Enabling SSL using Demo keystores

Similar Messages

• How to enable SSL in order to access web appln. deployed in CE using https?

  Hi,
  I am new to Netweaver and this forum. Not sure if I am posting my question in right forum category. Please let me know otherwise.
  Question -
  I would like to know how to enable SSL in order to access the deployed web application in Netweaver environment using https instead of http.
  System Info:
  Netweaver 7.1
  Database: SAP DB (KERNEL    7.7.04   BUILD 021-123-186-883)
  OS: Linux (amd64) 2.6.18-194.el5
  Note: I have general idea about how to enable SSL in a non-SAP application server like tomcat using valid certificate (like enabling SSL in tomcat and adding certificate to server & Java keystore). But since I am new to Netweaver, not sure how to enable the same in Netweaver environment.
  Any help would be much appreciated.
  Thanks
  Edited by: Gopi.j on Oct 15, 2010 8:04 PM

  hi
  check the following sap help.
  http://help.sap.com/saphelp_nwce71core/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
  Best regards,
  John

• Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

  In iPlanet Web Server, Enterprise Edition Administration's guide, chapter 5: secure your web server - Using SSL and TLS protocol specifying that the Administrator server camn communicate LDAP over SSL with some Directory enable SSL.
  Is there any way to configure iplanet Administration server to talk ldap/ssl in mutual authentication mode with some directory?

  Hi,
  Sorry, I could not understand what your are trying to do with iWS.
  Could you please berifly explain your question. So that I can help you.
  Regards,
  Dakshin.
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support.

• Enable SSL for SQL used by ConfigMgr

  Hello guys,
  My DBA has decided to enable SSL encryption for an instance of SQL Server that is in use by our ConfigMgr.
  some background setup: Windows 2008 R2, SQL Server 2008, ConfigMgr 2007 R2
  My question is, how is enabling SSL for the SQL server will affect our ConfigMgr environment?
  Is there's anything I should change in ConfigMgr in case the SSL was enforced e.g all communication should use https instead of http?
  Sorry for being blunt here as we don't have this SSL on SQL setup before.
  Please share your suggestion & thoughs, really appreciate it! Thank you.
  ---Pat

  Just another reason not to use a shared SQL Server.
  First, I would bring this up as an issue to management -- folks shouldn't just be able to change configuration on something that your system depends upon without it being approved by you. There are ramifications and costs associated with any change such
  as this.
  Next, as far as ConfigMgr goes, I've never ever seen a discussion on it so doubt that it is supported; however, ultimately, the actual SQL connection is just something used by ConfigMgr, not created or controlled by ConfigMgr. ConfigMgr uses a System DSN
  based ODBC connection to connect to the DB on site system's with roles that directly connect to the DB. Thus, *in theory*, you could modify the connection string to use SSL.
  If you can't convince management that what the DBA did was reckless and costly, then you should open an advisory case with Microsoft via CSS to discuss your options -- this will cost $$$.
  Jason | http://blog.configmgrftw.com

• Enabling ssl on Weblogic server 5.1 using Verisign certificate.

  "Hi,I am trying to enable ssl in Weblogic server 5.1The properties set in my properties file areweblogic.security.certificate.server=servercert.pem(sent from the verisign via email)weblogic.security.key.server=cp8212-2d2-key.der(generated by the Certificate Servlet of Weblogic Server)

  "Hi,I am trying to enable ssl in Weblogic server 5.1The properties set in my properties file areweblogic.security.certificate.server=servercert.pem(sent from the verisign via email)weblogic.security.key.server=cp8212-2d2-key.der(generated by the Certificate Servlet of Weblogic Server)

• Can I re-enable SSL in Firefox without downgrading? When I hit an SSL-only site, my only current option is to use another browser.

  Just hit an SSL-only site that I needed to access that FF 35 blocked. I don't see an obvious way to create an exception or re-enable it. We need this option... many users understand POODLE and can make an intelligent decision regarding the risks. TLS has its vulnerabilities as well.

  hello ancistrus, as you know ssl3.0 encrypted connections can be no longer considered secure since an attack vector against them ("POODLE") has become known. please contact the webmaster in charge of the site and urge them to update their encryption to something contemporary.
  https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  if you want to re-enable ssl 3.0 in firefox you can do that - however keep the consequences in mind, that you will become vulnerable to the attack mentioned above: enter '''about:config '''into the firefox address bar (confirm the info message in case it shows up) & search for the preference named '''security.tls.version.min'''. double-click it, change its value to '''0''' and restart the browser.

• Issue with one of the Managed server while enabling SSL.__ Issue Resovled

  Weblogic version:wls 8.1sp6
  SSL: internal
  Environment:
  1 AdminServer and 2 Managed servers. Admin and M1 are on same host. M2 is on different host. We have enabled SSL on M1 & M2 only. Configuration of M1 & M2 are identical. After restarting the servers M1 has no issue with SSL but M2 throws javax.net.ssl.SSLKeyException as shown below,
  <Aug 4, 2008 12:29:01 PM BST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
  <Aug 4, 2008 12:29:02 PM BST> <Info> <WebLogicServer> <BEA-000213> <Adding address: 10.96.201.249 to licensed client list>
  <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
  <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Error> <Cluster> <BEA-000141> <TCP/IP socket failure occurred while fetching statedump over HTTP from -6401422690190304510S:lonlxwebhost99:[16544,16544,16042,16042,16544,16042,-1,0,0]:etg:lonwpyq_16543_1.
  javax.net.ssl.SSLKeyException: [Security:090773]The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
  at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
  at com.certicom.tls.record.WriteHandler.write(Unknown Source)
  at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
  at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
  at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
  at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
  at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:122)
  at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:322)
  at weblogic.cluster.HTTPExecuteRequest.connect(HTTPExecuteRequest.java:73)
  at weblogic.cluster.HTTPExecuteRequest.execute(HTTPExecuteRequest.java:121)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)>
  Please let me know where I am going wrong. Thnx in advance
  Message was edited by:
  Shashi_sr

  Solution given by BEA Engineer:
  <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  The reason for this was
  The CA Certificate was missing a required bit (according to RFC 3280).
  keyEncipherment bit is not in the KeyUsage and KeyUsage is marked as critical.
  As per RFC:
  The keyEncipherment bit is asserted when the subject public key is
  used for key transport. For example, when an RSA key is to be
  used for key management, then this bit is set.
  According to RFC3280, when the key will be used to encrypt other keys that are send over the wire ("key transport") the keyEncipherment bit of the KeyUsage extension must be set. If the KeyUsage extension is critical, the SSL certificate validation will check that the key can be used in the key agreement. That is, that the key can be used to encrypt the symmetric public key.
  Your KeyUsage only contains the following bits:
  [4]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
  Since it is marked Critical, it MUST have the keyEncipherment bit.
  Otherwise, it should not be marked as Critical.
  So the three solutions that should work are
  1) Remove keyUsage
  2) Don't mark keyUsage as critical
  3) If keyUsage is critical, make sure keyEncipherment bit is set.

• Using different keystore at runtime

  Hi everybody,
  I have the following problem:
  I've written an application which is able to send different kind of requests to an https server by using the jakarta HTTPClient.
  For the connection you can specify the url, the keystore and the corresponding password.
  If you send a request for the first time it works fine but if you change the parameters(application is still running) an exception occures: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found (the keystore should be correct)
  what could be the problem and how can I solve it
  here is my code:
  public void sendRequest() {
  HttpClient client = null;
  Header header = null;
  int statusCode = -1;
  try {
  System.setProperty("javax.net.ssl.trustStore", this.szKeyStore);
  System.setProperty("javax.net.ssl.trustStorePassword", this.szPassword);
  System.out.println(System.getProperty("javax.net.ssl.trustStore"));
  client = new HttpClient();
  // Create a method instance.
  post = new PostMethod(szUrl);
  header = new Header("Content-Type", "text/xml");
  post.addRequestHeader(header);
  header = new Header("Charset", "ISO-8859-1");
  post.addRequestHeader(header);
  post.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  RequestEntity re = new StringRequestEntity(szRequest);
  post.setRequestEntity(re);
  try {
  statusCode = client.executeMethod(post);
  } catch (Exception exc) {
  JOptionPane.showMessageDialog(listener, "not able to connect via HTTPS\n check settings");
  System.err.print("Exception while sending request: " + exc.toString());
  //post = null;
  //header = null;
  //client = null;
  // return;
  if (statusCode != HttpStatus.SC_OK) {
  System.err.println("Method failed: " + post.getStatusLine());
  // Read the response body.
  byte[] responseBody = post.getResponseBody();
  // Deal with the response.
  // Use caution: ensure correct character encoding and is not binary data
  szResponse = new String(responseBody);
  listener.requestReceived(szResponse);
  post = null;
  header = null;
  client = null;
  } catch (Exception e) {
  System.err.println("Execption in sendRequest: " + e.getMessage());
  e.printStackTrace();
  } finally {
  // Release the connection.
  if (post != null) post.releaseConnection();
  Thanks a lot

  Presumably the following would work:public class Demo {
     private KeyStore keyStore;
     public Demo() {
        keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
     public void setKeyStore(String filename, String password) {
        FileInputStream fis = new FileInputStream(filename);
        keyStore.load(fis,  password.toCharArray());  //NB: Should overwrite String password ?
        fis.close();
  }

• Problem enabling SSL on a MQSeries Adapter

  I'm trying to enable SSL and so far these are the steps I've done:
  - I've been using the DemoIdentity.jks and DemoTrust.jks files located under <MIDDLEWARE_HOME>\wlserver_10.3\server\lib for all my certificate operations.
  - I created a PrivateKey and imported it to my DemoIdentity store, created a certificate request and when I got the response imported it back using the same alias. Something I want to highlight here is that when I created the PrivateKey I left the password field empty so it supposed inherit the keystore's.
  - I also imported the CA cert into the DemoTrust.jks
  My MQAdapter is all set and when I used it with no SSL it was working just fine so I think I have the problem isolated.
  Anyway, now when I try to connect this is what I'm getting in the logs:
  at oracle.integration.platform.blocks.adapter.fw.jca.cci.JCAConnectionMa
  nager$JCAConnectionPool.createJCAConnection(JCAConnectionManager.java:1335)
  ... 59 more
  Caused by: java.security.UnrecoverableKeyException: Cannot recover key at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
  at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121
  at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java
  :38)
  at java.security.KeyStore.getKey(KeyStore.java:763)
  at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyM
  anagerImpl.java:113)
  at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit
  (KeyManagerFactoryImpl.java:48)
  at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
  at oracle.tip.adapter.mq.ManagedConnectionImpl.setupSSLSocketFactory(Man
  agedConnectionImpl.java:670)
  Googling this it seems like it's a problem with the keystore and private key passwords being different but I changed the private key's to match the keystore (something that I shouldn't be necessary because of the keytool's default behavior when generating the key) with no positive results.
  Anyway, any ideas would be really appreciated. I've been spinning my wheels on this issue for 3 days now.
  BTW, here's I'm using Oracle SOA11g.

  What are the steps you are doing to create a FlexConnect WLAN
  Check wether you have done this
  1. You should havee a flexconnect mode AP in your network
  2. That AP should connect via a trunk link back to your switch port
  3. Under "FlexConnect" tab of that AP configuration you need to map required vlans where native vlan should be the AP managment in this trunk (AP connected Switch port)
  4. Under WLAN advanced settings, you have to enable "Local Switching" if you want to do local switching. Leave it untick if you want to do central switching.
  This is some of my notes when I did this on a WLC 7.0.116.0 (feature was called H-REAP in that time & later modified to FlexConnect). This should help you as well
  http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/
  HTH
  Rasika

• Enable SSL to LDAP / MS AD : Portal will not start

  Hi all ,
  We have successfully enabled portal User Authentication to MS AD/LDAP over port 389 in a EP6 SP2 portal . Portal use                                       
  Now we wish to switch to LDAP over SSL .We did the following for a Ad with SSL enabled on port 636 :
  1) Import the AD server cert into the keystore using Visual admin tool
  2) Log into portal as adminstrator > Go to UM Administration          
  3) Change DataSource to AD , Flat heirarchy                           
  4) Enter hostname of AD server , user . password , paths etc.., Enable SSL    
  5) Save config and restart portal     
  Now the Portal will not start and we get the following error messages in the 
  console_logs...any ideas ???                            
  Loading services:                                                       
    Loading service: com.sap.portal.license.runtime license                
  java.lang.NullPointerException
          at com.sap.security.core.util.imp.UMTrace.debug(UMTrace.java:      
  739)                                                                               
  at com.sap.security.core.util.imp.UMTrace.debug(UMTrace.java:      
  840)                                                                               
  at com.sap.security.core.util.imp.UMTrace.fatalT(UMTrace.java:     
  586)                                                                               
  at com.sap.security.core.persistence.datasource.imp.               
  LDAPConnectionManage                                                       
  r.initConnectionPools(LDAPConnectionManager.java:556)                      
          at com.sap.security.core.persistence.datasource.imp.               
  LDAPConnectionManage                                                       
  r.initialize(LDAPConnectionManager.java:77)

  Here's another option that might work for you:
  Check out this note: 789590.  From reading between the lines it looks like you can change your um config without the portal being up by creating a file called 'sapum.properties.upgrade'.  That note talks about modifying some logging parameters but you should be able to substitute the um parameters to change your config back to using just the portal database.
  Here's what sap explained about the process:
  "you can update single um.properties by defining a file called sapum.properties.upgrade and storing it in the
  directory \ume\. During the next startup, these properties are uploaded and update the older values from the UME properties stored in the PCD.
  Values that are not listed in the .upgrade file are not touched. The upload is done before the service is starting, so that the updated values are taken as start parameters. Again in note 789590, you can find an example for an upgrade file (in this case for updating the information on the logging settings)."
  Once you get the portal up and running, when you try to change the UM config, make sure you click on the 'Test Connection' button after you've saved the new ldap settings to make sure that everything is ok.  The ldap server might be accessable but you might have a problem with the user, password, group or user path.  Also if you're using SSL then make sure the 'Use SSL for Ldap access' is checked.
  Hope that helps.
  Regards,
  Robin.

• SSL with custom keystores question

  Hi,
  I am trying to configure certificates and keystores to enable SSL for WLS 8.1
  sp1.
  First, I generated the certs with CertGen. Then created custom keystores for digital
  certificates and imported the cert successfully into my custom keystore. Imported
  CertGenCA.pem into the custom keystore for trust certificates. I used SUN's Keytool
  to import certs.
  Upon making changes to config.xml, the server starts up with the following error
  message...
  <Jan 5, 2004 3:07:38 PM PST> <Notice> <Security> <BEA-090171>
  <Loading the identity certificate stored under the alias MyCertAlias from the
  jks keystore fil
  e C:\projects\SSL\MyCertKeyStore.jks.>
  <Jan 5, 2004 3:07:38 PM PST> <Alert> <Security> <BEA-090168>
  <No identity key/certificate entry was found under alias MyCertAlias in keystore
  C:\projects\SSL
  \MyCertKeyStore.jks on server myPlatformServer>
  <Jan 5, 2004 3:07:38 PM PST> <Critical> <WebLogicServer> <BEA-000306>
  <Cannot use SSL, no certificates have been specified in the WebLogic configuration.>
  <Jan 5, 2004 3:07:38 PM PST> <Error> <WebLogicServer> <BEA-000297>
  <Inconsistent security configuration, java.lang.Exception: Cannot use SSL, no
  certificates ha
  ve been specified in the WebLogic configuration.>
  <Jan 5, 2004 3:07:38 PM PST> <Emergency> <Security> <BEA-090034>
  <Not listeningfor SSL, java.io.IOException: Inconsistent security configuration,
  Cannot use SS
  L, no certificates have been specified in the WebLogic configuration..>
  To make sure the import of certs happened successfully, I did this..
  keytool -list -alias MyCertAlias -keystore MyCertKeyStore.jks -storepass MyCertKeyStorePass
  MyCertAlias, Jan 5, 2004, trustedCertEntry,
  Certificate fingerprint (MD5): C7:DE:CC:C7:50:33:15:21:90:D9:C3:55:51:CC:35:3E
  This indicates that the import was successful. I am not why WLS is not able to
  fetch the cert using the alias..
  Any input is greatly appreciated.
  Thanks,
  Ajay

  JKS keystore can have two types of entries: key entries and trusted cert entries.
  keytool import command only allows to create trusted cert entries, while the identity
  public/private key pair need to be imported as a key entry. utils.ImportPrivateKey
  can do this for you. It does this via java keystore api.
  The output of the keytool -list command that you provided shows that you have
  trustedCertEntry under MyCertAlias: "MyCertAlias, Jan 5, 2004, trustedCertEntry"
  This is why when you boot the server you get the error message about it not being
  able to find identity key/certificate under MyCertAlias.
  Pavel.
  "Ajay Oruganti" <[email protected]> wrote:
  >
  Pavel,
  I had separate key stores for digital certs and trust certs. I imported
  digital
  certs (with the key file) into the keystore1 and imported trust certs
  into keystore2.
  I did not understand what you meant by this..
  The identity certificate
  and private key need to be imported as a key entry. keytool does not
  provide a way to do that. Could you please elaborate?
  Ajay
  "Pavel" <[email protected]> wrote:
  The command you used created trusted certificate entry. The identity
  certificate
  and private key need to be imported as a key entry. keytool does not
  provide a
  way to do that. You will need to use weblogic utility: utils.ImportPrivateKey
  for this.
  Pavel.
  "Ajay Oruganti" <[email protected]> wrote:
  Hi,
  I am trying to configure certificates and keystores to enable SSL for
  WLS 8.1
  sp1.
  First, I generated the certs with CertGen. Then created custom keystores
  for digital
  certificates and imported the cert successfully into my custom keystore.
  Imported
  CertGenCA.pem into the custom keystore for trust certificates. I used
  SUN's Keytool
  to import certs.
  Upon making changes to config.xml, the server starts up with the following
  error
  message...
  <Jan 5, 2004 3:07:38 PM PST> <Notice> <Security> <BEA-090171>
  <Loading the identity certificate stored under the alias MyCertAlias
  from the
  jks keystore fil
  e C:\projects\SSL\MyCertKeyStore.jks.>
  <Jan 5, 2004 3:07:38 PM PST> <Alert> <Security> <BEA-090168>
  <No identity key/certificate entry was found under alias MyCertAlias
  in keystore
  C:\projects\SSL
  \MyCertKeyStore.jks on server myPlatformServer>
  <Jan 5, 2004 3:07:38 PM PST> <Critical> <WebLogicServer> <BEA-000306>
  <Cannot use SSL, no certificates have been specified in the WebLogic
  configuration.>
  <Jan 5, 2004 3:07:38 PM PST> <Error> <WebLogicServer> <BEA-000297>
  <Inconsistent security configuration, java.lang.Exception: Cannot use
  SSL, no
  certificates ha
  ve been specified in the WebLogic configuration.>
  <Jan 5, 2004 3:07:38 PM PST> <Emergency> <Security> <BEA-090034>
  <Not listeningfor SSL, java.io.IOException: Inconsistent security configuration,
  Cannot use SS
  L, no certificates have been specified in the WebLogic configuration..>
  To make sure the import of certs happened successfully, I did this..
  keytool -list -alias MyCertAlias -keystore MyCertKeyStore.jks -storepass
  MyCertKeyStorePass
  MyCertAlias, Jan 5, 2004, trustedCertEntry,
  Certificate fingerprint (MD5): C7:DE:CC:C7:50:33:15:21:90:D9:C3:55:51:CC:35:3E
  This indicates that the import was successful. I am not why WLS isnot
  able to
  fetch the cert using the alias..
  Any input is greatly appreciated.
  Thanks,
  Ajay

• Enabling SSL in R12

  Is it possible to enable SSL on R12 without using a valid certificate? I am currently reviewing doc 376700.1 but do not have a working instance yet.

  Hi,
  You can try a [free trial certificate|http://www.verisign.com/ssl/buy-ssl-certificates/free-ssl-certificate-trial/index.html] which is valid for 14 days only -- This is already mentioned in the document (under "Digital Certificate (Public Key)").
  Regards,
  Hussein

• Enabling SSL for Oracle Enterprise Manager 10.1.3.1 is Failing!!!

  Hi All,
  I have followed the steps described in
  http://download-uk.oracle.com/docs/cd/B31017_01//core.1013/b28940/em_app.htm#BABCEEAH.
  However when I am trying to start the application server using 'opmnctl startall' the server is not starting and some timeout is getting generated in the log file.
  Is it that enabling SSL will only make the EM console secured? Then how to enable SSL for other soa components like - BPEL,ESB,OWSM? Are there any documentations available?
  Also please let me know how can I enable SSL for Oracle Application server console?
  Please any advice will be appreciated. I am in the middle of a project delivery.
  Thanks

  Hi,
  Let me first highlight the installation that I have done. I have installed SOA components with 'basic installation' mode.
  The log file under <ORACLE_SOA_HOME>/opmn/config/ has generated the following stack:-
  08/07/25 11:03:34 Start process
  08/07/25 11:03:37 WARNING: XMLApplicationServerConfig.overwriteSiteConfigPort Port assignment is ignored: web-site not found in the server OC4JServiceInfo id: default-web-site protocol: http hostname: null port: 8890 description: null
  08/07/25 11:03:37 WARNING: XMLApplicationServerConfig.overwriteSiteConfigPort Port assignment is ignored: web-site not found in the server OC4JServiceInfo id: secure-web-site protocol: https hostname: null port: 1156 description: null
  08/07/25 11:03:47 log4j:WARN No appenders could be found for logger (wsif).
  08/07/25 11:03:47 log4j:WARN Please initialize the log4j system properly.
  08/07/25 11:03:53 WARNING: OC4J Service: ascontrol-web-site with protocol: https and port: 1156 was not declared in opmn.xml
  08/07/25 11:03:53 Oracle Containers for J2EE 10g (10.1.3.1.0) initialized
  08/07/25 11:03:53 WARNING: OC4J will not send ONS ProcReadyPort messages to opmn for service: OC4JServiceInfo id: default-web-site protocol: http hostname: null port: 8890 description: null
  08/07/25 11:03:53 default-web-site hostname was null
  08/07/25 11:03:53 WARNING: OC4J will not send ONS ProcReadyPort messages to opmn for service: OC4JServiceInfo id: secure-web-site protocol: https hostname: null port: 1156 description: null
  08/07/25 11:03:53 secure-web-site hostname was null
  On the command prompt I am getting the following error:-
  opmn id=CALTP8BB32:6203
  0 of 1 processes started.
  ias-instance id=home.CALTP8BB32.cts.com
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ias-component/process-type/process-set:
  default_group/home/default_group/
  Error
  --> Process (index=1,uid=301928631,pid=2944)
  failed to start a managed process after the maximum retry limit
  Log:
  D:\product\SOASuite\opmn\logs\\default_group~home~default_group~1.log
  --------------------------------------------------------------+---------
  ias-component | process-type | pid | status
  --------------------------------------------------------------+---------
  OC4JGroup:default_group | OC4J:home | N/A | Down
  ASG | ASG | N/A | Down
  Please let me know where am I going wrong?
  Thanks,
  Mandrita.

• How to enable ssl in ohs

  I installed the web tier (ohs and web cache) 11.1.1.2 on 2008 r2 64 bits. Also I patched that to 11.1.1.3 I did not think and this may
  be where I went wrong, I needed to install weblogic?. I have not done anything with webcache. yet.
  I had imagined I could enable ssl in apache the way it is done on other installations just by putting entries in
  the ssl.conf like SSLCertificateFile and SSLCertificateKeyFile . But no. The software will not allow you to do that.
  I believe the certificate has to go in a wallet (for ohs. Other fusion things want a different plan). There's multiple
  wallet programs already there such as from installing the database. I find that the wallet program will not allow
  me to use the csr I already created that was used to get the certificate I have gotten. oops!
  So anyone know if there is a way around this so I can use the .crt and .key I have for this domain name?
  This is really taking a lot of time. I suppose I could install apache, the regular one, on this machine so that I
  could use an ssl connection to that and then hand it over to ohs. Since it wasn't going anywhere it wouldn't
  be much of a problem the traffic wasn't encrypted.
  Edited by: lake on Nov 23, 2010 7:11 PM

  I thought I'd never get this to work. No one should bother trying without reading the docs
  1226484.1 and 1218603.1 on metalink.
  While it could be that one could use a reverse proxy such as using proxypass and proxypass reverse
  in an apache web server so that ssl could be configured in the other server, I saw reports of that not always working.
  Otherwise if one did not install weblogic I believe the only way to configure ssl with this version of ohs is with orapki the command line
  interface for handling wallets, or the gui wallet application which I found on the 11gr2 database menu under "integrated management tools". You may be able to add an existing csr to a wallet via the orapki interface.
  If you were using a separate key and certificate you may be able to change them to the wallet requirements given sufficient knowledge of opensll. That was more knowledge than I had. So what I did
  was start over from scratch totally. I created the csr in the wallet gui, exported it, submitted it, and got a totally new cert from our cert source.
  What I used for the wallet "operations, import user certificate" was a .cer file, and it worked. The wallet already had our CA in it so I did not have to fight that battle. Hallelujah.
  It is essential to check on the "Wallet" menu the "Auto Login" selection before saving it. When you save a wallet
  it will be called cwallet.sso if it is autologin. If the saved file is called ewallet.p12 it is not autologin and will not
  work for ohs.
  After you have saved your wallet as cwallet.sso say in
  "....instances\instance1\config\OHS\ohs1\mykeys"
  then you would need to check the ssl.conf and it would need to be like so:
  SSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/mykeys"
  Note that is to the directory the sso file is in.
  But wait there's more....
  on windows 2008 r2, you need to get fire up windows explorer and navigate to your cwallet.sso file
  Under properties, security you need to add SYSTEM in "group or user names" and give it all permissions possible.
  Secondly, you need to go under properties, security, advanced, owner and change the owner to SYSTEM.
  Without these changes it will never work because the web server cannot open the wallet.
  Remember by default the logs go in
  "....instances\instance1\diagnostics\logs\OHS\ohs1"
  I became very familiar with them :-)

• To enable SSL in Apex 3.1.2, wallet must or not

  Hi Experts,
  We have to enable SSL in Apex 3.1.2. We are using Companion HTTP server as a Application Server.
  My question is,
  To enable SSL we need to create wallet or not?
  Please clarify my doubt.
  Thanks
  R.Sundaravel

  Usually a Wallet is created at installation time with a dummy certificate for SSL.
  If you are planning to use a certificate from any commercial CA, you should go ahead and create a new Wallet, then create the certificate request and send it to the CA to get your certificate.
  After that change the ssl virtual host configuration to point to the new wallet.