Authentication architecture

Similar Messages

• ORA-28007: the password cannot be reused

  Anytime I try and login with a user that has password verification profile I receive:
  ORA-28007: the password cannot be reused
  Please tell me that ApEx 2.2 did not actually just implement the 'change password' and see if the hashes match for the built in DB Authentication.

  In hindsight, perhaps we should have mentioned in the Release Notes that when this new authentication scheme is used in post-2.0 applications, the underlying mechanism used for password verification is database version dependent, explaining potential drawbacks of the pre-10.2.0.3 method. Then developers would have better information about the new authentication scheme type and could decide if it was right for them. They would also be able to decide whether importing post-2.0 applications that used this authentication scheme from a 10.2.0.3 database into a post-2.0 Application Express instance on a pre-10.2.0.3 database would be the right choice given the same potential issues. However, this technique, like it or not, is used as a workaround to the absence of exposed password verification methods in earlier server versions and has been used for many years in production systems, including large-scale HTML DB deployments, from well before this new authentication scheme was exposed for use as such, but where developers implemented the method themselves as components of their authentication architecture.
  In short, I think your objection to the method on technical grounds (citing known pitfalls) is valid but I think you're saying that anyone who's ever used the method in any application technology in a production system ought to have found a better alternative. Maybe you're right.
  Scott

• 802.1x Authentication in Extreme architecture

  Hi all,
  Objectives :
  Authenticate a supplicant on a Extreme 802.1x port with an ACS SE 4.2
  Supplicant = IP Phone
  Authenticator : Switch Extreme 450 E
  Authentication Server : ACS SE 1113 4.2.0.124.9
  1) We have done the tests with a Windows ACS 4.2.0.124 and everything runs correctly, the supplicant authenticates without any problem.
  2)We have replicate the windows ACS with the ACS SE. The 802.1x authentication does not work with the ACS SE but works with the Windows ACS.
  3) We have upload UDvs and VSA on the ACS SE and it still not work.
  These are the .csv file uploaded :
  accountactionsVsa.csv (used for the vendor)
  accountAttributes.csv (used for the vendor attributes)
  accountProfile.csv (used for the Attributes profile)
  accountvalues.csv (used for the Attributes values). This one is not on the attachment files :
  1,8,,,354,Disabled,1916,201,0,15/04/2009 10:00,,,,0
  2,7,,,354,Enabled,1916,201,1,15/04/2009 10:00,,,,0
  3,6,,,354,Disabled,1916,206,0,15/04/2009 10:00,,,,0
  4,5,,,354,Enabled,1916,206,1,15/04/2009 10:00,,,,0
  5,4,,,355,,,,,15/04/2009 10:00,,,,0
  The message in ACS Failed Attemps logs is : "Bad Request from NAS".
  We have verified the authenticator address and the secret key, everything is ok.
  With Windows ACS we can see first an "access request" between authenticator and aurthentication server. Next an "access challenge" from authentication server to Authenticator. NExt an "access request" between authenticator and aurthentication server and then an "access Accept" from authentication server to Authenticator.
  With ACS SE we can see first an "access request" between authenticator and aurthentication server. Next an "access Reject" from authentication server to Authenticator.
  We have tried to understand the differences between the first "access request" in ACS windows architecture and the first "access request" in ACS SE architecture. The only difference is on the Message-authenticator(80).
  Have you already had this kind of problem. How can i Solve it?
  Thanks for your replies.
  Best regards.

  The Supplicant only use EAP MD5 since it is a Ip phone.
  EAP MD5 is already checked in Global authentication Setup.
  Just for remember :
  802.1x runs in a Windows Version but not in a SE version with same configuration (we have done the test with a replication from Windows version to Appliance SE version. Both ACS version have the same configuration but one is running and not the other.

• Single Sign on in a 3 tier architecture between SAP Netweaver CE and R/3

  Hi All,
  I am trying to implement SSO using SAP logon tickets in a 3 tier architecture between NW CE and R/3. But so far I have not been able to crack this.
  Let me describe the scenario in detail:
  We have two Java EE applications on Netweaver CE7.2 Application Server:
  1. UI: Just handles all the UI logic : js, jsp, css, html, extjs .It calls the Business Layer Java EE application to get data from back-end systems.
  2. Business Layer: Calls R/3 SOAP services does some processing on them and exposes the data back to the UI via a Restful JSON service (implemented using Java Spring framework)
  Both UI and Business Layer Java EE applications define login modules to be used for SAP logon tickets. So the architecture is like this:
  UI-RESTfull-->Business LayerSOAP->ABAP R/3
  So ideally when the UI link is clicked it prompts the user for authentication (uses CE UME) and then the UI applications calls the Business Layer which then calls R/3. This unfortunately doesn't work. The authentication between UI and Business Layer Application fails.
  However if you remove the Business Layer Java EE application and call the SOAP service directly from the UI. SAP logon tickets starts working.
  So I have been able to make SAP logon tickets work with the following 2 tier architecture:
  UI---SOAP--->R/3
  So my Question is:
  Is there a way to use SAP logon tickets in a 3 tier architecture between NW CE and R/3 (For the scenario described above)? Any help/pointers/documentation links would be great

  Hey Martin,
  To enable SSO I updated web.xml and engine-j2ee.xml for both UI and Business Layer application according to the login module stacks defined (the first one) in the following link:
  http://help.sap.com/saphelp_NW70EHP1/helpdata/en/04/120b40c6c01961e10000000a155106/content.htm
  Initially both UI and Business Layer had the same entries for web.xml and engine.xml. But since this was not working I did all kinds of testing. For UI i used FORM based authentication and for Business Layer I was using "BASIC" authentication.
  I tested the following Scenarios:
  1. Without any changes to the above XML files: The Business layer rejects any requests from the UI . I checked the Browser and "MYSAPSSO2" cookie was created. Somehow UI doesnt use this to call Business Layer. Or the Business Layer rejects the token itself
  2. I removed authentication from the Business Layer application (Web.xml) keeping the UI same: The call went to R3 but returned a "UnAuthorized" error back. In this case also at the browser level "MYSAPSSO2" token was created but was not used by the business layer to call R3.
  3. The did all sorts of permutation and combination with the sample login modules provided (See link above) on both UI and Business Layer application . Nothing worked. All combinations led to two results which were the same as 1 and 2
  It seems all this is happening because of another application in between UI and R3.
  Hope this Clarifies.
  Thanks,
  Dhannajay

• 2504 with new-architecture enabled breaks MAC auth for guest access

  Hello,
  We have (2) 2504 WLC running version 7.6.120. WLC1 is the local controller and WLC2 is an achor controller for guest-access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with Mac-Auth and Mac-Auth-Fail to Web-Auth.
  When converged access is enabled on the WLC1 and WLC2, the MAc-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the Anchor controller shows the state as WEb-Auth-REQD.
  Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
  Does anyone what changes from the old to the new that would break this mac-auth/web-auth configuration?

  You should reach TAC for these sort of issues. Not many people deploying this CA setup yet & you may not get direct feedback immediately.
  HTH
  Rasika

• How to bypass from OAM authentication for certain domain

  Hi All,
  We are trying to unprotect certain domain from OAM domain but coudn't. Please help us fix this issue.
  Environement details:
  We have two nodes, one node for OAM_OSSO and another one for OSSO_Portal application.
  OAM server details:
  In this server, oracle application server single sign on(services are HTTP, OC4J, and OID) and OAM. Integrated OAM_OSSO using [ID 979827.1]
  Portal server details:
  In this server, oracle application server single sign on(services are HTTP, OC4J, and OID) and portal weblogic server(portal application) is running. portal weblogic is registered with thier own portal OSSO.
  In OAM, We protected following portal url's
  /sso/auth      
  /pls/orasso/orasso.wwsso_app_admin.ls_login
  portal _OAM integration is working fine.
  Now portal team come with new requirement for customer, application also running in their same portal weblogic server and that portal application domain is alreday registered with Portal OSSO and Portal OSSO page is protected by OAM. the requirement is bypass OAM authentication, and need to authentication against their own portal OSSO+OID.
  Please tell me how to bypass OAM authentication from this scenerio.
  -Sarath

  Hi MD,
  Thanks for your update.
  We are using oracle 10g. Please tell me how Anonymous scheme will help us to get out from this issue.
  Portal Weblogic server registered with portal IDM server and portal IDM server OSSO protected by IDM OAM. So if i tried any of the application which deployed under portal weblogic server will get protected by OAM right. Please correct me if iam wrong.
  In this scenerio we have two OSSO, one in OAM node and another one in portal server. Now portal team come up with new webserver domain for customer, in customer scenerio we want authenticate againt portal OSSO with their own OID rather than using OAM authentication. Here my concern is, customer or employee the portal weblogic server and portal OSSO are common for both user but only difference in webserver domain.
  So if i tried to access customer application, then customer webserver redirect to portal weblogic for open the requested page(note if webgate not in picture). portal weblogic server is register with portal OSSO and its redirect to portal OSSO for authentication but Portal OSSO server integrated with OAM using webgate.
  1. When tried to access customer application ,Portal OSSO server tried to show own sso login page for authentication but Portal OSSO server already integrated with OAM. so portal OSSO server requested to OAM to access portal sso login page not the request of customer page login.
  2. here,portal OSSO login page protected and OAM serve login page for OAM authentication against OAM OID. If i specify anonymous scheme for customer domain then how will work here, portal OSSO requested to OAM to access portal OSSO login page not the customer page or employee page...
  Here OAM authentication will come into picture for all scenario but need bypass for customer login.
  Requirement is when customer trying to access then authentication need to happen in portal OSSO not in OAM. Hope you understand the architecture.Please suggest how.
  -Sarath
  Edited by: 898990 on May 11, 2012 8:22 PM
  Edited by: 898990 on May 11, 2012 8:25 PM

• Client authentication not working

  Hi all,
  I am using Apache's HTTPClient to connect with a server running https. The server is the latest stable Tomcat (version 4.1.27). If I set clientAuth="false" in the Tomcat configuration, everything is working fine. I am able to comunicate with the server, since the server's certificate is in the trusted store. If I want to authenticate myself (by setting clientAuth="true") it doesn't work. It seems that the application I have written doesn't send the client's certificate.
  Here's the code:
  HttpClient httpclient = new HttpClient();
  Protocol myhttps =
       new Protocol(
            "https",
            new StrictSSLProtocolSocketFactory(false),
            8443);
  httpclient.getHostConfiguration().setHost("rigel", 8443, myhttps);
  GetMethod httpget = new GetMethod("/");
  httpclient.executeMethod(httpget);
  If I turn on all sorts of debugging this is what I get:
  2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java version: 1.4.0_02
  2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java vendor: Sun Microsystems Inc.
  2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java class path: f:\myhome\projects\NextiraOne\class;f:\myhome\projects\NextiraOne\lib\commons-httpclient-2.0-rc1.jar;f:\myhome\projects\NextiraOne\lib\log4j-1.2.6.jar;f:\myhome\projects\NextiraOne\lib\commons-logging.jar;f:\myhome\projects\NextiraOne\lib\commons-logging-api.jar;f:\myhome\projects\NextiraOne\lib\com.ibm.mq.jar;f:\myhome\projects\NextiraOne\lib\xmlparserv2new.jar;f:\myhome\projects\NextiraOne\lib\connector.jar
  2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system name: Windows 2000
  2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system architecture: x86
  2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system version: 5.0
  2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SUN 1.2: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
  2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunJSSE 1.4002: Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
  2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunRsaSign 1.0: SUN's provider for RSA signatures
  2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunJCE 1.4: SunJCE Provider (implements DES, Triple DES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
  2003/10/08 14:54:27:088 CEST [DEBUG] HttpClient - -SunJGSS 1.0: Sun (Kerberos v5)
  2003/10/08 14:54:27:188 CEST [DEBUG] HttpConnection - -HttpConnection.setSoTimeout(0)
  keyStore is :
  keyStore type is : jks
  init keystore
  init keymanager of type SunX509
  trustStore is: f:\client.keystore
  trustStore type is : jks
  init truststore
  adding private entry as trusted cert: [
  Version: V1
  Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@8fd984
  Validity: [From: Wed Oct 08 13:48:24 CEST 2003,
                 To: Tue Jan 06 12:48:24 CET 2004]
  Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
  SerialNumber: [    3f83f988 ]
  Algorithm: [MD5withRSA]
  Signature:
  0000: 04 24 63 44 43 26 CA 79 BC 0B 96 2D 27 1A 40 DA .$cDC&.y...-'.@.
  0010: E0 92 FE D6 57 F8 4C C4 C6 97 F7 13 24 4B 30 F9 ....W.L.....$K0.
  0020: E7 C3 06 2B A3 67 FD 70 E1 A5 8E E7 16 3D 59 16 ...+.g.p.....=Y.
  0030: DB 7B 73 AC 30 B1 43 C1 F2 96 DD 8F 52 0E 61 1F ..s.0.C.....R.a.
  0040: 0E 23 0F 88 8E 1A 6F 24 54 B9 87 4C 2C A1 97 78 .#....o$T..L,..x
  0050: FD 80 6A A1 F8 65 C3 CE 39 F4 AA A6 6C 3C 7A 98 ..j..e..9...l<z.
  0060: 86 4E 5B 6A 2D 7F BC 89 E8 36 29 54 22 0A 3F C7 .N[j-....6)T".?.
  0070: B3 83 4E 47 36 F1 C9 09 25 E7 9C D6 11 10 3B 3C ..NG6...%.....;<
  adding as trusted cert: [
  Version: V1
  Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@f99ff5
  Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
                 To: Tue Jan 06 10:56:42 CET 2004]
  Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
  SerialNumber: [    3f83df5a ]
  Algorithm: [MD5withRSA]
  Signature:
  0000: E0 21 80 C9 4C 8C BC FC 48 B3 36 6A 0B E1 C1 94 .!..L...H.6j....
  0010: 79 E1 E7 6B 27 B0 71 7D CF 17 A6 B9 E6 71 D6 85 y..k'.q......q..
  0020: 6F 9F EB 66 73 4B CB A2 C1 A2 7F F3 38 A1 A7 8B o..fsK......8...
  0030: 92 F0 82 1F 4A A4 E9 F5 8C 64 0B 7E 86 61 C0 D5 ....J....d...a..
  0040: 74 60 7D D3 B0 11 3F 77 B9 D8 EC 7D 17 22 D8 7C t`....?w....."..
  0050: 77 42 CB C1 24 CC 26 5E CF 8A 20 7D 77 44 D4 29 wB..$.&^.. .wD.)
  0060: DF 59 D1 17 CE D2 51 59 BC 53 35 B0 EB CE 51 CE .Y....QY.S5...Q.
  0070: 79 F7 D2 53 CE FD 2F 9A FD 1A A8 E3 3C 58 AF EB y..S../.....<X..
  init context
  trigger seeding of SecureRandom
  done seeding SecureRandom
  2003/10/08 14:54:32:456 CEST [DEBUG] HttpMethodBase - -Execute loop try 1
  2003/10/08 14:54:32:466 CEST [DEBUG] wire - ->> "GET / HTTP/1.1[\r][\n]"
  2003/10/08 14:54:32:466 CEST [DEBUG] HttpMethodBase - -Adding Host request header
  2003/10/08 14:54:32:476 CEST [DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.0rc1[\r][\n]"
  2003/10/08 14:54:32:476 CEST [DEBUG] wire - ->> "Host: rigel[\r][\n]"
  %% No cached client session
  *** ClientHello, v3.1
  RandomCookie: GMT: 1048840456 bytes = { 43, 4, 244, 103, 54, 110, 99, 128, 162, 132, 22, 2, 197, 112, 91, 105, 4, 133, 249, 114, 142, 122, 44, 203, 156, 188, 132, 100 }
  Session ID: {}
  Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
  Compression Methods: { 0 }
  [write] MD5 and SHA1 hashes: len = 59
  0000: 01 00 00 37 03 01 3F 84 09 08 2B 04 F4 67 36 6E ...7..?...+..g6n
  0010: 63 80 A2 84 16 02 C5 70 5B 69 04 85 F9 72 8E 7A c......p[i...r.z
  0020: 2C CB 9C BC 84 64 00 00 10 00 05 00 04 00 09 00 ,....d..........
  0030: 0A 00 12 00 13 00 03 00 11 01 00 ...........
  main, WRITE: SSL v3.1 Handshake, length = 59
  [write] MD5 and SHA1 hashes: len = 77
  0000: 01 03 01 00 24 00 00 00 20 00 00 05 00 00 04 01 ....$... .......
  0010: 00 80 00 00 09 06 00 40 00 00 0A 07 00 C0 00 00 .......@........
  0020: 12 00 00 13 00 00 03 02 00 80 00 00 11 3F 84 09 .............?..
  0030: 08 2B 04 F4 67 36 6E 63 80 A2 84 16 02 C5 70 5B .+..g6nc......p[
  0040: 69 04 85 F9 72 8E 7A 2C CB 9C BC 84 64 i...r.z,....d
  main, WRITE: SSL v2, contentType = 22, translated length = 16310
  main, READ: SSL v3.1 Handshake, length = 2275
  *** ServerHello, v3.1
  RandomCookie: GMT: 1048840456 bytes = { 2, 207, 237, 54, 101, 119, 116, 33, 59, 54, 56, 111, 170, 110, 92, 129, 178, 67, 124, 46, 187, 153, 247, 27, 216, 197, 21, 232 }
  Session ID: {63, 132, 9, 8, 85, 66, 130, 20, 34, 100, 122, 131, 137, 133, 143, 214, 43, 232, 151, 61, 12, 216, 23, 84, 58, 241, 194, 116, 67, 44, 43, 44}
  Cipher Suite: { 0, 5 }
  Compression Method: 0
  %% Created: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
  ** SSL_RSA_WITH_RC4_128_SHA
  [read] MD5 and SHA1 hashes: len = 74
  0000: 02 00 00 46 03 01 3F 84 09 08 02 CF ED 36 65 77 ...F..?......6ew
  0010: 74 21 3B 36 38 6F AA 6E 5C 81 B2 43 7C 2E BB 99 t!;68o.n\..C....
  0020: F7 1B D8 C5 15 E8 20 3F 84 09 08 55 42 82 14 22 ...... ?...UB.."
  0030: 64 7A 83 89 85 8F D6 2B E8 97 3D 0C D8 17 54 3A dz.....+..=...T:
  0040: F1 C2 74 43 2C 2B 2C 00 05 00 ..tC,+,...
  *** Certificate chain
  chain [0] = [
  Version: V1
  Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b2a2d8
  Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
                 To: Tue Jan 06 10:56:42 CET 2004]
  Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
  SerialNumber: [    3f83df5a ]
  Algorithm: [MD5withRSA]
  Signature:
  0000: E0 21 80 C9 4C 8C BC FC 48 B3 36 6A 0B E1 C1 94 .!..L...H.6j....
  0010: 79 E1 E7 6B 27 B0 71 7D CF 17 A6 B9 E6 71 D6 85 y..k'.q......q..
  0020: 6F 9F EB 66 73 4B CB A2 C1 A2 7F F3 38 A1 A7 8B o..fsK......8...
  0030: 92 F0 82 1F 4A A4 E9 F5 8C 64 0B 7E 86 61 C0 D5 ....J....d...a..
  0040: 74 60 7D D3 B0 11 3F 77 B9 D8 EC 7D 17 22 D8 7C t`....?w....."..
  0050: 77 42 CB C1 24 CC 26 5E CF 8A 20 7D 77 44 D4 29 wB..$.&^.. .wD.)
  0060: DF 59 D1 17 CE D2 51 59 BC 53 35 B0 EB CE 51 CE .Y....QY.S5...Q.
  0070: 79 F7 D2 53 CE FD 2F 9A FD 1A A8 E3 3C 58 AF EB y..S../.....<X..
  stop on trusted cert: [
  Version: V1
  Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b2a2d8
  Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
                 To: Tue Jan 06 10:56:42 CET 2004]
  Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
  SerialNumber: [    3f83df5a ]
  Algorithm: [MD5withRSA]
  Signature:
  0000: E0 21 80 C9 4C 8C BC FC 48 B3 36 6A 0B E1 C1 94 .!..L...H.6j....
  0010: 79 E1 E7 6B 27 B0 71 7D CF 17 A6 B9 E6 71 D6 85 y..k'.q......q..
  0020: 6F 9F EB 66 73 4B CB A2 C1 A2 7F F3 38 A1 A7 8B o..fsK......8...
  0030: 92 F0 82 1F 4A A4 E9 F5 8C 64 0B 7E 86 61 C0 D5 ....J....d...a..
  0040: 74 60 7D D3 B0 11 3F 77 B9 D8 EC 7D 17 22 D8 7C t`....?w....."..
  0050: 77 42 CB C1 24 CC 26 5E CF 8A 20 7D 77 44 D4 29 wB..$.&^.. .wD.)
  0060: DF 59 D1 17 CE D2 51 59 BC 53 35 B0 EB CE 51 CE .Y....QY.S5...Q.
  0070: 79 F7 D2 53 CE FD 2F 9A FD 1A A8 E3 3C 58 AF EB y..S../.....<X..
  [read] MD5 and SHA1 hashes: len = 552
  0000: 0B 00 02 24 00 02 21 00 02 1E 30 82 02 1A 30 82 ...$..!...0...0.
  0010: 01 83 02 04 3F 83 DF 5A 30 0D 06 09 2A 86 48 86 ....?..Z0...*.H.
  0020: F7 0D 01 01 04 05 00 30 54 31 0B 30 09 06 03 55 .......0T1.0...U
  0030: 04 06 13 02 42 45 31 0C 30 0A 06 03 55 04 08 13 ....BE1.0...U...
  0040: 03 4F 56 4C 31 0C 30 0A 06 03 55 04 07 13 03 4D .OVL1.0...U....M
  0050: 45 52 31 0B 30 09 06 03 55 04 0A 13 02 44 43 31 ER1.0...U....DC1
  0060: 0C 30 0A 06 03 55 04 0B 13 03 45 43 53 31 0E 30 .0...U....ECS1.0
  0070: 0C 06 03 55 04 03 13 05 72 69 67 65 6C 30 1E 17 ...U....rigel0..
  0080: 0D 30 33 31 30 30 38 30 39 35 36 34 32 5A 17 0D .031008095642Z..
  0090: 30 34 30 31 30 36 30 39 35 36 34 32 5A 30 54 31 040106095642Z0T1
  00A0: 0B 30 09 06 03 55 04 06 13 02 42 45 31 0C 30 0A .0...U....BE1.0.
  00B0: 06 03 55 04 08 13 03 4F 56 4C 31 0C 30 0A 06 03 ..U....OVL1.0...
  00C0: 55 04 07 13 03 4D 45 52 31 0B 30 09 06 03 55 04 U....MER1.0...U.
  00D0: 0A 13 02 44 43 31 0C 30 0A 06 03 55 04 0B 13 03 ...DC1.0...U....
  00E0: 45 43 53 31 0E 30 0C 06 03 55 04 03 13 05 72 69 ECS1.0...U....ri
  00F0: 67 65 6C 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D gel0..0...*.H...
  0100: 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 .........0......
  0110: F0 8B 5A 91 87 97 AB 55 2A 6A AA 96 1F CF 77 D7 ..Z....U*j....w.
  0120: 73 C2 23 4D 78 51 CF 6E 3F 10 46 C5 DA D7 9D 75 s.#MxQ.n?.F....u
  0130: 77 3A 94 4A 07 5B D6 38 82 18 AE 71 6A 76 F9 6F w:.J.[.8...qjv.o
  0140: 58 19 9D 2F 97 EE 4E 38 0E 3F E1 B2 5D 2D C1 1A X../..N8.?..]-..
  0150: 0E F2 08 B2 D6 FF 0A 5E FC BD 57 73 C1 F0 09 C3 .......^..Ws....
  0160: 8E E4 20 C2 CC 96 E3 DE 24 2C 76 DD 9C BA F3 D2 .. .....$,v.....
  0170: 14 FC 94 86 C6 A3 6D 90 02 6B 5C 6E C7 94 0A 44 ......m..k\n...D
  0180: A2 64 F6 A2 31 16 1E AC 97 36 17 84 7E 60 EC 2B .d..1....6...`.+
  0190: 02 03 01 00 01 30 0D 06 09 2A 86 48 86 F7 0D 01 .....0...*.H....
  01A0: 01 04 05 00 03 81 81 00 E0 21 80 C9 4C 8C BC FC .........!..L...
  01B0: 48 B3 36 6A 0B E1 C1 94 79 E1 E7 6B 27 B0 71 7D H.6j....y..k'.q.
  01C0: CF 17 A6 B9 E6 71 D6 85 6F 9F EB 66 73 4B CB A2 .....q..o..fsK..
  01D0: C1 A2 7F F3 38 A1 A7 8B 92 F0 82 1F 4A A4 E9 F5 ....8.......J...
  01E0: 8C 64 0B 7E 86 61 C0 D5 74 60 7D D3 B0 11 3F 77 .d...a..t`....?w
  01F0: B9 D8 EC 7D 17 22 D8 7C 77 42 CB C1 24 CC 26 5E ....."..wB..$.&^
  0200: CF 8A 20 7D 77 44 D4 29 DF 59 D1 17 CE D2 51 59 .. .wD.).Y....QY
  0210: BC 53 35 B0 EB CE 51 CE 79 F7 D2 53 CE FD 2F 9A .S5...Q.y..S../.
  0220: FD 1A A8 E3 3C 58 AF EB ....<X..
  *** CertificateRequest
  Cert Types: DSS, RSA,
  Cert Authorities:
  <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
  <[email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
  <[email protected], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
  <OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US>
  <OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
  <OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
  <[email protected], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
  <[email protected], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
  <CN=kws, OU=Delaware, O=Delaware, L=BE, ST=BE, C=BE>
  <OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
  <[email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
  [read] MD5 and SHA1 hashes: len = 1645
  0000: 0D 00 06 69 02 02 01 06 64 00 61 30 5F 31 0B 30 ...i....d.a0_1.0
  0010: 09 06 03 55 04 06 13 02 55 53 31 17 30 15 06 03 ...U....US1.0...
  0020: 55 04 0A 13 0E 56 65 72 69 53 69 67 6E 2C 20 49 U....VeriSign, I
  0030: 6E 63 2E 31 37 30 35 06 03 55 04 0B 13 2E 43 6C nc.1705..U....Cl
  0040: 61 73 73 20 33 20 50 75 62 6C 69 63 20 50 72 69 ass 3 Public Pri
  0050: 6D 61 72 79 20 43 65 72 74 69 66 69 63 61 74 69 mary Certificati
  0060: 6F 6E 20 41 75 74 68 6F 72 69 74 79 00 D1 30 81 on Authority..0.
  0070: CE 31 0B 30 09 06 03 55 04 06 13 02 5A 41 31 15 .1.0...U....ZA1.
  0080: 30 13 06 03 55 04 08 13 0C 57 65 73 74 65 72 6E 0...U....Western
  0090: 20 43 61 70 65 31 12 30 10 06 03 55 04 07 13 09 Cape1.0...U....
  00A0: 43 61 70 65 20 54 6F 77 6E 31 1D 30 1B 06 03 55 Cape Town1.0...U
  00B0: 04 0A 13 14 54 68 61 77 74 65 20 43 6F 6E 73 75 ....Thawte Consu
  00C0: 6C 74 69 6E 67 20 63 63 31 28 30 26 06 03 55 04 lting cc1(0&..U.
  00D0: 0B 13 1F 43 65 72 74 69 66 69 63 61 74 69 6F 6E ...Certification
  00E0: 20 53 65 72 76 69 63 65 73 20 44 69 76 69 73 69 Services Divisi
  00F0: 6F 6E 31 21 30 1F 06 03 55 04 03 13 18 54 68 61 on1!0...U....Tha
  0100: 77 74 65 20 50 72 65 6D 69 75 6D 20 53 65 72 76 wte Premium Serv
  0110: 65 72 20 43 41 31 28 30 26 06 09 2A 86 48 86 F7 er CA1(0&..*.H..
  0120: 0D 01 09 01 16 19 70 72 65 6D 69 75 6D 2D 73 65 ......premium-se
  0130: 72 76 65 72 40 74 68 61 77 74 65 2E 63 6F 6D 00 [email protected].
  0140: CE 30 81 CB 31 0B 30 09 06 03 55 04 06 13 02 5A .0..1.0...U....Z
  0150: 41 31 15 30 13 06 03 55 04 08 13 0C 57 65 73 74 A1.0...U....West
  0160: 65 72 6E 20 43 61 70 65 31 12 30 10 06 03 55 04 ern Cape1.0...U.
  0170: 07 13 09 43 61 70 65 20 54 6F 77 6E 31 1A 30 18 ...Cape Town1.0.
  0180: 06 03 55 04 0A 13 11 54 68 61 77 74 65 20 43 6F ..U....Thawte Co
  0190: 6E 73 75 6C 74 69 6E 67 31 28 30 26 06 03 55 04 nsulting1(0&..U.
  01A0: 0B 13 1F 43 65 72 74 69 66 69 63 61 74 69 6F 6E ...Certification
  01B0: 20 53 65 72 76 69 63 65 73 20 44 69 76 69 73 69 Services Divisi
  01C0: 6F 6E 31 21 30 1F 06 03 55 04 03 13 18 54 68 61 on1!0...U....Tha
  01D0: 77 74 65 20 50 65 72 73 6F 6E 61 6C 20 42 61 73 wte Personal Bas
  01E0: 69 63 20 43 41 31 28 30 26 06 09 2A 86 48 86 F7 ic CA1(0&..*.H..
  01F0: 0D 01 09 01 16 19 70 65 72 73 6F 6E 61 6C 2D 62 ......personal-b
  0200: 61 73 69 63 40 74 68 61 77 74 65 2E 63 6F 6D 00 [email protected].
  0210: 61 30 5F 31 0B 30 09 06 03 55 04 06 13 02 55 53 a0_1.0...U....US
  0220: 31 20 30 1E 06 03 55 04 0A 13 17 52 53 41 20 44 1 0...U....RSA D
  0230: 61 74 61 20 53 65 63 75 72 69 74 79 2C 20 49 6E ata Security, In
  0240: 63 2E 31 2E 30 2C 06 03 55 04 0B 13 25 53 65 63 c.1.0,..U...%Sec
  0250: 75 72 65 20 53 65 72 76 65 72 20 43 65 72 74 69 ure Server Certi
  0260: 66 69 63 61 74 69 6F 6E 20 41 75 74 68 6F 72 69 fication Authori
  0270: 74 79 00 61 30 5F 31 0B 30 09 06 03 55 04 06 13 ty.a0_1.0...U...
  0280: 02 55 53 31 17 30 15 06 03 55 04 0A 13 0E 56 65 .US1.0...U....Ve
  0290: 72 69 53 69 67 6E 2C 20 49 6E 63 2E 31 37 30 35 riSign, Inc.1705
  02A0: 06 03 55 04 0B 13 2E 43 6C 61 73 73 20 34 20 50 ..U....Class 4 P
  02B0: 75 62 6C 69 63 20 50 72 69 6D 61 72 79 20 43 65 ublic Primary Ce
  02C0: 72 74 69 66 69 63 61 74 69 6F 6E 20 41 75 74 68 rtification Auth
  02D0: 6F 72 69 74 79 00 61 30 5F 31 0B 30 09 06 03 55 ority.a0_1.0...U
  02E0: 04 06 13 02 55 53 31 17 30 15 06 03 55 04 0A 13 ....US1.0...U...
  02F0: 0E 56 65 72 69 53 69 67 6E 2C 20 49 6E 63 2E 31 .VeriSign, Inc.1
  0300: 37 30 35 06 03 55 04 0B 13 2E 43 6C 61 73 73 20 705..U....Class
  0310: 31 20 50 75 62 6C 69 63 20 50 72 69 6D 61 72 79 1 Public Primary
  0320: 20 43 65 72 74 69 66 69 63 61 74 69 6F 6E 20 41 Certification A
  0330: 75 74 68 6F 72 69 74 79 00 D2 30 81 CF 31 0B 30 uthority..0..1.0
  0340: 09 06 03 55 04 06 13 02 5A 41 31 15 30 13 06 03 ...U....ZA1.0...
  0350: 55 04 08 13 0C 57 65 73 74 65 72 6E 20 43 61 70 U....Western Cap
  0360: 65 31 12 30 10 06 03 55 04 07 13 09 43 61 70 65 e1.0...U....Cape
  0370: 20 54 6F 77 6E 31 1A 30 18 06 03 55 04 0A 13 11 Town1.0...U....
  0380: 54 68 61 77 74 65 20 43 6F 6E 73 75 6C 74 69 6E Thawte Consultin
  0390: 67 31 28 30 26 06 03 55 04 0B 13 1F 43 65 72 74 g1(0&..U....Cert
  03A0: 69 66 69 63 61 74 69 6F 6E 20 53 65 72 76 69 63 ification Servic
  03B0: 65 73 20 44 69 76 69 73 69 6F 6E 31 23 30 21 06 es Division1#0!.
  03C0: 03 55 04 03 13 1A 54 68 61 77 74 65 20 50 65 72 .U....Thawte Per
  03D0: 73 6F 6E 61 6C 20 50 72 65 6D 69 75 6D 20 43 41 sonal Premium CA
  03E0: 31 2A 30 28 06 09 2A 86 48 86 F7 0D 01 09 01 16 1*0(..*.H.......
  03F0: 1B 70 65 72 73 6F 6E 61 6C 2D 70 72 65 6D 69 75 .personal-premiu
  0400: 6D 40 74 68 61 77 74 65 2E 63 6F 6D 00 D4 30 81 [email protected].
  0410: D1 31 0B 30 09 06 03 55 04 06 13 02 5A 41 31 15 .1.0...U....ZA1.
  0420: 30 13 06 03 55 04 08 13 0C 57 65 73 74 65 72 6E 0...U....Western
  0430: 20 43 61 70 65 31 12 30 10 06 03 55 04 07 13 09 Cape1.0...U....
  0440: 43 61 70 65 20 54 6F 77 6E 31 1A 30 18 06 03 55 Cape Town1.0...U
  0450: 04 0A 13 11 54 68 61 77 74 65 20 43 6F 6E 73 75 ....Thawte Consu
  0460: 6C 74 69 6E 67 31 28 30 26 06 03 55 04 0B 13 1F lting1(0&..U....
  0470: 43 65 72 74 69 66 69 63 61 74 69 6F 6E 20 53 65 Certification Se
  0480: 72 76 69 63 65 73 20 44 69 76 69 73 69 6F 6E 31 rvices Division1
  0490: 24 30 22 06 03 55 04 03 13 1B 54 68 61 77 74 65 $0"..U....Thawte
  04A0: 20 50 65 72 73 6F 6E 61 6C 20 46 72 65 65 6D 61 Personal Freema
  04B0: 69 6C 20 43 41 31 2B 30 29 06 09 2A 86 48 86 F7 il CA1+0)..*.H..
  04C0: 0D 01 09 01 16 1C 70 65 72 73 6F 6E 61 6C 2D 66 ......personal-f
  04D0: 72 65 65 6D 61 69 6C 40 74 68 61 77 74 65 2E 63 [email protected]
  04E0: 6F 6D 00 5D 30 5B 31 0B 30 09 06 03 55 04 06 13 om.]0[1.0...U...
  04F0: 02 42 45 31 0B 30 09 06 03 55 04 08 13 02 42 45 .BE1.0...U....BE
  0500: 31 0B 30 09 06 03 55 04 07 13 02 42 45 31 11 30 1.0...U....BE1.0
  0510: 0F 06 03 55 04 0A 13 08 44 65 6C 61 77 61 72 65 ...U....Delaware
  0520: 31 11 30 0F 06 03 55 04 0B 13 08 44 65 6C 61 77 1.0...U....Delaw
  0530: 61 72 65 31 0C 30 0A 06 03 55 04 03 13 03 6B 77 are1.0...U....kw
  0540: 73 00 61 30 5F 31 0B 30 09 06 03 55 04 06 13 02 s.a0_1.0...U....
  0550: 55 53 31 17 30 15 06 03 55 04 0A 13 0E 56 65 72 US1.0...U....Ver
  0560: 69 53 69 67 6E 2C 20 49 6E 63 2E 31 37 30 35 06 iSign, Inc.1705.
  0570: 03 55 04 0B 13 2E 43 6C 61 73 73 20 32 20 50 75 .U....Class 2 Pu
  0580: 62 6C 69 63 20 50 72 69 6D 61 72 79 20 43 65 72 blic Primary Cer
  0590: 74 69 66 69 63 61 74 69 6F 6E 20 41 75 74 68 6F tification Autho
  05A0: 72 69 74 79 00 C7 30 81 C4 31 0B 30 09 06 03 55 rity..0..1.0...U
  05B0: 04 06 13 02 5A 41 31 15 30 13 06 03 55 04 08 13 ....ZA1.0...U...
  05C0: 0C 57 65 73 74 65 72 6E 20 43 61 70 65 31 12 30 .Western Cape1.0
  05D0: 10 06 03 55 04 07 13 09 43 61 70 65 20 54 6F 77 ...U....Cape Tow
  05E0: 6E 31 1D 30 1B 06 03 55 04 0A 13 14 54 68 61 77 n1.0...U....Thaw
  05F0: 74 65 20 43 6F 6E 73 75 6C 74 69 6E 67 20 63 63 te Consulting cc
  0600: 31 28 30 26 06 03 55 04 0B 13 1F 43 65 72 74 69 1(0&..U....Certi
  0610: 66 69 63 61 74 69 6F 6E 20 53 65 72 76 69 63 65 fication Service
  0620: 73 20 44 69 76 69 73 69 6F 6E 31 19 30 17 06 03 s Division1.0...
  0630: 55 04 03 13 10 54 68 61 77 74 65 20 53 65 72 76 U....Thawte Serv
  0640: 65 72 20 43 41 31 26 30 24 06 09 2A 86 48 86 F7 er CA1&0$..*.H..
  0650: 0D 01 09 01 16 17 73 65 72 76 65 72 2D 63 65 72 ......server-cer
  0660: 74 73 40 74 68 61 77 74 65 2E 63 6F 6D [email protected]
  *** ServerHelloDone
  [read] MD5 and SHA1 hashes: len = 4
  0000: 0E 00 00 00 ....
  *** Certificate chain
  JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
  *** ClientKeyExchange, RSA PreMasterSecret, v3.1
  Random Secret: { 3, 1, 183, 52, 32, 171, 15, 252, 104, 26, 122, 4, 33, 152, 207, 169, 53, 3, 54, 92, 207, 235, 108, 124, 43, 137, 189, 40, 155, 244, 16, 195, 171, 111, 45, 24, 118, 251, 161, 5, 255, 221, 102, 77, 136, 92, 253, 146 }
  [write] MD5 and SHA1 hashes: len = 141
  0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 E7 73 AF ..............s.
  0010: 77 3C B9 37 C3 23 58 BB 44 7E B0 E1 EE D1 6F 37 w<.7.#X.D.....o7
  0020: E9 C2 CB CD 5B 36 80 61 76 69 28 FA 66 E5 19 31 ....[6.avi(.f..1
  0030: AF C5 CE 1D D0 B1 C0 A3 31 D4 2E 1A DB 1E CC 21 ........1......!
  0040: 7F B9 9F 8C 6A B8 4C 43 50 78 95 CF 51 E3 9E 97 ....j.LCPx..Q...
  0050: BF 07 DC 25 DE 56 D7 A5 7C D7 7D 5C D4 47 16 5D ...%.V.....\.G.]
  0060: 54 FC FE 6C D8 C7 17 AB 18 A0 EE 31 B6 38 10 29 T..l.......1.8.)
  0070: C4 D6 75 5B DB 1F B2 2B 20 28 40 C5 96 E4 E3 7A ..u[...+ (@....z
  0080: 5C D6 85 C3 03 05 F5 38 FE 34 72 EF 3F \......8.4r.?
  main, WRITE: SSL v3.1 Handshake, length = 141
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 B7 34 20 AB 0F FC 68 1A 7A 04 21 98 CF A9 ...4 ...h.z.!...
  0010: 35 03 36 5C CF EB 6C 7C 2B 89 BD 28 9B F4 10 C3 5.6\..l.+..(....
  0020: AB 6F 2D 18 76 FB A1 05 FF DD 66 4D 88 5C FD 92 .o-.v.....fM.\..
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 3F 84 09 08 2B 04 F4 67 36 6E 63 80 A2 84 16 02 ?...+..g6nc.....
  0010: C5 70 5B 69 04 85 F9 72 8E 7A 2C CB 9C BC 84 64 .p[i...r.z,....d
  Server Nonce:
  0000: 3F 84 09 08 02 CF ED 36 65 77 74 21 3B 36 38 6F ?......6ewt!;68o
  0010: AA 6E 5C 81 B2 43 7C 2E BB 99 F7 1B D8 C5 15 E8 .n\..C..........
  Master Secret:
  0000: 92 AB 4A D6 D4 F1 35 46 3D F8 20 64 7D 0D 1D 3C ..J...5F=. d...<
  0010: 6D 12 61 D7 B6 21 1D F9 9E F2 A3 1E C8 72 16 48 m.a..!.......r.H
  0020: 7E EB ED BD 71 66 89 36 8D A4 AA 30 A7 B6 F9 E3 ....qf.6...0....
  Client MAC write Secret:
  0000: FB B5 C5 28 A0 EF A9 2C 6F 6E 9A 8E 46 21 F8 5D ...(...,on..F!.]
  0010: 21 3A F3 5A !:.Z
  Server MAC write Secret:
  0000: AC B4 8C 0C 19 E9 70 87 86 2C 88 19 74 96 CB 86 ......p..,..t...
  0010: E1 57 28 D0 .W(.
  Client write key:
  0000: 67 8C 40 8A 0E F6 66 02 AA 57 A9 46 3E 4C 2B 0B [email protected]>L+.
  Server write key:
  0000: 39 79 50 0C 26 2A 0C 06 34 57 9F D0 ED 9E 76 1A 9yP.&*..4W....v.
  ... no IV for cipher
  main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
  JsseJCE: Using JSSE internal implementation for cipher RC4
  *** Finished, v3.1
  verify_data: { 2, 131, 239, 184, 3, 52, 180, 31, 246, 47, 142, 241 }
  [write] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 02 83 EF B8 03 34 B4 1F F6 2F 8E F1 .........4.../..
  Plaintext before ENCRYPTION: len = 36
  0000: 14 00 00 0C 02 83 EF B8 03 34 B4 1F F6 2F 8E F1 .........4.../..
  0010: E8 92 3D 1E 0C A5 0A B2 E3 71 7A E9 02 41 91 20 ..=......qz..A.
  0020: 30 86 A2 47 0..G
  main, WRITE: SSL v3.1 Handshake, length = 36
  waiting for close_notify or alert: state 1
  Exception while waiting for close java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
  main, SEND SSL v3.1 ALERT: warning, description = close_notify
  Plaintext before ENCRYPTION: len = 22
  0000: 01 00 BD 94 A3 63 BB DA 73 4F 7A 85 4B 79 25 76 .....c..sOz.Ky%v
  0010: 8B 08 0F FF CE FC ......
  main, WRITE: SSL v3.1 Alert, length = 22
  java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
       at java.net.SocketInputStream.socketRead0(Native Method)
       at java.net.SocketInputStream.read(SocketInputStream.java:116)
       at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
       at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
       at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(DashoA6275)
       at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(DashoA6275)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.g(DashoA6275)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
       at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1344)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
       at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:779)
       at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2179)
       at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2534)
       at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1047)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:638)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:500)
       at kws.testing.out.HTTPClient.main(HTTPClient.java:60)
  Exception in thread "main"
  Does someone have an idea on how to get client authentication (without password) work?
  regards,
  Kenneth

  ... no IV for cipher
  This line is in my debug and the debug posted in the original message.
  Am having the same problem of accessing a page with a Client Side Cert that uses a password. I get debug that has the "no IV for cipher" message. It does not throw
  an exception, but gets a 403 from server.
  Does anyone know? Will a Client Side Cert with a Symmetric Key work in Java APIs?
  I load the .pfx cert into a Java KeyStore and send this to Apache HTTPClient.

• Introduction of New OAB Architecture in Exchange 2013 and Some General Troubleshooting methods

  Exchange 2013 is different from previous versions of Exchange server on architecture, some of the old features have been changed. In this FAQ, I will demonstrate the changes on OAB and list a common issue for your reference.
  [Agenda]
  1. Differences between Exchange 2007/2010 OAB and Exchange 2013 OAB
  a. Generation
  b. Distribution
  c. Download
  2. Common issue and troubleshooting
  3. More information
  [Difference between Exchange 2007/2010 and Exchange 2013 on OAB]
  As we know, OAB in Exchange 2007/2010 has 3 points, OAB files generated from MBX server, distributed to CAS server and downloaded to Outlook client. However in Exchange 2013, these 3 points have a little different from previous servers. For example, the OAB
  Distribution process doesn’t depend on Microsoft Exchange File Distribution service anymore. Now let me show you the changes of OAB in Exchange 2013.
  [OAB Generation]
  ====================
  Exchange 2007/2010:
  1. OAB generation server is the specific MBX server which has –server property.
  2. If MBX01 is down, OAB generation will be affected.
  3. Previous Server using Microsoft Exchange System Attendant service for OAB generation.
  4. OAB generation is a scheduled process. By default, OAB files generated at 5:00AM every day.
  5. The OAB files which generated from MBX server are located in following path:
  C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\GUID folder
  Exchange 2013:
  1. OAB generation server is the MBX server that hosts a special type of arbitration mailbox, called organization mailbox. Thus, the same OAB files could be generated from multiple
  MBX servers.
  2. If one of the MBX server down, other MBX server still have the ability to generate the specific OAB files.
  3. Exchange 2013 server using OABGeneratorAssistant for OAB Generation.
  4. OAB generation is a throttled process. It depend on the Server workload.
  5. The OAB files which generated from MBX server are located in following path:
  C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\GUID folder
  [OAB Distribution]
  ====================
  Exchange 2007/2010:
  Previous Servers use Microsoft Exchange File Distribution service to distribute OAB files from MBX server to CAS server. The distributed oab files stored in CAS server.
  Exchange 2013:
  The OAB files doesn’t distributed to CAS server. The OAB files only stored in MBX server.
  [OAB Download]
  ====================
  Exchange 2007/2010:
  If Autodiscover works fine, Outlook should use OAB URL to get the OAB files and download it.
  If Autodiscvoer doesn’t work, authenticated users can also get the OAB from the CAS server local disk.
  Exchange 2013:
  Microsoft Exchange File Distribution service has been removed from Exchange 2013 and the OAB files stored in MBX server. CAS server will proxy all OAB download requests to the appropriate MBX server.
  Outlook also use Autodiscover to get the OAB URL and download it.
  [Common issue and Troubleshooting]
  Issue: Outlook doesn’t download OAB files automatically. When I try to manually download OAB, get this error: Task xxx reported error (0x80190194): The operation failed.
  Troubleshooting:
  1. First, please run following command to check the information of OAB Generation Server.
  Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “*OAB*”} | ft Name, Servername, Database
  Example result as below:
  2. Please make sure the authentication settings and URLs are set properly.
  3. Try to verify whether the OAB files generated from MBX server successfully. Path as below:
  C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\GUID folder
  4. If all of the settings above set correctly, please try to check Autodiscover. Run “Test E-mail Autoconfiguration” to check whether there is anything abnormal on OAB. If has, please search the error code on MS official documents.
  5. If this issue is related to local cache, please try to delete the OAB caches from local PC and re-download OAB for testing. Path as below:
  C:\Users\Administrator.CU1(different)\AppData\Local\Microsoft\Outlook\Offline Address Books
  [More information]
  http://blogs.technet.com/b/exchange/archive/2012/10/26/oab-in-exchange-server-2013.aspx
  http://blogs.technet.com/b/exchange/archive/2013/01/14/managing-oab-in-exchange-server-2013.aspx
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  Hi Techy,
  According to your description, I am still not quite sure about your environment. Could you please provide more information about it, such as:
  1. How many Exchange servers in your coexistence environment? One Exchange 2010 with all roles and one Exchange 2013 with all roles? Or several Exchange 2010 and multiple Exchange 2013?
  2. Are there two sites in your environment? What’s the Exchange deployment in different sites?
  3. Please confirm if both Exchange 2010 and Exchange 2013 are Internet-facing.
  Additionally, if you are using different namespaces for different services for internal access and external accessing, we need to include all service namespaces in your certificate with IIS service. Personal suggestion, we can follow ED Crowley’s suggestion
  to use split-brain DNS in your environment and only use the same namespace for Exchange service URLs.
  The following article described the details about how to configure different namespace for Exchange services by using Load Balance in Exchange 2013:
  http://www.msexchange.org/articles-tutorials/exchange-server-2013/high-availability-recovery/introducing-load-balancing-exchange-server-2013-part2.html
  Regards,
  Winnie Liang
  TechNet Community Support

• Multitenant application authentication in SharePoint Online (O365)

  I am able to use OAuth2 to authenticate using the mechanism described here: http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx - my intention is to allow my 3rd party WebApp to allow users to grant access to their SharePoint content via Azure OAuth.
  I am able to use the login.windows.net/common/oauth2 endpoints, and having registered my app in Azure, I do indeed get the right callback once the user authentiates, and I am able to post to the token endpoint.
  At this point, I have an auth-token that I can use, but I don't know the URL to the user's default (or root) SharePoint site. I am required to provide a 'resource' URI so that authentication can succeed, and if I hard-code this value to a known URL, then
  it works like a charm.  Unfortunately, this makes my application specific to one particular tenant.  Far from ideal...
  My question is - how can I detect the SharePoint URL to use as the resource parameter for access to - before the user logs-in? Or even better - is there a way to login using OAuth2 that allows me access to SharePoint endpoints, but which does not require
  me to know what the endpoints are ahead of time?
  If not, I don't see how it is possible to write multi-tenant applications with this model. I must be missing something.   Help!

  There are some interesting details on the stack overflow post here: http://stackoverflow.com/questions/27303590/building-a-multi-tenant-app-for-sharepoint-online-o365
  Bottom Line : SharePoint Online O365 applications only seem to be viable with hard-coded tenancy URLs - and there does not seem to be a mechanism for discovering a user's root web or site by the time it is required. This seems like a major hole in the multi-tenant
  application architecture, or more correctly the Azure login procedure for SharePoint, which has implications on a multi-tenant application.
  I am hoping someone has the magic silver bullet out there...

• GRC AC 10.0 - CUP User Authentication

  Hi All
  We have installed GRC AC 10.0 as a part of ramp up implementation. We will soon start with the configuration steps. For user interfacing we have 2 options (1) NWBC (2) Portal. Architecture of GRC AC 10.0 is based on webdynpro ABAP.
  Now we had a question wherein if we choose NWBC as a front end, then how do we integrate the LDAP for CUP user authentication.
  If we need to integrate LDAP as a authentication source for users in CUP, do we have the only option of going with Portal as a user interface.
  Please advise.
  Thank you.
  Anjan pandey

  > That feature in AC 10.0 is called End User Login and will have it's own URL to access via browser.
  Thanks Frank for your response. I did go through the RKT documents and seems that there is a link through which the end users will create request. we have also planned to setup a LDAP connectivity for user authentication.
  Thanks.
  Anjan Pandey

• Error in SSO authentication

  Hi,
  I have an apex application tied up with SSO. I have to make edits to this application now, but when I run the application I am getting following error:
  Error     Error processing SSO authentication.
  ORA-06550: line 1, column 7: PLS-00201: identifier 'WWV_FLOW_CUSTOM_AUTH_SSO.PORTAL_SSO_REDIRECT' must be declared ORA-06550: line 1, column 7: PL/SQL: Statement ignoredAny help to solve this issue is appreciated.
  I am using:
  Application Express 4.1.0.00.32
  DB details - Oracle Database 11g Enterprise Edition Release 11.2.0.1.0
  Web server architecture - APEX listener
  Browser(s) and version(s) used - Chrome version 24/ Firefox version 3.6 and version 18
  Thanks!

  Try searching this forum on WWV_FLOW_CUSTOM_AUTH_SSO.PORTAL_SSO_REDIRECT. You can do that in google as well and will get millions of answers.
  Denes Kubicek
  http://deneskubicek.blogspot.com/
  http://www.apress.com/9781430235125
  http://apex.oracle.com/pls/apex/f?p=31517:1
  http://www.amazon.de/Oracle-APEX-XE-Praxis/dp/3826655494
  -------------------------------------------------------------------

• Authentication and authorization capability in weblogic application server

  Hi,
  Need input from architecture point of view -
  Requirement is typical - have to build a web center portal application with authentication and authorization capability.
  I can think of three architecture options:
  1. weblogic server (where webcenter portal application will be deployed) with oracle IDM (or any other full blown IDM suite)...
  2. weblogic server with Active Directory (or any other LDAP directory), and a LDAP authenticator is configured in weblogic...
  3. only weblogic server (users created in weblogic admin console)...
  Obviously 1st one is costliest option (product cost, infrastructure cost, maintenance cost) and most flexible. However I am discarding it purely because of cost.
  Confused between 2nd and 3rd.
  2nd option - separate user store, user can be added/deleted without touching application server, cost wise - 1 extra server and 1 LDAP directory product (or open source LDAP server)...
  3rd option - application server becomes very 'heavy' with all users information, you need to access server to add/delete users, probably cheapest option money wise... However it might affect application performance if users grow large...
  Please let me know if I should consider more parameters/points before deciding. Is there any important thing I am missing? Your input appreciated.
  Thanks.

  Hi,
  You are right your first requirement make more costly and complex environment.
  I would recommend to go with Second option instead of the third one.
  In cause in future if you want to use different server also you will have option to use external AD.
  Well now you will think why I recommend you second option instead of the third option.
  external LDAP is more secure than internal one.
  If you have any further query let me know.
  Regards,
  Kal

• Advice on Security Model Architecture..

  Hi all,
  Just looking for the advice of the experts :)
  I am working on the security model architecture for multi-tiered java application. The application architecture breaks down roughly as follows:
  Presentation Layer (JSP/Java)
  Business Layer (Java)
  Persistence Layer (JDBC/Oracle DB)
  Now, in the DB we will preserve information about various users, as well as the user's application permissions. My question pertains to authentication/authorization. Where is it most appropriate or efficient to verify a user's access to a functionality? Assume that the user and permission information is retrieved upon login and is made available to all levels.
  The options, as I see them, include the following:
  Presention layer - UI exposes only functionality applicable to the user.
  Business layer - Encode the logic in this facade for the backend.
  Persistence layer - Encode the logic in the data access objects.
  Any thoughts?

  Well, the layered approach is one way in which java applications are constructed.. the user interface is the top layer, which is composed of jsp files and other java files, and the objects that talk to the database are the bottom layer. Maybe an example would help..
  You're looking at a page on the Java Discussion Forums. It's a jsp page. You click on the 'Watches' link (upper right). The link points to a servlet, which calls a method in an object that is in what I call the "business" or middle layer/tier. An object in this layer has methods that correspond to any request that needs to be made of the db.
  This method in turn calls method/methods in the backend, or data layer, which queries the database and returns the watches for this particular user...
  So, if you have a request/response transaction (click on a link or button, processing, and new page is loaded), it would make a round trip through the layers:
  Presentation -> Business -> Data -> DB -> Data -> Business -> Presentation

• External Authentication in 9.0.2

  I have an external authentication module with Login Server 3.0.9 and I'm migrating my applications to the new release.
  I checked for the ssoauthx.pks package specification and it says that external authentication module is no longer supported with this release. The only way to authenticate my users is to sync with oid.
  Is this is the only way to do external authentication?. Are future version of iAS will still depend on OID for authentication?

  Hi Nestor,
  Even i am looking for similar solution and thinking of giving you some suggetion....
  Oracle 9iAS R2 makes it madatory to use OID (or sync with OID) in SSO architecture.
  We are trying to implement plug-in procedure (when_compare_replace) in OID to replace the password comparison for SSO requests. we are planning to check for our cookie to authenticate the user.
  but i don't know how exactly this will work...
  hope this helps
  -vijay

• DocumentDB + (Social) Authentication: What's the best approach?

  So I want to create a web app (propably using AngularJS, mobile apps perhaps comming later but not important right now) where users can create their own datasets (define structure and add data). As this needs to be really flexible I'm thinkin about using
  DocumentDB.
  DocumentDB does offer some user management with permissions, but I'm unclear whether I'm supposed to create a database user for each end-user or if I just create users based on permission levels.
  Furthermore I'd like to offer social login options (like Facebook) which can be done easily through ASP.NET MVC and/or Azure Mobile Services. Would it make sense to create a Web API Project for wrapping an authentication layer around DocumentDB considering
  DocumentDB does already offer a RESTful API and user management or is there an easier / more straight forward way of doing this?

  Thanks for your reply!
  I wasn't trying to suggest that I want to create one database per user. I was wondering if it would make sense to create a
  database user with it's own set of keys for each user account using the app or if I should wrap something like Azure Mobile Services around the DocumentDB for authentication purposes (as I might want to make use of Facebook authentication).
  Your link was quite helpful as I was looking for something like this:
  "Security can be enforced at the application level simply by adding a tenant property inside your document and enforcing a tenant filter on all queries (e.g. SELECT * FROM collection c WHERE c.userId = “Andrew”). Security can be enforced at
  the DocumentDB level as well by creating a user for each tenant, assigning permissions to tenant data, and querying tenant data via the user’s authorization key."
  Regarding my question, it seems like "both" might be the answer, right?
  Here's how I'm thinking my architecture should look like - please correct me if something does not make sense or could be done more elegantly:
  Create Azure Mobile Service with .NET / Web API Backend for user / account / permission management (within SQL DB)
  Hook up DocuentDB with .NET SDK, store user id with documents for permission management
  OPTIONAL: Create DocumentDB user for each user account to further enforce permissions
  Create web & mobile apps using the AMS api
  Does that make sense?