Connecting to Space API Over SSL

Does anyone know which jdeveloper keystore is used for trusted certs when connecting to the Spaces API? I've added my trusted CAs to every keystore that I can find but I still can't connect.
I'm getting the all too familiar "Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" each time.

It's simple, I'm trying to connect to spaces API over https(https://host/webcenter/SpacesWebService) instead of http(http://host/webcenter/SpacesWebService), and when I do, I'm getting the "javax.net.ssl.SSLHandshakeException" error. So where to I need to put the trustedcacert?

Similar Messages

Web service client behind a proxy server connecting to web service over SSL

Hi Friends,
A web service is exposed by an external system over SSL. We are behind a proxy server and are trying to get connected to web service over SSL. 
We are getting the following error on the test browser of workshop
External Service Failure: FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters.
the whole trace is 
JDIProxy attached
<Sep 24, 2005 9:27:25 AM EDT> <Warning> <WLW> <000000> <Id=creditCheckCtrl:salesExpertServiceControl; Method=creditcheckcontr
ol.SalesExpertServiceControl.doCreditVerification(); Failure=com.bea.control.ServiceControlException: SERVICE FAULT:
Code:javax.net.ssl.SSLHandshakeException
String:FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters
Detail:
END SERVICE FAULT>
<Sep 24, 2005 9:27:26 AM EDT> <Warning> <WLW> <000000> <Id=creditCheckCtrl; Method=creditcheckcontrol.CreditCheck.testCreditC
heck(); Failure=com.bea.control.ServiceControlException: SERVICE FAULT:
Code:javax.net.ssl.SSLHandshakeException
String:FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters
Detail:
END SERVICE FAULT [ServiceException]>
<Sep 24, 2005 9:27:26 AM EDT> <Warning> <WLW> <000000> <Id=top-level; Method=processes.CreditCheck_wf.$__clientRequest(); Fai
lure=com.bea.wli.bpm.runtime.UnhandledProcessException: Unhandled process exception [ServiceException]>
<Sep 24, 2005 9:27:26 AM EDT> <Error> <WLW> <000000> <Failure=com.bea.wli.bpm.runtime.UnhandledProcessException: Unhandled pr
ocess exception [ServiceException]>
I am not able to make out what could be possibly wrong. Please let me know if you guys have any ideas about how to resolve it.
Thanks
Sridhar

did you resolve this problem. I am looking at the same issue. If you did I would really appreciate your response.
Thanks.

Cannot find api to implement RIDC connect WebCenter Content Server over SSL

Hi WebCenter Content team,
I find the following sample code from http://docs.oracle.com/cd/E23943_01/doc.1111/e10807/c23_ridc.htm#BJFIHEHI
Example 23-6 IDC Protocol over SSL
+// build a secure IDC client as cast to specific type+
IntradocClient idcClient = (IntradocClient)
manager.createClient("idcs://localhost:4443");
+// set the SSL socket options+
config.setKeystoreFile("ketstore/client_keystore"); //location of keystore file
config.setKeystorePassword ("password"); // keystore password
config.setKeystoreAlias("SecureClient"); //keystore alias
config.setKeystoreAliasPassword("password"); //password for keystore alias
I downloaded RIDC package from Individual Component Downloads in http://www.oracle.com/technetwork/middleware/webcenter/content/downloads/index.html.
But cannot find the above methods in IdcClientConfig and its subclasses. For example, cannot compile the following code.
IdcClientConfig config = idcClient.getConfig();
config.setKeystoreFile("ketstore/client_keystore"); // no such method
Could you please give a correct example.
Thanks a lot.

Most likely the port. RIDC listens usually at 4444, 16200 is the port for browser-based communication.

Connecting to a remote OpenLDAP server over SSL.

I've been trying for several weeks now to get a remote OpenLDAP server up and running; configured in such a way that it only allows SSL and requires certificate validation.
I've created a CA with a self-signed certificate.
I used that CA to create a server and client certificate.
The server certificate is in /etc/ssl/certs, has a link by the name of its hash.0 pointing to it; permissions are all correct and /etc/ssl/slapd.conf point to it and the CA certificate.
The client certificate is on my MacBook Pro in /etc/ssl/certs along with the CA certificate; each of which also has its hash linked to it. /etc/ssl/ldap.conf is set up properly, the permissions are correct, and the following test command ran as my user produces a successful result:
ldapsearch -v -x -H ldaps://ldap.foo.org -b "dc=foo,dc=org" -d -1
Now the problem part. I open Directory Utility; go to Services with Advanced Settings enabled. After unlocking it, I click the LDAPv3 and the pencil icon.
I hit New... in the window that pops up and use ldap.foo.org as servername, SSL box ticked. I hit Continue, and behold; nothing happens.
It is to say; Directory Utility hangs for a while; after which it goes back to the box I clicked Continue in without any error or warning popping up; but obviously hasn't advanced.
The server logs indicate my Mac had actually connected; received the server certificate; but didn't send a client certificate at which point the TLS connection got aborted for some reason and the session ended.
My Mac Console shows something even more bizare, though:
11/09/08 23:09:22 com.apple.DirectoryServices[97123] Assertion failed: (ld != NULL), function ldapsearchext, file search.c, line 76.
My suspicion is that Directory Utility can't verify the server certificate and aborts the TLS connection. I expect it also uses /etc/openldap/ldap.conf? How can I diagnose the root of this problem?
Thanks a lot for your assistance; I just can't figure this out and any hint or pointer would be greatly appreciated. It now just looks like OSX does not support a secure LDAP over SSL configuration.
Though it currently isn't set up to be that way, I'd like to have my client also provide a certificate (CN=lhunath.foo.org) and have the server validate that. For now I've got the server set to:
TLSVerifyClient never
(And of course, the client:)
TLS_REQCERT demand
Message was edited by: lhunath

By the way; about the assertion error I get in Console; here's the relevant source of ldap.c. Looks like ld is not set; probably something going wrong before that with setting up the TLS connection, perhaps? Or not?
* ldapsearchext - initiate an ldap search operation.
* Parameters:
* ld LDAP descriptor
int
ldapsearchext(
LDAP *ld,
assert( ld != NULL );

FTP over SSL connectivity in File Adapter

Hi All,
I request your suggestion on my problem. I have a scenario idoc to file where I am connecting to my vendor server throught SFTP (Ftp over SSL). In this my vendor specifically told that to obtain secure FTP connectivity to their server they require a pre-approved Secure FTP client be used to access the service.
So as per this requirement first our XI server need to coneect to the pre-approved client and the connectivity will happen to the vender server. He list the pre-approved client as below
*Cleo Lexicom 2.1
*TrailBlazer ZMOD FTP Client V3R1 PTF Level PFT3100034
*QualEDI for Windows, 32-bit version
*Ascential DataStage TX, Release 7.5
*Future 3 - Advanced Communication Module Plus (ACM Plus)
*eBridge FTPS Communicator for GXS version 5.3
*Ipswitch Inc's WS_FTP Professional version 8.02.
·Robo-FTP version 3.2
Please let me know will this be possible from our file adapter. Currently as per this requirement we open up the port of XI server for SFTP connecvity but through this we can have host to host connection over SFTP and not sure whether we can connect to client software and from their to vendor sever.
Kindly needful your suggestion/solution on this.
Regards,
Dhill

Hi,
Thank you, Yes I have used FTPS only please find the below details given in the communication channel.
FTP Connection Parameters
Server: ServerName
Port : 6366 (specified by vendor)
Data connection : Passive
Timeout(secs) : 65
Connection Security: FTPS (FTP Using SSL/TLS) for Control and Data Connection
Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
Keystore: service_ssl
X-509 Certificate and Private Key: ssl-credentials
User Name : Vendor user name
Password: Vendor given password
Connect Mode: Permanantly
Transfer Mode: Text
Maximum Concurrency: 1
and also as per he list given by vendeor we can use *Ipswitch Inc's WS_FTP Professional version 8.02.
Note: We have Deploying the SAP Java Cryptographic Toolkit and also CA certificate used to sign the server certificate added to the TrustedCAs keystore view.
So If possible i request you to kindly provide the details how we need to specify the client software between our XI server and Vender server as you mentioned in your solution.
Please let me know your mail id, i will forward the screenshot of my communication channel.
Kindly appreciate your help on this.
Regards,
Dhill.

Connect MQ V6.0 from MQ adapter over SSL in BPEL 10g

Hi All,
I'm trying to connect to a remote MQ using MQ Adapter from my BPEL(10g) process. I'm able to deploy the process successfully after adding the jars file in server.xml.
My process is a poller one it just dequeue the message upon any message arrival.
But its not picking up the message in spite of having numerous message in queue,in log its showing ,
Failed to create QueueManager.
+[ManagedConnectionImpl] Error while creating QueueManager: "MQW1". [Caused by: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'JAVA.BSS_VSS.CLIENT'. [3=JAVA.BSS_VSS.CLIENT]]+
Refer WebSphere MQ Reference Manual for Reason Code 2,397 and fix the cause of the error. Contact oracle support if error is not fixable.
+[Caused by: CC=2;RC=2397;AMQ9641: *Remote CipherSpec error for channel* 'JAVA.BSS_VSS.CLIENT'. [3=JAVA.BSS_VSS.CLIENT]]+
+; nested exception is:+
+ ORABPEL-12511+
I've got the SSL Cipher suite =SSL_RSA_WITH_3DES_EDE_CBC_SHA from client but don't know where to set that property.
Would anyone let me know the procedures of invoking MQ over SSL in BPEL 10g.
Thanks in Advance,
Shreekanta

I'm looking for exact property need to be set for SSL in Oracle MQ adapter.
It would be very helpful if Oracle have some standard docs.

10g Client connections over SSL

Hello,
I have some lightweight applications that need to connect to our 10g server over SSL. Right now, the scripts work fine using the Instantclient (10.2). I was told that the only way to connect over SSL is to have the full Oracle client installed, which I am loathe to do simply because the intent of the scripts is that they are as "light" as possible, though they do need to be encrypted.
I'm having a hard time believing that my only option for an encrypted connection is the full Oracle client, which is waaaaaay bigger than the scripts that need to connect.
Can anyone help point me in the right direction?
Thank you!
Todd

To my knowledge, Oracle 10g comes with SSL Required Support Files for Instant Client. But whether that is enough for SSL connection, is another question. May be you can get help form the Instant Client Forum
Instant Client

Dreamweaver (on Windows 7) wont connect to IIS (v7) Server using "FTP over SSL/TLS..."

I am evauating wether to purchase Dreamweaver CS6...
Dreamweaver CS6 trial (on Windows 7) wont connect to IIS (v7) Server using "FTP over SSL/TLS (explicit encryption)". I have a NEW Godaddy SSL certificate installed on the IIS server.
On connecting Dreamweaver states: "Server Certificate has expired or contains invalid data"
I have tried:
-ALL the Dreamweaver Server setup options
-Using multiple certificates (tried 2048 bit and 4096 bit Godaddy SSL certificates)
-Made sure the certificate 'issued to' domain name matches my domain name.
I am able to connect no problem using Filezilla, with equivalent Filezilla setting "Require explicit FTP over TLS". I can also connect fine using Microsoft Expression web.

Thanks for your prompt reply.
My comments:
1) You should update your tread (forums.adobe.com/thread/889530) to reflect that it still occurs on CS6 (I had already read it but figured it was an old tread and thus should be fixed by now).
2) You said “These warnings will also pop up for your users if you have a store saying the SSL certificate does not match the domain/ip and this can make users checking out in a storefront very nervous” . This does not seem to be correct – my https pages display properly using the same Godaddy certificate … using IE:
3) Godaddy is not my host (I use Amazon AWS) – but the SSL certificate is from them.

Trying to connect to an AD LDAP over SSL via OPEN_SSL

Hello,
We are getting the error below when we attempt to run this code. Any ideas? Does this point to an incorrectly configured wallet and/or certificate?
DECLARE
BEGIN
l_session := DBMS_LDAP.init ( hostname => l_ldap_host_in, portnum => l_ldap_port_in );
l_retval := DBMS_LDAP.OPEN_SSL(l_session, owallet_loc, owallet_pwd, 2); -- Over SSL
l_retval := DBMS_LDAP.simple_bind_s ( ld => l_session, dn => l_ldap_dn_in, passwd => l_ldap_password_in );
l_retval := DBMS_LDAP.unbind_s(l_session);
END;
Error report:
ORA-31202: DBMS_LDAP: LDAP client/server error: UnKnown Error Encountered
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
ORA-06512: at "SYS.DBMS_LDAP", line 1457
ORA-06512: at "SYS.DBMS_LDAP", line 1234
ORA-06512: at line 21
31202. 00000 - "DBMS_LDAP: LDAP client/server error: %s"
*Cause: There is a problem either on the LDAP server or on the client.
*Action: Please report this error to the LDAP server administrator or
your Database administrator.
Any help will be greatly appreciated! Thank you,
Alex.

We had never tried this before. I'm the Programmer trying to make the code work. I found this other thread Google'ing https://kr.forums.oracle.com/forums/thread.jspa?threadID=494022&start=15&tstart=0 and asked our Network Admin and our DBA to follow steps 1 and 2 and provide location to the wallet and password when they were done, which they did.
Now I'm testing the code and getting that error. I was about to report it to them, but I thought I should try and help by providing a possible fix, or maybe the code is the problem?
Alex.
Edited by: alarzabal on Dec 7, 2011 6:24 PM

Help with SQL over SSL

I'm running into a problem with configuring SQL over SSL on a SQL 2005 server. Hoping someone can tell me what I'm doing wrong....
Setup:
-Windows Server 2003
-SQL 2005
-Certificate from Thawte - Proper one for server authentication
-SQL Service runs under Administrator
Here's what I've done so far:
1. A Certificate has been purchased from Thawte, with the FQDN of "servera.domain.com" (to match the external DNS name of the SQL server)
2. I have provisioned the certificate on the server, by using the Certificates MMC to import the .CER file from Thawte into the Computer store (tried user store also, for kicks - didn't help)
3. Went into SQL Configuration Manager, which doesn't show the certificate (Certificate field is blank)
3a. Found a workaround, which was to add the certificate's thumbprint (cert hash) without spaces to the certificate value under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.x\MSSQLServer\SuperSocketNetLib" registry key.
At this point, I try to start the SQL service and it starts and then stops. An error appears in the event log - Event ID # 26014 - "Unable to load user-specified certificate. The server will not accept a connection. You should verify that the certificate is correctly installed".
I looked at the Microsoft's certificate requirements for SQL Server 2005 to load a SSL certificate. The cert meets all of the criteria, but the subject property of the certificate is making me wonder.... The requirement is for the subject property to "indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer". The CN of the cert is "servera.domain.com", in order for it to match the internet DNS record, but the server name is "servera.internal.local". Could SQL be refusing to use the cert due to the CN being a bit off? This is the only thing I can think of, but not sure how one would get around this issue without naming the server the external DNS name (not generally recommended).
Any ideas?
Thanks very much,
Vishnu

I have not run into this, but have only worked with this in a test environment sith self signed certs.
Try registering the cert using httpcfg, see the below link for more details:
http://technet2.microsoft.com/windowsserver/en/library/e17527d2-105a-451f-8e3f-d515479527011033.mspx?mfr=true
Also assure that the certificate meets:
The certificate must be in either the local computer certificate store or the current user certificate store.
The current system time must be after the Valid from property of the certificate and before the Valid to property of the certificate.
The certificate must be meant for server authentication. This requires the Enhanced Key Usage property of the certificate to specify Server Authentication (1.3.6.1.5.5.7.3.1).
The certificate must be created by using the KeySpec option of AT_KEYEXCHANGE. Usually, the certificate's key usage property (KEY_USAGE) will also include key encipherment (CERT_KEY_ENCIPHERMENT_KEY_USAGE).
The Subject property of the certificate must indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer. If SQL Server is running on a failover cluster, the common name must match the host name or FQDN of the virtual server and the certificates must be provisioned on all nodes in the failover cluster.

PRoblem In Sending Mail OVER SSL

HI All,
I am using java mail api to send email using gmail smtp server address.And my application is running over SSL.
My Client is running in tomcat application and server side code is in Jboss.
I have written a code to send email and that code is der in client side , i mean in tomcat.
I am getting one error given below::
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExc
eption: PKIX path building failed: sun.security.provider.certpath.SunCertPathBui
lderException: unable to find valid certification path to requested target
And given below my code ::
Properties props = new Properties();
System.out.println("Inside simple mail");
props.setProperty("mail.transport.protocol","smtp");
props.setProperty("mail.smtp.host","smtp.gmail.com");
System.out.println("Port is set");
props.setProperty("mail.user","xxxx");
props.setProperty("mail.password","xxxx");
props.put("mail.smtp.auth","true");
*// props.put("mail.smtp.ssl.enable","true");*
props.put("mail.smtp.starttls.enable","true");
*// props.put("mail.smtp.socketFactory.class","javax.net.ssl.SSLSocketFactory");*
MailSSLSocketFactory sf = new MailSSLSocketFactory();
*     sf.setTrustAllHosts(true);*
*     props.put("mail.smtp.ssl.socketFactory", sf);*
*     BasicAuthenticator auth = new BasicAuthenticator();      *
*     auth.getPasswordAuthentication();*
Session mailSession = Session.getDefaultInstance(props, auth);
mailSession.setDebug(true);
MimeMessage message = new MimeMessage(mailSession);
message.setSubject("Testing javamail plain");
message.setContent("This is a test", "text/plain");
*// message.setFrom(new InternetAddress())*
message.addRecipient(Message.RecipientType.TO,
new InternetAddress(pToMailId));
Address add = new InternetAddress("xxxx");
message.setFrom(add);
System.out.println("Before connect");
Transport.send(message);
Can anyone help me out on this...
Thanks in advance...
Regards
Deba

Hi Thanks for the response...
once again i ve tried but same problem...
my code is below ::
String host = "smtp.gmail.com";
               String username = "[email protected]";
               String password = "xxxx";
               Properties props = new Properties();
               props.put("mail.smtp.auth", "true");
               props.put("mail.smtp.starttls.enable", "true");
               props.put("mail.smtp.host", "smtp.gmail.com");
               props.put("mail.transport.protocol", "smtp");
               props.put("mail.smtp.auth", "true");
               BasicAuthenticator auth = new BasicAuthenticator();
               PasswordAuthentication lPasswordAuthentication = auth.getPasswordAuthentication();
               Session session = Session.getDefaultInstance(props, auth);
               session.setDebug(true);
               Message msg = new MimeMessage(session);
               InternetAddress addressFrom = new InternetAddress("[email protected]");
               msg.setFrom(addressFrom);
               InternetAddress addressTo = new InternetAddress(pToMailId);
               msg.addRecipient(Message.RecipientType.TO, addressTo);
               msg.setSubject("subject");
               msg.setContent("message", "text/html");
               Transport.send(msg);

How to set up iPhone 5 iOS 6 email with IMAP over SSL on a custom port?

Basically I have the same problem as this guy 5 years ago but the thread contained no useful answer. Maybe there are people out there who became smarter in the meantime? Please help me out how to get my iPhone read emails via IMAP over SSL on a custom port to the corporate server. The issue is that the iPhone only seems to work if you use the standard 993 port for IMAPS, not with a custom port as we have. I've installed the corporate root certificate in a profile, and it shows up as trusted and verified in the phone, so that should not be the issue. The mail app in the iPhone tries to connect, I can verify that from the server, but then does nothing, doesn't try to authenticate, doesn't log out, nothing is going on, and then drops the connection after 60 seconds. Repeats this every 5 minutes (as set to fetch e-mail every 5 minutes.)
Original thread 5 years ago: https://discussions.apple.com/message/8104869#8104869

Solved it by some (a lot) of fiddling.
Turns out it's not a bug in the iPhone, it's a feature.
Here's how to make it work.
DOVECOT
If the IMAPS port is anything other than 933 (the traditional IMAPS port) the iPhone's Mail App takes the "Use SSL" setting on the IMAP server as 'TLS', meaning it starts the communication in plain text and then issues (tries to issue) the STARTTLS command to switch the connection to encrypted. If, however, Dovecot is set up to start right away in encrypted mode, the two cannot talk to each other. For whatever reason neither the server nor the client realizes the connection is broken and only a timeout ends their misery.
More explanation about SSL/TLS in the Dovecot wiki: http://wiki2.dovecot.org/SSL
So to make this work, you have to set Dovecot the following way. (Fyi, I run Dovecot 2.0.19, versions 1.* have a somewhat different config parameters list.)
1. In the /etc/dovecot/conf.d/10-master.conf file make sure you specify the inet_listener imap and disable (set its port to 0) for imaps like this:
service imap-login {
inet_listener imap {
    port = --your port # here--
inet_listener imaps {
    port = 0
    ssl = yes
This of course enables unencrypted imap for all hackers of the universe so you quickly need to also do the things below.
2. In the /etc/dovecot/conf.d/10-ssl.conf file, make sure you set (uncomment) the following:
ssl = required
This sets Dovecot to only serve content to the client after a STARTTLS command was issued and the connection is already encrypted.
3. In /etc/dovecot/conf.d/10-auth.conf set
disable_plaintext_auth = yes
This prevents plain text password authentication before encryption (TLS) is turned on. If you have also set ssl=required as per step 2, that will prevent all other kinds of authentications too on an unencrypted connection.
When debugging this, please note that if you connect from localhost (the same machine the server runs on) disable_plaintext_auth=yes has no effect, as localhost is considered secure. You have to connect from a remote machine to make sure plain text authentication is disabled.
Don't forget service dovecot restart.
To test if your setup works as it's supposed to, issue the following (green) from a remote machine (not localhost) (I'm using Ubuntu, but telnet and openssl is available for almost all platforms) and make sure Dovecot responds with something like below (purple):
telnet your.host.name.here yourimapsportnumber
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
Most importantly, make sure you see 'STARTTLS' and 'LOGINDISABLED'. Then issue STARTTLS and hopefully you see something like this:
a STARTTLS
a OK Begin TLS negotiation now.
(The 'a' in front of STARTTLS is not a typo, a prefix is required by the IMAP server in front of all commands.)
Close the telnet (with 'a logout' or Ctrl+C) and you can use openssl to further investigate as you would otherwise; at the end of a lot of output including the certificate chain you should see a line similar to the one below:
openssl s_client -starttls imap -connect your.domain.name.here:yourimapsportnumber
. OK Pre-login capabilities listed, post-login capabilities have more.
You can then use the capability command to look for what authentication methods are available, if you see AUTH=PLAIN, you can then issue a login command (it's already under an encrypted connection), and if it's successful ("a OK Logged in"), then most likely your iPhone will be able to connect to Dovecot as well.
a capability
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
a login username password
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
a OK Logged in
POSTFIX
Likewise, you have to set Postfix to wait for STARTTLS before encrypting the communication.
1. You have to delete the setting smtpd_tls_wrappermode=yes from /etc/postfix/master.cf and/or /etc/postfix/main.cf, if it was enabled. This will mean Outlook won't be able to connect any more because it requires a TSL connection without issuing STARTTLS as per Postfix documentation (haven't tested.) In my case we don't use Outlook so I didn't care. Outlook + iPhone + custom SMTPS port are simply not possible together at the same time as far as I understand. Pick one to sacrifice.
2. Require encrypted (TLS) mode for any data transfer in /etc/postfix/main.cf:
smtpd_tls_security_level = encrypt
3. Authentication should only happen while already in encrypted (TLS) mode, so set in /etc/postfix/main.cf:
smtpd_tls_auth_only = yes
Don't forget postfix reload.
To test if this works, issue the following telnet and wait for the server's greeting:
telnet your.host.name.here yoursmtpsportnumber
220 your.host.name ESMTP Postfix (Ubuntu)
Then type in the EHLO and make sure the list of options contains STARTTLS and does not include an AUTH line (that would mean unencrypted authentication is available):
ehlo your.host.name.here
250-STARTTLS
Then issue starttls and wait for the server's confirmation:
starttls
220 2.0.0 Ready to start TLS
Once again, it's time to use openssl for further testing, detailed info here http://qmail.jms1.net/test-auth.shtml
CERTIFICATES
You also need to be aware that iOS is somewhat particular when it comes to certificates. First of all, you have to make sure to set the following extensions on your root certificate (probably in the [ v3_ca ] section in your /etc/ssl/openssl.cnf, depending on your openssl setup), especially the 'critical' keyword:
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
And then on the certificate you sign for your mail server, set the following, probably in the [ usr_cert ] section of /etc/ssl/openssl.cnf:
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = DNS:your.domain.name.here
issuerAltName=issuer:copy
Please note, the above are results of extensive google-ing and trial and error, so maybe you can omit some of the stuff above and it still works. When it started working for me, I stopped experimenting because figuring this all out already took way too much time. The iPhone is horribly undocumented when it comes to details of its peculiar behaviors. If you experiment more and have more accurate information, please feel free to post here as a reply to this message.
You have to import your root certificate into your iPhone embedded in a profile via the iPhone Configuration Utility (free, but only available in Windows or a Mac; details here: http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to- ios-ipad-iphone/ ), after having first added it to Windows' certificate store as a trusted root certificate. This way the Utility will sign your certificate for the phone and it becomes usable; if you just add it from the phone it will be there but won't be used. Using a profile has the added benefit of being able to configure mail settings in it too, and that saves a lot of time when you have to install, remove, reconfigure, install again, etc. a million times until it works.
Another undocumented constraint is that the key size is limited to a max of 4096. You can actually install a root certificate with a larger key, the iPhone Configuration Utility will do that for you without a word. The only suspicious thing is that on the confirmation screen shown on your iPhone when you install the profile you don't get the text "Root Certificate/ Installing the certificate will add it to the list of trusted certificates on your iPhone" in addition to your own custom prompt set up in the iPhone Configuration Utility. The missing additional text is your sign of trouble! - but how would know that before you saw it working once? In any case, if you force the big key certificate on the device, then when you open the Mail App, it opens up and then crashes immediately. Again, without a word. Supposedly Apple implemented this limit on the request of the US Government, read more here if you're interested: http://blogs.microsoft.co.il/blogs/kamtec1/archive/2012/10/13/limitation-of-appl e-devices-iphone-ipad-etc-on-rsa-key-size-bit.aspx .
IN CLOSING...
With all this, you can read and send email from your iPhone.
Don't forget to set all your other clients (Thunderbird, Claws, etc.) to also use STARTTLS instead of SSL, otherwise they won't be able to connect after the changes above.

How can i execute Spaces API in java main class?

Hi
I am able to execute Spaces API through portal application. However if i try to execute it in java main class, its throwing an exception
"SEVERE: java.io.FileNotFoundException: .\config\jps-config.xml (The system cannot find the path specified)"
oracle.wsm.common.sdk.WSMException: WSM-00145 : Keystore location or path can not be null or empty; it must be configured through JPS configuration or policy configuration override.
How can i set this path, so that i can execute Spaces API from java main class.
Need this main class to configure in cron job, to schedule a task.
Regards
Raj

Hi Daniel
Currently i have implemented create functionality in my portal application using Spaces API, which is working fine. Now the requirement is, i need to implement a "Cron Job" to schedule a task, which will execute to create space(for example once in a week). Cron job will execute only the main method. So I have created java main class, in which I have used Spaces API to perform create space operation. Then it was giving exception.
Later I understood the reason, as I am executing the Space API with a simple JSE client, its failing since a simple java program has no idea of default-keystore.jks, jps-config.xml, Security Policy. Hence i have included those details in main class. Now I am getting new error,
SEVERE: WSM-06303 The method "registerListener" was not called with required permission "oracle.wsm.policyaccess"
For your reference i have attached the code below, please help. How can i use Spaces API in java main method(i mean public static void main(String[] args) by giving all required information.
 public static void main(String[] args) throws InstantiationException,
 GroupSpaceWSException,
 SpacesException {
 Class2 class2 = new Class2();
 GroupSpaceWSContext context = new GroupSpaceWSContext();
 FactoryFinder.init(null);
 context.setEndPoint("http://10.161.226.30/webcenter/SpacesWebService");
 context.setSamlIssuerName("www.oracle.com");
 context.setRecipientKeyAlias("orakey");
 Properties systemProps = System.getProperties();
 systemProps.put("java.security.policy","oracle/wss11_saml_or_username_token_with_message_protection_client_policy");
 systemProps.put("javax.net.ssl.trustStore","C:\\Oracle\\Middleware11.1.7\\wlserver_10.3\\server\\lib\\cacerts.jks");
systemProps.put("oracle.security.jps.config","C:\\Oracle\\Middleware11.1.7\\user_projects\\domains\\workspace\\system11.1.1.7.40.64.93\\DefaultDomain\\config\\fmwconfig\\jps-config.xml");
 systemProps.put("javax.net.ssl.keyStore",C:\\Oracle\\Middleware11.1.7\\user_projects\\domains\\workspace\\system11.1.1.7.40.64.93\\DefaultDomain\\config\\fmwconfig\\consumer.jks");
 systemProps.put("javax.net.ssl.keyStorePassword", "Test12");
 System.setProperties(systemProps);
 GroupSpaceWSClient groupSpaceWSClient;
 try {
 groupSpaceWSClient = new GroupSpaceWSClient(context);
 System.out.println("URL: " +
 groupSpaceWSClient.getWebCenterSpacesURL());
 //delete the Space
 List<String> groupSpaces = groupSpaceWSClient.getGroupSpaces(null);
 System.out.println("GroupSpaces:: " + groupSpaces.size());
 } catch (Exception e) {
Regards
Raj

[solved] Owncloud over SSL: http works, but over https only apache

Hello,
I try to setup owncloud with SSL.
Accessing over http works, but over https, I reach the default apache page instead of the owncloud page.
(I set up SSL according to https://wiki.archlinux.org/index.php/LAMP#SSL )
How could I make the owncloud site available over https?
relevant files:
owncloud.conf:
<IfModule mod_alias.c>
Alias /owncloud /usr/share/webapps/owncloud/
</IfModule>
<Directory /usr/share/webapps/owncloud/>
Options FollowSymlinks
Require all granted
php_admin_value open_basedir "/srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/owncloud/:/etc/webapps/owncloud/:/mt/daten/owncloud/"
</Directory>
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /usr/share/webapps/owncloud
ServerName http://example.com/owncloud
</VirtualHost>
I tried to change 80 to 443, but then, systemctl restart httpd didn't work. (apache failed)
httpd.conf:
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
ServerRoot "/etc/httpd"
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
# Mutex default:/run/httpd
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#Listen 12.34.56.78:80
Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>
# Dynamic Shared Object (DSO) Support
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
# Example:
# LoadModule foo_module modules/mod_foo.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_form_module modules/mod_auth_form.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
#LoadModule watchdog_module modules/mod_watchdog.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule data_module modules/mod_data.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule request_module modules/mod_request.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
#LoadModule reflector_module modules/mod_reflector.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule deflate_module modules/mod_deflate.so
#LoadModule xml2enc_module modules/mod_xml2enc.so
#LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule mime_module modules/mod_mime.so
#LoadModule ldap_module modules/mod_ldap.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule lua_module modules/mod_lua.so
LoadModule env_module modules/mod_env.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
#LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule remoteip_module modules/mod_remoteip.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_crypto_module modules/mod_session_crypto.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule dialup_module modules/mod_dialup.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
#LoadModule suexec_module modules/mod_suexec.so
#LoadModule cgid_module modules/mod_cgid.so
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#LoadModule imagemap_module modules/mod_imagemap.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so
#own additions:
LoadModule php5_module modules/libphp5.so
<IfModule unixd_module>
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User http
Group http
</IfModule>
# 'Main' server configuration
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. [email protected]
ServerAdmin [email protected]
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
# If your host doesn't have a registered DNS name, enter its IP address here.
#ServerName www.example.com:80
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
<Directory />
Options FollowSymLinks
AllowOverride none
Require all denied
</Directory>
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/srv/http"
<Directory "/srv/http">
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
Options Indexes FollowSymLinks
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
AllowOverride None
# Controls who can get stuff from this server.
Require all granted
</Directory>
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ".ht*">
Require all denied
</Files>
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog "/var/log/httpd/error_log"
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
<IfModule log_config_module>
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
CustomLog "/var/log/httpd/access_log" common
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#CustomLog "/var/log/httpd/access_log" combined
</IfModule>
<IfModule alias_module>
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
</IfModule>
<IfModule cgid_module>
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#Scriptsock cgisock
</IfModule>
# "/srv/http/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory "/srv/http/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
TypesConfig conf/mime.types
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#AddType application/x-gzip .tgz
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
# Filters allow you to process content before it is sent to the client.
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#EnableMMAP off
#EnableSendfile on
# Supplemental configuration
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf
# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
Include conf/extra/httpd-autoindex.conf
# Language settings
Include conf/extra/httpd-languages.conf
# User home directories
Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
Include conf/extra/httpd-default.conf
# Include owncloud
Include /etc/httpd/conf/extra/owncloud.conf
Include conf/extra/php5_module.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# uncomment out the below to deal with user agents that deliberately
# violate open standards by misusing DNT (DNT *must* be a specific
# end-user choice)
#<IfModule setenvif_module>
#BrowserMatch "MSIE 10.0;" bad_DNT
#</IfModule>
#<IfModule headers_module>
#RequestHeader unset DNT env=bad_DNT
#</IfModule>
thanks!
Last edited by Carl Karl (2014-05-06 07:40:53)

OK, solved.
What I made wrong:
https://localhost leads to the apache page
https://localhost/owncloud leads to the owncloud page.
(Just as an information if there are other apache noobs like me...)

BAD_CERTIFICATE error calling a web service over SSL in ALSB 2.6

We have a business service on an ALSB 2.6 server (running on WL 9.2.1) that connects to a web service over SSL. When we try to run it, we get the following exception:
<Sep 17, 2009 7:49:17 AM PDT> <Error> <ALSB Kernel> <BEA-380001> <Exception on TransportManagerImpl.sendMessageToService, com.bea.
wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
com.bea.wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.bea.wli.sb.transports.TransportException.newInstance(TransportException.java:146)
at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOu
tboundMessageContext.java:310)
at com.bea.wli.sb.transports.http.HttpsTransportProvider.sendMessageAsync(HttpsTransportProvider.java:435)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
Truncated. see log file for complete stacktrace
This exception only occurs when hitting the web service through the bus. I have written a standalone Java application that posts to the web service and it works fine. I ran the application on the server where the ALSB is running using the same jdk (1.5.0_06 - the version that ships with 9.2.1) and the same cacerts file so I know it's not a problem with the certificate not being trusted. I have tried updating the cacerts file to the latest one distributed with JRE 1.6 and it still doesn't work.
After 8 hours of troubleshooting, I'm out of ideas. Does anyone have any suggestiosn?
Thanks.
Matt
Edited by: user6946981 on Sep 17, 2009 7:58 AM

Are you sure that your standalone application is using the same keystore (eg. cacert)? Default WebLogic configuration uses different keystore (demo).
I saw BAD_CERTIFICATE error only once and the cause was in keytool that somehow corrupted certificate during import. Deleting and importing certificate again helped me, but I doubt you have the same problem as your standalone application works.
Another idea ... Is hostname varification used? I know that the error message would look different if this was the cause, but try to add this parameter to your weblogic startup script: -Dweblogic.security.SSL.ignoreHostnameVerification=true
Last but not least, there is difference between your standalone application and ALSB runtime as WebLogic uses Certicom SSL provider. If you don't find the reason, contact Oracle support. Maybe they can help you to tweak Certicom provider in some way.

Connecting to Space API Over SSL

Similar Messages

Maybe you are looking for