Same Certificate for WLS Clustering?

Hi all.
First of all, is it worth having 2-way authentication SSL connections among
the weblogic servers under the same weblogic clustering?
I'm wondering if I can set up the same certificate/private key pair on all
weblogics running on the same machine under
weblogic clustering, or do they need unique key pairs?
To make 2-way authentication SSL between IIS and the weblogic server, does IIS
have to obtain a certificate from a
trusted CA such as Verisign? Can IIS and a weblogic server running on the
same machine share the same certificate and
private key?
Thanks in advance.

> First of all, is it worth having 2-way authentication SSL connections among
> the weblogic servers under the same weblogic clustering?

There really is no reason to do so.

> I'm wondering if I can set up the same certificate/private key pair on all
> weblogics running on the same machine under
> weblogic clustering, or do they need unique key pairs?

Digital certificates are typically tied to machine name. Each digital
certificate is associated with a unique private key. So, unless all the
machines have the same machine name (ala machine.com), you'll need a
different digital certificate.

> To make 2-way authentication SSL between IIS and the weblogic server, does IIS
> have to obtain a certificate from a
> trusted CA such as Verisign?

You're trying to do this with an SSL connection from the plug-in to WLS?

> Can IIS and a weblogic server running on the
> same machine share the same certificate and
> private key?

I do not believe that this is possible. Each vendor uses their own
mechanism for storage of the private key.
Thanks,
Michael
Michael Girdley
BEA Systems Inc
"Won H. Cho" <[email protected]> wrote in message
news:[email protected]..

Similar Messages

  • SSL certificates for a clustered environment

    Hi all,
    I have a rather large domain in one environment with one Admin Server and 6 Managed Servers.
    The Managed Servers are split on two physical machines with the first machine holding the Admin Server as well.
    Each pair of servers is joined in a cluster, so I have 3 clusters, each hosting one application.
    Now some of the communication needs to be done over ssl and I'm wondering about the configuration. First of all I should
    note that these certificates won't be seen by a client (browser), they will only be used for internal application communication.
    So, do I need one certificate for each managed server for its identity keystore? Or can I use the same certificate for all of them?
    They will all be accessible under the same url, under a couple of layers of routers. If I use the same certificate can I use the one on the
    router, which the clients see as well? Can I or Must I?

    You only need to tell nodemanager where to find its certs. If you've already chosen SSL for your nodemanager, then by default it uses the democerts that come with WL. But you really don't want to use those...
    So in your nodemanager properties, use something like:
    # SSL Configuration
    KeyStores=CustomIdentityAndJavaStandardTrust
    CustomIdentityAlias=your_cert_alias
    CustomIdentityKeyStoreFileName=full_path_to_your_identity_keystore_used_by_your_mgd_server
    CustomIdentityKeyStorePassPhrase=your_storepass
    CustomIdentityKeyStoreType=jks
    CustomIdentityPrivateKeyPassPhrase=your_keypass
    This tells your nodemanager to use the same identity as your managed servers. Since it's using java standard trust, it shares the same "cacerts" as the app server. In the console, your Machine -> Configuration -> Node Manager -> Type would be SSL.
    So that would be all that's required for the nodemanager.
    In your trust keystore, you can just add the signer / root ca cert for your certs, or you can add the individual server certs if you want to restrict the trust a little further. Normally identity certs expire more frequently than root certs, so I don't put identity certs into the trust store since it just means more maintenance when they expire.
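As an added example (not code from this page, WebLogic or BEA), a small Java check that addresses the question raised in both threads above, namely whether one identity keystore can be reused across cluster members: it loads the keystore and alias named in the nodemanager properties and reports which managed-server hostnames the certificate's SAN or CN does not cover. The keystore path, store password, alias and hostnames are command-line arguments and are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

public class IdentityKeystoreCheck {

    // DNS names the certificate is valid for: SAN dNSName entries plus the subject CN.
    static Set<String> coveredNames(X509Certificate cert) throws Exception {
        Set<String> names = new HashSet<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) { // GeneralName type 2 = dNSName
                    names.add(((String) san.get(1)).toLowerCase());
                }
            }
        }
        // Legacy fallback: the subject CN. Modern clients ignore the CN once a SAN is present,
        // so a cert that relies on the CN alone is already a warning sign.
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        for (String rdn : dn.split(",")) {
            String r = rdn.trim();
            if (r.startsWith("CN=")) names.add(r.substring(3).toLowerCase());
        }
        return names;
    }

    // RFC 6125 style match: a "*." wildcard covers exactly one left-most label.
    static boolean matches(String host, String pattern) {
        host = host.toLowerCase();
        if (pattern.startsWith("*.")) {
            int dot = host.indexOf('.');
            return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
        }
        return host.equals(pattern);
    }

    // Hostnames from the list that the certificate does NOT cover.
    static List<String> uncovered(X509Certificate cert, List<String> hosts) throws Exception {
        Set<String> names = coveredNames(cert);
        List<String> missing = new ArrayList<>();
        for (String h : hosts) {
            boolean ok = false;
            for (String n : names) {
                if (matches(h, n)) { ok = true; break; }
            }
            if (!ok) missing.add(h);
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // usage: java IdentityKeystoreCheck <identity.jks> <storepass> <alias> host1 [host2 ...]
        // (paths, password and alias are assumed arguments, matching the nodemanager properties above)
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate c = ks.getCertificate(args[2]);
        if (!(c instanceof X509Certificate)) {
            throw new IllegalStateException("alias is not an X.509 certificate: " + args[2]);
        }
        X509Certificate cert = (X509Certificate) c;
        cert.checkValidity(); // throws if the identity cert is expired or not yet valid
        List<String> hosts = Arrays.asList(args).subList(3, args.length);
        List<String> missing = uncovered(cert, hosts);
        if (missing.isEmpty()) {
            System.out.println("OK: alias " + args[2] + " covers " + hosts);
        } else {
            System.out.println("NOT OK: alias " + args[2] + " does not cover " + missing
                    + "; names in the certificate: " + coveredNames(cert));
            System.exit(1);
        }
    }
}
```

Run it once per keystore before copying that keystore to a second managed server; a non-zero exit means clients connecting to that server name will see a hostname mismatch.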

  • Using Basic or Multi-tier configuration for WLS Clusters...

    Ok,
              The scenario is: I'm using WLS6.1 (hopefully, version doesn't matter here)
              with three instances clustered. Each instance provides all Services:
              Servlets / JSPs/ EJBs / Database communication... I'm using the Basic
              configuration described on the BEA documentation....
              Now, I want to move forward to a Multi-tier configuration, where the first
              layer will serve Servlets and JSPs and the second layer will serve EJBs.
              The problem: On the first scenario, I was looking up EJBs with the Default
              InitialContext() constructor without the environment, since everybody was on
              the same JVM...
              What do I have to do, so my Servlets start looking for EJBs on the second
              cluster now? Do I have to re-write every single lookup? Can I use a
              jndi.properties file on the first layer - on the presentation tier?
              Thanks in Advance,
              Marcelo.
              

              Thanks Patrick!
              But my actual problem starts here. The Servlets aren't mine. We have to support
              applications which run atop our product(which is a bunch of beans+RMI Objects
              running on the top of WLS) in a backward compatible way with a standalone.
              Will try and make a post if I can find a 'configurable' way out.
              Harish
              Robert Patrick <[email protected]> wrote:
              >Put the other server's PROVIDER_URL in a system property, property file,
              >whatever and
              >have the servlets explicitly use it when creating the InitialContext
              >to talk with the
              >other server...
              >
              >Harish Vajha wrote:
              >
              >> Hi Cameron,
              >>
              >> A -Djava.naming.provider.url nor jndi.properties would work. The problem
              >is like
              >> this:
              >> Say I have two WL servers hosting just EJBs: E1, E2. And I have a single
              >WL Server
              >> hosting just servlets: S1. Now I give the -Djava.naming.provider.url=E1(using
              >> http or t3) (or I provide the same thing using my own jndi.properties).
              >>
              >> The problem with this setup is that while starting up, the Server will
              >try binding
              >> every object(including the System bindings like wl.transaction.TransactionManager,
              >> wl.common.T3Services) to the other NS (in this case E1's naming service)
              >which
              >> is bound to fail, as they're already bound in that Server.
              >>
              >> The solution has to be a way to specify the java.naming.provider.url
              >only for
              >> the servlets (or the web app).
              >>
              >> Any ideas on how to provide a Webapp specific lookup address?
              >>
              >> Marcelo, if you've found a way out to separate, pl. make a post.. Thanks!
              >>
              >> Harish
              >>
              >> "Cameron Purdy" <[email protected]> wrote:
              >> >Hi Marcelo,
              >> >
              >> >With Weblogic, your performance will typically decrease if you go
              >the
              >> >route
              >> >that you are describing.
              >> >
              >> >Yes, you can do jndi.properties, however I believe you will find it
              >inside
              >> >one of the WL jars.
              >> >
              >> >Note that you can use java -D instead to define some of the JNDI properties
              >> >to point to the other cluster, but I can't remember them off-hand.
              >> >
              >> >Peace,
              >> >
              >> >--
              >> >Cameron Purdy
              >> >Tangosol Inc.
              >> ><< Tangosol Server: How Weblogic applications are customized >>
              >> ><< Download now from http://www.tangosol.com/download.jsp >>
              >> >
              >> >
              >> >"Marcelo Caldas" <[email protected]> wrote in message
              >> >news:[email protected]...
              >> >> Ok,
              >> >> The scenario is: I'm using WLS6.1 (hopefully, version doesn't matter
              >> >here)
              >> >> with three instances clustered. Each instance provides all Services:
              >> >> Servlets / JSPs/ EJBs / Database communication... I'm using the
              >Basic
              >> >> configuration described on the BEA documentation....
              >> >>
              >> >> Now, I want to move forward to a Multi-tier configuration, where
              >the
              >> >first
              >> >> layer will serve Servlets and JSPs and the second layer will serve
              >> >EJBs.
              >> >>
              >> >> The problem: On the first scenario, I was looking EJBs with the
              >Default
              >> >> InitialContext() constructor without the environment, since everybody
              >> >was
              >> >on
              >> >> the same JVM...
              >> >> What do I have to do, so my Servlets start looking for EJBs on the
              >> >second
              >> >> cluster now? Do I have to re-write every single lookup? Can I use
              >a
              >> >> jndi.properties file on the first layer - on the presentation tier?
              >> >>
              >> >> Thanks in Advance,
              >> >> Marcelo.
              >> >>
              >> >>
              >> >
              >> >
              >
              

  • Same certificates for two servers using Sun Java WS 6.1sp5 with Crypto card

    Hi,
    I have 2 Sun java webserver 6.1 sp5 installed on two machines as :
    Single webserver1 instance on hostmachine1
    Single webserver1 instance on hostmachine2.
    (both instance names are same)
    I have created server certificate and installed it using External cryptographic module: Sun Crypto Accelerator 500 on hostmachine1.
    It is perfectly working fine.
    Now, for hostmachine2, I created a trust database with the same password as for hostmachine1. I copied the two files
    https-webserver1-hostmachine1-key3.db and
    https-webserver1-hostmachine1-cert8.db from hostmachine1, put them on hostmachine2 (in the serverroot/alias folder) and then renamed them as
    https-webserver1-hostmachine2-key3.db and
    https-webserver1-hostmachine2-cert8.db
    Then I went to preferences->Edit socket listen, but security was disabled.
    I restarted the webserver, but security was still disabled.
    What is the problem??
    Please inform me as well as at my email address [email protected]
    Please do reply me as I am waiting anxiously.
    Thanks.
    Taqi

    Hello,
    The problem you are reporting is not expected.
    Hope you are not trying on admin server.
    I am not sure why you removed all files from alias directory.
    Please do the following in a fresh installation:-
    1) install ws6.1sp5.
    2) copy cert and key db from the working systems to the alias
    directory of the instance.
    3) move the db files to the new name (make this name right).
    4) through admin server GUI select instance (Manage server).
    5) go to edit listen socket.
    6) turn on security and select OK.
    7) then press Apply button.
    8) then press Apply changes.
    9) it will restart your instance server and will ask you for the password.
    10) supply the security password of the first server.
    11) it will restart your instance server in https mode.
    This works fine.

  • New server and/or CA certificate for connection from custom authentication

    We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
    I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
    My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
    Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
    Relevant things I've tried so far:
    Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
    Import the IPS CA into the web server cert8 style db via the web admin server.
    The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
    Part of the stack:
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
    The relevant bit of code from SecureURL.retrieve looks as follows:
    URL u = new URL(url);
    if (!u.getProtocol().equals("https"))
        throw new IOException("only 'https' URLs are valid for this method");
    URLConnection uc = u.openConnection();
    uc.setRequestProperty("Connection", "close");
    r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
    String line;
    StringBuffer buf = new StringBuffer();
    while ((line = r.readLine()) != null)
        buf.append(line + "\n");
    return buf.toString();
    } finally { ...
    The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
    Thank you very much for any insights and help,
    Ethan

    I thought since this has had a fair number of views I would give an update.
    I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
    certutil: certificate is valid
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    certutil: certificate is invalid: Certificate type not approved for application.
    root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
    root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    FSU Wildcard Certificate : Certificate type not approved for application.
    So it could be that I don't understand how to use the certutiil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
    BTW for those interested, it did seem to be the case that when the certificate failure occurred, an attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out a misformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me. I would not have wanted it to quietly work that way, exposing sensitive information to the network.
    This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know; there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows of a reason not to use sun.net.www.protocol with the amserver.
    After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.
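An added example (not CAS's, Sun's or the poster's code) of a hardened version of the SecureURL.retrieve pattern quoted above: it fails closed when the protocol handler returns anything other than an HttpsURLConnection, which is the cleartext fallback Ethan observed, and pins trust to an explicit trust store such as the cacerts file the IPS CA was imported into. The trust store path and password are assumed command-line arguments.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class StrictHttpsFetch {

    // SSLSocketFactory that trusts only the CAs in the given trust store (assumed path/password),
    // so a missing CA import shows up as a certificate error, not as an unexplained refusal.
    static SSLSocketFactory trustOnly(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Same contract as the CAS snippet: only https URLs, body returned as a string.
    static String retrieve(String url, SSLSocketFactory factory) throws IOException {
        URL u = new URL(url);
        if (!"https".equals(u.getProtocol())) {
            throw new IOException("only 'https' URLs are valid for this method");
        }
        URLConnection uc = u.openConnection();
        // Fail closed: a custom handler registered via java.protocol.handler.pkgs may hand back a
        // connection type that does no TLS at all. Never proceed with such an object.
        if (!(uc instanceof HttpsURLConnection)) {
            throw new IOException("expected HttpsURLConnection, got " + uc.getClass().getName());
        }
        HttpsURLConnection https = (HttpsURLConnection) uc;
        https.setSSLSocketFactory(factory);
        // The default JSSE verifier checks the server name against the certificate; keep it,
        // never replace it with an accept-all verifier to "fix" a mismatch.
        https.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        https.setRequestProperty("Connection", "close");
        StringBuilder buf = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(https.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                buf.append(line).append('\n');
            }
        }
        return buf.toString();
    }

    public static void main(String[] args) throws Exception {
        // usage: java StrictHttpsFetch <https-url> <truststore> <storepass>   (assumed arguments)
        System.out.print(retrieve(args[0], trustOnly(args[1], args[2].toCharArray())));
    }
}
```

With this wrapper a wrong trust store produces an SSLHandshakeException naming the untrusted issuer, which is the error the original poster was trying to reach instead of "Connection refused".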

  • Security Certificate for BizTalk server

    Hello,
    We need to have a party certificate for EDI communication for ourselves, as required by some of our trading partners. Currently we have EDI implemented but moving to BizTalk platform. So we do have a certificate for our party in our current AS2 software.
    My question is, can we use the same certificate for our party once moved to BizTalk (different computer, different environment). And if not, where would you go to obtain one?
    Thanks a lot!
    Galina

    Hi Galina,
    You can use the same certificate which you used in non-BizTalk to BizTalk EDI integration. Security by using certificate is not specific to BizTalk; it’s all related to cryptography and digital signature.
    BizTalk just provides a way to support those security implementations. So you can very well use the same certificates used in non BizTalk to BizTalk environment as part of your migration.
    For party resolution, you have to use the public certificate of your trading partner. So this certificate must have been shared with you by your trading partner. In your non-BizTalk EDI communication, for party resolution you would have used this public key/certificate. This certificate (public key) is not related to BizTalk or non-BizTalk EDI products. It is used to implement the public-private key pair of the digital signature. For BizTalk you have to install this public certificate in the "Other People" store.
    Just as additional info, if you don't have this (or lose it in future) you have to get this public key from the trading partner with whom you exchange EDI messages.
    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful.

  • Exchange 2013 Certificates for Hybrid Deployment Clarification

    I have Exchange 2013 servers (CAS and Mailbox on separate servers) which I wanted to set up for Hybrid deployment. I already have a certificate acquired from a 3rd party with 3 names (mail, autodiscover and owa). The certificate was installed on the CAS server. As per the hybrid deployment documentation I also need to install a certificate on the mailbox server. Questions:
    1. Can I use the same certificate for installation in the mailbox server?
    2. Can I also use the same certificate in the Hybrid Configuration wizard for the "certificate to use with securing the hybrid mail transport"?
    3. Do I need to include the primary smtp domain (xxxxx.com) in the certificate since current configuration points to the mail.xxx.com as the certificate common name?

    Hi,
    Here are my answers you can refer to:
    1. It depends.
    The certificate used for hybrid secure mail transport must be installed on all on-premises Exchange 2013 Mailbox and Client Access servers.
    If you're configuring a hybrid deployment in an organization that has Exchange servers deployed in multiple Active Directory forests, you must use a separate third-party CA certificate for each Active Directory forest.
    2. Yes. But we recommend that you use a dedicated third-party certificate for any optional AD FS server, another certificate for the Exchange services for your hybrid deployment, and if needed, another certificate on your Exchange servers for other needed services or features.
    3. Yes. Here are the minimum suggested FQDNs that should be included on certificates: domain.com, autodiscover.domain.com, edge.domain.com
    For more information, you can refer to the following article:
    http://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Multiple Certificates for the same WLS

    Hi,
    IHAC who asks the following:
    Background
    Bigshop Limited carried out a soft launch of our e-tailing website under the url fonzie.bigshop.com.au
    We have a verisign certificate set up for 128 bit ssl under the known name fonzie.bigshop.com.au
    All ssl connections that connect to the site with this url are able to establish an SSL session.
    Current Issue
    Bigshop is now in the process of carrying out the public launch of the website. The public url for the website will be www.bigshop.com.au
    We have generated a new public/private key pair and a Certificate Signing Request (CSR) and have ordered a new certificate from verisign.
    Could you please advise if it is possible to operate two certificates for the one server. This will allow our www.bigshop.com.au and fonzie.bigshop.com.au url's to operate concurrently and enable both to establish SSL sessions with valid certificates.
    Is what they want to do possible ?? any suggestions
    appreciated,
    regards,
         Patrick.

    Did you ever figure out how to use multiple certificates on the same server? I have a need to do this also. Thanks a lot.

    In current versions of weblogic (5.1, 6.x, 7.0, 8.1), you can configure only
    one certificate per server.
    -utpal

  • Multiple certificates for the same webpage

    I have two certificates for two different accounts for the same bank.
    The problem is selecting the desired certificate to log in to the bank web page, because Safari saves one of them as the default (the one I select the first time).
    How can I make Safari ask me to choose a certificate when the same web page has 2+ certificates to use?

    I found a workaround:
    1. Open the keychain. Select "Login" keychain, on the top left, and "All items" in the Category.
    2. In the top right search box, write some part of the webpage
    3. Below it will appear your webpage with "identity preference" in the Kind column
    4. If you double click that item, you can choose the certificate you want to access with
         If you erase that item, the next time you enter the webpage it will ask you to choose a certificate, and will create a new entry with the new selection.
    It's not perfect, but at least you can work with two or more certificates in the same webpage using Safari.

  • Is it possible to use the same Switch for two different clusters.

    I have 10g Rac setup on windows.
    Now I am planning to install 11gR2 on different servers.
    Is it possible to use the same Switch for two different clusters.

    user9198027 wrote:
    I have 10g Rac setup on windows.
    Now I am planning to install 11gR2 on different servers.
    Is it possible to use the same Switch for two different clusters.
    Yes.  Technically there will not be any conflict as long as the private addresses used by the 2 clusters do not collide, and provided that the switch's port capacity and bandwidth will not be exceeded.
    Your NA (netadmin) can also configure the switch to separate the 2 Interconnects from one another (called partitioning when using Infiniband) - if the switch supports such features.
    A major consideration is not to make the switch public. That typically causes a range of problems and can have a serious impact on an Interconnect. But using 2 private networks on the same infrastructure should not have the same problems, if configured and implemented correctly.

  • Gift certificate for friend, download to same computer problem

    Hi,
    I purchased a gift certificate for my girlfriend from my own account.
    She received the email gift certificate, hit 'redeem' however the album didn't download. Unfortunately going back to the email and hitting the 'redeem' bring up a message saying this code has been used.
    Is there an issue if she tries to download the tunes onto the same computer as I have all my purchased music?
    Thanks
    Rustybob

    First, is she logged into the account through which she redeemed the certificate and ordered the album? If so, first have her check to make sure it's not still sitting in the Shopping Cart and not actually purchased. If not, have her try the "check for purchases" command under the Advanced menu; the album may be sitting there waiting to be downloaded.
    Hope this helps.

  • Can i use same certificate on 2 different CAS Server across sites

    Hi All
    I have a question I have been playing with for a few days,
    I have the following setup,
    2 sites connected via a VPN and a DAG configured between sites.
    Site 1-Head Office
    2 exchange 2010 servers,
    1 running CAS and Mailbox (this server is entry point to all clients for owa etc.)
    1 running Hub, CAS, Mailbox. (this is the main server and a DAG Member)
    We have a UNC certificate associated with all records pointing to remote access and its installed on both servers.
    ** Everything in this site works fine.
    ** The AD DNS server does not have a zone for the public domain with all the external records only the .local domain. Planning to change this soon.
    Site 2.
    1 exchange 2010 servers,
    1 running Hub, CAS, Mailbox. (this is the main server for this site, a DAG Member and no entry point at this time but we intend to use it for redundancy)
    ** Currently all BD are on server in site 1.
    ** The AD DNS server does not have a zone for the public domain with all the external records only the .local domain. Planning to change this soon.
    My questions are as follows:
    1. On site 2's CAS server, can I use the same certificate I'm using on site 1? In other words, all clients currently use mail.domain.com which has an IP pointing to site 1; can I use that same certificate in site 2 and associate it with the CAS server there? (In the event of a failover I just change the record's IP.)
    2. All smtp traffic comes through site 1. When I test moving active databases to site 2, all email stays in the queues of the exchange server in site one; they don't get delivered. (I have not set AD replication through smtp so don't know if this is a factor.)
    3. When I do set the active databases to site 2, webmail and remote services stop working. I get the infamous error when logging onto webmail, service unavailable because it's been moved. I have read a lot about this being an internal/external url issue.
    All these issues I'm starting to think are interlinked, and I would like some help.
    Cheers

    Answers to your questions:
    Yes.  Understand that until you swap your external DNS so it points to Site 2, the mail.domain.com won't be accessed, but it will be there for when you want it to be.
    AD replication is not the issue, so don't try to set it to use SMTP.  If you have hub servers in both sites, your inbound Internet email should be delivered from the Site 1 hubs to the Site 2 hubs.  We may need more information before we can give you a good answer for this question.  However, you may check the following TechNet article (and its links) for assistance.
    http://technet.microsoft.com/en-us/library/aa998825(v=exchg.141).aspx
    Web access requires that the CAS you connect to be either externally accessible and in the same site as your mailbox server, or that the CAS in the inaccessible Windows site needs to be configured as internal only and the accessible CAS needs to be configured
    to proxy connections.  For this, make sure you have followed the directions in the following TechNet article.
    http://technet.microsoft.com/en-us/library/bb310763(v=exchg.141).aspx
    HTH ...

  • How to use the same keypair for both encrypt/decrypt - SunPKCS#11

    Dear All,
    Subject: To access iKey 2032 token, to retrieve public/private key from iKey 2032 token using pkcs#11 in sdk1.5, to encrypt/decrypt files.
    When I separate the encrypt and decrypt parts of the Java program, the encryption program works well, whereas the decryption program does not decrypt anything into the decrypt file (but there is no error). I printed out the public and private key in both the encrypt and decrypt parts of the Java program, and they are displayed differently:
    Encrypt program:
    SunPKCS11-rainbow_token RSA public key, 1024 bits (id 10, session object)
    modulus: 114338469922835728259534620463489934081917342509275191892563243582065743804950293365190369727028649986346642694996416168893254826993995596203701816247206811695759440273845993290248160482322440685957593039270852403361912088625635358738237376491107769961041015109436347533548940674900728805627968145581222172729
    public exponent: 65537
    SunPKCS11-rainbow_token RSA private key, 1024 bits (id 11, session object, sensitive, unextractable)
    Decrypt Program:
    SunPKCS11-rainbow_token RSA public key, 1024 bits (id 12, session object)
    modulus: 138556361758970660122782926386849783732271581948935425587968692317930092624293539770979566051403849618259743980042705470466209718353943623976992337385448180474873154665519774469288675494637374592482565087606590333417366699034781483727290962956934521650035029131176614982652900659797194703065074407857754883163
    public exponent: 65537
    SunPKCS11-rainbow_token RSA private key, 1024 bits (id 13, session object, sensitive, unextractable)
    I suspect that the program generates a different set of keys every time, therefore we need to store the generated key during the encryption part (I believe it has to be in the keystore) and use the same one for the decryption part. Could you please give me some tips on how to do this?
    Encrypt Program ::
    import java.io.*;
    import java.security.*;
    import java.security.cert.CertificateException;
    import javax.crypto.*;

    /** A class of Encrypt. */
    public class Encrypt {
        public Encrypt(){}

        public void loginToken() {
            // MQConfig and General are the poster's own helper classes; they are not shown on the page.
            Provider p = new sun.security.pkcs11.SunPKCS11(MQConfig.getvalue("SecurityPropertyPath"));
            Security.addProvider(p);
            KeyStore ks = null;
            try{
                String password = General.ReadFiles(MQConfig.getvalue("logFilePath"),"Simple");
                password = password.trim();
                char pin[] = password.toCharArray();
                ks = KeyStore.getInstance("pkcs11");
                ks.load(null,pin);
                // A fresh session key pair is generated on every run (the "id 10/11, session object"
                // in the output above); nothing persistent on the token is used.
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA",p);
                kpg.initialize(1024, new java.security.SecureRandom()); // initialize before generating
                KeyPair kp = kpg.genKeyPair();
                FileInputStream in = new FileInputStream("C:\\ReportDBBE.properties");
                FileOutputStream out = new FileOutputStream("C:\\ReportDBAE.properties");
                // RSA/PKCS1 with a 1024-bit key can encrypt at most 117 bytes in one block;
                // CipherOutputStream buffers everything and encrypts at close().
                Cipher cp=Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
                cp.init(Cipher.ENCRYPT_MODE,kp.getPublic());
                CipherOutputStream cout=new CipherOutputStream(out,cp);
                byte[] input=new byte[8];
                int byteread=in.read(input);
                while(byteread!=-1){
                    cout.write(input,0,byteread);
                    byteread=in.read(input);
                }
                cout.flush();
                in.close();
                cout.close();
            }
            catch(NoSuchAlgorithmException nsae) {
                System.out.println("No Such Algorithm Exception " + nsae.getMessage());
            }
            catch(NoSuchPaddingException nspe) {
                System.out.println("No Such Padding Exception " + nspe.getMessage());
            }
            catch(InvalidKeyException ike) {
                System.out.println("Invalid Key Exception " + ike.getMessage());
            }
            catch(IllegalStateException ise) {
                System.out.println("Illegal State Exception " + ise.getMessage());
            }
            catch(KeyStoreException kse) {
                System.out.println("Key Store Exception " + kse.getMessage());
            }
            catch(CertificateException ce) {
                System.out.println("Certificate Exception " + ce.getMessage());
            }
            catch(IOException ioe) {
                System.out.println("IO Exception " + ioe.getMessage());
            }
        }

        public static void main (String args[]) throws Exception {
            try{
                Encrypt tl = new Encrypt();
                tl.loginToken();
            }catch(Exception e){
                e.printStackTrace();
            }
        }
    }
    Decrypt Program ::
    import java.io.*;
    import java.security.*;
    import java.security.cert.CertificateException;
    import javax.crypto.*;

    /** A class of Decrypt. */
    public class Decrypt {
        public Decrypt(){}

        public void loginToken() {
            // MQConfig and General are the poster's own helper classes; they are not shown on the page.
            Provider p = new sun.security.pkcs11.SunPKCS11(MQConfig.getvalue("SecurityPropertyPath"));
            Security.addProvider(p);
            KeyStore ks = null;
            try{
                String password = General.ReadFiles(MQConfig.getvalue("logFilePath"),"Simple");
                password = password.trim();
                char pin[] = password.toCharArray();
                ks = KeyStore.getInstance("pkcs11");
                ks.load(null,pin);
                // This is a second, unrelated session key pair (id 12/13 above), not the one that
                // encrypted the file, so RSA decryption produces a padding error. CipherInputStream
                // in JDK 5 swallows that error and simply returns end-of-stream, hence an empty
                // output file with no exception.
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA",p);
                kpg.initialize(1024, new java.security.SecureRandom()); // initialize before generating
                KeyPair kp = kpg.genKeyPair();
                FileInputStream in1 = new FileInputStream("C:\\ReportDBAE.properties");
                FileOutputStream out1 = new FileOutputStream("C:\\ReportDBAD.properties");
                Cipher cipher=Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
                AlgorithmParameters algParams = cipher.getParameters(); // null for RSA; accepted by init()
                cipher.init(Cipher.DECRYPT_MODE,kp.getPrivate(),algParams);
                CipherInputStream cin1=new CipherInputStream(in1,cipher);
                byte[] input1=new byte[8];
                int byteread1=cin1.read(input1);
                while(byteread1!=-1){
                    out1.write(input1,0,byteread1);
                    byteread1=cin1.read(input1);
                }
                out1.flush();
                in1.close();
                out1.close();
                cin1.close();
            }
            catch(NoSuchAlgorithmException nsae) {
                System.out.println("No Such Algorithm Exception " + nsae.getMessage());
            }
            catch(NoSuchPaddingException nspe) {
                System.out.println("No Such Padding Exception " + nspe.getMessage());
            }
            catch(InvalidKeyException ike) {
                System.out.println("Invalid Key Exception " + ike.getMessage());
            }
            catch(IllegalStateException ise) {
                System.out.println("Illegal State Exception " + ise.getMessage());
            }
            catch(InvalidAlgorithmParameterException iape) {
                System.out.println("Invalid Algorithm ParameterException " + iape.getMessage());
            }
            catch(KeyStoreException kse) {
                System.out.println("Key Store Exception " + kse.getMessage());
            }
            catch(CertificateException ce) {
                System.out.println("Certificate Exception " + ce.getMessage());
            }
            catch(IOException ioe) {
                System.out.println("IO Exception " + ioe.getMessage());
            }
        }

        public static void main (String args[]) throws Exception {
            try{
                Decrypt tl = new Decrypt();
                tl.loginToken();
            }catch(Exception e){
                e.printStackTrace();
            }
        }
    }
    Configuration file::
    name = rainbow_token
    library = c:\winnt\system32\dkck201.dll
    attributes(*,CKO_PRIVATE_KEY,*) = {
      CKA_SIGN = true
    }
    attributes(*,CKO_PRIVATE_KEY,CKK_DH) = {
      CKA_SIGN = null
    }
    attributes(*,CKO_PRIVATE_KEY,CKK_RSA) = {
      CKA_DECRYPT = true
    }

    Hi all,
    Now I manage to use the same keypair for both encrypt/decrypt with SunPKCS#11. Below is my code, which works well. In my code I hard-coded the alias name of the certificate; does anyone know how to read the alias name of the certificate from the iKey 2032 token?
    import java.io.*;
    import java.security.*;
    import java.security.cert.CertificateException;
    import javax.crypto.*;

    /** A class of Encrypt. */
    public class Encrypt {
        public Encrypt(){}

        public void loginToken() {
            // MQConfig and General are the poster's own helper classes; they are not shown on the page.
            Provider p = new sun.security.pkcs11.SunPKCS11(MQConfig.getvalue("SecurityPropertyPath"));
            String myAlias = "349eefd1-845b-4ba4-9f88-06e9f5cb82f6";
            /* to view alias name:
               keytool -list -v -keystore NONE -storetype PKCS11 -storepass PASSWORD */
            Security.addProvider(p);
            KeyStore ks = null;
            PrivateKey privKey = null;
            PublicKey pubKey = null;
            try{
                String password = General.ReadFiles(MQConfig.getvalue("logFilePath"),"Simple");
                password = password.trim();
                char pin[] = password.toCharArray();
                ks = KeyStore.getInstance("pkcs11");
                ks.load(null,pin);
                // The key pair persisted on the token is used, so encrypt and decrypt share one key.
                java.security.cert.Certificate cert = ks.getCertificate(myAlias);
                Key key = ks.getKey(myAlias, pin);
                if(key != null) {
                    System.out.println("key class: " + key.getClass().getName()); // -> sun.security.pkcs11.P11Key$P11PrivateKey
                    System.out.println("key bytes: " + key.getEncoded()); // -> null: the private key is unextractable and never leaves the token
                }
                if(PrivateKey.class.isInstance(key)) {
                    privKey = (PrivateKey)key;
                    System.out.println("algo: " + privKey.getAlgorithm()); // -> RSA
                    //Signature rsasig = Signature.getInstance("SHA1withRSA");
                    //rsasig.initSign(privKey);
                    //rsasig.update(data.getBytes());
                    //byte[] sigBytes = rsasig.sign();
                    pubKey = cert.getPublicKey();
                    //System.out.println("signed bytes: " +sigBytes);
                    //return sigBytes;
                }
                // The per-run key generation from the first version is no longer needed:
                //KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA",p);
                //kpg.initialize(1024, new java.security.SecureRandom());
                //KeyPair kp = kpg.generateKeyPair();
                FileInputStream in = new FileInputStream("C:\\ReportDBBE.properties");
                FileOutputStream out = new FileOutputStream("C:\\ReportDBAE.properties");
                Cipher cp=Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
                //cp.init(Cipher.ENCRYPT_MODE,kp.getPublic());
                cp.init(Cipher.ENCRYPT_MODE,pubKey);
                CipherOutputStream cout=new CipherOutputStream(out,cp);
                byte[] input=new byte[8];
                int byteread=in.read(input);
                while(byteread!=-1){
                    cout.write(input,0,byteread);
                    byteread=in.read(input);
                }
                cout.flush();
                in.close();
                cout.close();
            }
            catch(NoSuchAlgorithmException nsae) {
                System.out.println("No Such Algorithm Exception " + nsae.getMessage());
            }
            catch(NoSuchPaddingException nspe) {
                System.out.println("No Such Padding Exception " + nspe.getMessage());
            }
            catch(InvalidKeyException ike) {
                System.out.println("Invalid Key Exception " + ike.getMessage());
                ike.printStackTrace();
            }
            catch(IllegalStateException ise) {
                System.out.println("Illegal State Exception " + ise.getMessage());
            }
            catch(KeyStoreException kse) {
                System.out.println("Key Store Exception " + kse.getMessage());
            }
            catch(CertificateException ce) {
                System.out.println("Certificate Exception " + ce.getMessage());
            }
            catch(IOException ioe) {
                System.out.println("IO Exception " + ioe.getMessage());
            }
            catch(UnrecoverableKeyException unrke) {
                System.out.println("Unrecoverable Key Exception " + unrke.getMessage());
            }
        }

        public static void main (String args[]) throws Exception {
            try{
                Encrypt tl = new Encrypt();
                tl.loginToken();
            }catch(Exception e){
                e.printStackTrace();
            }
        }
    }
    Your help is very much appreciated!!!!
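    The two open points in this thread are reading the alias from the token instead of hard-coding it, and using one key pair for both directions. The following is an added example, not the poster's code and not part of the JDK samples: it walks the PKCS#11 keystore with KeyStore.aliases() and takes the first entry that has both a private key and a certificate, then encrypts with a hybrid envelope (a random AES key protected by the token's RSA key, the file body under AES-CBC), because RSA/PKCS1 with a 1024-bit key can only encrypt about 117 bytes at a time. The command-line form (config path, PIN) and the file layout of the envelope are assumptions of this example; with no arguments it falls back to a software-generated RSA key pair so the envelope logic can be run without a token. The decrypt side calls doFinal() directly rather than going through CipherInputStream, so a key mismatch surfaces as BadPaddingException instead of an empty file.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.*;
import java.util.Arrays;
import java.util.Enumeration;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Added example: find the token's key alias at run time and use that one key pair
 *  for both encrypt and decrypt, wrapping an AES file key in RSA. */
public class TokenCrypto {
    private static final String RSA = "RSA/ECB/PKCS1Padding";
    private static final String AES = "AES/CBC/PKCS5Padding";

    /** First alias that holds a private key together with a certificate, or null if none. */
    public static String findPrivateKeyAlias(KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias) && ks.getCertificate(alias) != null) {
                return alias;
            }
        }
        return null;
    }

    /** Envelope layout (assumed by this example): [4-byte length][RSA(AES key)][16-byte IV][AES-CBC body]. */
    public static byte[] encrypt(Provider p, PublicKey pub, byte[] plaintext)
            throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        // RSA goes to the token provider when one is given; the 16-byte key is far below the PKCS1 limit
        Cipher rsa = p == null ? Cipher.getInstance(RSA) : Cipher.getInstance(RSA, p);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        byte[] wrappedKey = rsa.doFinal(aesKey.getEncoded());
        Cipher aes = Cipher.getInstance(AES);                // AES runs in software, not on the token
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new IvParameterSpec(iv));
        byte[] body = aes.doFinal(plaintext);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(ByteBuffer.allocate(4).putInt(wrappedKey.length).array());
        out.write(wrappedKey);
        out.write(iv);
        out.write(body);
        return out.toByteArray();
    }

    public static byte[] decrypt(Provider p, PrivateKey priv, byte[] envelope)
            throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(envelope);
        byte[] wrappedKey = new byte[buf.getInt()];
        buf.get(wrappedKey);
        byte[] iv = new byte[16];
        buf.get(iv);
        byte[] body = new byte[buf.remaining()];
        buf.get(body);
        Cipher rsa = p == null ? Cipher.getInstance(RSA) : Cipher.getInstance(RSA, p);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        // doFinal() throws BadPaddingException if this is not the key that wrapped the AES key;
        // CipherInputStream on old JDKs swallowed that and returned no data at all.
        SecretKey aesKey = new SecretKeySpec(rsa.doFinal(wrappedKey), "AES");
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.DECRYPT_MODE, aesKey, new IvParameterSpec(iv));
        return aes.doFinal(body);
    }

    /** Usage: java TokenCrypto <sunpkcs11.cfg> <PIN>; with no arguments a software key pair is used. */
    public static void main(String[] args) throws Exception {
        byte[] message = new byte[1000];           // constructed sample, larger than one RSA block
        new SecureRandom().nextBytes(message);
        Provider p = null;
        PublicKey pub;
        PrivateKey priv;
        if (args.length == 2) {
            // JDK 5-8 constructor, as in the thread; JDK 9+ uses Security.getProvider("SunPKCS11").configure(path)
            p = new sun.security.pkcs11.SunPKCS11(args[0]);
            Security.addProvider(p);
            char[] pin = args[1].toCharArray();
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);
            String alias = findPrivateKeyAlias(ks);
            if (alias == null) throw new IllegalStateException("token holds no usable private key");
            System.out.println("using token alias: " + alias);
            priv = (PrivateKey) ks.getKey(alias, pin);   // unextractable handle; decrypt happens on the token
            pub = ks.getCertificate(alias).getPublicKey();
        } else {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            KeyPair kp = kpg.generateKeyPair();
            pub = kp.getPublic();
            priv = kp.getPrivate();
        }
        byte[] envelope = encrypt(p, pub, message);
        System.out.println("round trip ok: " + Arrays.equals(message, decrypt(p, priv, envelope)));
    }
}
```

    Because the private key handle returned by ks.getKey() is unextractable, getEncoded() stays null exactly as in the post above; the RSA decrypt is performed inside the token, and only the unwrapped 16-byte AES key ever reaches the JVM.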

  • Is it possible to use single ssl certificate for multiple server farm with different FQDN?

    Hi
    We generated the CSR request for a VeriSign Secure Site Pro certificate
    SSL Certificate for cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the VeriSign certificate and configured ACE-20 accordingly for ssl-proxy, and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we are trying to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service but we are getting this message in the certificate status: "you are connected to abc.com which is run by unknown"
    And the same message when trying to access https://www.abc.com from Google Chrome.
    "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
    So I know that as this certificate is for cn=abc.com, that is why we are getting such errors/status in the SSL certificate.
    Now my question is
    1. Is it possible to remove the above errors by doing some SSL configuration on ACE?
    2. OR do we have to go for a VeriSign Wildcard Secure Site Pro Certificate for a CSR generated using cn=abc.com, to be installed on ACE and used for all servers like www.abc.com, a.abc.com etc.
    Thanks
    Waliullah

    If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't because your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.
    Hope this helps,
    Sean
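    The browser errors quoted above come from the host-name check every TLS client applies to the server certificate, and the wildcard answer has one caveat worth seeing concretely: *.abc.com matches www.abc.com and a.abc.com but not the bare abc.com, and not a deeper name like x.y.abc.com. The following is an added example, not code from the thread or from any browser or from ACE: a small Java implementation of the RFC 6125 matching rule (wildcard honoured only as the complete left-most label), run over the names from the question and over three hypothetical certificates (bare domain only, wildcard only, both names in the SAN list). The host names and certificate contents are constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Added example: the host-name match a TLS client performs on a server certificate. */
public class CertHostnameCheck {

    /** Match one requested host name against one certificate name (CN or DNS SAN).
     *  A wildcard is honoured only as the whole left-most label, as in RFC 6125. */
    public static boolean matches(String certName, String host) {
        String c = certName.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return c.equals(h);                           // plain name: exact match only
        }
        String suffix = c.substring(1);                   // "*.abc.com" -> ".abc.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String leftLabel = h.substring(0, h.length() - suffix.length());
        // the wildcard must stand for exactly one non-empty label
        return leftLabel.length() > 0 && leftLabel.indexOf('.') < 0;
    }

    /** True if any name the certificate carries matches the host the client asked for. */
    public static boolean certificateCovers(List<String> certNames, String host) {
        for (String name : certNames) {
            if (matches(name, host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // constructed certificate name lists (hypothetical; not the thread's real certificate)
        List<String> plainCert = Arrays.asList("abc.com");             // what the thread's CSR produced
        List<String> wildcardCert = Arrays.asList("*.abc.com");        // the suggested wildcard
        List<String> bothCert = Arrays.asList("abc.com", "*.abc.com"); // wildcard plus bare domain as SAN
        String[] hosts = {"abc.com", "www.abc.com", "a.abc.com", "x.y.abc.com", "abc.com.evil.example"};
        for (String host : hosts) {
            System.out.printf("%-22s plain=%-5b wildcard=%-5b both=%b%n", host,
                    certificateCovers(plainCert, host),
                    certificateCovers(wildcardCert, host),
                    certificateCovers(bothCert, host));
        }
    }
}
```

    Running it shows that the plain abc.com certificate covers only abc.com, the wildcard covers www.abc.com and a.abc.com but neither abc.com nor x.y.abc.com, and only the certificate carrying both names covers the bare domain and its first-level hosts together; abc.com.evil.example matches nothing, which is the point of restricting the wildcard to a single label.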

  • Multiple WL instances on same machine with multiple clusters

    Hi,
    I am wondering if it is possible to run two separate instances of WL on a single machine, with each instance belonging to a separate cluster? The machines are not multi-homed, so each instance must listen on a separate port.
    Our current architecture looks like this:
    4 web servers running NSAPI WL plug-in
    3 app. server boxes running WL 5.1 SP2
    I would like to start multiple instances of WL on each app. server to better utilize the hardware, and would like each instance to be part of a separate cluster.
    My questions are:
    1. Do I have to have a separate multicast address for each cluster, or can I use the same address since the clusters are on different ports?
    2. In the NSAPI plug-in, you simply specify a list of all the servers for a cluster. Are there any issues with having the machine/port names in this list belonging to different clusters?
    Thanks,
    Bob

    Comments inline.
    Cheers - Wei
    www4.weblogic.com <[email protected]> wrote in message
    news:[email protected]...
    > Hi,
    >
    > I am wondering if it is possible to run two separate instances of WL on a
    > single machine, with each instance belonging to a separate cluster? The
    > machines are not multi-homed, so each instance must listen on a separate
    > port.
    Yes, you can. FYI, in addition, each cluster uses a different multicast
    address.
    >
    > Our current architecture looks like this:
    >
    > 4 web servers running NSAPI WL plug-in
    > 3 app. server boxes running WL 5.1 SP2
    >
    > I would like to start multiple instances of WL on each app. server to
    > better utilize the hardware, and would like each instance to be part of a
    > separate cluster.
    >
    > My questions are:
    >
    > 1. Do I have to have a separate multicast address for each cluster, or
    > can I use the same address since the clusters are on different ports?
    Different multicast addresses.
    >
    > 2. In the NSAPI plug-in, you simply specify a list of all the servers for
    > a cluster. Are there any issues with having the machine/port names in this
    > list belonging to different clusters?
    In-memory replication will not work.
    >
    > Thanks,
    > Bob
