IDS, detection of encrypted packets within non-SSL traffic streams?

Similar Messages

• Detecting HDCP Encrypted Content or non-HDCP Supporting Devices

  I'd like to detect non HDCP supporting devices, and alert users that it is not supported and switch to a lower quality (non-HDCP) stream.
  Is there a way from within OSMF to detect if content has been encrypted with Output Protection, and can you detect at what level of protection was added (NO_PROTECTION, NO_PLAYBACK,  etc.)?

  Here's a more detailed description of what Derek said:
  Create a policy called “test_for_HDCP” with the restriction “REQUIRED” (using AdobePolicyManager.jar)
  Use the policy to package a content dummycontent.f4v (use the AdobePackager.jar tool).  Grab the .drmmeta file that it generates and toss out the encrypted dummycontent.f4v.
  Host your dummycontent.drmmeta on a webserver somewhere
  On your client/player-application, load the dummycotent.drmmeta and then do DRMManager.loadVoucher()
  If you get an error code, computer doesn’t have OP
  If you don’t see an error code, computer does have OP
  Depending on what you see in step #5 or #6, you can then decide to go down your SD video route, or HD video route.
  cheers,
  /Eric.

• Custom sig: Non-SSL over SSL port

  I am trying to build a custom signature for detecting non-SSL traffic on a specific SSL port (let's say tcp/443). This has to do with CONNECT tunnels through an HTTP proxy. Conceptually, it's not a complicated idea. Whether or not it can technically be done effectively with the Cisco IPS I don't know.
  It seems that very early in every SSL connection, there is an SSL "client hello" message(SYN,SYN/ACK,ACK,CLIENT HELLO). There are two relevant record formats, SSLv2 and SSLv2/TLS. I would like to create a signature that fires when it DOES NOT see the client hello message very early in a given TCP session. I would want the signature to only need to check the very first n packets of any given TCP session (n = max size of connection establishment + max size of client hello packet). Has anyone created such a beast or willing to help? Here are a couple packets.
  SSLv3 Client Hello
  0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
  0010 00 8e 33 b8 40 00 3e 06 94 16 ce c3 c3 6c 40 22 ..3.@.>......l@"
  0020 a2 49 58 27 01 bb b7 42 c6 92 fd 36 a3 d1 50 18 .IX'...B...6..P.
  0030 44 70 08 e2 00 00 16 03 00 00 61 01 00 00 5d 03 Dp........a...].
  0040 00 44 5f 9a 77 69 49 5a 85 52 a0 96 38 b3 b4 15 .D_.wiIZ.R..8...
  0050 8f db f2 0f c9 0e ea 10 f5 69 39 8c 58 87 e5 33 .........i9.X..3
  0060 70 20 ba 06 1e 3f d4 4e 3c d0 de a8 ea 4e a3 7f p ...?.N<....N..
  0070 0f 07 fd 5f 88 07 17 ef 50 ce 6b cf 10 e3 84 99 ..._....P.k.....
  0080 04 a2 00 16 00 04 00 05 00 0a 00 09 00 64 00 62 .............d.b
  0090 00 03 00 06 00 13 00 12 00 63 01 00 .........c..
  TLSv1 Client Hello
  0000 00 0f 20 6c 99 8b 00 a0 8e 82 c4 c1 08 00 45 00 .. l..........E.
  0010 00 96 a2 89 40 00 7f 06 32 b3 ce c3 c2 29 ce c3 [email protected]....)..
  0020 c6 74 0d 13 01 bb 38 17 d5 89 98 0f fc 73 50 18 .t....8......sP.
  0030 44 70 6c 75 00 00 16 03 01 00 69 01 00 00 65 03 Dplu......i...e.
  0040 01 44 5f 9a 84 8a 94 ab f3 78 e7 b1 c9 ca 04 34 .D_......x.....4
  0050 3b 95 1b 86 51 05 5f ac 9d a0 b0 69 fe 0c 27 e5 ;...Q._....i..'.
  0060 9c 20 78 08 00 00 ce c3 c2 29 58 58 58 58 58 58 . x......)XXXXXX
  0070 58 58 58 58 58 58 58 58 58 58 48 9a 5f 44 8c 4b XXXXXXXXXXH._D.K
  0080 05 00 00 1e 00 04 00 05 00 2f 00 33 00 32 00 0a ........./.3.2..
  0090 00 16 00 13 00 09 00 15 00 12 00 03 00 08 00 14 ................
  00a0 00 11 01 00 ....
  SSLv2 Client Hello
  0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
  0010 00 82 fb a7 40 00 3e 06 cf 32 ce c3 c3 6c 9f 35 ....@.>..2...l.5
  0020 40 36 58 6d 01 bb b7 78 06 1b cd e2 e2 3d 80 18 @6Xm...x.....=..
  0030 44 70 47 6b 00 00 01 01 08 0a 31 fd f9 51 00 00 DpGk......1..Q..
  0040 00 00 80 4c 01 03 00 00 33 00 00 00 10 00 00 04 ...L....3.......
  0050 00 00 05 00 00 0a 01 00 80 07 00 c0 03 00 80 00 ................
  0060 00 09 06 00 40 00 00 64 00 00 62 00 00 03 00 00 [email protected].....
  0070 06 02 00 80 04 00 80 00 00 13 00 00 12 00 00 63 ...............c
  0080 7b af 57 75 f8 a9 72 54 23 29 32 50 bf ef 1e a9 {.Wu..rT#)2P....

  Hi mhellman:
  I can see 3 difficulties with this kind of sign.
  1) To determine the order of the packets.
  2) To determine that happen at the very begining of the conection
  3) fire when the traffic doesn't match with the signature.
  The difficulty number 3, I think, is imposible to resolve because the sensor can compare the trafic with a well defined pattern and fire when it match, but not when it doen't.
  The difficult number 2
  You need a kind of state signature because this can be classified like a machine state (first three way handshake, then hello packet) but I can't see fields in the state engine that help in this case.
  The difficult number 1 could be resolved by a Meta signature.
  You will need to create an a custom atomic signature for the syn packet, another for the syn ack, another to ack, and the last one for hellow packet.
  Then create a meta signature and add the fourth atomic singatures whith a strict order.
  but guess what...
  Meta signature doesn't permit custom signatures.
  I think this kind of signature is imposible to write.
  But I'd try.
  Regards
  Alberto Giorgi from spain.

• Web Server 7 - Switch to SSL - Automatic forwarding from non-SSL

  I just posted a similar question regarding Web server 6. This question is for Web server 7!
  I maintain Web tools on a non-SSL Web Server 7. I need to turn on SSL, because our organization requires the security feature for certain functions in the tool.
  The current non-SSL address for the tool is similar to http://mytool.com/. I want to make the switch to SSL transparent for users, so I want http://mytool.com/ to automatically forward to https://mytool.com. What is the best way to do that in Web server 7?
  Also, I'd like to make the changes without using the GUI, what are the XML commands for the server.xml file (I assume that's what I'll need to change, right?)
  Sincerely,
  dailysun
  THIS IS FOR WEB SERVER 7

  Hi
  Assuming you have figured out the way to setup a listener with SSL enabled, you can the following
  1. find out what object file is currently used by server
  bin/wadm get-virtual-server-prop user=admin config=<hostname> object-file
  this will either return as obj.conf or <vs>-obj.conf
  2. now open this file and add the following lines after <Object name="default" line
  <Object name="default">
  #add the following lines
  <Client match="all" security="false" urlhost="mytool.com">
  NameTrans fn="redirect" from="/" url-prefix="https://mytool.com"
  NameTrans fn="redirect" from="/*" url-prefix="https://mytool.com/"
  </Client>
  # end
  now save this file and test to see if this is what you are expecting.
  if you are satisfied, you will need to bring over this manual change into admin config repository by doing something like
  bin/wadm pull-config user=admin  config=<..>
  You can also save the commonly used parameter like <user> and <password> within the .wadmrc file. Please see - http://blogs.sun.com/natarajan/date/20070131
  hope this helps

• Session Cookies Being Overwritten Browsing From SSL to Non SSL

  I have created a bug report for this issue as well.
  Please note I am using J2EE session variables so keep that in mind.
  I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
  For example:
  Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Encrypted connections only".
  Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Any type of connection".
  Here's the problem:
  Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
  Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
  Steps to Reproduce:
  1. Clear your cookies.
  2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
  3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
  This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
  Has anyone else experience this?

  Deleting and re-adding my account seems to have fixed it.  I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something.  Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.

• Non SSL website on port 443

  Hi, I have a non-SSL website running on port 443. When I access this website using Chrome or IE it works just fine, but Firefox can't seem to accept what I have done. All browsers on the same machine and using the same web proxy.
  I access the website as http://xyz:443.
  Just a bit of background info as to why I need this. Where I work I can only access ports 443 and 80 via the web proxy. I have two distinct websites running on a couple of devices at home behind a very config-wise limited router which has ports 80 and 443 redirected to these hosts. There is no way for me to setup two port forward rules on port 80 to two different devices. I cannot setup SSL on either of the websites.
  Regardless of options that could exist to overcome my particular issue, I would like to check if you guys know how to make Firefox work with a website running on port 443 whilst not having a certificate assigned to it.
  Firefox 32.0.3
  Error message:
  The connection was reset
  The connection to the server was reset while the page was loading.
  The site could be temporarily unavailable or too busy. Try again in a few moments.
  If you are unable to load any pages, check your computer's network connection.
  If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

  What type of ssl are you running? [https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/]
  You can somehow remove the Strict-Transport-Security header or if there is a feature that forced encryption but by default https uses 443 for encryption. I do not know if this is possible.

• ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client

  Hi
  Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
  Example:
  Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
  The "client" Server does not support SSL.
  Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
  Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
  Regards

  Hello Byron,
  Yes, the ACE can do it
  Here you have some of the flavors of SSL with the ACE.
  Here you have a sample about it:
  parameter-map type http CASE_PARAM
    case-insensitive
    persistence-rebalance
    set header-maxparse-length 65535
    set content-maxparse-length 65535
  class-map match-all CLEAR_TEXT_VIP
    2 match virtual-address 172.20.120.19 tcp eq www
  policy-map multi-match JORGE-MULTIMATCH
    class CLEAR_TEXT_VIP
      loadbalance vip inservice
      loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
      loadbalance vip icmp-reply active
      appl-parameter http advanced-options CASE_PARAM
  policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
    class class-default
      serverfarm ENCRYPTED-SERVERFARM
      ssl-proxy client SSL-PROXY-JORGE
  ssl-proxy service SSL-PROXY-JORGE
    key TAC-key
    cert TAC-cert
  serverfarm host ENCRYPTED-SERVERFARM
    rserver JORGE-SERVER 443
      inservice
  Here you have some additional details under the configuration guide:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
  Here you have some additional samples:
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
  Hope this helps for you and fix your issue
  Jorge

• How do i know the ssl over non ssl

  Hello Gurus,
  Your answer is greatly aprreciaied ;
  a)
  https://ebusdockel.9dc.com:243/DockerMasterAJX/services/DockerMaster
  b)
  http://ebusmodel.9dc.com/DockerMasterAJX/services/DockerMaster
  How do to dtermine from the above 2 URLS difference betwenn SSL and non SSL ,your answer is appreciated.

  Hi,
  There is a way within Forms to programmatically tell whether users are in SSL or not - if you're in 11g Forms. You can use the new 11g javascript built-ins to execute javascript. Javascript will pull the URL and return it to as a VARCHAR. Then you can have PL/SQL logic to see if the url contains "https" or "http", then you can execute whatever logic you want.
  The PL/SQL Built-in you want to use is: web.javascript_eval_function
  The javascript command you want to run is: document.location.href
  If you are looking for a way to force users to go to SSL, there are some options you can do with OHS(Oracle HTTP Server) - which comes with the 11g Forms.
  I hope this helps.
  Thank you,
  Gavin
  http://pitss.com/us

• Cisco CSS as non-HTTPS SSL-traffic terminator

  Hi!
  Does anybody know is it real to use Cisco CSS as SSL-traffic terminator. I need to terminate non-HTTPS SSL-traffic on this device (i.e. SSL-encrypted sessions of any particular TCP-based application-layer protocol, not https)? If not, is there any CISCO device capable of doing such a job?
  Regards, Amir

  Hi!
  Thank you very much for your reply.
  I know about the S model - as per my post - but unfortunately I have realized after making the purchase.
  Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow up the CISCO official documentation for that version (I issue all the commands as in the manual). More than that, if I setup the Primary Boot Configuration and then I want to check it up there is nothing in that field. The Secondary Boot Configuration keeps its settings and after the Primary failure it will try the Network Booting but with Failed status - returning me to the OffDM.
  I mention that I am using the OffDM because the unit I bought has no Flash Card.
  Also I am not sure how can I have a "network mounted filesystem" and in the meantime to use the FTP protocol;  setting up a NFS server wont provide me with Windows style absolute path like k:/.... as per CISCO official guide. Is that a plain-ftp generically called as Network File System??? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"
  Is this linked with the fact that I am using a Linux box for my FTP Server? Can you please help me to understand what the following line from CISCO official guide means "A network boot is not supported on UNIX workstations"
  Thank you!

• How can the IPS inspect the encrypted packets?

  dear experts, hello
  i'd like to ask a question about how the IPS can inspect and prevent any atteck in the encrypted packets in some sessions
  such as vpn or ssh sessions, is there a technique helping for
  that in the IPS?
  thanks alot for your help
  labib makar

  Labib;
    For traffic exiting a VPN tunnel, you can place the IPS sensor behind the VPN termination point so it has access to the unencrypted traffic.
    There is not an option to inspect SSL encrypted traffic; you would need to rely on a host-based system such as Cisco Security Agent to assist in providing such protection.
  Scott

• %DOT11-4-CKIP_REPLAY: CKIP SEQ replay was detected on a packet

  I have a site that generating the following error message:
  %DOT11-4-CKIP_REPLAY: CKIP SEQ replay was detected on a packet (SEQ 0x4035A) received from 0040.96a5.7359.
  The error message definition is the following:
  CKIP SEQ replay was detected on a frame. A replay of the CKIP SEQ in a received packet almost indicates an active attack."
  Recommended Action None.
  Is this really an attack or not? Should I do some type of debugging to figure this out or is it really just an informational error message?
  Any help would be appreciated.
  Rich

  how often is this message generated?
  the following link has information on this message. not much more than the switch provided.
  their recommended action is none.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080606ca0.html#wp1009096
  (down the page a bit for the DOT11-4-CKIP message)

• How can I detect a certain text within a field within CASE using IF

  Dear all,
  for a transformation / generation of values receiving from R/3 into BW I try to
  manupulate three fields. I have a problem detecting a string in a field.
  I am using a CASE with several WHEN clauses on one field. Depending on the
  value, an IF is integrated. There I look into another field evaluating, if it contains
  a certain string. E.g. IF STRING CP 'xyz' OR 'abc'.
  System gives error for the locigal expression. I also tried CS, but same error.
  How can I detect a certain text within a field and which is the right logical
  expression.
  Many thanks in advance!!!
  Claudia

  Hi,
  Folow the blow example...
  May be it helps....
  DATA: hex1 TYPE string,
        hex2 TYPE string.
  hex1 = 'FFFF'.
  hex2 = '123FF'.
  IF hex1 CP hex2.
  ENDIF.
  Cheers,
  SImha.

• How to know Global zone name within Non-Global zone?

  Hi everybody.
  My answer is very simple: How can I (command or file) to know Global zone name within Non-Global zone? zoneadm command with all its options don�t work fine to me for this information. Thanks a lot for any idea with my question. Regards.

  Hi. Global Zone�s name is unknow for me from Non-Global zone. I don�t know it, but "Global" isn�t name neither hostname, is just Solaris 10 OS in my machine. However, your link was useful for me.
  Thanks a lot.

• Move from NON-SSL to SSL (OAS 9.0.4.1)

  We installed OAS 9.0.4.1 (two Midtier and 1 Infst).
  We have Application based on forms. We installed and configure OAS default like non-ssl and forms using port 7778. Now we need to use SSL.
  If somebody give me detail what should be done?
  Actually, what I did
  1. I stop midtier Using EM.
  2. I modified httpd.conf file changed only "Listen from 7778 to 4445" I didn't change port.
  3. Run dcmctl updateconfig -ct ohs
  4. start midtier using EM.
  I can run forms using //http:localhost:4445/forms90/f90servlet? -succesufully
  but My portal is not available. Did I miss something?
  Please help. It is emergency we need to go to PROD.
  Thanks

  I started from beginning install again OAS 9.0.4 and followed instruction in
  whitepaper in the Internet deployment section titled "Oracle Forms 10g - Configuring Security with SSL ".
  Everything was goung okay until last peice run test form using ssl -- https
  I have error
  java.io.IOException: javax.net.ssl.SSLException: Failed set trust point in ssl context
       at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
       at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
       at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
       at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
       at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
       at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
       at sun.misc.URLClassPath$2.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getLoader(Unknown Source)
       at sun.misc.URLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  WARNING: Unable to cache https://houorcl324.corp.kbr.com:4444/forms90/java/f90all_jinit.jar
  load: class oracle.forms.engine.Main not found.
  java.lang.ClassNotFoundException: java.io.IOException: javax.net.ssl.SSLException: Failed set trust point in ssl context
       at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.openServer(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.net.www.http.HttpClient.<init>(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
       at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
       at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
       at java.net.HttpURLConnection.getResponseCode(Unknown Source)
       at sun.applet.AppletClassLoader.getBytes(Unknown Source)
       at sun.applet.AppletClassLoader.access$100(Unknown Source)
       at sun.applet.AppletClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.applet.AppletClassLoader.findClass(Unknown Source)
       at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at sun.applet.AppletClassLoader.loadCode(Unknown Source)
       at sun.applet.AppletPanel.createApplet(Unknown Source)
       at sun.plugin.AppletViewer.createApplet(Unknown Source)
       at sun.applet.AppletPanel.runLoader(Unknown Source)
       at sun.applet.AppletPanel.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Do I need SSL webcache too? It was not in instruction
  please help

• Non ssl - gives 403 forbidden

  I can access the EM 12c with the ssl address https://server:7799/em
  but I would like to use the non-ssl side of it... I can access http://server:7788 and get the welcome index page.. but if I use http://server:7788/em I get Error 403 Forbidden...

  It sounds like your console is Locked. You can check the status with the command 'emctl status oms -details'.
  To unlock the console use 'emctl secure unlock -console'
  If you also want to unlock agent/OMS communication use 'emctl secure unlock -upload'
  See the Administrators Guide for further details.