Keystore and trust store

Hi,
I am writing a lib that uses JSSE. I need to set the keystore and trust store for the SSL to work. I do not want to use the system properties to set the above, as it is a lib and the user may have different values set. Is there any other way of specifying the location of the keystore and truststore, other than system properties?
If anyone knows, please let me know.
Regards,
vani.

My email : [email protected]
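
One way to do what the question above asks, as an added example (not code from this thread): load the keystore and truststore from explicit paths and build an SSLContext that belongs to the library, leaving the javax.net.ssl.* system properties and the JVM default context untouched. It assumes a Java 9+ runtime with the built-in javax.net.ssl API; the class name LibrarySslContext and the command-line arguments are hypothetical.

```java
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

/** Added example (hypothetical class): TLS setup for a library without system properties. */
public final class LibrarySslContext {

    private LibrarySslContext() { }

    /** Loads a store from an explicit path; the JDK 9+ overload detects JKS vs. PKCS12 itself. */
    static KeyStore load(Path file, char[] password)
            throws IOException, GeneralSecurityException {
        return KeyStore.getInstance(file.toFile(), password);
    }

    /**
     * Builds an SSLContext private to the library.
     * keyStore may be null when the library presents no certificate of its own.
     */
    public static SSLContext build(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        // tmf.init((KeyStore) null) would silently fall back to the JVM-wide trust store
        // (javax.net.ssl.trustStore or cacerts), and an empty store fails only at handshake
        // time, so reject both here.
        if (trustStore == null || !trustStore.aliases().hasMoreElements()) {
            throw new IllegalArgumentException("an explicit, non-empty trust store is required");
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // An empty array means "no credentials"; passing null instead would let the
        // provider choose its own default key managers.
        KeyManager[] keyManagers = new KeyManager[0];
        if (keyStore != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(keyManagers, tmf.getTrustManagers(), null); // null = default SecureRandom
        return context;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: LibrarySslContext "
                    + "<keystore> <keystore-pass> <truststore> <truststore-pass>");
            System.exit(2);
        }
        // Passwords come from argv only to keep the example short.
        char[] ksPass = args[1].toCharArray();
        char[] tsPass = args[3].toCharArray();
        try {
            KeyStore keys = load(Paths.get(args[0]), ksPass);
            KeyStore trust = load(Paths.get(args[2]), tsPass);
            SSLContext context = build(keys, ksPass, trust);

            // Hand the factory to each connection the library opens, for example
            // HttpsURLConnection.setSSLSocketFactory(factory), or use
            // context.getServerSocketFactory() inside an RMI server socket factory.
            // A library should not call SSLContext.setDefault(): that changes the whole JVM.
            SSLSocketFactory factory = context.getSocketFactory();
            System.out.println("protocol: " + context.getProtocol());
            System.out.println("cipher suites enabled by default: "
                    + factory.getDefaultCipherSuites().length);
            System.out.println("javax.net.ssl.trustStore (unchanged): "
                    + System.getProperty("javax.net.ssl.trustStore"));
        } finally {
            Arrays.fill(ksPass, '\0');
            Arrays.fill(tsPass, '\0');
        }
    }
}
```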

Hi,
I'm a student who has been working on the Sun JSSE samples for many weeks, and I couldn't run any of them!
I am using the latest JSSE 1.02, the jdk 1.31, working on JBuilder4.
I am working on both the RMI and sockets samples.
On the RMI sample I got this exception: no such algorithm "TSL"
"TSL" not supported
I searched the posted messages in the forum and found someone who had the same problem.
I followed everything he did, but no way...!
I don't know what I forgot to do; see what I did and please tell me what is wrong.
I installed JSSE as described in the install file. I am sure that it is installed correctly.
How to compile???!!!
1. I configured the rmic parameters to generate only the stub compatible with Java 2
2. I compiled the project and got the stub
3. I put these parameters in
Project Properties /Run/ field : VM parameters
-Djava.rmi.server.codebase=file:/c:/windows/jbproject/Sunrmissl/classes/ -Djava.security.policy=file:/c:/windows/jbproject/Sunrmissl/policy.policy -Djavax.net.ssl.trustStore=file:/c:/windows/jbproject/Sunrmissl/testkeys.key
4. I run the rmiregistry
5. I run HelloImpl, but every time I get exceptions:
C:\JBUILDER4\JDK1.3\bin\javaw -classpath "C:\WINDOWS\jbproject\Sunrmissl\classes;C:\jsse-1_0_2-gl\jsse1.0.2\lib\jcert.jar;C:\jsse-1_0_2-gl\jsse1.0.2\lib\jnet.jar;C:\jsse-1_0_2-gl\jsse1.0.2\lib\jsse.jar;C:\JBUILDER4\JDK1.3\demo\jfc\Java2D\Java2Demo.jar;C:\JBUILDER4\JDK1.3\jre\lib\i18n.jar;C:\JBUILDER4\JDK1.3\jre\lib\jaws.jar;C:\JBUILDER4\JDK1.3\jre\lib\rt.jar;C:\JBUILDER4\JDK1.3\jre\lib\sunrsasign.jar;C:\JBUILDER4\JDK1.3\lib\dt.jar;C:\JBUILDER4\JDK1.3\lib\tools.jar" -Djava.rmi.server.codebase=file:/c:/windows/jbproject/Sunrmissl/classes/ -Djava.security.policy=file:/c:/windows/jbproject/Sunrmissl/policy.policy -Djavax.net.ssl.trustStore=file:/c:/windows/jbproject/Sunrmissl/testkeys.key sunrmissl.HelloImpl
java.security.NoSuchAlgorithmException: Algorithm TLS not available
     at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
     at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198])
     at sunrmissl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:39)
     at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:559)
     at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:200)
     at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:172)
     at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:319)
     at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:119)
     at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:125)
     at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:109)
     at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:278)
     at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:209)
     at java.rmi.server.UnicastRemoteObject.<init>(UnicastRemoteObHelloImpl err: null
ject.java:100)
     at sunrmissl.HelloImpl.<init>(HelloImpl.java:27)
     at sunrmissl.HelloImpl.main(HelloImpl.java:41)
java.lang.NullPointerException
     at sunrmissl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:51)
     at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:559)
     at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:200)
     at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:172)
     at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:319)
     at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:119)
     at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:125)
     at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:109)
     at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:278)
     at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:209)
     at java.rmi.server.UnicastRemoteObject.<init>(UnicastRemoteObject.java:100)
     at sunrmissl.HelloImpl.<init>(HelloImpl.java:27)
     at sunrmissl.HelloImpl.main(HelloImpl.java:41)

Similar Messages

  • Configuring JSSE to use Smartcards as Keystores and Trust Stores

    Hello;
    I want to use my Javacard enabled smart card as KeyStore and Truststore stock. I have read that part of the JSSE Reference Guide, and it says this is possible for smart cards. Does anyone know how to do that? I think it happens like this: we get the certificate and key files out of the Javacard enabled smart card into the Java environment and we use the soft keys in the program. This is the first thing that I thought of for how to implement it. Are there any other solutions? Any help is appreciated.

    Hi,
    I am also trying to develop a similar application but I don't know how to do it. Can you please help me with that?
    I need to get user's smartcard based certificate to store in server.

  • Custom Trust and Key Store

    Hello, I've successfully configured the Custom Trust and Key Store on one server (hosting OpenSSO), but when I follow the exact same directions to configure the Custom Trust and Key Store on another server (hosting Identity Manager with OpenSSO policy agent), WebLogic pre-empts my configuration by loading the DemoTrust.jks and cacerts keystores. I think the issue is introduced because the OpenSSO policy agent requires an Authentication Provider (Agent_Authenticator, com.sun.identity.agents.weblogic.v10.AmWLAuthProvider) that is loaded before the WebLogic domain's config/config.xml file, which contains the Custom Trust and Key Store entities.
    Thanks.
    A part of the log file showing that these two stores are loaded before the custom identity and trust stores are loaded:
    Note JAVA_OPTIONS has -verbose:class and -Dssl.debug=true set
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE KeyAgreement: SunPKCS11-Solaris version 1.6 for algorithm DiffieHellman>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm DiffieHellman>
    [Loaded com.certicom.ecc.scheme.DH from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm ECDH>
    [Loaded com.certicom.ecc.scheme.KeyAgreement from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    [Loaded com.certicom.ecc.scheme.ECDH from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    [Loaded com.certicom.ecc.scheme.KDF from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    [Loaded com.certicom.tls.provider.Cipher from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.cipher.NullCipher from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.cipher.ECCpresso_RC4 from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.cipher.des.ECCpresso_DESCBCNoPad from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.cipher.ECCpresso_AESCBCNoPad from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.cipher.JSAFE_RSA from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.cipher.ECCpresso_RSACipher from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.jce.WLCipher from file:/opt/bea/wlserver_10.3/server/lib/wlcipher.jar]
    [Loaded sun.security.pkcs11.P11Cipher from file:/usr/jdk/instances/jdk1.6.0/jre/lib/ext/sunpkcs11.jar]
    [Loaded sun.security.pkcs11.P11Cipher$Padding from file:/usr/jdk/instances/jdk1.6.0/jre/lib/ext/sunpkcs11.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
    [Loaded com.certicom.ecc.scheme.DES from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DES/CBC/NoPadding>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DES>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm AES/CBC/NoPadding>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm AES>
    [Loaded com.certicom.ecc.scheme.AES from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm RC4>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm RC4>
    [Loaded com.certicom.ecc.scheme.ARC4 from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    [Loaded com.sun.crypto.provider.RSACipher from file:/usr/jdk/instances/jdk1.6.0/jre/lib/ext/sunjce_provider.jar]
    [Loaded javax.crypto.spec.PSource from /usr/jdk/instances/jdk1.6.0/jre/lib/jce.jar]
    [Loaded javax.crypto.spec.PSource$PSpecified from /usr/jdk/instances/jdk1.6.0/jre/lib/jce.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
    [Loaded java.util.regex.Pattern$BranchConn from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded java.util.regex.Pattern$Branch from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
    [Loaded com.certicom.tls.interfaceimpl.CertificateSupport from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded java.security.cert.CertificateParsingException from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded java.security.cert.CertificateNotYetValidException from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded java.security.cert.CertificateExpiredException from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded com.certicom.security.cert.internal.x509.X509V3CertImpl from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.KeyFactory from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.net.ssl.TrustManager from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.net.ssl.impl.TrustManagerImpl from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.interfaceimpl.SessionDBImpl from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSL Session TTL :90000>
    [Loaded com.certicom.tls.interfaceimpl.ProtocolVersions from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.interfaceimpl.ProtocolVersion from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLTrustValidator from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded java.security.cert.CertificateEncodingException from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded weblogic.security.SSL.CertPathTrustManager from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLWLSHostnameVerifier from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLWLSHostnameVerifier$DefaultHostnameVerifier from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <DefaultHostnameVerifier: allowReverseDNS=false>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: using pre-mbean command line configuration for SSL trust>
    [Loaded weblogic.security.utils.KeyStoreConfigurationHelper from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.PreMBeanKeyStoreConfiguration from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.KeyStoreInfo from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.KeyStoreConstants from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLContextManager from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/bea/wlserver_10.3/server/lib/DemoTrust.jks.>
    [Loaded weblogic.jndi.ClientEnvironment from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.jndi.Environment from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.KeyStoreUtils from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded java.security.KeyStoreSpi from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.provider.JavaKeyStore from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.provider.JavaKeyStore$JKS from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded java.security.DigestInputStream from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.provider.JavaKeyStore$TrustedCertEntry from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded weblogic.security.utils.SSLCertUtility from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded javax.security.cert.CertificateException from /usr/jdk/instances/jdk1.6.0/jre/lib/jsse.jar]
    [Loaded javax.security.cert.CertificateEncodingException from /usr/jdk/instances/jdk1.6.0/jre/lib/jsse.jar]
    [Loaded javax.net.ssl.SSLException from /usr/jdk/instances/jdk1.6.0/jre/lib/jsse.jar]
    [Loaded javax.net.ssl.SSLPeerUnverifiedException from /usr/jdk/instances/jdk1.6.0/jre/lib/jsse.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLContextManager: loaded 5 trusted CAs from /opt/bea/wlserver_10.3/server/lib/DemoTrust.jks>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US; Issuer: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US>
    ... The Certs ....
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Subject: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US; Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US>
    <Jan 26, 2010 4:00:26 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /usr/jdk/instances/jdk1.6.0/jre/lib/security/cacerts.>
    [Loaded sun.security.x509.CRLDistributionPointsExtension from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.DistributionPoint from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.URIName from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.DNSName from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.CertificatePoliciesExtension from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.PolicyInformation from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.CertificatePolicyId from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded java.security.cert.PolicyQualifierInfo from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.PrivateKeyUsageExtension from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.reflect.GeneratedConstructorAccessor9 from __JVM_DefineClass__]
    [Loaded sun.reflect.GeneratedConstructorAccessor10 from __JVM_DefineClass__]
    [Loaded sun.security.x509.ExtendedKeyUsageExtension from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.reflect.GeneratedConstructorAccessor11 from __JVM_DefineClass__]
    [Loaded sun.reflect.GeneratedConstructorAccessor12 from __JVM_DefineClass__]
    [Loaded sun.security.x509.IssuerAlternativeNameExtension from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.AuthorityInfoAccessExtension from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded sun.security.x509.AccessDescription from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLContextManager: loaded 76 trusted CAs from /usr/jdk/instances/jdk1.6.0/jre/lib/security/cacerts>
    ... The 76 Certs ...
    [Loaded sun.nio.cs.ISO_8859_1$Decoder from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US; Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US>
    [Loaded com.certicom.security.asn1.ASN1ParsingException from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Type from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Structured from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Sequence from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1SequenceOf from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.Extensions from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.SubjectPublicKeyInfo from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1InputStream from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.Certificate from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1EncodingException from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1OutputStream from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.TBSCertificate from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Tag from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Primitive from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Integer from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.AlgorithmIdentifier from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Null from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkcs.pkcs1.DSSParams from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1OID from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkcs.pkcs5.PBEParameter from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Choice from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.Name from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.RDNSequence from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.AttributeTypeAndValue from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1SetOf from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.RelativeDistinguishedName from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1String from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1SimpleString from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1PrintableString from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1TeletextString from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1IA5String from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.UTF8String from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1BMPString from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.Validity from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.Time from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1BitString from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.DERInputStream from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.DERDefiniteLengthInputStream from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Time from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Set from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1OctetString from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1Boolean from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.DERInputStream$Header from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.ASN1UTCTime from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.pkix.Extension from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.DEROutputStream from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.DERByteArrayOutputStream from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.security.asn1.DEROutputSizer from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.kf.ECCpresso_ECKeyFactory from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.kf.JSAFE_RSAKeyFactory from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.kf.ECCpresso_RSAKeyFactory from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.provider.kf.DSAKeyFactory from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded sun.reflect.GeneratedConstructorAccessor13 from __JVM_DefineClass__]
    [Loaded sun.reflect.GeneratedConstructorAccessor14 from __JVM_DefineClass__]
    [Loaded sun.reflect.GeneratedConstructorAccessor15 from __JVM_DefineClass__]
    [Loaded com.certicom.locale.Resources from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.locale.jSSLPlusResources from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.locale.jSSLPlusResources_en from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.bea.logging.ThrowableWrapper from file:/opt/bea/modules/com.bea.core.logging_1.4.0.0.jar]
    [Loaded weblogic.logging.ThrowableInfo from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Failure loading trusted CA list
    java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
         at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
         at com.certicom.tls.interfaceimpl.CertificateSupport.addTrustedCertificate(Unknown Source)
         at com.certicom.net.ssl.SSLContext.addTrustedCertificate(Unknown Source)
         at com.bea.sslplus.CerticomSSLContext.addTrustedCA(Unknown Source)
         at weblogic.security.utils.SSLContextWrapper.addTrustedCA(SSLContextWrapper.java:62)
         at weblogic.security.utils.SSLSetup.getSSLContext(SSLSetup.java:320)
         at weblogic.security.SSL.SSLClientInfo.getSSLSocketFactory(SSLClientInfo.java:101)
         at weblogic.security.SSL.SSLSocketFactory.setSSLClientInfo(SSLSocketFactory.java:218)
         at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:36)
         at weblogic.security.SSL.SSLSocketFactory.getInstance(SSLSocketFactory.java:68)
         at weblogic.net.http.HttpsClient.New(HttpsClient.java:561)
         at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:242)
         at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:237)
         at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:191)
         at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:93)
         at com.iplanet.services.naming.WebtopNaming.getNamingTable(WebtopNaming.java:1038)
         at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.java:1074)
         at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java:991)
         at com.iplanet.services.naming.WebtopNaming.access$000(WebtopNaming.java:74)
         at com.iplanet.services.naming.WebtopNaming$SiteMonitor.<clinit>(WebtopNaming.java:1386)
         at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:145)
         at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:93)
         at com.iplanet.services.naming.WebtopNaming.getNamingTable(WebtopNaming.java:1038)
         at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.java:1074)
         at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java:991)
         at com.iplanet.services.naming.WebtopNaming.getServiceAllURLs(WebtopNaming.java:466)
         at com.sun.identity.authentication.AuthContext.login(AuthContext.java:575)
         at com.sun.identity.authentication.AuthContext.login(AuthContext.java:521)
         at com.sun.identity.authentication.AuthContext.login(AuthContext.java:381)
         at com.sun.identity.agents.common.ApplicationSSOTokenProvider.getApplicationSSOToken(ApplicationSSOTokenProvider.java:63)
         at com.sun.identity.agents.arch.AgentConfiguration.setAppSSOToken(AgentConfiguration.java:541)
         at com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfiguration(AgentConfiguration.java:646)
         at com.sun.identity.agents.arch.AgentConfiguration.initializeConfiguration(AgentConfiguration.java:1054)
         at com.sun.identity.agents.arch.AgentConfiguration.<clinit>(AgentConfiguration.java:1498)
         at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:643)
         at com.sun.identity.agents.weblogic.v10.AmWLAuthProvider.initialize(AmWLAuthProvider.java:57)
         at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:65)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(Unknown Source)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
         at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    [Loaded javax.net.ssl.impl.SSLSocketImpl from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    [Loaded weblogic.security.utils.SSLIOContextTable from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 16880245>
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>

    Faisal Khan wrote:
    <BEA-000000> <Failure loading trusted CA list
    java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
    The root problem is that the Certicom SSL does not support the SHA256 algorithm, which is required with the trusted certificates "ttelesecglobalrootclass2ca" and "ttelesecglobalrootclass3ca".
    A fix is included in JDK 1.6.0_13 wherein WLS just ignores these certificates.
    You can get more information on the fix from Oracle Support.
    You can delete these certificates yourself using the keytool utility.

    Thank you. I removed them all, but WebLogic still loads the Demo and JDK keystores and not the custom keystores before loading the security realm.
    Is there a way to specify the KeyStores for the security realm?
    I've provided the following to the JVM but to no avail:
    -Djavax.net.ssl.keyStore=/export/home/weblogic/keystore/keystore.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=***** -Djavax.net.ssl.trustStore=/export/home/weblogic/keystore/keystore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trsustStorePassword=*****

  • Trust store and key store

    What is the fundamental difference between trust store and key store ?

    What does this mean to an end user?

    I have no idea, but what it means to me is that JBoss doesn't understand the difference between them any more than you did when you asked the question.
    A keystore is a high-security item that needs to be kept under lock and key as it contains credentials sufficient to identify that peer legally, and I mean in a courtroom in a dispute over millions of dollars. A truststore on the other hand is a collection of public certificates whose security requirement is to prevent people adding untrustworthy certificates to it. A completely different matter. In any large organization, the personnel with the authority over the keystore would never be the same as the personnel with authority over the truststore. Putting both in the same file compromises the security of both. It makes no sense whatsoever.

  • Trust and Key Store config values? - OBPM 10g (Linux) With Websphere6 (AIX)

    HI,
    We installed OBPM 10gR3 on Linux (10.3.2 for Websphere) with Websphere 6.1.0.21 on AIX,
    When we try to save values in following section we are getting an error:
    Engines > Edit Engine bpmengine > JMX Engine Management Configuration
    Attributes are:
    Host / Port / Security Enabled / Principal / Credentials / Trust store / Trust store password / Key store / Key store password
    Can anybody please help with what values to put for the following parameters under JMX Engine Management Configuration with respect to Websphere Application Server 6.1.0.21:
    Trust store: ?
    Trust store password: ?
    Key store: ?
    Key store password: ?
    Please help us in case anybody came across this.
    Thanks and Regards
    SH

    Well it seems that my trouble all started when I began using the 'printable = yes' option for shares. Since I removed that the troubles seem to have left me.
    Does anyone know why that is listed as an option in smb.conf here:
    # A publicly accessible directory, but read only, except for people in
    # the "staff" group
    ;[public]
    ; comment = Public Stuff
    ; path = /home/samba
    ; public = yes
    ; writable = yes
    ; printable = no
    ; write list = @staff
    As well as in a few other examples if it doesn't work? I saw the example and assumed that option was needed to print from those shared directories.
    Also, it seems that the comma is not needed between the 'valid users' names.
    Also, I guess it wasn't Windows XP's fault either but rather my own ignorance. I like the idea of blaming Windows better though.....
    I hope this serves to help others to avoid my mistakes.

  • How to set a default trust store just for DirContext not the whole JVM

    I need to connect to a secure LDAP server ( URL is ldaps://..../). The Server certificate in this LDAP server is a self signed cert so I need to put this certificate in my Keystore as well for me to connect to it.
    My code is something like :
      DirContext ctx=null;
        Properties prop = .... ;
        // I set URL etc. in this.
        KeyStore ks = some_function_call();
        // save this keystore to file
        java.io.FileOutputStream fos =  new java.io.FileOutputStream("/tmp/newKeyStoreName.jks");
        char[] password = .....
        ks.store(fos, password);
        fos.close();
        // set this keystore as the default Keystore.
        System.setProperty("javax.net.ssl.trustStore", "/tmp/newKeyStoreName.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", ...);
        System.setProperty("javax.net.ssl.trustStoreType", "jks");
        ctx = new InitialDirContext(prop);
    My problem is that when I do a System.setProperty it makes it the default trust store for the whole JVM. I want a solution that would use this trust store only for the DirContext as I do not want this keystore to be used for other parts of my code. And it's an MT application, so setting the keystore back to the default one after this LDAP query gets over won't work.
    I tried changing System.setProperty to props.put() but it doesn't work.
    Any ideas?

    I have the same problem. I have to make 2 different SSL calls to 2 different servers, and if I set the System truststore and keystore properties I have a problem, 'cause those are different for each server.
    If you have found the solution in the meanwhile, maybe you can write it here.
    thanks,
    Mihai

  • Unable to load custom trust store in cluster

    Weblogic 9.2 cluster with three nodes. Each is configured to use custom trust store. The same jks is copied to every node.
    On node1 ssl works perfectly but on node2 and node3 certificate validation fails. Interesting is the stack that is thrown after first validation request, when Weblogic starts to load truststore:
    ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211972> <000000> <SSLSetup: loading trusted CA certificates>
    ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211984> <000000> <SSLContextManager: loading server SSL identity>
    ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211986> <000000> <MBeanKeyStoreConfiguration: constructor - using mbean trust config>
    ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211989> <000000> <PreMBeanKeyStoreConfiguration: constructor - explicitly configured=true>
    ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211992> <000000> <PreMBeanKeyStoreConfiguration: constructor - TrustKeyStore[0]=FileName=/bea/keystores/MyTrust.jks, Type=jks, PassPhraseUsed=true>
    ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211994> <000000> <MBeanKeyStoreConfiguration: constructor - TrustKeyStore[0]=FileName=/bea/keystores/MyTrust.jks, Type=jks, PassPhraseUsed=true>
    ####<Jan 17, 2011 5:46:51 PM EET> <Notice> <Security> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1295279211998> <BEA-090171> <Loading the identity certificate and private key stored under the alias beal2.srv.sise from the jks keystore file /bea/keystores/MyIdentity.jks.>
    ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212009> <000000> <Failed to load server trusted CAs
    java.lang.NullPointerException
         at weblogic.security.utils.SSLContextManager.getRealmName(SSLContextManager.java:594)
         at weblogic.security.utils.SSLContextManager.getServerSSLIdentity(SSLContextManager.java:535)
         at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:276)
         at weblogic.security.utils.SSLContextManager.getDefaultServerSSLContext(SSLContextManager.java:221)
         at weblogic.security.utils.SSLContextManager.getServerTrustedCAs(SSLContextManager.java:183)
         at weblogic.security.utils.SSLSetup.getTrustedCAs(SSLSetup.java:505)
         at weblogic.security.utils.SSLSetup.getSSLContext(SSLSetup.java:384)
         at weblogic.security.SSL.SSLSocketFactory.setSSLClientInfo(SSLSocketFactory.java:218)
         at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:36)
         at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:28)
         at weblogic.security.SSL.SSLSocketFactory.getDefault(SSLSocketFactory.java:55)
         at com.liferay.portal.security.auth.WeblogicSocketFactory.createSocket(WeblogicSocketFactory.java:21)
         at com.liferay.portal.security.auth.WeblogicSocketFactory.createSocket(WeblogicSocketFactory.java:30)
         at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
         at com.liferay.portal.servlet.filters.sso.cas.Cas20ProxyTicketValidator.retrieveResponse(Cas20ProxyTicketValidator.java:73)
         at com.liferay.portal.servlet.filters.sso.cas.Cas20ProxyTicketValidator.validate(Cas20ProxyTicketValidator.java:46)
         at com.liferay.portal.servlet.filters.sso.cas.CASFilter.processFilter(CASFilter.java:172)
         at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3242)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2010)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1916)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
    >
    ####<Jan 17, 2011 5:46:52 PM EET> <Deb...
    During the validation I get the following:
    ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212020> <000000> <Cannot complete the certificate chain: No trusted cert found>
    ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212020> <000000> <Validating certificate 0 in the chain: Serial number: 1283510590
    ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212023> <000000> <validationCallback: validateErr = 16>
    ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212025> <000000> <weblogic user specified trustmanager validation status 16>
    I have run out of ideas. The certificate is in the truststore. I think my issues are related to that NullPointer but because it is Weblogic internal code I have no idea what's causing it. I know somehow node1 has to be different but I don't know where to look anymore.
    After decompiling SSLContextManager getRealmName looks like this:
    private final String getRealmName()
    {
        // Any null link in this chain produces the NullPointerException seen in the stack trace
        return runtimeAccess.getDomain().getSecurity().getRealm().getName();
    }
    What configuration am I missing?

    Maybe this helps....
    I would try to check the following steps:
    - Are node2 and node3 on the same machine as node1?
    - Is "/bea/keystores/MyTrust.jks" present and readable on each machine?
    - Who signs the trust certificate in "MyTrust.jks"? I.e.: is a trust chain needed to validate MyTrust?
    From your decompilation it seems that one of these
    - runtimeAccess;
    - runtimeAccess.getDomain();
    - runtimeAccess.getDomain().getSecurity();
    - runtimeAccess.getDomain().getSecurity().getRealm();
    is null ...
    Bye
    Mariano

  • Regarding Keystore and Truststore

    Hi Guys!
    I am really new to this SSL or TLS. I would like to know what is a keystore and what is a truststore?
    What are their uses?
    What does this piece of code imply?
    -Djavax.net.ssl.trustStore=C:\APACHE\Tomcat5\conf\SSL\cacerts -Djavax.net.ssl.keyStore=C:\APACHE\Tomcat5\conf\SSL\bpricatclient.keystore -Djavax.net.ssl.keyStorePassword=bpricatclient
    Thanks a lot!
    Regards
    Vivek.s

    Vivek,
    A KeyStore stores your private keys and the TrustStore stores the certificates that you trust. For a two-way SSL connection, server has a KeyStore and a TrustStore and each client also must have a TrustStore and a KeyStore. For One-Way SSL server needs a KeyStore and a Client needs a TrustStore.
    In a one-way SSL connection, the server's certificate must be in your client's TrustStore for the SSL handshake to complete. And the server KeyStore is used to store the keys used for encryption.
    The code you have there is specifying the KeyStore and the TrustStore and their passwords for the security provider you are using, which looks like javax.net.ssl.
    hope this helps

  • Adding a key to the agent trust store

    Hi
    I am running EM version 12.1.0.4.0 I want to add a key to the trust store. I am using the following command:
    $ emctl secure add_trust_cert_to_jks -trust_certs_loc /var/tmp/new_cert_from_ovmkeytool.cert3 -alias ovmm
    The key does exist at the given location. The problem is that I don't seem to have the option "emctl secure add_trust_cert_to_jks"; I just get the usage of emctl printed to the screen. Below is an extract of what I get for the "emctl secure" sub-command. As you can see, it is telling me that I don't have the option I want. I was following the syntax from the official documentation here:
    http://docs.oracle.com/cd/E24628_01/doc.121/e28814/cloud_iaas_setup.htm#CHDEFEDB
    Am I missing a step, do I have to manually create the trust store first? Or do I need to apply a patch to get this working?
    Any help would be greatly appreciated.
    USAGE FOR EMCTL
    Security commands usage:
    Secure OMS:
    emctl secure oms [-sysman_pwd <sysman password>] [-reg_pwd <registration password>]
            [-host <hostname>] [-ms_hostname <Managed Server hostname>]
            [-slb_port <SLB HTTPS upload port>] [-slb_console_port <SLB HTTPS console port>] [-no_slb]
            [-secure_port <OHS HTTPS upload Port>] [-upload_http_port <OHS HTTP upload port>]
            [-reset] [-console] [-force_newca]
            [-lock_upload] [-lock_console] [-unlock_upload] [-unlock_console]
            [-wallet <wallet_loc> -trust_certs_loc <certs_loc>]
            [-key_strength <strength>] [-sign_alg <md5|sha1|sha256|sha384|sha512>]
            [-cert_validity <validity>] [-protocol <protocol>]
            [-root_dc <root_dc>] [-root_country <root_country>] [-root_email <root_email>]
            [-root_state <root_state>] [-root_loc <root_loc>] [-root_org <root_org>] [-root_unit <root_unit>]
            -host : SLB or Virtual Hostname
            -ms_hostname: actual hostname of machine where Managed Server is running
            -slb_port : HTTPS port configured on SLB for uploads
            -slb_console_port : HTTPS port configured on SLB for console access
            -no_slb: Specify this to remove SLB configuration
            -secure_port : Specify this to change HTTPS Upload port on WebTier
            -upload_http_port : Specify this to change HTTP Upload port on WebTier
            -reset : Create new CA
            -force_newca: Force OMS secure with new CA although there are Agents secured with older CA
            -console : Create certificate for Console HTTPS port as well
            -lock_upload : Lock Upload
            -lock_console : Lock Console
            -unlock_upload : Unlock Upload
            -unlock_console : Unlock Console
            -wallet : Directory where external wallet is located
            -trust_certs_loc : File containing all trusted certificates
            -key_strength : 512|1024|2048
            -sign_alg : Signature Algorithm; md5|sha1|sha256|sha384|sha512
            -cert_validity : Number of days certificate should be valid; min 1, max 3650
            -protocol : SSL Protocol to use on WebTier
            Valid values for <protocol> are the allowed values for Apache's SSLProtocol directive
    Secure WLS:
    emctl secure wls [-sysman_pwd <sysman password>]
    (-jks_loc <loc> -jks_pvtkey_alias <alias> | -wallet <loc> | -use_demo_cert)
    Specify jks_loc,jks_pvtkey_alias or wallet or use_demo_cert
            [-jks_pwd <pwd>] [-jks_pvtkey_pwd <pwd>]
            -jks_loc : Location of JKS containing the custom cert for Admin & Managed Servers
            -jks_pvtkey_alias : JKS's private key alias
            -jks_pwd : JKS's keystore password
            -jks_pvtkey_pwd : JKS's private key password
            -wallet : Location of wallet containing the custom cert for Admin & Managed Servers
            -use_demo_cert: Configure the demo cert for Admin & Managed Servers
    emctl secure console [-sysman_pwd <pwd>]
            (-wallet <wallet_loc> | -self_signed)
            [-key_strength <strength>] [-cert_validity <validity>]
    emctl secure lock [-sysman_pwd <pwd>] [-console] [-upload]
    emctl secure unlock [-sysman_pwd <pwd>] [-console] [-upload]
    emctl secure createca [-sysman_pwd <pwd>] [-root_country <root_country>]
            [-root_state <root_state>] [-root_org <root_org>] [-root_unit <root_unit>]
            [-key_strength <strength>] [-cert_validity <validity>]
    emctl secure setpwd [sysman password] [new registration password]
    emctl secure sync
    emctl secure create_admin_creds_wallet [-admin_pwd <pwd>] [-nodemgr_pwd <pwd>]

    Nice to know your issue is resolved
    You can also bookmark below MOS doc for your future references which provided detailed steps for Importing the custom CA certificate into Agent
    12c Cloud Control: Steps to Create and Import Third Party / Self-Signed SSL Certificates for WebLogic Server in an Enterprise Manager Installation (Doc ID 1527874.1)
    Regards,
    Rahul

  • Problem with Java keystore and certificates (unable to find valid cert path

    Our program is made so that when a certificate is not signed by a trusted Certification Authority, it will ask the user if he/her wishes to trust the certificate or not. If they decide to trust the certificate, it will accept the self signed certificate and import it into the keystore and then use that certificate to log the user in. This works fine. It will import the certificate into the keystore and use the specified ip address to establish a connection with the LDAP server (Active Directory in our case) and authenticate properly. However, the problem arises when we then try and connect to a different ip address (without restarting tomcat, if we restart tomcat, it works fine...). It imports the certificate into the keystore fine, but always gives the exception
    "Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
    and does not authenticate with our LDAP server (which is Active Directory). The problem seems to be that it is no longer looking at the System.setProperty("javax.net.ssl.trustStore", myTrustStore);
    I have tried multiple times to just reset this property and try and "force" it to read from my specified trust file when this error happens. I have also imported the certificates directly into the <java_home>/jre/lib/security/cacerts and <java_home>/jre/lib/security/jssecacerts directories as the java documentation says that it will look at those directories first to see if it can find a trusted certificate. However, this does not work either. The only way that I can get this to work is by restarting tomcat all together.
    If both of the certificates are already in the keystore before tomcat is started up, everything will work perfect. Again, the only problem is after first connecting to an IP address using TLS and importing the certificate, and then trying to connect to another IP address with a different certificate and import it into the keystore.
    One of the interesting features of this is that after the second IP address has failed, I can change the IP address back to the first one that authenticated successfully and authenticate successfully again, i.e.:
    - I use ip 1.1.1.1, import self signed certificate, authenticates successfully
    - login with ip 2.2.2.2, import self signed certificate, FAILS
    - login again with 1.1.1.1 (doesn't import certificate because it is already in keystore), successfully authenticates
    Also, I am using java 1.5.0_03.
    Any help is greatly appreciated as I've been trying to figure this out for over a week now.
    Thanks

    Please don't post in threads that are long dead and don't hijack other threads. When you have a question, start your own topic. Feel free to provide a link to an old post that may be relevant to your problem.
    I'm locking this thread now.
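
The restart-only behaviour described in this thread is consistent with how JSSE builds its default SSLContext: javax.net.ssl.trustStore is read once, when the default context is first created, and later changes to the property or to the file are not picked up. The class below is an added example, not code from the thread; `ReloadableTrustManager` and its method names are hypothetical. It rebuilds the trust decision from an in-memory KeyStore each time a certificate is accepted, so sockets created from its context see the new entry without a restart.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper: an X509TrustManager whose trust anchors can change at runtime. */
public final class ReloadableTrustManager implements X509TrustManager {

    private final KeyStore trustStore;            // must already be loaded by the caller
    private volatile X509TrustManager current;    // swapped atomically on every rebuild

    public ReloadableTrustManager(KeyStore trustStore) throws GeneralSecurityException {
        this.trustStore = trustStore;
        rebuild();
    }

    /**
     * Adds a certificate the user has explicitly accepted and rebuilds the
     * delegate, so the very next handshake validates against the new entry.
     * Persisting the store (KeyStore.store) is left to the caller.
     */
    public synchronized void trust(String alias, X509Certificate cert)
            throws GeneralSecurityException {
        cert.checkValidity();                      // refuse expired or not-yet-valid certificates
        trustStore.setCertificateEntry(alias, cert);
        rebuild();
    }

    /** Derives a fresh PKIX trust manager from the current contents of the store. */
    private void rebuild() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                current = (X509TrustManager) tm;
                return;
            }
        }
        throw new KeyStoreException("No X509TrustManager available from the default factory");
    }

    /**
     * Context bound to this manager only. Create it once and reuse it; the
     * JVM-wide default context and its trust store are never touched.
     */
    public SSLContext newContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        current.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        current.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return current.getAcceptedIssuers();
    }
}
```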

  • HT5577 I lost recovery key and trusted device, how do I rescue my funds on account?

    Lost recovery key and trusted dev, and need to transfer balance on account how do I do this?

    You will need one of your trusted devices to be able to change your password : Apple ID: Can't sign in with two-step verification - Apple Support
    Nobody else should be able to download from a new device or computer unless they have access to two of your password, a trusted device, and your recovery key. You are sure that they are using it e.g. there are a number of phishing emails doing the rounds saying that something has been downloaded on an account and to click on a link in the email if it wasn't you that made it so as to request a refund (i.e. so that they can capture your password and payment details).
    If they are 'proper' purchases then you can try contacting iTunes Support : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page

  • SSL CA Trust Store issue in Android 2.1

    Here is one more reason Samsung/Verizon should push Android 2.2. Websites using SSL Certificates from some valid Certificate Authorities are throwing SSL Certificate warnings when accessed via Android 2.1. This is because the CA Trust store in Android 2.1 is old and incomplete. It does not contain the full list of trusted CAs that are commonly found in regular desktop browsers like Safari, Chrome, FF and IE. Android 2.2 has a more updated and complete Trusted CA store.
    Also, Android 2.1 does not have a published feature for importing CA Certificates (there are some manual workarounds for people who took their phone to the dentist). So, even if you had a valid reason to add a valid CA certificate from a company like Verisign or COMODO or your enterprise to your trust store, you can not do it. So, you have to get used to constantly accepting certificate warnings (which is a security risk in that you may inadvertently accept a certificate signed by a really invalid/bad CA).
    Is anyone aware of a fix for this issue? If not, does Verizon have any plans to address it?
    ps: I do not want help for installing client certificates. These are not the same as CA certificates. Android can import client certificates from a URL or from an SD card using Settings->Locations&Security->Credential Storage section.

    [Edited to comply with Terms of Service]
    They were talking about this
    In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).
    Digital certificates are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA).
    A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate - a signature by a root certificate is somewhat analogous to "notarizing" an identity in the physical world. Certificates further down the tree also depend on the trustworthiness of the intermediates (often known as "subordinate certification authorities").
    Many software applications assume these root certificates are trustworthy on the user's behalf. For example, a Web browser uses them to verify identities within SSL/TLS secure connections. However, this implies that the user trusts their browser's publisher, the certificate authorities it trusts, and any intermediates the certificate authority may have issued a certificate-issuing-certificate, to faithfully verify the identity and intentions of all parties that own the certificates. This (transitive) trust in a root certificate is the usual case and is integral to the X.509 certificate chain model.
    The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers

  • LDAP SSL - ways to provide trust store/key store details.

    In our application we need to talk to LDAP over ssl.
    We are using following to create ldapContext
    System.setProperty ( "javax.net.ssl.trustStore",
                              tStoreFile.getAbsolutePath() );
    System.setProperty ( "javax.net.ssl.keyStore",
                              keyStoreFile.getAbsolutePath() );
    System.setProperty ( "javax.net.ssl.keyStorePassword", kspasswd );
    System.setProperty ( "javax.net.ssl.trustStorePassword", tspasswd );
    LdapContext ctx = new InitialLdapContext(env, null);
    Is there any other way to provide Key/Trust store details?
    Thanks

    of course : http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization
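
Both this question and the earlier one about a trust store for a single DirContext come down to scoping the trust store to one connection instead of the whole JVM. The class below is an added example, not code from either thread: it builds an SSLContext from a dedicated trust store and hands it to JNDI's LDAP provider through the `java.naming.ldap.factory.socket` environment property. The class name `ScopedTrustSocketFactory` and its `configure`/`connect` helpers are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical socket factory that trusts only the certificates in one dedicated store. */
public class ScopedTrustSocketFactory extends SocketFactory {

    private static volatile SSLSocketFactory delegate;

    /** Call once at startup; no javax.net.ssl.* system property is read or written. */
    public static void configure(String trustStorePath, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trust.load(in, password);   // the password lets the store's integrity be checked
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // First argument null: no client key material, i.e. server authentication only.
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    /** The LDAP provider loads the class by name and calls this static method. */
    public static SocketFactory getDefault() {
        if (delegate == null) {
            throw new IllegalStateException("configure() has not been called");
        }
        return new ScopedTrustSocketFactory();
    }

    /** Ask JSSE to match the server certificate against the host name as well. */
    private static Socket withHostnameCheck(Socket socket) {
        SSLSocket ssl = (SSLSocket) socket;
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("LDAPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    @Override
    public Socket createSocket() throws IOException {
        return withHostnameCheck(delegate.createSocket());
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port));
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port, localHost, localPort));
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port));
    }

    @Override
    public Socket createSocket(InetAddress address, int port,
                               InetAddress localAddress, int localPort) throws IOException {
        return withHostnameCheck(delegate.createSocket(address, port, localAddress, localPort));
    }

    /** Opens an ldaps:// context that uses this factory and nothing else in the JVM. */
    public static DirContext connect(String ldapsUrl) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put("java.naming.ldap.factory.socket", ScopedTrustSocketFactory.class.getName());
        return new InitialDirContext(env);
    }
}
```

Because the provider looks the factory up by class name, an application that talks to several servers with different trust stores needs one such class per store (or a per-thread holder in place of the static field).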

  • What's the difference between keystore and truststore?

    I am new to this SSL and don't understand the difference between a keystore and a truststore, when to use which and all that. Can anyone enlighten me?

    The keystore is for client certificates. The truststore is for server (or CA) certificates that you choose to trust.
    "Regular" SSL connections, where only server authentication is performed, usually use just the truststore. If you want to do SSL client authentication with certificates as well, you use a keystore.
    Did this help ?

  • Trust store location

    Hi! I'm writing a web app, deployed in Tomcat. It accesses some remote resources via SSL, so it connects to a server and must check server's certificate against one in trust store. I'm a bit confused about where to put the trust store file. Now I use a config file to specify the location of truststore manually by sysadmins of target Tomcat server. Can I simply put it in WAR? If I put it in WAR, how am I to refer it from app?
    Thanx.

    Hi,
    How can a remote user on a remote domain access the jsp on my comp?
    Do I have to add the trust store somewhere in the code?
    Seetesh
