Call servlet only with ssl
Hi, i'm a new J2EE developer.
I have created a servlet that reads some data by a form.
The servlet response is simply an xml text.
I should want to call this servlet only with https protocol
I use Tomcat 6.0 and i configured it reading official user guide.
The problem is that if i call with browser the servlet (called SimpleResponseServlet) with normal http, i obtain the response.
What can i do avoid this?
this is my web.xml:
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>SimpleResponseServlet</web-resource-name>
<description/>
<url-pattern>/SimpleResponseServlet</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>Thank you soo much.
There was an error in server.xml.
Thank you.
Similar Messages
-
How do I restrict access to JSP or servlet only through SSL Port
Hi
I want to restrict the access to few jsp and servlet only through SSL port,
so how can I block the acces to those jsp and servlet through normal port??? We
are using weblogic 5.1.
Any help on this highly appreciated.
ArunaHi,
To restrict access(56 bits or less). follow the below steps.
1. Go to your Webserver instance ServerManager
2. Click Preferences Tab ------> Encryption Preference
------> There disable "DES with 56 bit
encryption and MD5 message authentication."
for SSL 2.0 ciphers or SSL3.0 Ciphers. Which ever
needed.
3. Save and Restart the Webserver instance.
The above steps are for 4.x version.
Thanks,
Daks. -
Calling PSP procedure with SSL
I want to call a PSP (SCREEN_B) procedure from another PSP precedure(SCREEN_A) . The deal is the new page (SCREEN_B) should be called with SSL.
Here is the regular way of calling PSP.
document.form.action="SCREEN_B";
document.form.method="POST"
document.form.submit();
Please advise, How to call this SCREEN_B using SSL.
ThanksYou mean you have a Java client that calls the servlet, and within your
client you are using URLConnection.getConnection()? ... and the servlet
is only servers via HTTPS.
Then you need to get JSSE:
http://java.sun.com/products/jsse
John Salvo
Alejandro wrote:
>
Dear all,
we are trying to call a servlet by using the java
URLConnection.getConnection method.
Our Weblogic servlet is listening only throw the SSL port, and it's doesn't
work.
Someone knows how to solve this issue???
Please, help us!!!!
Thanks in advance,
Alejandro Mejías
CGE&Y -
Hello All,
I am fairly knew to Java and Tomcat etc as I came from a non Java\Tomcat previous role but have inherited a project which is a Java servlet (Java 1.6.0.29) running on Windows with Tomcat (Tomcat 7) as the container. The servlet communicates with both an Oracle database on a Unix server and a SQL server database on a Windows server. I now require to secure the communication with the SQL Server database using SSL (Two way communication) and would really like some straight forward guidance on how to do this, i.e. what exactly do I do?
I ask this because there is a lot of information on the Tomcat website and other web sites but I find it becomes very ambiguous and confusing. They mostly talk about setting up a Keystore for the root certificate on the server and then say nothing about the "client". In my servlets situation the server hosting the SQL server is the "server" and the server hosting the servlet is the "client". The server hosting the servlet ("the client") already has a keystore set up on it to handle the encryption to the Oracle database and a entry to suit in the Tomcat server.xml file.
Any assistance would be greatly appreciated. I am really stuck with this
Thank you in advance
AlanjoOn 01/14/2014 06:11 AM, Alan Farroll wrote:
> Hi all,
>
> I could not find a more appropriate forum in Eclipse for this question
> so have placed it in newcomers as I am still quite new to Java\Eclipse
>
> We are working on a Java servlet application that involves security with
> SSL to allow the servlet to run from a server outside our firewall and
> interrogate databases inside our firewall. It runs on Tomcat 7 and built
> on Java 1.6.0.29
>
> We have had no problems running the servlet on the Test server within
> the firewall but when running on the Live server outside the firewall
> the SoapUI request returns nothing and the current Tomcat log error is
> "java.lang.RuntimeException: Could not generate dummy secret"
>
> The problems seem to be with the jce.jar and the sunJCE_provider.jar.
>
> Has anybody any assistance they could provide please.
>
> Thanks in advance
>
> AJF
The live server doesn't have access to the right JARs? Maybe this will help?
http://www.javahotchocolate.com/notes/jce-policy.html -
Hi, I am trying to use a secure connection to one of my servlets. The
problem is, it seems that the browser keeps looking for my servlet (I don't
get an error or anything), and then finally, when I hit the "stop" - button,
I get this warning:
<NT Performance Pack><Already cleaned up fd: '-1', socket:
'Socket[addr=127.0.0.1/127.0.0.1, port 1789, localport=7002]'>
I'm working with Weblogic Server 6.0 (Evaluation version), IExplorer 5.0,
Windows 2000 Pro.
Thanks
AlexThe native I/O. I haven't tried installing the service pack yet, but I'm
thinking of installing 6.1 then instead of the 6.0 I'm using now. I just
found it strange that I could use https if I'm doing a GET, and not if I'm
using a POST, and I've been experimenting a bit, but I still can't find an
answer. Maybe it's something with the server. Let's see what happens when I
install 6.1 then.
Thanks
Alex
"Jerry" <[email protected]> wrote in message
news:[email protected]..
Hey Alex --
Just so I'm clear -- which didn't work ? Upgrading to 60SP2 , ordisabling
native i/o? (or both?)
Thanks!
Joe Jerry
Alexander Bollaert wrote:
That doesn't solve the problem...
It seems that it's only the post-method that doesn't work. (I've only
discovered that today, sorry). If I use a "get" to post a form using
SSL, it
works. If I use a "post", the whole thing hangs.
If someone has an explanation for this, please mail it to me, becauseI'd
really like to know what's causing this.
Thanks anyway
Alexander
"Jerry" <[email protected]> wrote in message
news:[email protected]..
Hey Alex,
Try taking native i/o off and trying again.
Looks like a problem with the performance pack -- if it is disabled
then
SSL
should work correctly.
Get 6.0 GA with SP2 to solve the performance pack problem (I believe
that
it
will)
Cheers,
Joe Jerry
Alexander Bollaert wrote:
Hi, I am trying to use a secure connection to one of my servlets.
The
problem is, it seems that the browser keeps looking for my servlet(I
don't
get an error or anything), and then finally, when I hit the "stop" -button,
I get this warning:
<NT Performance Pack><Already cleaned up fd: '-1', socket:
'Socket[addr=127.0.0.1/127.0.0.1, port 1789, localport=7002]'>
I'm working with Weblogic Server 6.0 (Evaluation version), IExplorer5.0,
Windows 2000 Pro.
Thanks
Alex -
Calling web service with SSL (HTTPS) hangs client stub
If anyone can help it would make my day! I've spent way too much time on this!!!
I'm running:
- Web service is running on Linux RedHat with Oracle9iAS 9.0.3
- Client is running from Windows XP under Jdeveloper
I've successfully installed and run the web security demo "ws_security" at http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar.
This demo goes through installing the web service, certificates, etc... and the demo runs fine. I'm also able to connect to the web service from a browser using https://server1:4443/CreditCardValidator/CreditCardValidator. I can download the proxy, look at the WSDL, etc...
Now I've written my own very simple stateless java class web service, deployed it to 9iAS , and then downloaded the proxy stub jar. Using the proxy stub I can call my web service and everything works fine.
Then I configure the web service to use HTTPS by making the following changes to the proxy stub (per the ws_security demo).
1) Copy the following 5 lines to the proxy stub
System.setProperty("ssl.SocketFactory.provider","oracle.security.ssl.OracleSSLSocketFactoryImpl");
System.setProperty("ssl.ServerSocketFactory.provider","oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
System.setProperty("java.protocol.handler.pkgs","HTTPClient");
System.setProperty("oracle.wallet.location","C:\\Data\\Oracle\\WALLETS\\ws_security\\wallet.txt");
System.setProperty("oracle.wallet.password","thewalletpassword");
2) modify the "m_soapURL" by changing "http" to "https" and the port number to 4443
3) add the following 3 jar files to my projects library class list:
C:\Program Files\jdev9031\jlib\jssl-1_2.jar
C:\Program Files\jdev9031\jdk\jre\lib\ext\jcert.jar
C:\Program Files\jdev9031\lib\jsse.jar;C:\Program Files\jdev9031\jlib\javax-ssl-1_2.jar
When I run the proxy stub it just hangs. I've traced the hang to the "Response response = call.invoke(new URL(m_soapURL), soapActionURI);" statement in the "makeSOAPCallRPC" method in the proxy stub.
Again, this works fine if I simply change the "m_soapURL" to use "http" instead of "https". It looks like it's hanging on the client side and the call is never making it to the server.
Any help is GREATLY appreciated!!!!!Could you explain it a little more, please.
Since my first message, I used the wallet manager to add the certificate the server where the web service is at, uses.
What else do I need to make it work??
Thanks in advance again. -
Weblogic app server wsdl web service call with SSL Validation error = 16
Weblogic app server wsdl web service call with SSL Validation error = 16
I need to make wsdl web service call in my weblogic app server. The web service is provided by a 3rd party vendor. I keep getting error
Cannot complete the certificate chain: No trusted cert found
Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure
Validation error = 16
From the SSL debug log, I can see 3 verisign hierarchy certs are correctly loaded (see 3 lines in the log message starting with “adding as trusted cert”). But somehow after first handshake, I got error “Cannot complete the certificate chain: No trusted cert found”.
Here is how I load trustStore and keyStore in my java program:
System.setProperty("javax.net.ssl.trustStore",”cacerts”);
System.setProperty("javax.net.ssl.trustStorePassword", trustKeyPasswd);
System.setProperty("javax.net.ssl.trustStoreType","JKS");
System.setProperty("javax.net.ssl.keyStoreType","JKS");
System.setProperty("javax.net.ssl.keyStore", keyStoreName);
System.setProperty("javax.net.ssl.keyStorePassword",clientCertPwd); System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true");
Here is how I create cacerts using verisign hierarchy certs (in this order)
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignClass3G5PCA3Root.txt -alias "Verisign Class3 G5P CA3 Root"
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediatePrimary.txt -alias "Verisign C3 G5 Intermediate Primary"
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediateSecondary.txt -alias "Verisign C3 G5 Intermediate Secondary"
Because my program is a weblogic app server, when I start the program, I have java command line options set as:
-Dweblogic.security.SSL.trustedCAKeyStore=SSLTrust.jks
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.SSL.enforceConstraints=strong
That SSLTrust.jks is the trust certificate from our web server which sits on a different box. In our config.xml file, we also refer to the SSLTrust.jks file when we bring up the weblogic app server.
In addition, we have working logic to use some other wsdl web services from the same vendor on the same SOAP server. In the working web service call flows, we use clientgen to create client stub, and use SSLContext and WLSSLAdapter to load trustStore and keyStore, and then bind the SSLContext and WLSSLAdapter objects to the webSerive client object and make the webservie call. For the new wsdl file, I am told to use wsimport to create client stub. In the client code created, I don’t see any way that I can bind SSLContext and WLSSLAdapter objects to the client object, so I have to load certs by settting system pramaters. Here I attached the the wsdl file.
I have read many articles. It seems as long as I can install the verisign certs correctly to web logic server, I should have fixed the problem. Now the questions are:
1. Do I create “cacerts” the correct order with right keeltool options?
2. Since command line option “-Dweblogic.security.SSL.trustedCAKeyStore” is used for web server jks certificate, will that cause any problem for me?
3. Is it possible to use wsimport to generate client stub that I can bind SSLContext and WLSSLAdapter objects to it?
4. Do I need to put the “cacerts” to some specific weblogic directory?
---------------------------------wsdl file
<wsdl:definitions name="TokenServices" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
<wsp:Policy wsu:Id="TokenServices_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="true"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:types>
<xsd:schema targetNamespace="http://tempuri.org/Imports">
<xsd:import schemaLocation="xsd0.xsd" namespace="http://tempuri.org/"/>
<xsd:import schemaLocation="xsd1.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
</xsd:schema>
</wsdl:types>
<wsdl:message name="ITokenServices_GetUserToken_InputMessage">
<wsdl:part name="parameters" element="tns:GetUserToken"/>
</wsdl:message>
<wsdl:message name="ITokenServices_GetUserToken_OutputMessage">
<wsdl:part name="parameters" element="tns:GetUserTokenResponse"/>
</wsdl:message>
<wsdl:message name="ITokenServices_GetSSOUserToken_InputMessage">
<wsdl:part name="parameters" element="tns:GetSSOUserToken"/>
</wsdl:message>
<wsdl:message name="ITokenServices_GetSSOUserToken_OutputMessage">
<wsdl:part name="parameters" element="tns:GetSSOUserTokenResponse"/>
</wsdl:message>
<wsdl:portType name="ITokenServices">
<wsdl:operation name="GetUserToken">
<wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetUserToken" message="tns:ITokenServices_GetUserToken_InputMessage"/>
<wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetUserTokenResponse" message="tns:ITokenServices_GetUserToken_OutputMessage"/>
</wsdl:operation>
<wsdl:operation name="GetSSOUserToken">
<wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserToken" message="tns:ITokenServices_GetSSOUserToken_InputMessage"/>
<wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserTokenResponse" message="tns:ITokenServices_GetSSOUserToken_OutputMessage"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="TokenServices" type="tns:ITokenServices">
<wsp:PolicyReference URI="#TokenServices_policy"/>
<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="GetUserToken">
<soap12:operation soapAction="http://tempuri.org/ITokenServices/GetUserToken" style="document"/>
<wsdl:input>
<soap12:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap12:body use="literal"/>
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="GetSSOUserToken">
<soap12:operation soapAction="http://tempuri.org/ITokenServices/GetSSOUserToken" style="document"/>
<wsdl:input>
<soap12:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap12:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="TokenServices">
<wsdl:port name="TokenServices" binding="tns:TokenServices">
<soap12:address location="https://ws-eq.demo.i-deal.com/PhxEquity/TokenServices.svc"/>
<wsa10:EndpointReference>
<wsa10:Address>https://ws-eq.demo.xxx.com/PhxEquity/TokenServices.svc</wsa10:Address>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
----------------------------------application log
adding as trusted cert:
Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x641be820ce020813f32d4d2d95d67e67
Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020
adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028
adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x250ce8e030612e9f2b89f7054d7cf8fd
Valid from Tue Nov 07 19:00:00 EST 2006 until Sun Nov 07 18:59:59 EST 2021
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 28395435>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 SSL3/TLS MAC>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 received HANDSHAKE>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
<Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure.>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
at javax.xml.ws.Service.<init>(Service.java:56)
at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 22803607>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 14640403>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 SSL3/TLS MAC>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 received HANDSHAKE>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
<Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - 12.29.210.156 was not trusted causing SSL handshake failure.>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
at javax.xml.ws.Service.<init>(Service.java:56)
at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 16189141>I received a workaround by an internal message.
The how to guide is :
-Download the wsdl file (with bindings, not the one from ESR)
-Correct it in order that the schema corresponds to the answer (remove minOccurs or other things like this)
-Deploy the wsdl file on you a server (java web project for exemple). you can deploy on your local
-Create a new logicial destination that point to the wsdl file modified
-Change the metadata destination in your web dynpro project for the corresponding model and keep the execution desitnation as before.
Then the received data is check by the metadata logical destination but the data is retrieved from the correct server. -
Coldfusion 11 java/jre ssl mutual auth api calls. Help with coldfusion/java logs.
Hello,
I am here because I have exhausted my Coldfusion/Java ssl keystore certs trouble shooting abilities. Here is the issue. I am developing a Coldfusion 11 application that must make api calls to Chase payconnexion SOAP services. I am using the coldfusion cfhttp tags to do this, which is using the java jre 1.7.x to accomplish this. The problem, I am getting generic 500 internal server errors from Chase. They claim that I am not sending a cert during the ssl exchange. What I have done is:
- put our wildcard cert/key pair in the coldfusion keystore
- put our root and chain in the keystore
- put the chase server cert in the keystore
- converted the key/crt files to .pfx and make the calls
to chase with those, something like:
<cfset objSecurity = createObject("java", "java.security.Security") />
<cfset storeProvider = objSecurity.getProvider("JsafeJCE")/>
<cfset Application.sslfix = true />
<cfhttp url="#chase_api_server#/"
result="http_response"
method="post"
port="1401" charset="utf-8"
clientCert = "#cert_path#/#cert_file1#"
clientCertPassword = "#cert_password#">
<cfhttpparam type="header" name="SOAPAction" value="updateUserProfileRequest"/>
<cfhttpparam type="header" name="Host" value="ws.payconnexion.com" />
<cfhttpparam type="xml" value="#trim(my_xml)#"/>
</cfhttp>
Here is what I see in the Cf logs, can anyone help me interpret what
is happening ??
Thanks,
Bob
=============================================================
found key for : 1
chain [0] = [
Version: V3
Subject: CN=*.payments.austintexas.gov, O=City of Austin, L=Austin, ST=Texas, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
Validity: [From: Mon Aug 11 12:39:37 CDT 2014,
To: Thu Sep 01 18:34:24 CDT 2016]
Issuer: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
SerialNumber: [<snip>7]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
accessMethod: ocsp
accessLocation: URIName: http://ocsp.entrust.net
accessMethod: caIssuers
accessLocation: URIName: http://aia.entrust.net/2048-l1c.cer
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.entrust.net/level1c.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.2.840.113533.7.75.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[CertificatePolicyId: [2.23.140.1.2.2]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.payments.austintexas.gov
DNSName: payments.austintexas.gov
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [1] = [
Version: V3
Subject: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Fri Nov 11 09:40:40 CST 2011,
To: Thu Nov 11 20:51:17 CST 2021]
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
SerialNumber: [ <snip>]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
accessMethod: ocsp
accessLocation: URIName: http://ocsp.entrust.net
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.entrust.net/2048ca.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [2] = [
Version: V3
Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>public exponent: 65537
Validity: [From: Fri Dec 24 11:50:51 CST 1999,
To: Tue Jul 24 09:15:12 CDT 2029]
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
SerialNumber: [<snip>]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
trustStore is: /opt/coldfusion11/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
<snip 85 certs>
trigger seeding of SecureRandom
done seeding SecureRandom
Jan 23, 2015 13:15:37 PM Information [ajp-bio-8014-exec-7] - Starting HTTP request {URL='https://ws.payconnexion.com:1401/pconWS/9_5/', method='post'}
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1405197529 bytes = { 191, 115, 95, 85, 79, 234, 145, 176, 62, 70, 36, 102, 168, 15, 127, 174, 88, 118, 4, 177, 226, 5, 254, 55, 108, 203, 80, 80 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: ws.payconnexion.com]
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 191
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 81
*** ServerHello, TLSv1
RandomCookie: <snip>
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
%% Initialized: [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA]
** TLS_RSA_WITH_AES_256_CBC_SHA
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 4183
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=ws.payconnexion.com, OU=PayConnexion, O=JPMorgan Chase, L=New York, ST=New York, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Sun Apr 20 19:00:00 CDT 2014,
To: Tue Jun 02 18:59:59 CDT 2015]
Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ <snip>]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
accessMethod: ocsp
accessLocation: URIName: http://se.symcd.com
accessMethod: caIssuers
accessLocation: URIName: http://se.symcb.com/se.crt
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://se.symcb.com/se.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: <snip>
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: ws.payconnexion.com
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [1] = [
Version: V3
Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Sun Feb 07 18:00:00 CST 2010,
To: Fri Feb 07 17:59:59 CST 2020]
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ <snip>]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
<snip>
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
accessMethod: ocsp
accessLocation: URIName: http://ocsp.verisign.com
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3-g5.crl]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: <snip>
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
2.16.840.1.113733.1.8.1
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=VeriSignMPKI-2-7
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [2] = [
Version: V3
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Tue Nov 07 18:00:00 CST 2006,
To: Sun Nov 07 17:59:59 CST 2021]
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
SerialNumber: [<snip>]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Extension unknown: DER encoded OCTET string =
<snip>
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
accessMethod: ocsp
accessLocation: URIName: http://ocsp.verisign.com
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
codeSigning
2.16.840.1.113730.4.1
2.16.840.1.113733.1.8.1
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
Found trusted certificate:
Version: V3
Subject: CN=ws.payconnexion.com, OU=PayConnexion, O=JPMorgan Chase, L=New York, ST=New York, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: public exponent: 65537
Validity: [From: Sun Apr 20 19:00:00 CDT 2014,
To: Tue Jun 02 18:59:59 CDT 2015]
Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SerialNumber: [ <snip>]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
accessMethod: ocsp
accessLocation: URIName: http://se.symcd.com
accessMethod: caIssuers
accessLocation: URIName: http://se.symcb.com/se.crt
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://se.symcb.com/se.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: <snip>
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
2.16.840.1.113730.4.1
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: ws.payconnexion.com
Algorithm: [SHA1withRSA]
Signature:
<snip>
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<Empty>
*** ServerHelloDone
matching alias: 1
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=*.payments.austintexas.gov, O=City of Austin, L=Austin, ST=Texas, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
<snip>public exponent: 65537
Validity: [From: Mon Aug 11 12:39:37 CDT 2014,
To: Thu Sep 01 18:34:24 CDT 2016]
Issuer: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
SerialNumber: [<snip>]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
accessMethod: ocsp
accessLocation: URIName: http://ocsp.entrust.net
accessMethod: caIssuers
accessLocation: URIName: http://aia.entrust.net/2048-l1c.cer
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.entrust.net/level1c.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.2.840.113533.7.75.2]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[CertificatePolicyId: [2.23.140.1.2.2]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.payments.austintexas.gov
DNSName: payments.austintexas.gov
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [1] = [
Version: V3
Subject: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>
public exponent: 65537
Validity: [From: Fri Nov 11 09:40:40 CST 2011,
To: Thu Nov 11 20:51:17 CST 2021]
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
SerialNumber: [<snip>]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
accessMethod: ocsp
accessLocation: URIName: http://ocsp.entrust.net
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.entrust.net/2048ca.crl]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: <snip>
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
chain [2] = [
Version: V3
Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: <snip>public exponent: 65537
Validity: [From: Fri Dec 24 11:50:51 CST 1999,
To: Tue Jul 24 09:15:12 CDT 2029]
Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
SerialNumber: [<snip>]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
Algorithm: [SHA1withRSA]
Signature:
<snip>
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 3970
SESSION KEYGEN:
PreMaster Secret:
<snip>
CONNECTION KEYGEN:
Client Nonce:
<snip>
Server Nonce:
<snip>
Master Secret:
<snip>
Client MAC write Secret:
<snip>
Server MAC write Secret:
<snip>
Client write key:
<snip>
Server write key:
<snip>
Client write IV:
<snip>
Server write IV:
<snip>
*** CertificateVerify
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 262
ajp-bio-8014-exec-7, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 51, 254, 40, 56, 247, 218, 130, 183, 112, 239, 95, 4 }
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 48
ajp-bio-8014-exec-7, READ: TLSv1 Change Cipher Spec, length = 1
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data: { 89, 182, 137, 178, 177, 31, 27, 115, 151, 90, 169, 49 }
%% Cached client session: [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA]
ajp-bio-8014-exec-7, setSoTimeout(60000) called
ajp-bio-8014-exec-7, WRITE: TLSv1 Application Data, length = 1520
ajp-bio-8014-exec-7, READ: TLSv1 Application Data, length = 128
Jan 23, 2015 13:15:38 PM Information [ajp-bio-8014-exec-7] - HTTP request completed {Status Code=500 ,Time taken=1302 ms}
ajp-bio-8014-exec-7, READ: TLSv1 Application Data, length = 256
ajp-bio-8014-exec-7, READ: TLSv1 Alert, length = 32
ajp-bio-8014-exec-7, RECV TLSv1 ALERT: warning, close_notify
ajp-bio-8014-exec-7, called closeInternal(false)
ajp-bio-8014-exec-7, SEND TLSv1 ALERT: warning, description = close_notify
ajp-bio-8014-exec-7, WRITE: TLSv1 Alert, length = 32
ajp-bio-8014-exec-7, called closeSocket(selfInitiated)
ajp-bio-8014-exec-7, called close()
ajp-bio-8014-exec-7, called closeInternal(true)Ok, apparently Chase person who said we were not sending the certs and achieving mutual auth
was incorrect. The https calls were connecting, and mutual auth was taking place. The 500
error was about a soap envelope being delivered, and NOT SSL as I directed to. Everything
is working fine now.
Thanks,
Bob -
Calling servlet with out entry in web.xml
Hi
I want to know whether can a servlet be invoked with out having an entry in web.xml.Because to my knowledge when ever an entry is made in teh web.xml the <url-pattern> and the class file will be stored as key value combination it is only then when ever a request is made the server gets the class taht is to be invoked from the <url-pattern> that is passed from the client side.
Is ther any way by whihc we can call the servlet directly with out an entry in web.xml
Thanks in advance
Ajithkumar.SInteresting that it is possible on Tomcat anyway.
What's the real benefit of not having a Servlet
definied in web.xml?
The only benefit I see is that
you don't need to understand/read/change XML when
adding or removing a servlet. That isn't worth that
imho. What are the other benefits?The only thing I can think of is , to be able to quickly access a Servlet that you've just written, because it takes additional steps to define it in the web.xml.
I think it would be a security concern (of some sort) , if the Servlet's class is known, that's why it is better to access a Servlet with a mapping from web.xml -
After applying FQDN with SSL sharepoint2010 document library's document open as Read Only
Hi,
we have sharepoint server 2010 installed in windows server 2008 R2. We build a document library. After that we installed Office Web Apps. Now,edit in Browser or edit in word/excel etc. all options are working fine.
After that, we configured the site with FQDN (Fully Qualified Doman Name) with SSL. Now, the
edit in browser mode is working fine form both server and client machine (for both windows and form based users).
But, When we are trying toedit in word or other office application mode, the files open as Read Only mode (both from server and client machine).
The users cannot save the file.
After trouble shooting a lot, we found many forum says to edit windows registry or do some other operation on client machine. But, in our case it is not possible to edit registry or do some other experiment on every client's machine.
Is their any option to solve the problem from server end, so that each client automatically can open the office files on their own PC and save them to server (instead of re uploading the files to server )?
Please, help us to give the suggestion for solving our problem.
Thanks,Is Alternate Access Mappings configured correctly? Is the behavior consistent across different browsers? What are you seeing in ULS logs when the document is being opened from the library?
This post is my own opinion and does not necessarily reflect the opinion or view of Slalom. -
just updated my iphone with iOS 7.0.2 and when I call or people call me, only one party can hear the other. Would you know how to fix this problem? Thanks
Hi Apple_Mom,
Thanks for visiting Apple Support Communities.
If you've noticed issues after updating to iOS 7.0.2, you may want to first update to iOS 7.0.3 which was recently released.
iOS: How to update your iPhone, iPad, or iPod touch
http://support.apple.com/kb/HT4623
If the behavior persists, the troubleshooting steps in this article can help:
iPhone: Can't hear through the receiver or speakers
http://support.apple.com/kb/TS1630
Cheers,
Jeremy -
"user busy" only with one number i call
i always get the "user busy" signal, when calling a certain number.
(only realized with a certain one)
issue appears as follows:
after dialing the number/contact on my iphone 4 I can hear the ring once and after that always the "user busy" signal (plus the display showing "user busy", call back etc....)
already called my provider --> trial call, no issues with the provider
asked my friend about eventual call forwarding --> nothing thelike, no issues
hope you can help....Norton support is here. <br />
http://norton.lithium.com/norton/ -
RDS - External connections only for those with SSL Certifcate - how to accomplish that?
Hi,
we have a lot of partners for sales purposes and they need connect to our servers due to ERP access and then input 'sales order' and etc; there is a way to only accept connections from Computers/Tablets with enabled/installed an specific SSL?
If so, should we buy SSL from a valid external C.A for the server and clients? or just for Clients? or just for the server?
* I found similiar question but too old: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a254f1d0-43dd-4be3-8fe5-90f9fc97904a/securing-rds-with-ssl-certificate?forum=winserverTS#0f663d6e-aa58-4ad0-a315-b88bb3ec8c27
tks,
Renato PHi,
If you are looking to connect to a particular PC on your home network from outside then follow the steps
There are six steps you'll need to follow to set this up. Each one is explained in detail below.
Allow remote connections to the computer you want to access.
Make sure Remote Desktop is able to communicate through your firewall.
Find the IP address of the computer on your home network that you want to connect to.
Open your router's configuration screen and forward TCP port 3389 to the destination computer's IP address.
Find your router's public IP address so that Remote Desktop can find it on the Internet.
Open Remote Desktop Connection and connect.(Type in your public IP + the forwarded port to acces the desired PC- public IP : port )
If you have already done this and all you want is to decide who access it then give user permission in
Remote Desktop Users Group.
Apart using SSL cert you can limit the user access using your firewall/router.
SSL certificate is required for your server alone. -
How to configure sso with SSL step by step
Purpose
In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
Overview
In this document we will demonstrate:
1. How to configure OHS support SSL
2. How to Register SSO with SSL
3. Configure SSO for certificates
Prerequisites
Before start this document, you should have:
1. Oracle AS 10g infrastructure installed (10.1.2)
2. OCA installed
Note:
1. “When you install Oracle infrastructure, please make sure you have select OCA.
2. How Certificate-Enabled Authentication Works:
a. The user tries to access a partner application.
b. The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
c. The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
Enable SSL on the Single Sign-On Middle Tier
The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
l You must configure SSL on the computer where the single sign-on middle tier is running.
l You are configuring one-way SSL.
l You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
1. Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
2. In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-enabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>
3. Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
4. Reload the modified opmn configuration file:
ORACLE_HOME/opmn/bin/opmnctl reload
5. Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
6. Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
<VirtualHost ssl_host:port>
RewriteEngine on
RewriteOptions inherit
</VirtualHost>
Save and close the file.
7. Update the distributed cluster management database with the changes:
ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
8. Restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
9. Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
Reconfigure the Identity Management Infrastructure Database
Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
1. Change Single Sign-On URLs
Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
UNIX:
$ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
Windows:
%ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
Here is an example:
ssocfg.sh https login.acme.com 4443
2. Restart OC4J_SECURITY instance and verify the configuration
To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Then try logging in to the single sign-on server at its SSL address:
https://host:ssl_port/pls/orasso/
3. Back up the file targets.xml:
cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
· HTTPMachine—the server host name
· HTTPPort—the server port number
· HTTPProtocol—the server protocol
If, for example, you run ssocfg like this:
ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
Update the three attributes this way:
<Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
<Property NAME="HTTPPort" VALUE="4443"/>
<Property NAME="HTTPProtocol" VALUE="HTTPS"/>
5.Save and close the file.
6. Reload the OracleAS console:
ORACLE_HOME/bin/emctl reload
7. Issue these two commands:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Registering mod_osso
1. This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
$ORACLE_HOME/sso/bin/ssoreg.sh
-oracle_home_path $ORACLE_HOME
-config_mod_osso TRUE
-mod_osso_url https://myhost.mydomain.com:4443
2. Restarting the Oracle HTTP Server
After running ssoreg, restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
Configuring the Single Sign-On System for Certificates
1. Configure policy.properties with the Default Authentication Plugin
Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
DefaultAuthLevel = MediumHighSecurity
Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
2. Restart the Single Sign-On Middle Tier
After configuring the server, restart the middle tier:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Bringing the SSO Users to OCA User Certificate Request URL
The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
The URL for the SSO certificate Request is:
https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
To link the OCA server to OracleAS SSO server, use the following command:
ocactl linksso
opmnctl stoproc type=oc4j instancename=oca
opmnctl startproc type=oc4j instancename=oca
You also can use ocactl unlinksso to unlink the OCA to SSO.I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
on a URL that looks like this :
http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
and gives the error :
( Forbidden
You don't have permisission to access /sso/auth on this server at port 7777)
when I manually change the URL to :
https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
the SSO works correctly.
The question is :
How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
Any ideas ?
Thanks in advance -
Hello Guys,
I am implementing solution where in I need to post http request to a secure server. I am using following mechanisam to talk to the ssl server. But when I run the program on my local machine I get following error. Can you guys please help me out since I have limited knowledge of security API and I need to get this done in very short time. Please help me understand necessary steps required to resolve this issue.
Thanks
Code
SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
tunnelHost = "<my proxy server >";
tunnelPort = "<proxy server port>";
tunnel = new Socket(tunnelHost, tunnelPort);
doTunnelHandshake(tunnel, host, port ,username , password);
socket =(SSLSocket)factory.createSocket(tunnel, host, port, true);
socket.addHandshakeCompletedListener(
new HandshakeCompletedListener()
public void handshakeCompleted(
HandshakeCompletedEvent event)
{"\t CipherSuite:" + event.getCipherSuite());
System.out.println(
"\t SessionId " + event.getSession());
System.out.println(
"\t PeerHost "+
event.getSession().getPeerHost());
socket.startHandshake();
socket.close();
tunnel.close();
} catch (Exception e) {
e.printStackTrace();
private void doTunnelHandshake(Socket tunnel, String host, int port , String username , String password)
throws IOException
OutputStream out = tunnel.getOutputStream();
String AuthString = new String("NORTHAMERICA\\"+username+ ":" + password );
byte [] AuthBytes = AuthString.getBytes();
char []AuthChar = Base64encode(AuthBytes);
String test = String.valueOf(AuthChar);
String ProxyAuthorization = new String("Proxy-Authorization: Basic " + test);
String msg = "CONNECT " + host + ":" + port + " HTTP/1.0\n"
+ "User-Agent: Java SSL Sample\n"
+ "Host: FSM Gateway\n"
+ "Proxy-Connection: Keep-Alive\n"
+ "Pragma: No-Cache\n"
+ ProxyAuthorization
+ "\r\n\r\n";
byte b[];
try {
b = msg.getBytes("ASCII7");
} catch (UnsupportedEncodingException ignored) {
* If ASCII7 isn't there, something serious is wrong, but
* Paranoia Is Good �
b = msg.getBytes();
out.write(b);
out.flush();
byte reply[] = new byte[200];
int replyLen = 0;
int newlinesSeen = 0;
boolean headerDone = false; /* Done on first newline */
InputStream in = tunnel.getInputStream();
boolean error = false;
while (newlinesSeen < 2) {
int i = in.read();
if (i < 0) {
throw new IOException("Unexpected EOF from proxy");
if (i == '\n') {
headerDone = true;
++newlinesSeen;
} else if (i != '\r') {
newlinesSeen = 0;
if (!headerDone && replyLen < reply.length) {
reply[replyLen++] = (byte) i;
* Converting the byte array to a string is slightly wasteful
* in the case where the connection was successful, but it's
* insignificant compared to the network overhead.
String replyStr;
try {
replyStr = new String(reply, 0, replyLen, "ASCII7");
} catch (UnsupportedEncodingException ignored) {
replyStr = new String(reply, 0, replyLen);
/* We asked for HTTP/1.0, so we should get that back */
if (!replyStr.startsWith("HTTP/1.0 200")) {
throw new IOException("Unable to tunnel through "
+ tunnelHost + ":" + tunnelPort
+ ". Proxy returns \"" + replyStr + "\"");
System.out.println("tunneling Handshake was successful!");
Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.net.ssl.internal.ssl.InputRecord.b(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at SSLSocketClient.doIt(SSLSocketClient.java:166)
at SSLSocketClient.main(SSLSocketClient.java:54)
Debug information is
keyStore is :
keyStore type is : jks
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files\Java\j2re1.4.2_06\lib\security\cacerts
trustStore type is : jks
init truststore
adding as trusted cert:
Subject: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000bf
Valid from Wed May 17 09:01:00 CDT 2000 until Sat May 17 18:59:00 CDT 2025
adding as trusted cert:
Subject: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.),
Issuer: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.),
Algorithm: RSA; Serial number: 0x374ad243
Valid from Tue May 25 11:09:40 CDT 1999 until Sat May 25 11:39:40 CDT 2019
adding as trusted cert:
Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Algorithm: RSA; Serial number: 0x20000b9
Valid from Fri May 12 13:46:00 CDT 2000 until Mon May 12 18:59:00 CDT 2025
adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Net
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Net
Algorithm: RSA; Serial number: 0x9b7e0649a33e62b9d5ee90487129ef57
Valid from Thu Sep 30 19:00:00 CDT 1999 until Wed Jul 16 18:59:59 CDT 2036
adding as trusted cert:
init context
trigger seeding of SecureRandom
done seeding SecureRandom
tunneling Handshake was successful!
Socket is 15e83f9[SSL_NULL_WITH_NULL_NULL: Socket[addr=/10.0.1.38,port=80,localport=2133]]
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1115833203 bytes = { 119, 0, 234, 70, 240, 74, 55, 9, 64, 89, 133, 251, 64, 160, 105, 25, 113, 219, 252, 65, 240, 228, 184, 117, 235,
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_
Compression Methods: { 0 }
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.net.ssl.internal.ssl.InputRecord.b(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at SSLSocketClient.doIt(SSLSocketClient.java:166)
at SSLSocketClient.main(SSLSocketClient.java:54)No it is not correct.
The socket creation should be provided with the proper host and the port. the resource on the host is something you should ask your server (HTTP GET ... whatever).
The https://abc.com:443 is equal to https://abc.com as the default port for https is 443. the host variable should be "abc.com" and the port "443" and the rest negotiated in application level (HTTP GET /XYZ [is not the proper syntax]).
Further, with this description, the first url (https://server/resource:port) is not making any sense.
You problem in first place is probably the host and port parameters (specifically the port has been set to 80 which most likely is wrong) . you need to consider the other port regarding newline and CRs buildging the proxy authentication header, but you debug logs suggest that your test proxy server takes it.
Maybe you are looking for
-
Enabling/Installing IE10 in Windows 8.1
Hi Hope everybody is doing well. I need to install IE10 on windows 8.1 as our web based software does not support IE11. As i turned off IE11 from Windows Features mentioned below and tried to install IE10 from standalone installer it gives the messag
-
Document search and knowledge search
Hi All, I have seen two work centres on interaction center: document search and knowledge serach. what is the difference between the two. how can we configure the same. please provide some docs. Thanks, Priya
-
Photoshop Opens 8bit TIFF files as Camera Raw
My normal workflow consists of opening RAW files in ACR, making adjustments, then moving on to Photoshop where I apply retouching and build clipping paths. I then save the file as an 8bit TIFF. I rarely reopen these 8bit TIFFs again, but when I did s
-
PDF files commented with Android MyLibrary
Hello. I read a pdf book using Android MyLibrary software, and I made comments and marks on the file. Now when I moved the pdf file back to my PC Adobe Reader shows neither comments or marks -- I got a clean file as when I downloaded it. I read aroun
-
Why am I seeing blocked plug-in where short videos are?
When I click on a video on Facebook a small box says Blocked Plug-in. I am unable to view the video. How can I change this?