Server Certificate on Weblogic 8.1
Hi. I know it is really dumb to ask these questions but I urgently need to know these as I am on a very tight project schedule. So can someone please enlighten me.
1. If I use the SSL protocol and configure a server certificate, when someone enters my URL, will Internet Explorer prompt my client for a certificate?
2. Do I really need SSL for configuring Certificate? If I do not use, can I still configure and use Server Certificate?
3. Can I reuse the server certificate on my Weblogic 5.1 to Weblogic 8.1 since I am migrating from WL5.1 to WL8.1?
My certificate files in WL 5.1 are in the form of *.pem
Cheers
If you get (for example) a 128-bit SSL certificate from Verisign you need to specify a Certificate Signing Request (CSR). This is unique for each server. If you have upgraded your server and the CSR generated from the weblogic CSR generator servlet is the same as it was in the previous version, then I guess you can use the same certificate. If the CSR has changed then I think you will need to replace the certificate, this costs $100. If it's been less than 30 days since your certificate was issued, it's free.
Similar Messages
-
Weblogic server 9.2 and SSL server certificate for the wrong site
I turned on SSL service for a weblogic 9.2 server and later on changed the hostname of the machine that weblogic was running on. So the hostname that my SSL server certificate was issued to has now become an invalid hostname. But my weblogic server continues to run SSL service without any exception. I can still access my web applications thru the SSL port (except of course I get a warning for the server certificate every time that it is for the "wrong site"). My question is this: should weblogic 9.2 verify the hostname in the server certificate and stop SSL service if the certificate is for the wrong site? Or is verifying the certificate strictly the job of the browser? Just want to make sure there is nothing wrong with my SSL configuration. Thanks.
So you are saying that something is wrong with my weblogic 9.2 ssl configuration? And that given a server certificate issued to a different hostname, my weblogic server should NOT be servicing ssl request and/or it should throw some sort of exception during startup? Thanks for clarifying.
-
SSL for Weblogic 6.0: Server Certificate Chain File & Verisign
http://www.bea.com/support/askbea/wls/S-07188.shtml
This issue attempts to explain what a "certificate chain file" is for. I still don't understand why this is so difficult. Where do I get this from?
At the end of the article it points me here:
http://www.verisign.com/repository/root.html
And vaguely tells me to convert the unspecified format on that page using a utility from OpenSSL. The format on that page is NOT .pem, what is it? Which utility do I use, and HOW do I convert the root server CA on that page to .der format?
Thanks for tips!
Unfortunately this is a misleading exception you are getting.
Here is a suggested workaround (at least to get SSL working)
https://www.verisign.com/server/prg/browser/root.html
I have met the same question as you.
The Server Certificate Chain File obtained from your Browser (such as IE5.5)
Jason Pettiss <[email protected]> wrote:
http://www.bea.com/support/askbea/wls/S-07188.shtml
This issue attempts to explain what a "certificate chain file" is for.
I still don't understand why this is so difficult. Where do I get
this from?
At the end of the article it points me here:
http://www.verisign.com/repository/root.html
And vaguely tells me to convert the unspecified format on that page using
a utility from OpenSSL. The format on that page is NOT .pem, what is
it? Which utility do I use, and HOW do I convert the root server
CA on that page to .der format?
Thanks for tips! -
Configuring Apache HTTP Server with Oracle Weblogic Server plugin
Hello friends,
I have a scenario of OIM 9.1.0.2 on Oracle Application Server 11g and Weblogic Server Apache HTTP Server.
Oracle WebLogic Server is configured in cluster (node1 and node2), also use the Oracle Weblogic Server plugin for integration with Apache.
One of the tests is to lose one of the nodes for the apache plugin redirects the node that has less overhead.
When the mode is node1 and node2 stop start mode and try to access the management console of Oracle Identity Manager, the plugin sometimes redirects to the other active node, and on another occasion shows the oracle management console identity manager without the colors of the basic look and feel.
Deputy of the Apache HTTP Server log, do you expect your comments to solve this case?
*************************************************log****************************************************
Server Details are:
OrigHostInfo [192.168.1.200]
isOrigHostInfoDNS [0]
Host [192.168.1.200]
Port [7002]
SecurePort [7004]
Mon Jan 30 22:10:43 2012 <2600713279794431> Initializing lastIndex=0 for a list of length=1
Mon Jan 30 22:10:43 2012 <2600713279794431> initJVMID: Trying to locate Primary or Secondary using SrvrInfo with JVMID [-872106207]
Mon Jan 30 22:10:43 2012 <2600713279794431> initJVMID: Found Primary 192.168.1.200:7002:7004
Mon Jan 30 22:10:43 2012 <2600713279794431> INFO: Closing SSL context
Mon Jan 30 22:10:43 2012 <2600713279794431> .....internal request /bea_wls_internal/WLDummyInitJVMIDs.....processed
Mon Jan 30 22:10:43 2012 <2600713279794431> getPreferredFromCookie: Found 1 servers
Mon Jan 30 22:10:43 2012 <2600713279794431> attempt #0 out of a max of 5
Mon Jan 30 22:10:43 2012 <2600713279794431> trying connect to PRIMARY '192.168.1.200'/7002/7004
Mon Jan 30 22:10:43 2012 <2600713279794431> getPooledConn: No more connections in the pool for Host[192.168.1.200] Port[7002] SecurePort[7004]
Mon Jan 30 22:10:43 2012 <2600713279794431> New SSL URL: match = 0 oid = 22
Mon Jan 30 22:10:43 2012 <2600713279794431> Connect returns -1, and error no set to 150, msg 'Operation now in progress'
Mon Jan 30 22:10:43 2012 <2600713279794431> EINPROGRESS in connect() - selecting
Mon Jan 30 22:10:43 2012 <2600713279794431> Setting peerID for new SSL connection
Mon Jan 30 22:10:43 2012 <2600713279794431> 0ae2 0436 0000 1b5c ...6...\
Mon Jan 30 22:10:43 2012 <2600713279794431> Local Port of the socket is 39186
Mon Jan 30 22:10:43 2012 <2600713279794431> Remote Host 192.168.1.200 Remote Port 7004
Mon Jan 30 22:10:43 2012 <2600713279794431> created a new connection to preferred server '192.168.1.200/7004' for '/xlWebApp/images/spacer.gif', Local port:39186
Mon Jan 30 22:10:43 2012 <2600713279794431> INFO: CA certificate missing basicConstraints, validation failed
Mon Jan 30 22:10:43 2012 <2600713279794431> ERROR: SSLWrite failed
Mon Jan 30 22:10:43 2012 <2600713279794431> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Mon Jan 30 22:10:43 2012 <2600713279794431> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Mon Jan 30 22:10:43 2012 <2600713279794431> Marking 192.168.1.200:7004 as bad
Mon Jan 30 22:10:43 2012 <2600713279794431> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp]: at line 3160
Mon Jan 30 22:10:43 2012 <2600713279794431> INFO: Closing SSL context
Mon Jan 30 22:10:43 2012 <2598413279794431>
================New Request: [GET /images/cab.gif HTTP/1.1] =================
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: SSL is configured
Mon Jan 30 22:10:43 2012 <2598413279794431> SSL Main Context not set. Calling InitSSL
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: SSL configured successfully
Mon Jan 30 22:10:43 2012 <2598413279794431> Using Uri /images/cab.gif
Mon Jan 30 22:10:43 2012 <2598413279794431> After trimming path: '/images/cab.gif'
Mon Jan 30 22:10:43 2012 <2598413279794431> adding prepend path: /xlWebApp/
Mon Jan 30 22:10:43 2012 <2598413279794431> The final request string is '/xlWebApp/images/cab.gif'
Mon Jan 30 22:10:43 2012 <2598413279794431> Host extracted from serverlist is [192.168.1.100]
Mon Jan 30 22:10:43 2012 <2598413279794431> Host extracted from serverlist is [192.168.1.200]
Mon Jan 30 22:10:43 2012 <2598413279794431> Initializing lastIndex=0 for a list of length=2
Mon Jan 30 22:10:43 2012 <2598413279794431> getListNode: created a new server node: id='192.168.1.100:7004,192.168.1.200:7004' server_name='OIMSERVER', port='443'
Mon Jan 30 22:10:43 2012 <2598413279794431> getPreferred: availcookie=[JSESSIONID=6RGCPnbTFRG7LBrTRpFnv1QLnQHkxkqr4pjGhhGJyrJWJ1rv86NK!-872106207!NONE]
Mon Jan 30 22:10:43 2012 <2598413279794431> Found cookie from cookie header: JSESSIONID=6RGCPnbTFRG7LBrTRpFnv1QLnQHkxkqr4pjGhhGJyrJWJ1rv86NK!-872106207!NONE
Mon Jan 30 22:10:43 2012 <2598413279794431> Parsing cookie JSESSIONID=6RGCPnbTFRG7LBrTRpFnv1QLnQHkxkqr4pjGhhGJyrJWJ1rv86NK!-872106207!NONE
Mon Jan 30 22:10:43 2012 <2598413279794431> getpreferredServersFromCookie: [-872106207!NONE]
Mon Jan 30 22:10:43 2012 <2598413279794431> primaryJVMID: [-872106207]
secondaryJVMID: [NONE]
Mon Jan 30 22:10:43 2012 <2598413279794431> No of JVMIDs found in cookie: 1
Mon Jan 30 22:10:43 2012 <2598413279794431> getPreferredFromCookie: Start Position is 0, listLen is 2
Mon Jan 30 22:10:43 2012 <2598413279794431> getPreferredFromCookie: Either JVMIDs not set or they are stale. Will try to get JVMIDs from WLS
Mon Jan 30 22:10:43 2012 <2598413279794431> initJVMID: Iterating SrvrList from position 0
Mon Jan 30 22:10:43 2012 <2598413279794431> ======internal request /bea_wls_internal/WLDummyInitJVMIDs======
initJVMID: Trying Host[192.168.1.100] Port[7004] SecurePort[7004] useSSL [1] ioTimeout [30] socketTimeout [2]
Mon Jan 30 22:10:43 2012 <2598413279794431> New SSL URL: match = 0 oid = 0
Mon Jan 30 22:10:43 2012 <2598413279794431> Connect returns -1, and error no set to 146, msg 'Connection refused'
Mon Jan 30 22:10:43 2012 <2598413279794431> Error connecting to host 192.168.1.100:7004
Mon Jan 30 22:10:43 2012 <2598413279794431> *******Exception type [CONNECTION_REFUSED] (Error connecting to host 192.168.1.100:7004 errno = 146) raised at line 1723 of ../nsapi/URL.cpp
Mon Jan 30 22:10:43 2012 <2598413279794431> initJVMID: Failed to retrieved JVMID for 192.168.1.100:7004:7004
Mon Jan 30 22:10:43 2012 <2598413279794431> initJVMID: Marked server as BAD
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: Closing SSL context
Mon Jan 30 22:10:43 2012 <2598413279794431> .....internal request /bea_wls_internal/WLDummyInitJVMIDs.....processed
Mon Jan 30 22:10:43 2012 <2598413279794431> ======internal request /bea_wls_internal/WLDummyInitJVMIDs======
initJVMID: Trying Host[192.168.1.200] Port[7004] SecurePort[7004] useSSL [1] ioTimeout [30] socketTimeout [2]
Mon Jan 30 22:10:43 2012 <2598413279794431> New SSL URL: match = 0 oid = 0
Mon Jan 30 22:10:43 2012 <2598413279794431> Connect returns -1, and error no set to 150, msg 'Operation now in progress'
Mon Jan 30 22:10:43 2012 <2598413279794431> EINPROGRESS in connect() - selecting
Mon Jan 30 22:10:43 2012 <2598413279794431> Setting peerID for new SSL connection
Mon Jan 30 22:10:43 2012 <2598413279794431> 0ae2 0436 0000 1b5c ...6...\
Mon Jan 30 22:10:43 2012 <2598413279794431> Local Port of the socket is 39188
Mon Jan 30 22:10:43 2012 <2598413279794431> Remote Host 192.168.1.200 Remote Port 7004
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: Certificate validation succeeded
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: Negotiated to cipher: 3
Mon Jan 30 22:10:43 2012 <2598413279794431> SSLWrite sent 171
Mon Jan 30 22:10:43 2012 <2598413279794431> SSLWrite completed, sent 171
Mon Jan 30 22:10:43 2012 <2598413279794431> Reader::fill() SSLRead returned: 0 290
Mon Jan 30 22:10:43 2012 <2598413279794431> URL::parseHeaders: CompleteStatusLine set to [HTTP/1.1 404 Not Found]
Mon Jan 30 22:10:43 2012 <2598413279794431> URL::parseHeaders: StatusLine set to [404 Not Found]
Mon Jan 30 22:10:43 2012 <2598413279794431> parsed all headers OK
Mon Jan 30 22:10:43 2012 <2598413279794431> Parsing cluster list: -872106207!182584374!7002!7004
Mon Jan 30 22:10:43 2012 <2598413279794431> parseJVMID: Parsing JVMID '-872106207!182584374!7002!7004'
Mon Jan 30 22:10:43 2012 <2598413279794431> parseJVMID: Actually parsing '-872106207!182584374!7002!7004'
Mon Jan 30 22:10:43 2012 <2598413279794431> ServerInfo struct for JVMID '-872106207' populated
Server Details are:
OrigHostInfo [192.168.1.200]
isOrigHostInfoDNS [0]
Host [192.168.1.200]
Port [7002]
SecurePort [7004]
Mon Jan 30 22:10:43 2012 <2598413279794431> Initializing lastIndex=0 for a list of length=1
Mon Jan 30 22:10:43 2012 <2598413279794431> initJVMID: Trying to locate Primary or Secondary using SrvrInfo with JVMID [-872106207]
Mon Jan 30 22:10:43 2012 <2598413279794431> initJVMID: Found Primary 192.168.1.200:7002:7004
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: Closing SSL context
Mon Jan 30 22:10:43 2012 <2598413279794431> .....internal request /bea_wls_internal/WLDummyInitJVMIDs.....processed
Mon Jan 30 22:10:43 2012 <2598413279794431> getPreferredFromCookie: Found 1 servers
Mon Jan 30 22:10:43 2012 <2598413279794431> attempt #0 out of a max of 5
Mon Jan 30 22:10:43 2012 <2598413279794431> trying connect to PRIMARY '192.168.1.200'/7002/7004
Mon Jan 30 22:10:43 2012 <2598413279794431> getPooledConn: No more connections in the pool for Host[192.168.1.200] Port[7002] SecurePort[7004]
Mon Jan 30 22:10:43 2012 <2598413279794431> New SSL URL: match = 0 oid = 22
Mon Jan 30 22:10:43 2012 <2598413279794431> Connect returns -1, and error no set to 150, msg 'Operation now in progress'
Mon Jan 30 22:10:43 2012 <2598413279794431> EINPROGRESS in connect() - selecting
Mon Jan 30 22:10:43 2012 <2598413279794431> Setting peerID for new SSL connection
Mon Jan 30 22:10:43 2012 <2598413279794431> 0ae2 0436 0000 1b5c ...6...\
Mon Jan 30 22:10:43 2012 <2598413279794431> Local Port of the socket is 39189
Mon Jan 30 22:10:43 2012 <2598413279794431> Remote Host 192.168.1.200 Remote Port 7004
Mon Jan 30 22:10:43 2012 <2598413279794431> created a new connection to preferred server '192.168.1.200/7004' for '/xlWebApp/images/cab.gif', Local port:39189
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: CA certificate missing basicConstraints, validation failed
Mon Jan 30 22:10:43 2012 <2598413279794431> ERROR: SSLWrite failed
Mon Jan 30 22:10:43 2012 <2598413279794431> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Mon Jan 30 22:10:43 2012 <2598413279794431> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Mon Jan 30 22:10:43 2012 <2598413279794431> Marking 192.168.1.200:7004 as bad
Mon Jan 30 22:10:43 2012 <2598413279794431> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../nsapi/URL.cpp]: at line 3160
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: Closing SSL context
Thanks
"One of the tests is to lose one of the nodes for the apache plugin redirects the node that has less overhead."
Note that the plug-in does a round robin load balancing, for example, in the case of three servers (1,2,3) it does 1-2-3-1-2-3-1...
with server 3 going down it does 1-2-1-2-1...
An example configuration (with SSL off) looks as follows:
LoadModule weblogic_module "/home/oracle/weblogic12.1.1/apache/modules/mod_wl.so"
<IfModule weblogic_module>
ConnectTimeoutSecs 10
ConnectRetrySecs 2
DebugConfigInfo ON
WLSocketTimeoutSecs 2
WLIOTimeoutSecs 300
Idempotent ON
FileCaching ON
KeepAliveSecs 20
KeepAliveEnabled ON
DynamicServerList ON
WLProxySSL OFF
</IfModule>
<Location /LoadTest6>
SetHandler weblogic-handler
WebLogicCluster 172.31.0.175:7002,172.31.0.113:7003
</Location>
Also see the complete example here: http://middlewaremagic.com/weblogic/?p=7795
"the plugin sometimes redirects to the other active node"
This is somewhat strange, do you have session binding turned off?
"and on another occasion shows the oracle management console identity manager without the colors of the basic look and feel."
This could happen due to mime types (not really sure just a hunch). Here is a general story on this concept: https://developer.mozilla.org/en/Properly_Configuring_Server_MIME_Types
and the apache module: http://httpd.apache.org/docs/2.2/mod/mod_mime.html -
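A triage sketch for the plug-in debug log posted in this thread, added here as an example and not part of the original posts or of any Oracle tooling: it groups records by the request id in angle brackets and reports every backend the plug-in marked bad together with the reason logged just before. The sample lines are excerpted from that log; all function names are this example's own.

```python
import re
from collections import defaultdict

# Lines excerpted from the plug-in debug log posted above (second request),
# including one record that is wrapped onto a second line as in the post.
SAMPLE_LOG = """\
Mon Jan 30 22:10:43 2012 <2598413279794431>
================New Request: [GET /images/cab.gif HTTP/1.1] =================
Mon Jan 30 22:10:43 2012 <2598413279794431> Connect returns -1, and error no set to 146, msg 'Connection refused'
Mon Jan 30 22:10:43 2012 <2598413279794431> Error connecting to host 192.168.1.100:7004
Mon Jan 30 22:10:43 2012 <2598413279794431> *******Exception type [CONNECTION_REFUSED] (Error connecting to host 192.168.1.100:7004 errno = 146) raised at line 1723 of ../nsapi/URL.cpp
Mon Jan 30 22:10:43 2012 <2598413279794431> initJVMID: Marked server as BAD
Mon Jan 30 22:10:43 2012 <2598413279794431> Connect returns -1, and error no set to 150, msg 'Operation now in progress'
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: Certificate validation succeeded
Mon Jan 30 22:10:43 2012 <2598413279794431> created a new connection to preferred server '192.168.1.200/7004' for '/xlWebApp/images/cab.gif', Local port:39189
Mon Jan 30 22:10:43 2012 <2598413279794431> INFO: CA certificate missing basicConstraints, validation failed
Mon Jan 30 22:10:43 2012 <2598413279794431> ERROR: SSLWrite failed
Mon Jan 30 22:10:43 2012 <2598413279794431> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Mon Jan 30 22:10:43 2012 <2598413279794431> Marking 192.168.1.200:7004 as bad
"""

PREFIX = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} <(\d+)>\s*(.*)$")
NEW_REQ = re.compile(r"New Request: \[\S+ (\S+)")
CAUSE = re.compile(r"msg '(Connection refused)'|INFO: (.+validation failed)")
CONN_ERR = re.compile(r"Error connecting to host (\S+:\d+)")
EXC = re.compile(r"Exception type \[(\w+)\]")
MARKED = re.compile(r"Marking (\S+:\d+) as bad|Marked server as BAD")


def records(text):
    """Yield (request_id, message); a line without the timestamp/id prefix
    is treated as the continuation of the previous record."""
    rid, msg = None, ""
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if m:
            if rid is not None:
                yield rid, msg
            rid, msg = m.group(1), m.group(2)
        elif rid is not None and raw.strip():
            msg = (msg + " " + raw.strip()).strip()
    if rid is not None:
        yield rid, msg


def triage(text):
    """Return one finding per backend marked bad, with the cause and the
    exception type logged for the same request just before the marking."""
    state = defaultdict(dict)
    findings = []
    for rid, msg in records(text):
        s = state[rid]
        m = NEW_REQ.search(msg)
        if m:
            s.clear()
            s["uri"] = m.group(1)
        m = CAUSE.search(msg)
        if m:
            s["cause"] = m.group(1) or m.group(2)
        m = CONN_ERR.search(msg)
        if m:
            s["host"] = m.group(1)
        m = EXC.search(msg)
        if m:
            s["exception"] = m.group(1)
        m = MARKED.search(msg)
        if m:
            findings.append({
                "request": rid,
                "uri": s.get("uri"),
                # "Marked server as BAD" carries no address; use the last
                # host named in a connection error for this request.
                "backend": m.group(1) or s.get("host"),
                "cause": s.pop("cause", None),
                "exception": s.pop("exception", None),
            })
            s.pop("host", None)
    return findings


def summary(findings):
    """Map each bad backend to the last cause recorded for it."""
    return {f["backend"]: f["cause"] for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["backend"], "|", f["exception"], "|", f["cause"], "|", f["uri"])
```

On the excerpt it separates the two failure classes in the log: one node refused the TCP connection, while the other accepted it and was then marked bad after the plug-in's certificate validation failed.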
How to get the Server Certificate Chain File?
Hi all,
I configured SSL for WebLogic 6.0 on a Win2k machine. I followed the WebLogic documentation:
Generate a private key file, then submit it to Verisign and get the certificate file.
Because I have only one WebLogic server, I cleared the "Server Certificate Chain File" field.
But I get an error message after rebooting WebLogic. Following is the error message:
<2001-1-21 04:57:56 pm> <Alert> <WebLogicServer> <Inconsistent security configuration, java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found>
java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found
at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromLocalFile(SSLListenThread.java:152)
at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromAdminServer(SSLListenThread.java:180)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:425)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
at weblogic.Server.main(Server.java:35)
My question is: Should I input the rootCA certificate into the Server Certificate Chain File field? If yes, where can I get the rootCA certificate file?
Thanks
[sorry, deleted irrelevant wrong answer]
-
Problem in installation of free SSL certificate on Weblogic using keytool
We tried to install SSL certificate on weblogic certificate using Keystore ..but it is giving error in console at startup and server shutdowns automatically...
Steps followed:-
1) To generate keystore and private key and digital certificate:-
keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
2) To generate CSR
keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
3) CSR is uploaded on verisign site to generate free ssl certificate. All certificate text received is pasted into file (cacert.pem)
4) Same certificate is put into same keystore using following command
keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
(intermediateCa.cer file is downloaded from verisign site)
keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
6) After this configuration we used weblogic admin module to configure Keystore and SSL.
7) For KeyStore tab in weblogic admin module, we have selected option Custom Identity And Custom Trust and provided following details under Identity and Trust columns:-
Private key alias: mykey2
PassKeyphrase: webconkeystorepassword
Location of keystore: location of webconkeystore.jks file on server
8) For SSL tab in weblogic admin module, we have selected option KeyStores for Identity and Trust locations.
Error on console:
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
<Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
If anyone knows the solution, please help us out. Thanks in advance.
I was really happy to get a reply yesterday from "mv". I was not expecting such an instant response. Thanks all guys for your interest and support.
I have solved this issue.
We have weblogic 9 on unix env.
Following steps which I followed:
#generate private key
keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
#generate csr
keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
Then we uploaded this csr on verisigns free ssl certificate to generate and receive certificate text.
We copied that text into the "cert4nov2009.crt" file used below.
Apart from that, the mail which we received from verisign also contains links to download root ca certificate and intermediate ca certificate. We downloaded them.
root ca in "root4nov2009.cer" file.
intermediate ca in "intermediateca4nov2009.cer"
both these files used in
#import root certificate
keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
#import intermediate ca certificate
keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
#install free ssl certificate
keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
#after this admin configuration
In weblogic admin console module, we did following settings:-
1. under Configuration tab
a. Under KeyStore tab
For keystore , we selected "Custom identity and Custom Trust"
Under Identity,
Custom Identity Keystore:location of keystore "webconkeystore" on weblogic server
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: password for keystore mentioned above. In our case, webconkeystorepassword
Same we copied Under "Trust", as we have not created separate keystore for trust.
Save setting.
b. Under SSL tab
Identity and Trust Locations: select "Keystores"
Private Key Alias: alias used while creating private key, i.e. in our case "uinbrdcsap01_apac_nsroot_net"
Save setting.
c. Under General tab
Check checkbox "SSL Listen Port Enabled"
and mention ssl port "SSL Listen Port"
Save setting.
After this activate changes. You might see error on admin module.
Using command prompt, stop the server and again restart and then try to access using https and port ...
you will definitely get output...
in our case issue might be due to key size.. we used 1024 key size.. it solved the problem.
for your further reference please find link below.. it is also helpful.
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674 -
Hi!
Is it possible to use self-signed certificates in Weblogic 6.0 ?
How can my company become a CA, and what's the cost ?
Thanks in advance.
Johnny Kee
Configuring Commercial certificates on weblogic server
http://weblogictips.wordpress.com/2008/07/27/configuring-commercial-certificates-on-weblogic-server/
How to debug SSL issues with weblogic server
http://weblogictips.wordpress.com/2010/05/11/how-to-debug-ssl-issues-with-weblogic-server/
Steps to create self sign certificates for weblogic server
http://weblogictips.wordpress.com/2008/07/27/steps-to-create-self-sign-certificates-for-weblogic-server/
thanks,
sandeep -
Certificate to weblogic-user mapping using CertAuthenticator
In SSL scenario I have a two way authentication setup and working.
Now I wanted to use an auto Certificate to weblogic user mapping.
I tried using the SimpleCertAuthenticator (part of examples), and
setup the required properties in weblogic.properties.
SimpleCertAuthenticator is not getting called by the server.
(I put debug statements in SimpleCertAuthenticator.java which are
not being reached).
can somebody who had it successfully running help.
thank you,
escher.
escher,
When connecting from a browser a similar problem arises which can be solved by a patch to sp6. Soon sp7 will fix it, but at the moment sp7 solves that problem but causes another.
I'm confident that the same fix will fix calls from a java client, and thus the example, but I haven't checked yet. If it doesn't I'll let you know.
"escher" <[email protected]> wrote:
>
In SSL scenario I have a two way authentication setup and working.
Now I wanted to use an auto Certificate to weblogic user mapping.
I tried using the SimpleCertAuthenticator (part of examples), and
setup the required properties in weblogic.properties.
SimpleCertAuthenticator is not getting called by the server.
(I put debug statements in SimpleCertAuthenticator.java which are
not being reached).
can somebody who had it successfully running help.
thank you,
escher. -
While trying to establish a SSL Link to a URL Connection, I got an IO
Exception "Server Certificate subjectDN CommonName received does not match
Server hostname" on the destConn.getOutputStream().
What does this mean? And how do I fix it?
System.setProperty("https.proxyHost", "xxxx");
System.setProperty("https.proxyPort", "0000");
System.setProperty("java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
URL destURL = new URL("URLaddress");
URLConnection destConn = destURL.openConnection();
((java.net.HttpURLConnection)destConn).setRequestMethod("POST");
destConn.setDoInput(true);
destConn.setDoOutput(true);
URLin = new PrintWriter( new BufferedWriter(
new OutputStreamWriter(destConn.getOutputStream())));
Hi,
I was wondering if there was a solution for this. I am using the certificates and
keys that came with the installation of 6.1. Do I have to regenerate them in order
to use them in weblogic. I am getting this same error when I try to run the SSLClient
class in the examples.security.sslclient.
Jerry <[email protected]> wrote:
Hi Terry,
The server-side certificate has a DN (distinguished name) embedded in it.
This usually looks like a full hostname -- something like www.mycomputer.com
When you make the request
URL destURL = new URL("URLaddress");
The string for "URLaddress" should match the DN of the certificate on the
server that you are requesting a connection to. It needs to match because
there is a compare of the DN in the cert, to the requested host.
In other words, if you are connecting to www.mycomputer.com, then the server
running on www.mycomputer.com should have a certificate with the DN
www.mycomputer.com
Then, when the match of the certificate DN to the requested host is done, it will succeed.
Right now, this match appears to be failing for you.
Cheers
Joe Jerry
Terry Treadwell wrote:
While trying to establish a SSL Link to a URL Connection, I got an IO
Exception "Server Certificate subjectDN CommonName received does not match
Server hostname" on the destConn.getOutputStream().
What does this mean? And how do I fix it?
System.setProperty("https.proxyHost", "xxxx");
System.setProperty("https.proxyPort", "0000");
System.setProperty("java.protocol.handler.pkgs",
"com.sun.net.ssl.internal.www.protocol");
URL destURL = new URL("URLaddress");
URLConnection destConn = destURL.openConnection();
((java.net.HttpURLConnection)destConn).setRequestMethod("POST");
destConn.setDoInput(true);
destConn.setDoOutput(true);
URLin = new PrintWriter( new BufferedWriter(
new OutputStreamWriter(destConn.getOutputStream())));
-
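A sketch of the comparison described in the hostname-mismatch thread above (certificate subject CommonName against the host in the requested URL), added here as an example; it is not WebLogic's implementation and not code from any poster. The subject DNs are constructed sample values, the function names are this example's own, and the optional wildcard rule goes beyond what the thread discusses.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subject DN for the host name used in the reply above.
SAMPLE_DN = "CN=www.mycomputer.com, OU=Example Unit, O=Example Corp, C=US"


def subject_cn(dn):
    """Return the CommonName value from a subject DN string, or None."""
    # Split on commas that are not backslash-escaped inside a value.
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return None


def is_ip(text):
    """True when text is an IPv4 or IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def name_matches(pattern, host, allow_wildcard=False):
    """Case-insensitive comparison of a certificate name with a host name.

    With allow_wildcard, '*' is accepted only as the whole left-most label
    and stands for exactly one label (generalisation, off by default).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if allow_wildcard and pattern.startswith("*."):
        parent = pattern[2:]
        first, _, rest = host.partition(".")
        return bool(first) and "." in parent and rest == parent
    return False


def check(url, subject_dn, allow_wildcard=False):
    """Return (ok, code) for connecting to url given the server's subject DN.

    Codes: ok, no-host, no-cn, ip-vs-name, short-name, mismatch.
    """
    host = urlsplit(url).hostname
    if not host:
        return False, "no-host"
    cn = subject_cn(subject_dn)
    if cn is None:
        return False, "no-cn"
    if name_matches(cn, host, allow_wildcard):
        return True, "ok"
    if is_ip(host) and not is_ip(cn):
        # URL was written with an address, certificate names a host.
        return False, "ip-vs-name"
    if "." not in host and cn.lower().startswith(host + "."):
        # URL used the unqualified name, certificate has the FQDN.
        return False, "short-name"
    return False, "mismatch"


if __name__ == "__main__":
    for url in ("https://www.mycomputer.com:7002/app",
                "https://192.168.1.200:7002/app",
                "https://www:7002/app",
                "https://localhost:7002/app"):
        print(url, check(url, SAMPLE_DN))
```

Current TLS clients compare the host against the certificate's subjectAltName entries first; this example covers only the CommonName comparison named in the error message.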
SSL VPN Failed to validate server certificate (cannot access https)
Hi all,
I have the next problem.
I've configured an SSL VPN on a UC520.
I can access it properly and I can see the labels, but I can only access urls which are http, not https:
I can access the default ip of the uc520 (192.168.1.10) but
When I try to get access to a secure url I get the msg: Failed to validate server certificate
I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
Does the certificate of both hardware have to be the same?
How can I add a https?
Here is the config of the router:
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 192.168.1.254 port 443
ssl trustpoint TP-self-signed-2977472073
inservice
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
url-list "Intranet"
heading "Corporate Intranet"
url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
url-text "Impresora" url-value "http://192.168.10.100"
url-text "DMM" url-value "https://pc.sumkio.local:8443"
url-text "DMM 1" url-value "http://192.168.10.10:8080"
url-text "UC520" url-value "http://192.168.10.1"
policy group SDM_WEBVPN_POLICY_1
url-list "Intranet"
mask-urls
svc dns-server primary 192.168.10.250
svc dns-server secondary 8.8.8.8
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
max-users 10
inservice
Any help would be appreciated.
Thank you
Hi, thanks for your advice.
I'm trying to copy the certificate via cut and paste, but I'm getting a
% Error in saving certificate: status = FAIL
I don't know if I'm doing this right.
I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
I get a file which if I open with notepad is like
-----BEGIN CERTIFICATE-----
MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
-----END CERTIFICATE-----
If I try to authenticate the trustpoint, I get that error.
how can I export the certificate from the DMM?
I think that this file is not the right file.
and then, do I have to make some changes in
webvpn gateway SDM_WEBVPN_GATEWAY_1?
Should I choose the new trustpoint?
I understand that the old trustpoint is for the outside connection, not for the LAN connection.
Don't worry about me, answer when you can but I really need to fix this.
Thank you so much -
AnyConnect 3.1 - removing Security Warning: Untrusted VPN Server Certificate!
Hi guys,
Is there a way to disable the warning generated from using self signed certs?
I would like to make the process as seamless as possible.
AnyConnect 3.1
ASA 8.4(2)
Thanks.
Hi,
We had problem with the above error message with our certificate when we moved to AnyConnect 3.1
We were instructed to request a new one
Also here is the link to Cisco site we were provided that explains the changes in 3.1
IPSec and SSL connections require server certificates to contain Key Usage attributes of Digital Signature and Key Encipherment, as well as an Enhanced Key Usage attribute of Server Authentication or IKE Intermediate. Note that IPSec server certificates not containing a Key Usage are considered invalid for all Key Usages, and similarly an IPSec server certificate not containing an Enhanced Key Usage is considered invalid for all Enhanced Key Usages.
Link to document
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936
Sadly I don't dabble with certificates myself so I'm not really familiar with this.
- Jouni -
How to add a certificate to IIS global "Server Certificates" list using PowerShell?
Hi, been surfing the web for an example on how to add a certificate to the "global" IIS "Server Certificates" list using PowerShell but to no luck. I already have code in place on how to tie / associate a specific website with a specific cert but not how to add the new .cer file using the "Complete Certificate Request..." wizard using PowerShell.... I don't expect the final code to become published but if someone had an idea on how to integrate / get an entry point on where to interact between the "Server Certificate" list in IIS and POSH I would be super happy! :|
I am running IIS on a Windows 2008R2 x64 Standard Edition if that helps..... of course, I would settle for a CLI if there is no other way, but POSH is of course the way to go! :)
Thanks for the help in advance guys, take care!
br4tt3
Hi and thanks for the suggestions!
Although it comes close, the suggested code example points on how to import / incorporate .pfx files - I am getting fed by .cer files which I need to add into the IIS console using POSH.
I tried to explore the IIS.CertObj object but was not able to work out if this one could be used for importing / adding .cer files into IIS! However, launching the following command from a POSH console with Import-Module Webadministration already loaded into that shell:
$certMgr = New-Object -ComObject IIS.CertObj
returns the following error message:
New-Object : Cannot load COM type IIS.CertObj
From an IIS perspective I have the following components installed;
[X] Web Server (IIS) Web-Server
[X] Web Server Web-WebServer
[ ] Common HTTP Features Web-Common-Http
[ ] Static Content Web-Static-Content
[ ] Default Document Web-Default-Doc
[ ] Directory Browsing Web-Dir-Browsing
[ ] HTTP Errors Web-Http-Errors
[ ] HTTP Redirection Web-Http-Redirect
[ ] WebDAV Publishing Web-DAV-Publishing
[X] Application Development Web-App-Dev
[ ] ASP.NET Web-Asp-Net
[X] .NET Extensibility Web-Net-Ext
[ ] ASP Web-ASP
[ ] CGI Web-CGI
[ ] ISAPI Extensions Web-ISAPI-Ext
[ ] ISAPI Filters Web-ISAPI-Filter
[ ] Server Side Includes Web-Includes
[ ] Health and Diagnostics Web-Health
[ ] HTTP Logging Web-Http-Logging
[ ] Logging Tools Web-Log-Libraries
[ ] Request Monitor Web-Request-Monitor
[ ] Tracing Web-Http-Tracing
[ ] Custom Logging Web-Custom-Logging
[ ] ODBC Logging Web-ODBC-Logging
[X] Security Web-Security
[ ] Basic Authentication Web-Basic-Auth
[ ] Windows Authentication Web-Windows-Auth
[ ] Digest Authentication Web-Digest-Auth
[ ] Client Certificate Mapping Authentic... Web-Client-Auth
[ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth
[ ] URL Authorization Web-Url-Auth
[X] Request Filtering Web-Filtering
[ ] IP and Domain Restrictions Web-IP-Security
[ ] Performance Web-Performance
[ ] Static Content Compression Web-Stat-Compression
[ ] Dynamic Content Compression Web-Dyn-Compression
[X] Management Tools Web-Mgmt-Tools
[X] IIS Management Console Web-Mgmt-Console
[X] IIS Management Scripts and Tools Web-Scripting-Tools
[ ] Management Service Web-Mgmt-Service
[ ] IIS 6 Management Compatibility Web-Mgmt-Compat
[ ] IIS 6 Metabase Compatibility Web-Metabase
[ ] IIS 6 WMI Compatibility Web-WMI
[ ] IIS 6 Scripting Tools Web-Lgcy-Scripting
[ ] IIS 6 Management Console Web-Lgcy-Mgmt-Console
[X] FTP Server Web-Ftp-Server
[X] FTP Service Web-Ftp-Service
[X] FTP Extensibility Web-Ftp-Ext
[ ] IIS Hostable Web Core Web-WHC
More or less the one thing that I am trying to get up and running is an automated FTPS solution - I just use the IIS console to be able to troubleshoot / compare how things scripted from POSH interact in the MMC representation. The error I am getting might be that I am lacking some IIS components to be in place to be able to automate some parts of the IIS - as suggested by the IIS.CertObj object listed in the example..... I will get back if I can track down which component needs to be added to be able to reference the IIS.CertObj object.
Br4tt3 signing out...
br4tt3 -
How can I make Firefox trust a Server Certificate by Default?
I'm trying to distribute Firefox via Empirum. All settings are made using the CCK-Wizard Addon.
When I import our Certificates in CCK-Wizard, I can make trust-settings for CA's, but not for Server Certificates, and so the SC isn't trusted by default.
Is there any way to make the trust Settings for SC's in the install package, maybe through an option in about:config (didn't find any, but maybe somebody knows more than google :P )?
I tried to do it like PRF_1 suggested here https://support.mozilla.org/de/questions/687296#answer-112220 but in the last step I got an Error 1: C compiler cannot create executables.
Regards,
Bowser
Hello,
Try Firefox Safe Mode to see if the problem goes away. Safe Mode is a troubleshooting mode, which disables most add-ons.
(If you're not using it, switch to the Default theme.)
* On Windows you can open Firefox 4.0+ in Safe Mode by holding the Shift key when you open the Firefox desktop or Start menu shortcut.
* On Mac you can open Firefox 4.0+ in Safe Mode by holding the option key while starting Firefox.
* On Linux you can open Firefox 4.0+ in Safe Mode by quitting Firefox and then going to your Terminal and running: firefox -safe-mode (you may need to specify the Firefox installation path e.g. /usr/lib/firefox)
* Or open the Help menu and click on the "Restart with Add-ons Disabled..." menu item while Firefox is running.
Once you get the pop-up, just select "Start in Safe Mode".
If the issue is not present in Firefox Safe Mode, your problem is probably caused by an extension, and you need to figure out which one. Please follow the "Troubleshooting extensions and themes" article for that.
To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox for normal use again.
When you figure out what's causing your issues, please let us know. It might help other users who have the same problem.
Thank you. -
Error: Untrusted Server Certificate
When I click on Query Interfaces (IPS Manager: Configuration > Settings > Interfaces) I get the following error:
An error occurred trying to get the interface information. An error occurred while trying to determine the sensor version. Detail = Error occurred while communicating with 172.17.xx.xx: java.security.cert.CertificateException: Untrusted Server Certificate Chain
Any suggestion?
Thank you,
That is a pretty strange message. Have you had a chance to reach out to Windows Live?
TamaraH_VZW
Follow us on Twitter @VZWSupport -
Untrusted Server Certificate Chain error
I am trying to use a certificate (digital signature) on the client, when accessing a Webservice. This fails with the following error:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
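My code is:
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Class name added so the posted snippet compiles
public class LookupClient {
    public static void main(String[] args) throws Exception {
        KeyStore ks = null;
        String strURL = "https://myserver.com/myurl/lookup.asmx";
        SSLSocketFactory sslSocketFactory = null;
        // Legacy JSSE registration, only needed on pre-1.4 JDKs
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        // Load certificate dynamically
        // Protocol name as posted; current JREs disable SSLv3 by default
        SSLContext sslContext = SSLContext.getInstance("SSLv3");
        TrustManagerFactory trustMgtFactory = TrustManagerFactory.getInstance("SunX509");
        CertificateFactory cert = CertificateFactory.getInstance("X.509");
        FileInputStream lo_fileinputstream = null;
        lo_fileinputstream = new FileInputStream("c:\\temp\\digital.cer");
        X509Certificate servercacert = (X509Certificate) cert.generateCertificate(lo_fileinputstream);
        lo_fileinputstream.close();
        String s1 = servercacert.getSerialNumber().toString();
        if (ks == null) {
            ks = KeyStore.getInstance("JKS");
            ks.load(null, null);
        }
        // The trust store holds only this one certificate, so the handshake
        // fails unless the server's chain leads to it
        ks.setCertificateEntry(s1, servercacert);
        trustMgtFactory.init(ks);
        sslContext.init(null, trustMgtFactory.getTrustManagers(), null);
        sslSocketFactory = sslContext.getSocketFactory();
        HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
        // Call webservice
        URL cascadeURL = new URL(strURL);
        HttpsURLConnection conn = (HttpsURLConnection) cascadeURL.openConnection();
        String inputline = null;
        if (conn instanceof HttpsURLConnection) {
            conn.connect();
            BufferedReader in = new BufferedReader(
                new InputStreamReader(
                    conn.getInputStream()));
            while ((inputline = in.readLine()) != null) {
                System.out.println(inputline);
            }
            in.close();
        }
    }
}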
Please help - I am on a very tight deadline (as usual).
Found the problem. I simply needed to add another certificate.