Certs
Just a question about Linux certs. Is Linux+ a good one, or is there a better one that is not a Red Hat cert? I am going to get my Linux+ but am just seeing if there is a non-RH cert that is a good one to have also.
cactus wrote: I don't know anyone that hires Linux admins based on 'Linux certs'.
If they do... do you really want to be working for them?
Hmm... You haven't worked for many staffing companies if you believe so.
Those types, who know nothing about their own Windows box, need to hire someone. How do they check you out, if they have -nobody- in this field in the company, to gauge your knowledge?
On top of that, certified personnel are often asked for in submissions. You may have the best staff around, but if the client specifies he wants people with papers, you must feed them with it or pass on it.
I'm stuck in this kind of world right now and I'll be taking a couple of certs (LPI's) soon.
Mind you, I worked in the field before even without certs, but now it's just different.
Similar Messages
-
Untrusted server cert chain - while connecting with ldap
Hi All,
I am getting the following error while running a standalone Java program in a Windows 2000 + JDK 1.3 environment to connect to LDAP.
javax.naming.CommunicationException: hostname:636 [Root exception is javax.net.ssl.SSLException: untrusted server cert chain]
javax.naming.CommunicationException: hostname:636. Root exception is javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA12275)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
at java.io.OutputStream.write(Unknown Source)
at com.sun.jndi.ldap.Connection.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapClient.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at Test2.getProxyDirContext(Test2.java:66)
at Test2.main(Test2.java:40)
Any help would be appreciated.
Thanks in advance,
Somu
This got resolved when the following was added to the code:
System.setProperty("javax.net.ssl.trustStore", CertFileName);
where CertFileName is the filename with the complete path. The file is a CA certificate of the LDAP server in X509 format.
-
DAP LUA match iPad device unique ID to cert
Hi,
I am trying to configure a DAP policy using LUA to perform a check that a cert has not been moved. The cert has been configured to store the iPad's device unique ID in the subject CN field, which I have verified on the device. I have configured the following LUA statement but I am not getting a match:
EVAL(endpoint.anyconnect.deviceuniqueid, "NE", endpoint.certificate.user["0"].subject_cn, "caseless")
Is this check possible with iPads?
Thank you.
So in the end I had the same problem with this script. Never really fixed it, but did a workaround with that script by making local match_valueX for X number of certs you think folks will have in their store. So most people won't have 64... but really you could cut and paste to any number you like.
assert(function()
    -- Expected CN: the endpoint's hostname plus the company DNS suffix.
    local match_pattern = endpoint.device.hostname .. ".domain.com"
    -- Guard each slot: a store with fewer certs would otherwise fail with
    -- "attempt to index a nil value" instead of evaluating to false.
    local certs = endpoint.certificate.user
    local match_value0 = certs["0"] and certs["0"].subject_cn
    local match_value1 = certs["1"] and certs["1"].subject_cn
    local match_value2 = certs["2"] and certs["2"].subject_cn
    if match_pattern == match_value0 then
        return true
    elseif match_pattern == match_value1 then
        return true
    elseif match_pattern == match_value2 then
        return true
    else
        return false
    end
end)()
Another option is to do a username-from-certificate mapping script that simply
returns cert.subject.cn "/" cert.subject.ou (where the UDID was populated),
and then use a DAP to verify that anyconnect.deviceuniqueid and aaa.cisco.username match (i.e. the UDID from AnyConnect and what is in the cert):
assert(function()
    local match_pattern = endpoint.anyconnect.deviceuniqueid
    local match_value = aaa.cisco.username
    -- Returns false when the UDID is found inside the username value(s), true otherwise.
    if (type(match_value) == "string") then
        if (string.find(match_value, match_pattern) ~= nil) then
            return false
        end
    elseif (type(match_value) == "table") then
        for k, v in pairs(match_value) do
            if (string.find(v, match_pattern) ~= nil) then
                return false
            end
        end
    end
    return true
end)()
-
We are trying to use HTTPS client certificate based authentication to access a Java applet in Firefox v21.0. We have followed the instructions as per the below two URLs to enable JSS 4:
https://developer.mozilla.org/en-US/docs/JSS/Using_JSS
http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/keystores.html
http://download.java.net/jdk8/docs/technotes/guides/deployment/deployment-guide/keystores.html
We are using JRE version 1.7.0_25-b16 Java HotSpot(TM) Client VM in Firefox v21 but we are getting:
security: Accessing keys and certificate in Mozilla user profile: null
security: JSS is not configured
followed by an SSL handshake failure when trying to load the client certificate.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.connect(Unknown Source)
at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source)
at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source)
at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
The client cert based authentication is working when using IE v8 and IE v9 with the same JRE version (JRE version 1.7.0_25-b16 Java HotSpot(TM) Client VM).
Any help to resolve this issue will be very much appreciated.
Thank you for your response.
Yes, we have added the client certificate file (.pfx) in the Firefox browser Certificate Manager / store. It's also showing the certificate in the View Certificate window. We could not resolve it yet.
-
Expiring Exchange certs on a SBS 2011 Standard server
We have many servers running SBS 2011 standard. On one particular server (which just passed the three year mark this past weekend) we are seeing MSExchangeTransport Event ID 12015 and 12016, telling us that an internal transport certificate has expired.
Based upon research, using the Get-ExchangeCertificate command, I have found that there are five different thumbprints indicating certificates. We currently have a commercial 5 year cert for the web user interface and AD synchronization.
Looking at the results of Get-ExchangeCertificate | fl, I can see that the first certificate (server.domain.local) goes from 4/10/2014 to 4/10/2015, the second (remote.domainname.com) goes from 8/16/2011 to 8/16/2016 (this is the commercial cert), the third goes from 8/15/2011 to 8/12/2021, the fourth (this is the thumbprint referenced in the 12015 error) goes from 8/15/2011 to 8/14/2013 and the fifth goes from 8/15/2011 to 8/14/2013.
Reviewing the event log shows that the fifth certificate (also expired) is never referenced.
Several accepted answers on TechNet and other sites show that running Fix My Network will correct the problem, but running FMN on this server just shows me that my DHCP server is not running (which it is) and it wants me to create a static IPv6 address (which it did not accomplish).
What is the best way to fix a problem where important self-signed certificates expire after only two years?
Randy
MCP SBSC
Hi Randy,
I suggest running the following command to get the self-signed certificates on your Exchange 2010 server:
Get-ExchangeCertificate | FL
Please collect the certificate whose "IsSelfSigned" parameter value is True.
If it is not expired, please bind the existing certificate to the IIS and SMTP services. Detailed command as below:
Get-ExchangeCertificate -Thumbprint XXXXX876C45D19BA885E9FA96C48DD0C7DCXXXXX | Enable-ExchangeCertificate -Services "IIS,SMTP"
If it is expired, I suggest re-creating a new one. Detailed command as below:
Get-ExchangeCertificate -Thumbprint XXXXX876C45D19BA885E9FA96C48DD0C7DCXXXXX | New-ExchangeCertificate -Services "IIS,SMTP,IMAP,POP"
Please note, the Thumbprint in the example above is from the result of running the Get-ExchangeCertificate | FL command.
Since SBS is different from Exchange Server, I also suggest asking the SBS forum to double-confirm this issue so that you can get more professional suggestions. For your convenience:
http://social.technet.microsoft.com/Forums/en-US/home?forum=smallbusinessserver
Please correct me if there is any misunderstanding.
Thanks
Mavis
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Mavis Huang
TechNet Community Support
-
Need Help with fixing our Address book in Lync 2013 (cert issue?)
Updated our external (DigiCert) certificate last month. Tried doing it with the Certificate Wizard but it failed and disconnected all our users from Lync. Had to restore the snapshot to get it to work. Did some googling and found that I could just update IIS with the new cert and all is good... YAY! (or so I thought....)
Since then users are no longer able to download the address books (galcontacts etc).
If I put my client policy to websearchonly I can't look up anyone either.
If I run test-csaddressbookwebquery it fails with a 500 internal server error.
If I look at the IIS logs on the front end server I see many POST /groupexpansion/service.svc/WebTicket_Bearer lines getting 500 errors as well.
Also in the IIS logs /WebTicket/WebTicketService.svc/cert is 200 (OK?)
Also in the IIS logs when what I think are requests to get the delta files for the address book GET /abs/handler/C-13e1-13f8.lsabs gives a 401 error.
Finally (?) get-cscertificate lists 2 certs (both from our internal CA). One is used for Default, WebservicesInternal, WebservicesExternal and the other is the OAuthTokenIssuer.
Any thoughts would be really great... I have been banging on this since Tuesday.
What are you using as a reverse proxy? Sounds like your Front End was only using internal CA certs, so if they haven't expired you shouldn't need to change the cert assignment. Install the new DigiCert certificate on your reverse proxy (guessing the Edge probably expired as well?, so that cert will need to be updated). On the Front End run the Certificate Wizard and assign the corresponding internal certs to the services to correct the changes you did in IIS.
My guess was the Certificate Wizard didn't like you assigning the DigiCert cert to the Webservices Internal and Default services due to an internal namespace or missing SAN entries.
You can use DigiCert's certutil on the server: https://www.digicert.com/util/ to validate certificate installation (how to test private key and revocation list: http://www.digicert.com/util/utility-test-private-key-and-revocation-status.htm).
Please mark posts as answers/helpful if it answers your question.
Blog
Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.
-
Jabber and Messages: error with cert
Hi all,
Since upgrading to Mavericks, I'm not able to connect to my company's Jabber server. I get a cert error, even after I've trusted the cert. All Mavericks users at our company are having the same problem, so the problem isn't just on my computer. I've enclosed a screen shot of the error.
Is anyone else having the same problem? The same setup - Jabber and Messages - works fine in Mountain Lion and previous OS versions.
Thanks!
Hi,
Look at item 4 in this article
http://support.apple.com/kb/TS3970
Some people deliberately alter this file to prevent some apps from "phoning home"
If I am reading this Cert info correctly you are one of the companies that someone might block.
9:58 pm Monday; November 4, 2013
iMac 2.5Ghz 5i 2011 (Mavericks 10.9)
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb (Snow Leopard 10.6.8)
Mac OS X (10.6.8),
Couple of iPhones and an iPad
-
Java.security.cert.CertificateException
Hi,
I am using a Java client to connect to an HTTPS server which uses certificates for authentication.
The server uses gSOAP certificates for client authentication and encryption of messages.
I am using JSSE coming along with JDK1.6 and generated keystore file from client.pem and cacert.pem files used by the server.
I need to send SOAP messages with attachments.
I am using SAAJ API with JDK 1.6 .
When I try to connect to the server through javax.xml.soap.SOAPConnection, I am getting java.security.cert.CertificateException. Please see the exception below.
Note: the server is responding properly to the SOAP UI tool (Java testing tool) with certificate authentication.
I have enabled debug option in SSL.
E:\test\properties\storefile.jks
keyStore is : E:\test\properties\storefile.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: E:\test\properties\storefile.jks
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Sat Oct 02 22:38:06 IST 2004 until Tue Oct 02 22:38:06 IST 2007
adding as trusted cert:
Subject: [email protected], CN=localhost, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
Algorithm: RSA; Serial number: 0x7
Valid from Sun Dec 25 01:01:53 IST 2005 until Wed Dec 24 01:01:53 IST 2008
adding as trusted cert:
Subject: [email protected], CN=localhost, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
Algorithm: RSA; Serial number: 0x8
Valid from Sun Dec 25 01:03:13 IST 2005 until Wed Dec 24 01:03:13 IST 2008
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1155448094 bytes = { 120, 70, 246, 123, 195, 47, 61, 191, 223, 241, 23, 204, 98, 143, 212, 251, 80, 10, 100, 183, 82, 82, 215, 228, 212, 47, 68, 224 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
Thread-3, WRITE: TLSv1 Handshake, length = 73
Thread-3, WRITE: SSLv2 client hello message, length = 98
Thread-3, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie: GMT: 1155531752 bytes = { 248, 141, 63, 154, 117, 213, 184, 250, 239, 237, 26, 225, 175, 38, 151, 65, 101, 127, 134, 46, 180, 80, 153, 133, 215, 120, 102, 11 }
Session ID: {100, 201, 98, 232, 113, 191, 163, 129, 1, 101, 251, 29, 233, 245, 144, 203, 231, 208, 202, 248, 160, 99, 84, 248, 86, 16, 235, 234, 20, 73, 231, 148}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
Thread-3, READ: TLSv1 Handshake, length = 1868
*** Certificate chain
chain [0] = [
Version: V3
Subject: [email protected], CN=localhost, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 144881101064455404788814091404981462608080902688277626878350142057531273562236240952084735254146287262789443540177122740514352105900513219519909051335421867736741713195463254360663999239941476817345303119999799829037388457231058611674562175705514528085594563474765367007497034178272408363177194954006361904887
public exponent: 65537
Validity: [From: Sun Dec 25 01:03:13 IST 2005,
To: Wed Dec 24 01:03:13 IST 2008]
Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
SerialNumber: [ 08]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3D C1 C8 B5 19 17 C3 8C 12 64 3C 05 C3 22 EE 7B =........d<.."..
0010: BA 27 B4 C1 .'..
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: E0 CC 88 8B 41 A0 21 4A A4 61 18 67 27 61 A0 C9 ....A.!J.a.g'a..
0010: 49 95 77 CA I.w.
[[email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US]
SerialNumber: [ 00]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [SHA1withRSA]
Signature:
chain [1] = [
Version: V3
Subject: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 106482211752195899275275639329238789380560290379431640534106480581317795742917955972475513891969031216742557266096088552725987675210922796797720103531106400345818891764659480805498923495886457178236281557583158652266656923442983245641013901721295378444704296581436391012531718274035287004196101203604693764023
public exponent: 65537
Validity: [From: Sat Oct 02 22:38:06 IST 2004,
To: Tue Oct 02 22:38:06 IST 2007]
Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
SerialNumber: [ 00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E0 CC 88 8B 41 A0 21 4A A4 61 18 67 27 61 A0 C9 ....A.!J.a.g'a..
0010: 49 95 77 CA I.w.
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: E0 CC 88 8B 41 A0 21 4A A4 61 18 67 27 61 A0 C9 ....A.!J.a.g'a..
0010: 49 95 77 CA I.w.
[[email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US]
SerialNumber: [ 00]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [SHA1withRSA]
Signature:
Feb 24, 2007 9:50:47 AM com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
SEVERE: SAAJ0009: Message send failed
com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
at SOAPConnector$1.run(SOAPConnector.java:145)
Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
at java.security.AccessController.doPrivileged(Native Method)
Found trusted certificate:
Thread-3, SEND TLSv1 ALERT: fatal, description = certificate_unknown
Thread-3, WRITE: TLSv1 Alert, length = 2
Thread-3, called closeSocket()
Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
... 2 more
Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(Unknown Source)
... 3 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
... 5 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(Unknown Source)
at sun.security.util.HostnameChecker.match(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 17 more
Any help is appreciated.
Did you find the solution for the issue? I am using JSCAPE now...
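The cause of the "No subject alternative names present" failure in the trace above is visible in the frames: HostnameChecker.matchIP is running, so the client connected by IP literal, and JSSE will only match an IP literal against an iPAddress entry in the Subject Alternative Name extension, never against the CN. The following is an added example, not code from the thread or from JSCAPE, that reproduces that identity check offline against the server's certificate file; the file path and host string are whatever the reader passes on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not from the thread): re-creates the identity check that JSSE's
 * HostnameChecker performs, so a "No subject alternative names present" failure
 * can be reproduced with just the certificate and the host string from the URL.
 * Assumed inputs: args[0] = server certificate (PEM or DER), args[1] = host as dialed.
 */
public class SanChecker {

    private static final int SAN_DNS_NAME = 2;   // GeneralName tag dNSName
    private static final int SAN_IP_ADDRESS = 7; // GeneralName tag iPAddress

    /** IP literals need an iPAddress SAN; names match dNSName, or the CN when no dNSName exists. */
    public static boolean hostMatches(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        boolean hostIsIp = looksLikeIpLiteral(host);

        if (sans == null) {
            // This is the branch the stack trace hit: an IP literal is never compared with the CN.
            return !hostIsIp && dnsMatches(subjectCn(cert), host);
        }
        boolean sawDnsName = false;
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if (!(san.get(1) instanceof String)) continue; // otherName etc. come back as byte[]
            String value = (String) san.get(1);
            if (hostIsIp && type == SAN_IP_ADDRESS && value.equalsIgnoreCase(host)) return true;
            if (!hostIsIp && type == SAN_DNS_NAME) {
                sawDnsName = true;
                if (dnsMatches(value, host)) return true;
            }
        }
        // The CN fallback only applies when the certificate carries no dNSName entries at all.
        return !hostIsIp && !sawDnsName && dnsMatches(subjectCn(cert), host);
    }

    private static boolean looksLikeIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.indexOf(':') >= 0;
    }

    /** A wildcard is honoured only as the whole left-most label, e.g. "*.example.test". */
    static boolean dnsMatches(String pattern, String host) {
        if (pattern == null) return false;
        pattern = pattern.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1); // ".example.test"
        return host.endsWith(suffix) && host.indexOf('.') == host.length() - suffix.length();
    }

    private static String subjectCn(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String host = args[1];
        boolean ok = hostMatches(cert, host);
        System.out.println("subject CN : " + subjectCn(cert));
        System.out.println("SAN entries: " + cert.getSubjectAlternativeNames());
        System.out.println(host + (ok ? " is covered" : " is NOT covered") + " by this certificate");
        if (!ok && looksLikeIpLiteral(host) && cert.getSubjectAlternativeNames() == null) {
            System.out.println("Fix: connect by the DNS name in the CN, or reissue the cert with an iPAddress SAN.");
        }
    }
}
```

The two remedies the check points at are the only safe ones: put the certificate's DNS name in the URL (and make DNS resolve it), or have the certificate reissued with the address as an iPAddress SAN. Replacing the trust manager or hostname verifier to skip this check removes the only protection against a man-in-the-middle presenting a certificate for a different name.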
-
Java.security.cert.CertificateException: Untrusted Cert Chain
Hi all,
While sending a transaction to our supplier I am facing the error below. Actually our trading partner has given a .p7b cert, I converted it into base 64 and I'm using it in the B2B server. I am doing the same with all the suppliers but I am facing the issue with only this trading partner. I asked him to send a new trusted certificate but he said that he has hundreds of customers, all using the same certificate.
Error
http.sender.timeout=0
2010.05.20 at 10:52:20:711: Thread-19: B2B - (DEBUG) scheme null userName null realm null
2010.05.20 at 10:52:22:159: Thread-19: B2B - (WARNING)
Message Transmission Transport Exception
Transport Error Code is OTA-HTTP-SEND-1006
StackTrace oracle.tip.transport.TransportException: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
at oracle.tip.transport.TransportException.create(TransportException.java:91)
at oracle.tip.transport.basic.HTTPSender.send(HTTPSender.java:627)
at oracle.tip.transport.b2b.B2BTransport.send(B2BTransport.java:311)
at oracle.tip.adapter.b2b.transport.TransportInterface.send(TransportInterface.java:1034)
at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequestPostColab(Request.java:1758)
at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequest(Request.java:976)
at oracle.tip.adapter.b2b.engine.Engine.processOutgoingMessage(Engine.java:1167)
at oracle.tip.adapter.b2b.transport.AppInterfaceListener.onMessage(AppInterfaceListener.java:141)
at oracle.tip.transport.basic.FileSourceMonitor.processMessages(FileSourceMonitor.java:903)
at oracle.tip.transport.basic.FileSourceMonitor.run(FileSourceMonitor.java:317)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Cert Chain
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:112)
at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3018)
at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2843)
at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:2635)
at HTTPClient.HTTPConnection.Post(HTTPConnection.java:1107)
at oracle.tip.transport.basic.HTTPSender.send(HTTPSender.java:590)
... 8 more
Caused by: java.security.cert.CertificateException: Untrusted Cert Chain
at oracle.security.pki.ssl.C21.checkClientTrusted(C21)
at oracle.security.pki.ssl.C21.checkServerTrusted(C21)
at oracle.security.pki.ssl.C08.checkServerTrusted(C08)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
... 21 more
2010.05.20 at 10:52:22:164: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.transport.TransportInterface:send Error in sending message
2010.05.20 at 10:52:22:168: Thread-19: B2B - (INFORMATION) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequestPostColab Request Message Transmission failed
2010.05.20 at 10:52:22:170: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Enter
2010.05.20 at 10:52:22:173: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Transaction.begin()
2010.05.20 at 10:52:22:176: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Leave
2010.05.20 at 10:52:22:179: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequestPostColab [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
Untrusted Cert Chain
2010.05.20 at 10:52:22:226: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.engine.Engine:notifyApp retry value <= 0, so sending exception to IP_IN_QUEUE
2010.05.20 at 10:52:22:232: Thread-19: B2B - (DEBUG) Engine:notifyApp Enter
2010.05.20 at 10:52:22:248: Thread-19: B2B - (DEBUG) notifyApp:notifyApp Enqueue the ip exception message:
<Exception xmlns="http://integration.oracle.com/B2B/Exception" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<correlationId>543222</correlationId>
<b2bMessageId>543222</b2bMessageId>
<errorCode>AIP-50079</errorCode>
<errorText>Transport error: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
Untrusted Cert Chain</errorText>
<errorDescription>
<![CDATA[Machine Info: (usmtnz-sinfwi02)Transport error: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
Untrusted Cert Chain ]]>
</errorDescription>
<errorSeverity>2</errorSeverity>
</Exception>
2010.05.20 at 10:52:22:298: Thread-19: B2B - (DEBUG) Engine:notifyApp Exit
2010.05.20 at 10:52:22:301: Thread-19: B2B - (DEBUG) DBContext commit: Enter
2010.05.20 at 10:52:22:307: Thread-19: B2B - (DEBUG) DBContext commit: Transaction.commit()
2010.05.20 at 10:52:22:310: Thread-19: B2B - (DEBUG) DBContext commit: Leave
2010.05.20 at 10:52:22:313: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequest Exit
2010.05.20 at 10:52:22:317: Thread-19: B2B - (INFORMATION) oracle.tip.adapter.b2b.engine.Engine:processOutgoingMessage:
***** REQUEST MESSAGE *****
Exchange Protocol: AS2 Version 1.1
Transport Protocol: HTTPS
Unique Message ID: <543222@EMRSNS>
Trading Partner: ZZEASY_PROD
Message Signed: RSA
Payload encrypted: 3DES
Attachment: None
Hi CNU,
1st they has given me in .p7b certificate
Is it a self-signed certificate? If not, do you have the CA certs as well?
Open the certificate by double clicking on it. If the "Issued To" and "Issued By" fields are the same then it is a self-signed cert and you need to import only this cert (in base64 format) into the wallet.
If it is not a self-signed cert then open the certificate and click on the "Certification Path" tab. You should be able to see the issuer's certificate here. Make sure that you have imported all issuer certificates along with your TP's cert in the wallet. Moreover, check that all the certs (TP cert and its issuer certs) are valid in terms of dates. You can see the "Certificate status" in the "Certification Path" tab of the certificate.
Please provide the certificate chain details here along with list of certs in wallet (you may mail it to my id as well - [email protected])
Regards,
Anuj -
AD password change comes up, user changes password.
Tries to send signed or encrypted email with a Comodo S/MIME certificate, and gets the following error:
""An error occurred in the underlying security system. Key not valid for us in specified state."
I now have two reports of this error - one on Windows 7, and one on Windows 8.0 (remote user).
The one on Windows 8.0, we tried removing their S/MIME cert from Outlook/Windows and re-adding, this did NOT resolve the issue.
Plan was originally to have the 8.0 user ship their machine in, and wipe it, since nothing else could fix it and I wasn't finding anyone else with the same issue. Now that I've got a second user with the same issue, it's looking like a bug/issue and not a random glitch.
Thanks in advance for any and all help with this!
Hi,
Thank you for your question.
I am trying to involve someone familiar with this topic to further look at this issue.
Thanks,
Melon Chen
Forum Support
-
OBIEE 11g SSL Configuration Issue : Unable to import the Server certs
Hello All,
We are trying to configure OBIEE 11.1.1.6.0 with SSL using Windows server 2003 (IIS) and facing some issues with that.
Followed the document : OBIEE11g SSL Setup and Configuration [1326781.1]
http://obieedue.blogspot.sg/2012/08/obiee11g-ssl-setup-and-configuration.html
and also completed generating the required certificate signing request and keystores for SSL communication and sent it to the CA (IT Admin team) to have the certificate signed by the CA. The issue comes when I am trying to import the CA certificate (Root certificate) and Server Certificate into the Java Keystore.
I am importing the Root CA Certificate first which is successfully added to the keystore.
keytool -import -trustcacerts -alias mycacert -file cacert.pem -keystore mykeystore.jks -storepass Welcome1
Trust this certificate? [no]: yes
Certificate was added to keystore.
But when trying to add the Server Certificate to the keystore using the command below :
keytool -import -v -alias testserver -file server.cer -keystore mykeystore.jks -keypass Welcome1 -storepass Welcome1
Certificate reply was installed in keystore
I get the following error:
keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
Read many forums and tried to convert it to the PKCS#7 format and import the cert to the identity keystore, but was not successful in that either. I have also checked with the IT Admin team and found there is only one RootCA and no other intermediate CA's.
Please advise if anyone has had similar issues or suggestions.
Thanks in advance,
SVS
Hi,
One obvious reason would be that you did not specify -trustcacerts, and the root CA is not included in the present server keystore. In that case, using the -trustcacerts option would solve the problem, if the root CA is indeed in the JDK cacerts.
To print out the certificates present in the JDK cacerts, use the following command:
keytool -list -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -v
Then check if the root CA that signed your server certificate is present, and has not expired (in which case, you would need to re-import a newer one into cacerts).
Another common reason for that error message is when you have used a proprietary CA to sign your server certificate. Then it would obviously not be in the JDK cacerts. The solution in that case is to import your proprietary root CA into the JDK cacerts, using the following command:
keytool -import -keystore <JAVA_HOME>/jre/lib/security/cacerts -file yourRootCA.pem -storepass changeit -alias youralias
A third reason for that error message is when your server was signed by an intermediate certificate. In that case, you would have received from your CA a chain of certificates. One way to solve this (not the only one, but this one works well): Prepend your intermediate CA file to your server cert file, and import the obtained concatenated file into the server keystore. Be careful, the intermediate CA must be BEFORE the server cert. Example:
copy rootca.cer certchain.p7b
type server.cer >> certchain.p7b
The file certchain.p7b will be the concatenation of the intermediate CA and the signed server cert. Then import the newly created file under the key alias as follows:
keytool -import -keystore serverks.jks -file certchain.p7b -alias yourkey -trustcacerts
If you only prepend the intermediate root CA, you must make sure the final root CA is in cacerts. But you can also prepend your whole chain of trust inside the server keystore.
Regards,
Kal -
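Both of the last two threads ("Untrusted Cert Chain" from the B2B trust manager and keytool's "Failed to establish chain from reply") come down to the same question Anuj and Kal answer by hand: starting from the end-entity certificate, can every issuer be found, with a verifying signature and valid dates, until a certificate in the trust store is reached? The following is an added example, not code from the threads, from Oracle B2B or from keytool, that performs that PKIX path build the way the JDK does and, when it fails, walks the chain to name the certificate that is missing or expired. The certificate file may be PEM, DER or PKCS#7 (.p7b); the trust store is a JKS/PKCS12 file such as the JDK cacerts or a wallet's certificates exported to one; all paths and the password are placeholders taken from the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not from either thread): does what the JSSE trust manager and
 * keytool -import do when they report "Untrusted Cert Chain" or "Failed to
 * establish chain from reply", then names the certificate that is actually missing.
 * Assumed inputs: args[0] = cert file (PEM, DER or .p7b), args[1] = trust store,
 * args[2] = trust store password. All three are placeholders chosen by the caller.
 */
public class ChainDiagnoser {

    /** CertificateFactory accepts a single cert, a PEM bundle or a PKCS#7 bag. */
    public static List<X509Certificate> loadCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
        }
        return out;
    }

    /** Equal subject and issuer is not enough: the signature must verify with the cert's own key. */
    public static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    /** The end-entity cert is the one that issues no other cert in the file. */
    public static X509Certificate leafOf(List<X509Certificate> certs) {
        for (X509Certificate cand : certs) {
            boolean issuesAnother = false;
            for (X509Certificate other : certs) {
                if (other != cand && other.getIssuerX500Principal().equals(cand.getSubjectX500Principal())) issuesAnother = true;
            }
            if (!issuesAnother) return cand;
        }
        return certs.get(0);
    }

    /** PKIX path building as the trust manager does it (revocation is a separate check). */
    public static CertPath buildPath(List<X509Certificate> certs, KeyStore trust) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leafOf(certs));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs)));
        params.setRevocationEnabled(false);
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    /** Looks for the issuer in the file first, then in the trust store; its key must verify the signature. */
    static X509Certificate findIssuer(X509Certificate c, List<X509Certificate> certs, KeyStore trust) throws Exception {
        List<X509Certificate> pool = new ArrayList<>(certs);
        for (Enumeration<String> aliases = trust.aliases(); aliases.hasMoreElements();) {
            Certificate t = trust.getCertificate(aliases.nextElement());
            if (t instanceof X509Certificate) pool.add((X509Certificate) t);
        }
        for (X509Certificate cand : pool) {
            if (!cand.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
            try { c.verify(cand.getPublicKey()); return cand; } catch (Exception ignored) { }
        }
        return null;
    }

    public static String diagnose(List<X509Certificate> certs, KeyStore trust) throws Exception {
        try {
            CertPath path = buildPath(certs, trust);
            return "OK: " + path.getCertificates().size() + " cert(s) chain to an anchor in the trust store\n";
        } catch (CertPathBuilderException e) {
            StringBuilder sb = new StringBuilder("FAILED: " + e.getMessage() + "\n");
            X509Certificate cur = leafOf(certs);
            for (int depth = 0; depth < 10; depth++) { // bounded walk up the chain
                String subject = cur.getSubjectX500Principal().getName();
                try { cur.checkValidity(); } catch (CertificateException ex) { sb.append("  expired/not yet valid: " + subject + "\n"); }
                if (isSelfSigned(cur)) {
                    sb.append(trust.getCertificateAlias(cur) != null ? "  root is in the trust store: " : "  self-signed root NOT in the trust store, import it: ");
                    sb.append(subject + "\n");
                    break;
                }
                X509Certificate issuer = findIssuer(cur, certs, trust);
                if (issuer == null) {
                    sb.append("  issuer missing from both file and trust store: " + cur.getIssuerX500Principal().getName() + "\n");
                    break;
                }
                cur = issuer;
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { trust.load(in, args[2].toCharArray()); }
        System.out.print(diagnose(loadCerts(args[0]), trust));
    }
}
```

Run it once against the partner's .p7b and the wallet or cacerts, and once against the concatenated reply file and the server keystore; the line it prints for the first missing issuer is the certificate to import. When the only problem is an expired certificate in the chain, re-importing the same chain will not help, and a new certificate has to be obtained from the issuer.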
Web service call with v3 client cert in CF8
I'm trying to call an external web service which requires a v3 client certificate be installed on our end. Our code platform is CF8, which I understand supports v3 certs. I've imported the external party's client cert into the CF server's cert store (cacerts) via keytool, and confirmed it's there. I've restarted the CF server. How do I attach the certificate to the cfhttp call to the external web service? I figure I can use a cfhttpparam, but am not sure what type to use, and what the value should be. Thanks in advance.
DrewBlah wrote:
> I'm trying to call an external web service which requires a v3 client certificate be installed on our end. Our code platform is CF8, which I understand supports v3 certs. I've imported the external party's client cert into the CF server's cert store (cacerts) via keytool, and confirmed it's there.
You should not import the client certificate, but the server certificate:
http://www.talkingtree.com/blog/index.cfm/2004/7/1/keytool
http://jochem.vandieten.net/2008/02/28/cfhttp-and-client-certificates/
> I've restarted the CF server. How do I attach the certificate to the cfhttp call to the external web service? I figure I can use a cfhttpparam, but am not sure what type to use, and what the value should be. Thanks in advance.
The certificate for the HTTP call should be on the filesystem in PKCS#12 format. Then use the following code:
<cfset variables.certificatePath = ExpandPath("certificate.pkcs") />
<cfset variables.certificatePass = "fillOutYourOwnPassword" />
<cfset variables.webserviceURL = "https://server/service" />
<cfsavecontent variable="theSoap">
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="https://server/service">
<soapenv:Header/>
<soapenv:Body>
<ns:GetXXX>
<xxx>YYY</xxx>
</ns:GetXXX>
</soapenv:Body>
</soapenv:Envelope>
</cfsavecontent>
<!--- the SOAP envelope goes in the request body, so the call must be a POST --->
<cfhttp url="#variables.webserviceURL#" clientCert="#variables.certificatePath#" clientCertPassword="#variables.certificatePass#" method="post" port="443">
<cfhttpparam type="header" name="Connection" value="Keep-Alive">
<cfhttpparam type="header" name="SOAPAction" value="service">
<cfhttpparam type="xml" value="#theSoap#">
</cfhttp>
<cfdump var="#XMLParse(cfhttp.filecontent)#">
Jochem
Jochem van Dieten
Adobe Community Expert for ColdFusion -
Web App Security Fallback (client-cert then form-based)
Can you setup a web application to fall back to form-based login if the
client-cert (i.e. identity assertion token) is not available. I think this
would be very valuable because once you've configured the web app to use the
"client-cert" authentication, you can't access the web app directly (i.e.
browser->weblogic server). You will always need to go through the perimeter
authenticator so the token gets sent.
Solution found:
The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
In your web.xml, forward your 401 code to login page:
<error-page>
<error-code>401</error-code>
<location>/form_login_page.html</location>
</error-page>
There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works -
Client-cert auth impl in web.xml does not work in Oracle Application Server
Hi,
I am new to implementing security features on web applications. I have developed a new web service using jdev1012 and deployed it in OAS 10.1.2. It's working fine according to the business requirements, but I need to implement client-cert authentication to make the web service available only to those who have a client certificate.
My server details are:
Oracle Application Server 10g Release 2 (10.1.2)
Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
<security-constraint>
<display-name>SecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WSCollection</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
</login-config>
It is not working as expected, though I have restarted my oc4j container after including this content in the web.xml file, i.e. I am able to invoke the web service through my sample Java client program, though I do not have a client certificate/keystore.
I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
Thanks,
Ms
I am having the same problem with doc and xsl. I have added this
<mime-mapping>
<extension>xls</extension>
<mime-type>application/vnd.ms-excel</mime-type>
</mime-mapping>
<mime-mapping>
<extension>doc</extension>
<mime-type>application/msword</mime-type>
</mime-mapping>
to my web.xml. I even restarted the server. I still see doc and xsl in binary.
Is there some other setting that needs to take place?
I am using WL6.1 with fixpack 1.
I can see the doc and excel files in the browser if I don't go through the weblogic
server. That just confirms it's not my browser.
Kumar Allamraju <[email protected]> wrote:
It works fine for me in 6.1 SP1.
If the following doesn't work, can you try application/winword instead of application/msword?
--
Kumar
Siming Mu wrote:
Hi,
I setup in my web.xml a mime mapping as follows,
<mime-mapping>
<extension>doc</extension><mime-type>application/msword</mime-type>
</mime-mapping>
When I specify a test.doc url, the doc file appears in my browser as binary data instead of download.
Please reference change request 055002, which describes this problem. According to edocs, it has been fixed in wls6.1sp1.
But I am seeing it fixed. Am I doing anything wrong? Thanks.
Siming -
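The two client-certificate threads above (the form-login fallback that returns 401 when no token arrives, and the CLIENT-CERT constraint that OAS was not enforcing) both need the application itself to find out whether a usable client certificate was presented on the TLS connection. The servlet container exposes that chain as the request attribute javax.servlet.request.X509Certificate. The following is an added example, not code from either thread or from WebLogic/OAS: a filter that checks the chain and answers 401 when it is absent or not issued by the expected CA, which, with the error-page mapping shown above, lands the browser on the form login page, and which also works as a defence-in-depth gate when the container's own constraint is misconfigured. It assumes the Servlet API (2.x or later) and Java 7+, an init-param named issuerCert pointing at the CA certificate inside the web application, and a connector configured to request client certificates; all of those names are this example's own choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the threads): an in-application client-certificate gate.
 * No valid certificate -> HTTP 401, which the <error-page> mapping turns into the
 * form login page; a valid one -> the subject DN is exposed to the application.
 * Assumed: init-param "issuerCert" (e.g. /WEB-INF/client-ca.pem, a placeholder path)
 * holds the CA certificate that issued acceptable client certificates.
 */
public class ClientCertGateFilter implements Filter {

    /** Standard attribute name from the Servlet specification; the value is X509Certificate[]. */
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private X509Certificate issuer;
    private ServletContext ctx;

    public void init(FilterConfig cfg) throws ServletException {
        ctx = cfg.getServletContext();
        String path = cfg.getInitParameter("issuerCert");
        try (InputStream in = ctx.getResourceAsStream(path)) {
            if (in == null) throw new ServletException("issuerCert resource not found: " + path);
            issuer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (ServletException e) {
            throw e;
        } catch (Exception e) {
            throw new ServletException("cannot load issuer certificate", e);
        }
    }

    /** Decision logic kept free of container types so it can be unit-tested; null means accept. */
    public static String rejectReason(X509Certificate[] chain, X509Certificate issuer) {
        if (chain == null || chain.length == 0) return "no client certificate presented";
        X509Certificate leaf = chain[0]; // chain[0] is the client's own certificate
        try { leaf.checkValidity(); } catch (Exception e) { return "client certificate outside its validity period"; }
        if (!leaf.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return "unexpected issuer";
        try { leaf.verify(issuer.getPublicKey()); } catch (Exception e) { return "signature does not verify against the issuer"; }
        return null;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String reason = rejectReason(certs, issuer);
        if (reason != null) {
            ctx.log("client-cert gate rejected " + request.getRemoteAddr() + ": " + reason);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // error-page 401 -> form login
            return;
        }
        request.setAttribute("clientCertSubject", certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Register it in web.xml with a filter element naming this class and a filter-mapping whose url-pattern covers the protected resources (the same /* as the security constraint). The issuer check matters: a connector that merely requests a certificate may accept any chain its trust store can build, so the filter pins the application to the one CA that is supposed to issue its clients' certificates.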
Using keytool to generate self signed cert. for Microsft Certificate Mrg.
Hi All,
I want to be able to generate a self signed certificate that I can Import into
Microsoft's Certificate Manager, to enable an HTTPS Listener for
Microsoft's WinRM and WinRS.
The certificate would only be for internal use, not used externally.
Here's the problem. I can create a certificate using this (path obscured):
"C:\Program Files\.....\jre\bin\keytool" -genkey -alias dMobX -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=your-f5c5780353" -keypass changeit -validity 90 -storetype pkcs12 -keystore "C:\Program Files\......\jre\lib\keystore\.keystore" -storepass changeit
"C:\Program Files\......\jre\bin\keytool" -export -alias dMobX -file "C:\Program Files\......\jre\lib\keystore\dMobX.cer" -storetype pkcs12 -keystore "C:\Program Files\.......\jre\lib\keystore\.keystore" -storepass changeit -v
Microsoft's Certificate Manager will accept it, the .cer, using "Import", into
Trusted Root Certification Authorities, but when I run the command to create the HTTPS Listener, I get this error message:
The WS-Management service cannot find the certificate that was requested.
If I use another tool, like selfssl, I can generate a self signed certificate using:
selfssl /N:CN=your-f5c5780353 /K:1024 /V:90 /P:443 /T
This will populate a certificate in Trusted Root Certification Authorities,
and when I run the command to create the HTTPS Listener, it succeeds with
no problem.
So my question is, am I doing something wrong with keytool, or are there
extra steps that I need to take, or is it even capable of generating a "self signed
certificate" that will work in the above case?
There are some concepts involved, certificate wise, that I'm not sure about.
Do I need to create a CSR and use a tool like openssl, as a CA, and
use the resulting certificate?
I just want to be able to programmatically create the needed certificate using keytool, or
using an API.
Thanks,
Download the latest JDK on http://download.java.net/jdk7/binaries/.
Run "keytool -genkeypair -ext KU=? -ext EKU=? ...". Substitute the "?" with the usages you see in the other cert (for example, "digitalSignature" or "codeSigning"; if there are multiple ones, separate them with commas). -
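The reply leaves the reader to read the key usages off the working certificate by hand. The following is an added example, not code from the thread and not part of keytool, that reads the Key Usage, Extended Key Usage, Subject Alternative Name and Basic Constraints extensions of a certificate exported from the Windows store (the selfssl one, for instance) and prints them in the -ext syntax that keytool -genkeypair accepts (JDK 7 and later), so the "?" can be filled in exactly. The only input is the certificate file path passed as a command-line argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not from the thread): prints the keytool -ext arguments that
 * reproduce the usages of an existing certificate.
 * Assumed input: args[0] = path of a DER or PEM encoded certificate.
 */
public class KeytoolExtArgs {

    // Order of the boolean[] returned by X509Certificate.getKeyUsage(), with keytool's spelling.
    private static final String[] KU_NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly" };

    // Extended key usage OIDs (RFC 5280, 4.2.1.12) and the names keytool accepts for them.
    private static final Map<String, String> EKU_NAMES = new HashMap<>();
    static {
        EKU_NAMES.put("1.3.6.1.5.5.7.3.1", "serverAuth");
        EKU_NAMES.put("1.3.6.1.5.5.7.3.2", "clientAuth");
        EKU_NAMES.put("1.3.6.1.5.5.7.3.3", "codeSigning");
        EKU_NAMES.put("1.3.6.1.5.5.7.3.4", "emailProtection");
        EKU_NAMES.put("1.3.6.1.5.5.7.3.8", "timeStamping");
        EKU_NAMES.put("1.3.6.1.5.5.7.3.9", "OCSPSigning");
    }

    public static String keyUsageArg(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage(); // null when the extension is absent
        if (ku == null) return null;
        List<String> names = new ArrayList<>();
        for (int i = 0; i < ku.length && i < KU_NAMES.length; i++) if (ku[i]) names.add(KU_NAMES[i]);
        return names.isEmpty() ? null : "-ext KU=" + String.join(",", names);
    }

    public static String extendedKeyUsageArg(X509Certificate cert) throws Exception {
        List<String> oids = cert.getExtendedKeyUsage(); // null when absent
        if (oids == null || oids.isEmpty()) return null;
        List<String> names = new ArrayList<>();
        for (String oid : oids) names.add(EKU_NAMES.getOrDefault(oid, oid)); // keytool also takes raw OIDs
        return "-ext EKU=" + String.join(",", names);
    }

    public static String sanArg(X509Certificate cert) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when absent
        if (sans == null) return null;
        List<String> parts = new ArrayList<>();
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if (type == 2) parts.add("dns:" + san.get(1)); // dNSName
            if (type == 7) parts.add("ip:" + san.get(1));  // iPAddress
        }
        return parts.isEmpty() ? null : "-ext SAN=" + String.join(",", parts);
    }

    /** getBasicConstraints() is -1 for a non-CA certificate, otherwise the path length limit. */
    public static String basicConstraintsArg(X509Certificate cert) {
        return cert.getBasicConstraints() >= 0 ? "-ext BC=ca:true" : null;
    }

    public static String allArgs(X509Certificate cert) throws Exception {
        List<String> args = new ArrayList<>();
        for (String a : new String[] { keyUsageArg(cert), extendedKeyUsageArg(cert), sanArg(cert), basicConstraintsArg(cert) }) {
            if (a != null) args.add(a);
        }
        return String.join(" ", args);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("keytool -genkeypair ... " + allArgs(cert));
    }
}
```

For an HTTPS listener the output will normally contain serverAuth in the EKU and the machine name as a dns: SAN, which is what the WS-Management service looks for when it selects a certificate; a certificate without those usages is exactly the kind of mismatch that produces "cannot find the certificate that was requested" even though the import itself succeeded. Note also that the original keytool command above put the private key in a keystore on disk and only exported the public certificate: a listener needs the private key, so the PKCS#12 file, not the .cer, is what has to be imported into the Windows store.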
Jax-RPC Client side: How to use multiple X509 client certs ?
hi, (excuse me for my English)
i'm looking for an answer to this question:
I'm using the JAX-RPC libraries (JWSDP 2.0) for a web services client application in my app server (Tomcat 4 under a 1.4 Sun JVM) with an HTTPS connection. All works fine when I'm using System.setProperties for keystore and truststore.
But now, I want to use different client SSL keys for the same app to consume the web service (one SSL client key for a group of users).
Is it possible?
I've tried using a custom SSLSocketFactory and a custom KeyManager but it won't work: once the SSL connection has been established, I can connect to the app with an invalid client cert! (it seems the SSL connection is in a cache and I don't know how to disable this cache).
I have read some threads on this problem without answers! (http://forum.java.sun.com/thread.jspa?forumID=331&threadID=333010 and http://forum.java.sun.com/thread.jspa?forumID=331&threadID=600372)
Thanks
Edited by: Buck007 on May 26, 2008 9:14 AM
I have the same problem. If you find the solution please post it here :)
thanks
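The symptom described here (a later call succeeding with the wrong client certificate) is what JSSE session resumption looks like when several identities share one SSLContext: the client session cache is kept per SSLSessionContext, i.e. per SSLContext, keyed by host and port, so a resumed session carries whatever client authentication happened in the original full handshake. The following is an added example, not code from the thread, from JWSDP or from the ColdFusion thread above (which it equally applies to, a PKCS#12 file plus password being the identity there too): one SSLContext per user group, each built from its own PKCS#12 file, applied per connection rather than through the JVM-wide default factory. File paths, passwords, group names and the URL are placeholders supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSessionContext;

/**
 * Added example (not from the thread): one SSLContext per client identity, so a
 * session negotiated with group A's certificate can never be resumed by group B.
 * Assumed: a PKCS#12 file per group, the JDK default trust store for the server
 * side, and placeholder arguments: group p12Path password url.
 */
public class PerIdentityTls {

    private final Map<String, SSLContext> contexts = new ConcurrentHashMap<>();

    /** Builds a context whose KeyManager can only ever offer this one identity. */
    public static SSLContext contextFor(String p12Path, char[] password) throws Exception {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) { identity.load(in, password); }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = JDK default trust store

        // Sessions are cached per SSLContext, so isolation between groups already comes from having
        // separate contexts. If policy also demands a full handshake (and fresh client-cert check)
        // on every call, shorten the resumption window; note that 0 means "no limit" in JSSE.
        SSLSessionContext sessions = ctx.getClientSessionContext();
        sessions.setSessionTimeout(1);
        return ctx;
    }

    public void register(String group, String p12Path, char[] password) throws Exception {
        contexts.put(group, contextFor(p12Path, password));
    }

    /** Authenticates as the given group on this connection only; the JVM default factory is untouched. */
    public HttpsURLConnection open(String group, URL url) throws Exception {
        SSLContext ctx = contexts.get(group);
        if (ctx == null) throw new IllegalArgumentException("no identity registered for group " + group);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        PerIdentityTls tls = new PerIdentityTls();
        tls.register(args[0], args[1], args[2].toCharArray());
        HttpsURLConnection conn = tls.open(args[0], new URL(args[3]));
        conn.setRequestMethod("GET");
        System.out.println(args[0] + " -> HTTP " + conn.getResponseCode());
    }
}
```

What to avoid is HttpsURLConnection.setDefaultSSLSocketFactory or the javax.net.ssl.keyStore system properties for this purpose: both are process-wide, so every group ends up sharing one context and one session cache, which is the situation the poster observed. With JAX-RPC stubs that do not expose the connection, the same separation can be achieved by giving each group its own stub instance configured with its own socket factory, but the isolation still has to be at the SSLContext level.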