SSL and JWS Sandbox
I saw references herein and at the vamphq faq that you could not run SSL from within the JWS Sandbox. I'm guessing that this is a JDK1.3 issue because, while in the sandbox, you cannot install the security provider. Therefore, this issue should go away with JDK1.4 since the default security provider is pre-installed, and SSL from inside the JWS Sandbox should work. Comments?
However, you cannot use a proxy server because the proxy server is not the download host. So for proxy server cases (which is quite often), you would still need "all permissions". Any way around this?
And, of course, just to chime in, JWS does need granular permissions so you can request just, for example, java.net.SocketPermission, and not all permissions. As others have noted, a security box that declares an application is requesting unrestricted access makes an end-user very wary. Of course, end-users install applications all the time that have unrestricted access, but since they usually aren't warned, they don't think about it. Telling the user is, in theory, a good feature. But if we tell them, we need to be able to ask for much less.
I've been asking for fine-grained permissions ever since the first version of JWS.
Has anyone ever heard a response from Sun on this?
Similar Messages
-
How do I bind to directory server with SSL and authentication?
I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a separate matter.)
Here are the problems:
1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
2) I was never prompted to authenticate for the directory binding.
So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
Thank you.
You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
Cheers,
Vikas -
EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility
Hello everyone,
Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
Here's what happens:
1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
http://discussions.apple.com/thread.jspa?messageID=5967023
http://discussions.apple.com/message.jspa?messageID=5982070
these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
Thanks,
Andrew
Hard to tell what is happening without looking at the application source, knowing what OS & hardware you're using etc. You might want to try running with different JVM versions to see if it's actually the VM that is the problem. If you have a support contract with BEA you could ask support to help you diagnose this.
Regards,
/Helena
Ayub Khan wrote:
I have an application running on Weblogic 8.1 (with JRockit as the JVM). This application in turn talks to an iPlanet Directory server via LDAP/SSL. The problem seems to happen on loading the machine: the performance progressively gets worse and after a couple of seconds, all the threads stop responding. I checked the heap, CPU and the idle threads in the execute queue and there is nothing there to trigger alarms; there are quite a few idle threads still and the heap and the CPU utilization seem OK. On doing a thread dump, I see that all the other threads seem to be in a state where they are waiting for data from LDAP and it is basically read-only data that they are waiting on.
Does anyone know what is going on and can help point me in the right direction?
-Ayub -
Business Connector problem with SSL and Web Services
Hi,
I have generated a Web Connector Service and tested this in our DEV and QA environment with http and no credentials.
All is fine.
I now switched to SSL and was provided with an https WSDL by our Web Server developers. The Web Connector service generates fine however as soon as I execute the service I get a NumberFormatException. Exact error is:
java.io.IOException:java.lang.NumberFormatException: null
The error occurs in pub.client:http
I traced through the working (in QA) and non-working versions and checked the pipeline prior to the call and can see no difference apart from the difference in protocol.
Does anyone have any idea what the cause is? I cannot determine what value is null.
Thanks
Brian -
Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, I get the error code 0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In Wireshark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP response returns status 407 and the connection is closed. Comparing this to Internet Explorer: the connection is not closed and a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't the NTLMSSP_AUTH sent directly?
I based it on the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks -
Webservice call failed during execution (SSL and certificates) on NetWeaver 7.30
Hey experts,
I need your help!
We make web service calls to SAP ME with our own software.
We connect to our software via SSL and certificates, e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
At the beginning the software runs without any problems and then we get the following message on all our web services:
That's the web service configuration
(configuration - connectivity - single service administration):
(configuration - security - authentication and single sign-on)
If we restart the software after the error is displayed, the web service call runs successfully again.
Is it a timeout?
Can anybody help us?
Thanks,
Markus
our system info:
NetWeaver 7.30 Java
SAP ME 6.0
Log when the software runs looks as follows:
Log when the software doesn't run looks as follows:
Security log entry
More info from security_00.0.log:
#2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
Read data of type username and value MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
Read data of type username and value from HTTP header and set on module javax.security.auth.callback.NameCallback
Read data of type password and value xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
Read data of type password and value xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).
Hi,
The authentication for the second call is failing. Have you tried the suggested log level from note 880896 - Web Service authentication failure? I would also try to use something like SoapUI to test whether the issue is caused by your application or by something wrong on the SAP side. Also comparing the messages for the first and second calls might give you the answer.
Cheers -
What is "use SSL" and "S/MIME" mail settings for?
What is "use SSL" and "S/MIME" mail settings for?
It has to do with encrypting your mail when it is sent over the web.
-
JDBC Thin Connections with SSL and client certificates
Hi ,
we are going have a look at JDBC Thin Connections with SSL and client certificates.
I have two questions:
1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
Thanks for your help
regards
Markus Reichert
I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under the $Jinitiator_Home/lib/security folder.
Steps to add the SSL Certificate:
1. Run the form with the https mode in the IE Browser.
2. Security Alert is raised.
3. Click on the View Certificate button.
4. In the Certificate Window, click on the Details tab.
5. Click on the Copy to File button to copy the certificate.
6. Copy the certificate and append to the certdb.txt file. -
Connect - SSL and certificate chain
Hi,
Is it possible to place a certificate chain somewhere, so that Adobe Connect users don't have to manually install the certificates from the chain?
Hi cj63, why isn't your cert accepted automatically? We're using hardware SSL and encountered an issue with our cert. We ended up changing the cert chain on the F5, I believe. I'm not sure of the "how" other than to know we did it with hardware SSL, so it should be possible. -
What is SSO , SSL, and other terms?
Hi,
I always hear the terms SSO, SSL and some other terms, but I am not aware of the exact meaning of them.
Can anyone shed some light on this?
Thanks!
Yogini
Hi Yogini,
If you are referring to SSO (single sign-on) and SSL (Secure Sockets Layer) for Discoverer, check out the link below.
http://download.oracle.com/docs/html/B13918_03/security2.htm#BABGEIEC
See the topics 14.6 Using Discoverer with OracleAS Framework Security and
14.7 Using Discoverer with Oracle Identity Management Infrastructure -
SOAP and JWS - Help!!
Hi everyone!!
I am trying to integrate SOAP and JWS, i.e. the application being downloaded is a SOAP messaging application. While compiling I have the SAAJ API in my classpath. While executing it, I need to have it in my classpath too. If I don't set the classpath before executing the application, the application doesn't execute; when I do, it works. It's OK when I execute the application in the command prompt because I can set the classpath again, but the issue arises when I run this example using JWS. Can anybody resolve this issue?
regards,
Manyadeveloper
Hi, I've been dealing with this problem for a little while.
I've got an app that is dependent on SOAP.JAR. My app doesn't need to be signed, but SOAP.JAR does.
Why does it need to be signed?
I only want to download information from the server where I started my program from. When I leave SOAP.JAR unsigned it tells me I need to input the proxy address and port.
Any ideas?
Thanks Martin -
Delete or disable ssl and https on exchange web url
Hi,
I disabled it by clearing the check box on Default Web Site --> SSL Settings --> Require SSL
and also inserted my domain name, example: http://mail.myexchange.com/owa, in Exchange admin center Console --> Servers --> Virtual Directory --> owa
and also I changed <add key="UseHttpsForWacUrl" value="true" /> to <add key="UseHttpsForWacUrl" value="false" /> in C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web
But after these steps for removing https from my URL I can't use it. After logging in in https mode I can delete https from my URL manually, but it didn't work well and I get this error when I want to see my email body: "Error: Your request can't be completed right now. Please try again later."
Hi S.Ali,
Have you restarted IIS after changing all the settings?
If not, please try to restart iis and check again.
Best regards,
Niko Cheng
TechNet Community Support -
dear all,
I have AS 10g Release 1 with Forms90; I want to know how to enable SSL with Forms90 on the AS. Are there any notes or tips?
Please let me know.
fadi
... maybe you find this useful
SSL and Application Server 10G
Frank -
Apache, ssl, and php problem
i just added ssl support to my apache website running php. before i added ssl i had a php flash script that has always worked fine until i altered the httpd.conf file to forbid access to this directory unless it was an encrypted connection. i used the code
<Directory "/home/httpd/html/folder">
AuthType Basic
AuthName "user"
AuthUserFile /home/httpd/passwords/folder
Require user user
SSLRequireSSL
</Directory>
i tested the ssl with the directory running php before i altered the code and it worked fine. now that i altered the code to require ssl, the folder's index shows up a blank page. what went wrong, is there some bug or something i did wrong?
Steps to use SSL in Arch with Apache:
1) pacman -S openssl apache
2) Read /etc/httpd/conf/mod_ssl.txt
2a) Edit /etc/conf.d/httpd and set HTTPD_USE_SSL to "yes"
2b) Create an ssl key, request, and certificate.
# This generates the cert and key (valid for 3650 days)
# Be sure to enter the FQDN of your apache server as the "Common Name".
openssl req -new -x509 -newkey rsa:1024 -days 3650 -keyout server.key -out server.crt
# This will remove the passphrase
openssl rsa -in server.key -out server.key
2c) Modify /etc/httpd/conf/ssl.conf to use your new certificate.
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
3) Edit /etc/httpd/conf/ssl.conf
Define an appropriate virtualhost for your ssl site
4) Restart apache (/etc/rc.d/httpd restart)
If it hangs or fails to start, check /var/log/httpd/error_log or try running '/usr/sbin/apachectl startssl' and looking for errors/prompts.
NOTE: Using the same dir for ssl and non-ssl does not make sense, as someone could just use non-ssl to access the same information. Instead, create a new directory (something like /home/httpd/ssl), and use that dir for ssl web activities. Adjust /etc/httpd/conf/ssl.conf accordingly -
I can't set up Gmail on my iPad 2. It keeps saying "can't connect with SSL" and asks me whether to connect without using SSL; then I press "yes" and it says again that IMAP is not working and tells me to check the network connection and incoming mail server. No idea what to do any more. Already tried to figure it out, but it doesn't work. Can anyone please help me?
Nope, doesn't pass verification. I get the spinner for a minute or so, then the alert about setting it up without SSL. Are you suggesting I disable Fetch and Push BEFORE I enter the account details? Because I never get past the account details screen, unless I choose "Set up without SSL" after the warning.