CSS - AVS implementation with SSL

Hi,
We are trying to design a solution with 2x CSSs 11501 and 2x AVS3120. The requirement is all the way SSL and cookie stickiness. Also, CSS will have to do URL rewriting from http to https.Is there a samle configuration for this kind of configuration? Will the CSS have to terminate SSL from client to AVS and then re-encrypt, terminate SSL from AVS to server and vice versa?

Hi Scott,
Do you have a showtech of the CSS with the previous configuration???
Cesar R

Similar Messages

Problem with SSL Activated on SSO Login

Hi Guys,
One of my applications has recently hit a few problems when SSL was activated on several environments. My application requires you to login using a SSO username and password before you can use the application. Before SSL was implemented, when you pressed the main menu button the page would redirect to the login server and the SSO login would remember your details and log you in again and then take you to the 1st page with a new session id. However, with SSL implemented, when the main menu button is pressed it redirects you to the login server but this time it asks you to enter your username and password. This is a problem as every time authentication is required on my application, it will keep telling you to login even if you have already done so before.
For extra information, the main menu button (which is a navigation bar entry) redirects you to a piece of javascript which is used to take you back to the 1st page depending on what page you are on.
I am also using the latest version of APEX.
Any help is much appreciated as I am not sure where to go with this problem.
Also is it a problem with the SSL setup or my application?
Thanks
-Mark

I have tried to pass the cookie through the URL to the login server but this does nothing.I can't imagine what you mean by that or what exactly you did.
it just takes me to the login page and resets the session id after i have logged in again!What do you mean by "reset"?
How can I make cookies be accepted by SSL?Have you constructed an experiment to prove that this is the problem?
Is there something i can put in the application itself?Definitely not.
Scott

Request management service issue with SSL Sites

Hi guys,
I've configured up the request management service, but after start the service on our wfe servers (even before to configure specific web applications), our ssl sites begin to fail and the event viewer start to alert several errors, by the other hand,
sites over 80 port with no SSL works as expected.
I've found some similiar scenarios without a happy ending. Below you can find some of the main errors in event viewer and ULS Logs. In
this post solved a very similar issue using ssl host headers with a unique ip but we are using fqdn certificates so it is not an option for us.
I've already checked the
good posts from Spencer Harbar and He says that is good idea to use host named site collection, but this is not an option for me because we need to use Self Service Creation and mixed authetnication, besides, None of the Technet literature that i've reviewed
says something about don't support path based site collection.
So far, the only way to avoid this errors is not using the service(discouraging finding), These are some errors we got on Event viewer and logs:
Machine 'MACHINENAME (AppPool(_LM_W3SVC_515444293_ROOT))' failed ping validation and has been unavailable since '3/28/2014 3:55:48 PM'. (Just starting the service Event viewer begis to have a bunch of this errors)
03/28/2014 13:34:01.96 w3wp.exe (0x1184)
0x154C SharePoint Foundation
Request Management ai2q3
High Reached maximum number of failed machines based on ping results for this routing group
53c2819c-8216-20f3-68c0-c0a3e55c92d5
03/28/2014 13:34:01.96 w3wp.exe (0x1184)
0x154C SharePoint Foundation
Request Management ai2q4
Medium Unavailable machines based on ping results: MACHINENAME
53c2819c-8216-20f3-68c0-c0a3e55c92d5
03/28/2014 13:34:01.97 w3wp.exe (0x1184)
0x1C2C SharePoint Foundation
Request Management adc7u
Medium Mapping URI from 'https://HOSTNAME:443/Style Library/somos-sura-css/inicio/inicio.css' to 'https://MACHINENAME/Style%20Library/somos-sura-css/inicio/inicio.css'
53c2819c-8217-20f3-68c0-cb2f392c388b
Seems like it tries to find a site with the machine name, not the host name registered in the Alter access mappings (like portal.acme.com) .
I would appreciate some feedback about this. Another posts with similar issues:
http://amolmeshe.blogspot.com/2013/05/sharepoint-2013-request-management.html
http://www.akspug.org/Blog/Post/4/Request-Management-and-Error-8316
Regards,

Hi,
According to your post, my understanding is that you had an issue about the Request management service with SSL sites.
It’s a known issue that the request management service could not work with the SSL site.
We had already reported the issue to the product team, as a workaround, if you want to use the request management service, you can change the https site back to http.
What’s more, the SharePoint 2013 SP1 has been relased, you can install it to check whether it works.
http://support.microsoft.com/kb/2817429/en-us
Thanks & Regards,
Jason
Jason Guo
TechNet Community Support

Configuring JMS and loadbalancer with SSL termination? Has Anyone done it?

Hi all,
I'm having a problem getting JMS or even any JNDI lookup to work with a hardware load balancer and SSL termination. Has anyone used such a configuration? The load balancer in question is a Cisco CSS 11500 Series which has an SSL module. A client communicates with the CSS over SSL, the SSL module decrypts the packets and sends it for content switching and on to WebLogic as cleartext.
Without SSL termination everthing works fine. With SSL termination active, Web service and web content all work fine, but I can't get SSL tGetting Initial context from ms01
<29-Sep-2006 16:07:22 o'clock IST> <Debug> <TLS> <000000> <SSL/Domestic license found>
<29-Sep-2006 16:07:22 o'clock IST> <Debug> <TLS> <000000> <Not in server, Certicom SSL license found>
<29-Sep-2006 16:07:23 o'clock IST> <Debug> <TLS> <000000> <SSL Session TTL :90000>
<29-Sep-2006 16:07:23 o'clock IST> <Debug> <TLS> <000000> <Trusted CA keystore: D:/eclipse/workspace/LoadBalancerTest/ssl/keystores/cssKeyS
ore.keystore>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 886220>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <write SSL_20_RECORD>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <validationCallback: validateErr = 0>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> < cert[0] = [
Version: V3
Subject: EMAILADDRESS="[email protected] ", CN=10.51.0.200, OU=Web Administration, O=Revenue Commissioners, L=Dublin, ST=Dublin,
=IE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
a8f60248 b87c5860 229b9044 a666a9ae 27eb488c 424d9e67 e7b9d6d0 c292f081
cfa76c04 f3d89b28 1bf544f9 5de2b66d 576ebeca 5dc5ca8a fceead9a 52e2ce6c
2b91afef e4da5071 49b8784c 12d7f5f3 99f76482 79efe1d8 0a24f664 4c8d6e9e
b0bc63be 1faf8319 eeb23e8a 019b65b2 59dd086d 1b714d4c 01618804 66f416bb
Validity: [From: Fri Sep 08 11:44:28 BST 2006,
               To: Mon Sep 05 11:44:28 BST 2016]
Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
SerialNumber: [    0131]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0E 6E 72 2E B1 3B B6 A3 59 79 5A C5 41 26 B7 B6 .nr..;..YyZ.A&..
0010: A2 39 4C 73 .9Ls
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
SerialNumber: [    00]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [MD5withRSA]
Signature:
0000: 2C A0 0C 34 4E 0D CA 24 A5 C3 03 3A 71 A1 2D D3 ,..4N..$...:q.-.
0010: 65 A2 FA EF C1 5D D4 4A 28 8C 1A 70 5F 92 73 5E e....].J(..p_.s^
0020: 7B 13 D4 AE 36 A8 86 EA 60 7F A5 E3 86 6E 84 1F ....6...`....n..
0030: 5E 5F 30 06 B4 AA 2E 5C A7 65 74 32 09 0A 91 14 ^_0....\.et2....
]>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> < cert[1] = [
Version: V3
Subject: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
bc61b29f a830c97a 7a76883e 1665a241 a68b891f 8e4167eb 62e578ac 9e342c3e
53c9de8b e756634b e364010f 4d36c1c5 21a65b37 b64b4861 6f4dda29 b932191f
Validity: [From: Mon May 31 15:22:15 BST 2004,
               To: Thu May 29 15:22:15 BST 2014]
Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
SerialNumber: [    00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
SerialNumber: [    00]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [MD5withRSA]
Signature:
0000: 3C 64 7C 9E 0B 90 48 9D 70 74 06 80 7F 2C AF 73 <d....H.pt...,.s
0010: 92 1C C3 39 DD C3 45 B6 A4 8E 11 27 8E 21 18 4B ...9..E....'.!.K
0020: FD AA 31 5E 35 FC DF 9E 70 42 F4 65 5C DF 56 9A ..1^5...pB.e\.V.
0030: DD 8C 6B B7 3B BE E5 A7 D5 4A 16 23 C1 91 07 CA ..k.;....J.#....
]>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLTrustValidator returns: 0>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <Trust status (0): NONE>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <Performing hostname validation checks: 10.51.0.200>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 134>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received CHANGE_CIPHER_SPEC>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 272>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3445873 read(offset=0, length=2048)>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3941240 received APPLICATION_DATA: databufferLen 0, contentLength 372>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read databufferLen 372>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read A returns 372>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 339>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read(offset=372, length=1676)>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 6771926>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 93>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received HANDSHAKE>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received CHANGE_CIPHER_SPEC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received HANDSHAKE>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 402>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 1707>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read(offset=0, length=2048)>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received APPLICATION_DATA: databufferLen 0, contentLength 174>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read databufferLen 174>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read A returns 174>
<29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <NEW ALERT with Severity: WARNING, Type: 0
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
at weblogic.net.http.HttpClient.closeServer(HttpClient.java:466)
at weblogic.net.http.KeepAliveCache$1.run(KeepAliveCache.java:120)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)
>
<29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <avalable(): 23328673 : 0 + 0 = 0>
<29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <write ALERT, offset = 0, length = 2>
<29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 6771926>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3941240 received APPLICATION_DATA: databufferLen 0, contentLength 98>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3445873 read databufferLen 98>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3445873 read A returns 98>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 8406772>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 93>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received HANDSHAKE>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received CHANGE_CIPHER_SPEC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received HANDSHAKE>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 339>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <5618579 read(offset=0, length=2048)>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
Exception in thread "main" javax.naming.CommunicationException [Root exception is java.net.ConnectException: https://10.51.0.200:8143: Boot
trap to: 10.51.0.200/10.51.0.200:8143' over: 'https' got an error or timed out]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:47)
at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:636)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:306)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:239)
at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:135)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at TestAllManagedServers.main(TestAllManagedServers.java:54)
Caused by: java.net.ConnectException: https://10.51.0.200:8143: Bootstrap to: 10.51.0.200/10.51.0.200:8143' over: 'https' got an error or t
med out
at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:200)
at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:125)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:296)
... 7 more
o work for a simple JNDI lookup. With SSL debugging turned on, the following output is given:
When I compare the Server HTTP logs I see that an initial context lookup involves 3 HTTP requests, e.g.
25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "GET /bea_wls_internal/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+8.1.5+dummy+%0A&r
and=3018901804201457976&AS=255&HL=19 HTTP/1.1" 200 17
25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=7332722597180897050 HTTP/1
.1" 200 2341
25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "POST /bea_wls_internal/HTTPClntSend/a.tun?connectionID=0&rand=3415396992694182025 HTTP/
1.1" 200 17
When my request goes through the load balancer I see the following in the HTTP logs:
10.51.0.200 - - [29/Sep/2006:16:31:33 +0100] "GET /bea_wls_internal/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+8.1.5+dummy+%0A&
rand=8279752507152372405&AS=255&HL=19 HTTP/1.1" 200 17
10.51.0.200 - - [29/Sep/2006:16:31:33 +0100] "POST /bea_wls_internal/HTTPClntSend/a.tun?connectionID=0&rand=1051450669479197885 HTTP
/1.1" 200 17
10.51.0.200 - - [29/Sep/2006:16:32:28 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=6035654607615870287 HTTP/
1.1" 200 5
10.51.0.200 - - [29/Sep/2006:16:33:13 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=8245112057388607005 HTTP/
1.1" 200 5
Notice the time delay in some of the messages.
The following error appears in the WebLogic server log, however I've verified that all IP addresses referenced by the load balancer configuration match those in the WebLogic configuration:
<29-Sep-2006 16:31:43 o'clock IST> <Error> <RJVM> <BEA-000572> <The server rejected a connection attempt JVMMessage from: '266014296
868812899C:25.2.1.210R:2462711729186814398S:10.51.0.2:[8113,8113,8114,8114,8113,8114,-1,0,0]:10.51.0.1:8103,10.51.0.1:8105,10.51.0.1
:8107,10.51.0.2:8109,10.51.0.2:8111,10.51.0.2:8113:risIntCluster01:ms06' to: '0S:10.51.0.200:[-1,-1,-1,8143,-1,-1,-1,-1,-1]' cmd: 'C
MD_IDENTIFY_REQUEST', QOS: '102', responseId: '0', invokableId: '0', flags: 'JVMIDs Sent, TX Context Not Sent', abbrev offset: '228'
probably due to an incorrect firewall configuration or admin command.>
When a JNDI lookup is made directly to a WebLogic server on the https port, the client gives the following output:
Getting Initial context from ms01
<29-Sep-2006 16:29:22 o'clock IST> <Debug> <TLS> <000000> <SSL/Domestic license found>
<29-Sep-2006 16:29:22 o'clock IST> <Debug> <TLS> <000000> <Not in server, Certicom SSL license found>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSL Session TTL :90000>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <Trusted CA keystore: D:/eclipse/workspace/LoadBalancerTest/ssl/keystores/cssKeySt
ore.keystore>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 7860099>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <write SSL_20_RECORD>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <validationCallback: validateErr = 0>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> < cert[0] = [
Version: V3
Subject: CN=10.52.0.3, OU=Revenue Integration Server, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
ac47cae5 45e55fe4 8ec06362 84aab923 af35d7f1 8b7e8aaa 32772d8a d8185106
0ba91363 07162207 6eaa33b4 db8a3fbb 1e228e93 841ff322 e319242a 04ae7447
Validity: [From: Mon May 31 16:45:21 BST 2004,
               To: Thu May 29 16:45:21 BST 2014]
Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
SerialNumber: [    05]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D7 B3 92 7B C7 4E 2F 5D F3 97 CB 3B F9 FB 0A 1E .....N/]...;....
0010: 97 C5 DD F1 ....
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
SerialNumber: [    00]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [MD5withRSA]
Signature:
0000: 57 B6 54 4E 1A 54 91 66 5C A8 FE AF B6 50 AB 23 W.TN.T.f\....P.#
0010: 6A 32 42 77 06 44 D5 7D 40 81 E4 DD 84 E3 7B 55 [email protected]
0020: 96 A6 BC E9 E9 51 96 B9 E4 01 56 F9 41 B7 0C C3 .....Q....V.A...
0030: 0A 92 C0 17 6E 6B 9D D6 9A 87 6D 6E 15 5A 86 F4 ....nk....mn.Z..
]>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> < cert[1] = [
Version: V3
Subject: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
bc61b29f a830c97a 7a76883e 1665a241 a68b891f 8e4167eb 62e578ac 9e342c3e
53c9de8b e756634b e364010f 4d36c1c5 21a65b37 b64b4861 6f4dda29 b932191f
Validity: [From: Mon May 31 15:22:15 BST 2004,
               To: Thu May 29 15:22:15 BST 2014]
Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
SerialNumber: [    00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
SerialNumber: [    00]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [MD5withRSA]
Signature:
0000: 3C 64 7C 9E 0B 90 48 9D 70 74 06 80 7F 2C AF 73 <d....H.pt...,.s
0010: 92 1C C3 39 DD C3 45 B6 A4 8E 11 27 8E 21 18 4B ...9..E....'.!.K
0020: FD AA 31 5E 35 FC DF 9E 70 42 F4 65 5C DF 56 9A ..1^5...pB.e\.V.
0030: DD 8C 6B B7 3B BE E5 A7 D5 4A 16 23 C1 91 07 CA ..k.;....J.#....
]>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLTrustValidator returns: 0>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <Trust status (0): NONE>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <Performing hostname validation checks: 10.51.0.1>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 70>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received CHANGE_CIPHER_SPEC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 270>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <30340343 read(offset=0, length=2048)>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TL

You will need an AAM set with the internal (http) address.
http://blogs.msdn.com/b/ajithas/archive/2009/09/11/alternate-access-mapping-in-reverse-proxy-configuration.aspx
Dimitri Ayrapetov (MCSE: SharePoint)

OEL ldap client setup with SSL against OID using either ldaps or starttls

Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
Here's my /etc/ldap.conf file on OEL 5.3.
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
URI ldaps://FQDN:3132/
port 3132
ssl yes
host FQDN
base dc=DOMAIN,dc=com
pam_password clear
tls_cacertdir /etc/oracle-certs
tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
tls_ciphers SSLv3
# filter to AND with uid=%s
pam_filter objectclass=posixaccount
#The search scope
scope sub
I have /etc/nsswitch.conf set to check for files first, then ldap
passwd: files ldap
shadow: files ldap
group: files ldap
Here's my /etc/openldap/ldap.conf file
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
TLS_CIPHERS SSLv3
The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
4224de9f.0 -> oid-test-ca.pem
I can run ldapsearch using ldaps and it works fine.
ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

Hello again...
after some research and work together with Oracle Support I found out how to get it to work:
1. You have to create your own ConfigSet in OID using
SSL-Server-Authentication
(OpenSSL seems not to support SSL-encryption-only).
The following link shows on how to do that:
http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
2. Add the following lines to your $HOME/ldaprc
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
oid-caroot.pem is the CA-Root Certificate you got
during step 1
3. you should now be able to use ldapsearch using SSL
If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by an security fix which may not be compliant with the SSL implementation of Oracle.
I opened an Bug for that problem with RedHat. This Bug Description also includes an proposal for an Patch which solves the problem (but may introduce some security risks). See the Bug at RedHat:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
Bye
Frank Berger

Does certicom implementation support ssl renegotiation ?

does certicom implementation support ssl renegotiation ? We are talking to IIS server from OSB using 2 way ssl and get the below error . IIS doesn't request the client certificate in the initial handshake and it does a ssl renegotiation to request the client certificate.
<<WLS Kernel>> <> <ac73602e9b9282f3:7f182ebf:1342bdce06c:-8000-0000000000000568> <1323589084326> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 100 (means No- Renegotiation)
Is there a way to make certicom to allow renegotiation. ..don't want to use JSSE for certain reasons...
weblogic version 11.1.1.5
Thanks In advance
Regards
Atheek

ok we need a flag to make it to work : -Dweblogic.security.SSL.enable.renegotiation=true

REDUNDANT ACE 20 WITH SSL CERTIFICATE

Hi
I have an ACE 20 redundant infrastructure (Active-Standby),and it´s needed to implement a secure aplication with SSL certificate.
The question I have is, for this solution is neccesary to generate a digital certificate and key for each ACE module? and, It´s is possible to use the same certificate and key in both ACE modules?
Thanks for your help.
Regards

Ricardo,
You can just the same certificates for both devices.
Jorge

Securing the IIOP Listener/Handler with SSL

Hi,
I am looking into securing CORBA client connections to ISL/ISH with SSL. Client authentication is not needed, just encryption and server authentication. Having looked through the documentation I have a couple of questions about this.
1. The "Using Security in CORBA Applications" manual says that an LDAP server is used as the certificate repository for the ISL/ISH server certificate. Are there alternatives to this such as using a keystore or is LDAP the only option?
2. Is it possible to configure the LDAP server (server name, port etc) without re-installing Tuxedo?
Regards
Ian

Ian,
Tuxedo uses a plugin framework architecture to manage certificates and it is possible to replace any of the plugin framework implementations.
In order to change the plugin framework interfaces you will need to obtain information about the epif* commands and the plugin framework interfaces and you will need to write some code. The plugin framework documentation is made available on an as-needed basis.
As documented at http://download.oracle.com/docs/cd/E15261_01/tuxedo/docs11gr1/sec/secadm.html#wp1239453 , "For more information about security plug-ins, including installation and configuration procedures, see your Oracle account executive."
The command "epifregedt -g" shows the current plugin framework settings.
The command "epifregedt -g -k SYSTEM/impl/security/BEA/certificate_lookup" shows just the settings for the security/BEA/certificate_lookup interface.
The command "epifregedt -g -k SYSTEM/impl/security/BEA/certificate_lookup -a Params" shows just the instantiation parameters for this interface.
Assume that the output from this command is
IMPLEMENTATION security/BEA/certificate_lookup
Instantiation Parameters :
"userCertificateLdap=ldap://localhost:389/"
"filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat"
Then the command
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_lookup \
-a Params=userCertificateLdap=ldap://abcxyz:1389/ \
-a Params=filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat
will change the LDAP location to ldap://abcxyz:1389/
Note that it is necessary to respecify the filterFileLocation with this command even though it is not changing.
Thus, it is not necessary to reinstall Tuxedo in order to change the LDAP parameters.
Since the registry modification commands can be tricky to use, you may want to experiment with these commands on a development system or you may want to
export REG_KEY_SYSTEM=<TEMPORARY_DIRECTORY>/System.rdp
cp $TUXDIR/udataobj/System.rdp $REG_KEY_SYSTEM
before experimenting with epifregedt -s. (The value of REG_KEY_SYSTEM will override the default of $TUXDIR/udataobj/System.rdp .)
Regards,
Ed

Applet with SSL Performance Issue

Hi All,
I tried posting this in the general java forum but I think it's more relavant in the Applet section. I have a program where JavaScript invokes an Applet which uses PrintService to retrieve a list of all the printers on the network and returns that string, the JS then does something with that String. The problem I'm seeing is that when a user tests this functionality without SSL enabled there are no issues. However, with SSL enabled, the first invocation of this functionality is successful but the second invocation always causes the CPU to spike to 50%. Any ideas what's happening here? Why is it spiking on the second call to this applet? Workarounds? Would it be possible to retrieve a list of printers directly with JS?
Thanks for your feedback.
Message was edited by:
javajiggs

what do you mean the sniffer trace is normal ?
Do you have the decrypted trace ?
It's important to know if the server sent an error message, or if the css corrupted the server response.
This should be seen in the trace.
Also, is the same client always having issue ?
Is it the only one ?
Can this client browse different webpages ?
Gilles.

ICal publication on IIS Website with SSL

Hi,
Can i publish iCal calendars on IIS Webdav directory with SSL configuration on an other port than default 443 ???
I try to publish on this server and this work for:
- "http" site
- "https" site with ssl port 443
but no with "https" site with ssl port 445 for example.
my publication url is "https://myserver.com:445/calendars/"
Where is the problem???
Thanks.

Hi Parth,
This forum discusses about web development including HTML, CSS and Script for Internet Explorer. So you post is off-topic here. I suggest you re-post a question to IIS forum for better support.
http://forums.iis.net/
Best regards,
Shu
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

CSS and ACE appliance SSL TPS

Hi,
Can someone explain how are SSL Transactions per second calculated on CSS and ACE?
We need to select appropriate SSL license needed for future ACE appliance, wich is defined in terms of TPS.
We also currently have CSS device with SSL module. Is there any way to find current SSL TPS info on a CSS device?
Thank you and regards,
Jasmina

What is the method used to calculate SSL TPS requirement.
example,
Current: Peak SSL Transactions 6,000
If I expect a peak concurrent connection of 200,000 what would be the methodology for calculating SSL TPS needs. (Some sample calculation steps would be appreciated.)
Can I interpret the licensing as follows,
SSL TPS: SSL Transactions per second: Number of NEW transactions that can be setup by ACE per second. (Does this mean established SSL transactions are not counted by the license, though each of the packets in established transactions require SSL termination!)
Thanks
Sri

Java Web Start Error in through codebase url with SSL

I have created one Java web-start plugin application in swing which is launched from PHP site at browser plugin.
All things were working fine, but when we implemented SSL in our site it stopped working. And when we try to start the application from browser it thorws error like:
Unable to launch Application.
In Java console it puts following log:
JNLP Ref (...): NULL !
#### Java Web Start Error:
#### null
Following is my JNLP file:
<jnlp spec="1.0+" codebase="https://<<server_domain>>/MyPlugin/">
<information>
    <title>Test Plugin</title>
    <vendor>The Java(tm) Tutorial</vendor>
    <homepage href="null"/>
    <description>Test Plugin</description>
    <description kind="short">Test Plugin</description>
    <offline-allowed/>
</information>
<security>
    <all-permissions/>
</security>
<update check="timeout" policy="always"/>
<resources>
    <java version="1.7+"/>
    <jar href="http://<<server_domain>>/MyPluginJar.jar" download="eager" main="false"/>
</resources>
<application-desc>
    <argument>test</argument>
    <argument>test</argument>
    <argument>test</argument>
    <argument>test</argument>
    <argument>test</argument>
</application-desc>
</jnlp>
The issue started only after implementation of SSL in our site. Please provide any solution for this. Many thanks in advance.
P.S. My Jar file is signed by third party authorized certificate.

Have you tried using Rosetta?

Weblogic app server wsdl web service call with SSL Validation error = 16

Weblogic app server wsdl web service call with SSL Validation error = 16
I need to make wsdl web service call in my weblogic app server. The web service is provided by a 3rd party vendor. I keep getting error
Cannot complete the certificate chain: No trusted cert found
Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure
Validation error = 16
From the SSL debug log, I can see 3 verisign hierarchy certs are correctly loaded (see 3 lines in the log message starting with “adding as trusted cert”). But somehow after first handshake, I got error “Cannot complete the certificate chain: No trusted cert found”.
Here is how I load trustStore and keyStore in my java program:
     System.setProperty("javax.net.ssl.trustStore",”cacerts”);
     System.setProperty("javax.net.ssl.trustStorePassword", trustKeyPasswd);
     System.setProperty("javax.net.ssl.trustStoreType","JKS");
System.setProperty("javax.net.ssl.keyStoreType","JKS");
System.setProperty("javax.net.ssl.keyStore", keyStoreName);
     System.setProperty("javax.net.ssl.keyStorePassword",clientCertPwd);      System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true");
Here is how I create cacerts using verisign hierarchy certs (in this order)
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignClass3G5PCA3Root.txt -alias "Verisign Class3 G5P CA3 Root"
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediatePrimary.txt -alias "Verisign C3 G5 Intermediate Primary"
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediateSecondary.txt -alias "Verisign C3 G5 Intermediate Secondary"
Because my program is a weblogic app server, when I start the program, I have java command line options set as:
-Dweblogic.security.SSL.trustedCAKeyStore=SSLTrust.jks
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.SSL.enforceConstraints=strong
That SSLTrust.jks is the trust certificate from our web server which sits on a different box. In our config.xml file, we also refer to the SSLTrust.jks file when we bring up the weblogic app server.
In addition, we have working logic to use some other wsdl web services from the same vendor on the same SOAP server. In the working web service call flows, we use clientgen to create client stub, and use SSLContext and WLSSLAdapter to load trustStore and keyStore, and then bind the SSLContext and WLSSLAdapter objects to the webSerive client object and make the webservie call. For the new wsdl file, I am told to use wsimport to create client stub. In the client code created, I don’t see any way that I can bind SSLContext and WLSSLAdapter objects to the client object, so I have to load certs by settting system pramaters. Here I attached the the wsdl file.
I have read many articles. It seems as long as I can install the verisign certs correctly to web logic server, I should have fixed the problem. Now the questions are:
1.     Do I create “cacerts” the correct order with right keeltool options?
2.     Since command line option “-Dweblogic.security.SSL.trustedCAKeyStore” is used for web server jks certificate, will that cause any problem for me?
3.     Is it possible to use wsimport to generate client stub that I can bind SSLContext and WLSSLAdapter objects to it?
4.     Do I need to put the “cacerts” to some specific weblogic directory?
---------------------------------wsdl file
<wsdl:definitions name="TokenServices" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
     <wsp:Policy wsu:Id="TokenServices_policy">
          <wsp:ExactlyOne>
               <wsp:All>
                    <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                         <wsp:Policy>
                              <sp:TransportToken>
                                   <wsp:Policy>
                                        <sp:HttpsToken RequireClientCertificate="true"/>
                                   </wsp:Policy>
                              </sp:TransportToken>
                              <sp:AlgorithmSuite>
                                   <wsp:Policy>
                                        <sp:Basic256/>
                                   </wsp:Policy>
                              </sp:AlgorithmSuite>
                              <sp:Layout>
                                   <wsp:Policy>
                                        <sp:Strict/>
                                   </wsp:Policy>
                              </sp:Layout>
                         </wsp:Policy>
                    </sp:TransportBinding>
                    <wsaw:UsingAddressing/>
               </wsp:All>
          </wsp:ExactlyOne>
     </wsp:Policy>
     <wsdl:types>
          <xsd:schema targetNamespace="http://tempuri.org/Imports">
               <xsd:import schemaLocation="xsd0.xsd" namespace="http://tempuri.org/"/>
               <xsd:import schemaLocation="xsd1.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
          </xsd:schema>
     </wsdl:types>
     <wsdl:message name="ITokenServices_GetUserToken_InputMessage">
          <wsdl:part name="parameters" element="tns:GetUserToken"/>
     </wsdl:message>
     <wsdl:message name="ITokenServices_GetUserToken_OutputMessage">
          <wsdl:part name="parameters" element="tns:GetUserTokenResponse"/>
     </wsdl:message>
     <wsdl:message name="ITokenServices_GetSSOUserToken_InputMessage">
          <wsdl:part name="parameters" element="tns:GetSSOUserToken"/>
     </wsdl:message>
     <wsdl:message name="ITokenServices_GetSSOUserToken_OutputMessage">
          <wsdl:part name="parameters" element="tns:GetSSOUserTokenResponse"/>
     </wsdl:message>
     <wsdl:portType name="ITokenServices">
          <wsdl:operation name="GetUserToken">
               <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetUserToken" message="tns:ITokenServices_GetUserToken_InputMessage"/>
               <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetUserTokenResponse" message="tns:ITokenServices_GetUserToken_OutputMessage"/>
          </wsdl:operation>
          <wsdl:operation name="GetSSOUserToken">
               <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserToken" message="tns:ITokenServices_GetSSOUserToken_InputMessage"/>
               <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserTokenResponse" message="tns:ITokenServices_GetSSOUserToken_OutputMessage"/>
          </wsdl:operation>
     </wsdl:portType>
     <wsdl:binding name="TokenServices" type="tns:ITokenServices">
          <wsp:PolicyReference URI="#TokenServices_policy"/>
          <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
          <wsdl:operation name="GetUserToken">
               <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetUserToken" style="document"/>
               <wsdl:input>
                    <soap12:body use="literal"/>
               </wsdl:input>
               <wsdl:output>
                    <soap12:body use="literal"/>
               </wsdl:output>
          </wsdl:operation>
          <wsdl:operation name="GetSSOUserToken">
               <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetSSOUserToken" style="document"/>
               <wsdl:input>
                    <soap12:body use="literal"/>
               </wsdl:input>
               <wsdl:output>
                    <soap12:body use="literal"/>
               </wsdl:output>
          </wsdl:operation>
     </wsdl:binding>
     <wsdl:service name="TokenServices">
          <wsdl:port name="TokenServices" binding="tns:TokenServices">
               <soap12:address location="https://ws-eq.demo.i-deal.com/PhxEquity/TokenServices.svc"/>
               <wsa10:EndpointReference>
                    <wsa10:Address>https://ws-eq.demo.xxx.com/PhxEquity/TokenServices.svc</wsa10:Address>
               </wsa10:EndpointReference>
          </wsdl:port>
     </wsdl:service>
</wsdl:definitions>
----------------------------------application log
adding as trusted cert:
Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x641be820ce020813f32d4d2d95d67e67
Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020
adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028
adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x250ce8e030612e9f2b89f7054d7cf8fd
Valid from Tue Nov 07 19:00:00 EST 2006 until Sun Nov 07 18:59:59 EST 2021
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 28395435>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 SSL3/TLS MAC>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 received HANDSHAKE>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
<Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure.>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
     at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
     at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
     at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
     at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
     at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
     at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
     at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
     at com.certicom.tls.record.WriteHandler.write(Unknown Source)
     at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
     at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
     at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
     at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
     at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
     at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
     at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
     at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
     at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
     at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
     at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
     at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
     at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
     at javax.xml.ws.Service.<init>(Service.java:56)
     at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
     at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
     at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
     at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(Unknown Source)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
     at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
     at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 22803607>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 14640403>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 SSL3/TLS MAC>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 received HANDSHAKE>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
<Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - 12.29.210.156 was not trusted causing SSL handshake failure.>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
     at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
     at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
     at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
     at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
     at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
     at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
     at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
     at com.certicom.tls.record.WriteHandler.write(Unknown Source)
     at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
     at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
     at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
     at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
     at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
     at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
     at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
     at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
     at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
     at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
     at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
     at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
     at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
     at javax.xml.ws.Service.<init>(Service.java:56)
     at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
     at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
     at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
     at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
     at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
     at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(Unknown Source)
     at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
     at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
     at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 16189141>

I received a workaround by an internal message.
The how to guide is :
-Download the wsdl file (with bindings, not the one from ESR)
-Correct it in order that the schema corresponds to the answer (remove minOccurs or other things like this)
-Deploy the wsdl file on you a server (java web project for exemple). you can deploy on your local
-Create a new logicial destination that point to the wsdl file modified
-Change the metadata destination in your web dynpro project for the corresponding model and keep the execution desitnation as before.
Then the received data is check by the metadata logical destination but the data is retrieved from the correct server.

Cannot access to any site with ssl connection and fail to open safari and keychain, unless restart computer and login in with Guest account.

when Update to 10.7.2 ,I cannot access to any site with ssl connection and fail to open safari and keychain, unless restart computer and login in with Guest account.
OS:10.7.2
Macbook Pro 2010-mid 13inch

I also have the same problem, however if I use Firefox or Opera sites with ssl connection work fine. Still, I can't use Google Chrome (ssl), Safari (ssl), the Mac app store (generally), or the iTunes store (generally). Both the iTunes store, Safari and the app store won't respond, and Chrome displays this error: (net::ERR_TIMED_OUT). The problem persists regardless of what network I'm using. Also, when trying to access the keychain or iCloud, the process will not start (will hang). I didn't have these problems at all before updating to 10.7.2.
Sometimes rebooting helps, and sometimes not. If the problem disappears by rebooting, then it only lasts a few minutes before it reappears. It is very frustrating, especially since there doesn't seem to be any obvious or consistent way of which to fix it.
I'm also using a Macbook Pro 13-inch mid 2010.

Crystal Reports export and print fails with SSL / https but works with http

Windows 2008 Server, 32-bit (IIS7)
ASP.NET 2.0
Ajax 1.0
Crystal Reports version 10.5.3700.0
http: printing works, export works
https: printing not working, only export to MS Excel and MS Word work.
I am able to generate reports using both http and https, and the toolbar icons are all showing. However, I am unable to print or export properly with SSL.
Printing prompts me with a select printer window, and then a window 'Retrieving Page 1' follow by two messages from Crystal Print Control both stating:
A communication error occured. Printing will be stopped.
Exporting generates various errors depending on which export method is being selected (however Excel and Word work over https).
I've found the same problem on this site and other forums, but never a resolution to get exporting and printing to work with SSL. Will someone please provide me assistance or possibly relay what settings they're using if they have Crystal Reports export or printing working over SSL in IIS7? Everything works fine when I change the address from https to http.
Please let me know if I can help by providing further information. We've gone through a great deal of possible solutions with code and I'm currently looking in to IIS settings again.
Thank you.

Thanks Ludek. I got it by searching KB number.
Unfortunately, it didn’t fix my problem even my IE (IE8 and IE 9) has correct setting. I double check my version. PrintControl.CAB is version 10.2.0.1146. we use VS 2005 Crystal report and VB .NET. It works fine on HTTP. But when we use HTTPS (SSL Certificate from go daddy).
1: Crystal report export
            Export to MS Excel, Word: pop us “File download”, then click “Save”. It says “Internet Explorer cannot download ReportView.aspx from my site. Internet Explorer was not able to open this internet site. the requested site is either unavailable or cannot be found. Please try it again later”
            Export to RPt, Rich text format: It says “Internet Explorer cannot download ReportView.aspx from my site. Internet Explorer was not able to open this internet site. the requested site is either unavailable or cannot be found. Please try it again later”
            Export to PDF : nothing happened.
2: Print:
            Pop up dialog to select printer, click “Print” “. Shows windows “Crystal Report Viewer” and pop us error message box. Title is “Crystal Print Control”. Message is “An communication error occurred. Printing will be stopped”. Click “OK” and pop up error message box again.
Please advise.
Thank you very much!

CSS - AVS implementation with SSL

Similar Messages

Maybe you are looking for