New server and/or CA certificate for connection from custom authentication

We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in Spain -- these are in most browsers but are not in the standard batch of cacerts CAs -- and are free for .edu domains.
My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
Relevant things I've tried so far:
Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
Import the IPS CA into the web server cert8 style db via the web admin server.
The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related. It almost seems like the URLConnection object ends up using an HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non-SSL service running on CAS. The same code pointed to the server running the Verisign cert works as expected.
Part of the stack:
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
The relevant bit of code from the SecureURL.retrieve looks as follows (wrapped here in its method signature with the imports it needs; the body of the finally block was elided in the post):
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;

public static String retrieve(String url) throws IOException {
    BufferedReader r = null;
    try {
        URL u = new URL(url);
        if (!u.getProtocol().equals("https"))
            throw new IOException("only 'https' URLs are valid for this method");
        // Note: the returned object is whatever the installed "https" handler provides;
        // the code never checks that it is actually an HttpsURLConnection.
        URLConnection uc = u.openConnection();
        uc.setRequestProperty("Connection", "close");
        r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
        String line;
        StringBuffer buf = new StringBuffer();
        while ((line = r.readLine()) != null)
            buf.append(line + "\n");
        return buf.toString();
    } finally {
        // ... (cleanup elided in the original post; closing the reader is the obvious step)
        if (r != null) r.close();
    }
}
The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
Thank you very much for any insights and help,
Ethan
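As an added example (my own code, not from the post, Access Manager or the CAS client library): the same retrieve written so that it trusts exactly one CA loaded from a PEM file, instead of depending on whichever cacerts or cert8.db the container consults, and so that it fails closed if the installed "https" handler returns anything other than an HttpsURLConnection. The class name, the CA file path and the validate URL passed on the command line are placeholders; it uses only standard JSSE APIs.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Fetches an https URL trusting one explicitly supplied CA, never falling back to cleartext. */
public final class PinnedCaRetriever {

    private final SSLContext sslContext;

    /** caPemPath: PEM file holding the issuing CA certificate (placeholder path, supplied by caller). */
    public PinnedCaRetriever(String caPemPath) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        InputStream in = new FileInputStream(caPemPath);
        try {
            ca = (X509Certificate) cf.generateCertificate(in);
        } finally {
            in.close();
        }
        // In-memory trust store containing only this CA: independent of the JDK cacerts
        // file and of any NSS cert8.db the web container or amserver may be using.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    public String retrieve(String url) throws IOException {
        URL u = new URL(url);
        if (!"https".equals(u.getProtocol())) {
            throw new IOException("only https URLs are accepted: " + url);
        }
        URLConnection uc = u.openConnection();
        // Fail closed: if a custom handler (java.protocol.handler.pkgs) returns a plain
        // HttpURLConnection for an https URL, refuse rather than send the ticket in clear.
        if (!(uc instanceof HttpsURLConnection)) {
            throw new IOException("expected HttpsURLConnection, got " + uc.getClass().getName()
                + " (java.protocol.handler.pkgs="
                + System.getProperty("java.protocol.handler.pkgs") + ")");
        }
        HttpsURLConnection hc = (HttpsURLConnection) uc;
        hc.setSSLSocketFactory(sslContext.getSocketFactory());
        // The default HostnameVerifier stays in place; it accepts a matching wildcard name.
        hc.setRequestProperty("Connection", "close");
        hc.setConnectTimeout(5000);
        hc.setReadTimeout(5000);
        BufferedReader r = new BufferedReader(new InputStreamReader(hc.getInputStream(), "UTF-8"));
        try {
            StringBuilder buf = new StringBuilder();
            String line;
            while ((line = r.readLine()) != null) {
                buf.append(line).append('\n');
            }
            return buf.toString();
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the CA PEM file; args[1]: the https URL to fetch (both placeholders).
        PinnedCaRetriever retriever = new PinnedCaRetriever(args[0]);
        System.out.print(retriever.retrieve(args[1]));
    }
}
```

If the CA is wrong or the server presents a different chain, this fails with an SSLHandshakeException naming the trust problem rather than the "Connection refused" seen in the post, because the connection type is checked before any bytes are sent. Keep the default HostnameVerifier: it already matches the wildcard certificate, and replacing it with a permissive one to "make it work" would defeat the check.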

I thought since this has had a fair number of views I would give an update.
I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
certutil: certificate is valid
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
certutil: certificate is invalid: Certificate type not approved for application.
root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
FSU Wildcard Certificate : Certificate type not approved for application.
So it could be that I don't understand how to use certutil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
BTW for those interested, it did seem to be the case that when the certificate failure occurred, the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out with a malformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way, exposing sensitive information to the network.
This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the HttpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.
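An added diagnostic for the two questions raised in the update (my own code, not from the post or from Access Manager): which class answers for "https" under the current java.protocol.handler.pkgs setting, and which trust anchors the JVM's default JSSE trust store actually contains. openConnection() builds the connection object without touching the network, so this can be run inside the container with no CAS server reachable. The default URL and the "IPS" subject-DN filter are placeholders.

```java
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Reports the https protocol handler in use and the CAs in the JVM's default trust store. */
public final class TrustProbe {

    public static void main(String[] args) throws Exception {
        // Placeholders: any https URL (never connected to) and a substring of the CA's subject DN.
        String target = args.length > 0 ? args[0] : "https://cas.example.edu/serviceValidate";
        String issuerFilter = args.length > 1 ? args[1] : "IPS";

        System.out.println("java.protocol.handler.pkgs = "
            + System.getProperty("java.protocol.handler.pkgs"));
        System.out.println("javax.net.ssl.trustStore   = "
            + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("java.home                  = " + System.getProperty("java.home"));

        // The concrete class shows which handler package was consulted for "https".
        URLConnection uc = new URL(target).openConnection();
        System.out.println("handler class for https   = " + uc.getClass().getName());
        System.out.println("is HttpsURLConnection      = " + (uc instanceof HttpsURLConnection));

        // init(null) selects the JVM default trust store: javax.net.ssl.trustStore if set,
        // otherwise ${java.home}/lib/security/cacerts. An NSS cert8.db is NOT consulted here.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        int total = 0;
        int matched = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                total++;
                String dn = anchor.getSubjectX500Principal().getName();
                if (dn.contains(issuerFilter)) {
                    matched++;
                    System.out.println("trusted anchor: " + dn
                        + " (expires " + anchor.getNotAfter() + ")");
                }
            }
        }
        System.out.println(total + " anchors loaded, " + matched
            + " matching \"" + issuerFilter + "\"");
    }
}
```

Run it with the same JVM and the same -D flags the web container uses (the java.protocol.handler.pkgs setting in particular). If the reported handler class is not an HttpsURLConnection, the CA you imported into cacerts is irrelevant to that code path, which matches the situation described above where the module was reading the cert8 db named by com.iplanet.am.admin.cli.certdb.dir; if it is the standard handler and the anchor count for your filter is zero, the import went into a cacerts file belonging to a different java.home than the one that is running.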
