AD Password Filter - SSL Issues with MSFT CA ?
- We have completed implementing one way EXPORT profile sync between OID to AD
- SSL configs are complete as per documentation and password synchronizing from OID to AD
successfully
- We now want to implement a new import profile to synchronize ONLY password from AD to OID
- Following documentation at
http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/odip_adpasswordsync.htm#CHDBIIJC
- One of the first steps is to check if SSL is enabled at OID...when we do that using the tool(ldapbindssl.exe) we downloaded ...below
is the error we get...
+++++++++++++++++++++++++++++++++
C:\>ldapbindssl.exe -h oid-host -p 636 -D cn=orcladmin -w xxxx
Connecting server in SSL Mode
Checking if SSL is enabled
SSL not enabled.
SSL being enabled...
Binding ...
Ldap bindERROR
System Error Code: 1396
LDAP Error Code: 52
Error Message: Server Unavailable
C:\>
+++++++++++++++++++++++++++++++++
- We know for sure that SSL is configured on OID . The SSL is configured as "Server Authentication
Only" for Configset1 which is running on port 636
when we do ldapbind from the oidhost for this port it works...
ldapbind -U 2 -h oid-host -p 636 -W file://oracle/wallet -P xxxxx
bind successful
- For SSL configs we have used Micorsoft CA, hence the root certificate (CA) is also present on AD server and
there is no need to import Oracle CA as per the documentation.
Question:
1) What is th specific SSL set-up that we need to do on OID server such that AD is
able to detect SSL configuration ??? what is it that we are missing ?
You do have to import the certificate (the OID Server certificate, that is), or the SSL setup will reject the connection as "not from the intended host".
Apart from that - there's a bug, requiring the OID server certificate SUBJECT attribute matches the OID server hostname. (Note 430907.1/bug 5846519 ). I seem to hit that one :(
Similar Messages
-
MovieClip Filter Causing issues with EventListeners (mouseEvent.ROLL_OVER)
Hello,
I have been working on a flash photo gallery for the web. It loads thumbnails from an xml file into a loader which is then made the child of a movieclip.
The thumbnails are animated and triggered with mouse events of ROLL_OVER and ROLL_OFF. I have this working, or appearing to, when the movieclip containing the loaded thumbnail has no filters applied to it.
I want add a drop shadow on the ROLL_OVER event and remove the drop shadow on the ROLL_OFF event. I also have this working, however my problem arises when I mouse over the very edge of the movieclip. This cauese the ROLL_OVER and ROLL_OFF function to fire in rapid succession, creating a flashing dropshadow. This looks aweful and I really have no idea what would be causing this issue.
Thanks in advance for any advice!
Regards.Thanks for the reply.
I also found it difficult to believe that the filter was causing issues with the roll over/out events. I will expand on the example code you provided so you get an idea of what I am trying to accomplish and where my issues arise.
EDIT: I should add that the issue is only present when I tween AND add a filter. If I only add a filter or if I only tween I have no issues but the combination or adding a filter and tweening causes the OVER/OUT events to fire rapidly.
//This code does not result in a flashing animation
myClip.addEventListener(MouseEvent.ROLL_OVER, overClip);
myClip.addEventListener(MouseEvent.ROLL_OUT, outClip);
function overClip(e:MouseEvent):void
myTween = new Tween(myClip, "scaleX", Regular.easeOut, myClip.scaleX, 1.5 , 3, true);
myTween = new Tween(myClip, "scaleY", Regular.easeOut, myClip.scaleY, 1.5 , 3, true);
function outClip(e:MouseEvent):void
myTween = new Tween(myClip, "scaleX", Regular.easeOut, myClip.scaleX, 1 , 3, true);
myTween = new Tween(myClip, "scaleY", Regular.easeOut, myClip.scaleY, 1 , 3, true);
//However if i add these lines of code to add and remove a filter I can observe the flashing effect when the mouse is near the edge of the moveclip
myClip.addEventListener(MouseEvent.ROLL_OVER, overClip);
myClip.addEventListener(MouseEvent.ROLL_OUT, outClip);
function overClip(e:MouseEvent):void
myClip.filters = [myDropShadowFilter];
myTween = new Tween(myClip, "scaleX", Regular.easeOut, myClip.scaleX, 1.5 , 3, true);
myTween = new Tween(myClip, "scaleY", Regular.easeOut, myClip.scaleY, 1.5 , 3, true);
function outClip(e:MouseEvent):void
myClip.filters = [];
myTween = new Tween(myClip, "scaleX", Regular.easeOut, myClip.scaleX, 1 , 3, true);
myTween = new Tween(myClip, "scaleY", Regular.easeOut, myClip.scaleY, 1 , 3, true);
Is there something obviously wrong with this approach to adding a filter/tweening? I am fairly new to flash.
Thanks again!
Message was edited by: Dafunkz -
"This password is different" Issue with MobileMe Syncing
Hi all,
I am getting an issue on two of my Mac's at the moment, which are both MobileMe sync'd (Contacts, Calendar and recently, Bookmarks) which is that saved passwords are no longer being pre-filled and when i enter the password it states "This password is different. Would you like to replace the saved password with this one?" even though the password is correct and the one that is stored.
It's obviously something that has happened when i turned Bookmark sync on, but I don't know what, not how to undo it. Obviously I have taken Bookmark sync off now, but it hasn't rectified the issue.
Any help welcome.
Regards
BillO.K., I'm not a computer guy so I don't know why this caused it, but I found out what my problem was and maybe this will help. I had loaded a plug in for a school site that the only way to get it to run was to do a "Get info" on the safari app and check "Open Using Rosetta." The plug in ran fine and I forgot about it. I finally went back and unchecked that box and now my passwords/usernames are working fine after about a week of frustration.
Good Luck, -
Safari SSl Issue with Online Grading Site
I manage a department that offers grading of exams online. Users supply their answers and have the server grade the submissions.
We randomly have an issue where Safari users will have their exams graded incorrectly. Basically failing the student even though they have supplied the correct answers.
When we have them resubmit the same answers in IE for Mac the server correctly grades the exam.
This issue is not consistent. Some exams grade correctly in Safari and some do not.
Any advice would be appreciated.Hmmmm....
via MacWorld:
Nothing in Apple’s ridiculously minimal release notes suggested that this feature existed. But this time, the company’s intransigence in telling you what it has changed in the software you use may have further consequences. How Safari could “know” about these phishing and malware sites raises all kinds of interesting questions. Now we can tell you with reasonable confidence how it all works—but because Apple has not done the same thing, we cannot say with certainty that it is completely private, or that Safari is not sending information about the pages you visit to a third party. -
Ssl issues with sgd 4.4
Hi there,
I cannot start my sgd server with --ssl, i get the following error in the logs...
2012/08/13 13:04:33.169 ssl1112 ssldaemon/clientconnection/badforwardporterror
Sun Secure Global Desktop Software (4.4) ERROR:
The Security Daemon has received a connection to be forwarded onwards,
but it could not get the port to forward to from the
tarantella.config.server.proxiedhttpsurl attribute.
Please ensure this attribute is correctly correctly by using the Security
properties in the per-server section of the array manager. ssldaemon/clientconnection/badforwardporterror
2012/07/30 13:04:33.169 ssl1112 ssldaemon/clientconnection/badforwardporterror
Sun Secure Global Desktop Software (4.4) ERROR:
The Security Daemon has received a connection to be forwarded onwards,
but it could not get the port to forward to from the
tarantella.config.server.proxiedhttpsurl attribute.
Please ensure this attribute is correctly correctly by using the Security
properties in the per-server section of the array manager. ssldaemon/clientconnection/badforwardporterror
2012/07/30 13:04:33.170 ssl1112 ssldaemon/TTAservererror/badresponseinfo
Sun Secure Global Desktop Software (4.4) ERROR:
Secure Global Desktop server not responding on port 0, closing the connection.
TSP=SERVER IP:443 Client=CLIENT IP:35987 ssldaemon/TTAservererror/badresponseinfo
2012/07/30 13:04:33.170 ssl1112 ssldaemon/TTAservererror/badresponseinfo
Sun Secure Global Desktop Software (4.4) ERROR:
I cannot start array manager as its not used any more, and i cannot see any options on the gui config for this.
Any help is appreciated.
regardshi there,
thanks for the quick reply. please see below the output for config list...
array-audio-quality: medium
array-audio: 0
array-billingservices: 0
array-cdm-fallbackdrive: t+
array-cdm-wins: 0
array-cdm: 1
array-clipboard-clientlevel: 3
array-clipboard-enabled: 1
array-editprofile: 1
array-externallaservice: 0
array-logfilter: */*/fatalerror:.../_beans/com.sco.tta.server.log.ConsoleSink,server/login/*info:login%%PID%%_moreinfo.log,audit/session/*info:login%%PID%%_moreinfo.log,cdm/*/*:cdm%%PID%%.log,cdm/*/*:cdm%%PID%%.jsl,server/deviceservice/*:cdm%%PID%%.log,server/deviceservice/*:cdm%%PID%%.jsl,server/security/*:ssl%%PID%%.log,server/printing/*:print%%PID%%.log,server/printing/*:print%%PID%%.jsl
array-port-encrypted: 443
array-port-peer: 5427
array-port-unencrypted: 3144
array-resourcesync: 1
array-scard: 1
array-serialport: 1
array-unixaudio-quality: medium
array-unixaudio: 0
audiope-compression: never
chpe-compression: auto
chpe-compressionthreshold: 256
chpe-exitafter: 60
cpe-args: ""
cpe-exitafter: 60
cpe-maxsessions: 20
cpe-maxusers: 1
execpe-args: ""
execpe-exitafter: 60
execpe-maxsessions: 10
execpe-maxusers: 1
execpe-scriptdir: %%INSTALLDIR%%/var/serverresources/expect
iope-compression: never
launch-allowsmartcard: 0
launch-alwayssmartcard-initial: checked
launch-alwayssmartcard-state: enabled
launch-details-initial: shown
launch-details-showonerror: true
launch-details-state: enabled
launch-expiredpassword: manual
launch-loadbalancing-algorithm: sessions
launch-savepassword-initial: checked
launch-savepassword-state: enabled
launch-savettapassword: 1
launch-showauthdialog: user
launch-showdialogafter: 2
launch-trycachedpassword: 1
login-ad-base-domain: ""
login-ad-default-domain: ""
login-ad: 0
login-anon: 0
login-atla: 0
login-autotoken: 0
login-ens: 1
login-ldap-pki-enabled: 0
login-ldap-thirdparty-ens: 0
login-ldap-thirdparty-profile: 0
login-ldap-url: ldap://dc.domain.com
login-ldap: 0
login-mapped: 0
login-nt-domain: dc.domain.com
login-nt: 1
login-securid: 0
login-theme: sco/tta/standard
login-thirdparty-ens: 0
login-thirdparty-nonens: 1
login-thirdparty-superusers: sgd_trusted_user
login-thirdparty: 0
login-unix-group: 0
login-unix-user: 1
login-web-ens: 0
login-web-ldap-ens: 0
login-web-ldap-profile: 1
login-web-profile: 0
login-web-tokenvalidity: 180
ppe-compression: auto
ppe-compressionthreshold: 4096
ppe-exitafter: 240
printing-mapprinters: 1
printing-pdfdriver: ""
printing-pdfenabled: 0
printing-pdfisdefault: 0
printing-pdfprinter: "Universal PDF Printer"
printing-pdfprompt: 0
printing-pdfviewer: "Universal PDF Viewer"
printing-pdfviewerenabled: 0
printing-pdfviewerisdefault: 0
scardpe-compression: never
security-acceptplaintext: 0
security-applyconnections: 1
security-connectiontypes: "std,ssl"
security-firewallurl: ""
security-newkeyonrestart: 0security-printmappings-timeout: 1800
security-ssldaemon-failmode: reducesecurity
security-xsecurity: 1
server-dns-external: *:sgd1.domain.com
server-location: ""
server-logdir: /opt/tarantella/var/log
server-login: enabled
server-redirectionurl: ""
sessions-aipkeepalive: 100
sessions-loadbalancing-algorithm: .../_beans/com.sco.tta.server.loadbalancing.tier2.SessionLoadBalancingPolicy
sessions-timeout-always: 11500
sessions-timeout-session: 720
tuning-jvm-initial: 120
tuning-jvm-max: 2048
tuning-jvm-scale: 150
tuning-maxconnections: 1000
tuning-maxfiledescriptors: 4096
tuning-maxrequests: 7
tuning-resourcesync-time: 4:00
xpe-args: ""
xpe-cwm-maxheight: 1280
xpe-cwm-maxwidth: 3200
xpe-exitafter: 60
xpe-fontpath: "%%INSTALLDIR%%/etc/fonts/misc,%%INSTALLDIR%%/etc/fonts/TTF,%%INSTALLDIR%%/etc/fonts/Type1,%%INSTALLDIR%%/etc/fonts/CID,%%INSTALLDIR%%/etc/fonts/local,%%INSTALLDIR%%/etc/fonts/75dpi,%%INSTALLDIR%%/etc/fonts/100dpi,%%INSTALLDIR%%/etc/fonts/ibm,%%INSTALLDIR%%/etc/fonts/hp,%%INSTALLDIR%%/etc/fonts/andrew,%%INSTALLDIR%%/etc/fonts/icl,%%INSTALLDIR%%/etc/fonts/scoterm,%%INSTALLDIR%%/etc/fonts/cyrillic,%%INSTALLDIR%%/etc/fonts/hangul,%%INSTALLDIR%%/etc/fonts/oriental"
xpe-keymap: xuk.txt
xpe-maxsessions: 20
xpe-maxusers: 1
xpe-monitorresolution: 0
xpe-rgbdatabase: %%INSTALLDIR%%/etc/data/rgb.txt
xpe-sessionstarttimeout: 60
xpe-tzmapfile: %%INSTALLDIR%%/etc/data/timezonemap.txt
Edited by: 952573 on Aug 13, 2012 4:41 PM -
Flex + BlazeDS SSL issue with IE7
Hi there,
Am facing an unique issue when accessing my application using https (SSL) protocol. Actually my app is configured for "secure amf" and when it fails then it hits the "amf" of blazeds.
All is fine, when i try to open an IE window and hit the url for the first time. The client side is able to hit the server side thru secure amf and its receiving the response back from the server. But when i open another new IE7 tab/window then am getting a NetConnection issue....
i.e, NetConnection.Failed:HTTP error is popping up eventhough it tries to access the https url..
Let me know if any of you guys have a work around for this.
This works fine for FF & Chrome.
Thanks.So it's definitely due to a change in Firefox, but I was able
to find a workaround. We put headers in our flex pages so we can
incorporate our global navigation at the top of the page.
You're not going to believe the workaround. Here's what the
code looked like before I fixed it:
<cfinclude
template="/cfdocs/proddev/common/cf/flex_header.cfm">
<script src="AC_OETags.js"
language="javascript"></script>
Now, here's the fix:
<script src="AC_OETags.js"
language="javascript"></script>
<cfinclude template="common/flex_header.cfm">
So, I either had to put the script tag in the <head>
tag, or put it before my html declarations.
My guess is that Firefox over SSL doesn't allow <script
src=''> tags in the body of an html document anymore. -
SSL Issue with Dovecot Mac OS X Server 10.6.8
I run IMAP mail on SL Server using SSL. It's been running beautifully for a year or so till my (self signed) certificate expired. I created a new cert and configured SMTP & IMAP to use the new cert. SMTP is fine but IMAP refuses to use the cert. The message i get in the log is :mail dovecot [32551] can't use etc/ssl/certs/dovecot.pem no such file or directory. Invalid configuration, keeping old one. SSL simply doesn't start.
I've been right through the dovecot.conf file and checked and nowhere in the file is that location referred to. All the times SSL is mentioned in the conf file the correct location is referred to. I've looked and the certs are where they are supposed to be.
So what other configuration file can dovecot possibly be referring to when it attempts to load the new configuration after I've made changes using server admin?
I've even loaded a default conf file and started fresh and the same thing happens.
Appreciate any ideas
Mac OS X Server 10.6.8
RobNever Mind, I figured it out.
-
Hello,
I am trying to setup SSL in BPEL but need some help. This is what I have done so far.
Added signed cerificate in wallet C:\product\wallets
httpd.conf -
Listen 7777
Port 7777
ssl.conf -
Listen 4444
<VirtualHost default:4444>
Port 4444
SSLWallet file:C:\product\wallets
Verified in opmn.xml
<ias-component id="HTTP_Server">
<data id="start-mode" value="ssl-enabled"/>
When I access https://localhost:4444 I receive Server Connect Failed
When I access http://localhost:4444 I get the Welcome to Oracle SOA Suite (10.1.3.4) page
What am I doing wrong or missing that 4444 is accessible via http and not https.
Thanks in advance,
JimHi Jim,
Have you referred : http://download.oracle.com/docs/cd/B31017_01/integrate.1013/b28982/security.htm#sthref102 and
10 Enabling SSL for Oracle HTTP Server in Oracle® BPEL Process Manager Administrator's Guide
10g (10.1.3.1.0)
Part Number B28982-03
Regards
A -
SSL Issue with reverse proxy module
Hi there,
I'm hoping someone can help me. I am using Sun ONE Web Server 6.1SP7 Reverse Proxy Plugin to connect to a backend server over SSL.
However the backend server is reporting errors on the SSL handshake: SSL_ERROR_NO_CYPHER_OVERLAP
I have installed ssldump and can see the following set of cipher suites are offered by the client (in this case, the reverse proxy module:
New TCP connection #6: dptettsw02(62951) <-> dptdevss01(31006)
6 1 0.0105 (0.0105) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
SSL2_CK_RC4
SSL2_CK_RC2
SSL2_CK_3DES
SSL2_CK_DES
SSL2_CK_RC4_EXPORT40
SSL2_CK_RC2_EXPORT40
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
How do I configure the reverse proxy module to use a different cipher suite?
Any help would be greatly appreciated and please let me know if anything is unclear
Thanks!
KevHi there.
The server.xml file is below:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
-->
<!DOCTYPE SERVER PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Web Server 6.1//EN" "file:///opt/SUNWwbsvr/servers/bin/https/dtds/sun-web-server_6_1.dtd">
<SERVER qosactive="no" qosmetricsinterval="30" qosrecomputeinterval="100">
<PROPERTY name="docroot" value="/opt/iplanet/servers/docs"/>
<PROPERTY name="user" value=""/>
<PROPERTY name="group" value=""/>
<PROPERTY name="chroot" value=""/>
<PROPERTY name="nice" value=""/>
<PROPERTY name="dir" value=""/>
<PROPERTY name="accesslog" value="/opt/SUNWwbsvr/servers/https-ETT03WEB02/logs/accessSSL"/>
<LS id="group1" ip="0.0.0.0" port="2080" acceptorthreads="1" blocking="no" security="off" defaultvs="https-ETT03WEB02" servername="dptettsw02"/>
<LS id="ls2_default" ip="0.0.0.0" port="20443" acceptorthreads="1" blocking="no" security="on" defaultvs="https-ETT03WEB02" servername="ptpcam-ptpett-drs.dwpptp.londondc.com">
<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="+rc4,+rc4export,+rc2,+rc2export,+desede3,+des" ssl3="on" ssl3tlsciphers="-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,-rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,+rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,+fortezza_null,-fips_3des_sha,-fips_des_sha" tls="on" tlsrollback="off" clientauth="off"/>
</LS>
<MIME id="mime1" file="mime.types"/>
<ACLFILE id="acl1" file="/opt/SUNWwbsvr/servers/httpacl/generated.https-ETT03WEB02.acl"/>
<VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
<PROPERTY name="docroot" value="/opt/iplanet/servers/docs"/>
<PROPERTY name="user" value=""/>
<PROPERTY name="group" value=""/>
<PROPERTY name="chroot" value=""/>
<PROPERTY name="nice" value=""/>
<PROPERTY name="dir" value=""/>
<VS id="https-ETT03WEB02" connections="group1" urlhosts="dptettsw02" mime="mime1" aclids="acl1" state="on">
<USERDB id="default" database="default"/>
</VS>
<VS id="ETT03WEB02_SSL" connections="ls2_default" urlhosts="ptpcam-ptpett-web.dwpptp.londondc.com" mime="mime1" aclids="acl1" state="on">
<USERDB id="default" database="default"/>
</VS>
</VSCLASS>
<JAVA javahome="/opt/SUNWwbsvr/servers/bin/https/jdk" serverclasspath="/opt/SUNWwbsvr/servers/bin/https/jar/webserv-rt.jar:${java.home}/lib/tools.jar:/opt/SUNWwbsvr/servers/bin/https/jar/webserv-ext.jar:/opt/SUNWwbsvr/servers/bin/https/jar/webserv-jstl.jar:/opt/SUNWwbsvr/servers/bin/https/jar/ktsearch.jar" classpathsuffix="" envclasspathignored="true" debug="false" debugoptions="" dynamicreloadinterval="2">
<JVMOPTIONS>-Dorg.xml.sax.parser=org.xml.sax.helpers.XMLReaderAdapter</JVMOPTIONS>
<JVMOPTIONS>-Dorg.xml.sax.driver=org.apache.crimson.parser.XMLReaderImpl</JVMOPTIONS>
<JVMOPTIONS>-Djava.security.policy=/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/server.policy</JVMOPTIONS>
<JVMOPTIONS>-Djava.security.auth.login.config=/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/login.conf</JVMOPTIONS>
<JVMOPTIONS>-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager</JVMOPTIONS>
<JVMOPTIONS>-Xmx256m</JVMOPTIONS>
<JVMOPTIONS>-Xrs</JVMOPTIONS>
<SECURITY defaultrealm="file" anonymousrole="ANYONE" audit="false">
<AUTHREALM name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
<PROPERTY name="file" value="/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/keyfile"/>
<PROPERTY name="jaas-context" value="fileRealm"/>
</AUTHREALM>
<AUTHREALM name="ldap" classname="com.iplanet.ias.security.auth.realm.ldap.LDAPRealm">
<PROPERTY name="directory" value="ldap://localhost:389"/>
<PROPERTY name="base-dn" value="o=isp"/>
<PROPERTY name="jaas-context" value="ldapRealm"/>
</AUTHREALM>
<AUTHREALM name="certificate" classname="com.iplanet.ias.security.auth.realm.certificate.CertificateRealm"/>
</SECURITY>
<RESOURCES/>
</JAVA>
<LOG file="/opt/SUNWwbsvr/servers/https-ETT03WEB02/logs/errors" loglevel="finest" logtoconsole="true" usesyslog="false" createconsole="false" logstderr="true" logstdout="true" logvsid="false"/>
</SERVER> -
SSL certificate issue with WLS 10.3
Hi All,
I am facing this issue with my WLS cluster.
<21-Apr-2010 10:42:00 o'clock BST> <Warning> <Security> <BEA-090482> <BAD_CERTIF
ICATE alert was received from system.core.com - 10.15.135.30.
Check the peer to determine why it rejected the certificate chain (trusted CA co
nfiguration, hostname verification). SSL debug tracing may be required to determ
ine the exact reason the certificate was rejected.>
<21-Apr-2010 10:42:00> <Warning> <Uncaught exception in server handler: javax.ne
t.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from
system.core.com - 10.15.135.30. Check the peer to determine wh
y it rejected the certificate chain (trusted CA configuration, hostname verifica
tion). SSL debug tracing may be required to determine the exact reason the certi
ficate was rejected.>
Please suggest. I have also tried the below settings.
Node Manager:
-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
Admin Server:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
Many thanks in advance.Hi Sandip,
I am facing this issue right after when I have configured the listen address to my system IP in Machine(NodeManager), earlier it was "localhost".
Also I have tried to generate the certificates e.g.
C:\bea\wlserver_10.3\server\bin>java utils.CertGen -cn system.core.com -keyfilepass DemoIdentityPassPhr
ase -certfile mycertificate -keyfile .keystore
Generating a certificate with common name system.core.com and key strength 1024
issued by CA with certificate from C:\bea\WLSERV~1.3\server\lib\CertGenCA.der file and key from C:\bea\WLSERV~1.3\server
\lib\CertGenCAKey.der file
C:\bea\wlserver_10.3\server\bin>java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePa
ssPhrase -keyfile .keystore.pem -keyfilepass DemoIdentityPassPhrase -certfile mycertificate.pem -alias demoidentity
No password was specified for the key entry
Key file password will be used
Imported private key .keystore.pem and certificate mycertificate.pem
into a new keystore DemoIdentity.jks of type jks under alias demoidentity
Tried the above but not wokring. Please advise.
Edited by: R Vashi on 21-Apr-2010 03:38 -
SSL VPN (WebVPN) issues with IOS 15.0(1)M1
Hello everyone... I need your help!
I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
Symptoms:
- AnyConnect Client prompts users with the following error:
"The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
Debug:
Mar 5 13:09:45:
Mar 5 13:09:45: WV-TUNL: Tunnel CSTP Version recv use 1
Mar 5 13:09:45: WV-TUNL: Allocating tunl_info
Mar 5 13:09:45: WV-TUNL: Allocating stc_config
Mar 5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
Mar 5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
Mar 5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
Mar 5 13:09:45: HTTP/1.1 401 Unauthorized
Mar 5 13:09:45:
Mar 5 13:09:45:
Mar 5 13:09:45:
Mar 5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
Mar 5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
Mar 5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
Mar 5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
WV-TUNL: Severity ERROR Type USER_LOGOUT
WV-TUNL: Text: HTTP response contained an HTTP error code.
Mar 5 13:09:45: WV-TUNL: Call user logout function
Mar 5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
When the error occurs, the "SVCIP install TCP failed" counter increments:
VPN-Router1# show webvpn stats detail context CUSTOMER-VPN
[snip]
Tunnel Statistics:
Active connections : 1
Peak connections : 3 Peak time : 19:09:04
Connect succeed : 9 Connect failed : 5
Reconnect succeed : 0 Reconnect failed : 0
SVCIP install IOS succeed: 14 SVCIP install IOS failed : 0
SVCIP clear IOS succeed : 18 SVCIP clear IOS failed : 0
SVCIP install TCP succeed: 9 SVCIP install TCP failed : 5
DPD timeout : 0
[snip]
IOS Version Details:
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
Config:
webvpn context CUSTOMER-VPN
title "SSL VPN for Customer"
ssl authenticate verify all
login-message "Enter username and passcode"
policy group CUSTOMER-VPN
functions svc-required
svc keep-client-installed
svc split include 10.1.16.0 255.255.240.0
svc split include 10.1.2.0 255.255.254.0
vrf-name CUSTOMER-VPN
default-group-policy CUSTOMER-VPN
aaa authentication list AAA-LIST
aaa authentication auto
aaa accounting list AAA-LIST
gateway vpn virtual-host customer.xx.com
logging enable
inservice
The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
At that point in time we were running with local pool definition.
As the http 401 rc happens very sporadically we still gathering incident reports internally.
Will open a case if you did not yet.
cheers, Andy -
Issue with SSL in web service.
Hi All,
We are having synchronous web service to proxy scenario in XI. We are trying to send a binary data using the SOAP web service to SAP via XI. Initially, we were posting large binary data using HTTP connection via XI from the SOAP client. The scenario was working without any issues.
Since the data is sensitive changed the web service from HTTP to HTTPS.The interface works without issues when we test it using the SOAP client for testing. When the data is sent using the Dot Net application (the end application) using the same webservice, URL (HTTPS connection) the message errors out. The connection is borken and the message fails. In this scenario, XI does not even receive the message which I can make out looking into the SOAP adapter communication channel.
The interesting fact here is the same Dot Net application is able to connect and send smaller binary data using HTTPS connection.
Could you please let us know if this could be the issue with HTTPS connection on XI side? I doubt it to be an issue on XI side because the adapter does not even receive any message when the scenario fails. But we used some HTTPS monitoring tools and found that the Dot Net Application receives some encrypted response from the server which the application is not able to decrypt and the handshake breaks.
Could you please throw some inputs into this issue.
Thanks,
Manohar.Hi Manohar
You have posted the same question with two different subject text
anyway follow these SAP notes your problem will be short out
Note 856597 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 SOAP Adapter
https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856597&_NLANG=E
Note 856599 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 Mail Adapter
https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856599&_NLANG=E
Note 870845 - XI 3.0 SOAP adapter SSL client certificate problem
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=916664&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=870845&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
check the OSS Note 554174 & see if it helps
Note 645357 - SAPHTTP: SSL error
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=645357&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1150980&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
one alternative may be Restart ICM (Internet Communication Manager) .This will solve your HTTP issue
Cheers!!!!
Regards
sandeep
if helpful kindly reward points -
We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules. I've spent dozens of manhours working on the problem, and have quite a bit of information to report, including a solution. There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.
We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit.
Here are the exact symptoms we saw:
Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
Browsers not affected: FireFox 3.5, w3m 0.5.2, curl7.19.7
Impact 1: For SSL Rules backed by L5 rules, the initial response to the first request would be 3 seconds. Further requests on the same TCP connection would not be delayed
Impact 2: L5 rules being accessed via SSL would nolonger perform any URL based stickiness. Accessing the same rule skipping SSL, would work fine
I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken. This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
1. Client/CSS perform initial TLS handshake, crypto cyphers determined (nearly instantly)
2. Client sends HTTP 1.1 request for resource (nearly instantly)
3. 3 seconds of no traffic in our out of the CSS related to this request
4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
6. Response is sent to the client with the resource (nearly instantly)
7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse. 3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes. Decrypting these messages I found the first message was a
G
and the second message was:
ET /foobar HTTP/1.1
This essentially splits the initial request the client is sending into two pieces. This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
GET /foobar HTTP/1.1
(obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem. I pulled a packet trace from a few years ago, and at that time confirmed we never saw a double TLSv1 application messages before.
A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic.
Solution:
Our ssl config looked something like this:
ssl-proxy-list SSL_ACCEL
ssl-server 10 vip address XX.XX.XX.XX
ssl-server 10 rsakey XXXX
ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
ssl-server 10 unclean-shutdown
ssl-server 10 rsacert XXXXXX
Removing:
ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
Solves the problem. After that's removed, the browsers will nolonger fragment the first character of their request into a separate TLSv1 message. The 3 second delay goes away, and L5 stickiness is fixed. The "CBC" in the cyper refers to Cypher-Block-Chaining (a great article here:
http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend. The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected. It's quite possible our customers were going through an SSL proxy. I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
-JoeHi Joe,
That's a very good analysis you did.
As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome a SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you wil have to go through TAC) in the next couple of weeks
In the meantime, as workaround, you can configure the CSS to use only RC4 cyphers (which is what you were suggesting also). These are not affected by the vulnerability, so, browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
Regards
Daniel -
I'm trying to connect to my home wifi with my imac gh5. After I enter the password it says connection timeout or password incorrect. I know there's no issue with the connection but I don't know what else to do. Does anyone know how to fix this problem?
What is the make & model of your home Wi-Fi router that you are attempting to connect your G5 iMac to? Which exact model of iMac do you have?
What wireless security type is your router using: WEP, WPA, or WPA2? If you temporarily disable wireless security, can the iMac connect to it now? -
Issue with one of the Managed server while enabling SSL.__ Issue Resovled
Weblogic version:wls 8.1sp6
SSL: internal
Environment:
1 AdminServer and 2 Managed servers. Admin and M1 are on same host. M2 is on different host. We have enabled SSL on M1 & M2 only. Configuration of M1 & M2 are identical. After restarting the servers M1 has no issue with SSL but M2 throws javax.net.ssl.SSLKeyException as shown below,
<Aug 4, 2008 12:29:01 PM BST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
<Aug 4, 2008 12:29:02 PM BST> <Info> <WebLogicServer> <BEA-000213> <Adding address: 10.96.201.249 to licensed client list>
<Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
<Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
<Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
<Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
<Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
<Aug 4, 2008 12:29:09 PM BST> <Error> <Cluster> <BEA-000141> <TCP/IP socket failure occurred while fetching statedump over HTTP from -6401422690190304510S:lonlxwebhost99:[16544,16544,16042,16042,16544,16042,-1,0,0]:etg:lonwpyq_16543_1.
javax.net.ssl.SSLKeyException: [Security:090773]The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:122)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:322)
at weblogic.cluster.HTTPExecuteRequest.connect(HTTPExecuteRequest.java:73)
at weblogic.cluster.HTTPExecuteRequest.execute(HTTPExecuteRequest.java:121)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)>
Please let me know where I am going wrong. Thnx in advance
Message was edited by:
Shashi_srSolution given by BEA Engineer:
<Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
The reason for this was
The CA Certificate was missing a required bit (according to RFC 3280).
keyEncipherment bit is not in the KeyUsage and KeyUsage is marked as critical.
As per RFC:
The keyEncipherment bit is asserted when the subject public key is
used for key transport. For example, when an RSA key is to be
used for key management, then this bit is set.
According to RFC3280, when the key will be used to encrypt other keys that are send over the wire ("key transport") the keyEncipherment bit of the KeyUsage extension must be set. If the KeyUsage extension is critical, the SSL certificate validation will check that the key can be used in the key agreement. That is, that the key can be used to encrypt the symmetric public key.
Your KeyUsage only contains the following bits:
[4]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
Since it is marked Critical, it MUST have the keyEncipherment bit.
Otherwise, it should not be marked as Critical.
So the three solutions that should work are
1) Remove keyUsage
2) Don't mark keyUsage as critical
3) If keyUsage is critical, make sure keyEncipherment bit is set.
Maybe you are looking for
-
Hello friends, I would like to know the fields/views that we can not change by using mass maintenance of MMR if there are open PO for that particular material in concern. Likewise there was a question in SAP certification exam having option
-
Ni-DAQ single-point analog sample latency.
I am maybe in my own little world here in wanting to do software-triggered analog sampling and wanting to do it fast. Having bought a PCI-6014 which is capable of 4 microsecond analog sampling I found a simple AI_Read took 95usec. I was somewhat disa
-
My iphone has water damage is it covered for repacement by my applecare protection plan?
My iphone has water damage and does not work. can i get it replaces by my applecase protection plan?
-
Print sm rows on 1st pg, some content and then rest rows for xml report/RTF
Hi all, I am working in XML output Commercial Invoice format report and in that report there are shipper information and then item information, then total and then remaining item info. My requirement is like this, The Grand total of all items listed
-
Oracle on Linux vs. Oracle on NT (Performance)
Does someone have information about some benchmarks studies of Oracle on Linux vs. Oracle on NT? Thanks so much, Andre