Does an SSLServerSocket cache the trusted certs???

I implemented a TrustStoreManager for an SSLServerSocket so that checkClientTrusted() returns if the cert is acceptable. But through debugging code I see that once checkClientTrusted() returns normally, it doesn't get invoked when a subsequent connection is made to the same server socket.
This is causing a problem because I have a "trust all certs" override in the app. If I send a bad cert, the TrustManager correctly rejects it. Then I set the "trust all certs" override and the server accepts the connection as expected. But then when I turn the override off again, the server does not reject the connection. And my debug tells me that checkClientTrusted() is not even invoked.
The only conclusion I can draw is that the socket remembers that a specific cert is trusted, and doesn't check it again for subsequent connections. Is this correct? If so, is there a way to make the socket "forget" trusted certs? I'd prefer not to tell the user she has to restart the app whenever she resets the "trust all cert" override.

Why? This is very bad practice. SSL is not secure
without correct authentication of certificates.The app I'm writing permits a client to copy its clipboard and/or selected files to the server. It may be used across a public network or the client and server may reside on a local LAN that is either not connected to a public network or at least the port in use is not open through the firewall. In the latter case, the user can forgo setting up and maintaining certs in the TrustStore if they choose (private key entries for the SSL session to use are created automatically). The user is warned with a pop-up of the consequences of trusting all certs, when that option is selected.
Another use case where the same issue arises is when the user removes a trusted cert from the TrustStore, and the client using that cert subsequently attempts to connect. The user can remove certs from the TrustStore very easily, from a control panel while the server is running. If I didn't invalidate the session, the user would believe that the cert in question was no longer trusted, but the server would still accept connections authenticated with it.
At any rate, your answer solved my problem. I was closing the connection after each client-server transaction, but overlooking the fact that a subsequent connection on the same socket would continue the SSL session. Now I'm invalidating the session after closing the connection, and changes to the trust policy are effective on the next connection.
Thanks for your help.
-Mark

Similar Messages

Does the Browser cach the jnlp-file?

I have a problem, I think with the browser's caching. As I modify the *.jnlp-File, the old version is loaded, not the new one!
Or is the old version cached by the webStart-Caching-Mechanism?
To update the jnlp-file, sometimes it is helpful to clear the Clients webStart cache.
Is that correct?
regards,
ulli

The browser does in fact cache the jnlp and it can be a real problem. If there is no expiration on the JNLP then the browser may load it from cache instead of going to your web server on the next access. This means you may have modified your JNLP on the server for a new release, but users can start your application WITHOUT GETTING THE LATEST JNLP!
You can solve this problem by serving the JNLP file from your own servlet (or other HTTP serving technique) and setting the expire header. Setting it to 0 does the right thing.
Do NOT however, set "Pragma", "no-cache". no-cache stops the browser from writing the JNLP to the file system...this in turn causes a problem when Web Start tries to find the jnlp file after the browser starts Web Start....the jnlp file is not there.
Note that the JnlpDowloadServlet provided by Sun in the Web Start developers kit does NOT expire the JNLP file...you must fix this code yourself if you want it to work correcly. Sun was supposed to make this source code available but I can't find it anywhere. We used a de-compiler to de-compile the code, fix it and re-jar it.

Deployment.certs deployment.jssecerts trusted.certs and cacerts

I'm struggling to find any decent explanation of the exact purpose and use of the above files.
From what I can tell, the deployment.* files and the trusted.certs files end up in a user's personal %appdata% folder. The cacerts file is a system-wide file.
I'd be very grateful if somebody could please confirm:
1. What is the relationship between these files and the various certificate categories listed in the Java Plug-in Control Panel (i.e. Signed Applet, Secure Site, Signer CA, Secure Site CA)?
2. If I wish to remove ALL the pre-defined entries under the Signer CA and Secure Site CA categories, how do I do this? - I suspect I just need to use keytool to remove every entry from the cacerts file?
3. If I then wish to pre-define my own trusted CA for all users of my system, how do I do this? Again presumably I use keytool to import my CA certificate into one of the above files. Can I import it into cacerts? - I'd prefer to locate it in a system-wide file rather than have to deploy individual copies of, say, deployment.certs to every user.
4. I also wish to pre-trust some applet signing certificates and a web server certificate. Is there an accepted method of doing this?
Sorry for the rather lengthy request - it seems to me that these are the kinds of things that quite a lot of people would want to do but I've found surprisingly little information on it all.
Many thanks!!!

Hello Bursche.
I have also recently run into some "issues" related to signed applets and certificates. I have tried numerous searches and found nothing to indicate how the deployment.certs keystore is protected. I would also be interested to know if anyone has successfully dealt with it.
As a side note/question have you suffered any weird "lingering permissions" related to policy files in JDK 1.4.1/1.4.2 ? Recently I have experienced an applet that is still being granted permissions for restricted operations even though it is no longer in the policy file(s). The appletviewer properly refuses to execute it, but the Java 2 plugin ( via IE 5.5 and Netscape 7.1 ) runs it without complaint. If I revert to unsigned versions the applet fails ( as it should ). Is there somewhere else ( other than deployment.certs ) that this relationship may be cached ? These tests were all on Windows 2000 Professional.
Regards,
James.

Trusted.certs question with regards to Installation and Upgrading Java

Greetings,
Thank you to all who take the time to read this especially those who can provide some answers!
Question #1:
I read that trusted.certs was not backwards compatible for Java. By this I mean that a "Java Runtime 6 Update 11" generated trusted.certs could not be read / used by "Java Runtime 6 Update 26". Is this correct?
Question #2:
Part A: Does a fresh install of Java create the trusted.certs file upon installation or at the time Java is first run after install?
Part B: When the trusted.certs is created does it do a file check to see if trusted.certs file already exists? If so does it delete and generate a fresh trusted.certs or does it leave the existing file?
Reason I ask this is that we are getting a java.io.FileNotfoundException for the trusted.certs file. This I believe to be caused by a failed upgrade of Java. When uninstalling "Java Runtime 6 Update 26" it displays "Java Runtime 6 Update 11". This leads me to believe that the trusted.certs is still for Update 11 and not Update 26 which would cause this error even after a fresh install of Java.
I would love your input and knowledge! Thank you again for your time!

I am not aware of any trusted.certs file being distributed with Java. Are you referring to the cacerts file?

Changing SSL Cert, how do you update the trust profile for devices.

I am in the process of changing out the ssl cert for the trust profile (going from a self-signed to a signed cert). How do you update the trust profile on the devices already paired with the server.

Yes, the linked smart object can be either raster or vector, but they will be placed as raster images, just as the embedded SO are. SO can be embedded or linked to an outside file. Edits to the original will not update in the original until you select "Update modified content from the menu" when you reopen the file that has the place SO in it. otherwise it will update when you save the linked file. Yes, there still is an advantage to having an embedded SO. You may not want to maintain the links - send a file off and forget to include the linked files. You may want to alter the SO, but not the original file.
Ah, thanks. But does this mean that raster and vector smart objects can EITHER be located within the Photoshop file (as they have been since their advent) OR linked to an external file?
And if so,
1. Can this linked file be either raster or vector?
2. Do edits to it automatically update the Photoshop file?
3. Is ther any longer any advantage to having the smart object data stored within the Photoshop file when it can be linked?

Path does not chain with any of the trust anchors, but included in cacerts?

I have implemented a CA that has a self-signed certificate:<CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE>
I have a cert from this CA: <CN=realAnonym>
With this cert, I want to make a SSL connection to some server with client authentication.
<CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE> is included in the cacerts-file of the server.
<CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE> (Part of trusted CA's) in my opinion match with <CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE> (second certificate in certificatechain of <CN=realAnonym>).
But it doesn't ???
execute the server with -Djavax.net.debug=ssl,handshake gives:
<CN=GeoTrust Global CA, O=GeoTrust Inc., C=US>
<CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited,
OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net>
<CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US>
<OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
>
<CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 V
eriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign
, Inc.", C=US>
<CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE> (Part of trusted CA's)<OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.",
C=US>
<OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use onl
y", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.",
C=US>
*** ServerHelloDone
main, WRITE: TLSv1 Handshake, length = 7383
main, READ: TLSv1 Handshake, length = 3784
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=realAnonym (client certificate)Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 127355714484211456591612779667470666909980708602501730899657524388577
49850208930275081977822300971032883864332221450883863390126466833031349667099122
38288059447802849568096837640845268449147677304455823253593898716430967402259872
25271396467992796337646786345774935629264123070013042903682567551911526037603651
public exponent: 65537
Validity: [From: Fri Nov 18 00:00:00 CET 2005,
               To: Fri Nov 03 12:04:28 CET 2006]
Issuer: C=BE, L=Leuven, O=KUL, OU=JurgenAgten, CN=ps (Clent certificate issuer) SerialNumber: [    0107a404 7764]
Certificate Extensions: 3
[1]: ObjectId: 2.1.2.3.102 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 02 31 00 ..1.
[2]: ObjectId: 2.1.2.3.101 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1D 31 1B 30 19 13 02 4C 64 02 02 03 E8 13 06 ..1.0...Ld......
0010: 61 7A 65 72 74 79 13 07 41 72 62 69 74 65 72 azerty..Arbiter
[3]: ObjectId: 2.1.2.3.100 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 09 F7 30 82 09 F3 03 82 09 6B 00 AC ED 00 ....0......k....
0010: 05 73 72 00 19 6A 61 76 61 78 2E 63 72 79 70 74 .sr..javax.crypt
0020: 6F 2E 53 65 61 6C 65 64 4F 62 6A 65 63 74 3E 36 o.SealedObject>6
0030: 3D A6 C3 B7 54 70 02 00 04 5B 00 0D 65 6E 63 6F =...Tp...[..enco
0040: 64 65 64 50 61 72 61 6D 73 74 00 02 5B 42 5B 00 dedParamst..[B[. .
09D0: C8 18 22 75 E9 23 56 96   9E 7E 71 C5 7B 6B 95 5B .."u.#V...q..k.[
09E0: DF AB 6D 0A 39 0C E3 74   F1 BA 5A 9C 50 76 0B 3E ..m.9..t..Z.Pv.>
09F0: 13 79 20 2E B5 B1 FC 83   76 97 A2                 .y .....v..
Algorithm: [MD5withRSA]
Signature:
0000: 78 DC AF 04 6F D9 F2 54 6A 5D CB 99 4E 45 90 25 x...o..Tj]..NE.%
0010: 8D 4B 24 17 BF BB B9 1D AB 1D 7C EF 3D F5 01 9C .K$.........=...
0020: 49 9C 81 CC 64 0C F4 38 37 F5 BB CF 28 F7 FB 2F I...d..87...(../
0030: 5E 91 21 E3 A1 B0 92 90 F7 DC 92 F6 A8 6C E3 78 ^.!..........l.x
0040: 36 B7 36 B8 05 6B 17 8D C8 CF AF D2 9B F6 89 B2 6.6..k..........
0050: 5B 20 E4 14 0B 98 1C 50 69 FC CC C1 6F 6C F0 EA [ .....Pi...ol..
0060: 63 1E 64 71 BA 41 3D B6 23 7A 72 91 01 B4 B2 23 c.dq.A=.#zr....#
0070: 40 2D 62 48 E0 84 0E FA D7 EF E1 9C F5 92 DF 42 @-bH...........B
chain [1] = [
Version: V1
Subject: CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE (Client certificatechain[1] the CA) Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 117566584630083419996551735329369567910739541932314407531248741596590
25394436071793849489119529408325801928292164157908793562030900052755912331352764
88920380150146179015561996002426862508085279249965768014151302583170908492349232
49673303864165396475282399840755746956422674084689146502252850565325504345529883
public exponent: 65537
Validity: [From: Fri Nov 18 16:31:50 CET 2005,
               To: Thu Feb 16 16:31:50 CET 2006]
Issuer: CN=ps, OU=JurgenAgten, O=KUL, L=Leuven, C=BE (is self-signed)SerialNumber: [    437df3e6]
Algorithm: [MD5withRSA]
Signature:
0000: A5 0B D2 F7 C9 4A BF E5 00 C2 42 50 DF EB 33 A6 .....J....BP..3.
0010: DB 1A 7F C5 38 DE 4A FA 23 09 5C 09 5D 68 73 CD ....8.J.#.\.]hs.
0020: 72 B7 A4 9A 50 30 ED BE 35 28 6D 19 21 77 B6 32 r...P0..5(m.!w.2
0030: FE 83 22 CE EF 7F F4 3E 6E 52 B0 E9 9D 14 EA 48 .."....>nR.....H
0040: A4 0B DC 41 C2 86 D4 48 6A AD 49 46 84 10 FA 69 ...A...Hj.IF...i
0050: 7D C6 81 0C AF BA 88 D5 C1 30 BA 1A 5A E5 D3 24 .........0..Z..$
0060: 0A 3E 15 5A B5 99 A8 B2 32 80 85 D4 72 3F F4 60 .>.Z....2...r?.`
0070: 18 BA 11 3A 91 35 D9 F9 CA D3 C9 AE 2F 3E 39 E1 ...:.5....../>9.
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
main, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

It is not even done the first validation part on the client side ( if you have not cut the debugs).
On both, your client and your server, you should add your CA certificate to the trust set. You can first leave the client authentication aside, and do it on the client code to be sure the client authenticates the server's certificate properly; later you can add the same functionality to your server when checking the client certificate. The mechanism provided to deploy this, is either through system property javax.net.ssl.trustStore to introduce your truststore or introcuding your own trustmanager in the codes.
In case, you want to set it dynamically in the program code, you should consider using your extension of X509TrustManager() . Aussuming it be YourTrustManager, you go like this:
//YourTrustManager implements javax.net.ssl.X509TrustManager
SSLContext sslContext = SSLContext.getInstance("SSLv3");
YouTrustManager tm = new YourTrustManager();
TrustManager tms[] = {tm};
sslContext.init(null, tms, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());Further, you might need to change the default hostname verifier on the HttpsConnection before you can establish a successful handshake with the pattern you used for your certificates.
Read http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html in case this does not make it clear enough.

Error ACLContainer: 65315 does NOT EXIST in the Object Cache for parentID:

Expert,
I did the following steps to upgrade the OWB repository from 10g to 11g
• Created a dummy workspace in the 11.2 repository
• Created users in the destination environment
• Run Repository Assistant against the 11.1 source database
• Then selected *“Export entire repository to a file”* and selected the MDL(10g) to import
After 99% of completing I have got the below error
Error ACLContainer: 65315 does NOT EXIST in the Object Cache for parentID: 65314
Please let me know the solution.
Thanks,
Balaa...

Hi I had the same error and worked on it for almost a week with no success but there is few work around for this try it it might work for you.
Step 1>Run a health check on OWB 10.2 enviroment(make sure you clone your OWB 10.2 enviroment and then do this healthcheck ,these checks are tricky )
refer
Note 559542.1 Health Check of the Oracle Warehouse Builder 10.2 Metadata Repository
This will give you info about your missing ACL
Step 2> download these two scripts fixLostACLContainer.sql ,fixAllACLContainers.sql
please refer :
Note 559542.1 Health Check of the Oracle Warehouse Builder 10.2 Metadata Repository
OWB 10.2 - Internal ERROR: Can not find the ACL container for object (Doc ID 460411.1)
Note 754763.1 Repository Cleanup Script for OWB 10.2 and OWB 11.1
Note 460411.1 Opening Map Returns Cannot find ACL Containter for Object
Note 1165068.1 Internal Error: Can Not Find The ACL Containter For for object:CMPPhysical Object
It might resolve this ACL issue but it did not work for me.
If none of these work then
Perform export from design center of OWB 10.2 and import through design center of OWB 11.2.(ONLY OPTION)
It worked for me.
Varun

Does the MBP support the 'Trust Wireless Bluetooth PC Audio System BT-9300'

Hi, I have just ordered my MBP from apple which won't be delivered until the end of March 2008.
I want to be able to wirelessly transmit the sound from my MBP to my HiFi or other similar audio system, without using any bulky devices.
The 'Trust Wireless Bluetooth PC Audio System BT-9300' offers exactly what I am looking for, but does not state if it is compatible with MacBook Pro's.
Does anyone have any information which might help me out?
Many thanks in advance.
Regards,
uklady.
Message was edited by: uklady

Every time I've tried to use Trust stuff it's been flakey, they do not accept the existence of Apple or Mac OS X in general so it may not be the best choice...
It should also be noted that audio over BlueTooth isn't exactly brilliant - perhaps an Airport Express would answer your problem?

Does coherence cache the value from the cache?

Hi, I have the question about if the coherence caches the value from the cache? I believe it does from my test, just want to get the confirmation.
I like to use an example to describe my question. For example:
If (key1, value1) are in the cache1, (value1 is an object),
for the first time, if cache1.get(key1), coherence will deserialize value1 and return. But if in the same JVM, when cache1.get(key1) is invoked again, coherence will return value1, which I believe is cached by coherence in the current JVM, and return; instead of deserializing and return it. Is that right?
I am asking this question because I found a problem in our project when use coherence. As the above example, if I use value1 = cache1.get(key1), and in our project, value1 object has a set method to change one of its internal attributes, and this method was indeed invoked after value1 get from cache1. Then in another class, value2 = cache1.get(key1) is called again, and I found out that value2's attribute will have the modified value, even cache1.put(key1, value1) is never invoked in the first place.
Of course, this kind of behavior matches the java.util.Map. But coherence cache is a cluster/distributed environment. In the above example, if on another data node, value3 = cache1.get(key1) will get the original attribute value in value3, since the deserialize object will always get the original value, unless the new value is put in explicitly by cache1.put(key1, value1).
In this case, should cache1.get(key1) always return a clone object make more sense?
Thanks

You observation is correct. More specifically for cache topologies which include an in-process cache Coherence may return the same object reference for repeated get requests on the same key. I say "may" because for any variety of reasons we may also have to retrieve a fresh copy from a remote cache server. When possible we will return existing objects for performance reasons avoiding costly things like network hops, and de-serialization. Any modifications made to an object returned from the cache will not be made automatically available to other cluster members. Additionally if these modifications are made concurrently with another thread performing a cache.put() on the same value could result in a corrupt cached value if your serialization methods are not thread-safe. Best practice dictates that unless you are sure that you are using a cache topology which does not include an in-process cache that you treat the values returned from the cache as immutable, and instead deep clone() it before making any modifications.
The distributed-scheme and remote-scheme are the only types of caches which do not include in-process caching, and thus always return "mutation safe" values. The most common in-process cache topology is near-scheme, but others include replicated-scheme, optimistic-scheme, local-scheme, and the programatically created ContinuousQueryCache.
thanks,
mark

Clear cache does not clear all the cache

Hi,
After clearing the cache, the browser assumes some of the files are still cached so it won't try to get the file from the server. This causes the website to hang as it does not timeout.
It does not always happen, for example in my machine is OK, but a colleague's machine has it consistently and other people too.
The only way that they could make it work is going to about:support and doing a reset.
The Troubleshooting Information I've added is from the problematic machine.
regards,
Daniel.

They use the built-in means to clear the cache.
Tried deleting the cache folder but it did not help.
Tried also deleting the profile folder contents and it did work. I guess that is similar to reset functionality.
Still, if clearing the cache folder worked would be a a workaround for us, as developers but not something we could ask from our customers.
You can try it with this URL:
https://hornbill.socialworkforce.com/socialworkforce/user/lib/hux/server/comboloader/comboloader.php?ver=1.1.0&../../ext/yui3/../../../esp_hux/components/Xmlmc/Xmlmc-min.js
Again, they are able to load it for the first time, but if they clear the cache, they cannot get the response from that url, in fact there is not even a request from the browser.

Deploy Trusted Cert with the deployment J2SE Runtime Environment 5.0

I want to deploy J2SE Runtime Environment 5.0 Update 2.msi using active directory. I have tested my deployment and all is good, now I want to know how to deploy a trusted cert with the the deployment of J2SE Runtime Environment 5.0 Update 2.msi. I am using active directory for the deployment. I do not know much about Java or cert, but want my users not to have to grant permission to the only cert we have on ouir web page the first time they hit the page.
Is there a way to pre-answer the Grant always box for the cert we have. I hope I have asked the question correctly. Thank in advance.

Hello, I've inserted the following content
#Thu Sep 15 11:36:07 CEST 2005
deployment.system.security.trusted.certs=C\:\\temp\\SSL_applet\\client.com
deployment.system.security.trusted.jssecerts=C\:\\temp\\SSL_applet\\client.com
deployment.system.security.trusted.cacerts=C\:\\temp\\SSL_applet\\client.com
deployment.system.security.trusted.jssecacerts=C\:\\temp\\SSL_applet\\client.com
deployment.system.security.trusted.clientcerts=C\:\\temp\\SSL_applet\\client.com
to the file:
C:\Documents and Settings\UserName\Application Data\Sun\Java\Deployment\deployment.config
When a signed applet is opened I get:
security: Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts
security: Loaded Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts
security: Loading Deployment certificates from C:\temp\SSL_applet\client.com
java.io.IOException: Keystore was tampered with, or password was incorrect
     at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
     at java.security.KeyStore.load(Unknown Source)
     at com.sun.deploy.security.DeploySigningCertStore$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sun.deploy.security.DeploySigningCertStore.load(Unknown Source)
     at com.sun.deploy.security.DeploySigningCertStore.load(Unknown Source)
     at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
     at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
     at sun.plugin.security.PluginClassLoader.getPermissions(Unknown Source)
     at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
     at java.security.SecureClassLoader.defineClass(Unknown Source)
     at java.net.URLClassLoader.defineClass(Unknown Source)
     at java.net.URLClassLoader.access$100(Unknown Source)
     at java.net.URLClassLoader$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(Unknown Source)
     at sun.applet.AppletClassLoader.findClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at sun.applet.AppletClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at sun.applet.AppletClassLoader.loadCode(Unknown Source)
     at sun.applet.AppletPanel.createApplet(Unknown Source)
     at sun.plugin.AppletViewer.createApplet(Unknown Source)
     at sun.applet.AppletPanel.runLoader(Unknown Source)
     at sun.applet.AppletPanel.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)All fine and dandy you can specify your own keystore to be used but no where
to give it a storepass so you can use it.
Can someone tell me how to use my own keystore for SSL auth, trust and
signature trust that WILL work.
Setting the system property in an applet won't auth and or trust SSL:
System.setProperty("javax.net.ssl.keyStore", "file:/C:/temp/SSL_applet/client.com");
System.setProperty("javax.net.ssl.keyStorePassword", "storepass");
System.setProperty("javax.net.ssl.keyStoreType","JKS");
System.setProperty("javax.net.ssl.trustStore", "file:/C:/temp/SSL_applet/client.com");
System.setProperty("javax.net.ssl.trustStorePassword", "storepass");
System.setProperty("javax.net.ssl.trustStoreType","JKS");Ends up with a trace telling me cacerts wil be opened, client.com is never used.
C:\Documents and Settings\UserName\Application Data\Sun\Java\Deployment\security\trusted.jssecerts
Googling for the combination of
site:sun.com "deployment.system.security.trusted.certs" password
will give me no results. Searching the entire web won't do much either.
Anyway, assuming the password is changit will end up with an unpleasent
surprise after installing a new version jre.
Because SUN actually changed it in 1.5
Anything short of the programmer loading a keystore when an applet is run
will not work.
This is not good enough, is there a way for administrators to use their own
keystore and give it a password so a jre update won't screw up everything?

Cannot complete the certificate chain: No trusted cert found

Hi:
I am currently working on a application that makes a web service call to a third party service provider. I am using weblogic 10 application server and session bean makes a call to the gateway class which in turn initiates a web service call using SSL layer. I get the following error when gateway class is trying to make a SSL connection with the third party server. I have set the keystore to be custom and java standard and both Identity key store and turst key store points to C:\bea10\jdk160_05\jre\lib\security\cacerts key store. The interesting thing is when I tried with different other URLs www.bankofamerica.com and www.freshdirect.com
I get the same error. I am not sure why certificate validation fails even if it is a trusted CA and I would believe java keystore should contain all valid Certificate authorities such as verisign, Secure Trust etc. The third party certificate is issued by secure trust CA which in turn issued by Entrust.net
Can someone shed me somelight whats going on here? I also took a look at thread Re: SSL issues tried to import the server certificates into java keystore. but nothing worked out. Appreciate your help.
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Cannot complete the certificate chain: No trusted cert found
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Validating certificate 0 in the chain: Serial number: 805312903
Issuer:C=US, O=SecureTrust Corporation, CN=SecureTrust CA
Subject:C=CA, ST=Ontario, L=Toronto, O=Givex Corp., CN=*.givex.com
Not Valid Before:Wed Nov 21 09:56:03 EST 2007
Not Valid After:Sat Nov 20 09:56:03 EST 2010
Signature Algorithm:SHA1withRSA
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Validating certificate 1 in the chain: Serial number: 1116160170
Issuer:C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
Subject:C=US, O=SecureTrust Corporation, CN=SecureTrust CA
Not Valid Before:Sun Oct 01 01:00:00 EDT 2006
Not Valid After:Tue Nov 26 13:25:48 EST 2013
Signature Algorithm:SHA1withRSA
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
     at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
     at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
     at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
     at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
     at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
     at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
     at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
     at com.certicom.tls.record.WriteHandler.write(Unknown Source)
     at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
     at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:436)
     at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:224)
     at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:38)
     at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:144)
     at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:235)
     at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:146)
     at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:473)
     at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:459)
     at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:306)
     at com.freshdirect.client.TransPortType_Stub.getBalance(TransPortType_Stub.java:254)
     at com.freshdirect.payment.ejb.GivexPaymentServiceImpl.getBalance(GivexPaymentServiceImpl.java:59)
     at com.freshdirect.payment.ejb.GivexServerGateway.getBalance(GivexServerGateway.java:211)
     at com.freshdirect.payment.ejb.GivexServerGateway.main(GivexServerGateway.java:388)
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write ALERT, offset = 0, length = 2
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: close(): 16720915
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: close(): 16720915
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSLIOContextTable.removeContext(ctx): 29310343
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: close(): 16720915
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: close(): 16720915
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSLIOContextTable.removeContext(ctx): 29310343
<Sep 16, 2009 6:18:17 PM EDT> <Info> <WebService> <BEA-220048> <A exception was thrown from the client handler sending a JAXM message.>
<Sep 16, 2009 6:18:17 PM EDT> <Info> <WebService> <BEA-220034> <A stack trace associated with message 220048 follows:
javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
     at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
     at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
     at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
     at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
     at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
     at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
     at com.certicom.tls.record.WriteHandler.write(Unknown Source)
     at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
     at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:436)
     at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:224)
     at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:38)
     at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:144)
     at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:235)
     at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:146)
     at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:473)
     at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:459)
     at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:306)
     at com.freshdirect.client.TransPortType_Stub.getBalance(TransPortType_Stub.java:254)
     at com.freshdirect.payment.ejb.GivexPaymentServiceImpl.getBalance(GivexPaymentServiceImpl.java:59)
     at com.freshdirect.payment.ejb.GivexServerGateway.getBalance(GivexServerGateway.java:211)
     at com.freshdirect.payment.ejb.GivexServerGateway.main(GivexServerGateway.java:388)
>

I would believe java keystore should contain all valid Certificate authorities such as verisign, Secure Trust etc. The third party certificate is issued by secure trust CA which in turn issued by Entrust.net<You can list the contents of your cacerts file to see if exact matching version of the SecureTrust signer cert is present.
You can also use a simple java program to test whether you can connect to the 2 servers that your're having issues with:
import java.net.*;
import java.io.*;
public class SSL_Test {
public static void main(String[] args) throws Exception {
URL sslURL = new URL("https://someserver.com/someservice.wsdl");
BufferedReader in = new BufferedReader( new InputStreamReader( sslURL.openStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
compile and run with something like:
javac SSL_Test.java
# all on one line
java -D -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=***** -Djavax.net.debug=ssl,handshake SSL_Test
This just tests whether your truststore can trust the server cert.

Error – SAML Single Logout request does not correspond to the logged-in session participant

We are relatively new to ADFS, having set up working rp-trusts with three partners in the last few months. Our 4th partner is proving problematic. Single sign in works, but the ADFS
responds the single logout request from the RP with a status of Requester. The ADFS event log shows
The SAML Single Logout request does not correspond to the logged-in session participant.
Requestor: https://test-sso.rp.com/fed/sp
Request name identifier: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, NameQualifier: http://fs.idp.com/adfs/services/trust SPNameQualifier:
https://test-sso.rp.com/fed/sp, SPProvidedId:
Logged-in session participants:
Count: 1, [Issuer: https://test-sso.crmondemand.com/fed/sp, NameID: (Format: , NameQualifier:
SPNameQualifier: , SPProvidedId: )]
This request failed.
User Action
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier
in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS 2.0 Management snap-in.
The LogoutRequest looks like this
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://fs.timken.com/adfs/ls/"
                ID="id-HAScmHCfwfuYk76bce6YBfO2uOM-"
IssueInstant="2013-01-14T13:24:04Z"
Version="2.0">
. . . cert, etc. omitted . . .
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NameQualifier="http://fs.idp.com/adfs/services/trust"
SPNameQualifier="https://test-sso.rp.com/fed/sp"
>jsmith</saml:NameID>
<samlp:SessionIndex>_df13d31b-162e-42e1-8331-f36be6bf1194</samlp:SessionIndex>
</samlp:LogoutRequest>
The session index and the username in NameID matches the Response we got from our AuthRequest. I don't know how to figure out what ADFS thinks does not match.
Any suggestions would be appreciated.
For completeness sake, the Response to AuthRequest looked like this.
<Subject>
            <NameID>jsmith</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2013-01-14T13:28:52.199Z"
                                         Recipient="https://test-sso.rp.com/fed/sp/authnResponse20"
                                         />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2013-01-14T13:23:52.183Z"
                    NotOnOrAfter="2013-01-14T14:23:52.183Z"
                    >
            <AudienceRestriction>
                <Audience>https://test-sso.rp.com/fed/sp</Audience>
            </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2013-01-14T13:10:43.826Z"
                        SessionIndex="_df13d31b-162e-42e1-8331-f36be6bf1194"
>

Okay, here are the relevant SAML messages.
The <AuthnRequest>
<samlp:AuthnRequest ID="_ced78e65-14d2-4c4d-8417-51f664a9e2e3"
                    Version="2.0"
                    IssueInstant="2013-02-04T13:29:20.887Z"
                    Destination="https://fs.timken.com/adfs/ls/"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://fs.timken.com/adfs/services/trust</Issuer>
    <Conditions xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <AudienceRestriction>
            <Audience>https://test-sso.salesdemand.com/fed/sp</Audience>
        </AudienceRestriction>
    </Conditions>
</samlp:AuthnRequest>The AuthnRequest Response<samlp:Response ID="_890f3128-6cae-414e-8272-30cde3bda94a"               Version="2.0"                IssueInstant="2013-02-04T13:29:29.748Z"                Destination="https://test-sso.salesdemand.com/fed/sp/authnResponse20"                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"                >    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://fs.timken.com/adfs/services/trust</Issuer>    <samlp:Status>        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />    </samlp:Status>    <Assertion ID="_82f82c5c-2653-4e18-9308-349ebeb67743"               IssueInstant="2013-02-04T13:29:29.748Z"               Version="2.0"               xmlns="urn:oasis:names:tc:SAML:2.0:assertion"               >        <Issuer>http://fs.timken.com/adfs/services/trust</Issuer>        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">            <ds:SignedInfo>                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />                <ds:Reference URI="#_82f82c5c-2653-4e18-9308-349ebeb67743">                    <ds:Transforms>                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />                    </ds:Transforms>                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />                    <ds:DigestValue>RxZZLlbdh5eD6Ht4+aVna3Rtbnc=</ds:DigestValue>                </ds:Reference>            </ds:SignedInfo>            <ds:SignatureValue>Es8LAN9noqGIJEbgZe/...XW8LAv5Mgr3tOXpHRlcsJNss/A==</ds:SignatureValue>            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">                <ds:X509Data>                    <ds:X509Certificate>MIIFDDCCA/SgAwIB...</ds:X509Certificate>                </ds:X509Data>           </KeyInfo>        </ds:Signature>        <Subject>            <NameID>mooreta</NameID>            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">                <SubjectConfirmationData NotOnOrAfter="2013-02-04T13:34:29.748Z"                                         Recipient="https://test-sso.salesdemand.com/fed/sp/authnResponse20"                                         />            </SubjectConfirmation>        </Subject>        <Conditions NotBefore="2013-02-04T13:29:29.732Z"                    NotOnOrAfter="2013-02-04T14:29:29.732Z"                    >            <AudienceRestriction>                <Audience>https://test-sso.salesdemand.com/fed/sp</Audience>            </AudienceRestriction>        </Conditions>       <AuthnStatement AuthnInstant="2013-02-04T13:29:29.545Z"                        SessionIndex="_82f82c5c-2653-4e18-9308-349ebeb67743"                        >            <AuthnContext>                <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>            </AuthnContext>        </AuthnStatement>    </Assertion></samlp:Response>The LogoutRequest<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"                     Destination="https://fs.timken.com/adfs/ls/"                     ID="id-uvoTioVCLdMycE88o-6CU5RrSNM-"                     IssueInstant="2013-02-04T13:29:57Z"                     Version="2.0"                     >    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"                 >https://test-sso.salesdemand.com/fed/sp</saml:Issuer>    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">        <dsig:SignedInfo>            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />            <dsig:Reference URI="#id-uvoTioVCLdMycE88o-6CU5RrSNM-">                <dsig:Transforms>                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />                </dsig:Transforms>                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />                <dsig:DigestValue>ZT0yQqiaL2dD2a7rt6ywJ9EoM1I=</dsig:DigestValue>            </dsig:Reference>        </dsig:SignedInfo>        <dsig:SignatureValue>Z7F7zYS31y1K48FbUHevJT86+txOlPM9awlHiMNj1TiMxRAEVz1rOj2uG0oVMd7NkblkneCrE8aVtJuebdUY4Q0DAcXR8lSTuNEFocT2R6eCIwQb48xQqQMs8ZE6siPsPFMS+QAhpgDom/IY61L/.../NNxVg==</dsig:SignatureValue>        <dsig:KeyInfo>            <dsig:X509Data>                <dsig:X509Certificate>MIIFxTCCBK2gAwIBAgIQAN+.../G6p95pNm1ZAqroUjufLeHO4q34Mx3xNyw0tmyjmWgkxY11Pa+M0gCeLOdLzxafIOXUFXOhKfOUg4Jp4S+/sCVcd9fBDPvfEHSr8uMmQC2IdQaRE7IvZdRF0OUP+l1MpRBkMsy98hPXTBK6n1ivklOxzmWie88jav8gzjWhwQC5Ia2/JNYxVBkPsNkRw86n8KBnlsumU9EV0dAeXTOaehKtG+RNnD1Gt4Y34TQccaIbf7OTLisY4kMkjZbRu3sJnX9KjM=</dsig:X509Certificate>            </dsig:X509Data>        </dsig:KeyInfo>    </dsig:Signature>    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"                 NameQualifier="http://fs.timken.com/adfs/services/trust"                 SPNameQualifier="https://test-sso.salesdemand.com/fed/sp"                 >mooreta</saml:NameID>    <samlp:SessionIndex>_82f82c5c-2653-4e18-9308-349ebeb67743</samlp:SessionIndex></samlp:LogoutRequest>The LogoutRequest Response<samlp:LogoutResponse ID="_bf7199a8-3248-4201-9ca4-609bec5404d6"                      Version="2.0"                      IssueInstant="2013-02-04T13:29:59.076Z"                      Destination="https://test-sso.salesdemand.com/fed/sp/samlv20"                      Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"                      InResponseTo="id-uvoTioVCLdMycE88o-6CU5RrSNM-"                      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"                      >    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://fs.timken.com/adfs/services/trust</Issuer>    <samlp:Status>        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />    </samlp:Status></samlp:LogoutResponse>The ADFS Error Log EntryThe SAML Single Logout request does not correspond to the logged-in session participant. Requestor: https://test-sso.salesdemand.com/fed/sp Request name identifier: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, NameQualifier: http://fs.timken.com/adfs/services/trust SPNameQualifier: https://test-sso.salesdemand.com/fed/sp, SPProvidedId: Logged-in session participants: Count: 1, [Issuer: https://test-sso.salesdemand.com/fed/sp, NameID: (Format: , NameQualifier: SPNameQualifier: , SPProvidedId: )] This request failed. User Action Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS 2.0 Management snap-in.

Getting Error The trust relationship between the primary domain and the trusted domain failed in SharePoint 2010

Hi,
SharePoint 2010 Backup has been taken from production and restored through Semantic Tool in one of the server.The wepapplication of which the backup was taken is working fine.
But the problem is that the SharePoint is not working correctly.We cannot create any new webapplication ,cannot navigate to the ServiceApplications.aspx page it shows error.Even the Search and UserProfile Services of the existing Web Application is not working.Checking
the SharePoint Logs I found out the below exception
11/30/2011 12:14:53.78 WebAnalyticsService.exe (0x06D4)        0x2D24 SharePoint Foundation         Database
8u1d High    Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
11/30/2011 12:14:53.78 WebAnalyticsService.exe (0x06D4)        0x2D24 SharePoint Foundation         Topology
2myf Medium Enabling the configuration filesystem and memory caches.
11/30/2011 12:14:53.79 WebAnalyticsService.exe (0x06D4)        0x12AC SharePoint Foundation         Database
8u1d High    Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15'
11/30/2011 12:14:53.79 WebAnalyticsService.exe (0x06D4)        0x12AC SharePoint Foundation         Topology
2myf Medium Enabling the configuration filesystem and memory caches.
11/30/2011 12:14:55.54 mssearch.exe (0x0864)                   0x2B24 SharePoint Server Search      Propagation Manager
fo2s Medium [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes) [indexpropagator.cxx:1607] d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx
11/30/2011 12:14:55.99 OWSTIMER.EXE (0x1DF4)                   0x1994 SharePoint Foundation         Topology
75dz High    The SPPersistedObject with
Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()
at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip...
11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4)                   0x1994 SharePoint Foundation         Topology
75dz High    ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)
at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)
11/30/2011 12:14:56.00 OWSTIMER.EXE (0x1DF4)                   0x1994 SharePoint Foundation         Topology
8xqx High    Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.
11/30/2011 12:14:56.00 OWSTIMER.EXE (0x1DF4)                   0x1994 SharePoint Foundation         Timer
2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
T denyRightsMask)     at Microsoft.SharePoint.Administrati...
11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4)                   0x1994 SharePoint Foundation         Timer
2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()
at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
currentVe...
Please guide me on the above issue ,this will be of great help
Thanks.

I have same error. Verified for trust , ports , cleaned up cache.. nothing has helped.
The problem is caused by User profile Synch Service:
UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
identifier, T grantRightsMask, T denyRigh...
08/23/2014 13:00:20.96*        w3wp.exe (0x2204)
        0x293C        SharePoint Portal Server              User Profiles
        eh0u        Unexpected        ...tsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)
at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl()     at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
Please let me know if you any solution found for this?
Regards,
Kunal

OBIEE 11g SSL Configuration Issue : Unable to import the Server certs

Hello All,
We are trying to configure OBIEE 11.1.1.6.0 with SSL using Windows server 2003 (IIS) and facing some issues with that.
Followed the document : OBIEE11g SSL Setup and Configuration [1326781.1]
http://obieedue.blogspot.sg/2012/08/obiee11g-ssl-setup-and-configuration.html
and also completed generating the required certificate signing request and keystores for SSL communication and sent it to the CA (IT Admin team) to to have the certificate signed by CA. The issue comes when I am trying to import the CA certificate (Root certificate) and Server Certificate into the Java Keystore.
I am importing the Root CA Certificate first which is successfully added to the keystore.
keytool -import -trustcacerts -alias mycacert -file cacert.pem -keystore mykeystore.jks -storepass Welcome1
Trust this certificate? [no]: yes
Certificate was added to keystore.
But when trying to add the Server Certificate to the keystore using the command below :
keytool -import -v -alias testserver -file server.cer -keystore mykeystore.jks -keypass Welcome1 -storepass Welcome1
Certificate reply was installed in keystore
I get the following error:
keytool error: java.lang.Exception: Failed to establish chain from reply
java.lang.Exception: Failed to establish chain from reply
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
Read many forums and tried to convert it to the PKCS#7 format and import the cert to the identity keystore, but was not successful in that either. I have also checked with the IT Admin team and found there is only one RootCA and no other intermediate CA's.
Please advice if any one has similar issues or suggestions.
Thanks in advance,
SVS

Hi,
One obvious reason would be that you did not specify -trustcacerts, and the root CA is not included in the present server keystore. In that case, using the -trustcacerts option would solve the problem, if the root CA is indeed in the JDK cacerts.
To print out the certificates present in the JDK cacerts, use the following command:
keytool -list -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -v
Then check if the root CA that signed your server certificate is present, and has not expired (in which case,you would need to re-import a newer one into cacerts).
Another common reason for that error message is when you have used a proprietary CA to sign your server certificate. Then it would obviously not be in the JDK cacerts. The solution in that case is to import your proprietary root CA into the JDK cacerts, using the following command:
keytool -import -keystore <JAVA_HOME>/jre/lib/security/cacerts -file yourRootCA.pem -storepass changeit -alias youralias
A third reason for that error message is when your server was signed by an intermediate certificate. In that case, you would have received from your CA a chain of certificates. One way to solve this (not the only one, but this one works well): Prepend your intermediate CA file to your server cert file, and import the obtained concatenated file into the server keystore. Be careful, the intermediate CA must be BEFORE the server cert. Example:
copy rootca.cer certchain.p7b
type server.cer >> certchain.p7b
The file certchain.p7b will be the concatenation of the intermediate CA and the signed server cert. Then import the newly created file under the key alias as follows:
keytool -import -keystore serverks.jks -file certchain.p7b -alias yourkey -trustcacerts
If you only prepend the intermediate root CA, you must make sure the the final root CA is in cacerts. But you can also prepend your whole chain of trust inside the server keystore.
Regards,
Kal

Does an SSLServerSocket cache the trusted certs???

Similar Messages

Maybe you are looking for