New To SSL

I have a client/server application (not HTTP) that uses sockets to communicate with each other. Ports are opened and objects are passed from the client to the server and vice versa. I have successfully converted the application to use SSL by following the very simple example in the Java Secure Socket Extension Reference Guide. It appears that the application only works when I create a keystore and truststore, and the client and the server are started with the keystore and truststore options (-Djavax.net.ssl.trustStore=, -Djavax.net.ssl.keyStore=, -Djavax.net.ssl.keyStorePassword=).
My question is: Why does the client application need anything? Again, I'm a novice with SSL. I have been doing web development for years and have created public/private keys with a CA signed certificates, and the source (a web-browser) never needs anything. It is passed the public key by Apache to do the decryption. Going back to the Java application... Is this typically how client applications connect to their server counterparts (the client needing the keystore and truststore files)? The reason I ask is that there may be many client application installations, each requiring this file. I can't see this as being reasonable to need these two files for every client installation. Secondly, this application can also run as an applet. Can the applet read these files? If it is packed in a signed JAR file then I guess one could grab the files from the JAR file.
I would think the better approach is the private/public key encryption. The client doesn't need anything that way. If this way can be achieved, does anyone have an example of this (not using HTTP, but SSL sockets passing simple objects back and forth to each other). I want this application to be generic enough that it could be plopped into any company that requires SSL and this thing will work. I'm not sure if that is easily achievable.
Any help appreciated.
Thanks.
-Jim
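What the browser comparison in the post above hides is that a browser does carry a truststore (the CA root certificates bundled with it or with the OS), so the Java equivalent of "the client needs nothing" is a client that ships only a truststore and no keystore. The following is an added example, not code from the original thread or from the JSSE Reference Guide. It assumes two hypothetical PKCS#12 files: server.p12 holding the server's private key and certificate chain, and truststore.p12 holding only the CA certificate that issued it, both protected with the password "changeit". It needs Java 9 or later for ObjectInputFilter.

```java
// Added example (not from the original post or the JSSE guide). Assumed
// artefacts: server.p12 = the server's private key + certificate chain,
// truststore.p12 = only the CA certificate that issued it; password "changeit".
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;

public class TlsObjectSockets {

    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    /** Server: needs the key entry (private key + chain). It needs no truststore
     *  unless it calls setNeedClientAuth(true) to demand client certificates. */
    static SSLContext serverContext() throws Exception {
        char[] pw = "changeit".toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("server.p12", pw), pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Client: needs only the CA certificate to verify the server, exactly as a
     *  browser needs only its bundled roots. No private key ships with the client,
     *  so nothing in the JAR or the installation is secret. */
    static SSLContext clientContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("truststore.p12", "changeit".toCharArray()));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocket server = (SSLServerSocket)
            serverContext().getServerSocketFactory().createServerSocket(0);

        Thread t = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept();
                 ObjectInputStream in = new ObjectInputStream(s.getInputStream());
                 ObjectOutputStream out = new ObjectOutputStream(s.getOutputStream())) {
                // TLS authenticates the peer; it does not make deserialised objects safe.
                // Allow only the classes the protocol actually exchanges (Java 9+).
                in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.String;!*"));
                out.writeObject("echo:" + in.readObject());
            } catch (IOException | ClassNotFoundException e) {
                e.printStackTrace();
            }
        });
        t.start();

        try (SSLSocket client = (SSLSocket) clientContext().getSocketFactory()
                 .createSocket("localhost", server.getLocalPort())) {
            // A raw SSLSocket does not check the hostname against the certificate
            // unless told to; without this, any certificate from the trusted CA is accepted.
            SSLParameters p = client.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            client.setSSLParameters(p);
            client.startHandshake();
            ObjectOutputStream out = new ObjectOutputStream(client.getOutputStream());
            out.writeObject("hello");
            out.flush();
            ObjectInputStream in = new ObjectInputStream(client.getInputStream());
            System.out.println(in.readObject());
        } finally {
            t.join();
            server.close();
        }
    }
}
```

Two things the -D system properties do not make obvious: the server's truststore is only consulted if it asks for a client certificate, and the client's keystore is only consulted if the server does so. For an applet or a widely deployed client, the truststore is the one file to ship; it holds no secret, only the CA certificate the client should trust, and it can live inside the JAR without concern.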

Question: When I created a self-signed certificate I ran keytool with -genkey. That created a keystore with 1 key entry. Then I exported the generated certificate into a file. Then I ran keytool again with the "-import". That created a truststore.
From what I have seen, my server application requires a keystore and a truststore. I have a CA certificate with an RSA private key. I am trying to create a keystore and a truststore, as above, so that my application can be executed against an authenticated certificate, not the self-signed one. Since I am not generating a certificate, I didn't run keytool with the "-genkey" option (and also obviously didn't export the key from the keystore since I haven't created one yet). Instead, I ran keytool with "-import", which appears to have created a truststore (no keystore). How do I create a keystore, and where does this private key come into play (or doesn't it)? Nothing asks me for the private key file.
Sorry if I'm asking level 1 questions. I'm trying to figure out how this all works. I really need to take a class to help me understand the components and relationships. I've read some of the docs, but I'm not quite getting it.
-Jim
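The procedure described above works for a self-signed certificate because -genkey creates a key entry (private key plus certificate) and -import creates a trusted-certificate entry; -import on its own never creates a key entry, which is why the private key is never asked for. The following is an added example, not code from the original post, that builds the missing key entry from an existing CA-issued certificate chain and its private key. It assumes hypothetical files key.pem (an unencrypted PKCS#8 key, "-----BEGIN PRIVATE KEY-----") and chain.pem (the server certificate followed by any intermediates), writes a PKCS#12 keystore, and requires Java 11 or later.

```java
// Added example (not from the original post). Builds a keystore key entry from
// an existing CA-issued certificate chain and its private key.
// Assumed inputs (hypothetical names): key.pem = unencrypted PKCS#8 RSA key,
// chain.pem = server certificate followed by any intermediates.
import java.io.Console;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;

public class PemToKeyStore {

    /** Parses a PEM "BEGIN PRIVATE KEY" (PKCS#8) file. A "BEGIN RSA PRIVATE KEY"
     *  (PKCS#1) file must first be converted with `openssl pkcs8 -topk8 -nocrypt`;
     *  KeyFactory does not read that format. */
    static PrivateKey readPkcs8(Path pem) throws Exception {
        String body = Files.readString(pem)
            .replace("-----BEGIN PRIVATE KEY-----", "")
            .replace("-----END PRIVATE KEY-----", "")
            .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Reads every certificate in a PEM bundle, in file order (leaf first). */
    static Certificate[] readChain(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return CertificateFactory.getInstance("X.509")
                .generateCertificates(in).toArray(new Certificate[0]);
        }
    }

    /** The check keytool never does for you: the key must belong to the leaf cert. */
    static boolean keyMatchesCert(PrivateKey key, Certificate leaf) {
        RSAPrivateKey priv = (RSAPrivateKey) key;
        RSAPublicKey pub = (RSAPublicKey) leaf.getPublicKey();
        return priv.getModulus().equals(pub.getModulus());
    }

    public static void main(String[] args) throws Exception {
        Path keyPem = Path.of(args[0]), chainPem = Path.of(args[1]), out = Path.of(args[2]);
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from a terminal so the password is not passed as an argument");
        }
        char[] pw = console.readPassword("keystore password: ");

        PrivateKey key = readPkcs8(keyPem);
        Certificate[] chain = readChain(chainPem);
        if (!keyMatchesCert(key, chain[0])) {
            throw new IllegalArgumentException("private key does not match "
                + ((X509Certificate) chain[0]).getSubjectX500Principal());
        }

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);   // start with an empty keystore
        // This is the entry type `keytool -import` cannot create: a key entry
        // (private key + chain). `-import` of a certificate alone creates a
        // trusted-certificate entry, which is what a truststore holds.
        ks.setKeyEntry("server", key, pw, chain);
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, pw);
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + ": "
                + (ks.isKeyEntry(alias) ? "key entry" : "trusted certificate entry"));
        }
    }
}
```

Run it as `java PemToKeyStore key.pem chain.pem server.p12`; the resulting file is what -Djavax.net.ssl.keyStore= on the server should point at. The client's truststore is a separate file containing only the CA certificate, created with `keytool -import` exactly as described in the post.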

Similar Messages

  • New Wildcard SSL certificate

    Guys,
    We had a certificate expire on our CAS servers that was used for webmail, autodiscover etc. We had purchased a wildcard cert for use on the newly installed ADFS servers for our migration to Office 365. Rather than renew the original SAN cert, I imported the wildcard cert into CAS (same domain name), bound the cert in IIS, then completed an IISRESET. Launched Outlook again; it prompted to accept the new wildcard cert. I accepted it. Logged out of Outlook, launched again, prompted again for the certificate. I then installed the certificate via the prompts in Outlook. Yet each time I launch Outlook, it is still asking to accept the certificate. Any thoughts?

    Guys,
    Thanks for the suggestions, but here is the fix.
    I finally received a call from MSFT in regards to the certificate popup in Outlook. From what I had written earlier, I was on the right track, but it was ultimately an autodiscover issue.
    For this conversation, my client’s domain name is Domain.com
    FQDN names of the CAS servers are CAS01.nyc.domain.com / CAS02.nyc.domain.com
    Now, all the steps that were completed, importing the *.domain.com cert into Exchange via EMC and importing the cert using the Certificate Manager snap-in, were successful. I was curious if the *.domain.com cert would cover a server's name if the server name was like my client's, CAS01.nyc.domain.com. Typically it's just CAS01.Domain.com. You would think so, but I was not totally convinced. MSFT did say that it is fine for the server, but the AutodiscoverInternalURL CAS01.nyc.domain.com was the underlying problem. Once the Outlook client tried to log in, it used the AutodiscoverInternalURL, which was shown to be https://CAS01.nyc.Autodiscover.domain.com/Autodiscover/Autodiscover.xml. Same for CAS02.
    So we ran the command below, which removed the nyc:
    Set-ClientAccessServer –Identity CAS01 -AutoDiscoverServiceInternalUri https://CAS01.autodiscover.domain.com/autodiscover/autodiscover.xml
    Same for CAS02. Completed an IISRESET, all better now.

  • Exchange 2007 - Outlook Anywhere problems after installing new SSL cert

    *** Original thread posted on wrong forum ***
    Hi all,
    Exchange 2007 environment (2x CAS, ISA2006). Not much familiar with Exchange.
    Problem: 20-odd machines off the domain use Outlook Anywhere (XP with Outlook 2010). Authentication pop-up and not able to connect.
    Company has recently changed its name and we have had to renew the SSL cert. Previous SSL cert was issued to: webmail.oldcompname.co.uk (several SANs on that cert, including internal server names).
    Applied for a new UCC SSL cert issued to: newcompanyname.com (also includes webmail.newcompanyname.com ; autodiscover.newcompanyname.com + old SANs).
    The setting on those machines point the proxy to the following:
    Https://webmail.oldcompname.co.uk (which is fine since it is in the cert and can be accessed)
    Only connect to proxy servers that have this principal name in their cert.: 
    msstd:webmail.oldcompname.co.uk (I believe this is the problem since the new UCC SSL cert. was issued to newcompanyname.com).
    Browsing technet + internet it seems that I need to look into OutlookProvider EXPR.
    When I run Get-OutlookProvider everything is blank (I believe I should be concerned to EXPR only for Outlook Anywhere).
    I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com
    My only concern is whether this might break something else in the Exchange environment, especially as we have 100+ users on smartphones connecting via SSL on webmail.oldcompname.co.uk
    Is it safe to run this command? Do I need to restart IIS? Do I need to look into any settings on ISA2006?
    Comments/help are much appreciated.
    Regards 

    Hi,
    According to the description, I found that you renewed an SSL certificate.
    "I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com"
    Just do it. Then remove the old certificate on ISA server and install a new one.
    Found a similar thread for your reference:
    Renewal of SSL certificate in exchange 2007 with ISA 2006
    http://social.technet.microsoft.com/Forums/exchange/en-US/25770038-8491-470a-92fa-8ae50674b7a6/renewal-of-ssl-certificate-in-exchange-2007-with-isa-2006
    Hope it is helpful
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Missing Active/New Sockets during SSL Setup

    Hello Everyone,
    We have a situation where we tried to upload a new signed SSL cert ( the previous one worked fine ).
    After uploading the new cert; we have lost the SSL port (5XX01) under Active/New Sockets in VA
    Anyone know what would cause this?

    Thanks..
    How do you re-add the ports? We didn't change anything to begin with.
    Anyways, we removed the signed cert and bounced the system. The ports came back and everything worked.

  • Anyconnect SSL-VPN - DNS Lookups (external) doesn't work

    Hello,
    I have issues with my SSL AnyConnect VPN setup on my ASA 5512-x. The VPN , split tunneling and NAT exempt is working fine and i can connect to internal hosts.
    However, external or internal DNS requests don't work on the clients (Windows, AnyConnect). I want full split tunneling, i.e. DNS requests should not go through the VPN.
    The DNS requests work through NSLOOKUP but not in ping or in any browser.
    (The config, request more if i've omitted something important).
    ASA Version 8.6(1)2
    access-list vlan42-splittunneling standard permit 192.168.42.0 255.255.255.0
    ip local pool vlan42test 192.168.199.50-192.168.199.55 mask 255.255.255.0
    address-pools value vlan42test
    nat (any,any) source static any any destination static VPN-pool-range VPN-pool-range
    object network VPN-pool-range
    range 192.168.199.10 192.168.199.254
    webvpn
    enable Outside
    anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
    anyconnect enable
    group-policy vlan42-clientvpn-policy internal
    group-policy vlan42-clientvpn-policy attributes
    wins-server none
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vlan42-splittunneling
    default-domain value doesntmatter.local
    split-dns value doesntmatter.local
    vlan none
    address-pools value vlan42test
    vpn-group-policy vlan42-clientvpn-policy
    vpn-simultaneous-logins 20
    service-type remote-access
    tunnel-group vlan42-con-profile type remote-access
    tunnel-group vlan42-con-profile general-attributes
    authentication-server-group ah
    default-group-policy vlan42-clientvpn-policy
    tunnel-group vlan42-con-profile webvpn-attributes
    group-alias privatecloud42 enable
    group-url https://vpn.**.com/privatecloud42 enable
    I gladly appreciate your help. Thank you.

    I don't have experience with the ssl client and vista, but I do use the new Anyconnect SSL client with vista. All you need to do is upgrade the ASA to version 8. Hope that helps.

  • SSL between WebLogic 10.0 and IIS 6.0 doesn't work

    Hi,
    I don't understand why the SSL connection between WL10.0 and IIS 6.0 doesn't work. My ini file is below:
    WebLogicHost=10.0.162.31
    WebLogicPort=7002
    ConnectTimeoutSecs=20
    ConnectRetrySecs=2
    WlForwardPath=/weblogic
    PathTrim=/weblogic
    Debug=ON
    SecureProxy=ON
    TrustedCAFile=C:\trustedca.pem
    EnforceBasicConstraints=off
    RequireSSLHostMatch=false
    where 'trustedca.pem' is the pem extracted (and converted) from wlsdemoca contained into DemoTrust.jks and '7002' is my ssl listen port.
    Do I need to set any more parameters?
    My wlpsoxy.log for one request is:
    ================New Request: [crl4/.wlforward] =================
    Thu Apr 17 10:27:32 2008 <351612084388524> SSL is not being used
    Thu Apr 17 10:27:32 2008 <351612084388524> resolveRequest: wlforward: /crl4/
    Thu Apr 17 10:27:32 2008 <351612084388524> URI is /crl4/, len=6
    Thu Apr 17 10:27:32 2008 <351612084388524> Request URI = [crl4/]
    Thu Apr 17 10:27:32 2008 <351612084388524> attempt #0 out of a max of 10
    Thu Apr 17 10:27:32 2008 <351612084388524> Trying a pooled connection for '10.0.162.31/7001/7001'
    Thu Apr 17 10:27:32 2008 <351612084388524> getPooledConn: No more connections in the pool for Host[10.0.162.31] Port[7001] SecurePort[7001]
    Thu Apr 17 10:27:32 2008 <351612084388524> general list: trying connect to '10.0.162.31'/7001/7001 at line 1239 for '/crl4/'
    Thu Apr 17 10:27:32 2008 <351612084388524> INFO: New NON-SSL URL
    Thu Apr 17 10:27:32 2008 <351612084388524> Connect returns -1, and error no set to 10035, msg 'Unknown error'
    Thu Apr 17 10:27:32 2008 <351612084388524> EINPROGRESS in connect() - selecting
    Thu Apr 17 10:27:32 2008 <351612084388524> Local Port of the socket is 1476
    Thu Apr 17 10:27:32 2008 <351612084388524> Remote Host 10.0.162.31 Remote Port 7001
    Thu Apr 17 10:27:32 2008 <351612084388524> general list: created a new connection to '10.0.162.31'/7001 for '/crl4/', Local port: 1476
    Thu Apr 17 10:27:32 2008 <351612084388524> WLS info in sendRequest: 10.0.162.31:7001 recycled? 0
    Thu Apr 17 10:27:32 2008 <351612084388524> URL::parseHeaders: CompleteStatusLine set to [HTTP/1.1 200 OK]
    Thu Apr 17 10:27:32 2008 <351612084388524> URL::parseHeaders: StatusLine set to [200 OK]
    Thu Apr 17 10:27:32 2008 <351612084388524> parsed all headers OK
    Thu Apr 17 10:27:32 2008 <351612084388524> sendResponse() : uref->getStatus() = '200'
    Thu Apr 17 10:27:32 2008 <351612084388524> Going to send headers to the client. Status :200 OK
    Thu Apr 17 10:27:32 2008 <351612084388524> Content Length = 264
    Thu Apr 17 10:27:32 2008 <351612084388524> canRecycle: conn=1 status=200 isKA=1 clen=264 isCTE=0
    Thu Apr 17 10:27:32 2008 <351612084388524> closeConn: pooling for '10.0.162.31/7001'
    Thu Apr 17 10:27:32 2008 <351612084388524> request [crl4/] processed successfully ..................
    Thu Apr 17 10:27:57 2008 <351612084387971> timed out 1 connections, idle for (at least) 25 secs
    Any idea that help me?

    I had a look into the xlclient.cmd file and went to the JAVA directory which is being used. And did a search for the "cacerts" and found out that there is a file named cacerts in the JAVA_HOME/jre/lib/security folder over there.
    But how does that relate to the problem of running the keytool command successfully at the right place (OIM_DC_HOME) ?
    Any hints Kevin....
    Thanks,
    - oidm.

  • FTPSClient - SSL  Received fatal alert: bad_record_mac

    I am trying to connect to an out of network server using org.apache.commons.net.ftp.FTPSClient
    and trying to upload a file.
    The code works correctly when I execute it from localhost but throws the following exception from the prod server.
    javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1682)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
         at org.apache.commons.net.ftp.FTPSClient.sslNegotiation(FTPSClient.java:240)
         at org.apache.commons.net.ftp.FTPSClient._connectAction_(FTPSClient.java:171)
         at org.apache.commons.net.SocketClient.connect(SocketClient.java:178)
    Code
    // explicit FTPS: AUTH is sent and the TLS handshake runs inside connect()
    FTPClient ftp = new FTPSClient("SSL");
    ftp.connect(server, 21);
    reply = ftp.getReplyCode();
    if (!FTPReply.isPositiveCompletion(reply)) {
        ftp.disconnect();
        log.debug("FTP server refused connection.");
        return;
    }
    //ftp.enterRemotePassiveMode();
    ftp.enterLocalPassiveMode();
    ftp.login(username, password);
    ======================
    Any suggestions why it would work from my localhost and not from the server?
    Could it be a firewall issue or do I need to use a certificate?

    The FTP server sent you an alert saying that it received a bad_record_MAC from you, i.e. the client.
    So there is something wrong with the client you used when it failed, or the underlying version of JSSE. Are the versions of Java the same in both cases?
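The reply above points at the difference between the two JREs rather than at the server. One way to take the JRE out of the equation, as an added example that is not the original poster's code, is to pin the client's TLS configuration explicitly and print the facts worth comparing between the two hosts. It assumes commons-net 3.4 or later on the classpath (setEndpointCheckingEnabled appeared in 3.4); host, user, password and file names are placeholders.

```java
// Added example, not the original poster's code. Pins the client-side TLS
// configuration so behaviour does not depend on which JRE happens to be on
// each host, and prints the facts to compare between the two environments.
// Assumed: commons-net 3.4+ on the classpath; host/user/password are placeholders.
import org.apache.commons.net.ftp.FTPReply;
import org.apache.commons.net.ftp.FTPSClient;
import org.apache.commons.net.util.TrustManagerUtils;

import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Stream;

public class FtpsUpload {

    /** When it "works on localhost, fails in prod", diff these two lines first. */
    static void printTlsEnvironment() throws Exception {
        System.out.println("java.version=" + System.getProperty("java.version"));
        System.out.println("protocols=" + Arrays.toString(
            SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
    }

    /** TLS 1.2/1.3 only, restricted to what this JRE actually supports. */
    static String[] modernProtocols() throws Exception {
        List<String> supported = Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
        return Stream.of("TLSv1.3", "TLSv1.2").filter(supported::contains).toArray(String[]::new);
    }

    static FTPSClient connect(String host, String user, String pass) throws Exception {
        // Explicit FTPS (AUTH TLS on port 21) with a TLS context, not the "SSL"
        // context the original code asked for.
        FTPSClient ftp = new FTPSClient("TLS", false);
        // Validate the server certificate against the JRE truststore rather than
        // accepting whatever is presented.
        ftp.setTrustManager(TrustManagerUtils.getValidateServerCertificateTrustManager());
        ftp.setEnabledProtocols(modernProtocols());
        ftp.setEndpointCheckingEnabled(true);   // hostname must match the certificate

        ftp.connect(host, 21);
        if (!FTPReply.isPositiveCompletion(ftp.getReplyCode())) {
            ftp.disconnect();
            throw new IOException("FTP server refused connection");
        }
        // Protect the data channel, not only the control channel.
        ftp.execPBSZ(0);
        ftp.execPROT("P");
        ftp.enterLocalPassiveMode();
        if (!ftp.login(user, pass)) {
            ftp.disconnect();
            throw new IOException("login failed: " + ftp.getReplyString());
        }
        return ftp;
    }

    public static void main(String[] args) throws Exception {
        printTlsEnvironment();
        FTPSClient ftp = connect("ftp.example.com", "user", "secret"); // placeholders
        try (InputStream in = Files.newInputStream(Path.of(args[0]))) {
            if (!ftp.storeFile("upload.bin", in)) {
                throw new IOException("upload failed: " + ftp.getReplyString());
            }
        } finally {
            ftp.logout();
            ftp.disconnect();
        }
    }
}
```

If the handshake still fails with bad_record_mac after both hosts show the same protocol list, run the production JVM with -Djavax.net.debug=ssl:handshake to see which record the server rejects; a middlebox between the production host and the FTP server that rewrites the stream produces the same alert.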

  • SSL error: ... SSLCipherUtility.getCompatabilityKeySize()

    Hi all:
    I am using WLS 8.1SP3 to do 2-Way SSL with client, and I am seeing the following SSL error. I have the SSL/Domestic BEA license. Pretty sure that the client uses 128-bit SSL.
    Anyone seen this before? Your help would be appreciated.
    Thanks
    ================
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 770107>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 SSL Version 2 with no padding>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 SSL3/TLS MAC>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 received SSL_20_RECORD>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientHelloV2>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 58>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 2027>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 4>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 SSL3/TLS MAC>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 received HANDSHAKE>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientKeyExchange RSA>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 SSL3/TLS MAC>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 received CHANGE_CIPHER_SPEC>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 SSL3/TLS MAC>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 received HANDSHAKE>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(sock): 5177735>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <activateNoRegister()>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <avalable(): 15551322 : 0 + 0 = 0>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.activate(): activated: 24734398 21629812>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 read(offset=0, length=4080)>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 SSL3/TLS MAC>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 received APPLICATION_DATA: databufferLen 0, contentLength 318>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 read databufferLen 318>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 read A returns 318>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 read(offset=318, length=3762)>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns false 1>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 Rethrowing InterruptedIOException>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(sock): 5177735>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <activateNoRegister()>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <avalable(): 15551322 : 0 + 501 = 501>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.activate(): activated: 24734398 9126243>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 read(offset=318, length=3762)>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns false 1>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 Rethrowing InterruptedIOException>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <Socket> <BEA-000430> <hasException
    java.lang.NullPointerException
    java.lang.NullPointerException
    at weblogic.security.utils.SSLCipherUtility.getCompatabilityKeySize(SSLCipherUtility.java:80)
    at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(MuxableSocketHTTP.java:619)
    at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
    at weblogic.socket.MuxableSocketDiscriminator.dispatch(MuxableSocketDiscriminator.java:285)
    at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
    at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:702)
    at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:648)
    at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:123)
    at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    <Dec 5, 2005 8:53:58 PM EST> <Error> <HTTP> <BEA-101083> <Connection failure.
    java.lang.NullPointerException
    at weblogic.security.utils.SSLCipherUtility.getCompatabilityKeySize(SSLCipherUtility.java:80)
    at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(MuxableSocketHTTP.java:619)
    at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
    at weblogic.socket.MuxableSocketDiscriminator.dispatch(MuxableSocketDiscriminator.java:285)
    at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
    at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:702)
    at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:648)
    at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:123)
    at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <NEW ALERT with Severity: WARNING, Type: 0
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
    at weblogic.socket.SocketMuxer.closeSocket(SocketMuxer.java:287)
    at weblogic.socket.SocketMuxer.cleanupSocket(SocketMuxer.java:625)
    at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:589)
    at weblogic.socket.SocketMuxer.deliverHasException(SocketMuxer.java:541)
    at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:125)
    at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <avalable(): 15551322 : 0 + 501 = 501>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 read(offset=0, length=501)>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 SSL3/TLS MAC>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15607581 received APPLICATION_DATA: databufferLen 0, contentLength 460>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 read databufferLen 460>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <15551322 read A returns 460>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <write ALERT, offset = 0, length = 2>
    <Dec 5, 2005 8:53:58 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 770107>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 7470368>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <1759783 SSL3/TLS MAC>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <1759783 received ALERT>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <NEW ALERT with Severity: WARNING, Type: 0
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.bea.sslplus.CerticomSSLContext.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.security.utils.SSLContextWrapper.forceHandshakeOnAcceptedSocket(SSLContextWrapper.java:128)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:484)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@e83a99>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <CLOSE_NOTIFY received from peer, closing connection: >
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <close(): 6234268>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <NEW ALERT with Severity: WARNING, Type: 0
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.bea.sslplus.CerticomSSLContext.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.security.utils.SSLContextWrapper.forceHandshakeOnAcceptedSocket(SSLContextWrapper.java:128)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:484)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <write ALERT, offset = 0, length = 2>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 7470368>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:54:02 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 7470368>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 22406146>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <24113997 SSL3/TLS MAC>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <24113997 received ALERT>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <NEW ALERT with Severity: WARNING, Type: 0
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.bea.sslplus.CerticomSSLContext.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.security.utils.SSLContextWrapper.forceHandshakeOnAcceptedSocket(SSLContextWrapper.java:128)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:484)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@ce4f39>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <CLOSE_NOTIFY received from peer, closing connection: >
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <close(): 11754736>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <NEW ALERT with Severity: WARNING, Type: 0
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
    at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.bea.sslplus.CerticomSSLContext.forceHandshakeOnAcceptedSocket(Unknown Source)
    at weblogic.security.utils.SSLContextWrapper.forceHandshakeOnAcceptedSocket(SSLContextWrapper.java:128)
    at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:484)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <write ALERT, offset = 0, length = 2>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 22406146>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Dec 5, 2005 8:54:10 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 22406146>
    ================

    The problem was due to the fact that the client application was using the new AES128 SSL ciphersuites, which are not supported in SP3/SP4. Here's BEA support's response:
    The following are the SSL cipher suites supported by WebLogic Server 8.1 SP4:
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_NULL_SHA
    TLS_RSA_WITH_NULL_MD5
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    Support has been added for the following two AES cipher suites in WLS 8.1 SP5:
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    In order to use the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite, you need to install the JCE unlimited strength jurisdiction policy files instead of the policy files that are shipped with the JDK by default. The jurisdiction files can be found at <http://java.sun.com/products/jce/index-14.html>
    Only TLS_RSA_WITH_AES_256_CBC_SHA requires the jurisdiction files. TLS_RSA_WITH_AES_128_CBC_SHA does not.
    --------

  • HTTPS over SSL

    Hi!
    I've been experimenting with SSL and weblogic. I run the following code to
    retrieve an HTML page.
    import java.io.*;
    import java.net.URL;

    public class myApp {
        public static void main(String[] args) throws Exception {
            java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
            System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
            System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\tdevos\\.keystore");
            URL ssl = new URL(args[0]);
            BufferedReader in = new BufferedReader(new InputStreamReader(ssl.openStream()));
            String inputLine;
            while ((inputLine = in.readLine()) != null)
                System.out.println(inputLine);
            in.close();
        }
    }
    Everything goes fine over a non HTTPS connection. E.g. when I type in
    java myApp http://localhost:7001
    everything goes fine. However when I run
    java myApp https://localhost:7002
    I get the following error:
    Exception in thread "main" java.io.IOException: HTTPS hostname wrong:
    should be <localhost>, but cert says <weblogic.bea.com>
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream([DashoPro-V1.2-120198])
        at java.net.URL.openStream(URL.java:798)
    I imported the weblogic key in the correct way (I think ...)
    keytool -import -trustcacerts -keystore "C:\Documents and Settings\tdevos\.keystore" -file democert.pem
    I understand that he expects weblogic.bea.com instead of localhost but what
    I don't understand is that the example works when I rewrite my code to the
    following:
    System.setProperty("javax.net.ssl.trustStore", "C:\\Documents and Settings\\tdevos\\.keystore");
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 7002);
    socket.startHandshake();
    PrintWriter out = new PrintWriter(
        new BufferedWriter(
            new OutputStreamWriter(socket.getOutputStream())));
    out.println("GET http://localhost/ HTTP/1.1");
    out.println();
    out.flush();
    if (out.checkError())
        System.out.println("SSLSocketClient: java.io.PrintWriter error");
    /* read response */
    BufferedReader in = new BufferedReader(
        new InputStreamReader(socket.getInputStream()));
    String inputLine;
    while ((inputLine = in.readLine()) != null)
        System.out.println(inputLine);
    in.close();
    out.close();
    socket.close();
    This is also NOT the way I want to write my code because I'm planning to do
    SOAP calls over the SSL, so I can't simply use the GET method.
    In my opinion I should tell weblogic to use another private key than the one
    delivered. But how can I make a private key on my own?
    Is there a way to export a private key with the standard java keytool and
    how can I tell weblogic to use it? If I can get rid of the error
    Exception in thread "main" java.io.IOException: HTTPS hostname wrong:
    should be <localhost>, but cert says <weblogic.bea.com>
    then everything is fine!
    Thanks in advance for replying
    Tim De Vos

    You can try to abuse the attached code to get your stuff to work. Note do not try HTTPS
    POST with Weblogic 6 now. The key point here is the DummyHostnameVerifier. You should
    not use such method in your production code.
    import java.io.*;
    import java.net.*;
    import java.security.*;
    import javax.net.ssl.*;

    public class TestHttpsURL {
        public static void main(String[] args) {
            try {
                // The original post registered the JSSE 1.0.x provider and HTTPS handler by hand
                // (com.sun.net.ssl.internal.ssl.Provider / com.sun.net.ssl.internal.www.protocol);
                // JDK 1.4 and later ship both, so those two calls are left out here.

                // The original called a helper class X509TrustManagerImpl that is not part of the
                // post. A TrustManagerFactory initialised with a null keystore uses the default
                // truststore (cacerts or -Djavax.net.ssl.trustStore), which is what that helper did.
                TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
                tmf.init((KeyStore) null);
                SSLContext ctx = SSLContext.getInstance("SSL");
                ctx.init(null, tmf.getTrustManagers(), null);   // no client key material is loaded
                SSLSocketFactory factory = ctx.getSocketFactory();

                String msg = "USERID=user&PASSWORD=password";
                HttpsURLConnection conn =
                    (HttpsURLConnection) new URL("https://localhost:7002/PostTest.jsp").openConnection();
                conn.setSSLSocketFactory(factory);
                // Accepts any certificate name. The hostname check is what reports
                // "HTTPS hostname wrong"; switching it off is the shortcut warned about above.
                conn.setHostnameVerifier(new DummyHostnameVerifier());
                conn.setDoOutput(true);
                // Content-Length and Host are filled in by HttpURLConnection itself.
                conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
                // The Accept value was cut off in the original post; only the visible part is kept.
                conn.setRequestProperty("Accept", "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
                    + "application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel");
                conn.setRequestProperty("Accept-Language", "en-us");
                conn.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
                OutputStream out = conn.getOutputStream();
                out.write(msg.getBytes("8859_1"));
                out.flush();
                byte[] resp = new byte[1024];
                int len;
                BufferedInputStream in = new BufferedInputStream(conn.getInputStream());
                while ((len = in.read(resp)) > 0) {
                    System.out.print(new String(resp, 0, len, "8859_1"));
                }
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }

    class DummyHostnameVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }
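    As an added example (not code from either post above), here is the same HTTPS POST written against the javax.net.ssl API of Java 7 or later, with the truststore loaded explicitly instead of through system properties and the default hostname verifier left in place. The question's second variant connects only because a raw SSLSocket performs no hostname check at all; HttpsURLConnection does, and that check is what reports "HTTPS hostname wrong". The file name client-trust.jks, its password, the class and method names and the URL are assumptions made for the example.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the thread: HTTPS POST with an explicit truststore
 * and the default hostname verification kept.  Paths, password and URL are assumed.
 */
public class TrustedHttpsPost {

    /** Builds an SSLContext that trusts only the certificates in the given JKS file. */
    public static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key: server authentication only
        return ctx;
    }

    /** POSTs a form-encoded body over the given context and returns the response body. */
    public static String post(SSLContext ctx, String url, String body) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: the default verifier compares the URL host with the
        // certificate's CN / subject alternative names.  That is the check the thread wants
        // to get past; the durable fix is a certificate for the right name, not a dummy verifier.
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] payload = body.getBytes(StandardCharsets.UTF_8);
        conn.setFixedLengthStreamingMode(payload.length);   // Content-Length is derived from this
        try (OutputStream out = conn.getOutputStream()) {
            out.write(payload);
        }
        StringBuilder sb = new StringBuilder();
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                sb.append(line).append('\n');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: client-trust.jks holds the server certificate (or its issuing CA), e.g. built with
        //   keytool -import -file democert.pem -alias weblogic -keystore client-trust.jks
        SSLContext ctx = contextFromTrustStore("client-trust.jks", "changeit".toCharArray());
        System.out.println(post(ctx, "https://localhost:7002/PostTest.jsp", "USERID=user&PASSWORD=password"));
    }
}
```

    For the hostname check to pass against localhost, the server needs a certificate whose subject matches that name. keytool does not export private keys, so the key pair should be generated directly in the keystore the server will use, for example keytool -genkey -alias server -keyalg RSA -dname "CN=localhost" -keystore server.jks, and WebLogic then pointed at that keystore in its SSL configuration; the exact WebLogic settings depend on the version and are not covered by the thread.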

  • SSL implementation in Java

    Hi to all
    I am new to the SSL topic and I am trying to implement SSL, so please help me in this regard.
    I am implementing SSL in JSSE (Java). We are developing our application with a self-signed certificate.
    The client is implementing SSL in C and the server in Java.
    How do these client and server communicate? First I want to know how to generate keys and certificates and how to exchange the certificates between client and server.
    Give me one example in this regard.
    Thank you

    Thanks for your reply.
    I have already studied the whole JSSE Reference Guide. But there is no explanation for when the client is implementing SSL in C and the server in Java.
    How do these client and server communicate?
    Please please help in this regard.
    Thank you in advance.

  • RDP with SSL via CSS

    I have been asked about providing this as a way to secure RDP connections - has anyone done this?
    I can see two potential ways, but do not know much about RDP.
    How is the SSL part of RDP initialised? Would it be practical to terminate the SSL on the CSS in a similar manner to SSL for HTTP?
    The other option would be to "blind" load balance the encrypted traffic straight to the servers, and let them sort out SSL.
    Thanks,
    Paul.

    Hi Paul,
    what we have done here is to deploy an MS ISA Server farm behind the CSS: the client SSL connection terminates at the ISA external interface, and ISA starts a new internal SSL connection to an MS TS Gateway. So RDP over SSL traffic is: internet client ---> Firewall ---> CSS ---> ISA farm (in DMZ) ---> Firewall ---> TS_Gateway (internal network) ---> TS Server (internal network)
    (see for example: http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx)

  • How to make an HTTP request via SSL

    Hi,
    I'm using an instance of the class CL_HTTP_CLIENT to make an HTTP request to an HTTPS server. As long as it requires SSL authentication, it returns an ICM_HTTP_SSL_ERROR error message.
    How do I tell my program to ask for the user's certificate, and use it in the HTTP request?
    I'm supposed to have hundreds of users online running this application (it's over SRM 5.0). How can I achieve this?
    Thank you very much.
    Federico.

    Hello Federico,
    >1. By creating a new client, you mean go to "Environment->SSL Client Identities" in STRUST, right? Can I use a previously existing one?
    I meant to create a new client SSL PSE. By default in a new NetWeaver ABAP system, you have 3 of them: ANONYM, DFAULT and WSSE.
    If you need more of them, you can create them with the menu "Go to-->Environment->SSL Client Identities".
    >2. I need this PSE client to have several 'identities', I mean, to include several certificates from all my users. Is it possible? If it's not, how should I do so?
    It seems that you want a different certificate per user. These client certificates in STRUST are designed to identify an SAP ABAP system, not human users. If you have 1000 users, you will not create 1000 certificates in STRUST!
    Usually, you use only 2 entries here, one for anonymous HTTPS access and one for authenticated HTTPS access. It is unusual to have several different identities for the same ABAP server. But it might be possible: for example, one identity on the intranet and another one on the Internet.
    >3. When I had my new PSE client, and my HTTP RFC destination of type 'G' configured to use that PSE client, and when in ABAP I instantiate my HTTP client (using the CREATE_BY_DESTINATION method from the CL_HTTP_CLIENT class): How does SAP know which certificate to use? Because there will be several users (hundreds) running this code to retrieve their specific data from a third party server.
    >How does SAP know which certificate it must use?
    The certificate used will be the one defined in the HTTP destination.
    You still seem to confuse server client certificates with users' client certificates.
    A user's client certificate is stored on the user's PC (or smartcard) and is used for HTTPS connections from the user's browser to the SSL server, not for an HTTPS connection from the ABAP server to another server.
    Regards,
    Olivier

  • Problem with ssl certificate

    Hello everyone!
    I have a scenario wherein I am trying to connect SRM to a marketsite through XI.
    SRM (Purchase Order) ---> XI (marketplace adapter) ---> Marketsite
    The URL of the marketsite is of the type HTTPS so I am using certificate logon as the method for authentication.
    Please tell me whether this is the right thing to do:
    1. Create a self-signed certificate in the "Key Storage" of the Visual Administrator.
    2. Export the certificate and have it installed in the marketsite.
    3. Configure the marketplace communication channel in the Integration Directory to use the private key I used to generate the certificate I sent to the marketsite.
    Having done that, I am getting a "server rejected by chain verifier" error in the message monitoring tool.
    Here are some other questions:
    1. Should I create a new view for the certificate and private key, or should I create the certificate in the existing "service_ssl" view and rename the new certificate "ssl-credentials-cert" and the private key "ssl_credentials"?
    2. Will a self-signed certificate work or do I need to get it signed by a CA before importing the response?
    3. If a self-signed certificate will work, do I need to add another certificate in the "TrustedCAs" view?
    4. If I should import a certificate response from a CA, where can I get the certificate of the CA?
    I know these are a lot of questions, but I'd really appreciate all the help I can get from you guys. Please avoid posting links to other threads as I have pretty much read all of them.
    Warm regards,
    Glenn

    Hi Glenn,
    Let me explain the scenario without client certificate logon (user and password) first.
    When you want to communicate with the marketsite in a secure manner, get the certificate of the CA (Certifying Authority) who has signed the marketsite cert and add it to the Trusted CAs view in the Visual Admin of XI. Sometimes it may be a CA certificate chain.
    If that certificate is self-signed, add the marketsite certificate itself into the Trusted CAs view of the Visual Admin of XI.
    Certificate Logon:
    This is for your (XI server's) identity to the marketsite.
    In the Visual Admin Key Storage, create a view or, in any of the existing views, create a private key and public key (certificate) pair representing the XI server (CN should be the hostname of the XI server). Get the public key signed by a CA and import the certificate in the Visual Admin.
    Now in the configuration select the view and the private key just created for XI's identity.
    PS: There may be some steps on the marketsite too in the case of certificate logon, like adding the XI certificate to something like the Trusted CAs of the marketsite. You can get a better picture from the guys administering the marketsite.
    Try these options and post the results in the forum.
    Good Luck.
    Regards,
    Sudharshan N A

  • SOAP SSL error when connecting in with java

    Hi,
    We are trying to make a simple application that makes requests to the CCM via the AXL SOAP interface to get personal address book information. When we do the request it errors out with a SSL handshake problem, I have pasted some of the exact error output below: Any help or ideas would be appreciated !!!
        at java.lang.Thread.run(Unknown Source)
    Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
    Full logs attached. I have imported the CCM cert into the Java keystore and still no luck. The only way I can get this to work in testing is to have CCM in a VM and the web app deployed on an actual physical machine, and that's only for a single-user dev environment.
    Rob

    By default, the SSL certificate from the CCM is untrusted - so you get a verification error. There are two ways to work around this. One is importing the certificate to the trusted store (google it), the other is writing your code so that it automatically accepts untrusted certs.
    For the latter, you could have a method like this (which I stole from the axlsql application)
    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.*;

    // MyTrustManager (the X509TrustManager that accepts untrusted certificates, as described above)
    // and InitializationException are the axlsql application's own classes and are not shown here.
    public void init() throws InitializationException {
        X509TrustManager xtm = new MyTrustManager();
        TrustManager[] mytm = { xtm };
        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance("SSL");
            ctx.init(null, mytm, null);
            SSLSocketFactory sf = ctx.getSocketFactory();
            HttpsURLConnection.setDefaultSSLSocketFactory(sf);
            HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            });
        } catch (NoSuchAlgorithmException ex) {
            throw new InitializationException("SSL Algorithm not found: " + ex.getMessage());
        } catch (KeyManagementException ex) {
            throw new InitializationException("Key management exception: " + ex.getMessage());
        }
    }
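    Both the WebLogic 8.1 thread further up (a client offering only AES suites that SP4 did not support) and this CCM thread end in the same symptom: "Received fatal alert: handshake_failure". That alert is sent by the peer, so changing what the client trusts, as the reply above does, cannot make it go away; the usual causes are no cipher suite or protocol version in common, or a server that demands a client certificate the client did not present. The following added example (not code from either thread) computes the overlap between the suites the local JVM offers and the suites a server accepts, using the WLS 8.1 SP4 and SP5 lists quoted from BEA support as a constructed server list; the class and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added diagnostic, not code from the threads: does the local JSSE client have any
 * cipher suite in common with a given server?  An empty overlap means the server will
 * answer the ClientHello with a fatal handshake_failure alert, before any certificate
 * is exchanged, so no TrustManager or HostnameVerifier on the client can change that.
 */
public class CipherSuiteOverlap {

    /** Suites BEA support listed for WebLogic 8.1 SP4 (constructed from the quoted reply). */
    public static final List<String> WLS_81_SP4 = Arrays.asList(
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_RC4_128_MD5",
        "TLS_RSA_WITH_DES_CBC_SHA",
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
        "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_NULL_SHA",
        "TLS_RSA_WITH_NULL_MD5",
        "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA");

    /** The two AES suites the same reply says were added in SP5. */
    public static final List<String> WLS_81_SP5_ADDED = Arrays.asList(
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA");

    /** Suites present in both lists, kept in the client's preference order. */
    public static List<String> overlap(List<String> clientOffers, List<String> serverAccepts) {
        Set<String> accepted = new HashSet<>(serverAccepts);
        List<String> common = new ArrayList<>();
        for (String suite : clientOffers) {
            if (accepted.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    /** What this JVM's default SSLSocketFactory will put into its ClientHello. */
    public static List<String> localClientOffers() {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        return Arrays.asList(f.getDefaultCipherSuites());
    }

    public static void main(String[] args) {
        List<String> offers = localClientOffers();
        System.out.println("client offers " + offers.size() + " suites by default");

        List<String> sp5 = new ArrayList<>(WLS_81_SP4);
        sp5.addAll(WLS_81_SP5_ADDED);
        List<String> withSp4 = overlap(offers, WLS_81_SP4);
        List<String> withSp5 = overlap(offers, sp5);
        System.out.println("in common with WLS 8.1 SP4: " + withSp4);
        System.out.println("in common with WLS 8.1 SP5: " + withSp5);
        if (withSp4.isEmpty()) {
            System.out.println("no common suite with SP4: expect 'Received fatal alert: handshake_failure'");
        }
    }
}
```

    On a current JDK the SP4 overlap is empty, because RC4, DES, export-grade and NULL suites are disabled through the jdk.tls.disabledAlgorithms security property; the right response is the one the WebLogic thread took, upgrading the server side (SP5 added the AES suites), not re-enabling those suites on the client. For a live connection, running the client with -Djavax.net.debug=ssl:handshake prints the suites sent in the ClientHello and the alert that comes back, which tells a cipher suite mismatch apart from a trust problem without guessing.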

  • Firefox does not recognize SSL Certificate issuer Entrust Certification Authority – L1K, but Entrust Certification Authority – L1C is ok?

    We have a new Entrust SSL Certificate with issuer Entrust Certification Authority – L1K which Firefox does not recognize. Internet Explorer and Chrome are ok.
    On a different system we have an Entrust SSL Certificate with issuer Entrust Certification Authority – L1C which is ok with Firefox.

    Did you verify that all intermediate certificates are installed on the server?
    You can inspect the certificate chain via a site like this:
    * http://www.networking4all.com/en/support/tools/site+check/
    * https://www.ssllabs.com/ssltest/
