Question: OAS + SSL + certificate

Similar Messages

• Problem with OAS Instance Name y Host Name to create trial ssl certificate

  Hi, everyone
  I have a problem when creating a trial ssl certificate from Verisign page, affer a live assistance, that page rejected my CSR generated from OAS, saying thay my common name has invalid characters.
  My Oracle Application Server installation name: Instance.HostName is:
  IAS_IND01.ind-internet
  So, Verisign told me this name can't contain "_" or "-" characters for example.
  I need to know if it's possible to change the instance name and if OAS host name changes also if i change server's host name.
  I wouldn't like to reinstall all over again.
  Please help.
  Regards
  David

  Hi,
  No your AS server will not automatic. even if you change your host name.
  If U 'll try to change your host name, be carefull when U 'll try to start you AS instacne
  it ' not start anymore , AS user hosts fill to get full quallified name of your host.
  U 've two choices
  -1 delete your AS, then change your hosts name, then new installtion of AS
  2- If U 've exprience with AS, just breng your AS down, change your hosts name,
  U 'll need to do some changes in your AS, just read admininstrator Guide.
  Cheers,
  Hamdy

• SSL/Certificate creation/distribution questions

  I'm extremely new to SSL and using certificates and have been having some trouble figuring out exactly how to create and implement them.
  Environment background:
  Currently, my entire network is closed off from the outside world. It's a mac-only network, basically sandboxed from a PC-only network via a router (to provide access to the internet, that's provided from the PC network). No port forwarding is set up and I don't have any external IP addresses pointing to my router, so currently there's no way for an outside source to see my network. With not really any need for secure traffic, SSL and certificates aren't really needed (basically, it's a video dept at a university with ~150 users). However, once I get external access (the main IT dept's been "working" on this with our ISP for, um, about a year <coughcough>), I'm wanting to do some stuff with VPN as well as wikis and chat (chat could theoretically be useful internally now). Even though we don't really have much worth hacking, once I get a window to the outside world, I'd like to button up my server/network as much as possible.
  Since all my services will be set up and provided by me, I'm comfortable using certificates I create instead of purchasing any--if I knew how to do this, which brings me to my questions. I've tried creating a certificate within Server Admin, but it says it's not trusted (and clients don't seem to see it, anyway). I've also tried the instructions here: www.eclectica.ca/howto/ssl-cert-howto.php, but got an error when actually running the openssl command (OpenSSL is installed and appears to be functional). How do I get a trusted certificate(s) and then, how do I distribute them to the clients so they see and use them? Exactly what path are these created to, or should be placed, etc?
  I'd initially like to use SSL for increasing the security of my logins (all network users), but like mentioned, I'd also like to secure other services (is a cert needed/useable for VPN?). In that regard, do I only need one certificate, or would I need certificates for each separate service?
  Sorry for the long post, but thanks for any help.

  Hi There,
  If you create a "self signed" certificate you will get warning messages in your browser but can configure your browser to accept these warnings. This is ok if it is just a local access machine and you are the only one accessing it.
  If outside people are going to be accessing it, you will want to use a 3rd party SSL certificate from a trusted authority such as Verisign, GeoTrust etc.
  Here is a good article on how to create the CSR on 10.6
  http://support.apple.com/kb/HT3976
  Hope this Helps,
  Eric Holtzman
  Hosting 4 Less

• SSL certificates and Web Services Usage inside Oracle Database Questions!

  We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
  Service1 is already working, and we can call the service from PL/SQL without troubles.
  However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
  Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
       - SSL Certificates:
  1- Can installed certificates in the Database put in risk the stability of the database?
            2- Can installed certificates in the Database generate performance issues?
            3- Can installed certificates reloading the Databases?
            2- Can installed certificates in the Database generate security issues?
       - Web services:
  1- Can web services calling from the Database put in risk the stability of the database?
  2- Can web services calling from the Database generate performance issues?
  3- Can web services calling from the Database generate security issues in the DMZ?
  Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
  Those are the links describing the procedure mentioned above.
  1 -http://www.kotti.es/2009/11/oracle-wallet/
  DB: Oracle 9i.
  Average number of lines in file: 300
  Periodicity: Twice at day.

  Thiago:
  You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
  I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
  http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
  Regards,
  Jason

• SSL Certificate question (minor issue)

  I have a Windows 2012 server setup with RDS.  I have about 10 virtual machines already setup - my whole VDI infrastructure.  Everything is working fine - accessing the vm's internally and externally, however, I have issues w/the certificate.
  I am using a self-signed certificate (until I can my client to pay for a real SSL cert).
  I have created an A record for my DNS at my hosting company that points to my public IP (e.g. remote.mycompany.com instead of typing in the IP address), the port forwarding on my router kicks in and sends the https traffic to my RD Gateway (my Windows 2012)
  and the user will see the RDWeb page and can log in from there.  The cert is pointed to remote.mycompany.com too.  However, my server is called vdi-remote2.mycompany.com.  Naturally, when using IE to access the RDWeb page, their address bar
  in IE will be red with the cert error/warning.
  First they are greeted with the "There is a problem with this website's security certificate" and will click on continue to the this website.  Upon inspection of the certificate, it will say "This CA Root certificate is not trusted.  To
  enable trust, install this certificate in the Trusted Root Certification Authorities store."  Ok, I can install it (and have), but I still get the red address bar in my IE.
  Needless to say, I'd like to clean this all up.  The users are non-technical people and when they see this stuff, they freak out.  We know what it all means - we're technical folks, but I'd like to clean it all up and just have it nice and security.
   Green or no address bar when using https in the address bar.
  How can I clean this all up though when I have external users accessing https://remote.mycompany.com/rdweb and internal users accessing https://vdi-remote2/rdweb.  I don't recall the possibility to have two certs for one website (the RDWeb).  So,
  I'm a bit confused on all this cert stuff.  I could keep everything as is and just train the users, but I'd rather not.
  Thank you in advance for your reply.

  Hi Steve,
  Thanks for your comment.
  Yeah, your understanding is correct as you have commented that “Things are working, but ONLY after I install the cert in the trusted root certification authorities store.”
  Trusted certificate is required for RDS server.
  I would like to suggest you that first of all certificate must be placed in (local computer)/Personal Store, and the
  certificate must be signed by trusted authority. Please check below link which state that “If the RD Gateway server is configured to use a Secure Sockets Layer (SSL) certificate that is not signed by a trusted
  certification authority, users might be unable to connect to internal network resources (computers) through the RD Gateway server. “ 
  RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
  You may export your certificate (and its private key) to a .pfx file using the Certificates mmc snapin.  By that way you can use the .pfx file for the RDS Role Services.
  Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
  For your comment “One user was having issues.  Once I installed the cert on her computer, she has no more issues logging in and launching a remote session. “, I can say that if the issue is mostly due to certificate only then
  if you will purchase trusted authority certificate then as per my knowledge you’re all problem regarding login and certificate will be solved.
  More information:
  1. Configuring RDS 2012 Certificates and SSO
  2. RD Web Access Web site to use a trusted certificate
  (Thread might helpful to understand)
  Hope it helps!
  Thanks,
  Dharmesh

• Is it possible to use single ssl certificate for multiple server farm with different FQDN?

  Hi
  We generated the CSR request for versign secure site pro certificate
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  SSL Certificate for cn=abc.com   considering abc.com as our major domain. now we have servers in this domain like    www.abc.com,   a.abc.com , b.abc.com etc. we installed the verisign certificate and configured ACE-20 accordingly for ssl-proxy and we will use same certificate gerated for abc.com for all servers like www.abc.com , a.abc.com , b.abc.com etc. Now when we are trying to access https//www..abc.com or https://a.abc.com through mozilla , we are able to access the service but we are getting this message in certfucate status " you are connected to abc.com which is run by unknown "
  And the same message when trying to access https://www.abc.com from Google Chrome.
  "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
  so i know as this certficate is for cn=abc.com that is why we are getting such errors/status in ssl certficate.
  Now my question is
  1. Is is possible to  remove above errors doing some ssl configuration on ACE?
  2. OR we have to go for VerisgnWildcard Secure Site Pro Certificate  for CSR generated uisng cn =abc.com to be installed on ACE  and will be used  for all servers like  www.abc.com , a.abc.com etc..
  Thanks
  Waliullah

  If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't beause your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.
  Hope this helps,
  Sean

• Copying SSL Certificates from one server to another.

  I have a question that hopefully someone might have the answer for... I have a IPlanet 6.0 SP4 server that has an SSL certificate I'm trying to move to a new server that's on SunOne 6.1. I was under the impression that I could easily copy the <Iplanet_Root>/alias/https-<ServerInstance>-<server>-<key3/cert7>.db files to the new server from that server's alias directory. However before I copied the files, I immediately noticed the new server's cert file is called cert8 instead of cert7 and is 64K as opposed to the 6.0 server's 16K.
  I stopped the web instance and renamed the current db files and copied in the new and changed the cert7 to cert8. When I restarted the server, it stayed up and didn't report any problems. However, when I go the security tab and click on any of the links on the left column, an internal server error (http500) page is displayed. No additional errors show up in the errors log.
  Unfortunately, we don't have the original certificate request. I'm sure when it was applied for; it was cut and pasted into the install certificate page. Otherwise, I'd simply do the install on the other server. Is there a simply means to copy an already installed cert from one sever to another?
  Any assistance would be greatly appreciated.

  Migration from 6.0 to 6.1 should take care of this. You don't have to rename the files to cert7.db after the migration, just leave them with their new names and size as is. The new file created in 6.1(after migration is complete) will be called cert8 and this is fine because 6.1 uses newer version of security libs. Doc links:
  http://docs.sun.com/source/817-1830-10/migrate2.html
  http://docs.sun.com/source/817-1831-10/agcert.html#wp1017112
  Thanks,
  Manish

• How to install SSL certificate on Mac OS X 10.8.3 Server 2.2

  Hi,
  In eairler versions of !0.8 / OS X Server 2.2 your where able to install a purchased SSl certificate in the
  Hardware >> Profile Manager Server >> Settings >> SSL Certificate Edit
  I've just done a clean install of 10.8.3 and OS X Server 2.2 but there is no  "SSL Certificate Edit" available.
  How do I install my purchased certificate?
  Thanks,
  John

  sorry for hijacking but I have a related question to do with certificates.
  I had to set up virtual domains manually instead of through the GUI and the server ssl site is now locked to a certificate that is about to expire and no longer needed, I can't change the certificate in the web gui because it was created manually, I can't delete the certificate because it is assigned to the server ssl website and I can't manually edit the conf files to point to a different certificate becasue it breaks it, any ideas?

• Exchange 2010: How to renew an SSL certificate?

  Hi all.  I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd party CA for Exchange 2010.  I really don't want to mess this one up by cobbling together partial answers
  from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out. 
  This is a standard GoDaddy 5-domain UCC certificate.  There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet).  The existing certificate expires in a month or so. 
  I have some specific questions but perhaps these would be answered via what I hope will be a step by step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions just that so far no single forum post nor MS TechNet article
  has addressed all my concerns, or in some cases information conflicts.  So my concerns for example are:  can you do a renewal for a certificate before the old one expires?  It is actually a renewal, or are you adding a 2nd certificate? 
  Do you have to do anything in IIS or does EMC or EMS do all that for you? 
  Thank you. 

  -->Can you do a renewal for a certificate before the old one expires? 
  Yes. Normally 3rd party CA allows you to renew certificate before the current one expires.
  -->It is actually a renewal, or are you adding a 2nd certificate? 
  You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed step of Godaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
  -->Do you have to do anything in IIS or does EMC or EMS do all that for you? 
  You will have to do it from MMC or EMS. No need to do anything from IIS.
  Follow the steps below to make your work easy or follow the video in this site site.http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
  1. Run this command from EMS to generate CSR. You can see the CSR named "newcsr.txt" in C:\CSR
  folder
  Set-Content -path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellavue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
  2. Renew the certificate from Godaddy (from Godaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from Godaddy after renewal.
  3. Open Exchange MMC. Go to Server configuration. Right click on the pending request.  Click on complete pending request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
  4. Assign services using the steps in the below site. Make sure you have selected the new certificate. You will see the thumbprint just before completion http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
  5.Delete the old one certificate from MMC.
  From EMS use this command 
  Remove-ExchangeCertificate -Thumbprint <old cert thumprint>
  You can see the the certificate thumprints using Get-ExchangeCertificate command
  MAS. Please dont forget to mark as answer if it helped.

• SSL Certificate - No public Biztalk

  Hello !!
  I've been working with Biztalk since 2006 version, always doing some AS2, encryption and so on. It's the first time a customer requires to use a GoDaddy, Symantec, etc. SSL (in the past always self-signed ssl).
  My question is simple:  This biztalk server is not public, won't use a URL, just plain IP.  The guys at GoDaddy or Symantec does not understand what I'm asking for, they just keep asking what's the URL of the website.
  Can you give me any directions on how to work with this scenario? How do I request the SSL certificates for encryption and signing?
  Thank you!
  Victor

  You will have a problem with that which you might not be able to overcome.
  The names on the certificate used for TSL/SSL must match the host names used in the url either directly or by wildcard.
  However, no public vendor will sell you a total wildcard certificate and probably no public vendor will sell you an IP address based certificate because a particular address, 10.4.5.6 for example, can be used many, many times on different networks. 
  If you actually own that public address space, maybe, but it's unlikely you do.
  You have two realistic options:
  Assign the BizTalk endpoint a name in a DNS namespace you own and buy a certificate for that.  You don't actually have to register the host name, the clients can use a hosts file or equivalent.
  Continue to use self-issued certificates.
  One question, of the BizTalk Server is not public, how is the customer accessing it?  I don't need to know how, but it's an unusual request to require a public cert for an internal service.

• Wildcard SSL Certificates with MFE?

  Is anyone using a wildcard SSL certificate on their mail server when using Mail for Exchange on assorted Nokia E Series mobiles please?
  We currently use a straight SSL cert and MFE works with no problem, however I've been looking into getting a single wildcard SSL certificate for our domain.
  Before doing anything I figured I'd try a website that used a wildcard certificate.
  When I did this (using an E51) I got the message "Website has sent a certificate with a different website name than requested" and was prompted to accept once, permanently, or don't accept.
  My question is whether this message would come up in a clear/obvious manner when using Mail For Exchange on a Nokia (so I can tell our users what to do when it does), and whether anyone has encountered issues using a wildcard with Nokias when using Mail for Exchange.
  If anyone has an E-Series and is using a Wildcard cert can you let me know if you've encountered any issues please?
  Thanks.

  This is interesting question. I look forward testing this myself
  What kind of cert & website you used on your own tests? Was the cert something like *.example.com? And the domain, was it https://something.example.com or https://example.com ? AFAIK wildcard doesn't match addresses consisting domain part only, so the latter one might not work.
  Help spreading the knowledge — If you find my answer useful, please mark your question as Solved by selecting Accept this solution from the Options menu. Thank you!

• Exchange 2013 autodiscover finds external & internal SSL certificate causing autodiscover to fail

  <p>Hi:</p><p>I'm currently working on a windows 2012 server, with exchange 2013, lets say our internal domain is "cars.com" and ALSO the case for&nbsp;our external domain. We have purchased an SSL wildcard positive certificate
  *.cars.com so that we could configure Outlook Anywhere, we have created the needed DNS records at godaddy and our internal server, OWA, ECP it all works if you go to&nbsp; <a href="https://bird.cars.com/owa">https://bird.cars.com/owa</a>
  because we have a DNS record for bird in godaddy and out local server, so all of that is working like a pro ! here comes the tricky part, our website is registered in godaddy but hosted by someone else a company called poetic systems; when we test the connection
  with the remote connectivity analyzer website we get a very peculiar error that says SSL certificate not valid, now it provides the name of the certificate it found and is not ours, we found that the hosting company is listening in port 443, therefore, it
  is pulling their self signed certificate also, does anyone have a fix for this, I have done this same setup before for other companies and this is the first time a situation like this happens. I REALLY NEED HELP !!!!!</p>

  Hi,
  According to your description, there is a certificate error when you test Outlook Anywhere connection by ExRCA.
  If I misunderstand your meaning, please feel free to let me know.
  And to understand more about the issue, I’d like to confirm the following information:
  What’s detail error page?
  Check the Outlook Anywhere configuration: get-outlookanywhere |fl
  Check the certificate : get-exchangecertificate |fl
  If you have any question, please feel free to let me know.
  Thanks,
  Angela Shi
  TechNet Community Support

• Several SSL-Certificates in STRUST

  Hello,
  I'm not sure, if this is right place for my question, but I will try it.
  On one SAP WAS 7.0 we have two BSP-Applications.
  Each application uses an seperate URL, for example
  shopa.test.com
  shopb.test.com
  Access should be realized over two SAP webdispatchers.
  Both applications should run with SSL.
  Is it possible to install two SSL-Certificates in the STRUST?
  Installing a SSL-Certificate in STRUST is not the problem, I did several times.
  What happens, if there is an existing certificate, and the server-pse will be changed to create
  an new CR for the second URL.
  Can anybody help me or did this before?
  Thank you
  Frank

  Hi,
  >If we want an end to end encryption, the certificates in strust are necessary.
  You did not say that you wanted end to end encryption...
  I don't know if what you want to do is possible.
  I would experiment with virtual hosts creation at the SICF level and create 2 SSL servers entries in STRUST
  Menu --> Environment --> SSL Server Identities
  It adds your created entry to the main tree of STRUST and you can then create a new SSL server certificate.
  Hope this helps,
  Olivier

• Web server type of standalone oc4j needed for SSL Certificate

  Hi,
  We have a standalone oc4j 10.1.3 that hosts an application whose many of its pages use https and so we need to buy SSL certificate from any of CAs like Verisign, GeoTrust, etc.. All of these CAs are asking us about the web server type that the standalone OC4J uses. I read the following statement from this url:
  http://download.oracle.com/docs/cd/B32110_01/web.1013/b28950/intro.htm#JICON100
  "communications in a standalone environment is provided through the built-in *_OC4J Web server_*, which supports HTTP and HTTPS communications natively without the use of the Oracle HTTP Server"
  On all of the SSL certificate systems of above CAs websites, they ask us to choose the web server type from a list of server types but I don't see OC4J web server listed and I am told that it is very important to make sure the web server type is correct otherwise the SSL Certificate that we buy may not be compatible with our web server type.
  So, I like to know the exact built in web server type name that goes with Standalone OC4J or one that is closest and for which SSL Certificate is compatible.
  Shown below is a list of web server types that I am asked to choose from on Verisign website.The closest to standalone oc4j according to below list is Oracle Wallet Manager but isn't this meant for Oracle Application Server (OAS) and not the standalone OC4J? we are using the java keytool to generate the CSR that we look to sign it via the verisign but again we are not sure about the web server type in the case of standalone OC4J that is not listed below. Please advice and thanks in advance to any of your responses in helping out.
  Webstar 4.x
  ApacheSSL mod_ssl
  WebLogic 6.0
  WebLogic 8.1
  Cisco
  ACS 3.2
  Covalent
  Apache ERS 2.4
  Apache ERS 3.0
  F5
  BIG-IP
  IBM
  Websphere MQ
  HTTP Server
  Lotus
  Domino 5.0
  Domino 6.0
  Domino 7.0
  Domino 8.0
  Windows NT - IIS 4.0
  Windows 2000 - IIS 5.0
  Windows 2003 - IIS 6.0
  Windows 2008 - IIS 7.0
  Exchange 2007
  iPlanet 4.x
  iPlanet 6.x
  ScreenOS
  SSL Accelerator
  Oracle Wallet Manager_
  Secure Web Server
  SSL Offloaders
  Stronghold
  Java Web Server 6.x
  Sun ONE
  AS Server w/IIS 4
  AS Server w/IIS 5
  EA Server
  Tomcat
  Zeus

  Hi Zeus,
  Type of certificate depends the method you will use to deploy the certificate on your application server.
  Please refer the links,
  http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/configssl.htm
  http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/wallets.htm#ASADM400
  http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
  Regards,
  mYth

• NAC SSL certificate Issue

  I recently applied a signed certificate to both the CAM and CAS. ever since then I have been having problems with the system. In the perfigo logs on the CAM I receive a lot of messages with "Certificate chaining error" in them. My question is what is the best way to roll back the signed certificates to the self signed ones? Any other suggestions would be greatly appreciated.
  Thanks in advance.

  Hi Giles,
  Thanks for te update. The problem I am facing is:-I have 2 SSL certificates on my ACE and I have also configured 2 server farms (farm1 and farm2)each associated with ssl certificate, now the problem i am facing is when we access the farm2 serverfarm we are issued the certificate of farm1 wereas i need to be getting the certificate from the farm2.
  Thanks in advance.
  Regards
  Sum