Managing SSL certifications

Similar Messages

• Oracle Wallet SSL Certification???

  I tried these steps for SSL certification. I may be wrong on this.
  If anyone has done this on correct way on middleware 11g,
  please forward me with command and all the steps to complete this.
  Thanks
  John
  bash-3.2# openssl genrsa -out server.key 2048
  Generating RSA private key, 2048 bit long modulus
  ...+++
  .........................................................+++
  e is 65537 (0x10001)
  Create server cert request:
  bash-3.2# openssl req -new -key server.key -out server.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  Country Name (2 letter code) [GB]:US
  State or Province Name (full name) [Berkshire]:xxxxx
  Locality Name (eg, city) [Newbury]:xxxxx
  Organization Name (eg, company) [My Company Ltd]:xxxxxx
  Organizational Unit Name (eg, section) []:ITS
  Common Name (eg, your name or your server's hostname) []:xxxxx.yyyy.edu
  Email Address []:[email protected]
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:xxxxxx
  An optional company name []:xxxxx
  Create a file named CACerts.crt and paste intermediate and root certificates in it. CACerts.crt will look like this:
  openssl pkcs12 -export -out ewallet.p12 -inkey private.key -in dev-banner01.crt -certfile CACerts.crt

  It has been solved for middleware 11g as well as for 10g.
  Prakash

• How can you manage ssl service provider service in PI 7.1?

  Hello there..
  I am trying to find a place in Netweaver admin tool so that I can add CA certificate into the SSL provider service Trusted Certification Authorities list. I use to be able to do that in Visual Admin tool -> dispatcher node -> Services -> SSL Provider -> Runtime tab -> Client Authentication, but now I cannot find anywhere in the NetWeaver Admin tool.
  Thanks.
  Jerry.

  Hi Jerry,
  Once you login to the NWA, follow this path
  Configuration Management -> Security -> Certificate and keys ->
  You need to import the client certificate under ICM_SSL_xxx and you can find SSL_Provider if you scroll completly down. You need to import the private key of the client certificate under ICM_SSL_xxx.
  You have even Trusted CA's under this list. Please let me know if you have any problems.
  Thanks,
  Srini
  Edited by: srinivas kapu on Dec 18, 2008 9:58 PM

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Application Networking Manager - SSL Certs

  Hi,
  We have an ANM 4.1  installation and today i was asked why an ACE context with many certs installed for the SSL proxy service didnt show any of the certs or keys in ANM. I can see some chains group parameters and ssl proxy service config.
  I have double checked and there are lots of certs installed via CLI and have run a resync but absolutely nothing in the SSL --> Cert pages or SSL --> Keys. Is it because all the config importing the certs was via the ACE CLI rather than the ANM??
  What I have to do to import these as we plan to use ANM to manage the cert expiry dates

  Adrian,
  In order to install the license you must have a license file on the ANM server and install it through the command line:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.1/installation/guide/IG_config.html#wpmkr1120937
  No other way to do it.
  License file can either be copied to the ANM file system, or you can create a new empty license file on it and copy paste the license file content.
  If you have no access to the ANM server through CLI, then a workaround might be:
       - install a new VMWARE machine where you have CLI access.
       - install ANM on it
       - copy license (other you copy the file through any means or you create a file and edit by copy pasting the license file content)
       - install license with the command  /opt/CSCOanm/bin/anm-license install /path/ANMxxxxxxxxxxxxxxxxx.lic as described in the link above
       - save the VMware image
       - deploy the same VMWare image to the ESX where it has to be installed and where you have no access to CLI neither you can copy a file.
  Hope this helps,
  Domenico.

• SSL Certification - Acceptance?

  Hi,
  I'm having troubles getting a server to connect to itself (yes, itself).
  The code I have write works perfectly in a non-SSL setup, but now in a SSL setup it's not working. The error message is:
  sun.security.validator.ValidatorException: No trusted certificate found
  Now, I've searched through the forums and the fix seems to be: you need to add a certificate to your keystore .... ok, maybe I'm missing something but I've done that.
  I think my problem is that I make the connection on: https://localhost whereas the certificate is made out to https://mydomain.com and because of the miss-match the validator is rejecting the certificate!? Now, before someone suggests: why not connect to https://mydomain.com ??? I can't because, because the underlieing IP is load-balanced and there is NO garrentee that the server will connect to the correct server (itself).
  What can I do?
  - Create another certificate for localhost?
  - somehow tell the validator to accept the certificate?
  - other?
  Thanks in advance for any and all help.

  >
  sun.security.validator.ValidatorException: No trusted
  certificate found
  Is this exception coming from the client code (the code trying to make the connection) or the server code (the code receiving the connection attempt)?
  Now, I've searched through the forums and the fix seems to be: you need to add a
  certificate to your keystore .... ok, maybe I'm missing something but I've done that.
  There are two kinds of certificates you need to concern yourself with: a trusted certificate and a certificate that is signed by (possibly through a chain of other certificates) trusted certificate.

• Project Management Certifications

  Hi All,
  After going through Training and certification shop website of SAP what I could understand is there are 4 certifications available related to Project Management whose codes are given below:
  1. C_PM_71
  2. C_TPLM22_60
  3. C_TPLM22_64
  4. C_TPLM50_95
  (Please correct me if I am wrong.)
  My query is related to the above certifications based on the below points:
  1. Auidance to do this course?
  2. Number of years of experience required for it / Eligibility criteria?
  3. What is the market value for each 1 of the above mentioned courses?
  Thanks in advance,
  Vaibhav

  Frankly speaking (my opinion), if you are more inclined towards technology, you should not go in for management level certifications (You would prefer an OCM as your manager than a typical project manager who probably would not understand the technicalities of an issue).
  Its not that these certifications do not help at all, they do. They will help you manage the activities around you but then you tend to drift away from the technology.
  There would definitely be other views, I am sure. :)

• Certificate Manager Software compatible with BEA?

  Hi,
  We want to use 2-way SSL certification, and create client certificates for
  our clients.
  I tried using Netscape CMS, but the WL documentation says it is
  incompatible.
  Of course, we want to be an isolated CA to make sure that no client
  authenticated by
  other CAs has access.
  Has anyone used a certificate server compatible with BEA weblogic?
  Is there a way to convert the output of Netscape CSM to a compatible format
  (PEM or DER) ?
  Thanks in advance,
  Luis Muniz

  Hi all,
  I finally managed. Somehow creating the request with openSSL doesn't work.
  You have to create the certificate request with the certificate request
  servlet.
  Now I'm going to try to create some client certificates.
  "Luis Muniz" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  I tried openSSL, here are my results:
  I created a self-signed demoCA.
  I created a certificate signed by this CA.
  i have following files:
  newkey.pem (512 bits RSA private key)
  newcert.pem (certificate)
  but when I start WL 61, i still get the error:
  <Oct 26, 2001 12:25:49 PM CEST> <Alert> <WebLogicServer> <Security
  configuration
  problem with certificate file certifs/newkey.pem, java.io.IOException:
  Length i
  s too big: takes 108 bytes>
  java.io.IOException: Length is too big: takes 108 bytes
  at
  weblogic.security.ASN1.ASN1Header.inputLength(ASN1Header.java:148)
  at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:120)
  at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:111)
  at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:397)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
  atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1045)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:480)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
  at weblogic.Server.main(Server.java:35)
  Any idea?
  Thanks
  "Gilbert W. Pilz Jr." <[email protected]> wrote in message
  news:[email protected]...
  In article <[email protected]>, [email protected] says...
  Hi,
  We want to use 2-way SSL certification, and create client certificates
  for
  our clients.
  I tried using Netscape CMS, but the WL documentation says it is
  incompatible.
  Of course, we want to be an isolated CA to make sure that no client
  authenticated by
  other CAs has access.
  Has anyone used a certificate server compatible with BEA weblogic?Have you tried OpenSSL?
  - gil

• Call a SSL Secured Webservice

  Hi,
  I build service for call a webservice (BPEL). It works fine. Now, that webservice is secured with ssl Certification - https. (I have the certification documents).
  I can't find useful information how to fix this.
  - Must I enable or change settings from the Application Server (where the services are deployed), because we installed the SOA suite with standard settings?
  - Changes or settings in our JDveloper / BPEL process / Partnerlink?
  - Use of Wallet Manager?
  I hope somebody can help me.
  Regards
  Hakan

  I get still a error when I try to deploy the service after importing the certificates in the both JDK's (JDeveloper and SOA Suite):
  Error:
  [Error ORABPEL-10903]: failed to read wsdl
  [Description]: in "bpel.xml", Failed to read wsdl.
  Error happened when reading wsdl at "C:\SOAPTEST\SendHeaderProcess\SSLTesting\zoekCurs\JDev\bpel\PortalServicesUU.wsdl", because "Error reading import of file:/C:/SOAPTEST/SendHeaderProcess/SSLTesting/zoekCurs/JDev/bpel/PortalServicesUU.wsdl: WSDL-bestand op "https://www.osiriswebservices2.universiteitutrecht.nl:9443/osipuu_osts/PortalServicesUU?WSDL" kan niet worden gelezen. De oorzaak is: javax.net.ssl.SSLHandshakeException. : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
  Make sure wsdl exists at that URL and is valid.
  [Potential fix]: If your site has a proxy server, then you may need to configure your BPEL Server, designer and browser with your proxy server configuration settings (see tech note on http://otn.oracle.com/bpel for instructions).
  Anybody nows what te problem is? Thanks

• BPC NW 7.5 SSL Configuration

  Hi,
  I am trying to implement SSL on a newly installed BPC NW system. Everything went well until i started to configure SSL.
  After completing the steps as mentioned in install guide, Server manager is unable to connect
  I have checked ABAP users, all users are correctly configured as needed in the install doc.
  Errors i notice,
  1) Cannot connect to  planning & consol. web server(when i try to open server mgr).
  2) Once i get past message 1, SAP ABAP server connection is in error state
  3) Microsoft message queue is in error state
  If i undo all the SSL settings my system works without issues
  Any suggestions are appreciated
  Thanks.....

  Dear SAP Fan,
  You could refer this document please
  Link deleted 10 July 2012 - Content was removed.
  That document for SAP BPC 10 and the step-by-step still can run on SAP BPC 7.5NW. For SSL certification installation guide you can refer your security certification company.
  Thank you,
  Wandi Sutandi
  Message was edited by: Jason Lax

• Problem add CAS in CAM NAC 4.7 SSL certificate

  Hello,
  I have a problem with NAC 4.7, I cant add CAS in CAM, I imported the certified of www.perfigo.com and it doesnt work, i reboot the NAM and NAS and nothing.
  Any suggest?
  Best Regards

  Hi,
  Do this.
  Go to the CAM GUI. Browse to CCA Manager -> SSL. Check the box marked CCA Manager Certificate and click on Export. Save this file as CAMCert.pem
  Go to the CAS admin page by going to https://IP_ADDRESS_OF_CAS/admin Click on SSL. Check the box marked CCA Server Certificate and click Export. Save this file as CASCert.pem
  On the CAS page, click on Trusted Certificate Authorities, click on Browse, and choose the CAMCert.pem. Click on Import
  On the CAM page, click on CCA Manager -> SSL -> Trusted Certificate Authorities, click on Browse, and choose the CASCert.pem. Click on Import.
  Now try to add one to the other.
  HTH,
  Faisal

• PI 7.1 NetWeaver Adminstrator/STRUST configuration for SSL

  We are trying to configure SSL on a PI 7.1 system.  My understanding is that you either use the NWA or the ABAP stack STRUST functionality.
  The problem is, when I try to configure a communication channel to use client authentication, the "SSL client SSL Client (Standard)" data is not visible to be selected in the communication channel when I just use STRUST.
  But, if I try to export the certificate from the ABAP "SSL client SSL Client (Standard)" key store and import it into the JAVA client key store (with PKCS#12) it seems fine and I can select it in the communication channel.  I can't export just the X.509 certificate as it needs a complete key pair (which makes sense).
  But, later in STRUST the PSE entry for the client will go red (because it is maintained in the JAVA stack). 
  What is the problem here?  In PI 7.0, I exported it from the ABAP stack and imported the certificate into the JAVA stack and everything was fine.  I don't think I can ignore this because it happens every time.
  You can't request two certificates because the unique name is the host name.  Any help is appreciated.

  Just an update to this:  I've found that this behavior is correct and is fixed in SP08.  It's an either or scenario for managing SSL via ABAP or JAVA.  But, they share the same PSE's so this is why you get this error. 
  I still don't know how you can export Client certificates to the ABAP stack or vice versa.

• CSS SSL renewal problem

  While renewing the ssl certification in CSS everything went fine while installation but after that when i checked with the following command
  sh ssl associate rsakey | grep url(dont want to mention name)
  i can see the previous as well as the new both key as associated and says yes
  while the new should show yes and old should be no
  same it is showing for cert
  can anyone help me to sort out with this problem what it can be
  Thanks in advance

  Sagar,
  Have you performed the "no ssl associate rsakey" and the "no ssl associate cert"?
  After that, perform the "clear ssl file " and "clear ssl file rsakey "
  HTH
  Dave

• Https ssl config Oracle AS, webcache, portal...almost works

  Hi,
  I have searched the forums and I havent found anything that works for me.
  I have Oracle infrastructure on one server, and Oracle App server/portal on another server. I can get as far as the http server showing the "welcome to oracle" page in https form. When I try to access a page in the portal (plsql) I get a blank page. It does convert the "https://myserver:xxxx//pls/portal/url/page/IRWEB/HOME
  " to "https://myserver:xxxx/portal/page?_pageid=73,86254,73_86264:73_86316:73_8632...." but nothing comes up.
  Also, it uses the Infrastructure server for single-sign-on...so I need to make the app server do the single sign-on. I've tried by adding /pls/orasso entry in DADS.conf of http server..
  So as far as I can tell...the http server IS operating in https/ssl, but the single-sign-on and the pages in the portal are not.
  I have to do everything manually since I am using 10.1.2 (no Oracle Collab Suite installed, so no SSLConfigTool and other assistants)
  Here is what I've done to get https://myserver:xxxx/ to come up ok.
  server 1: Oracle Infrastructure and Oracle database release 1 10.1.2.0.0
  server 2: Oracle Application Server / Portal with webcache release 2 10.1.2
  using Oracle Wallet for certificate,
  http server -> process management "ssl-enabled",
  http server -> advanced -> ssl.config: SSLWallet file:, SSLWalletPassword, virtual host for ssl
  webcache -> added settings for ssl (I used the current entries for non-ssl as a guide for the ssl entries)
  Interesting issue...with the ports in the ssl.conf file example:
  Port 4459
  Listen 4459
  VirtualHose myserver.blah.edu:4450
  Port 4458
  When I get the blank page trying to use ssl and 4459, I can manually change the url in my browser to 4458 (or maybe its the other way around) and get this message: "Error: The portlet could not be contacted"
  Is this a problem with webcache? Do I have to do any ssl config on the server with the database?
  I've even tried disabling the webcache, both with the oracle sql script and through web interface but neither made a difference...same problem.
  Any help would be greatly appreciated..I feel as if I'm almost there.
  If I did not post enough info for accurate help, please ask what you need to know to provide help! Thanks in advance.

  Hi,
  Yes you can go for SSl configuration without re-installing any of the components.
  Regards,
  access_tammy

• Project Management Institute and credentials

  Has anyone heard of the PMP (Project Management Professional) certification and is it well recognized? Is it worth going for if I want to do more project management type stuff? I'm just wondering if anyone's heard of it and has opinions on whether or not it will open any doors for me....
  https://www.pmi.org/certapp/Default.aspx

  Only if you're going to be a consultant teaching other printers/design studios how to implement Project Management sw. They may be swayed by the certification.
  Can't see it bringing your print shop/design studio more work off the street if that's what you're thinking.