Inconsistent Security Configuration - SSL

 

The problem appears to be that the version of WLS you're using is only for
export, not domestic.
You should contact your account rep to discuss how to obtain a domestic
strength kit.
Paul Patrick
"Waldemar Thiel" <[email protected]> wrote in message
news:[email protected]..
Hi all
I've got certificate for my server (WBL 5.1) and ...
<Security> 1 certificate(s): fingerprint = b566b9920c64eb6f55d2e... -that is
ok.
<Security> WARNING: Exportable (weak) WebLogic Server build running and
domestic (full) strength SSL license detected. Only exportable strength SSL
connections will be accepted.
<SSLListenThread> Inconsistent Security Configuration,java.lang.Exception:
Using a domestic (full) strength certificate with an exportable (weak)
strength WebLogic Server build.
<Security> Not listening for SSL: java.io.IOException: Inconsistent Security
Configuration, java.lang.Exception: Using a domestic (full) strength
certificate with an exportable (weak) strength WebLogic Server build.
What to do ? Thanks for any help.
Waldemar Thiel
PS. my key is 1024 length... and CA is thawte

Similar Messages

  • NPE when configuring SSL in 9.2

    Hi all,
    I'm trying to configure SSL on WLS 9.2 mp4 but am getting a NullPointerException with no additional helpful information.
    I'm using "Custom Identity and Java Standard Trust." I think the location, type, and password of my identity keystore are correct.
    This is the output I'm getting:
    ####<Jun 7, 2011 11:02:05 AM CDT> <Debug> <SecuritySSL> <PCSHPQL0089851> <admin> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1307462525894> <000000> <SSLContextManager: initializing SSL context for channel DefaultSecure>
    ####<Jun 7, 2011 11:02:05 AM CDT> <Debug> <SecuritySSL> <PCSHPQL0089851> <admin> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1307462525894> <000000> <SSLContextManager: loading server SSL identity>
    ####<Jun 7, 2011 11:02:05 AM CDT> <Debug> <SecurityEncryptionService> <PCSHPQL0089851> <admin> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1307462525894> <000000> <1307462525894 : [ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)' : starting decrypt operation>
    ####<Jun 7, 2011 11:02:05 AM CDT> <Debug> <SecurityEncryptionService> <PCSHPQL0089851> <admin> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1307462525894> <000000> <1307462525894 : [ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)' : done with decrypt operation>
    ####<Jun 7, 2011 11:02:05 AM CDT> <Notice> <Security> <PCSHPQL0089851> <admin> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <1307462525894> <BEA-090171> <Loading the identity certificate and private key stored under the alias weblogicssl from the JKS keystore file c:\projects\ssl\keystore.>
    ####<Jun 7, 2011 11:02:05 AM CDT> <Error> <WebLogicServer> <PCSHPQL0089851> <admin> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <1307462525894> <BEA-000297> <Inconsistent security configuration, java.lang.NullPointerException>
    ####<Jun 7, 2011 11:02:05 AM CDT> <Error> <Server> <PCSHPQL0089851> <admin> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <1307462525894> <BEA-002618> <An invalid attempt was made to configure a channel for unconfigured protocol "null".>
    I've turned on all the debug output I can find.
    I also wrote a little java program that reads the keystore and prints out its contents. Nothing looks wrong to me. I also tried using a known-good keystore from one of our other servers, both in my test app and in WL. Test app shows the same output for both stores with the exception of the things I expect to be different, like DN. WL also fails with the same error.
    Any idea what the problem is or how to debug this further?
    thanks

    Thanks for the response.
    That is the correct name. I should probably change it to keystore.jks but I was following the example of the common trust store named cacerts.
    SSL is enabled with port 7002.
    JVM versions are the same.
    Keytool works fine with it. It shows 1 cert, which is what I expect. The alias is correct. I know the keystore password but I don't know the private key password. I might try generating a new pw and make sure to set and remember a pw on the key itself.
    thanks

  • Error in configuring SSL

    Hi,
    Working on bea weblogic 7.0 with sp1. Using keytool,
    generated keystore with storetype jks, generated alias
    generated certreq and obtained certificate from local MSCA, imported trustca to the keystore.
    Passed the parameters in the bea weblogic admin console.
    when restarted the weblogic following messages are displayed in startup
    <Sep 30, 2005 12:21:07 PM IST> <Notice> <Management> <140005> <Loading configuration D:\bea\user_projects\valyd\.\config.xml>
    <Sep 30, 2005 12:21:12 PM IST> <Notice> <Security> <090082> <Security initializing using realm myrealm.>
    <Sep 30, 2005 12:21:12 PM IST> <Notice> <WebLogicServer> <000327> <Starting WebLogic Admin Server "myserver" for domain "valyd">
    <Sep 30, 2005 12:21:20 PM IST> <Notice> <Management> <141052> <Application Poller started for development server.>
    <Sep 30, 2005 12:21:21 PM IST> <Alert> <WebLogicServer> <000297> <Inconsistent security configuration, java.lang.NullPointerException>
    java.lang.NullPointerException
    at weblogic.security.RSAKey.toString(RSAKey.java:212)
    at java.lang.String.valueOf(String.java:1942)
    at java.lang.StringBuffer.append(StringBuffer.java:365)
    at weblogic.security.X509.toString(X509.java:289)
    at java.lang.String.valueOf(String.java:1942)
    at java.lang.StringBuffer.append(StringBuffer.java:365)
    at weblogic.security.SSL.SSLCertificate.toString(SSLCertificate.java:218)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:248)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
    at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
    at weblogic.Server.main(Server.java:32)
    <Sep 30, 2005 12:21:22 PM IST> <Emergency> <Security> <090034> <Not listening for SSL, java.io.IOException: Inconsistent security configuration, null.>
    <Sep 30, 2005 12:21:23 PM IST> <Notice> <WebLogicServer> <000354> <Thread "ListenThread.Default" listening on port 7001>
    <Sep 30, 2005 12:21:23 PM IST> <Notice> <Management> <141030> <Starting discovery of Managed Server... This feature is on by default, you may turn this off by passing -Dweblogic.management.discover=false>
    <Sep 30, 2005 12:21:23 PM IST> <Notice> <WebLogicServer> <000331> <Started WebLogic Admin Server "myserver" for domain "valyd" running in Development Mode>
    <Sep 30, 2005 12:21:23 PM IST> <Notice> <WebLogicServer> <000365> <Server state changed to RUNNING>
    <Sep 30, 2005 12:21:23 PM IST> <Notice> <WebLogicServer> <000360> <Server started in RUNNING mode>
    Does anyone have a solution for this...
    thanks
    Ceenu

    This is a bug that's been fixed for some time now.
    I'd file a support case to get a patch.
    Pavel.

  • WS Security Configuration error DELAY_L_ERE is inconsistent

    Hello Colleagues,
    If I try to activate the WS Security Configuration (SE38 > WSS_SETUP) on a SAP ECC 6.0 System for a SAML Scenario over PI, I get the following notification:
    WS Security Configuration
    Service user 'DELAY_L_ERE' is inconsistent
    Configuration for WS Security logon created
    Service user 'DELAY_L_ERE' is consistent
    Service: Name or password is incorrect (repeat logon)
    The WS Security Configuration on PI was successful without any errors!
    Any ideas?
    Many thanks in advance!
    Regards,
    Jochen
    Edited by: Jochen Schertel on Jun 18, 2010 10:43 AM

    Hello Colleagues,
    we found the solution.
    Presumably it's required to have the profile "SAP_ALL" during executing WS Security Configuration.
    Profile "SAP_ALL" solved the problem.
    Regards,
    Jochen

  • Securing file download with standard web security and ssl

    Hi,
    I want to put some files for download in my webapp. At the same time, I want to protect these files using standard servlet security and ssl. So I added <security-constraint> in my web.xml and configured tomcat to allow SSL connection. Now I got the files protected as I expected. When I try to access the file directly from browser, tomcat shows me the login page. However, after correct login, I.E. pops up an error saying something like "Internet Explorer cannot download XXX from XXX. The file could not be written to the cache.". The log file showed the following exception:
    javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1154)
         at com.sun.net.ssl.internal.ssl.AppInputStream.available(AppInputStream.java:40)
         at org.apache.tomcat.util.net.TcpConnection.shutdownInput(TcpConnection.java:90)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:752)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
         at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1407)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
         at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:747)
         at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:403)
         at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:400)
         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:961)
         at org.apache.coyote.Response.action(Response.java:182)
         at org.apache.coyote.Response.finish(Response.java:304)
         at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:281)
         at org.apache.catalina.connector.Response.finishResponse(Response.java:473)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:738)
         ... 4 more
    Caused by: java.net.SocketException: Connection reset by peer: socket write error
         at java.net.SocketOutputStream.socketWrite0(Native Method)
         at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
         at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
         at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
         at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:663)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         ... 15 more
    I've tried separating concerns, for example protect files but not require SSL, and enable SSL but do not protect files. Both work respectively but not together. I also tried using download4j's DownloadServlet. Still doesn't work.
    Have any of you encountered the same situation? If so, could you enlighten me on what I did wrong? It may be just a simple SSL configuration or something. Thanks in advance!
    Jack

    My environment setup is:
    JDK 1.5.01
    Tomcat 5.5.7
    For downloading files, I just use plain old <a href> method. I simply right-click the link and choose "save target as...".
    Thanks,
    Jack

  • Configure SSL in J2SE Plain adapter

    I tried to configure SSL in J2SE Plain adapter. (7.0)
    I've generated a certificate file "certif_file.cer" and
    while I put in GUIBrowserEngine Property File the following
    line:
    HTTP.SSLcertificate=F:\tech_adapter_70\certif_file.cer
    I've got the following error message:
    16:19:10 : Error(s) in GUIBrowserEngine configuration
    parameters found:
    ERROR: Certificate file 'F: ech_adapter_70certif_file.cer' not
    found, must quit!
    It seems that something is wrong with my definition of full path
    to this file. But I do not find from SAP Library any solution
    about this problem.
    Could you help me?

    Hi Boris,
    Please try to give the full path using backslash '/' :
    e.g.  F:/tech_adapter_70/certif_file.cer
    I hope it will work.
    The J2SE Adapter Engine uses SSL only for communication line encryption, not for client and server authentications. Since this is a drawback with respect to security, you should use the J2EE Adapter Engine in insecure environments.
    All configuration data for the Plain J2SE Adapter Engine is maintained in flat property files. The file for the engine administration data itself is located in the following directory:
    <installation directory>/tech_adapter/BaseConfiguration
    The file for the adapter configuration data is located in the following directory:
    <installation directory>/tech_adapter/Configuration
    The adapters of the Plain J2SE Adapter Engine are configured locally and not in the Integration Directory. Exchanged messages are also stored directly in the file system.
    Therefore, ensure that only the operating system user, who has started and therefore owns the adapter engine process, can read the property files and has access to the directories used for message exchange.
    *Pls: Reward points if helpful*
    Regards,
    Jyoti
    Edited by: Jyoti Acharya on Dec 19, 2007 5:05 PM

  • Configuring SSL in Oracle Apps 11.5.10.2

    Hi,
    I am in the process of configuring SSL in oracle apps 11.5.10.2.
    I am a bit confused with the Note ID: 123718.1. Could you please clarify me on the below things?
    1. SSL can be implemented at three levels,
    (a) Oracle Web/Apache Server Level
    (b) Oracle Form Server Level
    (c) Oracle Database Level
    Can I implement SSL on any one or any two component levels? As per Note:123718.1, we MUST configure SSL for both the Oracle HTTP Server and Oracle Forms Level and these cannot be configured independently.
    2. As per the Note ID: 123718.1, Option 2.1. Certificate Provisioning for Oracle HTTP Server
    Point b in point 2 says to execute "$OPENSSL_TOP/bin/openssl sha1 or* > $HOME/.rnd"
    But which will be the OPENSSL_TOP?
    Please advise on these above two queries.
    Thanks in advance
    Regards,
    Sravan

    Thanks Hussien,
    I have completed SSL configuration at all level including database. Forms are not getting launched. I am getting below error in the Java Console.
    Java Plug-in 1.6.0_23
    Using JRE version 1.6.0_23-b05 Java HotSpot(TM) Client VM
    User home directory = C:\Documents and Settings\sdalav
    c: clear console window
    f: finalize objects on finalization queue
    g: garbage collect
    h: display this help message
    l: dump classloader list
    m: print memory usage
    o: trigger logging
    q: hide console
    r: reload policy configuration
    s: dump system and deployment properties
    t: dump thread list
    v: dump thread stack
    x: clear classloader cache
    0-5: set trace level to <n>
    proxyHost=null
    proxyPort=0
    connectMode=HTTPS
    Exception in thread "thread applet-oracle.forms.engine.Main-2" java.lang.NoClassDefFoundError: oracle/security/ssl/OracleSSLSocketFactory
         at oracle.forms.net.HTTPSStream.<init>(Unknown Source)
         at oracle.forms.net.HTTPConnection.connect(Unknown Source)
         at oracle.forms.engine.Runform.initConnection(Unknown Source)
         at oracle.forms.engine.Runform.startRunform(Unknown Source)
         at oracle.forms.engine.Main.createRunform(Unknown Source)
         at oracle.forms.engine.Main.start(Unknown Source)
         at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.lang.ClassNotFoundException: oracle.security.ssl.OracleSSLSocketFactory
         at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         ... 8 more
    Caused by: java.io.IOException: open HTTP connection failed:https://sandispa.bp.com:8443/OA_JAVA/oracle/security/ssl/OracleSSLSocketFactory.class
         at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unknown Source)
         at sun.plugin2.applet.Applet2ClassLoader.access$000(Unknown Source)
         at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         ... 13 more
    Thanks,
    Sravan

  • Urgent Please..Error while configuring SSL protocol

    Hi,
    I am facing problems when I am trying to configure my WLS 6.0 (on
    Win 2000) for SSL protocol. I have used the CSR generator to generate
    CSR & I have got a trial SSL id from VeriSign. I have now got the
    following files:
    hercules-key.der(private key generated by CSR generator)
    cert.pem (digital certificate from VeriSign)
    When I configured the server console with
    Server Key file name =./config/mydomain/hercules-key.der
    Server Certificate file name=./config/mydomain/cert.pem
    Server Certificate chain file name=./config/mydomain/cert.pem
    & restarted the server with the following command:
    startWeblogic -Dweblogic.management.pkpassword=<the pwd I gave>
    I am getting the following error:
    <Mar 19, 2001 11:20:11 AM PST> <Alert> <WebLogicServer> <Security
    configuration
    problem with certificate file ./hercules-key.der, java.io.EOFException>
    java.io.EOFException
    at weblogic.security.Utils.inputByte(Utils.java:133)
    at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
    at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
    at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
    at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:393)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    Please tell me where I went wrong. Do I need to make any more changes
    in the console.
    Thanks in advance.. Sita

    The Server Certificate File Name should point to the cert that establishes
    the server's identity.
    The Server Certificate Chain File Name should contain as its first member
    the cert used to sign the server's cert, the second member should contain a
    cert used to sign the first cert in the file, etc. until the last cert in
    the chain which should be self-signed. The Server Certificate Chain File
    Name is required to have at least one cert in it (and if there is only one
    it must be self-signed, ie a root CA cert and it must be the cert that was
    used to sign the server's certificate).
    If you got the trial cert from Verisign their email to you should have told
    you how to obtain a root CA from them to use.
    "Sita Mulomudi" <[email protected]> wrote in message
    news:[email protected]...
    >
    Hi,
    I am facing problems when I am trying to configure my WLS 6.0 (on
    Win 2000) for SSL protocol. I have used the CSR generator to generate
    CSR & I have got a trial SSL id from VeriSign. I have now got the
    following files:
    hercules-key.der(private key generated by CSR generator)
    cert.pem (digital certificate from VeriSign)
    When I configured the server console with
    Server Key file name =./config/mydomain/hercules-key.der
    Server Certificate file name=./config/mydomain/cert.pem
    Server Certificate chain file name=./config/mydomain/cert.pem
    & restarted the server with the following command:
    startWeblogic -Dweblogic.management.pkpassword=<the pwd I gave>
    I am getting the following error:
    <Mar 19, 2001 11:20:11 AM PST> <Alert> <WebLogicServer> <Security
    configuration
    problem with certificate file ./hercules-key.der, java.io.EOFException>
    java.io.EOFException
    at weblogic.security.Utils.inputByte(Utils.java:133)
    at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
    at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
    at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
    at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:393)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    Please tell me where I went wrong. Do I need to make any more changes
    in the console.
    Thanks in advance.. Sita

  • Livecycle on Websphere 6.1--configuring SSL problem

    I have installed and set up adobe livecycle es 8.2 on websphere on an AIX platform.  I'm on page 27 of the Administering Livecycle ES guide but have hit a brick wall in regards to the SSL implementation part.
    I have an existing websphere DMGR console that I have security enabled on.  The first parts of the document are not at all what I have already set up and have working and would undo some of my current settings.  I browse through to step 25 and it's now saying I should be logging into my admin console with the username and password I set up in step 2
    NO.. I already have security enabled and have a login and password set up that I use.
    It appears that the documentation for this part of the guide is not correct for websphere 6.1 and wants me to overwrite my current security settings

    Configuring SSL is a purely WebSphere Application Server (AS) administrative task.
    Although LiveCycle's documentation provides you with instructions on how to configure WebSphere AS for SSL, it is better if it is done based on your IT shop's WebSphere security policies.  This is because in many cases, Adobe's instructions might run counter to your IT organization's procedures.
    Also, verify that SSL works by using a non-LiveCycle application so that LiveCycle is kept out of the picture while SSL is being configured.
    If configured properly, http://server:port/adminui should work as well as https://server:port/adminui.

  • Configuring ssl giving  CipherException

    After getting certificate from verisign I opened myserver and
    on SSL tab gave the 1)Server Key File Name 2)Server Certificate File Name and
    rest all with their default value.
    But when I am restarting the weblogic it gives the following exception.
    Is it compulsory to specify
    3) Server Certificate Chain File Name:....?
    exception :---------
    weblogic.security.CipherException: Incorrect encrypted block
    at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:216)
    at weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
    at weblogic.security.X509.verifySignature(X509.java:243)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:443)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1039)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
    at weblogic.Server.main(Server.java:35)
    <Dec 23, 2001 4:34:47 PM GST> <Alert> <WebLogicServer> <Inconsistent security configuration, weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate>
    weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate
    at weblogic.security.X509.verifySignature(X509.java:251)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:443)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1039)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
    at weblogic.Server.main(Server.java:35)

    Nivas,
    ServerCertificateChain file that is in place appears to be the wrong one.
    That is CA's root certificate, which you can download from CA site (e.g.,
    verisign)
    "nivas" <[email protected]> wrote in message
    news:3c25d005$[email protected]..
    >
    after getting certificate from verisign i opened myserver and
    on SSL tab gave the 1)Server Key File Name 2)Server Certificate File Name and
    rest all with their default value.
    but when i am restarting the weblogic it gives the following exception.
    is it compulsory to specify
    3) Server Certificate Chain File Name:....?
    exception :---------
    weblogic.security.CipherException: Incorrect encrypted block
    at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:216)
    at weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
    at weblogic.security.X509.verifySignature(X509.java:243)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:443)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1039)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
    at weblogic.Server.main(Server.java:35)
    <Dec 23, 2001 4:34:47 PM GST> <Alert> <WebLogicServer> <Inconsistent security configuration, weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate>
    weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate
    at weblogic.security.X509.verifySignature(X509.java:251)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:443)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1039)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
    at weblogic.Server.main(Server.java:35)
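
The chain-file rule from the WLS 6.0 reply further up (first member signs the server certificate, each following member signs the one before it, last member self-signed) and from the reply just above, as an added example that is not part of either post: a shell check built on the openssl CLI. The function names, file names and throwaway demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks a certificate chain file against the rule quoted above.
# Requires the openssl CLI. All function and file names here are illustrative.

# Split a PEM bundle ($1) into $2/chain-1.pem, chain-2.pem, ...; print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Hashes of the subject and issuer names, used to compare names between certs.
subj_hash()   { openssl x509 -noout -subject_hash -in "$1" 2>/dev/null; }
issuer_hash() { openssl x509 -noout -issuer_hash  -in "$1" 2>/dev/null; }

# check_chain_file SERVER_CERT CHAIN_FILE -> returns 0 if the chain file is usable.
check_chain_file() {
    server=$1
    chain=$2
    work=$(mktemp -d) || return 2
    count=$(split_bundle "$chain" "$work") || count=0
    rc=0
    if [ "$count" -lt 1 ]; then
        echo "FAIL: chain file holds no certificate"
        rm -rf "$work"
        return 1
    fi
    # Walk the file: member i must carry the name that issued the cert before it.
    child=$server
    i=1
    while [ "$i" -le "$count" ]; do
        parent=$work/chain-$i.pem
        if [ "$(issuer_hash "$child")" != "$(subj_hash "$parent")" ]; then
            echo "FAIL: member $i did not issue the certificate before it"
            rc=1
        fi
        child=$parent
        i=$((i + 1))
    done
    # The last member must be self-signed (issuer name equals subject name).
    if [ "$(issuer_hash "$child")" != "$(subj_hash "$child")" ]; then
        echo "FAIL: last member of the chain file is not self-signed"
        rc=1
    fi
    # Names only prove ordering; let openssl check the signatures as well.
    if [ "$rc" -eq 0 ]; then
        if ! out=$(openssl verify -CAfile "$child" -untrusted "$chain" "$server" 2>&1); then
            echo "FAIL: openssl verify rejected the chain: $out"
            rc=1
        fi
    fi
    rm -rf "$work"
    if [ "$rc" -eq 0 ]; then
        echo "OK: $count chain member(s), correctly ordered, signatures verify"
    fi
    return "$rc"
}

# Build constructed sample input in directory $1: root.pem, server.pem signed
# by it, and other-root.pem (same subject name as root.pem, different key).
make_demo_certs() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -keyout "$d/other-root.key" -out "$d/other-root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=server.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# Usage: sh check_chain.sh server-cert.pem chain-file.pem
if [ "$#" -eq 2 ]; then
    check_chain_file "$1" "$2"
fi
```

A chain file that is really the server's own certificate, as in the WLS 6.0 question where both settings name cert.pem, fails the first name check. A root with the right name but the wrong key passes the name checks and is caught only by `openssl verify`.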

  • Configuring SSL for Real-Time Collaboration

    Hi,
    We installed OCS10gR1 because we want to use Real-Time collaboration for delivering support. At this moment we are trying to configure SSL. We already worked through the following guides :
    - Real-time collaboration admin guide
    - OCS admin guide
    - OCS Security guide
    - OPMN admin guide
    but it's still very fuzzy. It's hard to get a clear overview about the steps to follow to get SSL working for RTC. Is there some kind of "cookbook" or simple guide which describes all the steps in a clear way.
    Thank you

    Hi,
    I ran the SSLconfigTool.sh script on the Infrastructure with success but the midtierSSLConfigTool.sh script didn't come to an end. Probably, I ran the script with the wrong options. I used the following options :
    <oid hostname> gary.woerden.centric (hostname on which ocs resides)
    <oid port> 389 (default)
    <oid admin dn> I filled in orcladmin, but maybe dn=woerden,dn=centric would be better ???
    <http server SSL port> 8250 (from portlist.ini)
    <https> internet_appserver_registry (I really didn't know what value this must be)
    <hostname of the computer> gary.woerden.centric
    <True | False> False
    The output of the script midtierSSLConfigTool.sh with the options mentioned above:
    Modifying Collaboration Suite service registry
    Exception in thread "main" javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
    at oracle.ldap.util.jndi.ConnectionUtil.returnInitialLdapContext(ConnectionUtil.java:492)
    at oracle.ldap.util.jndi.ConnectionUtil.getDefaultDirCtx(ConnectionUtil.java:135)
    at oracle.ldap.util.jndi.ConnectionUtil.getDefaultDirCtx(ConnectionUtil.java:157)
    at URLUpdate.main(URLUpdate.java:32)
    Done. Please go to /opt/oracle/product/10.1.1/ocs/apps/imeeting/logs/rtcctl directory to check the log file.
    Starting the SSL Configuration Tool...
    Log file recording the current execution is '/home/oracle/SSLConfigTool_20051104_091126.log'.
    Below is the command line you have entered:
    SSLConfigTool -config_w_default -opwd ******** -ptl_dad portal -ptl_inv_pwd ********
    Executing command:
    /opt/oracle/product/10.1.1/ocs/apps/bin/ldapbind -h gary.woerden.centric -p 636 -U 1
    Querying password for Portal from OID.
    Executing command:
    /opt/oracle/product/10.1.1/ocs/apps/bin/ldapsearch -h gary.woerden.centric -p 636 -D cn=orcladmin -w ******** -U 1 -b "OrclResourceName=Portal,orclReferenceName=ocs.woerden.centric,cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext" -s sub "objectclass=*" orclpasswordattribute
    Exit code: 0
    Executing command:
    /opt/oracle/product/10.1.1/ocs/apps/dcm/bin/dcmctl updateConfig
    Executing command:
    /opt/oracle/product/10.1.1/ocs/apps/opmn/bin/opmnctl stopproc ias-component=dcm-daemon
    Configuring HTTPS for your ORACLE_HOME at:
    /opt/oracle/product/10.1.1/ocs/apps
    Backing up file '/opt/oracle/product/10.1.1/ocs/apps/opmn/conf/opmn.xml' to file '/opt/oracle/product/10.1.1/ocs/apps/opmn/conf/opmn.xml.orig_SSLConfigTool'.
    Backing up file '/opt/oracle/product/10.1.1/ocs/apps/Apache/Apache/conf/ssl.conf' to file '/opt/oracle/product/10.1.1/ocs/apps/Apache/Apache/conf/ssl.conf.orig_SSLConfigTool'.
    Backing up file '/opt/oracle/product/10.1.1/ocs/apps/webcache/webcache.xml' to file '/opt/oracle/product/10.1.1/ocs/apps/webcache/webcache.xml.orig_SSLConfigTool'.
    Backing up file '/opt/oracle/product/10.1.1/ocs/apps/webcache/webcache.xml' to file '/opt/oracle/product/10.1.1/ocs/apps/webcache/webcache.xml.tmp'.
    Executing command:
    /opt/oracle/product/10.1.1/ocs/apps/sso/bin/ssoreg.sh -oracle_home_path /opt/oracle/product/10.1.1/ocs/apps -site_name SSLConfigTool_ssl_ocsapps.gary.woerden.centric -config_mod_osso TRUE -mod_osso_url https://gary.woerden.centric:8250 -u root
    Backing up file '/opt/oracle/product/10.1.1/ocs/apps/j2ee/OC4J_Portal/applications/portal/portal/WEB-INF/web.xml' to file '/opt/oracle/product/10.1.1/ocs/apps/j2ee/OC4J_Portal/applications/portal/portal/WEB-INF/web.xml.orig_SSLConfigTool'.
    Backing up file '/opt/oracle/product/10.1.1/ocs/apps/portal/conf/iasconfig.xml' to file '/opt/oracle/product/10.1.1/ocs/apps/portal/conf/iasconfig.xml.orig_SSLConfigTool'.
    Executing command:
    /opt/oracle/product/10.1.1/ocs/apps/portal/conf/ptlconfig -encrypt
    Executing command:
    /opt/oracle/product/10.1.1/ocs/apps/portal/conf/ptlconfig -dad portal -pw ********
    Backing up file '/opt/oracle/product/10.1.1/ocs/apps/sysman/emd/targets.xml' to file '/opt/oracle/product/10.1.1/ocs/apps/sysman/emd/targets.xml.orig_SSLConfigTool'.
    Executing command:
    /opt/oracle/product/10.1.1/ocs/apps/dcm/bin/dcmctl updateConfig
    This last command didn't come to an end.
    Can you tell me what options are wrong, and can I run the script again or should I first back up the backed-up files?
    Thanks in advance!

  • Configuring SSL

    DB version: 11.1.0.6
    Platform: AIX 5L
    I'm planning to configure SSL authentication to the client. Per Oracle documentation, I don't see 'Oracle Advanced Security Profile' in Oracle Net Manager. I'm able to see only 'Naming' and 'General' tabs in the drop down. How can I install advanced security features?

    I have already gone through these documents. But they just mention 'install advanced security features'. When I look at the installed products, I'm able to see 'Oracle Advanced Security', SSL, etc. If so, why is netmgr not displaying 'Oracle Advanced Security' in the dropdown?

  • WS-C2960S-24TS-S and WS-C2960S-24TS-S Basic Security configuration.

    Greetings, I would like to start by apologizing. I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and a WS-C2960S-24TS-S switch that needs to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures (hand holding, I'm sorry).
    I wanted step-by-step guidance of:
    1. Locking down ports by MAC address.
    2. DDoS protection.
    3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
    4. Shutting down any services on the switch.
    5. Shutting down password recovery.
    Any other recommended security steps to secure the switch.
    Thanking in advance,
    Parth

    Hi Parth,
    I'm not sure if you got this figured out or not but a lot of the stuff you need can be found here: Cisco Guide to Harden Cisco IOS Devices
    Regarding the "locking down ports by MAC address", you should think about Port-security.

  • I have configured SSL. Do we need to make any further changes?

    Hi all,
    I am new to SSL.
    I have a question.
    We have just configured SSL on our Web Server to make the site secure.
    We have a Registration Form on our site; the customer fills it in and submits the form, so we want to
    make the Registration Form secure.
    I want to know whether we need to make any further changes in
    our program (Servlet/JSP).
    I mean, do we need to use/implement the JSSE package API in our program?
    Please help me with this.
    amitindia

    > > Your engine may or may not use JSSE - but unless you're opening your
    > > own Sockets, you don't care.
    > What does this mean?
    > We are not using Socket Connection in our program (in
    > our database driven website).
    Then you're all set. What I meant was, if you're creating new Sockets in your Servlet (which is not typical, but I've seen it done), then you'd need to worry about how to make an SSLSocket. Since you're not, you're all set.
    > As you explain, we have to replace http with https.
    > Is this the only change we have to make, or are there any
    > other changes to be made?
    No - change your URLs, and then read up on how to set up your ServletEngine so that it supports SSL, and you should be all set.
    Grant

  • WS-C2960S-24TS-S and WS-C2960X-24TS-L Basic Security configuration.

    Greetings, I would like to start by apologizing as I would require hand-holding, given my lack of experience in Cisco (or any other switches). I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a WS-C2960S-24TS-S and WS-C2960X-24TS-L switch that needs to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures.
    I wanted step-by-step guidance of:
    1. Locking down ports by MAC address.
    2. DDoS protection.
    3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
    4. Shutting down any services on the switch.
    5. Shutting down password recovery.
    6. Enabling highest supported encryption for sensitive (passwords). While I'm posting this I've just read that level 7 encryption can be cracked.
    Any other recommended security steps to secure the switch.
    Thanking in advance,
    Parth

    Hello, Parth Maniar.
    1. look at the command "switchport port-security" inside interfaces (documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf ).
    2. There is not much you can do for DDoS protection. It also depends on the IOS version (is your IOS lite or base). You can use the command from point 1, and also the "storm-control" commands (inside interface), "switchport block [type]" (inside interface), and if your IOS is not lite you can also use arp-spoofing protection and dhcp-spoofing protection.
    3. To turn off ssh and telnet:
    line vty 0 4
     transport input none
    exit
    line vty 5 15
     transport input none
    exit
    For turning off http access: no ip http server
    To limit access only from 1 IP address to HTTPS server:
    access-list 1 remark ------- ACL for HTTPS access ------------------------
    access-list 1 permit [permited IP]
    access-list 1 deny any log
    access-list 1 remark ------- END of ACL for HTTPS access -----------------
    ip http access-class 1
    And for configuration HTTPS server: http://www.cisco.com/c/en/us/td/docs/ios/termserv/command/reference/tsv_book/tsv_s1.pdf
    4. Use the command "service ?" to see all possible services for your switch. With "no" before the command you can turn off every service that you don't need (for example "no service dhcp").
    5. You can't shut it down because you can recover the password only by rebooting the switch and pushing the "mode" button after this. Here is the procedure for password recovery: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2950-series-switches/12040-pswdrec-2900xl.html
    After reading it you can understand why you can't turn it off.
    6. Yes, level 7 encryption can be cracked. So you can store your passwords as md5. You can use commands:
    enable secret [password]
    username [name] secret [password]
    After this Cisco will encrypt your password with an md5 hash and in the configuration you'll see it as "username [name] secret 5 [md5 hash]"
    What else you can use for security matters:
    - logging (command "login on-failure log every [numbers of fails]" must be!). Documentation: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html
    Also you can use the configuration below to log all changes to the configuration:
    archive
     log config
      logging enable
     exit
    exit
    - turn off the lldp and cdp protocols on the end-user side (you can google it).
    - use SNMP for getting the status of the switch and ports and analyse it for anomalies.
    - use these commands inside interfaces: "spanning-tree guard root" (don't use this command on the ports where your other switches are connected) and "spanning-tree bpduguard enable" (use the second command if you are not planning to connect another switch to this port).
    - use the command "switchport nonegotiate" on all ports.
    - also you can use these commands:
    no ip source-route
    ip arp proxy disable
    no ip icmp redirect
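
The checklist in the reply above, turned into an offline audit of a saved running-config. This is an added example, not part of the original thread; the sample configuration, the function names and the treatment of "switchport mode access" ports as end-user ports are assumptions made for illustration.

```python
import re

# Constructed sample of "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
enable password 7 00PLACEHOLDER
ip http server
ip http secure-server
access-list 1 permit 192.0.2.10
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/2
 switchport mode access
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
"""

def stanzas(config):
    """Return [header, [sub-commands]] pairs, one per top-level command."""
    out = []
    for line in config.splitlines():
        if line[:1].isspace() and out:
            out[-1][1].append(line.strip())
        elif line.strip() not in ("", "!"):
            out.append([line.strip(), []])
    return out

def audit(config):
    """Check a saved config against the reply's items (access ports assumed end-user ports)."""
    found, top = [], []
    for header, body in stanzas(config):
        top.append(header)
        for cmd in [header] + body:
            if re.search(r"\bpassword 7 ", cmd):
                found.append(f"type 7 password: {cmd.split(' 7 ')[0]}")
        if header.startswith("line vty") and "transport input none" not in body:
            found.append(f"{header}: Telnet/SSH not disabled")
        if header.startswith("interface") and "switchport mode access" in body:
            for need in ("switchport port-security", "spanning-tree bpduguard enable"):
                if need not in body:
                    found.append(f"{header}: missing '{need}'")
    if "ip http server" in top:
        found.append("plain HTTP server enabled")
    if not any(t.startswith("ip http access-class") for t in top):
        found.append("HTTPS management not restricted by ACL")
    return found
```

Calling `audit(SAMPLE_CONFIG)` returns one finding per deviation from the checklist; an empty list means every checked item is in place.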
