Individual client SSL PSE

Hi all,
We tried to create an individual client SSL PSE. In order to do that, we went to: environment ->SSL-> Client identities
But there we got that message:
SAPCRYPTOLIB not installed
Message no. TRUST059
Diagnosis
The SAP Cryptographic Library (SAPCryptolib) is not installed on the application server. It is therefore not possible to maintain PSEs that allow encryption.
Procedure
Download the SAP Cryptographic Library from the SAP Service Marketplace (Alias Security).
Unfortunately, we did not find the relevant library in the market place (maybe it is there but we missed it, and maybe it is not there). The question is how do we get and use that library?
Many thanks,
Tuvia.

See the relevant comments in OSS note 397175.

Similar Messages

Webdav with client ssl certificate

I have created one webdav enable site in apple mac mini server using apache. The webdav site is secured with https as well as client certificate.
While browsing the website using safari/IE everything is working fine,but with ipad's webdav utility it is not working.Client cert is not picking up by webdav nav tool, although the client ssl cert is installed in ipad.

Some more checking using wireshark on the destination server.
I created a simple html page that is contained under a directory that requires SSL and a client certificate, as configured in the apache configuration.
This works fine from the IE and Firefox desktop browsers.
Now, using Safari on the iPad with the appropriate certificates installed (client cert and CA cert) using the profile management tool, I attempted to connect to this page.
Wireshark shows the iPad contacting the server and the TLSv1 protocol selection (Client Hello and Server Hello).
Following this the server issues the requested server certificate and the CA cert to the iPad device.
The iPad device responds with an ACK and this is where it stops the communication. No further packets appear.
During this time, the iPad has requested that a client certificate be selected using the dialog and the appropriate client cert is selected, however the network transaction does not show the iPad ever sending this certificate to the server.

How to authenticate BPEL process to a PL with Client SSL Cerificate

Hi,
I need to invoke a partner link which requires authentication with Client SSL certificate. So, here is the use case:
- The PL's endpoint is https://some.server.com/web_service;
- I have a client SSL certificate supplied by the web service provider in the form of PKCS12 (PFX) file. I should use this certificate for authentication.
I read carefully the BPEL Administration Guide, the part about SSL authentication (http://download.oracle.com/docs/cd/B31017_01/integrate.1013/b28982/security.htm#CHDHIBEG), but in this guide is described how outer services can be authenticated by the BPEL Process Manager with client SSL certificates, not the vice versa.
So, I completed the following tasks:
- I imported the server certificate of https://some.server.com/web_service into $ORACLE_HOME/jdk/jre/lib/security/cacerts file;
- since I didn't find a way to import the client certificate as a PFX file, I converted it PEM file, using OpenSSL utilities and manage to import in cacerts client certificate's public key, but not the private key. Of course this didn't help me in any way to get authenticated.
I would appreciate any help on this topic!
Thank you!
Simeon

i get this action plan and works for me...
1. Download the new Client Certificate.
2. Convert the Client PFX to JKS as per:
http://www.cb1inc.com/2007/04/30/converting-pfx-certificates-to-java-keystores
3. Using firefox go to the WSDL site:
* Add the exception, if Firefox ask for it.
* Import the server certificate to Firefox following the instructions displayed
4. Once you imported the certificate on Firefox, go to:
* Tools -> Options
* Select Advanced and click on "Encryption" tab
* Click on View Certificates
* Go to the Servers tab
* Select the "servercfa" and click on "Export"
* Save the certificate adding the .cer extention to the name.
* Ensure that you select in Save as Type "X.509 Certificate with Chain (PEM)"
5. Import using keytool the exported certificate from step 4 to the JKS obtained in step
2:
* i.e: keytool -import -alias servercert -file servercfa.crt -keystore client.jks -storepass welcome1
6. Add both keyStore and trustStore properties to the jdev.conf pointing to the same JKS :
AddVMOption -Djavax.net.ssl.keyStore=C:\jdevstudio10133\jdk\jre\lib\security\client.jks
AddVMOption -Djavax.net.ssl.keyStorePassword=welcome1
AddVMOption -Djavax.net.ssl.keyStoreType=JKS
AddVMOption -Djavax.net.ssl.trustStoreType=JKS
AddVMOption -Djavax.net.ssl.trustStore=C:\jdevstudio10133\jdk\jre\lib\security\client.jks
AddVMOption -Djavax.net.ssl.trustStorePassword=welcome1
7. Open Jdev and retest the issue.
Tocarli.

Configure OWA to require a client ssl certificate only for external connection

Hello.
At now i migrated OWA client from Exchange 2003 to Exchange 2010 and faced with a problem.
I want to then external client (somebody like user from home PC) connect to Outlook Web App, client certificate will be required.
But then client connect (somebody from work PC) to internal Outlook Web App Url, Integrate Windows Auth will be used and client ssl certificate not required.
Is it possible? Or i need to enable Outlook Anywhere?

Hi,
Base on my konwledge, I don't think it is possible.
When you install Exchange 2003, only one Default Web Site in Internet Information Services (IIS). if you change the authentication method and enable SSL on OWA, client ssl certificate always be required whether it's external or internal.
I recommend you refer to the following articles:
http://www.msexchange.org/articles-tutorials/exchange-server-2003/mobility-client-access/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft.
Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Thanks.
Niko Cheng
TechNet Community Support

VSphere Client SSL error build 10041

So I'm seeing an odd error after upgrading to build 10041 (from 9926). The vSphere client (both 5.1 and 5.5) will no longer connect to my vCenter instance. I receive the following error
"vSphere Client could not connect to "<server>" An unknown connection error occured. (The request failed due to an SSL error. (The request was aborted: Could not create SSL/TLS secure channel.))"
Checking the event log I see Schannel 36888 errors with the following message: "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows
SChannel error state is 813."
I managed to find out that error 40 means "handshake_failure". The error state (813) I haven't been able to find additional information on.
When I look at the vpxd.log file I see the following log lines which seems to confirm its a handshake error.
2015-04-02T13:26:08.442-05:00 [07548 error 'Default'] SSLStreamImpl::DoServerHandshake for SSL(TCPStreamWin32(socket=TCP(fd=38244) local=xxx:443, peer=yyy:64839)): SSL_accept failed with BIO Error
2015-04-02T13:26:08.442-05:00 [07548 warning 'ProxySvc'] SSL Handshake failed for stream TCPStreamWin32(socket=TCP(fd=38244) local=xxx:443, peer=yyy:64839), error: class Vmacore::Ssl::SSLException(SSL Exception: BIO Error)
Does anyone know if there were any changes around Schannel that would be causing a handshake error? I can't seem to find any additional information. It looks like vCenter accepts TLS 1.0, which in IE at least is enabled.

Hi Jeff,
I think we'd better involve the VMware side to further look at this issue.
For Windows 10 build 10049, you might need to notice the information below:
No access to Internet Protocol (v4 or v6) in 10049
Best regards
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Restriction of Session of individual clients

Hello,
How can i make the restriction on server for not connecting sessions
more than 1 from the client machine. i.e. my connection should fail if
my session already connected whether it is active or inactive.
Please reply....
Thanks
Ramesh Ganji

weightings are controlled when you add the column to the template.
the application has logic so that it doesn't exceed 100% within the criterion group, each of your sections individual goals, team goals, corporate goals, will be setup as a criterion in your template with a free enhancement.
then at the criterion level you can define weightings on the "element" level of your template.
so i think the best way you could make this work is with this example:
individual goals = 50%
team goals = 25%
corporate goals = 15%
corporate values = 10%
employee and manager would not have control on the weightings above...
then within each criterion group, as the employee adds things such as individual goals...
they have control..
so goal1 = 10%
goal2 = 20%
goal 3 = 70%
(this 100% reflects 50% towards the overall appraisal weighting)
and then the manager when defining team goals does weightings:
goal 1 = 40%
goal2 = 10%
goal 3 = 10%
goal 4 = 20%
goal 5 = 20%
then similar logic for corporate goals and values...

Probleme mit Mail Client in PSE 9

Hallo Zusammen,
ich habe ein Problem mit dem Auswählen des Mail Client's in PSE 9. Wenn ich unter "Weitergeben/E-Mail-Client" den Auswahlbutton öffne, dann erscheint bei mir nur der Adobe-E-Mail-Service. Normalerweise müsste auch Thunderbird erscheinen der bei mir als Standart-Client installiert ist. Als ich versuchte Bilder über die "Weitergabe" per E-Mail zu verschicken, bekam ich eine Fehlermeldung das ein Problem mit der Firewall vorliegen könnte oder die Verbindung zum Internet unterbrochen ist. Beides war nicht der Fall. Wenn ich versuche Bilder über den Kodak Printservice zu senden kommt die selbe Meldung.
Mein Betriebssystem ist Windows 7 Home Premium 64 Bit.
Wenn ich die Systemabfrage mit PSE im Hilfe Menü mache bekomme ich diese Meldung:
Betriebssystem: 2000
Betriebssystem-Version: 6.1
Systemarchitektur: Intel Prozessor Familie:6 Modell:7 Stepping:10 mit MMX, SSE Integer, SSE FP
Ich hoffe es hat jemand eine Lösung
LG
Michel

Hallo Michael,
auch bei mir funktioniert es nicht mit Thunderbird. Ich habe allerdings auch noch PSE 6.
Ich finde das auch nicht so toll. Besser gesagt, es k.... mich an.
Wollte eben mal sehen, ob es dafür eine Lösung gibt. So bin ich auf Deinen Beitrag gestoßen.
Es hat auch nicht mit dem Adobe-Dienst geklappt bei ausgeschalteter Firewall?
Wenn das Problem überhaupt für Dich noch relevant ist, würde ich Dir gerne helfen.
LG Thomas

Auth via client SSL cert problem

web server:iPlanet-WebServer-Enterprise/6.0SP2 B11/13/2001 00:49
Am trying to setup ACL's to allow only certain clients access to web server via client side certificates.
The LDAP entry does NOT have a "uid" attribute for the user's entry.
Snooping show me that the LDAP server is returning the correct LDAP entry. Web server says "get_auth_user_ssl: unable to map cert to LDAP entry. Reason: ldap entry is missing the 'uid' attribute value"
ACL files looks like
version 3.0;
acl "default";
authenticate (user, group) {
prompt = "foobar";
method = "ssl";
allow (read, list, execute,info) user = "*happy*" ;
allow (write, delete) user = "all";
Client cert CN looks like
CN=happy.fmr.com test happy.fmr.com, OU=B2B, OU=Applications, O=FMR Co
rp., C=US
Any suggestions on how to allow only a user whose client CN contains a certain word? Also anyway to increse the debug level in the error logs, I know 6.1 can do more but we are limited to using 6.0
Thanks
Ashish

Hi Faisal -- thanks for your reply. We had an offline chat where you said:
>>>>>>>>
These are the steps that u can follow
Configure Weblogic Server for 2-way SSL
mydomain> Servers> myserver>Keystores & SSL > Advanced Options
Hostname Verification: None
Two Way Client Cert Behavior: Client Certs Requested but not enforced
mydomain> Domain Wide Security Settings> Realms> myrealm> Authentication Providers> DefaultIdentityAsserter
Trusted Client Principals: provide CN of the Client Certificate
Types: X509
Details:
Use Default User Name Mapper: Checked
Default User Name Mapper Attribute Type: CN
Base64Decoding Required: Checked
Go the security realm and create a user wih the username as CN of the certificate
Dont forget to Import the client cert's root CA in the trust store of WLS.
If you still face issues, enable SSL Debug, securityATN debug and mail me the log file.
<<<<<<
I think there are a few minor config differences and I may have a different version of WLS to you -- the DefaultIdentityAsserter did not contain some of the fields you refer to. Instead I have an LDAPX509IdentityAsserter at the top of the Providers list, and I have made the changes there. My Providers list is:
- LDAPX509IdentityAsserter
- ActiveDirectory
- DefaultAuthentictor
- DefaultIdentityAsserter
I suspect you might be thinking I don't have two-way SSL working at all, but I do, and that's not my question. I can successfully validate a client based on SSL certificate so all the trust stores etc are correct. My question is what happens when there is no client certificate presented by the client -- I want it to fall through to Basic authentication. The ActiveDirectory provider has a Control Flag="SUFFICIENT" setting and I was expecting the X.509 one to have a similar flag, but it doesn't. What controls whether the X.509 provider is REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL in the chain, like the Active Directory one?
Thanks for your time.
-- Ben.

Client SSL Vpn question`

not sure if this is possible /device asa 5550 - But can a Client establish a SSL VPN to remote network and devices on the remote network access local network printers?
so you got one client one network A that creates a SSL VPN to network B , can network B be configured so that automatic job come across the same ssl vpn to a Different IP?

I do not know if its just me but I do not understand what you mean with this:
so you got one client one network A that creates a SSL VPN to network B , can network B be configured so that automatic job come across the same ssl vpn to a Different IP?
Can you try it to explain it one more time?
Now, I think you are saying the following, please look this:
HQ----ASA----INTERNET----------Office2
Now the Office2 will do a clientless SSL vpn to the ASA and afterwards you want the HQ to be able to contact some printers or servers on office 2 via the clientless SSL vpn, If that is the question the answer is NO. the clientless SSL vpn will only allow traffic to go from office2 to the HQ, and not all traffic, it will depend on what you use to configure the clientless ssl ( Smart tunnels, Port-forwarding,Plugins).
Again I am not sure if that was the question.
Regards,
Julio
Do rate all the helpful posts

Servlet as client ssl connection

I am trying to establish an ssl socket connection from a servlet to a secure web server. I'm running the servlet on Tomcat 4.0 and have the following code in my servlet...
try {
String server = "localhost";
int port = 8443;
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// create socket connection
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket(server,port);
// if connected
System.out.println("Connected to " + server + " via https");
// close the socket after the request is sent
socket.close();
catch (Exception e)
System.out.println("Can't connect to " + server);
System.out.println(e);
When I use this code in an application it works, but when I use it in a servlet I get an exception stating that the SSL implementation is not available. My suspicion is that the security provider is not being registered properly.
Any suggestions?
rlvis

hi,
Think to add the following protocol handler ???
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");

How to make an HTTP request via SSL

Hi,
I´m using an instance of the class CL_HTTP_CLIENT to make an HTTP request to a https server. as long as it requires an SSL authentication, it returns an ICM_HTTP_SSL_ERROR error message.
How do I tell my program to ask for user´s certificate, and use it in the http request?
I´m supossed to have hundreds of users online running this application (it´s over SRM 5.0). How can I reach this?
Thanks you very much.
Federico.

Hello Frederico,
>1. By creating a new client, you mean go to "Environment->SSL Client Identitites" in STRUST, right? >Can I use a previously existing one?
I meant to create a new client SSL PSE. By default in a new Netweaver abap system, you have 3 of them : ANONYM, DFAULT and WSSE.
If you need more of them, you can create them with the menu "Go to-->Environment->SSL Client Identitites".
>2. I need this PSE client to have several 'identitites', I mean, to include several certificates from all my >users. Is it possible? If it´s not; how should I do so?
It seems that you want a different certificate per user. These client certificates in STRUST are designes to identify a SAP abap system, not human users. If you have 1000 users, you will not create 1000 certificates in STRUST !
Usually, you use only 2 entries here, one for anonymous HTTPS access and one authenticated HTTPS access. It is unusual to have several different identities for the same abap server. But it might be possible : for exemple, one identity on the intranet and an other one on the Internet.
>3. When I had my new PSE client, and my HTTP RFC destination of type 'G' configured to use that >PSE client, and when in abap I instantiate my http client (using CREATE_BY_DESTINATION method, >from CL_HTTP_CLIENT class): How does SAP knows which certificate to use? Because there will be >several users (hundreds) running this code to retrieve their specific data from a third party server.
>How does SAP knows whom certificate must use?
The certificate used will be the one defined in the HTTP destination.
You still seem to make the confusion between server client certificates and users client certificates.
a users client certificate is stored in the user's PC (or smartcard) and is used for HTTPS connections from the user's browser to the SSL server, not for an HTTPS connection from the ABAP server to another server.
Regards,
Olivier

Error : Validity of certificate (...) PSE SSL ends in 1 day

Dear all,
I have a certificate problem with my WAS system.
"Validity of certificate from list with PSE type >SSL Client (Standard)< ends in 1 day, for more information, see the SAP System Log (transaction SM21)"

==> I have a BSP website https://services.aquasambre.be/service which is using a certificate valid until June 14th 2006.
==> I go through transaction SM21, but there is no further information.
==> I go through transaction STRUST,
> PSE System 
--> Red cross for "SNC (SAOCryptolib)
> SSL Server
--> Green (ok) but fields "begin/end of validity" are empty
> SSL Client anonymous
--> Green (ok) but fields "begin/end of validity" are empty
> SSL Client standard
--> Green (ok) but fields "begin/end of validity" are empty
==> I go through the amazing SAP documentation... "I'm a bit lost"
... Maybe have you already encountered this kind of problem... do you have an advice for me ?
Nico
PS : My problem occurs after installation of support packages.
PPS : Why are they all on holiday ??? ;o)

I have found where the cerficate fails :
using program SSF_ALERT_CERTEXPIRE -->
Client SSL (standard) SSLC DFAULT
Certificat personnel
CN=Client, OU=I0020211069, OU=SAP Web AS, O=SAP Trust Community, C=BE 01.01.2038
Liste des certificats (Lste Certif.)
 1 = CN=extn12.nrb.be, OU=I0020211069, OU=SAP Web AS, O=SAP Trust Community, C=D 01.01.2038
 2 = EMAIL=[email protected], CN=vdeler, OU=nrb logiciels, O=nrb logiciels, L=hers 18.08.2005
I can have the same information using STRUST. 
So if I go through OSS note 499386, the solution seems to be "generate a new PSE (with the same name) and resend a certificate request to SAP"
--> Could someone tell me how I can send a request to SAP to renew the concerned certificate ?

SSL Client example from dev2dev

Bruce,
I still have some questions unaswered.
1. Is there any "default" list of trusted CA that is used during handshake?
The SSLClient example does not have any references to trusted CA files. The
weblogic.webservice.client.ssl.trustedcerts property returns null. What
trusted CA is used in the SSLClient example? Considering the plural name of
the property, should it contain only one file name, or it can contain
several file names? Order? Delimiter?
2. I copied the SSL setup code from SSLClient to my own web service client,
but it does not work. My web service is made of stateless session bean, and
wsdl is generated dynamically. Is it possible, that certain wsdl settings
could affect handshake process? Maybe I need to copy certain wsdl tags from
the example?
3. What username/password should I use in IE when "Enter network password"
dialog is presented? The combination used to start weblogic server does not
work. The same combination works for non-SSL client. Why?
Thanks,
Michael J.
"Bruce Stephens" <[email protected]> wrote in message
news:[email protected]...
Hi Michael,
Thanks for the good feedback and this will be incorporated into a revised
example.
Concerning your questions toward the end, to set the list of trusted CA
certificates, you need the CA certificate in a file and you need to setthis
System property to the filename:
weblogic.webservice.client.ssl.trustedcerts
To turn off strict hostname checking during certificate validation, youneed to
set this property to "false":
weblogic.webservice.client.ssl.strictcertchecking
Thanks again,
Bruce
Michael Jouravlev wrote:
Bruce,
here are some issues that I wish you could help me with.
1) package.html from the simpleSSL example is outdated. The links posted
here do not work. Considering "Please pay careful attention" phrase I am
a
little bit worried if I missed something in my SSL configuration.
=== cut here ===
You must first setup and verify your WLS SSL configuration.
1. Set up your development shell as described in Quick Start.
2. Startup the WebLogic Server.
3. Monitor the log file for any errors.
4. Use the console and configure the WebLogic Service security asdescribed
by:
http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
Please pay careful attention to this step, especially concerning theSSL
protocol configuration:
http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
=== cut here ===
I use the following information:
1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to
configure
server-wide SSL setup
2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to
configure web service-related SSL setup.
2) In "Setup and verify the toUpper WebService" chapter the linksentitled
http://localhost:7001/toUpper/toUpper and
http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal,
but
maybe you would like to correct this.
3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I tryto
connect to https://localhost:7002/toUpper/toUpper , I receive the
"Security
Alert" dialog (I am using IE5) that there is a problem with security
certificate: name of the certificate does not match the name of thesite. It
is OK, because it is demo certificate. (Should I do "View
Certificate/Install Certificate" to proceed successfully or just to say
"Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do wantto
proceed. In the next window is "Do you want to display nonsecure items?"I
say "yes" and I am brought to the the test page. Now, when I try to testthe
service, I click on "toUpper" link and am presented with sample text and
"Invoke" button.
And when I press "Invoke" I am presented with a dialog window "Enternetwork
password" containing: Site: localhost, Realm: default, User name:
<blank>, Password: <blank>. So, the first serious issue is: what username
and password should I use? I tried username and password that I used to
start the server in set WLS_USER=<username> and set WLS_PW=<password> in
startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does notwork
either. What should I submit??? I did not change any security setting inmy
WebLogic server aside of SSL settings (all this realm stuff is greek tome.)
>>
After "Enter network password" dialog fails to verify a user, I get apage
with the following text: "Failed to retrieve WSDL from
https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and
the
protocol: Write Channel Closed, possible SSL handshaking or trustfailure"
>>
Interesting enough, if I try to go directly to the link
https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any
problem
and without any password windows. What is happening here?
4) OK, I still want to run the Client. I modified ToUpperPort_Stub.javain
order for it to be compiled. I changed super( _port,ToUpperPort.class );
to super( _port ); I am using WL7.0 GA and I am not sure, is the callthat I
changed comes from the earlier Beta versions or from 7.0.0.1. Anyway,the
original code does not work on 7.0GA. I successfully did run both Mainand
Main2 without username/password and with it. I also usedusername/password
from startWebLogic.cmd file and they worked. Why they do not work when Itry
to call test page from web browser?
5) Finally I compiled and did run the SSLClient. It worked. But the
questions here are:
BEA_HOME environment variable is not defined, and WebLogic SSL
implementation is used. How licence.bea was found while running theclient?
When I tried to build my own client, I got a message that I license fileis
needed. Or is it needed only if the client library webservices+ssl.jaris
used?
The most important question: What trusted CA is used by client and how
client finds it? No certificates are in the SSLClient directory and no
property settings telling where to find it. It is a puzzle for my why it
works here and why my own client does not work when the CA is supplied.
Thank you,
Michael J.

Hi Michael,
I've asked our security folks to help answer your questions. The
weblogic.webservice.client.ssl.trustedcertfile file (located on the client
application computer) contains the certificates of CA (certificate authority).
The CAs are trusted to issue WebLogic Server certificates. The file can also
contain certificates that you trust directly. The file contains a collection of
PEM-encoded certificates. See:
http://e-docs.bea.com/wls/docs70/webserv/security.html#1056434
There shouldn't be any WSDL changes/tags required.
HTHs,
Bruce
Michael Jouravlev wrote:
Bruce,
I still have some questions unaswered.
1. Is there any "default" list of trusted CA that is used during handshake?
The SSLClient example does not have any references to trusted CA files. The
weblogic.webservice.client.ssl.trustedcerts property returns null. What
trusted CA is used in the SSLClient example? Considering the plural name of
the property, should it contain only one file name, or it can contain
several file names? Order? Delimiter?
2. I copied the SSL setup code from SSLClient to my own web service client,
but it does not work. My web service is made of stateless session bean, and
wsdl is generated dynamically. Is it possible, that certain wsdl settings
could affect handshake process? Maybe I need to copy certain wsdl tags from
the example?
3. What username/password should I use in IE when "Enter network password"
dialog is presented? The combination used to start weblogic server does not
work. The same combination works for non-SSL client. Why?
Thanks,
Michael J.
"Bruce Stephens" <[email protected]> wrote in message
news:[email protected]...
Hi Michael,
Thanks for the good feedback and this will be incorporated into a revised
example.
Concerning your questions toward the end, to set the list of trusted CA
certificates, you need the CA certificate in a file and you need to setthis
System property to the filename:
weblogic.webservice.client.ssl.trustedcerts
To turn off strict hostname checking during certificate validation, youneed to
set this property to "false":
weblogic.webservice.client.ssl.strictcertchecking
Thanks again,
Bruce
Michael Jouravlev wrote:
Bruce,
here are some issues that I wish you could help me with.
1) package.html from the simpleSSL example is outdated. The links posted
here do not work. Considering "Please pay careful attention" phrase I am
a
little bit worried if I missed something in my SSL configuration.
=== cut here ===
You must first setup and verify your WLS SSL configuration.
1. Set up your development shell as described in Quick Start.
2. Startup the WebLogic Server.
3. Monitor the log file for any errors.
4. Use the console and configure the WebLogic Service security asdescribed
by:
http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
Please pay careful attention to this step, especially concerning theSSL
protocol configuration:
http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
=== cut here ===
I use the following information:
1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to
configure
server-wide SSL setup
2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to
configure web service-related SSL setup.
2) In "Setup and verify the toUpper WebService" chapter the linksentitled
http://localhost:7001/toUpper/toUpper and
http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal,
but
maybe you would like to correct this.
3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I tryto
connect to https://localhost:7002/toUpper/toUpper , I receive the
"Security
Alert" dialog (I am using IE5) that there is a problem with security
certificate: name of the certificate does not match the name of thesite. It
is OK, because it is demo certificate. (Should I do "View
Certificate/Install Certificate" to proceed successfully or just to say
"Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do wantto
proceed. In the next window is "Do you want to display nonsecure items?"I
say "yes" and I am brought to the the test page. Now, when I try to testthe
service, I click on "toUpper" link and am presented with sample text and
"Invoke" button.
And when I press "Invoke" I am presented with a dialog window "Enternetwork
password" containing: Site: localhost, Realm: default, User name:
<blank>, Password: <blank>. So, the first serious issue is: what username
and password should I use? I tried username and password that I used to
start the server in set WLS_USER=<username> and set WLS_PW=<password> in
startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does notwork
either. What should I submit??? I did not change any security setting inmy
WebLogic server aside of SSL settings (all this realm stuff is greek tome.)
After "Enter network password" dialog fails to verify a user, I get apage
with the following text: "Failed to retrieve WSDL from
https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and
the
protocol: Write Channel Closed, possible SSL handshaking or trustfailure"
Interesting enough, if I try to go directly to the link
https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any
problem
and without any password windows. What is happening here?
4) OK, I still want to run the Client. I modified ToUpperPort_Stub.javain
order for it to be compiled. I changed super( _port,ToUpperPort.class );
to super( _port ); I am using WL7.0 GA and I am not sure, is the callthat I
changed comes from the earlier Beta versions or from 7.0.0.1. Anyway,the
original code does not work on 7.0GA. I successfully did run both Mainand
Main2 without username/password and with it. I also usedusername/password
from startWebLogic.cmd file and they worked. Why they do not work when Itry
to call test page from web browser?
5) Finally I compiled and did run the SSLClient. It worked. But the
questions here are:
BEA_HOME environment variable is not defined, and WebLogic SSL
implementation is used. How licence.bea was found while running theclient?
When I tried to build my own client, I got a message that I license fileis
needed. Or is it needed only if the client library webservices+ssl.jaris
used?
The most important question: What trusted CA is used by client and how
client finds it? No certificates are in the SSLClient directory and no
property settings telling where to find it. It is a puzzle for my why it
works here and why my own client does not work when the CA is supplied.
Thank you,
Michael J.

How to get OS X to accept an SSL Cert the way other UNIX clients do?

I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
I have MacPorts installed and am open to an application specific "hack" if necessary, ala "LDLIBRARYPATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
Any suggestions would be appreciated.
Thanks in advance--
=N=

when you connect with a web browser to an https site that has a mistmatched cert it warns you and you have to tell the browser to ignore the security issue to let you carry on.
what unix apps are you using to connect to this server?

ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client

Hi
Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
Example:
Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
The "client" Server does not support SSL.
Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
Regards

Hello Byron,
Yes, the ACE can do it
Here you have some of the flavors of SSL with the ACE.
Here you have a sample about it:
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
class CLEAR_TEXT_VIP
    loadbalance vip inservice
    loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
key TAC-key
cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
rserver JORGE-SERVER 443
    inservice
Here you have some additional details under the configuration guide:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
Here you have some additional samples:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
Hope this helps for you and fix your issue
Jorge

Individual client SSL PSE

Similar Messages

Maybe you are looking for