Custom Trust and Key Store

Similar Messages

• Trust and Key Store config values? - OBPM 10g (Linux) With Websphere6 (AIX)

  HI,
  We installed OBPM 10gR3 on Linux (10.3.2 for Websphere) with Websphere 6.1.0.21 on AIX,
  When we try to save values in following section we are getting an error:
  Engines > Edit Engine bpmengine > JMX Engine Management Configuration
  Attributes are:
  Host / Port / Security Enabled / Principal / Credentials / Trust store / Trust store password / Key store / Key store password
  Can anybody please help what values to put for following parameters under JMX Engine Management Configuration with respect to Websphere Application Sever 6.1.0.21:
  Trust store: ?
  Trust store password: ?
  Key store: ?
  Key store password: ?
  Please help us in case anybody came across this.
  Thanks and Regards
  SH

  Well it seems that my trouble all started when I began using the 'printable = yes' option for shares. Since I removed that the troubles seem to have left me.
  Does anyone know why that is listed as on option in smb.conf here:
  # A publicly accessible directory, but read only, except for people in
  # the "staff" group
  ;[public]
  ; comment = Public Stuff
  ; path = /home/samba
  ; public = yes
  ; writable = yes
  ; printable = no
  ; write list = @staff
  As well as in a few other examples if it doesn't work? I seen the example and assumed that option was needed to print from those shared directories.
  Also, it seems that the comma is not needed between the 'valid users' names.
  Also, I guess it wasn't Windows XP's fault either but rather my own ignorance. I like the idea of blaming Windows better though.....
  I hope this servers to help others to aviod my mistakes.

• Trust store and key store

  What is the fundamental difference between trust store and key store ?

  what this means to an end user ?I have no idea, but what it means to me is that JBoss don't understand the difference between them any more than you did when you asked the question.
  A keystore is a high-security item that needs to be kept under lock and key as it contains credentials sufficient to identify that peer legally, and I mean in a courtroom in a dispute over millions of dollars. A truststore on the other hand is a collection of public certificates whose security requirement is to prevent people adding untrustworthy certificates to it. A completely different matter. In any large organization, the personnel with the authority over the keystore would never be the same as the personnel with authority over the truststore. Putting both in the same file compromises the security of both. It makes no sense whatsoever.

• WLST/start AdminServer - problems with trusted cert key store

  Hello,
  I have clustered environment. Machine1: AdminServer and odi_server1. Machine2: odi_server2. There is NodeManager running on each machine. This is my nodemanager.properties for NodeManager on Machine1:
  #Thu Dec 19 13:18:30 CET 2013
  #Thu Dec 19 11:29:43 CET 2013
  #Thu Dec 19 11:17:53 CET 2013
  #Tue Dec 11 11:40:20 CET 2012
  DomainsFile=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.domains
  LogLimit=0
  PropertiesVersion=10.3
  DomainsDirRemoteSharingEnabled=false
  javaHome=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64
  AuthenticationEnabled=true
  NodeManagerHome=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager
  JavaHome=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
  LogLevel=INFO
  DomainsFileEnabled=true
  StartScriptName=startWebLogic.sh
  ListenAddress=
  NativeVersionEnabled=true
  ListenPort=5556
  LogToStderr=true
  SecureListener=true
  LogCount=1
  DomainRegistrationEnabled=false
  StopScriptEnabled=false
  QuitEnabled=false
  LogAppend=true
  StateCheckInterval=500
  CrashRecoveryEnabled=false
  StartScriptEnabled=true
  LogFile=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.log
  LogFormatter=weblogic.nodemanager.server.LogFormatter
  ListenBacklog=50
  KeyStores=CustomIdentityAndCustomTrust
  CustomIdentityKeystoreType=jks
  CustomIdentityKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/keystore.jks
  CustomIdentityKeyStorePassPhrase={3DES}VRCBXCfDocQ=
  CustomTrustKeystoreType=jks
  CustomTrustKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/cacerts.jks
  CustomTrustKeyStorePassPhrase=
  CustomIdentityAlias=keyAlias
  CustomIdentityPrivateKeyPassPhrase={3DES}VRCBXCfDocQ=
  As you can see, I have my custom trust (cacerts,jks) and identity (keystore.jks) keystores and they are set for node manager in this file. Next, nodemanager is started via wlst, like this:
  bea_home = '/home/oracle/Oracle/Middleware';
  pathseparator = '/';
  listen_port = '5556';
  listen_address = 'eb-etl1';
  node_manager_home = bea_home + pathseparator + 'wlserver_10.3' + pathseparator + 'common' + pathseparator + 'nodemanager';
  startNodeManager(verbose='true', NodeManagerHome=node_manager_home, ListenPort=listen_port, ListenAddress=listen_address);
  I want to start my AdminServer via wlst (by connectiong to nodemanager), like this:
  bea_home = '/home/oracle/Oracle/Middleware';
  pathseparator = '/';
  admin_username = 'weblogic';
  admin_password = '1q2w3e1q2w3e';
  listen_address = 'eb-etl1';
  listen_port = '5556';
  admin_server_url='t3://eb-etl1:7005'
  domain_name = 'odi_cluster';
  domain_home = bea_home + pathseparator + 'user_projects' + pathseparator + 'domains' + pathseparator + domain_name;
  print 'CONNECT TO NODE MANAGER';
  nmConnect(admin_username, admin_password, listen_address, listen_port, domain_name, domain_home, 'ssl');
  print 'START ADMIN SERVER ONLY ON THE MACHINE WHERE THE ADMIN SERVER IS PRESENT';
  nmStart('AdminServer');
  print 'CONNECT TO ADMIN SERVER';
  connect(admin_username, admin_password, admin_server_url);
  print 'START MANAGED SERVERS ON THE MACHINE';
  start('odi_server1','Server');
  But I can't even connect to node manager:
  CONNECT TO NODE MANAGER
  Connecting to Node Manager ...
  <2013-12-19 13:48:23 CET> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
  <2013-12-19 13:48:23 CET> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
  <2013-12-19 13:48:24 CET> <Warning> <Security> <BEA-090542> <Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
  This Exception occurred at Thu Dec 19 13:48:24 CET 2013.
  javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
  Problem invoking WLST - Traceback (innermost last):
    File "/home/oracle/Oracle/Middleware/deploy/scripts/startBiatelbit_puw.py", line 12, in ?
    File "<iostream>", line 123, in nmConnect
    File "<iostream>", line 648, in raiseWLSTException
  WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : [Security:090542]Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
  Use dumpStack() to view the full stacktrace
  So - it seems my trust keystore is not even used, why? Why still demo key store is used??
  If I remove this:
  KeyStores=CustomIdentityAndCustomTrust
  CustomIdentityKeystoreType=jks
  CustomIdentityKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/keystore.jks
  CustomIdentityKeyStorePassPhrase={3DES}VRCBXCfDocQ=
  CustomTrustKeystoreType=jks
  CustomTrustKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/cacerts.jks
  CustomTrustKeyStorePassPhrase=
  CustomIdentityAlias=keyAlias
  CustomIdentityPrivateKeyPassPhrase={3DES}VRCBXCfDocQ=
  from my nodemanager.properties, there is no exception while connecting to node manager and I can start admin server. But - I can't start odi_server1 (weblogic console says that node manager for Machine1 is unreachable). From other hand, when I run AdminServer via startWebLogic script (with above keystore definitions), I can start my odi_server1 via weblogic administration console without any problems.
  Also, NodeManager for Machine2 is always unreachable, no matter what I do (with or without keystore definitions).
  Do you have any idea what am I doing wrong?

  Hi,
  If the admin URL is specified with the https protocol, then http tunneling must be enabled for the server from the console -> servers -> AdminServer ->Protocols -> http.
  Moreover we also need to add following java options to the stopWebLogic.cmd or setDomainEnv.cmd:
  set JAVA_OPTIONS=$JAVA_OPTIONS$ -Dweblogic.security.IdentityKeyStore=CustomIdentity -Dweblogic.security.CustomIdentityKeyStoreFileName=identity.jks -Dweblogic.security.CustomIdentityKeyStorePassPhrase=password -Dweblogic.security.Identity.KeyStoreType=JKS -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=trust.jks -Dweblogic.security.CustomTrustKeyStoreType=JKS -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.IgnoreHostNameVerification=true -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Regards,
  Kal

• Unable to load custom trust store in cluster

  Weblogic 9.2 cluster with three nodes. Each is configured to use custom trust store. The same jks is copied to every node.
  On node1 ssl works perfectly but on node2 and node3 certificate validation fails. Interesting is the stack that is thrown after first validation request, when Weblogic starts to load truststore:
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211972> <000000> <SSLSetup: loading trusted CA certificates>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211984> <000000> <SSLContextManager: loading server SSL identity>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211986> <000000> <MBeanKeyStoreConfiguration: constructor - using mbean trust config>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211989> <000000> <PreMBeanKeyStoreConfiguration: constructor - explicitly configured=true>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211992> <000000> <PreMBeanKeyStoreConfiguration: constructor - TrustKeyStore[0]=FileName=/bea/keystores/MyTrust.jks, Type=jks, PassPhraseUsed=true>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211994> <000000> <MBeanKeyStoreConfiguration: constructor - TrustKeyStore[0]=FileName=/bea/keystores/MyTrust.jks, Type=jks, PassPhraseUsed=true>
  ####<Jan 17, 2011 5:46:51 PM EET> <Notice> <Security> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1295279211998> <BEA-090171> <Loading the identity certificate and private key stored under the alias beal2.srv.sise from the jks keystore file /bea/keystores/MyIdentity.jks.>
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212009> <000000> <Failed to load server trusted CAs
  java.lang.NullPointerException
       at weblogic.security.utils.SSLContextManager.getRealmName(SSLContextManager.java:594)
       at weblogic.security.utils.SSLContextManager.getServerSSLIdentity(SSLContextManager.java:535)
       at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:276)
       at weblogic.security.utils.SSLContextManager.getDefaultServerSSLContext(SSLContextManager.java:221)
       at weblogic.security.utils.SSLContextManager.getServerTrustedCAs(SSLContextManager.java:183)
       at weblogic.security.utils.SSLSetup.getTrustedCAs(SSLSetup.java:505)
       at weblogic.security.utils.SSLSetup.getSSLContext(SSLSetup.java:384)
       at weblogic.security.SSL.SSLSocketFactory.setSSLClientInfo(SSLSocketFactory.java:218)
       at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:36)
       at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:28)
       at weblogic.security.SSL.SSLSocketFactory.getDefault(SSLSocketFactory.java:55)
       at com.liferay.portal.security.auth.WeblogicSocketFactory.createSocket(WeblogicSocketFactory.java:21)
       at com.liferay.portal.security.auth.WeblogicSocketFactory.createSocket(WeblogicSocketFactory.java:30)
       at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
       at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
       at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
       at com.liferay.portal.servlet.filters.sso.cas.Cas20ProxyTicketValidator.retrieveResponse(Cas20ProxyTicketValidator.java:73)
       at com.liferay.portal.servlet.filters.sso.cas.Cas20ProxyTicketValidator.validate(Cas20ProxyTicketValidator.java:46)
       at com.liferay.portal.servlet.filters.sso.cas.CASFilter.processFilter(CASFilter.java:172)
       at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3242)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2010)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1916)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
  >
  ####<Jan 17, 2011 5:46:52 PM EET> <Deb...
  during the validation I get following:
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212020> <000000> <Cannot complete the certificate chain: No trusted cert found>
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212020> <000000> <Validating certificate 0 in the chain: Serial number: 1283510590
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212023> <000000> <validationCallback: validateErr = 16>
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212025> <000000> <weblogic user specified trustmanager validation status 16>
  I have run out of ideas. The certificate is in trustore. I think my issues are related to that NullPointer but because it is Weblogic internal code I have no idea what's causing it. I know somehow node1 has to be different but I don't know where to look anymore.
  After decompiling SSLContextManager getRealmName looks like this:
  private final String getRealmName()
  return runtimeAccess.getDomain().getSecurity().getRealm().getName();
  What configuration am I missing?

  Maybe this helps....
  I would try to check the following steps:
  - Are node2 and node3 on the same machine as node1?
  - Is present and readable "/bea/keystores/MyTrust.jks" on each machine?
  - Who signs the trust certificate in "MyTrust.jks"? I.E.: it is needed a trust chain to validate MyTrust?
  From your decompilation it seems that one of these
  - runtimeAccess;
  - runtimeAccess.getDomain();
  - runtimeAccess.getDomain().getSecurity();
  - runtimeAccess.getDomain().getSecurity().getRealm();
  is null ...
  Bye
  Mariano

• Trust Key Store - Interesting question ....

  Hi,
  Currently, using one way SSL, we get a 200 millisecond overhead from the client perspective. I have a gut feel that the trust key store check adds a lot of overhead (since it does an I/O check)
  if my gut is right ...
  IS there anyway to cache the trust keys store (I am using a stand alone java client running it on Junit)
  Thanks

  what this means to an end user ?I have no idea, but what it means to me is that JBoss don't understand the difference between them any more than you did when you asked the question.
  A keystore is a high-security item that needs to be kept under lock and key as it contains credentials sufficient to identify that peer legally, and I mean in a courtroom in a dispute over millions of dollars. A truststore on the other hand is a collection of public certificates whose security requirement is to prevent people adding untrustworthy certificates to it. A completely different matter. In any large organization, the personnel with the authority over the keystore would never be the same as the personnel with authority over the truststore. Putting both in the same file compromises the security of both. It makes no sense whatsoever.

• Help with understanding SSL on Netweaver 7.1 and the relevant key stores.

  I am having a great difficulty in understanding how SAP manages and uses SSL certificates in Netweaver 7.1.  More specifically, what the difference is between System, Server, and Client.
  As I can see, there are three PSE key stores I see within STRUST. 
  1. SSL System PSE
  2. SSL Server PSE 
  3. SSL Client PSE
  The System PSE I believe is installed by default and enables the systems to communicate between each other, such as Application Servers and the Central Instance. 
  The Server PSE is the where I store the certificate I generated and had signed by a CA (certificate authority).  It contains a root and intermediate certificate and both have been imported back into the Server PSE store.  When partners connect to me and I agree to accept server only authentication, it is this cert that identifies my server as a trusted server the partner.  Do I need to add the partneru2019s u201Crootu201D or u201Cintermediateu201D certs to my Server PSE in order to allow SSL login?
  The Client PSE is where I store partneru2019s client certificates that I allow to login via u201Cclientu201D authentication.  Without their key installed in this store, they will not be allowed to login via SSL.
  When I wish to make connections to partners, I will take my Server key from the Server PSE, export the key, and send it to the partner so they can import it in their key store.
  Does the above sounds right?  Any clarification would be greatly appreciated.
  Thanks,
  Mike.
  P.S.  I also have questions about how and if certificates are synchronized from the ABAP stack (STRUST) to the JAVA stack (Netweaver Administrator), as keys can be stored in either direction.  If not, does where you store the certificate depend if it is an ABAP or JAVA type connection?

  hi michael,
  <br />
  please be careful - actually, there is NO SSL System PSE.<br />
  There is only a so called "System PSE", which is not at all related to SSL.<br />
  <br />
  The PSEs actually available for SSL as default are:<br />
  <br />
  - the SSL Server PSE (which is a rather complicated construction ... see below) [mandatory]<br />
  - the SSL Client PSE (standard) <br />
  - the SSL Client PSE (anonymous)<br />
  <br />
  Looking at connections using HTTPS/SSL, you always have two communication partners: an entity issuing a request, named the "client", and another entity, to which the request is sent in order to be responded to, named the "server".
  Since an SAP ABAP system can be either client or server in this setup, we have the chance to provide different security environments (= PSE) for these communication roles.<br />
  <br />
  When the SAP system initializes a HTTPS communication, it will make use of one of the SSL Client PSEs. These PSEs mainly serve the purpose of storing the CA certificates that are trusted. Only servers whose server certificate is signed by a CA where the CA root certificate is contained in the SSL Client PSE can be connected to. If the server's certificate is not trusted, the error message "verification of the server's certificate chain faile" will appear in the ICM trace (see note 1094342).<br />
  <br />
  The difference between SSl Client PSEs "standard" and "anonymous" is the actual certificate - the "anonymous" PSE always contains the distinguished name (DN) "CN=anonymous", which can not be used for client authentication. In contrast, the "standard" PSE's DN can be defined freely, so this PSE can be signed by a CA and furthermore used for client authentication.<br />
  <br />
  Now for the SSL Server PSE.<br />
  As mentioned already, the SSL Server PSE can be a complicated thing ... actually, this PSE is only a container for more PSEs. There must be at least the "default" PSE (unfortunately also called "standard"), and there can be up to 1 PSE for each application server.<br />
  In a standard setup, the default PSE is used only for those cases where no application server specific PSE applies. The application server specific PSEs are supposed to be the ones that are actually used by the ICM.<br />
  <br />
  What does "up to 1 per AS" mean? Well - as soon as two SSL Server PSEs use the same DN, these PSEs are no longer distinguished, and will be mapped to the same PSE data (key pair, certificate list). So, if you define the same DN for several application servers, only one PSE is created and used by both application servers.<br />
  <br />
  I hope this (lengthy) epistle anwers more question than opens new ones...<br />
  <br />
  regards,<br />
  sebastian
  Edited by: Sebastian Broll on Apr 8, 2010 8:07 AM (formatting)

• Custom domains and primary keys

  hi to all;
  I've in troubles, with custom domains and the fact that sometimes, they must be as primary keys.
  Searching in this news i see that we have to code, equals() and hashcode() methods, trying it i've got better behaviors , but still in problems.
  My domain is an String , in "show time" i need it masked and query time ( as in database it is stored without mask ) i need it without any mask;
  findByKey method i never know when it will work and when it will not;
  Could some one point me to a right solution ?
  fowards thanks

  Dan:
  Yes. Provide the correct equals() and hash() is the most important thing you need to do. There are other things you need to think about if the domain is NOT a scalar domain (single value). But, BC4J assumes that the PK is a scalar value, so your custom domain should be a scalar value value ==> equals and hash are two thing you'd need.
  Thanks.
  Sung

• What is an alternative to bins? Sometimes I want to make custom transitions and I need a place to store them for easy use.

  What is an alternative to bins? Sometimes I want to make custom transitions and I need a place to store them for easy use.

  Either projects or events. You can make a compound clip in a event used to hold favorites. Add a couple of generator items to it and apply the custom transition. You can copy and paste from the compound clip to any project. Hold everything you want into the one event. It probably won't ever get very big, and the render files can be dumped at any time. You can simply move the event from machine to machine or place to place as needed, just as you can other custom content, like keyboard layouts and custom color presets.

• How to store a RSA pair key in Java Key Store (jks) and VS

  Hi Everyone ,
  I have generated a RSA pair key . now I need to store my public key in a Java Key Store (.jks file) . and then I need to read this .jks file in another application and get this public key to use for verification .
  I'll appreciate it if anyone could help me with this matter with a sample code for import/export public key to/from a java key store file or any hints.
  Best Regards,
  Vivian

  I don't think this makes sense. How have you generated an RSA key pair and where is the result stored?

• WLST and SSL Custom Trust

  Hi,
  Does anyone know if WLST works with a custom trust file? weblogic.Admin lets you
  specify this, but I can't find any reference to it in the WLST Docs

  Nathan,
  It should be same as what you specify for weblogic.Admin, i.e you will
  start wlst by specyfing the same System properties when you used wl.Admin.
  Thanks,
  -satya
  Nathan wrote:
  Hi,
  Does anyone know if WLST works with a custom trust file? weblogic.Admin lets you
  specify this, but I can't find any reference to it in the WLST Docs

• I have Pages 09.  I have created custom templates and want to delete them.  How do I delete a template I have created in Pages 09?

  I have Pages 09.  I have created custom templates and want to delete them.  How do I delete a template I have created in Pages 09?

  Pages stores those you created & saved as templates in (your account) > Library > Application Support > iWork > Pages > Templates > My Templates. The door to the user's Library is hidden in Lion but it is easy to open. In Finder, hold down the Option key while clicking on the Go menu & your users Library will appear about halfway down the list.

• Built two OIF 11.1.1.2 instances in same IDMDomain, second instance cannot read key store

  I asked about loading two versions of OIF onto two different managed servers listening on two different ports but within the same IDMDomain that gets bootstrapped here: Different instances of OIF within the same IDMDomain
  I have built this out. Here is what it looks like in EM. Ports are highlighted.
  AdminServer 7001
       wls_oif1 7499 (bootstrapped at config)
            OIF 11.1.1.2 (bootstrapped at config)
       wls_oif2 7498 (cloned from wls_oif1 in WL Console)
            OIF 11.1.1.2 (changed target from bootstrapped instance to hit both servers)
  I had to do a few other hacky things to get this up without any erratic EM or application errors. I had to change the targets on several libraries and other EAR/WARs to hit both wls_oif1 and wls_oif2, and then edited my config.xml for IDMDomin to reference all three servers where it would only reference Admin and wls_oif1 before, and change single references to wls_oif1 to both wls_oif1 and wls_oif2. This got me a stable EM and deployment.
  I can pull metadata from http://dlaxoifs101:7499/fed/idp/metadata, but I get an HTTP 500 error when trying http://dlaxoifs101:7498/fed/idp/metadata. The only error in the logs of wls_oif2 OIF instance is:
  Message ID
  FED-20000
  Message Level
  1
  Relationship ID
  0
  Component
  wls_oif2
  Module
  oracle.security.fed.sec.key.select.CryptoStore
  Host
  dlaxoifs101.devapollogrp.edu
  Host IP Address
  10.87.1.3
  User
  <anonymous>
  Thread ID
  [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'
  ECID
  37391fee28ccc45c:-13d3734e:13ff2932ce7:-8000-0000000000000570
  Message
  Cannot open the key store.
  I altered the config of the Admin Server and wls_oif2 Identity and Trust to reference some new keystores of my own creation to make sure the cloned server and the Admin server were speaking the same language, but that just prevented me from being able to start wls_oif2 due to an "SSL not trusted" error- which was odd because I am not using SSL in any of these connections.
  So am I missing any other keystores, or do I just need to admit that running two distinct OIF instances on the same IDMDomain is not supported and a bad idea?

  First, I sent an email to the author of PhotoME to inform him of the serious issues his addon caused with Firefox latest versions.
  Now, for those of you who do not have the PhotoME addon and yet experience the same problem that I had and that I described above, I suggest the following strategy.
  As PhotoME did cause these problems with Firefox latest versions, I am pretty covinved other addons probably might cause these problems too. Therefore, adopt the following method.
  Test one addon at a time to see if this particular addon is behind your Firefox issues like the ones I had.
  So, disable one addon only at a time. Then close your Firefox and restart it from scratch and see if you still have your Firefox problems. You must restart the Firefox browser from scratch. If you still have these Firefox problems, re-enable the disabled addon, restart your Firefox (again!) and repeat the same method for every single addon that you have.
  Try to be selective by choosing first addons that are more likely to cause your Firefox problems such as not very well-known or not very popular addons (like it was the case for the PhotoME addon).
  If this method works or if it does not work, report it on this web page so that others can be helped with your comments.
  I hope this method will help you because I was really upset that I had these Firefox problems and I first thought it was the fault of Firefox, only to discover later that this PhotoME addon was the culprit and had caused me such upset.

• How to make reference wbs custom data carried to new wbs when using custom tab and custom table

  I created a custom tab for WBS elements by using user exit CNEX0007 and custom screen and put a table control in it.
  As table control's data has to be stored in a table I could not use append structure of PRPS.
  When I used reference wbs, PRPS custom fields were carried also but I could not find any solution to fill table control data with reference table.
  I need to get correspondence between reference number's and new id's key data. Is there any exit, enh. that I can store the relationship.

  Solved...
  I've used an enhancement point in include LCNPB_MF38.  CJWB_SUBTREE_COPY exports a table called newnumbers. Here you can find correspondances between copied WBS and new WBS.
  Exported table to memory id.
  And imported it in another user-exit. You can use proper user exit for your need.  ( EXIT_SAPLCNAU_002)

• I have a new Macbook pro, I cannot get past the country selection screen.  'Continue' is greyed out and keys just make error sounds. How do I move it on?

  I have a new Macbook pro, I cannot get past the country selection screen.  'Continue' is greyed out and keys just make error sounds. How do I move it on?

  sideeque wrote:
  I have the same problem. What did you do last time?
  What  should I do now? Its around 40 miles away the apple store? Would they pay my taxi fare to go and return?
  How can we trust this apple product?
  You are still under warranty.  Call Apple Care.