Installation Tomcat with SSL

Similar Messages

• Question regd C++ and Java with Tomcat and SSL

  I have configured Tomcat with SSL and am running a servlet
  which is going to recieve input from a C++ Application.
  The team which are coding in C++ have a statement in their C++
  code 'HTTP1.1'
  My Tomcat is v 3.2.4
  Does this support HTTP 1.1 OR HTTP 1.0 PROTOCOL.??

  tomact latest version supports both HTTP specifications 1.1 and 1.0. If you want to make sure you for tomcat 3.2.4 then you can search the web and jakarta website for this.
  Regards
  Akhil Nagpal

• XFire, Tomcat and SSL

  Hi,
  till i recreated our complete Keyset with Stores and Trusts, everything worked fine (expect our certificates wasn't valid anymore, thats why i've recreated them).
  As far as i tested everything looks fine. Truststore recognized the trusted Keys and i can read out Certificates with alias from Keystores.
  But now to the problem: I have several WebServices running on Tomcat, every service has a own Store-Trust Pair. Tomcat itself is using a Store-Trust Pair too, which trusts every other Key instead of itself.
  If i do a simple connection from an Application to Tomcat with SSL it works without problems. But as soon as a called service from tomcat tries to call another service on same Tomcat i get following error:
  Caused by: java.security.UnrecoverableKeyException: Password verification failed
  I have really no idea what could be wrong, following the code i used to create the keys:
      public GenKeys() {       
          for (int i=0;i<services.length;i++) {
              File file = new File(BASEPATH + STOREPATH);
              file.mkdirs();
              file = new File(BASEPATH + KEYPATH);
              file.mkdirs();
              file = new File(BASEPATH + TRUSTPATH);
              file.mkdirs();           
          System.out.println("Directories created\n");
          System.out.println("---------------------------------------");
          System.out.println("Creating keystores and certificates");
          System.out.println("---------------------------------------");
          for (int i=0;i<services.length;i++) {
              System.out.print("Processing " + services[i] + "...");
              String Path = BASEPATH + STOREPATH + "\\";
              String Path2 = BASEPATH + KEYPATH + "\\";
              try {                           
                  Runtime.getRuntime().exec("keytool -genkey -keyalg "+KEYALG+" -sigalg "+SIGALG+" -keysize "+KEYSIZE+" -keystore "+Path+""+services[i]+".jks -storepass "+PASS+" -alias "+services[i]+" -keypass "+PASS+" -dname \"CN=localhost, OU=TUWien, O=INSO, L=Vienna, S=Vienna, C=AT\"");
                  File checkCreation = new File(Path+""+services[i]+".jks");
                  while (!checkCreation.exists()) {
                      System.out.print(".");
                      Thread.sleep(1000);
                  Runtime.getRuntime().exec("keytool -export -keystore "+Path+""+services[i]+".jks -storepass "+PASS+" -alias "+services[i]+" -keypass "+PASS+" -file "+Path2+""+services[i]+".cer");
                  checkCreation = new File(Path2+""+services[i]+".cer");
                  while (!checkCreation.exists()) {
                      System.out.print(".");
                      Thread.sleep(1000);
                  System.out.println(" DONE");
              } catch (IOException exc) {
                  System.out.println("FEHLER: " + exc);
              } catch (InterruptedException exc) {
          System.out.println("\n---------------------------------------");
          System.out.println("Creating keytrusts");
          System.out.println("---------------------------------------");
          String Path = BASEPATH + TRUSTPATH + "\\";
          String Path2 = BASEPATH + KEYPATH + "\\";
          for (int i=0;i<services.length;i++) {
              System.out.println("Processing " + services);
  for (int j=0;j<services.length;j++) {
  if (i==j) continue;
  try {   
  System.out.println("Adding key of " + services[j]);
  Runtime.getRuntime().exec("keytool -import -trustcacerts -noprompt -keystore "+Path+""+services[i]+"Trust.jks -storepass "+PASS+" -alias "+services[j]+" -file "+Path2+""+services[j]+".cer");
  File checkCreation = new File(Path+""+services[i]+"Trust.jks");
  while (!checkCreation.exists()) {
  Thread.sleep(1000);
  Thread.sleep(5000);
  } catch (IOException exc) {
  System.out.println("FEHLER: " + exc);
  } catch (InterruptedException exc) {
  System.out.println(" DONE");

  just for info ... the problem is solved, somehow. The same keytool commands run on linux produce functional keys. But in windows console the keys dont work and i get a incorrect password failure.

• Tomcat 5 with SSL

  Hi, I am having trouble getting Tomcat to work with SSL.
  I have created a PKCS12 keystore with 1 entry. When I look at with keytool it says it has "Entry type: keyEntry" and "Certificate chain length: 1"
  In my server.xml file I have
  <Connector port="8443"
       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
       enableLookups="false" disableUploadTimeout="true"
       keystoreFile="/home/mydir/ssl.p12"
       keystorePass="*******" keystoreType="PKCS12"
       acceptCount="100" debug="0" scheme="https" secure="true"
       clientAuth="false" sslProtocol="TLS" />When I go to the site at port 8443 using https I get a network timeout error.
  Any help is appreciated.
  Edited by: Empr on Aug 6, 2009 4:35 PM

  Could not open connection to the host, on port 8443: Connect failedDid it really say 'connect failed'?
  the Tomcat is running on an Apache web serverNo it's not. It might be running in the same host as an Apache Web server.
  but the Apache already uses HTTPS... on port 443 in a separate process. Nothing to do with Tomcat's SSL on port 8443. If your Tomcat SSL configuration is as shown above you should be able to connect an SSL socket or an HTTPS URL to it.

• Has any one configured Tomcat 4. with SSL?

  Has any one configured Tomcat 4. with SSL?
  Please I am getting a problem with this.
  When I say $tomcat_home/bin>startup,it starts up fine.
  When I change to the server.xml to point out to the server
  ceritificate I have created using the keytool,and again say
  startup,it disappears.
  Here is the extract of my server.xml
  Can some one please help as to what i am missing?
  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
  port="8443" minProcessors="5" maxProcessors="75"
  enableLookups="true"
       acceptCount="100" debug="0" scheme="https" secure="true"
  useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
  keystoreFile="C:/AHTTPS_UrlConnect/.keystore"
  keystorePass="changeit"
  clientAuth="false" protocol="TLS" />
  </Connector>

  this works for me
  <!-- unedited part below for ssl 21/7 -->
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
  port="8443" minProcessors="5" maxProcessors="200"
  enableLookups="false"
  acceptCount="10" connectionTimeout="60000" debug="0"
  scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
  clientAuth="false" keystoreFile="c:\jwsdp-1_0-ea2\tomcat_keystore\tomcatks" keystorePass="tomcat" protocol="TLS"/>
  </Connector>
  <!-- unedited part above 21/7 -->

• Application Server 10g installation with SSL

  Hello,
  I'm planning to install the new 10g application server on a Red Hat Linux. I need the infrastructure and the middle tier components to work on SSL. Anybody has installed and configured the 10g with SSL? Is it as difficult and time consuming as in the 9iASR2? Is there any guide to do that?
  thanks.

  Pls refer to "Oracle Application Server 10g Administrator's Guide", Chapter 1.6 for more information on how to configure in SSL mode. By default SSL us not configured in 10g.

• Autovue with SSL Locally

  I'm running Autovue and apache, and it works great.
  But now I want to run AutoVue with SSL, so to test it I've made a self signed certificate and running both autovue and apache locally run through the steps of the installation guide. Using standard settings
  When I use https for my servlet my applet áppears not to do anything (also nothing happens at http://localhost:5098/servlet/VueServlet)
  If i remove/disable jvueserver.ssl.enable in jvueserver.propperties I get errors with handshakes

  Hi,
  Please see the following article, you can search using the note number in My Oracle Support:
  Configuring AutoVue Client/Server Deployment to Use SSL with a Generated Self-Signed Certificate on Tomcat (Doc ID 1535378.1)

• How to configure sso with SSL step by step

  Purpose
  In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
  Overview
  In this document we will demonstrate:
  1.     How to configure OHS support SSL
  2.     How to Register SSO with SSL
  3.     Configure SSO for certificates
  Prerequisites
  Before start this document, you should have:
  1.     Oracle AS 10g infrastructure installed (10.1.2)
  2.     OCA installed
  Note:
  1.     “When you install Oracle infrastructure, please make sure you have select OCA.
  2.     How Certificate-Enabled Authentication Works:
  a.     The user tries to access a partner application.
  b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
  c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
  Enable SSL on the Single Sign-On Middle Tier
  The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
  l     You must configure SSL on the computer where the single sign-on middle tier is running.
  l     You are configuring one-way SSL.
  l     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
  1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
  2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
  <ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
  <module-data>
  <category id="start-parameters">
  <data id="start-mode" value="ssl-enabled"/>
  </category>
  </module-data>
  <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
  </ias-component>
  3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
  4.     Reload the modified opmn configuration file:
  ORACLE_HOME/opmn/bin/opmnctl reload
  5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
  6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
  Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
  <VirtualHost ssl_host:port>
  RewriteEngine on
  RewriteOptions inherit
  </VirtualHost>
  Save and close the file.
  7.     Update the distributed cluster management database with the changes:
  ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
  8.     Restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
  9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
  Reconfigure the Identity Management Infrastructure Database
  Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
  1.     Change Single Sign-On URLs
  Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
  UNIX:
  $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
  Windows:
  %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
  In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
  Here is an example:
  ssocfg.sh https login.acme.com 4443
  2. Restart OC4J_SECURITY instance and verify the configuration
  To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
  If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Then try logging in to the single sign-on server at its SSL address:
  https://host:ssl_port/pls/orasso/
       3. Back up the file targets.xml:
  cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
  4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
  ·     HTTPMachine—the server host name
  ·     HTTPPort—the server port number
  ·     HTTPProtocol—the server protocol
  If, for example, you run ssocfg like this:
  ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
  Update the three attributes this way:
  <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
  <Property NAME="HTTPPort" VALUE="4443"/>
  <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
  5.Save and close the file.
  6.     Reload the OracleAS console:
       ORACLE_HOME/bin/emctl reload
  7. Issue these two commands:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Registering mod_osso
  1.     This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
  $ORACLE_HOME/sso/bin/ssoreg.sh
       -oracle_home_path $ORACLE_HOME
       -config_mod_osso TRUE
       -mod_osso_url https://myhost.mydomain.com:4443
  2.     Restarting the Oracle HTTP Server
  After running ssoreg, restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  Configuring the Single Sign-On System for Certificates
  1.     Configure policy.properties with the Default Authentication Plugin
  Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
  DefaultAuthLevel = MediumHighSecurity
  Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
  MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
  2.     Restart the Single Sign-On Middle Tier
  After configuring the server, restart the middle tier:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Bringing the SSO Users to OCA User Certificate Request URL
  The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
  The URL for the SSO certificate Request is:
  https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
  You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
  To link the OCA server to OracleAS SSO server, use the following command:
  ocactl linksso
  opmnctl stoproc type=oc4j instancename=oca
  opmnctl startproc type=oc4j instancename=oca
  You also can use ocactl unlinksso to unlink the OCA to SSO.

  I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
  The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
  on a URL that looks like this :
  http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  and gives the error :
  ( Forbidden
  You don't have permisission to access /sso/auth on this server at port 7777)
  when I manually change the URL to :
  https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  the SSO works correctly.
  The question is :
  How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
  Any ideas ?
  Thanks in advance

• HOWTO: Setting up Server-Side Authentication with SSL

  This howto covers the configuration of server-side SSL authentication for both Net8 and IIOP (JServer) connections. It documents the steps required to set up an SSL encrypted connection; it does not cover certificate authentication.
  It is worthwhile noting that although the setup of SSL requires the installation of certificates, these certificates do not have to be current, only valid. For some reason, in order to enable SSL connections, it is necessary to set up valid certificate file on the server whether you intend to use certificate authentication or not.
  NOTE: I have been unable to determine whether or not the above statement is entirely correct. If anyone can confirm or disprove it, please let me know.
  The steps described below must all be carried out from the same logon account. They have been tested on both 816 and 817 databases, but will probably work for all versions, including 9i (unless there have been some drastic changes in 9i that I'm not aware of).
  1. Log on to the database server with an administrative login.
  Configure the database and listener to run under the current login account (Control Panel -> Services). It is not necessary to restart these services at this time.
  2. Create an Oracle wallet and set up the required certificates
  (i) Open the Oracle Wallet Manager:
  Start -> Programs -> [Oracle Home] -> Network Administration -> Wallet Manager
  (ii) Create a new wallet (Wallet -> New).
  (iii) When prompted, elect to generate a certificate request.
  (iv) On the request form, the only field that matters is the Common Name. Enter the fully qualified domain name (FQDN) of the database server (i.e. the name with which the database server will be referenced by clients).
  (v) Export the certificate request to file (Operations -> Export Certificate Request).
  (vi) Obtain a valid server certificate from an authorised signing authority. It will also be necessary to download the signing authoritys publicly available trusted root certificate. Certificates can be obtained from Verisign (http://www.verisign.com/)
  (vii) Install the trusted root certificate obtained in (vi) into the wallet (Operations -> Import Trusted Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
  (viii) Install the server certificate obtained in (vi) into the wallet (Operations -> Import User Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
  (ix) Save the wallet (Wallet -> Save). The wallet will be saved to the [user home]\Oracle\Wallets directory.
  3. Configure the listener for SSL.
  (i) Open the Oracle Net8 Assistant:
  Start -> Programs -> [Oracle Home] -> Network Administration -> Net8 Assistant
  (ii) Select Net8 Configuration -> Local -> Profile.
  (iii) From the drop-down list at right, select Oracle Advanced Security. Select the SSL tab.
  (iv) Select the Server radio button.
  (v) In the wallet directory field, enter the location of the wallet created in step 2, e.g. C:\WINNT\Profiles\oracleuser\ORACLE\WALLET
  (vi) Uncheck the Require Client Authentication checkbox.
  (vii) Select Net8 Configuration -> Listeners -> [listener name].
  (viii) Add a new address:
  Protocol: TCP/IP with SSL
  Host: [database server FQDN] (e.g. oraserver)
  Port: 2484
  (ix) Add a second new address:
  Protocol: TCP/IP with SSL
  Host: [database server FQDN] (e.g. oraserver)
  Port: 2482
  Check the Dedicate this endpoint to IIOP connections checkbox.
  (x) Save the Net8 configuration (File p Save Network Configuration).
  (xi) Restart the listener service.
  4. Configure the database to accept SSL connections.
  (i) Open the database inti.ora file (\admin\[SID]\pfile\init.ora or equivalent).
  (ii) At the bottom of the file, uncomment the line that reads
  mts_dispatchers = "(PROTOCOL=TCPS)(PRE=oracle.aurora.server.SGiopServer)"
  (iii) Save the file and restart the database service.
  5. Test the SSL confi guration using the Net8 Assistant.
  (i) Open the Oracle Net8 Assistant.
  (ii) Select Net8 Configuration -> Local -> Service Naming.
  (iii) Add a new net service (Edit p Create).
  Net service name: [SID].auth (e.g. iasdb.auth)
  Protocol: TCP/IP with SSL
  Host: [database server] (e.g. oraserver)
  Port: 2484
  Service Name/SID: [SID] (e.g. iasdb.orion.internal)
  Note: at the end of the net service configuration, click Finish, not Test. The test can hang if run from the wizard.
  (iv) Test the connection (Command -> Test Service). If the only error to appear is username/password denied, the test has succeeded.
  null

  Dear Alex,
  Thank you for reaching the Small Business Support Community.
  I would first suggest you to uncheck the "Perfect Forward Secrecy" setting on the RVS4000 and if see if there is some similar setting enabled, then disable it, on the other side.  If still the same thing happens, then go to RVS4000, VPN Advanced settings, and disable the "Aggressive Mode" so it becomes "Main mode" and use the same on the other end of the tunnel.
  Just in case and as a VPN configuration guide, below is a document called "IPSec VPN setup" if it helps somehow;
  http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=587
  Besides my suggestions I would advise you to contact your ISP to make sure there is no IPSec traffic restrictions and/or if there is something in particular they require to make this happen and please do not hesitate to reach me back if there is any further assistance I may help you with.
  Kind regards,
  Jeffrey Rodriguez S. .:|:.:|:.
  Cisco Customer Support Engineer
  *Please rate the Post so other will know when an answer has been found.

• OEL ldap client setup with SSL against OID using either ldaps or starttls

  Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
  Here's my /etc/ldap.conf file on OEL 5.3.
  timelimit 120
  bind_timelimit 120
  idle_timelimit 3600
  nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
  URI ldaps://FQDN:3132/
  port 3132
  ssl yes
  host FQDN
  base dc=DOMAIN,dc=com
  pam_password clear
  tls_cacertdir /etc/oracle-certs
  tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
  tls_ciphers SSLv3
  # filter to AND with uid=%s
  pam_filter objectclass=posixaccount
  #The search scope
  scope sub
  I have /etc/nsswitch.conf set to check for files first, then ldap
  passwd: files ldap
  shadow: files ldap
  group: files ldap
  Here's my /etc/openldap/ldap.conf file
  URI ldaps://FQDN:3132/
  BASE dc=DOMAIN,dc=com
  TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
  TLS_CACERTDIR /etc/openldap/cacerts
  TLS_REQCERT allow
  TLS_CIPHERS SSLv3
  The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
  4224de9f.0 -> oid-test-ca.pem
  I can run ldapsearch using ldaps and it works fine.
  ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
  But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
  Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
  Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

  Hello again...
  after some research and work together with Oracle Support I found out how to get it to work:
  1. You have to create your own ConfigSet in OID using
  SSL-Server-Authentication
  (OpenSSL seems not to support SSL-encryption-only).
  The following link shows on how to do that:
  http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
  2. Add the following lines to your $HOME/ldaprc
  TLS_CACERT /home/frank/oid-caroot.pem
  TLS_REQCERT allow
  TLS_CIPHERS SSLv3
  ssl on
  tls_checkpeer no
  oid-caroot.pem is the CA-Root Certificate you got
  during step 1
  3. you should now be able to use ldapsearch using SSL
  If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by an security fix which may not be compliant with the SSL implementation of Oracle.
  I opened an Bug for that problem with RedHat. This Bug Description also includes an proposal for an Patch which solves the problem (but may introduce some security risks). See the Bug at RedHat:
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
  Bye
  Frank Berger

• Configure HFM environment with SSL

  Hi all
  I am in the middle of process to install HFM environment
  For the first time I need to configure HFM environment with SSL
  Before I started to install the HFM environment with SSL
  I read the SSL CONFIGUATION GUIDE to understand what I need to configure
  My environment based on web logic web server version Bea WebLogic_9.1_Express
  As I started I read the part of information on configuring your web server for SSL
  The next step was creating CA. The Company created for me CA ( file *.cer ) that I can continue with the issue, and this is what I do:
  I configure the HSS for SSL Using a text editor, open Hub.properties. Create the following entry in Hub.properties. sslEnabled=true
  And. Saved the file Hub.properties.
  The next step was configure the HSS Server on WebLogic
  I Log on to the Web Logic Administration Console.
  Select Servers > Shared Services (admin).
  From General tab, I select SSL Listen Port Enabled.
  Specify the port (for example, 58082) on which Shared Services will listen for SSL communication
  At last I Navigate to Keystore tab and set up the identity and trust keystore
  And fill the parameters
  At the end I restarted HSS services and Log on to User Management Console as Shared Services Administrator. Connect using the secure
  URLhttps://<host>:<SSL-port>/interop; for example, https://myServer:58082/
  interop.
  The things doesn’t seems that they work, I don’t know how can I be sure that all the parameter's that I fill is right?
  Nothing writes on Hyperion SSL PDF
  The web logic doesn't notify any error, all I can is just to get to the standard port 58080
  Thank
  Renan

  Hi Renan,
  One thing to realize is you don't need to have Shared Services in SSL mode to have HFM in SSL mode.
  The main reason you would want Shared Services in SSL mode was if IT/Info security mandated that your directory service (active directory, ldap, ...) be encrypted. If the corporate directory service is not encrypted you should skip making Shared Services encrypted which will simplify things some.
  Also once you had gotten shared services up on 58082 you would need to unregister/register all the installs to use 58082 and check the SSL box on the Shared Services install.
  Good Luck,
  -John

• Servlet security with SSL

  Hello All,
  I am fairly knew to Java and Tomcat etc as I came from a non Java\Tomcat previous role but have inherited a project which is a Java servlet (Java 1.6.0.29) running on Windows with Tomcat (Tomcat 7) as the container. The servlet communicates with both an Oracle database on a Unix server and a SQL server database on a Windows server. I now require to secure the communication with the SQL Server database using SSL (Two way communication) and would really like some straight forward guidance on how to do this, i.e. what exactly do I do?
  I ask this because there is a lot of information on the Tomcat website and other web sites but I find it becomes very ambiguous and confusing. They mostly talk about setting up a Keystore for the root certificate on the server and then say nothing about the "client". In my servlets situation the server hosting the SQL server is the "server" and the server hosting the servlet is the "client". The server hosting the servlet ("the client") already has a keystore set up on it to handle the encryption to the Oracle database and a entry to suit in the Tomcat server.xml file.
  Any assistance would be greatly appreciated. I am really stuck with this
  Thank you in advance
  Alanjo

  On 01/14/2014 06:11 AM, Alan Farroll wrote:
  > Hi all,
  >
  > I could not find a more appropriate forum in Eclipse for this question
  > so have placed it in newcomers as I am still quite new to Java\Eclipse
  >
  > We are working on a Java servlet application that involves security with
  > SSL to allow the servlet to run from a server outside our firewall and
  > interrogate databases inside our firewall. It runs on Tomcat 7 and built
  > on Java 1.6.0.29
  >
  > We have had no problems running the servlet on the Test server within
  > the firewall but when running on the Live server outside the firewall
  > the SoapUI request returns nothing and the current Tomcat log error is
  > "java.lang.RuntimeException: Could not generate dummy secret"
  >
  > The problems seem to be with the jce.jar and the sunJCE_provider.jar.
  >
  > Has anybody any assistance they could provide please.
  >
  > Thanks in advance
  >
  > AJF
  The live server doesn't have access to the right JARs? Maybe this will help?
  http://www.javahotchocolate.com/notes/jce-policy.html

• Build failure when trying to build haproxy with SSL support.

  Hello everybody,
  I don't know if this is the right "context" to submit this question.
  How ever I'm having problem with building haproxy 1.5.5 with SSL support.
  I'm running SLES 11 SP3 with the latest updates via YAST2.
  Building without SSL support works fine.
  I use the syntax:
  make TARGET=linux2628 USE_OPENSSL=1
  And here is the output:
  gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing -DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER -DUSE_GETSOCKNAME -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DCONFIG_HAPROXY_VERSION=\"1.5.5\" -DCONFIG_HAPROXY_DATE=\"2014/10/07\" \
  -DBUILD_TARGET='"linux2628"' \
  -DBUILD_ARCH='""' \
  -DBUILD_CPU='"generic"' \
  -DBUILD_CC='"gcc"' \
  -DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing"' \
  -DBUILD_OPTIONS='"USE_OPENSSL=1"' \
  -c -o src/haproxy.o src/haproxy.c
  In file included from include/types/acl.h:33,
  from include/types/proxy.h:40,
  from include/proto/log.h:32,
  from includehttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.com/common/cfgparse.h:29,
  from src/haproxy.c:61:
  include/types/server.h:29:25: error: openssl/ssl.h: No such file or directory
  In file included from include/types/connection.h:30,
  from include/types/server.h:36,
  from include/types/acl.h:33,
  from include/types/proxy.h:40,
  from include/proto/log.h:32,
  from includehttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.com/common/cfgparse.h:29,
  from src/haproxy.c:61:
  include/types/listener.h:127: error: expected specifier-qualifier-list before SSL_CTX
  In file included from include/types/acl.h:33,
  from include/types/proxy.h:40,
  from include/proto/log.h:32,
  from includehttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.com/common/cfgparse.h:29,
  from src/haproxy.c:61:
  include/types/server.h:207: error: expected specifier-qualifier-list before SSL_CTX
  In file included from src/haproxy.c:90:
  include/proto/listener.h: In function bind_conf_alloc:
  include/proto/listener.h:130: error: struct bind_conf has no member named file
  include/proto/listener.h:131: error: struct bind_conf has no member named line
  include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
  include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
  include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
  include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
  include/proto/listener.h:133: error: struct bind_conf has no member named by_fe
  include/proto/listener.h:135: error: struct bind_conf has no member named arg
  include/proto/listener.h:137: error: struct bind_conf has no member named ux
  include/proto/listener.h:138: error: struct bind_conf has no member named ux
  include/proto/listener.h:139: error: struct bind_conf has no member named ux
  include/proto/listener.h:141: error: struct bind_conf has no member named listeners
  include/proto/listener.h:141: error: struct bind_conf has no member named listeners
  include/proto/listener.h:141: error: struct bind_conf has no member named listeners
  In file included from src/haproxy.c:107:
  include/proto/ssl_sock.h: At top level:
  include/proto/ssl_sock.h:46: error: expected declaration specifiers or ... before SSL_CTX
  src/haproxy.c: In function display_build_opts:
  src/haproxy.c:272: error: expected ) before OPENSSL_VERSION_TEXT
  src/haproxy.c:274: warning: implicit declaration of function SSLeay_version
  src/haproxy.c:274: error: SSLEAY_VERSION undeclared (first use in this function)
  src/haproxy.c:274: error: (Each undeclared identifier is reported only once
  src/haproxy.c:274: error: for each function it appears in.)
  src/haproxy.c:275: error: OPENSSL_VERSION_NUMBER undeclared (first use in this function)
  src/haproxy.c:275: warning: implicit declaration of function SSLeay
  src/haproxy.c:275: warning: format %s expects type char *, but argument 2 has type int
  src/haproxy.c: In function deinit:
  src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1188: warning: left-hand operand of comma expression has no effect
  src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1188: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1196: error: struct bind_conf has no member named file
  src/haproxy.c:1197: error: struct bind_conf has no member named arg
  src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1198: warning: type defaults to int in declaration of __ret
  src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
  src/haproxy.c:1198: error: struct bind_conf has no member named by_fe
  make: *** [src/haproxy.o] Error 1
  I'm I missing some libs or sources from OpenSSL ?
  And/or need to point them out so that make/gcc can find them?
  I have copy haproxy from another machine where I did the build process on.
  But I would like to be able to build it on my SLES 11 SP3 installation.
  Thank you in advance.

  Originally Posted by smflood
  On 17/10/2014 15:36, mattias bjork wrote:
  > I don't know if this is the right "context" to submit this question.
  >
  > How ever I'm having problem with building haproxy 1.5.5 with SSL
  > support.
  >
  > I'm running SLES 11 SP3 with the latest updates via YAST2.
  >
  > Building without SSL support works fine.
  >
  > I use the syntax:
  >
  > make TARGET=linux2628 USE_OPENSSL=1
  >
  > And here is the output:
  >
  > gcc -Iinclude -Iebtree -Wall -O2 -g -fno-strict-aliasing
  > -DCONFIG_HAP_LINUX_SPLICE -DTPROXY -DCONFIG_HAP_LINUX_TPROXY
  > -DCONFIG_HAP_CRYPT -DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY
  > -DASSUME_SPLICE_WORKS -DUSE_ACCEPT4 -DNETFILTER -DUSE_GETSOCKNAME
  > -DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DCONFIG_HAPROXY_VERSION=\"1.5.5\"
  > -DCONFIG_HAPROXY_DATE=\"2014/10/07\" \
  > -DBUILD_TARGET='"linux2628"' \
  > -DBUILD_ARCH='""' \
  > -DBUILD_CPU='"generic"' \
  > -DBUILD_CC='"gcc"' \
  > -DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing"' \
  > -DBUILD_OPTIONS='"USE_OPENSSL=1"' \
  > -c -o src/haproxy.o src/haproxy.c
  > In file included from include/types/acl.h:33,
  > from include/types/proxy.h:40,
  > from include/proto/log.h:32,
  > from
  > includehttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.com/common/cfgparse.h:29,
  > from src/haproxy.c:61:
  > include/types/server.h:29:25: error: openssl/ssl.h: No such file or
  > directory
  > In file included from include/types/connection.h:30,
  > from include/types/server.h:36,
  > from include/types/acl.h:33,
  > from include/types/proxy.h:40,
  > from include/proto/log.h:32,
  > from
  > includehttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.com/common/cfgparse.h:29,
  > from src/haproxy.c:61:
  > include/types/listener.h:127: error: expected specifier-qualifier-list
  > before �SSL_CTX�
  > In file included from include/types/acl.h:33,
  > from include/types/proxy.h:40,
  > from include/proto/log.h:32,
  > from
  > includehttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.comhttps://www.novell.com/common/cfgparse.h:29,
  > from src/haproxy.c:61:
  > include/types/server.h:207: error: expected specifier-qualifier-list
  > before �SSL_CTX�
  > In file included from src/haproxy.c:90:
  > include/proto/listener.h: In function �bind_conf_alloc�:
  > include/proto/listener.h:130: error: �struct bind_conf� has no member
  > named �file�
  > include/proto/listener.h:131: error: �struct bind_conf� has no member
  > named �line�
  > include/proto/listener.h:133: error: �struct bind_conf� has no member
  > named �by_fe�
  > include/proto/listener.h:133: error: �struct bind_conf� has no member
  > named �by_fe�
  > include/proto/listener.h:133: error: �struct bind_conf� has no member
  > named �by_fe�
  > include/proto/listener.h:133: error: �struct bind_conf� has no member
  > named �by_fe�
  > include/proto/listener.h:133: error: �struct bind_conf� has no member
  > named �by_fe�
  > include/proto/listener.h:135: error: �struct bind_conf� has no member
  > named �arg�
  > include/proto/listener.h:137: error: �struct bind_conf� has no member
  > named �ux�
  > include/proto/listener.h:138: error: �struct bind_conf� has no member
  > named �ux�
  > include/proto/listener.h:139: error: �struct bind_conf� has no member
  > named �ux�
  > include/proto/listener.h:141: error: �struct bind_conf� has no member
  > named �listeners�
  > include/proto/listener.h:141: error: �struct bind_conf� has no member
  > named �listeners�
  > include/proto/listener.h:141: error: �struct bind_conf� has no member
  > named �listeners�
  > In file included from src/haproxy.c:107:
  > include/proto/ssl_sock.h: At top level:
  > include/proto/ssl_sock.h:46: error: expected declaration specifiers or
  > �...� before �SSL_CTX�
  > src/haproxy.c: In function �display_build_opts�:
  > src/haproxy.c:272: error: expected �)� before �OPENSSL_VERSION_TEXT�
  > src/haproxy.c:274: warning: implicit declaration of function
  > �SSLeay_version�
  > src/haproxy.c:274: error: �SSLEAY_VERSION� undeclared (first use in this
  > function)
  > src/haproxy.c:274: error: (Each undeclared identifier is reported only
  > once
  > src/haproxy.c:274: error: for each function it appears in.)
  > src/haproxy.c:275: error: �OPENSSL_VERSION_NUMBER� undeclared (first use
  > in this function)
  > src/haproxy.c:275: warning: implicit declaration of function �SSLeay�
  > src/haproxy.c:275: warning: format �%s� expects type �char *�, but
  > argument 2 has type �int�
  > src/haproxy.c: In function �deinit�:
  > src/haproxy.c:1188: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1188: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1188: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1188: warning: left-hand operand of comma expression has
  > no effect
  > src/haproxy.c:1188: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1188: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1188: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1196: error: �struct bind_conf� has no member named
  > �file�
  > src/haproxy.c:1197: error: �struct bind_conf� has no member named �arg�
  > src/haproxy.c:1198: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1198: warning: type defaults to �int� in declaration of
  > �__ret�
  > src/haproxy.c:1198: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1198: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1198: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1198: error: �struct bind_conf� has no member named
  > �by_fe�
  > src/haproxy.c:1198: error: �struct bind_conf� has no member named
  > �by_fe�
  > make: *** [src/haproxy.o] Error 1
  >
  >
  > I'm I missing some libs or sources from OpenSSL ?
  >
  > And/or need to point them out so that make/gcc can find them?
  >
  > I have copy haproxy from another machine where I did the build process
  > on.
  >
  > But I would like to be able to build it on my SLES 11 SP3 installation.
  So you're trying to build HAProxy 1.5.5 from source?
  Do you have libopenssl and libopenssl-devel installed? What does "rpm
  -qa | grep ssl" report?
  You might have better luck installing HAProxy 1.5.5 already built for
  SLES11 SP3 via the openSUSE Build Service @
  https://build.opensuse.org/package/s...ackage=haproxy
  HTH.
  Simon
  Novell Knowledge Partner
  If you find this post helpful and are logged into the web interface,
  please show your appreciation and click on the star below. Thanks.
  Hello Simon,
  Yes I'm trying to build it from source.
  Unfortunately I don't have them installed.
  Here is the output:
  sudo -i rpm -qa | grep -i ssl
  openssl-0.9.8j-0.62.1
  libopenssl0_9_8-0.9.8j-0.62.1
  libopenssl0_9_8-32bit-0.9.8j-0.62.1
  perl-IO-Socket-SSL-1.38-5.2.2
  perl-Net-SSLeay-1.35-2.14
  openssl-certs-1.97-0.3.1
  Thank you for your speedy reply.

• Securing the IIOP Listener/Handler with SSL

  Hi,
  I am looking into securing CORBA client connections to ISL/ISH with SSL. Client authentication is not needed, just encryption and server authentication. Having looked through the documentation I have a couple of questions about this.
  1. The "Using Security in CORBA Applications" manual says that an LDAP server is used as the certificate repository for the ISL/ISH server certificate. Are there alternatives to this such as using a keystore or is LDAP the only option?
  2. Is it possible to configure the LDAP server (server name, port etc) without re-installing Tuxedo?
  Regards
  Ian

  Ian,
  Tuxedo uses a plugin framework architecture to manage certificates and it is possible to replace any of the plugin framework implementations.
  In order to change the plugin framework interfaces you will need to obtain information about the epif* commands and the plugin framework interfaces and you will need to write some code. The plugin framework documentation is made available on an as-needed basis.
  As documented at http://download.oracle.com/docs/cd/E15261_01/tuxedo/docs11gr1/sec/secadm.html#wp1239453 , "For more information about security plug-ins, including installation and configuration procedures, see your Oracle account executive."
  The command "epifregedt -g" shows the current plugin framework settings.
  The command "epifregedt -g -k SYSTEM/impl/security/BEA/certificate_lookup" shows just the settings for the security/BEA/certificate_lookup interface.
  The command "epifregedt -g -k SYSTEM/impl/security/BEA/certificate_lookup -a Params" shows just the instantiation parameters for this interface.
  Assume that the output from this command is
  IMPLEMENTATION security/BEA/certificate_lookup
  Instantiation Parameters :
  "userCertificateLdap=ldap://localhost:389/"
  "filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat"
  Then the command
  epifregedt -s -k SYSTEM/impl/security/BEA/certificate_lookup \
  -a Params=userCertificateLdap=ldap://abcxyz:1389/ \
  -a Params=filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat
  will change the LDAP location to ldap://abcxyz:1389/
  Note that it is necessary to respecify the filterFileLocation with this command even though it is not changing.
  Thus, it is not necessary to reinstall Tuxedo in order to change the LDAP parameters.
  Since the registry modification commands can be tricky to use, you may want to experiment with these commands on a development system or you may want to
  export REG_KEY_SYSTEM=<TEMPORARY_DIRECTORY>/System.rdp
  cp $TUXDIR/udataobj/System.rdp $REG_KEY_SYSTEM
  before experimenting with epifregedt -s. (The value of REG_KEY_SYSTEM will override the default of $TUXDIR/udataobj/System.rdp .)
  Regards,
  Ed

• Step by step to set up tomcat with mysql

  hi i'm new to these things, well i went through the forum , there are load of info but no1 has explain how to set up (step by step) tomcat with mysql using jdbc driver ( also i'll use jsp pages to get info from the database.)
  thx alot.

  Hiya,
  Best way would be to read the README.doc that you get after the installation on the sysetm. Becuase this provided you with the exact info. pertianing to the sysetm etc that you have and also visit this website:
  http://www.experts-exchange.com/Programming/Programming_Languages/Java/Q_20148108.html
  It gives u a step by step guide to set-up and some sample codes also to test etc.
  Happy Javaing, Cheers