Separating SSL and non-SSL transactions

What's the best way to separate SSL and non-SSL transactions in a single web app? I.e. when the user logs in, the login form is submitted over an SSL connection, but from then on only certain pages/forms use SSL. If there's one JVM with the session info, how can we be sure what needs to be secured goes thru the SSL server?

javax.servlet.ServletRequest method isSecure() - "Returns a boolean indicating
whether this request was made using a secure channel, such as HTTPS."
Chris Scott wrote:
> What's the best way to separate SSL and non-SSL transactions in a single web app? I.e. when the user logs in, the login form is submitted over an SSL connection, but from then on only certain pages/forms use SSL. If there's one JVM with the session info, how can we be sure what needs to be secured goes thru the SSL server?
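
A servlet filter built on the isSecure() check from the answer above, as an added example that is not part of the original thread: it lets only HTTPS requests reach the listed path prefixes. The class name, the init-parameter names securedPrefixes and httpsAuthority, and the sample values in the comments are assumptions.

```java
// Added example, not code from the thread. Names and sample values are assumptions.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RequireSecureFilter implements Filter {
    private String[] securedPrefixes = new String[0]; // e.g. "/login,/account"
    private String httpsAuthority;                    // e.g. "www.example.com:7040"

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String prefixes = cfg.getInitParameter("securedPrefixes");
        // Host and port come from configuration, not from the request's Host
        // header, so a forged header cannot steer the redirect elsewhere.
        httpsAuthority = cfg.getInitParameter("httpsAuthority");
        if (prefixes == null || httpsAuthority == null) {
            throw new ServletException("securedPrefixes and httpsAuthority are required");
        }
        securedPrefixes = prefixes.trim().split("\\s*,\\s*");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Decoded path inside the web app, without context path or ;jsessionid.
        String path = request.getServletPath()
                + (request.getPathInfo() != null ? request.getPathInfo() : "");

        if (!needsSsl(path) || request.isSecure()) {
            chain.doFilter(req, res);
            return;
        }
        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            // Safe to replay: send the browser to the same resource over HTTPS.
            StringBuilder target = new StringBuilder("https://")
                    .append(httpsAuthority).append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
        } else {
            // A form body has already crossed the wire in clear text; refuse it
            // rather than redirect, so the insecure form gets noticed and fixed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        }
    }

    private boolean needsSsl(String path) {
        for (String prefix : securedPrefixes) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml; the container-level alternative is a `<security-constraint>` whose `<user-data-constraint>` sets `<transport-guarantee>CONFIDENTIAL</transport-guarantee>`. Behind a TLS-terminating proxy, isSecure() reflects only the hop into the container unless the container is configured to trust the proxy's forwarded scheme.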

Similar Messages

  • Mixing ssl and non ssl jsp pages.

    Hi,
    I am new to Weblogic 8.1 and I would like to learn how to setup few jsp pages in https:// and few pages to be served in http:// protocol.
    I have created a managed server using 7004 for http and 7040 for https. Currently I have 2 jsp pages index.jsp and test.jsp and both the pages can be accessed using http:// or https://
    I wanted to make test.jsp work only with https:// and not work with http:// How do I configure this?
    In realtime webapplications. How is switching of http and https working? Are the URL's hard coded in the controller servlet?
    Some tips would be helpful.
    Uma

    Hi,
    To do this task do the following,
    1. Create a property file in your application. for example let us take myapp.properties
    2. include the following to the myapp.properties file
    #sslport=7002
    #nonsslport=7001
    #serverip=127.0.0.1
    #ctpath=myApp
    # In your case (the question uses 7004 for http and 7040 for https)
    sslport=7040
    nonsslport=7004
    serverip=127.0.0.1
    # ctpath is the web deployment directory
    ctpath=yourapp
    3. Create a class to read the property file say PropertyReader.java and implement the following
    // requires: import java.util.Properties;
    // load myapp.properties (assumed to be on the classpath)
    Properties props = new Properties();
    props.load(PropertyReader.class.getResourceAsStream("/myapp.properties"));
    String sslport=props.getProperty("sslport");
    String nonsslport=props.getProperty("nonsslport");
    String serverip=props.getProperty("serverip");
    String cpath=props.getProperty("ctpath");
    4. initialise the propertyReader class and
    in the property class keep following variables in admin session data
    String sslpath="https://"+serverip+":"+sslport+"/"+cpath;
    String nonsslpath="http://"+serverip+":"+nonsslport+"/"+cpath;
    5. use these variables for ssl or nonssl
    response.sendRedirect(sslpath+"/bank.jsp"); //for ssl
    response.sendRedirect(nonsslpath+"/welcome.jsp"); //for non ssl
    like the same way
    Regards,
    Nishant Kulkarni

  • Using SSL and non-SSL

    We are running 4.12 on Solaris 8 with SSL enabled. However, we would also
    like this server to accept queries on 389 for portions of the tree. An
    example would be that a username and phone number could be queried via 389,
    but an employee ID could only be queried by an authenticated user. Does
    anyone have any guidance on this or could point me to some documentation
    relating to this. Thanks in advance.

    Hi Ryan,
    You probably want to look at the "Managing Access Control" chapter of the
    Administrator's Guide.
    More specifically, have a look at the "Access Based on the Authentication
    Method"
    (http://docs.iplanet.com/docs/manuals/directory/41/admin/acl.htm#997696) and
    the "Defining permission based on the Authentication Method"
    (http://docs.iplanet.com/docs/manuals/directory/41/admin/acl.htm#998706)
    sections.
    I hope this helps.
    Bertold
    "Ryan Kean" <[email protected]> wrote in message
    news:9r967v$[email protected]..
    We are running 4.12 on Solaris 8 with SSL enabled. However, we would also
    like this server to accept queries on 389 for portions of the tree. An
    example would be that a username and phone number could be queried via 389,
    but an employee ID could only be queried by an authenticated user. Does
    anyone have any guidance on this or could point me to some documentation
    relating to this. Thanks in advance.

  • How do i know the ssl over non ssl

    Hello Gurus,
    Your answer is greatly appreciated;
    a)
    https://ebusdockel.9dc.com:243/DockerMasterAJX/services/DockerMaster
    b)
    http://ebusmodel.9dc.com/DockerMasterAJX/services/DockerMaster
    How do I determine from the above 2 URLs the difference between SSL and non SSL? Your answer is appreciated.

    Hi,
    There is a way within Forms to programmatically tell whether users are in SSL or not - if you're in 11g Forms. You can use the new 11g javascript built-ins to execute javascript. Javascript will pull the URL and return it to as a VARCHAR. Then you can have PL/SQL logic to see if the url contains "https" or "http", then you can execute whatever logic you want.
    The PL/SQL Built-in you want to use is: web.javascript_eval_function
    The javascript command you want to run is: document.location.href
    If you are looking for a way to force users to go to SSL, there are some options you can do with OHS(Oracle HTTP Server) - which comes with the 11g Forms.
    I hope this helps.
    Thank you,
    Gavin
    http://pitss.com/us

  • Session Cookies Being Overwritten Browsing From SSL to Non SSL

    I have created a bug report for this issue as well.
    Please note I am using J2EE session variables so keep that in mind.
    I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
    For example:
    Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Encrypted connections only".
    Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Any type of connection".
    Here's the problem:
    Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
    Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
    Steps to Reproduce:
    1. Clear your cookies.
    2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
    3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
    This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
    Has anyone else experienced this?

    Deleting and re-adding my account seems to have fixed it.  I think when I initially added my Google Talk account, it was by using the "Add Jabber Account" under 10.6 or something.  Now, when I re-added my account, I notice both "Google Talk" and "Jabber" are options, so my thought here is that Jabber and Google Talk options are no longer quite the same thing.

  • Difference between enjoy and non-enjoy transaction

    hi
    can anybody tell me the difference between enjoy transaction and non-enjoy transactions
    for example ME21N is enjoy transaction and ME21 isnt
    we can do a BDC for ME21 and not for ME21N
    basically, is it all transactions finishing with 'N' is enjoy transaction?

    Hi sia,
    1 can anybody tell me the difference between enjoy transaction and non-enjoy transactions
    The main difference, bcos we cannot do bdc is :
    a) The enjoy transactions are based on
       GUI Control (eg. Grid control based on class)
       which are instantiated/created
       on the front-end machine.
      Hence, they cannot be accessed directly by code,
      running on the application server.
      (instead their value is set on the front-end)
      Hence, we cannot do bdc on them.
    regards,
    amit m.

  • Changes to Verizon email servers and Non-SSL capable email clients

    Need to change over my pop/smtp settings to the new settings as per Verizon notification.  I have quite a few non-SSL capable email clients.  Does Verizon provide a non-SSL email server on port other than 25 I can use ?

    blottje wrote:
    Need to change over my pop/smtp settings to the new settings as per Verizon notification.  I have quite a few non-SSL capable email clients.  Does Verizon provide a non-SSL email server on port other than 25 I can use ?
    Not once they turn off the old incoming/outgoing servers. (Supposedly coming in September.)
    What email clients are you using that don't allow for SSL???

  • TO confirmation for picking: difference between RF and non RF transactions

    Hello,
    I am confirming one TO for picking in a outbound delivery process. My storage location is WM and HU managed and materials are batch managed.
    I noticed if I confirm TO through RF transaction (LM61), I have the following results per material on outbound delivery:
    one main item with 0 as delivery quantity
    several sub items (9000x), with as many lines as HUs confirmed. Qty is HU qty
    Now if I confirmed TO with non RF transaction (LT12), I do not have the same results:
    one main item with 0 as delivery quantity
    one or several sub items (9000x), with as many lines as batch confirmed (then potentially less sub items). Qty is aggregated per batch with several HUs.
    I need to use TO confirmation through RF.
    But this seems to have an impact on an inter company process where I'm using SPED functionality.
    Indeed, when I process post goods issue in the issuing plant, I have an automatic creation of the inbound delivery for the receiving plant (with same HUs).
    And then I have to proceed QM controls:
    - if I have confirmed picking TO with RF, inspection lots are created for each HU.
    - if I have confirmed picking TO w/o RF, inspection lots are created for each batch
    I need to manage inspection lots per batch and confirm TO with RF!
    I changed several QM settings on material, without success.
    Now I would like to know if this could be much more managed on LE side, specifically TO confirmation.
    Have you got an idea?
    Thank you

    I got a feed back out of this forum.
    The solution is to change delivery update settings in interface between WM and shipping, so that update delivery is not done after each confirmation item but after the whole TO confirmation.

  • Content server and Non SSL portlet

    I have a url that I placed in one of my portal headers that is not using SSL (i.e. http://mylink.com) My portal is SSL (https://myportal.com). When a user login to the portal he gets a message from the browser "This page accessing information that is not under it's control. Do you want to continue?" This also happens when I place a portlet that use Google gadget or a weather web services. How do I get around this?
    We are using ALUI 6.1, w/.net
    Thank you

    here is the solution for anyone that is interested. I got it from BEA support:
    Resolution:
    This is a Zone Alert issue involved with "Cross Domain Data" access and XHTML rendering of content not on the same site as server the user lands on. (that's all I have found out so far)
    The User's IE settings in the security tab can be changed to stop the prompt. The specific setting is in the IE Tools/Internet Options/Security Tab/Custom Level Button. It is under Miscellaneous category titled "Access Data Sources Across Domains". Setting this parameter to "Enable" will stop the prompt. (But this is on the user's side not the server side)
    Also enable mixed content should be enabled as well to prevent the mixed mode security errors. This needs to be configured against each client machine.

  • Performing ORM and non-ORM transactions in one request.

    During the processing of a request, we need to perform an ORM statement and a non-ORM cftransaction on 2 different data sources.
    Example:
    # Note, 'someObject' is a persistent CFC with a datasource attribute of 'DSN1'.
    <cftransaction>
         <cfset myObjects = EntityLoad('someObject') />
    </cftransaction>
    <cftransaction>
         <cfquery name="test" datasource="DSN2">
               INSERT INTO ...
         </cfquery>
    </cftransaction>
    Whenever we hit the 2nd cftransaction block, we get the following error:
    Message=A transaction cannot be started on more than one datasource.
    This works in CF 9.0.1, but fails on CF 9.0.1 HF3, CF 9.0.2, and on CF 10.


  • Bulk changing all websites from SSL to non-SSL (443 to 80)

    While I was cleaning up my Mountain Lion Server, I innocently updated some SSL server certificates.
    Shortly afterwards, I found that ALL my HTTP (80) sites didn't work. I went into the Server.app and found that ALL my sites were now using port 443, rather than the port 80 that they were running on.
    Since I have over 100 sites, I need to know how to BULK update them back by removing the certificate they were assigned when I updated that specific cert.
    How did I update the certificate? I was looking at the Alerts section of the Server.app, that told me that some were expiring. There was a Replace button and that's what I clicked. I was never warned that it would change ALL my sites from having NO certificate to the certification that I replaced.
    Any ideas on how to resolve this issue quickly, without having to open up EACH site and change the certification to NONE (and thus changing the port back to 80)?

    There's no bulk update via the GUI [1], which leaves shutting off Server.app and mass-editing the Apache data.
    For a bulk change of 443 to 80, something like this should get you started. 
    FWIW, Do also confirm whether the port 80 sites are still around in the configuration data, as some web browsers are now selecting 443 whenever that's available.
    [1] Yes, I'm probably ignoring scripting via AppleScript here.  If I have to script something, it'll be the Apache data and not the GUI, and using bash, Python or other such and likely not AppleScript.  Local preference.

  • What's the difference between END-TO-END SSL and other SSL?

    Could anyone summarize all of the differences?
    Thanks a lot! Points guaranteed.

    Hi,
    SSL end-to-end means that the web dispatcher is just forwarding the
    HTTPS requests to the backend system without unpacking / decrypting the data.
    This can be configured by icm/server_port_<XX> = ...,PROT=ROUTER,..
    To be able to configure the ROUTER protocol on the web dispatcher you also
    must have configured HTTPS / SSL on the relevant backend system.
    Configuring SSL "only" means that the web dispatcher is listening to HTTPS and you can decide with the relevant parameters, if the communication to the backend is HTTP or if it is again reencrypted using HTTPS.
    This would end up in using the parameter icm/server_port_<xx> = ...,PROT=HTTPS,....
    Kind Regards
    Thomas Alt

  • NW7 ssl and webdispatcher ssl

    Hi:
    We have an NW7 (A+J) system and a webdispatcher in front of the NW7.
    I have configured the SSL between the NW7 and the webdispatcher.
    Do I have to configure the SSL on the NW7 itself, that is the SSL between the ABAP and the JAVA?
    I see documents on both types of SSL configuration but not sure what is the difference in their functionalities.
    Thanks!

    Hello Laura,
    1) for BI and PI with ABAP and JAVA on separated servers, no SSL needed between A and J?
    - As far as I know, SSL between ABAP and JAVA stacks is not required in BI and PI systems. If you need secure layer for message processing in PI system then we have separate procedure for SSL setup in PI Java stack.
    2) for a pure Java system (no ABAP), I remember I read a document about configuring SSL on itself (no with the webdispatcher), could you please tell what is that for?
    - Let's assume pure Java system is Enterprise Portal. If ABAP system SAP HCM is backend for EP then we will setup SSL in EP for secure communication with HCM system. It all depends on client's requirement.
    We can setup SSL in ABAP system or Java system with/without webdispatcher.
    Hope it answered your question.
    Thanks,
    Siva Kumar
    Edited by: Siva Kumar Arivinti on Jan 11, 2012 6:53 PM

  • Apache, ssl, and php problem

    i just added ssl support to my apache website running php. before i added ssl i had a php flash script that has always worked fine until i altered the httpd.conf file to forbid access to this directory unless it was an encrypted connection. i used the code
    <Directory "/home/httpd/html/folder">
        AuthType Basic
        AuthName "user"
        AuthUserFile /home/httpd/passwords/folder
        Require user user
        SSLRequireSSL
    </Directory>
    i tested the ssl with the directory running php before i altered the code and it worked fine. now that i altered the code to require ssl, the folder's index shows up a blank page. what went wrong, is there some bug or something i did wrong?

    steps to use ssl in arch with apache.
    1) pacman -S openssl apache
    2) Read /etc/httpd/conf/mod_ssl.txt
    2a) Edit /etc/conf.d/httpd and set HTTPD_USE_SSL to "yes"
    2b) Create an ssl key, request, and certificate.
    # This generates the cert and key (valid for 3650 days)
    # Be sure to enter the FQDN of your apache server as the "Common Name".
    openssl req -new -x509 -newkey rsa:1024 -days 3650 \
      -keyout server.key -out server.crt
    # This will remove the passphrase
    openssl rsa -in server.key -out server.key
    2c) Modify /etc/httpd/conf/ssl.conf to use your new certificate.
    SSLCertificateFile /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key
    3) Edit /etc/httpd/conf/ssl.conf
    Define an appropriate virtualhost for your ssl site
    4) Restart apache (/etc/rc.d/httpd restart)
    If it hangs or fails to start, check the /var/log/httpd/error_log or try running
    '/usr/sbin/apachectl startssl' and looking for errors/prompts.
    NOTE: Using the same dir for ssl and non-ssl does not make sense, as someone could just use non-ssl to access the same information. Instead, create a new directory (something like /home/httpd/ssl), and use that dir for ssl web activities. Adjust /etc/httpd/conf/ssl.conf accordingly

  • SSL and problems serving images.

    We've recently begun testing our application through SSL (we've
    concluded non-SSL testing and all issues have been resolved.)
    When running through SSL, some images fail to load properly but
    re-appear with a "refresh" or an explicit "show picture" from the
    browser. This doesn't happen to any images in particular but does occur
    frequently -- one or two images for every couple pages served.
    Our installation specifics are as follows:
    NT
    Weblogic 5.1 (sp4) running through DOS batch file
    Oracle 8.1
    JSP / EJB
    VeriSign certificate.
    Any help you can provide will be appreciated.
    Thanks - Jackson

    Thanks for the response.
    I am serving all of the images myself through the SSL connection (i.e., we don't
    have a mixture secure and non-secure images on the page.)
    I agree that we shouldn't require ANY app-side changes as we move from non-SSL
    to SSL.
    Has anyone else experienced this type of problem?
    Sunil Kuchipudi wrote:
    Jackson:
    Whether your images appear or not should be transparent to the application.
    What I mean, when you move from non ssl to ssl mode,
    there should be no changes required for the application code.
    Having said that I would check the following
    Does your page contain a mixture of SSL (ie images served from https) and
    non ssl links (ie image or links served like http:). If the page
    contains a mixture of SSL and non SSL tags then you would run into the
    problems. Netscape would not display the images properly and IE
    would warn you with a dialog box. I would recommend that you go through the
    generated HTML or JSP and check the http and https links.
    I hope this helps.
    -Sunil . K
    Jackson Wilson <[email protected]> wrote in message
    news:[email protected]..
    We've recently begun testing our application through SSL (we've
    concluded non-SSL testing and all issues have been resolved.)
    When running through SSL, some images fail to load properly but
    re-appear with a "refresh" or an explicit "show picture" from the
    browser. This doesn't happen to any images in particular but does occur
    frequently -- one or two images for every couple pages served.
    Our installation specifics are as follows:
    NT
    Weblogic 5.1 (sp4) running through DOS batch file
    Oracle 8.1
    JSP / EJB
    VeriSign certificate.
    Any help you can provide will be appreciated.
    Thanks - Jackson
