Key store on JNDI ?

Hi,
I develop an application running inside an application server (JBoss 4). The application has functionality that requires the use of cryptographic keys for signing and decrypting data.
My question is about concurrent access to such a keystore: under heavy load, one key may be accessed from many threads. How do I deal with it? Would it be a good solution to put the keystore object on JNDI and retrieve it every time it should be used?
regards,
Martin

Hi there Martin,
Your concerns about keystores are valid, though technically you can set up the keystore as a physical file and have each thread request the keys. I know that under heavy loads this isn't really that much of a problem, as each thread is technically doing a READ of the file and not locking it. The problem comes in when you need to either delete or add a new key to that keystore. Both require a WRITE lock, and as this is file IO, you will get locking errors.
I came up with a solution (which I just finished implementing/testing about 20 minutes ago :) ) wherein you store each key within its own keystore, and then store that keystore under the alias's name in a database table, using a varbyte datatype, because you can keystore.store(ByteArrayOutputStream, passwordChars) and then store that to a DB row.
This gives me an average column size of around 1500 bytes for each keystore. Not only that, but when I need to add/remove certs it's a database call, which handles read/write locks well and, once done, allows the other threads to continue. And you can cache that table, and maybe even put it on JNDI as you asked.
Hope this gives you a bit of help.
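As an added illustration (not code from either poster), here is how the reply's per-alias keystore approach can look in Java: each key lives in its own PKCS12 keystore, KeyStore.store() turns it into the byte array that would go into the varbyte column, readers go through an in-memory cache, and a write replaces the row and evicts the cached copy. The ConcurrentHashMap standing in for the DB table, the alias "order-signing", the password and the AES key are all constructed for this example; a PrivateKeyEntry with its certificate chain is stored the same way.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * One keystore per alias, serialised with KeyStore.store(ByteArrayOutputStream, ...)
 * and kept as a byte[] "row" keyed by alias. Readers use a cache of loaded
 * KeyStore objects; a write replaces the row and evicts the cached copy.
 */
public final class PerAliasKeyStoreRepository {

    private static final String TYPE = "PKCS12";

    // Stand-in for the database table (alias -> varbyte column). In a real
    // deployment this is a JDBC table; the map only keeps the example self-contained.
    private final Map<String, byte[]> table = new ConcurrentHashMap<>();

    // Read cache. Cached KeyStore instances are never modified after loading
    // (no setEntry on them), so concurrent getKey() calls do not race a writer.
    private final Map<String, KeyStore> cache = new ConcurrentHashMap<>();

    /** Wrap a single entry in its own keystore and persist it under the alias. */
    public void put(String alias, KeyStore.Entry entry, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(TYPE);
        ks.load(null, null);                         // fresh, empty in-memory keystore
        ks.setEntry(alias, entry, new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);                     // these bytes are the DB row
        table.put(alias, out.toByteArray());
        cache.remove(alias);                         // next reader reloads the new row
    }

    /** Remove the alias; the table (here the map) serialises this with concurrent reads. */
    public boolean remove(String alias) {
        cache.remove(alias);
        return table.remove(alias) != null;
    }

    /** Size of the stored row, comparable to the ~1500 bytes reported above. */
    public int storedSize(String alias) {
        byte[] row = table.get(alias);
        return row == null ? -1 : row.length;
    }

    /** Fetch the key for signing/decrypting; loads and caches the keystore on first use. */
    public Key key(String alias, char[] password) throws Exception {
        KeyStore ks = cache.get(alias);
        if (ks == null) {
            byte[] row = table.get(alias);
            if (row == null) return null;
            ks = KeyStore.getInstance(TYPE);
            ks.load(new ByteArrayInputStream(row), password);
            KeyStore prev = cache.putIfAbsent(alias, ks);
            if (prev != null) ks = prev;             // another thread loaded it first
        }
        return ks.getKey(alias, password);
    }

    public static void main(String[] args) throws Exception {
        PerAliasKeyStoreRepository repo = new PerAliasKeyStoreRepository();
        char[] pw = "change-me".toCharArray();       // constructed sample password

        // A symmetric key stands in for the signing/decryption key so the example
        // needs no certificate; a PrivateKeyEntry is stored through the same put().
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aes = kg.generateKey();
        repo.put("order-signing", new KeyStore.SecretKeyEntry(aes), pw);
        System.out.println("row bytes: " + repo.storedSize("order-signing"));

        // Many threads reading the same alias: no file handle, no lock, just the cache.
        AtomicInteger failures = new AtomicInteger();
        Thread[] readers = new Thread[8];
        for (int i = 0; i < readers.length; i++) {
            readers[i] = new Thread(() -> {
                try {
                    Key k = repo.key("order-signing", pw);
                    if (k == null || !Arrays.equals(k.getEncoded(), aes.getEncoded()))
                        failures.incrementAndGet();
                } catch (Exception e) {
                    failures.incrementAndGet();
                }
            });
            readers[i].start();
        }
        for (Thread t : readers) t.join();
        System.out.println("reader failures: " + failures.get()
                + ", removed=" + repo.remove("order-signing"));
    }
}
```

The JDK does not document KeyStore as thread-safe, which is why the cache hands out instances that are only ever read and replaces them wholesale on a write instead of mutating them in place.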

Similar Messages

  • Custom Trust and Key Store

    Hello, I've successfully configured the Custom Trust and Key Store on one server (hosting OpenSSO,) but when I follow the exact same directions to configure the Custom Trust and Key Store on another server (hosting Identity Manager with OpenSSO policy agent) WebLogic pre-empts my configuration by loading the DemoTrust.jks and cacerts keystores. I think the issue is introduced because the OpenSSO policy agent requires an Authentication Provider (Agent_Authenticator, com.sun.identity.agents.weblogic.v10.AmWLAuthProvider) that is loaded before the WebLogic domain's config/config.xml file, which contains the Custom Trust and Key Store entities.
    Thanks.
    A part of the log file showing that these two stores are loaded before the custom identity and trust stores are loaded:
    Note JAVA_OPTIONS has -verbose:class and -Dssl.debug=true set

    Faisal Khan wrote:
    <BEA-000000> <Failure loading trusted CA list
    java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
    The root problem is that the Certicom SSL does not support the SHA256 algorithm, which is required by the trusted certificates "ttelesecglobalrootclass2ca" and "ttelesecglobalrootclass3ca".
    A fix is included in JDK 1.6.0_13 wherein WLS just ignores these certificates.
    You can get more information on the fix from Oracle Support.
    You can delete these certificates yourself using the keytool utility.

    Thank you. I removed them all, but WebLogic still loads the Demo and JDK keystores and not the custom keystores before loading the security realm.
    Is there a way to specify the KeyStores for the security realm?
    I've provided the following to the JVM but to no avail:
    -Djavax.net.ssl.keyStore=/export/home/weblogic/keystore/keystore.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=***** -Djavax.net.ssl.trustStore=/export/home/weblogic/keystore/keystore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=*****

  • Private Key Store

    If you have 2 separate VPN clients using certificates on Windows 7, can/would the private keys use separate private key stores?

    Hi,
    Every certificate is stored with its private key. 
    For more information, please refer to this article:
    Export a Certificate with the Private Key
    http://technet.microsoft.com/en-us/library/cc754329.aspx
    Karen Hu
    TechNet Community Support

  • Built two OIF 11.1.1.2 instances in same IDMDomain, second instance cannot read key store

    I asked about loading two versions of OIF onto two different managed servers listening on two different ports but within the same IDMDomain that gets bootstrapped here: Different instances of OIF within the same IDMDomain
    I have built this out. Here is what it looks like in EM. Ports are highlighted.
    AdminServer 7001
         wls_oif1 7499 (bootstrapped at config)
              OIF 11.1.1.2 (bootstrapped at config)
         wls_oif2 7498 (cloned from wls_oif1 in WL Console)
              OIF 11.1.1.2 (changed target from bootstrapped instance to hit both servers)
    I had to do a few other hacky things to get this up without any erratic EM or application errors. I had to change the targets on several libraries and other EAR/WARs to hit both wls_oif1 and wls_oif2, and then edited my config.xml for IDMDomain to reference all three servers where it would only reference Admin and wls_oif1 before, and changed single references to wls_oif1 to both wls_oif1 and wls_oif2. This got me a stable EM and deployment.
    I can pull metadata from http://dlaxoifs101:7499/fed/idp/metadata, but I get an HTTP 500 error when trying http://dlaxoifs101:7498/fed/idp/metadata. The only error in the logs of wls_oif2 OIF instance is:
    Message ID: FED-20000
    Message Level: 1
    Relationship ID: 0
    Component: wls_oif2
    Module: oracle.security.fed.sec.key.select.CryptoStore
    Host: dlaxoifs101.devapollogrp.edu
    Host IP Address: 10.87.1.3
    User: <anonymous>
    Thread ID: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'
    ECID: 37391fee28ccc45c:-13d3734e:13ff2932ce7:-8000-0000000000000570
    Message: Cannot open the key store.
    I altered the config of the Admin Server and wls_oif2 Identity and Trust to reference some new keystores of my own creation to make sure the cloned server and the Admin server were speaking the same language, but that just prevented me from being able to start wls_oif2 due to an "SSL not trusted" error, which was odd because I am not using SSL in any of these connections.
    So am I missing any other keystores, or do I just need to admit that running two distinct OIF instances on the same IDMDomain is not supported and a bad idea?

    First, I sent an email to the author of PhotoME to inform him of the serious issues his addon caused with Firefox latest versions.
    Now, for those of you who do not have the PhotoME addon and yet experience the same problem that I had and that I described above, I suggest the following strategy.
    As PhotoME did cause these problems with Firefox latest versions, I am pretty convinced other addons probably might cause these problems too. Therefore, adopt the following method.
    Test one addon at a time to see if this particular addon is behind your Firefox issues like the ones I had.
    So, disable one addon only at a time. Then close your Firefox and restart it from scratch and see if you still have your Firefox problems. You must restart the Firefox browser from scratch. If you still have these Firefox problems, re-enable the disabled addon, restart your Firefox (again!) and repeat the same method for every single addon that you have.
    Try to be selective by choosing first addons that are more likely to cause your Firefox problems such as not very well-known or not very popular addons (like it was the case for the PhotoME addon).
    If this method works or if it does not work, report it on this web page so that others can be helped with your comments.
    I hope this method will help you because I was really upset that I had these Firefox problems and I first thought it was the fault of Firefox, only to discover later that this PhotoME addon was the culprit and had caused me such upset.

  • How to store a RSA pair key in Java Key Store (jks) and VS

    Hi Everyone ,
    I have generated an RSA key pair. Now I need to store my public key in a Java Key Store (.jks file), and then I need to read this .jks file in another application and get this public key to use for verification.
    I'll appreciate it if anyone could help me with this matter with a sample code for import/export public key to/from a java key store file or any hints.
    Best Regards,
    Vivian

    I don't think this makes sense. How have you generated an RSA key pair and where is the result stored?
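The point behind the reply, as an added example that is not code from the thread: a JKS has no entry type for a bare public key, so the public half travels inside the certificate that keytool generated together with the key pair. The Java below assumes an identity keystore signer.jks created with the keytool command in the comment; the file names, the alias "signer" and the password "changeit" are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;

/**
 * Added example, not from the original thread. Assumes an identity keystore
 * "signer.jks" created beforehand with keytool (placeholder names/password):
 *   keytool -genkeypair -alias signer -keyalg RSA -keysize 2048 \
 *           -keystore signer.jks -storepass changeit -keypass changeit
 * keytool wraps the public key in a self-signed certificate; that certificate,
 * not the raw public key, is what a second JKS can hold as a trusted entry.
 */
public class JksPublicKeyExchange {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Application 1: sign data with the private key held in the identity keystore. */
    static byte[] sign(KeyStore identity, String alias, char[] keyPassword, byte[] data) throws Exception {
        PrivateKey priv = (PrivateKey) identity.getKey(alias, keyPassword);
        if (priv == null) {
            throw new IllegalStateException("no private key under alias " + alias);
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(priv);
        sig.update(data);
        return sig.sign();
    }

    /** Export only the certificate (public half) into a separate keystore for the verifier. */
    static void exportPublicKeyStore(KeyStore identity, String alias, String outPath, char[] outPassword) throws Exception {
        Certificate cert = identity.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        KeyStore pub = KeyStore.getInstance("JKS");
        pub.load(null, null);                  // start an empty in-memory store
        pub.setCertificateEntry(alias, cert);  // trusted-certificate entry: no private key inside
        try (OutputStream out = new FileOutputStream(outPath)) {
            pub.store(out, outPassword);
        }
    }

    /** Application 2: read the public key back out of the certificate entry and verify. */
    static boolean verify(KeyStore pubStore, String alias, byte[] data, byte[] signature) throws Exception {
        Certificate cert = pubStore.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        PublicKey pub = cert.getPublicKey();
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();  // placeholder password matching the keytool command above
        byte[] payload = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        KeyStore identity = loadJks("signer.jks", pw);
        byte[] signature = sign(identity, "signer", pw, payload);

        // Hand only the certificate to the verifying application.
        exportPublicKeyStore(identity, "signer", "verifier.jks", pw);

        KeyStore pubOnly = loadJks("verifier.jks", pw);
        System.out.println("verifier.jks holds a private key: " + pubOnly.isKeyEntry("signer"));
        System.out.println("signature verifies: " + verify(pubOnly, "signer", payload, signature));

        // Flip one bit of the payload to show that verification fails on modified data.
        byte[] tampered = payload.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered data verifies: " + verify(pubOnly, "signer", tampered, signature));
    }
}
```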

  • Trouble with handheld key store.

    Hi,
    I got this second-hand BlackBerry 8820 and I tried to download the Facebook app, but for some reason it needed the handheld key store. Can anyone please help me with this? Oh, one more thing, I didn't get any manual or CD for this BlackBerry.
    thank you 

    when you are prompted for the key store password, just click "cancel".
    The search box on top-right of this page is your true friend, and the public Knowledge Base too:

  • Key store problem using bouncycastle

    Hey guys, I'm writing pseudo PGP encryption code using the BouncyCastle provider. Now everything works great when I start my project from NetBeans 6.8, but when I build the .jar file, execute it and try to create a key store I get the following message: "java.io.IOException: Error initialising store of key store : java.security.NoSuchProviderException: JCE cannot authenticate the provider BC". Does anyone know what might be the problem?

    Vaskea wrote:
    Hey guys, I'm writing pseudo PGP encryption code using the BouncyCastle provider. Now everything works great when I start my project from NetBeans 6.8, but when I build the .jar file, execute it and try to create a key store I get the following message: "java.io.IOException: Error initialising store of key store : java.security.NoSuchProviderException: JCE cannot authenticate the provider BC". Does anyone know what might be the problem?

    You probably have not included the BC JCE jar in your classpath!

  • Trust Key Store - Interesting question ....

    Hi,
    Currently, using one-way SSL, we get a 200 millisecond overhead from the client perspective. I have a gut feeling that the trust key store check adds a lot of overhead (since it does an I/O check).
    If my gut is right ...
    Is there any way to cache the trust key store? (I am using a stand-alone Java client, running it on JUnit.)
    Thanks


  • Trust store and key store

    What is the fundamental difference between trust store and key store ?

    what this means to an end user?
    I have no idea, but what it means to me is that JBoss doesn't understand the difference between them any more than you did when you asked the question.
    A keystore is a high-security item that needs to be kept under lock and key as it contains credentials sufficient to identify that peer legally, and I mean in a courtroom in a dispute over millions of dollars. A truststore on the other hand is a collection of public certificates whose security requirement is to prevent people adding untrustworthy certificates to it. A completely different matter. In any large organization, the personnel with the authority over the keystore would never be the same as the personnel with authority over the truststore. Putting both in the same file compromises the security of both. It makes no sense whatsoever.

  • Trust and Key Store config values? - OBPM 10g (Linux) With Websphere6 (AIX)

    Hi,
    We installed OBPM 10gR3 on Linux (10.3.2 for WebSphere) with WebSphere 6.1.0.21 on AIX.
    When we try to save values in following section we are getting an error:
    Engines > Edit Engine bpmengine > JMX Engine Management Configuration
    Attributes are:
    Host / Port / Security Enabled / Principal / Credentials / Trust store / Trust store password / Key store / Key store password
    Can anybody please help with what values to put for the following parameters under JMX Engine Management Configuration with respect to WebSphere Application Server 6.1.0.21:
    Trust store: ?
    Trust store password: ?
    Key store: ?
    Key store password: ?
    Please help us in case anybody came across this.
    Thanks and Regards
    SH

    Well it seems that my trouble all started when I began using the 'printable = yes' option for shares. Since I removed that the troubles seem to have left me.
    Does anyone know why that is listed as an option in smb.conf here:
    # A publicly accessible directory, but read only, except for people in
    # the "staff" group
    ;[public]
    ; comment = Public Stuff
    ; path = /home/samba
    ; public = yes
    ; writable = yes
    ; printable = no
    ; write list = @staff
    As well as in a few other examples, if it doesn't work? I saw the example and assumed that option was needed to print from those shared directories.
    Also, it seems that the comma is not needed between the 'valid users' names.
    Also, I guess it wasn't Windows XP's fault either but rather my own ignorance. I like the idea of blaming Windows better though.....
    I hope this serves to help others avoid my mistakes.

  • WLST/start AdminServer - problems with trusted cert key store

    Hello,
    I have clustered environment. Machine1: AdminServer and odi_server1. Machine2: odi_server2. There is NodeManager running on each machine. This is my nodemanager.properties for NodeManager on Machine1:
    #Thu Dec 19 13:18:30 CET 2013
    #Thu Dec 19 11:29:43 CET 2013
    #Thu Dec 19 11:17:53 CET 2013
    #Tue Dec 11 11:40:20 CET 2012
    DomainsFile=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.domains
    LogLimit=0
    PropertiesVersion=10.3
    DomainsDirRemoteSharingEnabled=false
    javaHome=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64
    AuthenticationEnabled=true
    NodeManagerHome=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager
    JavaHome=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
    LogLevel=INFO
    DomainsFileEnabled=true
    StartScriptName=startWebLogic.sh
    ListenAddress=
    NativeVersionEnabled=true
    ListenPort=5556
    LogToStderr=true
    SecureListener=true
    LogCount=1
    DomainRegistrationEnabled=false
    StopScriptEnabled=false
    QuitEnabled=false
    LogAppend=true
    StateCheckInterval=500
    CrashRecoveryEnabled=false
    StartScriptEnabled=true
    LogFile=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.log
    LogFormatter=weblogic.nodemanager.server.LogFormatter
    ListenBacklog=50
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/keystore.jks
    CustomIdentityKeyStorePassPhrase={3DES}VRCBXCfDocQ=
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/cacerts.jks
    CustomTrustKeyStorePassPhrase=
    CustomIdentityAlias=keyAlias
    CustomIdentityPrivateKeyPassPhrase={3DES}VRCBXCfDocQ=
    As you can see, I have my custom trust (cacerts.jks) and identity (keystore.jks) keystores and they are set for node manager in this file. Next, nodemanager is started via wlst, like this:
    bea_home = '/home/oracle/Oracle/Middleware';
    pathseparator = '/';
    listen_port = '5556';
    listen_address = 'eb-etl1';
    node_manager_home = bea_home + pathseparator + 'wlserver_10.3' + pathseparator + 'common' + pathseparator + 'nodemanager';
    startNodeManager(verbose='true', NodeManagerHome=node_manager_home, ListenPort=listen_port, ListenAddress=listen_address);
    I want to start my AdminServer via wlst (by connecting to nodemanager), like this:
    bea_home = '/home/oracle/Oracle/Middleware';
    pathseparator = '/';
    admin_username = 'weblogic';
    admin_password = '1q2w3e1q2w3e';
    listen_address = 'eb-etl1';
    listen_port = '5556';
    admin_server_url='t3://eb-etl1:7005'
    domain_name = 'odi_cluster';
    domain_home = bea_home + pathseparator + 'user_projects' + pathseparator + 'domains' + pathseparator + domain_name;
    print 'CONNECT TO NODE MANAGER';
    nmConnect(admin_username, admin_password, listen_address, listen_port, domain_name, domain_home, 'ssl');
    print 'START ADMIN SERVER ONLY ON THE MACHINE WHERE THE ADMIN SERVER IS PRESENT';
    nmStart('AdminServer');
    print 'CONNECT TO ADMIN SERVER';
    connect(admin_username, admin_password, admin_server_url);
    print 'START MANAGED SERVERS ON THE MACHINE';
    start('odi_server1','Server');
    But I can't even connect to node manager:
    CONNECT TO NODE MANAGER
    Connecting to Node Manager ...
    <2013-12-19 13:48:23 CET> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
    <2013-12-19 13:48:23 CET> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Warning> <Security> <BEA-090542> <Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
    This Exception occurred at Thu Dec 19 13:48:24 CET 2013.
    javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
    Problem invoking WLST - Traceback (innermost last):
      File "/home/oracle/Oracle/Middleware/deploy/scripts/startBiatelbit_puw.py", line 12, in ?
      File "<iostream>", line 123, in nmConnect
      File "<iostream>", line 648, in raiseWLSTException
    WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : [Security:090542]Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
    Use dumpStack() to view the full stacktrace
    So - it seems my trust keystore is not even used, why? Why is the demo key store still used??
    If I remove this:
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/keystore.jks
    CustomIdentityKeyStorePassPhrase={3DES}VRCBXCfDocQ=
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/cacerts.jks
    CustomTrustKeyStorePassPhrase=
    CustomIdentityAlias=keyAlias
    CustomIdentityPrivateKeyPassPhrase={3DES}VRCBXCfDocQ=
    from my nodemanager.properties, there is no exception while connecting to node manager and I can start the admin server. But - I can't start odi_server1 (the weblogic console says that node manager for Machine1 is unreachable). On the other hand, when I run AdminServer via the startWebLogic script (with the above keystore definitions), I can start my odi_server1 via the weblogic administration console without any problems.
    Also, NodeManager for Machine2 is always unreachable, no matter what I do (with or without keystore definitions).
    Do you have any idea what am I doing wrong?

    Hi,
    If the admin URL is specified with the https protocol, then http tunneling must be enabled for the server from the console -> servers -> AdminServer ->Protocols -> http.
    Moreover we also need to add following java options to the stopWebLogic.cmd or setDomainEnv.cmd:
    set JAVA_OPTIONS=$JAVA_OPTIONS$ -Dweblogic.security.IdentityKeyStore=CustomIdentity -Dweblogic.security.CustomIdentityKeyStoreFileName=identity.jks -Dweblogic.security.CustomIdentityKeyStorePassPhrase=password -Dweblogic.security.Identity.KeyStoreType=JKS -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=trust.jks -Dweblogic.security.CustomTrustKeyStoreType=JKS -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.IgnoreHostNameVerification=true -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Regards,
    Kal

  • AuthSSLProtocolSocketFactor could not load the certificate from key store

    Hello,
    I am trying to use this to the mutual authentication.
    I created a self-signed cert and imported it into a key store. I tried a couple of ways to create the cert, but all of them failed when creating AuthSSLProtocolSocketFactory:
    new AuthSSLProtocolSocketFactory( new URL("file:my.keystore"), "mypassword", new URL("file:my.truststore"), "mypassword")
    One of the stores, the one which is used for SSL by the Jetty server that is approved, works.
    The exception is like this:
    java.io.IOException: Keystore was tampered with, or password was incorrect
         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
         at java.security.KeyStore.load(KeyStore.java:1185)
         at org.apache.commons.ssl.KeyStoreBuilder.tryJKS(KeyStoreBuilder.java:519)
         at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:365)
         at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:240)
         at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:232)
         at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:220)
         at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:214)
         at org.apache.commons.ssl.SSL.<init>(SSL.java:170)
         at org.apache.commons.ssl.SSLClient.<init>(SSLClient.java:62)
         at org.apache.commons.ssl.HttpSecureProtocol.<init>(HttpSecureProtocol.java:57)
         at org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory.<init>(AuthSSLProtocolSocketFactory.java:175)
    Any help will be greatly appreciated!

    Hello,
    I am using the same way as that in this post:
    Re: apache commons httpclient - keystore problem
    However, it seems the client did not send the cert to the server. BTW, the server is Jetty.
    Here is the way how to generate the client cert:
    keytool -genkey -alias client-alias -keyalg RSA -keypass password -storepass password -keystore clientStore.jks
    keytool -export -alias client-alias -keypass password -storepass password -file client.cer -keystore clientStore.jks
    keytool -import -v -trustcacerts -alias client-alias -file client.cer -keypass password -storepass password -keystore cacerts.jks
    Here is the exception:
    WARNING: EXCEPTION
    javax.net.ssl.SSLHandshakeException: null cert chain
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
         at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1206)
         at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:148)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
         at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:630)
         at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:488)
    2011-02-03 11:05:31,914 [main] granteeId=2 ERROR sms.SendSmsTextsProcess$2 - A unexpected exception occurred processig sms AlertMessage 2
    java.lang.RuntimeException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
         at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:101)
         at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:72)

  • Please enter your key store password

    Almost each time my BB syncs via my computer, I get this request to enter my key store password.
    What is meant and why ?
    Pete

    Hi,
    Go to options, security options, do you have content protection enabled?
    Go options, media card, encryption mode, do you have this enabled?
    Thanks,
    Bifocals

  • Help with understanding SSL on Netweaver 7.1 and the relevant key stores.

    I am having a great difficulty in understanding how SAP manages and uses SSL certificates in Netweaver 7.1.  More specifically, what the difference is between System, Server, and Client.
    As I can see, there are three PSE key stores I see within STRUST. 
    1. SSL System PSE
    2. SSL Server PSE 
    3. SSL Client PSE
    The System PSE I believe is installed by default and enables the systems to communicate between each other, such as Application Servers and the Central Instance. 
    The Server PSE is where I store the certificate I generated and had signed by a CA (certificate authority). It contains a root and intermediate certificate and both have been imported back into the Server PSE store. When partners connect to me and I agree to accept server-only authentication, it is this cert that identifies my server as a trusted server to the partner. Do I need to add the partner's "root" or "intermediate" certs to my Server PSE in order to allow SSL login?
    The Client PSE is where I store partners' client certificates that I allow to log in via "client" authentication. Without their key installed in this store, they will not be allowed to log in via SSL.
    When I wish to make connections to partners, I will take my Server key from the Server PSE, export the key, and send it to the partner so they can import it into their key store.
    Does the above sounds right?  Any clarification would be greatly appreciated.
    Thanks,
    Mike.
    P.S.  I also have questions about how and if certificates are synchronized from the ABAP stack (STRUST) to the JAVA stack (Netweaver Administrator), as keys can be stored in either direction.  If not, does where you store the certificate depend if it is an ABAP or JAVA type connection?

    hi michael,
    please be careful - actually, there is NO SSL System PSE.
    There is only a so called "System PSE", which is not at all related to SSL.
    The PSEs actually available for SSL as default are:
    - the SSL Server PSE (which is a rather complicated construction ... see below) [mandatory]
    - the SSL Client PSE (standard)
    - the SSL Client PSE (anonymous)
    Looking at connections using HTTPS/SSL, you always have two communication partners: an entity issuing a request, named the "client", and another entity, to which the request is sent in order to be responded to, named the "server".
    Since an SAP ABAP system can be either client or server in this setup, we have the chance to provide different security environments (= PSE) for these communication roles.
    When the SAP system initializes a HTTPS communication, it will make use of one of the SSL Client PSEs. These PSEs mainly serve the purpose of storing the CA certificates that are trusted. Only servers whose server certificate is signed by a CA where the CA root certificate is contained in the SSL Client PSE can be connected to. If the server's certificate is not trusted, the error message "verification of the server's certificate chain failed" will appear in the ICM trace (see note 1094342).
    The difference between SSL Client PSEs "standard" and "anonymous" is the actual certificate - the "anonymous" PSE always contains the distinguished name (DN) "CN=anonymous", which can not be used for client authentication. In contrast, the "standard" PSE's DN can be defined freely, so this PSE can be signed by a CA and furthermore used for client authentication.
    Now for the SSL Server PSE.
    As mentioned already, the SSL Server PSE can be a complicated thing ... actually, this PSE is only a container for more PSEs. There must be at least the "default" PSE (unfortunately also called "standard"), and there can be up to 1 PSE for each application server.
    In a standard setup, the default PSE is used only for those cases where no application server specific PSE applies. The application server specific PSEs are supposed to be the ones that are actually used by the ICM.
    What does "up to 1 per AS" mean? Well - as soon as two SSL Server PSEs use the same DN, these PSEs are no longer distinguished, and will be mapped to the same PSE data (key pair, certificate list). So, if you define the same DN for several application servers, only one PSE is created and used by both application servers.
    I hope this (lengthy) epistle answers more questions than it opens new ones...
    regards,
    sebastian
    Edited by: Sebastian Broll on Apr 8, 2010 8:07 AM (formatting)

  • How to find my initial Key Store Password?

    I have an older Curve, and recently changed my gmail password.  For the first time I can remember, the phone needs me to enter the Key Store password.  (T-Mobile has a security certificate with some issue, and I need to tell the phone, "Trust Certificate".)
    I don't think I've ever dealt with Key Store password before.  My PIN doesn't work.  I have never enabled the phone's Password, never set the password. 
    Searches here in support plus reading the User's manual for this model 8320 tells me lots of info about the Key Store - including, I might have to reset the phone (and lose lots of data) - however nowhere have I determined how this password was initially set.  When I reset the phone, how do I even find out what the new password is?  Is this something RIM sets, or T-Mobile sets, or do I set it?  (Yes I see that I can change it - but only if I know what the existing password is.)
    Thanks for any help!  tstockma

    Hi tstockma,
    In order to change your keystore password without entering the current password, you will need to backup your data and perform a security wipe. The following KB article provides the steps to perform the security wipe and also to create a new keystore password. "How to reset the keystore password on a BlackBerry smartphone" http://bbry.lv/Nr8fyB 
    Please make sure to backup your data before performing these steps. The following KB articles provide the steps to backup.
    "How to back up BlackBerry smartphone data using BlackBerry Desktop Software for Windows" http://bbry.lv/IWfPl0
    "Back up and restore BlackBerry smartphone data on a Mac computer using BlackBerry Desktop Software" http://bbry.lv/L9UqAk
    Hope this helps.
    -FS
