ACE and SSLM support Subject Alternative Name (SAN)

Hi
I want to migrate Exchange server to Exchange 2010, and I would like to know if ACE and SSLM support Subject Alternative Name (SAN).
1. Can the current CSM (WS-SVC-SSL-1-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it:
   a. exchange.ww.edu
   b. legexchange.ww.edu
2. Can the new ACE (ACE20-MOD-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it:
   a. exchange.ww.edu
   b. legexchange.ww.edu
Thanks
Nomi

I don't see anything in the config guide where the ACE can generate certs with SANs. However, if you are going to generate the cert and keys offline, then it might work. Can you supply a sample pkcs12 file in PEM format that I can test in the lab? Which s/w version?
Matthew

Similar Messages

  • What versions of Weblogic currently have Subject Alternative Name support?

    I would like to visit a comment I saw in an old forum thread from 2010
    Certificate hostname verification error with 10.3
    that "WebLogic currently does not support the Subject Alternative Name field." Can someone please let me know what versions of Weblogic currently have Subject Alternative Name support? We are currently on 10.3. Is there anything near that version that has support, or a patch available for it?
    Regards,
    John

    The KM number is the article number on the support site. Logon to Oracle support and paste the number into the knowledge search and you will get your answer. The article is called "How to Develop Custom Hostname Verifier for Subject Alternative Name (SAN) Certificates" and applies to WLS 10.3.3 and later.

  • CF10, CFHTTP and SSL subject alternative names

    I have an SSL certificate where the Common Name doesn't match the url, but the Subject Alternative Name does.  The Common Name is the actualMachineName.subnet.subnet.mynetwork.com and the SAN is www.prettyurl.com.  I understand older versions of CF don't support this, but the comments regarding Bug #3566218 say that CF10 does.  However, I am still getting connection failures telling me the name doesn't match.
    Can anyone confirm this should/shouldn't work in CF10?  I have imported all of the certs via the keytool and explored all of those issues.  The only remaining issue is that the url doesn't match the CN.
    TIA,
    Eric

    I received the message, "this site has sent an untrusted certificate", on my N95. It would prompt me to continue or view certificate. If I select Continue, everything worked fine. It got annoying after a while. I went thru 2 pages of google results and could not find the answer to fix my issue. I gave up and then somehow figured it out on my own at the bar the next day.
    The issue was that I had the incorrect date.  This was actually one of the first things I checked.  However I overlooked that the date format was ddmmyyyy.  I simply updated to mmddyyyy and fixed the date and the issue was resolved.
    Hope this helps.

  • Nodemanager configuration with SSL and Subject Alternative Names.

    We want to configure several nodemanagers on several machines using SSL. Is it possible to use only one certificate with one CN and several subject alternative names (one per machine)?
    We cannot configure the nodemanager, we always get an SSLHandShake exception.
    Thanks.

    Hi,
    Hope you found a resolution to your issue.
    In case you haven't: presuming the CN used in your certificate is not the host name and all the host servers can resolve/identify that CN, I don't see a major problem in the way you explained it.
    However, a handshake exception only points at certain specific cases:
    - where the certs are not imported into the keystores (client or server side), or
    - certs mismatching at client & server
    - too many certs with the same CN in the same keystore, or the CN resolving to more than 1 cert (if it's possible).
    Let me know if you need help in resolving this, and also paste the error trace of the 'handshake' exception you see.
    Sri

  • Certificate signing request with subject alternative names?

    Has anyone been successful at generating a certificate signing request for a certificate that uses subject alternative names via the Server Manager GUI? It seems to skip the entire X509 section of the CSR for me.
    Command line via openssl works but I'd like to stick with the GUI for the encryption on the certificates.

    I just checked the documentation and found that your code is incorrect. IAlternativeName::StrValue contains value for an email address, a Domain Name System (DNS) name, a URL, a registered object identifier (OID), or a user principal name (UPN). It doesn't contain string value for directory name (and other non-mentioned types). Instead, you need to instantiate an IX500DistinguishedName interface and initialize it from an alternative name value:
    using System;
    using CERTENROLLLib; // COM interop reference: CertEnroll 1.0 Type Library

    class Program {
        static void Main(string[] args) {
            // Placeholder: paste the Base64-encoded PKCS#10 request here
            String RequestString = "Base64-encoded request";
            CX509CertificateRequestPkcs10 request = new CX509CertificateRequestPkcs10();
            request.InitializeDecode(RequestString, EncodingType.XCN_CRYPT_STRING_BASE64_ANY);
            Console.WriteLine("Subject: {0}", request.Subject.Name);
            foreach (IX509Extension ext in request.X509Extensions) {
                // Only the Subject Alternative Name extension is of interest
                if (ext.ObjectId.Name == CERTENROLL_OBJECTID.XCN_OID_SUBJECT_ALT_NAME2) {
                    CX509ExtensionAlternativeNames extensionAlternativeNames = new CX509ExtensionAlternativeNames();
                    string rawData = ext.RawData[EncodingType.XCN_CRYPT_STRING_BASE64];
                    extensionAlternativeNames.InitializeDecode(EncodingType.XCN_CRYPT_STRING_BASE64, rawData);
                    foreach (CAlternativeName alternativeName in extensionAlternativeNames.AlternativeNames) {
                        switch (alternativeName.Type) {
                            case AlternativeNameType.XCN_CERT_ALT_NAME_DIRECTORY_NAME:
                                // Directory names carry no string value: decode the raw data as a DN
                                IX500DistinguishedName DN = new CX500DistinguishedName();
                                DN.Decode(alternativeName.RawData[EncodingType.XCN_CRYPT_STRING_BASE64]);
                                Console.WriteLine("SAN: {0}", DN.Name);
                                break;
                            default:
                                // E-mail, DNS name, URL, OID and UPN entries expose strValue directly
                                Console.WriteLine("SAN: {0}", alternativeName.strValue);
                                break;
                        }
                    }
                }
            }
        }
    }

  • Error: Subject alternative name did not match site name (JavaME)

    When I try and connect to my RESTFul Web Service using SSL I get this exception:
    "Subject alternative name did not match site name".
    I did Google searches and as far as I can tell my 'Subject' matches my 'site name'. I know this because when I connect using my Browser (IE or Firefox) they say our SSL certificate is a-ok (no mismatches). Also, my Windows Mobile 5/6 REST application works fine under SSL. So, I am doubting it's a server side setting?
    Godaddy's root certificate is installed on the Java Emulator. If I disable the root cert I get a different error.
    I am using the QwertyDevice Emulator with 'identified_third_party' security. Wireless Toolkit 2.5.2 and NetBeans Mobility 6.0.1.
    My Web Server is IIS 6.0 that is hosting a WCF .NET 3.5 WebService using the webHttp binding (for those who don't know, that makes it a RESTFul Web Service).
    IIS 6.0 Settings:
    -Web Service is under Default Web Site and in Default Application Pool.
    -'Require secure channel (SSL)' is selected as well as 'Require 128-bit encryption'.
    Here is my client Code:
    InputStream is = null;
    HttpConnection conn = null;
    try
    {
        conn = (HttpConnection)Connector.open("https://ourwebserver.ourdomain.com/RESTServer/Service.svc/REST/getmyopentasks/", Connector.READ_WRITE);
        // HTTP Basic credentials; BasicAuth.encode is the poster's own helper
        conn.setRequestProperty("Authorization", "Basic " +
            BasicAuth.encode(userName, password));
        conn.setRequestMethod(HttpConnection.GET.toString());
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        // The name-mismatch exception is raised on this call
        is = conn.openInputStream();
    }
    catch (IOException ex)
    {
        ex.printStackTrace();
    }
    A few notes: We are using Basic HTTP Authentication, and the "BasicAuth.encode" method is a helper method that I found code for out on the Internet. It works fine though.
    Because when I run this above code with SSL turned off, on the server, it works fine (authenticating and getting RESTFul XML back). I did try HttpsConnection as well. Did not work. Same SSL error.
    When this line is executed: "is = conn.openInputStream();" I get this exception: "Subject alternative name did not match site name". I have searched this forum and Google and can't figure this one out! Thanks!

  • Used a Subject Alternative Names certificate with an ESA IronPort C170

    Hi all,
    Does someone know if it is possible to use a "Subject Alternative Names" Certificate (SAN / UCC SSL) for an Email Security Appliance C170?
    Is it possible to do this with an IronPort?
    Thank you very much, for your reply.
    Regards,
    David

    Hello RYAN,
    Thank you for your reply, it is very good news for us.
    Have a nice day!
    David

  • CSS 11501 - wildcard certificate with subject alternative names

    Hi,
    I generated a wildcard certificate for my company of type *.mycompany.com in a CSS 11501.
    For the site sub-domain1.mycompany.com it worked fine; for the site sub-domain2.sub-domain1.mycompany.com it didn't work.
    I read on the web that I should generate a wildcard certificate with subject alternative names. Is it possible in CSS? How can I do it?
    Thank you very much,
    Cláudio Soares

    Hi,
    The CSS is indifferent to the Common Name in an SSL certificate used for SSL termination,
    so using a wildcard certificate would be no different than using a standard certificate.
    If using the CSS to generate the Certificate Signing Request, just enter the Common
    Name with the leading asterisk for the subdomain portion of the hostname. Example:
    Common Name (your domain name) [www.mycompany.com]*.domain.com
    The only difference in configuring SSL termination would be that you could
    reuse the SSL certificate (in the ssl-proxy-list) for all the different vips that the
    subdomains resolve to without having to worry about pop-up warnings on client's browsers
    (example attached). Or, if your subdomains resolve to the same vip, the CSS configuration
    wouldn't be any different.
    Regards,
    Siva
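
The name-matching rules behind several threads on this page (the wildcard that covers sub-domain1 but not sub-domain2.sub-domain1, the CF10 certificate whose SAN matches while its CN does not, and the two Exchange names in one certificate), as an added example that is not code from any poster or vendor. It follows RFC 2818 section 3.1; the function names are hypothetical and every certificate in `CASES` is constructed from host names quoted in the threads.

```python
"""Added illustration: how a TLS client matches a requested host name against
a certificate's dNSName SAN entries and its Common Name (RFC 2818, 3.1)."""


def dns_name_matches(pattern, hostname):
    """Compare one certificate name (optionally '*.'-prefixed) with a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in h or len(p) != len(h):
        return False              # '*' stands for exactly one label, never several
    if any("*" in label for label in p[1:]):
        return False              # wildcard is accepted in the left-most label only
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # refuse '*.com'-style patterns
    if "*" in p[0]:
        return False              # partial wildcards (w*.example.com) are refused
    return p == h


def san_aware_match(hostname, common_name, san_dns_names):
    """Client that honours SAN: if any dNSName is present, the CN is ignored."""
    if san_dns_names:
        for name in san_dns_names:
            if dns_name_matches(name, hostname):
                return True, "SAN " + name
        return False, "no SAN entry matches (CN not consulted)"
    if common_name and dns_name_matches(common_name, hostname):
        return True, "CN " + common_name
    return False, "CN does not match"


def cn_only_match(hostname, common_name):
    """Model of an older client that never reads the SAN extension."""
    ok = bool(common_name) and dns_name_matches(common_name, hostname)
    return ok, ("CN " + common_name) if ok else "CN does not match"


MACHINE = "actualMachineName.subnet.subnet.mynetwork.com"
DEEP = "sub-domain2.sub-domain1.mycompany.com"

# (requested host, certificate CN, certificate SAN dNSNames) -- constructed cases
CASES = [
    ("sub-domain1.mycompany.com", "*.mycompany.com", ["*.mycompany.com"]),
    (DEEP, "*.mycompany.com", ["*.mycompany.com"]),
    (DEEP, "*.mycompany.com", ["*.mycompany.com", "*.sub-domain1.mycompany.com"]),
    ("www.prettyurl.com", MACHINE, ["www.prettyurl.com"]),
    (MACHINE, MACHINE, ["www.prettyurl.com"]),
    ("legexchange.ww.edu", "exchange.ww.edu",
     ["exchange.ww.edu", "legexchange.ww.edu"]),
]


def run_cases():
    """Return (host, SAN-aware verdict, CN-only verdict) for every case."""
    return [(host,
             san_aware_match(host, cn, sans)[0],
             cn_only_match(host, cn)[0])
            for host, cn, sans in CASES]


if __name__ == "__main__":
    for host, san_ok, cn_ok in run_cases():
        print(f"{host:48} SAN-aware={san_ok!s:5} CN-only={cn_ok}")
```

The fifth case shows why the CN should be repeated as a SAN entry: once a certificate carries any dNSName, a SAN-aware client no longer looks at the CN.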

  • Migration: Ex 2007 to Ex 2013 and co-exist scenario: Subject Alternative Name certificate

    We are planning the migration of Exchange 2007 to Exchange 2013. In our existing SAN certificate for Exchange services (OWA, ActiveSync), we have a URL that we included that we no longer have a service for or anything associated with it. For example: mail.contoso.com.
    Can we use this URL in the new Exchange 2013 certificate (3rd Party) we request/obtain as opposed to putting an entry for legacy.contoso.com? Or will we get errors?
    Thanks for your answers!

    Hello,
    No problem. For example, currently, you have two records in SAN, the last one is not in use.
    {a.domain.com, b.domain.com}
    You can:
    a.domain.com -> Exchange 2007
    b.domain.com -> Exchange 2013
    BTW, you must have autodiscover.domain.com point it to Exchange 2013.
    Thanks,
    Simon Wu
    TechNet Community Support

  • When I try to sign in to the support community using one of my email addresses it asks for my apple support community user name and when I type in what I think it might be I get one of several messages, i.e. An account using this e-mail address already exis

    When I try to sign in to the support community using one of my e-mail addresses and I put in nothing or what I thought was my apple support community user name, I can get one of several messages, i.e.
    1. Please specify a user name
    2. An account using this e-mail address already exists; only one account per e-mail address is allowed on Apple Support Communities
    How do I find out what my Apple Support Communities user name is?

    Good luck with this!!!
    EVEN USING what WAS my Username, this is the exact problem I am having having entered my correct ID and Password.
    Rgds
    Rod

  • HT201232 Support Subject : iTunes Cards and Codes Sub Issue : hi i want to change my iTunes account from US Store to Kuwait Store and i want to reset My balance.

    Support Subject : iTunes Cards and Codes
    Sub Issue : hi i want to change my iTunes account from US Store to Kuwait Store and i want to reset My balance.

    Try contacting iTunes Support (these are user-to-user forums) and ask them if they can remove the balance from your account so that you can change countries : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page

  • Hyper-V 3 Virtual SAN and Linux support

    Hello!!
    Please, I'd like to know about Hyper-V 3 Virtual SAN and Linux support. I need to bind some LUNs to a hosted SuSE (or even other distro, I can migrate if needed).
    Thanks a lot.
    narf

    Unfortunately I have to work with my actual SAN.
    Do you know which one is faster: access my disk via Virtual HBA or mapped via SCSI on Hyper-V?
    narf
    map it via scsi which will keep it away from the system volume and safer

  • Why do iPhones/iPad not support Flash Player/Java and what are my alternatives for browsing sites using these plug-ins?

    Why do iPhones/iPad not support Flash Player/Java and what are my alternatives for browsing sites using these plug-ins?

    There are also iSwifter, Photon, Skyfire, etc., some only support Flash some support Java and Flash.
    Adobe never made a version of Flash for iOS and closed their mobile flash division a couple of years ago. You can get Flash on other personal devices but you will be using a 2 year old version that has not been patched for security vulnerabilities.
    When the original iPhone was released Mr. Jobs said it would never run Java as it was old technology and a security risk. Nothing has changed since.

  • N95 HTML and CSS support

    Hello,
    I work on a Web site optimisation for the Nokia N95 phone terminal. I did not find, in the Nokia Web site, any reference documents on the HTML and CSS supported by the N95 Web browser. Where can I get such technical references?
    Actually, I try to use the commands max-device-width and min-device-width, which allow selecting a stylesheet according to the device display mode (width = 240 or width = 320). I noticed that it is not supported by this browser. Are there any alternatives? I would also like to know if the meta tag name = "viewport" is available on the N95 browser.
    Any answer would be appreciated.
    Best regards,
    Xavier Ottolini

    You will find info about this on nokia's developers forum:
    www.forum.nokia.com

  • It's my 3000 post – Oracle ACE and Oracle employees

    Hello,
    So, this is my post number 3000. In this forum, it’s not so unique, but still I decided to dedicate it to the subject of Oracle ACE and Oracle employees.
    Recently, Joel blogged about Carl awarded Oracle ACE (http://joelkallman.blogspot.com/2009/02/carl-backstrom-oracle-ace.html), after special efforts made by Sharon, because “the folks at the Oracle Technology Network decided that Oracle employees could no longer be awarded the ACE designation”. I truly wish I could write that Carl is a living proof of this decision being misguided. Unfortunately, I can’t. However, Carl’s case paints the situation in strong colors. Only after his death, Carl was honored with something that I’m sure seems so obvious to most of us.
    I’m thinking that if this decision, not to award Oracle employees with Oracle ACE, was made sooner, people like Scott and Joel would not have been awarded Oracle ACE, not to mention Tom Kyte, and probably others I’m not familiar with. Scott and Joel deal with APEX all day long, as part of their job, and this forum is not part of their day job description. Still, they find the time to help us all. Just look at the post counter of Scott. I’m amazed each time I see it. Scott, with all his experience, doesn’t limit himself to only the most complicated issues. You can see his replies, to the most basic issues, almost every day. Joel never failed helping me, and many others on this forum, every time there is an issue only he can help with. Scott and Joel were lucky, and have been awarded Oracle ACE, prior to this decision. Carl was less lucky, and as Joel wrote, I can’t think of anyone who better represents the true meaning and spirit of the Oracle ACE program.
    The point I’m trying to make is that Oracle ACE should not be left for luck and timing, or place of work, for that matter. I’m sure that the OTN folks had the best intentions when making this decision. I can understand that people might suspect favoritism toward Oracle employees; however, the solution shouldn’t be the easy one – no to every Oracle employee.
    While writing, I can think of Tyler. He’s no longer a member of the APEX team, but we can still enjoy his wisdom and experience on this forum, not to mention his APEX dedicated blog entries, where he covers special and more complex aspects of working with this tool. I don’t know if Tyler qualifies to become Oracle ACE (and, of course, I’m only using him as an example) but it seems wrong to me not to even consider it, just because he happens to work for Oracle. I’m sure there are others like Tyler, in the other forums. I believe that this kind of behavior, by Oracle employees, should be encouraged, and not taken for granted. Certainly, they shouldn’t be penalized.
    So, what does all of this have to do with my 3000 posts? I believe I earned the right to call myself a frequent poster on this forum. As such, I know how time consuming this forum can be, not to mention the hard and tedious job of keep repeating the same answers to the same questions, keep pointing to old references, and such. So, I want to take this opportunity to thank all the active participants of this forum, Oracle employees and others. In spite of all the hardship, this forum can also be very rewarding, and at least for me, a very educated experience. I learned a lot in my attempts to help others. I can wholeheartedly recommend it to everyone who enjoys helping others, and enriching him/herself in the process.
    Regards,
    Arie.

    If I understand you correctly, you ought to reinstall. At this point, even if you're able to resurrect this installation, it might be severely unstable. Mostly because of my proclivity for messing around with settings until I screw something up, I have a tremendous amount of experience with the recovery console, and my success rate is not inspiring. If you have data you need on the drive, your best course of action is to reinstall to a different boot drive, and once you’re able to boot, archive the files you want from the corrupted installation. Then you can wax both drives, restore the data and get everything back the way you want it. Getting your data back from the recovery console is basically a lost cause since it doesn't support wildcards (as in, you'd have to copy every freaking file one at a time).
    I re-read the above paragraph, and it's not the clearest thing I've ever written, so if you need clarification on anything, let me know.
