Certificate Hostname Discrepancy

Dear Experts:
Java code has been deployed in Oracle 10g Application Server - 10.1.3.1.0. We have two application servers in live production for load balancing. For two IPs we have given Virtual IP and the domain name has been registered for Public IP.
Now the IT-security team has come up with a vulnerability called “*Certificate Hostname Discrepancy*”.
Summary:
This policy states that any area of the website or web application that contains sensitive information or access to privileged functionality such as remote site administration requires that the certificate used by the server is the same host as the server hostname. https://xxx.xx.xx.xx:443/ has failed this policy.
Fix:
A new certificate with the appropriate hostname should be installed. For hosts with multiple names, a wildcard certificate may be appropriate.
Regards
Balaji

Any update on this? Is my question clear to all?
Regards
Balaji

Similar Messages

  • How to disable the certificate hostname verification?

    In JSSE changes file <http://java.sun.com/products/jsse/CHANGES.txt>
    It states the following:
    "It is sometimes useful to "disable" the certificate hostname
    verification during project development. A single certificate can now be shared among many development machines so that the hostnames don't need to match. A bug was fixed in the HttpsURLConnection hostname verifier code that now allows this functionality to work."
    Any idea on how to disable it
    Thanks
    - rayed

    this is easily achieved :
    create your own class (for example 'MyHostNameVerifier' ..) as a subclass of the JSSE HostNameVerifier and overwrite the method :
    public boolean verify(String parm1, String parm2)
    to your special needs. This method implements the verifying of hostnames..
    For your HttpsURLConnection then call
    setHostnameVerifier(new MyHostNameVerifier());
    so the HttpsURLConnection will then use MyHostNameVerifier in order to verify the hostname registered in the certificate.

  • Web service calling in HTTPS, certificate, hostname wrong

    Hi
    I'm trying to call a web service running in WSO2 Carbon and I can't do it because I was getting an exception asking for a certificate. I had success importing a valid certificate, but now I get the following exception:
    HTTPS hostname wrong: should be <10.36.15.100>
    This IP is the one where the WSO2 Carbon is running with the web service I'm calling.
    When I consume services running in other places I get no problem, and I can consume the service running in the WSO2 with the SOAP UI, so I don't know what happened.
    Thanks
    Ray

    Glad to help.
    I actually had a similar problem a few weeks ago. I created a remote enabled FM in our R/3 system that was called by a program in our SRM system. When I ran the FM in R/3 it worked, but from SRM, no joy.
    Eventually, I found that I had misspelled a parameter in the calling program. Since the FM didn't exist in SRM, the calling program couldn't report any syntax error or give a dump. I corrected the spelling and it finally worked.
    Rob

  • X509 certificates, hostname verification and SunCluster 3.1 failover.

    Hi,
    A newbie question - having an existing non clustered architecture and trying to decide how to use the SunCluster features.
    I have some self signed x509 certificates that are used by a process. When this process is (going to be) failed over to another machine, and the filesystem that contains the certificates also follows, what is the recommended way of ensuring that I can use the same certificates and that hostname verification etc still works.
    When I define a resource group for the filesystem and network interfaces required by this, can I also create a virtual hostname that will work on either of my cluster machines and will not confuse my SSL code when it verifies the certificates and the host?
    I think this is not a question of DNS, but a question of what happens when I want to type 'hostname' and would like to get the same result on either box that is part of our cluster. This way my certificates and application configuration would not need to be changed during a failover event.
    Thanks!

    Forget about the local hostname question - all that is important at the moment is that my keystores and truststores (created using Sun JVM keytool) are transportable and usable on the other host without change. The network resources associated with the names in the certificates are planned to move across as part of the resource group.
    In theory I guess this should work, but I wanted to know if anyone has had any experience of doing this and there were any gotchas.
    Thanks.

  • Problem connecting to HTTPS host with self signed certificate

    I have set up a tomcat server with SSL running in a vmware on my machine using a self signed certificate. I can connect to this no problem with a browser from my main machine with the url https://myserver:8443.
    However, I am not able to connect with a Java client. I always get the below exception. I read that I need to add it as a trusted certificate in the keystore. I went to the site with firefox and saved the certificate as a .cer file, and imported it into the default keystore at c:\users\louis\.keystore. I still have the same problem. I think the problem is the client is not using the keystore, and I don't know how to make it do so. I tried adding the following argument to the run command:
    -Djavax.net.ssl.trustStore=c:\users\louis\.keystore -Djavax.net.ssl.trustStorePassword=changeit
    but it doesn't help.
    Here is the exception I'm getting:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
         at Test.main(Test.java:39)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
         at sun.security.validator.Validator.validate(Validator.java:218)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
         ... 12 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
         ... 18 more

    I have worked around this problem by configuring the Java client to trust all certificates and disabling hostname verification. That way I don't need a trust store. I'll just have to remove that code in production. Not ideal since I'd rather have certificate/hostname verification working for testing, but it works at least.
    I have looked at the Java security documentation and as far as I can tell a keystore and trust store is still basically the same type of file and created the same way with the keytool. The difference is when you import a cert you use the -trustcacerts option. The client 'keystore' is only being used to store the trusted cert, so it essentially is a trust store. This is documented in the keytool doc for the command -importcert.
    http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html
    I actually think my problem is more to do with the hostname, since my server doesn't have a real domain hostname like www.myserver.com. I am just using the machine name for the host, although web browsers do not have a problem with this. When I set my java client to trust all certs, I was getting the following error:
    java.io.IOException: HTTPS hostname wrong
    Disabling hostname verification fixed this, so I'm wondering if my cert has the wrong hostname. I originally created the self signed cert using the keytool with the command -genkey, which creates a key pair and also a self signed cert. I looked at the keytool docs, and I don't see any way of specifying the hostname or even seeing what the host name of a cert is. What does it put as the hostname by default? The IP address or machine name, or am I understanding this wrong?
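
An added example, not code from any of the posts above: an RFC 2818-style name check in Java, showing why a certificate issued for a DNS name is reported as a hostname mismatch when the URL uses an IP address, and where the CN of a keytool-generated certificate comes into play. The class name, helper names and all sample names and addresses are constructed; it assumes IPv4 literals only and consults the subject CN only when the certificate carries no DNS subjectAltName.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CertNameCheck {
    // GeneralName type codes as returned by X509Certificate.getSubjectAlternativeNames()
    static final int SAN_DNS = 2;
    static final int SAN_IP = 7;

    static boolean isIpv4Literal(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // A wildcard covers exactly one leftmost label: *.example.com matches
    // app1.example.com, but not example.com or a.b.example.com.
    static boolean dnsMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // Pull the CN attribute out of an RFC 2253 subject DN, or null if absent.
    static String commonName(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // Unparsable DN: treat the certificate as having no CN.
        }
        return null;
    }

    // An IP in the URL must equal an iPAddress SAN. A DNS name is compared with
    // the dNSName SANs, and the CN is consulted only when there are none.
    static boolean certCoversHost(String host, Collection<List<?>> sans, String subjectDn) {
        boolean hostIsIp = isIpv4Literal(host);
        boolean sawDnsSan = false;
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String value = String.valueOf(san.get(1));
                if (type == SAN_IP && hostIsIp && value.equals(host)) {
                    return true;
                }
                if (type == SAN_DNS) {
                    sawDnsSan = true;
                    if (!hostIsIp && dnsMatches(value, host)) {
                        return true;
                    }
                }
            }
        }
        if (hostIsIp || sawDnsSan) {
            return false;
        }
        String cn = commonName(subjectDn);
        return cn != null && dnsMatches(cn, host);
    }

    // Constructed SAN entry in the same (type, value) shape the JDK returns.
    static List<?> san(int type, String value) {
        return Arrays.asList((Object) type, value);
    }

    static void report(String label, String host, Collection<List<?>> sans, String dn) {
        System.out.printf("%-28s host=%-18s -> %s%n", label, host,
                certCoversHost(host, sans, dn) ? "match" : "MISMATCH");
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) { // usage: java CertNameCheck server.cer hostname
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                report(args[0], args[1], cert.getSubjectAlternativeNames(),
                        cert.getSubjectX500Principal().getName());
            }
            return;
        }
        // Constructed samples: names only, no real certificates involved.
        List<List<?>> dnsCert = new ArrayList<>();
        dnsCert.add(san(SAN_DNS, "www.example.com"));
        List<List<?>> wildcardCert = new ArrayList<>();
        wildcardCert.add(san(SAN_DNS, "*.example.com"));
        List<List<?>> ipCert = new ArrayList<>();
        ipCert.add(san(SAN_IP, "192.0.2.10"));

        report("DNS cert, URL by name", "www.example.com", dnsCert, "CN=www.example.com");
        report("DNS cert, URL by IP", "192.0.2.10", dnsCert, "CN=www.example.com");
        report("wildcard cert", "app1.example.com", wildcardCert, "CN=*.example.com");
        report("wildcard, two labels", "a.b.example.com", wildcardCert, "CN=*.example.com");
        report("cert with IP SAN", "192.0.2.10", ipCert, "CN=www.example.com");
        report("CN only (keytool -genkey)", "myserver", null, "CN=myserver,O=Test");
    }
}
```

Run with a certificate file and a host name as arguments to check an exported certificate; `keytool -printcert -file server.cer` prints the same subject as the Owner field. With `keytool -genkey`, the CN is whatever was entered at the "first and last name" prompt.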

  • Certificates setup in server / keychain

    I have a server running OS-X Server 4.1. I had to reinstall completely and need to set up my SSL Certificates the right way.
    A) Since I am new to Certificates I think I might have messed up something. Since it did not work immediately and since I had to reinstall everything I tried to install all certificates I received everywhere: LOGIN + SYSTEM.
    In LOGIN I now have:
    Certificate hostname (issued by StartCom Class 1 Primary Intermediate Server CA)
    Certificate StartCom Certification Authority
    Certificate StartCom Class 1 Primary Intermediate Server CA
    Certificate StartCom Class 3 Primary Intermediate Server CA
    IN SYSTEM I have
    Certificate hostname (issued by IntermediateCA … OS-X Open Directory) + 2x public + 2x private keys
    Certificate hostname (issued by StartCom Class 1 Primary Intermediate Server CA)
    Certificate StartCom Certification Authority
    Certificate StartCom Class 1 Primary Intermediate Server CA
    Open Directory Server = hostname I don’t know if this is causing trouble, because I ended up with two certificates with the same name in keychain?
    I learned that I don't need the underlined entries in LOGIN, but on "Symantec SSL checker" website it recommends for best practices to remove the self-signed root from the server. Is this right? How do I do this? At the same website it says:
    "Multiple certificates were found with the same common name.
    The certificate installation checker cannot determine which certificate is correct. Remove the incorrect certificate and try again."
    Is this a problem? Why is this so? Maybe because SSL certificate and OD certificate have the same name?
    B) In OS-X Server I now have two certificates listed:
         1. Certificate: hostname - issued by StartCom Class 1 Primary Intermediate Server CA
         2. Certificate: hostname - hostname OD Intermediate CA
    I understand I need to use 1 (issued by SSL provider) to secure services? Could you use also the OD certificate?
    C) When I try to manage the server from a client and try to connect via SERVER APP I get a message saying:
              'Server can't verify the identity of the server "server-hostname".'
    Why is the connection not secured with my SSL certificate? I saw that you have KEYs and CERTIFICATEs in the Keychain in 4 different levels: Login, iCloud, System, System-Root. Sometimes you have "IDENTITY PREFERENCE". I guess that in identity preference you can choose which certificate to use for a particular service.
    In the Identity Preference for COM.APPLE.SERVERMGRD I have 18 certificates listed. 3 of them have the name of my SERVER. 2 of them were issued by my SSL CA and one belongs to OPEN DIRECTORY. Are the 2 SSL CA issued Certificates the reason why SSL checker reports multiple certificates? How can I solve this? I only see one instance of Certificate hostname (issued by StartCom Class 1 Primary Intermediate Server CA) in SYSTEM Keychain?
    If I try to change the Identity Preference for COM.APPLE.SERVERMGRD to one of the two Certificate hostname (issued by StartCom Class 1 Primary Intermediate Server CA) and try to login it does not get recognised on the client and is declared as self assigned CERTIFICATE.
    Can someone help?

    Hi Mikey,
    I am not sure why you have kept the corporate network under the dmz zone. In general security practice we keep the dmz zone/dmz firewall for the server/hosting environment where external parties require access, for example web server / application server.
    So your design requires some change in order to have a better architecture....
    internet
    |
    router
    |
    external SW
    |
    internet facing firewalls
    |
    DMZ SW and Jump Server / Application Server (DMZ Interface of the Firewall).
    Internet facing Firewall
    |
    LAN Interface SW (Inside Interface of the firewall)
    |
    LAN FW (If you really want to keep it)
    |
    Corporate Network
    Regards
    Karthik

  • The Ultimate Guide to Resolving Profile and Device Manager Issues

    The following article also applies to issues after re-setting the server's hostname. It also applies to situations where re-setting the Code Signing Certificate as described by Apple has not resolved the issue.
    Hello,
    I have been plagued with Profile Manager and Device Manager issues since day one.
    I would like to share my experience and to suggest a way how to resolve issues such as device cannot be enrolled or Code Signing Certificate not accepted.
    I shall try to be as brief as possible, just giving an overview of the steps that resolved my issues. The individual steps have been described elsewhere in this forum. For users who have purchased commercial SSL certs the following may not apply.
    In my view many of these issues are caused by missing or faulty certificates. So let us first touch on the very complex matter of certificates.
    Certificates come in many flavours such as CA (Certificate Authority), Code Signing Certificate, S/MIME and Server Identification.
    (Mountain?) Lion Server creates a so-called Intermediate CA certificate ("IntermediateCA_hostname_1") and Server Identification Certificate ("hostname") when it installs first. This is critical for the operation of many server functionalities, including Open Directory. These certs together with the private/public keys can be found in your Keychain. Profile and Device Manager may need a Code Signing Certificate.
    The most straightforward way to resolve the Profile Manager issues is in my view to reset the server created certificates.
    The bad news is that this procedure involves quite a few steps and at least 2 hours of your precious time because it means creating a fresh Directory Master.
    I hope that I have not forgotten to mention an important step. Readers' comments and addenda are welcome.
    I shall outline a sensible strategy:
    1. Clone your dysfunctional server to an external harddrive (SuperDuper does a reliable job)
    2. Start the server from the clone and shut down ALL services.
    3. It may be sensible to set up a root user access.
    4. Back-up all user data such as address book, calendar and other data that you *may* need to set up your server.
    5. Open Workgroup Manager and export all user and workgroup accounts to the drive that you are using to re-build your server (it may cause problems if you back-up to an external drive).
    6. Just in case you may also want to back-up the Profile Manager database and erase user profiles:
    In Terminal (this applies to Lion Server - paths may be different in Mountain Lion!)
    Backup: sudo pg_dump -U _postgres -c device_management > $HOME/device_management.sql
    Erase database:
    sudo /usr/share/devicemgr/backend/wipeDB.sh
    7. Note your Directory (diradmin) password for later if you want to re-use it.
    8. Open Open Server Admin and demote OD Master to Standalone Directory.
    9. In Terminal delete the old Certificate Authority
    sudo rm -R /var/root/Library/Application\ Support/Certificate\ Authority/
    This step is crucial because else re-building your OD Master will fail.
    9. Go back to Server Admin and promote the Standalone Directory to OD Master. You may want to use the same hostname.
    10. When the OD Master is ready click on Overview and check that the LDAP and Kerberos Realm reflect your server's hostname.
    11. Go back to Workgroup Manager and re-import users and groups.
    NOTE: passwords are not being exported. I do not know how to salvage user passwords. (Maybe passwords can be recovered by re-importing an OD archive - comments welcome!)
    12. Go to Server App and reset passwords and (not to forget) user homefolder locations, in particular if you want to login from a network account!
    If the home directory has not been defined you cannot login from a network account.
    13. You may now want to restore Profile Manager user profiles in Terminal. Issue the following commands:
    sudo serveradmin stop devicemgr
    sudo serveradmin start postgres
    sudo psql -U _postgres -d device_management -f $HOME/device_management.sql
    sudo serveradmin start devicemgr
    14. You can now switch back on your services, including Profile Manager.
    In Profile Manager you may have to configure Device Management. This creates a correct Code Signing Certificate.
    15. Check the certificate settings in Server App -> Hardware -> Settings -> SSL Certificates.
    16. Check that Apple Push Notifications are set (you can easily check if they are working later).
    17. You may want to re-boot OS Server from the clone now.
    18. After re-boot open Server App and check that your server is running well.
    19. Delete all profiles in System Preferences -> Profiles.
    19. Login to Profile Manager. You should have all users and profiles back. In my experience devices have to be re-enrolled before profiles can be pushed and/or devices be enrolled. You may just as well delete the displayed devices now.
    20. Grab one of your (portable) Macs that you want to enrol and go to (yourhostname)/mydevices and install the server's trust profile. The profile's name should read "Trust Profile for..." and underneath in green font "Verified".
    21. Re-enrol that device. At this stage keep your fingers crossed and take a deep breath.
    22. If the device has been successfully enrolled you may at last want to test if pushing profiles really works. Login to Profile Manager as admin, select the newly enrolled device. Check that Automatic Push is enabled (-> Profile -> General). Create a harmless management profile such as defining the dock's position on the target machine. (Do not forget to click SAVE at the end - this is easily missed here). If all is well Profile Manager will display an active task (sending) and the dock's position on the target will have changed in a few seconds if you are on a LAN (Note: If sending seems to take forever: check on the server machine and/or on your router that the proper ports are open and that incoming data is not intercepted by Little Snitch or similar software).
    Note: if you intend to enrol an Apple iPhone you may first need to install the proper Apple Configuration software.
    Now enjoy Profile and Device Manager !
    Regards,
    Twistan

    HI
    1. In Action profiles, logon to system and recheck correction are available in action definition as well as in condition configuration and the schedule condition is also maintained, but the display is not coming (i.e. in the worklist this action is not getting displayed).
    You can check the schedule condition for the action and match the status values, or try recreating the action with the schedule condition again. For customer specific, copy the standard action with your Z name and make a schedule condition and check the same.
    2. In support team of incident when I give individual processor it is throwing a warning that you are not the processor, but when I give org unit it is working perfectly. Could anyone guide on this?
    You need to have the employee role for BP. Go to BP, go to the dropdown for your BP and choose role Employee and then enter your userid.
    Also make sure that you have the message processing role.
    Hope it clarifies your doubt and resolves your problem.
    Regards
    Prakhar

  • Lion Server: VPN external ports to open on firewall

    With Leopard/SnowLeopard Server, opening ports back to my server @ 500, 1701 and 4500 were sufficient for L2TP VPN.  I had no issues trying to connect to my VPN until I upgraded to Lion (which I'm quickly learning was a big mistake).
    Now it appears that there might be undocumented, additional ports in the new (dumbed down) VPN on Lion Server
    I've got 500, 1701 and 4500 open now... and added 1723 (PPTP) as some people suggested (found via google search).  I still cannot connect from outside my network - the client acts like the server does not exist.
    Please note that I can connect without an issue from within the network.  When I simply change the hostname to my external host, it no longer is able to connect.  (My firewall supports external reflection when trying to access my external IP - so don't worry about my firewall config, other than port redirection).
    Is there another port besides the four I've listed about that I need to open?

    Yup... all UDP.  I'll mess with getting it outside the firewall. 
    I'm thinking now that it might be a domain/certificate name issue - seeing that all the new certificate trust requirements have already broken other things for me (like web-based stuff, calendars and profile management)
    Is it required by the VPN server that the certificate hostname matches the external hostname?

  • Lion Server VPN: Static IPs to Clients?

    Does anyone have any thoughts as to whether it might be possible to have the
    Lion L2TP server hand out static IPs to clients when they connect, based on the
    username they use to log in?
    Looking at this snippet from /Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist:
                                            <key>ConfigMethod</key>
                                            <string>Manual</string>
                                            <key>DestAddressRanges</key>
                                            <array>
                                                      <string>10.50.0.100</string>
                                                      <string>10.50.0.149</string>
                                            </array>
    ConfigMethod gives me a little hope that other methods may be available, and I
    might be able to do this, but am reaching out to see if anyone here has
    experience or insight on this topic.

  • Https not work in java1.6

    I have created a java application that communicates with a Server via HTTPS.
    With both JDK and JRE 1.4 the application works fine with no error message, but
    with JDK 1.6 the application does not work and gives this error message:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
    at HttpClient.execute(HttpClient.java:82)
    at HttpClient.main(HttpClient.java:254)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 14 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 20 more
    I set the certificate in code:
    System.setProperty("javax.net.ssl.trustStore", "certificate.cer");
    I don't understand the error message.
    Help me please.....

    Hello
    I connect with this code:
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.net.URL;
    import java.net.URLConnection;
    import java.security.Security;
    import java.util.Properties;
    import java.util.zip.GZIPInputStream;
    import java.util.zip.GZIPOutputStream;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSession;

    public class HttpClient {
        private static final boolean DEBUG = true;

        public static void main(String[] args) throws IOException {
            System.setProperty("javax.net.ssl.trustStore", "certificate.cer");
            Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

            // override default hostname verifier, ignore hostname mismatch error
            HostnameVerifier hnv = new HostnameVerifier() {
                public boolean verify(String urlHostname, SSLSession session) {
                    if (!urlHostname.equalsIgnoreCase(session.getPeerHost())) {
                        if (DEBUG) {
                            System.out.println("WARNING: Hostname mismatch (" +
                                               urlHostname + "), certificate Hostname is "
                                               + session.getPeerHost());
                        }
                    }
                    return true; // every hostname is accepted
                }
            };
            HttpsURLConnection.setDefaultHostnameVerifier(hnv);

            URL url = new URL("https", "URL", 443, "FILE");
            System.out.println("Opening connection: " + url);
            URLConnection conn = url.openConnection();
            conn.setRequestProperty("username", "USERNAME");
            conn.setRequestProperty("userpassword", "PASSWORD");
            conn.setRequestProperty("Content-Encoding", "gzip");
            conn.setDoOutput(true);
            conn.setDoInput(true);

            // send the request properties gzip-compressed
            GZIPOutputStream out = new GZIPOutputStream(conn.getOutputStream());
            Properties requestProp = new Properties();
            try {
                requestProp.load(new FileInputStream("request.properties"));
                System.out.println("HttPClient : Properties (request.properties) loaded.");
            } catch (IOException ioe) {
                System.out.println("HttPClient: Failed loading properties: request.properties");
            }
            System.out.println("sending contents..");
            requestProp.store(out, "Client Request");
            System.out.println("closing output");
            out.finish();
            out.close();

            // getting response
            GZIPInputStream input = new GZIPInputStream(conn.getInputStream());
            Properties responseProp = new Properties();
            responseProp.load(input);
            if (responseProp != null) {
                responseProp.store(new FileOutputStream("response.properties"), "response from server");
            }
            System.out.println("Exiting...");
        }
    }

  • Weblogic 9.2 cluster install across 2 linux servers - authentication errors

    Hello all,
    I am currently trying to install a 9.2 cluster across two Linux machines, but am having a few problems that I was hoping someone here could help with. I've been reading the documentation, but feel as though it's getting me nowhere.
    I have two servers, on which I have installed weblogic portal 9.2. On the first I have then used the configuration wizard to create an admin server and cluster members 1, 2 and 3.
    A cluster is created and the three cluster members are assigned to it.
    Then I configure two unix machines, for the servers 1 and 2.
    I assign the admin server and cluster member 1 to the first server. Cluster members 2 and 3 are assigned to the second server.
    The connection pools and JMS stores I left as the default values.
    The configuration completes and a domain is created on the first server.
    I have copied the complete user_projects directory to the second server. I didn't want to go through the configuration steps on each server that weblogic was to be installed on, so this looked like the easiest way to get the startManagedWeblogic scripts onto the second server. Also I didn't find anything in the documentation that mentioned how to set up a cluster across multiple machines in any detail, only how to install multiple instances on a single server and run them as a cluster.
    I manage to start the admin server ok and can connect through the web based admin console.
    The first cluster member also starts up on the first server.
    Now I go to the second server again, and when I try to start the cluster members here I get Authentication errors:
                        <Jan 31, 2007 2:56:22 PM CET> <Error> <Security> <BEA-090854> <SAMLCredentialMapper provider initialization failed: Could not retrieve credentials for AssertionSigningKey.>
              <Jan 31, 2007 2:56:23 PM CET> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
              <Jan 31, 2007 2:56:23 PM CET> <Error> <com.bea.weblogic.kernel> <000000> <[Security:090735]The DBMS connection was not usable>
              <Jan 31, 2007 2:56:23 PM CET> <Critical> <Security> <BEA-090403> <Authentication for user weblogic denied>
              <Jan 31, 2007 2:56:23 PM CET> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
              weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
                      at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:947)
                      at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1029)
                      at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:854)
                      at weblogic.security.SecurityService.start(SecurityService.java:141)
                      at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
                      Truncated. see log file for complete stacktrace
              >
              <Jan 31, 2007 2:56:24 PM CET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
              <Jan 31, 2007 2:56:24 PM CET> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
              <Jan 31, 2007 2:56:24 PM CET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
              Autonomy engine processes stopped
    What am I doing wrong / forgetting to do?
    Any help or suggestions are most helpful
    Regards
    IV

    Hello,
    I can help you in this regard (let me see).
    Let me start from the beginning.
    Assumptions:
    M1 is hosting 1 Admin server (AdminServer) and 2 Managed Servers (ms1, ms2),
    M2 is hosting 1 Managed Server (ms3)
    1. Install WebLogic Server/Portal product on M1 and M2, say /home/user1/bea1 on M1
       and /home/user1/bea1 on M2
    2. Create Cluster Domain using ConfigWiz/WLST.
       (Here I will talk about Config Wiz.)
       - Open Config Wiz
       - Create domain in Production Mode. (Ideally Cluster is not supported in Dev mode.)
       - Create 1 Admin server, 3 Managed servers, Host = <M1>, and config SSL port
            AdminServer - Host_M1
            Ms1 - Host_M1
            Ms2 - Host_M1
            Ms3 - Host_M2
       NOTE: *** Don't use IP addresses - use hostnames. The hostnames need to be specified in the correct format. When specifying a hostname, use the receiving server side's rules for SSL certificate hostname format when specifying the server address. The address that a client uses needs to match up with the server's SSL certificate host identity field (example: pint21.bea.com on both server/client side, not just pint21 and other pint21.bea.com)
       Using the 'keytool' Java utility, verify the content of hostname identity embedded in the demo SSL certificate
       $ keytool -list -v -alias demoidentity -keystore DemoIdentity.jks
       Owner: CN=pisol18, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
       - Config Data Source (conn pool) to any DB type you like, test them and run the DB scripts if applicable (Run DB).
    3. Create Managed Server template using the Pack/Unpack tool
       3.1 Using <WL_HOME>\common\bin\pack.cmd with the -managed option, create the managed server template.
       3.2 Using <WL_HOME>\common\bin\unpack.cmd on M2, create the domain on Host2
    4. Starting the Admin Server
    5. Start the Managed server in one of the many ways given on edocs:
       http://edocs.bea.com/wls/docs92/ConsoleHelp/taskhelp/clusters/StartOrStopAServer.html
    I hope this helps you,
    Thanks
    Viswa
              ------------

  • What versions of Weblogic currently have Subject Alternative Name support?

    I would like to visit a comment I saw in an old forum thread from 2010
    Certificate hostname verification error with 10.3
    that "WebLogic currently does not support the Subject Alternative Name field." Can someone please let me know what versions of Weblogic currently have Subject Alternative Name support? We are currently on 10.3. Is there anything near that version that has support, or a patch available for it?
    Regards,
    John

    The KM number is the article number on the support site. Log on to Oracle support and paste the number into the knowledge search and you will get your answer. The article is called "How to Develop Custom Hostname Verifier for Subject Alternative Name (SAN) Certificates" and applies to WLS 10.3.3 and later.
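    As an added illustration of what a SAN-aware hostname check involves (this is not the code from the Oracle KM article and not WebLogic's own verifier interface), the sketch below implements the standard JSSE `javax.net.ssl.HostnameVerifier`. The class name `SanHostnameVerifier` is hypothetical, and it assumes only dNSName entries matter (IP-address SAN entries are not handled), with the CN used only when the certificate has no dNSName at all.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

// Added example (hypothetical class name): match the requested host against SAN dNSName entries, CN only as fallback.
public class SanHostnameVerifier implements HostnameVerifier {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)
    public boolean verify(String host, SSLSession session) {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            List<String> names = dnsNames(leaf);
            if (names.isEmpty()) names = commonNames(leaf); // legacy certificates without SAN
            for (String name : names) if (matches(host, name)) return true;
            return false;
        } catch (Exception e) {
            return false; // fail closed: unverified peer, unparsable certificate, non-X.509 chain
        }
    }
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> out = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans != null)
            for (List<?> san : sans)
                if (((Integer) san.get(0)).intValue() == SAN_DNS_NAME) out.add((String) san.get(1));
        return out;
    }
    static List<String> commonNames(X509Certificate cert) throws InvalidNameException {
        List<String> out = new ArrayList<String>();
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType())) out.add(String.valueOf(rdn.getValue()));
        return out;
    }

    // Case-insensitive; "*" counts only as the entire left-most label and covers exactly one label.
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && p.indexOf('.', 2) > 0 && h.substring(dot).equals(p.substring(1));
    }
}
```

    With this logic a client addressing `pint21` is rejected by a certificate issued for `pint21.bea.com`, which is the short-name versus fully-qualified-name mismatch described in the cluster thread above. Note that `HttpsURLConnection` consults a custom verifier only after its built-in hostname check has already failed.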

  • Gateway error

    Hey all !
    I am getting this weird error in one of my Portal Gateways, does anyone know what could be happening??
    10/4/04 8:20:02 PM CDT: Thread[Thread-142,5,main]
    ERROR: ServerCertApprovalCallback: reason -8156
    10/4/04 8:20:02 PM CDT: Thread[Thread-142,5,main]
    ERROR: ServerCertApprovalCallback: reason -8172
    10/4/04 8:24:44 PM CDT: Thread[Thread-183,5,main]
    ERROR: ServerCertApprovalCallback: reason -8156
    10/4/04 8:24:44 PM CDT: Thread[Thread-183,5,main]
    ERROR: ServerCertApprovalCallback: reason -8172
    thank you very much

    Do you try to access Webservers via HTTPS?
    I had/have similar problems, and could solve some problems by:
    - set "gateway.trust_all_server_certs=true" in the /etc/opt/SUNWps/platform.conf.* file,
    - set "com.iplanet.am.jssproxy.trustAllServerCerts=true" in /opt/SUNWam/lib/AMConfig.properties,
    - use a Rewriter Proxy between Gateway and the backend host.
    It would be useful that the "trust_all_server_certs" would allow
    access to backends with invalid certificates - hostname does not
    match the name in the certificate.
    This was the case in earlier versions.
    There are Webservers in our intranet which use such certificates,
    which are administered by other organizational units.
    HTH,
    Juergen Maihoefner

  • CSA MC 6 - How can I create an SSL Certificate that points to a name other than the hostname?

    I have just installed CSA MC 6.0.2.  My company has a bunch of customers that are on different domains.  We are all linked through VPN tunnels and would like to have all the agents point to a specific URL for updates rather than the hostname of the machine.
    FQDN: testserver.abc123.internal
    URL: thisserver.abc123.com
    We already have everything setup so that the clients can reach thisserver.abc123.com but I need to create a certificate with this name without changing the server's hostname.  We also don't want to update their host files.  Any ideas?
    If anyone could help I would greatly appreciate it as we're looking to start upgrading the agents on all servers ASAP.
    Thank you,
    Cory

    What about putting the CSAMC in your DMZ and allowing those ports through your firewall?
    The nice thing is it allows hosts to communicate with the MC no matter where they are.
    You'd have to open up 80 to the MC for software updates but we haven't had any problems in 6 years with that setup.
    Tom

  • Certificate chain received from localhost 127.0.0.1 failed hostname verification check.

    Hello friends. The dns name of our server recently changed. Since that time,
    nothing except the administration node will start up. Server logs reveal the
    following information:
    Certificate chain received from localhost - 127.0.0.1 failed hostname verification
    check. Certificate contained COTHUBT but check expected localhost>
    There is one trusted certificate that was added to the cacerts keystore. Does
    it need to be removed and re added? Any other insight would be appreciated.

    "brain" <[email protected]> wrote:
    Try this if you're running version 8
    In the admin node gui.
    Click on machines
    Click on the NodeManager tab for the machine that you are interested in.
    Change hostname in listen address.
    Bounce the app server
    >
    > Hello friends. The dns name of our server recently changed. Since that time,
    > nothing except the administration node will start up. Server logs reveal the
    > following information:
    > Certificate chain received from localhost - 127.0.0.1 failed hostname verification
    > check. Certificate contained COTHUBT but check expected localhost>
    > There is one trusted certificate that was added to the cacerts keystore. Does
    > it need to be removed and re added? Any other insight would be appreciated.
