N95, SSL and Certificates

Similar Messages

• Webservice call failed during execution (SSL and certificates) on NetWeaver 7.30

  Hey experts,
  i need your help!
  We make webservice calls to sap me with our own software.
  We connect to our software via SSL and certificates e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
  At the beginning the software runs without any problems and than we become the following message on all our webservice:
  thats the webservice configurations
  (configuration - connectivity - single service administration):
  (configuration - security - authentication and single sign-on)
  if we restart the software after the error display, the webservice call runs successfully again.
  is it a timeout?
  can anybody help us?
  Thanks,
  Markus
  our system info:
  NetWeaver 7.30 Java
  SAP ME 6.0
  software runs log looks as following
  software doesn't runs log looks as following
  security Log Entry
  more info from security_00.0.log
  #2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
  com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
  Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
  Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
  Read data of type username and value  MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
  Read data of type username and value   from HTTP header and set on module javax.security.auth.callback.NameCallback
  Read data of type password and value  xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
  Read data of type password and value  xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
  Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).

  Hi,
  the authentication for the second call is failing. Have you tried suggest log level from note 880896 - Web Service authentication failure? I would also try to use something like SoapUI to test if the issue is caused by your application or something wrong on SAP side. Also coparing messages for the first and second calls might give you answer.
  Cheers

• Connect - SSL and certificate chain

  Hi,
  is it possible to place a certificate chain somewhere, so
  that Adobe connect users dont have to manually install the
  certificates from the chain?

  Hi cj63, why isn't your cert accepted automatically? We're
  using hardware SSL and encountered an issue with our cert. We ended
  up changing the cert chain on the F5, I believe. I'm not sure of
  the "how" other than to know we did it with hardware SSL, so it
  should be possible.

• Web Service (SSL) and certificates (keytool) with INternet Explorer

  Hi,
  Followed this steps http://www.grallandco.com/blog/archives/2006/10/using_htts_with.html to have a secure SSL WEb service (with client authorization).
  Tested from Jdeveloper it worked O.K.
  Now I would like to test it with Internet explorer, but now server ask for certificate before internet show parameters page to invoke Web Service.
  I generated self signed certificates and keystore using keytool. (This keystore is used by the OC4J and my proxy client).
  Imported this certificate (.cer) to internet explorer succesfully, but when access URL for the web service (https) internet does not show this certificate to use it, so failed to connect...
  keytool certificates could be used by INternet explorer for this purposes?, what am I doing wrong?
  Thanks
  J.

  Hi,
  I already configured HTTPS - client authenticate for OC4J, and you can work with follow step:
  1: Create keystore for OC4J by java keytool
  2: Using openssl to create certificate for your server (privatekey, certificate)
  3. Using keytool to import your server's certificate (2) to keystore (1)
  4. Generate client certificate (4)
  5. Sign on client certificate (4) by privatekey and server certificate (20
  6. Import client certificate to windows - (should create keystore with format pkcs12)
  You can using "Java Certificate Services" to help you create keystore with multi format or sign cert....
  Rgs

• Weblogic server 9.2 and SSL server certificate for the wrong site

  I turned on SSL service for a weblogic 9.2 server and later on changed the hostname of the machine that weblogic was running on. So the hostname that my SSL server certificate was issued to has now became an invalid hostname. But my weblogic server continues to run SSL service without any exception. I can still access my web applications thru the SSL port (except of course I get a warning for the server certificate every time that it is for the "wrong site"). My question is this: should weblogic 9.2 verify the hostname in the server certificate and stop SSL service if the certificate is for the wrong site? Or is verifying the certificate strictly the job of the browser? Just want to make sure there is nothing wrong with my SSL configuration. Thanks.

  So you are saying that something is wrong with my weblogic 9.2 ssl configuration? And that given a server certificate issued to a different hostname, my weblogic server should NOT be servicing ssl request and/or it should throw some sort of exception during startup? Thanks for clarifying.

• JDBC Thin Connections with SSL and client certificates

  Hi ,
  we are going have a look at JDBC Thin Connections with SSL and client certificates.
  I have two questions:
  1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
  2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
  Thanks for your help
  regards
  Markus Reichert

  I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
  Steps to add the SSL Certificate:
  1. Run the form with the https mode in the IE Browser.
  2. Security Alert is raised.
  3. Click on the View Certificate button.
  4. In the Certificate Window, click on the Details tab.
  5. Click on the Copy to File button to copy the certificate.
  6. Copy the certificate and append to the certdb.txt file.

• Java ssl and root certificate

  We use JAVA as a client for secure SSL connection. For this is a SSL root certificate necessary, if not, the SSL handshake fails due the trust relationship.
  SUN introduced the feature in version 1.5, that JAVA can use OS keystore and grab ROOT certificate from there.
  Unfortunately, this is not working anymore with JAVA 1.6 and if the ROOT is not present in JAVA keystore, the SSL handsake fails. Once the ROOT is imported in JAVA keystore, the SSL works fine. SUN JAVA 1.5 works fine with same environment and ROOT does not need to be in JAVA keystore.
  The failed SSL handsake is visible in Ethereal Sniffing log and is always reproducible.
  Please, are there known issues, that SUN JAVA 1.6.x can not use OS keystore, but only JAVA keystore ? Are there any reported bugs ?

  Right.  Hopefully you've gotten acquainted with this:
  http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
  Is the CA on the DC also issuing certs, or is it just the Enterprise Root and there are subordinates issuing certs?  I ask because if it's just the Enterprise Root but not actually issuing certs, that simplifies things greatly.  If it's issuing
  certs, one thing to research is what certs are currently issued, how often they are renewed, and what they are used for.  This will give you an idea how much risk you're looking at during cutover. 
  To address the specific question of what happens to a desktop that has been offline during the cutover, as I understand it the desktop will pull the new PKI information (new AIA path, new CDP if that gets changed) from AD when it comes back online. 
  This data is stored in "CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=COM" in AD.  In a nutshell, it should be seamless to that particular client.

• HTTP adapter, SSL and wildcard certificate

  Hi,
  I am developing a B2B integration solution using BizTalk Server. The protocol used to communicate with the partner’s server is HTTPS and so it uses SSL.
  The certificate the partner is using to establish SSL connections is provided by GeoTrust but it is a wildcard certificate, issued to *.*.*.company.com
  The server I am trying to contact to is on a domain of the form: a.b.c.company.com (which seems to match the wildcard).
  When I try to open an HTTPS connection to the server (either through Internet Explorer, a .Net Windows Application or BizTalk), the connection cannot be established because the certificate is said to not be trusted. For example, Internet Explorer shows a pop-up message saying that:
  - The certificate is issued from a valid CA
  - The certificate date is valid
  - The name of the certificate is NOT matching the name of the site. This means that the certificate is issued for a domain different that the one we are accessing to. So it seems that the wildcard system is not working for this certificate? Is that possible if they aquire a wrong type of certificate by mistake? or is multipart wildcard certificate (*.*.*) not supported?
  Anyway even if their certificate is not 100% valid, they refuse to change it as their other partners work with that and they won't change to a proper certificate just for us...
  In .Net 2.0 code, it is easy to circumvent any certificate validation by setting the delegate ServicePointManager.ServerCertificateValidationCallback to a callback method with something like:
  ServicePointManager.ServerCertificateValidationCallback = delegate(Object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)  { return true; };
  Nevertheless, I need to achieve this sort of circumvention with BizTalk Server 2006 and I would like to know if anyone ever did that.
  I am aware that I can write my own custom HTTP Adapter but I need this urgently so I thought of asking this forum's community first. Maybe someone as a quicker way than writing a custom adapter such as some "hack" (registry keys, custom class... ) or knows of an existing custom adapter already doing the job.
  Thanks in advance,
  Best regards,
  Francois Malgreve

  The certificate needs to be installed as a explicitly trusted certificate in the store under the computer a/c on the BzTalk machine and then it'll work. Refer
  https://thinkintegration.wordpress.com/2011/12/02/biztalk-https-adapter-and-certificate-configurations/ for the steps.
  Regards.

• How do I bind to directory server with SSL and authentication?

  I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
  Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a seperate matter.)
  Here are the problems:
  1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
  2) I was never prompted to authenticate for the directory binding.
  So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
  What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
  Thank you.

  You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
  Cheers,
  Vikas

• Error 403.7 - Forbidden: SSL client certificate is required

  Hi people!
  I�m developing a java client to a WebService (developed in .NET). The communication protocol is HTTPS to the URL where the Web Service is located (something like https://10.200.140.117/dirNotes/serviceName.asmx.). I�ve been reading many posts but I could'nt find the solution to the problem wich has the following message: Error 403.7 - Forbidden: SSL client certificate is required".
  I�m using JDK 1.5 and developing and testing on Windows Plataform. I'm able to access the URL specified above directly from the browser, I installed the client certificate (the same that �ve put into the ,jks keystore. I�ve also imported the whole certificate chain of the server to the cacerts.
  I�ll paste the code and the console trace below. I�d be very grateful if you can help me. Thanks a lot.
  _THE CODE_
  package principal;
  import java.io.BufferedReader;
  import java.io.FileInputStream;
  import java.io.FileNotFoundException;
  import java.io.FileReader;
  import java.io.IOException;
  import java.net.URL;
  import java.net.UnknownHostException;
  import java.security.KeyStore;
  import java.security.Security;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.KeyManagerFactory;
  import javax.net.ssl.SSLContext;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;
  import javax.net.ssl.TrustManagerFactory;
  import org.apache.axis.client.Call;
  import org.apache.axis.client.Service;
  import entidade.Certificado;
  public class SSLClient {
  private static final int PORT_NUMBER = 443;
  private static final String HTTPS_ADDRESS = "10.200.140.117";
  private static String strCabecalhoMsg = "";
  private static String strDadosMsg = "";
  public static void main(String[] args) throws Exception {
  System.setProperty("javax.net.ssl.keyStore", Certificado.getStrNomeArquivoJKSServidor());
  System.setProperty("javax.net.ssl.keyStorePassword", "senha");
  System.setProperty("javax.net.ssl.trustStore", "Certificados/cacerts");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
  System.setProperty("javax.net.ssl.keyStoreType", "JKS");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("javax.net.debug","ssl,handshake,record");
  KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
  ks.load(new FileInputStream(Certificado.getStrNomeArquivoJKSServidor()),
  Certificado.getArranjoCharSenhaCertificadoServidor());
  KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
  kmf.init(ks, Certificado.getArranjoCharSenhaCertificadoServidor());
  KeyStore ksT = KeyStore.getInstance(KeyStore.getDefaultType());
  ksT.load(new FileInputStream("C:/Arquivos de programas/Java/jre1.5.0_05/lib/security/cacerts"), "changeit".toCharArray());
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  tmf.init(ksT);
  SSLContext sc = SSLContext.getInstance("SSLv3");
  sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
  SSLSocketFactory factory = sc.getSocketFactory();
  try{
  // method to load the values of the strings strCabecalhoMsg and strDadosMsg
  carregarXMLCabecalhoDados();
  SSLSocket socket =(SSLSocket)factory.createSocket(HTTPS_ADDRESS, PORT_NUMBER);
  socket.startHandshake();
  String [] arr = socket.getEnabledProtocols();
  URL url = new URL("https://10.200.140.117/dirNotes");
  HttpsURLConnection.setDefaultSSLSocketFactory(factory);
  HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
  urlc.setDoInput(true);
  urlc.setUseCaches(false);
  Object[] params = {strCabecalhoMsg, strDadosMsg};
  Service service = new Service();
  Call call = (Call) service.createCall();
  call.setTargetEndpointAddress(url);
  call.setOperationName("serviceName");
  String ret = (String) call.invoke(params);
  System.out.println("Result: " + ret);
  catch (UnknownHostException uhe) {
  uhe.printStackTrace();
  System.err.println(uhe);
  catch (Exception uhe) {
  uhe.printStackTrace();
  System.err.println(uhe);
  private static void carregarXMLCabecalhoDados()
  try
  BufferedReader input = new BufferedReader( new FileReader("notas/cabecalho.xml"));
  String str;
  while((str=input.readLine()) != null)
  strCabecalhoMsg += str ;
  System.out.println("Cabe�a: " + strCabecalhoMsg);
  input = new BufferedReader( new FileReader("notas/nota.xml"));
  while((str=input.readLine()) != null)
  strDadosMsg += str ;
  System.out.println("Nota: " + strDadosMsg);
  catch (FileNotFoundException e)
  // TODO Auto-generated catch block
  e.printStackTrace();
  catch (IOException e)
  // TODO Auto-generated catch block
  e.printStackTrace();
  _THE TRACE_
  adding as trusted cert:
  Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
  *others trusted certs*
  trigger seeding of SecureRandom
  done seeding SecureRandom
  export control - checking the cipher suites
  export control - no cached value available...
  export control - storing legal entry into cache...
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1198158630 bytes = { 48, 135, 53, 24, 112, 72, 104, 220, 27, 114, 37, 42, 25, 77, 224, 32, 12, 58, 90, 217, 232, 3, 104, 251, 93, 82, 40, 91 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  main, WRITE: TLSv1 Handshake, length = 73
  main, WRITE: SSLv2 client hello message, length = 98
  main, READ: TLSv1 Handshake, length = 3953
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1198158523 bytes = { 56, 166, 181, 215, 86, 245, 8, 55, 214, 108, 128, 50, 8, 11, 0, 209, 38, 62, 187, 185, 240, 231, 56, 161, 212, 111, 194, 79 }
  Session ID: {222, 2, 0, 0, 147, 179, 182, 212, 18, 34, 199, 100, 168, 167, 48, 116, 140, 186, 151, 153, 226, 168, 163, 174, 24, 83, 208, 73, 179, 57, 86, 137}
  Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
  Compression Method: 0
  %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  ** SSL_RSA_WITH_RC4_128_MD5
  *** Certificate chain
  chain [0] = [
  Version: V3
  *many chains and related data*
  Found trusted certificate:
  Version: V3
  Subject:
  *many trusted certificates and related data*
  *** ServerHelloDone
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 117, 112, 233, 166, 240, 9, 226, 67, 53, 111, 194, 84, 124, 103, 197, 28, 17, 36, 32, 48, 145, 166, 161, 61, 30, 63, 153, 214, 137, 113, 222, 204, 138, 77, 212, 75, 65, 192, 159, 215, 69, 156, 47, 188, 179, 219 }
  main, WRITE: TLSv1 Handshake, length = 134
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 75 70 E9 A6 F0 09 E2 43 35 6F C2 54 7C 67 ..up.....C5o.T.g
  0010: C5 1C 11 24 20 30 91 A6 A1 3D 1E 3F 99 D6 89 71 ...$ 0...=.?...q
  0020: DE CC 8A 4D D4 4B 41 C0 9F D7 45 9C 2F BC B3 DB ...M.KA...E./...
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 47 6A 73 26 30 87 35 18 70 48 68 DC 1B 72 25 2A Gjs&0.5.pHh..r%*
  0010: 19 4D E0 20 0C 3A 5A D9 E8 03 68 FB 5D 52 28 5B .M. .:Z...h.]R([
  Server Nonce:
  0000: 47 6A 73 BB 38 A6 B5 D7 56 F5 08 37 D6 6C 80 32 Gjs.8...V..7.l.2
  0010: 08 0B 00 D1 26 3E BB B9 F0 E7 38 A1 D4 6F C2 4F ....&>....8..o.O
  Master Secret:
  0000: 0B 3A 71 F8 BB 79 5E 07 78 C2 5F 13 4F 92 9D 87 .:q..y^.x._.O...
  0010: CF 69 0D 07 78 D2 59 46 1E C3 C1 5B A2 DB 04 B9 .i..x.YF...[....
  0020: 42 60 92 48 59 8E FD FD C3 5B BD 00 9C 54 7A 7E B`.HY....[...Tz.
  Client MAC write Secret:
  0000: 33 7C 19 C4 75 D2 CE 82 39 98 37 E5 7D 20 CB B1 3...u...9.7.. ..
  Server MAC write Secret:
  0000: 1E 1E 48 C7 D4 77 23 E4 22 26 8B 98 2E 92 5C 95 ..H..w#."&....\.
  Client write key:
  0000: EE 05 39 76 B2 85 63 6C F7 70 30 CB 6D 08 07 54 ..9v..cl.p0.m..T
  Server write key:
  0000: 5C 2E 3B 5E DC D9 EC C5 04 C4 D5 B5 12 11 B9 08 \.;^............
  ... no IV for cipher
  main, WRITE: TLSv1 Change Cipher Spec, length = 1
  *** Finished
  verify_data: { 143, 115, 243, 131, 242, 244, 12, 44, 191, 172, 205, 122 }
  main, WRITE: TLSv1 Handshake, length = 32
  main, READ: TLSv1 Change Cipher Spec, length = 1
  main, READ: TLSv1 Handshake, length = 32
  *** Finished
  verify_data: { 231, 215, 37, 250, 177, 121, 111, 192, 11, 41, 1, 165 }
  %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  setting up default SSLSocketFactory
  use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
  class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
  keyStore is : Certificados/certificadoSondaMonitor.jks
  keyStore type is : JKS
  keyStore provider is :
  init keystore
  init keymanager of type SunX509
  trustStore is: Certificados\cacerts
  trustStore type is : jks
  trustStore provider is :
  init truststore
  adding as trusted cert:
  Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
  adding as trusted cert:
  * many certificates*
  init context
  trigger seeding of SecureRandom
  done seeding SecureRandom
  instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
  export control - checking the cipher suites
  export control - found legal entry in cache...
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1198158632 bytes = { 93, 1, 41, 236, 165, 146, 251, 117, 129, 195, 129, 72, 245, 181, 43, 48, 80, 251, 244, 198, 223, 85, 82, 101, 20, 159, 17, 26 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  main, WRITE: TLSv1 Handshake, length = 73
  main, WRITE: SSLv2 client hello message, length = 98
  main, READ: TLSv1 Handshake, length = 3953
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1198158525 bytes = { 109, 114, 234, 1, 130, 97, 251, 9, 61, 105, 56, 246, 239, 222, 97, 143, 22, 254, 65, 213, 10, 204, 153, 67, 237, 133, 223, 48 }
  Session ID: {23, 30, 0, 0, 26, 129, 168, 21, 252, 107, 124, 183, 171, 228, 138, 227, 94, 17, 195, 213, 216, 233, 205, 2, 117, 16, 21, 65, 123, 119, 171, 109}
  Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
  Compression Method: 0
  %% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
  ** SSL_RSA_WITH_RC4_128_MD5
  *** Certificate chain
  chain [0] = [
  many chains again
  *** ServerHelloDone
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 116, 247, 155, 227, 25, 25, 231, 129, 199, 76, 134, 222, 98, 69, 149, 224, 75, 6, 60, 121, 115, 216, 244, 246, 102, 92, 188, 64, 113, 56, 190, 43, 32, 51, 90, 254, 141, 184, 71, 48, 41, 29, 173, 180, 46, 116 }
  main, WRITE: TLSv1 Handshake, length = 134
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 74 F7 9B E3 19 19 E7 81 C7 4C 86 DE 62 45 ..t........L..bE
  0010: 95 E0 4B 06 3C 79 73 D8 F4 F6 66 5C BC 40 71 38 ..K.<ys...f\.@q8
  0020: BE 2B 20 33 5A FE 8D B8 47 30 29 1D AD B4 2E 74 .+ 3Z...G0)....t
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 47 6A 73 28 5D 01 29 EC A5 92 FB 75 81 C3 81 48 Gjs(].)....u...H
  0010: F5 B5 2B 30 50 FB F4 C6 DF 55 52 65 14 9F 11 1A ..+0P....URe....
  Server Nonce:
  0000: 47 6A 73 BD 6D 72 EA 01 82 61 FB 09 3D 69 38 F6 Gjs.mr...a..=i8.
  0010: EF DE 61 8F 16 FE 41 D5 0A CC 99 43 ED 85 DF 30 ..a...A....C...0
  Master Secret:
  0000: FC C9 75 A4 2B F1 8A D8 AD 16 27 70 B7 E4 64 6C ..u.+.....'p..dl
  0010: 05 D7 33 4A 53 91 2F 51 1E 32 D3 3B 2E 18 2E BC ..3JS./Q.2.;....
  0020: E4 16 EE 2F 01 A1 08 48 19 09 32 68 CE 69 8F B1 .../...H..2h.i..
  Client MAC write Secret:
  0000: F1 95 3B CE 06 5B 8A 9B EC DE 1C 8F B4 AB D9 36 ..;..[.........6
  Server MAC write Secret:
  0000: BF 52 36 48 63 24 FE 74 22 BE 00 99 BE F0 6E E5 .R6Hc$.t".....n.
  Client write key:
  0000: 9F 08 0A 6E 8F 54 A3 66 1C BC C7 6B AE 88 67 E0 ...n.T.f...k..g.
  Server write key:
  0000: 06 A1 0B 4F 69 DE 5F AF 0E 6B B5 04 ED E8 EA F5 ...Oi._..k......
  ... no IV for cipher
  main, WRITE: TLSv1 Change Cipher Spec, length = 1
  *** Finished
  verify_data: { 148, 93, 105, 42, 110, 212, 55, 2, 150, 191, 13, 111 }
  main, WRITE: TLSv1 Handshake, length = 32
  main, READ: TLSv1 Change Cipher Spec, length = 1
  main, READ: TLSv1 Handshake, length = 32
  *** Finished
  verify_data: { 171, 150, 45, 10, 99, 35, 67, 174, 35, 52, 23, 192 }
  %% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
  main, setSoTimeout(600000) called
  main, WRITE: TLSv1 Application Data, length = 282
  main, WRITE: TLSv1 Application Data, length = 8208
  main, WRITE: TLSv1 Application Data, length = 1102
  main, READ: TLSv1 Application Data, length = 1830
  main, received EOFException: ignored
  main, called closeInternal(false)
  main, SEND TLSv1 ALERT: warning, description = close_notify
  main, WRITE: TLSv1 Alert, length = 18
  main, called close()
  main, called closeInternal(true)
  AxisFault
  faultCode: {http://xml.apache.org/axis/}HTTP
  faultSubcode:
  faultString: (404)Not Found
  faultActor:
  faultNode:
  faultDetail:
       {}:return code: 404
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <HTML><HEAD><TITLE>The page cannot be found</TITLE>
  <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
  <STYLE type="text/css">
  BODY { font: 8pt/12pt verdana }
  H1 { font: 13pt/15pt verdana }
  H2 { font: 8pt/12pt verdana }
  A:link { color: red }
  A:visited { color: maroon }
  </STYLE>
  </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
  <h1>The page cannot be found</h1>
  The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
  <hr>
  <p>Please try the following:</p>
  <ul>
  <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
  <li>If you reached this page by clicking a link, contact
  the Web site administrator to alert them that the link is incorrectly formatted.
  </li>
  <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
  </ul>
  <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
  <hr>
  <p>Technical Information (for support personnel)</p>
  <ul>
  <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
  <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
  and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
  </ul>
  </TD></TR></TABLE></BODY></HTML>
       {http://xml.apache.org/axis/}HttpErrorCode:404
  (404)Not Found
       at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
       at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
       at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
       at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
       at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
       at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
       at org.apache.axis.client.Call.invoke(Call.java:2767)
       at org.apache.axis.client.Call.invoke(Call.java:2443)
       at org.apache.axis.client.Call.invoke(Call.java:2366)
       at org.apache.axis.client.Call.invoke(Call.java:1812)
       at principal.SSLClient.main(SSLClient.java:86)
  (404)Not Found
  -----

  I'm having the same problem with the same URL. I try many configuration and nothing works. My code is:
  public class NFeClient {
       static{
            Security.addProvider(new BouncyCastleProvider());
       public static void main(final String[] args) throws Exception {
            final String path = "https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx";
            final String keyStoreProvider = "BC";
            final String keyStoreType = "PKCS12";
            final String keyStore = "/home/mendes/certificados/cert.p12";
            final String keyStorePassword = "xxxx";
            System.setProperty("javax.net.ssl.keyStoreProvider",keyStoreProvider);
            System.setProperty("javax.net.ssl.keyStoreType",keyStoreType);
            System.setProperty("javax.net.ssl.keyStore",keyStore);
            System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
            System.setProperty("javax.net.ssl.trustStore","/home/mendes/workspace/NFE/jssecacerts");
            final SSLContext context =  SSLContext.getInstance("TLS");
            final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            final KeyStore ks = KeyStore.getInstance(keyStoreType);
            ks.load(new FileInputStream(keyStore), keyStorePassword.toCharArray());
            kmf.init(ks, keyStorePassword.toCharArray());
            context.init(kmf.getKeyManagers(), null, null);
            final URL url = new URL(path);
            final HttpsURLConnection httpsConnection = (HttpsURLConnection) url.openConnection();
            httpsConnection.setDoInput(true);
            httpsConnection.setRequestMethod("GET");
            httpsConnection.setRequestProperty("Host", "iis-server");
            httpsConnection.setRequestProperty("UserAgent", "Mozilla/4.0");
            httpsConnection.setSSLSocketFactory(context.getSocketFactory());
            try{
                 final InputStream is = httpsConnection.getInputStream();
                 final byte[] buff = new byte[1024];
                 int readed;
                 while((readed = is.read(buff)) > 0)
                      System.out.write(buff,0,readed);
            }catch(final IOException ioe){
                 ioe.printStackTrace();
  }and the response of the server is always the same:
  java.io.IOException: Server returned HTTP response code: 403 for URL: https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
       at br.com.esales.nfe.signer.client.NFeClient.main(NFeClient.java:60)Edited by: mendes on Apr 25, 2008 9:56 AM

• EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

  Hello everyone,
  Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
  Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
  I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
  Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
  However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
  This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
  Here's what happens:
  1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
  2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
  3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
  4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
  5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
  Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
  http://discussions.apple.com/thread.jspa?messageID=5967023
  http://discussions.apple.com/message.jspa?messageID=5982070
  these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
  If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
  Thanks,
  Andrew

  Hard to tell what is happening without looking at the application
  source, knowing what OS & hardware you're using etc. You might want to
  try running with different JVM versions to see if it's actually the VM
  that is the problem. If you have a support contract with BEA you could
  ask support to help you diagnose this.
  Regards,
  /Helena
  Ayub Khan wrote:
  I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
  application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
  seems to happen on loading the machine..the performance progressively gets worse
  and after a couple of seconds, all the threads stop responding. I checked the
  heap, cpu and the idle threads in the execute queue and there is nothing there
  to trigger alarms...there are quite a few idle threads still and the heap and
  the cpu utilization seem OK. On doing a thread dump, Is see that all the other
  threads seem to be in a state where they are waiting for data from LDAP and it
  is basically read only data that they are waiting on.
  Does anyone know what it is going on and help point me in the right direction.
  -Ayub

• Step by Step : How to Create an SSL Server Certificate (Part 3)

  How to Create an SSL Server Certificate (Part 3)
  In the previous part you have completed step 10, now you are almost there.
  Step 11:
  This is another very important step.
  Leave the settings as is or tick more options if you know what you do.
  Step 12:
  Again leave as it is.
  Step 13:
  Another important step !
  In the DNS Name field enter the host name(s) separated by spaces (or commas), e.g.
  myserver.name.private myserver.dyndns.org
  You can enter your local IP if you wish.
  Step 14:
  Certificate Assistant now procedes to create your certificate. Within a few seconds you should see the new certificate in your Keychain.
  Switch to Server App (if at this stage Server App has crashed, don't worry , re-open Server App and proceed.
  Repeat step 2 described in Part 1 and select the new certificate from the drop-down menu of available certificates.
  You may want to use this certificate for all services (iChat, iCal, Mail, Web) or create different ones.
  If you use the same certificate for all services the name of the certificate is diplayed next to "SSL Certificate", if you don't you will see "Custom" instead.
  Addendum:
  1. Do not forget to open port 443 in your router to enable https connections.
  2. Enable SSL in your iCal account settings if you wish.
  Enjoy your server !

  Hi,
  Are you talking about the Mercedes leaderboard ad?  Because that look a lot more complicated than "fade in - fade out" images?
  Anyway... I am looking at the easiest way to create a banner ad with fade in - fade out images that I have created in illustrator.
  This tutorial helped me alot.
  http://www.youtube.com/watch?v=gFw-1D8yaMs&NR=1
  cheers

• How can you configure an Exchange Account in Mac OS X to use a SSL client certificate?

  I'm trying to connect the Mail App of Mac OS X to my company's Exchange server. For security reasons you have provide a SSL client certificate to the server. You can convince Safari to use a client certificate by putting it into your keychain and configuring a suitable "identity preference" for the URL of the related site. But the Mail App seems not to use the keychain for this part of the SSL negotiations.
  Since you can configure the client certificate usage for an Exchange Account for the iPhone with the Configuration Utility there should be a way for the desktop App, too. Has someone sorted this issue out already or does the Mail App actually lack of client certificate support?

  I had a nice chat with the Apple end user support which revealed that this feature falls in the responsibility of the business support group. Since I have no appropriate support contract I could ask for help for about 480€ per issue -- nice try
  After more research I found the Configuration Profile Reference, where you get information about Exchange accounts too. Starting with a working iOS-Profile I changed the Exchange account part according to this documentation for OS X. All you have to do is to replace PayloadType com.apple.eas.account by com.apple.ews.account.
  After importing this profile I found the expected Exchange account within the Contacts.app. But the SSL client certificate was still not used and therefore my account not usable.
  You could enable Mail, Calendar & Reminders and Notes within the System Preferences, but neither of these would work due to the missing client certificate support.
  I came to the conclusion that the relevant applications in OS X have no proper SSL Client support build in. Since the underlying libraries and frameworks have everything in place that is really a shame.
  Would be nice, if someone would enforce the developers to do their homework there.

• Yosemite Mail 10.10.2 - SSL port, Certificate not trusted, email can't be seen

  Hi All,
  Thanks in advance for your help.
  I have just upgraded  (quite regrettably) to Yosemite 10.10.2 with a clean install (Time machine... that's a whole new bag of tricks hasn't worked can't even reinstall mail via TimeMachine RESTORE.. very helpful apple)
  Mail – The simplest of software, is causing no end of problems:
  PROBLEMS:
  1) When mail opens, it kept saying "Certificate for this server is invalid"
  2) The 2 email accounts I have, keep going offline? NEVER had this on any of the macs i've had set up before ran 10.6.8 for ages not a blip?
  3) And another glorious trick, even if the email accounts aren't showing any exclamation marks (about being off line)
  I select any mail box AND out of nowhere, no emails show in the mail boxes, where only 10 seconds ago they were all there?
  4) REPLY ALL just a few moments ago DIDN'T work or reply to all
  NOW, it either replies to ALL including me (the original sender) OR it'll place the original sender email address in TO and all others in CC? when all emails were in the TO field?
  Just to be clear: I have set up 2 email accounts as IMAP on the mac (Say email X and email Y), and have tested by sending an email FROM email X TO email Y and a hotmail account, just to have more than 1 email address in the to field to see what happens with the REPLY ALL. It doesn't work suffice to say
  SOLUTIONS TRIED BUT NOT WORKED SO FAR
  I have scoured the forums and tried a few suggested things
  1) I have 2 email accounts, both of which I'm setting up as IMPA,  my ISP Tech support for email host has said "Set the SSL port to 587"
  – Tried doing that in 2 places
  a) Mail > Accounts > (select email account) > Advanced  There under PORT stated 587
  b)  Mail > Preferences > Accounts (select account) > Advanced > PORT And here it is NOT the stated 587, it's (currently) 143?
  (I've tried changing this to 587) and this doesn't solve the problem(s)
  2) I tried UNTICKING "automatically detect and maintain account settings". but this didn't solve anything, and the whole certificate error and Mail going offline started up pretty much instantly
  3) Tried ticking the "Allow Insecure authentication" - Again, no solution?
  4) I did have my gmail account set up, but took that out of the equation as that wasn't helping, and with that I couldn't hit REPLY ALL and it show up in the TO field????
  I appreciate this is a lot of information on the screen, but i've tried to be as through as I can, and seriously I CANNOT believe Apple have managed to mess up a corner stone app that should Just work?
  Thanks agin for any help or pointers.
  Mypetshadow

  CAVEAT:
  1)I'm not technically qualified, but thought i should share the info I have found that works for me after having a tech guy from the ISP sort out the settings to get my main running:
  2) This has been working for all of 2 hours... lets hope it stays that way.
  3) My emails are set up as IMAP accounts.
  So....
  After speaking / emailing with my ISP and after 4 days of what seems like ****... (Seriously, thanks Apple "it just works.... like a hole in the head") I have a few solutions that are working for me and thought I would post them up for people who maybe having the same difficulty...
  SSL PORTS AND CERTIFICATES ISSUE
  1) Once you "CREATE' an email account, you have to adjust the settings manually (No surprise there)
  • There are some people saying you have to UNTICK the "Automatically detect and maintain my account settings"
  • (I'm NOT a techie kinda guy), BUT in my case I LEFT THIS CHECKED (on advise from the ISP tech guy), and for me it is working. The tech guy from my ISP said something on the lines of  "If the PORT is 993 then SSL has to be checked, If it's port 143 the SSL IS UNCHECKED"
  Again, i'm not a techie, but this may be of relevance to you.
  Screen grab of the main IMAP settings page
  2) EDITING the SMTP settings
  • MAIL > PREFERENCES > ACCOUNTS > select your newly created account > ACCOUNT INFORMATION TAB
  – From the OUTGOING MAIN SERVER Dropdown list, Select EDIT SMTP SERVER LIST and change your port to 465 (note: Originally port was 587... read below)
  Here, SSL WAS CHECKED, as was "Automatically detect and maintain account settings".
  REPLY ALL MOVES EMAILS INTO THE CC FIELD
  • Originally the port was set at 587 BUT I noticed a glitch; when I hit reply all, this would put all email addresses that were in the TO field into the CC field? (excluding the original sender...) Not helpful.
  • I noticed  (in an earlier mess up and moving around of ports etc) that when the port was changed to 465 (another port that the ISP tech guys said was an option) my email started behaving as expected... emails in the TO field stay in the TO field, as expected. and not placed in the CC field
  Screen grab of the SMTP edit page:
  Right, that's my non-techie tuppence and hope that it is of some help, and if not specifically all you need, it might give a few clues.
  Cheers

• SSL Server Certificate

  Hi All,
  I am configuring Maintenance Optimizer in SAP Solution Manager 7.1 SP3.
  Is it mandatory to have SSL Server Certificate ?
  And if yes why SSL Server Certificate is needed?
  And if no can i proceed with the Configuration of Maintenance Optimizer?
  Kindly Suggest.
  Thanks
  Ishan

  Hi ishansangai1
  i) Is it mandatory to have SSL Server Certificate ?
  No, you dont required SSL for MOPZ ,
  SSL is different and MOPZ is different
  SSL - is for trusted certificate
  MOPZ- is used to approve support packages to download
  ii) And if no can i proceed with the Configuration of Maintenance Optimizer?
  yes proceed to configuration of MOPZ , find docs in service market place or SDN