Secure Environment - SSL

Hi
We recently moved an app from a development environment to a production environment using SSL. When we navigate from one screen to another ( on nearly every screen ) we get the message about leaving and then entering a secure environment. However, all is within the same application so we should not be leaving and re-entering. The production application is accessed through a web server which just proxies through requests.
Any help is appreciated

Not using hardcoded links, the problem was being caused by a popup window that
tells you the application is loading data. We removed this and the issue went
away.
thanks for the response
"Kai" <[email protected]> wrote:
>
Are you using hardcoded links starting with http://?
kai
lanoc <[email protected]> wrote:
Hi
We recently moved an app from a development environment to a production
environment using SSL. When we navigate from one screen to another
( on nearly every screen ) we get the message about leaving and then
entering a secure environment. However, all is within the same application
so we should not be leaving and re-entering. The production application
is accessed through a web server which just proxies through requests.
Any help is appreciated
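
Kai's question about hardcoded http:// links can be checked mechanically against the rendered markup of each screen. The following Python script is an added example, not code from this thread; the page URL, the sample markup and the name find_insecure_refs are constructed for illustration. It resolves every reference the way a browser would and reports the ones that end up on plain http, separating resources fetched while the page loads from links and forms that leave HTTPS when followed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches while rendering the page.
SUBRESOURCE = {("script", "src"), ("img", "src"), ("iframe", "src"),
               ("frame", "src"), ("embed", "src"), ("object", "data"),
               ("link", "href")}
# (tag, attribute) pairs that only matter when the user clicks or submits.
NAVIGATION = {("a", "href"), ("form", "action")}


class _RefCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # URL that relative references resolve against
        self.findings = []        # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        # A <base href> changes how all later relative URLs resolve.
        if tag == "base":
            href = dict(attrs).get("href")
            if href:
                self.base = urljoin(self.base, href.strip())
            return
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in SUBRESOURCE:
                kind = "subresource"
            elif (tag, name) in NAVIGATION:
                kind = "navigation"
            else:
                continue
            # Relative and protocol-relative ("//host/x") references inherit
            # the scheme of the page, so only explicit http:// ones remain.
            resolved = urljoin(self.base, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))


def find_insecure_refs(html, page_url):
    """Return references in `html` that resolve to plain http."""
    collector = _RefCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.findings


# Constructed sample: a screen of an application served over HTTPS.
SAMPLE_PAGE_URL = "https://app.example.test/orders/list.jsp"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://app.example.test/js/loading.js"></script>
</head><body>
<img src="//static.example.test/logo.png">
<iframe src="http://app.example.test/loading.html"></iframe>
<a href="http://app.example.test/orders/detail.jsp?id=7">detail</a>
<a href="detail.jsp?id=8">detail</a>
<form action="http://app.example.test/orders/save" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_insecure_refs(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:11} <{tag}> {url}")
```

Run it against the HTML as the browser receives it through the proxy, since that is the markup that decides which warning appears.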

Similar Messages

  • Securing file download with standard web security and ssl

    Hi,
    I want to put some files for download in my webapp. At the same time, I want to protect these files using standard servlet security and ssl. So I added <security-constraint> in my web.xml and configured tomcat to allow SSL connection. Now I got the files protected as I expected. When I try to access the file directly from browser, tomcat shows me the login page. However, after correct login, I.E. pops up an error saying something like "Internet Explorer cannot download XXX from XXX. The file could not be written to the cache.". The log file showed the following exception:
    javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1154)
         at com.sun.net.ssl.internal.ssl.AppInputStream.available(AppInputStream.java:40)
         at org.apache.tomcat.util.net.TcpConnection.shutdownInput(TcpConnection.java:90)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:752)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
         at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset by peer: socket write error
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1407)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:64)
         at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:747)
         at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:403)
         at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:400)
         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:961)
         at org.apache.coyote.Response.action(Response.java:182)
         at org.apache.coyote.Response.finish(Response.java:304)
         at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:281)
         at org.apache.catalina.connector.Response.finishResponse(Response.java:473)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:738)
         ... 4 more
    Caused by: java.net.SocketException: Connection reset by peer: socket write error
         at java.net.SocketOutputStream.socketWrite0(Native Method)
         at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
         at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
         at com.sun.net.ssl.internal.ssl.OutputRecord.writeBuffer(OutputRecord.java:283)
         at com.sun.net.ssl.internal.ssl.OutputRecord.write(OutputRecord.java:272)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:663)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         ... 15 more
    I've tried separating concerns, for example protect files but not require SSL, and enable SSL but do not protect files. Both work respectively but not together. I also tried using a download4j's DownloadServlet. Still doesn't work.
    Have any of you encountered the same situation? If so, could you enlighten me what I did wrong? It may be just a simple SSL configuration or something. Thanks in advance!
    Jack

    My environment setup is:
    JDK 1.5.01
    Tomcat 5.5.7
    For downloading files, I just use plain old <a href> method. I simply right-click the link and choose "save target as...".
    Thanks,
    Jack

  • How can I Remove Firefox Hello in a high-security environment?

    Hi,
    After a recent Firefox update in a test environment for a high-security environment (I'm not at liberty to disclose the nature of this environment, sorry. Let's just say we have to disable Firefox from contacting Mozilla's servers and further disable Google's "Safe Browsing" due to possibility of inadvertent unauthorized disclosure) We have noticed a feature: "Firefox Hello", this feature causes Firefox to violate strict policy as it transforms it from being classified as strictly a "Web Browser" (which is permitted) to a "Chat Application", all of which are completely banned. Simply disabling Hello is not a sufficient option as Firefox still contains the code to run Hello, which still constitutes it a "Chat Application" as per policy. We have the capability to edit out unauthorized code from open source software internally, but we don't know where to start to remove this code from the Firefox codebase as Hello seems pretty well integrated.
    Currently I only have two options, both of which do not please me as for me personally, (I really like Firefox and have fought to include it in any environment I can):
    1. Discontinue permanent use of Firefox.
    2. Discontinue updating Firefox permanently or until Hello is removed as a non-modular element. This is unacceptable as it'd mean we can't keep it secure, which causes us to fall back to (1).
    I would graciously like any third option. Internet Explorer seems to be the only browser that provides sufficient enterprise-level control without extraneous features at the moment with the addition of Hello to Firefox. We have banned Chrome from our environment due to how tightly bound it is with Google's "Cloud" services and hope that Firefox isn't becoming a "Cloud" browser for Mozilla, Sync has already placed Firefox under the microscope as it is.
    Thank you.

    We have WebRTC traffic blocked (We have a setup that audits SSL traffic before it leaves or enters the network).
    Our primary issue with Hello is that policy classifies the actual code used to run it as being very much like an Easter Egg, code that was inserted that goes beyond the spec of being a web browser and thus difficult to audit. It's easy to block services in general, but when a single unauthorized service becomes a core feature and has code strapped to the browser, that throws up red flags that Mozilla is moving Firefox away from being an organization-manageable browser and more toward an exclusively Mozilla-managed "Cloud" browser, where there is a possibility that Mozilla will seek more control over user experience that will increase attack surface.
    It's reasons like this we decline to install Chrome into our environment, because Google has several services built-in to the core of their browser and does not leverage their extensions capabilities, but rather mandates that these features "must be installed" and that users can only toggle them off.
    It's easy to uninstall an extension or to recompile with a flag, but it's hard when a vendor makes decisions for you and tells you "This is good for you, you must embrace it" irrespective of policy of organizations or even individual users' wishes.
    Thank you all for this information, it will help our future audits and help determine if Firefox is right for our needs.
    Unfortunately I can't mark this thread as "Solved" since the root issue is still not solved (Mozilla's development practices making something that should be an extension, a core aspect of the browser), so marking it solved would be a lie. But thank you both nonetheless.

  • How to open -pdf in a secure environment

    Opening PDF files from a secured account on Internet (e.g. telephone billing info) does not work. in Safe as the file is shown as _pdf (underscore instead of dot).  We suspect this problem started after installing CS6, but are not sure. Win 7, IE 9, Reader XI

    PDF on a regular website can be opened and downloaded. However, PDF on a secure website (https) looks normal with normal icon but double click gives screen for open / save / save as. ‘Open’ gives no result, no error message either. ‘Save’ or ‘save as’ shows screen with filename ending on _pdf, which cannot be opened or saved, no error messages either. Changing the filename into .pdf gives the same reaction: nothing happens, no error messages.
    The same files can be opened on a different PC win7, IE9, Reader XI and similar software, but without CS6.
    From: Pat Willener [email protected]
    Sent: 3 November 2012 5:19
    To: EllyHo
    Subject: how to open -pdf in a secure environment

  • Enterprise Manager in secure environment with no internet access

    I have Oracle 11g installed in a secure isolated environment, which means there is limited access to the servers, and definitely no internet access from that environment.
    I am looking to configure Enterprise Manager / Database control.
    I can successfully start up the application server on my database server, and connect to this from a web browser within my secure environment.
    However when I try to display the Performance tab, nothing is displayed.
    I understand this screen uses an ActiveX component.
    Is the use of the ActiveX component going to have problems because my servers have no direct internet access, or should this not make any difference?
    Thanks
    Paul Graves

    No this is not going to make any difference.
    You don't need any internet connection at all for working with OEM GC.
    Maybe, if you want to configure the Patch Setup to receive Patch Advisories from My Oracle Support, but even then you can do without a connection from your server(s) to the internet.
    Assuming that you are using OEM GC 10.2.0.5, you will also be needing the installation of Flash Player and Adobe SVG Plugin, both to be installed in your browser.
    Kind regards
    Rob
    For more information on working with OEM GC, you might want to check http://oemgc.wordpress.com

  • Saving Opened attachments in a secure environment (no local drive access)

    We are evaluating Windows 7 and Office 2010 in a secure environment and have a strange issue when saving opened Office attachments from Outlook 2010.
    If an Office (Word, Excel or Powerpoint) file is opened from a received email within Outlook 2010 and a user then attempts to save, they are presented with a restriction error message as below:
    This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
    Upon clicking OK, they are then presented with a Save As dialogue box in the correct location (i.e. their redirected Home Drive location on a network share).
    We block any access to the C:\ drive (or any local drives other than the optical drive) and the users have a roaming non-cached profile.
    The OutlookSecureTempFolder value in the registry is C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\RANDOMSTRING\
    I tried altering this to a network location which I knew the user would have write access over, but Outlook just overwrote my custom value with a new one of its own.
    I ran ProcMon and determined that the machine is getting ACCESS_DENIED when trying to create files in that location.
    Any ideas?

    I've the same problem too.
    To have more than one approved location displayed, you have to enable this policy too:
    Places Bar Locations
    the office 2010 GPO.
    Specify the same locations you have approved in the other GPO:
    click User Configuration, click Administrative Templates, click Microsoft Office 2010, double-click File Open/Save dialog box, and then click Places Bar Locations.
    Problem solved for me.
    Thanks to all of you. I've spent a lot of time on this problem.

  • Servlet security with SSL

    Hello All,
    I am fairly new to Java and Tomcat etc as I came from a non Java\Tomcat previous role but have inherited a project which is a Java servlet (Java 1.6.0.29) running on Windows with Tomcat (Tomcat 7) as the container. The servlet communicates with both an Oracle database on a Unix server and a SQL server database on a Windows server. I now require to secure the communication with the SQL Server database using SSL (Two way communication) and would really like some straight forward guidance on how to do this, i.e. what exactly do I do?
    I ask this because there is a lot of information on the Tomcat website and other web sites but I find it becomes very ambiguous and confusing. They mostly talk about setting up a Keystore for the root certificate on the server and then say nothing about the "client". In my servlet's situation the server hosting the SQL server is the "server" and the server hosting the servlet is the "client". The server hosting the servlet ("the client") already has a keystore set up on it to handle the encryption to the Oracle database and an entry to suit in the Tomcat server.xml file.
    Any assistance would be greatly appreciated. I am really stuck with this
    Thank you in advance
    Alanjo

    On 01/14/2014 06:11 AM, Alan Farroll wrote:
    > Hi all,
    >
    > I could not find a more appropriate forum in Eclipse for this question
    > so have placed it in newcomers as I am still quite new to Java\Eclipse
    >
    > We are working on a Java servlet application that involves security with
    > SSL to allow the servlet to run from a server outside our firewall and
    > interrogate databases inside our firewall. It runs on Tomcat 7 and built
    > on Java 1.6.0.29
    >
    > We have had no problems running the servlet on the Test server within
    > the firewall but when running on the Live server outside the firewall
    > the SoapUI request returns nothing and the current Tomcat log error is
    > "java.lang.RuntimeException: Could not generate dummy secret"
    >
    > The problems seem to be with the jce.jar and the sunJCE_provider.jar.
    >
    > Has anybody any assistance they could provide please.
    >
    > Thanks in advance
    >
    > AJF
    The live server doesn't have access to the right JARs? Maybe this will help?
    http://www.javahotchocolate.com/notes/jce-policy.html

  • How do I make a "security environment"?

    I need to do something I don't even know if it is possible..
    We have a code that handle crypted data, and we have another software that is open source and need to manipulate this data, both are desktop stand alone softwares.
    I'm wondering, is there a way to create a "secure environment" to use the open source software as a plugin, restricting this software's access to the external world (I don't want it to externalize my decrypted data)?
    Any help would be appreciated.

    You can install a home grown SecurityManager in your main application. Whatever security policy you define for that SecurityManager will apply to plugins and libraries. You can forbid socket access, file access, system properties etc etc.
    You have a steep learning curve. A starting point is http://java.sun.com/docs/books/tutorial/security/tour2/step2.html.

  • Usage of Security.setProperty("ssl.SocketFactory.provider",myCustomSock...)

    While using java mail API, to establish a secure connection with the target server, we use a property object to set any custom socket factory like the following:
    props.setProperty( "mail."+ protocol + ".socketFactory.class", "com.realops.adapter.mail.ssl.CustomSSLSocketFactory")
    We also set our custom socket factory in the security api like:
    Security.setProperty( "ssl.SocketFactory.provider", "com.realops.adapter.mail.ssl.CustomSSLSocketFactory");
    Just wanted to know the difference b/w these two lines.
    We pass the properties object while creating a javamail session. So it will pick the custom socket factory from the properties object, in this case do we still need to set the custom socket factory in the Security API?
    Thanks.

    Thanks for the answer.
    Can you please also tell me how Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider()) is functionally different from Security.setProperty( "ssl.SocketFactory.provider",...).
    Do we always need to 'add' the provider if we are using the Sun's default socket factory or can we simple use local properties object for setting the sun's default socket factory also (assuming it is to be used by java mail only)?
    Should I post a separate thread for this?
    Much Thanks.

  • How do I sign an Adobe document with a secure environment?

    How do I sign an Adobe document with a secure environment?

    If this is related to Adobe Fill & Sign (since you did submit this feedback through the Feedback form) this is an FAQ on security: https://www.acrobat.com/en_us/security.html
    I am not sure if that really is what you wanted, if that doesn't answer please provide more details.
    Thanks,
    Josh
    PS - You might want to look at Electronic Signature Software, Digital Signatures | Adobe EchoSign to see if that fits your needs
    Also Electronic signatures, e-signatures | Adobe Acrobat XI

  • Does anyone know whether iTunesU can be used in a secure environment for corporate training? Looking at previous posts it does not seem like it?

    Does anyone know whether iTunesU can be used in a secure environment for corporate training? Looking at previous posts it does not seem like it?

    Sorry, but iTunes U is only available to K-12 public school districts, private schools and two- and four-year accredited, degree-granting, public or private colleges and universities. It's not available for corporations.
    Regards.

  • SP3 - Secure portal SSL performance improvements ?

    Portal Gurus,
    One of the major enhancements I was looking for in SP3 was an improvement in
    the SSL gateway performance. However testing I've done so far only shows a
    30% improvement in Requests/second and in open mode SP3 actually seems a
    little slower than SP2. I realize there are environment and specific
    workload factors at work, but under near identical conditions comparing SP2
    to SP3 secure mode, the performance increase wasn't what I had hoped for.
    I followed the tuning instructions in the SP3 release notes and noticed a
    small improvement, ~5%, and was wondering what other people are seeing.
    Given the numbers I'm seeing I have to wonder if using SSL is really viable
    for a busy portal site.
    Anyone seeing a big improvement in SSL performance with SP3 ?
    Cheers,

    I would recommend applying sp3a. The ssl have changed only in sp3a, this should give you much better and faster performance.
    Else, these tuning parameters should help the performance. Goto Admin Console | Gateway Management | Manage Gateway Profile | select "Show Advanced Options" in the bottom of the page and change the following...
    1) Increase the value of "Maximum Thread Pool Size". The default is 200, and it can be increased to 800.
    2) Also increase the Gateway Timeout. The default is 120000. This can be increased to 125000. Then click Submit
    3) Finally on the Gateway server, modify the /opt/SUNWips/bin/ipsgateway script. Find the line that defines the CMD environment variable and change the '-mx128m' parameter to '-mx256m'.

  • Cannot send email via Hotmail through port 587 with Secure Connection (SSL) set

    Something is blocking my attempts to send email (with Outlook Express) via my hotmail.com account. The error I receive is as follows:
    Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'Hotmail', Server: 'smtp.live.com', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F
    When Hotmail.com first changed over to a POP3 server (Sept 2009), I could send emails through them using port 587, which they require. But then something happened, with no changes on my part, to disable my ability to send.
    I have checked and rechecked my Outlook Express account settings. I can send email through another third-party mail account (at 1&1 Internet.com) using port 587, which does not require setting SSL to yes. I can also ping the Hotmail SMTP server via port 587 and receive a response from it.
    I connect to Verizon DSL via a Westell 327W modem/router. Clearly it is not blocking port 587 without SSL. Does it have the capability to block SSL traffic? Or is the Verizon server the culprit, not allowing emails to be sent via Hotmail.com?
    Two different computers on my LAN have the same problem sending emails via Hotmail.com. I have tried everything the Hotmail people have suggested; at this point they think it is an ISP problem, hence this post. This problem doesn't make sense to me and is driving me crazy. Can anyone help me with this?
    Thanks.

    You can still have your reply address set to your hotmail address. And you don't have to really remember to do anything. Configure your client for the HOTMAIL account with Verizon's outgoing server. It will automatically send via Verizon. You don't reveal your verizon.net address, you are just using their server to transmit.

  • Security Issues: SSL on SOAP Adapter and Digital Signature in BPM

    Hi there,
    we're developing a R/3-XI-3rd Party Application scenario, where the XI/3rd Party communication is based on a webservice (SOAP adapter with SSL). Also, the messages in the XI/3rd Party communication must be digitally signed. I've got some questions on both subjects.
    1. About the SSL. I've started to investigate what will be necessary to enable the HTTPS option under SOAP Adapter (it's not enabled now). If I'm not correct, all I need to do is:
    - check whether the SAP Java Crypto Lib is installed in the Web AS;
    - generate the certificate request in the Visual Administrator and, after acquiring the certificate, store it with the KeyStorage option.
    Is that right?
    I'm considering that I won't need to use SSL in the ABAP Web AS, only the J2EE Java Engine (since the SOAP Adapter is based on J2EE).
    2. About the digital signature. As a first solution, we had decided on accessing a webservice based on another machine running a signature application. We'd send the unsigned XML and receive a signed XML. But since that needed to be done into the BPM, I thought that using a piece of Java code in a mapping would suit it better.
    But to be able to use the hashing/encrypting/encoding algorithms, which library needs to be installed? Is it the same SAP Java Crypto Lib that was installed for the SSL enabling?
    Thanks in advance!

    Hello Henrique,
    1. You're right. For detailed instructions please have a look at the online help: http://help.sap.com/nw04 - Security - Network and Transport Layer Security - Transport Layer Security on the SAP J2EE Engine
    2. The SOAP adapter supports security profiles. Please have a look at the online docu http://help.sap.com/nw04 - Process Integration - SAP Exchange Infrastructure - Runtime - Connectivity - Adapters - SOAP Adapter - Configuring the Sender SOAP adapter and from the link under Security Parameters to the Sender Agreement. You'll find some additional information in the following document: http://service.sap.com/~sapdownload/011000358700002767992005E/HowToMLSXI30_02_final.pdf
    Rgds.,
    Andreas

  • Application architecture in secure environment

    Hello,
    I am currently designing an enterprise application that will use a DBMS back-end. My environment has the DBMS and Web (Tomcat) servers sitting inside a very strict firewall, allowing only port 80 access. I need to know what is the best architecture to use for my application, given the several tiers and the firewall.
    Should I use a 3-tier, with the DBMS being 1 tier, the business logic in a servlet, helping circumvent the firewall, and the UI in an applet and/or HTML/JSP page?
    Thanks,
    haighaig

    You first have to have a look at the security policies so you can see what restrictions your company has. These policies and the requirements of the business case reflect the architecture you design. From a tech point of view, you can have from 1 to a lot of tiers...
    If you are using a DBMS, Tomcat and Apache and your only restriction is the port 80. So you integrate Tomcat into Apache and Apache then forwards the requests to Tomcat what is kept within the server. It is again a question of your policies and business requirements (performance, scalability, availability etc) how your DB-server looks like and where you place it. While using JSP and servlets, you can talk to any DB-server reachable by the network.
    The use of applets has to be discussed as well and depends on your target audience, because some companies drop applets with the firewall and these people can in this case not profit from your web-application.
