NEED TO REFERENCE 2 DIFFERENT SSL CERTIFICATES BASED ON VIRTUAL HOST NAMES

Hi,
If you have a managed server in a cluster that has two virtual hosts running on it, how can you install the SSL certificates for both virtual hosts in the admin console?
Any help would be great!

I think that you can only have one server certificate per server currently
since the certificate establishes the server's identity and there isn't
support for a server to have two identities at the same time.
"RAGUTAM BOMMAREDDY" <[email protected]> wrote in message
news:[email protected]..
Hello,
Can I reference 2 different SSL certificates in the same weblogic.properties file?
Reason is we have 2 groups of users for a web application: one will use a French-language DNS to access the application, and the other will use English DNS. Both DNS will point to the same application on the same server.
Example of what we require:
weblogic.security.certificate.server=mycert1.pem
weblogic.security.key.server=mykey1.der
weblogic.security.certificate.authority=rootCertificate1.pem
----and---
weblogic.security.certificate.server=mycert2.der
weblogic.security.key.server=mykey2.der
weblogic.security.certificate.authority=rootCertificate2.pem
mycert1 will correspond to DNS1, and mycert2 will correspond to DNS2, and both DNS1 and DNS2 point to the same application on the same box.
Thanks,
Ragu

Similar Messages

  • How can I change to a different SSL certificate without restarting FF?

    I work in a helpdesk environment and my team requires the use of two different SSL certificates for one particular website depending on what we are doing. I can only find the following two ways to do this:
    1. Restart Firefox - this is really unproductive due to the nature of our work we have a lot of things open and in use in different tabs/windows and restarting firefox makes us lose information/progress (it's not the kind of stuff that re-opening the tabs automatically will fix).
    2. Wait 20 minutes after the last use of the certificate for it to time out and then Firefox will ask us to choose the certificate next time we try to access the page - obviously this is a pretty asinine solution and won't really work. (:
    I'm just wondering if there is some way to force Firefox to change certificates or forget the one that is currently in use for the site?

    Thanks for the suggestion, I should've mentioned I'd already tried that without success. I tried clearing everything in the Clear Recent History section actually but the certificate is still remembered.
    I've also just now tried deleting the certificates completely but not even that works - a little concerning. (:

  • [IMAP SSL] Certificate-Based Login problems

    Hi,
    I am trying to set up a Certificate-Based Login authentication for an installation of Java Messaging Server 7 Update 3 over Solaris x86 64bit platform.
    The objective is to allow a client to establish an SSL session using a certificate that has been issued by a CA that the server has established as trusted and then grant access to the user without providing his password.
    In my installation, unfortunately password is always required to login any user. These are the steps I have made:
    1. Add the CA-signed server certificate.
    2. Add the trusted Certificate Authority.
    3. Turn on all cipher suites including the weak ones.
    4. Enable SSL
    ./configutil -o service.imap.enablesslport -v yes
    ./configutil -o service.imap.enable -v 1
    ./configutil -o service.imap.sslport -v 993
    ./configutil -o service.imap.sslusessl -v yes
    ./configutil -o encryption.rsa.nssslpersonalityssl -v "Product-Cert" (where Product-Cert is my CA signed server certificate)
    5. Check with the netstat command to verify that the service is running.
    bash-3.00# ./configutil -o service.imap.sslport
    993
    bash-3.00# netstat -an | grep 993
    *.993 *.* 0 0 49152 0 LISTEN
    Once I have taken these steps, when I use a client to establish an SSL session with a PKCS#12 certificate installed (signed by the same CA trusted by MS and the email address in your users' certificates matches the email address in a users' directory entry) the connection is correctly established using the port 993 but it is always necessary to login with password to grant access.
    The imap logs seem to show that the MS is not requesting the user's certificate from the client, because it always shows "plaintext authentication" (this corresponds to an attempt to access the user's inbox without login).
    [10/Mar/2010:10:31:38 -0100] goody imapd[2623]: Account Notice: badlogin: [192.168.169.12:1595] plaintext llcc authentication failure
    [10/Mar/2010:10:31:41 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:1595] [unauthenticated] 2010/3/10 10:31:37 0:00:04 41 907 0
    [10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Network Error: Socket error [192.168.169.12:2226] : I/O function error
    [10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:2226] [unauthenticated] 2010/3/10 10:31:56 0:00:25 11 511 0
    Also there are some error logs related to the Ciphers:
    [10/Mar/2010:10:30:39 -0100] goody imapd[2623]: General Error: SSL initialization error: Unable to enable SSL cipher suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064) (-8186)
    Please, can you help me to discover if there is something wrong in my configuration?
    Thanks in advance.
    Kind Regards,
    Luis

    Thanks for your reply Shane.
    Yes, I have configured the client to use port 993. I think the problem is in the Multiplexor configuration, after finished, I always get this Log message in the ImapProxy Logs:
    [15/Mar/2010:17:25:10 -0100] goody ImapProxy[1865]: General Error: (id 455) Connection limit reached for client IP 192.168.169.108
    [15/Mar/2010:17:25:22 -0100] goody ImapProxy[1865]: General Error: (id 477) Connection limit reached for client IP 192.168.169.108
    [15/Mar/2010:17:25:37 -0100] goody ImapProxy[1865]: General Error: (id 499) Connection limit reached for client IP 192.168.169.108
    Where 192.168.169.108 is the IP of the server where MS is installed. The strange thing is that there are no connections established because this is a development environment. When I try to check the IMAP port (not ssl) I find a strange behaviour:
    bash-3.00# telnet localhost 143
    Trying 192.168.169.108...
    Connected to goody.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS CHILDREN BINARY UNSELECT SORT CATENATE URLAUTH LANGUAGE ESEARCH ESORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES ENABLE QRESYNC CONTEXT=SEARCH CONTEXT=SORT WITHIN SASL-IR XSENDER X-NETSCAPE XSERVERINFO AUTH=PLAIN STARTTLS] Messaging Multiplexor (Sun Java(tm) System Messaging Server 7.3-11.01 (built Sep 1 2009))
    . login llcc LLCC_PASSWORD
    Connection to goody closed by foreign host.
    The ConnLimits parameter is set to default in the ImapProxyAService.cfg (i.e. default:ConnLimits 0.0.0.0|0.0.0.0:20).
    Also I have set these values not present in the link: http://wikis.sun.com/display/CommSuite/Configuring+Encryption+and+Certificate-Based+Authentication#ConfiguringEncryptionandCertificate-BasedAuthentication-ToSetUpCertificateBasedLogin
    configutil -o local.mmp.enable -v 1
    configutil -o local.store.enable -v 0
    configutil -o local.imta.enable -v 0
    configutil -o local.http.enable -v 0
    Any idea?
    One question more. I have read that Store Administrators have proxy authentication privileges to any service (POP, IMAP, HTTP, or SMTP), which means they can authenticate to any service using the privileges of any user. The question is: Is there any way for the Store Administrator to access to the mailbox of all the users using the IMAP protocol?
    Thanks a lot for your help,
    Best Regards,
    Luis
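
A small triage pass over the log lines quoted in this thread, as an added example that is not part of the original posts: it tallies failed logins by mechanism, cipher suites the server refused to enable (flagging export-grade and RC4 suites), and connection-limit hits per client IP. The regular expressions are inferred from the lines shown above and are an assumption, not a documented Messaging Server log grammar.

```python
import re
from collections import Counter

# Assumed layout, inferred from the quoted lines:
# [timestamp] host process[pid]: Category: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<host>\S+)\s+(?P<proc>\w+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<category>[A-Za-z ]+?):\s+(?P<msg>.*)$"
)
BADLOGIN_RE = re.compile(
    r"badlogin: \[(?P<ip>[\d.]+):\d+\] (?P<mech>\S+) (?P<user>\S+) authentication failure"
)
CIPHER_RE = re.compile(r"Unable to enable SSL cipher suite: (?P<suite>\w+)")
CONNLIMIT_RE = re.compile(r"Connection limit reached for client IP (?P<ip>[\d.]+)")

# Substrings that mark a suite as one that should not be enabled at all.
WEAK_MARKERS = ("EXPORT", "RC4", "NULL", "MD5")


def triage(lines):
    """Summarise login failures, cipher errors and connection-limit hits."""
    summary = {
        "unparsed": 0,
        "badlogin_by_mechanism": Counter(),
        "unauthenticated_closes": 0,
        "cipher_enable_failures": [],
        "weak_suites_requested": [],
        "connlimit_by_ip": Counter(),
    }
    for raw in lines:
        parsed = LINE_RE.match(raw.strip())
        if parsed is None:
            summary["unparsed"] += 1  # wrapped fragments, blank lines, noise
            continue
        msg = parsed.group("msg")

        badlogin = BADLOGIN_RE.search(msg)
        if badlogin:
            summary["badlogin_by_mechanism"][badlogin.group("mech")] += 1
            continue
        if msg.startswith("close ") and "[unauthenticated]" in msg:
            summary["unauthenticated_closes"] += 1
            continue
        cipher = CIPHER_RE.search(msg)
        if cipher:
            suite = cipher.group("suite")
            summary["cipher_enable_failures"].append(suite)
            if any(marker in suite for marker in WEAK_MARKERS):
                summary["weak_suites_requested"].append(suite)
            continue
        limit = CONNLIMIT_RE.search(msg)
        if limit:
            summary["connlimit_by_ip"][limit.group("ip")] += 1
    return summary


# Log lines as quoted in the thread (the wrapped cipher line rejoined),
# plus one constructed non-log line to exercise the "unparsed" path.
SAMPLE_LOG = """\
[10/Mar/2010:10:30:39 -0100] goody imapd[2623]: General Error: SSL initialization error: Unable to enable SSL cipher suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064) (-8186)
[10/Mar/2010:10:31:38 -0100] goody imapd[2623]: Account Notice: badlogin: [192.168.169.12:1595] plaintext llcc authentication failure
[10/Mar/2010:10:31:41 -0100] goody imapd[2623]: Account Notice: close [192.168.169.12:1595] [unauthenticated] 2010/3/10 10:31:37 0:00:04 41 907 0
[10/Mar/2010:10:32:21 -0100] goody imapd[2623]: Network Error: Socket error [192.168.169.12:2226] : I/O function error
[15/Mar/2010:17:25:10 -0100] goody ImapProxy[1865]: General Error: (id 455) Connection limit reached for client IP 192.168.169.108
[15/Mar/2010:17:25:22 -0100] goody ImapProxy[1865]: General Error: (id 477) Connection limit reached for client IP 192.168.169.108
[15/Mar/2010:17:25:37 -0100] goody ImapProxy[1865]: General Error: (id 499) Connection limit reached for client IP 192.168.169.108
-- constructed non-log line --
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```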

  • CSA MC 6 - How can I create an SSL Certificate that points to a name other than the hostname?

    I have just installed CSA MC 6.0.2.  My company has a bunch of customers that are on different domains.  We are all linked through VPN tunnels and would like to have all the agents point to a specific URL for updates rather than the hostname of the machine.
    FQDN: testserver.abc123.internal
    URL: thisserver.abc123.com
    We already have everything setup so that the clients can reach thisserver.abc123.com but I need to create a certificate with this name without changing the server's hostname.  We also don't want to update their host files.  Any ideas?
    If anyone could help I would greatly appreciate it as we're looking to start upgrading the agents on all servers ASAP.
    Thank you,
    Cory

    What about putting the CSAMC in your DMZ and allowing those ports through your firewall?
    The nice thing is it allows hosts to communicate with the MC no matter where they are.
    You'd have to open up 80 to the MC for software updates but we haven't had any problems in 6 years with that setup.
    Tom

  • Need to identify the same people based on their (misspelled) names

    hello
    we have a table with persons and their name (first name and last name in 1 field) ;
    the names are often misspelled, so some string comparison is required;
    can you advise what the best approach would be to uniquely identify the same people?
    so far i have only found these functions: utl_match.jaro_winkler_similarity and SOUNDEX
    is there anything else 'out of box' i could make use of to implement the above?
    i appreciate any tips
    thanks very much
    rgds

    UTL_MATCH (either the Jaro-Winkler or the edit distance functions) would generally be preferred. SOUNDEX is a less sophisticated algorithm.
    In the general case, however, doing this sort of thing yourself is extremely difficult. There are commercial products out there that just help you do fuzzy matching on names. If you're going to build something yourself, you're likely going to spend a large amount of time trying to fine-tune the algorithm to try to balance type 1 (false positive, you match names that you shouldn't) and type 2 errors (false negative, you fail to match names that you should). To do it well will require a rather large number of meetings with users trying to figure out the appropriate balance of errors in your particular environment.
    Justin

  • This certificate is not valid (host name mismatch)

    How do I fix this error message? Safari can't verify the identity of the website ....keeps saying the certificate is invalid.

    Normally a button appears "Trust..." (can't remember what does it say exactly).
    And there's also an option to always trust the certificate.

  • SSL certificate renewal

    I need to update the SSL certificates on two domains hosted on my OS X 10.5.8 server. It appears that renewal cannot happen in Server Admin.
    After extensive web reading, I find that under 10.4 you had to use both Server Admin and Keychain Access to accomplish the renewal. Here are the official Apple instructions:
    http://support.apple.com/kb/TA24487?viewlocale=en_US
    Is this the same in 10.5?
    My problem is that I have only access via SSH to my server and thus cannot run Keychain Access as a GUI. I found that the terminal command 'security' can do much of this, but its man page is highly cryptic and I fear for my certs as I try this. Any help with usage of 'security' to achieve export of a domain's certs, deletion, and importation as per the above instructions?
    What if using 'Server Admin', I delete the domain certificate before I request and reinstall the new one? This would leave a small hole of uncovered access, but I can live with that. But I don't want to do this to find out that the Keychain Access app is going to throw a fit?
    Any help from someone who has done this successfully would be appreciated. Thanks.

    To renew your SSL certificate, you can do one of two things:
    1) Use your existing CSR to acquire your new certificate.
    2) Generate a new CSR to acquire your new certificate.
    If you choose to use your existing CSR, you will need to know which keystore file you are currently using and the password you assigned to that keystore file.
    Here are the steps to find out which keystore file you are currently using:
    1) Login to the PostX Administration Console (GUI)
    2) Click on the Configuration tab.
    3) Navigate to Web Servers and Proxies > Web Server Config > Connection Listeners > HTTPS (SSL) Connection Listener.
    4) You should see a keystore file field. This will display the path to the keystore file you are currently using.
    If you do not remember the password to your current keystore file, we strongly suggest that you create a new CSR.
    To generate a new Certificate Request (CSR):
    1) Login to the PostX Administration Console (GUI)
    2) Click on the Keys and Certificates tab
    3) Click on SSL Setup and select Get Certificate Request
    4) Fill out the form and hit submit. Your new CSR will be generated in a text box on the page.
    5) Copy and paste the CSR onto a local text file which you can then send to your CA of choice.
    For more information on the SSL certificate process as well as importing the certificate please refer to our Knowledge Base article 845 at http://tinyurl.com/2n6qru.

  • Installing 2 ssl certificate on one machine with two virtual hosts

    Hi,
    If you have a managed server in a cluster that has two virtual hosts running
    on it how can you install the ssl certificates for both virtual hosts, in
    the admin console.
    any help would be great!

    OK....I figured it out.
    I was able to set the IPV4 properties on the ones needing filtering to use the IP or OpenDNS as the primary DNS and my server address as the secondary and that works.
    I removed OpenDNS forwarder from the server, flushed dns on all machines and so far it's working perfectly.  The machines that are not going to be filtered just go through the server for DNS.
    Hopefully, after a while it doesn't break down!

  • Unrecognized update of expired ssl certificate

    hi there
    i installed open ssl to serve pages through apache using https by following this support page
    http://developer.apple.com/internet/serverside/modssl.html
    after a successful year, my server certificate expired. my users now get the following error message...
    "xxx is a site that uses a security certificate to encrypt data during transmission, but its certificate expired.
    you should check to make sure that your computer's time (currently set to xxx) is correct."
    i followed the same steps again to renew the certificate, but it still produces the same error message even after the update. i've even tried deleting any references to the old certificates from the keychain, in case there was some old pointer, but that hasn't seemed to work either.
    the situation is causing my users some consternation and is cause for mistrust. how can i get the update to be recognized?

    To confirm, I was able to connect to https://rumi.smarthome.cs.cmu.edu/ and saw the valid certificate.
    I'm not an expert on SSL by any means, but I do believe your certificate should match the host name of the server. And as for virtual hosts, see Apache's documentation on using SSL:
    http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
    Summary: you cannot use name-based virtual hosting to host multiple SSL sites on one server. You can use different IP addresses or different ports.
    Matt

  • Installing SSL Certificates on OS X 10.7 Lion Server

    Is there anybody out there that has gotten this to work?
    Have been at this for 3 days. Now on 10th clean install.
    Have tried different SSL certificates from different CA vendors. All on clean installs.
    Can install along with intermediate certificates.
    Different SSL checkers report differing results. Some will report as fine whilst others will report that the chain is broken.
    Some examples:
    https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556&actp=LIST&viewlocale=en_US
    Will report a double entry
    http://www.digicert.com/help/
    will report a break between the server certificate and the first intermediate certificate which it recognises as the same server certificate (weird!)
    https://www.ssllabs.com/ssldb/analyze.html
    Will report "incorrect order"
    http://www.sslshopper.com/ssl-checker.html
    Seems to report as fine although you will notice the server certificate twice in the chain again first as Server then first link in chain
    I assure you I have only installed certificates once (1 for purchased cert and 1 for intermediate) at the beginning of a clean install.
    At a loss with this and very frustrated after 3 days getting nowhere.
    Anyone able to help?

    https://certs.godaddy.com/ccp/tools/sslinstallvalidator.seam
    Will report "Chain of Trust broken!"
    All this despite being able to access the server over SSL just fine. Need to get this to work properly though to make use of profile manager.
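
The symptoms listed in this thread (server certificate appearing twice, "incorrect order", a break between the server certificate and the first intermediate) all come down to the order in which the server sends its chain. The check below is an added example, not part of the original posts: it works on subject/issuer names only, with constructed sample names, and leaves out the key-identifier matching and signature verification that a real validator also performs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Only the two name fields needed to reason about chain order."""
    subject: str
    issuer: str


def check_served_chain(chain):
    """Return findings for a chain in the order the server sends it.

    Expected order is leaf first, then each certificate followed by the
    certificate of the CA that issued it.
    """
    findings = []
    seen = set()
    for pos, cert in enumerate(chain):
        if cert in seen:
            findings.append(f"duplicate at position {pos}: {cert.subject}")
        seen.add(cert)
    for pos in range(len(chain) - 1):
        current, following = chain[pos], chain[pos + 1]
        if current.issuer != following.subject:
            findings.append(
                f"break after position {pos}: {current.subject!r} is issued by "
                f"{current.issuer!r} but is followed by {following.subject!r}"
            )
    return findings


def rebuild_chain(leaf_subject, bundle):
    """Order an unordered, possibly duplicated bundle leaf-first."""
    by_subject = {cert.subject: cert for cert in bundle}
    chain = []
    current = by_subject.get(leaf_subject)
    while current is not None and current not in chain:
        chain.append(current)
        if current.issuer == current.subject:  # self-signed root: stop here
            break
        current = by_subject.get(current.issuer)
    return chain


# Constructed sample data: names are placeholders, not taken from the thread.
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")

# Leaf sent twice, then the intermediate: the "server certificate twice" case.
SERVED_WITH_DUPLICATE = [LEAF, LEAF, INTERMEDIATE]
# Intermediate sent before the leaf: the "incorrect order" case.
SERVED_REVERSED = [INTERMEDIATE, LEAF]

if __name__ == "__main__":
    for name, served in (("duplicate", SERVED_WITH_DUPLICATE),
                         ("reversed", SERVED_REVERSED)):
        print(name, check_served_chain(served))
        fixed = rebuild_chain(LEAF.subject, served)
        print("  rebuilt:", [c.subject for c in fixed],
              "findings:", check_served_chain(fixed))
```

A checker that reads the second copy of the leaf as "the first intermediate" reports exactly the break described above, even though a browser that builds its own path connects without complaint.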

  • Getting error "Problem with SSL Certificate" but I'm connecting to my private server without SSL

    I wanted to create a PDF from a subtree at a website. The first problem was that Acrobat Pro (11.0.7) wouldn't spider it (probably because there was a robot.txt file there) so I had to use SiteSucker to pull the pages down to my Mac.
    Then I discovered that Acrobat Pro can't handle file:/// URLs so that was no good either.
    So then I copied all the pages to a folder on my Linux server where I use a non-standard port (86) for http connection as a minor security precaution.
    When I tried to access that from Acrobat Pro, it bitched about a problem with SSL Certificate but gave me no option to do anything about it. More relevantly, all the files were accessible using http protocol, not https so there shouldn't have been any need to deal with SSL certificates at all.
    I had to temporarily enable port 80 on my apache server at which point it's now pulling all the files in and hopefully converting them.
    A) We're at version 11 ---- these kinds of issues should have been fixed years ago
    B) While you're at it, fix the stupid UI issue where the download dialog disappears completely if Acrobat Pro doesn't have the focus. On a long download, I'd like to be able to see progress while working on other stuff. Acrobat Pro is not the center of the universe!

    Interesting point 2, I am working on a Mac plugin at the moment. It does not hide its dialogs when switching to a different app. I consider this a bug and will fix it so the dialog disappears. I hadn't considered the question of progress but there is a very strong reason to do this on the Mac.
    My tests seem to show that
    (a) to get a dialog to sit above PDF documents all the time, it must be on a higher "level".
    (b) if a dialog is at a higher level, this is a global setting.
    So, if the dialog is not hidden when switching all, it will typically sit on top of the other app's document windows. This would not be popular, as the end user, unless they have mountains of screen space and choose to use it that way, must either close or move the dialog when switching app, then bring the dialog back.  So, because Acrobat Pro is not the centre of the universe, it will hide dialogs (or rather, the Mac will, as it's a standard option when creating a window).

  • SSL certificates not visible while RFC destination creation

    Hi all,
    I am setting up an RFC destination to connect to external server and which uses SSL certificates for its authorization.
    So i have imported the Client certificates into STRUST.
    While setting up an RFC connection of type G, in the security tab when we select the SSL security certificate radio button, will we be able to see the certificates (in the combo box) that we have imported in STRUST?
    Currently, though I have imported the Client certificates into STRUST, I am not able to see them in the SSL security certificates combo box.
    Kindly help me out.
    Cheers,
    Siva Maranani.

    Well, first of all we should avoid confusion by using the term "ABAP destination" rather than "RFC destination" (although ABAP transaction SM59 still has this old title).
    When referring to an "ABAP destination of type G" we are talking of an outbound http connection to a non-ABAP server (e.g. an SAP J2EE server or any other http server).
    I'm not sure whether you are aware that in this context "SSL client certificate" refers to the ABAP system (which is the SSL client in this scenario). This is different from scenarios where "X.509 client certificate" refers to a certificate which is assigned to an individual user (using a web browser). In the given scenarios, where two systems are the communication peers, SSL cannot be used for user authentication. That fact is often misunderstood.
    By default you'll find 3 different SSL certificates (actually: PSEs) in an ABAP system (which can be used only after enabling SSL, of course - see note 510007 for instructions):
      - SSL Server
      - SSL Client (anonymous)
      - SSL Client (Default)
    Well, the "SSL Client (anonymous)" is actually not really a "client certificate" but used for outgoing http requests where you do not intend to send your own SSL client certificate. Since you cannot use the server's SSL client certificates for user authentication it might make sense to use "SSL Client (anonymous)" in most cases.
    Please notice: you have to add the server's SSL certificate (respectively the root CA certificate and potentially intermediate CA certificates) to the certificate list of the "SSL Client (anonymous)" PSE (using STRUST). By default, that list is empty - consequently no SSL server certificate is trusted (in contrast to a web browser which is already shipped with a long list of "trusted CAs").
    Only when the (remote) server demands SSL client certificates it might make sense to use either "SSL Client (Default)" or to define a new SSL client certificate (for the ABAP system that submits the https request).
    Please notice:
    SSL client certificates need to be issued by a Certification Authority (CA) in order to be accepted by the SSL server.
    In addition to importing the SSL server's certificate to the certificate list of the SSL client PSE (see above: anonymous SSL client) you also need to export the root CA certificate (and potentially all intermediate CA certificates) of the SSL client certificate and import it to the (remote) SSL server's keystore (kindly refer to the manuals of that server for instructions).
    Kind regards, Wolfgang
    PS: I assume that you have imported some certificates to the certificate list of an SSL client PSE. In SM59 only those SSL client PSEs are listed: "SSL Client (anonymous)", "SSL Client (Default)" and all SSL client PSEs that you might have defined in addition (using transaction STRUST => Environment => SSL Client Identities).

  • How to Create SSL certificate for HTTPS Connection in SAP PI

    Hi,
    I have Proxy to HTTPS scenario. I need to provide my SSL certificate (SAP PI SSL Certificate) to the vendor.
    How to generate SAP PI SSL certificate? I have already imported vendor certificate using STRUST T-code.
    I am not sure from where to generate SAP PI SSL certificate that need to be shared with vendor.
    Please help me on this issue.
    Thanks,
    Siva

    Hi,
    Check if it helps:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/49/26af8339242583e10000000a421937/frameset.htm
    But as mentioned for the colleague above, you can create that on Visual Administrator Tool -> Keystore
    Regards,
    Caio Cagnani

  • CSS SSL Certificate Upgrade

    Hello,
    I need to install an SSL certificate on my CSS but have no access to an FTP/SFTP server.
    Can the import be accomplished via the console or some other means?
    Thanks,
    -Adam

    Gilles,
    We actually have an FTP server... it's just that the CSS is inside a DMZ and we are having some issues right now... so just wanted to know if it was possible to get the cert/key files to the CSS by some other means.
    Time to fire-up the FileZilla FTP server and hit the management port!
    Thanks,
    -Adam
