Implement TLS (or SSL) communication
Hi all,
I wish to make a very Keep It Simple and Stupid client server application that will conduct secured communication between the client and the server.
The natural approach would be to use TLS (which supercedes SSL, but is a little new yet) or SSL.
I would like to get some reliable and simple sample code, or alternatively, straight forward documentation which will directly fascilitate adding security to the communication done by my client-server application to be.
Any help would be most welcome.
Regards,
Matan
First read the basic cryptographic architecture in Java http://java.sun.com/products/jdk/1.2/docs/guide/security/CryptoSpec.html
Then, if you want to implement application level security in the form of one side encrypting and other side decrypting, take a look at Java Cryptography Extension(JCE) http://java.sun.com/products/jce/index-121.html
Else, ff you want to transparently use SSL/TLS, i.e. security above application level, chekc out Java Secure Socket Extension (JSSE) http://java.sun.com/products/jsse/index-102.html Examples are available as a separate download from that page.
Similar Messages
-
How to implement 2-way SSL in OSB web services
Hi ,
I need to implement secured SSL communication in my OSB web services . For this I have used the self signed certificates in weblogic console and configured them .
I also enabled the https parameter in my proxy service but now when I am trying to open the proxy wsdl in browser it says unauthorised access.
Even in SOAP UI when I am trying to access it says "Error loading wsdl" .
Please help.Hi,
Do you have created a Service Key provider and attached the same to proxy service.
Oracle Service Bus verifies that you have associated a service key provider with the proxy service and that the service key provider contains a key-pair binding that can be used as a digital signature.
Service Key Providers
Regards,
Abhinav -
Hi i have configured the keystore as "Custom Identity and Custom Trust", given the key store names for both given the Identity alisa name under the 'SSL' tab, in 'Advanced' i am enforcing for client certificate. But when i start to access the application, i see the following error
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@16a86fc>
####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090481> <NO_CERTIFICATE alert was received from ASST218297.uk.pri.o2.com - 172.17.247.10. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, checking with TrustManager>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <validationCallback: validateErr = 0>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Required peer certificates not supplied by peer>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: validateErr = 4>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <weblogic user specified trustmanager validation status 4>
####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090508> <Certificate chain received from ASST218297.uk.pri.o2.com - 172.17.247.10 was incomplete.>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Validation error = 4>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Certificate chain is incomplete>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <SSLTrustValidator returns: 68>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, not trusted, sending HANDSHAKE_FAILURE to peer>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
any replies please....Hi,
thanks, actually while searching in the net, i found a blog where there were a few steps for implementing 2-way SSL in weblogic.
http://huyplus.blogspot.com/2010/02/2-way-ssl-with-weblogic-server-103.html?showComment=1267793234806_AIe9_BGsO6q6ENB4YZWtQyX53CzpN8TWcSn08RqNv6z8W3V7NRI3Qlcf4NuEM35O1niTSsYXd4rxjfUT63J2XFXOHjY8W56_sC-E3MGydylLHxDivVEjR0pQnSPv_Tx7CXOqT64AGNhhs06MEM9CBhpOtHcUHwvQMPtPeDAAJcwP1I9TzEIGNzNEQlWn9INrvLzP9_RAYESO3Wcxbl6b9eRgZt_jktfllVbxcvztIV3zoeQ8XlqgpN4S7Z82yCbUS1E7lFl46FZK#c8740869862805814451
fortunately, this is working, i mean the server is working as expected, but in the console, it says that the certificate chain is incomplete....
Anyways thanks for the links and suggestions...
if possible could you please provide me some reference for resolving this issue.
Thanks again
Sharma -
I am having trouble Trouble implementing one-way SSL on WebLogic 9.2...
I am having trouble Trouble implementing one-way SSL on WebLogic 9.2. I am using Demo Identity and Demo Trust certificates with a SSL Listen Port Enabled on 7002, and a Two Way Client Cert Behavior of Client Certs Not Requested. I assume that by using Client Certs Not Requested that there is no need to install certificates on user's computers.
When weblogic is restarted, I get the following log telling me it works...
<Sep 11, 2012 9:35:16 AM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoIdentity.jks.>
<Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoTrust.jks.>
<Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file e:\bea\jdk150_12\jre\lib\security\cacerts.>
<Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.9.20.172:7000 for protocols iiop, t3, ldap, http.>
<Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.9.20.172:7002 for protocols iiops, t3s, ldaps, https.>
However, when I open the console in https://server:7002/console, I get the following error in log file...
<Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090481> <NO_CERTIFICATE alert was received from x.y.z.com - 10.37.10.54. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
<Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090508> <Certificate chain received from x.y.z.com - 10.37.10.54 was incomplete.>
I do not understand why I am getting this error when I assume there is no need to install certificates on user's computers. Can't someone please explain what is going on? Thanks in advance.<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/extension http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd">
<name>nctcis</name>
<domain-version>9.2.3.0</domain-version>
<security-configuration>
<name>nctcis</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType">
<sec:name>DefaultAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:name>DefaultIdentityAsserter</sec:name>
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
<default-realm>myrealm</default-realm>
<anonymous-admin-lookup-enabled>true</anonymous-admin-lookup-enabled>
<credential-encrypted>{3DES}PyUkjWRp8JGpk75BYSbvQ6OWYgA9SZq2nj2IuENa2vxrMy835GMRZ+GGKhJiWapjt0mMC2ohcxxlIMNUZJUH2gCjbB5kQUmA</credential-encrypted>
<node-manager-username>system</node-manager-username>
<node-manager-password-encrypted>{3DES}KmaZDZGQC6spYVY12CbJGA==</node-manager-password-encrypted>
</security-configuration>
<jta>
<timeout-seconds>1800</timeout-seconds>
<abandon-timeout-seconds>3600</abandon-timeout-seconds>
<max-transactions>100000</max-transactions>
<max-resource-unavailable-millis>100000</max-resource-unavailable-millis>
</jta>
<log>
<name>nctcis</name>
<file-name>e:/netcracker/logs/wl-domain.log</file-name>
<file-min-size>5120</file-min-size>
</log>
<server>
<name>nctcisAdmin</name>
<ssl>
<enabled>true</enabled>
<hostname-verifier xsi:nil="true"></hostname-verifier>
<hostname-verification-ignored>false</hostname-verification-ignored>
<client-certificate-enforced>true</client-certificate-enforced>
<two-way-ssl-enabled>false</two-way-ssl-enabled>
<server-private-key-alias>tcisdevbpagov_cert</server-private-key-alias>
<server-private-key-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</server-private-key-pass-phrase-encrypted>
<use-server-certs>false</use-server-certs>
</ssl>
<log>
<name>nctcisAdmin</name>
<file-name>e:/netcracker/logs/weblogic.log</file-name>
<file-min-size>5120</file-min-size>
</log>
<listen-port>7000</listen-port>
<web-server>
<name>nctcisAdmin</name>
<web-server-log>
<name>nctcisAdmin</name>
<file-name>e:/netcracker/logs/access.log</file-name>
<file-min-size>5120</file-min-size>
</web-server-log>
</web-server>
<listen-address>tcis.dev.bpa.gov</listen-address>
<key-stores>DemoIdentityAndDemoTrust</key-stores>
<custom-identity-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_identity.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>JKS</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_trust.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>JKS</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>{3DES}I++r0/FEMRGFrqF47pYZJA==</custom-trust-key-store-pass-phrase-encrypted>
</server>
<embedded-ldap>
<name>nctcis</name>
<credential-encrypted>{3DES}i51JYfmoGyFTxPjiCjjtXWwza1t13k56Ls7fmdqtKB0=</credential-encrypted>
</embedded-ldap>
<configuration-version>9.2.3.0</configuration-version>
<app-deployment>
<name>NetCracker</name>
<target>nctcisAdmin</target>
<module-type>ear</module-type>
<source-path>applications\NetCracker</source-path>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</app-deployment>
<app-deployment>
<name>pictures</name>
<target>nctcisAdmin</target>
<module-type>war</module-type>
<source-path>e:\pictures</source-path>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</app-deployment>
<jms-server>
<name>NCJMSServer</name>
<target>nctcisAdmin</target>
<temporary-template-resource>NCJMSModule</temporary-template-resource>
<temporary-template-name>NetCrackerTemplate</temporary-template-name>
<message-buffer-size>100000</message-buffer-size>
</jms-server>
<self-tuning>
<max-threads-constraint>
<name>MaxThreadsConstraint</name>
<target>nctcisAdmin</target>
<count>40</count>
</max-threads-constraint>
<work-manager>
<name>default</name>
<target>nctcisAdmin</target>
<max-threads-constraint>MaxThreadsConstraint</max-threads-constraint>
<work-manager-shutdown-trigger>
<stuck-thread-count>1000</stuck-thread-count>
</work-manager-shutdown-trigger>
</work-manager>
</self-tuning>
<jms-system-resource>
<name>NCJMSModule</name>
<target>nctcisAdmin</target>
<sub-deployment>
<name>BEA_JMS_MODULE_SUBDEPLOYMENT_NCJMSServer</name>
<target>NCJMSServer</target>
</sub-deployment>
<descriptor-file-name>jms/ncjmsmodule-jms.xml</descriptor-file-name>
</jms-system-resource>
<admin-server-name>nctcisAdmin</admin-server-name>
<jdbc-system-resource>
<name>NetCrackerDataSource</name>
<target>nctcisAdmin</target>
<descriptor-file-name>jdbc/NetCrackerDataSource-5713-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>NetCrackerDataSourceNonTX</name>
<target>nctcisAdmin</target>
<descriptor-file-name>jdbc/NetCrackerDataSourceNonTX-6926-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
</domain>
Edited by: user6904153 on Sep 12, 2012 6:57 AM -
Hello, I´m stucked with this problem for 3 weeks now.
I´m not able to configure the EAP-TLS autentication.
In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
The ISE´s certificate has been issued with the "server Authentication certificate" template.
The clients have installed the certificates also the certificate chain.
When I try to authenticate the wireless clients I allways get the same error: " Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
and "OpenSSLErrorMessage=SSL alert
code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack= 1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
I don´t know what else can I do.
Thank you
JorgeHi Rik,
the Below are the certificate details
ISE Certificate Signed by XX-CA-PROC-06
User PKI Signed by XX-CA-OTHER-08
In ISE certificate Store i have the below certificates
XX-CA-OTHER-08 signed by XX-CA-ROOT-04
XX-CA-PROC-06 signed by XX-CA-ROOT-04
XX-CA-ROOT-04 signed by XX-CA-ROOT-04
ISE certificate signed by XX-CA-PROC-06
I have enabled - 'Trust for client authentication' on all three certificates
this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
when i check the certificates of current user in the Client PC this is how it shows.
XX-CA-ROOT-04 is listed in Trusted root Certification Authority
and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certificate Authorities -
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
Hi guys,
I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificateRefer the link for troubleshooting in page no 22 the issue is mentioned, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf
-
OSB: Implementing 2 way ssl for a particular proxy
Hi All,
We have a requirement to implement 2 way ssl support for one of our OSB proxy and 1 way ssl support for all other proxies in our project.
we have enabled HTTS on OSB and configured 2-way ssl on weblogic server. It is working fine.
But the 2 way ssl configuration on weblogic server impacts all other proxy services deployed on that node. Because of weblogic configuration "Two Way Client Cert Behavior: Client Certs Requested and Enforced", the server expects all request to present the client certificate..
But our requirement is, Only 1 proxy service should enforce 2-way ssl, all other proxies should only support 1 -way ssl(server authentication).
Is there any way to implement our requirement?.
we want to configure weblogic with "Two Way Client Cert Behavior: Client Certs Requested but not and Enforced OR Client Certs NOT Requested" and then in the proxy service we want to enforce client certificate..
Is it possible to implement? If so can anyone help to explain the steps?
Thanks in advance
Edited by: user13109986 on Oct 24, 2012 9:30 AMIt is a domain wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such thing in web.xml.
-
Changing from non-ssl to ssl communication in OAM
I have installed the Identity server and webpass on linux, I initially set them up for non ssl communication between them and the configuration/policy store & the user store. Now I must change that to use SSL. I have not configured them yet. how would I make this change without reinstalling?
When I try to set the configuration data location with SSL checked I get the following error
The files requires for SSL connection are missing.Hi Andy,
Note 740034.1 on My Oracle Support describes how to do this. After performing those steps, I would also verify that you do not have any remaining Open Mode directory profiles being used (in the Identity System Console/System Configuration/Directory Profiles).
Regards,
Colin -
CF & MS-SQL SSL communication?
I'm looking to do SSL communication between our CFMX8 server and MS-SQL 2005 server using the built in SQL SSL encryption.
I wanted to do some testing prior to enabling the features to see it in a broken connection state so when I got it working I knew I was actually encrypting. So I added ";EncryptionMethod=SSL" to the end of the connection string inside of the neo-datasource.xml file to force SSL connection from the CFMX8 side but I had not enabled SSL on the server side. What I expected to see was an SSL connection failure message because EncryptionMethod=SSL means the system will require SSL from the JDBC side and fail if not available. Well it connected right through with no issues... I've found a couple articles online talking about this and at this point I'm not even sure if CFMX8 supports SSL JDBC communications or not...
I've done a bunch of research and I've come up with nothing so far, and I know from looking at the CFAdmin that it's not a checkbox in there. Any assistance would be wonderful.I just came across this. From this article I see CFMX9 supportsSSL MS-SQL encryption, but we're running CFMX8 still. EncryptionMethod=SSL is what I have in the connection string area too...
http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-7f ff.html -
How can I test SSL communication
I have successfully imported a SSL certificate to d:\JRE\Sun\1.4.2\lib\security\cacerts in Windows 2003 server. How can I test this SSL communication between my server and the other SSL Windows server?
michaelfromchattanooga wrote:
There is a card plugged into the reader, and it has good data on it as I have just used the printers card reader to copy the pictures off of it. But the wireless printer is very slow.
I contacted Sonnos (manufacturer of the expresscard/34) and Eric from their support department was kind of smart-mouthed about it. He assured me with 100% certainty that I had inserted the card reader backwards. I replied to him that the card will NOT allow you to insert it backwards, by design. This was yesterday and he has yet to reply.
My main question is if the card reader is defective, or is the slot on my Macbook Pro defective? I only have one MBP so I can't test the card reader in another machine.
Anyone?
Is the slot being recognized in your system profiler? >(option key)About this Mac>Hardware.
You can also run the Apple Hardware test by booting with the D key held down.
You can try put the card in before you boot or reboot with it in. It may only recognize if present at boot.
MacBook Pro, Mac OS X (10.6.7), 2.4GHz IntelCore i5 320 HD 8GB RAM -
Reconfigure IDM 11g installation to Database for SSL communication.
Experts,
I've below environment.
Oracle IDM 11g (OID,OVD,OAM,OAAM,OIF,OIM,etc,.) 11g talking to Oracle Database RAC 11g.
At the time of IDM installation and configuration, database was not in SSL mode. Now I'm want to make SSL communication between IDM and Database.
My Questions:
1. Once I put Database in SSL mode, How can I reconfigure Oracle IDM suite so that it can talk to database in SSL mode ?
2. How much effort does it require ?
Please provide if you have any doc references.
ThanksHi,
Hope this helps:
http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/handlinglcm.htm
Thanks,
GP -
SSL communication with IBM Tivoli 5.2
Hi,
I have downloaded the free version of the IBM Tivoli 5.22 directory server. Its installed great and I can connect and query the sample data using port 389.
I am working on enabling SSL communication with the same.
I referred to
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame.doc/am60_install33.html
Followed the steps provided to enable SSL communication, it gave me errors saying that the password for the key database file was incorrect.
Has anyone try to connect to the IBM Tivoli Directory server via SSL, is there a way to do it in the same way as we set up ssl with Active Directory.
Any help in this regard would be great,
Regards
ZoharatHey ,
I got SSL enalbed on the Tivoli server. I follwed the instructions availabe on the IBM site to set up the GSKIT and create the key database , the certificates and also the setting up the server to use them. I used self signed certificates.
For setting up the server I used the command line utilities.
The ldapsearch command always failed it kept saying bad password. So I took the certificate file that created added it to the cacerts of the java client and then communicated with the server on port 636.
It worked great.
Regards
Zoharat -
SSL communication issue with JDK 1.6.0_19
Hi,
I am facing issue with JDK 1.6.0_19. I have a Java client which communicate with the Server in SSL communication.so, It is able to communicate properly with the JDK <=1.6.0_18 version.But I got handling exception: javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message exception when the client is trying to communicate with the server in JDK 1.6.0_19.
We are using mutual authentication.The client and the server both have the signed certificate.The client certificate has to be validated by the server to establish the connection.
I have seen in forum that it is a renegotiation issue.So, if I enable the renegotiation flag by -Dsun.security.ssl.allowUnsafeRenegotiation=true it's working fine.But enabling renegotiation itself is a vulnerability.So, I can't enable renegotiation.
I am using httpclient 4.0 and JSSE in client side and IIS in the server side for this SSL connection.
I am not sure which side client or server initiating the renegotiation?
Please help me out.
I have tried Openssl command from console.
The command is : openssl s_client -connect X.X.X:443 -CAfile "xxxxx" -cert "xxxxxxxx" -key "xxxxxxxxxx" -state -verify 20 here is the output:
Loading 'screen' into random state - done
CONNECTED(00000748)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
xxxxxxxxxxx.................
verify return:1
xxxxxxxxxxx.................
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
Certificate chain
xxxxxxxxxxx.................
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxx.................
-----END CERTIFICATE-----
xxxxxxxxxxx.................
No client certificate CA names sent
SSL handshake has read 1839 bytes and written 392 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: xxxxxxxxxxx
Session-ID-ctx:
Master-Key: xxxxxxxxxxx
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1275564626
Timeout : 300 (sec)
Verify return code: 0 (ok)
read:errno=10054If you see the console output you can see that two statement is missing those are :
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 write client certificate ASo, I like to know if this is any clue which is asking for renegotiation.Thank you for your response.
Yes I have set the particular proerty SSLAlwaysNegoClientCert to True and it is able to establish the ssl conneciton without initiating renegotiation from IIS server side.The property has to be set the metabase.xml file.
Thank you very much once again.
Edited by: arpitak on Jun 23, 2010 2:10 AM -
Implementing your own SSL provider
Hello,
Im working on a new TLS/SSL implementations. I got all the classes(i.e. sslsocket, etc) ready. The problem i have is that i cant get my socketfactory using SSLFactory.getDefault, because when i do it an exception lang.runtime.exception:export restriction: SunJSSE only is thrown. Is there any way i can fix it?
I live outside the US
looking forward to any replies ;)
lukaszI assume you are on JDK 1.4.x? At this point, no, you can't plug in your own provider into the Sun JDK.
However, in 1.5.x, you can, as long as the sslsocket/sslengine only reports SSL/TLS ciphersuites that
are on the "approved" list.
http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/jsse-tiger-beta2.html#PLUG -
Implementing self-signed SSL on the coldfusion webserver
We've just recently implemented a self-signed SSL on the coldfusion webserver and find that the scheduled tasks are not running.
They don't even appear to "kick off". I'm not receiving an error or notice.
I've attempted pulling-in the cert directly into the Coldfusion JRE folder, and running through the most common answers on the internet regarding use of the cert keytool import - no luck.I currently have the configureation you are talking about. To allow an iOS device to connect do the following.
1. From the iOS device go to your servers homepage in safari.
2. Login to the profile manager using that individuals userid and password. For some reason I have to login twice the first time I enter the userid and password it will not authenticate the second time it will log the user in.
3. Click the install button next to the "Trust profile" to install it to the iOS device. This will make the iOS device trust the certificate from your personal server.
4. After that you may also install the server profile which will install your vpn and calendar etc... profiles for connecting to the services you have setup on the server onto the iOS device.
5. Once you accomplish this you will be able to access your services via your local lan or vpn.
Maybe you are looking for
-
Satellite A300-21H - What the hidden partition means?
Hi, I have a Satellite A300-21H and using MS vista but will be getting dual boot ubuntu soon. When i look up my disk size i see C drive is 148GB and then there is an E drive also at 147GB. The E drive is ntfs ( contains a folder called HDD recovery a
-
Performance issue on a select statement
Hi all @ SAPforums and thanks for your attention, the task is quite simple: given a Purchase Requisition number and position (banfn, bnfpo) I have to check if a contract with the same PR as source exists in the EKPO table. In order to check for it, I
-
I updated my Ipad( ios 7.1) & now it is asking for my PASSCODE ...I NEVER used a PASSCODE ,so now I am unable to use my IPAD because I DO NOT or NEVER have used a passcode ..my IPAD is useless ..I am locked out because I have NO passcode to use! HEL
-
Itunes 7.0.1.8 hangs when trying to update podcasts
I'm a newbie, recently got an 80 GB video ipod. I set a few podcasts to download, but when I start up itunes, and it starts to update multiple podcasts, it just hangs and I have to do an end task from the Task Manager manually. I've verified this by
-
AppName: illustrator.exe AppVer: 13.0.128.0 ModName: foconversionsuite.aip ModVer: 13.0.128.0 Offset: 00006eb8 I am experiencing a problem with cs 3 where it crashes immediately if I try to create a new document or open an existing (open by double cl