Problem with ssl certificate
Hello everyone!
I have a scenario wherein I am trying to connect SRM to a marketsite through XI.
SRM (Purchase Order) ---> XI (marketplace adapter) ---> Marketsite
The URL of the marketsite is of the type HTTPS so I am using certificate logon as the method for authentication.
Please tell me whether this is the right thing to do:
1. Create a self-signed certificate in the "Key Storage" of the visual administrator.
2. Export the certificate and have it installed in the marketsite.
3. Configure the marketplace com. channel in the integration directory to use the private key I used to generate the certificate I sent to the marketsite.
Having done that, I get a "server rejected by chain verifier" error in the message monitoring tool.
Here are some other questions:
1. Should I create a new View for the certificate and private key, or should I create the certificate in the existing "service_ssl" and rename the new certificate "ssl-credentials-cert" and the private key "ssl_credentials"?
2. Will a self-signed certificate work or do I need to get it signed by a CA before importing the response.
3. If a self-signed certificate will work, do I need to add another certificate in the "TrustedCAs" view?
4. If I should import a certificate response from a CA, where can I get the certificate of the CA?
I know these are a lot of questions, but I'd really appreciate all the help I can get from you guys. Please avoid posting links to other threads as I have pretty much read all of them..
Warm regards,
Glenn
Hi Glenn,
Let me explain the scenario without client certificate logon (user and password) first.
When you want to communicate with marketsite in secure manner, get the certificate of the CA (Certifying Authority) who has signed market site Cert. and add it to Trusted CAs view in Visual Admin of XI. Sometimes it may be a CA certificate chain.
If that certificate is self-signed, add the market site certificate itself into Trusted CAs of Vis. Admin of XI.
Certificate Logon:
This is for your (the XI server's) identity to the Marketsite.
In Visual Admin KeyStorage create a view or in any of existing views create a Private Key and Public key (Certificate) pair representing XI Server (CN should be hostname of XI server). Get the public Key signed by CA and import the Certificate in Visual Admin.
Now in Configuration select view and the Private Key just created for XI's Identity.
PS: There may be some steps in the Marketsite too in case of certificate logon, like adding the XI certificate to something like the Trusted CAs of the Marketsite. You can get a better picture from the guys administrating the Marketsite.
Try these options and post the results in forum.
Good Luck.
Regards,
Sudharshan N A
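The trust decisions described in the answer above, reproduced with the `openssl` CLI as an added example (not part of the original posts, and not SAP tooling): a peer's certificate is accepted only if the verifier's trust store holds its issuing CA or, for a self-signed certificate, the certificate itself. The CA names and the hosts `marketsite.example` and `xi.example` are constructed; each trust-store file stands in for a Key Storage view such as TrustedCAs.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Constructed names: "Demo CA", "Other CA",
# marketsite.example, xi.example. Requires the openssl command-line tool.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_selfsigned <name> <CN>: key pair plus self-signed certificate.
mk_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# mk_signed <name> <CN> <ca-name>: key pair, CSR, and a certificate issued by <ca-name>.
mk_signed() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 30 \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# verdict <trust-store-name> <peer-cert-name>: prints "trusted" or "rejected".
# The trust store is a single PEM file here; the peer certificate is checked against it.
verdict() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

mk_selfsigned demo_ca   "Demo CA"     # CA that issues the CA-signed certificates
mk_selfsigned other_ca  "Other CA"    # unrelated CA: a trust store without the right entry
mk_signed     site_signed "marketsite.example" demo_ca
mk_selfsigned site_self   "marketsite.example"
mk_signed     xi_signed   "xi.example" demo_ca
mk_selfsigned xi_self     "xi.example"

report() {
  echo "XI verifying the marketsite server certificate:"
  printf '  %-55s %s\n' \
    "CA-signed, issuing CA in trust store"            "$(verdict demo_ca  site_signed)" \
    "CA-signed, issuing CA missing from trust store"  "$(verdict other_ca site_signed)" \
    "self-signed, only CA certificates in trust store" "$(verdict demo_ca  site_self)" \
    "self-signed, certificate itself in trust store"  "$(verdict site_self site_self)" \
    "self-signed, only XI's own certificate in store" "$(verdict xi_self  site_self)"
  echo "Marketsite verifying XI's client certificate (certificate logon):"
  printf '  %-55s %s\n' \
    "CA-signed, issuing CA installed at marketsite"   "$(verdict demo_ca xi_signed)" \
    "self-signed, certificate installed at marketsite" "$(verdict xi_self xi_self)" \
    "self-signed, not installed at marketsite"        "$(verdict demo_ca xi_self)"
}
report
```

The two directions are independent: installing XI's own certificate at the marketsite satisfies the marketsite's check of the client, while XI's check of the server depends only on what is in XI's own trust store.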
Similar Messages
-
Getting error "Problem with SSL Certificate" but I'm connecting to my private server without SSL
I wanted to create a PDF from a subtree at a website. The first problem was that Acrobat Pro (11.0.7) wouldn't spider it (probably because there was a robot.txt file there) so I had to use SiteSucker to pull the pages down to my Mac.
Then I discovered that Acrobat Pro can't handle file:/// URLs so that was no good either
So then I copied all the pages to a folder on my Linux server where I use a non-standard port (86) for http connection as a minor security precaution.
When I tried to access that from Acrobat Pro, it bitched about a problem with SSL Certificate but gave me no option to do anything about it. More relevantly, all the files were accessible using http protocol, not https so there shouldn't have been any need to deal with SSL certificates at all
I had to temporarily enable port 80 on my apache server at which point it's now pulling all the files in and hopefully converting them.
A) We're at version 11 ---- these kinds of issues should have been fixed years ago
B) While you're at it, fix the stupid UI issue where the download dialog disappears completely if Acrobat Pro doesn't have the focus. On a long download, I'd like to be able to see progress while working on other stuff. Acrobat Pro is not the center of the universe!
Interesting point 2, I am working on a Mac plugin at the moment. It does not hide its dialogs when switching to a different app. I consider this a bug and will fix it so the dialog disappears. I hadn't considered the question of progress but there is a very strong reason to do this on the Mac.
My tests seem to show that
(a) to get a dialog to sit above PDF documents all the time, it must be on a higher "level".
(b) if a dialog is at a higher level, this is a global setting.
So, if the dialog is not hidden when switching all, it will typically sit on top of the other app's document windows. This would not be popular, as the end user, unless they have mountains of screen space and choose to use it that way, must either close or move the dialog when switching app, then bring the dialog back. So, because Acrobat Pro is not the centre of the universe, it will hide dialogs (or rather, the Mac will, as it's a standard option when creating a window). -
Importing external web service with SSL certificate security
Hello,
I'm trying to import an external web service (that resides in another server, independent of ours). However, right after I enter the WSDL in the import window I get the following error in the NWDS:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Error: com.sap.ide.es.core.ui.internal.wizards.fragments Thread[ModalContext,6,main]]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.getURLAsStream(UrlValidationRunnable.java:137)
at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.validate(UrlValidationRunnable.java:75)
at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.run(UrlValidationRunnable.java:55)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
... 15 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
... 21 more
Has anyone ever consumed an external web service with SSL certificate security? How do you import this in your Web Dynpro project?
Cheers!
Hi Alain,
I just checked on a newer NW environment (NW 7.2) and was presented an empty list as well... It seems the mapping procedure I described is deprecated since NW 7.11, and the modeled CAF application service is already exposed as a web service.
You may want to have a look at http://help.sap.com/saphelp_nwce711/helpdata/en/43/f173947bbb025be10000000a1553f7/content.htm or http://scn.sap.com/message/7852996 for more info -
[SOLVED] Problem with ca-certificates
For some time there has been a problem with ca-certificates during update. I receive the following error:
[user@bragi ~]$ sudo pacman -Suy
:: Synchronizowanie baz danych z pakietami...
core jest już w najnowszej wersji
community jest już w najnowszej wersji
multilib jest już w najnowszej wersji
:: Rozpoczynanie pełnej aktualizacji systemu...
ostrzeżenie: libxml-perl: local (0.08-6) jest nowsze niż community (0.08-5)
rozwiązywanie zależności...
ostrzeżenie: nie można rozwiązać "ca-certificates-mozilla", zależności od "ca-certificates"
:: Następujący pakiet nie mógł zostać zaktualizowany w wyniku niespełnionych zależności:
ca-certificates
:: Czy chcesz pominąć powyższy pakiet przy aktualizacji? [t/N] N
błąd: nie udało się przygotować transakcji (niespodziewany błąd)
I know that this is not in English, but the messages say that there is an error with the dependency ca-certificates-mozilla <--> ca-certificates.
I asked this same question on a Polish forum but I only received a suggestion to try running:
pacman -Suyy
but this is not a solution.
Any ideas?
Last edited by web01 (2014-10-16 19:36:30)
I'm not sure but maybe because of this
[user@bragi ~]$ sudo pacman -Suyy
:: Synchronizing package databases...
core 116.7 KiB 1945K/s 00:00 [#####################################################] 100%
extra 1767.3 KiB 2.16M/s 00:01 [#####################################################] 100%
community 2.3 MiB 2.28M/s 00:01 [#####################################################] 100%
multilib 118.9 KiB 2.04M/s 00:00 [#####################################################] 100%
:: Starting full system upgrade...
:: Replace ati-dri with extra/mesa-dri? [Y/n]
:: Replace baloo with extra/baloo4? [Y/n]
:: Replace baloo-widgets with extra/baloo4-widgets? [Y/n]
:: Replace grantlee with extra/grantlee-qt4? [Y/n]
:: Replace intel-dri with extra/mesa-dri? [Y/n]
:: Replace java-common with extra/java-runtime-common? [Y/n]
:: Replace kfilemetadata-frameworks with extra/kfilemetadata5? [Y/n]
warning: libxml-perl: local (0.08-6) is newer than community (0.08-5)
:: Replace nouveau-dri with extra/mesa-dri? [Y/n]
:: Replace svga-dri with extra/mesa-dri? [Y/n]
resolving dependencies...
looking for inter-conflicts...
error: unresolvable package conflicts detected
error: failed to prepare transaction (conflicting dependencies)
:: kwin and kdebase-workspace are in conflict -
REDUNDANT ACE 20 WITH SSL CERTIFICATE
Hi
I have an ACE 20 redundant infrastructure (Active-Standby), and a secure application with an SSL certificate needs to be implemented.
My question is: for this solution, is it necessary to generate a digital certificate and key for each ACE module? And is it possible to use the same certificate and key in both ACE modules?
Thanks for your help.
Regards
Ricardo,
You can just use the same certificates for both devices.
Jorge -
Having some problems with security certificates
Hello,
In some pages, e.g. Twitter, and pages that load FB comments sections, I'm having problems with the certificates and the pages won't load. I don't get an option to add an exception either, therefore I cannot access pages.
I have pasted the error details below. Here is some important info for you:
Version: 9.0.1 <-- Upgrading is NOT an option, this is a corporate machine
Connect via proxy: yes
I doubt very much that this is an issue with the connection, as IE and Chrome are NOT having this issue on the same connection.
Error I get:
This Connection is Untrusted
You have asked Firefox to connect securely to twitter.com, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.
Technical Details
twitter.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
(Error code: sec_error_untrusted_issuer)
Can anyone shed some light? The usual troubleshooting I've come across hasn't helped me much.
Off the cuff it smells of a man-in-the-middle situation to me. As far as I know, Twitter does have a valid certificate, signed by Verisign. That IE and Chrome have no problem with it, could just mean they do not check resp. do let you know.
I'll have to pass here, because I would not know, how to turn this checking off in FX 9.0 - in any case I would think twice before doing it. The place to look would be Options > advanced > Encryption.
Hope somebody else joins us:)
PS: keeping you nailed down to Fx 9.0 version is unsafe - not just for you, but for your company as well. -
TS3899 iPad mail account says problem with 'ssl settings' - can you help me?
iPad mail account says problem with 'ssl settings' - can you help me?
The 4Gs hardware, only 256 MB of RAM, prohibits updating beyond 6.1.6.
Starting when iOS 7 was released, Apple now allows downloading the last compatible version of some apps (iOS 4.2.1 and later only)
App Store: Downloading Older Versions of Apps on iOS - Apple Club
App Store: Install the latest compatible version of an app
You first have to download the non-compatible version on your computer. Then when you try to purchase the version on your iPod you will be offered a compatible version if one exists. -
We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
The application is running on a server within a wide area network which is separated from the internet.
The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
The user has to enter, for example "https://my-site.de/myapp/ma.jnlp" within a webbrowser or could also call "javaws https://my-site.de/myapp/ma.jnlp" to start the application client.
The webserver has a certificate from a trusted certificate authority. This certificate seems to be ok, the browser is even configured to perform OCSP status check.
The application files are signed with a certificate from another trusted certificate authority. This certificate seems also to be ok. Regarding this certificate there
are no problems with certificate revocation checks.
The problem is, while starting the application client there is a message box which tells us something like "the connection to this website is not trustworthy",
"Website: https://my-site.de:80", and something about an invalid certificate, meaning the webserver certificate.
Obviously the JVM runtime, which is executed on the user's workstation, tries to perform a revocation check for the webserver's certificate, but this fails because
it cannot fetch the certificate under https://my-site.de:80.
The application will execute without further problems after that message but the users are very concerned about the "invalid" certificate, so here are my questions:
- Why is the application trying to get the webserver certificate over port 80? Our application developers told me there is no corresponding statement. Calling this address
has to fail while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
- Is there a way to make the application go on without performing a TLS revocation check? I mean, by adjusting the application source code and not by configuring the users' Java Control Panel.
While disabling the TLS Certificate Revocation check in the Java Control Panel, the Webstart Application executes without a warning message, but this is not a workable solution for
our users.
It would be great if someone could help me with a hint so I can send our developers in the right direction ;-)
Many thanks!
This is a part from a java console output after calling "javaws -verbose https://my-site.de/myapp/"
(sorry that this is in German... and also for my English above)
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
security: OCSP Response: GOOD
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
security: UNAUTHORIZED
security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
network: Cacheeintrag gefunden [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
network: Codierung für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
network: Verbindung mit http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl trennen
CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird
network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
security: Revocation Status Unknown
com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
... 35 more
Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
... 36 more
security: Ungültiges Zertifikat vom HTTPS-Server
network: Cacheeintrag nicht gefunden [URL: https://my-site.de:80, Version: null]
Add the JSF Jars to the WEB-INF/lib directory of the application. If still getting error add to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.
-
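A triage pass over the `javaws -verbose` trace quoted in the Java Web Start post above, as an added example that is not part of the original posts: it reduces the trace to the sequence of revocation events and marks connections made without the proxy. The sample input is abridged from the console output in the post; the event labels (`OCSP`, `FAILOVER`, `FETCH`, `DIRECT`, `RESULT`) are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. sample_trace is abridged from the console
# output quoted in the post; the event labels printed below are assumptions of
# this example, not Java deployment output.

sample_trace() {
cat <<'EOF'
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
security: OCSP Response: GOOD
network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
security: UNAUTHORIZED
security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
security: Revocation Status Unknown
security: Ungültiges Zertifikat vom HTTPS-Server
EOF
}

# Reads a trace on stdin and prints one event per line:
#   OCSP <status> <responder>   status line, attributed to the last endpoint contacted
#   FAILOVER crl                OCSP gave no usable answer, CRLs are tried next
#   FETCH <http-code> <url>     result of a CRL download
#   DIRECT <url>                connection attempted without the proxy (printed once per URL)
#   RESULT <status>             final revocation status
triage_revocation() {
  awk '
    $1 == "network:" && $2 == "Verbindung" {
      last = $4                                  # endpoint of the most recent connection
      if ($6 == "Proxy=DIRECT" && !(last in seen)) { seen[last] = 1; print "DIRECT", last }
      next
    }
    $1 == "network:" && $2 == "ResponseCode" {
      url = $4; sub(/:$/, "", url)               # drop the colon that follows the URL
      print "FETCH", $5, url; next
    }
    $1 == "security:" && $2 == "OCSP" && $3 == "Response:" { print "OCSP", $4, last; next }
    $1 == "security:" && $2 == "UNAUTHORIZED"              { print "OCSP UNAUTHORIZED", last; next }
    $1 == "security:" && $2 == "Failing"                   { print "FAILOVER crl"; next }
    $1 == "security:" && $2 == "Revocation"                { print "RESULT", tolower($4); next }
  '
}

sample_trace | triage_revocation
```

On a workstation that reaches external hosts only through the proxy, a `DIRECT` line is worth checking against the firewall rules before looking at the certificate itself.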
Problem with SSL weblogic plug in and Apache
We're using mod_wl_22.so with Apache, and after some problems with the mod failing on startup it is now working. We can access the WebLogic SSL page fine directly on port 16101 with no warning, but when we try via the proxy we get:
Failure of server Apache bridge:
No backend server available for connection: timed out after 10 seconds or idempotent set to OFF.
In the wl_proxy.log there is a message that I think relates to the trustedcertfile in our http.conf file. We have a root certificate in PEM format as the trustedcertfile.
================New Request: [GET /irm_desktop HTTP/1.1] =================
Thu Jan 27 21:52:15 2011 <258812961651354> INFO: SSL is configured
Thu Jan 27 21:52:15 2011 <258812961651354> INFO: SSL configured successfully
Thu Jan 27 21:52:15 2011 <258812961651354> Using Uri /irm_desktop
Thu Jan 27 21:52:15 2011 <258812961651354> After trimming path: '/irm_desktop'
Thu Jan 27 21:52:15 2011 <258812961651354> The final request string is '/irm_desktop'
Thu Jan 27 21:52:15 2011 <258812961651354> SEARCHING id=[sealedinfo-prod:16101] from current ID=[sealedinfo-prod:16101]
Thu Jan 27 21:52:15 2011 <258812961651354> The two ids matched
Thu Jan 27 21:52:15 2011 <258812961651354> @@@FOUND...id=[sealedinfo-prod:16101], server_name=[uat.sealedinfo.com], server_port=[443]
Thu Jan 27 21:52:15 2011 <258812961651354> attempt #0 out of a max of 5
Thu Jan 27 21:52:15 2011 <258812961651354> Trying a pooled connection for '10.10.10.10/16101/16101'
Thu Jan 27 21:52:15 2011 <258812961651354> getPooledConn: No more connections in the pool for Host[10.10.10.10] Port[16101] SecurePort[16101]
Thu Jan 27 21:52:15 2011 <258812961651354> general list: trying connect to '10.10.10.10'/16101/16101 at line 2658 for '/irm_desktop'
Thu Jan 27 21:52:15 2011 <258812961651354> New SSL URL: match = 0 oid = 22
Thu Jan 27 21:52:15 2011 <258812961651354> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Thu Jan 27 21:52:15 2011 <258812961651354> EINPROGRESS in connect() - selecting
Thu Jan 27 21:52:15 2011 <258812961651354> Setting peerID for new SSL connection
Thu Jan 27 21:52:15 2011 <258812961651354> 0a0a 0a0a e53e 0000 .....>..
Thu Jan 27 21:52:15 2011 <258812961651354> Local Port of the socket is 63867
Thu Jan 27 21:52:15 2011 <258812961651354> Remote Host 10.10.10.10 Remote Port 16101
Thu Jan 27 21:52:15 2011 <258812961651354> general list: created a new connection to '10.10.10.10'/16101 for '/irm_desktop', Local port:63867
Thu Jan 27 21:52:15 2011 <258812961648171> WARN: GetSessionCallback: No session match found
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: SSL certificate chain validation failed: 3015
Thu Jan 27 21:52:16 2011 <258812961651354> trusted certs = 0
Thu Jan 27 21:52:16 2011 <258812961651354> dumping cert chain
Thu Jan 27 21:52:16 2011 <258812961651354> commonName is uat.sealedinfo.com
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: DeleteSessionCallback: No match found!!
Thu Jan 27 21:52:16 2011 <258812961651354> ERROR: SSLWrite failed
Thu Jan 27 21:52:16 2011 <258812961651354> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> Marking 10.10.10.10:16101 as bad
Thu Jan 27 21:52:16 2011 <258812961651354> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp]: at line 3094
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Closing SSL context
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Error after SSLClose, socket may already have been closed by peer
Thu Jan 27 21:52:16 2011 <258812961651354> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
Thu Jan 27 21:52:16 2011 <258812961651354> attempt #1 out of a max of 5
Thu Jan 27 21:52:16 2011 <258812961651354> general list: trying connect to '10.10.10.10'/16101/16101 at line 2658 for '/irm_desktop'
Thu Jan 27 21:52:16 2011 <258812961651354> New SSL URL: match = 0 oid = 22
Thu Jan 27 21:52:16 2011 <258812961651354> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Thu Jan 27 21:52:16 2011 <258812961651354> EINPROGRESS in connect() - selecting
Thu Jan 27 21:52:16 2011 <258812961651354> Setting peerID for new SSL connection
Thu Jan 27 21:52:16 2011 <258812961651354> 0a0a 0a0a e53e 0000 .....>..
Thu Jan 27 21:52:16 2011 <258812961651354> Local Port of the socket is 63868
Thu Jan 27 21:52:16 2011 <258812961651354> Remote Host 10.10.10.10 Remote Port 16101
Thu Jan 27 21:52:16 2011 <258812961651354> general list: created a new connection to '10.10.10.10'/16101 for '/irm_desktop', Local port:63868
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: GetSessionCallback: No session match found
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: SSL certificate chain validation failed: 3015
Thu Jan 27 21:52:16 2011 <258812961651354> trusted certs = 0
Thu Jan 27 21:52:16 2011 <258812961651354> dumping cert chain
Thu Jan 27 21:52:16 2011 <258812961651354> commonName is uat.sealedinfo.com
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: DeleteSessionCallback: No match found!!
Thu Jan 27 21:52:16 2011 <258812961651354> ERROR: SSLWrite failed
Thu Jan 27 21:52:16 2011 <258812961651354> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> Marking 10.10.10.10:16101 as bad
Thu Jan 27 21:52:16 2011 <258812961651354> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp]: at line 3094
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Closing SSL context
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Error after SSLClose, socket may already have been closed by peer
Thu Jan 27 21:52:16 2011 <258812961651354> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
Thu Jan 27 21:52:16 2011 <258812961651354> attempt #2 out of a max of 5
Thu Jan 27 21:52:16 2011 <258812961651354> general list: trying connect to '10.10.10.10'/16101/16101 at line 2658 for '/irm_desktop'
Thu Jan 27 21:52:16 2011 <258812961651354> New SSL URL: match = 0 oid = 22
Thu Jan 27 21:52:16 2011 <258812961651354> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Thu Jan 27 21:52:16 2011 <258812961651354> EINPROGRESS in connect() - selecting
Thu Jan 27 21:52:16 2011 <258812961651354> Setting peerID for new SSL connection
Thu Jan 27 21:52:16 2011 <258812961651354> 0a0a 0a0a e53e 0000 .....>..
Thu Jan 27 21:52:16 2011 <258812961651354> Local Port of the socket is 63869
Thu Jan 27 21:52:16 2011 <258812961651354> Remote Host 10.10.10.10 Remote Port 16101
Thu Jan 27 21:52:16 2011 <258812961651354> general list: created a new connection to '10.10.10.10'/16101 for '/irm_desktop', Local port:63869
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: GetSessionCallback: No session match found
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: SSL certificate chain validation failed: 3015
Thu Jan 27 21:52:16 2011 <258812961651354> trusted certs = 0
Thu Jan 27 21:52:16 2011 <258812961651354> dumping cert chain
Thu Jan 27 21:52:16 2011 <258812961651354> commonName is uat.sealedinfo.com
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: DeleteSessionCallback: No match found!!
Thu Jan 27 21:52:16 2011 <258812961651354> ERROR: SSLWrite failed
Thu Jan 27 21:52:16 2011 <258812961651354> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> Marking 10.10.10.10:16101 as bad
Thu Jan 27 21:52:16 2011 <258812961651354> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp]: at line 3094
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Closing SSL context
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Error after SSLClose, socket may already have been closed by peer
Thu Jan 27 21:52:16 2011 <258812961651354> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
Thu Jan 27 21:52:16 2011 <258812961651354> attempt #3 out of a max of 5
Thu Jan 27 21:52:16 2011 <258812961651354> general list: trying connect to '10.10.10.10'/16101/16101 at line 2658 for '/irm_desktop'
Thu Jan 27 21:52:16 2011 <258812961651354> New SSL URL: match = 0 oid = 22
Thu Jan 27 21:52:16 2011 <258812961651354> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Thu Jan 27 21:52:16 2011 <258812961651354> EINPROGRESS in connect() - selecting
Thu Jan 27 21:52:16 2011 <258812961651354> Setting peerID for new SSL connection
Thu Jan 27 21:52:16 2011 <258812961651354> 0a0a 0a0a e53e 0000 .....>..
Thu Jan 27 21:52:16 2011 <258812961651354> Local Port of the socket is 63870
Thu Jan 27 21:52:16 2011 <258812961651354> Remote Host 10.10.10.10 Remote Port 16101
Thu Jan 27 21:52:16 2011 <258812961651354> general list: created a new connection to '10.10.10.10'/16101 for '/irm_desktop', Local port:63870
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: GetSessionCallback: No session match found
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: SSL certificate chain validation failed: 3015
Thu Jan 27 21:52:16 2011 <258812961651354> trusted certs = 0
Thu Jan 27 21:52:16 2011 <258812961651354> dumping cert chain
Thu Jan 27 21:52:16 2011 <258812961651354> commonName is uat.sealedinfo.com
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: DeleteSessionCallback: No match found!!
Thu Jan 27 21:52:16 2011 <258812961651354> ERROR: SSLWrite failed
Thu Jan 27 21:52:16 2011 <258812961651354> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> Marking 10.10.10.10:16101 as bad
Thu Jan 27 21:52:16 2011 <258812961651354> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp]: at line 3094
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Closing SSL context
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Error after SSLClose, socket may already have been closed by peer
Thu Jan 27 21:52:16 2011 <258812961651354> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
Thu Jan 27 21:52:16 2011 <258812961651354> attempt #4 out of a max of 5
Thu Jan 27 21:52:16 2011 <258812961651354> general list: trying connect to '10.10.10.10'/16101/16101 at line 2658 for '/irm_desktop'
Thu Jan 27 21:52:16 2011 <258812961651354> New SSL URL: match = 0 oid = 22
Thu Jan 27 21:52:16 2011 <258812961651354> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Thu Jan 27 21:52:16 2011 <258812961651354> EINPROGRESS in connect() - selecting
Thu Jan 27 21:52:16 2011 <258812961651354> Setting peerID for new SSL connection
Thu Jan 27 21:52:16 2011 <258812961651354> 0a0a 0a0a e53e 0000 .....>..
Thu Jan 27 21:52:16 2011 <258812961651354> Local Port of the socket is 63871
Thu Jan 27 21:52:16 2011 <258812961651354> Remote Host 10.10.10.10 Remote Port 16101
Thu Jan 27 21:52:16 2011 <258812961651354> general list: created a new connection to '10.10.10.10'/16101 for '/irm_desktop', Local port:63871
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: GetSessionCallback: No session match found
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: SSL certificate chain validation failed: 3015
Thu Jan 27 21:52:16 2011 <258812961651354> trusted certs = 0
Thu Jan 27 21:52:16 2011 <258812961651354> dumping cert chain
Thu Jan 27 21:52:16 2011 <258812961651354> commonName is uat.sealedinfo.com
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: DeleteSessionCallback: No match found!!
Thu Jan 27 21:52:16 2011 <258812961651354> ERROR: SSLWrite failed
Thu Jan 27 21:52:16 2011 <258812961651354> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> Marking 10.10.10.10:16101 as bad
Thu Jan 27 21:52:16 2011 <258812961651354> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp]: at line 3094
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Closing SSL context
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Error after SSLClose, socket may already have been closed by peer
Thu Jan 27 21:52:16 2011 <258812961651354> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
Thu Jan 27 21:52:16 2011 <258812961651354> attempt #5 out of a max of 5
Thu Jan 27 21:52:16 2011 <258812961651354> general list: trying connect to '10.10.10.10'/16101/16101 at line 2658 for '/irm_desktop'
Thu Jan 27 21:52:16 2011 <258812961651354> New SSL URL: match = 0 oid = 22
Thu Jan 27 21:52:16 2011 <258812961651354> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Thu Jan 27 21:52:16 2011 <258812961651354> EINPROGRESS in connect() - selecting
Thu Jan 27 21:52:16 2011 <258812961651354> Setting peerID for new SSL connection
Thu Jan 27 21:52:16 2011 <258812961651354> 0a0a 0a0a e53e 0000 .....>..
Thu Jan 27 21:52:16 2011 <258812961651354> Local Port of the socket is 63872
Thu Jan 27 21:52:16 2011 <258812961651354> Remote Host 10.10.10.10 Remote Port 16101
Thu Jan 27 21:52:16 2011 <258812961651354> general list: created a new connection to '10.10.10.10'/16101 for '/irm_desktop', Local port:63872
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: GetSessionCallback: No session match found
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: SSL certificate chain validation failed: 3015
Thu Jan 27 21:52:16 2011 <258812961651354> trusted certs = 0
Thu Jan 27 21:52:16 2011 <258812961651354> dumping cert chain
Thu Jan 27 21:52:16 2011 <258812961651354> commonName is uat.sealedinfo.com
Thu Jan 27 21:52:16 2011 <258812961648171> WARN: DeleteSessionCallback: No match found!!
Thu Jan 27 21:52:16 2011 <258812961651354> ERROR: SSLWrite failed
Thu Jan 27 21:52:16 2011 <258812961651354> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Thu Jan 27 21:52:16 2011 <258812961651354> Marking 10.10.10.10:16101 as bad
Thu Jan 27 21:52:16 2011 <258812961651354> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp]: at line 3094
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Closing SSL context
Thu Jan 27 21:52:16 2011 <258812961651354> INFO: Error after SSLClose, socket may already have been closed by peer
Thu Jan 27 21:52:16 2011 <258812961651354> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
Thu Jan 27 21:52:16 2011 <258812961651354> request [irm_desktop] did NOT process successfully..................
I see that it is six months ago that I first posted this. Nothing has changed. When I use affixa to create a message with an attachment from my gmail account in Firefox, the message is created in drafts, but the gmail window is closed and I have to re-open it. Not critical, but annoying.
Now there is a plug-in on the affixa site that is supposed to be designed for Firefox, and which affixa support claims should take care of this. And I've downloaded it twice. When you download it and open it, it says that it will be installed when Firefox restarts, and gives you a button to restart Firefox. But after you click that button and Firefox disappears and re-appears, the affixa plug-in is NOT in the plugin list.
Please, somebody, HELP. -
Problem with client certificate based authentication
Hello.
We are developing an AIR application that uses client
certificates for authentication. We have written a simple test case
to show the problem.
<?xml version="1.0" encoding="utf-8"?>
<mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml"
    layout="absolute">
    <mx:Script>
        <![CDATA[
            import mx.controls.Alert;
            // Called when the HTTPService result event fires.
            private function responseHandler(): void {
                Alert.show("Response received");
            }
        ]]>
    </mx:Script>
    <!-- Request to a page protected by client-certificate authentication. -->
    <mx:HTTPService id="exampleService"
        url="https://www1.aeat.es/pymes1/pacargoi.html"
        showBusyCursor="true"
        result="responseHandler()">
    </mx:HTTPService>
    <mx:Button label="Send"
        click="exampleService.send()"/>
</mx:WindowedApplication>
When we click on the button, it sends the request to the
protected page and then (if you have CA emitted certificates) the
dialog appears requesting the client certificate. And it works
fine.
But next time we click on the button, the dialog requesting
the client certificate appears again.
Is there a way to stop showing the dialog every time?
Any help would be very appreciated.
Thanks a lot for your support.
Paco.
I have just sent a Feature Request/Bug Report with the
following text:
"We are experiencing a problem using AIR with a server that
requires authentication via client certificate.
The dialog for selecting the client certificate appears every
time that the AIR application interacts with the server (not only
the first time).
Steps to reproduce bug:
1. Install Apache HTTP Server with SSL and require client
certificate in order to authenticate.
2. Develop an AIR Application that connects to this server
(HTTPService or RemoteObject have been tested with the same
result).
3. Every time that the AIR application connects to the
server, the dialog appears in order for the user to select the client
certificate.
Results: This makes the AIR application unusable.
Expected results: The dialog requesting the client
certificate should appear the first time only."
Thanks,
Paco. -
I have created a Java application that communicates with a server via HTTPS.
I use both JDK and JRE 1.5.
I know this has something to do with certificates and storing them,
but I don't know exactly what to do.
Can someone please help me?
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at lk.informatics.infopro.connector.command.AptiloHTTPCommand.httpPost(AptiloHTTPCommand.java:106)
at lk.informatics.infopro.connector.command.AptiloHTTPCommand.performTask(AptiloHTTPCommand.java:134)
at lk.informatics.infopro.connector.SimpleRMIImpl.performTask(SimpleRMIImpl.java:112)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
at sun.rmi.transport.Transport$1.run(Transport.java:153)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
at java.lang.Thread.run(Thread.java:595)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 30 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 35 more
The problem that I had was that my application was unable to find a valid certificate that proved that the site can be trusted.
What you need to do is to tell the application that the site can be trusted and point it to a certificate that proves the site that you want to communicate with is a valid one.
If the application cannot find a proper certificate then it results in a failed SSL handshake.
What you must do is save the certificate provided by the site you wish to communicate with and point the application to it. This is done in 3 steps:
1. Save the certificate provided by the end site as a .cer file
eg:- theSite.cer
This can be done via IE or Mozilla (Has not been tested with Mozilla yet)
To do this, open the site in your browser. When the browser asks if you wish to accept the certificate provided by the site, view the certificate and save it.
2. Create a keyStore and add the saved certificate to it. Use the java "keytool" command in the command prompt to achieve this
keytool -import -alias ALIAS -file CERTIFICATE.cer -keystore KEY_STORE_NAME
eg:-
keytool -import -alias test -file theSite.cer -keystore TS
3. In your application make sure that you specify where to look for the Trusted Key Store.
System.setProperty("javax.net.ssl.trustStore", "TRUST_STORE_NAME");
System.setProperty("javax.net.ssl.trustStorePassword", "TRUST_STORE_PASSWORD");
eg:-
System.setProperty("javax.net.ssl.trustStore", "C:\\Key_Store\\TS");
System.setProperty("javax.net.ssl.trustStorePassword", "XXX");
ALT: you can also specify the above values on the java execution command as
-Djavax.net.ssl.trustStore=C:\Key_Store\TS -Djavax.net.ssl.trustStorePassword=XXX
-Djavax.net.debug=all
Can be used to view all debug information.
Simply put, we save the site's certificate in step 1, create a new keyStore and save the certificate in it in step 2, and show the application where to look for the valid certificate by pointing it to the proper keyStore in step 3.
Note that you can save multiple certificates on the same keyStore.
If you have any problems with this let me know -
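Step 1 above trusts whatever certificate the browser was shown, so the saved file should be checked before step 2 imports it. The script below is an added example, not part of the original post: it compares the SHA-256 fingerprint of the saved .cer file with a value obtained out of band and only then runs the keytool import. The function names, the `changeit` password and the generated sample certificate are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: fingerprint-check a saved site certificate before it is
# imported into the trust store (TS) with keytool.
# Assumption: the expected fingerprint comes from the site operator
# through a separate channel, not from the same browser session.

# Print the SHA-256 fingerprint of a PEM or DER certificate as bare hex.
cert_sha256() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    return 1
    # openssl prints "<name> Fingerprint=AB:CD:..."; keep only the hex digits.
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate's fingerprint equals the expected value.
# Colons, spaces and letter case in the expected value are ignored.
pin_matches() {
    actual=$(cert_sha256 "$1") || return 1
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# import_if_pinned CERT EXPECTED_FP ALIAS KEYSTORE STOREPASS
# Returns 0 after a successful import, 2 if the certificate is unreadable
# or its fingerprint differs (nothing is imported), 3 if keytool is
# missing or fails.
import_if_pinned() {
    pin_matches "$1" "$2" || return 2
    command -v keytool >/dev/null 2>&1 || return 3
    keytool -import -noprompt -alias "$3" -file "$1" \
            -keystore "$4" -storepass "$5" || return 3
}

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=site.example.test" \
        -keyout "$1/site.key" -out "$1/theSite.cer" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_cert "$tmp" || { rm -rf "$tmp"; return 1; }
    good=$(cert_sha256 "$tmp/theSite.cer")
    echo "fingerprint of constructed cert: $good"
    pin_matches "$tmp/theSite.cer" "$good" && echo "match: safe to import"
    import_if_pinned "$tmp/theSite.cer" "00" test "$tmp/TS" changeit
    echo "import with wrong pin returned $? (2 = refused)"
    rm -rf "$tmp"
}

demo
```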
iCal server won't work with SSL certificate
I'm running Leopard Server 10.5.7, and have a GoDaddy SSL certificate installed on the server, which is working fine in Apache, but not for iCal server.
In the Security Certificates section of Server Admin, the certificate shows up properly with the correct hostname, with the correct authority (i.e. not self-signed). I can use the certificate for one of my SSL websites, and it works fine, no browser errors, all works great.
However, if I use Server Admin to enable SSL for iCal server and then select my GoDaddy certificate from the "Certificate" dropdown, the dropdown immediately changes to "Custom Configuration." So I save changes and stop/start the iCal service.
Then I took my iCal clients (which were all working fine without SSL), and in 'Server Settings,' I changed the server address to https (instead of http), and port 8443 (instead of port 8008). But then when I refresh the calendars, iCal throws an error saying:
"Unexpected secure name resolution error (code -9844). The server name may be incorrect."
When I set everything back to the way it was before I started, all works fine.
Anyone have any suggestions?
Your problem seems similar to this thread:
http://discussions.apple.com/thread.jspa?threadID=1992033&tstart=0
There is some contradictory anecdotal information there, however. This reply in another thread:
http://discussions.apple.com/message.jspa?messageID=6288712#6288712
may hold some answers to your problem. There are two very enlightening articles on AFP548.com regarding certificate issues:
http://www.afp548.com/article.php?story=20080624005724638
http://www.afp548.com/article.php?story=20071203011158936
That might also be of assistance. Then there's this little tidbit:
http://www.networkjack.info/blog/2007/11/30/ssl-cert-with-subject-alternate-name/
These may-or-may-not solve the problem but may provide insight as to why it's happening. -
Problems installing SSL certificates for more than one alias on iMS 5.2
I have a problem getting encryption on IMAP/HTTP/SMTP when they are on the same server. I can only get one SSL certificate installed by the Netscape console wizard, and therefore only one alias.
Let's say I have 3 aliases to the same server just for scalability, imap.vxu.se, smtp.vxu.se and mail.vxu.se for http (https). Then I can only have one certificate installed at a time, for example https://mail.vxu.se. And for the others, like (S)IMAP, I get a dialogue that says the hostname isn't the same as the one registered in the certificate. How do I solve this? Is there some possibility to install more than ONE certificate, so I can have one certificate for each alias?
Environment: Full 420R, Solaris 8, iMS5.2
Thanks in advance
Although I completely agree with the comments that suggest this is not a great configuration idea, the error you are seeing ("...bean not found...") likely has nothing to do with the configuration - at least not as mentioned. My first guess is that if you are running the same exact form (FMX) as you ran for your first test then there should be no error. The only way such an error would appear is if the proper jar files are not being pulled to the client JRE or if the fmx was not properly generated. Be sure you are including config=webutil in the URL or that you have added the Webutil configuration info to your own named configuration section of formsweb.cfg
Regardless, if this is a Windows machine, the probability of having problems with multiple installations of the same version is high. Consider that the system PATH, CLASSPATH, ORACLE_HOME and various other system variables needed by the server side of the installation will overlap for each installation. This will cause problems. On the client side, attempting to download jars of the same name from the same server, but which are not actually the same files will confuse the JRE. If the JRE detects that a file which it has already cached is coming from the same server (host) then it will not attempt to pull it again. This will be a problem if the jars are not exactly the same in both installations. Making the problem worse is that you may not be able to easily determine from which installation the jars (or any files) were obtained.
So, as a general rule, regardless of whether multiple installations can co-exist, I would not recommend it. This is especially true on a Windows platform. -
Messaging Server: Problem Adding SSL Certificate
We have a problem importing a CA certificate into Messaging Server 7 on Solaris 10 x86.
Platform
uname -a
SunOS mail1 5.10 Generic_138889-03 i86pc i386 i86pc
Messaging Server Version
imsimta version
Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)
libimta.so 7.0-3.01 64bit (built 09:24:13, Dec 9 2008)
We have created a certificate database and generated a certificate request, as follows:
msgcert generate-certDB
msgcert request-cert --name mail.domain.xxx --org "University of XXX" --org-unit ITS --city XXX --state "XXX" --country GB -F ascii -o /tmp/ssl.csr
However, when we come to import the CA-supplied certificate we get the following error.
msgcert add-cert Server-Cert /tmp/mail1.crt
Enter the certificate database password:
Unable to find private key for this certificate.
Failed to add the certificate.
I'm confused. What does the msgcert request-cert command use as a private key when generating the certificate request? Should I have used openssl to generate the certificate request with a known private key?
Thanks
Alan
I solved the problem by converting certificate to pkcs#12 format and importing it.
openssl pkcs12 -export -in cert.pem -inkey private.key -out cert.pkcs12 -name Server-Cert
/opt/sun/comms/messaging64/bin/msgcert add-cert Server-Cert cert.pkcs12
Alan -
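The "Unable to find private key for this certificate" error and the PKCS#12 workaround above both depend on the certificate and the private key belonging together. The script below is an added example, not from the original posts or from the Messaging Server tooling: it confirms that a certificate and a key file carry the same public key before building the bundle with the `openssl pkcs12 -export` command from the reply. It assumes the private key is available as a file, as in that reply; the function names, the `P12_PASS` variable and the generated sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: make sure a CA-issued certificate matches the private key
# before bundling both into PKCS#12 for import.

# cert_matches_key CERT KEY
# Returns 0 if both hold the same public key, 2 if they differ, 1 if either
# file cannot be read. An encrypted key counts as unreadable here because
# "-passin pass:" supplies an empty passphrase instead of prompting.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
}

# bundle_pkcs12 CERT KEY OUT NAME
# The export password is read from the exported environment variable
# P12_PASS so it does not appear on the command line. Returns the
# cert_matches_key code on a failed check, 3 if the export or the
# read-back verification fails.
bundle_pkcs12() {
    status=0
    cert_matches_key "$1" "$2" || status=$?
    [ "$status" -eq 0 ] || return "$status"
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" \
        -passout env:P12_PASS 2>/dev/null || return 3
    # Read the bundle back: checks the MAC and that the password works.
    openssl pkcs12 -in "$3" -passin env:P12_PASS -noout 2>/dev/null || return 3
}

# Constructed sample input: make_pair DIR NAME writes DIR/NAME.pem and
# DIR/NAME.key, a throwaway self-signed certificate and its key.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_pair "$tmp" a && make_pair "$tmp" b || { rm -rf "$tmp"; return 1; }
    P12_PASS=constructed-demo-pass; export P12_PASS
    cert_matches_key "$tmp/a.pem" "$tmp/a.key"; echo "own key:     $?"
    cert_matches_key "$tmp/a.pem" "$tmp/b.key"; echo "foreign key: $?"
    bundle_pkcs12 "$tmp/a.pem" "$tmp/a.key" "$tmp/a.pkcs12" Server-Cert
    echo "bundle:      $?"
    rm -rf "$tmp"
}

demo
```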
Problem with SSL Activated on SSO Login
Hi Guys,
One of my applications has recently hit a few problems when SSL was activated on several environments. My application requires you to login using a SSO username and password before you can use the application. Before SSL was implemented, when you pressed the main menu button the page would redirect to the login server and the SSO login would remember your details and log you in again and then take you to the 1st page with a new session id. However, with SSL implemented, when the main menu button is pressed it redirects you to the login server but this time it asks you to enter your username and password. This is a problem as every time authentication is required on my application, it will keep telling you to login even if you have already done so before.
For extra information, the main menu button (which is a navigation bar entry) redirects you to a piece of javascript which is used to take you back to the 1st page depending on what page you are on.
I am also using the latest version of APEX.
Any help is much appreciated as I am not sure where to go with this problem.
Also is it a problem with the SSL setup or my application?
Thanks
-Mark
I have tried to pass the cookie through the URL to the login server but this does nothing.
I can't imagine what you mean by that or what exactly you did.
it just takes me to the login page and resets the session id after I have logged in again!
What do you mean by "reset"?
How can I make cookies be accepted by SSL?
Have you constructed an experiment to prove that this is the problem?
Is there something I can put in the application itself?
Definitely not.
Scott