Oracle with SSL

Hello,
I'm trying to set up a testing environment to use Oracle with SSL. I would like to connect to the database using SSL (local naming with SSL), and create a globally identified user.
I'm a beginner in this matter, so I am looking for some clues from more experienced people.
I have 10.2 Enterprise Edition database running on Linux.
I created a wallet in which I want to keep certificates. But for obvious reasons if I create a certificate, I can't register it in CA. Is Oracle offering any certificates for testing purposes? if yes, where could I find any?
Thanks in advance,
Aliq

Hello, again.
I think I did what was to do using both German article and documentation and in the end:
I can connect on a server (Linux) to the instance
I can't connect to the instance from client(WinXP),
after sqlplus system/****@sorcl I get an error:
ORA-28860: Fatal SSL error
sqlnet.log says:
Fatal NI connect error 28860, connecting to:
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=192.168.122.60)(PORT=1562))(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=C:\oracle\product\10.2.0\db_1\bin\sqlplus.exe)(HOST=myhost)(USER=aliq))))
Tns error struct:
ns main err code: 12560
TNS-12560: TNS:protocol adapter error
ns secondary err code: 0
nt main err code: 28860
TNS-28860: Message 28860 not found; product=NETWORK; facility=TNS
Oracle error 1: 28860
ORA-28860: Fatal SSL error
nt secondary err code: 542
nt OS err code: 0
Any help, please?
Aliq

Similar Messages

IE unable to connect to Oracle HTTP Server v10.1.2 with SSL

Hi,
I configured OHS with SSL to run APEX applications.
This configuration can be run from Mozilla browsers and Opera, but not from Internet Explorer.
I suspect that IE doesn't support 256-bit encryption, as both browser above support it. So I set several combination of SSL Cipher Suite in ssl.conf. I also set IE to use TLS v1, SSLv2, and SSLv3. But this doesn't show any results. I also found that several sites which has 256 bit encryption (read the information from Mozilla and Opera browser) can also be opened by IE (read as 128 bit encryption). So I guess the encryption is not the problem, and I move on to the Apache error_log files.
What I found from Apache's error_log.xxxx is
[error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 29014 (server ---.---.com:4443, client --.--.--.--)
[error] mod_ossl: Unknown error
[error] mod_ossl: SSL call to NZ function nzos_Handshake failed with error 28864 (server ---.---.com:4443, client --.--.--.--)
[error] mod_ossl: SSL IO error [Hint: the client stop the connection unexpectedly]
So I looked in the Metalink and found Note:312041.1 and applied patch 4960210 and restart the server. But now it wouldn't start at all, despite that all configuration files were not changed.
Any help would be greatly appreciated.
Regards,
Aulia Bismar

You can use any PKCS#12 file with OHS if it includes the complete private key and certificate chain. With Oracle Wallet Manager (owm) you could also create a private key, import it, import the CA certificate as trusted certificate, create a certificate request for the private key, get the certificate response from the CA and import this.
If you use an unsual CA, ie cacert.org, you must import the CA root certificate as a trusted server certificate for IE.
--olaf

Oracle forms10g rel1 config with SSL

Is anybody using oracle forms10g config with ssl?
I installed OAS 10g and followed instruction in documentation http://www.oracle.com/technology/products/forms/pdf/10g/frm10gssl.pdf.
Now I can see "welcome page" using https://localhost:4445,
but the I'm running oracle forms, ever test form Jinitiator give me error:
java.io.IOException: javax.net.ssl.SSLException: Failed set trust point in ssl context
     at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
     at sun.net.www.http.HttpClient.openServer(Unknown Source)
     at sun.net.www.http.HttpClient.openServer(Unknown Source)
     at sun.net.www.http.HttpClient.<init>(Unknown Source)
     at sun.net.www.http.HttpClient.<init>(Unknown Source)
     at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
     at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
     at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
     at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
     at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
     at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
     at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
     at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
     at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
     at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
     at sun.misc.URLClassPath$2.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.misc.URLClassPath.getLoader(Unknown Source)
     at sun.misc.URLClassPath.getLoader(Unknown Source)
     at sun.misc.URLClassPath.getResource(Unknown Source)
     at java.net.URLClassLoader$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(Unknown Source)
     at sun.applet.AppletClassLoader.findClass(Unknown Source)
     at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at sun.applet.AppletClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at sun.applet.AppletClassLoader.loadCode(Unknown Source)
     at sun.applet.AppletPanel.createApplet(Unknown Source)
     at sun.plugin.AppletViewer.createApplet(Unknown Source)
     at sun.applet.AppletPanel.runLoader(Unknown Source)
     at sun.applet.AppletPanel.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)
WARNING: Unable to cache https://34.64.0.102:4445/forms90/java/f90all_jinit.jar
load: class oracle.forms.engine.Main not found.
java.lang.ClassNotFoundException: java.io.IOException: javax.net.ssl.SSLException: Failed set trust point in ssl context
     at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
     at sun.net.www.http.HttpClient.openServer(Unknown Source)
     at sun.net.www.http.HttpClient.openServer(Unknown Source)
     at sun.net.www.http.HttpClient.<init>(Unknown Source)
     at sun.net.www.http.HttpClient.<init>(Unknown Source)
     at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
     at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
     at java.net.HttpURLConnection.getResponseCode(Unknown Source)
     at sun.applet.AppletClassLoader.getBytes(Unknown Source)
     at sun.applet.AppletClassLoader.access$100(Unknown Source)
     at sun.applet.AppletClassLoader$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.applet.AppletClassLoader.findClass(Unknown Source)
     at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at sun.applet.AppletClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at sun.applet.AppletClassLoader.loadCode(Unknown Source)
     at sun.applet.AppletPanel.createApplet(Unknown Source)
     at sun.plugin.AppletViewer.createApplet(Unknown Source)
     at sun.applet.AppletPanel.runLoader(Unknown Source)
     at sun.applet.AppletPanel.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)
java.lang.ClassNotFoundException: java.io.IOException: javax.net.ssl.SSLException: Failed set trust point in ssl context
     at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
     at sun.net.www.http.HttpClient.openServer(Unknown Source)
     at sun.net.www.http.HttpClient.openServer(Unknown Source)
     at sun.net.www.http.HttpClient.<init>(Unknown Source)
     at sun.net.www.http.HttpClient.<init>(Unknown Source)
     at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
     at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
     at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
     at java.net.HttpURLConnection.getResponseCode(Unknown Source)
     at sun.applet.AppletClassLoader.getBytes(Unknown Source)
     at sun.applet.AppletClassLoader.access$100(Unknown Source)
     at sun.applet.AppletClassLoader$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.applet.AppletClassLoader.findClass(Unknown Source)
     at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at sun.applet.AppletClassLoader.loadClass(Unknown Source)
     at java.lang.ClassLoader.loadClass(Unknown Source)
     at sun.applet.AppletClassLoader.loadCode(Unknown Source)
     at sun.applet.AppletPanel.createApplet(Unknown Source)
     at sun.plugin.AppletViewer.createApplet(Unknown Source)
     at sun.applet.AppletPanel.runLoader(Unknown Source)
     at sun.applet.AppletPanel.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)
I ever was trying to use higher version of Jinitiator. I'm using 1.3.1.23 still not working.
Please help it is emergency

Hi,
did you configure the certdb.txt on teh Forms client with your certificate? I sugget you call customer support on metalink.oracle.com
Frank

How to configure sso with SSL step by step

Purpose
In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
Overview
In this document we will demonstrate:
1.     How to configure OHS support SSL
2.     How to Register SSO with SSL
3.     Configure SSO for certificates
Prerequisites
Before start this document, you should have:
1.     Oracle AS 10g infrastructure installed (10.1.2)
2.     OCA installed
Note:
1.     “When you install Oracle infrastructure, please make sure you have select OCA.
2.     How Certificate-Enabled Authentication Works:
a.     The user tries to access a partner application.
b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
Enable SSL on the Single Sign-On Middle Tier
The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
l     You must configure SSL on the computer where the single sign-on middle tier is running.
l     You are configuring one-way SSL.
l     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-enabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>
3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
4.     Reload the modified opmn configuration file:
ORACLE_HOME/opmn/bin/opmnctl reload
5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
<VirtualHost ssl_host:port>
RewriteEngine on
RewriteOptions inherit
</VirtualHost>
Save and close the file.
7.     Update the distributed cluster management database with the changes:
ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
8.     Restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
Reconfigure the Identity Management Infrastructure Database
Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
1.     Change Single Sign-On URLs
Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
UNIX:
$ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
Windows:
%ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
Here is an example:
ssocfg.sh https login.acme.com 4443
2. Restart OC4J_SECURITY instance and verify the configuration
To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Then try logging in to the single sign-on server at its SSL address:
https://host:ssl_port/pls/orasso/
     3. Back up the file targets.xml:
cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
·     HTTPMachine—the server host name
·     HTTPPort—the server port number
·     HTTPProtocol—the server protocol
If, for example, you run ssocfg like this:
ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
Update the three attributes this way:
<Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
<Property NAME="HTTPPort" VALUE="4443"/>
<Property NAME="HTTPProtocol" VALUE="HTTPS"/>
5.Save and close the file.
6.     Reload the OracleAS console:
     ORACLE_HOME/bin/emctl reload
7. Issue these two commands:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Registering mod_osso
1.     This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
$ORACLE_HOME/sso/bin/ssoreg.sh
     -oracle_home_path $ORACLE_HOME
     -config_mod_osso TRUE
     -mod_osso_url https://myhost.mydomain.com:4443
2.     Restarting the Oracle HTTP Server
After running ssoreg, restart the Oracle HTTP Server:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
Configuring the Single Sign-On System for Certificates
1.     Configure policy.properties with the Default Authentication Plugin
Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
DefaultAuthLevel = MediumHighSecurity
Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
2.     Restart the Single Sign-On Middle Tier
After configuring the server, restart the middle tier:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Bringing the SSO Users to OCA User Certificate Request URL
The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
The URL for the SSO certificate Request is:
https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
To link the OCA server to OracleAS SSO server, use the following command:
ocactl linksso
opmnctl stoproc type=oc4j instancename=oca
opmnctl startproc type=oc4j instancename=oca
You also can use ocactl unlinksso to unlink the OCA to SSO.

I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
on a URL that looks like this :
http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
and gives the error :
( Forbidden
You don't have permisission to access /sso/auth on this server at port 7777)
when I manually change the URL to :
https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
the SSO works correctly.
The question is :
How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
Any ideas ?
Thanks in advance

Error: [NQSError:13037] cannot connect to BI security service,Please make sure this is running properly (with SSL or not) in EM

Hi,
Im unable to open the RPD online getting following error.
Note: Im not done any changes. Its works good till yesterday EOD.
Error:
[NQSError:13037] cannot connect to BI security service,Please make sure this is running properly (with SSL or not) in EM.
[NQSError:37001] could not connect to the oracle BI server instance..
Kindly help me to fix this issue.

Hi,
Could you access the answer side.
Could you see the reports.
Do one thing, take a back up of NQS config file from <Oracle Location>\instance\instance1\config\obiserver folder\nqsconfig.ini file.
Copy nqs config file if you have already have a back up.
Restart the services and try once.
http://mkashu.blogspot.com
Regards,
VG

Using OSE with SSL

Hello,
I'm trying to use Oracle Servlet Engine (Oracle SE 8.1.7.3) for HTTP+SSL connexion WITHOUT APACHE.
I already managed to configure OSE this way
in initxxx.ora :
mts_dispatchers="(ADDRESS=(PROTOCOL=TCP)(HOST=myhost.mydomain)(PORT=8092)(DISP=1))(PRE=http://mywebdomain)"
Then I created the service with the sess_sh utilitie .After loading my java classes and publishing my servlets, it works
fine (for instance, I access my servlet Hello with the URL
http://myhost.mydomain:8092/Hello )
Now , to do the same thing in SSL (something like "https://myhost.mydomain:9092/Hello", I tried the following modification :
mts_dispatchers="(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.mydomain)(PORT=9092))(DISP=1)(PRE=http://mywebdomain)"
(+ adding the corresponding entry in sess_sh)
The problem is that it doesn't work : my web browser says that the
tcp connection wes interrupted, and I got a TNS-12560 and a
TNS-00540 in a dxxx_xxxxx.trc file in bdump
Howerver, it MUST be possible : the manual "Oracle Servlet Engine User's Guide Release 3 (8.1.7)"
(Part No. A83720-01) says "To support HTTPS, associate an additional
SSL endpoint to the Web service" (page 7-3)
(This little line is the only doc I have been able to found about OSE+SSL !!!)
Is someone knows the solution ? ( I mean ORACLE+OSE+SSL+ NO APACHE )
thank you,
Laurent FRANCOISE

I've used Webdav over SSL ever since i started using webdav :)
Infact many of my web servers are entirely ssl

HOWTO: Setting up Server-Side Authentication with SSL

This howto covers the configuration of server-side SSL authentication for both Net8 and IIOP (JServer) connections. It documents the steps required to set up an SSL encrypted connection; it does not cover certificate authentication.
It is worthwhile noting that although the setup of SSL requires the installation of certificates, these certificates do not have to be current, only valid. For some reason, in order to enable SSL connections, it is necessary to set up valid certificate file on the server whether you intend to use certificate authentication or not.
NOTE: I have been unable to determine whether or not the above statement is entirely correct. If anyone can confirm or disprove it, please let me know.
The steps described below must all be carried out from the same logon account. They have been tested on both 816 and 817 databases, but will probably work for all versions, including 9i (unless there have been some drastic changes in 9i that I'm not aware of).
1. Log on to the database server with an administrative login.
Configure the database and listener to run under the current login account (Control Panel -> Services). It is not necessary to restart these services at this time.
2. Create an Oracle wallet and set up the required certificates
(i) Open the Oracle Wallet Manager:
Start -> Programs -> [Oracle Home] -> Network Administration -> Wallet Manager
(ii) Create a new wallet (Wallet -> New).
(iii) When prompted, elect to generate a certificate request.
(iv) On the request form, the only field that matters is the Common Name. Enter the fully qualified domain name (FQDN) of the database server (i.e. the name with which the database server will be referenced by clients).
(v) Export the certificate request to file (Operations -> Export Certificate Request).
(vi) Obtain a valid server certificate from an authorised signing authority. It will also be necessary to download the signing authoritys publicly available trusted root certificate. Certificates can be obtained from Verisign (http://www.verisign.com/)
(vii) Install the trusted root certificate obtained in (vi) into the wallet (Operations -> Import Trusted Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
(viii) Install the server certificate obtained in (vi) into the wallet (Operations -> Import User Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
(ix) Save the wallet (Wallet -> Save). The wallet will be saved to the [user home]\Oracle\Wallets directory.
3. Configure the listener for SSL.
(i) Open the Oracle Net8 Assistant:
Start -> Programs -> [Oracle Home] -> Network Administration -> Net8 Assistant
(ii) Select Net8 Configuration -> Local -> Profile.
(iii) From the drop-down list at right, select Oracle Advanced Security. Select the SSL tab.
(iv) Select the Server radio button.
(v) In the wallet directory field, enter the location of the wallet created in step 2, e.g. C:\WINNT\Profiles\oracleuser\ORACLE\WALLET
(vi) Uncheck the Require Client Authentication checkbox.
(vii) Select Net8 Configuration -> Listeners -> [listener name].
(viii) Add a new address:
Protocol: TCP/IP with SSL
Host: [database server FQDN] (e.g. oraserver)
Port: 2484
(ix) Add a second new address:
Protocol: TCP/IP with SSL
Host: [database server FQDN] (e.g. oraserver)
Port: 2482
Check the Dedicate this endpoint to IIOP connections checkbox.
(x) Save the Net8 configuration (File p Save Network Configuration).
(xi) Restart the listener service.
4. Configure the database to accept SSL connections.
(i) Open the database inti.ora file (\admin\[SID]\pfile\init.ora or equivalent).
(ii) At the bottom of the file, uncomment the line that reads
mts_dispatchers = "(PROTOCOL=TCPS)(PRE=oracle.aurora.server.SGiopServer)"
(iii) Save the file and restart the database service.
5. Test the SSL confi guration using the Net8 Assistant.
(i) Open the Oracle Net8 Assistant.
(ii) Select Net8 Configuration -> Local -> Service Naming.
(iii) Add a new net service (Edit p Create).
Net service name: [SID].auth (e.g. iasdb.auth)
Protocol: TCP/IP with SSL
Host: [database server] (e.g. oraserver)
Port: 2484
Service Name/SID: [SID] (e.g. iasdb.orion.internal)
Note: at the end of the net service configuration, click Finish, not Test. The test can hang if run from the wizard.
(iv) Test the connection (Command -> Test Service). If the only error to appear is username/password denied, the test has succeeded.
null

Dear Alex,
Thank you for reaching the Small Business Support Community.
I would first suggest you to uncheck the "Perfect Forward Secrecy" setting on the RVS4000 and if see if there is some similar setting enabled, then disable it, on the other side. If still the same thing happens, then go to RVS4000, VPN Advanced settings, and disable the "Aggressive Mode" so it becomes "Main mode" and use the same on the other end of the tunnel.
Just in case and as a VPN configuration guide, below is a document called "IPSec VPN setup" if it helps somehow;
http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=587
Besides my suggestions I would advise you to contact your ISP to make sure there is no IPSec traffic restrictions and/or if there is something in particular they require to make this happen and please do not hesitate to reach me back if there is any further assistance I may help you with.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so other will know when an answer has been found.

Java.lang.NoClassDefFoundError: oracle/security/ssl/OracleSSLSocketImpl

Hi, can anyone please help us to come out of this:
java.lang.NoClassDefFoundError: oracle/security/ssl/OracleSSLSocketImpl
at oracle.security.ssl.OracleSSLCipherSuite.isSSLLibDomestic(Unknown Source)
at oracle.security.ssl.OracleSSLCipherSuite.getSupportedCipherSuites(Unknown Source)
at oracle.security.ssl.OracleSSLSocketFactoryImpl.getSupportedCipherSuites(Unknown Source)
at HTTPClient.OracleSSL.getSSLDefaultCipherSuites(OracleSSL.java:108)
at HTTPClient.OracleSSL.initHttps(OracleSSL.java:91)
at HTTPClient.OracleSSL.<init>(OracleSSL.java:77)
at HTTPClient.HTTPClientSSLFactory.mk(HTTPClientSSLFactory.java:137)
at HTTPClient.HTTPConnection.getSSL(HTTPConnection.java:4174)
at HTTPClient.HTTPConnection.getSSLSocket(HTTPConnection.java:4220)
at HTTPClient.HTTPConnection.doConnect(HTTPConnection.java:4038)
at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3003)
at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:2843)
at HTTPClient.HTTPConnection.setupRequest(HTTPConnection.java:2635)
at HTTPClient.HTTPConnection.Post(HTTPConnection.java:1107)
at HTTPClient.HTTPConnection.Post(HTTPConnection.java:1072)
at HTTPClient.HTTPConnection.Post(HTTPConnection.java:1049)
at com.eds.bluesphere.util.V01.HTTPQueryStringRequestDispatcher.invokePost(Unknown Source)
at com.eds.bluesphere.util.V01.HTTPRequestor.obtainReponse(Unknown Source)
at com.eds.bluesphere.util.V01.HTTPRequestor.submit(Unknown Source)
at com.newcorp.mailinglabel.response.USPSResponseProcessor.generateResponseXml(USPSResponseProcessor.java:111)
at com.newcorp.mailinglabel.response.USPSResponseProcessor.processResponse(USPSResponseProcessor.java:62)
at com.newcorp.mailinglabel.response.ResponseProcessor.execute(ResponseProcessor.java:89)
at com.newcorp.mailinglabel.MailingLabelAPI.generateLabel(MailingLabelAPI.java:177)
at com.newcorp.consumerportal.dataaccess.claim.ClaimMailingLabel.generateUSPSLabel(ClaimMailingLabel.java:74)
at com.newcorp.consumerportal.process.claim.ClaimConfirmProcess.generateLabel(ClaimConfirmProcess.java:67)
at com.newcorp.consumerportal.process.claim.ClaimConfirmProcess.executeDoProcess(ClaimConfirmProcess.java:157)
at com.newcorp.common.PortalProcess.doProcess(PortalProcess.java:201)
at com.eds.bluesphere.framework.process.V01.ApplicationFrameworkNavigationProcess.invokeDoProcess(Unknown Source)
at com.newcorp.common.PortalProcessChainingProcess.doProcess(PortalProcessChainingProcess.java:146)
at com.eds.bluesphere.framework.process.runner.V01.HttpServletProcessRunner.invokeDoProcess(Unknown Source)
at com.eds.bluesphere.framework.process.runner.V01.HttpServletProcessRunner.execute(Unknown Source)
at com.eds.bluesphere.framework.process.runner.V01.HttpServletProcessRunner.doPost(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at com.eds.bluesphere.framework.process.runner.V01.HttpServletProcessRunner.service(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:649)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:322)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)].server.http.HttpRequestHandler.run(HttpRequestHandler.java:270)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)].server.http.HttpRequestHandler.run(HttpRequestHandler.java:112)
at com.evermind[Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)
thanks in advance..sha

java.lang.NoClassDefFoundError: oracle/security/ssl/OracleSSLSocketImpl
at oracle.security.ssl.OracleSSLCipherSuite.isSSLLibDomestic(Unknown Source)
at oracle.security.ssl.OracleSSLCipherSuite.getSupportedCipherSuites(Unknown Source)
at oracle.security.ssl.OracleSSLSocketFactoryImpl.getSupportedCipherSuites(Unknown Source)Some Orcale SSL related classes seem to be there as we see in the trace.
Those classes seem to deal with general management.
However, OracleSSLSocketImpl cannot be found, which makes me guess that you have
some kind of non-SSL enabled version (trial perhaps?) of the Orcale software. Can it be the case?
Or that you need to place another Oracle supplied jar in your classpath to get SSL to work?
Edited by: baftos on Sep 26, 2008 11:43 AM

OEL ldap client setup with SSL against OID using either ldaps or starttls

Hi, I've got OID 11.1.1.1.0 running with SSL enabled on port 3132. It's running in mode 2, SSL Server Authentication mode (orclsslauthentication is set to 32). I'd like to setup my OEL 5.3 and Solaris 10 ldap clients to connect to OID using SSL for user authentication. I have everything already working on the non-SSL port (3060), but I need to switch over to SSL. So far I can't get it to work on either OEL or Solaris. Does anyone out there know how to configure the client to use SSL?
Here's my /etc/ldap.conf file on OEL 5.3.
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
URI ldaps://FQDN:3132/
port 3132
ssl yes
host FQDN
base dc=DOMAIN,dc=com
pam_password clear
tls_cacertdir /etc/oracle-certs
tls_cacertfile /etc/oracle-certs/oid-test-ca.pem
tls_ciphers SSLv3
# filter to AND with uid=%s
pam_filter objectclass=posixaccount
#The search scope
scope sub
I have /etc/nsswitch.conf set to check for files first, then ldap
passwd: files ldap
shadow: files ldap
group: files ldap
Here's my /etc/openldap/ldap.conf file
URI ldaps://FQDN:3132/
BASE dc=DOMAIN,dc=com
TLS_CACERT /etc/openldap/cacerts/oid-test-ca.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
TLS_CIPHERS SSLv3
The oid-test-ca.pem is a self-signed cert from the OID server. I also have the hash file configured.
4224de9f.0 -> oid-test-ca.pem
I can run ldapsearch using ldaps and it works fine.
ldapsearch -v -d 1 -x -H ldaps://FQDN:3132 -b "dc=DOMAIN,dc=com" -D "cn=user,cn=users,dc=DOMAIN,dc=com" -w somepass -s sub objectclass=* | more
But when I run the 'getent passwd' command, it only shows me my local user accounts and none of my ldap accounts. I also can't SSH in using a ldap account.
Solaris 10 is actually a whole other beast...I'm using the native Solaris ldap client (not PADL based) and I don't think it even works with SSL unless you're using the default ports (389/636).
Does anyone out there know how to setup the client-side for ldap authentication using SSL? Any tips, howto docs, or advice are appreciated. Thanks!

Hello again...
after some research and work together with Oracle Support I found out how to get it to work:
1. You have to create your own ConfigSet in OID using
SSL-Server-Authentication
(OpenSSL seems not to support SSL-encryption-only).
The following link shows on how to do that:
http://otn.oracle.com/products/oid/oidhtml/oidqs/html_masters/a_port01.htm
2. Add the following lines to your $HOME/ldaprc
TLS_CACERT /home/frank/oid-caroot.pem
TLS_REQCERT allow
TLS_CIPHERS SSLv3
ssl on
tls_checkpeer no
oid-caroot.pem is the CA-Root Certificate you got
during step 1
3. you should now be able to use ldapsearch using SSL
If you still can't connect using SSL you may have run into another issue with OpenSSL which affects systems using OpenSSL version 0.9.6d and above. The problem seems to be caused by an security fix which may not be compliant with the SSL implementation of Oracle.
I opened an Bug for that problem with RedHat. This Bug Description also includes an proposal for an Patch which solves the problem (but may introduce some security risks). See the Bug at RedHat:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123849
Bye
Frank Berger

How to configure OC4J using RMI/IIOP with SSL

Any help?
I just mange configure the OC4J using RMI/IIOP but base on
But when I follow further to use RMI/IIOP with SSL I face the problem with: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
p/s: I use self generate keystore which should be ok as I can use it for https connection.
Any one can help?
Below is the OC4J log:
D:\oc4j\j2ee\home>java -Djavax.net.debug=all -DGenerateIIOP=true -Diiop.runtime.debug=true -jar oc4j.jar
05/02/23 16:43:16 ================ IIOPServerExtensionProvider.preInitApplicationServer
05/02/23 16:43:38 ================= IIOPServerExtensionProvider.postInitApplicationServer
05/02/23 16:43:38 ================== config = {SEPS={IIOP={ssl-port=5556, port=5555, ssl=true, trusted-clients=*, ssl-client-server-auth-port=5557, keystore=D:\\oc4j\\j2ee\\home\\server.keystore, keystore-password=123456, truststore=D:\\oc4j\\j2ee\\home\\server.keystore, truststore-password=123456, ClassName=com.oracle.iiop.server.IIOPServerExtensionProvider, host=localhost}}}
05/02/23 16:43:38 ================== server.getAttributes() = {threadPool=com.evermind.server.ApplicationServerThreadPool@968fda}
05/02/23 16:43:38 ================== pool: null
05/02/23 16:43:38 ====================== In startServer ...
05/02/23 16:43:38 ==================== Creating an IIOPServer ...
05/02/23 16:43:38 ========= IIOP server being initialized
05/02/23 16:43:38 SSL port: 5556
05/02/23 16:43:38 SSL port 2: 5557
05/02/23 16:43:43 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(IIOP_CLEAR_TEXT, 5555, null)
05/02/23 16:43:43 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = IIOP_CLEAR_TEXT port = 5555 )
05/02/23 16:43:44 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(SSL, 5556, null)
05/02/23 16:43:44 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = SSL port = 5556 )
05/02/23 16:43:45 ***
05/02/23 16:43:45 found key for : mykey
05/02/23 16:43:45 chain [0] = [
Version: V1
Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
b1239fff 2ae5d31d b01a0cfb 1186bae0 bbc7ac41 94f24464 e92a7e33 6a5b0844
109e30fb d24ad770 99b3ff86 bd96c705 56bf2e7a b3bb9d03 40fdcc0a c9bea9a1
c21395a4 37d8b2ce ff00eb64 e22a6dd6 97578f92 29627229 462ebfee 061c99a4
1c69b3a0 aea6a95b 7ed3fd89 f829f17e a9362efe ccf8034a 0910989a a8573305
Validity: [From: Wed Feb 23 15:57:28 SGT 2005,
To: Tue May 24 15:57:28 SGT 2005]
Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
SerialNumber: [ 421c3768]
Algorithm: [MD5withRSA]
Signature:
0000: 34 F4 FA D4 6F 23 7B 84 30 42 F3 5C 4B 5E 18 17 4...o#..0B.\K^..
0010: 73 69 73 A6 BF 9A 5D C0 67 8D C3 56 DF A9 4A AC sis...].g..V..J.
0020: 88 AF 24 28 C9 39 16 22 29 81 01 93 86 AA 1A 5D ..$(.9.")......]
0030: 07 89 26 22 91 F0 8F DE E1 4A CF 17 9A 02 51 7D ..&".....J....Q.
0040: 92 D3 6D 9B EF 5E C1 C6 66 F9 11 D4 EB 13 8F 17 ..m..^..f.......
0050: E7 66 58 9F 6C B0 60 7C 39 B4 E0 B7 04 A7 7F A6 .fX.l.`.9.......
0060: 4D A5 89 E7 F4 8A DC 59 B4 E7 A5 D4 0A 35 9A F1 M......Y.....5..
0070: A2 CD 3A 04 D6 8F 16 B1 9E 6F 34 40 E8 C0 47 03 ..:[email protected].
05/02/23 16:43:45 ***
05/02/23 16:43:45 adding as trusted cert:
05/02/23 16:43:45 Subject: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
05/02/23 16:43:45 Issuer: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
05/02/23 16:43:45 Algorithm: RSA; Serial number: 0x421c3779
05/02/23 16:43:45 Valid from Wed Feb 23 15:57:45 SGT 2005 until Tue May 24 15:57:45 SGT 2005
05/02/23 16:43:45 adding as trusted cert:
05/02/23 16:43:45 Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
05/02/23 16:43:45 Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
05/02/23 16:43:45 Algorithm: RSA; Serial number: 0x421c3768
05/02/23 16:43:45 Valid from Wed Feb 23 15:57:28 SGT 2005 until Tue May 24 15:57:28 SGT 2005
05/02/23 16:43:45 trigger seeding of SecureRandom
05/02/23 16:43:45 done seeding SecureRandom
05/02/23 16:43:45 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(SSL_MUTUALAUTH, 5557, null)
05/02/23 16:43:45 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = SSL_MUTUALAUTH port = 5557 )
05/02/23 16:43:45 matching alias: mykey
matching alias: mykey
05/02/23 16:43:46 ORB created ..com.oracle.iiop.server.OC4JORB@65b738
05/02/23 16:43:47 com.sun.corba.ee.internal.corba.ClientDelegate(Thread[Orion Launcher,5,main]): invoke(ClientRequest) called
05/02/23 16:43:47 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): process: dispatching to scid 2
05/02/23 16:43:47 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): dispatching to sc [email protected]7
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ClientDelegate(Thread[Orion Launcher,5,main]): invoke(ClientRequest) called
05/02/23 16:43:48 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): process: dispatching to scid 2
05/02/23 16:43:48 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): dispatching to sc com.sun.corba.ee.internal.corba.ServerDelegate@9300cc
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Entering dispatch method
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Consuming service contexts, GIOP version: 1.2
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Has code set context? false
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Dispatching to servant
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Handling invoke handler type servant
05/02/23 16:43:48 NS service created and started ..org.omg.CosNaming._NamingContextExtStub:IOR:000000000000002b49444c3a6f6d672e6f72672f436f734e616d696e672f4e616d696e67436f6e746578744578743a312e30000000000001000000000000007c000102000000000c31302e312e3231342e31310015b3000000000031afabcb0000000020d309e06a0000000100000000000000010000000c4e616d65536572766963650000000004000000000a0000000000000100000001000000200000000000010001000000020501000100010020000101090000000100010100
05/02/23 16:43:48 NS ior = ..IOR:000000000000002b49444c3a6f6d672e6f72672f436f734e616d696e672f4e616d696e67436f6e746578744578743a312e30000000000001000000000000007c000102000000000c31302e312e3231342e31310015b3000000000031afabcb0000000020d309e06a0000000100000000000000010000000c4e616d65536572766963650000000004000000000a0000000000000100000001000000200000000000010001000000020501000100010020000101090000000100010100
05/02/23 16:43:48 Oracle Application Server Containers for J2EE 10g (9.0.4.0.0) initialized
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): Server getConnection(119e583[Unknown 0x0:0x0: Socket[addr=/127.0.0.1,port=1281,localport=5556]], SSL)
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): host = 127.0.0.1 port = 1281
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): Created connection Connection[type=SSL remote_host=127.0.0.1 remote_port=1281 state=ESTABLISHED]
com.sun.corba.ee.internal.iiop.MessageMediator(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): Creating message from stream
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, SEND TLSv1 ALERT: fatal, description = unexpected_message
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, WRITE: TLSv1 Alert, length = 2
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeSocket()
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ReaderThread(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): IOException in createInputStream: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
05/02/23 16:45:14 javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.messages.MessageBase.readFully(MessageBase.java:520)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.messages.MessageBase.createFromStream(MessageBase.java:58)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.MessageMediator.processRequest(MessageMediator.java:110)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.IIOPConnection.processInput(IIOPConnection.java:339)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.ReaderThread.run(ReaderThread.java:63)
05/02/23 16:45:14 Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
05/02/23 16:45:14 ... 6 more
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.IIOPConnection(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): purge_calls: starting: code = 1398079696 die = true
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): DeleteConn called: host = 127.0.0.1 port = 1281

Good point, I do belive what you are referring to is this:
Any client, whether running inside a server or not, has EJB security properties. Table 15-2 lists the EJB client security properties controlled by the ejb_sec.properties file. By default, OC4J searches for this file in the current directory when running as a client, or in ORACLE_HOME/j2ee/home/config when running in the server. You can specify the location of this file explicitly with the system property setting -Dejb_sec_properties_location=pathname.
Table 15-2 EJB Client Security Properties
Property Meaning
# oc4j.iiop.keyStoreLoc
The path and name of the keystore. An absolute path is recommended.
# oc4j.iiop.keyStorePass
The password for the keystore.
# oc4j.iiop.trustStoreLoc
The path name and name of the truststore. An absolute path is recommended.
# oc4j.iiop.trustStorePass
The password for the truststore.
# oc4j.iiop.enable.clientauth
Whether the client supports client-side authentication. If this property is set to true, you must specify a keystore location and password.
# oc4j.iiop.ciphersuites
Which cipher suites are to be enabled. The valid cipher suites are:
TLS_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
nameservice.useSSL
Whether to use SSL when making the initial connection to the server.
client.sendpassword
Whether to send user name and password in clear form (unencrypted) in the service context when not using SSL. If this property is set to true, the user name and password are sent only to servers listed in the trustedServer list.
oc4j.iiop.trustedServers
A list of servers that can be trusted to receive passwords sent in clear form. This has no effect if client.sendpassword is set to false. The list is comma-delimited. Each entry in the list can be an IP address, a host name, a host name pattern (for example, *.example.com), or * (where "*" alone means that all servers are trusted.

Calling web service with SSL (HTTPS) hangs client stub

If anyone can help it would make my day! I've spent way too much time on this!!!
I'm running:
- Web service is running on Linux RedHat with Oracle9iAS 9.0.3
- Client is running from Windows XP under Jdeveloper
I've successfully installed and run the web security demo "ws_security" at http://otn.oracle.com/sample_code/tech/java/web_services/wssecurity/ws_security.jar.
This demo goes through installing the web service, certificates, etc... and the demo runs fine. I'm also able to connect to the web service from a browser using https://server1:4443/CreditCardValidator/CreditCardValidator. I can download the proxy, look at the WSDL, etc...
Now I've written my own very simple stateless java class web service, deployed it to 9iAS , and then downloaded the proxy stub jar. Using the proxy stub I can call my web service and everything works fine.
Then I configure the web service to use HTTPS by making the following changes to the proxy stub (per the ws_security demo).
1) Copy the following 5 lines to the proxy stub
System.setProperty("ssl.SocketFactory.provider","oracle.security.ssl.OracleSSLSocketFactoryImpl");
System.setProperty("ssl.ServerSocketFactory.provider","oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
System.setProperty("java.protocol.handler.pkgs","HTTPClient");
System.setProperty("oracle.wallet.location","C:\\Data\\Oracle\\WALLETS\\ws_security\\wallet.txt");
System.setProperty("oracle.wallet.password","thewalletpassword");
2) modify the "m_soapURL" by changing "http" to "https" and the port number to 4443
3) add the following 3 jar files to my projects library class list:
C:\Program Files\jdev9031\jlib\jssl-1_2.jar
C:\Program Files\jdev9031\jdk\jre\lib\ext\jcert.jar
C:\Program Files\jdev9031\lib\jsse.jar;C:\Program Files\jdev9031\jlib\javax-ssl-1_2.jar
When I run the proxy stub it just hangs. I've traced the hang to the "Response response = call.invoke(new URL(m_soapURL), soapActionURI);" statement in the "makeSOAPCallRPC" method in the proxy stub.
Again, this works fine if I simply change the "m_soapURL" to use "http" instead of "https". It looks like it's hanging on the client side and the call is never making it to the server.
Any help is GREATLY appreciated!!!!!

Could you explain it a little more, please.
Since my first message, I used the wallet manager to add the certificate the server where the web service is at, uses.
What else do I need to make it work??
Thanks in advance again.

AD password sync with SSL

Hello everyone
The following note is in AD Password sync.connector documentation:
Note: It is strongly recommended that you configure SSL
communication between the connector and Oracle Identity Manager
in your production environment.
However, the configuration of secure client operation (using SSL at the
server) affects all clients. This means that if you use SSL to secure
Oracle Identity Manager communication with the connector, then the
Oracle Identity Manager Design Console and any other custom clients
must also communicate with Oracle Identity Manager using SSL.
I've installed the connector and configured SSL and it is working fine. Design console can still connect to OIM without using SSL. What is this note all about?
Thanks

Because you have enabled both SSL and non-SSL port. Once you will disable the non-ssl (recommended in prod) you will not able to access the Design Console.
I am struggling to use PassSync with SSL. I have two DCs and I imported the certificate on both DCs. Installed the PassSync Connector with Use SSL value to "Yes" and giving OIM SSL port and OIM host name. However, PassSync is not working and log is showing OIM is down. I tested the https url of OIM from both DCs and able to access from there. Do you have any idea what could be the cause?
Thanks

Servlet security with SSL

Hello All,
I am fairly knew to Java and Tomcat etc as I came from a non Java\Tomcat previous role but have inherited a project which is a Java servlet (Java 1.6.0.29) running on Windows with Tomcat (Tomcat 7) as the container. The servlet communicates with both an Oracle database on a Unix server and a SQL server database on a Windows server. I now require to secure the communication with the SQL Server database using SSL (Two way communication) and would really like some straight forward guidance on how to do this, i.e. what exactly do I do?
I ask this because there is a lot of information on the Tomcat website and other web sites but I find it becomes very ambiguous and confusing. They mostly talk about setting up a Keystore for the root certificate on the server and then say nothing about the "client". In my servlets situation the server hosting the SQL server is the "server" and the server hosting the servlet is the "client". The server hosting the servlet ("the client") already has a keystore set up on it to handle the encryption to the Oracle database and a entry to suit in the Tomcat server.xml file.
Any assistance would be greatly appreciated. I am really stuck with this
Thank you in advance
Alanjo

On 01/14/2014 06:11 AM, Alan Farroll wrote:
> Hi all,
>
> I could not find a more appropriate forum in Eclipse for this question
> so have placed it in newcomers as I am still quite new to Java\Eclipse
>
> We are working on a Java servlet application that involves security with
> SSL to allow the servlet to run from a server outside our firewall and
> interrogate databases inside our firewall. It runs on Tomcat 7 and built
> on Java 1.6.0.29
>
> We have had no problems running the servlet on the Test server within
> the firewall but when running on the Live server outside the firewall
> the SoapUI request returns nothing and the current Tomcat log error is
> "java.lang.RuntimeException: Could not generate dummy secret"
>
> The problems seem to be with the jce.jar and the sunJCE_provider.jar.
>
> Has anybody any assistance they could provide please.
>
> Thanks in advance
>
> AJF
The live server doesn't have access to the right JARs? Maybe this will help?
http://www.javahotchocolate.com/notes/jce-policy.html

Securing Portal with SSL/https

Has anyone successfully setup oracle portal 9.0.2 on solaris running all over secure sockets for both login/server and portal ?
I've followed the otn documentation but i'm still having problems with gettin portal to work with https.
It's driving me insane!! please help with any suggestions.
Kind Regards
Neil

Hi,
We did the following steps and it working :)
Assuming that HTTPS is correctly working and without security aspects.
Assuming that the HTTPS is 443
1) configure Webcache to work on port 443 and link it to the 4444 port of Apache
1) configure SSO
I directly change in WWSEC_ENABLER_CONFIG_INFO$ LS_LOGIN_URL to the https URL
the LSNR_TOKEN has to be like 'myhost' and not 'myhost:port'
2) Login to SSO and update the HOME, SUCCESS and CANCEL URL of SSO
to https
3) register mod_osso against the new SSO Server
4) register the portal using ptlasst
(if possible remove the already installed portal)
beware You might have big trouble with groups you have created.
5) Add in ORACLE_HOME\j2ee\OC4J_Portal\applications\portal\WEB-INF\web.xml
<init-param>
<param-name>httpsports<param-name>
<param-value>443:4444</param-value>
</init-param>
That is it !!!!
You have also to protect some URL with SSL and
to redefine some virtual path
The best test is to stop WebCache to liste http port
Have fun
Philippe Camelio
SysAdmin

Securing the IIOP Listener/Handler with SSL

Hi,
I am looking into securing CORBA client connections to ISL/ISH with SSL. Client authentication is not needed, just encryption and server authentication. Having looked through the documentation I have a couple of questions about this.
1. The "Using Security in CORBA Applications" manual says that an LDAP server is used as the certificate repository for the ISL/ISH server certificate. Are there alternatives to this such as using a keystore or is LDAP the only option?
2. Is it possible to configure the LDAP server (server name, port etc) without re-installing Tuxedo?
Regards
Ian

Ian,
Tuxedo uses a plugin framework architecture to manage certificates and it is possible to replace any of the plugin framework implementations.
In order to change the plugin framework interfaces you will need to obtain information about the epif* commands and the plugin framework interfaces and you will need to write some code. The plugin framework documentation is made available on an as-needed basis.
As documented at http://download.oracle.com/docs/cd/E15261_01/tuxedo/docs11gr1/sec/secadm.html#wp1239453 , "For more information about security plug-ins, including installation and configuration procedures, see your Oracle account executive."
The command "epifregedt -g" shows the current plugin framework settings.
The command "epifregedt -g -k SYSTEM/impl/security/BEA/certificate_lookup" shows just the settings for the security/BEA/certificate_lookup interface.
The command "epifregedt -g -k SYSTEM/impl/security/BEA/certificate_lookup -a Params" shows just the instantiation parameters for this interface.
Assume that the output from this command is
IMPLEMENTATION security/BEA/certificate_lookup
Instantiation Parameters :
"userCertificateLdap=ldap://localhost:389/"
"filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat"
Then the command
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_lookup \
-a Params=userCertificateLdap=ldap://abcxyz:1389/ \
-a Params=filterFileLocation=file:///home/tuxdir/udataobj/security/bea_ldap_filter.dat
will change the LDAP location to ldap://abcxyz:1389/
Note that it is necessary to respecify the filterFileLocation with this command even though it is not changing.
Thus, it is not necessary to reinstall Tuxedo in order to change the LDAP parameters.
Since the registry modification commands can be tricky to use, you may want to experiment with these commands on a development system or you may want to
export REG_KEY_SYSTEM=<TEMPORARY_DIRECTORY>/System.rdp
cp $TUXDIR/udataobj/System.rdp $REG_KEY_SYSTEM
before experimenting with epifregedt -s. (The value of REG_KEY_SYSTEM will override the default of $TUXDIR/udataobj/System.rdp .)
Regards,
Ed

Oracle with SSL

Similar Messages

Maybe you are looking for