Changing from non-ssl to ssl communication in OAM

Similar Messages

• Web Server 7 - Switch to SSL - Automatic forwarding from non-SSL

  I just posted a similar question regarding Web server 6. This question is for Web server 7!
  I maintain Web tools on a non-SSL Web Server 7. I need to turn on SSL, because our organization requires the security feature for certain functions in the tool.
  The current non-SSL address for the tool is similar to http://mytool.com/. I want to make the switch to SSL transparent for users, so I want http://mytool.com/ to automatically forward to https://mytool.com. What is the best way to do that in Web server 7?
  Also, I'd like to make the changes without using the GUI, what are the XML commands for the server.xml file (I assume that's what I'll need to change, right?)
  Sincerely,
  dailysun
  THIS IS FOR WEB SERVER 7

  Hi
  Assuming you have figured out the way to setup a listener with SSL enabled, you can the following
  1. find out what object file is currently used by server
  bin/wadm get-virtual-server-prop user=admin config=<hostname> object-file
  this will either return as obj.conf or <vs>-obj.conf
  2. now open this file and add the following lines after <Object name="default" line
  <Object name="default">
  #add the following lines
  <Client match="all" security="false" urlhost="mytool.com">
  NameTrans fn="redirect" from="/" url-prefix="https://mytool.com"
  NameTrans fn="redirect" from="/*" url-prefix="https://mytool.com/"
  </Client>
  # end
  now save this file and test to see if this is what you are expecting.
  if you are satisfied, you will need to bring over this manual change into admin config repository by doing something like
  bin/wadm pull-config user=admin  config=<..>
  You can also save the commonly used parameter like <user> and <password> within the .wadmrc file. Please see - http://blogs.sun.com/natarajan/date/20070131
  hope this helps

• Move from NON-SSL to SSL (OAS 9.0.4.1)

  We installed OAS 9.0.4.1 (two Midtier and 1 Infst).
  We have Application based on forms. We installed and configure OAS default like non-ssl and forms using port 7778. Now we need to use SSL.
  If somebody give me detail what should be done?
  Actually, what I did
  1. I stop midtier Using EM.
  2. I modified httpd.conf file changed only "Listen from 7778 to 4445" I didn't change port.
  3. Run dcmctl updateconfig -ct ohs
  4. start midtier using EM.
  I can run forms using //http:localhost:4445/forms90/f90servlet? -succesufully
  but My portal is not available. Did I miss something?
  Please help. It is emergency we need to go to PROD.
  Thanks

  I started from beginning install again OAS 9.0.4 and followed instruction in
  whitepaper in the Internet deployment section titled "Oracle Forms 10g - Configuring Security with SSL ".
  Everything was goung okay until last peice run test form using ssl -- https
  I have error
  java.io.IOException: javax.net.ssl.SSLException: Failed set trust point in ssl context
       at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
       at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
       at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
       at sun.misc.URLClassPath$2.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  WARNING: Unable to cache https://houorcl324.corp.kbr.com:4444/forms90/java/f90all_jinit.jar
  load: class oracle.forms.engine.Main not found.
  java.lang.ClassNotFoundException: java.io.IOException: javax.net.ssl.SSLException: Failed set trust point in ssl context
       at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
       at java.net.HttpURLConnection.getResponseCode(Unknown Source)
       at sun.applet.AppletClassLoader.getBytes(Unknown Source)
       at sun.applet.AppletClassLoader.access$100(Unknown Source)
       at sun.applet.AppletClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Do I need SSL webcache too? It was not in instruction
  please help

• Web Server 6 - Switch to SSL - Automatic forwarding from non-SSL

  I maintain Web tools on a non-SSL Web Server 6. I need to turn on SSL, because our organization requires the security feature for certain functions in the tool.
  The current non-SSL address for the tool is similar to http://mytool.com/. I want to make the switch to SSL transparent for users, so I want http://mytool.com/ to automatically forward to https://mytool.com. What is the best way to do that in Web server 6.1?
  Also, I'd like to make the changes without using the GUI, what are the XML commands for the server.xml file (I assume that's what I'll need to change, right?)
  Sincerely,
  dailysun
  THIS IS FOR WEB SERVER 6.1

  edit the https-<instancename>/config/obj.conf and add the following lines
  <Object name="default">#add the following lines
  <Client match="all" security="false" urlhost="mytool.com">
  NameTrans fn="redirect" from="/" url-prefix="https://mytool.com"
  NameTrans fn="redirect" from="/*" url-prefix="https://mytool.com/"
  </Client>
  ...

• Changing from non non smartphone to iphone 4

  trying to switch from non smartphone to iphone 4. same provider. cant get phone service but internet works.

  And what did your cellular carrier say when you reported the problem to them?

• SD Cond. type changes from non statistic to statistic when creating invoice

  Hi gurus!,
  I have a problem with a condition type. Though I set it as NON statistic at the procedure, once I create the sales order it's ok but when I create the invoice from the delivery, then the same condition type appears as statistic.
  Do you know how to solve this?
  Its config is:
  On procedure:
  Condtype      Description         Print      req.      Cont. key      
  Z001     test description  S           777      MWS
  Its properties:
  http://imageshack.us/photo/my-images/831/screenshot080d.png/
  Thanks in advance
  Edited by: John Smith on Nov 4, 2011 2:34 PM Reason: not finished

  Hello!
  After testing many things I debugged the VF01 code and noticed that a code into a standard enhancement was setting the condition type statistic because it has not an invoice cycle (IS-OIL) set. This must be new on ECC 6 where we move some months ago because in 4.72 never happened.
  Once I have set the value for this flag, all the flow is working like a charm
  Thanks a lot for your answers, this was a difficult one because is specific for IS-OIL installations.
  Regards,
  John

• Session Cookies Being Overwritten Browsing From SSL to Non SSL

  I have created a bug report for this issue as well.
  Please note I am using J2EE session variables so keep that in mind.
  I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
  For example:
  Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Encrypted connections only".
  Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Any type of connection".
  Here's the problem:
  Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
  Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
  Steps to Reproduce:
  1. Clear your cookies.
  2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
  3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
  This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
  Has anyone else experience this?

  Deleting and re-adding my account seems to have fixed it.  I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something.  Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.

• Remote non-SSL image served from SSL site?

  I have an SSL site and I need to display images located on an external non-SSL site. When I do this using a standard graphicImage tag and URL=http://whatever IE will throw a warning every time the page is displayed saying the page has secure and non-secure content. I need to avoid this somehow. Is there a way to have the image pulled to the server and then server over SSL? Surely this is a common problem!
  I really appreciate any help!
  Jeff

  You cannot suppress this warning without changing the browser's default settings.
  Serve the images through SSL, preferably from the same server. You could also create a servlet for this which gets the images from other non-SSL server by URLConnection.

• Changes to Verizon email servers and Non-SSL capable email clients

  Need to change over my pop/smtp settings to the new settings as per Verizon notification.  I have quite a few non-SSL capable email clients.  Does Verizon provide a non-SSL email server on port other than 25 I can use ?

  blottje wrote:
  Need to change over my pop/smtp settings to the new settings as per Verizon notification.  I have quite a few non-SSL capable email clients.  Does Verizon provide a non-SSL email server on port other than 25 I can use ?
  Not once they turn off the old incoming/outgoing servers. (Supposedly coming in September.)
  What email clients are you using that don't allow for SSL???
  If a forum member gives an answer you like, give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer as Accepted Solution so others can see the solution to the problem.
  "All knowledge is worth having."

• SSL communication issue with JDK 1.6.0_19

  Hi,
  I am facing issue with JDK 1.6.0_19. I have a Java client which communicate with the Server in SSL communication.so, It is able to communicate properly with the JDK <=1.6.0_18 version.But I got handling exception: javax.net.ssl.SSLException: HelloRequest followed by an unexpected  handshake message exception when the client is trying to communicate with the server in JDK 1.6.0_19.
  We are using mutual authentication.The client and the server both have the signed certificate.The client certificate has to be validated by the server to establish the connection.
  I have seen in forum that it is a renegotiation issue.So, if I enable the renegotiation flag by -Dsun.security.ssl.allowUnsafeRenegotiation=true it's working fine.But enabling renegotiation itself is a vulnerability.So, I can't enable renegotiation.
  I am using httpclient 4.0 and JSSE in client side and IIS in the server side for this SSL connection.
  I am not sure which side client or server initiating the renegotiation?
  Please help me out.
  I have tried Openssl command from console.
  The command is : openssl s_client -connect X.X.X:443 -CAfile "xxxxx" -cert "xxxxxxxx" -key "xxxxxxxxxx" -state -verify 20 here is the output:
  Loading 'screen' into random state - done
  CONNECTED(00000748)
  SSL_connect:before/connect initialization
  SSL_connect:SSLv2/v3 write client hello A
  SSL_connect:SSLv3 read server hello A
  xxxxxxxxxxx.................
  verify return:1
  xxxxxxxxxxx.................
  verify return:1
  SSL_connect:SSLv3 read server certificate A
  SSL_connect:SSLv3 read server done A
  SSL_connect:SSLv3 write client key exchange A
  SSL_connect:SSLv3 write change cipher spec A
  SSL_connect:SSLv3 write finished A
  SSL_connect:SSLv3 flush data
  SSL_connect:SSLv3 read finished A
  Certificate chain
  xxxxxxxxxxx.................
  Server certificate
  -----BEGIN CERTIFICATE-----
  xxxxxxxxxxx.................
  -----END CERTIFICATE-----
  xxxxxxxxxxx.................
  No client certificate CA names sent
  SSL handshake has read 1839 bytes and written 392 bytes
  New, TLSv1/SSLv3, Cipher is RC4-MD5
  Server public key is 1024 bit
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : RC4-MD5
      Session-ID: xxxxxxxxxxx
      Session-ID-ctx:
      Master-Key: xxxxxxxxxxx
      Key-Arg   : None
      PSK identity: None
      PSK identity hint: None
      Start Time: 1275564626
      Timeout   : 300 (sec)
      Verify return code: 0 (ok)
  read:errno=10054If you see the console output you can see that two statement is missing those are :
  SSL_connect:SSLv3 read server certificate request A
  SSL_connect:SSLv3 write client certificate ASo, I like to know if this is any clue which is asking for renegotiation.

  Thank you for your response.
  Yes I have set the particular proerty SSLAlwaysNegoClientCert to True and it is able to establish the ssl conneciton without initiating renegotiation from IIS server side.The property has to be set the metabase.xml file.
  Thank you very much once again.
  Edited by: arpitak on Jun 23, 2010 2:10 AM

• SCSM 2012 Portal change from http to https to get silverlight to work on non domain computers?

  Hi
  Wanting to change our Self Service Portal from http to https and make it accessible from non domain computers.
  Non domain computers - the sharpoint parts load (the silverlight does not load). Domain computers can access the portal with no problem.
  Does this mean I need to reinstall the portal or can it be changed while in operation now?
  Would something like the below link be enough to get https going?
  http://blogs.technet.com/b/babulalghule/archive/2013/01/10/how-to-create-alternate-url-for-service-manager-self-service-portal.aspx
  Thanks!

  the silverlight part not loading due to SSL certification. import the certification into non domain computer will fix this issue.

• The graphs created in non ssl endeca server run in ssl endeca server

  Hi All,
  I created the graphs to run in non-ssl endeca server and when I gave the code for testing its failing with error:
  Unable to read WSDL file from location 'http://slc06xkc.us.oracle.com:7001//endeca-server/ws/manage?wsdl'. Response status: HTTP/1.1 404 Not Found WSDLException: faultCode=PARSER_ERROR: Wsdl not found
  http://slc06xkc.us.oracle.com:7001//endeca-server/ws/manage?wsdl
  Can someone please let me know whether the graphs which are created in non ssl endeca server will work in ssl endeca serve ror not.Do we need to do some modifications?
  Thanks,
  Amrit

  Amrit,
  If SSL is enabled, the default wsdl port is 7002.
  See http://docs.oracle.com/cd/E40521_01/server.760/es_install/toc.htm#Creating%20SSL%20certificates
  This is the doc about generating SSL certificates, when you install Endeca Server in the SSL mode.
  "The generate_ssl_keys utility:
  Creates the SSL certificates in the $DOMAIN_HOME/config/ssl directory.
  Updates the EndecaServer.properties and EndecaCmd.properties files (in the $DOMAIN_HOME/config directory) with the pathnames of the key files.
  Enables the SSL Listen Port of 7002 in WebLogic Server, and sets 7002 as the port on which Endeca Server is started."
  To summarize:
  If you installed Endeca Server in non-SSL mode, you access the Manage web service of the Endeca Server as discussed in "Accessing the Manage Web Service", using this path: http://host:port/endeca-server/ws/manage, or to access the WSDL: http://<host>:<port>/endeca-server/ws/manage/?wsdl, where the default non-SSL port is 7001.
  If you installed Endeca Server in the SSL mode, the protocol in the path changes to HTTPS, and the default port changes to 7002 (it can be any other port, depending on the one you configure during the installation process).
  Note: any other public web service of the Endeca Server is accessible in the same way: http://host:port/endeca-server/ws/<name_of_the_web_service>.

• Custom sig: Non-SSL over SSL port

  I am trying to build a custom signature for detecting non-SSL traffic on a specific SSL port (let's say tcp/443). This has to do with CONNECT tunnels through an HTTP proxy. Conceptually, it's not a complicated idea. Whether or not it can technically be done effectively with the Cisco IPS I don't know.
  It seems that very early in every SSL connection, there is an SSL "client hello" message(SYN,SYN/ACK,ACK,CLIENT HELLO). There are two relevant record formats, SSLv2 and SSLv2/TLS. I would like to create a signature that fires when it DOES NOT see the client hello message very early in a given TCP session. I would want the signature to only need to check the very first n packets of any given TCP session (n = max size of connection establishment + max size of client hello packet). Has anyone created such a beast or willing to help? Here are a couple packets.
  SSLv3 Client Hello
  0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
  0010 00 8e 33 b8 40 00 3e 06 94 16 ce c3 c3 6c 40 22 ..3.@.>......l@"
  0020 a2 49 58 27 01 bb b7 42 c6 92 fd 36 a3 d1 50 18 .IX'...B...6..P.
  0030 44 70 08 e2 00 00 16 03 00 00 61 01 00 00 5d 03 Dp........a...].
  0040 00 44 5f 9a 77 69 49 5a 85 52 a0 96 38 b3 b4 15 .D_.wiIZ.R..8...
  0050 8f db f2 0f c9 0e ea 10 f5 69 39 8c 58 87 e5 33 .........i9.X..3
  0060 70 20 ba 06 1e 3f d4 4e 3c d0 de a8 ea 4e a3 7f p ...?.N<....N..
  0070 0f 07 fd 5f 88 07 17 ef 50 ce 6b cf 10 e3 84 99 ..._....P.k.....
  0080 04 a2 00 16 00 04 00 05 00 0a 00 09 00 64 00 62 .............d.b
  0090 00 03 00 06 00 13 00 12 00 63 01 00 .........c..
  TLSv1 Client Hello
  0000 00 0f 20 6c 99 8b 00 a0 8e 82 c4 c1 08 00 45 00 .. l..........E.
  0010 00 96 a2 89 40 00 7f 06 32 b3 ce c3 c2 29 ce c3 [email protected]....)..
  0020 c6 74 0d 13 01 bb 38 17 d5 89 98 0f fc 73 50 18 .t....8......sP.
  0030 44 70 6c 75 00 00 16 03 01 00 69 01 00 00 65 03 Dplu......i...e.
  0040 01 44 5f 9a 84 8a 94 ab f3 78 e7 b1 c9 ca 04 34 .D_......x.....4
  0050 3b 95 1b 86 51 05 5f ac 9d a0 b0 69 fe 0c 27 e5 ;...Q._....i..'.
  0060 9c 20 78 08 00 00 ce c3 c2 29 58 58 58 58 58 58 . x......)XXXXXX
  0070 58 58 58 58 58 58 58 58 58 58 48 9a 5f 44 8c 4b XXXXXXXXXXH._D.K
  0080 05 00 00 1e 00 04 00 05 00 2f 00 33 00 32 00 0a ........./.3.2..
  0090 00 16 00 13 00 09 00 15 00 12 00 03 00 08 00 14 ................
  00a0 00 11 01 00 ....
  SSLv2 Client Hello
  0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
  0010 00 82 fb a7 40 00 3e 06 cf 32 ce c3 c3 6c 9f 35 ....@.>..2...l.5
  0020 40 36 58 6d 01 bb b7 78 06 1b cd e2 e2 3d 80 18 @6Xm...x.....=..
  0030 44 70 47 6b 00 00 01 01 08 0a 31 fd f9 51 00 00 DpGk......1..Q..
  0040 00 00 80 4c 01 03 00 00 33 00 00 00 10 00 00 04 ...L....3.......
  0050 00 00 05 00 00 0a 01 00 80 07 00 c0 03 00 80 00 ................
  0060 00 09 06 00 40 00 00 64 00 00 62 00 00 03 00 00 [email protected].....
  0070 06 02 00 80 04 00 80 00 00 13 00 00 12 00 00 63 ...............c
  0080 7b af 57 75 f8 a9 72 54 23 29 32 50 bf ef 1e a9 {.Wu..rT#)2P....

  Hi mhellman:
  I can see 3 difficulties with this kind of sign.
  1) To determine the order of the packets.
  2) To determine that happen at the very begining of the conection
  3) fire when the traffic doesn't match with the signature.
  The difficulty number 3, I think, is imposible to resolve because the sensor can compare the trafic with a well defined pattern and fire when it match, but not when it doen't.
  The difficult number 2
  You need a kind of state signature because this can be classified like a machine state (first three way handshake, then hello packet) but I can't see fields in the state engine that help in this case.
  The difficult number 1 could be resolved by a Meta signature.
  You will need to create an a custom atomic signature for the syn packet, another for the syn ack, another to ack, and the last one for hellow packet.
  Then create a meta signature and add the fourth atomic singatures whith a strict order.
  but guess what...
  Meta signature doesn't permit custom signatures.
  I think this kind of signature is imposible to write.
  But I'd try.
  Regards
  Alberto Giorgi from spain.

• Non ssl - gives 403 forbidden

  I can access the EM 12c with the ssl address https://server:7799/em
  but I would like to use the non-ssl side of it... I can access http://server:7788 and get the welcome index page.. but if I use http://server:7788/em I get Error 403 Forbidden...

  It sounds like your console is Locked. You can check the status with the command 'emctl status oms -details'.
  To unlock the console use 'emctl secure unlock -console'
  If you also want to unlock agent/OMS communication use 'emctl secure unlock -upload'
  See the Administrators Guide for further details.

• Disable non-SSL session tracking?

  Hi, all,
  I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
  I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
  Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
  Thanks,
  Dmitri.

  I don't think you can do this programatically.
  However I also don't think it is a problem.
  Cookies are related to zone names aren't they?
  http://mysite and https://mysite are two different
  zones as far as cookies are concerned. One should
  not be able to see the other.
  It issues a new cookie for the http site you are just
  navigating to. That cookie has nothing to do with
  the secure site you just came from, and shouldn't be
  able to tell them any info about the secure site.
  I think you are worrying about something that isn't
  really there.
  What is your concern? That they pick up a JSESSIONID
  from the cookie and can then pretend to be a
  different user?Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
  I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?