SSL and keystore password

Similar Messages

• Sending an username and a password with SSL but without Authentication

  Hi,
  I've read several threads about this topic but I'm still confused. I need to send a login and a password in a more or less secure way (not sending it in the get/post and not using a base64 encoding), but I don't want authentication, just to send the info from the browser to the server without everyone in a firewall/proxy being able to read it. I don't want the popup window annoying the user. Buying a certificate from a certification entity would be the last option.
  Could anyone confirm that is impossible to do without including the authentication?
  Thanks in advance,
  - Juan

  HTTP Authentication works via a glorified GET anyway.
  You can only (generally) send stuff via GET or POST.
  SSL encryption takes place outside (or around) the request and response of HTTP, so using an https URL to a server that supports it will make sure that the data in the request including the name & password are encrypted.
  I don't want the popup window annoying the user. Not that you need a popup... a simple form would do, but you need to get the username from the user somehow. You can't get it from the browser otherwise.
  A certificate is not normally needed on the client side, but it is needed on the server.

• Differences between SSL and Code-Signing Certificates

  Hello,
  I unsuccessfully tried to use a SSL - certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned, that SSL certificates and code-signing certificates are different things (after seeking the web for ours). Can somebody point out some source of information about this topic ? What are these differences ? Can I convert my SSL certificate into a code-signing certificate ?
  Things got even more confusing for me, since my first attempt with an wrongly converted SSL cetificate (I used my public and private key for conversion only, omitting the complete chain) at least worked partly: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the java plugin rejected the certificate completely ...
  Ulf

  yep, looks like it.
  keytool can be used with v3 x509 stores:
  Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation ( for Solaris ) ( for Windows ).
  jarsigner needs a keystore so I would assume public and private key pair.
  you could list the keys from your store:
  C:\temp>keytool -list -keystore serverkeys.key
  Enter keystore password: storepass
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 2 entries
  client, Jul 5, 2005, trustedCertEntry,
  Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
  server, Jul 5, 2005, keyEntry,
  Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58
  The server is the private key, this can be used with jarsigner (alias option).
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar client
  jarsigner: Certificate chain not found for: client. client must reference a val
  id KeyStore key entry containing a private key and corresponding public key cert
  ificate chain.
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar server

• EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

  Hello everyone,
  Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
  Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
  I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
  Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
  However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
  This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
  Here's what happens:
  1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
  2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
  3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
  4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
  5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
  Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
  http://discussions.apple.com/thread.jspa?messageID=5967023
  http://discussions.apple.com/message.jspa?messageID=5982070
  these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
  If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
  Thanks,
  Andrew

  Hard to tell what is happening without looking at the application
  source, knowing what OS & hardware you're using etc. You might want to
  try running with different JVM versions to see if it's actually the VM
  that is the problem. If you have a support contract with BEA you could
  ask support to help you diagnose this.
  Regards,
  /Helena
  Ayub Khan wrote:
  I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
  application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
  seems to happen on loading the machine..the performance progressively gets worse
  and after a couple of seconds, all the threads stop responding. I checked the
  heap, cpu and the idle threads in the execute queue and there is nothing there
  to trigger alarms...there are quite a few idle threads still and the heap and
  the cpu utilization seem OK. On doing a thread dump, Is see that all the other
  threads seem to be in a state where they are waiting for data from LDAP and it
  is basically read only data that they are waiting on.
  Does anyone know what it is going on and help point me in the right direction.
  -Ayub

• Web Service (SSL) and certificates (keytool) with INternet Explorer

  Hi,
  Followed this steps http://www.grallandco.com/blog/archives/2006/10/using_htts_with.html to have a secure SSL WEb service (with client authorization).
  Tested from Jdeveloper it worked O.K.
  Now I would like to test it with Internet explorer, but now server ask for certificate before internet show parameters page to invoke Web Service.
  I generated self signed certificates and keystore using keytool. (This keystore is used by the OC4J and my proxy client).
  Imported this certificate (.cer) to internet explorer succesfully, but when access URL for the web service (https) internet does not show this certificate to use it, so failed to connect...
  keytool certificates could be used by INternet explorer for this purposes?, what am I doing wrong?
  Thanks
  J.

  Hi,
  I already configured HTTPS - client authenticate for OC4J, and you can work with follow step:
  1: Create keystore for OC4J by java keytool
  2: Using openssl to create certificate for your server (privatekey, certificate)
  3. Using keytool to import your server's certificate (2) to keystore (1)
  4. Generate client certificate (4)
  5. Sign on client certificate (4) by privatekey and server certificate (20
  6. Import client certificate to windows - (should create keystore with format pkcs12)
  You can using "Java Certificate Services" to help you create keystore with multi format or sign cert....
  Rgs

• Where to put keystore password

  I am sure this topic has been discussed.. but the forum search seems to be cactus at the moment so:
  I have a keystore (java.security.KeyStore) into which I am putting encryption keys (as you would expect). I need to encrypt data because although it's on a server behind a firewall, it's pretty important info. I am securing the keystore with a password, but I now have a problem of what to do with the password. I can't store it in a database because I am using one of the keys from the keystore to encrypt the configuration file used to access the database (again, for security).
  I realise that there will always be one weak point in the system, but I was wondering what the best-practice approach for storing keystore passwords was.
  A couple of considerations:
  1. I am in a web (tomcat) environment
  2. I don't have (and don't want to have) an EJB layer
  3. I can't leave it up to the user to enter, because I (the system) needs to encrypt/decrypt data without the user's intervention
  4. I can't store it in the database as already mentioned
  5. I can hard code the password(s) in compiled java code, but this can be decompiled and it means I can change them (easily)
  Any ideas?

  There are three key questions you have to answer before you can do "the right thing" for your environment in this context. The first is, "How much do you trust the physical security of your hardware?" The second is "How hard do you need to make life for would-be Bad Guys?" And the third is "How hard are you willing to make life for your sysadmins?"
  Take #3, for example. If you're willing to make your admins miserable, or pay for 24x7 on-site coverage - don't write your ultimate key down anywhere, ever. When your system goes down, an admin has to restart it by re-entering the password/key info for unlocking all of your secrets. This approach chooses security over convenience in a very large way.
  #2 and #1 are interrelated. If you trust your machine-security, you can make life hard for the Bad Guys even while leaving your startup password in the clear in your init scripts. If you don't trust your system too much, but you only care about deterring the "casual cracker," then you can do the same. If you want to make life REALLY hard for the Bad Guys, you can't leave the key available anywhere near your machine - even the specialized hardware approach can be defeated by a dedicated assault that has access to the machine. (At which point, you need to see #3 above).
  In general, putting the key into your .class files is always the wrong answer. You can't change the password without recompiling, and everyone who uses the app is forced to have the same password, which is A Bad Thing. In addition, it's no more secure than having the pasword in a config-file that's protected to the same degree as the classfile itself. If the JVM can read the classfile, it can find and read a config file - and if a Bad Guy could find the plaintext config, he can find the classfile and extract the password nearly as easily.
  In the vast majority of cases, keys in config files protected by the OS of the server machine will keep your system's secrets safe while allowing for "hands off" restarts. In the small number of instances where that's not sufficient, be prepared to pay a heavy price in hardware and convenience.
  Grant

• Webservice call failed during execution (SSL and certificates) on NetWeaver 7.30

  Hey experts,
  i need your help!
  We make webservice calls to sap me with our own software.
  We connect to our software via SSL and certificates e.g. https://host:50001/XMII/CM/POD/MEDialogsWeb.irpt
  At the beginning the software runs without any problems and than we become the following message on all our webservice:
  thats the webservice configurations
  (configuration - connectivity - single service administration):
  (configuration - security - authentication and single sign-on)
  if we restart the software after the error display, the webservice call runs successfully again.
  is it a timeout?
  can anybody help us?
  Thanks,
  Markus
  our system info:
  NetWeaver 7.30 Java
  SAP ME 6.0
  software runs log looks as following
  software doesn't runs log looks as following
  security Log Entry
  more info from security_00.0.log
  #2.0 #2014 06 06 14:51:17:136#+0200#Warning#/System/Security/WS#
  com.sap.ASJ.wssec.020142#BC-ESI-WS-JAV-RT#tc~sec~wssec~service#C0000A650AD826FF0000000100000BEC#3855850000000005#sap.com/me~ws#com.sap.engine.services.wssec.authentication#Guest#0##207092CAED7111E3A01A0000003AD5EA#23386e31ed7911e39d560000003ad5ea#23386e31ed7911e39d560000003ad5ea#0#Thread[HTTP Worker [@648881277],5,Dedicated_Application_Thread]#Plain##
  Received unsupported callback: com.sap.engine.interfaces.security.auth.SetLogonTicketCallback
  Received unsupported callback: com.sap.engine.lib.security.http.HttpSetterCallback
  Read data of type username and value  MEFLEX from wsse:Security header and set on module javax.security.auth.callback.NameCallback
  Read data of type username and value   from HTTP header and set on module javax.security.auth.callback.NameCallback
  Read data of type password and value  xxx from wsse:Security header and set on module javax.security.auth.callback.PasswordCallback
  Read data of type password and value  xxx from HTTP header and set on module javax.security.auth.callback.PasswordCallback
  Authentication for web service ShopOrderService, configuration ShopOrderService using security policy BASIC*SSO2*_*_*ws failed: Cannot authenticate the user.. (See SAP Note 880896 for further info).

  Hi,
  the authentication for the second call is failing. Have you tried suggest log level from note 880896 - Web Service authentication failure? I would also try to use something like SoapUI to test if the issue is caused by your application or something wrong on SAP side. Also coparing messages for the first and second calls might give you answer.
  Cheers

• How do I set the default keystore password?

  The following code is currently failing with the exception below.
  private X509Certificate getX509Certificate(String alias)
                 throws CertificateException {
            // NOTE The default keystore password is "**********", as specified in the Sun KeyStore documentation
            // NOTE For more information, read the Sun documentation at http://java.sun.com
            X509Certificate cert  = null;
            String keystore      = "keystore";
            try {
                 cert = getX509Certificate(alias, keystore, "**********");
            catch(KeyStoreException exception) {
                 // A keystore exception occurred in the call to getX509Certificate, which could be indicative of a
                 // bad installation
                 throw new CertificateException("A keystore exception occurred accessing the default keystore."
                          + " Check your keystore installation, ensuring that the default keystore password"
                          + " is the standard Java keystore password\r\n"
                          + exception.getMessage());
            }+[04/12/07 15:02:57:827 GMT] 0000001f SystemErr R java.security.cert.CertificateException: A keystore exception occurred accessing the default keystore. Check your keystore installation, ensuring that the default keystore password is the standard Java keystore password+
  A keystore exception occurred accessing the default keystore. Check your keystore installation, ensuring that the default keystore password is the standard Java keystore password
  The provider 'SUN' has not been configured
  no such provider: SUN
  So it looks like my default keystore password is not the same as that in the code above (I've replaced it with ******). How do I set the default keystore to be the same as in the code above? Please note the exact same code works for another application - and so I would like to use the same class file rather than having to change the code above.

  You define the password for a keystore when you create it.
  There is no default.
  There is a default on the 'cacerts' truststore provided for JSSE: see
  http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

• Apache, ssl, and php problem

  i just added ssl support to my apache website running php. before i added ssl i had a php flash script that has always worked fine until i altered the httpd.conf file to forbid access to this directory unless it was an encrypted connection. i used the code
  <Directory "/home/httpd/html/folder">
      AuthType Basic
      AuthName "user"
      AuthUserFile /home/httpd/passwords/folder
      Require user user
      SSLRequireSSL
  </Directory>
  i tested the ssl with the directory running php before i altered the code and it worked fine. now that i altered the code to require ssl, the folder's index shows up a blank page. what went wrong, is there some bug or something i did wrong?

  steps to use ssl in arch with apache.
  1) pacman -S openssl apache
  2) Read /etc/httpd/conf/mod_ssl.txt
  2a) Edit /etc/conf.d/httpd and set HTTPD_USE_SSL to "yes"
  2b) Create an ssl key, request, and certificate.
  # This generates the cert and key (valid for 3650 days)
    # Be sure to enter the FQDN of your apache server as the "Common Name".
    openssl req -new -x509 -newkey rsa:1024 -days 3650
      -keyout server.key -out server.crt
    # This will remove the passphrase
    openssl rsa -in server.key -out server.key
  2c) Modify /etc/httpd/conf/ssl.conf to use your new certificate.
  SSLCertificateFile /etc/httpd/conf/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/server.key
  3) Edit /etc/httpd/conf/ssl.conf
  Define an appropriate virtualhost for your ssl site
  4) Restart apache (/etc/rc.d/httpd restart)
  If it hangs or fails to start, check the /var/log/httpd/error_log or try running
  '/usr/sbin/apachectl startssl' and looking for errors/prompts.
  NOTE: Using the same dir for ssl and non-ssl does not make sense, as someone could just use non-ssl to access the same information. Instead, create a new directory (something like /home/httpd/ssl), and use that dir for ssl web activities. Adjust /etc/httpd/conf/ssl.conf accordingly

• RMI, SSL, and compression

  Hi,
  I am trying to find an example of how to create a custom socket factory for RMI that does SSL and compression. Doing either separately is easy, but it seems that using SSL precludes the use of a custom socket as one would want for compression. Any suggestions or pointers would be appreciated.
  Regards,
  Neal

  Thank you for the help. Sadly, I am still unable to wrap my brain around this one. I am hoping a concrete example will help out:
  public class SecureServerSocketFactory implements java.rmi.server.RMIServerSocketFactory, java.io.Serializable
      /** Creates new SSLServerSocketFactory */
      public SecureServerSocketFactory()
       * Create a server socket on the specified port (port 0 indicates
       * an anonymous port).
       * @param  port the port number
       * @return the server socket on the specified port
       * @exception IOException if an I/O error occurs during server socket
       * creation
      public java.net.ServerSocket createServerSocket( int port )
          throws java.io.IOException
           SSLSocketFactory sssf = null;
          ServerSocketFactory ssf = null;
          ClassLoader cl = this.getClass().getClassLoader();
           try
              // set up key manager to do server authentication
              SSLContext ctx;
              KeyManagerFactory kmf;
              TrustManagerFactory tmf;
              KeyStore ks;
              char[] passphrase = "xxxxxxxxxxxxxx".toCharArray();
              ctx = SSLContext.getInstance( "TLS" );
              kmf = KeyManagerFactory.getInstance( "SunX509" );
              tmf = TrustManagerFactory.getInstance( "SunX509" );
              ks = KeyStore.getInstance( "JKS" );
              ks.load( new FileInputStream( SimpleLocator.getInstanceValue( "ServerKeystore") ), passphrase );
              kmf.init( ks, passphrase );
              tmf.init( ks );
              ctx.init( kmf.getKeyManagers(), tmf.getTrustManagers(), null );
              // this is w/o compression
              //ssf = ctx.getSocketFactory();
          catch( Exception e ) { e.printStackTrace(); }
          // need to put ejp's idea to practice here...
          // create a LZMACompressedSocket
          // put it into server mode?
          // wrap in SSL?
          return socket;
      }Any help you can provide would be appreciated.
  On a related note, I do agree that compressing at this level likely will not help, but I want to try all solutions.
  Thanks again for your help.

• If someone has wiped my ipad and changed passwords on icloud how do i get my data back

  if someone has wiped my ipad and changed passwords on icloud how do i get my data back? please could someone help me out thanks

  How did they wipe it?  By using Find My iPad and performing a wipe?  If so, that means they have your icloud ID and password, not a good thing.
  You could try connecting it to iTunes and performing a restore from iCloud.  But if they changed password, then you are out of the loop.  How did they get your password in order to change it?

• I am unable to access iCloud because my iPhone states that my Apple ID and\or password is incorrect.  Based on Apple's own policy my current ID and P/W should be fine to access iCloud.  Any suggestions?

  I am unable to access iCloud because my iPhone states that my Apple ID and\or password is incorrect.  Based on Apple's own policy my current ID and P/W should be fine to access iCloud.  Any suggestions?

  You will have to contact Apple Care and ask for account security for help. Apple ID: Contacting Apple for help with Apple ID account security

• TS3276 Cannot send mail from my iPad...."user name and or password is incorrect"......mail can be sent from my iPhone

  Why do I get the message   "Cannot send mail, the user name and or password for my email outgoing server is incorrect"?  I use the same account, etc. on my iPhone and haven't any trouble sending mail.

  If your email requires a password for the SMTP server you can set it up in the settings in the General mail setup. Some i.e Gmail require a password for SMTP.
  Otherwise you will probably get better answers in the iPad forum.
  https://discussions.apple.com/community/ipad/using_ipad

• When I try to send email from my iPad and iphone it says that I have the incorrect username and/or password, but I know they are correct, can someone help me?

  When I try to send email from my iPad and iPhone it says that I have the wrong username and/or password, but I know they are correct.  Can someone help me?

  "Your email account" means to tap on the name of your email account. Whatever it is listed as in the settings.
  In my mail settings, one of my email accounts is a Comcast account. I tap on the Comcast name and it brings up this window.
  Then I tap on the arrow under the Outgoing mail server smtp setting to get to the next window.
  In the resulting window, I then tap on the arrow next to the smtp server under the Primary Server setting.
  That brings up this window in which I check to make sure that my user name and password have been entered correctly. If those items are missing, enter them in the appropriate fields and then tap done.

• How do I bind to directory server with SSL and authentication?

  I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
  Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a seperate matter.)
  Here are the problems:
  1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
  2) I was never prompted to authenticate for the directory binding.
  So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
  What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
  Thank you.

  You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
  Cheers,
  Vikas