Securing the IIOP Listener/Handler with SSL

Similar Messages

• Why did Apple decide there was no need to put a way of securing the new 15"retina with a computer lock?

  why is there no way to secure the new MBP15" retina display with a computer lock?

  maximutt wrote:
  why is there no way to secure the new MBP15" retina display with a computer lock?
  Because it's easy to cut through, so it's worthless.
  This joker here used a too small  of a wire cutter, there is a longer pair of wire cutters that could have cut the wire in seconds with more torque.
  https://www.youtube.com/watch?v=88LVofiBl5A
  Also likely what's been happening is people forget and walk off with the cable attached, thus placing great strain on the case when their tether runs out.

• In Formscentral: is the form SECURE with SSL even if my existing website does not have SSL?

  I plan to embed my new form with html into my existing website. My website does not have SSL. I would like my new form to be SSL secure (will have credit card numbers.) Will the upgraded plan provide this security?

  When a form is embedded the submission is protected with SSL. You shouldn't collect credit card information using FormsCentral because the service is not PCI compliant. You should instead use our new integration with PayPal - it supports credit cards and paypal account payments. The credit card info is processed by paypal and they are PCI compliant.
  Here is a tutorial on the new payments features: http://forums.adobe.com/docs/DOC-1632

• Data Transfer Port ranges in FTPS with SSL in File Adapter

  Hi,
  I would appreciate if you could give me pointers reagrding the below issue.
  We are on XI 3.0.
  For one interface, I have to configure the FTP File adapter to pick up the files from external server.
  The connection is secure and should be FTPS with SSL.
  I have the certificate from the 3rd party and have it installed on our XI development server.
  The change has been made in our firewall to allow the connection to the host IP and port 21 which is configured at the target party as Explicit FTPS port and they have allowed access to our Server IP in their firewall.
  I have configured other FTPS connections and they worked fine but this is the only one that has been giving me so much trouble.
  The error i get today is:
  Error occurred while connecting to the FTP server "60.234.48.106:21": java.net.SocketException: Connection reset
  Yesterday, i got the below error:
  Error occurred while connecting to the FTP server "60.234.48.106:21": iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
  The Vendor has suggested to get the firewall ports 21 and 28000:30000 (data transfer) to be opened.
  He has also provided with the certificate passphrase additionally to the user name and password needed to make the connection.
  When i tried the connection from the XI development to the vendor server, via the Telnet, it looked like it worked.
  Please advice.
  Regards,
  Archana

  >
  Archana Singhai wrote:
  > Hi,
  > I would appreciate if you could give me pointers reagrding the below issue.
  > We are on XI 3.0.
  > For one interface, I have to configure the FTP File adapter to pick up the files from external server.
  > The connection is secure and should be FTPS with SSL.
  > I have the certificate from the 3rd party and have it installed on our XI development server.
  > The change has been made in our firewall to allow the connection to the host IP and port 21 which is configured at the target party as Explicit FTPS port and they have allowed access to our Server IP in their firewall.
  > I have configured other FTPS connections and they worked fine but this is the only one that has been giving me so much trouble.
  > The error i get today is:
  > Error occurred while connecting to the FTP server "60.234.48.106:21": java.net.SocketException: Connection reset
  > Yesterday, i got the below error:
  > Error occurred while connecting to the FTP server "60.234.48.106:21": iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier
  > The Vendor has suggested to get the firewall ports 21 and 28000:30000 (data transfer) to be opened.
  > He has also provided with the certificate passphrase additionally to the user name and password needed to make the connection.
  > When i tried the connection from the XI development to the vendor server, via the Telnet, it looked like it worked.
  > Please advice.
  > Regards,
  > Archana
  1. Open the port ranges. FTPS usually requires you to open ports in the range of 65024 through 65535 for Passive FTP data
  connections
  2. Use the CA name in the certificate. it should be same as of the host name of the FTPS server

• Request management service issue with SSL Sites

  Hi guys,
  I've configured up the request management service, but after start the service on our wfe servers (even before to configure specific web applications),  our ssl sites begin to fail and the event viewer start to alert several errors, by the other hand,
  sites over 80 port with no SSL works as expected.
  I've found some similiar scenarios without a happy ending. Below you can find some of the main errors in event viewer and ULS Logs. In
  this post  solved a very similar issue using ssl host headers with a unique ip but we are using fqdn certificates so it is not an option for us.
  I've already checked the
  good posts from Spencer Harbar and He says that is good idea to use host named site collection, but this is not an option for me because we need to use Self Service Creation and mixed authetnication, besides, None of the Technet literature that i've reviewed
  says  something about don't support path based site collection.
  So far, the only way to avoid this errors is not using the service(discouraging finding), These are some errors we got on Event viewer and logs:
  Machine 'MACHINENAME (AppPool(_LM_W3SVC_515444293_ROOT))' failed ping validation and has been unavailable since '3/28/2014 3:55:48 PM'.  (Just starting the service Event viewer begis to have a bunch of this errors)
  03/28/2014 13:34:01.96 w3wp.exe (0x1184)
  0x154C SharePoint Foundation
  Request Management ai2q3
  High Reached maximum number of failed machines based on ping results for this routing group
  53c2819c-8216-20f3-68c0-c0a3e55c92d5
  03/28/2014 13:34:01.96 w3wp.exe (0x1184)
  0x154C SharePoint Foundation
  Request Management ai2q4
  Medium Unavailable machines based on ping results: MACHINENAME
  53c2819c-8216-20f3-68c0-c0a3e55c92d5
  03/28/2014 13:34:01.97 w3wp.exe (0x1184)
  0x1C2C SharePoint Foundation
  Request Management adc7u
  Medium Mapping URI from 'https://HOSTNAME:443/Style Library/somos-sura-css/inicio/inicio.css' to 'https://MACHINENAME/Style%20Library/somos-sura-css/inicio/inicio.css'
  53c2819c-8217-20f3-68c0-cb2f392c388b
  Seems like it tries to find a site with the machine name, not the host name registered in the Alter access mappings (like portal.acme.com) .
  I would appreciate some feedback about this. Another posts with similar issues:
  http://amolmeshe.blogspot.com/2013/05/sharepoint-2013-request-management.html 
  http://www.akspug.org/Blog/Post/4/Request-Management-and-Error-8316 
  Regards,

  Hi,
  According to your post, my understanding is that you had an issue about the Request management service with SSL sites.
  It’s a known issue that the request management service could not work with the SSL site.
  We had already reported the issue to the product team, as a workaround, if you want to use the request management service, you can change the https site back to http.
  What’s more, the SharePoint 2013 SP1 has been relased, you can install it to check whether it works.
  http://support.microsoft.com/kb/2817429/en-us
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support

• Exception handling with eInsight

  hi,
  Can any body has any specific document regarding to achieve the effective exception handling with respect to JCAPS eInsight. where we have very limited information in the eInsight user guide.
  Thanks

  We have the same problem, so I could not help you.
  Further we migrate from SRE eInsight and use manuell restart on failure which does not have a corresponding handling in JCAPS.

• Is the APEX Listener IPV6 Compatible ?

  Hi,
  Is the APEX Listener compatible with IPV6 ?
  Thanks
  Francis.

  Avi Miller wrote:
  user503699 wrote:
  I am trying to find out how the APEX Listener is configured to start when the machine is started. Following are the details of the APEX listener process:It starts from /etc/rc.d/init.d/oracle-xe most likely (if you're running the XE database), as it is configured to startup with the XE listener.Hello Avi,
  Thanks a lot for your help.
  I am not running Oracle XE but the pre-configured "Oracle Developer Days" database vm. However, your suggestion was spot-on and I was able to find the call to start the listener in /etc/rc.d/init.d/oracle.
  p.s. For some reason, I am not able to mark your answer as "Correct" or mark this question as "Answered". Probably something to do with the way moderator has created this thread.
  Edited by: user503699 on Feb 20, 2012 3:27 PM

• How to configure OC4J using RMI/IIOP with SSL

  Any help?
  I just mange configure the OC4J using RMI/IIOP but base on
  But when I follow further to use RMI/IIOP with SSL I face the problem with: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  p/s: I use self generate keystore which should be ok as I can use it for https connection.
  Any one can help?
  Below is the OC4J log:
  D:\oc4j\j2ee\home>java -Djavax.net.debug=all -DGenerateIIOP=true -Diiop.runtime.debug=true -jar oc4j.jar
  05/02/23 16:43:16 ================ IIOPServerExtensionProvider.preInitApplicationServer
  05/02/23 16:43:38 ================= IIOPServerExtensionProvider.postInitApplicationServer
  05/02/23 16:43:38 ================== config = {SEPS={IIOP={ssl-port=5556, port=5555, ssl=true, trusted-clients=*, ssl-client-server-auth-port=5557, keystore=D:\\oc4j\\j2ee\\home\\server.keystore, keystore-password=123456, truststore=D:\\oc4j\\j2ee\\home\\server.keystore, truststore-password=123456, ClassName=com.oracle.iiop.server.IIOPServerExtensionProvider, host=localhost}}}
  05/02/23 16:43:38 ================== server.getAttributes() = {threadPool=com.evermind.server.ApplicationServerThreadPool@968fda}
  05/02/23 16:43:38 ================== pool: null
  05/02/23 16:43:38 ====================== In startServer ...
  05/02/23 16:43:38 ==================== Creating an IIOPServer ...
  05/02/23 16:43:38 ========= IIOP server being initialized
  05/02/23 16:43:38 SSL port: 5556
  05/02/23 16:43:38 SSL port 2: 5557
  05/02/23 16:43:43 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(IIOP_CLEAR_TEXT, 5555, null)
  05/02/23 16:43:43 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = IIOP_CLEAR_TEXT port = 5555 )
  05/02/23 16:43:44 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(SSL, 5556, null)
  05/02/23 16:43:44 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = SSL port = 5556 )
  05/02/23 16:43:45 ***
  05/02/23 16:43:45 found key for : mykey
  05/02/23 16:43:45 chain [0] = [
  Version: V1
  Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  b1239fff 2ae5d31d b01a0cfb 1186bae0 bbc7ac41 94f24464 e92a7e33 6a5b0844
  109e30fb d24ad770 99b3ff86 bd96c705 56bf2e7a b3bb9d03 40fdcc0a c9bea9a1
  c21395a4 37d8b2ce ff00eb64 e22a6dd6 97578f92 29627229 462ebfee 061c99a4
  1c69b3a0 aea6a95b 7ed3fd89 f829f17e a9362efe ccf8034a 0910989a a8573305
  Validity: [From: Wed Feb 23 15:57:28 SGT 2005,
                 To: Tue May 24 15:57:28 SGT 2005]
  Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
  SerialNumber: [    421c3768]
  Algorithm: [MD5withRSA]
  Signature:
  0000: 34 F4 FA D4 6F 23 7B 84 30 42 F3 5C 4B 5E 18 17 4...o#..0B.\K^..
  0010: 73 69 73 A6 BF 9A 5D C0 67 8D C3 56 DF A9 4A AC sis...].g..V..J.
  0020: 88 AF 24 28 C9 39 16 22 29 81 01 93 86 AA 1A 5D ..$(.9.")......]
  0030: 07 89 26 22 91 F0 8F DE E1 4A CF 17 9A 02 51 7D ..&".....J....Q.
  0040: 92 D3 6D 9B EF 5E C1 C6 66 F9 11 D4 EB 13 8F 17 ..m..^..f.......
  0050: E7 66 58 9F 6C B0 60 7C 39 B4 E0 B7 04 A7 7F A6 .fX.l.`.9.......
  0060: 4D A5 89 E7 F4 8A DC 59 B4 E7 A5 D4 0A 35 9A F1 M......Y.....5..
  0070: A2 CD 3A 04 D6 8F 16 B1 9E 6F 34 40 E8 C0 47 03 ..:[email protected].
  05/02/23 16:43:45 ***
  05/02/23 16:43:45 adding as trusted cert:
  05/02/23 16:43:45 Subject: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
  05/02/23 16:43:45 Issuer: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
  05/02/23 16:43:45 Algorithm: RSA; Serial number: 0x421c3779
  05/02/23 16:43:45 Valid from Wed Feb 23 15:57:45 SGT 2005 until Tue May 24 15:57:45 SGT 2005
  05/02/23 16:43:45 adding as trusted cert:
  05/02/23 16:43:45 Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
  05/02/23 16:43:45 Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
  05/02/23 16:43:45 Algorithm: RSA; Serial number: 0x421c3768
  05/02/23 16:43:45 Valid from Wed Feb 23 15:57:28 SGT 2005 until Tue May 24 15:57:28 SGT 2005
  05/02/23 16:43:45 trigger seeding of SecureRandom
  05/02/23 16:43:45 done seeding SecureRandom
  05/02/23 16:43:45 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(SSL_MUTUALAUTH, 5557, null)
  05/02/23 16:43:45 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = SSL_MUTUALAUTH port = 5557 )
  05/02/23 16:43:45 matching alias: mykey
  matching alias: mykey
  05/02/23 16:43:46 ORB created ..com.oracle.iiop.server.OC4JORB@65b738
  05/02/23 16:43:47 com.sun.corba.ee.internal.corba.ClientDelegate(Thread[Orion Launcher,5,main]): invoke(ClientRequest) called
  05/02/23 16:43:47 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): process: dispatching to scid 2
  05/02/23 16:43:47 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): dispatching to sc [email protected]7
  05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ClientDelegate(Thread[Orion Launcher,5,main]): invoke(ClientRequest) called
  05/02/23 16:43:48 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): process: dispatching to scid 2
  05/02/23 16:43:48 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): dispatching to sc com.sun.corba.ee.internal.corba.ServerDelegate@9300cc
  05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Entering dispatch method
  05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Consuming service contexts, GIOP version: 1.2
  05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Has code set context? false
  05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Dispatching to servant
  05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Handling invoke handler type servant
  05/02/23 16:43:48 NS service created and started ..org.omg.CosNaming._NamingContextExtStub:IOR:000000000000002b49444c3a6f6d672e6f72672f436f734e616d696e672f4e616d696e67436f6e746578744578743a312e30000000000001000000000000007c000102000000000c31302e312e3231342e31310015b3000000000031afabcb0000000020d309e06a0000000100000000000000010000000c4e616d65536572766963650000000004000000000a0000000000000100000001000000200000000000010001000000020501000100010020000101090000000100010100
  05/02/23 16:43:48 NS ior = ..IOR:000000000000002b49444c3a6f6d672e6f72672f436f734e616d696e672f4e616d696e67436f6e746578744578743a312e30000000000001000000000000007c000102000000000c31302e312e3231342e31310015b3000000000031afabcb0000000020d309e06a0000000100000000000000010000000c4e616d65536572766963650000000004000000000a0000000000000100000001000000200000000000010001000000020501000100010020000101090000000100010100
  05/02/23 16:43:48 Oracle Application Server Containers for J2EE 10g (9.0.4.0.0) initialized
  05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): Server getConnection(119e583[Unknown 0x0:0x0: Socket[addr=/127.0.0.1,port=1281,localport=5556]], SSL)
  05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): host = 127.0.0.1 port = 1281
  05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): Created connection Connection[type=SSL remote_host=127.0.0.1 remote_port=1281 state=ESTABLISHED]
  com.sun.corba.ee.internal.iiop.MessageMediator(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): Creating message from stream
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, SEND TLSv1 ALERT: fatal, description = unexpected_message
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, WRITE: TLSv1 Alert, length = 2
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeSocket()
  05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ReaderThread(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): IOException in createInputStream: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  05/02/23 16:45:14 javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA12275)
  05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
  05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.messages.MessageBase.readFully(MessageBase.java:520)
  05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.messages.MessageBase.createFromStream(MessageBase.java:58)
  05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.MessageMediator.processRequest(MessageMediator.java:110)
  05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.IIOPConnection.processInput(IIOPConnection.java:339)
  05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.ReaderThread.run(ReaderThread.java:63)
  05/02/23 16:45:14 Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
  05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA12275)
  05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA12275)
  05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
  05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
  05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
  05/02/23 16:45:14 ... 6 more
  05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.IIOPConnection(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): purge_calls: starting: code = 1398079696 die = true
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
  05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
  05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): DeleteConn called: host = 127.0.0.1 port = 1281

  Good point, I do belive what you are referring to is this:
  Any client, whether running inside a server or not, has EJB security properties. Table 15-2 lists the EJB client security properties controlled by the ejb_sec.properties file. By default, OC4J searches for this file in the current directory when running as a client, or in ORACLE_HOME/j2ee/home/config when running in the server. You can specify the location of this file explicitly with the system property setting -Dejb_sec_properties_location=pathname.
  Table 15-2 EJB Client Security Properties
  Property Meaning
  # oc4j.iiop.keyStoreLoc
  The path and name of the keystore. An absolute path is recommended.
  # oc4j.iiop.keyStorePass
  The password for the keystore.
  # oc4j.iiop.trustStoreLoc
  The path name and name of the truststore. An absolute path is recommended.
  # oc4j.iiop.trustStorePass
  The password for the truststore.
  # oc4j.iiop.enable.clientauth
  Whether the client supports client-side authentication. If this property is set to true, you must specify a keystore location and password.
  # oc4j.iiop.ciphersuites
  Which cipher suites are to be enabled. The valid cipher suites are:
  TLS_RSA_WITH_RC4_128_MD5
  SSL_RSA_WITH_RC4_128_MD5
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  nameservice.useSSL
  Whether to use SSL when making the initial connection to the server.
  client.sendpassword
  Whether to send user name and password in clear form (unencrypted) in the service context when not using SSL. If this property is set to true, the user name and password are sent only to servers listed in the trustedServer list.
  oc4j.iiop.trustedServers
  A list of servers that can be trusted to receive passwords sent in clear form. This has no effect if client.sendpassword is set to false. The list is comma-delimited. Each entry in the list can be an IP address, a host name, a host name pattern (for example, *.example.com), or * (where "*" alone means that all servers are trusted.

• Issue with one of the Managed server while enabling SSL.__ Issue Resovled

  Weblogic version:wls 8.1sp6
  SSL: internal
  Environment:
  1 AdminServer and 2 Managed servers. Admin and M1 are on same host. M2 is on different host. We have enabled SSL on M1 & M2 only. Configuration of M1 & M2 are identical. After restarting the servers M1 has no issue with SSL but M2 throws javax.net.ssl.SSLKeyException as shown below,
  <Aug 4, 2008 12:29:01 PM BST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
  <Aug 4, 2008 12:29:02 PM BST> <Info> <WebLogicServer> <BEA-000213> <Adding address: 10.96.201.249 to licensed client list>
  <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
  <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Error> <Cluster> <BEA-000141> <TCP/IP socket failure occurred while fetching statedump over HTTP from -6401422690190304510S:lonlxwebhost99:[16544,16544,16042,16042,16544,16042,-1,0,0]:etg:lonwpyq_16543_1.
  javax.net.ssl.SSLKeyException: [Security:090773]The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
  at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
  at com.certicom.tls.record.WriteHandler.write(Unknown Source)
  at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
  at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
  at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
  at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
  at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:122)
  at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:322)
  at weblogic.cluster.HTTPExecuteRequest.connect(HTTPExecuteRequest.java:73)
  at weblogic.cluster.HTTPExecuteRequest.execute(HTTPExecuteRequest.java:121)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)>
  Please let me know where I am going wrong. Thnx in advance
  Message was edited by:
  Shashi_sr

  Solution given by BEA Engineer:
  <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  The reason for this was
  The CA Certificate was missing a required bit (according to RFC 3280).
  keyEncipherment bit is not in the KeyUsage and KeyUsage is marked as critical.
  As per RFC:
  The keyEncipherment bit is asserted when the subject public key is
  used for key transport. For example, when an RSA key is to be
  used for key management, then this bit is set.
  According to RFC3280, when the key will be used to encrypt other keys that are send over the wire ("key transport") the keyEncipherment bit of the KeyUsage extension must be set. If the KeyUsage extension is critical, the SSL certificate validation will check that the key can be used in the key agreement. That is, that the key can be used to encrypt the symmetric public key.
  Your KeyUsage only contains the following bits:
  [4]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
  Since it is marked Critical, it MUST have the keyEncipherment bit.
  Otherwise, it should not be marked as Critical.
  So the three solutions that should work are
  1) Remove keyUsage
  2) Don't mark keyUsage as critical
  3) If keyUsage is critical, make sure keyEncipherment bit is set.

• Securing webaccess with ssl

  OK, I will admit right now I don't fully understand how
  webaccess and ssl works. In my current setup I used a
  self-signed key generated and stored in eDir. This key is
  used in httpd.conf like:
  SecureListen xxx.yyy.zzz.1:443 "SSL Certificate"
  I know have my freshly minted ssl cert (filename.crt) from
  my CA. GHow the heck do I use it. I have search the TIDs
  and Documentation with no luck, although I may not know
  exactly what to look for.
  Can someone either point me towards the correct docs or
  otherwise instruct on how to set this up???
  Much thanks, Chris.

  OK, figured this one out. What is confusing is that in the
  webaccess gateway there is an option to secure the gateway.
  To the unfamiliar this would be the spot to add the
  certificate. However, after doing more investigation I
  realized that the ssl connection to the user is handled by
  apache.
  Now the apache setup is fairly straight forward provided
  your CA issue you a certificate in pfx or p12 format. If
  they issue a PEM certificate, then you have some dancing to
  do. Luckily openssl helped here and I was able to convert
  the certificate to pfx.
  Chris
  >>> On 7/16/2009 at 11:55 AM, in message
  <4A5F15AB.CE15.0032.0@N0_$pam.vrapc.com>,
  Chris<cmosentine@N0_$pam.vrapc.com> wrote:
  > OK, I will admit right now I don't fully understand how
  > webaccess and ssl works. In my current setup I used a
  > self-signed key generated and stored in eDir. This key
  > is
  > used in httpd.conf like:
  >
  > SecureListen xxx.yyy.zzz.1:443 "SSL Certificate"
  >
  > I know have my freshly minted ssl cert (filename.crt)
  > from
  > my CA. GHow the heck do I use it. I have search the
  > TIDs
  > and Documentation with no luck, although I may not know
  > exactly what to look for.
  >
  > Can someone either point me towards the correct docs or
  > otherwise instruct on how to set this up???
  >
  > Much thanks, Chris.

• Servlet security with SSL

  Hello All,
  I am fairly knew to Java and Tomcat etc as I came from a non Java\Tomcat previous role but have inherited a project which is a Java servlet (Java 1.6.0.29) running on Windows with Tomcat (Tomcat 7) as the container. The servlet communicates with both an Oracle database on a Unix server and a SQL server database on a Windows server. I now require to secure the communication with the SQL Server database using SSL (Two way communication) and would really like some straight forward guidance on how to do this, i.e. what exactly do I do?
  I ask this because there is a lot of information on the Tomcat website and other web sites but I find it becomes very ambiguous and confusing. They mostly talk about setting up a Keystore for the root certificate on the server and then say nothing about the "client". In my servlets situation the server hosting the SQL server is the "server" and the server hosting the servlet is the "client". The server hosting the servlet ("the client") already has a keystore set up on it to handle the encryption to the Oracle database and a entry to suit in the Tomcat server.xml file.
  Any assistance would be greatly appreciated. I am really stuck with this
  Thank you in advance
  Alanjo

  On 01/14/2014 06:11 AM, Alan Farroll wrote:
  > Hi all,
  >
  > I could not find a more appropriate forum in Eclipse for this question
  > so have placed it in newcomers as I am still quite new to Java\Eclipse
  >
  > We are working on a Java servlet application that involves security with
  > SSL to allow the servlet to run from a server outside our firewall and
  > interrogate databases inside our firewall. It runs on Tomcat 7 and built
  > on Java 1.6.0.29
  >
  > We have had no problems running the servlet on the Test server within
  > the firewall but when running on the Live server outside the firewall
  > the SoapUI request returns nothing and the current Tomcat log error is
  > "java.lang.RuntimeException: Could not generate dummy secret"
  >
  > The problems seem to be with the jce.jar and the sunJCE_provider.jar.
  >
  > Has anybody any assistance they could provide please.
  >
  > Thanks in advance
  >
  > AJF
  The live server doesn't have access to the right JARs? Maybe this will help?
  http://www.javahotchocolate.com/notes/jce-policy.html

• Error: [NQSError:13037] cannot connect to BI security service,Please make sure this is running properly (with SSL or not) in EM

  Hi,
  Im unable to open the RPD online  getting following error.
  Note: Im not done any changes. Its works good till yesterday EOD.
  Error:
  [NQSError:13037] cannot connect to BI security service,Please make sure this is running properly (with SSL or not) in EM.
  [NQSError:37001] could not connect to the oracle BI server instance..
  Kindly help me to fix this issue.

  Hi,
  Could you access the answer side.
  Could you see the reports.
  Do one thing, take a back up of NQS config file from <Oracle Location>\instance\instance1\config\obiserver folder\nqsconfig.ini file.
  Copy nqs config file if you have already have a back up.
  Restart the services and try once.
  http://mkashu.blogspot.com
  Regards,
  VG

• Importing external web service with SSL certificate security

  Hello,
  I'm trying to import an external web service (that resides in another server, independent of ours). However, right after I enter the WSDL in the import window I get the following error in the NWDS:
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target      [Error: com.sap.ide.es.core.ui.internal.wizards.fragments  Thread[ModalContext,6,main]]
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
            at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
            at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
            at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
            at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
            at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
            at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
            at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.getURLAsStream(UrlValidationRunnable.java:137)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.validate(UrlValidationRunnable.java:75)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.run(UrlValidationRunnable.java:55)
            at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
            at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
            at sun.security.validator.Validator.validate(Validator.java:218)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
            ... 15 more
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
            at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
            ... 21 more
  Has anyone ever consumed an external web service with SSL certificate security? How do you import this in your Web Dynpro project?
  Cheers!

  Hi Alain,
  I just checked on a newer NW environment (NW 7.2) and was presented an empty list as well... It seems the mapping procedure I described is deprecated since NW 7.11, and the modeled CAF application service is already exposed as a web service.
  You may want to have a look at http://help.sap.com/saphelp_nwce711/helpdata/en/43/f173947bbb025be10000000a1553f7/content.htm or http://scn.sap.com/message/7852996 for more info

• Securing SQL Server 2012 Azure VM with SSL - Help!!!

  Hello all,
  I am trying to encrypt with SSL my SQL server 2012 Azure VM; I have created the cert and I can see it in cert mgr but when I go to SQL config MGR -protocols for MSSQLSERVER to setup the encryption, the certificate tab contains no certificates :(
  this is so annoying please can someone help me with this?
  Thanks so much,
  BN.

  Also, I am getting the following error whilst connecting to the Azure VM client side via SQL management studio:
  “The certificate chain was issued by an authority that is not trusted”
  I can get around this by specifying "TrustServerCertificate=True" in the connection string; what is causing this and should I be alarmed? can this be resolved?
  Hi ,
  According to your error message, When the SQL Server instance has only a self-signed certificate, the encrypt property is set to true and the trustServerCertificate property is set to true. There is an similar issue about SqlException (0x80131904), you can
  review the following post.
  http://stackoverflow.com/questions/17615260/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted-when-conn
  In addition, there is detail about writing secure connection strings for SQL Database in Windows Azure, you can review it.
  http://social.technet.microsoft.com/wiki/contents/articles/2951.windows-azure-sql-database-connection-security.aspx
  Regards,
  Sofiya Li
  Sofiya Li
  TechNet Community Support

• Securing Portal with SSL/https

  Has anyone successfully setup oracle portal 9.0.2 on solaris running all over secure sockets for both login/server and portal ?
  I've followed the otn documentation but i'm still having problems with gettin portal to work with https.
  It's driving me insane!! please help with any suggestions.
  Kind Regards
  Neil

  Hi,
  We did the following steps and it working :)
  Assuming that HTTPS is correctly working and without security aspects.
  Assuming that the HTTPS is 443
  1) configure Webcache to work on port 443 and link it to the 4444 port of Apache
  1) configure SSO
  I directly change in WWSEC_ENABLER_CONFIG_INFO$ LS_LOGIN_URL to the https URL
  the LSNR_TOKEN has to be like 'myhost' and not 'myhost:port'
  2) Login to SSO and update the HOME, SUCCESS and CANCEL URL of SSO
  to https
  3) register mod_osso against the new SSO Server
  4) register the portal using ptlasst
  (if possible remove the already installed portal)
  beware You might have big trouble with groups you have created.
  5) Add in ORACLE_HOME\j2ee\OC4J_Portal\applications\portal\WEB-INF\web.xml
  <init-param>
  <param-name>httpsports<param-name>
  <param-value>443:4444</param-value>
  </init-param>
  That is it !!!!
  You have also to protect some URL with SSL and
  to redefine some virtual path
  The best test is to stop WebCache to liste http port
  Have fun
  Philippe Camelio
  SysAdmin