Java.security.cert.CertificateException: Untrusted Cert Chain

Hi all,
While sending transaction to our supplier I am facing below error, Actually Our trading partner has given .p7b cert, I converted it into base 64 and i m using in b2b server. I am doing the same with all the suppliers but I am facing issue with only this trading partner. I asked him to send a new trusted certificate but he said that he is having 100's of customers, all are using the same certficate.
Error
http.sender.timeout=0
2010.05.20 at 10:52:20:711: Thread-19: B2B - (DEBUG) scheme null userName null realm null
2010.05.20 at 10:52:22:159: Thread-19: B2B - (WARNING)
Message Transmission Transport Exception
Transport Error Code is OTA-HTTP-SEND-1006
StackTrace oracle.tip.transport.TransportException: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
     at oracle.tip.transport.TransportException.create(TransportException.java:91)
     at oracle.tip.transport.basic.HTTPSender.send(HTTPSender.java:627)
     at oracle.tip.transport.b2b.B2BTransport.send(B2BTransport.java:311)
     at oracle.tip.adapter.b2b.transport.TransportInterface.send(TransportInterface.java:1034)
     at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequestPostColab(Request.java:1758)
     at oracle.tip.adapter.b2b.msgproc.Request.outgoingRequest(Request.java:976)
     at oracle.tip.adapter.b2b.engine.Engine.processOutgoingMessage(Engine.java:1167)
     at oracle.tip.adapter.b2b.transport.AppInterfaceListener.onMessage(AppInterfaceListener.java:141)
     at oracle.tip.transport.basic.FileSourceMonitor.processMessages(FileSourceMonitor.java:903)
     at oracle.tip.transport.basic.FileSourceMonitor.run(FileSourceMonitor.java:317)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Cert Chain
     at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA12275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
     at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
     at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA12275)
     at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA12275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
     at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA12275)
     at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:112)
     at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3018)
     at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2843)
     at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:2635)
     at HTTPClient.HTTPConnection.Post(HTTPConnection.java:1107)
     at oracle.tip.transport.basic.HTTPSender.send(HTTPSender.java:590)
     ... 8 more
Caused by: java.security.cert.CertificateException: Untrusted Cert Chain
     at oracle.security.pki.ssl.C21.checkClientTrusted(C21)
     at oracle.security.pki.ssl.C21.checkServerTrusted(C21)
     at oracle.security.pki.ssl.C08.checkServerTrusted(C08)
     at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA12275)
     ... 21 more
2010.05.20 at 10:52:22:164: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.transport.TransportInterface:send Error in sending message
2010.05.20 at 10:52:22:168: Thread-19: B2B - (INFORMATION) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequestPostColab Request Message Transmission failed
2010.05.20 at 10:52:22:170: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Enter
2010.05.20 at 10:52:22:173: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Transaction.begin()
2010.05.20 at 10:52:22:176: Thread-19: B2B - (DEBUG) DBContext beginTransaction: Leave
2010.05.20 at 10:52:22:179: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequestPostColab [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
Untrusted Cert Chain
2010.05.20 at 10:52:22:226: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.engine.Engine:notifyApp retry value <= 0, so sending exception to IP_IN_QUEUE
2010.05.20 at 10:52:22:232: Thread-19: B2B - (DEBUG) Engine:notifyApp Enter
2010.05.20 at 10:52:22:248: Thread-19: B2B - (DEBUG) notifyApp:notifyApp Enqueue the ip exception message:
<Exception xmlns="http://integration.oracle.com/B2B/Exception" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<correlationId>543222</correlationId>
<b2bMessageId>543222</b2bMessageId>
<errorCode>AIP-50079</errorCode>
<errorText>Transport error: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
Untrusted Cert Chain</errorText>
<errorDescription>
<![CDATA[Machine Info: (usmtnz-sinfwi02)Transport error: [IPT_HttpSendHttpResponseError] HTTP response error :java.security.cert.CertificateException: Untrusted Cert Chain.
Untrusted Cert Chain ]]>
</errorDescription>
<errorSeverity>2</errorSeverity>
</Exception>
2010.05.20 at 10:52:22:298: Thread-19: B2B - (DEBUG) Engine:notifyApp Exit
2010.05.20 at 10:52:22:301: Thread-19: B2B - (DEBUG) DBContext commit: Enter
2010.05.20 at 10:52:22:307: Thread-19: B2B - (DEBUG) DBContext commit: Transaction.commit()
2010.05.20 at 10:52:22:310: Thread-19: B2B - (DEBUG) DBContext commit: Leave
2010.05.20 at 10:52:22:313: Thread-19: B2B - (DEBUG) oracle.tip.adapter.b2b.msgproc.Request:outgoingRequest Exit
2010.05.20 at 10:52:22:317: Thread-19: B2B - (INFORMATION) oracle.tip.adapter.b2b.engine.Engine:processOutgoingMessage:
***** REQUEST MESSAGE *****
Exchange Protocol: AS2 Version 1.1
Transport Protocol: HTTPS
Unique Message ID: <543222@EMRSNS>
Trading Partner: ZZEASY_PROD
Message Signed: RSA
Payload encrypted: 3DES
Attachment: None

Hi CNU,
1st they has given me in .p7b certificateIs it a self-signed certificate? If no then do you have the CA certs as well?
Open the certificate by double clicking on it. If "Issued To" and "Issued By" fields are same then it is a self signed cert and you need to import only this cert (in base64 format) into wallet.
If it is not a self-signed cert then open the certificate and click on "Certification Path" tab. You should be able to see the issue's certificate here. Make sure that you have imported all issuers certificate along with your TP's cert in the wallet. Moreover, check that all the certs (TP cert and it's issuer cert's) are valid in terms of dates. You can see the "Certificate status" in "Certification Path" tab of certificate.
Please provide the certificate chain details here along with list of certs in wallet (you may mail it to my id as well - [email protected])
Regards,
Anuj

Similar Messages

  • Punchout problem.  CertificateException: Untrusted Cert Chain.

    Hi all
    I hope this is an appropriate forum. I am a developer at a company who has a web site that customers interact with via punchout. I developed the system some time ago. It has nothing to do with Oracle but we have a punchout customer who is converting from Ariba to Oracle. I guess I'm looking for any advice on what to do or what to tell the customer to help solve this problem. They seem to have run out of ideas.
    Everything works well when they send a PunchoutSetupRequest cXML request but when they try to send an OrderRequest they get the following SSL error.
    .apps.ecx.oxta.ConnectionFailureException: Connection failure resulting
    from: javax.net.ssl.SSLHandshakeException:
    java.security.cert.CertificateException: Untrusted Cert Chain
    They're asking me whether am I handling the two types of requests differently but that question makes no sense at this level because it's the same https URL. I have no way of even knowing what type of cXML request is coming until the SSL handshake has succeeded.
    We're running Microsoft IIS. Our SSL certificate has a cert chain back to Equifax. It works on all major browsers, Ariba and their Oracle PunchoutSetup request. I got them to try it with a browser and the SSL worked without error. I can see in my web log that they accessed it using Internet Explorer. I assume that the Oracle system is not running Windows so accessing it with Internet Explorer from a Windows machine might not have been very helpful.
    They say to me that "it's the same site, same server" for the two types of documents. I assume they mean it's the same https client but how can that be true if the SSL succeeds on one type of document but fails on another?
    I've just noticed that the UserAgent is different for the two requests. For PunchoutSetupRequest it's "Oracle iProcurement" but for OrderRequest it's "Oracle E-Business Suite Oracle Purchasing 11.5.9.". Does that mean they are different https clients? I only know the OrderRequest UserAgent because they emailed me an error message which included the cXML.
    I know nothing about Oracle but it seems to me that someone at our customer site needs to do the equivalent of "Accept this certificate" which you can do with a browser assuming that they trust us. At one point they got me to send our certificate so I visited our site with a browser and exported the cert and sent it to them which they could have done themselves. It's not clear to me what they did with it but, coincidentally perhaps, the PunchoutSetupRequest also failed the SSL handshake until I sent them that.
    The only solution may be for us to buy a different (more expensive) certificate but that seems unnecessary to me and they've been unable to answer my question "what signing authorities do you accept". I've been able to look at a couple of their other suppliers and their public sites use certs from GTE CyberTrust so I suspect their punchout site uses the same.
    Any ideas or suggests would be appreciated.
    Thanks

    Hi,
    Similar error is reported in the following documents, please see if it helps.
    Note: 167474.1 - Oracle XML Gateway Troubleshooting Guide
    Note: 152775.1 - Installing Oracle XML Gateway and Oracle Workflow with Oracle Applications 11i
    Regards,
    Hussein

  • Java.security.cert.CertificateException

    Hi,
    I am using a JAVA client to connect to a https server which uses certificates for authentication.
    The server uses gSOAP certificates for client authentication and encryption of messages.
    I am using JSSE coming along with JDK1.6 and generated keystore file from client.pem and cacert.pem files used by the server.
    I need to send SOAP messages with attachments.
    I am using SAAJ API with JDK 1.6 .
    When I try to connect to the server through javax.xml.soap.SOAPConnection, I am getting java.security.cert.CertificateException. Please see the exception below.
    Note: Server is responding properly to SOAP UI tool(java testing tool) with certifcates authentication.
    I have enabled debug option in SSL.
    E:\test\properties\storefile.jks
    keyStore is : E:\test\properties\storefile.jks
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: E:\test\properties\storefile.jks
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Algorithm: RSA; Serial number: 0x0
    Valid from Sat Oct 02 22:38:06 IST 2004 until Tue Oct 02 22:38:06 IST 2007
    adding as trusted cert:
    Subject: [email protected], CN=localhost, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Algorithm: RSA; Serial number: 0x7
    Valid from Sun Dec 25 01:01:53 IST 2005 until Wed Dec 24 01:01:53 IST 2008
    adding as trusted cert:
    Subject: [email protected], CN=localhost, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Algorithm: RSA; Serial number: 0x8
    Valid from Sun Dec 25 01:03:13 IST 2005 until Wed Dec 24 01:03:13 IST 2008
    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1155448094 bytes = { 120, 70, 246, 123, 195, 47, 61, 191, 223, 241, 23, 204, 98, 143, 212, 251, 80, 10, 100, 183, 82, 82, 215, 228, 212, 47, 68, 224 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    Thread-3, WRITE: TLSv1 Handshake, length = 73
    Thread-3, WRITE: SSLv2 client hello message, length = 98
    Thread-3, READ: TLSv1 Handshake, length = 74
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1155531752 bytes = { 248, 141, 63, 154, 117, 213, 184, 250, 239, 237, 26, 225, 175, 38, 151, 65, 101, 127, 134, 46, 180, 80, 153, 133, 215, 120, 102, 11 }
    Session ID: {100, 201, 98, 232, 113, 191, 163, 129, 1, 101, 251, 29, 233, 245, 144, 203, 231, 208, 202, 248, 160, 99, 84, 248, 86, 16, 235, 234, 20, 73, 231, 148}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    Thread-3, READ: TLSv1 Handshake, length = 1868
    *** Certificate chain
    chain [0] = [
    Version: V3
    Subject: [email protected], CN=localhost, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
    modulus: 144881101064455404788814091404981462608080902688277626878350142057531273562236240952084735254146287262789443540177122740514352105900513219519909051335421867736741713195463254360663999239941476817345303119999799829037388457231058611674562175705514528085594563474765367007497034178272408363177194954006361904887
    public exponent: 65537
    Validity: [From: Sun Dec 25 01:03:13 IST 2005,
                   To: Wed Dec 24 01:03:13 IST 2008]
    Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    SerialNumber: [    08]
    Certificate Extensions: 4
    [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
    0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
    0020: 65 e
    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 3D C1 C8 B5 19 17 C3 8C 12 64 3C 05 C3 22 EE 7B =........d<.."..
    0010: BA 27 B4 C1 .'..
    [3]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: E0 CC 88 8B 41 A0 21 4A A4 61 18 67 27 61 A0 C9 ....A.!J.a.g'a..
    0010: 49 95 77 CA I.w.
    [[email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US]
    SerialNumber: [    00]
    [4]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 6E D0 0E EC 85 EA A9 71 60 5D CB 13 3A 0C C2 C6 n......q`]..:...
    0010: A1 92 15 14 2A BB 86 2A 1D 68 B1 4B 41 C0 0B FB ....*..*.h.KA...
    0020: 35 C7 0F 6E 51 99 B3 25 95 4F 58 18 3D 73 F2 06 5..nQ..%.OX.=s..
    0030: 18 63 40 21 A7 44 1D AB 46 DB DD 6C 20 7D 23 23 .c@!.D..F..l .##
    0040: 08 84 92 CE 04 93 10 B3 CB 84 67 FD 3F 53 81 51 ..........g.?S.Q
    0050: 25 60 EE D1 02 89 06 58 E6 E0 B4 C2 20 D8 E8 84 %`.....X.... ...
    0060: 8A 4E 8D 59 62 67 33 4C 95 BD A3 F7 68 76 5E BA .N.Ybg3L....hv^.
    0070: D9 84 3F 80 C8 1E 49 3A 59 D0 B4 74 9E 2D CD F6 ..?...I:Y..t.-..
    chain [1] = [
    Version: V3
    Subject: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
    modulus: 106482211752195899275275639329238789380560290379431640534106480581317795742917955972475513891969031216742557266096088552725987675210922796797720103531106400345818891764659480805498923495886457178236281557583158652266656923442983245641013901721295378444704296581436391012531718274035287004196101203604693764023
    public exponent: 65537
    Validity: [From: Sat Oct 02 22:38:06 IST 2004,
                   To: Tue Oct 02 22:38:06 IST 2007]
    Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    SerialNumber: [    00]
    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: E0 CC 88 8B 41 A0 21 4A A4 61 18 67 27 61 A0 C9 ....A.!J.a.g'a..
    0010: 49 95 77 CA I.w.
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: E0 CC 88 8B 41 A0 21 4A A4 61 18 67 27 61 A0 C9 ....A.!J.a.g'a..
    0010: 49 95 77 CA I.w.
    [[email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US]
    SerialNumber: [    00]
    [3]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 59 9B F6 45 7E 10 3C 79 3B 88 FB 74 B3 2E F7 4F Y..E..<y;..t...O
    0010: 67 16 09 C1 2F 4E AC 7A 98 EA B4 12 08 6D 96 37 g.../N.z.....m.7
    0020: 1A 70 A0 79 FC 4A A7 54 BA 21 FD 35 FE 67 55 EF .p.y.J.T.!.5.gU.
    0030: D9 D9 18 99 5D 7A 03 3B EE DC F8 54 89 73 B8 86 ....]z.;...T.s..
    0040: B3 FB 63 4E F8 6A 9B AF A1 2B 39 1F B7 50 63 AB ..cN.j...+9..Pc.
    0050: 46 E1 F7 F5 A3 13 D4 3B F0 1D 8A 54 E4 65 3E 94 F......;...T.e>.
    0060: 6D 5A 58 77 50 A7 CB 99 E7 2E 28 90 C8 37 67 D2 mZXwP.....(..7g.
    0070: 19 E6 78 A3 91 49 E9 08 74 0E FA AF FC 16 B3 0B ..x..I..t.......
    Feb 24, 2007 9:50:47 AM com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection post
    SEVERE: SAAJ0009: Message send failed
    com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
         at SOAPConnector$1.run(SOAPConnector.java:145)
    Caused by: java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
         at java.security.AccessController.doPrivileged(Native Method)Found trusted certificate:
    Version: V3
    Subject: [email protected], CN=localhost, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
    modulus: 144881101064455404788814091404981462608080902688277626878350142057531273562236240952084735254146287262789443540177122740514352105900513219519909051335421867736741713195463254360663999239941476817345303119999799829037388457231058611674562175705514528085594563474765367007497034178272408363177194954006361904887
    public exponent: 65537
    Validity: [From: Sun Dec 25 01:03:13 IST 2005,
                   To: Wed Dec 24 01:03:13 IST 2008]
    Issuer: [email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US
    SerialNumber: [    08]
    Certificate Extensions: 4
    [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
    0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
    0020: 65 e
    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 3D C1 C8 B5 19 17 C3 8C 12 64 3C 05 C3 22 EE 7B =........d<.."..
    0010: BA 27 B4 C1 .'..
    [3]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: E0 CC 88 8B 41 A0 21 4A A4 61 18 67 27 61 A0 C9 ....A.!J.a.g'a..
    0010: 49 95 77 CA I.w.
    [[email protected], CN=genivia.com, OU=IT, O="Genivia, Inc.", L=Tallahassee, ST=FL, C=US]
    SerialNumber: [    00]
    [4]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 6E D0 0E EC 85 EA A9 71 60 5D CB 13 3A 0C C2 C6 n......q`]..:...
    0010: A1 92 15 14 2A BB 86 2A 1D 68 B1 4B 41 C0 0B FB ....*..*.h.KA...
    0020: 35 C7 0F 6E 51 99 B3 25 95 4F 58 18 3D 73 F2 06 5..nQ..%.OX.=s..
    0030: 18 63 40 21 A7 44 1D AB 46 DB DD 6C 20 7D 23 23 .c@!.D..F..l .##
    0040: 08 84 92 CE 04 93 10 B3 CB 84 67 FD 3F 53 81 51 ..........g.?S.Q
    0050: 25 60 EE D1 02 89 06 58 E6 E0 B4 C2 20 D8 E8 84 %`.....X.... ...
    0060: 8A 4E 8D 59 62 67 33 4C 95 BD A3 F7 68 76 5E BA .N.Ybg3L....hv^.
    0070: D9 84 3F 80 C8 1E 49 3A 59 D0 B4 74 9E 2D CD F6 ..?...I:Y..t.-..
    Thread-3, SEND TLSv1 ALERT: fatal, description = certificate_unknown
    Thread-3, WRITE: TLSv1 Alert, length = 2
    Thread-3, called closeSocket()
    Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
         ... 2 more
    Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(Unknown Source)
         ... 3 more
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
         ... 5 more
    Caused by: java.security.cert.CertificateException: No subject alternative names present
         at sun.security.util.HostnameChecker.matchIP(Unknown Source)
         at sun.security.util.HostnameChecker.match(Unknown Source)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
         ... 17 more
    CAUSE:
    java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
         at SOAPConnector$1.run(SOAPConnector.java:145)
    Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(Unknown Source)
         ... 3 more
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
         ... 5 more
    Caused by: java.security.cert.CertificateException: No subject alternative names present
         at sun.security.util.HostnameChecker.matchIP(Unknown Source)
         at sun.security.util.HostnameChecker.match(Unknown Source)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
         ... 17 more
    CAUSE:
    java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(Unknown Source)
         at SOAPConnector$1.run(SOAPConnector.java:145)
    Caused by: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Message send failed
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.post(Unknown Source)
         at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection$PriviledgedPost.run(Unknown Source)
         ... 3 more
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
         at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
         ... 5 more
    Caused by: java.security.cert.CertificateException: No subject alternative names present
         at sun.security.util.HostnameChecker.matchIP(Unknown Source)
         at sun.security.util.HostnameChecker.match(Unknown Source)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
         ... 17 more
    Any help is appreciated.

    did you find the solution for the issue i am using jscape now...

  • SecureSocketListener: Could not setup context and create a secure socket on 142.182.112.123:5555 : java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11. java.security.cert.Certifica

    HI Team,
    while starting the node manager in wls 8.1 and java1.4
    we are facing this issue plz help on this immediately.
    + CLASSPATH=/srvrs/bdv/patches/CR210310_81sp4.jar:/usr/java14/lib/tools.jar:/srvrs/bdv/bea/weblogic81/server/lib/weblogic_sp.jar:/srvrs/bdv/bea/weblogic81/server/lib/weblogic.jar::/srvrs/bdv/bea
    + export CLASSPATH
    + export PATH
    + set -x
    + [ 5555 !=  ]
    + [ 142.182.112.123 !=  ]
    + /usr/java14/bin/java -Xms32m -Xmx32m -Dweblogic.security.SSL.enforceConstraints=off -Djava.security.policy=/srvrs/bdv/bea/weblogic81/server/lib/weblogic.policy -Dweblogic.nodemanager.javaHome=/usr/java14 -DListenAddress=142.182.112.123 -DListenPort=5555 weblogic.NodeManager
    <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <NodeManager: for information on command line options,  try "java weblogic.NodeManager -h">
    <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Starting NodeManager >
    <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Setting listenAddress to 142.182.112.123..>
    <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Setting listenPort to 5,555..>
    <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Setting java home to '/usr/java14'>
    <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Effective values of properties :
            ListenAddress=142.182.112.123
            ListenPort=5555
            ListenerType=secureSocket
            SavedLogsDirectory=NodeManagerLogs
            NativeVersionEnabled=true
            TrustedHosts=nodemanager.hosts
            StartTemplate=../../server/lib/unix/nodemanager.sh
            ReverseDnsEnabled=false
            ScavangerDelaySeconds=180
            PIDFileReadRetryCount=0
            WeblogicHome=null
            bea.home=null
            JavaHome=/usr/java14
            PropertiesVersion=8.1
    >
    <Sep 15, 2013 7:35:26 AM EDT> <Info> <NodeManager> <Saving logs in'NodeManagerLogs'>
    <Sep 15, 2013 7:35:31 AM EDT> <Info> <[email protected]:5555> <Reading private key and certificate chain from the keystore /srvrs/bdv/bea/weblogic81/server/lib/DemoIdentity.jks. KeyStore type = jks, Using keystore passphrase = true, Alias = DemoIdentity>
    <Sep 15, 2013 7:35:31 AM EDT> <Info> <[email protected]:5555> <Reading trusted CAs from the keystore /srvrs/bdv/bea/weblogic81/server/lib/DemoTrust.jks. KeyStore type = jks, Using keystore passphrase = true>
    <Sep 15, 2013 7:35:31 AM EDT> <Info> <[email protected]:5555> <Reading trusted CAs from the keystore /usr/java14/jre/lib/security/cacerts. KeyStore type = jks, Using keystore passphrase = false>
    SecureSocketListener: Could not setup context and create a secure socket on 142.182.112.123:5555 : java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
    java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
            at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
            at com.certicom.tls.interfaceimpl.CertificateSupport.addTrustedCertificate(Unknown Source)
            at com.certicom.net.ssl.SSLContext.addTrustedCertificate(Unknown Source)
            at com.bea.sslplus.CerticomSSLContext.addTrustedCA(Unknown Source)
            at weblogic.security.utils.SSLContextWrapper.addTrustedCA(SSLContextWrapper.java:52)
            at weblogic.nodemanager.internal.SecureSocketListener.run(SecureSocketListener.java:57)
            at weblogic.nodemanager.internal.GenericListener.startListener(GenericListener.java:16)
            at weblogic.nodemanager.NodeManager.startSecureSocketListener(NodeManager.java:461)
            at weblogic.nodemanager.NodeManager.init(NodeManager.java:305)
            at weblogic.nodemanager.NodeManager.run(NodeManager.java:511)
            at weblogic.NodeManager.main(NodeManager.java:31)
    Thanks,
    Eswar

    Hi,
    Did you find a solution to this? We are running into the same issue since upgrading to Weblogic 9.2.3 for WebCT Vista 8.0.4.
    Thanks,
    Ron

  • Sun.security.validator.ValidatorException: Netscape cert type does not perm

    Hi,
    I am getting the following exception when clientAuthentication is enabled for ssl connection.
    I am using tomcat and a java client in my application.
    Please let me know how do i get through this.
    Thanks in advance
    -Sanjeev
    Below trace is from catalina.out
    ===========================
    http-8443-Processor24, SEND TLSv1 ALERT: fatal, description = certificate_unknown
    http-8443-Processor24, WRITE: TLSv1 Alert, length = 2
    http-8443-Processor24, called closeSocket()
    http-8443-Processor24, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL client
    http-8443-Processor24, called close()
    http-8443-Processor24, called closeInternal(true)
    ===================================
    I get the below exception in my java client application.
    ==========================================
    : 68 42 6F FD E9 35 AB E5 C7 48 31 2C 78 31 BA F0 hBo..5...H1,x1..
    0020: EB 97 10 1F F9 B2 03 B7 7D CE 8A 04 73 37 07 A1 ............s7..
    0030: 9D 46 5A A2 B7 99 EE 86 1D EE A1 E4 D6 64 73 9B .FZ..........ds.
    0040: 6B FA D1 19 44 54 C0 47 DC F8 E1 4B 33 F6 0D 2D k...DT.G...K3..-
    0050: C9 04 B7 E8 8F 67 00 99 78 67 CC BE 26 C4 73 B5 .....g..xg..&.s.
    0060: 88 26 F6 08 B7 A3 89 A0 28 29 79 DD 16 B0 86 8F .&......()y.....
    0070: DE AA EA D3 1F 9F 8B 5B E7 B4 51 3B C8 90 67 0D .......[..Q;..g.
    0080: 68 46 F1 CC 10 D9 hF....
    main, WRITE: TLSv1 Handshake, length = 134
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    main, handling exception: java.net.SocketException: Software caused connection abort: socket write error
    main, SEND TLSv1 ALERT: fatal, description = unexpected_message
    main, WRITE: TLSv1 Alert, length = 2
    Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
    main, called closeSocket()
    Exception
    =================================================

    Netscape cert type does not permit use for SSL clientTry using another certificate. Your certificate can't be used as a web browser client certificate.

  • SSL Cert requiring intermediate CA chain breaks 10.5.8 caldavd?

    Mac OS X Server 10.5.8
    I just upgraded from a self-signed cert to a cert from StartCom, which requires use of an intermediate certificate on the server. I imported it using Server Admin. It and the intermediate cert are present in the /Library/Keychains/System.keychain and in /etc/certificates. Mail (Both postfix and cyrus) are happy with it. Apache is happy with it.
    caldavd, however, reports the following:
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [startup] Adding server at :8008+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [startup] Adding SSL server at :8443+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] Traceback (most recent call last):+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/bin/twistd", line 21, in <module>+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] run()+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/scripts/twistd.py", line 27, in run+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] app.run(runApp, ServerOptions)+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 379, in run+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] runApp(config)+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/scripts/twistd.py", line 23, in runApp+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] _SomeApplicationRunner(config).run()+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 157, in run+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] self.application = self.createOrGetApplication()+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/application/app.py", line 202, in createOrGetApplication+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] ser = plg.makeService(self.config.subOptions)+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 754, in makeService+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] service = serviceMethod(options)+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 727, in makeService_Slave+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] passwdCallback=_getSSLPassphrase+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 423, in _init_+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] sslmethod=sslmethod+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twisted/internet/ssl.py", line 79, in _init_+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] self.cacheContext()+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] File "/usr/share/caldavd/lib/python/twistedcaldav/tap.py", line 437, in cacheContext+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] ctx.usecertificate_chainfile(self.certificateChainFile)+
    +2009-10-25 22:42:11-0700 [-] [caldav-8008] [-] OpenSSL.SSL.Error: [('x509 certificate routines', 'X509check_privatekey', 'key values mismatch')]+
    But the key and the certificate do match, as confirmed by the other apps working fine and openssl x509/rsa -modulus.
    /etc/caldavd/caldavd.plist contains:
    <key>SSLAuthorityChain</key>
    <string>/etc/certificates/osxserver.example.com.chcrt</string>
    <key>SSLCertificate</key>
    <string>/etc/certificates/osxserver.example.com.crt</string>
    <key>SSLPort</key>
    <integer>8443</integer>
    <key>SSLPrivateKey</key>
    <string>/etc/certificates/osxserver.example.com.key</string>
    <key>ServerHostName</key>
    <string>osxserver.example.com</string>
    Using openssl I verified that those three files are, in fact, correct.
    If I remove the filename from the SSLAuthorityChain attribute, the server starts normally but, naturally, connections fail unless I add the intermediate certificate to the local client's keychain.
    Not sure where to go next. I haven't been able to check Server 10.6.1 yet.

    The point that it's breaking on is obviously an Apple modification because Twisted does not and has never supported loading intermediate CA certs from a chain file.
    http://twistedmatrix.com/trac/log/trunk/twisted/internet/ssl.py?rev=26525
    I would suggest creating a little test script that does what the caldavd file does. The related documentation is http://packages.python.org/pyOpenSSL/openssl-context.html

  • How to get Java source in applet stack trace to debug Java security manager

    How can I get line numbers for Java source in stack traces for my applet? I'm having a problem with my code-signing certificate. On one of my applets, I consistently get a NullPointerException inside the security dialog code in the JDK. As a result, either the "trust this applet" dialog never appears, or even though it appears, it defaults to untrusted because of the exception, so I can't access any local files (and that's a bit of a problem for an applet whose sole purpose is to upload files to our server). I unzipped src.zip in my JDK directory and set the debug flag for my Ant <javac> task as well as set debuglevel to "lines." Anything else? Here's the trace that I'm getting so far. See that after the NullPointerException it assumes that the user has denied permission. If I could read this Java source maybe I could figure out why it hates my code-signing certificate (jarsigner, BTW, never complains when I verify my jar).
    security: Blacklist file not found or revocation check is disabled
    security: Accessing keys and certificate in Mozilla user profile: null
    security: Loading Root CA certificates from D:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loaded Root CA certificates from D:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loading Deployment certificates from C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    security: Loaded Deployment certificates from C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Validate the certificate chain using CertPath API
    security: Obtain certificate collection in Root CA certificate store
    security: Obtain certificate collection in Root CA certificate store
    security: Start to check whether root CA is replaced
    security: The root CA has been replaced
    security: No timestamping info available
    security: Found jurisdiction list file
    security: Start checking trusted extension for this certificate
    security: Start comparing to jurisdiction list with this certificate
    security: The CRL support is disabled
    security: The OCSP support is disabled
    security: This OCSP End Entity validation is disabled
    security: Checking if certificate is in Deployment denied certificate store
    security: Checking if certificate is in Deployment permanent certificate store
    security: Checking if certificate is in Deployment session certificate store
    java.lang.NullPointerException
         at com.sun.deploy.ui.UIFactory.showSecurityDialog(Unknown Source)
         at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
         at com.sun.deploy.security.X509Util.showSecurityDialog(Unknown Source)
         at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
         at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
         at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$700(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
         at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
         at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
         at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    security: User has denied the priviledges to the code
    security: Adding certificate in Deployment denied certificate store
    security: Added certificate in Deployment denied certificate store
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Validate the certificate chain using CertPath API
    security: Obtain certificate collection in Root CA certificate store
    security: Obtain certificate collection in Root CA certificate store
    security: Start to check whether root CA is replaced
    security: The root CA has been replaced
    security: No timestamping info available
    security: Found jurisdiction list file
    security: Start checking trusted extension for this certificate
    security: Start comparing to jurisdiction list with this certificate
    security: The CRL support is disabled
    security: The OCSP support is disabled
    security: This OCSP End Entity validation is disabled
    security: Checking if certificate is in Deployment denied certificate store
    security: Checking if certificate is in Deployment denied certificate store

    Rats, now that I look at the stack trace and compare to what's in the JDK srce.zip, it appears that most of this code is not part of the JDK source. I don't see any com/sun/deploy, etc.

  • Java Security Model: Java Protection Domains

    1.     Policy Configuration
    Until now, security policy was hard-coded in the security manager used by Java applications. This gives us the effective but rigid Java sandbox for applets.A major enhancement to the Java sandbox is the separation of policy from mechanism. Policy is now expressed in a separate, persistent format. The policy is represented in simple ascii, and can be modified and displayed by any tools that support the policy syntax specification. This allows:
    o     Configurable policies -- no longer is the security policy hard-coded into the application.
    o     Flexible policies -- Since the policy is configurable, system administrators can enforce global polices for the enterprise. If permitted by the enterprise's global policy, end-users can refine the policy for their desktop.
    o     Fine-grain policies -- The policy configuration file uses a simple, extensible syntax that allows you to specify access on specific files or to particular network hosts. Access to resources can be granted only to code signed by trusted principals.
    o     Application policies -- The sandbox is generalized so that applications of any stripe can use the policy mechanism. Previously, to establish a security policy for an application, an developer needed to implement a subclass of the SecurityManager, and hard-code the application's policies in that subclass. Now, the application can make use of the policy file and the extensible Permission object to build an application whose policy is separate from the implementation of the application.
    o     Extensible policies -- Application developers can choose to define new resource types that require fine-grain access control. They need only define a new Permission object and a method that the system invokes to make access decisions. The policy configuration file and policy tools automatically support application-defined permissions. For example, an application could define a CheckBook object and a CheckBookPermission.
    2.     X.509v3 Certificate APIs
    Public-key cryptography is an effective tool for associating an identity with a piece of code. JavaSoft is introducing API support in the core APIs for X.509v3 certificates. This allows system administrators to use certificates from enterprise Certificate Authorities (CAs), as well as trusted third-party CAs, to cryptographically establish identities.
    3.     Protection Domains
    The central architectural feature of the Java security model is its concept of a Protection Domain. The Java sandbox is an example of a Protection Domain that places tight controls around the execution of downloaded code. This concept is generalized so that each Java class executes within one and only one Protection Domain, with associated permissions.
    When code is loaded, its Protection Domain comes into existence. The Protection Domain has two attributes - a signer and a location. The signer could be null if the code is not signed by anyone. The location is the URL where the Java classes reside. The system consults the global policy on behalf of the new Protection Domain. It derives the set of permissions for the Protection Domain based on its signer/location attributes. Those permissions are put into the Protection Domain's bag of permissions.
    4.     Access Decisions
    Access decisions are straightforward. When code tries to access a protected resource, it creates an access request. If the request matches a permission contained in the bag of permissions, then access is granted. Otherwise, access is denied. This simple way of making access decisions extends easily to application-defined resources and access control. For example, the banking application allows access to the CheckBook only when the executing code holds the appropriate CheckBookPermission.
    Sandbox model for Security
    Java is supported in applications and applets, small programs that spurred Java's early growth and are executable in a browser environment. The applet code is downloaded at runtime and executes in the context of a JVM hosted by the browser. An applet's code can be downloaded from anywhere in the network, so Java's early designers thought such code should not be given unlimited access to the target system. That led to the sandbox model -- the security model introduced with JDK 1.0.
    The sandbox model deems all code downloaded from the network untrustworthy, and confines the code to a limited area of the browser -- the sandbox. For instance, code downloaded from the network could not update the local file system. It's probably more accurate to call this a "fenced-in" model, since a sandbox does not connote strict confinement.
    While this may seem a very secure approach, there are inherent problems. First, it dictates a rigid policy that is closely tied to the implementation. Second, it's seldom a good idea to put all one's eggs in one basket -- that is, it's unwise to rely entirely on one approach to provide overall system security.
    Security needs to be layered for depth of defense and flexible enough to accommodate different policies -- the sandbox model is neither.
    java.security.ProtectionDomain
    This class represents a unit of protection within the Java application environment, and is typically associated with a concept of "principal," where a principal is an entity in the computer system to which permissions (and as a result, accountability) are granted.
    A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. Currently, a domain is uniquely identified by a CodeSource, which encapsulates two characteristics of the code running inside the domain: the codebase (java.net.URL), and a set of certificates (of type java.security.cert.Certificate) for public keys that correspond to the private keys that signed all code in this domain. Thus, classes signed by the same keys and from the same URL are placed in the same domain.
    A domain also encompasses the permissions granted to code in the domain, as determined by the security policy currently in effect.
    Classes that have the same permissions but are from different code sources belong to different domains.
    A class belongs to one and only one ProtectionDomain.
    Note that currently in Java 2 SDK, v 1.2, protection domains are created "on demand" as a result of class loading. The getProtectionDomain method in java.lang.Class can be used to look up the protection domain that is associated with a given class. Note that one must have the appropriate permission (the RuntimePermission "getProtectionDomain") to successfully invoke this method.
    Today all code shipped as part of the Java 2 SDK is considered system code and run inside the unique system domain. Each applet or application runs in its appropriate domain, determined by its code source.
    It is possible to ensure that objects in any non-system domain cannot automatically discover objects in another non-system domain. This partition can be achieved by careful class resolution and loading, for example, using different classloaders for different domains. However, SecureClassLoader (or its subclasses) can, at its choice, load classes from different domains, thus allowing these classes to co-exist within the same name space (as partitioned by a classloader).
    jarsigner and keytool
    example : cd D:\EicherProject\EicherWEB\Web Content jarsigner -keystore eicher.store source.jar eichercert
    The javakey tool from JDK 1.1 has been replaced by two tools in Java 2.
    One tool manages keys and certificates in a database. The other is responsible for signing and verifying JAR files. Both tools require access to a keystore that contains certificate and key information to operate. The keystore replaces the identitydb.obj from JDK 1.1. New to Java 2 is the notion of policy, which controls what resources applets are granted access to outside of the sandbox (see Chapter 3).
    The javakey replacement tools are both command-line driven, and neither requires the use of the awkward directive files required in JDK 1.1.x. Management of keystores, and the generation of keys and certificates, is carried out by keytool. jarsigner uses certificates to sign JAR files and to verify the signatures found on signed JAR files.
    Here we list simple steps of doing the signing. We assume that JDK 1.3 is installed and the tools jarsigner and keytool that are part of JDK are in the execution PATH. Following are Unix commands, however with proper changes, these could be used in Windows as well.
    1. First generate a key pair for our Certificate:
    keytool -genkey -keyalg rsa -alias AppletCert
    2. Generate a certification-signing request.
    keytool -certreq -alias AppletCert > CertReq.pem
    3. Send this CertReq.pem to VeriSign/Thawte webform. Let the signed reply from them be SignedCert.pem.
    4. Import the chain into keystore:
    keytool -import -alias AppletCert -file SignedCert.pem
    5. Sign the CyberVote archive �TeleVote.jar�:
    jarsigner TeleVote.jar AppletCert
    This signed applet TeleVote.jar can now be made available to the web server. For testing purpose we can have our own test root CA. Following are the steps to generate a root CA by using openssl.
    1. Generate a key pair for root CA:
    openssl genrsa -des3 -out CyberVoteCA.key 1024
    2. Generate an x509 certificate using the above keypair:
    openssl req -new -x509 -days key CyberVoteCA.key -out CyberVoteCA.crt
    3. Import the Certificate to keystore.
    keytool -import -alias CyberVoteRoot -file CyberVoteCA.crt
    Now, in the step 3 of jar signing above, instead of sending the request certificate to VeriSign/Thawte webform for signing, we 365 - can sign using our newly created root CA using this command:
    openssl x509 -req -CA CyberVoteCA.crt -CAkey CyberVoteCA.key -days 365 -in CertReq.pem -out SignedCert.pem �Cacreateserial
    However, our test root CA has to be imported to the keystore of voter�s web browser in some way. [This was not investigated. We used some manual importing procedure which is not recommended way]
    The Important Classes
    The MessageDigest class, which is used in current CyberVote mockup system (see section 2), is an engine class designed to provide the functionality of cryptographically secure message digests such as SHA-1 or MD5. A cryptographically secure message digest takes arbitrary-sized input (a byte array), and generates a fixed-size output, called a digest or hash. A digest has the following properties:
    � It should be computationally infeasible to find two messages that hashed to the same value.
    � The digest does not reveal anything about the input that was used to generate it.
    Message digests are used to produce unique and reliable identifiers of data. They are sometimes called the "digital fingerprints" of data.
    The (Digital)Signature class is an engine class designed to provide the functionality of a cryptographic digital signature algorithm such as DSA or RSA with MD5. A cryptographically secure signature algorithm takes arbitrary-sized input and a private key and generates a relatively short (often fixed-size) string of bytes, called the signature, with the following properties:
    � Given the public key corresponding to the private key used to generate the signature, it should be possible to verify the authenticity and integrity of the input.
    � The signature and the public key do not reveal anything about the private key.
    A Signature object can be used to sign data. It can also be used to verify whether or not an alleged signature is in fact the authentic signature of the data associated with it.
    ----Cheers
    ---- Dinesh Vishwakarma

    Hi,
    these concepts are used and implemented in jGuard(www.jguard.net) which enable easy JAAS integration into j2ee webapps across application servers.
    cheers,
    Charles(jGuard team).

  • Untrusted Certificate Chain

    Keep receiving Msg "you are attempting to open a secure connection, but the server's cert is not trusted".  If I try to trust certificate it requires that I enter my key store password. I have no idea what that is.  If I View the Certificate it says the program is "rcp.na.blackberry.com" with an untrusted cert chain - stale chain status - x 509.  It stops popping up when I disconnect from my wifi, otherwise it keeps popping up at different times.

    hello,
    have you heard of "secured transaction" or "electronic signature" or "e-signing" or "SSL" ?
    to make things short : when you browse the web, anyone can "do something" and be able to sniff what you send and what you receive.
    When you log on the present forum, you do it with HTTP.
    If your neighbor knows how, he/she can get the password you use to connect.
    that is why people have created SSL. when you go to a secured website, like your bank website, or paypal, or amazon, you go to a page which URL starts with HTTPS:// instead of HTTP://
    if your browser is up-to-date, something should change in the address bar : a color, a sign, a lock that is closed (even on your blackberry Browser).
    HTTPS stands for HTTP over SSL. basically, SSL is a security tunnel.
    when you use that SSL, nobody can get the information that you exchange with the webserver.
    but the SSL protocol is something open : anyone can create an SSL key and say "hey, come and see me, my tunnel is secure". So you have to know who that person is. It is also done by something like SSL. It's called electronic certificates. Codename : X.509.
    so a X.509 is a certificate that says "I am AAA and I can do BBB !".
    how can you trust that certificate ? Because it is certified by a higher authority (a private one, not necessarily government). You know these authorities. They appear on the bottom of your bank websites :
    Verisign
    Thawte
    Certicom (cough cough cough)
    CertPlus
    RSA (the SecurID !)
    VISA (the credit card !)
    and so on...
    these are very valuable Certificate Authorities (CA) that you can trust. But how can you, since you may have never heard of them ?
    well, RIM does that for you, just like any browser system does.
    When you look at your Windows system, you will see all those CA in the list, as well as others like AOL or Dell or Microsoft.
    On your BlackBerry system, it's the same : RIM has put trust in those CAs.
    Those CAs are stored somewhere on your device, in a place called the KeyStore.
    The problem comes when you log on to a website, that uses HTTPS, and whose X.509 certificate is certified by a CA that is not present on your device.
    therefore, the certificate is valid, but not trusted by your browser.
    you are saying the CA is rcp.na.blackberry.com : that is quite strange actually. What website are you trying to log on ?
    The search box on top-right of this page is your true friend, and the public Knowledge Base too:

  • Help : java.security.UnrecoverableKeyException: excess private key

    Hi,
    I require help for the exception "java.security.UnrecoverableKeyException: excess private key"
    When i am trying to generate digital signature using PKCS7 format using bouncyCastle API, it gives the "java.security.UnrecoverableKeyException: excess private key" exception.
    The full stack trace is as follows
    ------------------------------------------------------------------------java.security.UnrecoverableKeyException: excess private key
         at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
         at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:120)
         at java.security.KeyStore.getKey(KeyStore.java:289)
         at com.security.Security.generatePKCS7Signature(Security.java:122)
         at com.ibm._jsp._SendSecureDetail._jspService(_SendSecureDetail.java:2282)
         at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:93)
    I had tested the program under following scenarios...
    The Java Program for generating the digital signature independently worked successfully(without any change in policy files or java.security file) I have tested this independently on Sun's JDK 1.4, 1.6
    For IBM JDK 1.4 on Windows machine for WAS(Webshere Application Server) 6.0, The Program for generating the digital signature using PKCS7 works fine, but it required IBM Policy files(local_policy.jar, US_export_policy.jar) and updation in java.security file
    But the problem occurs in Solaris 5.10, WAS 6.0 where Sun JDK 1.4.2_6 is used.
    I copied the unlimited strength policy files for JDK 1.4.2 from Sun's site(because the WAS 6.0 is running on Sun's JDK intead of IBM JDK)...
    I changed the java.security file as follows(only changed content)
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.6=com.ibm.jsse.IBMJSSEProvider
    security.provider.7=com.ibm.security.cert.IBMCertPath
    security.provider.8=com.ibm.security.cmskeystore.CMSProvider
    I have used PKCS12(PFX) file for digital signature
    which is same for all environment(i have described as above)
    I copied the PFX file from windows to solaris using WinSCP in binary format so the content of certificate won't get currupted.
    I can not change the certificate because it's given by the company and which is working in other enviroments absolutely fine(just i have described above)
    I have gone though the "http://forums.sun.com/thread.jspa?threadID=408066" and other URLs too. but none of them helped...
    So what could be the problem for such exception?????
    I am on this issue since last one month...
    I know very little about security.
    Thanks in advance
    PLEASE HELP ME(URGENT)
    Edited by: user10935179 on Sep 27, 2010 2:47 AM
    Edited by: user10935179 on Sep 27, 2010 2:54 AM

    user10935179 wrote:
    The Java Program for generating the digital signature independently worked successfully(without any change in policy files or java.security file) If the program was working fine without changing the java.security policy file, why have you changed it to put the IBM Providers ahead of the SunRsaSign provider?
    While I cannot be sure (because I don't have an IBM provider to test this), the error is more than likely related to the fact that the IBM Provider implementations for handling RSA keys internally are different from the SunRsaSign provider. Since you've now forced the IBM provider ahead of the original Sun provider, you're probably running into interpretation issues of the encoded objects inside the keystore.
    Change your java.security policy back to the default order, and put your IBM Providers at the end of the original list and run your application to see what happens.
    Arshad Noor
    StrongAuth, Inc.

  • Java.security.KeyStoreException: Cannot store non-PrivateKeys

    I have been getting this exception:
    Exception in thread "main" java.security.KeyStoreException: Cannot store non-PrivateKeys
         at sun.security.provider.JavaKeyStore.engineSetKeyEntry(Unknown Source)
         at java.security.KeyStore.setKeyEntry(Unknown Source)
         at KeyStoreExample.encrypt(KeyStoreExample.java:89)
         at KeyStoreExample.main(KeyStoreExample.java:39)
    while running this code:
    private static void encrypt(char[] password, String plaintext)
      throws Exception
        System.out.println("Generating a TripleDES key...");
        // Create a Blowfish key
        KeyGenerator keyGenerator = KeyGenerator.getInstance("TripleDES");
        keyGenerator.init(168);
        Key key = keyGenerator.generateKey();
        System.out.println("Done generating the key.");
        // Create a cipher using that key to initialize it
        Cipher cipher = Cipher.getInstance("TripleDES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] plaintextBytes = plaintext.getBytes();
        // Perform the actual encryption
        byte[] cipherText = cipher.doFinal(plaintextBytes);
        // Now we need to Base64-encode it for ascii display
        BASE64Encoder encoder = new BASE64Encoder();
        String output = encoder.encode(cipherText);
        System.out.println("Ciphertext: "+output);
        /* Create a keystore and place the key in it
         * We're using a jceks keystore, which is provided by Sun's JCE.
         * If you don't have the JCE installed, you can use "JKS",
         * which is the default keystore. It doesn't provide
         * the same level of protection however.
        KeyStore keyStore = KeyStore.getInstance("JKS", "SUN");
        // This initializes a blank keystore
        keyStore.load(null, null);
        // Now we add the key to the keystore, protected
        // by the password.
        keyStore.setKeyEntry("LuisTest", key, password, null);
        // Store the password to the filesystem, protected
        // by the same password.
        FileOutputStream fos = new FileOutputStream(FILENAME);
        keyStore.store(fos, password);
        fos.close();The error fires when it gets to this line
        keyStore.setKeyEntry("LuisTest", key, password, null);

    Maybe you should try defining the type of entry that
    you want stored into the KeyStore, i.e. privateKey,
    SecretKey, TrustedCertificateEntry. The setKeyEntry
    method that you're using expects a certificate chain
    to accompany the Key if it is used as a private key.
    If you don't want to use the key as one of the
    available types, perhaps you need to use the
    CertStore object as opposed to the KeyStore object.Hi,
    I've got the same exception althought I specified the type of entry. Here is my test code :
    public void createKeyStore() {
         try {
              KeyGenerator keyGen = KeyGenerator.getInstance("DES");
              SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN");
              keyGen.init(56, random);
              SecretKey secretKey = keyGen.generateKey();
              KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
              char password[] = {'j', 's', 'd', '4', '9', '4' };
              // Create an empty keystore
              ks.load(null, password);
              KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(secretKey);
              ks.setEntry("symKey", skEntry, new KeyStore.PasswordProtection(password));
              // store away the keystore
              java.io.FileOutputStream fos =
                   new java.io.FileOutputStream("mystore");
              ks.store(fos, password);
              fos.close();
         } catch (NoSuchAlgorithmException nsaex) {
              nsaex.printStackTrace(System.err);
         } catch (NoSuchProviderException nspex) {
              nspex.printStackTrace(System.err);
         } catch (KeyStoreException ksex) {
              ksex.printStackTrace(System.err);
         } catch (CertificateException cex) {
              cex.printStackTrace(System.err);
         } catch (IOException ioex) {
              ioex.printStackTrace(System.err);
    } ... and what I don't understand is that the main idea of this code is taken from the Java API documentation itself. See this url for reference
    http://java.sun.com/j2se/1.5.0/docs/api/java/security/KeyStore.html

  • Java.security.InvalidKeyException: Illegal key size

    Hi,
    I have developed an adf application using jdeveloper 11g which hosts weblogic 10.3.3.0.
    My adf application has to connect to an external application for credit card validation.
    To achieve this i am using a HTTPURLConnection and passing the external address and attributes that has to be written to it.
    The external application which i am trying to connect is secured starts with https://..
    I get an error as soon i am trying to open the "connection.getOutputStream()".
    Following is the error i am getting
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    java.security.InvalidKeyException: Illegal key size
         at javax.crypto.Cipher.a(DashoA13*..)
         at javax.crypto.Cipher.init(DashoA13*..)
         at javax.crypto.Cipher.init(DashoA13*..)
         at com.certicom.tls.provider.Cipher.init(Unknown Source)
         at com.certicom.tls.ciphersuite.SecurityParameters.createWriteCipher(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.changeCipherSpec(Unknown Source)
         at com.certicom.tls.record.handshake.ClientStateReceivedCertificate.handle(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at com.certicom.tls.record.WriteHandler.write(Unknown Source)
         at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)The code i am using to connect to the external website is as follows.
        URL url;  
        HttpURLConnection connection = null; 
        try {    
          //Create connection  
          url = new URL(targetURL); 
          connection = (HttpURLConnection)url.openConnection();   
          connection.setRequestMethod("POST");
          connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
         connection.setRequestProperty("Content-Length", "" + Integer.toString(urlParameters.getBytes().length));
          connection.setRequestProperty("Content-Language", "en-US");  
          connection.setUseCaches (false); 
           connection.setDoOutput(true); 
           DataOutputStream wr = new DataOutputStream (      
               connection.getOutputStream ());
                wr.writeBytes (urlParameters);  
                wr.flush ();  
          wr.close ();   
                //Get Response   
          InputStream is = connection.getInputStream();  
          System.out.println("after getting input stream");
        BufferedReader rd = new BufferedReader(new InputStreamReader(is));  
          System.out.println("after BUffered reader");
        String line;  
        StringBuffer response = new StringBuffer();  
          System.out.println("after String buffer");
        while((line = rd.readLine()) != null) {     
          response.append(line);   
          response.append('\r');  
          }      rd.close();  
        return response.toString();
        } catch (Exception e) { 
          e.printStackTrace();   
          return null; 
          } finally { 
          if(connection != null) {      
            connection.disconnect();  
        }I am currently totally clueless , i dont understand what steps should i take. Is this error due to some keystore stuff??
    I even tried to replace the policy files in jre as per some blogs but it still does not work.
    I have very limited knowledge of the security issues with weblogic , i will really appreciate if i can get any links or any help in this matter.
    Thanks in advance
    ash

    The messages prior to the exception are very significant:
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Oct 8, 2010 10:32:54 AM CDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    java.security.InvalidKeyException: Illegal key size
    So there are at least 4 certificates in your server's truststore that are causing issues.
    Is your weblogic server using CustomIdentityAndStandardTrust? If so, the the keystore is the $JAVA_HOME/jre/lib/security/cacerts
    You should familiarize yourself with keytool ( in $JAVA_HOME/bin ) and consider removing entries from your trust store unless you absolutely need them and are willing to trust any cert signed by them. There's been a thread about some newer Certificate Authorities ( CAs ) that were included as part of a recent java upgrade which have caused similar "unknown OID" issues.
    For your specific endpoint, you can use your browser to invoke the services' wsdl; this will cause your browser to fetch the certificate from that server
    You can then see what CA is used to sign it. Then see whether that CA is in your truststore.
    There is also a thread with a very simple class to test the SSL handshake:
    Re: Use Server Cert in Managed server not working

  • Java Security Error

    Hi Guys
    I am getting following error, when i am loading third party vendor JAR files into oracle db.
    ****************** error *****************
    badly formed class: User has attempted to load a class (java.security.cert.X509CRLEntry) into a restricted package. Permission can be granted using dbms_java.grant_permission(<user>, LoadClassInPackage...
    can anybody help me in this. like what could be the reason and what to do.
    i will apprecieate for for ASAP response.
    Regards
    Praveen
    null

    Java security. This is a privileged area. Please read the following docs: http://technet.oracle.com/docs/products/oracle8i/doc_library/817_doc/java.817/a83728/securit2.htm
    null

  • Java security policy trouble

    import javax.crypto.Cipher;
    class TestCifer {
        public static void main(String [] args){
            try {
                Cipher rsaCipher = Cipher.getInstance("RSA/ECB/nopadding");
                if (null != rsaCipher)
                    System.out.println("Cifer ok");
                else
                    System.out.println("Cifer failed");
            } catch (Exception e){
                e.printStackTrace();
    }compiling:
    javac TestCifer.java
    running:
    java TestCifer
    And it's generates Exception:
    Exception in thread "main" java.lang.ExceptionInInitializerError
    at javax.crypto.Cipher.getInstance(DashoA12275)
    at TestCifer.main(TestCifer.java:7)
    Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
    at javax.crypto.SunJCE_b.<clinit>(DashoA12275)
    ... 2 more
    Caused by: java.lang.SecurityException: Cannot locate policy or framework files!
    at javax.crypto.SunJCE_b.g(DashoA12275)
    at javax.crypto.SunJCE_b.e(DashoA12275)
    at javax.crypto.SunJCE_q.run(DashoA12275)
    at java.security.AccessController.doPrivileged(Native Method)
    ... 3 more
    What do I need to install to run this code properly ?

    Why do you think this is a security problem when the exception is explicitly complaining about being unable to find the class MyServer_Stub?
    Have you included the class files for MyServer_Stub in the classpath, or at the codebase?
    Dave.

  • Report to write about Java Security

    Hello
    I'm doing a project for my studies; I'm investigating some points of java security (class loader, bytecoder verifier, security manager and applets). In the second part of my report, I would like to do some tests to show these functionalities in use.
    Here is what I was think to implement
    Security Manager
    - Update the security manager; application can be very restricted - Or very free
    Byte code verifier: I don't know how to test
    Class loader: I don't know how to test
    Applets
    - Show the difference between local and downloaded code (On server vs applet)
         Write the same code for both application. The only difference will be that one application will be downloaded; the other one run from the server.
    - Show the difference between signed applet and untrusted applet
    Write the same code for both applets. The only difference will be that just one applet we be signed.
    - Possibilities on extending the sandbox. What can do an applet?
    What do you think about these tests?
    Do you have some ideas for my missing tests?
    Thanks in advance
    Romain

    I would like to do some forbidden actions, to show how Java reacts.
    Is it possible to change the bytecode? In order to raise an error from the bytecode verifier?
    Actually, I would like to implements attacks, and Java would protect the application.
    I hope you understand what I mean.

Maybe you are looking for

  • Calling a report

    Dear all, good morning, i am calling a report from a form and getting error like numeric value error. any one can help. form is running individuallu fine and also report as well. when i am trying to call form form in application only the problem is c

  • Query to map values between tables

    Hi, I'm trying to group data from the following three tables to create a new table. Fields in bmf: account_no, trans_date cmf: account_no, balance_due acct_map: account_no, external_id The fields I want in my new table are : external_id, account_no,

  • BB 9300. BB protect not working.

    Everytime I click on the protect Icon it takes me to the download screen.  When Try downloading, it says "download failed." I checked the details and it says 907 error Code.  

  • Getting iBook and PC both connected to internet

    I am new to owning a Mac and have another computer which is a PC. I would like to have it so that both the PC and Mac can be connected to the the same internet connection at the same time without having to set up another DSL line. I don't know if thi

  • Weird lookup column issue

    I have process that I setup to summarize a list in a lookup column in another list and to automatically generate emails based on the lookup column. I noticed that things weren't behaving quite as expected and after some extensive troubleshooting foun