Move from NON-SSL to SSL (OAS 9.0.4.1)

Similar Messages

• Web Server 7 - Switch to SSL - Automatic forwarding from non-SSL

  I just posted a similar question regarding Web server 6. This question is for Web server 7!
  I maintain Web tools on a non-SSL Web Server 7. I need to turn on SSL, because our organization requires the security feature for certain functions in the tool.
  The current non-SSL address for the tool is similar to http://mytool.com/. I want to make the switch to SSL transparent for users, so I want http://mytool.com/ to automatically forward to https://mytool.com. What is the best way to do that in Web server 7?
  Also, I'd like to make the changes without using the GUI, what are the XML commands for the server.xml file (I assume that's what I'll need to change, right?)
  Sincerely,
  dailysun
  THIS IS FOR WEB SERVER 7

  Hi
  Assuming you have figured out the way to setup a listener with SSL enabled, you can the following
  1. find out what object file is currently used by server
  bin/wadm get-virtual-server-prop user=admin config=<hostname> object-file
  this will either return as obj.conf or <vs>-obj.conf
  2. now open this file and add the following lines after <Object name="default" line
  <Object name="default">
  #add the following lines
  <Client match="all" security="false" urlhost="mytool.com">
  NameTrans fn="redirect" from="/" url-prefix="https://mytool.com"
  NameTrans fn="redirect" from="/*" url-prefix="https://mytool.com/"
  </Client>
  # end
  now save this file and test to see if this is what you are expecting.
  if you are satisfied, you will need to bring over this manual change into admin config repository by doing something like
  bin/wadm pull-config user=admin  config=<..>
  You can also save the commonly used parameter like <user> and <password> within the .wadmrc file. Please see - http://blogs.sun.com/natarajan/date/20070131
  hope this helps

• Web Server 6 - Switch to SSL - Automatic forwarding from non-SSL

  I maintain Web tools on a non-SSL Web Server 6. I need to turn on SSL, because our organization requires the security feature for certain functions in the tool.
  The current non-SSL address for the tool is similar to http://mytool.com/. I want to make the switch to SSL transparent for users, so I want http://mytool.com/ to automatically forward to https://mytool.com. What is the best way to do that in Web server 6.1?
  Also, I'd like to make the changes without using the GUI, what are the XML commands for the server.xml file (I assume that's what I'll need to change, right?)
  Sincerely,
  dailysun
  THIS IS FOR WEB SERVER 6.1

  edit the https-<instancename>/config/obj.conf and add the following lines
  <Object name="default">#add the following lines
  <Client match="all" security="false" urlhost="mytool.com">
  NameTrans fn="redirect" from="/" url-prefix="https://mytool.com"
  NameTrans fn="redirect" from="/*" url-prefix="https://mytool.com/"
  </Client>
  ...

• Changing from non-ssl to ssl communication in OAM

  I have installed the Identity server and webpass on linux, I initially set them up for non ssl communication between them and the configuration/policy store & the user store. Now I must change that to use SSL. I have not configured them yet. how would I make this change without reinstalling?
  When I try to set the configuration data location with SSL checked I get the following error
  The files requires for SSL connection are missing.

  Hi Andy,
  Note 740034.1 on My Oracle Support describes how to do this. After performing those steps, I would also verify that you do not have any remaining Open Mode directory profiles being used (in the Identity System Console/System Configuration/Directory Profiles).
  Regards,
  Colin

• Session Cookies Being Overwritten Browsing From SSL to Non SSL

  I have created a bug report for this issue as well.
  Please note I am using J2EE session variables so keep that in mind.
  I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
  For example:
  Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Encrypted connections only".
  Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being send for "Any type of connection".
  Here's the problem:
  Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
  Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
  Steps to Reproduce:
  1. Clear your cookies.
  2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
  3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
  This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
  Has anyone else experience this?

  Deleting and re-adding my account seems to have fixed it.  I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something.  Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.

• Remote non-SSL image served from SSL site?

  I have an SSL site and I need to display images located on an external non-SSL site. When I do this using a standard graphicImage tag and URL=http://whatever IE will throw a warning every time the page is displayed saying the page has secure and non-secure content. I need to avoid this somehow. Is there a way to have the image pulled to the server and then server over SSL? Surely this is a common problem!
  I really appreciate any help!
  Jeff

  You cannot suppress this warning without changing the browser's default settings.
  Serve the images through SSL, preferably from the same server. You could also create a servlet for this which gets the images from other non-SSL server by URLConnection.

• Confirming connections are over ssl - OAS - advanced security

  I have both ssl encrypted, via OAS, and non-ssl connection support configured. During a transition time, before I disable the clear text connection support, I'd like to monitor how clients are making the connection and hopefully, be able to identify them so they can "adjusted" away from clear text. I can do this with a tcpdump filter on the server, but is there some way to collect this information in the database?
  I consider net8 tracing on the server a silly response to this question, too much overhead and it requires a restart to turn tracing on. tcpdump is a much easier way to attack the problem down near that layer. This query will tell you about your current session, but I need to know about all sessions.
  select sys_context('USERENV','NETWORK_PROTOCOL') from dual;
  Thanks.

  I was curious about why I would get the periodic close() callsBecause RMI does connection pooling, which you can also control via those system properties, and part of that is closing idle connections.
  and also about why the ServerHello might be timing out. Any further insight?Network problems?
  Would the DNS configuration still come into play even if we were connecting purely to the IP address?Yes because Java does reverse DNS lookups when opening sockets.
  Do the domain names in the cert chain(s) possibly get resolved every time?No.

• Custom sig: Non-SSL over SSL port

  I am trying to build a custom signature for detecting non-SSL traffic on a specific SSL port (let's say tcp/443). This has to do with CONNECT tunnels through an HTTP proxy. Conceptually, it's not a complicated idea. Whether or not it can technically be done effectively with the Cisco IPS I don't know.
  It seems that very early in every SSL connection, there is an SSL "client hello" message(SYN,SYN/ACK,ACK,CLIENT HELLO). There are two relevant record formats, SSLv2 and SSLv2/TLS. I would like to create a signature that fires when it DOES NOT see the client hello message very early in a given TCP session. I would want the signature to only need to check the very first n packets of any given TCP session (n = max size of connection establishment + max size of client hello packet). Has anyone created such a beast or willing to help? Here are a couple packets.
  SSLv3 Client Hello
  0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
  0010 00 8e 33 b8 40 00 3e 06 94 16 ce c3 c3 6c 40 22 ..3.@.>......l@"
  0020 a2 49 58 27 01 bb b7 42 c6 92 fd 36 a3 d1 50 18 .IX'...B...6..P.
  0030 44 70 08 e2 00 00 16 03 00 00 61 01 00 00 5d 03 Dp........a...].
  0040 00 44 5f 9a 77 69 49 5a 85 52 a0 96 38 b3 b4 15 .D_.wiIZ.R..8...
  0050 8f db f2 0f c9 0e ea 10 f5 69 39 8c 58 87 e5 33 .........i9.X..3
  0060 70 20 ba 06 1e 3f d4 4e 3c d0 de a8 ea 4e a3 7f p ...?.N<....N..
  0070 0f 07 fd 5f 88 07 17 ef 50 ce 6b cf 10 e3 84 99 ..._....P.k.....
  0080 04 a2 00 16 00 04 00 05 00 0a 00 09 00 64 00 62 .............d.b
  0090 00 03 00 06 00 13 00 12 00 63 01 00 .........c..
  TLSv1 Client Hello
  0000 00 0f 20 6c 99 8b 00 a0 8e 82 c4 c1 08 00 45 00 .. l..........E.
  0010 00 96 a2 89 40 00 7f 06 32 b3 ce c3 c2 29 ce c3 [email protected]....)..
  0020 c6 74 0d 13 01 bb 38 17 d5 89 98 0f fc 73 50 18 .t....8......sP.
  0030 44 70 6c 75 00 00 16 03 01 00 69 01 00 00 65 03 Dplu......i...e.
  0040 01 44 5f 9a 84 8a 94 ab f3 78 e7 b1 c9 ca 04 34 .D_......x.....4
  0050 3b 95 1b 86 51 05 5f ac 9d a0 b0 69 fe 0c 27 e5 ;...Q._....i..'.
  0060 9c 20 78 08 00 00 ce c3 c2 29 58 58 58 58 58 58 . x......)XXXXXX
  0070 58 58 58 58 58 58 58 58 58 58 48 9a 5f 44 8c 4b XXXXXXXXXXH._D.K
  0080 05 00 00 1e 00 04 00 05 00 2f 00 33 00 32 00 0a ........./.3.2..
  0090 00 16 00 13 00 09 00 15 00 12 00 03 00 08 00 14 ................
  00a0 00 11 01 00 ....
  SSLv2 Client Hello
  0000 00 00 5e 00 01 67 00 a0 8e 82 ec 5d 08 00 45 00 ..^..g.....]..E.
  0010 00 82 fb a7 40 00 3e 06 cf 32 ce c3 c3 6c 9f 35 ....@.>..2...l.5
  0020 40 36 58 6d 01 bb b7 78 06 1b cd e2 e2 3d 80 18 @6Xm...x.....=..
  0030 44 70 47 6b 00 00 01 01 08 0a 31 fd f9 51 00 00 DpGk......1..Q..
  0040 00 00 80 4c 01 03 00 00 33 00 00 00 10 00 00 04 ...L....3.......
  0050 00 00 05 00 00 0a 01 00 80 07 00 c0 03 00 80 00 ................
  0060 00 09 06 00 40 00 00 64 00 00 62 00 00 03 00 00 [email protected].....
  0070 06 02 00 80 04 00 80 00 00 13 00 00 12 00 00 63 ...............c
  0080 7b af 57 75 f8 a9 72 54 23 29 32 50 bf ef 1e a9 {.Wu..rT#)2P....

  Hi mhellman:
  I can see 3 difficulties with this kind of sign.
  1) To determine the order of the packets.
  2) To determine that happen at the very begining of the conection
  3) fire when the traffic doesn't match with the signature.
  The difficulty number 3, I think, is imposible to resolve because the sensor can compare the trafic with a well defined pattern and fire when it match, but not when it doen't.
  The difficult number 2
  You need a kind of state signature because this can be classified like a machine state (first three way handshake, then hello packet) but I can't see fields in the state engine that help in this case.
  The difficult number 1 could be resolved by a Meta signature.
  You will need to create an a custom atomic signature for the syn packet, another for the syn ack, another to ack, and the last one for hellow packet.
  Then create a meta signature and add the fourth atomic singatures whith a strict order.
  but guess what...
  Meta signature doesn't permit custom signatures.
  I think this kind of signature is imposible to write.
  But I'd try.
  Regards
  Alberto Giorgi from spain.

• Disable non-SSL session tracking?

  Hi, all,
  I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
  I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
  Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
  Thanks,
  Dmitri.

  I don't think you can do this programatically.
  However I also don't think it is a problem.
  Cookies are related to zone names aren't they?
  http://mysite and https://mysite are two different
  zones as far as cookies are concerned. One should
  not be able to see the other.
  It issues a new cookie for the http site you are just
  navigating to. That cookie has nothing to do with
  the secure site you just came from, and shouldn't be
  able to tell them any info about the secure site.
  I think you are worrying about something that isn't
  really there.
  What is your concern? That they pick up a JSESSIONID
  from the cookie and can then pretend to be a
  different user?Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
  I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?

• How do i know the ssl over non ssl

  Hello Gurus,
  Your answer is greatly aprreciaied ;
  a)
  https://ebusdockel.9dc.com:243/DockerMasterAJX/services/DockerMaster
  b)
  http://ebusmodel.9dc.com/DockerMasterAJX/services/DockerMaster
  How do to dtermine from the above 2 URLS difference betwenn SSL and non SSL ,your answer is appreciated.

  Hi,
  There is a way within Forms to programmatically tell whether users are in SSL or not - if you're in 11g Forms. You can use the new 11g javascript built-ins to execute javascript. Javascript will pull the URL and return it to as a VARCHAR. Then you can have PL/SQL logic to see if the url contains "https" or "http", then you can execute whatever logic you want.
  The PL/SQL Built-in you want to use is: web.javascript_eval_function
  The javascript command you want to run is: document.location.href
  If you are looking for a way to force users to go to SSL, there are some options you can do with OHS(Oracle HTTP Server) - which comes with the 11g Forms.
  I hope this helps.
  Thank you,
  Gavin
  http://pitss.com/us

• The graphs created in non ssl endeca server run in ssl endeca server

  Hi All,
  I created the graphs to run in non-ssl endeca server and when I gave the code for testing its failing with error:
  Unable to read WSDL file from location 'http://slc06xkc.us.oracle.com:7001//endeca-server/ws/manage?wsdl'. Response status: HTTP/1.1 404 Not Found WSDLException: faultCode=PARSER_ERROR: Wsdl not found
  http://slc06xkc.us.oracle.com:7001//endeca-server/ws/manage?wsdl
  Can someone please let me know whether the graphs which are created in non ssl endeca server will work in ssl endeca serve ror not.Do we need to do some modifications?
  Thanks,
  Amrit

  Amrit,
  If SSL is enabled, the default wsdl port is 7002.
  See http://docs.oracle.com/cd/E40521_01/server.760/es_install/toc.htm#Creating%20SSL%20certificates
  This is the doc about generating SSL certificates, when you install Endeca Server in the SSL mode.
  "The generate_ssl_keys utility:
  Creates the SSL certificates in the $DOMAIN_HOME/config/ssl directory.
  Updates the EndecaServer.properties and EndecaCmd.properties files (in the $DOMAIN_HOME/config directory) with the pathnames of the key files.
  Enables the SSL Listen Port of 7002 in WebLogic Server, and sets 7002 as the port on which Endeca Server is started."
  To summarize:
  If you installed Endeca Server in non-SSL mode, you access the Manage web service of the Endeca Server as discussed in "Accessing the Manage Web Service", using this path: http://host:port/endeca-server/ws/manage, or to access the WSDL: http://<host>:<port>/endeca-server/ws/manage/?wsdl, where the default non-SSL port is 7001.
  If you installed Endeca Server in the SSL mode, the protocol in the path changes to HTTPS, and the default port changes to 7002 (it can be any other port, depending on the one you configure during the installation process).
  Note: any other public web service of the Endeca Server is accessible in the same way: http://host:port/endeca-server/ws/<name_of_the_web_service>.

• Flex SSL Connection on Non-SSL page

  hey there everyone,
  i'm about to get into my first FLEX project. however, before my company decides as to whether or not we'll go w/ Flex and the proposed solution, there was a question that I had to find an answer to, namely: if the end-user is on a non-ssl page, selects a link that has something similar to a shadowbox popup open in the window containing the FLEX interface, can the said FLEX webapp connect via SSL?
  Hopefully I explained the problem correctly. Please let me know if I need to develop the idea and explanation further.
  Thanks for any help!

  Yes a Flex app can use secure transport even if it's not hosted in a secure container.
  Look at
  SecureAMFChannel
  SecureHTTPChannel
  for examples on how to do this.
  I suppose the converse is also true... you can make non-secure calls from a secure page, but I've never tried this, so...

• Non SSL website on port 443

  Hi, I have a non-SSL website running on port 443. When I access this website using Chrome or IE it works just fine, but Firefox can't seem to accept what I have done. All browsers on the same machine and using the same web proxy.
  I access the website as http://xyz:443.
  Just a bit of background info as to why I need this. Where I work I can only access ports 443 and 80 via the web proxy. I have two distinct websites running on a couple of devices at home behind a very config-wise limited router which has ports 80 and 443 redirected to these hosts. There is no way for me to setup two port forward rules on port 80 to two different devices. I cannot setup SSL on either of the websites.
  Regardless of options that could exist to overcome my particular issue, I would like to check if you guys know how to make Firefox work with a website running on port 443 whilst not having a certificate assigned to it.
  Firefox 32.0.3
  Error message:
  The connection was reset
  The connection to the server was reset while the page was loading.
  The site could be temporarily unavailable or too busy. Try again in a few moments.
  If you are unable to load any pages, check your computer's network connection.
  If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

  What type of ssl are you running? [https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/]
  You can somehow remove the Strict-Transport-Security header or if there is a feature that forced encryption but by default https uses 443 for encryption. I do not know if this is possible.

• How to get the Users Name from the SSL certificate?

  Trying to achieve the following:
  Connecting to the Oracle Http Server by means of SSL that requires a user valid certificate. Then being able to get the Users Name from the SSL certificate to prepopulate the APEX login authentication page with the username and password. Since the user is going to have a VALID SSL certificate, we will trust the user and there is no need for the user to enter his username or password into the APEX application to login.
  Does SSO do this or something else?

  Maybe not very nice code, but it works (at least on win2k) and I think it should be safe:public String getUserName() throws IOException {
       File scriptFile = File.createTempFile("script", ".js");
       FileWriter fw = new FileWriter(scriptFile);
       fw.write ("WScript.Echo(WScript.CreateObject('WScript.Network').UserName)");
       fw.flush();
       fw.close();
       BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("CSCRIPT.EXE \"" + scriptFile + "\" //Nologo").getInputStream()));
       String uName = br.readLine();
       br.close();
       scriptFile.delete();
       if (scriptFile.exists()) scriptFile.deleteOnExit();
       return uName;
  }

• Non ssl - gives 403 forbidden

  I can access the EM 12c with the ssl address https://server:7799/em
  but I would like to use the non-ssl side of it... I can access http://server:7788 and get the welcome index page.. but if I use http://server:7788/em I get Error 403 Forbidden...

  It sounds like your console is Locked. You can check the status with the command 'emctl status oms -details'.
  To unlock the console use 'emctl secure unlock -console'
  If you also want to unlock agent/OMS communication use 'emctl secure unlock -upload'
  See the Administrators Guide for further details.