PHP failing to retrieve content over ssl

I am getting the errors below when executing the following line of PHP:
include_once 'https://someserver/someotherfile.php';
Log output:
PHP Warning: include_once(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /files/somefile.php on line x
PHP Warning: include_once(): Failed to enable crypto in /files/someotherfile.php on line x
PHP Warning: include_once(https://someserver/someotherfile.php): failed to open stream: operation failed in /files/somefile.php on line x
PHP Warning: include_once(): Failed opening 'https://someserver/somefile.php' for inclusion (include_path='.:/usr/share/pear') in /files/somefile.php on line x
The issue does not occur for http sources (e.g. http://someserver/somefile.php) but will occur for any https source.
OpenSSL is installed and appears to be configured correctly (I am able to retrieve files from a https source via curl). The config (/etc/ssl/openssl.cnf) is default.
I have reinstalled PHP and the config (/etc/php/php.ini) is default except for the lines below:
extension=openssl.so (uncommented)
extension=phar.so (uncommented)
allow_url_include = On (changed from "Off")
Installed versions:
local/php 5.6.4-1
local/lib32-openssl 1.0.1.k-1
local/openssl 1.0.1.k-1
I have been searching for hours and am unable to find anyone with a similar issue. Any assistance would be greatly appreciated.
edit:
Issue occurs when using any function to access content over an ssl connection. E.g. the following line produces the same error:
echo file_get_contents('https://someserver/somefile');
Last edited by despian (2015-01-14 18:50:31)

The 32-bit ssl must have been installed as a dependency for some other 32-bit package I installed. Shouldn't cause a problem though, right?
I'm not too familiar with the output of strace but these lines look interesting. What do you think?
420: read(3, 0x21acce0, 7) = -1 EAGAIN (Resource temporarily unavailable)
427: stat("/etc/ssl/certs/c598f4ac.0", 0x7fffcab78250) = -1 ENOENT (No such file or directory)
Complete output:
1: execve("/usr/bin/php", ["php", "-dallow_url_include=on", "-r", "echo include_once 'https://"...], [/* 53 vars */]) = 0
2: brk(0) = 0x1fcb000
3: access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4: open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
5: fstat(3, {st_mode=S_IFREG|0644, st_size=272204, ...}) = 0
6: mmap(NULL, 272204, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fbd286c4000
7: close(3) = 0
8: open("/usr/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
9: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220:\0\0\0\0\0\0"..., 832) = 832
10: fstat(3, {st_mode=S_IFREG|0755, st_size=89024, ...}) = 0
11: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c3000
12: mmap(NULL, 2194248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd282ce000
13: mprotect(0x7fbd282e2000, 2093056, PROT_NONE) = 0
14: mmap(0x7fbd284e1000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13000) = 0x7fbd284e1000
15: mmap(0x7fbd284e4000, 6984, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd284e4000
16: close(3) = 0
17: open("/usr/lib/libreadline.so.6", O_RDONLY|O_CLOEXEC) = 3
18: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260e\1\0\0\0\0\0"..., 832) = 832
19: fstat(3, {st_mode=S_IFREG|0555, st_size=350087, ...}) = 0
20: mmap(NULL, 2402176, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd28083000
21: mprotect(0x7fbd280c4000, 2097152, PROT_NONE) = 0
22: mmap(0x7fbd282c4000, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x41000) = 0x7fbd282c4000
23: mmap(0x7fbd282cd000, 1920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd282cd000
24: close(3) = 0
25: open("/usr/lib/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
26: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000#\0\0\0\0\0\0"..., 832) = 832
27: fstat(3, {st_mode=S_IFREG|0755, st_size=88592, ...}) = 0
28: mmap(NULL, 2183688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd27e6d000
29: mprotect(0x7fbd27e82000, 2093056, PROT_NONE) = 0
30: mmap(0x7fbd28081000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14000) = 0x7fbd28081000
31: close(3) = 0
32: open("/usr/lib/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
33: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\27\0\0\0\0\0\0"..., 832) = 832
34: fstat(3, {st_mode=S_IFREG|0755, st_size=452840, ...}) = 0
35: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c2000
36: mmap(NULL, 2548328, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd27bfe000
37: mprotect(0x7fbd27c6c000, 2093056, PROT_NONE) = 0
38: mmap(0x7fbd27e6b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6d000) = 0x7fbd27e6b000
39: close(3) = 0
40: open("/usr/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
41: read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200U\0\0\0\0\0\0"..., 832) = 832
42: fstat(3, {st_mode=S_IFREG|0755, st_size=1067456, ...}) = 0
43: mmap(NULL, 3162456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd278f9000
44: mprotect(0x7fbd279fc000, 2097152, PROT_NONE) = 0
45: mmap(0x7fbd27bfc000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x103000) = 0x7fbd27bfc000
46: close(3) = 0
47: open("/usr/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
48: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\16\0\0\0\0\0\0"..., 832) = 832
49: fstat(3, {st_mode=S_IFREG|0755, st_size=14672, ...}) = 0
50: mmap(NULL, 2109712, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd276f5000
51: mprotect(0x7fbd276f8000, 2093056, PROT_NONE) = 0
52: mmap(0x7fbd278f7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fbd278f7000
53: close(3) = 0
54: open("/usr/lib/libxml2.so.2", O_RDONLY|O_CLOEXEC) = 3
55: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\344\2\0\0\0\0\0"..., 832) = 832
56: fstat(3, {st_mode=S_IFREG|0755, st_size=1455160, ...}) = 0
57: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c1000
58: mmap(NULL, 3555672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd27390000
59: mprotect(0x7fbd274ea000, 2093056, PROT_NONE) = 0
60: mmap(0x7fbd276e9000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x159000) = 0x7fbd276e9000
61: mmap(0x7fbd276f3000, 4440, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd276f3000
62: close(3) = 0
63: open("/usr/lib/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
64: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300-\6\0\0\0\0\0"..., 832) = 832
65: fstat(3, {st_mode=S_IFREG|0555, st_size=2425792, ...}) = 0
66: mmap(NULL, 4264248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd26f7e000
67: mprotect(0x7fbd27164000, 2097152, PROT_NONE) = 0
68: mmap(0x7fbd27364000, 163840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e6000) = 0x7fbd27364000
69: mmap(0x7fbd2738c000, 12600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd2738c000
70: close(3) = 0
71: open("/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
72: read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\1\2\0\0\0\0\0"..., 832) = 832
73: fstat(3, {st_mode=S_IFREG|0755, st_size=1984416, ...}) = 0
74: mmap(NULL, 3813200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd26bdb000
75: mprotect(0x7fbd26d74000, 2097152, PROT_NONE) = 0
76: mmap(0x7fbd26f74000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x199000) = 0x7fbd26f74000
77: mmap(0x7fbd26f7a000, 16208, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd26f7a000
78: close(3) = 0
79: open("/usr/lib/libncursesw.so.5", O_RDONLY|O_CLOEXEC) = 3
80: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0P\1\0\0\0\0\0"..., 832) = 832
81: fstat(3, {st_mode=S_IFREG|0755, st_size=411648, ...}) = 0
82: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c0000
83: mmap(NULL, 2508816, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd26976000
84: mprotect(0x7fbd269d5000, 2097152, PROT_NONE) = 0
85: mmap(0x7fbd26bd5000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5f000) = 0x7fbd26bd5000
86: close(3) = 0
87: open("/usr/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
88: read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300`\0\0\0\0\0\0"..., 832) = 832
89: fstat(3, {st_mode=S_IFREG|0755, st_size=138248, ...}) = 0
90: mmap(NULL, 2208912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd2675a000
91: mprotect(0x7fbd26771000, 2093056, PROT_NONE) = 0
92: mmap(0x7fbd26970000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7fbd26970000
93: mmap(0x7fbd26972000, 13456, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd26972000
94: close(3) = 0
95: open("/usr/lib/liblzma.so.5", O_RDONLY|O_CLOEXEC) = 3
96: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340)\0\0\0\0\0\0"..., 832) = 832
97: fstat(3, {st_mode=S_IFREG|0755, st_size=141744, ...}) = 0
98: mmap(NULL, 2236920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd26537000
99: mprotect(0x7fbd26559000, 2093056, PROT_NONE) = 0
100: mmap(0x7fbd26758000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x21000) = 0x7fbd26758000
101: close(3) = 0
102: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286bf000
103: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286be000
104: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286bd000
105: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286bc000
106: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286bb000
107: arch_prctl(ARCH_SET_FS, 0x7fbd286bc700) = 0
108: mprotect(0x7fbd26f74000, 16384, PROT_READ) = 0
109: mprotect(0x7fbd26970000, 4096, PROT_READ) = 0
110: mprotect(0x7fbd26758000, 4096, PROT_READ) = 0
111: mprotect(0x7fbd26bd5000, 16384, PROT_READ) = 0
112: mprotect(0x7fbd28081000, 4096, PROT_READ) = 0
113: mprotect(0x7fbd278f7000, 4096, PROT_READ) = 0
114: mprotect(0x7fbd27364000, 114688, PROT_READ) = 0
115: mprotect(0x7fbd27bfc000, 4096, PROT_READ) = 0
116: mprotect(0x7fbd276e9000, 32768, PROT_READ) = 0
117: mprotect(0x7fbd27e6b000, 4096, PROT_READ) = 0
118: mprotect(0x7fbd282c4000, 8192, PROT_READ) = 0
119: mprotect(0x7fbd284e1000, 8192, PROT_READ) = 0
120: mprotect(0xda6000, 667648, PROT_READ) = 0
121: mprotect(0x7fbd28707000, 4096, PROT_READ) = 0
122: munmap(0x7fbd286c4000, 272204) = 0
123: set_tid_address(0x7fbd286bc9d0) = 2834
124: set_robust_list(0x7fbd286bc9e0, 24) = 0
125: rt_sigaction(SIGRTMIN, {0x7fbd2675fb90, [], SA_RESTORER|SA_SIGINFO, 0x7fbd2676a210}, NULL, 8) = 0
126: rt_sigaction(SIGRT_1, {0x7fbd2675fc20, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7fbd2676a210}, NULL, 8) = 0
127: rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
128: getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
129: brk(0) = 0x1fcb000
130: brk(0x1fec000) = 0x1fec000
131: rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7fbd26c0eb20}, {SIG_DFL, [], 0}, 8) = 0
132: mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c6000
133: getcwd("/somedir", 4096) = 45
134: mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd285ba000
135: open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
136: fstat(3, {st_mode=S_IFREG|0644, st_size=1607760, ...}) = 0
137: mmap(NULL, 1607760, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fbd263ae000
138: close(3) = 0
139: open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
140: fstat(3, {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
141: fstat(3, {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
142: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c5000
143: read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\0"..., 4096) = 3661
144: lseek(3, -2338, SEEK_CUR) = 1323
145: read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10\0\0\0\0"..., 4096) = 2338
146: close(3) = 0
147: munmap(0x7fbd286c5000, 4096) = 0
148: lstat("/home/me/bin/php", 0x7fffcab77df0) = -1 ENOENT (No such file or directory)
149: lstat("/usr/local/bin/php", 0x7fffcab77df0) = -1 ENOENT (No such file or directory)
150: lstat("/usr/local/sbin/php", 0x7fffcab77df0) = -1 ENOENT (No such file or directory)
151: lstat("/usr/local/bin/php", 0x7fffcab77df0) = -1 ENOENT (No such file or directory)
152: lstat("/usr/bin/php", {st_mode=S_IFREG|0755, st_size=8730816, ...}) = 0
153: lstat("/usr/bin", {st_mode=S_IFDIR|0755, st_size=79146, ...}) = 0
154: lstat("/usr", {st_mode=S_IFDIR|0755, st_size=86, ...}) = 0
155: access("/usr/bin/php", X_OK) = 0
156: stat("/usr/bin/php", {st_mode=S_IFREG|0755, st_size=8730816, ...}) = 0
157: open("/usr/bin/php-cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
158: open("/etc/php/php-cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
159: open("/usr/bin/php.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
160: open("/etc/php/php.ini", O_RDONLY) = 3
161: ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7fffcab78b40) = -1 ENOTTY (Inappropriate ioctl for device)
162: fstat(3, {st_mode=S_IFREG|0644, st_size=71932, ...}) = 0
163: mmap(NULL, 71964, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fbd285a8000
164: lseek(3, 0, SEEK_CUR) = 0
165: munmap(0x7fbd285a8000, 71964) = 0
166: close(3) = 0
167: openat(AT_FDCWD, "/etc/php/conf.d", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
168: getdents(3, /* 2 entries */, 32768) = 48
169: getdents(3, /* 0 entries */, 32768) = 0
170: close(3) = 0
171: mmap(NULL, 323584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd2856b000
172: brk(0x200d000) = 0x200d000
173: brk(0x202e000) = 0x202e000
174: brk(0x204f000) = 0x204f000
175: futex(0x7fbd278f80c8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
176: open("/usr/lib/php/modules/curl.so", O_RDONLY|O_CLOEXEC) = 3
177: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0<\0\0\0\0\0\0"..., 832) = 832
178: fstat(3, {st_mode=S_IFREG|0755, st_size=85096, ...}) = 0
179: mmap(NULL, 2180288, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd26199000
180: mprotect(0x7fbd261ac000, 2093056, PROT_NONE) = 0
181: mmap(0x7fbd263ab000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12000) = 0x7fbd263ab000
182: close(3) = 0
183: open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
184: fstat(3, {st_mode=S_IFREG|0644, st_size=272204, ...}) = 0
185: mmap(NULL, 272204, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fbd28528000
186: close(3) = 0
187: open("/usr/lib/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
188: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\243\0\0\0\0\0\0"..., 832) = 832
189: fstat(3, {st_mode=S_IFREG|0755, st_size=456000, ...}) = 0
190: mmap(NULL, 2551816, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd25f29000
191: mprotect(0x7fbd25f96000, 2093056, PROT_NONE) = 0
192: mmap(0x7fbd26195000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6c000) = 0x7fbd26195000
193: mmap(0x7fbd26198000, 8, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd26198000
194: close(3) = 0
195: open("/usr/lib/libidn.so.11", O_RDONLY|O_CLOEXEC) = 3
196: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\00001\0\0\0\0\0\0"..., 832) = 832
197: fstat(3, {st_mode=S_IFREG|0755, st_size=211432, ...}) = 0
198: mmap(NULL, 2306528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd25cf5000
199: mprotect(0x7fbd25d27000, 2097152, PROT_NONE) = 0
200: mmap(0x7fbd25f27000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x32000) = 0x7fbd25f27000
201: close(3) = 0
202: open("/usr/lib/libssh2.so.1", O_RDONLY|O_CLOEXEC) = 3
203: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220V\0\0\0\0\0\0"..., 832) = 832
204: fstat(3, {st_mode=S_IFREG|0755, st_size=167224, ...}) = 0
205: mmap(NULL, 2262720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd25acc000
206: mprotect(0x7fbd25af4000, 2093056, PROT_NONE) = 0
207: mmap(0x7fbd25cf3000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x27000) = 0x7fbd25cf3000
208: close(3) = 0
209: open("/usr/lib/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
210: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260z\1\0\0\0\0\0"..., 832) = 832
211: fstat(3, {st_mode=S_IFREG|0555, st_size=505240, ...}) = 0
212: mmap(NULL, 2552560, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd2585c000
213: mprotect(0x7fbd258c1000, 2093056, PROT_NONE) = 0
214: mmap(0x7fbd25ac0000, 49152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x64000) = 0x7fbd25ac0000
215: close(3) = 0
216: open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
217: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\302\0\0\0\0\0\0"..., 832) = 832
218: fstat(3, {st_mode=S_IFREG|0644, st_size=313696, ...}) = 0
219: mmap(NULL, 2409344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd2560f000
220: mprotect(0x7fbd25659000, 2093056, PROT_NONE) = 0
221: mmap(0x7fbd25858000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x49000) = 0x7fbd25858000
222: close(3) = 0
223: open("/usr/lib/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
224: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300P\2\0\0\0\0\0"..., 832) = 832
225: fstat(3, {st_mode=S_IFREG|0644, st_size=937552, ...}) = 0
226: mmap(NULL, 3033408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd2532a000
227: mprotect(0x7fbd253ff000, 2093056, PROT_NONE) = 0
228: mmap(0x7fbd255fe000, 69632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd4000) = 0x7fbd255fe000
229: close(3) = 0
230: open("/usr/lib/libk5crypto.so.3", O_RDONLY|O_CLOEXEC) = 3
231: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320H\0\0\0\0\0\0"..., 832) = 832
232: fstat(3, {st_mode=S_IFREG|0644, st_size=199504, ...}) = 0
233: mmap(NULL, 2298456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd250f8000
234: mprotect(0x7fbd25127000, 2093056, PROT_NONE) = 0
235: mmap(0x7fbd25326000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2e000) = 0x7fbd25326000
236: mmap(0x7fbd25329000, 600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd25329000
237: close(3) = 0
238: open("/usr/lib/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3
239: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\25\0\0\0\0\0\0"..., 832) = 832
240: fstat(3, {st_mode=S_IFREG|0755, st_size=14632, ...}) = 0
241: mmap(NULL, 2109960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd24ef4000
242: mprotect(0x7fbd24ef7000, 2093056, PROT_NONE) = 0
243: mmap(0x7fbd250f6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fbd250f6000
244: close(3) = 0
245: open("/usr/lib/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
246: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P0\0\0\0\0\0\0"..., 832) = 832
247: fstat(3, {st_mode=S_IFREG|0644, st_size=52208, ...}) = 0
248: mmap(NULL, 2147688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd24ce7000
249: mprotect(0x7fbd24cf3000, 2093056, PROT_NONE) = 0
250: mmap(0x7fbd24ef2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7fbd24ef2000
251: close(3) = 0
252: open("/usr/lib/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3
253: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\25\0\0\0\0\0\0"..., 832) = 832
254: fstat(3, {st_mode=S_IFREG|0755, st_size=14568, ...}) = 0
255: mmap(NULL, 2109720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd24ae3000
256: mprotect(0x7fbd24ae6000, 2093056, PROT_NONE) = 0
257: mmap(0x7fbd24ce5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fbd24ce5000
258: close(3) = 0
259: mprotect(0x7fbd24ce5000, 4096, PROT_READ) = 0
260: mprotect(0x7fbd24ef2000, 4096, PROT_READ) = 0
261: mprotect(0x7fbd250f6000, 4096, PROT_READ) = 0
262: mprotect(0x7fbd25326000, 8192, PROT_READ) = 0
263: mprotect(0x7fbd255fe000, 57344, PROT_READ) = 0
264: mprotect(0x7fbd25858000, 8192, PROT_READ) = 0
265: mprotect(0x7fbd25ac0000, 20480, PROT_READ) = 0
266: mprotect(0x7fbd25cf3000, 4096, PROT_READ) = 0
267: mprotect(0x7fbd25f27000, 4096, PROT_READ) = 0
268: mprotect(0x7fbd26195000, 8192, PROT_READ) = 0
269: mprotect(0x7fbd263ab000, 8192, PROT_READ) = 0
270: munmap(0x7fbd28528000, 272204) = 0
271: open("/usr/lib/php/modules/gettext.so", O_RDONLY|O_CLOEXEC) = 3
272: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\20\0\0\0\0\0\0"..., 832) = 832
273: fstat(3, {st_mode=S_IFREG|0755, st_size=14696, ...}) = 0
274: mmap(NULL, 2109872, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd248df000
275: mprotect(0x7fbd248e1000, 2097152, PROT_NONE) = 0
276: mmap(0x7fbd24ae1000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fbd24ae1000
277: close(3) = 0
278: mprotect(0x7fbd24ae1000, 4096, PROT_READ) = 0
279: open("/usr/lib/php/modules/openssl.so", O_RDONLY|O_CLOEXEC) = 3
280: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\260\0\0\0\0\0\0"..., 832) = 832
281: fstat(3, {st_mode=S_IFREG|0755, st_size=144968, ...}) = 0
282: mmap(NULL, 2244368, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd246bb000
283: mprotect(0x7fbd246da000, 2097152, PROT_NONE) = 0
284: mmap(0x7fbd248da000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1f000) = 0x7fbd248da000
285: mmap(0x7fbd248de000, 3856, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fbd248de000
286: close(3) = 0
287: mprotect(0x7fbd248da000, 12288, PROT_READ) = 0
288: open("/usr/lib/php/modules/phar.so", O_RDONLY|O_CLOEXEC) = 3
289: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0Pc\0\0\0\0\0\0"..., 832) = 832
290: fstat(3, {st_mode=S_IFREG|0755, st_size=268592, ...}) = 0
291: mmap(NULL, 2365016, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd24479000
292: mprotect(0x7fbd244b8000, 2093056, PROT_NONE) = 0
293: mmap(0x7fbd246b7000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3e000) = 0x7fbd246b7000
294: close(3) = 0
295: mprotect(0x7fbd246b7000, 8192, PROT_READ) = 0
296: brk(0x2070000) = 0x2070000
297: futex(0x7fbd276f3e48, FUTEX_WAKE_PRIVATE, 2147483647) = 0
298: brk(0x2091000) = 0x2091000
299: brk(0x20b2000) = 0x20b2000
300: brk(0x20d3000) = 0x20d3000
301: brk(0x20f4000) = 0x20f4000
302: brk(0x2115000) = 0x2115000
303: brk(0x2136000) = 0x2136000
304: brk(0x2157000) = 0x2157000
305: brk(0x2178000) = 0x2178000
306: brk(0x2199000) = 0x2199000
307: open("/etc/ssl/openssl.cnf", O_RDONLY) = 3
308: fstat(3, {st_mode=S_IFREG|0644, st_size=10835, ...}) = 0
309: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c5000
310: read(3, "#\n# OpenSSL example configuratio"..., 4096) = 4096
311: read(3, "Netscape crash on BMPStrings or "..., 4096) = 4096
312: read(3, " this to avoid interpreting an e"..., 4096) = 2643
313: read(3, "", 4096) = 0
314: close(3) = 0
315: munmap(0x7fbd286c5000, 4096) = 0
316: brk(0x21ba000) = 0x21ba000
317: rt_sigaction(SIGPROF, {0x637f20, [PROF], SA_RESTORER|SA_RESTART, 0x7fbd26c0eb20}, {SIG_DFL, [], 0}, 8) = 0
318: rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
319: fstat(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
320: fstat(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
321: lseek(0, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
322: fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
323: fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
324: lseek(1, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
325: fstat(2, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
326: fstat(2, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
327: lseek(2, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
328: socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 3
329: close(3) = 0
330: socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
331: connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
332: close(3) = 0
333: socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
334: connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
335: close(3) = 0
336: open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
337: fstat(3, {st_mode=S_IFREG|0644, st_size=234, ...}) = 0
338: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c5000
339: read(3, "# Begin /etc/nsswitch.conf\n\npass"..., 4096) = 234
340: read(3, "", 4096) = 0
341: close(3) = 0
342: munmap(0x7fbd286c5000, 4096) = 0
343: open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
344: fstat(3, {st_mode=S_IFREG|0644, st_size=63, ...}) = 0
345: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c5000
346: read(3, "#\n# /etc/host.conf\n#\n\norder host"..., 4096) = 63
347: read(3, "", 4096) = 0
348: close(3) = 0
349: munmap(0x7fbd286c5000, 4096) = 0
350: futex(0x7fbd26f7d044, FUTEX_WAKE_PRIVATE, 2147483647) = 0
351: open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
352: fstat(3, {st_mode=S_IFREG|0644, st_size=51, ...}) = 0
353: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c5000
354: read(3, "# Generated by resolvconf\nnamese"..., 4096) = 51
355: read(3, "", 4096) = 0
356: close(3) = 0
357: munmap(0x7fbd286c5000, 4096) = 0
358: uname({sys="Linux", node="mymachinename", ...}) = 0
359: open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
360: fstat(3, {st_mode=S_IFREG|0644, st_size=272204, ...}) = 0
361: mmap(NULL, 272204, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fbd28528000
362: close(3) = 0
363: open("/usr/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
364: read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\"\0\0\0\0\0\0"..., 832) = 832
365: fstat(3, {st_mode=S_IFREG|0755, st_size=51808, ...}) = 0
366: mmap(NULL, 2148488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fbd2426c000
367: mprotect(0x7fbd24277000, 2097152, PROT_NONE) = 0
368: mmap(0x7fbd24477000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7fbd24477000
369: close(3) = 0
370: mprotect(0x7fbd24477000, 4096, PROT_READ) = 0
371: munmap(0x7fbd28528000, 272204) = 0
372: open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
373: fstat(3, {st_mode=S_IFREG|0644, st_size=264, ...}) = 0
374: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c5000
375: read(3, "#\n# /etc/hosts: static lookup ta"..., 4096) = 264
376: read(3, "", 4096) = 0
377: close(3) = 0
378: munmap(0x7fbd286c5000, 4096) = 0
379: open("/etc/gai.conf", O_RDONLY|O_CLOEXEC) = 3
380: fstat(3, {st_mode=S_IFREG|0644, st_size=2584, ...}) = 0
381: fstat(3, {st_mode=S_IFREG|0644, st_size=2584, ...}) = 0
382: mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbd286c5000
383: read(3, "# Configuration for getaddrinfo("..., 4096) = 2584
384: read(3, "", 4096) = 0
385: close(3) = 0
386: munmap(0x7fbd286c5000, 4096) = 0
387: futex(0x7fbd26f7b284, FUTEX_WAKE_PRIVATE, 2147483647) = 0
388: socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3
389: bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
390: getsockname(3, {sa_family=AF_NETLINK, pid=2834, groups=00000000}, [12]) = 0
391: sendto(3, "\24\0\0\0\26\0\1\3\306\273\266T\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
392: recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"L\0\0\0\24\0\2\0\306\273\266T\22\v\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 256
393: recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"H\0\0\0\24\0\2\0\306\273\266T\22\v\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 144
394: recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\306\273\266T\22\v\0\0\0\0\0\0", 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
395: close(3) = 0
396: socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
397: connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
398: getsockname(3, {sa_family=AF_INET, sin_port=htons(53655), sin_addr=inet_addr("127.0.0.1")}, [16]) = 0
399: close(3) = 0
400: socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 3
401: connect(3, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
402: getsockname(3, {sa_family=AF_INET6, sin6_port=htons(50202), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
403: close(3) = 0
404: socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
405: fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
406: fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
407: connect(3, {sa_family=AF_INET6, sin6_port=htons(443), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
408: poll([{fd=3, events=POLLIN|POLLOUT|POLLERR|POLLHUP}], 1, 60000) = 1 ([{fd=3, revents=POLLOUT}])
409: getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
410: fcntl(3, F_SETFL, O_RDWR) = 0
411: open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 4
412: fstat(4, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
413: poll([{fd=4, events=POLLIN}], 1, 10) = 1 ([{fd=4, revents=POLLIN}])
414: read(4, "\241\351\215'2y\320\235\315\23\231\251\f\36n\363\3568\226\25!9\231b\26\241\202&\303\22\332\202", 32) = 32
415: close(4) = 0
416: getuid() = 1000
417: fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
418: fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
419: write(3, "\26\3\1\2\0\1\0\1\374\3\3a\310\34\334\323\236\16\307\232\356\210\302\33\5\256\332s\267\254q\330"..., 517) = 517
420: read(3, 0x21acce0, 7) = -1 EAGAIN (Resource temporarily unavailable)
421: poll([{fd=3, events=POLLIN|POLLPRI}], 1, 59999) = 1 ([{fd=3, revents=POLLIN}])
422: read(3, "\26\3\3\0F\2\0", 7) = 7
423: brk(0x21db000) = 0x21db000
424: read(3, "\0B\3\3$\363|2\327=*\310;\266\33\337\317:\247\201\232\355\233\367\370\300\256\10\352\211\34\372"..., 68) = 68
425: read(3, "\26\3\3\5k", 5) = 5
426: read(3, "\v\0\5g\0\5d\0\5a0\202\5]0\202\3E\240\3\2\1\2\2\t\0\224\343#\256\276\206"..., 1387) = 1387
427: stat("/etc/ssl/certs/c598f4ac.0", 0x7fffcab78250) = -1 ENOENT (No such file or directory)
428: write(3, "\25\3\3\0\2\0020", 7) = 7
429: write(2, "PHP Warning: include_once(): SS"..., 201PHP Warning: include_once(): SSL operation failed with code 1. OpenSSL Error messages:
430: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in Command line code on line 1
431: ) = 201
432: fcntl(3, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
433: fcntl(3, F_SETFL, O_RDWR) = 0
434: write(2, "PHP Warning: include_once(): Fa"..., 85PHP Warning: include_once(): Failed to enable crypto in Command line code on line 1
435: ) = 85
436: close(3) = 0
437: write(2, "PHP Warning: include_once(https"..., 141PHP Warning: include_once(https://someserver/somefile.php): failed to open stream: operation failed in Command line code on line 1
438: ) = 141
439: write(2, "PHP Warning: include_once(): Fa"..., 168PHP Warning: include_once(): Failed opening 'https://someserver/somefile.php' for inclusion (include_path='.:/usr/share/pear') in Command line code on line 1
440: ) = 168
441: close(2) = 0
442: close(1) = 0
443: close(0) = 0
444: munmap(0x7fbd24479000, 2365016) = 0
445: munmap(0x7fbd246bb000, 2244368) = 0
446: munmap(0x7fbd248df000, 2109872) = 0
447: munmap(0x7fbd26199000, 2180288) = 0
448: munmap(0x7fbd25f29000, 2551816) = 0
449: munmap(0x7fbd25cf5000, 2306528) = 0
450: munmap(0x7fbd25acc000, 2262720) = 0
451: munmap(0x7fbd2585c000, 2552560) = 0
452: munmap(0x7fbd2560f000, 2409344) = 0
453: munmap(0x7fbd2532a000, 3033408) = 0
454: munmap(0x7fbd250f8000, 2298456) = 0
455: munmap(0x7fbd24ef4000, 2109960) = 0
456: munmap(0x7fbd24ce7000, 2147688) = 0
457: munmap(0x7fbd24ae3000, 2109720) = 0
458: munmap(0x7fbd285ba000, 1052672) = 0
459: munmap(0x7fbd286c6000, 266240) = 0
460: munmap(0x7fbd2856b000, 323584) = 0
461: exit_group(0) = ?
462: +++ exited with 0 +++
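The byte strings in the socket reads and writes above are TLS records, and decoding them shows which side aborted the handshake and why. The following is an added example, not part of the original post: a small Python decoder (function names are illustrative) run over syscall lines copied from the trace.

```python
import re

# Syscall lines copied from the strace excerpt in the post ("NNN:" prefixes kept).
TRACE = r'''
414: read(4, "\241\351\215'2y\320\235\315\23\231\251\f\36n\363\3568\226\25!9\231b\26\241\202&\303\22\332\202", 32) = 32
419: write(3, "\26\3\1\2\0\1\0\1\374\3\3a\310\34\334\323\236\16\307\232\356\210\302\33\5\256\332s\267\254q\330"..., 517) = 517
420: read(3, 0x21acce0, 7) = -1 EAGAIN (Resource temporarily unavailable)
422: read(3, "\26\3\3\0F\2\0", 7) = 7
424: read(3, "\0B\3\3$\363|2\327=*\310;\266\33\337\317:\247\201\232\355\233\367\370\300\256\10\352\211\34\372"..., 68) = 68
425: read(3, "\26\3\3\5k", 5) = 5
426: read(3, "\v\0\5g\0\5d\0\5a0\202\5]0\202\3E\240\3\2\1\2\2\t\0\224\343#\256\276\206"..., 1387) = 1387
427: stat("/etc/ssl/certs/c598f4ac.0", 0x7fffcab78250) = -1 ENOENT (No such file or directory)
428: write(3, "\25\3\3\0\2\0020", 7) = 7
'''

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 14: "server_hello_done", 16: "client_key_exchange"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
ESCAPES = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, '"': 34, "\\": 92}
IO_RE = re.compile(r'^\s*(?:\d+:?\s+)?(read|recv|recvfrom|write|send|sendto)'
                   r'\((\d+), "((?:[^"\\]|\\.)*)"(?:\.\.\.)?, .*\)\s+=\s+(\d+)')
# Failed lookup of a hashed CA file (<8 hex digits>.<n>), as OpenSSL names them.
MISS_RE = re.compile(r'(?:stat|access|open|openat)\(.*?"([^"]*/[0-9a-f]{8}\.\d+)".*=\s+-1 ENOENT')


def unescape(s):
    """Turn a strace C-style string (octal/hex escapes) back into bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        c = s[i + 1]
        if c in "01234567":                      # \N, \NN or \NNN (octal)
            j = i + 1
            while j < len(s) and j < i + 4 and s[j] in "01234567":
                j += 1
            out.append(int(s[i + 1:j], 8) & 0xFF)
            i = j
        elif c == "x":                           # strace -x hex form
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ESCAPES.get(c, ord(c)))
            i += 2
    return bytes(out)


def describe(sent, st, body):
    """Name one record from its type and the first body bytes strace showed."""
    ctype, detail = st["ctype"], None
    if st["enc"]:
        detail = "encrypted"                     # after ChangeCipherSpec
    elif ctype == 22 and body:
        detail = HANDSHAKE.get(body[0], "type %d" % body[0])
    elif ctype == 21 and len(body) == 2:
        detail = "%s:%s" % ("fatal" if body[0] == 2 else "warning",
                            ALERTS.get(body[1], str(body[1])))
    if ctype == 20:
        st["enc"] = True
    return ("sent" if sent else "received", CONTENT[ctype], detail)


def analyze(trace):
    """Return (tls_events, missing_hashed_ca_files) for a strace text."""
    tls_fds, streams, events, missing = set(), {}, [], []
    for line in trace.splitlines():
        miss = MISS_RE.search(line)
        if miss:
            missing.append(miss.group(1))
        m = IO_RE.match(line)
        if not m:
            continue
        fd, data, n = int(m.group(2)), unescape(m.group(3)), int(m.group(4))
        sent = m.group(1) in ("write", "send", "sendto")
        if sent and data[:2] == b"\x16\x03" and data[5:6] == b"\x01":
            tls_fds.add(fd)                      # cleartext ClientHello seen
        if fd not in tls_fds:
            continue
        st = streams.setdefault((fd, sent), {"left": 0, "ctype": 0, "fresh": False, "enc": False})
        off = 0
        while off < n:                           # records may span several syscalls
            if st["left"] == 0:                  # at a record boundary
                hdr = data[off:off + 5]
                if len(hdr) < 5 or hdr[0] not in CONTENT or hdr[1] != 3:
                    break                        # header truncated or not TLS
                st.update(ctype=hdr[0], left=int.from_bytes(hdr[3:5], "big"), fresh=True)
                off += 5
                continue
            if st["fresh"]:                      # first body bytes of the record
                events.append(describe(sent, st, data[off:off + 2]))
                st["fresh"] = False
            take = min(st["left"], n - off)
            st["left"] -= take
            off += take
    return events, missing


def diagnose(trace):
    events, missing = analyze(trace)
    unknown_ca = ("sent", "alert", "fatal:unknown_ca") in events
    if unknown_ca and missing:
        verdict = "issuer not found in CA directory: no " + ", ".join(missing)
    elif unknown_ca:
        verdict = "client sent unknown_ca; check the CA file/path it is using"
    else:
        verdict = "no unknown_ca alert from the client in the cleartext handshake"
    return {"events": events, "missing_ca_files": missing, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(TRACE).items():
        print(key, "=", value)
```

On this trace the decoder reports client_hello, server_hello and certificate, then a fatal unknown_ca alert sent by the client immediately after the failed stat on /etc/ssl/certs/c598f4ac.0. That file name is the subject-name hash OpenSSL uses to look up the issuer in a hashed CA directory, so the process could not find a trusted CA certificate for the server's chain there.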

Similar Messages

  • Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

    In iPlanet Web Server, Enterprise Edition Administration's guide, chapter 5: secure your web server - Using SSL and TLS protocol specifying that the Administrator server can communicate LDAP over SSL with some Directory enable SSL.
    Is there any way to configure iplanet Administration server to talk ldap/ssl in mutual authentication mode with some directory?

    Hi,
    Sorry, I could not understand what you are trying to do with iWS.
    Could you please briefly explain your question so that I can help you?
    Regards,
    Dakshin.
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support.

  • Web Service over SSL failing in BEA Workshop

    I have deployed a web service on weblogic 9.2
    I have enabled one-way ssl on it. Got a trial ssl certificate from verisign. Installed them on the keystore/truststore on the server as well as the jre (cacerts and jssecacerts truststores) being used by the client. The client is on a different machine than the server.
    I have developed the service through 'bea weblogic workshop 9.2'. Now when I try to test the service through the 'web services explorer' within bea weblogic workshop I receive the following error:
    IWAB0135E An unexpected error has occurred.
    IOException
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    On server:
    <Jul 13, 2009 6:45:44 PM EDT> <Warning> <Security> <BEA-090485> <CERTIFICATE_UNKNOWN alert was received from yunus.l1id.local - 10.10.2.72. The peer has an unspecified issue with the certificate. SSL debug tracing should be enabled on the peer to determine what the issue is.>
    If I try to access the web service (over ssl) through the browser (ie/firefox), it works fine. I have generated a proxy class to access this web service through the same bea workshop and that works fine too. Certificates are identified and all. I also created a small .net (c#) application that calls this secure web service over ssl from another machine and it works fine too!
    Of course the non-secure url for the web service is working fine in every case.
    What can be the reason for this failing only in 'web services explorer' in bea workshop?
    cross posted at: http://www.coderanch.com/t/453879/Web-Services/java/Web-Service-over-SSL-failing
    Thanks.

    Hello,
    I used this example, when I made my experiments with SSL and Glassfish (GF):
    http://java.sun.com/developer/EJTechTips/2006/tt0527.html#1
    If you have problems with GF I suggest to post a message here:
    http://forums.java.net/jive/forum.jspa?forumID=56
    e.g. here is one thread:
    http://forums.java.net/jive/thread.jspa?threadID=59993&tstart=0
    Miro.

  • Cannot find api to implement RIDC connect WebCenter Content Server over SSL

    Hi WebCenter Content team,
    I find the following sample code from http://docs.oracle.com/cd/E23943_01/doc.1111/e10807/c23_ridc.htm#BJFIHEHI
    Example 23-6 IDC Protocol over SSL
    // build a secure IDC client as cast to specific type
    IntradocClient idcClient = (IntradocClient)
    manager.createClient("idcs://localhost:4443");
    // set the SSL socket options
    config.setKeystoreFile("ketstore/client_keystore");  //location of keystore file
    config.setKeystorePassword ("password");      // keystore password
    config.setKeystoreAlias("SecureClient");  //keystore alias
    config.setKeystoreAliasPassword("password");  //password for keystore alias
    I downloaded RIDC package from Individual Component Downloads in http://www.oracle.com/technetwork/middleware/webcenter/content/downloads/index.html.
    But cannot find the above methods in IdcClientConfig and its subclasses. For example, cannot compile the following code.
    IdcClientConfig config = idcClient.getConfig();
    config.setKeystoreFile("ketstore/client_keystore");  // no such method
    Could you please give a correct example.
    Thanks a lot.

    Most likely the port. RIDC listens usually at 4444, 16200 is the port for browser-based communication.

  • Ldapbind failed over SSL  (U2 – "one way", "U3-two way") from Oracle DB to

    Hi
    I am facing the below error when I try ldapbind (database server to OID) over SSL (U2 – “one way”, “U3-two way”)
    *** ACTION NAME:() 2010-09-29 07:09:46.691
    *** MODULE NAME:(sqlplus@alddbux01 (TNS V1-V3)) 2010-09-29 07:09:46.691
    *** SERVICE NAME:(SYS$USERS) 2010-09-29 07:09:46.691
    *** SESSION ID:(121.274) 2010-09-29 07:09:46.691
    kzld_discover received ldaptype: OID
    KZLD_ERR: DB-OID SSL auth failed. Err=0
    KZLD is doing LDAP unbind
    KZLD_ERR: found err from kzldini
    Environment details:
    OID Server:
    OS: Enterprise Linux Enterprise Linux AS release 5.3
    Hostname : aldidmux02
    Oracle Internet Directory 11.1.1.2.0
    Realm in this OID is “dc=mycmsc,dc=com”
    Oracle Database Server:
    OS: Sun Solaris 5.10
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    Hostname: alddbux01
    Key points:
    1.     As per metalink notes 466662.1, I am trying to setup EUS between DB - OID.
    First difference I see here is OID version (10.1.4.0.1) in notes & using OID 11g (11.1.1.2.0) in my environment for testing.
    a)     Are these steps applicable for OID11g(11.1.1.2.0) version?
    b)     If not please provide me the references for achieving ldap authentication from Oracle database server with OID 11g as ldap user repository.
    c)     As per task1 > step3 For the first time oidctl command is used to connect & start the instance before starting services using opmnctl. What is the procedure to do the same in OID11g?
    2.     Wallet certificates in my environment OID & Database server status shows “Ready”

    Is it possible to get an answer on this one from someone who knows?
    "Leif Kristian Vadseth" wrote in message:
    In WLS 6.0 I was able to configure the server SSL protocol so that when
    accessing the server (web application) from a web browser over https, the
    browser showed a list of matching installed client certificates that the
    client can choose, but the client could choose not to present his/hers
    certificate and still continue to access the requested resources.
    In WLS 6.1 I have not been able to repeat this behaviour, even if the SSL
    configuration is exactly the same.
    The project I work in wants to have both one-way SSL (using only username
    and password for authentication) and two-way SSL (using both
    username/password and certificate for authentication) in the same server.
    Is it possible to configure the server the way I want or do we have to
    configure two servers; one that does not require mutual authentication, and
    one that requires this?
    Leif Kristian Vadseth

  • WebDAV not working over SSL on CSS11503

    SOME HISTORY
    As you may recall we had an issue with interoperability between our WebCT Vista application and the Cisco CSS11503 Load Balancer. In a nutshell the Load Balancer would inject custom HTTP headers into HTTP packets, but only into the first HTTP packet of a TCP session. With your help we've learned that Cisco will change this in the August release of the CSS software.
    OUR NEW PROBLEM
    We are now having a related problem. In short, we cannot get WebDav to work over SSL. That is, when we connect from Client to Load Balancer via SSL, and then Load Balancer to Web Server via plaintext, our application fails. Conversely, when we maintain a clear text connection straight through from Client to Web server WebDav works.
    After doing some network traces of WebDav connections both with and without SSL I think we've discovered the cause of the problem: the Load Balancer fails to add our custom HTTP header "WL-Proxy-SSL: true" to HTTP "PROPFIND" requests, even though it correctly adds them to the HTTP "OPTIONS" requests.
    HOW WE CONFIGURED THE LOAD BALANCER
    We configured our Load Balancer with the Global configuration of
    http-method parse RFC2518-methods
    and with the command
    ssl-server 20 http-header static "WL-Proxy-SSL: true"
    so that the header "WL-Proxy-SSL: true" will be passed with the HTTP headers used for WebDav as well as with the 'standard' HTTP headers "GET, POST, HEAD", etc.
    Below is the relevant passage from the "CSS Command Reference" at
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdgloba.htm#wp1432749
    ======================================================================
    "By default, a Layer 5 content rule supports the HTTP CONNECT, GET, HEAD, POST, and PUT methods. Unless configured, the CSS recognizes and forwards the following HTTP methods directly to the destination server in a transparent caching environment, but does not load balance them:
    OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, MOVE, LOCK, UNLOCK, COPY, and DELETE.
    When you enable the CSS to support all RFC-2518 methods, the CSS parses the Request-URI field in an attempt to match a Layer 5 rule. If the contents of the Request-URI field are not in a compliant format of an absolute URI or an absolute path, the CSS tries to match the field to the next best wildcard ("/*") rule. If the match fails, the CSS attempts to match the Layer 4 rule, and then the Layer 3 rule."
    ========================================================================
    I interpret this to mean that when we configure "http-method parse RFC2518-methods" that the load balancer will treat all the HTTP headers in the group "OPTIONS, TRACE, PROPFIND, ...", etc the same as the "standard" HTTP headers "GET, POST, HEAD", etc.
    As I said earlier our network traces show that the "WL-Proxy-SSL: true"
    header is present in the HTTP header OPTIONS but *not* in the header "PROPFIND".
    A BUG IN THE CSS COMMAND PROCESSOR?
    By my reckoning, this behaviour must be a bug in the CSS Command processor, because whatever the CSS does for the "OPTIONS" header it should also do for the "PROPFIND" header.
    ATTACHMENTS
    I've included three attachments.
    trace.txt
    - text output from Ethereal of the network trace
    on the web server, with comments.
    webdav.ssl.snoop
    - the original network trace in Sun's 'snoop' format.
    css.2.cfg
    - the running configuration on the CSS11503
    Thanks in advance for your help.

    Hi
    I finally discovered what the issue is here. It appears that in case of unsigned applets, the code is unable to access the SunJCE provider which contains most of the ciphers used by the SSL protocol. This means that a session with the SSL server is broken and effectively the applet is not initialised.
    This problem is related to configuration of JRE under linux due to export control restrictions. Unfortunately I don't know how to make JRE to use SunJCE by default.
    As a workaround I have set up the following policies using Policy Manager:
    grant {
    permission java.security.SecurityPermission "putProviderProperty.SunJCE";
    };
    grant {
    permission java.lang.RuntimePermission "getProtectionDomain";
    };
    grant {
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
    };
    I don't know how insecure my actions are, but this definitely fixed problems with applets under SSL / HTTPS.
    Feel free to send me your ideas how to fix this issue in more elegant way.
    Best,
    Marcin

  • Trying to determine if LDAP over SSL is working using LDP.exe

    Hi,
    I just wanted to confirm that LDAP over SSL is working properly on our domain controller.  When I connect using LDP.exe on my Windows 7 computer, I get the following output:
    ld = ldap_sslinit("dc1.domain.com", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 0 = ldap_connect(hLdap, NULL);
    Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
    Host supports SSL, SSL cipher strength = 128 bits
    Established connection to dc1.domain.com.
    Retrieving base DSA information...
    Getting 1 entries:
    Dn: (RootDSE)
    <unnecessary details>
    It looks like it is working, but I wasn't sure if the Error 0's mean there is some sort of problem.
    Also, when I run a Simple bind with my credentials, I get the following output:
    res = ldap_simple_bind_s(ld, 'myuseraccount-at-domaindotcom', <unavailable>); // v.3
    Authenticated as: 'DOMAIN\myuseraccount'.
    Finally, when I run a Bind as currently logged on user (with Encrypt traffic after bind checked), I get the following output:
    53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
    Authenticated as: 'DOMAIN\myuseraccount'.
    I followed all the instructions found in Microsoft article KB-321051 to get LDAP over SSL working with a valid 3rd party certificate on one of our Windows 2008 R2 domain controllers.  However, when I test Active Directory Authentication on our
    WatchGuard Management Server after importing the CA certificate, the test fails.  In order to use Active Directory Authentication, LDAPS (LDAP over SSL) must be enabled in the Active Directory domain and I am not 100% sure that it is enabled properly.
    Any advice or additional insight would be greatly appreciated.
    Thanks!

    Some ideas:
    DNS Name: KB-321051 says that you need the DNS name in either Subject CN or Subject Alternative Name. Which one did you use? Windows clients are fine with an empty CN and only the SAN populated (there the "either or" statement in the article)
    but third-party tools often look for the DNS name in the Subject CN.
    Even if the WatchGuard Server runs on Windows it might use its own certificate checking logic.
    DC certificate(s): Does the DC have more than this certificate? If yes I'd run a network trace to check which one the machine is actually sending in the SSL handshake.
    Chaining issues at your LDAP client / the WatchGuard Management Server:
    Very often such issues are related to the fact that the certificate chain is not validated properly. Some typical issues:
    It is not clear whether the client uses the Windows certificate store (even if it runs on a Windows server).
    Tools / systems / PKI clients can only deal with a single root CA, not with a hierarchy.
    You need to import both Root and intermediate CAs as the client cannot fetch the intermediates from AIA URLs.
    The client cannot access CRL URLs because of firewalls rules or missing access (e.g.: A CRL URL in AD is used but the client does not have an AD user in whose context it would try to fetch the CRL).
    The client has issues with blanks or special characters in CDP or AIA URLs.
    Having a quick look at
    WatchGuard documentation it seems to me that they are using their own certificate stores you need to import CA certificates to. And they only mention a "Root CA" so if your PKI has two levels you might need to import both CAs to the so-called Root store.
    Elke

  • DP's have Warning "Failed to retrieve the package list on the distribution point" - How to Clear it?

    All but one of my DP's (A new one I just created) have this Warning Message:  "Failed to retrieve the package list on the distribution point".  They all seem to be working, I can update and push new content to them.
    When I go to the smsdpmon.log, it has an error for a package, but I've since redistributed it, and it is working fine. (Items below are snips from the smsdpmon.log)
    CContentDefinition::LibraryPackagesWmi: The package data in WMI is not consistent to PkgLib SMS_Distribution_Point_Monitoring 11/16/2013 6:00:01 PM 3920 (0x0F50)
    CContentDefinition::LibraryPackagesWmi: Package PS10011B can't be found in PkgLib SMS_Distribution_Point_Monitoring 11/16/2013 6:00:01 PM 3920 (0x0F50)
    CContentDefinition::LibraryPackagesWmi failed; 0x80004005 SMS_Distribution_Point_Monitoring 11/16/2013 6:00:01 PM 3920 (0x0F50)
    Failed to evaluate package PS10011B, Error code 0x80070002 SMS_Distribution_Point_Monitoring 11/16/2013 6:29:50 PM 3920 (0x0F50)
    Since then, after redistributing the package, it clears up the logs... but not the warning in Monitoring:
    Start to evaluate package share for package 'PS10011B' version 0 ... SMS_Distribution_Point_Monitoring 11/18/2013 12:39:52 PM 868 (0x0364)
    Package PS10011B is verified successfully SMS_Distribution_Point_Monitoring 11/18/2013 12:39:52 PM 868 (0x0364)
    So since everything appears to be working fine, how do I clear out that Warning, so I have nice Green Check Mark Icons in my Monitoring Tab, so when something actually does go wrong, I won't just ignore it since it's always been set to Warning?

    I'll have to review this. The script
    here, alone did not solve my issue. Interesting that it says I do not have any inconsistencies on any of my DP's now, but when I run the other one on a single DP, it states I have inconsistencies still.
    $WMIPkgList = Get-WmiObject -Namespace Root\SCCMDP -Class SMS_PackagesInContLib | Select -ExpandProperty PackageID | Sort-Object
    $ContentLib = (Get-ItemProperty HKLM:SOFTWARE\Microsoft\SMS\DP).ContentLibraryPath
    $PkgLibPath = ($ContentLib) + "\PkgLib"
    $PkgLibList = (Get-ChildItem $PkgLibPath | Select -ExpandProperty Name | Sort-Object)
    $PkgLibList = ($PKgLibList | ForEach-Object {$_.replace(".INI","")})
    $PksinWMIButNotContentLib = Compare-Object -ReferenceObject $WMIPkgList -DifferenceObject $PKgLibList -PassThru
    ##### section 1 #######################
    Write-Host Items in WMI but not the Content Library
    Write-Host ========================================
    $PksinWMIButNotContentLib
    Foreach ($Pkg in $PksinWMIButNotContentLib){
    Get-WmiObject -Namespace Root\SCCMDP -Class SMS_PackagesInContLib -Filter "PackageID = '$Pkg'" | Remove-WmiObject -Confirm
    }
    I wonder if the first script is not looking for INI's whereas the second one is. I verified that the INI's do exist...
    I'll run the second on all of my DP's, remove the left over INI's, and report back again next week on status.
    -Tony

  • All DPs read "Failed to retrieve the package list on the distribution point"...

    About 2 weeks ago all 10 of my DPs started reporting the following warning (roughly 2 weeks after upgrading to R2):
    "Failed to retrieve the package list on the distribution point ["Display=\\<server.FQDN>\"]MSWNET:["SMS_SITE=<code>"]\\<server.FQDN>\. Or the package list in content library doesn't match the one in WMI. Review
    smsdpmon.log for more information about this failure.
    This warning has appeared in my environment once before and I've read a number of posts regarding it. In the previous situation I found the problematic package ID recorded in smsdpmon.log and followed the standard procedure of redistributing and then proceeded
    with a validation check on the affected DP. These steps resolved the issue originally.
    This time around the package ID is not referenced in smsdpmon.log. It had the same error but the ID was not listed. Unfortunately the logs have already rolled over and I forgot to save a copy so I don't have anything to reference. I'm curious if anyone else
    has seen this behavior and what the recommended fix is. 
    As always, appreciate the help!

    I used the following process to clean up these warnings on my DPs:
    Setup content validation checks for each of my affected DPs to run every morning (previously only set to weekends). I did this so when I made a change I could validate whether or not it worked the following day. It would be great if there was a way to force
    these checks manually but I haven't found a method yet.
    After the content validation check completed I filtered through the smsdpmon.log on each affected DP. This revealed the package ID that was causing the issue.
    In my environment the package in question was not needed so I deleted it. If it is required I suspect re-distributing it would work as well.
    At this stage the problem was still not fully resolved for me. Even though I had deleted the package WMI was still inaccurate. I used this script to scrub WMI on all affected DPs and it picked up the problematic package ID:
    http://gallery.technet.microsoft.com/Powershell-script-to-fix-81dc4e69
    My content validation checks are now passing and the warnings are being cleared. YEAH!
    As a final note - After running the PS script Nickolaj posted I started seeing dozens of error checks on my packages (Distribution Manager failed to process package "Laptop Drivers" (package ID = XYZ00123).) After doing some research
    I found I was prone to this issue:
    Failed to start DP health monitoring task. In my case the suspect file was called "Microsoft". I moved it to another location and the errors cleared immediately.
    Hope this info is helpful to others!

  • Connecting to a remote OpenLDAP server over SSL.

    I've been trying for several weeks now to get a remote OpenLDAP server up and running; configured in such a way that it only allows SSL and requires certificate validation.
    I've created a CA with a self-signed certificate.
    I used that CA to create a server and client certificate.
    The server certificate is in /etc/ssl/certs, has a link by the name of its hash.0 pointing to it; permissions are all correct and /etc/ssl/slapd.conf point to it and the CA certificate.
    The client certificate is on my MacBook Pro in /etc/ssl/certs along with the CA certificate; each of which also has its hash linked to it. /etc/ssl/ldap.conf is set up properly, the permissions are correct, and the following test command ran as my user produces a successful result:
    ldapsearch -v -x -H ldaps://ldap.foo.org -b "dc=foo,dc=org" -d -1
    Now the problem part. I open Directory Utility; go to Services with Advanced Settings enabled. After unlocking it, I click the LDAPv3 and the pencil icon.
    I hit New... in the window that pops up and use ldap.foo.org as servername, SSL box ticked. I hit Continue, and behold; nothing happens.
    It is to say; Directory Utility hangs for a while; after which it goes back to the box I clicked Continue in without any error or warning popping up; but obviously hasn't advanced.
    The server logs indicate my Mac had actually connected; received the server certificate; but didn't send a client certificate at which point the TLS connection got aborted for some reason and the session ended.
    My Mac Console shows something even more bizarre, though:
    11/09/08 23:09:22 com.apple.DirectoryServices[97123] Assertion failed: (ld != NULL), function ldapsearchext, file search.c, line 76.
    My suspicion is that Directory Utility can't verify the server certificate and aborts the TLS connection. I expect it also uses /etc/openldap/ldap.conf? How can I diagnose the root of this problem?
    Thanks a lot for your assistance; I just can't figure this out and any hint or pointer would be greatly appreciated. It now just looks like OSX does not support a secure LDAP over SSL configuration.
    Though it currently isn't set up to be that way, I'd like to have my client also provide a certificate (CN=lhunath.foo.org) and have the server validate that. For now I've got the server set to:
    TLSVerifyClient never
    (And of course, the client:)
    TLS_REQCERT demand
    Message was edited by: lhunath

    By the way; about the assertion error I get in Console; here's the relevant source of ldap.c. Looks like ld is not set; probably something going wrong before that with setting up the TLS connection, perhaps? Or not?
    * ldapsearchext - initiate an ldap search operation.
    * Parameters:
    * ld LDAP descriptor
    int
    ldapsearchext(
    LDAP *ld,
    assert( ld != NULL );

  • How to set up iPhone 5 iOS 6 email with IMAP over SSL on a custom port?

    Basically I have the same problem as this guy 5 years ago but the thread contained no useful answer. Maybe there are people out there who became smarter in the meantime? Please help me out how to get my iPhone read emails via IMAP over SSL on a custom port to the corporate server. The issue is that the iPhone only seems to work if you use the standard 993 port for IMAPS, not with a custom port as we have. I've installed the corporate root certificate in a profile, and it shows up as trusted and verified in the phone, so that should not be the issue. The mail app in the iPhone tries to connect, I can verify that from the server, but then does nothing, doesn't try to authenticate, doesn't log out, nothing is going on, and then drops the connection after 60 seconds. Repeats this every 5 minutes (as set to fetch e-mail every 5 minutes.)
    Original thread 5 years ago: https://discussions.apple.com/message/8104869#8104869

    Solved it by some (a lot) of fiddling.
    Turns out it's not a bug in the iPhone, it's a feature.
    Here's how to make it work.
    DOVECOT
    If the IMAPS port is anything other than 933 (the traditional IMAPS port) the iPhone's Mail App takes the "Use SSL" setting on the IMAP server as 'TLS', meaning it starts the communication in plain text and then issues (tries to issue) the STARTTLS command to switch the connection to encrypted. If, however, Dovecot is set up to start right away in encrypted mode, the two cannot talk to each other. For whatever reason neither the server nor the client realizes the connection is broken and only a timeout ends their misery.
    More explanation about SSL/TLS in the Dovecot wiki: http://wiki2.dovecot.org/SSL
    So to make this work, you have to set Dovecot the following way. (Fyi, I run Dovecot 2.0.19, versions 1.* have a somewhat different config parameters list.)
    1. In the /etc/dovecot/conf.d/10-master.conf file make sure you specify the inet_listener imap and disable (set its port to 0) for imaps like this:
    service imap-login {
      inet_listener imap {
        port = --your port # here--
      }
      inet_listener imaps {
        port = 0
        ssl = yes
      }
    }
    This of course enables unencrypted imap for all hackers of the universe so you quickly need to also do the things below.
    2. In the /etc/dovecot/conf.d/10-ssl.conf file, make sure you set (uncomment) the following:
    ssl = required
    This sets Dovecot to only serve content to the client after a STARTTLS command was issued and the connection is already encrypted.
    3. In /etc/dovecot/conf.d/10-auth.conf set
    disable_plaintext_auth = yes
    This prevents plain text password authentication before encryption (TLS) is turned on. If you have also set ssl=required as per step 2, that will prevent all other kinds of authentications too on an unencrypted connection.
    When debugging this, please note that if you connect from localhost (the same machine the server runs on) disable_plaintext_auth=yes has no effect, as localhost is considered secure. You have to connect from a remote machine to make sure plain text authentication is disabled.
    Don't forget service dovecot restart.
    To test if your setup works as it's supposed to, issue the following (green) from a remote machine (not localhost) (I'm using Ubuntu, but telnet and openssl is available for almost all platforms) and make sure Dovecot responds with something like below (purple):
    telnet your.host.name.here yourimapsportnumber
    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
    Most importantly, make sure you see 'STARTTLS' and 'LOGINDISABLED'. Then issue STARTTLS and hopefully you see something like this:
    a STARTTLS
    a OK Begin TLS negotiation now.
    (The 'a' in front of STARTTLS is not a typo, a prefix is required by the IMAP server in front of all commands.)
    Close the telnet (with 'a logout' or Ctrl+C) and you can use openssl to further investigate as you would otherwise; at the end of a lot of output including the certificate chain you should see a line similar to the one below:
    openssl s_client -starttls imap -connect your.domain.name.here:yourimapsportnumber
    . OK Pre-login capabilities listed, post-login capabilities have more.
    You can then use the capability command to look for what authentication methods are available, if you see AUTH=PLAIN, you can then issue a login command (it's already under an encrypted connection), and if it's successful ("a OK Logged in"), then most likely your iPhone will be able to connect to Dovecot as well.
    a capability
    * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
    a login username password
    * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
    a OK Logged in
    POSTFIX
    Likewise, you have to set Postfix to wait for STARTTLS before encrypting the communication.
    1. You have to delete the setting smtpd_tls_wrappermode=yes from /etc/postfix/master.cf and/or /etc/postfix/main.cf, if it was enabled. This will mean Outlook won't be able to connect any more because it requires a TLS connection without issuing STARTTLS as per Postfix documentation (haven't tested.) In my case we don't use Outlook so I didn't care. Outlook + iPhone + custom SMTPS port are simply not possible together at the same time as far as I understand. Pick one to sacrifice.
    2. Require encrypted (TLS) mode for any data transfer in /etc/postfix/main.cf:
    smtpd_tls_security_level = encrypt
    3. Authentication should only happen while already in encrypted (TLS) mode, so set in /etc/postfix/main.cf:
    smtpd_tls_auth_only = yes
    Don't forget postfix reload.
    To test if this works, issue the following telnet and wait for the server's greeting:
    telnet your.host.name.here yoursmtpsportnumber
    220 your.host.name ESMTP Postfix (Ubuntu)
    Then type in the EHLO and make sure the list of options contains STARTTLS and does not include an AUTH line (that would mean unencrypted authentication is available):
    ehlo your.host.name.here
    250-STARTTLS
    Then issue starttls and wait for the server's confirmation:
    starttls
    220 2.0.0 Ready to start TLS
    Once again, it's time to use openssl for further testing, detailed info here http://qmail.jms1.net/test-auth.shtml
    CERTIFICATES
    You also need to be aware that iOS is somewhat particular when it comes to certificates. First of all, you have to make sure to set the following extensions on your root certificate (probably in the [ v3_ca ] section in your /etc/ssl/openssl.cnf, depending on your openssl setup), especially the 'critical' keyword:
    basicConstraints = critical,CA:true
    keyUsage = critical, cRLSign, keyCertSign
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    And then on the certificate you sign for your mail server, set the following, probably in the [ usr_cert ] section of /etc/ssl/openssl.cnf:
    basicConstraints=CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    subjectAltName = DNS:your.domain.name.here
    issuerAltName=issuer:copy
    Please note, the above are results of extensive google-ing and trial and error, so maybe you can omit some of the stuff above and it still works. When it started working for me, I stopped experimenting because figuring this all out already took way too much time. The iPhone is horribly undocumented when it comes to details of its peculiar behaviors. If you experiment more and have more accurate information, please feel free to post here as a reply to this message.
    You have to import your root certificate into your iPhone embedded in a profile via the iPhone Configuration Utility (free, but only available in Windows or a Mac; details here: http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to-ios-ipad-iphone/ ), after having first added it to Windows' certificate store as a trusted root certificate. This way the Utility will sign your certificate for the phone and it becomes usable; if you just add it from the phone it will be there but won't be used. Using a profile has the added benefit of being able to configure mail settings in it too, and that saves a lot of time when you have to install, remove, reconfigure, install again, etc. a million times until it works.
    Another undocumented constraint is that the key size is limited to a max of 4096. You can actually install a root certificate with a larger key, the iPhone Configuration Utility will do that for you without a word. The only suspicious thing is that on the confirmation screen shown on your iPhone when you install the profile you don't get the text "Root Certificate/ Installing the certificate will add it to the list of trusted certificates on your iPhone" in addition to your own custom prompt set up in the iPhone Configuration Utility. The missing additional text is your sign of trouble! - but how would you know that before you saw it working once? In any case, if you force the big key certificate on the device, then when you open the Mail App, it opens up and then crashes immediately. Again, without a word. Supposedly Apple implemented this limit on the request of the US Government, read more here if you're interested: http://blogs.microsoft.co.il/blogs/kamtec1/archive/2012/10/13/limitation-of-apple-devices-iphone-ipad-etc-on-rsa-key-size-bit.aspx .
    IN CLOSING...
    With all this, you can read and send email from your iPhone.
    Don't forget to set all your other clients (Thunderbird, Claws, etc.) to also use STARTTLS instead of SSL, otherwise they won't be able to connect after the changes above.
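The EHLO check described in the post above (STARTTLS listed, no AUTH line before TLS), written as an added example that is not part of the original post. The function names and the sample replies are constructed for illustration; the parser works on saved reply text, so it runs offline.

```python
import re

# Constructed sample replies to an EHLO sent before STARTTLS (not captured from a real server).
GOOD_EHLO = ("250-your.host.name\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
             "250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250 8BITMIME\r\n")
BAD_EHLO = ("250-your.host.name\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n"
            "250-AUTH=PLAIN LOGIN\r\n250 8BITMIME\r\n")

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Parse a multi-line SMTP reply into (code, {KEYWORD: [params]})."""
    code, keywords, complete = None, {}, False
    for index, raw in enumerate(reply.splitlines()):
        match = _REPLY_LINE.match(raw)
        if match is None or complete:
            raise ValueError("malformed reply line: %r" % raw)
        line_code, separator, text = match.groups()
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed mid-reply: %r" % raw)
        complete = separator == " "  # "250 " ends the reply, "250-" continues it
        if index == 0:
            continue  # first line carries the server name, not an extension
        # Some servers also advertise the legacy "AUTH=..." spelling for old clients.
        word, _, params = re.sub(r"[ =]", " ", text, count=1).partition(" ")
        if word:
            keywords.setdefault(word.upper(), []).extend(params.split())
    if not complete:
        raise ValueError("reply is truncated: no final '<code> ' line")
    return int(code), keywords


def check_pre_tls(reply):
    """Return a list of findings; an empty list means the pre-TLS EHLO looks right."""
    code, keywords = parse_ehlo(reply)
    if code != 250:
        return ["EHLO refused with code %d" % code]
    findings = []
    if "STARTTLS" not in keywords:
        findings.append("STARTTLS not offered")
    if "AUTH" in keywords:
        mechanisms = " ".join(sorted(set(keywords["AUTH"])))
        findings.append("AUTH offered before TLS: " + mechanisms)
    return findings
```

Paste the server's reply to `ehlo` from the telnet session into `check_pre_tls()`; any finding means the settings above have not taken effect on that port.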

  • Failed to Retrieve SQL

    Hi,
    Using STANDARD REPORT CREATION WIZARD, I connected to UNIVERSES Data Sources and RUN a query in BUSINESS OBJECTS QUERY PANEL, and I am getting the ERROR Message "Failed to Retrieve SQL". What would be the causes?
    Thanks,
    Sandeep

    Hi,
    try this link, [Click HEre|http://www.forumtopics.com/busobj/viewtopic.php?t=40450&sid=14981ec8c36d528ba129eedb58fe2e18]
    Regards,
    Clint

  • AD Password Sync connector 9.1.1 With OIM 11g R2 - ERROR OVER SSL

    I have set up AD password sync from AD to OIM 11G R2.
    The password syncs from AD to OIM 11G R2 on non-SSL port 389.
    But it fails on SSL port 636.
    Errors in OIMMain.Log:
    Debug [10/11/2012 10:49:34 AM] Inside ConnectToADSI
    Debug [10/11/2012 10:49:34 AM]
    ldap_connect failed with
    Debug [10/11/2012 10:49:34 AM] Server Down
    Debug [10/11/2012 10:49:34 AM]
    Steps Carried Out thus far:
    AD is up and running.
    Configured AD Password Sync Connector on 636 and selected ssl.
    Created Certificate on OIM host, configured custom identity key store on weblogic. Restarted Weblogic.
    Imported Certificate to AD. After this, restarted the AD
    I can Telnet port 636 from OIM Box and also connect to AD through LDAP Browser on 636 and view OU and CN, so this seems fine.
    Provisioning from OIM through Connector Server to AD works over SSL and this works fine.
    Help would be appreciated.
    Many Thanks

    This question has now been fixed.
    Instead of explicitly stating 636 for SSL,
    use the same port 389 for SSL and also configure the OIM port to be 140001, which is the SSL port for OIM, in the configuration of OIM Password Sync.
    Export Certificates from AD to java security keystore and to weblogic keystore
    Export .pem certificate created on OIM host machine to AD.
    Restart weblogic, oim and AD
    Everything would work fine.
    For all the other information, refer to doc.
    Thanks

  • BizTalk Tracking Profile Editor not tracking the data and how to implement the Orchestration as wcf service over SSL

    Hi Ashwinprabhu,
    thank you very much for your answer.
    I have one more query. I have an orchestration published as a WCF service in IIS, and internally the orchestration calls one more service; it means the orchestration sends a request and gets a response back from the service.
    Actually we are implementing the copy of that called service through BizTalk orchestration for system automation and tracking failed messages and n/w failures.
    But the tracking profiler is not tracking the data.
    And we need to develop the HTTP service as HTTPS (over SSL). We implemented it in IIS using a self-signed certificate; it is working just for browsing the WSDL (in browser), but we are not able to test the service in WCF Test Client. It is giving a WSDL error; in the WSDL the schema reference is showing with HTTP only.
    Please help me how to resolve the issue.
    Teegala

    First things first, I think it's best to publish only schemas as WCF service for dependency management reasons. That said - WSDL availability is covered in the WCF adapter under the behaviors. If you're using HTTPBasic this may be hard to modify, but using WCFCustom allows you to add the WSDL behavior and specify that it should be available via HTTPS.
    As to the BAM, are you using TPE within the orchestration or at the port level? I'd imagine your TPE tracks the start and end events of your orchestration using the Orchestration Schedule. If you're fairly confident that the TPE is correct and yet don't see BAM data 1) make sure your SQL Agent is running healthy and all jobs look OK and 2) check the TDDS tables in both the message box and the BAMPrimaryImport databases. These will show you if there has been some sort of sync issue. There's even a TDDS errors table - so check that out.
    Kind Regards,
    -Dan
    If this answers your question, please Mark as Answer

  • Failed to open XML document. Failed to retrieve Public ID

    I have a client posting to Weblogic 6.1 server with the help of Apache
    SOAP 2.2. The posting works fine if the contents of the SOAP message
    is small. But when the contents of SOAP reached more than 11KB, the
    following error occurs:
    Error: Failed to open XML document. Failed to retrieve PUBLIC id or
    SYSTEM id from the document. Decrease the number of char between the
    beginning of the document and its root element.
    The SOAP document looks like:
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
    <mn:sMethodName xmlns:mn="sMethodURI">
    <batch appid="1">
    <employee>
    <name>...</name>
    <address>...</address>
    </employee>
    <employee>
    <name>...</name>
    <address>...</address>
    </employee>
    </batch>
    </mn:sMethodName>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    The Max Post Size in Weblogic is set to (-1).
    The program is able to handle less than 50 items of
    <employee>.....</employee>. The error occurs when more than 50 items
    are used. The problem is that our application should be able to handle
    more than 1000 items of <employee>....</employee>.
    My questions are:
    1. How should I configure weblogic to solve the problem?
    2. How should I configure the deployment of Apache SOAP to solve the
    problem?
    Pls advise. Thanks.

    One can deduce from the error message that the parser is looking for the
    <?XML...?> portion of the document because that is where the SYSTEM and
    PUBLIC ids are found in the document.
    Peace,
    Cameron Purdy
    Tangosol Inc.
    Tangosol Coherence: Clustered Coherent Cache for J2EE
    Information at http://www.tangosol.com/
    "Grace" <[email protected]> wrote in message
    news:[email protected]...
    >
    Sorry, but I didn't get what you mean. I thought that was handled by the Apache
    SOAP API already? And if it couldn't see the XML document header, then why does
    this only happen when the document size is large? It doesn't have problems whenever
    the document size is small.
    "Cameron Purdy" <[email protected]> wrote:
    It's looking for the XML document header "<?XML" ....
    Peace,
    Cameron Purdy
    Tangosol Inc.
    Tangosol Coherence: Clustered Coherent Cache for J2EE
    Information at http://www.tangosol.com/
