HTTPS over SSL

Similar Messages

• Enable HTTP Over SSL: New documentation

  Hi,
  Fyi, a new article has been published in the CQ5.5 documentation:
  Enabling HTTP Over SSL
  hope that helps 
  scott

  Enable ssl for HTTP
  In the administration guide, you shoud find this
  you have to modify ssl.conf to enable ssl, as well in th eopmn.xml there is an option for enable ssl. but more accurant check the guide.
  http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/sslmid.htm#CHDDGBGF

• BizTalk Tracking Profile Editor not tracking the data and how to implement the Orchestration as wcf service over SSL

  Hi Ashwinprabhu,
  thank you very much for your answer.
  i have one more query, I have orchestration published as wcf service in IIS and internally orchestration calling one more service , it means orchestration sending a request and getting response back from the service.
  actually we are implementing the copy of that called service through biztalk orchestration for system automatic and tracking failed messages and n/w failures.
  But tracking profiler not tracking the Data.
  And we need to develop the http service as https(Over SSL), we implemented in iis using self 
  signed certificate, it is working just browser for wsdl(in browser), we are not able to test the service in wcf test client, it is giving wsdl error, in wsdl schema reference showing with HTTP only,
  please help me how to resolve the issue.
  Teegala

  First things first, I think it's best to publish only schemas as WCF service for dependency management reasons. That said - WSDL availability is covered in the WCF adapter under the behaviors. If you're using HTTPBasic this may be hard to modify, but using
  WCFCustom allows you to add the WSDL behavior and specify that it should be available via HTTPS.
  As to the BAM, are you using TPE within the orchestration or at the port level?  I'd imagine your TPE tracks the start and end events of your orchestration using the Orchestration Schedule.  If you're fairly confident that the TPE is correct and
  yet don't see BAM data 1) make sure your SQL Agent is running healthy and all jobs look OK and 2) check the TDDS tables in both the message box and the BAMPrimaryImport databases.  These will show you if there has been some sort of sync issue. There's
  even a TDDS errors tables - so check that out.
  Kind Regards,
  -Dan
  If this answers your question, please Mark as Answer

• SOAP over SSL

  Hi
  I have certificate ForKaraganda.pfx.
  I need to connect to web service .NET-SOAP application using client-certificate authentication uses HTTP over SSL and execute remote function.
  String file = "c:\\tmp\\ForKaraganda.pfx";
  String pass = "123456";
  System.setProperty("javax.net.ssl.keyStoreType","pkcs12");
  System.setProperty("javax.net.ssl.keyStore", file);
  System.setProperty("javax.net.ssl.keyStorePassword", pass);
  url = new URL("https://something.kz");
  SOAPConnectionFactory fac = SOAPConnectionFactory.newInstance();
  con = fac.createConnection();
  MessageFactory messageFactory  = MessageFactory.newInstance();
  SOAPMessage message = messageFactory.createMessage();
  SOAPHeader header = message.getSOAPHeader();
  SOAPBody body = message.getSOAPBody();
  SOAPFactory soapFactory = SOAPFactory.newInstance();
  javax.xml.soap.Name bodyName = soapFactory.createName("SelectUserByUIN","", "http://something2.kz/");
  javax.xml.soap.Name name = soapFactory.createName("uin");
  SOAPBodyElement bodyElement = body.addBodyElement(bodyName);
  SOAPElement uin = bodyElement.addChildElement(name);
  uin.addTextNode("234234234242");
  SOAPMessage response = con.call(message, url);But happened error
  WT-EventQueue-0, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  AWT-EventQueue-0, SEND TLSv1 ALERT:  fatal, description = internal_error
  AWT-EventQueue-0, WRITE: TLSv1 Alert, length = 2
  [Raw write]: length = 7
  0000: 15 03 01 00 02 02 50                               ......P
  AWT-EventQueue-0, called closeSocket()
  24.01.2008 14:39:56 com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
  SEVERE: SAAJ0009: Message send failed
  com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
  Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:140)
       ... 29 more
  ...How it fix?

  Hi
  I have certificate ForKaraganda.pfx.
  I need to connect to web service .NET-SOAP application using client-certificate authentication uses HTTP over SSL and execute remote function.
  String file = "c:\\tmp\\ForKaraganda.pfx";
  String pass = "123456";
  System.setProperty("javax.net.ssl.keyStoreType","pkcs12");
  System.setProperty("javax.net.ssl.keyStore", file);
  System.setProperty("javax.net.ssl.keyStorePassword", pass);
  url = new URL("https://something.kz");
  SOAPConnectionFactory fac = SOAPConnectionFactory.newInstance();
  con = fac.createConnection();
  MessageFactory messageFactory  = MessageFactory.newInstance();
  SOAPMessage message = messageFactory.createMessage();
  SOAPHeader header = message.getSOAPHeader();
  SOAPBody body = message.getSOAPBody();
  SOAPFactory soapFactory = SOAPFactory.newInstance();
  javax.xml.soap.Name bodyName = soapFactory.createName("SelectUserByUIN","", "http://something2.kz/");
  javax.xml.soap.Name name = soapFactory.createName("uin");
  SOAPBodyElement bodyElement = body.addBodyElement(bodyName);
  SOAPElement uin = bodyElement.addChildElement(name);
  uin.addTextNode("234234234242");
  SOAPMessage response = con.call(message, url);But happened error
  WT-EventQueue-0, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  AWT-EventQueue-0, SEND TLSv1 ALERT:  fatal, description = internal_error
  AWT-EventQueue-0, WRITE: TLSv1 Alert, length = 2
  [Raw write]: length = 7
  0000: 15 03 01 00 02 02 50                               ......P
  AWT-EventQueue-0, called closeSocket()
  24.01.2008 14:39:56 com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
  SEVERE: SAAJ0009: Message send failed
  com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
  Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
       at java.security.AccessController.doPrivileged(Native Method)
       at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:140)
       ... 29 more
  ...How it fix?

• How to set up iPhone 5 iOS 6 email with IMAP over SSL on a custom port?

  Basically I have the same problem as this guy 5 years ago but the thread contained no useful answer. Maybe there are people out there who became smarter in the meantime? Please help me out how to get my iPhone read emails via IMAP over SSL on a custom port to the corporate server. The issue is that the iPhone only seems to work if you use the standard 993 port for IMAPS, not with a custom port as we have. I've installed the corporate root certificate in a profile, and it shows up as trusted and verified in the phone, so that should not be the issue. The mail app in the iPhone tries to connect, I can verify that from the server, but then does nothing, doesn't try to authenticate, doesn't log out, nothing is going on, and then drops the connection after 60 seconds. Repeats this every 5 minutes (as set to fetch e-mail every 5 minutes.)
  Original thread 5 years ago: https://discussions.apple.com/message/8104869#8104869

  Solved it by some (a lot) of fiddling.
  Turns out it's not a bug in the iPhone, it's a feature.
  Here's how to make it work.
  DOVECOT
  If the IMAPS port is anything other than 933 (the traditional IMAPS port) the iPhone's Mail App takes the "Use SSL" setting on the IMAP server as 'TLS', meaning it starts the communication in plain text and then issues (tries to issue) the STARTTLS command to switch the connection to encrypted. If, however, Dovecot is set up to start right away in encrypted mode, the two cannot talk to each other. For whatever reason neither the server nor the client realizes the connection is broken and only a timeout ends their misery.
  More explanation about SSL/TLS in the Dovecot wiki: http://wiki2.dovecot.org/SSL
  So to make this work, you have to set Dovecot the following way. (Fyi, I run Dovecot 2.0.19, versions 1.* have a somewhat different config parameters list.)
  1. In the /etc/dovecot/conf.d/10-master.conf file make sure you specify the inet_listener imap and disable (set its port to 0) for imaps like this:
  service imap-login {
    inet_listener imap {
      port = --your port # here--
    inet_listener imaps {
      port = 0
      ssl = yes
  This of course enables unencrypted imap for all hackers of the universe so you quickly need to also do the things below.
  2. In the /etc/dovecot/conf.d/10-ssl.conf file, make sure you set (uncomment) the following:
  ssl = required
  This sets Dovecot to only serve content to the client after a STARTTLS command was issued and the connection is already encrypted.
  3. In /etc/dovecot/conf.d/10-auth.conf set
  disable_plaintext_auth = yes
  This prevents plain text password authentication before encryption (TLS) is turned on. If you have also set ssl=required as per step 2, that will prevent all other kinds of authentications too on an unencrypted connection.
  When debugging this, please note that if you connect from localhost (the same machine the server runs on) disable_plaintext_auth=yes has no effect, as localhost is considered secure. You have to connect from a remote machine to make sure plain text authentication is disabled.
  Don't forget service dovecot restart.
  To test if your setup works as it's supposed to, issue the following (green) from a remote machine (not localhost) (I'm using Ubuntu, but telnet and openssl is available for almost all platforms) and make sure Dovecot responds with something like below (purple):
  telnet your.host.name.here yourimapsportnumber
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
  Most importantly, make sure you see 'STARTTLS' and 'LOGINDISABLED'. Then issue STARTTLS and hopefully you see something like this:
  a STARTTLS
  a OK Begin TLS negotiation now.
  (The 'a' in front of STARTTLS is not a typo, a prefix is required by the IMAP server in front of all commands.)
  Close the telnet (with 'a logout' or Ctrl+C) and you can use openssl to further investigate as you would otherwise; at the end of a lot of output including the certificate chain you should see a line similar to the one below:
  openssl s_client -starttls imap -connect your.domain.name.here:yourimapsportnumber
  . OK Pre-login capabilities listed, post-login capabilities have more.
  You can then use the capability command to look for what authentication methods are available, if you see AUTH=PLAIN, you can then issue a login command (it's already under an encrypted connection), and if it's successful ("a OK Logged in"), then most likely your iPhone will be able to connect to Dovecot as well.
  a capability
  * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
  a login username password
  * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
  a OK Logged in
  POSTFIX
  Likewise, you have to set Postfix to wait for STARTTLS before encrypting the communication.
  1. You have to delete the setting smtpd_tls_wrappermode=yes from /etc/postfix/master.cf and/or /etc/postfix/main.cf, if it was enabled. This will mean Outlook won't be able to connect any more because it requires a TSL connection without issuing STARTTLS as per Postfix documentation (haven't tested.) In my case we don't use Outlook so I didn't care. Outlook + iPhone + custom SMTPS port are simply not possible together at the same time as far as I understand. Pick one to sacrifice.
  2. Require encrypted (TLS) mode for any data transfer in /etc/postfix/main.cf:
  smtpd_tls_security_level = encrypt
  3. Authentication should only happen while already in encrypted (TLS) mode, so set in /etc/postfix/main.cf:
  smtpd_tls_auth_only = yes
  Don't forget postfix reload.
  To test if this works, issue the following telnet and wait for the server's greeting:
  telnet your.host.name.here yoursmtpsportnumber
  220 your.host.name ESMTP Postfix (Ubuntu)
  Then type in the EHLO and make sure the list of options contains STARTTLS and does not include an AUTH line (that would mean unencrypted authentication is available):
  ehlo your.host.name.here
  250-STARTTLS
  Then issue starttls and wait for the server's confirmation:
  starttls
  220 2.0.0 Ready to start TLS
  Once again, it's time to use openssl for further testing, detailed info here http://qmail.jms1.net/test-auth.shtml
  CERTIFICATES
  You also need to be aware that iOS is somewhat particular when it comes to certificates. First of all, you have to make sure to set the following extensions on your root certificate (probably in the [ v3_ca ] section in your /etc/ssl/openssl.cnf, depending on your openssl setup), especially the 'critical' keyword:
  basicConstraints = critical,CA:true
  keyUsage = critical, cRLSign, keyCertSign
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
  And then on the certificate you sign for your mail server, set the following, probably in the [ usr_cert ] section of /etc/ssl/openssl.cnf:
  basicConstraints=CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer
  subjectAltName = DNS:your.domain.name.here
  issuerAltName=issuer:copy
  Please note, the above are results of extensive google-ing and trial and error, so maybe you can omit some of the stuff above and it still works. When it started working for me, I stopped experimenting because figuring this all out already took way too much time. The iPhone is horribly undocumented when it comes to details of its peculiar behaviors. If you experiment more and have more accurate information, please feel free to post here as a reply to this message.
  You have to import your root certificate into your iPhone embedded in a profile via the iPhone Configuration Utility (free, but only available in Windows or a Mac; details here: http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to- ios-ipad-iphone/ ), after having first added it to Windows' certificate store as a trusted root certificate. This way the Utility will sign your certificate for the phone and it becomes usable; if you just add it from the phone it will be there but won't be used. Using a profile has the added benefit of being able to configure mail settings in it too, and that saves a lot of time when you have to install, remove, reconfigure, install again, etc. a million times until it works.
  Another undocumented constraint is that the key size is limited to a max of 4096. You can actually install a root certificate with a larger key, the iPhone Configuration Utility will do that for you without a word. The only suspicious thing is that on the confirmation screen shown on your iPhone when you install the profile you don't get the text "Root Certificate/ Installing the certificate will add it to the list of trusted certificates on your iPhone" in addition to your own custom prompt set up in the iPhone Configuration Utility. The missing additional text is your sign of trouble! - but how would know that before you saw it working once? In any case, if you force the big key certificate on the device, then when you open the Mail App, it opens up and then crashes immediately. Again, without a word. Supposedly Apple implemented this limit on the request of the US Government, read more here if you're interested: http://blogs.microsoft.co.il/blogs/kamtec1/archive/2012/10/13/limitation-of-appl e-devices-iphone-ipad-etc-on-rsa-key-size-bit.aspx .
  IN CLOSING...
  With all this, you can read and send email from your iPhone.
  Don't forget to set all your other clients (Thunderbird, Claws, etc.) to also use STARTTLS instead of SSL, otherwise they won't be able to connect after the changes above.

• BAD_CERTIFICATE error calling a web service over SSL in ALSB 2.6

  We have a business service on an ALSB 2.6 server (running on WL 9.2.1) that connects to a web service over SSL. When we try to run it, we get the following exception:
  <Sep 17, 2009 7:49:17 AM PDT> <Error> <ALSB Kernel> <BEA-380001> <Exception on TransportManagerImpl.sendMessageToService, com.bea.
  wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  com.bea.wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  at com.bea.wli.sb.transports.TransportException.newInstance(TransportException.java:146)
  at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOu
  tboundMessageContext.java:310)
  at com.bea.wli.sb.transports.http.HttpsTransportProvider.sendMessageAsync(HttpsTransportProvider.java:435)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  Truncated. see log file for complete stacktrace
  javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
  Truncated. see log file for complete stacktrace
  This exception only occurs when hitting the web service through the bus. I have written a standalone Java application that posts to the web service and it works fine. I ran the application on the server where the ALSB is running using the same jdk (1.5.0_06 - the version that ships with 9.2.1) and the same cacerts file so I know it's not a problem with the certificate not being trusted. I have tried updating the cacerts file to the latest one distributed with JRE 1.6 and it still doesn't work.
  After 8 hours of troubleshooting, I'm out of ideas. Does anyone have any suggestiosn?
  Thanks.
  Matt
  Edited by: user6946981 on Sep 17, 2009 7:58 AM

  Are you sure that your standalone application is using the same keystore (eg. cacert)? Default WebLogic configuration uses different keystore (demo).
  I saw BAD_CERTIFICATE error only once and the cause was in keytool that somehow corrupted certificate during import. Deleting and importing certificate again helped me, but I doubt you have the same problem as your standalone application works.
  Another idea ... Is hostname varification used? I know that the error message would look different if this was the cause, but try to add this parameter to your weblogic startup script: -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Last but not least, there is difference between your standalone application and ALSB runtime as WebLogic uses Certicom SSL provider. If you don't find the reason, contact Oracle support. Maybe they can help you to tweak Certicom provider in some way.

• Web Service over SSL failing in BEA Workshop

  I have deployed a web service on weblogic 9.2
  I have enabled one-way ssl on it. got a trial ssl certificate from verisign. installed them on the keystore/truststore on the server as well as the jre (cacerts and jssecacerts truststores) being used by the client. the client is on different machine than the server.
  i have developed the service through 'bea weblogic workshop 9.2' now when i try to test the service through the 'web services explorer' within bea weblogic workshop i receive the following error:
  IWAB0135E An unexpected error has occurred.
  IOException
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  on server:
  <Jul 13, 2009 6:45:44 PM EDT> <Warning> <Security> <BEA-090485> <CERTIFICATE_UNKNOWN alert was received from yunus.l1id.local - 10.10.2.72. The peer has an unspecified issue with the certificate. SSL debug tracing should be enabled on the peer to determine what the issue is.>
  if i try to access the web service (over ssl) through the browser (ie/firefox), it works fine. i have generated a proxy class to access this web service through the same bea workshop and that works fine too. certificates are identified and all. i also created a small .net (c#) application that calls this secure web service over ssl from another machine and it works fine too!
  of course non-secure url for the web service is working fine in every case.
  what can be the reason for this failing only in 'web services explorer' in bea workshop?
  cross posted at: http://www.coderanch.com/t/453879/Web-Services/java/Web-Service-over-SSL-failing
  thanks.

  Hello,
  I used this example, when I made my experiments with SSL and Glassfish (GF):
  http://java.sun.com/developer/EJTechTips/2006/tt0527.html#1
  If you have problems with GF I suggest to post a message here:
  http://forums.java.net/jive/forum.jspa?forumID=56
  e.g. here is one thread:
  http://forums.java.net/jive/thread.jspa?threadID=59993&tstart=0
  Miro.

• Ftp over ssl

  Hi All,
  I would like to check if it is possible to have a ftp server (ftp over ssl) hosted externally to be accessible via the cisco switches, routers etc? Can this result be achieved?
  Thanks
  Alex

  It should. Check out https://packetpros.com/cisco_kb/ios_http.html. Change the http commands to https.

• WebDAV not working over SSL on CSS11503

  SOME HISTORY
  As you may recall we had an issue with interoperability between our WebCT Vista application and the Cisco CSS11503 Load Balancer. In a nutshell the Load Balancer would inject custom HTTP headers into HTTP packets, but only into the first HTTP packet of a TCP session. With your help we've learned that Cisco will change this in the August release of the CSS software.
  OUR NEW PROBLEM
  We are now having a related problem. In short, we cannot get WebDav to work over SSL. That is, when connect from Client to Load Balancer via SSL, and then Load Balancer to Web Server via plaintext, our application fails. Conversely, when we maintain a clear text connection straight through from Client to Web sever WebDav works.
  After doing some network traces of WebDav connections both with and without SSL I think we've discovered the cause of the problem: the Load Balancer fails to add our custom HTTP header "WL-Proxy-SSL: true" to HTTP "PROPFIND" requests, even though it correctly adds them to the HTTP "OPTIONS" requests.
  HOW WE CONFIGURED THE LOAD BALANCER
  We configured our Load Balancer with the Global configuration of
  http-method parse RFC2518-methods
  and with the command
  ssl-server 20 http-header static "WL-Proxy-SSL: true"
  so that the header "WL-Proxy-SSL: true" will be passed with the HTTP headers used for WebDav was well as with the 'standard' HTTP headers "GET, POST, HEAD", etc.
  Below is the relevant passage from the "CSS Command Reference" at
  http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdgloba.htm#wp1432749
  ======================================================================
  "By default, a Layer 5 content rule supports the HTTP CONNECT, GET, HEAD, POST, and PUT methods. Unless configured, the CSS recognizes and forwards the following HTTP methods directly to the destination server in a transparent caching environment, but does not load balance them:
  OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, MOVE, LOCK, UNLOCK, COPY, and DELETE.
  When you enable the CSS to support all RFC-2518 methods, the CSS parses the Request-URI field in an attempt to match a Layer 5 rule. If the contents of the Request-URI field are not in a compliant format of an absolute URI or an absolute path, the CSS tries to match the field to the next best wildcard ("/*") rule. If the match fails, the CSS attempts to match the Layer 4 rule, and then the Layer 3 rule."
  ========================================================================
  I interpret this to mean that when we configure "http-method parse RFC2518-methods" that the load balancer will treat all the HTTP headers in the group "OPTIONS, TRACE, PROPFIND, ...", etc the same as the "standard" HTTP headers "GET, POST, HEAD", etc.
  As I said earlier our network traces show that the "WL-Proxy-SSL: true"
  header present in the HTTP header OPTIONS but *not* in the header "PROPFIND".
  A BUG IN THE CSS COMMAND PROCESSOR?
  By my reckoning, this behaviour must be a bug in the CSS Command processor, because whatever the CSS does for the "OPTIONS" header it should also do for the "PROFIND" header.
  ATTACHMENTS
  I've included three attachments.
  trace.txt
  - text output from Ethereal of the network trace
  on the web server, with comments.
  webdav.ssl.snoop
  - the original network trace in Sun's 'snoop' format.
  css.2.cfg
  - the running configuration on the CSS11503
  Thanks in advance for your help.

  Hi
  I finally discovered what is the issue here. In appears that in case of unsigned applets, the code is unable to access SunJCE provider which contains most of the ciphers used by SSL protocol. This means that a session with SSL server is broken and effectively applet is not initialised.
  This problem is related to configuration of JRE under linux due to export control restrictions. Unfortunately I don't know how to make JRE to use SunJCE by default.
  As a workaround I have set up the following policies using Policy Manager:
  grant {
  permission java.security.SecurityPermission "putProviderProperty.SunJCE";
  grant {
  permission java.lang.RuntimePermission "getProtectionDomain";
  grant {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
  I don't know how insecure my actions are, but this definitely fixed problems with applets under SSL / HTTPS.
  Feel free to send me your ideas how to fix this issue in more elegant way.
  Best,
  Marcin

• How to get JSP to forward a request over SSL?

  I'm new to JSP and servlets, although I've been working with Java for a long time. I'm trying to write a simple user registration and login system to teach myself JSP. I would like to set things up so that the user is able to login securely over https. I'm not sure how to do that, though. There seems to be no place in the relative URLs to indicate that you should be forwarding a request over SSL. I've got sample login page below - would anyone know how to modify it so that it happens securely?
  Also, do I need to install a certificate on my web server?
  index.jsp
  <html>
      <body>
          <h1>Index</h1>
          <a href="login.jsp">Login</a>
      </body>
  </html>login.jsp
  <%@page contentType="text/html" pageEncoding="UTF-8"%>
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
     "http://www.w3.org/TR/html4/loose.dtd">
  <html>
      <body>
          <h1>Login</h1>
          <jsp:useBean id="userLogin"
                       class="com.kitfox.webrpg.UserLogin"/>
          <jsp:setProperty name="userLogin"
                           property="*"/>
          <%if (userLogin.isValid()) {%>
          <jsp:useBean id="userId"
                       class="com.kitfox.webrpg.UserIdent"
                       scope="session"/>
          <jsp:setProperty name="userId" property="*"/>
          <jsp:forward page="index.jsp"/>
          <%} else {%>
          <form action="login.jsp" method="post">
              <fieldset>
                  <legend>Enter login information</legend>
                  <label for="login">Login</label>
                  <input type="text" name="login" value="${userLogin.login}"/> <br/>
                  <label for="password">Password</label>
                  <input type="password" name="password"/> <br/>
                  <input type="submit" value="submit">
              </fieldset>
          </form>
          <%}%>
      </body>
  </html>

  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Secure Login</web-resource-name>
  <url-pattern>/login.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  This code is used basically for different authentication type . Forward to any jsp under any layer works with <jsp:forward> or else try with request.getRequestDispatcher(" url (can be absolute or accurate path)").forward(request,response);
  Edited by: user8483670 on Mar 13, 2011 9:46 PM

• Rmi over ssl in jdk1.5.0

  hi,
  i am trying to connect a remote machine with rmi over ssl. but i got the following exceptions;
  java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
  Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
  Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
  Caused by: java.lang.IllegalArgumentException: can't support mode ECB
  i am using jdk1.5.0. i have tried many samples but i have not run them successfully however they were running successfully in j2sdk1.4.2.
  also i downloaded the bouncycastle provider but it did not work.
  is there anybody who knows about a running sample about rmi and ssl in jdk1.5.0? please send me....
  email: [email protected]

  Hi!
  I know it's not the exactly right topic, but I've nearly the same problem with a https connection for a webService. I'm not using turkish locale, I'm using BouncyCastle and the "Unlimited Strength" policy files. I've no problems if i start my application with eclipse, starting it with jdk1.5.0_03\jre\bin\java or jre1.5.0_03\bin\java form commandline i get the same stacktrace:
  javax.net.ssl.SSLKeyException: RSA premaster secret error
  Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
  Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
  Caused by: java.lang.IllegalArgumentException: can't support mode ECB
  if i try to get the cipher with
  Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
  I'll get the same stacktrace, with
  Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding", "BC");
  i works fine, but I've no idea how to run this code out of axis...
  Thanks & Regards
  Helmut

• LC + ActiveDirectory + LDAP over SSL = doesn't work

  Hi,
  I installed Active Directory Certificate Services. Now I want setup LDAP over SSL. Unfortunatelly it doesn't work. I pressed "Test" and always get "Invalid username or invalid password" (
  German: "Ungültiger Benutzername oder ungültiges Kennwort"). I'm pretty sure username and password are fine (it worked before I installed Active Directory Certificate Services and used LDAP without SSL).
  On server.log, I got this:
  2011-11-12 00:51:28,202 INFO  [com.adobe.idp.um.businesslogic.synch.LdapHelper] Following stacktrace is generated due to the Test LDAP Server Configuration action
  javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
          at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
          at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
          at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
          at javax.naming.InitialContext.init(InitialContext.java:223)
          at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
          at com.adobe.idp.um.businesslogic.synch.LdapHelper.createContext(LdapHelper.java:663)
          at com.adobe.idp.um.businesslogic.synch.LdapHelper.testServerConfig(LdapHelper.java:682)
          at com.adobe.idp.um.ui.config.ConfigDirectoryEditAction.testServerSettings_onClick(ConfigDirectoryEditAction.java:215)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:597)
          at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
          at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
          at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
          at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
          at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
          at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
          at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:91)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at com.adobe.idp.um.auth.filter.CSRFFilter.doFilter(CSRFFilter.java:41)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:543)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
          at java.lang.Thread.run(Thread.java:619)
  Do you have some Idea?
  cu Floh

  I have not done it for Netscape yet but I have done it for Novell and JNDI.. Here is the settings for Novell
  // Dynamically set JSSE as a security provider
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  // Dynamically set the property that JSSE uses to identify
  // the keystore that holds trusted root certificates
  System.setProperty("javax.net.ssl.trustStore", m_connectionData.getLocal("KeyStore").toString());
  ssf = new LDAPJSSESecureSocketFactory();
  // Set the socket factory as the default for all future connections
  LDAPConnection.setSocketFactory(ssf);

• ORA-29266: end-of-body reached - using SOAP_API over SSL

  Hey guys. I have a simple SOAP_API I am using to send SOAP over SSL. It seems to connect fine but give off some shaky results. This is the error I keep getting:
  ERROR at line 1:
  ORA-29266: end-of-body reached
  ORA-06512: at "SYS.UTL_HTTP", line 1321
  ORA-06512: at "LOANADMIN.SOAP_API", line 229
  ORA-06512: at "LOANADMIN.GET_CITY_FROM_ZIPCODE", line 29
  ORA-06512: at line 2
  it seems to mainly happen on these two peices of code:
  UTL_HTTP.write_text(l_http_request, l_envelope);
  UTL_HTTP.read_text(l_http_response, l_envelope);
  Sometimes the first and sometimes the latter. I know my XML is well formed, and im thinking the response is to big for the variable (im thinking the response could be larger than 32k. not sure though).
  I've searched all over this forum, but it seems like the people who have solutions to this particular problem found it on meta-link. I dont have a meta-link account. Could someone please simply explain the solution and problem im running into?
  That would help a lot. Thanks.
  Mo

  I'm having the same problem, and it is inside the SOAP_API package from http://www.oracle-base.com/dba/miscellaneous/soap_api.sql :
  ORA-29266: end-of-body reached
  ORA-06512: at "SYS.UTL_HTTP", line 1330
  ORA-06512: at "NAPS.SOAP_API", line 119
  I understand the responses given:
  EXCEPTION WHEN UTL_HTTP.end_of_body THEN
  utl_http.end_response(resp);
  END;
  and the suggestion to use UTL_HTTP.read_line instead of UTL_HTTP.read_text, but would like some assistance in modifying the procedure to ensure I get the full response returned.
  The procedure with the error is:
  FUNCTION invoke(p_request IN OUT NOCOPY t_request,
  p_url IN VARCHAR2,
  p_action IN VARCHAR2)
  RETURN t_response AS
  l_envelope VARCHAR2(32767);
  l_http_request UTL_HTTP.req;
  l_http_response UTL_HTTP.resp;
  l_response t_response;
  BEGIN
  generate_envelope(p_request, l_envelope);
  show_envelope(l_envelope);
  l_http_request := UTL_HTTP.begin_request(p_url, 'POST','HTTP/1.1');
  UTL_HTTP.set_header(l_http_request, 'Content-Type', 'text/xml');
  UTL_HTTP.set_header(l_http_request, 'Content-Length', LENGTH(l_envelope));
  UTL_HTTP.set_header(l_http_request, 'SOAPAction', p_action);
  UTL_HTTP.write_text(l_http_request, l_envelope);
  l_http_response := UTL_HTTP.get_response(l_http_request);
  UTL_HTTP.read_text(l_http_response, l_envelope);
  UTL_HTTP.end_response(l_http_response);
  l_response.doc := XMLTYPE.createxml(l_envelope);
  l_response.envelope_tag := p_request.envelope_tag;
  l_response.doc := l_response.doc.extract('/'||l_response.envelope_tag||':Envelope/'||l_response.envelope_tag||':Body/child::node()',
  'xmlns:'||l_response.envelope_tag||'="http://schemas.xmlsoap.org/soap/envelope/"');
  -- show_envelope(l_response.doc.getstringval());
  check_fault(l_response);
  RETURN l_response;
  END;
  I have tested the exact call I am making using 'soapUI 2.5.1' so I can compare results to ensure I get the code right, and I am expecting a response of 1755 bytes (well short of the 32767 that is said to cause this error).
  My call is not over SSL, the call I am trying to make is:
  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:abr="http://abr.business.gov.au/ABRXMLSearchRPC/">
  <soapenv:Header/>
  <soapenv:Body>
  <abr:ABRSearchByABN soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <searchString xsi:type="xsd:string">11006489103</searchString>
  <includeHistoricalDetails xsi:type="xsd:string">N</includeHistoricalDetails>
  <authenticationGuid xsi:type="xsd:string">?</authenticationGuid>
  </abr:ABRSearchByABN>
  </soapenv:Body>
  </soapenv:Envelope>
  The calling code is:
  DECLARE
  l_request soap_api.t_request;
  l_response soap_api.t_response;
  l_return VARCHAR2(32767);
  l_url VARCHAR2(32767);
  l_namespace VARCHAR2(32767);
  l_method VARCHAR2(32767);
  l_soap_action VARCHAR2(32767);
  l_result_name VARCHAR2(32767);
  BEGIN
  l_url := 'http://abr.business.gov.au/abrxmlsearchRPC/ABRXMLSearch.asmx';
  l_namespace := 'http://abr.business.gov.au/ABRXMLSearchRPC/"';
  l_method := 'ABRSearchByABN';
  l_soap_action := 'http://abr.business.gov.au/ABRXMLSearchRPC/ABRSearchByABN';
  l_request := soap_api.new_request(p_method => l_method,
  p_namespace => l_namespace);
  soap_api.add_parameter(p_request => l_request,
  p_name => 'searchString',
  p_type => 'xsd:string',
  p_value => '11006489103');
  soap_api.add_parameter(p_request => l_request,
  p_name => 'includeHistoricalDetails',
  p_type => 'xsd:string',
  p_value => 'N');
  soap_api.add_parameter(p_request => l_request,
  p_name => 'authenticationGuid',
  p_type => 'xsd:string',
  p_value => '?');
  l_response := soap_api.invoke(p_request => l_request,
  p_url => l_url,
  p_action => l_soap_action);
  l_return := l_response.doc.getStringVal();
  dbms_output.put_line('-----------------------------------------------------------');
  dbms_output.put_line(l_return);
  END;
  Edited by: 873298 on 18-Jul-2011 15:41

• SOAP Receiver over SSL - server certificate troubles

  Hello all,
  I have a scenario with SOAP receiver communication channel with comunnication over SSL. In the URL there is a IP address for a reason I will not mention ... simply there must be IP address in URL and not a host name.
  When I access the SOAP server with internet browser it gives me a server certificate with HOST NAME in CN. I placed this certificate to the "trusted container" in J2EEVisAdmin - Key Storage.
  Now you might already suspect the trouble: the certificate CN doesn't match with URL. This is obvios error we got many times on the internet (even in e-banking sector .. but we are able to skip it with our internet browsers' possibilities.
  Could I set up something in J2EE server as same as in internet browser ???
  Thank you in advance.
  Rgds
  Tom

  Got it,
  SAP Note : 791655
  HTTPS/SSL Properties
  Property Name = [default]
  messaging.ssl.httpsHandler=iaik.protocol.https.Handler
  messaging.ssl.securityProvider=iaik.security.provider.IAIK
  messaging.ssl.trustedCACerts.viewName=TrustedCAs
  messaging.ssl.serverNameCheck=false
  Description:
  The properties "httpsHandler" and "securityProvider" specify the class names of the HTTPS handler and Security provider used. The AF only supports IAIK. Never change these values! To activate HTTP/SSL, you must install the IAIK libraries on your J2EE Engine as described in the Installation Guide.
  The property "trustedCACerts.viewName" defines which J2EE keystore is used during the SSL Handshake for trusted CA certificates. You should never change this value either. With "serverNameCheck" you can specify whether the host name in outbound HTTPS requests should be checked against the host name in the certificate of the server.
  Regards,
  Bhavesh

• Cannot find api to implement RIDC connect WebCenter Content Server over SSL

  Hi WebCenter Content team,
  I find the following sample code from http://docs.oracle.com/cd/E23943_01/doc.1111/e10807/c23_ridc.htm#BJFIHEHI
  Example 23-6 IDC Protocol over SSL
  +// build a secure IDC client as cast to specific type+
  IntradocClient idcClient = (IntradocClient)
  manager.createClient("idcs://localhost:4443");
  +// set the SSL socket options+
  config.setKeystoreFile("ketstore/client_keystore");  //location of keystore file
  config.setKeystorePassword ("password");      // keystore password
  config.setKeystoreAlias("SecureClient");  //keystore alias
  config.setKeystoreAliasPassword("password");  //password for keystore alias
  I downloaded RIDC package from Individual Component Downloads in http://www.oracle.com/technetwork/middleware/webcenter/content/downloads/index.html.
  But cannot find the above methods in IdcClientConfig and its subclasses. For example, cannot compile the following code.
  IdcClientConfig config = idcClient.getConfig();
  config.setKeystoreFile("ketstore/client_keystore");  // no such method
  Could you please give a correct example.
  Thanks a lot.

  Most likely the port. RIDC listens usually at 4444, 16200 is the port for browser-based communication.