)> 227 Entering Passive Mode (10,27,7,103,15,63)
    - test (10.18.106.34)> STOR BHPDSB20060911-153840-834.txt
    - test (10.18.106.34)> 150 Connection accepted
    - test (10.18.106.34)> Data connection SSL warning: SSL3 alert read: fatal: bad certificate
    - test (10.18.106.34)> Data connection SSL warning: SSL_accept: failed in SSLv3 read client certificate A
    - test (10.18.106.34)> Data connection SSL warning: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
    - test (10.18.106.34)> Data connection SSL warning: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
    - test (10.18.106.34)> 426 Connection closed; transfer aborted.
    - test (10.18.106.34)> QUIT
    - test (10.18.106.34)> 221 Goodbye
    - test (10.18.106.34)> SSL connection established
    Please suggest your valuable inputs if we are missing out on something. Any helpful inputs in this regard are highly appreciated.
    Thanks and Best Regards
    Prashant

  • SSL reading problem in server-side

    Hi guys,
    I have a problem in my server implementation with SSLServerSocket. I have created a server socket with a specific port and bind address. Whenever a client connects, I grab its input stream and start to read it as bytes. There is no problem opening the server socket or with certificate authorization, and a client successfully connects to the server. But when the client writes some data to its connected socket, the server cannot read anything. The server throws no exception and there is no problem in writing. But the available bytes in the input stream are always 0. When I replace the SSL socket with a normal socket, everything is OK; the server can read everything. I am very confused. Since I have no concrete exception and stack trace, I know it is hard to explain and get help about my problem. I have added some parts from my code.
    Could you make any suggestions?
    Listening and connection part
    import java.io.BufferedInputStream;
    import java.io.IOException;
    import java.net.Socket;
    import javax.net.ServerSocketFactory;
    import javax.net.ssl.SSLServerSocketFactory;

    ServerSocketFactory socketFactory = SSLServerSocketFactory.getDefault();
    socket = socketFactory.createServerSocket(port, backLog, bindAddress);
    Socket clientSocket = socket.accept();
    in = new BufferedInputStream(clientSocket.getInputStream());

    Reading part
    while (continueRunning) {
        try {
            Thread.sleep(1);
            // polls available() before decoding; on an SSLSocket this is always 0
            if (in.available() < 1) {
                System.err.println(in.available());
                continue;
            }
            MessageDecoder decoder = new MessageDecoder();
            Message msg = decoder.decode(in);
            if (msg == null) {
                System.out.println("Decoded message is null");
                continue;
            }
            handler.messageReceived(msg);
        } catch (IOException e) {
            e.printStackTrace();
            continueRunning = false;
            try {
                clientSocket.close();
            } catch (IOException e1) {
                e1.printStackTrace();
            }
        } catch (InterruptedException e) {
            continueRunning = false;
            e.printStackTrace();
            try {
                clientSocket.close();
            } catch (IOException e1) {
                e1.printStackTrace();
            }
        }
    }

    I process bytes whenever they are available in the stream, thus I use available() for checking whether there are any bytes to decode.

    You are looping and sleeping and calling available(). What's the point? As you have nothing else to do in the loop except sleep, according to the above code, the whole sleep/available business is still a waste of time. Why not just read()? You are also burning a lot of CPU cycles for nothing.

    The problem is there is no data in the stream although the client seems to write some data.

    The problem is that regardless of whether there is data in the stream or not, SSLSocket.getInputStream().available() always returns zero. It always does this, and so you cannot use it for the purpose you intend.
    This is no loss, as the purpose you intend adds no value to just doing a read(). Try it and see.

    I discovered the debugging utilities of JSSE and did some debugging. I found that the client is blocked on its socket when it tries to write to the stream. I am not using nio, so my sockets are blocking, but I cannot find any reasonable explanation for this SSL write blocking on the socket.

    The 'reasonable explanation' is that the peer is never reading, so its socket receive buffer is full, so the writer's send buffer eventually fills too, at which point the writer is blocked.

    When I changed my implementation and used a non-SSL socket, everything is OK and there is no blocking.

    That's because Socket.getInputStream().available() returns positive numbers whereas SSLSocket.getInputStream().available() always returns zero.

    Is there anyone who knows something about some kind of SSL blocking?

    There is.
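    The blocking-read loop the reply recommends, written out as an added example (not the poster's code or from the thread): messages are framed with a 4-byte length prefix and read with readFully(), so the same loop works over a plain Socket and over an SSLSocket, where available() is always 0. The keystore system properties, port, timeout, frame limit and MessageHandler type are assumptions.

```java
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example: a framed-message reader that never calls available().
 * Each message on the wire is a 4-byte big-endian length followed by that many
 * bytes of UTF-8 payload; readFully() blocks until the whole frame has arrived,
 * which is exactly what available()-polling cannot do on an SSLSocket.
 */
public class FramedSslServer {
    // Assumed limit: refuse frames larger than this instead of allocating blindly
    private static final int MAX_FRAME = 64 * 1024;

    /** Reads one frame; returns null on a clean EOF from the peer. */
    static String readFrame(DataInputStream in) throws IOException {
        int len;
        try {
            len = in.readInt();            // blocks until 4 header bytes are present
        } catch (EOFException eof) {
            return null;                   // peer closed cleanly between frames
        }
        if (len < 0 || len > MAX_FRAME) {
            throw new IOException("bad frame length " + len);
        }
        byte[] buf = new byte[len];
        in.readFully(buf);                 // blocks until the payload is complete
        return new String(buf, StandardCharsets.UTF_8);
    }

    /** Serves one client: loop on blocking reads, stop on EOF or error. */
    static void serve(Socket client, MessageHandler handler) {
        try (Socket c = client;
             DataInputStream in = new DataInputStream(c.getInputStream())) {
            c.setSoTimeout(30_000);        // assumption: idle peers are dropped after 30 s, not held forever
            String msg;
            while ((msg = readFrame(in)) != null) {
                handler.messageReceived(msg);
            }
        } catch (IOException e) {
            e.printStackTrace();           // SocketTimeoutException and handshake failures land here too
        }
    }

    interface MessageHandler { void messageReceived(String msg); }

    public static void main(String[] args) throws IOException {
        // Assumes -Djavax.net.ssl.keyStore=... and -Djavax.net.ssl.keyStorePassword=... were given;
        // otherwise getDefault() has no server certificate to present during the handshake.
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(
                8443, 50, InetAddress.getByName("127.0.0.1"))) {
            server.setNeedClientAuth(false);   // set true if every peer must present a certificate
            while (true) {
                Socket client = server.accept(); // the TLS handshake runs lazily on the first read
                new Thread(() -> serve(client, m -> System.out.println("got: " + m))).start();
            }
        }
    }
}
```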

  • CSS SSL renewal problem

    While renewing the SSL certificate in CSS everything went fine during installation, but after that when I checked with the following command
    sh ssl associate rsakey | grep url (don't want to mention the name)
    I can see both the previous and the new key as associated, and it says yes,
    while the new should show yes and the old should be no.
    It is showing the same for cert.
    Can anyone help me sort out this problem, what it can be?
    Thanks in advance

    Sagar,
    Have you performed the "no ssl associate rsakey" and the "no ssl associate cert"?
    After that, perform the "clear ssl file " and "clear ssl file rsakey "
    HTH
    Dave

  • Node Manager unable to start managed Server. SSL Handshake problem

    I am getting the following Error:
    weblogic.nodemanager.NodeManagerException: [Could not execute command start for server wecarebeadev via the Node Manager - reason: [CommandInvoker: Failed to send command: 'online to server 'wecarebeadev' to NodeManager at host: 'localhost:5555' with exception Write Channel Closed, possible SSL handshaking or trust failure. Please ensure that the NodeManager is active on the target machine].]
    I have Weblogic Server 7.0 SP1 with Admin and Managed Server running on the same physical machine as Windows Services.
    SSL port has been setup properly for Managed Server. Host Name Verification Ignored is checked for MS.

    Hi Ajay,
    This happens when the SSL communication between the admin and the node
    manager fails. The SSL configuration of the admin server or the node
    manager is the problem.
    cheers,
    gaurav.
    On 30 Jun 2003 12:19:49 -0700, Ajay Kulkarni <[email protected]> wrote:
    I am getting the following Error:
    weblogic.nodemanager.NodeManagerException: [Could not execute command
    start for server wecarebeadev via the Node Manager - reason:
    [CommandInvoker: Failed to send command: 'online to server 'wecarebeadev'
    to NodeManager at host: 'localhost:5555' with exception Write Channel
    Closed, possible SSL handshaking or trust failure. Please ensure that the
    NodeManager is active on the target machine].]
    I have Weblogic Server 7.0 SP1 with Admin and Managed Server running on
    the same physical machine as Windows Services.
    SSL port has been setup properly for Managed Server. Host Name
    Verification Ignored is checked for MS.

  • SSL certificate problem on most https websites

    Some https sites cannot be reached on my system, and more https sites are affected as time goes by. I have noticed that the problem is the SSL certificate. I even checked an Arch ISO and there I have the same problem. I tested two things in case it rings any bell for you:
    omid@localhost›~⁑ curl -v https://github.com
    * Rebuilt URL to: https://github.com/
    * Adding handle: conn: 0x1757250
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x1757250) send_pipe: 1, recv_pipe: 0
    * About to connect() to github.com port 443 (#0)
    * Trying 192.30.252.128...
    * Connected to github.com (192.30.252.128) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * Unknown SSL protocol error in connection to github.com:443
    * Closing connection 0
    curl: (35) Unknown SSL protocol error in connection to github.com:443
    in which you can see the problem. But
    omid@localhost›~35↵⁑ curl -v3 https://github.com
    * Rebuilt URL to: https://github.com/
    * Adding handle: conn: 0xf31250
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0xf31250) send_pipe: 1, recv_pipe: 0
    * About to connect() to github.com port 443 (#0)
    * Trying 192.30.252.129...
    * Connected to github.com (192.30.252.129) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using RC4-SHA
    * Server certificate:
    * subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=5157550; street=548 4th Street; postalCode=94107; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
    * start date: 2013-06-10 00:00:00 GMT
    * expire date: 2015-09-02 12:00:00 GMT
    * subjectAltName: github.com matched
    * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance EV CA-1
    * SSL certificate verify ok.
    > GET / HTTP/1.1
    > User-Agent: curl/7.33.0
    > Host: github.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    * Server GitHub.com is not blacklisted
    < Server: GitHub.com
    < Date: Fri, 06 Dec 2013 09:55:10 GMT
    < Content-Type: text/html; charset=utf-8
    < Status: 200 OK
    < Cache-Control: private, max-age=0, must-revalidate
    < Strict-Transport-Security: max-age=2592000
    < X-Frame-Options: deny
    < Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 06-Dec-2033 09:55:10 GMT; secure; HttpOnly
    which seems OK. Is there any way to add a certificate to avoid this strange behavior? I use an updated x86_64 KDE.

    [omid@localhost ~]$ ldd `which curl`
    linux-vdso.so.1 (0x00007fff8bd7c000)
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f9f479c6000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007f9f477b0000)
    libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f9f47592000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f9f471e7000)
    libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f9f46fbe000)
    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f9f46d51000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f9f46949000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f9f47c2b000)
    libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f9f46745000)
    [omid@localhost ~]$ pacman -Q|egrep '(openssl|curl|ca-cert)'
    ca-certificates 20130906-1
    ca-certificates-java 20130815-1
    curl 7.33.0-3
    lib32-openssl 1.0.1.e-2
    mingw-w64-openssl 1.0.1e-4
    openssl 1.0.1.e-5

  • ACL problem in 6 and 5.1 sp9? Bug?!

    Hi all gurus:
    I got this problem for several days, and still cannot solve it. Can
    anyone help me?
    My design is to put all my beans and connection pool under one "kbf"
    acl. And "guest" servlet/jsp accesses these beans by using this "kbf"
    account. And it works in 5.1 sp8.
    Then i tried to use sp9. The very first time when jsp is compiling
    by WLS, all the jsps work correctly! After that, immediately click the
    link again, it throws jndi exception. Saying "guest" no permission to
    access "kbf" jndi. But my "guest" actually is a servlet/jsp running
    inside the server.
    So then we tried to use 6 sp2, to see whether we can solve the
    problem. And the funny things come out as follows.
    I just click my URL link in browser, first time everything is fine,
    my data is shown correctly. second time it throws ACL exception ,saying
    guest no right to look up my JDBC pool. Click again, the data comes out
    again. Click again, it throws the same exception. It is a "toggle".
    And, for another jsp page/link, (it gets data from two tables),
    first time both two tables data are shown. Click some other link, then
    come back to click this link, only one table data is shown, then click
    this link again, both are shown. It is also a "toggle", slightly
    different.
    Something really funny going on for this ACL!
    Can anyone in BEA tell me more about this ACL issue? Why always
    nobody cares to answer these ACL questions? Both in ejb group and
    security group?
    Or simply nobody is using ACL in their project?
    Or i missed out something important? or i am abusing ACL?
    Or is it a bug?
    Since we are going to production very soon, i need the solution
    ASAP. Right now i only have two solutions:
    1. stick to 5.1 sp8.
    2. grant "guest" permission to all my beans, connection pool, which
    means no use for the ACL at all.
    Hope someone at least give me an hint. And sorry for the crossing
    post.
    Thanks.
    minjiang

    Thanks a lot!
    The problem is that i cached the ejb homes and connection pool. So now i use
    your first solution, create context everytime, although the performance may be
    slow down.
    But strange, it works in 5.1 sp6-8.
    Thanks again, Dimitri!
    minjiang
    Dimitri Rakitine wrote:
    The security context is associated with thread so, for example:
    in a servlet, you create InitialContext as "user" and save it.
    Next request which will be "guest" anyway.
    So, if you want authentication, you can either
    - create InitialContext everytime
    - use j2ee security so container will do this automatically:
    http://e-docs.bea.com/wls/docs61/webapp/security.html
    Dimitri
    On Fri, 13 Jul 2001, minjiang wrote:
    Hi Dimitri:
    Sorry to mail you directly.
    I have this question for quite some time. And not receive any
    response for my posting, cross posting.
    Do you have any idea why my deployment works on 5.1 sp8, but not on
    sp9 and 6 sp2?
    I noticed BEA changed the weblogic.ejb.internal.StatefulEJBObject,
    and StatefulEJBCache in sp9, and this is part of why my application
    cannot work. (for one facade session bean looking up other beans in
    another acl)
    Another part is i described in the forward posting, for my "guest"
    jsp/servlet cannot access other acl?
    For my understanding, since my facade bean and jsp/servlet only run
    inside the WLS server, so as long as the correct credential is supplied
    while constructing the jndi context, they should be allowed, right? It
    should not be only one credential in one thread, which seems WLS is doing
    now.
    Thanks for help, and any hint or document is appreciated.
    minjiang
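    Dimitri's first option, creating the context per request instead of caching it, as an added example written here (not code from the thread or from BEA): the lookup runs as "kbf" and the context is closed before the request finishes, so the thread does not carry that identity into the next request. The provider URL, the JNDI name of the pool-backed DataSource and the password handling are assumptions.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * Added example: looks up the DataSource as the "kbf" principal on every
 * request instead of caching a context (or the homes obtained through it).
 * WebLogic binds the authenticated identity to the calling thread, so a context
 * cached from one request leaves later requests running with whatever identity
 * that thread last carried, which is the "toggle" described above.
 */
public final class KbfLookup {
    // Assumptions: WebLogic T3 URL and the JNDI name the pool-backed DataSource is bound under.
    private static final String PROVIDER_URL = "t3://localhost:7001";
    private static final String DS_JNDI_NAME = "kbfDataSource";

    /** Builds a fresh, authenticated context; the caller must close it. */
    static Context newContextAs(String user, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialContext(env);
    }

    /** Runs one unit of work as "kbf": look up, use, close; nothing survives the request. */
    static void withKbfConnection(char[] kbfPassword, ConnectionWork work)
            throws NamingException, SQLException {
        Context ctx = newContextAs("kbf", kbfPassword);   // assumption: password supplied by the caller
        try {
            DataSource ds = (DataSource) ctx.lookup(DS_JNDI_NAME);
            try (Connection conn = ds.getConnection()) {
                work.run(conn);
            }
        } finally {
            ctx.close();   // drops the identity this thread picked up for the lookup
        }
    }

    interface ConnectionWork { void run(Connection c) throws SQLException; }
}
```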

  • Azure WCF SSL latency problems

    I have a WCF service running in an Azure Worker Role. The service waits for client requests, then fetches some data from a SQL database and finally returns the data to the client. First, the service was using plain unencrypted NetTcpBinding for communication, and latency for each request was about 200ms, which was acceptable. Lately I switched the binding to use SSL (still with NetTcpBinding) and latency jumped to 500ms (which was expected, of course). However, the usability of the client suffered greatly because clients are doing requests very frequently (there could be a burst of 10 requests going on at the same time) and almost all requests are really light on the server side, so an increase of 300ms in latency really hurts.
    Now I am not sure what I could do to help latency. Connection pooling does not seem to work very well with Azure because there is a 1min idle timeout and I cannot reliably tell if a connection has timed out before doing a new request. Also I am not sure how connection pooling affects the load balancer and scaling out instances: if I force every client to open 10 connections to the WCF service and keep the connections alive artificially, is it possible that the load balancer does not work as expected?
    Are there any other options? I was also thinking that maybe I could use SSL only when logging in, then exchange a symmetric crypto key and afterwards use an unencrypted connection and encrypt messages in code, but this is probably a bad idea (maybe it would be secure enough, but then I couldn't say that all connections are encrypted with SSL, which unfortunately is a requirement for me).
    Thank you for help!

    Hello,
    Thank you for your answers! However, the problem still remains so let me explain it with more details.
    We're developing a new version of older software for our customers. Previously customers had to own and maintain their own servers which were running our software. Because we wanted to take this burden away from customers we decided to move all servers into
    (Azure) cloud.
    Now imagine following scenario:
    A user is 5 button clicks away from doing whatever he wants to do. Every button click has to do one query to server, usually in order to fetch some data from database. In our old application this was very fast since customers had their own servers running
    literally few meters from their workstations, so latency was minimal.
    Then we moved servers to cloud which is 500km (not 5 or 50 meters) away so latency jumped to approximately 200ms per query (as expected). Now clicking 5 buttons would add 1 second as latency in total, and although our customers were not particularly happy
    about this, they could still accept it. However, now we have to turn SSL on, and since it seems to add about 500ms latency per query, clicking 5 buttons adds 2.5 seconds of latency in total, which is simply too much, and the application becomes very sluggish
    to use.
    We are already trying to combine small requests into big ones, but it is not possible in many cases because we don't know what action the user is going to take before the previous action has finished. We could try to collect data on how users are using the software
    and make decisions based on it, and although it would surely help, it would not remove the problem entirely.
    That is why I am hoping I could find a way to minimize the latency between the client and the server running in the Azure cloud. The biggest part of the latency comes from TCP or SSL handshaking: opening a channel, doing a request and closing the channel takes about 200ms when
    using plain TCP and 500ms when using SSL. However, if I don't close the channel but instead reuse it, latency is only about 60ms. The problem is that Azure tries to prevent me from reusing channels. In a perfect world I would simply open 10 SSL connections
    whenever the application is started and reuse these channels throughout the lifetime of the application, as this would result in approx. 60ms latency on every request (I chose the number 10 simply because 10 simultaneous queries might be possible in some
    cases). Now, 60ms is a LOT shorter time period than 500ms or even 200ms!
    Now back to my original questions. Azure has a 1min timeout for idle channels, but there are libraries (e.g. http://code.msdn.microsoft.com/WCF-Azure-NetTCP-Keep-Alive-09f50fd9) that keep channels artificially open for a longer time by sending empty packets every
    X seconds so that Azure thinks that the channel is active. We are already using this library to prevent Azure from closing channels during some of our longer queries that take more than 1min to finish (like generating a monthly report with lots of data). Now I
    was wondering if I could extend this functionality so that I could open 10 connections at startup, keep them alive for X minutes (5, 10, 30, the whole day?) and reuse them, as this would reduce latency to a good level. Some problems:
    1) How is the load balancer affected if I keep channels alive? If I simply open 10 channels per user (let's say there are 1000 users), is it possible that all channels (10000) are opened to the same server instance, as there is no significant CPU load on the server
    (at this point)?
    2) If Azure still closes the connection for some reason, it is hard to know what happened at the client side. Basically it seems that if the connection is closed and I try to reuse it (note that at the client side WCF does not know that the connection has been closed before
    I try to use that connection), WCF simply throws a "timeout exception" with an absurd timeout value (e.g. if I have configured the timeout to be 5mins, WCF throws the exception "timeout 0.001 seconds"). Now I could catch this exception and parse the timeout value and see
    if it is "too low" and then decide that "ok, Azure closed this channel, I will close it and open a new one", but this seems hacky (see 4).
    3) Is it ok to open this many connections to Azure? Would Azure think that it is under a DoS attack if this many connections are opened in a small time window (usually people come to work at a specific time, so basically the connections would be opened in a small
    time window)? Also, we expect our userbase to grow to at least 10000 simultaneous users (after which this approach would require 100k simultaneous channels).
    4) This feels very hacky! Is it really so that applications don't usually behave like ours does? Are there other ways to achieve what I want?
    Thanks!
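    The reuse strategy the post describes (a fixed set of long-lived channels, kept below the balancer's idle timeout, with a clean reaction to a channel the other side has silently closed) can be sketched without any Azure or WCF dependency. The following is an added illustration, not the poster's code or the keep-alive library linked above; the transport and clock are fakes constructed here so it runs offline, the 60 s idle timeout and the 5 s safety margin are assumptions taken from the "1min" figure in the post, and instead of parsing the timeout value out of an exception (the hack from point 2) a stale channel is simply discarded and the call retried once on a fresh one.

```python
"""Idle-timeout-aware channel pool (added illustration, not the poster's WCF code)."""
import itertools

LB_IDLE_TIMEOUT = 60.0   # seconds; assumption: the 1 min Azure idle timeout from the post
SAFETY_MARGIN = 5.0      # evict a little before the balancer would drop the channel


class StaleChannelError(Exception):
    """Raised by the transport when the remote side has already closed the channel."""


class FakeChannel:
    """Stand-in for a TLS/WCF channel; `closed_by_lb` simulates a silent server-side close."""

    def __init__(self, channel_id):
        self.id = channel_id
        self.closed_by_lb = False

    def send(self, request):
        if self.closed_by_lb:
            raise StaleChannelError(f"channel {self.id} was closed remotely")
        return f"response-to-{request}-via-{self.id}"


class FakeClock:
    """Injected clock so the eviction logic can be exercised deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class ChannelPool:
    def __init__(self, size, clock, idle_timeout=LB_IDLE_TIMEOUT - SAFETY_MARGIN):
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.opened = 0      # number of handshakes paid so far
        self.evicted = 0     # channels dropped because they sat idle too long
        # each idle entry is (channel, last_used_timestamp)
        self.idle = [(self._open(), clock()) for _ in range(size)]

    def _open(self):
        self.opened += 1
        return FakeChannel(self.opened)

    def acquire(self):
        """Return a channel that is still inside the idle window, opening a new one if none is."""
        now = self.clock()
        while self.idle:
            ch, last_used = self.idle.pop()
            if now - last_used < self.idle_timeout:
                return ch
            self.evicted += 1   # too old: the balancer has very likely dropped it already
        return self._open()

    def release(self, ch):
        self.idle.append((ch, self.clock()))

    def call(self, request):
        """Send on a pooled channel; if it turns out to be stale, discard it and retry once."""
        ch = self.acquire()
        try:
            resp = ch.send(request)
        except StaleChannelError:
            ch = self._open()          # the stale channel is simply dropped, never reused
            resp = ch.send(request)
        self.release(ch)
        return resp


def demo():
    """Walk the pool through reuse, time-based eviction and a silent remote close."""
    clock = FakeClock()
    pool = ChannelPool(size=2, clock=clock)
    r1 = pool.call("q1")      # reuses a pre-opened channel, no new handshake
    clock.advance(30)
    r2 = pool.call("q2")      # still inside the idle window: same channel reused
    clock.advance(70)         # longer than the 60 s idle timeout
    r3 = pool.call("q3")      # both idle channels are evicted, one new channel opened
    for ch, _ in pool.idle:   # simulate the balancer silently closing the pooled channel
        ch.closed_by_lb = True
    r4 = pool.call("q4")      # StaleChannelError -> transparent retry on a fresh channel
    return pool.opened, pool.evicted, [r1, r2, r3, r4]


if __name__ == "__main__":
    print(demo())
```

    The eviction-before-timeout rule is what keeps the handshake count low in steady state: a channel is only ever handed out if it is younger than the balancer's idle limit, so a stale-channel exception becomes the rare exception path rather than the thing the client has to parse on every request.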

  • Web Service - SSL handshake problem

    I'm trying to establish an SSL connection to a Web Service using the Jakarta AXIS WebService (client) API in a WAS environment.
    And sometimes I get the following stacktrace:
    ; nested exception is:
         javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    Does someone have any tip to help me solve this problem?
    Thank you.

    Hi,
    you will have to import the server SSL certificate from the webservice into your client. To do this, you will have to import it into the keystore of your client.
    br,
    Tobias

  • WLC ACL Problem

    Hi all,
    I'm having problems when trying to apply an ACL to my WLC dynamic interfaces. I have three WLANs that I wish to keep separated and am using ACLs that I have configured on the controller, the only problem is they don't seem to work!
    Ping test from 10.201.32.11 on WLAN1 to 10.201.27.41 on WLAN2 works and the current ACL is below:
         1 Out     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         2  In     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         3 Out     10.201.32.0/255.255.252.0       10.201.28.0/255.255.255.0    Any     0-65535     0-65535  Any   Deny           0
         4  In     10.201.28.0/255.255.255.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         5 Out     10.201.32.0/255.255.252.0     192.168.200.0/255.255.255.224  Any     0-65535     0-65535  Any   Deny           0
         6  In   192.168.200.0/255.255.255.224     10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         7 Any         0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0          Any     0-65535     0-65535  Any Permit          69
     DenyCounter : 0
    Each WLAN sits on its own separate dynamic interface and own unique subnet.
    Any suggestions would be most appreciated.
    Thanks.

    Hi,
    Keep in mind the direction of the ACL.
    In means from client destined to WLC
    Out means from WLC destined to client.
    It should look like this:
    Index  Dir       IP Address/Netmask              IP Address/Netmask        Prot    Range       Range    DSCP  Action      Counter
         1  In     10.201.32.0/255.255.252.0       10.201.24.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
         2 Out     10.201.24.0/255.255.252.0       10.201.32.0/255.255.252.0    Any     0-65535     0-65535  Any   Deny           0
    Don't forget to apply the ACL on interface or on WLAN.
    Regards,
    Christos.
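    The direction point above is easy to check offline before touching the controller. The evaluator below is an added example, not from this thread or from Cisco: it parses the ACL rows exactly as posted, applies Christos's direction semantics ("In" is client towards WLC, "Out" is WLC towards client) with first-match-wins and an assumed implicit deny when nothing matches, and then runs the ping from 10.201.32.11 to 10.201.27.41 through both the original ACL and a corrected one. The corrected set goes slightly beyond what Christos showed: his In/Out swap is applied to all six deny rules, not only rules 1 and 2, and rule 7 is kept as posted.

```python
"""Offline evaluator for WLC-style ACL listings (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    index: int
    direction: str                 # "In", "Out" or "Any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "Any" or a protocol name such as "icmp"
    src_ports: tuple               # (low, high), inclusive
    dst_ports: tuple
    action: str                    # "Permit" or "Deny"


@dataclass(frozen=True)
class Flow:
    direction: str                 # "In" (client -> WLC) or "Out" (WLC -> client)
    src: str
    dst: str
    proto: str = "icmp"
    sport: int = 0                 # ICMP has no ports; 0 falls inside 0-65535
    dport: int = 0


def parse_range(text):
    lo, hi = text.split("-")
    return int(lo), int(hi)


def parse_rule(line):
    """Parse one row: Index Dir Src Dst Prot SrcRange DstRange DSCP Action Counter."""
    f = line.split()
    return Rule(int(f[0]), f[1],
                ipaddress.ip_network(f[2]), ipaddress.ip_network(f[3]),   # dotted masks are accepted
                f[4], parse_range(f[5]), parse_range(f[6]), f[8])


def parse_acl(listing):
    return [parse_rule(l) for l in listing.strip().splitlines() if l.strip()]


def evaluate(rules, flow):
    """First matching rule decides; no match means deny (assumption: WLC implicit deny)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.direction != "Any" and r.direction != flow.direction:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto != "Any" and r.proto.lower() != flow.proto.lower():
            continue
        if not (r.src_ports[0] <= flow.sport <= r.src_ports[1]
                and r.dst_ports[0] <= flow.dport <= r.dst_ports[1]):
            continue
        return r.action
    return "Deny"


# The ACL exactly as posted in the question (directions reversed relative to the WLC model).
ORIGINAL = """
1 Out 10.201.32.0/255.255.252.0   10.201.24.0/255.255.252.0   Any 0-65535 0-65535 Any Deny   0
2 In  10.201.24.0/255.255.252.0   10.201.32.0/255.255.252.0   Any 0-65535 0-65535 Any Deny   0
3 Out 10.201.32.0/255.255.252.0   10.201.28.0/255.255.255.0   Any 0-65535 0-65535 Any Deny   0
4 In  10.201.28.0/255.255.255.0   10.201.32.0/255.255.252.0   Any 0-65535 0-65535 Any Deny   0
5 Out 10.201.32.0/255.255.252.0   192.168.200.0/255.255.255.224 Any 0-65535 0-65535 Any Deny 0
6 In  192.168.200.0/255.255.255.224 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny   0
7 Any 0.0.0.0/0.0.0.0             0.0.0.0/0.0.0.0             Any 0-65535 0-65535 Any Permit 69
"""

# Christos's In/Out swap applied to every deny rule (constructed; he showed rules 1 and 2 only).
CORRECTED = """
1 In  10.201.32.0/255.255.252.0   10.201.24.0/255.255.252.0   Any 0-65535 0-65535 Any Deny   0
2 Out 10.201.24.0/255.255.252.0   10.201.32.0/255.255.252.0   Any 0-65535 0-65535 Any Deny   0
3 In  10.201.32.0/255.255.252.0   10.201.28.0/255.255.255.0   Any 0-65535 0-65535 Any Deny   0
4 Out 10.201.28.0/255.255.255.0   10.201.32.0/255.255.252.0   Any 0-65535 0-65535 Any Deny   0
5 In  10.201.32.0/255.255.252.0   192.168.200.0/255.255.255.224 Any 0-65535 0-65535 Any Deny 0
6 Out 192.168.200.0/255.255.255.224 10.201.32.0/255.255.252.0 Any 0-65535 0-65535 Any Deny   0
7 Any 0.0.0.0/0.0.0.0             0.0.0.0/0.0.0.0             Any 0-65535 0-65535 Any Permit 69
"""


def ping_verdicts(listing):
    """Echo request from the WLAN1 client to WLAN2, and the echo reply coming back."""
    rules = parse_acl(listing)
    request = Flow("In", "10.201.32.11", "10.201.27.41")
    reply = Flow("Out", "10.201.27.41", "10.201.32.11")
    return evaluate(rules, request), evaluate(rules, reply)


if __name__ == "__main__":
    print("original :", ping_verdicts(ORIGINAL))    # both legs fall through to rule 7
    print("corrected:", ping_verdicts(CORRECTED))   # request hits rule 1, reply hits rule 2
```

    Running this shows why the ping succeeded: with the posted directions, a client-originated packet is only ever compared against the "In" rows, whose source prefixes belong to the other WLANs, so it falls through to the final permit. The same evaluator is a convenient place to add further test flows (for example a packet from 10.201.28.x) before applying an ACL to a live interface or WLAN.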

  • Ace ssl-proxy problem, Online store.

    Hello!
    I have a problem with moving our online store load balancing to a Cisco ACE solution from the Windows NLB that it runs on now, and also relieving the servers from the SSL encrypting and decrypting of sessions.
    The load balancing works as long as the session is HTTP, but when the "customer" comes to the point where he is going to pay, our shop jumps over to HTTPS and this is where the problem appears.
    The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
    If I have missed something in the config or if someone has any other idea why this doesn't work for me..
    Appreciate any help!
    My config:
    (at the moment only web5 is in use)
    ACE-1/CO-WEB1# show run
    access-list ANY line 10 extended permit ip any any
    access-list icmp line 8 extended permit icmp any any
    probe http PROBE-HTTP
    interval 3
    passdetect interval 10
    passdetect count 2
    expect status 200 200
    expect status 300 323
    parameter-map type ssl SSLPARAMS
    cipher RSA_WITH_RC4_128_MD5
    rserver host vmware-server1
    description testserver1
    ip address 219.222.4.180
    probe PROBE-HTTP
    inservice
    rserver host vmware-server2
    description testserver 2
    ip address 219.222.4.181
    probe PROBE-HTTP
    inservice
    rserver host web5
    description testserver from windows nlb
    ip address 219.222.4.185
    probe PROBE-HTTP
    inservice
    ssl-proxy service SSL-PROXY-SE
    key cert-se.key
    cert cert-se.pem
    ssl advanced-options SSLPARAMS
    serverfarm host WM-ware_servers
    rserver vmware-server1
    inservice
    serverfarm host webtest
    description testserver-farm
    predictor leastconns
    rserver vmware-server1 80
    rserver vmware-server2 80
    rserver web5
    inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
    timeout 60
    serverfarm webtest
    class-map match-all VIP-HTTP
    2 match virtual-address 219.222.4.178 tcp eq www
    class-map match-all VIP-HTTPS
    2 match virtual-address 219.222.4.178 tcp eq https
    class-map type management match-any icmp
    description for icmp reply
    2 match protocol icmp any
    policy-map type management first-match icmp
    class icmp
    permit
    policy-map type loadbalance first-match VIP-HTTP
    class class-default
    sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
    class class-default
    serverfarm webtest
    policy-map multi-match SLB-VIP-HTTP
    class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy VIP-HTTP
    loadbalance vip icmp-reply
    class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy VIP-SSL
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY-SE
    interface vlan 21
    description ### ACE OUTSIDE mot FW ###
    ip address 219.222.4.171 255.255.255.240
    access-group input ANY
    access-group output ANY
    service-policy input icmp
    service-policy input SLB-VIP-HTTP
    no shutdown
    interface vlan 22
    description ### ACE INSIDE Gateway for Web-servers ###
    ip address 219.222.4.177 255.255.255.240
    access-group input ANY
    access-group output ANY
    service-policy input icmp
    no shutdown
    ip route 0.0.0.0 0.0.0.0 219.222.4.161
    ACE-1/CO-WEB1#
    as seen in "show conn" the sessions are established, first when I enter the site, and then when I go to payment (jumping over to SSL):
    ACE-1/CO-WEB1# show conn
    total current connections : 4
    conn-id np dir proto vlan source destination state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
    14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
    11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
    3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
    ACE-1/CO-WEB1#

    Hello Krille
    I had the same problem.
    The HTTP probe you define will do a check if
    the return code is
    expect status 200 200
    expect status 300 323
    Now if a user is accessing the https site, in the flow there will be an expect status like 404; the ACE now does not establish a sticky connection, because it thinks that the flow is not ok.
    The only output after the certificates is a blank site.
    If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
    regards
    eberhard
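    The probe stanza at the centre of this reply can be reasoned about with a small model. The code below is an added example, not the thread's configuration or Cisco's implementation; it encodes the `expect status` ranges, `interval`, `passdetect interval` and `passdetect count` from the posted PROBE-HTTP, and it assumes the usual meaning of those keywords (consecutive successes needed to return a failed server to service, and a slower probe period while it is failed) plus a default `faildetect` of 3 consecutive failures, which the post does not set. It shows how a 404 that the expect ranges do not cover turns into a server being pulled from the farm, and what it takes to get it back.

```python
"""Model of an ACE HTTP probe's expect-status check and server health state
(added example; keyword semantics are assumptions, see the lead-in)."""


class HttpProbe:
    def __init__(self, interval, passdetect_interval, passdetect_count,
                 expect_status, faildetect=3):
        self.interval = interval                        # probe period while healthy
        self.passdetect_interval = passdetect_interval  # probe period while failed
        self.passdetect_count = passdetect_count        # successes needed to recover
        self.expect_status = list(expect_status)        # inclusive (low, high) ranges
        self.faildetect = faildetect                    # failures needed to mark failed
        self.healthy = True
        self.fail_streak = 0
        self.pass_streak = 0

    def status_ok(self, status):
        """A response passes only if its status falls inside one of the expect ranges."""
        return any(lo <= status <= hi for lo, hi in self.expect_status)

    def observe(self, status):
        """Feed one probe response and return the server's health afterwards."""
        if self.status_ok(status):
            self.fail_streak = 0
            if not self.healthy:
                self.pass_streak += 1
                if self.pass_streak >= self.passdetect_count:
                    self.healthy, self.pass_streak = True, 0
        else:
            self.pass_streak = 0
            if self.healthy:
                self.fail_streak += 1
                if self.fail_streak >= self.faildetect:
                    self.healthy, self.fail_streak = False, 0
        return self.healthy

    def next_probe_in(self):
        return self.interval if self.healthy else self.passdetect_interval


def probe_from_post():
    """PROBE-HTTP as configured in the question: interval 3, passdetect 10/2, two status ranges."""
    return HttpProbe(interval=3, passdetect_interval=10, passdetect_count=2,
                     expect_status=[(200, 200), (300, 323)])


def simulate(probe, responses):
    """Return (status, healthy_after, seconds_until_next_probe) for each response in turn."""
    return [(s, probe.observe(s), probe.next_probe_in()) for s in responses]


if __name__ == "__main__":
    # constructed sequence: three 404s knock the server out, two 200s bring it back
    for row in simulate(probe_from_post(), [200, 404, 404, 404, 200, 200]):
        print(row)
```

    The model makes two things concrete: a 302 redirect passes (it sits inside 300-323) while a 404 never does, and once the server has been marked failed the ACE probes it only every 10 seconds and needs two clean answers in a row, so a page that intermittently returns an unexpected code keeps the server flapping in and out of the farm.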
