Confirming connections are over ssl - OAS - advanced security

I have both SSL-encrypted (via OAS) and non-SSL connection support configured. During a transition period, before I disable the clear-text connection support, I'd like to monitor how clients are making the connection and hopefully be able to identify them so they can be "adjusted" away from clear text. I can do this with a tcpdump filter on the server, but is there some way to collect this information in the database?
I consider Net8 tracing on the server a silly response to this question: too much overhead, and it requires a restart to turn tracing on. tcpdump is a much easier way to attack the problem down near that layer. This query will tell you about your current session, but I need to know about all sessions.
select sys_context('USERENV','NETWORK_PROTOCOL') from dual;
Thanks.
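One way to collect the same USERENV information for every session rather than only the current one, added here as an example and not part of the original post: an AFTER LOGON trigger that records the negotiated protocol per logon, plus a report query over the collected rows. The table and trigger names (net_protocol_audit, trg_net_protocol_audit) are assumptions, and the trigger must be created by a user with the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Added example (not from the original post): record the network protocol of
-- every new session so clear-text (tcp) clients can be found and migrated to
-- tcps before clear-text support is switched off.
-- Table and trigger names are assumptions; adjust to local naming standards.
CREATE TABLE net_protocol_audit (
    logon_time       TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
    session_user     VARCHAR2(128),
    os_user          VARCHAR2(128),
    client_host      VARCHAR2(256),
    client_ip        VARCHAR2(64),
    client_program   VARCHAR2(64),
    network_protocol VARCHAR2(32)  -- 'tcp' = clear text, 'tcps' = SSL, 'beq' = local bequeath
);

CREATE OR REPLACE TRIGGER trg_net_protocol_audit
AFTER LOGON ON DATABASE
BEGIN
    -- SYS_CONTEXT('USERENV', ...) is evaluated inside the new session, so the
    -- values describe the client that just connected, not the trigger owner.
    INSERT INTO net_protocol_audit (session_user, os_user, client_host,
                                    client_ip, client_program, network_protocol)
    VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
            SYS_CONTEXT('USERENV', 'OS_USER'),
            SYS_CONTEXT('USERENV', 'HOST'),
            SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
            SYS_CONTEXT('USERENV', 'MODULE'),           -- client program name at logon
            SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL')); -- same attribute as the dual query
EXCEPTION
    -- An error in a database-level logon trigger blocks logons for non-DBA
    -- users; swallow audit failures rather than lock clients out.
    WHEN OTHERS THEN NULL;
END;
/

-- Report: which hosts, OS users and programs are still connecting in clear
-- text (tcp), most frequent first. Bequeath sessions are local and not listed.
SELECT client_host, client_ip, os_user, client_program,
       COUNT(*)        AS logons,
       MAX(logon_time) AS last_seen
FROM   net_protocol_audit
WHERE  network_protocol = 'tcp'
GROUP  BY client_host, client_ip, os_user, client_program
ORDER  BY logons DESC;
```

For sessions that were already connected before the trigger existed, V$SESSION_CONNECT_INFO exposes a NETWORK_SERVICE_BANNER per SID that lists the network services negotiated for that session.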

> I was curious about why I would get the periodic close() calls
Because RMI does connection pooling, which you can also control via those system properties, and part of that is closing idle connections.
> and also about why the ServerHello might be timing out. Any further insight?
Network problems?
> Would the DNS configuration still come into play even if we were connecting purely to the IP address?
Yes, because Java does reverse DNS lookups when opening sockets.
> Do the domain names in the cert chain(s) possibly get resolved every time?
No.

Similar Messages

  • Advanced Security Server /Entrust-enabled SSL

    We are experimenting with configuring Advanced Security Server to work with Entrust. I had a quick look at the Oracle 9i Advanced Security Server Administrator's Guide and found much more detailed instructions about configuring Entrust-enabled SSL. In addition, there are samples of what sqlnet.ora will look like. The question: Can we use the 9i manual to configure Entrust-enabled SSL for Oracle 817? If we can't use the 9i manual, is there any addendum document to Chapter 10, Enabling Entrust Authentication, in the Oracle8i Advanced Security Administrator's Guide, other than CR #281745 ....

    Hi Justin,
    The Visual Basic application software uses Oracle OLEDB Provider 9.2.0.7.0
    We use various classes available in OLEDB for accessing the database. For example, the connection string looks like the following:
    Provider=oraoledb.oracle; data source=oraserve; user id=myuserid; password=mypasswd;
    The application uses ADODB objects to access data.
    Hope this clarifies
    Regards,
    SAM

  • Cannot find api to implement RIDC connect WebCenter Content Server over SSL

    Hi WebCenter Content team,
    I find the following sample code from http://docs.oracle.com/cd/E23943_01/doc.1111/e10807/c23_ridc.htm#BJFIHEHI
    Example 23-6 IDC Protocol over SSL
    // build a secure IDC client as cast to specific type
    IntradocClient idcClient = (IntradocClient)
    manager.createClient("idcs://localhost:4443");
    // set the SSL socket options
    config.setKeystoreFile("ketstore/client_keystore");  // location of keystore file
    config.setKeystorePassword("password");              // keystore password
    config.setKeystoreAlias("SecureClient");             // keystore alias
    config.setKeystoreAliasPassword("password");         // password for keystore alias
    I downloaded RIDC package from Individual Component Downloads in http://www.oracle.com/technetwork/middleware/webcenter/content/downloads/index.html.
    But I cannot find the above methods in IdcClientConfig or its subclasses. For example, the following code does not compile:
    IdcClientConfig config = idcClient.getConfig();
    config.setKeystoreFile("ketstore/client_keystore");  // no such method
    Could you please give a correct example.
    Thanks a lot.

    Most likely the port. RIDC listens usually at 4444, 16200 is the port for browser-based communication.

  • Trying to determine if LDAP over SSL is working using LDP.exe

    Hi,
    I just wanted to confirm that LDAP over SSL is working properly on our domain controller.  When I connect using LDP.exe on my Windows 7 computer, I get the following output:
    ld = ldap_sslinit("dc1.domain.com", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 0 = ldap_connect(hLdap, NULL);
    Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
    Host supports SSL, SSL cipher strength = 128 bits
    Established connection to dc1.domain.com.
    Retrieving base DSA information...
    Getting 1 entries:
    Dn: (RootDSE)
    <unnecessary details>
    It looks like it is working, but I wasn't sure if the Error 0's mean there is some sort of problem.
    Also, when I run a Simple bind with my credentials, I get the following output:
    res = ldap_simple_bind_s(ld, 'myuseraccount-at-domaindotcom', <unavailable>); // v.3
    Authenticated as: 'DOMAIN\myuseraccount'.
    Finally, when I run a Bind as currently logged on user (with Encrypt traffic after bind checked), I get the following output:
    53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
    Authenticated as: 'DOMAIN\myuseraccount'.
    I followed all the instructions found in Microsoft article KB-321051 to get LDAP over SSL working with a valid 3rd party certificate on one of our Windows 2008 R2 domain controllers.  However, when I test Active Directory Authentication on our
    WatchGuard Management Server after importing the CA certificate, the test fails.  In order to use Active Directory Authentication, LDAPS (LDAP over SSL) must be enabled in the Active Directory domain and I am not 100% sure that it is enabled properly.
    Any advice or additional insight would be greatly appreciated.
    Thanks!

    Some ideas:
    DNS Name: KB-321051 says that you need the DNS name in either Subject CN or Subject Alternative Name. Which one did you use? Windows clients are fine with an empty CN and only the SAN populated (hence the "either or" statement in the article), but third-party tools often look for the DNS name in the Subject CN.
    Even if the WatchGuard Server runs on Windows it might use its own certificate checking logic.
    DC certificate(s): Does the DC have more than this certificate? If yes I'd run a network trace to check which one the machine is actually sending in the SSL handshake.
    Chaining issues at your LDAP client / the WatchGuard Management Server:
    Very often such issues are related to the fact that the certificate chain is not validated properly. Some typical issues:
    It is not clear whether the client uses the Windows certificate store (even if it runs on a Windows server).
    Tools / systems / PKI clients can only deal with a single root CA, not with a hierarchy.
    You need to import both Root and intermediate CAs as the client cannot fetch the intermediates from AIA URLs.
    The client cannot access CRL URLs because of firewalls rules or missing access (e.g.: A CRL URL in AD is used but the client does not have an AD user in whose context it would try to fetch the CRL).
    The client has issues with blanks or special characters in CDP or AIA URLs.
    Having a quick look at
    WatchGuard documentation it seems to me that they are using their own certificate stores you need to import CA certificates to. And they only mention a "Root CA" so if your PKI has two levels you might need to import both CAs to the so-called Root store.
    Elke

  • LDAP over SSL

    A hosted service wants to authenticate against our AD.  They recommend using LDAPS. 
    What is best practice?  Install a public certificate on a DC. 
    For instance on DC1.contoso.com.  Then would I open up 443 on the firewall to that DC and allow from that IP? How would that affect other local LAN clients authenticating to that DC?

    If it's a hosted service and it supports ADAM/AD LDS, then it's much safer to use them instead of an RWDC or RODC. Enabling LDAP over SSL enhances the security of how information is transmitted when a client contacts a DC for information (authentication/authorization).
    Normally, without LDAPS being configured in the environment, when a client queries a DC in the domain the information is transmitted in plain text, which can be read by a hacker using tools available for free. The reason is simple: the information in transit is not encrypted, but enabling LDAP over SSL prevents the unencrypted queries and provides more security.
    You can't simply implement LDAP over SSL; it needs a PKI infrastructure, planning and design, which is comprehensively listed in the document URL posted by Justin. You can also use LDAP over SSL using AD LDS.
    http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • Connecting to a remote OpenLDAP server over SSL.

    I've been trying for several weeks now to get a remote OpenLDAP server up and running; configured in such a way that it only allows SSL and requires certificate validation.
    I've created a CA with a self-signed certificate.
    I used that CA to create a server and client certificate.
    The server certificate is in /etc/ssl/certs, has a link by the name of its hash.0 pointing to it; permissions are all correct and /etc/ssl/slapd.conf points to it and the CA certificate.
    The client certificate is on my MacBook Pro in /etc/ssl/certs along with the CA certificate; each of which also has its hash linked to it. /etc/ssl/ldap.conf is set up properly, the permissions are correct, and the following test command ran as my user produces a successful result:
    ldapsearch -v -x -H ldaps://ldap.foo.org -b "dc=foo,dc=org" -d -1
    Now the problem part. I open Directory Utility; go to Services with Advanced Settings enabled. After unlocking it, I click the LDAPv3 and the pencil icon.
    I hit New... in the window that pops up and use ldap.foo.org as servername, SSL box ticked. I hit Continue, and behold; nothing happens.
    It is to say; Directory Utility hangs for a while; after which it goes back to the box I clicked Continue in without any error or warning popping up; but obviously hasn't advanced.
    The server logs indicate my Mac had actually connected; received the server certificate; but didn't send a client certificate at which point the TLS connection got aborted for some reason and the session ended.
    My Mac Console shows something even more bizarre, though:
    11/09/08 23:09:22 com.apple.DirectoryServices[97123] Assertion failed: (ld != NULL), function ldapsearchext, file search.c, line 76.
    My suspicion is that Directory Utility can't verify the server certificate and aborts the TLS connection. I expect it also uses /etc/openldap/ldap.conf? How can I diagnose the root of this problem?
    Thanks a lot for your assistance; I just can't figure this out and any hint or pointer would be greatly appreciated. It now just looks like OSX does not support a secure LDAP over SSL configuration.
    Though it currently isn't set up to be that way, I'd like to have my client also provide a certificate (CN=lhunath.foo.org) and have the server validate that. For now I've got the server set to:
    TLSVerifyClient never
    (And of course, the client:)
    TLS_REQCERT demand

    By the way; about the assertion error I get in Console; here's the relevant source of ldap.c. Looks like ld is not set; probably something going wrong before that with setting up the TLS connection, perhaps? Or not?
    /*
     * ldapsearchext - initiate an ldap search operation.
     * Parameters:
     *   ld   LDAP descriptor
     */
    int
    ldapsearchext(
        LDAP *ld,
        assert( ld != NULL );

  • How to configure Oracle 10g Advanced Security to use SSL concurrently with

    How to configure Oracle 10g Advanced Security to use SSL concurrently with database User names and passwords
    In the Oracle Advanced Security documentation it is mentioned that I can use SSL concurrently with DB user names and passwords. But when I configure the client certificate on the client, my DB connection gets authenticated using the certificate, without passing a user id or password.
    We want to connect to the Oracle DB over an SSL channel so that the data packets are not in clear text. We also want the user to make the connection using a user id and password.
    Basically we want SSL without authentication.
    Need your expert advice

    Read the documentation (I have given following links assuming you are running a 32 bit architecture)
    Server installations:
    http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14316%2Ftoc.htm&remark=portal+%28Books%29
    Client installations:
    http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14312%2Ftoc.htm&remark=portal+%28Books%29
    You can find the required books (if not using 32 bit architecture) from
    http://www.oracle.com/pls/db102/portal.portal_db?selected=3

  • Web service client behind a proxy server connecting to web service over SSL

    Hi Friends,
    A web service is exposed by an external system over SSL. We are behind a proxy server and are trying to get connected to the web service over SSL.
    We are getting the following error on the test browser of workshop:
    External Service Failure: FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters.
    The whole trace is:
    JDIProxy attached
    <Sep 24, 2005 9:27:25 AM EDT> <Warning> <WLW> <000000> <Id=creditCheckCtrl:salesExpertServiceControl; Method=creditcheckcontrol.SalesExpertServiceControl.doCreditVerification(); Failure=com.bea.control.ServiceControlException: SERVICE FAULT:
    Code:javax.net.ssl.SSLHandshakeException
    String:FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters
    Detail:
    END SERVICE FAULT>
    <Sep 24, 2005 9:27:26 AM EDT> <Warning> <WLW> <000000> <Id=creditCheckCtrl; Method=creditcheckcontrol.CreditCheck.testCreditCheck(); Failure=com.bea.control.ServiceControlException: SERVICE FAULT:
    Code:javax.net.ssl.SSLHandshakeException
    String:FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters
    Detail:
    END SERVICE FAULT [ServiceException]>
    <Sep 24, 2005 9:27:26 AM EDT> <Warning> <WLW> <000000> <Id=top-level; Method=processes.CreditCheck_wf.$__clientRequest(); Failure=com.bea.wli.bpm.runtime.UnhandledProcessException: Unhandled process exception [ServiceException]>
    <Sep 24, 2005 9:27:26 AM EDT> <Error> <WLW> <000000> <Failure=com.bea.wli.bpm.runtime.UnhandledProcessException: Unhandled process exception [ServiceException]>
    I am not able to make out what could be possibly wrong. Please let me know if you guys have any ideas about how to resolve it.
    Thanks
    Sridhar

    did you resolve this problem. I am looking at the same issue. If you did I would really appreciate your response.
    Thanks.

  • FTP over SSL connectivity in File Adapter

    Hi All,
    I request your suggestion on my problem. I have a scenario idoc to file where I am connecting to my vendor server through SFTP (FTP over SSL). In this my vendor specifically told that to obtain secure FTP connectivity to their server they require a pre-approved Secure FTP client be used to access the service.
    So as per this requirement, first our XI server needs to connect to the pre-approved client and the connectivity will happen to the vendor server. He lists the pre-approved clients as below:
    *Cleo Lexicom 2.1
    *TrailBlazer ZMOD FTP Client V3R1 PTF Level PFT3100034
    *QualEDI for Windows, 32-bit version
    *Ascential DataStage TX, Release 7.5
    *Future 3 - Advanced Communication Module Plus (ACM Plus)
    *eBridge FTPS Communicator for GXS version 5.3
    *Ipswitch Inc's WS_FTP Professional version 8.02.
    *Robo-FTP version 3.2
    Please let me know whether this will be possible from our file adapter. Currently, as per this requirement, we open up the port of the XI server for SFTP connectivity, but through this we can have a host-to-host connection over SFTP and I am not sure whether we can connect to the client software and from there to the vendor server.
    Kindly provide your suggestion/solution on this.
    Regards,
    Dhill

    Hi,
    Thank you. Yes, I have used FTPS only; please find below the details given in the communication channel.
    FTP Connection Parameters
    Server: ServerName
    Port : 6366 (specified by vendor)
    Data connection : Passive
    Timeout(secs) : 65
    Connection Security: FTPS (FTP Using SSL/TLS) for Control and Data Connection
    Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
    Keystore: service_ssl
    X-509 Certificate and Private Key: ssl-credentials
    User Name : Vendor user name
    Password: Vendor given password
    Connect Mode: Permanantly
    Transfer Mode: Text
    Maximum Concurrency: 1
    And also, as per the list given by the vendor, we can use *Ipswitch Inc's WS_FTP Professional version 8.02.
    Note: We have deployed the SAP Java Cryptographic Toolkit, and the CA certificate used to sign the server certificate has been added to the TrustedCAs keystore view.
    So if possible I request you to kindly provide the details of how we need to specify the client software between our XI server and the vendor server, as you mentioned in your solution.
    Please let me know your mail id, i will forward the screenshot of my communication channel.
    Kindly appreciate your help on this.
    Regards,
    Dhill.

  • Connect MQ V6.0 from MQ adapter over SSL in BPEL 10g

    Hi All,
    I'm trying to connect to a remote MQ using the MQ Adapter from my BPEL (10g) process. I'm able to deploy the process successfully after adding the jar files in server.xml.
    My process is a poller; it just dequeues the message upon any message arrival.
    But it's not picking up the message in spite of having numerous messages in the queue; in the log it's showing:
    Failed to create QueueManager.
    [ManagedConnectionImpl] Error while creating QueueManager: "MQW1". [Caused by: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'JAVA.BSS_VSS.CLIENT'. [3=JAVA.BSS_VSS.CLIENT]]
    Refer WebSphere MQ Reference Manual for Reason Code 2,397 and fix the cause of the error. Contact oracle support if error is not fixable.
    [Caused by: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'JAVA.BSS_VSS.CLIENT'. [3=JAVA.BSS_VSS.CLIENT]]
    ; nested exception is:
         ORABPEL-12511
    I've got the SSL cipher suite SSL_RSA_WITH_3DES_EDE_CBC_SHA from the client but don't know where to set that property.
    Would anyone let me know the procedures of invoking MQ over SSL in BPEL 10g.
    Thanks in Advance,
    Shreekanta

    I'm looking for the exact property that needs to be set for SSL in the Oracle MQ adapter.
    It would be very helpful if Oracle had some standard docs.

  • Internet Explorer 11 'You are about to leave a secure connection'

    Hi there,
    I work in an IT Dept and we are testing Internet Explorer 11 for our latest build. It seems that when we switch 'Warn if changing between secure and nonsecure mode' off, then webpages are struggling to load.
    When the setting is turned on, then a message is displayed telling me 'You are about to leave a secure connection. It will be possible for others to view information you send. Do you want to continue?'
    It then gives me an option to 'Do not display this again' which basically just turns the aforementioned setting off, and then webpages stop loading again. The webpage is just blank white space, no error, nothing.
    Is this a bug with Internet Explorer 11?

    Hi,
    I made a test in our testing environment and found that if I enable "Enable Enhanced Protected Mode" in IE Advanced settings, this problem is gone.
    Please make a test in your environment. Hope this is helpful.
    Roger Lu
    TechNet Community Support

  • 10g Client connections over SSL

    Hello,
    I have some lightweight applications that need to connect to our 10g server over SSL. Right now, the scripts work fine using the Instantclient (10.2). I was told that the only way to connect over SSL is to have the full Oracle client installed, which I am loathe to do simply because the intent of the scripts is that they are as "light" as possible, though they do need to be encrypted.
    I'm having a hard time believing that my only option for an encrypted connection is the full Oracle client, which is waaaaaay bigger than the scripts that need to connect.
    Can anyone help point me in the right direction?
    Thank you!
    Todd

    To my knowledge, Oracle 10g comes with SSL Required Support Files for Instant Client. But whether that is enough for an SSL connection is another question. Maybe you can get help from the Instant Client forum:
    Instant Client

  • Connecting to Space API Over SSL

    Does anyone know which jdeveloper keystore is used for trusted certs when connecting to the Spaces API? I've added my trusted CAs to every keystore that I can find but I still can't connect.
    I'm getting the all too familiar "Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" each time.

    It's simple: I'm trying to connect to the Spaces API over https (https://host/webcenter/SpacesWebService) instead of http (http://host/webcenter/SpacesWebService), and when I do, I'm getting the "javax.net.ssl.SSLHandshakeException" error. So where do I need to put the trusted CA cert?

  • HT201302 Even though there are over 200 photos on my ipad, after trying both methods of importing and connecting with a lead, a message appears saying that there are no photos on this device. Any ideas?

    Even though there are over 200 photos on my ipad, after trying both methods of importing and connecting with a lead, a message appears saying that there are no photos on this device. Any ideas?

    Did you connect your iPad to your computer then open the application on your computer that transfers photos from a camera? Your computer should recognize the iPad as a camera. All photos in the Camera Roll on the iPad should then be seen and you should be able to copy them to the computer using that application.
    Photos that were synced to your iPad by connecting to your syncing computer cannot be copied back this way as the master file for those photos are on the syncing computer.

  • Server cannot be connected over ssl

    Installed a self-signed certificate on the Messaging Server, and started up the messaging server with SSL.
    "netstat" shows port 993 is idle, but it seems I cannot connect to it.
    The messaging server was running on a standalone machine, not connected to a network.
    Does ssl require connections over the network?
    Thanks!

    > Installed self-signed certificate on the Messaging Server. And started up the messaging server with ssl.
    "Started the messaging server with ssl". Means what?
    Did you make the configutil settings to turn any of the ssl functions on?
    Did you edit the sslpassword.conf file to add the password for the certificate database?
    Did you make a typo? The default name of the cert is "Server-Cert". "server-cert" is not the same, as it's case sensitive.
    Did you examine any of the logs and see errors on the restart?
    I don't even know what version Messaging you're running. Frankly, you've a whole bunch of homework to do before I can be much help.
    jay
