Layer security?

Similar Messages

• Transport Layer Security Cipher Suites in Safari

  Does anyone happen to know which Transport Layer Security (TLS) Cipher Suites Safari 4 supports?
  Specifically, does it support the Elliptic Curve suites from RFC 4492? How about AES?
  Thanks!

  Hi,
  i`m only aware that SSL is supported. If you need an official Statement i would recommend you open an OSS Message with the SAP Support.
  Regards
  -Seb.

• Does SChannel library support DTLS(Datagram Transport Layer Security) protocol?

  Please let me know whether SChannel library supports DTLS(Datagram Transport Layer Security) protocol.

  I want to know whether DTLS(Datagram Transport Layer Security) protocol is supported by schannel. DTLS provides communication privacy for Datagram protocols. OpenSSL supports DTLS. 

• Application layer security

  hi
  i m doing my project based upon APPLICATION LAYER SECURITY. however i dont hav enough knowledge boou it.Can anyone guide me how to go about this.

  What do you mean by Application Layer Security?

• Transport layer security for ActiveSync on iPhone

  Is the data (email, calendar, contacts) encrypted during transport when using ActiveSync on iPhone?
  Thanks
  Saqib

  All data sent via AT&T's cellular data or internet network is encrypted, which is the same with all GSM networks.
  And copied from this link.
  http://www.apple.com/iphone/business/integration/
  iPhone 3GS protects your data through encryption of information in transmission, at rest on the device, and when backed up to iTunes. iPhone also provides secure methods to prevent unauthorized use of the device through passcode policies and restrictions. In the event of a lost or stolen iPhone, you can even clear all data and settings by issuing a remote wipe command from Exchange.
  Network communications stay secure with Cisco IPSec VPN, WPA2 Enterprise Wi-Fi, and SSL/TLS on iPhone. Exchange users can enforce complex passcodes, camera restrictions, and other policies on iPhone to protect corporate data. And certificate-based authentication enables iPhone to connect with corporate servers via Exchange as well as VPN On Demand, making network communications seamless and secure.

• TLS(Transaport Layer Security) algorithm not available...JSSE sample codes

  I am using the sample codes provided with the JSSE1.0.2, but I get the following exception" when TLS algorithm not available". I do not get the error when using Java Forte( UI), but when I use the dos prompt to execute the sample codes, I get the error.Please advice.
  Thank You,
  Shafique Razzaque,
  Java Certified Programmer,
  Singapore.

  My email : [email protected]
  If you want to send me any running programme
  Hi
  I�m a student working on a Sun JSSE Samples for many weeks and I couldn�t run anyone ..!
  I am using the last JSSE 1.02 , the jdk 1.31, working on Jbuilder4
  I am working on both RMI and sockets samples.
  On the RMI sample I got this Exception : no such algorithm �TSL�
  �TSL� not supported
  I searched in the posted messages in the forum and I found someone had the same problem
  I followed all what he did but no way �!
  I don�t know what I forget to do, see what I did and tell me please what is wrong.
  I installed the JSSE as followed in the install file. I am sure that it is well installed
  How to compile???!!!
  1.I configured the rmic parameters to generate only the stub compatible only with java 2
  2.I compiled the project I got the stub
  3.I put theses parameters in
  Project Properties /Run/ field : VM parameters
  -Djava.rmi.server.codebase=file:/c:/windows/jbproject/Sunrmissl/classes/ -Djava.security.policy=file:/c:/windows/jbproject/Sunrmissl/policy.policy -Djavax.net.ssl.trustStore=file:/c:/windows/jbproject/Sunrmissl/testkeys.key
  4.I run the rmiregistry
  5.i run the HelloImp but every time exceptions :
  C:\JBUILDER4\JDK1.3\bin\javaw -classpath "C:\WINDOWS\jbproject\Sunrmissl\classes;C:\jsse-1_0_2-gl\jsse1.0.2\lib\jcert.jar;C:\jsse-1_0_2-gl\jsse1.0.2\lib\jnet.jar;C:\jsse-1_0_2-gl\jsse1.0.2\lib\jsse.jar;C:\JBUILDER4\JDK1.3\demo\jfc\Java2D\Java2Demo.jar;C:\JBUILDER4\JDK1.3\jre\lib\i18n.jar;C:\JBUILDER4\JDK1.3\jre\lib\jaws.jar;C:\JBUILDER4\JDK1.3\jre\lib\rt.jar;C:\JBUILDER4\JDK1.3\jre\lib\sunrsasign.jar;C:\JBUILDER4\JDK1.3\lib\dt.jar;C:\JBUILDER4\JDK1.3\lib\tools.jar" -Djava.rmi.server.codebase=file:/c:/windows/jbproject/Sunrmissl/classes/ -Djava.security.policy=file:/c:/windows/jbproject/Sunrmissl/policy.policy -Djavax.net.ssl.trustStore=file:/c:/windows/jbproject/Sunrmissl/testkeys.key sunrmissl.HelloImpl
  java.security.NoSuchAlgorithmException: Algorithm TLS not available
       at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
       at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198])
       at sunrmissl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:39)
       at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:559)
       at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:200)
       at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:172)
       at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:319)
       at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:119)
       at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:125)
       at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:109)
       at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:278)
       at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:209)
       at java.rmi.server.UnicastRemoteObject.<init>(UnicastRemoteObHelloImpl err: null
  ject.java:100)
       at sunrmissl.HelloImpl.<init>(HelloImpl.java:27)
       at sunrmissl.HelloImpl.main(HelloImpl.java:41)
  java.lang.NullPointerException
       at sunrmissl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:51)
       at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:559)
       at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:200)
       at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:172)
       at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:319)
       at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:119)
       at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:125)
       at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:109)
       at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:278)
       at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:209)
       at java.rmi.server.UnicastRemoteObject.<init>(UnicastRemoteObject.java:100)
       at sunrmissl.HelloImpl.<init>(HelloImpl.java:27)
       at sunrmissl.HelloImpl.main(HelloImpl.java:41)

• Simple Authentication and Security Layer

  Hi All,
  What is Simple Authentication and Security Layer (SASL)?? and what it's function in Oracle Beehive??
  Thanks,
  Dha_Suh

  wikipedia :
  Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. Authentication mechanisms can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 is an example of mechanisms which can provide a data security layer. Application protocols that support SASL typically also support Transport Layer Security (TLS) to complement the services offered by SASL.
  SASL was originally specified in RFC 2222, authored by John Gardiner Myers while at Carnegie Mellon University. That document was obsoleted by RFC 4422, edited by Alexey Melnikov and Kurt Zeilenga.
  SASL is an IETF Standard Track protocol, presently a Proposed Standard.

• What are the steps required in NWA and ID in order to enhance security of adapters in PI 7.31 Java Stack ?

  HI All,
  I am looking for steps need to follow for seurity and certificate management in PI 7.31 Java Stack.
  Could someone help me with the security and certificate management steps needs to follow for SOAP/RFC/MAIL adapter ?
  I looked at sap help link Network and Transport Layer Security - SAP NetWeaver Process Integration Security Guide - SAP Library
  Regards,
  Karan

  Hi Karan,
  For SOAP adapter you can use digital signing and encryption. Please refer the below blog
  Configuring WSSE (digital signing and encryption) using SAP PI 7.11 AAE SOAP Adapter
  regards,
  Harish

• Security Issues: SSL on SOAP Adapter and Digital Signature in BPM

  Hi there,
  we're developing a R/3-XI-3rd Party Application scenario, where the XI/3rd Party communication is based on a webservice (SOAP adapter with SSL). Also, the messages in the XI/3rd Party communication must be digitally signed. I've got some questions on both subjects.
  1. About the SSL. I've started to investigate what will be necessary to enable the HTTPS option under SOAP Adapter (it's not enabled now). If I'm not correct, all I need to do is:
  - check whether the SAP Java Crypto Lib is installed in the Web AS;
  - generate the certificate request in the Visual Administrator and, after acquiring the certificate, store it with the KeyStorage option.
  Is that right?
  I'm considering that I won't need to use SSL in the ABAP Web AS, only the J2EE Java Engine (since the SOAP Adapter is based on J2EE).
  2. About the digital signature. As a first solution, we had decided on accessing a webservice based on another machine running a signature application. We'd send the unsigned XML and receive a signed XML. But since that needed to be done into the BPM, I thought that using a piece of Java code in a mapping would suit it better.
  But to be able to use the hashing/encrypting/encoding algorithms, which library needs to be installed? Is it the same SAP Java Crypto Lib that was installed for the SSL enabling?
  Thanks in advance!

  Hello Henrique,
  1. You're right. For detailed instructions please have a look at the online help: http://help.sap.com/nw04 - Security - Network and Transport Layer Security - Transport Layer Security on the SAP J2EE Engine
  2. The SOAP adapter supports security profiles. Please have a look at the online docu http://help.sap.com/nw04 -Process Integration - SAP Exchange Infrastructure - Runtime - Connectivty - Adapters - SOPA Adapter - Configuring the Sender SOAP adapter and from the link under Security Parameters to the Sender Agreement. You'll find some additional information in the following document: http://service.sap.com/~sapdownload/011000358700002767992005E/HowToMLSXI30_02_final.pdf
  Rgds.,
  Andreas

• What about security in adf faces application ?

  It seem that the documentation has a little bit changed about security for adf faces application.
  SRDemo J2EE sample application only implemented the security at the web container and may be for the session beans (don't remember) by using security-role and security-constraint in web.xml configuration file.
  It seem that the documentation recommand now to implement adf security and didn't find anymore the reference to the standard j2ee security implementation.
  We found also that the security constraints checked by the web container was sometimes ignored and the container didn't ask us to login before displaying a page.
  Is ADF security a clear Oracle recommandation for ADF Faces application ?
  What about j2ee security for this type of application (why it is not recommended to use it) ?

  Hi,
  there is no single recommedation about security because security ideally is applied on several levels to implement security in depth. Container managed security with J2EE is a good option to secure page access and - if using EJB - to propagate the user identity for method level access control.
  Using ADF Security, which is security added to the binding layer based on JAAS, a second layer of the security onion becomes available that allows you to define which user is allowed to perform which operation on an iterator or attribute binding. This goes beyond of what container managed security can do for you.
  The thrid layer is business layer security and eventually database security.
  For Oracle Open World we will have a developmengt track and one of the presentation I am giving with Ric Smith from our team is about end-to-end application security for ADF Faces, ADF, ADF BCor TopLink/EJB and the Oracle database.
  The plan is to also write this up in a paper, but this would come late because of other priorities I have on my plate. So attending OOW probably is the best option for you to get the big picture
  Frank

• Reaching out for Enterprise Security Help

  My current environment is a medium size hospital with mulitple campuses. We have a number of different types of devices; Laptops, CoW's (Computer on Wheels) 7921's, BlackBerry's. Currently the majority of my clients are running WPA/WPA2-PSK. Personally, I'm sick to death of PSK. It's an easy and samll footprint, but managing keys is a major pain in the butt. At any one time I have an average of 500 clients connected to my WLC's (4.2.205). I've been trying to run a project on moving the devices to an EAP scenerio. Laptops work fine in EAP-TLS as do BlackBerry's but as everyone knows, EAP-TLS has some authentication overhead. Here's my problem, the CoW's. The CoW is simply a mini-pc put into a specialized cart that the nurses pull from room to room for BedSide Meds and such. With EAP-TLS testing I'm having a lot of issues with the authentication taking to long and the user getting kicked out of their app, Meditech. Our version of Meditech is basically a crap telnet application and if it doesn't get a response quickly it'll throw you to the desktop. Also, although I know EAP-TLS had some overhead, I'm dissapointed in it's roaming ability and how slow it is. As I see it, the users I have testing EAP-TLS on laptops and Blackberry's are not truely mobile. They typically don't attempt to use their device while on the move versus's the CoW. Here are a few things I've ran into in trying to figure out a security solution and hopefully you guys can help me out and suggest somethings I haven't thought of:
  EAP-TLS - Obvious overhead issues as stated above. Is anyone running this in a similiar environment, how do you deal with it?
  PEAP - Rely's on a strong user/pass which does not work in our world. The nurses log into the CoW witha generic username/password that pretty much everyone is aware of. Although Windows it's self is locked WAY down, your still on the network if you have access to this user/pass.
  EAP-FAST - As I understand it, with EAP-FAST and MSCHAPv2, there's a PAC for each user. If the user logs in more then once from different locations, I suspect this would be a problem. Not to mention I'm not sure how the manageability on usernames would work. I looked at using the Certificate on the machine to do the authentication and setting EAP-FAST to require this for autehntication and it works fine for my laptop and the IntelPro/Set Wireless utility but on the CoW's, not so.. The Cow's have an Atheros AR5006x chip and with the Atheros Client Utility, the utility will only allow you to select a personal cert, not a machine certificate for anything. Does anyone know of an Client Utility that will allow me to do this with out spending $$$$ or of Atheros Client that will allow me to do this?
  How is everyone else providing an enterprise solution with manageabillity and stability?

  Extensible Authentication Protocol (EAP) is an IETF RFC that stipulates that an authentication protocol must be decoupled from the transport protocol used to carry it. This allows the EAP protocol to be carried by transport protocols such as 802.1X, UDP, or RADIUS without having to make changes to the authentication protocol itself.
  •PEAP MSCHAPv2-Protected EAP MSCHAPv2. Uses a Transport Layer Security (TLS) tunnel, (the IETF standard of an SSL) to protect an encapsulated MSCHAPv2 exchange between the WLAN client and the authentication server.
  •PEAP GTC-Protected EAP Generic Token Card (GTC). Uses a TLS tunnel to protect a generic token card exchange; for example, a one-time password or LDAP authentication.
  •EAP-FAST-EAP-Flexible Authentication via Secured Tunnel. Uses a tunnel similar to that used in PEAP, but does not require the use of Public Key Infrastructure (PKI).
  •EAP-TLS-EAP Transport Layer Security uses PKI to authenticate both the WLAN network and the WLAN client, requiring both a client certificate and an authentication server certificate.
  http://www.cisco.com/application/pdf/en/us/guest/netsol/ns386/c649/ccmigration_09186a0080871da5.pdf

• OC4J security with certificates

  Hi,
  I'm trying to develop OC4J (with JDeveloper 10g) application that has to use certificates X509 for authentication.
  Can someone help me with links to demos or tutorials? Or some ideas how to build this?
  Regards,
  Niko

  OK, I'll make an assumption. You see, you could want to do message-layer level security for web services. That is, use WS-Security. Since this thread started with SSL-enabling OC4J, I guess I should assume you want to just do transport-layer security. I got a little thrown off by your mention of optionally encrypting your SOAP message.
  Anyway, it is a matter of obtaining certs, building and loading up the keystore with the appropriate certs and informing OC4J about the keystore and whether or not you will authenticate the client with a cert. You will need to modify server.xml, and modify your default-web-site.xml (or perhaps better, create a secure-web-site.xml from the default-web-site.xml base).
  You know, Oracle has changed OC4J quite a bit from the Orion base. But you might try this out to see if it works.
  http://www.orionserver.com/docs/ssl.html#configuring
  If you try, please post back with your results.
  regards,
  tt

• Dsee 6.3.1 - disable non-secure port

  I disabled access to the non-secure port on my ldapserver as I only want clients to talk to my server using ssl (tls:simple)
  root@ldapserver#/> dsconf set-server-prop ldap-port:disabled
  After the compulsory restart, I was no longer able to bind a client (even if I tell it to connect on port 636) :
  root@ldapclient #/> ldapclient init -v -a profileName=SB -a domainName=unix.mydomain.com -a proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain
  ,dc=com ldapserver.mydomain.com:636
  Parsing profileName=SB
  Parsing proxyDN=cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
  Arguments parsed:
  proxyDN: cn=proxyagent,ou=profile,dc=unix,dc=mydomain,dc=com
  profileName: SB
  defaultServerList: ldapserver.mydomain.com:636
  Handling init option
  About to configure machine by downloading a profile
  findBaseDN: begins
  findBaseDN: ldap not running
  findBaseDN: calling __ns_ldap_default_config()
  __ns_ldap_list return NULL resultp
  findBaseDN: Err exit
  LDAP ERROR (85): Error occurred during receiving results. Timed out.
  Failed to find defaultSearchBase for domain unix.mydomain.com
  I know my certs are good as ldapsearch returns data as I would expect...
  root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com uid=myuser
  returns my userid.
  There is an anonymous read only ACI in place:
  root@ldapclient #/> ldapsearch -Z -p 636 -h ldapserver.mydomain.com -P /var/ldap -b dc=unix,dc=mydomain,dc=com -s base "(objectclass=*)" aci
  aci: (target ="ldap:///dc=unix,dc=mydomain,dc=com")(targetattr!="userPassword")(
  version 3.0;acl "Anonymous read-search access";allow (read, search, compare)
  (userdn = "ldap:///anyone");)
  As soon as I re-enable standard 389 access the client init works fine again....
  Am I missing something here?
  Does the `ldapclient init` command need to make a 389 connection first before it downloads the profile which tells it to use tls:simple and therefore port 636 from then onwards?

  quote:
  SSL enables support for the Start TLS extended operation that provides security on a regular LDAP connection. Clients can bind to the non-SSL port and then use the Transport Layer Security protocol to initiate an SSL connection. The Start TLS operation allows more flexibility for clients, and can help simplify port allocation.
  [http://docs.sun.com/app/docs/doc/820-2765/gdzdc?l=en&a=view]

• Firefox V.39 Security vulnerability blocking access to login FYI

  Just an FYI and a page redirection. I have not logged in to the forum in a while. I am using most current version of Firefox (V.39). The error basically states to let the web admin know that the vulnerability exists on the web site. The fix was to do: about:config toggle these two settings from True to False 1 - security.ssl3.dhe_rsa_aes_256_sha;false 2 - security.ssl3.dhe_rsa_aes_128_sha;false Which I did and it worked for me. I will most likely toggle the two back to true as it was a default setting.

  Here is the official explanation relating to the issue. The POODLE Attack and the End of SSL 3.0 - Published October 14, 2014
     Summary SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer” (SSL) or “Transport Layer Security” (TLS). Issue In late September, a team at Google discovered a serious vulnerability in SSL 3.0 that can be exploited to steal certain confidential information, such as cookies. This vulnerability, known as “POODLE”, is similar to the BEAST attack. By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user’s private account data on a website. Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail.Today, Firefox uses SSLv3 for only about 0.3% of HTTPS connections. That’s a small percentage, but due to the size of the Web, it still amounts to millions of transactions per day. Impact The POODLE attack can be used against any browser or website that supports SSLv3. This affects all current browsers and most websites. As noted above, only 0.3% of transactions actually use SSLv3. Though almost all websites allow connections with SSLv3 to support old browsers, it is rarely used, since there are very few browsers that don’t support newer versions of TLS. Sites that require SSLv3 will remain vulnerable until they upgrade to a more recent version of TLS. According to measurements conducted by Mozilla and the University of Michigan, approximately 0.42% of the Alexa top million domains have some reliance on SSLv3 (usually due to a subdomain requiring SSLv3). Status SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25. The code to disable it is landing today in Nightly, and will be promoted to Aurora and Beta in the next few weeks. This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3. As an additional precaution, Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV. If this is supported by the server, it prevents attacks that rely on insecure fallback. Additional Precautions For Firefox users, the simplest way to stay safe is to ensure that Firefox is configured to automatically update. Look under Preferences / Advanced / Update and make sure that “Automatically install updates” is checked. For users who don’t want to wait till November 25th (when SSLv3 is disabled by default in Firefox 34), we have created the SSL Version Control Firefox extension to disable SSLv3 immediately.Website operators should evaluate their traffic now and disable SSLv3 as soon as compatibility with legacy clients is no longer required. (The only remaining browser that does not support TLSv1.0 is Internet Explorer 6). We recommend following the intermediate configuration level from Mozilla’s Server Site TLS guidelines. We realize that many sites still receive traffic from IE6 and cannot disable SSLv3 entirely. Those sites may have to maintain SSLv3 compatibility, and should actively encourage their users to migrate to a more secure browser as soon as possible. 

• TLS Protocol Session Renegotiation Security Vulnerability

  Has anyone out there been trying to figure out a way to deal with this TLS vulnerability?
  An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
  This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

  I have updated the link.
  This is a TLS/SSL vulnerability that is industry wide. it is a problem with the protocols themselves not the implementation. I am certain that it affects IronPort and have word that they are working on it.
  I was hoping someone from IronPort would jump in and let us know what was going on, and when we would expect to see an update for the AsynchOS.
  Thierry ZOLLER does a good job of explaining the issue at the below link.
  http://www.g-sec.lu/practicaltls.pdf