Problem in SSL programation client in Weblogic 5.1 using JSSE

Similar Messages

• WebServices Client on Weblogic 8.1 using HTTPS

  Hi All,
  I have created a custom keystore file based on the SSL certificate obtained from the browser and then importing it into a java keystore file using the keytool.
  I am trying to do something like this:
  System.setProperty( "javax.net.ssl.trustStore", (this.getClass().getResource("/resources/abc.keystore")).getPath());
  HostnameVerifier hv = new HostnameVerifier(){
  public boolean verify(String urlHostName, SSLSession session) {
  return true;
  HttpsURLConnection.setDefaultHostnameVerifier(hv);
  This part goes fine and System.getProperty gives me the proper class path.
  After this, I am able to access the Web Service using eclipse and WL8.1 SP4. Though, the moment I deploy the application to the actual server (also using WL8.1 SP4), it throws the following exception:
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
  faultSubcode:
  faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.Valida
  torException: No trusted certificate found
  faultActor:
  faultNode:
  faultDetail:
  {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeExcept
  ion: sun.security.validator.ValidatorException: No trusted certificate found
  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
  at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFac
  tory.java:186)
  at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:1
  91)
  at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.ja
  va:404)
  at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
  at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrateg
  y.java:32)
  at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
  at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
  at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
  at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
  at org.apache.axis.client.Call.invoke(Call.java:2767)
  at org.apache.axis.client.Call.invoke(Call.java:2443)
  at org.apache.axis.client.Call.invoke(Call.java:2366)
  at org.apache.axis.client.Call.invoke(Call.java:1812)
  Shouldn't things like this just work as is. If it is working on my windows machine in eclipse, I was expecting it to work hassle-free on the server. Any thoughts and suggestions are appreciated.
  Thanks,
  Rahul
  Edited by rcpatel79 at 05/30/2007 9:21 AM

  So I added the DOCTYPE and now I get another error. And that is as follows:
  ERROR: Error from ejbc: Error parsing file 'META-INF/ejb-jar.xml' at line: 5 column: 219. Attribute "xmlns:xsi" must be declared for element type "ejb-jar".
  It seems that when the EJB is created, then it automatically creates the appropriate ejb-jar.xml and for some reason I guess the one it is creating this time is not good enough for Weblogic because first the DOCTYPE was missing and then after inserting the DOCTYPE I am getting the above error. Any help would be appreciated. This is the first time I am using Weblogic and this is a rather disheartening amount of progress I have made since last night! ;(
  Thanks in advance for any help. If I am doing something silly please point it out so I can learn!
  Cheers,
  Surya

• Problems deploying a simple EJB on Weblogic 8.1 using JDeveloper

  Hey guys,
  Title says it all. First I had one problem in that I could not test the connection to the Weblogic server. I moved the weblogic.jar file into the lib/ext folder and that test worked then. After that I wrote the EJB...a very simple one...and I followed the http://dev2dev.bea.com/pub/a/2006/01/wls-jdeveloper.html?page=1 tutorial so far. But when it came time to deploy the ejb to the server, I am getting this funky error:
  ERROR: ejbc found errors while processing the descriptor for C:\oracle\jdeveloper\jdev\mywork\WeblogicApp\EchoEJB\deploy\ejb1.jar:
  ERROR: Error from ejbc: Error processing 'META-INF/ejb-jar.xml': XML document does not appear to contain a properly formed DOCTYPE header
  Honestly I am confused now...any one encounter that error?
  Thanks for all replies.
  Cheers

  So I added the DOCTYPE and now I get another error. And that is as follows:
  ERROR: Error from ejbc: Error parsing file 'META-INF/ejb-jar.xml' at line: 5 column: 219. Attribute "xmlns:xsi" must be declared for element type "ejb-jar".
  It seems that when the EJB is created, then it automatically creates the appropriate ejb-jar.xml and for some reason I guess the one it is creating this time is not good enough for Weblogic because first the DOCTYPE was missing and then after inserting the DOCTYPE I am getting the above error. Any help would be appreciated. This is the first time I am using Weblogic and this is a rather disheartening amount of progress I have made since last night! ;(
  Thanks in advance for any help. If I am doing something silly please point it out so I can learn!
  Cheers,
  Surya

• Itunes wont work.Says there has been a problem with the program and then shutsdown. only works using safe mode

  Recently itunes stopped working. It will only work using safe mode. i have check the plug ins folder but i have no plug ins.

  Hello MaFiosoXIII
  For issues with iTunes crashing and only working in Safe Mode, then check out the article below to continue your troubleshooting to get it working again. 
  iTunes for Windows Vista, Windows 7, or Windows 8: Fix unexpected quits or launch issues
  http://support.apple.com/kb/TS1717
  Regards,
  -Norm G.

• Problems in accessing an SSL enabled site through Weblogic 6.1

  Hi,
  We want to connect to an SSL enabled site (https://test.SalesForce.com) through Weblogic 6.1. We are using JDK1.3.1_08 and Apache axis.
  We have followed the appropriate steps explained in the URL -
  http://www.pankaj-k.net/WSOverSSL/WSOverSSL-HOWTO.html
  As mentioned in the above link, we made the configurations in JDK 1.3.1_08 to put the jsse.jar and other important JARs in jre\lib\ext folder and also updated the java security file to add the proper "Provider".
  After that we tried to execute the test application to connect to an SSL site specified in it. It is a stand alone Java application and connects to the site and reads the bytes of the home page and displays them on the console.
  When we tried to connect the SalesForce test site, we figured out that we were able to connect to the site and were able to read entire stream of bytes.
  Then we copied the same code in a sample JSP, set the JDK1.3.1_06 as the JAVA_HOME for Weblogic6.1 and tried to connect to our test site through that JSP.
  We observed that it is connecting to the site but reading just a few initial bytes and not the entire stream.
  When we tried the same steps with Weblogic8.1 and JDK1.4.2_X, it works fine and reads the entire page with Weblogic8.1 as client.
  So, we observed that the standalone application works fine with JDK1.3.1_08, it also works fine on the the Weblogic 8.1 and JDK1.4.2_x combination, but when we use Weblogic6.1 and JDK1.3.1_08, it does not work properly.
  Is there any setup issue in Weblogic 6.1 regarding connecting to a SSL enabled site?
  Our actual problem scenario is a bit different than this, but we are sure that it is related to this situation and a solution to this problem can resolve the actual problem.
  Another question we have is do we need to configure SSL in Weblogic 6.1 and also care for installing certificates evenif Weblogic 6.1 in this case is a mere client?
  We have tried to connect to the same site using Weblogic 8.1 and JDK1.4.2_X. We did not require any kind of certicates in that case. Hence I want to clear my doubt.
  Please help.

  Hello,
  Just wondering if you ever found a solution to this problem. We are suffering just about the exact same issue, where our environment with WebLogic 6.1 SP4 cannot access an SSL enabled site, but our WebLogic 8.1 SP2 upgrade environment can. The only difference we've been able to pinpoint is that our 6.1 server connects via TLS1.0 (SSL3.1) and our 8.1 server connects via SSLv3 (SSL3.0). Does anyone know how to control which version of SSL WebLogic 6.1 uses?

• Watchguard SSL VPN client on OSX 10.7 Lion TUN/TAP Kernel Problem

  I upgraded to OSX 10.7 Lion and lost the use of the Watchguard VPN client.
  I eventually found a solution at http://lesmond.net/2011/07/watchguard-ssl-vpn-client-on-osx-10-7-lion/
  I had already uninstalled Watchguard VPN and tried to reinstall to see if that worked (poor advice from another forum)
  I hadn't manually removed Watchguard icon from the dock.
  When you try to reinstall the dialog tells you to run an postupgrade script on the TUN/TAP kernel and then quits with a fail.
  If you install openVPN in this scenario you get an openVPN app and menu item, both of which do nothing.
  Click on the Watchguard dock icon and connect.
  I was then asked to upgrade and ended up with the run post upgrade script dialog and quit with a fail.
  I then clicked on the Watchguard doc icon again and connected.
  This time it connected with no problem.
  Hope this helps!

  WG has new firmware that will fix the problem, once flashed, download the new client vpn client (11.5.1) and you should be good to go.
  I had to contact WG to get the patch as it was not in the portal  Version 11.3.4 CSP6 for my device.  Hope this helps someone.

• Strange problem with SSL Sockets using more than 10 Clients

  Hi
  I�m using Jsse ( JDK 1.4.2_06 ). I have coded a Client/Server Applikation acting over SSLSockets or over unsecured Sockets. If I use unsecured Sockets everthing works fine, but if I use SSLSockets for the Connection and about 20 Clients, the Clients often can�t connect to the Server and the following Exception was thrown:
  java.net.ConnectException: Connection refused: connect
  Could it be that there is some strange problem with SSLServerSockets relating to this phenomenon?
  If I use only a few Clients the Exception occurs never or only sometimes.
  Has anyboby an idea what is happaning there?
  Regards Chrisli

  Hi
  From the description of your scenario, you have coded your own server side of the application. I would advise that you consider moving your application to run under Tomcat framework and test if you still get the same exception.

• SA540 SSL VPN Client will not install on Windows 7

  I had the SSL VPN Client working on my Windows 7 laptop.  I tried to use the SSL VPN through Firefox and now my client does not work on IE anymore.
  The install process beings and the progress bar makes it halfway before I get an error saying the install failed.
  I tried everything I could to remove the SSL VPN client manually.  I even followed the instructions posted at the end of this forum posting:  https://cisco-support.hosted.jivesoftware.com/thread/2018716?decorator=print&displayFullThread=true
  Nothing has worked.
  The best I can find is the VPN Client is crashing during install.  I saw this in the Event Log.
  Fault bucket 177244756, type 5
  Event Name: PnPDriverInstallError
  Response: Not available
  Cab Id: 0
  Problem signature:
  P1: x64
  P2: E0000234
  P3: ssldrv.inf
  P4: 93775c2b0faa616bc11a47d4ff617aa8d00cd56f
  P5: SSLDrv.Ndi
  P6:
  P7:
  P8:
  P9:
  P10:
  Attached files:
  C:\Users\shudson\AppData\Local\Temp\DMIE984.tmp.log.xml
  C:\Windows\inf\oem54.inf
  These files may be available here:
  C:\Users\shudson\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_x64_d317f66069d2e3b17f6bc1e7306afd9085494a_1020fe2c
  Analysis symbol:
  Rechecking for solution: 0
  Report Id: 75c67e96-1882-11e0-8e4d-5c260a0235ed
  Report Status: 0
  I then used AppCrashView to see the crash report and I get this:
  Version=1
  EventType=APPCRASH
  EventTime=129386443518175301
  ReportType=2
  Consent=1
  UploadTime=129386443518799293
  ReportIdentifier=2a4c4f0a-183c-11e0-aac2-5c260a0235ed
  IntegratorReportIdentifier=2a4c4f09-183c-11e0-aac2-5c260a0235ed
  WOW64=1
  Response.BucketId=2007535968
  Response.BucketTable=1
  Response.type=4
  Sig[0].Name=Application Name
  Sig[0].Value=VirtualPassageExe.exe
  Sig[1].Name=Application Version
  Sig[1].Value=1.7.3.1
  Sig[2].Name=Application Timestamp
  Sig[2].Value=4b20cf25
  Sig[3].Name=Fault Module Name
  Sig[3].Value=OLEAUT32.dll
  Sig[4].Name=Fault Module Version
  Sig[4].Value=6.1.7600.16567
  Sig[5].Name=Fault Module Timestamp
  Sig[5].Value=4bbc2f3d
  Sig[6].Name=Exception Code
  Sig[6].Value=c0000005
  Sig[7].Name=Exception Offset
  Sig[7].Value=00004660
  DynamicSig[1].Name=OS Version
  DynamicSig[1].Value=6.1.7600.2.0.0.256.48
  DynamicSig[2].Name=Locale ID
  DynamicSig[2].Value=1033
  DynamicSig[22].Name=Additional Information 1
  DynamicSig[22].Value=0a9e
  DynamicSig[23].Name=Additional Information 2
  DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
  DynamicSig[24].Name=Additional Information 3
  DynamicSig[24].Value=0a9e
  DynamicSig[25].Name=Additional Information 4
  DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
  UI[2]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  UI[3]=VirtualPassageExe MFC Application has stopped working
  UI[4]=Windows can check online for a solution to the problem.
  UI[5]=Check online for a solution and close the program
  UI[6]=Check online for a solution later and close the program
  UI[7]=Close the program
  LoadedModule[0]=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
  LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
  LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
  LoadedModule[4]=C:\Windows\system32\MFC42.DLL
  LoadedModule[5]=C:\Windows\syswow64\msvcrt.dll
  LoadedModule[6]=C:\Windows\syswow64\USER32.dll
  LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
  LoadedModule[8]=C:\Windows\syswow64\LPK.dll
  LoadedModule[9]=C:\Windows\syswow64\USP10.dll
  LoadedModule[10]=C:\Windows\syswow64\ADVAPI32.dll
  LoadedModule[11]=C:\Windows\SysWOW64\sechost.dll
  LoadedModule[12]=C:\Windows\syswow64\RPCRT4.dll
  LoadedModule[13]=C:\Windows\syswow64\SspiCli.dll
  LoadedModule[14]=C:\Windows\syswow64\CRYPTBASE.dll
  LoadedModule[15]=C:\Windows\syswow64\ole32.dll
  LoadedModule[16]=C:\Windows\syswow64\OLEAUT32.dll
  LoadedModule[17]=C:\Windows\system32\ODBC32.dll
  LoadedModule[18]=C:\Windows\syswow64\SHELL32.dll
  LoadedModule[19]=C:\Windows\syswow64\SHLWAPI.dll
  LoadedModule[20]=C:\Windows\system32\apphelp.dll
  LoadedModule[21]=C:\Windows\AppPatch\AcLayers.DLL
  LoadedModule[22]=C:\Windows\system32\USERENV.dll
  LoadedModule[23]=C:\Windows\system32\profapi.dll
  LoadedModule[24]=C:\Windows\system32\WINSPOOL.DRV
  LoadedModule[25]=C:\Windows\system32\MPR.dll
  LoadedModule[26]=C:\Windows\system32\IMM32.DLL
  LoadedModule[27]=C:\Windows\syswow64\MSCTF.dll
  LoadedModule[28]=C:\Windows\system32\odbcint.dll
  LoadedModule[29]=C:\Windows\system32\uxtheme.dll
  LoadedModule[30]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16661_none_ebfb56996c72aefc\COMCTL32.DLL
  LoadedModule[31]=C:\Windows\system32\dwmapi.dll
  State[0].Key=Transport.DoneStage1
  State[0].Value=1
  FriendlyEventName=Stopped working
  ConsentKey=APPCRASH
  AppName=VirtualPassageExe MFC Application
  AppPath=C:\Users\shudson\CiscoCisco-SSLVPN-Tunnel\VirtualPassageExe.exe
  None of this makes any sense to me, but may someone can tell me why the install is failing?
  Thanks,
  Scott

  Mario,
  I tried everything you mentioned.  I cleared cookies and temporary files.  I enabled SSL 3.0. I restarted IE.
  I get the same thing.  The install process starts and then ends at suddenly saying the install failed.
  Scott

• Receiver SOAP adapter SSL error - client certificate required?

  Hi all,
  Problem configuring SSL in XI 3.0 NW04 SP17....
  I have followed the config steps from Rahul's excellent weblog at <a href="/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter">How to use Client Authentication with SOAP Adapter</a> (my Basis team have done the Visual Admin steps) and am going through his example as it closely matches my requirement. So, I have a test receiver SOAP adapter sending messages to a web service URL defined for a sender SOAP adapter. My test scenario is:
  <b>Sender File -> <u><i>Receiver SOAP -> Sender SOAP</i></u> -> IDoc Receiver -> IDocs in R/3</b>
  The problem components are in italic and underlined above. My Receiver SOAP Adapter has the web service URL, Certificate Keystore Entry and View entered. If, in the Sender SOAP Adapter, I have an HTTP Security Level of HTTPS Without Client Authentication, the interface works fine (note that Rahul suggests you untick the User Authentication in the Receiver but with this Security Level, it seems to work with or without it).
  The problem is when I set HTTPS <b>With</b> Client Authentication in the Sender. I then get the following error in the message monitor:
  SOAP: response message contains an error XIServer/UNKNOWN/ModuleUnknownException - com.sap.aii.af.mp.module.ModuleException: java.security.AccessControlException: <b>client certificate required caused by: java.security.AccessControlException</b>: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:1111) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl3.process(ModuleLocalLocalObjectImpl3.java:103) at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:250) at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0.process(ModuleProcessorLocalLocalObjectImpl0.java:103) at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:166) at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:421) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java(Compiled Code)) at com.sap.engine.services.httpserver.server.Client.handle(Client.java(Inlined Compiled Code)) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java(Compiled Code)) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code)) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code)) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code)) at java.security.AccessController.doPrivileged1(Native Method) at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code)) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code)) Caused by: java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:843) ... 22 more
  Has anyone got any idea what this could be caused by?
  Many thanks,
  Stuart Richards

  Have you configured the https port with that keystore entry?
  Check out these links:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/b0/881e3e3986f701e10000000a114084/frameset.htm
  http://help.sap.com/saphelp_nw2004s/helpdata/en/5c/15f73dd0408e5be10000000a114084/frameset.htm
  Regards,
  Henrique.

• Create outgoing SSL connections in WebLogic 4.5.1 using JSSE

  Hi,
  Does anyone know how to create outgoing SSL connections from a WLS 4.5.1 using
  JSSE.
  I've implemented an application using JSSE for POSTing data to an HTTPS server
  that requires client authentication and it worked fine. But when used inside the
  WebLogic server it doesn't work, because the WLS SSL classes are used instead
  of the JSSE ones. It returns a "java.io.IOException: Alert: fatal handshake_failure".
  If the ssl.enable property is set to false probably it will work, but I need it
  set to true. Does anyone a way to solve this problem?
  Thanks in advance.

  Hi,
  I also need to do the same in weblogic 5.1 (sp8). I know
  it is not possible with JSSE, but how do I achieve with
  weblogic implementation of Https? I am getting "Non
  supported cipher requested" error. How do I remove this message. It will be
  of great help if someone can list
  down the configuration step in weblogic. I am trying
  to find it in weblogic documentation but no success so far.
  Thanks in advance for your help!
  - Rishi
  "Jerry" <[email protected]> wrote in message
  news:[email protected]..
  Hi Nuno,
  I don't think that you can use JSSE to make outgoing SSL connections inWLS 4.5.1 because
  of the many conflicts between JSSE and the WLS SSL classes
  In versions of 5.1 (such as sp9 and up), and also 6.0 and 6.1, BEA gotrid of these
  conflicts to make the use of JSSE possible with WebLogic to do outgoingSSL.
  In 4.5.1, I believe you are out of luck.
  Joe Jerry
  Nuno Carvalho wrote:
  Hi,
  Does anyone know how to create outgoing SSL connections from a WLS 4.5.1
  using
  JSSE.
  I've implemented an application using JSSE for POSTing data to an HTTPSserver
  that requires client authentication and it worked fine. But when usedinside the
  WebLogic server it doesn't work, because the WLS SSL classes are usedinstead
  of the JSSE ones. It returns a "java.io.IOException: Alert: fatalhandshake_failure".
  If the ssl.enable property is set to false probably it will work, but Ineed it
  set to true. Does anyone a way to solve this problem?
  Thanks in advance.

• Urgent : problems in authenticating the client

  Hi every one,
  Im new to SSL and have a problem in authenticating the client with the server. when i disable
  ((SSLServerSocket)serversocket).setNeedClientAuth(true);
  both the server and client work fine and i get the required output.
  if i use -Djavax.net.ssl.truststore=trustStoreName and -Djavax.net.ssl.keyStore=keystoreName in the command line for the client then it works but i want to do it without the commandline options
  I tried to debug the clients ssl handshake where it seams that if i dont mention the truststore and keystore in the command line it wont take the ones mentioned in the code.
  If anyone has a solution for this or any idea can you please help me out im stuck on it for about a week now. Thanks in advance.
  uzi
  Message was edited by:
  Deo_Zone
  Message was edited by:
  Deo_Zone

  Hi...
  i'm new to ssl connection....i implement the code for ssl connection through java program...i use the following code
  String keystore = "<java_home>/jre/lib/security/cacerts";
  System.setProperty("javax.net.ssl.trustStore",keystore);
  env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.SECURITY_AUTHENTICATION,"simple");
  env.put(Context.SECURITY_PRINCIPAL,adminName);
  env.put(Context.SECURITY_CREDENTIALS,adminPassword);
  env.put(Context.SECURITY_PROTOCOL,"ssl");
  String ldapURL = "ldaps://mydc.speedrock.com:636";
  env.put(Context.PROVIDER_URL,ldapURL);
  DirContext ctx = new InitialLdapContext(env,null);
  i use this code in my web application and using server tomcat 5.5 server...
  Steps:
  1. Started my tomcat server
  2. attempt to change ActiveDirectory user password.
  At this time i'm not importing AD server certificate into cacerts file..
  In this situation it throws exception.
  3. now i import the valid certificate into cacerts file using keytool command
  keytool -import -alias xyzADCert -keystore <javahome>/jre/lib/security/cacerts -keypass changeit -storepass changeit -noprompt -file <java_home>/jre/lib/security/ca.cer;
  when i run this command from console, import the certificate successfully....
  4. now again attempts to change password...
  In this situation it gives same previous exception....
  But, when i restart the tomcat server and attempts change password, its working fine...
  The same thing happens in case of delete certificate...
  Steps:
  1.Start the tomcat server
  2. import valid certificate using keytool command
  keytool -import -alias xyzADCert -keystore <javahome>/jre/lib/security/cacerts -keypass changeit -storepass changeit -noprompt -file <java_home>/jre/lib/security/ca.cer;
  3. Try to change password....working fine
  4. delete the certificate using keytool command
  keytool -delete -alias xyzADCert -keystore <javahome>/jre/lib/security/cacerts -keypass changeit -storepass changeit
  when i run this command certificate deleted from cacerts file....
  for confirmation, once again i run this command...it gives alias does not exit message.
  5. Now, i re attempts to change password with out restaring tomcat server...
  instead of throwing exception like "simple bind failed", password updated in server for user.
  6. But, when i restart the tomcat server, it gives the exception like "simple bind failed" when i try to change password.
  my target is with out restarting server ..do change password successfully when i import the certificate and throw exception when i delete the certificate from cacerts file...
  please give me some help...

• Problem creating web service client using WSM Policies

  Hello everyone,
  I'm trying to make a simple java client to a Web Service secured using a WSM 11gR1 policy (from Soa Suite 11.1.1.2.0). The policy on the server side is oracle/wss11_x509_token_with_message_protection_service_policy which I attached via the Weblogic Admin Console. To implement the client I'm trying to follow the instructions from this documentation: http://download.oracle.com/docs/cd/E15523_01/web.1111/e13713/owsm_appendix.htm#WSSOV386 section "Policy Configuration Overrides for the Web Service Client" and also I'm using OEPE 11.1.1.3.0 (Eclipse 3.5.0) to develop the client. The only weblogic jar I've added to the build path is the weblogic.jar . Unfortunately, the oracle.wsm.security.util.SecurityConstants.ClientConstants interface (used in the example A-6) is not included in this jar and I have no idea what other libraries should I include in order to follow the example. I tried manualy adding other jars but without success. In fact I found one jar which includes this interface, the wsm-secpol.jar but it does not have the properties described in the documentation, so I guess it's not the right jar, and also I don't think this is the right procedure since there might be another dependent jars. So I would like to know what libraries exactly I should add to the build path (or some other procedure if you noticed I'm doing anything wrong)
  Thank you !

  Hi
  I am having the same problem almost where i wrote a client to comsume a JWS server in https. Where the server is setup to require a certificate to connect to.
  My code:
  public static void main(String[] args) {
  try {
  DataBaseSyncServerImpl port = new DataBaseSyncServerImplService().getDataBaseSyncServerImplPort();
  int number1 = 20;
  int number2 = 10;
  System.out.printf("Invoking divide method(%d, %d)\n", number1, number2);
  double result = port.divide(number1, number2);
  System.out.printf("The result of dividing %d and %d is %f.\n\n", number1, number2, result);
  when run this code throw
  run:
  [java] Invoking divide method(20, 10)
  [java] Exception in thread "main" javax.xml.ws.WebServiceException: HTTP transport error: javax.net.ssl.SSLHandshak
  eException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCert
  PathBuilderException: unable to find valid certification path to requested target
  Does any one know how can I solve this problem or how can I make the client be able to use self signed certificates. Any help is greatly apprecited. Thanks

• SSL VPN Client Error

  I setup a Cisco ASA 5510 SSL VPN with the folowing;
  IOS 7.2
  SSL VPN CLient sslclient-win-1.1.1.164.pkg
  Out of 400 users, there is one user having problem installing the SSL Client to his laptop. The user laptop information is;
  IBM Thinkpad T40
  Windows XP SP 2
  Internet Explorer 7
  All patches up-to-date
  All drivers up-to-date
  SSL VPN Client connection process;
  - User login with valid account and password
  - The SSL VPN Client package will automatically download and installed.
  - User will then be connected to SSL VPN
  The ERRORS;
  1. GUI (Cisco SSL VPN Client installation process)
  "The SSL VPN Client driver has Encountered an Error"
  2. Event Viewer
  The only error in this user event viewer that differs from other users who successfully connected are;
  a)
  Function: EnableVA
  Return code: 0
  File: e:\temp\build\workspace\SSLClient\Agent\VAMgr.cpp
  Line: 310
  Description: unknown
  b)
  Function: EnableVA
  Return code: 0xFE080007
  File: e:\temp\build\workspace\SSLClient\Agent\VpnMgr.cpp
  Line: 1145
  Description: VAMGR_ERROR_ENABLE_VA_FAILED
  Anyone know what thus the error means?
  BTW, anyone know the link to SSL VPN knowledgebase. i.e errors, root cause, solutions?
  Thanks

  The Cisco SVC provides end users running Microsoft Windows XP or Windows 2000 with the benefits of a Cisco IPSec VPN client without the administrative overhead required to install and configure an IPSec client. It supports applications and functions unavailable to a standard WebVPN connection.
  http://www.cisco.com/univercd/cc/td/doc/product/vpn/svc/svcrn110.htm

• Problem establishing SSL VPN from only 1 IP address

  Hi,
  I'm experiencing strange problem.
  I can't establish SSL VPN connection from 1 IP address, but I don't have problem establishing SSL VPN from any other IP address.
  Remote IP address: 10.0.0.1
  ASA's public IP address: 192.168.1.1
  Output of packet-tracer:
  1. with problematic source IP address:
  packet-tracer input wan tcp 10.0.0.1 50601 192.168.1.1 443 detailed
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.1.1   255.255.255.255 identity
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
          hits=861, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 3
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
          hits=4069, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
          hits=4044934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=wan, output_ifc=any
  Phase: 5
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
          hits=2268518, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=wan, output_ifc=any
  Phase: 6
  Type: TCP-MODULE
  Subtype: webvpn
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
          hits=4627, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 7
  Type: VPN
  Subtype: encrypt
  Result: DROP
  Config:
  Additional Information:
  Reverse Flow based lookup yields rule:
  out id=0x7fff375504a0, priority=69, domain=encrypt, deny=false
          hits=40747, user_data=0x0, cs_id=0x7fff3754fa40, reverse, flags=0x0, protocol=0
          src ip/id=192.168.1.1, mask=255.255.255.255, port=0
          dst ip/id=10.0.0.1, mask=255.255.255.255, port=0, dscp=0x0
          input_ifc=any, output_ifc=wan
  Result:
  input-interface: wan
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  If I run packet-tracer with any other source IP address, let's say 10.0.0.2, everything is OK:
  packet-tracer input wan tcp 10.0.0.2 50601 192.168.1.1 443 de
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.1.1   255.255.255.255 identity
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
          hits=862, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 3
  Type: CONN-SETTINGS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
          hits=4090, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
          hits=4047886, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=wan, output_ifc=any
  Phase: 5
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
          hits=2270040, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=wan, output_ifc=any
  Phase: 6
  Type: TCP-MODULE
  Subtype: webvpn
  Result: ALLOW
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
          hits=4648, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
          input_ifc=wan, output_ifc=identity
  Phase: 7
  Type: USER-STATISTICS
  Subtype: user-statistics
  Result: ALLOW
  Config:
  Additional Information:
  Reverse Flow based lookup yields rule:
  out id=0x7fff3a1cc320, priority=0, domain=user-statistics, deny=false
          hits=4902651, user_data=0x7fff3a0043c0, cs_id=0x0, reverse, flags=0x0, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=any, output_ifc=wan
  Phase: 8
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 4384689, packet dispatched to next module
  Module information for forward flow ...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_tcp_normalizer
  snp_fp_tcp_mod
  snp_fp_adjacency
  snp_fp_fragment
  snp_fp_drop
  Module information for reverse flow ...
  snp_fp_tracer_drop
  snp_fp_inspect_ip_options
  snp_fp_tcp_normalizer
  snp_fp_adjacency
  snp_fp_fragment
  snp_ifc_stat
  Result:
  input-interface: wan
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: allow
  I run packet capture on WAN interface - and I can only see incoming packets (SYN) with destination to tcp/443 but there isn't any outgoing packet (SYN/ACK).
  I even can't open web page from internet browser (url https://192.168.1.1) when source IP is 10.0.0.1, but I can open "SSL VPN Service" web page from any other source IP address.
  The only thing different with this IP address is that there's configured site-to-site (IPsec) vpn tunnel from same source to same destination IP address.
  Here is the configuration of the tunnel:
  group-policy GroupPolicy_10.0.0.1 internal
  group-policy GroupPolicy_10.0.0.1 attributes
  vpn-filter value VPN-ACL
  vpn-tunnel-protocol ikev1 ssl-client
  access-list VPN-ACL:
  access-list VPN-ACL extended permit ip object-group DM_INLINE_NETWORK_83 object-group DM_INLINE_NETWORK_84
  object-group network DM_INLINE_NETWORK_83
  network-object 10.11.217.0 255.255.255.0
  network-object 192.168.201.0 255.255.255.0
  object-group network DM_INLINE_NETWORK_84
  network-object 10.11.217.0 255.255.255.0
  network-object 192.168.201.0 255.255.255.0
  tunnel local & remote networks:
  access-list wan_cryptomap_5 extended permit ip 10.11.217.0 255.255.255.0 192.168.201.0 255.255.255.0
  crypto map wan_map 5 match address wan_cryptomap_5
  crypto map wan_map 5 set connection-type answer-only
  crypto map wan_map 5 set peer 10.0.0.1
  crypto map wan_map 5 set ikev1 transform-set ESP-3DES-SHA
  I've configured the same setup in my lab and I can't reproduce the error.
  The SW version running on ASA is asa861-12.
  I'm out of ideas.

  Just collected some other information:
  1. traceroute shows that traffic is not leaving ASA at all
  1   *  *  *
  2   *  *  *
  3   *  *  *
  I double checked that there is no "strange" entry for remote public IP in routing. Traffic with destination to remote IP should be sent via default gateway like all other traffic.
  2. debug crypto ipsec shows this information when I ping public IP address of the remote host (with VPN
  IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.1, sport=30647, daddr=10.0.0.1, dport=30647
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 1: skipping because 5-tuple does not match ACL wan_cryptomap_1.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 2: skipping because 5-tuple does not match ACL wan_cryptomap_2.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 3: skipping because 5-tuple does not match ACL wan_cryptomap_3.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 4: skipping because 5-tuple does not match ACL wan_cryptomap_4.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 6: skipping because 5-tuple does not match ACL wan_cryptomap_6.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 7: skipping because 5-tuple does not match ACL wan_cryptomap_7.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 8: skipping because 5-tuple does not match ACL wan_cryptomap_8.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 9: skipping because 5-tuple does not match ACL wan_cryptomap_9.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 10: skipping because 5-tuple does not match ACL wan_cryptomap_10.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 11: skipping because 5-tuple does not match ACL wan_cryptomap_11.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 13: skipping because 5-tuple does not match ACL wan_cryptomap_13.
  IPSEC(crypto_map_check)-5: Checking crypto map wan_map 65535: skipping dynamic_link.
  IPSEC(crypto_map_check)-1: Error: No crypto map matched.
  It really seems that the whole problem is that ASA is trying to encrypt traffic sent from public IP address of one VPN endpoint and targeted to public IP address of another VPN endpoint and send it to remote VPN endpoint via IPcec tunel.
  There is indeed VPN tunnel established between both VPN endpoints, but there are just local and remote networks defined with private IP address space for this tunnel, VPN endpoint's public IP addresses are not included in the definition of this IPsec VPN tunnel.
  And there are at least two more IPsec VPN tunnels configured the same way and I can't reprodure this error on there two VPN tunnels.
  Any idea?

• Problem with socket programming(Vista)

  I'm not sure if this has something to do with windows vista.
  I wrote simple echo client and server programs and the client program contains these lines
  String hostname="172.16.54.22"; //My comp's IP
  int portNo=6666;
  mySocket=new Socket(hostname, portNo);
  Now the problem is that the client program is able to communicate with the server only when I run both of them in xp machines or if I run the server in vista and client in xp. The client is not able to connect to the server when both the client and server are running in a vista machine or if the server is running in xp and client in vista.
  It'd be nice if any of you could throw some light on this issue.
  PS:
  It doesn't work even if I turn the firewall off
  The programs work well when I give hostname="localhost" or hostname="127.0.0.1"
  Here are my programs
  //EchoClient.java
  import java.io.*;
  import java.net.*;
  import java.util.*;
  class EchoClient
       public static void main(String args[])
            String hostname="172.16.54.25"; //My ip address
            int portNo=6666;
            //if(args[1]
            //PrintWriter out=null;
            Socket mySocket=null;
            BufferedReader networkIn=null;
            BufferedReader userIn=null;
            PrintWriter sockOut=null;
            try
                 mySocket=new Socket(hostname, portNo);
                 networkIn=new BufferedReader(new InputStreamReader(mySocket.getInputStream()));
                 userIn=new BufferedReader(new InputStreamReader(System.in));
                 sockOut= new PrintWriter(mySocket.getOutputStream());
                 System.out.println("Connected to Echo Server\n");
                 System.out.println("Enter a series of lines (\"end\" to exit)\n");
                 while(true)
                      String myLine=userIn.readLine();
                 //     System.out.println(myLine);
                      if(myLine.equals("end"))
                           break;
                      sockOut.println(myLine);
                      sockOut.flush();
                      System.out.println(networkIn.readLine());
            catch(IOException exc)
                 System.err.println(exc);
            finally
                 try{
                 if(networkIn!=null) networkIn.close();
                 if(sockOut!=null) sockOut.close();}
                 catch(IOException exc){ }
                 EchoServer.java
  //EchoServer.java
  import java.io.*;
  import java.net.*;
  class EchoServer
       public static void main(String args[])
            int portNo=6666;
            ServerSocket serverSock=null;
            try
                 serverSock=new ServerSocket(portNo);
                 System.out.println("Echo Server Started\n\n");
                 while(true)
                      Socket clientSock=serverSock.accept();
                      new Thread(new EchoServerThread(clientSock)).start();
            catch(IOException exc)
                 System.err.println(exc);
       EchoServerThread.java
  //EchoServerThread.java
  import java.io.*;
  import java.net.*;
  import java.util.*;
  public class EchoServerThread implements Runnable
       public Socket clientSock;
       EchoServerThread(Socket sock)
            clientSock=sock;
       public void run()
            System.out.println("\nAccepted Connection from a Client");
            try{
            BufferedReader in=new BufferedReader(new InputStreamReader(clientSock.getInputStream()));
            BufferedReader userIn=new BufferedReader(new InputStreamReader(System.in));
            PrintWriter out= new PrintWriter(clientSock.getOutputStream());
                      /*In sockIn=new In(clientSock);
            Out sockOut=new Out(clientSock);*/
            String str;
            while((str=in.readLine())!=null)
                 out.println(str);
                 out.flush();
            System.out.println("Closing Connection from a Client");
            out.close();
            in.close();
            catch(IOException exc)
                 System.err.println(exc);
       

  Sorry everyone but I'd been giving a wong IP address thinking it's my own. The problem's solved.
  Thanks for the response Peter.