SSL and security-constraints

I'd like to know if anybody knows a way to abandon an https session.
I know I can specify a set of protected resources, editing web.xml, in the following way:
<security-constraint>
     <web-resource-collection>
          <web-resource-name>Protected Context</web-resource-name>
               <url-pattern>/Login.jsp</url-pattern>
        </web-resource-collection>
     <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
</security-constraint> I just saw that if I keep surfing my site, after the system redirected me to https (because a protected resource has been requested), all following requests are https, even if the resource is not specified as protected in web.xml, and not simple http!
How can I specify that a resource must run in http?
How can I specify that a resource is not protected?
Hope somebody could help...
Peppe.

Similar Messages

Web service proxy and security constraint

I've placed a security constraint on my web service and set the login-config auth-method as BASIC. When I run the Workshop test and the (Test View) browser begins to appear I am prompted for my username and password since it is protected --- great, it's working.
Here's my problem, when I create the Java Proxy and try to access the web service using the proxy in another application I am never prompted for my username and password and thus the request fails. Anyway to fix this so I can be promted using the proxy??
thanks in advance,
Steve Touw

Hi Shay Shmeltzer,
Thanks for the reply.
I tried in HTTP Analyzer in JDeveloper and there also it is not working. My concern is :-
There are many other web services deployed on the same SOA server in same partition and they are working fine in HTTP analyzer and I am able to create and use the web service proxy as well. So as per my understanding there is nothing like network issues between SOA server and jDeveloper.
1 more thing When I am creating the proxy for this web service and requesting from the proxy's main method SOA is getting proper input (which I am providing in the main method) and SOA is returning proper output I have checked the SOA instance in em. So there is no problem in SOA side. The problem is jDeveloper is not able to get back that response which SOA is returning.
Please Help.
-- NavinK

LDAP SSL and Secure

I am unable to get SSL or Secure LDAP connection to work.
These are my settings for Directory-service:
name: TEST
description: TEST
login-prefix: TEST
type: GenericLdap
last-sync: (no value)
last-sync-error: The server is not operational.
users: (no value)
groups: (no value)
Connection settings
host: ldap.xon-ionx.****.se
port: 636
top-directory: ou=USER_CONTAINER,o=ROOT
binding-type: Secure
synchronization-account: cn=ZAV_User,ou=external,o=ROOT
password: ********
Schema settings
user-filter: (objectClass=inetOrgPerson)
user-class: inetOrgPerson
user-login-name: cn
user-first-name:
user-last-name:
user-full-name: cn
group-filter: (objectClass=groupOfNames)
group-class: groupOfNames
group-name: cn
group-description: description
group-members: member
Message from server is not saying much: Not synchronized (error: The server is not operational.)
Debug log output as follows:
05-07-2013 08:47:09.9960 - Critical - 0x0C5C: Directory service TEST could not be completely synced. Connection settings: host ldap.xon-ionx.****.se, port 636, top ou=USER_CONTAINER,o=ROOT, user cn=ZAV_User,ou=external,o=ROOT, type Secure, ufilter (objectClass=inetOrgPerson), uclass inetOrgPerson, uuname cn, ufname , ulname , uflname cn, gfilter (objectClass=groupOfNames), gclass groupOfNames, gdescription description, gmembership member
The server is not operational.
at System.DirectoryServices.DirectoryEntry.Bind(Boole an throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObj ect()
at System.DirectoryServices.DirectorySearcher.FindAll (Boolean findMoreThanOne)
at System.DirectoryServices.DirectorySearcher.FindAll ()
at Spoon.Server.Common.Data.Library.DirectoryService. _SyncNode(LibraryDataContext dc, DirectoryServiceNode dsn, Dictionary`2 dictUsers, Dictionary`2 dictGroups, Dictionary`2 dictUsersToInclude, Dictionary`2 dictGroupsToInclude, Int32& iUsersAdded, Int32& iGroupsAdded)
at Spoon.Server.Common.Data.Library.DirectoryService. Sync()
/Mathias

Do other binding options function as expected (Simple, Anonymous)? I'm also working on setting up a test environment to try and reproduce this. If I find something that can help, I'll update the thread.
The support team could open a proper ticket with Spoon about this, but it requires that you open an SR first.

Web.xml and security constraints

Hi,
I have several web services deployed. I only want to protect one of these web services.
If I use "/services/*" in <security-constraint> of my web.xml file, all my deployed web services are protected.
If I use "/services/aaaWebService" in <security-constraint> of my web.xml file, aaaWebService web service is NOT protected.
Please let me know what I should use for teh <url-pattern> to protect only aaaWebService.
Thanks /dan

What about "/services/aaaWebService*"?
I think whithout an asterisk service parameters don't match your pattern.
Vovencij

SSL and Secure Cookies

I am running WebCache 10.1.2 and an origin server of OAS 10.1.3. I have configured SSL communication for both WebCache and OAS. I have cookies that are defined in OAS to be secure.
If I hit the system through OAS directly, I can see that the connection flags for the cookies are set to Secure Connection only. But when I access the application through WebCache, the cookies' connection flags are set to Any Connection.
Is there something I can configure in WebCache to keep the Secure Connection flag value as it is passed from OAS?

See if something here can help you: http://download-west.oracle.com/docs/cd/B14099_02/caching.1012/b14046/concepts.htm#i1014783 . I believe its just a config issue.
Hope this helps.
Regards,
Priyanka GES

SSL and security modes

We are getting ready to implement SSL on the Portal Server and after reading the documentation, I'm not sure which security mode we need to be in. Will mode 0 be fine as long we require SSL on IIS on the portal server?

Hi Eric,
You mentioned that your site is in mode 2. How was the performance? Are you using an accelerator? Please send me the link if that is alright. We have been playing with https (mode 2) but no success since all admin tasks stopped working. Our next step is to install a separate portal inside the firewall....Any tips would be appreciated.
Thanks,
Leona------- Eric Whitley wrote on 9/17/04 10:33 AM -------
I think you'll want to at least set SSL mode to 1. I'm going to just write out my understanding of things, and I only really have PT 4.5 WS in production, so if I'm off, well... somebody correct me. :)
Something to keep in mind - Plumtree needs to "know" which SSL mode you're setting up so it can construct the links for all click-throughs (http://myservervs https://myserver).
0 = no SSL. Even if you place SSL on IIS Plumtree won't care - in fact, if you click on 'require SSL' on IIS, I think you'll run into problems. Plumtree won't construct URLs with the appropriate "https" prefix, which will likely cause problems.
1 = apply security to pages that need it. Login pages, document click-throughs, etc. as defined in the secure activity spaces configuration. Plumtree will apply the "https" to only those pages/links.
2 = SSL everything, everywhere. Our portal current has this configuration.
Clicking on "require SSL" on the virtual directory will only deal with the IIS portion - you still need to indicate to Plumtree how much/where you want it applied so it can construct the links appropriately. Try setting "1" to see if it will get you where baseline security - our clients and global security team force us to SSL everything conceivable, so we use setting "2".
That help?
Eric

Sharepoint and SSRS report trust relationship ssl/tls secure channel remote certificate is invalid

I have no experience with sharepoint at all. but this is what I observed.
I intermittently getting this error message on my sharepoint. could not establish trust relationship for the ssl/tls secure channel. Remote Certificate is invalid according to the validation procedure.
Screnshot of the error
This is how the sharepoint page layout.
I have report.aspx. and below is the content of the aspx file.
The url is http://sharepoint.COMPANY.com/Pages/Report.aspx.
The URL is intranet only.
The sharepoint is hosted in SERVER1 and the SSRS is hosted in SERVER.
I observed this error happens on both HTTP and HTTPS http sharepoint COMPANY com/Pages/Report.aspx OR https sharepoint COMPANY com/Pages/Report.aspx
So far, the step I did was to follow this blog http://krishnasangani.blogspot.ca/2013/06/the-remote-certificate-is-invalid.html Restarted
IIS in SERVER1 AND SERVER2. but the problem persist. Another I have done is to click the certificate in internet explorer and everything looks ok on that side to (certificate is valid)
It seems to only happen earlier during the morning, then it fixes itself around 9 Oclock. It has been on going for about 2 weeks. Please help troubleshooting this.
<%@ Page Inherits="Microsoft.SharePoint.Publishing.TemplateRedirectionPage,Microsoft.SharePoint.Publishing,Version=14.0.0.0,Culture=neutral,PublicKeyToken=71e9bsasdasdasd9c" %> <%@ Reference VirtualPath="~TemplatePageUrl" %> <%@ Reference VirtualPath="~masterurl/custom.master" %><%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bsasdasdasd9c" %>
<html xmlns:mso="urn:schemas-microsoft-com:office:office" xmlns:msdt="uuid:547SF010-65B3-11d1-A29F-00457845FFSW"><head>

<title>Report</title></head>
A few questions I have in mind is Any pointer to troubleshoot this problem AND By looking at the ASPX file, Would you be able to determine what method is my Sharepoint page calling the SSRS report , integrated mode, native mode? IEFrame? The reason I am asking
this is that maybe IF I google using the right terminology I can get to the similar problem and solution.
Thanks

Please let us know if you are using
SharePoint communicates to an external service via HTTPS
Please try perform following steps:
Fix is to setup a trust between SharePoint and the server requiring certificate validation.
In SharePoint Central Administration site, go to “Security” and then “Manage Trust”. Upload the certificates to SharePoint. The key is to get both the root and subordinate certificates on to SharePoint.
The steps to get the certificates from the remote server hosting the WCF service are as follows:
1. Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
2. Right click on the browser body and choose “Properties” and then “Certificates” and then “Certificate Path”.
This tells you the certificate chain that’s required by the other server in order to communicate with it properly. You can double-click on each level in the certificate chain to go to that particular certificate, then click on “Details” tab, “Copy to
File” to save the certificate with the default settings.
As an example, get both VeriSign & VeriSign Class 3 Extended Validation SSL CA.
reference : http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
If my contribution helps you, please click Mark As Answer on that post and
Vote as Helpful
Thanks, ShankarSingh(MCP)

[svn] 1053: Basic and custom security-constraint samples were added to the team app mainly for the doc team to have a reference .

Revision: 1053
Author: [email protected]
Date: 2008-04-01 11:35:28 -0700 (Tue, 01 Apr 2008)
Log Message:
Basic and custom security-constraint samples were added to the team app mainly for the doc team to have a reference. The custom authentication sample uses the new ChannelSet.login and ChannelSet.logout methods.
Modified Paths:
blazeds/branches/3.0.x/apps/team/WEB-INF/flex/remoting-config.xml
blazeds/branches/3.0.x/apps/team/WEB-INF/flex/services-config.xml
Added Paths:
blazeds/branches/3.0.x/apps/team/features/security-constraints/
blazeds/branches/3.0.x/apps/team/features/security-constraints/README.txt
blazeds/branches/3.0.x/apps/team/features/security-constraints/securityConstraint_Basic.m xml
blazeds/branches/3.0.x/apps/team/features/security-constraints/securityConstraint_Custom. mxml
Removed Paths:
blazeds/branches/3.0.x/apps/team/features/remoting/remoting_AMF_SecurityConstraint_Basic. mxml

Congrats to Carmelo!
Windows Phone and Windows Store Apps Technical Guru - February 2015
Carmelo La Monica
Windows Phone 8: control Nokia Maps (Part 3)
JH: "Part 3 of the series how to work with the Nokia maps control. As the previous articles this one contains a lot of code snippets and some pictures. Good work!"
Ed Price: "A great topic, a fantastic breakdown of sections with clear descriptions, and a nice mix of code formatting and helpful images! Another stellar article from Carmelo! Great job including the link back at the end to the portal
article!"
Ed Price, Azure & Power BI Customer Program Manager (Blog,
Small Basic,
Wiki Ninjas,
Wiki)
Answer an interesting question?
Create a wiki article about it!

[svn] 1433: adding 'console' security constraint to MBeanServerGateway remote object for MBean tests and ds-console , used when running on Websphere with administrative security enabled.

Revision: 1433
Author: [email protected]
Date: 2008-04-28 13:13:12 -0700 (Mon, 28 Apr 2008)
Log Message:
adding 'console' security constraint to MBeanServerGateway remote object for MBean tests and ds-console, used when running on Websphere with administrative security enabled. Should call setCredentials("bob","bob1") to use this RO.
Modified Paths:
blazeds/branches/3.0.x/qa/apps/qa-regress/WEB-INF/flex/remoting-config.mods.xml
blazeds/branches/3.0.x/qa/apps/qa-regress/WEB-INF/flex/services-config.mods.xml

Hi,
It seems that you were using Hyper-V Remote Management Configuration Utility from the link
http://code.msdn.microsoft.com/HVRemote, if so, you can refer to the following link.
Configure Hyper-V Remote Management in seconds
http://blogs.technet.com/jhoward/archive/2008/11/14/configure-hyper-v-remote-management-in-seconds.aspx
By the way, if you want to perform the further research about Hyper-V Remote Management Configuration Utility, it is recommend that you to get further
support in the corresponding community so that you can get the most qualified pool of respondents. Thanks for your understanding.
For your convenience, I have list the related link as followed.
Discussions for Hyper-V Remote Management Configuration Utility
http://code.msdn.microsoft.com/HVRemote/Thread/List.aspx
Best Regards,
Vincent Hu

How do I bind to directory server with SSL and authentication?

I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a seperate matter.)
Here are the problems:
1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
2) I was never prompted to authenticate for the directory binding.
So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
Thank you.

You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
Cheers,
Vikas

TF215097: An error occurred while initializing a build for build definition : Could not establish trust relationship for the SSL/TLS secure channel

Hello,
We are facing an issue when triggering a new build using TFS 2013 Update 4, VS2013 Update 4 using TFVCTemplate.12.XAML template. All our other older build definitions just work fine but not the TFVCTemplate.12.XAML. It seems to me that some certificate
might be invalidated. Can anyone please point me in the right direction?
Thanks,
Mitul
TF215097: An error occurred while initializing a build for build definition :
Exception Message: One or more errors occurred. (type AggregateException)
Exception Stack Trace: at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFile(TfsTeamProjectCollection projectCollection, String itemPath, Stream outputStream)
at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFileAsString(TfsTeamProjectCollection projectCollection, String itemPath)
at Microsoft.TeamFoundation.Build.Client.ProcessTemplate.Download(String sourceGetVersion)
at Microsoft.TeamFoundation.Build.Hosting.BuildControllerWorkflowManager.PrepareRequestForBuild(WorkflowManagerActivity activity, IBuildDetail build, WorkflowRequest request, IDictionary`2 dataContext)
at Microsoft.TeamFoundation.Build.Hosting.BuildWorkflowManager.TryStartWorkflow(WorkflowRequest request, WorkflowManagerActivity activity, BuildWorkflowInstance& workflowInstance, Exception& error, Boolean& syncLockTaken)
Inner Exception Details:
Exception Message: An error occurred while sending the request. (type HttpRequestException)
Exception Stack Trace: at Microsoft.VisualStudio.Services.WebApi.VssHttpRetryMessageHandler.<SendAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.VisualStudio.Services.WebApi.HttpClientExtensions.<DownloadFileFromTfsAsync>d__2.MoveNext()
Inner Exception Details:
Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)Exception Stack Trace: at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
Inner Exception Details:
Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)
Exception Stack Trace: at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

Hi Mitul,
Thanks for your reply.
It’s strange, if your old build definitions can work using the same TFS Build Server, that indicate your TFS Server configuration is correct and can works. But only new build definition with default TfvcTemplate.12.xaml template cannot build successful.
Please share your TFS Server detailed environment information here. And share your
Build Service Properties dialog screenshot here.
Try to clean the Cache for TFS 2013 manually(delete the content of the folder only, not the cache folder itself):
Clean the Cache folder on Server machine. The folder path is:
C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.
After cleaned, on Server machine, click Start and select
Run… to open the dialog box, then input iisreset.exe and click OK, wait it run completely.
Additionally, you can run the TFS 2013 Power Tools BPA to scan the installation of your TFS Server.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

Hello everyone,
Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
Here's what happens:
1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
http://discussions.apple.com/thread.jspa?messageID=5967023
http://discussions.apple.com/message.jspa?messageID=5982070
these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
Thanks,
Andrew

Hard to tell what is happening without looking at the application
source, knowing what OS & hardware you're using etc. You might want to
try running with different JVM versions to see if it's actually the VM
that is the problem. If you have a support contract with BEA you could
ask support to help you diagnose this.
Regards,
/Helena
Ayub Khan wrote:
I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
seems to happen on loading the machine..the performance progressively gets worse
and after a couple of seconds, all the threads stop responding. I checked the
heap, cpu and the idle threads in the execute queue and there is nothing there
to trigger alarms...there are quite a few idle threads still and the heap and
the cpu utilization seem OK. On doing a thread dump, Is see that all the other
threads seem to be in a state where they are waiting for data from LDAP and it
is basically read only data that they are waiting on.
Does anyone know what it is going on and help point me in the right direction.
-Ayub

How do I reconnect using SSL/TLS security in Dreamweaver using Windows 7?

I am using an old version of Dreamweaver on Windows 7. When I try to upload a file, I get a message saying that I need to reconnect using SSL/TLS security mechanisms. Is this a setting in Dreamweaver or Windows 7? Thanks for any help or suggestions.

It sounds like it is a requirement of the server, not Dreamweaver or Windows7
Dreamweaver, even older versions, can connect using both FTP and SFTP. But SSL/TLS are on the HTTP protocol, not FTP, so I don't understand why you would get such an error using DW file upload.

WSUS Sync is not working Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --- System.Security.Authentication.AuthenticationException: The remote

I know there are loads of posts with same issue and most of them were related to proxy and connectivity .
This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
server is configured on http port 80
ERROR
Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid
according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
I've checked proxy server connectivity. I'm able browse following site from WSUS server
http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
I did telnet proxy server on the particular port (8080) and that is also fine.
I've doubt on certificates, any idea which are the certificates which we need to look? And if certificate is expired then (my guess) we won't be able open the above mentioned windows update catalog site?
Any tips appreciated !
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM

Hi Lawrence ! - Many thanks for looking into this thread and replying. Appreciate your help.
Your reply ("SSL is enabled/configured, and the certificate being used is invalid
(or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with proxy server configured on port (8080) and WSUS server on port 80.
My Guess (this is my best guess ;)) is this something to do with Firewall or Proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to proxy/firewall team. From their perspective all the required port communication open and
proxy server is also reachable. More over we're able to access internet (Microsoft Update Catalog site) over same port (8080).
Any other hints where I can prove them it's a sure shot problem from their side.
Thanks again !!
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM

Mail Delivery System Errors and Securing/Protecting agains spam

Good morning all.
This morning I started recieving these:
          From: Mail Delivery System <[email protected]>
          Subject: [It] Postfix SMTP server: errors from imr-mb02.mx.aol.com[64.12.207.163]
          Date: November 18, 2011 8:51:23 AM EST
          To: Postmaster <[email protected]>
Transcript of session follows.
Out: 220 mail.cotaoil.com ESMTP Postfix
In: EHLO imr-mb02.mx.aol.com
Out: 250-mail.cotaoil.com
Out: 250-PIPELINING
Out: 250-SIZE
Out: 250-VRFY
Out: 250-ETRN
Out: 250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI
Out: 250-AUTH=LOGIN PLAIN CRAM-MD5 GSSAPI
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL From:<[email protected]> SIZE=3485
Out: 250 2.1.0 Ok
In: RCPT To:<[email protected]> ORCPT=rfc822;[email protected]
Out: 451 4.3.5 Server configuration error
In: DATA
Out: 554 5.5.1 Error: no valid recipients
In: RSET
Out: 250 2.0.0 Ok
In: QUIT
Out: 221 2.0.0 Bye
How this started:
Over the past couple of days to approx a week, I have seen a massive influx of Spam on our server. Spam coming in on random ex employee names that no longer work for the company.
Previous to the spam, I turned on "forward un-deliverable mail to" and set to me. The CEO was missing emails because people were not spelling his name correctly. I have actually been able tyo catch a lot of employee emails some important, others not.
In trying to make the mail server more secure, one of the features I tried to turn on was SMTP Client Restrictions, Which broke SMTP for my users. Obviously the error is mine and I need to do more research, but love some feedback on what needs to be set on the server and clients for SMTP client restrictions to work.
I know THE HOFF (mr hoffman) had information at some point to help users secure postfix, can anyone point me in the right direction, as well as any tips here on how to stop the influx of spam?
pstconf -n is here:
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps =
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
maximal_queue_lifetime = 2d
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost, mail.cotaoil.com, cotaoil.com, $mydomain
mydomain = mail.cotaoil.com
mydomain_fallback = localhost
myhostname = mail.cotaoil.com
mynetworks = 127.0.0.0/8,192.1.1.10,192.1.1.11
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/imap/dovecot/mail
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_password_maps =
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr reject_rbl_client zen.spamhaus.org permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = cram-md5,gssapi,login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks   reject_unknown_recipient_domain reject_unknown_sender_domain reject_invalid_hostname reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/mail.cotaoil.com.8F44026B8E7E908CEDAAD718F486D91C8FCD693E.cha in.pem
smtpd_tls_cert_file = /etc/certificates/mail.cotaoil.com.8F44026B8E7E908CEDAAD718F486D91C8FCD693E.cer t.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/mail.cotaoil.com.8F44026B8E7E908CEDAAD718F486D91C8FCD693E.key .pem
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
mail:~ administrator$

I am not certain what you mean by immediately removing the 192.1.1.10 and 192.1.1.11, AIX servers that I use to relay admin emails to an IT address here. Some sort of a gateway implemented on a pair of IBM boxes, I might presume.
192.1.1.0/24 is in a public address space that you don't have assigned (unless you're BBN). If that IP routing leaks out, then some folks can get cranky. Or should you eventially need to contact hosts within the address space of the "real" occupants of 192.1.1.0/24, routing won't necessarilt play nice. There may well be a static IP route here, depending on the details of the router configuration, as otherwise that IP traffic would be going to BBN and not to those servers. The Internet works because folks play by the rules, when working with IP routing and DNS services. And if your predecessor used this address space (and not the likely 192.168.0.0/16 block), I'd look around to see if there were other unusual network configuration choices.
TCP port 25 is the server-to-server mail port. That's the main connection used among mail servers. Blocking that has the effect that you've discovered.
It's the clients that can also use that port that need to be relocated off the port, as the clients don't have the reverse DNS and related tests that would allow them access to that port, with various common server security configurations.
Open TCP 587 at the firewall and ensure that this port is active at the mail server host, as a starting point. You can test that with (among other tools) with a remote "telnet your.mail.server.host.name 587" command or similar; that's a primitive (but effective) (common) port test.
With the Apple Mail client, make sure the SMTP server is configured to use the default SMTP ports. Mail > Preferences > Account > Account Information > Edit SMTP Server > select the target SMTP server > Advanced > select "use the default ports (25, 465, 587)" and consider using SSL and authentication. (Apple Mail tries a few ports automatically, so the set-up can be different than other clients.)
I don't have enough space here for a full write-up on how mail or IP works, and setting up an arbitrary mail client or an IP network can be an adventure; I assumed the Apple mail client in the above. See the user collaboration services disscussion of mail services in the Mac OS X Server Advanced Administration manual as some background. (And if this stuff all looks a little cryptic, that's understandable, and you might want to consider getting some set-up help or consider moving to hosted mail services and making this stuff somebody else's problem.)

SSL and security-constraints

Similar Messages

Maybe you are looking for