How to disable hostname verification on iplanet reverse proxy

I am looking for a way to disable hostname verification of the application server URL specified in the reverse proxy setup.
I am using the following setting in my Object definitions. It is failing because the certificate CN does not match the URL I specified.
The error is:
for host xx.yy.zz.ww trying to GET /uri/loginAction.do, service-http reports: HTTP7758: error sending request (SSL_ERROR_BAD_CERT_DOMAIN: Requested domain name does not match the server's certificate.)
Route fn="set-origin-server" server="https://bbb.com:7002/" poll-timeout="20000" retries="2"
My Tomcat certificate CN has aaa.com
while I am using the Tomcat on bbb.com.
Is there any way to disable hostname verification on a reverse proxy setup? I am unable to find any relevant documentation on this.
The closest discussion I found was https://forums.oracle.com/thread/1943116 but it did not conclude anything.

Found a solution from Oracle Knowledge base:
This fixed our issue
<Object name="reverse-proxy-/abc">
ObjectType fn="ssl-client-config" validate-server-cert="false"
Route fn="set-origin-server" server="https://server1.test.com:11011" server="https://server2.test.com:11011"
</Object>
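
Added example, not part of the original thread or of Oracle's documentation: a small Python audit for obj.conf that lists every https origin served by an object with validate-server-cert="false" and every origin whose certificate names do not cover the host in the Route line, which is the condition behind SSL_ERROR_BAD_CERT_DOMAIN. The sample obj.conf, the object name reverse-proxy-/uri and the certificate name lists are constructed for illustration; the name lists stand in for what you would read from each origin's certificate.

```python
import re
from urllib.parse import urlsplit

OBJECT_RE = re.compile(r'<Object\s+([^>]*)>(.*?)</Object>', re.S)
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Constructed sample: the first object mirrors the question's Route line (its
# object name is hypothetical), the second is the configuration from the answer.
SAMPLE_OBJ_CONF = """
<Object name="reverse-proxy-/uri">
Route fn="set-origin-server" server="https://bbb.com:7002/" poll-timeout="20000" retries="2"
</Object>
<Object name="reverse-proxy-/abc">
ObjectType fn="ssl-client-config" validate-server-cert="false"
Route fn="set-origin-server" server="https://server1.test.com:11011" server="https://server2.test.com:11011"
</Object>
"""

# Constructed sample: DNS names carried by each origin's certificate
# (subjectAltName entries, or the CN when the certificate has no SAN).
SAMPLE_CERT_NAMES = {
    "bbb.com": ["aaa.com"],
    "server1.test.com": ["*.test.com"],
    "server2.test.com": ["*.test.com"],
}


def hostname_matches(pattern, host):
    """RFC 6125 style match: '*' counts only as the entire left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or "*" in ".".join(p_labels[1:]):
        return False  # partial or non-leading wildcards are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no '*.com', and a wildcard spans exactly one label
    return p_labels[1:] == h_labels[1:]


def audit_obj_conf(text, cert_names):
    """Return (object name, origin URL, issue) tuples for https origins."""
    findings = []
    for attrs, body in OBJECT_RE.findall(text):
        name = dict(PARAM_RE.findall(attrs)).get("name", "(unnamed)")
        validation_off, origins = False, []
        for line in body.splitlines():
            params = PARAM_RE.findall(line)
            fn = dict(params).get("fn")
            if fn == "ssl-client-config":
                value = dict(params).get("validate-server-cert", "")
                validation_off = value.lower() == "false"
            elif fn == "set-origin-server":
                # 'server' may repeat on one Route line, so keep every value
                origins += [v for k, v in params if k == "server"]
        for url in origins:
            parts = urlsplit(url)
            if parts.scheme != "https":
                continue
            if validation_off:
                findings.append((name, url, "validation-disabled"))
            names = cert_names.get(parts.hostname, [])
            if names and not any(hostname_matches(n, parts.hostname) for n in names):
                findings.append((name, url, "name-mismatch"))
    return findings


if __name__ == "__main__":
    for finding in audit_obj_conf(SAMPLE_OBJ_CONF, SAMPLE_CERT_NAMES):
        print(*finding, sep="  ")
```

A name-mismatch finding is resolved by reissuing the origin certificate with the routed host name, or by routing to a name the certificate already carries, which leaves validation switched on.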

Similar Messages

  • How to disable hostname verification without code

    Hello.
    Is there a way to disable the hostname verification during SSL connection? I mean something like a system property, since I use an existing application and I don't have the source to set my own custom hostname verifier.
    Thanks.
    Ephemeris Lappis

    Hi
    I faced the same problem and as I see now I'm not the only one :o)
    Did you find the way to do it, please?
    Very appreciating any inputs,
    Sincerely,
    Jabb

  • How to configure SharePoint HNSC with a reverse proxy server so that HNSC Share Point URLs are not exposed to end users.

    Could you please let me know how SharePoint HNSC can be configured with a reverse proxy server so that HNSC Share Point URLs are not exposed to end users.
    In normal path based site collections/web applications, reverse proxy configuration can be done using alternate access mappings with  Public URL = "proxy URL", internal = "HNSC Share Point URL" so that share point sends response back
    to Public URL = "proxy URL".
    In Host Named Site Collections,  alternate access mappings  are not supported. Each HNSC is designed to have only one URL in each zone. Zone is one of the five zones(Default,Intranet,Internet,Custom,Extranet) with each of which only one alternate
    URL is associated.  This is what we are able to get using power shell command "Set-SPSiteUrl", but this will not help us to get the response back to proxy URL after a request sent to share point because we could not find any mechanism in share
    point HNSC to respond  to a different URL(proxy URL). Consequently, Share Point URLs are exposed to  external users.
    Below share point article in MSDN blog is symmetrical to what we are observing with Share Point 2013 and Proxy Server. It mentions that internal HNSC URLs can’t be hidden using any proxy server. If  hiding the internal Share Point URLS is a requirement,
    it suggests to use a web application instead of host named site collections.
    Though I’m also observing the same behavior with Share Point 2013 HNSC, Could you please confirm my understanding is correct.
    http://blogs.msdn.com/b/kaevans/archive/2012/03/27/what-every-sharepoint-admin-needs-to-know-about-host-named-site-collections.aspx
    Excerpt from above article-
    "Host Named Site Collections Only Use One Host Name
    Continuing on the discussion on AAMs and host named site collections, you cannot use multiple host names to address a site collection in SharePoint 2010. Because host-named site collections have a single URL, they do not support alternate access mappings and
    are always considered to be in the Default zone.  This is important if you are using a reverse proxy to provide access to external users. Products like Unified Access Gateway 2010 allow external users to authenticate to your gateway and access a site
    as http://uag.sharepoint.com and forward the call to http://portal.sharepoint.com. Remember that URL rewriting is not permitted. Further, a site collection can only respond to one host name. This means if you are using a reverse proxy, it must forward the
    calls to the same URL.  If your networking team has a policy against exposing internal URLs externally, you must instead use web applications and extend the web application using an alternate access mapping."

    Hi Satish,
    You are right that only one URL is allowed for each zone of the host-name site collections in both SharePoint 2010 and SharePoint 2013.
    It is by design that each host-name site collection only support one URL for each zone.
    The article below is about RTM version of SharePoint, and it is the same for SharePoint 2013 with the latest CU.
    https://support.microsoft.com/en-us/kb/2826457
    So to make the URL of HNSC not exposed to external users is not supported, you need to use path-based sites instead.
    Best regards.
    Thanks
    TechNet Community Support

  • How to disable query-string evaluation in OSB proxy service?

    OSB 10.3 proxy service evaluates the query String ?WSDL (are there more such parameters?). Usually the assigned WSDL will be returned this way.
    I want to use OSB as simple HTTP-proxy. There is no WSDL assigned. The proxy service should simply pass all parameters to the request pipeline. This works fine for parameters in general but not for WSDL. This produces the exception below.
    Does anyone have an idea how to disable this query string evaluation within OSB proxy service?
    Thanks
    Daniel
    <25.11.2009 15:43 Uhr MEZ> <Error> <WliSbTransports> <BEA-381304> <Exception in HttpTransportServlet.service: java.io.IOException: This service is not associated to a wsdl
    java.io.IOException: This service is not associated to a wsdl
    at com.bea.wli.sb.transports.http.ResourceRequestProcessor.securedInvoke(ResourceRequestProcessor.java:108)
    at com.bea.wli.sb.transports.http.ResourceRequestProcessor.process(ResourceRequestProcessor.java:61)
    at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper.handleMetadataRequest(HttpTransportServlet.java:314)
    at com.bea.wli.sb.transports.http.HttpTransportServlet$RequestHelper.service(HttpTransportServlet.java:215)
    at com.bea.wli.sb.transports.http.HttpTransportServlet.service(HttpTransportServlet.java:133)
    at weblogic.servlet.FutureResponseServlet.service(FutureResponseServlet.java:24)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3498)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

    Daniel,
    http://hostServer/contextpath?WSDL is a common way of retrieving the WSDL for a service which supports one. The case you are suggesting is if the service does not have any wsdl associated, then it is good practice that the caller be notified appropriately, which is being done by OSB. OSB is indicating that the service for which we have used ?wsdl has no wsdl associated.
    I guess there is no way we can disable this feature for un-typed OSB services (services which don't have a wsdl associated). Any reason why we would not want an exception when '?wsdl' is used?
    Manoj

  • SWF verification behind a reverse proxy cache

    Hi!
    If I place a set of FMS servers behind some reverse proxy caches, will I get problems with SWF verification if the cache layer caches the .f4m meta data file with the SWF verification data? Is there any documented best practice on the requirements to build a large scale deployment with security enabled?
    best regards
    Johan Acevbedo

    Hello Johan,
    Is in your case drm is embedded inside the f4m??
    HLS-VOD
    Set the TTL for your f4m to max equal to an interval at which you are expecting the swf hashes to update.
    For example, if you expect, you may add/remove swf hashes at interval of say 1 hr, then set the TTL for the f4m as say 50 min (10 min taken as allowed error in your estimation of swf hash update).
    You may set HttpStreamingF4MMaxAge under hds-vod (if that is hds vod case) as per your required TTL. Most proxy caches should ideally respect the TTL dictated by origin response and should re-request the f4m after that period.
    HDS-LIVE
    Otherwise if this is hds-live case, then I don't think drm is embedded into the f4m. Just verify. Drm is a separate request. In that case, you can set TTL on drm (HttpStreamingDrmmetaMaxAge) request also under hls-live in httpd.conf.
    Read more about these configs http://help.adobe.com/en_US/flashmediaserver/devguide/WSd391de4d9c7bd609a95b3f112a373a7115 -7fff.html#WSae20eaa80bf612516499f756131e06fb583-7fff
    You can also set the drm update interval time in the recording section of the  application.xml as per your need. Read more about the config at http://help.adobe.com/en_US/flashmediaserver/devguide/WSd391de4d9c7bd609a95b3f112a373a7115 -7fff.html#WSc1a546382286f18f-4a910076130ddc59d17-7ffe . Config setting will only update drm on the disk. But you will still have to set the proper TTL in Apache httpd.conf for the request of the DRM to be sent by the proxy to the origin to fetch it.
    -Nitin

  • How to disable hostname checking in SSL client?

    I have a java client using Sun's JDK 1.6. It makes a SSL connection to a server which provides a certificate that does not match the hostname of the server. The result is:
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching myserver found
            at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
            at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
            at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
            at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
            at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
            at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:418)
    My question is how can hostname checking be disabled? I don't have the option of modifying the client source code. I am hoping a system property exists for this.

    javax.net.ssl.HostnameVerifier is the only mechanism.

  • How to disable signature verification/validation.

    The platform I'm working with is Adobe Acrobat Pro 11.
    The forms that my place of employment uses require signatures from the client and our representative. We are using an iPad in the field to present forms and obtain signatures from clients. The forms once signed are emailed to ourselves so that we can store them in our server. The problem we have encountered is that once the document is signed and we try to open it on our PCs (Windows) we get the infamous message- "At least one signature is invalid..."  Our agency does not need the signature to be certified or validated, all we require is that the signature be carried over digitally with the form so we can keep it in our records. Is there a way around this problem? I have searched on the forum for an answer but I haven't found one yet.
    Thank you.

    Thanks for the file. The problem is you're using digital signature fields with PDF Expert, but Acrobat/Reader don't have a way to validate such signatures (because they can't be). I assumed that you would not use signature fields and instead simply use the signature tool in PDF Expert to e-sign. These two different methods result in the same type of things, namely an appearance of a hand drawn signature, but neither are digital signatures. In the case of the digital signature field, it merely sets the field appearance. So I would suggest removing the signature fields and use the signature tool in PDF Expert instead.
    Here's a bit more info: https://helpspot.readdle.com/en/index.php?pg=kb.page&id=124

  • How to disable put command?.

    Hi,
    I need to know how to disable "put" command on iPlanet Web Server?.
    Would appreciate any comments/response. Please reply to [email protected]
    Thanks,
    Renga

    Set document security on the PDF.
    Aandi Inston

  • How to configure ARR to Reverse Proxy to RD Gateway

    We have an ARR server in the DMZ working fine providing reverse proxy for our internal Exchange Server 2013 environment and I've tried to create rules to allow access to the internal RD Gateway as well but when testing from an external client it never connects.
    Does anyone have any configuration notes for how ARR should be configured to allow reverse proxy of RD Gateway?
    Cheers for now
    Russell

    Hi,
    I think you can refer this below article might get some insight from this case.
    RD Gateway/RD Web Access & IIS Reverse Proxy/ARR
    http://forums.iis.net/t/1210901.aspx?RD+Gateway+RD+Web+Access+IIS+Reverse+Proxy+ARR
    Apart seem this as the configurations need to be done in IIS side, I would like to suggest you post the question in our IIS forum for further assistance.
    http://forums.iis.net/
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Certificate and Reverse Proxy

    Hi everyone,
    I'm trying to configure a Push Mail solution with my Iphone 2 (2.1) in my company.
    The goal is to access my Exchange server through a reverse proxy with a certificate for authentication.
    FIRST TEST:
    - Set up configuration on the Iphone to connect a public IP address as Exchange Server.
    - On the reverse proxy, this IP is forwarded to the Exchange Front-End server.
    - On the reverse proxy, NO certificate configured for authentication -> It's working fine ! I can see my e-mails&calendar on my Iphone !
    Bad solution for security reasons...
    SECOND TEST:
    - Activate certificate on the reverse proxy.
    - Install the certificate on the Iphone with Web Configuration utility: The certificate is shown in the General Tab on the Iphone.
    - Trying to connect, ERROR... I can see in the event log of my reverse proxy that no valid certificate from my Iphone were submitted.
    Any idea why the Iphone doesn't send the certificate to allow authentication on my reverse proxy ?
    Thank you,
    Stan

    Kristoffer,
    The answer will depend on how you have NGINX configured from a reverse proxy standpoint.  The certificate will need to match the hostname entered on the client in this case sapmobile.customer.com.   Since the traffic from the client will never get directly to the SMP 3 server the certificate should be installed on the NGINX installation as this is where the Agentry client will connect to and receive the certificate to validate against the hostname entered.
    NGINX will need to also be configured to validate the connection between itself and SMP 3.0 or to ignore the certificate if it doesn't trust it.
    The certificate on the SMP 3 server should be able to stay as the internal machine name assuming NGINX is acting as a true proxy and not just passing traffic through to the SMP 3 server.
    Unfortunately I am unable to open the link you included on SDN to review what it says.
    --Bill

  • Apache reverse proxy and SSL termination

    Hi Guru's
        Can anyone tell me how to do SSL termination at Apache reverse proxy? I am using Apache reverse proxy for accessing the portal from the internet. Apache is configured for SSL and the portal is NON SSL.
    I am using the header variable login module in the portal. I want to terminate SSL at the Apache reverse proxy and then all traffic after that should be clear text.
    Should I maintain any property? Is there any documentation for it?
    Please help me
    Tom

    The majority of the work here is around configuring your Web Dispatcher and Apache Reverse proxy. The work on the portal is straight forward enabling of SSL.
    You can follow http://help.sap.com/saphelp_nw2004s/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm for setting this up.
    what level I need to configure SSL and how do I proceed in both scenarios?
    Your question itself says where you need SSL. SSL is required where ever you need HTTPS communication.
    how do I proceed in both scenarios?
    From a portal perspective, the configuration should remain the same.
    Do I have to install SSL at portal, web dispatcher or at Apache level?
    SSL needs to be configured at all the 3 levels if you are looking at end to end SSL implementation.
    See the following for possible SSL implementation options:
    http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
    https://cw.sdn.sap.com/cw/docs/DOC-115509
    Will SSL termination work for scenario 2?
    Yes this should work - see http://help.sap.com/saphelp_nw2004s/helpdata/en/36/fd39eacf4cde4a8fe32d7f29b3db16/frameset.htm
    However in case of SSL Termination, the request to your portal from the web dispatcher will be sent as HTTP.
    I would recommend you to take a step by step (backward approach).
    First, enable SSL on your portal and make sure it works - going directly to the server.
    Then, you can introduce the Web Dispatcher - and test if every thing works going through the web dispatcher.
    Finally - you can test the end to end flow - with your Reverse proxy involved.
    - Shanti

  • Example of a successful reverse proxy to APEX using Apache and Oracle HTTP

    If this helps anyone, I was able to set up a reverse proxy to APEX with Apache running on the reverse proxy server and Oracle HTTP server and APEX 3.2 on the APEX hosting server. I want to post this because there is no documentation on this that I can find. Oracle Metalink could not produce any "How To" document either.
    On the reverse proxy server in the httpd.conf file:
    ProxyRequests Off
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
    ProxyPassReverse /pls/apex/ http://apex_server:8080/pls/apex/
    ProxyPass /pls/apex/ http://apex_server:8080/pls/apex/
    ProxyPassReverse /i/ http://apex_server:8080/i/
    ProxyPass /i/ http://apex_server:8080/i/
    AddType text/xml .xbl
    AddType text/x-component .htc
    OR
    ProxyRequests off
    RewriteEngine On
    RewriteRule ^/pls/apex/(.*)$ http://apex_server:8080/pls/apex/$1 [P,NE]
    ProxyRequests off
    ProxyPassReverse /i/ http://apex_server:8080/i/
    RewriteEngine On
    RewriteRule ^/i/(.*)$ http://apex_server:8080/i/$1 [P,NE]
    And in the Oracle HTTP server httpd.conf file of the APEX hosting server:
    NameVirtualHost 999.99.99.9:8080
    <VirtualHost 999.99.99.9:8080>
    ServerAdmin [email protected]
    DocumentRoot "/u01/app/ora11g/product/11.1.0/http_1/ohs/htdocs"
    ServerName reverse_proxy_server.com
    </VirtualHost>

    Here is what I saw :
    I have one Web Server 7.0 instance with the following obj.conf :
    <Object name="default">
    <If $uri =~ "/xyz">
    NameTrans fn="map" from="/" name="reverse-proxy-/xyz" to="/"
    </If>
    <ElseIf $uri =~ "/abc">
    NameTrans fn="map" from="/" name="reverse-proxy-/abc" to="/"
    </ElseIf>
    </Object>
    <Object ppath="*">
    Service fn="proxy-retrieve" method="*"
    </Object>
    <Object name="reverse-proxy-/abc">
    Route fn="set-origin-server" server="http://server1.sun.com:80"
    </Object>
    <Object name="reverse-proxy-/xyz">
    Route fn="set-origin-server" server="http://server2.sun.com:80"
    </Object> ...
    When I send a request to URI :
    /abc/test1.html : the request gets served from server1 from docs/abc/test1.html.
    /xyz/test2.html : the request gets served from server2 from docs/xyz/test2.html
    Whereas when you change obj.conf to (note the change in "from" parameter in "map" SAF)
    <Object name="default">
    <If $uri =~ "/xyz">
    NameTrans fn="map" from="/xyz" name="reverse-proxy-/xyz" to="/"
    </If>
    <ElseIf $uri =~ "/abc">
    NameTrans fn="map" from="/abc" name="reverse-proxy-/abc" to="/"
    </ElseIf>
    </Object>
    <Object ppath="*">
    Service fn="proxy-retrieve" method="*"
    </Object>
    <Object name="reverse-proxy-/abc">
    Route fn="set-origin-server" server="http://server1:80"
    </Object>
    <Object name="reverse-proxy-/xyz">
    Route fn="set-origin-server" server="http://server2:80"
    </Object> ...
    In this case when I send a request to URI :
    /abc/test1.html : the request gets served from server1 from docs/test1.html.
    /xyz/test2.html : the request gets served from server2 from docs/test2.html.

  • How to disable the certificate hostname verification?

    In JSSE changes file <http://java.sun.com/products/jsse/CHANGES.txt>
    It states the following:
    "It is sometimes useful to "disable" the certificate hostname
    verification during project development. A single certificate can now be shared among many development machines so that the hostnames don't need to match. A bug was fixed in the HttpsURLConnection hostname verifier code that now allows this functionality to work."
    Any idea on how to disable it
    Thanks
    - rayed

    this is easily achieved :
    create your own class (for example 'MyHostNameVerifier' ..) as a subclass of the JSSE HostNameVerifier and overwrite the method :
    public boolean verify(String parm1, String parm2)
    to your special needs. This method implements the verifying of hostnames..
    For your HttpsURLConnection then call
    setHostnameVerifier(new MyHostNameVerifier());
    so the HttpsURLConnection will then use MyHostNameVerifier in order to verify the hostname registered in the certificate.

  • Failed hostname verification check - even when disabled

    Hello Experts,
    I'm using WLS 923 configured as Admin Server that controls two Managed Servers.
    When I go to "Environment ---> Machines ---> Managed Machine ---> Monitoring ---> Node Manager Status"
    It says:
    Status - Inactive
    failed hostname verification check. Certificate contained +v-ebpqadmz1+ but check expected +v-ebpqadmz1.dmzntqa.corp.adija.co.il+
    I've disabled verification check in:
    Servers ---> Managed Server -->SSL ---> Advanced ---> Hostname Verification = NONE
    How come hostname verification check is still being performed ?
    Does anyone know how I can fix this?
    Meanwhile I had to edit my hosts file in order to work around it...
    Regards
    Adi J

    Please add the following parameter in your startup argument.
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Thanks
    Togotutor
    http://www.togotutor.com (Learn Programming and Administration for Free)
    Edited by: togotutor on Aug 12, 2010 3:38 PM

  • How to disable one email account in iPlanet Messaging Server 4.5

    Hi,
    Any one can tell me how to disable a single user in iPlanet Messaging Server 4.5.
    Thanks
    Abid

    I wonder what product you're really talking about.
    There was never a product called, "Netscape Messaging Server 4.5". There was 4.1 and 4.15, but the next product was 5.0.
    These are all long discontinued, and nobody should be using them anymore.
    Assuming it's 4.1, check your ldap record for "inetuserstatus" and set it to "disabled", or even "deleted"
