SOAP over SSL

Similar Messages

• Anyone able to run SOAP over SSL with Weblogic 5.1 and without purchasing third party tools???  If so, how???

  Anyone able to run SOAP over SSL with Weblogic 5.1??? If so, how??? And
  without purchasing third party tools??? Thanks.
  -Freddie

  Anyone able to run SOAP over SSL with Weblogic 5.1??? If so, how??? And
  without purchasing third party tools??? Thanks.
  -Freddie

• Java.lang.ArrayIndexOutOfBoundsException when using SOAP over SSL

  Looks like a strange thing. I am using MS SOAP Toolkit 2.0 sp2 to make SOAP calls
  to Weblogic (Win2000, 6.1) over SSL. On Weblogic I have an RPC service (EJB).
  I'm getting
  <Mar 26, 2002 9:14:56 PM EST> <Error> <HTTP> <Connection failure
  java.lang.ArrayIndexOutOfBoundsException
  at weblogic.security.SSL.GenericCipher.input(GenericCipher.java:216)
  at weblogic.security.SSL.SSLCiphertext.input(SSLCiphertext.java:65)
  at weblogic.security.SSL.SSLSocket.getRecord(SSLSocket.java:1030)
  at weblogic.security.SSL.RecordInputStream.getData(RecordInputStream.java:109)
  at weblogic.security.SSL.RecordInputStream.read(RecordInputStream.java:51)
  at weblogic.socket.SSLFilter.isMessageComplete(SSLFilter.java:182)
  at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:605)
  at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:24)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  But what's interesting, it's actually working. I am getting data as expected.
  Any idea what it could be?
  Thanks,
  Serge

  Looks like a strange thing. I am using MS SOAP Toolkit 2.0 sp2 to make SOAP calls
  to Weblogic (Win2000, 6.1) over SSL. On Weblogic I have an RPC service (EJB).
  I'm getting
  <Mar 26, 2002 9:14:56 PM EST> <Error> <HTTP> <Connection failure
  java.lang.ArrayIndexOutOfBoundsException
  at weblogic.security.SSL.GenericCipher.input(GenericCipher.java:216)
  at weblogic.security.SSL.SSLCiphertext.input(SSLCiphertext.java:65)
  at weblogic.security.SSL.SSLSocket.getRecord(SSLSocket.java:1030)
  at weblogic.security.SSL.RecordInputStream.getData(RecordInputStream.java:109)
  at weblogic.security.SSL.RecordInputStream.read(RecordInputStream.java:51)
  at weblogic.socket.SSLFilter.isMessageComplete(SSLFilter.java:182)
  at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:605)
  at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:24)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
  But what's interesting, it's actually working. I am getting data as expected.
  Any idea what it could be?
  Thanks,
  Serge

• Soap over ssl in wls 7.0

  Hi,
  I'm trying to use mutual authentication for the soap client in wls7.0. weblogic.webservice.client.WLSSLAdapter
  works fine for me as long as I don't require 2 way authentication.
  I get java.lang.ClassCastException: [Ljava.security.cert.X509Certificate when
  try to pass client certificate. It seems that WLSSLAdapter accepts javax...X509Certificate
  and server wants java...X509Certificate. Is it a bug in wls7.0?
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         

  I don't think this is a bug. WLS7.0 supports javax.....X509 certs.
  Checkout http://e-docs.bea.com/wls/docs70/security/cli_apps.html#1113310
  The following attributes are supported in WebLogic Server servlets:
  javax.servlet.request.X509Certificate
  java.security.cert.X509Certificate []—returns an array of the X509Certificate.
  Vimala Ranganathan
  Alex wrote:
  Hi,
  I'm trying to use mutual authentication for the soap client in wls7.0. weblogic.webservice.client.WLSSLAdapter
  works fine for me as long as I don't require 2 way authentication.
  I get java.lang.ClassCastException: [Ljava.security.cert.X509Certificate when
  try to pass client certificate. It seems that WLSSLAdapter accepts javax...X509Certificate
  and server wants java...X509Certificate. Is it a bug in wls7.0?

• ORA-29266: end-of-body reached - using SOAP_API over SSL

  Hey guys. I have a simple SOAP_API I am using to send SOAP over SSL. It seems to connect fine but give off some shaky results. This is the error I keep getting:
  ERROR at line 1:
  ORA-29266: end-of-body reached
  ORA-06512: at "SYS.UTL_HTTP", line 1321
  ORA-06512: at "LOANADMIN.SOAP_API", line 229
  ORA-06512: at "LOANADMIN.GET_CITY_FROM_ZIPCODE", line 29
  ORA-06512: at line 2
  it seems to mainly happen on these two peices of code:
  UTL_HTTP.write_text(l_http_request, l_envelope);
  UTL_HTTP.read_text(l_http_response, l_envelope);
  Sometimes the first and sometimes the latter. I know my XML is well formed, and im thinking the response is to big for the variable (im thinking the response could be larger than 32k. not sure though).
  I've searched all over this forum, but it seems like the people who have solutions to this particular problem found it on meta-link. I dont have a meta-link account. Could someone please simply explain the solution and problem im running into?
  That would help a lot. Thanks.
  Mo

  I'm having the same problem, and it is inside the SOAP_API package from http://www.oracle-base.com/dba/miscellaneous/soap_api.sql :
  ORA-29266: end-of-body reached
  ORA-06512: at "SYS.UTL_HTTP", line 1330
  ORA-06512: at "NAPS.SOAP_API", line 119
  I understand the responses given:
  EXCEPTION WHEN UTL_HTTP.end_of_body THEN
  utl_http.end_response(resp);
  END;
  and the suggestion to use UTL_HTTP.read_line instead of UTL_HTTP.read_text, but would like some assistance in modifying the procedure to ensure I get the full response returned.
  The procedure with the error is:
  FUNCTION invoke(p_request IN OUT NOCOPY t_request,
  p_url IN VARCHAR2,
  p_action IN VARCHAR2)
  RETURN t_response AS
  l_envelope VARCHAR2(32767);
  l_http_request UTL_HTTP.req;
  l_http_response UTL_HTTP.resp;
  l_response t_response;
  BEGIN
  generate_envelope(p_request, l_envelope);
  show_envelope(l_envelope);
  l_http_request := UTL_HTTP.begin_request(p_url, 'POST','HTTP/1.1');
  UTL_HTTP.set_header(l_http_request, 'Content-Type', 'text/xml');
  UTL_HTTP.set_header(l_http_request, 'Content-Length', LENGTH(l_envelope));
  UTL_HTTP.set_header(l_http_request, 'SOAPAction', p_action);
  UTL_HTTP.write_text(l_http_request, l_envelope);
  l_http_response := UTL_HTTP.get_response(l_http_request);
  UTL_HTTP.read_text(l_http_response, l_envelope);
  UTL_HTTP.end_response(l_http_response);
  l_response.doc := XMLTYPE.createxml(l_envelope);
  l_response.envelope_tag := p_request.envelope_tag;
  l_response.doc := l_response.doc.extract('/'||l_response.envelope_tag||':Envelope/'||l_response.envelope_tag||':Body/child::node()',
  'xmlns:'||l_response.envelope_tag||'="http://schemas.xmlsoap.org/soap/envelope/"');
  -- show_envelope(l_response.doc.getstringval());
  check_fault(l_response);
  RETURN l_response;
  END;
  I have tested the exact call I am making using 'soapUI 2.5.1' so I can compare results to ensure I get the code right, and I am expecting a response of 1755 bytes (well short of the 32767 that is said to cause this error).
  My call is not over SSL, the call I am trying to make is:
  <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:abr="http://abr.business.gov.au/ABRXMLSearchRPC/">
  <soapenv:Header/>
  <soapenv:Body>
  <abr:ABRSearchByABN soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <searchString xsi:type="xsd:string">11006489103</searchString>
  <includeHistoricalDetails xsi:type="xsd:string">N</includeHistoricalDetails>
  <authenticationGuid xsi:type="xsd:string">?</authenticationGuid>
  </abr:ABRSearchByABN>
  </soapenv:Body>
  </soapenv:Envelope>
  The calling code is:
  DECLARE
  l_request soap_api.t_request;
  l_response soap_api.t_response;
  l_return VARCHAR2(32767);
  l_url VARCHAR2(32767);
  l_namespace VARCHAR2(32767);
  l_method VARCHAR2(32767);
  l_soap_action VARCHAR2(32767);
  l_result_name VARCHAR2(32767);
  BEGIN
  l_url := 'http://abr.business.gov.au/abrxmlsearchRPC/ABRXMLSearch.asmx';
  l_namespace := 'http://abr.business.gov.au/ABRXMLSearchRPC/"';
  l_method := 'ABRSearchByABN';
  l_soap_action := 'http://abr.business.gov.au/ABRXMLSearchRPC/ABRSearchByABN';
  l_request := soap_api.new_request(p_method => l_method,
  p_namespace => l_namespace);
  soap_api.add_parameter(p_request => l_request,
  p_name => 'searchString',
  p_type => 'xsd:string',
  p_value => '11006489103');
  soap_api.add_parameter(p_request => l_request,
  p_name => 'includeHistoricalDetails',
  p_type => 'xsd:string',
  p_value => 'N');
  soap_api.add_parameter(p_request => l_request,
  p_name => 'authenticationGuid',
  p_type => 'xsd:string',
  p_value => '?');
  l_response := soap_api.invoke(p_request => l_request,
  p_url => l_url,
  p_action => l_soap_action);
  l_return := l_response.doc.getStringVal();
  dbms_output.put_line('-----------------------------------------------------------');
  dbms_output.put_line(l_return);
  END;
  Edited by: 873298 on 18-Jul-2011 15:41

• SOAP Receiver over SSL - server certificate troubles

  Hello all,
  I have a scenario with SOAP receiver communication channel with comunnication over SSL. In the URL there is a IP address for a reason I will not mention ... simply there must be IP address in URL and not a host name.
  When I access the SOAP server with internet browser it gives me a server certificate with HOST NAME in CN. I placed this certificate to the "trusted container" in J2EEVisAdmin - Key Storage.
  Now you might already suspect the trouble: the certificate CN doesn't match with URL. This is obvios error we got many times on the internet (even in e-banking sector .. but we are able to skip it with our internet browsers' possibilities.
  Could I set up something in J2EE server as same as in internet browser ???
  Thank you in advance.
  Rgds
  Tom

  Got it,
  SAP Note : 791655
  HTTPS/SSL Properties
  Property Name = [default]
  messaging.ssl.httpsHandler=iaik.protocol.https.Handler
  messaging.ssl.securityProvider=iaik.security.provider.IAIK
  messaging.ssl.trustedCACerts.viewName=TrustedCAs
  messaging.ssl.serverNameCheck=false
  Description:
  The properties "httpsHandler" and "securityProvider" specify the class names of the HTTPS handler and Security provider used. The AF only supports IAIK. Never change these values! To activate HTTP/SSL, you must install the IAIK libraries on your J2EE Engine as described in the Installation Guide.
  The property "trustedCACerts.viewName" defines which J2EE keystore is used during the SSL Handshake for trusted CA certificates. You should never change this value either. With "serverNameCheck" you can specify whether the host name in outbound HTTPS requests should be checked against the host name in the certificate of the server.
  Regards,
  Bhavesh

• Web Service over SSL hangs if sent data size exceeds around 12Kb

  Hi,
  I have a Web Service running on a WebLogic Server 10.3. One of its purposes is to send and receive documents over a one-way SSL connection. The service runs fine if the documents are smaller than around 12Kb, however if its larger than that, the service simply hangs. From SSL debug information it looks like some data is sent but afterwards it simply stops. When testing the Web Service without SSL it works fine, which points to an SSL issue. Also, surprisingly, when it receives documents over the SSL, it also works fine. I assumed there is a parameter that limits the size of the POST message sent over SSL, however all the parameters that I found, that could do that, were already set to unlimited.

  We ended up resolving this issue. It turned out to be something really simple. The client that was sending the soap traffic did not have the proper SSL certificate installed on the server that was generating the soap traffic.

• Enabling SOAP over HTTPs on PI7.0

  Hello
      We have a requirement to connect PI7.0 to PI7.1 with SOAP over HTTPS. Would you please let us know what all configuration need
         1.  Setting required to be done on PI7.0 ( Communication Channels, Receiver and Sender agreements)
         2.  Where to put private key and root certificate in Visual admin
         3. Port configuration for outbound and inbound traffic.
         4. Enabling of SSL on PI7.0.
         5. Any ICM related setting on PI7.0
  Thanks & Regards

  Hi Uttam,
  Hi,
  For using HTTPS protocol, you have to chose the option of HTTPS in the 'HTTP Security Level' parameter on SOAP sender communication channel.
  For using HTTPS protocol, the SSL certificates need to be deployed on the server.
  Below are the links for more information on SSL certificates:
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
  http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/
  For choosing & installing steps of SSL, refer the below links:
  /people/aniket.tare/blog/2005/03/22/ssl-certificate-installation-procedure-for-sap-j2ee-engine-630-150-steps-in-visual-administrator
  http://info.ssl.com/article.aspx?id=10694
  -Supriya.

• SOAP over HTTPS Scenario.

  Experts,
  I am using PO 7.31 Single Stack.
  I am going to integrate with some Third-Party System ( B2B ) Scenario. As its B2B client want this to integrate this over SSL.
  We are using SOAP Communication channel at Source side.
  We have shared a PI WebService to third Party and told them to send data on this endpoint.
  I have changed following things in webservice( http to https and port no to ssl port no).
  Now Certficate part always confuses me So I have question over certificates/ PubliC/ Private Key :-
  1. Who will provide Certificate and to whom ??
  2. What kind of certificate will be shared accross parties ?? such as public private ?? PGP or X.509 ??
  I have gone through many blogs - but i am still confused.

  Hi Prabhat,
  1. Who will provide Certificate and to whom ??
  --->> Certificates are shared between both parties/systems. So PI needs to provide PI public key to receiver system and receiver system needs to provide there public key.
  2. What kind of certificate will be shared accross parties ?? such as public private ?? PGP or X.509 ??
  -->> The certificate can be X.509.
  Please refer the below blog and sap note 891877
  SSL (HTTPS) Configuration in SAP PI Systems as of release PI 7.10 – Step-by-step procedure
  regards,
  Harish

• OIM 9102 , AD Password Sync 91x, JBoss 423GA - issue over SSL port.

  Followed the steps describe in "Deploying the connector"
  http://download.oracle.com/docs/cd/E11223_01/doc.910/e11218/install_config.htm#insertedID0
  section
  Pre-Installation both SSL n non-SSL works for SPML verification.
  For JBoss Application Server:
  http://IP ADDRESS:8080/spmlws/services/HttpSoap11
  https://IP ADDRESS:8443/spmlws/services/HttpSoap11
  Post Installation - configured SSL.
  On AD machine logs following error message is displayed:
  MAX_RETRY LIMIT count is not updated: OIM is down
  Following meta-link ID 1073889.1
  https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=PROBLEM&id=1073889.1
  explains to verify 'oimhost and oimport' - oimhost is machine ip address ( AD machine is able to ping OIM machine through ip address and machine name )
  oimport is 8443
  Any suggestion.
  Or anyone previously successfully deployed password sync over SSL for OIM 9102 and AD Password sync 91x,
  as i found a similar thread in OTN forum where user had issues over SSL.

  Did anyone resolve this issue? I have the same running SSL Password Sync on OAS 10.1.3.4 and OIM 9.1.0.2 BP09a with AD 2003.
  Debug [7/8/2010 6:35:45 AM] oimport is
  Debug [7/8/2010 6:35:45 AM] 4443
  Debug [7/8/2010 6:35:45 AM]
  Debug [7/8/2010 6:35:45 AM] oimsslclient is
  Debug [7/8/2010 6:35:45 AM] nw-dc-01.nwocaland.nwoca.org
  Debug [7/8/2010 6:35:45 AM]
  Debug [7/8/2010 6:35:45 AM] oimuserattr is
  Debug [7/8/2010 6:35:45 AM] USR_UDF_SAM_ACCTNAME
  Debug [7/8/2010 6:35:45 AM]
  Debug [7/8/2010 6:35:45 AM] oimusessl is
  Debug [7/8/2010 6:35:45 AM] Y
  Debug [7/8/2010 6:35:45 AM]
  Debug [7/8/2010 6:35:45 AM] oimappservertype is
  Debug [7/8/2010 6:35:45 AM] 2
  Debug [7/8/2010 6:35:45 AM]
  Debug [7/8/2010 6:35:45 AM] End of sgsloidi::getConfigParamters
  Debug [7/8/2010 6:35:45 AM] Inside sgsloidi::setParameters
  Debug [7/8/2010 6:35:45 AM] The SOAP start element is
  Debug [7/8/2010 6:35:45 AM] <SPMLv2Document xmlns="http://xmlns.oracle.com/OIM/provisioning">
  Debug [7/8/2010 6:35:45 AM] The SOAP end element is
  Debug [7/8/2010 6:35:45 AM] </SPMLv2Document>
  Debug [7/8/2010 6:35:45 AM] The path is
  Debug [7/8/2010 6:35:45 AM] /spmlws/HttpSoap11
  Debug [7/8/2010 6:35:45 AM] End of sgsloidi::setParameters

• Generating fault detail; basic auth over SSL

  2 questions.
  1) We are running GLUE in WL5.1 and are investigating porting the app to WL6.1.
  In GLUE we can control the content of the SOAP fault detail generated on the server
  through a SOAPException class. Is there any way to do this in WL6.1 SOAP?
  2) Does the WL6.1 SOAP client support basic auth over SSL? If so, do I specify
  an https URL and set the user/pwd in the context properties?
  Thanks,
  -rg

  Beta 1 does not support custom soap fault. it puts name of the
  exception class as faultstring and the exception message + stack
  trace as the details.
  We understand that users may want to customize the soap fault
  and we are planning to support it by allowing user to configure
  error pages. ie, user can specify the servlet/jsp to use in case
  foo exception occured while processing soap request.
  An example of the error handling servlet is attached.
  regards,
  manoj
  public class FaultHandler extends HttpServlet {
  public void doGet(HttpServletRequest req, HttpServletResponse res)
  throws IOException
  res.setContentType("text/xml; charset=UTF-8");
  String eType;
  String eMessage;
  Exception e = (Exception)req.getAttribute("javax.servlet.error.exception");
  eType = e.getClass().getName();
  eMessage = e.getMessage();
  PrintWriter w = res.getWriter();
  w.println("<?xml version=\"1.0\" ?>");
  w.println("<soap:Envelope
  xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">");
  w.println("<soap:Body>");
  w.println("<soap:Fault>");
  w.println("<faultcode>");
  w.println(eType);
  w.println("</faultcode>");
  w.println("<faultstring>");
  w.println(eMessage);
  w.println("</faultstring>");
  if (e != null) {
  w.println("<detail>");
  e.printStackTrace(w);
  w.println("</detail");
  w.println("</soap:Fault>");
  w.println("</soap:Body>");
  w.println("</soap:Envelope>");
  Rhett Guthrie wrote:
  If it is the conent of the soap:fault/detail you want
  to modify, you can do it by simply throwing the
  exception with right message.Thanks for the reply Manoj, but are you sure that the exception message maps to
  the fault detail? The fault detail is supposed to be XML. It would be more natural
  to map the exception message to the fault message. But we need to specify both.
  We send a human readable message in the fault message and a complex XML structure
  (describing ways in which the fault can be fixed) in the fault detail.
  Thanks for any clarification you can give.
  -rg

• Connecting to a remote OpenLDAP server over SSL.

  I've been trying for several weeks now to get a remote OpenLDAP server up and running; configured in such a way that it only allows SSL and requires certificate validation.
  I've created a CA with a self-signed certificate.
  I used that CA to create a server and client certificate.
  The server certificate is in /etc/ssl/certs, has a link by the name of its hash.0 pointing to it; permissions are all correct and /etc/ssl/slapd.conf point to it and the CA certificate.
  The client certificate is on my MacBook Pro in /etc/ssl/certs along with the CA certificate; each of which also has its hash linked to it. /etc/ssl/ldap.conf is set up properly, the permissions are correct, and the following test command ran as my user produces a successful result:
  ldapsearch -v -x -H ldaps://ldap.foo.org -b "dc=foo,dc=org" -d -1
  Now the problem part. I open Directory Utility; go to Services with Advanced Settings enabled. After unlocking it, I click the LDAPv3 and the pencil icon.
  I hit New... in the window that pops up and use ldap.foo.org as servername, SSL box ticked. I hit Continue, and behold; nothing happens.
  It is to say; Directory Utility hangs for a while; after which it goes back to the box I clicked Continue in without any error or warning popping up; but obviously hasn't advanced.
  The server logs indicate my Mac had actually connected; received the server certificate; but didn't send a client certificate at which point the TLS connection got aborted for some reason and the session ended.
  My Mac Console shows something even more bizare, though:
  11/09/08 23:09:22 com.apple.DirectoryServices[97123] Assertion failed: (ld != NULL), function ldapsearchext, file search.c, line 76.
  My suspicion is that Directory Utility can't verify the server certificate and aborts the TLS connection. I expect it also uses /etc/openldap/ldap.conf? How can I diagnose the root of this problem?
  Thanks a lot for your assistance; I just can't figure this out and any hint or pointer would be greatly appreciated. It now just looks like OSX does not support a secure LDAP over SSL configuration.
  Though it currently isn't set up to be that way, I'd like to have my client also provide a certificate (CN=lhunath.foo.org) and have the server validate that. For now I've got the server set to:
  TLSVerifyClient never
  (And of course, the client:)
  TLS_REQCERT demand
  Message was edited by: lhunath

  By the way; about the assertion error I get in Console; here's the relevant source of ldap.c. Looks like ld is not set; probably something going wrong before that with setting up the TLS connection, perhaps? Or not?
  * ldapsearchext - initiate an ldap search operation.
  * Parameters:
  * ld LDAP descriptor
  int
  ldapsearchext(
  LDAP *ld,
  assert( ld != NULL );

• How to set up iPhone 5 iOS 6 email with IMAP over SSL on a custom port?

  Basically I have the same problem as this guy 5 years ago but the thread contained no useful answer. Maybe there are people out there who became smarter in the meantime? Please help me out how to get my iPhone read emails via IMAP over SSL on a custom port to the corporate server. The issue is that the iPhone only seems to work if you use the standard 993 port for IMAPS, not with a custom port as we have. I've installed the corporate root certificate in a profile, and it shows up as trusted and verified in the phone, so that should not be the issue. The mail app in the iPhone tries to connect, I can verify that from the server, but then does nothing, doesn't try to authenticate, doesn't log out, nothing is going on, and then drops the connection after 60 seconds. Repeats this every 5 minutes (as set to fetch e-mail every 5 minutes.)
  Original thread 5 years ago: https://discussions.apple.com/message/8104869#8104869

  Solved it by some (a lot) of fiddling.
  Turns out it's not a bug in the iPhone, it's a feature.
  Here's how to make it work.
  DOVECOT
  If the IMAPS port is anything other than 933 (the traditional IMAPS port) the iPhone's Mail App takes the "Use SSL" setting on the IMAP server as 'TLS', meaning it starts the communication in plain text and then issues (tries to issue) the STARTTLS command to switch the connection to encrypted. If, however, Dovecot is set up to start right away in encrypted mode, the two cannot talk to each other. For whatever reason neither the server nor the client realizes the connection is broken and only a timeout ends their misery.
  More explanation about SSL/TLS in the Dovecot wiki: http://wiki2.dovecot.org/SSL
  So to make this work, you have to set Dovecot the following way. (Fyi, I run Dovecot 2.0.19, versions 1.* have a somewhat different config parameters list.)
  1. In the /etc/dovecot/conf.d/10-master.conf file make sure you specify the inet_listener imap and disable (set its port to 0) for imaps like this:
  service imap-login {
    inet_listener imap {
      port = --your port # here--
    inet_listener imaps {
      port = 0
      ssl = yes
  This of course enables unencrypted imap for all hackers of the universe so you quickly need to also do the things below.
  2. In the /etc/dovecot/conf.d/10-ssl.conf file, make sure you set (uncomment) the following:
  ssl = required
  This sets Dovecot to only serve content to the client after a STARTTLS command was issued and the connection is already encrypted.
  3. In /etc/dovecot/conf.d/10-auth.conf set
  disable_plaintext_auth = yes
  This prevents plain text password authentication before encryption (TLS) is turned on. If you have also set ssl=required as per step 2, that will prevent all other kinds of authentications too on an unencrypted connection.
  When debugging this, please note that if you connect from localhost (the same machine the server runs on) disable_plaintext_auth=yes has no effect, as localhost is considered secure. You have to connect from a remote machine to make sure plain text authentication is disabled.
  Don't forget service dovecot restart.
  To test if your setup works as it's supposed to, issue the following (green) from a remote machine (not localhost) (I'm using Ubuntu, but telnet and openssl is available for almost all platforms) and make sure Dovecot responds with something like below (purple):
  telnet your.host.name.here yourimapsportnumber
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
  Most importantly, make sure you see 'STARTTLS' and 'LOGINDISABLED'. Then issue STARTTLS and hopefully you see something like this:
  a STARTTLS
  a OK Begin TLS negotiation now.
  (The 'a' in front of STARTTLS is not a typo, a prefix is required by the IMAP server in front of all commands.)
  Close the telnet (with 'a logout' or Ctrl+C) and you can use openssl to further investigate as you would otherwise; at the end of a lot of output including the certificate chain you should see a line similar to the one below:
  openssl s_client -starttls imap -connect your.domain.name.here:yourimapsportnumber
  . OK Pre-login capabilities listed, post-login capabilities have more.
  You can then use the capability command to look for what authentication methods are available, if you see AUTH=PLAIN, you can then issue a login command (it's already under an encrypted connection), and if it's successful ("a OK Logged in"), then most likely your iPhone will be able to connect to Dovecot as well.
  a capability
  * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN
  a login username password
  * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS
  a OK Logged in
  POSTFIX
  Likewise, you have to set Postfix to wait for STARTTLS before encrypting the communication.
  1. You have to delete the setting smtpd_tls_wrappermode=yes from /etc/postfix/master.cf and/or /etc/postfix/main.cf, if it was enabled. This will mean Outlook won't be able to connect any more because it requires a TSL connection without issuing STARTTLS as per Postfix documentation (haven't tested.) In my case we don't use Outlook so I didn't care. Outlook + iPhone + custom SMTPS port are simply not possible together at the same time as far as I understand. Pick one to sacrifice.
  2. Require encrypted (TLS) mode for any data transfer in /etc/postfix/main.cf:
  smtpd_tls_security_level = encrypt
  3. Authentication should only happen while already in encrypted (TLS) mode, so set in /etc/postfix/main.cf:
  smtpd_tls_auth_only = yes
  Don't forget postfix reload.
  To test if this works, issue the following telnet and wait for the server's greeting:
  telnet your.host.name.here yoursmtpsportnumber
  220 your.host.name ESMTP Postfix (Ubuntu)
  Then type in the EHLO and make sure the list of options contains STARTTLS and does not include an AUTH line (that would mean unencrypted authentication is available):
  ehlo your.host.name.here
  250-STARTTLS
  Then issue starttls and wait for the server's confirmation:
  starttls
  220 2.0.0 Ready to start TLS
  Once again, it's time to use openssl for further testing, detailed info here http://qmail.jms1.net/test-auth.shtml
  CERTIFICATES
  You also need to be aware that iOS is somewhat particular when it comes to certificates. First of all, you have to make sure to set the following extensions on your root certificate (probably in the [ v3_ca ] section in your /etc/ssl/openssl.cnf, depending on your openssl setup), especially the 'critical' keyword:
  basicConstraints = critical,CA:true
  keyUsage = critical, cRLSign, keyCertSign
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
  And then on the certificate you sign for your mail server, set the following, probably in the [ usr_cert ] section of /etc/ssl/openssl.cnf:
  basicConstraints=CA:FALSE
  keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid,issuer
  subjectAltName = DNS:your.domain.name.here
  issuerAltName=issuer:copy
  Please note, the above are results of extensive google-ing and trial and error, so maybe you can omit some of the stuff above and it still works. When it started working for me, I stopped experimenting because figuring this all out already took way too much time. The iPhone is horribly undocumented when it comes to details of its peculiar behaviors. If you experiment more and have more accurate information, please feel free to post here as a reply to this message.
  You have to import your root certificate into your iPhone embedded in a profile via the iPhone Configuration Utility (free, but only available in Windows or a Mac; details here: http://nat.guyton.net/2012/01/20/adding-trusted-root-certificate-authorities-to- ios-ipad-iphone/ ), after having first added it to Windows' certificate store as a trusted root certificate. This way the Utility will sign your certificate for the phone and it becomes usable; if you just add it from the phone it will be there but won't be used. Using a profile has the added benefit of being able to configure mail settings in it too, and that saves a lot of time when you have to install, remove, reconfigure, install again, etc. a million times until it works.
  Another undocumented constraint is that the key size is limited to a max of 4096. You can actually install a root certificate with a larger key, the iPhone Configuration Utility will do that for you without a word. The only suspicious thing is that on the confirmation screen shown on your iPhone when you install the profile you don't get the text "Root Certificate/ Installing the certificate will add it to the list of trusted certificates on your iPhone" in addition to your own custom prompt set up in the iPhone Configuration Utility. The missing additional text is your sign of trouble! - but how would know that before you saw it working once? In any case, if you force the big key certificate on the device, then when you open the Mail App, it opens up and then crashes immediately. Again, without a word. Supposedly Apple implemented this limit on the request of the US Government, read more here if you're interested: http://blogs.microsoft.co.il/blogs/kamtec1/archive/2012/10/13/limitation-of-appl e-devices-iphone-ipad-etc-on-rsa-key-size-bit.aspx .
  IN CLOSING...
  With all this, you can read and send email from your iPhone.
  Don't forget to set all your other clients (Thunderbird, Claws, etc.) to also use STARTTLS instead of SSL, otherwise they won't be able to connect after the changes above.

• BAD_CERTIFICATE error calling a web service over SSL in ALSB 2.6

  We have a business service on an ALSB 2.6 server (running on WL 9.2.1) that connects to a web service over SSL. When we try to run it, we get the following exception:
  <Sep 17, 2009 7:49:17 AM PDT> <Error> <ALSB Kernel> <BEA-380001> <Exception on TransportManagerImpl.sendMessageToService, com.bea.
  wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  com.bea.wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  at com.bea.wli.sb.transports.TransportException.newInstance(TransportException.java:146)
  at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOu
  tboundMessageContext.java:310)
  at com.bea.wli.sb.transports.http.HttpsTransportProvider.sendMessageAsync(HttpsTransportProvider.java:435)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  Truncated. see log file for complete stacktrace
  javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
  Truncated. see log file for complete stacktrace
  This exception only occurs when hitting the web service through the bus. I have written a standalone Java application that posts to the web service and it works fine. I ran the application on the server where the ALSB is running using the same jdk (1.5.0_06 - the version that ships with 9.2.1) and the same cacerts file so I know it's not a problem with the certificate not being trusted. I have tried updating the cacerts file to the latest one distributed with JRE 1.6 and it still doesn't work.
  After 8 hours of troubleshooting, I'm out of ideas. Does anyone have any suggestiosn?
  Thanks.
  Matt
  Edited by: user6946981 on Sep 17, 2009 7:58 AM

  Are you sure that your standalone application is using the same keystore (eg. cacert)? Default WebLogic configuration uses different keystore (demo).
  I saw BAD_CERTIFICATE error only once and the cause was in keytool that somehow corrupted certificate during import. Deleting and importing certificate again helped me, but I doubt you have the same problem as your standalone application works.
  Another idea ... Is hostname varification used? I know that the error message would look different if this was the cause, but try to add this parameter to your weblogic startup script: -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Last but not least, there is difference between your standalone application and ALSB runtime as WebLogic uses Certicom SSL provider. If you don't find the reason, contact Oracle support. Maybe they can help you to tweak Certicom provider in some way.

• Web service client behind a proxy server connecting to web service over SSL

  Hi Friends,
  A web service is exposed by an external system over SSL. We are behind a proxy server and are trying to get connected to web service over SSL. <p>
  We are getting the following error on the test browser of workshop<p><p>
  External Service Failure: FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters.<p><p>
  the whole trace is <p>
  <p>JDIProxy attached
  <Sep 24, 2005 9:27:25 AM EDT> <Warning> <WLW> <000000> <Id=creditCheckCtrl:salesExpertServiceControl; Method=creditcheckcontr
  ol.SalesExpertServiceControl.doCreditVerification(); Failure=com.bea.control.ServiceControlException: SERVICE FAULT:
  Code:javax.net.ssl.SSLHandshakeException
  String:FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters
  Detail:
  END SERVICE FAULT>
  <Sep 24, 2005 9:27:26 AM EDT> <Warning> <WLW> <000000> <Id=creditCheckCtrl; Method=creditcheckcontrol.CreditCheck.testCreditC
  heck(); Failure=com.bea.control.ServiceControlException: SERVICE FAULT:
  Code:javax.net.ssl.SSLHandshakeException
  String:FATAL Alert:HANDSHAKE_FAILURE - The handshake handler was unable to negotiate an acceptable set of security parameters
  Detail:
  END SERVICE FAULT [ServiceException]>
  <Sep 24, 2005 9:27:26 AM EDT> <Warning> <WLW> <000000> <Id=top-level; Method=processes.CreditCheck_wf.$__clientRequest(); Fai
  lure=com.bea.wli.bpm.runtime.UnhandledProcessException: Unhandled process exception [ServiceException]>
  <Sep 24, 2005 9:27:26 AM EDT> <Error> <WLW> <000000> <Failure=com.bea.wli.bpm.runtime.UnhandledProcessException: Unhandled pr
  ocess exception [ServiceException]><p>
  I am not able to make out what could be possibly wrong. Please let me know if you guys have any ideas about how to resolve it.
  Thanks
  Sridhar

  did you resolve this problem. I am looking at the same issue. If you did I would really appreciate your response.
  Thanks.