SSL CA Cert with Teaming / Netstorage / GW Webaccess
Have a new OES server in which we'll be migrating Groupwise to, as well as installing Teaming and Netstorage.
Running SLES10 SP3 and OES2 SP2.
I'd like to use a wildcard cert from Digicert. I saw a bit about this in OES documentation re: Apache. But on Digicert's site, it says there's a different install for Tomcat also. A rep from Digicert said (without knowing too much about the apps I'm running), that I'd need to purchase one wildcard cert, then create a CSR for both Apache and Tomcat, then install cert to each. He wasn't positive though.
Any help? and/or better documentation than the OES manual?
thanks
bertbrand,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/
Similar Messages
-
We have a Certificate Authority (Version: 5.2.3790.3959) configured on Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
Currently i am only able to generate SSL cert with md5RSA.Hi,
Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
Therefore, you need to build a new CA to use a new algorithm.
More information for you:
Is it possible to change the hash algorithm when I renew the Root CA
http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
Changing public key algorithm of a CA certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
modify CA configuration after Migration
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
Best Regards,
Amy Wang -
Ssl-handshake fails with scandinavian chars in client certificate
Hello,
We've run into a problem with 2-way-ssl and certificates that have scandinavian
characters in the subject. The problem cert is used as client-certificate for
authentication and it goes like this:
1. Client surfs with http in our site, until clicks https-link that will immediately
start the ssl-handshake
2. Server presents it's trusted cert-list fine
3. PIN is being asked fine
4. Next the request processing stops on the exception below and nothing will happen
on the client side.
Certs without these äöå -chars work fine, so our guess is that they cause it,
but the certs ought to be according to specs: name-fields encoding is UTF-8 according
to RFC 2459 from year 1999. A failing example-cert is also below.
Would this be a problem with the certificate rather than BEA-implementation?
Same behavior on Windows and Solaris Weblogic 8.11 as such and with SP2 (and with
sp2 + CASE_ID_NUM: 501454 hotfix).
Best Regards,
Igor Styrman
<avalable(): 20303264 : 0 + 0 = 0>
<write ALERT offset = 0 length = 2>
<SSLIOContextTable.removeContext(ctx): 1765100>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <Filtering JSSE
SSLSocket>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.addContext(ctx):
6487148>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLSocket will
be Muxing>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.findContext(is):
11153746>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL Version 2 with no padding>
<21647856 SSL3/TLS MAC>
<21647856 received SSL_20_RECORD>
<HANDSHAKEMESSAGE: ClientHelloV2>
<write HANDSHAKE offset = 0 length = 58>
<write HANDSHAKE offset = 0 length = 1789>
<Converting principal: OU=Class 4 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: CN=SHP ROOT CA, O=SHP, C=FI>
<Converting principal: CN=topsel, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=SatShp CA, O=Satakunnan sairaanhoitopiiri, C=FI>
<Converting principal: OU=Class 1 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: [email protected], CN=Thawte Personal
Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<Converting principal: CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
<Converting principal: [email protected], CN=Thawte Server
CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western
Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Personal
Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte Premium
Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
Town, ST=Western Cape, C=ZA>
<Converting principal: OU=Secure Server Certification Authority, O="RSA Data Security,
Inc.", C=US>
<Converting principal: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore,
C=IE>
<Converting principal: CN=Fujitsu Test CA, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=PSHP CA, O=Pirkanmaan sairaanhoitopiiri, C=FI>
<Converting principal: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
O=Baltimore, C=IE>
<Converting principal: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US>
<write HANDSHAKE offset = 0 length = 2409>
<write HANDSHAKE offset = 0 length = 4>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL3/TLS MAC>
<21647856 received HANDSHAKE>
<HANDSHAKEMESSAGE: Certificate>
PM EEST> <Error> <Kernel> <> <satshpeduServer> <ExecuteThread: '14' for queue:
'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest failed
java.lang.NullPointerException: Could not set value for ASN.1 string object..
java.lang.NullPointerException: Could not set value for ASN.1 string object.
at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeString(Unknown Source)
at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIDFm/PMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkZJ
MRwwGgYDVQQKExNGdWppdHN1IFNlcnZpY2VzIE95MRgwFgYDVQQDEw9GdWppdHN1
IFRlc3QgQ0EwHhcNMDQwNjAyMTE1MjE4WhcNMDYwNjAyMTIyMjE4WjB3MQswCQYD
VQQGEwJGSTEQMA4GA1UEChMHRnVqaXRzdTEgMB4GA1UEAwwXSMO2bG3DtmzDpGlu
ZW4gw4VrZSAwMDExDDAKBgNVBAUTAzAwMTEXMBUGA1UEBAwOSMO2bG3DtmzDpGlu
ZW4xDTALBgNVBCoMBMOFa2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO44
Zm31uJb8048/6PByPyXzaW3gCz1mT02TuwVtjMRJ4ObbFCqMGC+YosA2kNKoW0Ef
C+YlKNqhvaid0bATQefdSHVQhzFL3HFIfZc3ONAJQ/U+I6W69r2JePoCvZppknmC
YrnCCDx3Ap27B7v57f/XTmdpiB8IdiCTl3PnV78PAgMBAAGjggFEMIIBQDAfBgNV
HSMEGDAWgBT8T+xYc3T6j89O8cZ4hC9r1e9DojAdBgNVHQ4EFgQUtS4z8K26uW2d
IeJ3aelDnqnkBnYwCwYDVR0PBAQDAgSwMFMGA1UdEQRMMEqgKwYKKwYBBAGCNxQC
A6AdDBtha2UuaG9sbW9sYWluZW5AZnVqaXRzdS5jb22BG2FrZS5ob2xtb2xhaW5l
bkBmdWppdHN1LmNvbTB9BgNVHR8EdjB0MHKgcKBuhmxsZGFwOi8vMjEyLjI0Ni4y
MjIuMTQyOjM4OS9DTj1GdWppdHN1JTIwVGVzdCUyMENBLE89RnVqaXRzdSUyMFNl
cnZpY2VzJTIwVGVzdCxDPUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwHQYD
VR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAZ
KV3Og/y6zUOMwZGswUxAne5fe4Ab70bmX+z49MVeA0dfdQwQdR9GwFVF+fcK+q0T
3Lmcwpm5KiHWYoIOxPb6MqTTWxV7HSXWr7A7P4BbTGxsujpUULcmQGQFAd69R0Ur
JFDwYnDEP2+4RzrvlP6AWspyHJePYmCt9h3JfxYAqVLTL0suO1uh8hgtStujmqsI
0WNCfnQ+sURdDzp6WpVFcxFQa5aAcyx9sWWqV5Ta5l6JTCmoHth7qoV3BtUKv4+z
SqIHKA1ixrvlhqWkjYxg51N6ihbbR5shBRRinAqRIQjTzXmun2wJzwNigt4zWiNg
tvrGCMOrvrb5QTxVtLNr
-----END CERTIFICATE-----BMPString is another asn1 type that can be used for certificate attributes with
non-ascii characters. The workaround is simply to use the BMPString instead of
UTF8String for that subject name attribute in the certificate request. This off-course
assumes that you can replace the certificate, and have control over what asn1
type is used for the subject name attributes in the certificate request (via a
tool options, or by generating the request yourself), so it is probably not applicable.
Pavel.
"Ari Räisänen" <[email protected]> wrote:
>
Thanks again, Pavel!
I'm filing a support case about this. You talked about a workaround (BMPString).
Could you be more spesific? I haven't talked about this issue with Igor
yet.
Regards,
Ari
"Pavel" <[email protected]> wrote:
Sounds like a bug in certicom code. It should support UTF8String.
I'd file a support case.
You might be able to use BMPString instead as a workaround.
Pavel.
"Igor Styrman" <[email protected]> wrote:
Hello,
We've run into a problem with 2-way-ssl and certificates that have
scandinavian
characters in the subject. The problem cert is used as client-certificate
for
authentication and it goes like this:
1. Client surfs with http in our site, until clicks https-link thatwill
immediately
start the ssl-handshake
2. Server presents it's trusted cert-list fine
3. PIN is being asked fine
4. Next the request processing stops on the exception below and nothing
will happen
on the client side.
Certs without these äöå -chars work fine, so our guess is that they
cause it,
but the certs ought to be according to specs: name-fields encoding
is
UTF-8 according
to RFC 2459 from year 1999. A failing example-cert is also below.
Would this be a problem with the certificate rather than BEA-implementation?
Same behavior on Windows and Solaris Weblogic 8.11 as such and withSP2
(and with
sp2 + CASE_ID_NUM: 501454 hotfix).
Best Regards,
Igor Styrman
<avalable(): 20303264 : 0 + 0 = 0>
<write ALERT offset = 0 length = 2>
<SSLIOContextTable.removeContext(ctx): 1765100>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <Filtering
JSSE
SSLSocket>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.addContext(ctx):
6487148>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLSocket
will
be Muxing>
PM EEST><SSLListenThread.Default> <<WLS Kernel>> <> <000000> <SSLIOContextTable.findContext(is):
11153746>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL Version 2 with no padding>
<21647856 SSL3/TLS MAC>
<21647856 received SSL_20_RECORD>
<HANDSHAKEMESSAGE: ClientHelloV2>
<write HANDSHAKE offset = 0 length = 58>
<write HANDSHAKE offset = 0 length = 1789>
<Converting principal: OU=Class 4 Public Primary Certification Authority,
O="VeriSign,
Inc.", C=US>
<Converting principal: CN=SHP ROOT CA, O=SHP, C=FI>
<Converting principal: CN=topsel, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust
Solutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=SatShp CA, O=Satakunnan sairaanhoitopiiri,
C=FI>
<Converting principal: OU=Class 1 Public Primary Certification Authority,
O="VeriSign,
Inc.", C=US>
<Converting principal: [email protected], CN=Thawte
Personal
Basic CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape
Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte
Personal
Freemail CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: OU=Class 3 Public Primary Certification Authority,
O="VeriSign,
Inc.", C=US>
<Converting principal: CN=GTE CyberTrust Root, O=GTE Corporation, C=US>
<Converting principal: [email protected], CN=Thawte
Server
CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape
Town, ST=Western
Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte
Personal
Premium CA, OU=Certification Services Division, O=Thawte Consulting,
L=Cape Town,
ST=Western Cape, C=ZA>
<Converting principal: [email protected], CN=Thawte
Premium
Server CA, OU=Certification Services Division, O=Thawte Consultingcc,
L=Cape
Town, ST=Western Cape, C=ZA>
<Converting principal: OU=Secure Server Certification Authority, O="RSA
Data Security,
Inc.", C=US>
<Converting principal: CN=Baltimore CyberTrust Root, OU=CyberTrust,O=Baltimore,
C=IE>
<Converting principal: CN=Fujitsu Test CA, O=Fujitsu Services Oy, C=FI>
<Converting principal: CN=GTE CyberTrust Root 5, OU="GTE CyberTrustSolutions,
Inc.", O=GTE Corporation, C=US>
<Converting principal: CN=PSHP CA, O=Pirkanmaan sairaanhoitopiiri,
C=FI>
<Converting principal: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust,
O=Baltimore, C=IE>
<Converting principal: OU=Class 2 Public Primary Certification Authority,
O="VeriSign,
Inc.", C=US>
<write HANDSHAKE offset = 0 length = 2409>
<write HANDSHAKE offset = 0 length = 4>
<SSLFilter.isActivated: false>
<isMuxerActivated: false>
<SSLFilter.isActivated: false>
<21647856 readRecord()>
<21647856 SSL3/TLS MAC>
<21647856 received HANDSHAKE>
<HANDSHAKEMESSAGE: Certificate>
PM EEST> <Error> <Kernel> <> <satshpeduServer> <ExecuteThread: '14'
for queue:
'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest
failed
java.lang.NullPointerException: Could not set value for ASN.1 string
object..
java.lang.NullPointerException: Could not set value for ASN.1 string
object.
at com.certicom.security.asn1.ASN1String.setValue(Unknown Source)
at com.certicom.security.asn1.ASN1String.setBufferTo(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeString(UnknownSource)
at com.certicom.security.asn1.ASN1String.decode(Unknown Source)
at com.certicom.security.pkix.AttributeTypeAndValue.decodeContents(Unknown
Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.asn1.ASN1SetOf.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
at com.certicom.security.asn1.DERInputStream.decodeSetOf(Unknown Source)
at com.certicom.security.asn1.ASN1SetOf.decode(Unknown Source)
at com.certicom.security.asn1.ASN1SequenceOf.decodeContents(Unknown
Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.pkix.Name.decodeContents(Unknown Source)
at com.certicom.security.asn1.ASN1Choice.decode(Unknown Source)
at com.certicom.security.pkix.TBSCertificate.decodeContents(Unknown
Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.pkix.Certificate.decodeContents(Unknown Source)
at com.certicom.security.asn1.DERInputStream.decodeStructured(Unknown
Source)
at com.certicom.security.asn1.DERInputStream.decodeSequence(Unknown
Source)
at com.certicom.security.asn1.ASN1Sequence.decode(Unknown Source)
at com.certicom.security.asn1.ASN1Type.decode(Unknown Source)
at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown
Source)
at com.certicom.tls.record.handshake.MessageCertificate.<init>(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeMessage.create(Unknown
Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown
Source)
at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown
Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown
Source)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:514)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIDFm/PMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkZJ
MRwwGgYDVQQKExNGdWppdHN1IFNlcnZpY2VzIE95MRgwFgYDVQQDEw9GdWppdHN1
IFRlc3QgQ0EwHhcNMDQwNjAyMTE1MjE4WhcNMDYwNjAyMTIyMjE4WjB3MQswCQYD
VQQGEwJGSTEQMA4GA1UEChMHRnVqaXRzdTEgMB4GA1UEAwwXSMO2bG3DtmzDpGlu
ZW4gw4VrZSAwMDExDDAKBgNVBAUTAzAwMTEXMBUGA1UEBAwOSMO2bG3DtmzDpGlu
ZW4xDTALBgNVBCoMBMOFa2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAO44
Zm31uJb8048/6PByPyXzaW3gCz1mT02TuwVtjMRJ4ObbFCqMGC+YosA2kNKoW0Ef
C+YlKNqhvaid0bATQefdSHVQhzFL3HFIfZc3ONAJQ/U+I6W69r2JePoCvZppknmC
YrnCCDx3Ap27B7v57f/XTmdpiB8IdiCTl3PnV78PAgMBAAGjggFEMIIBQDAfBgNV
HSMEGDAWgBT8T+xYc3T6j89O8cZ4hC9r1e9DojAdBgNVHQ4EFgQUtS4z8K26uW2d
IeJ3aelDnqnkBnYwCwYDVR0PBAQDAgSwMFMGA1UdEQRMMEqgKwYKKwYBBAGCNxQC
A6AdDBtha2UuaG9sbW9sYWluZW5AZnVqaXRzdS5jb22BG2FrZS5ob2xtb2xhaW5l
bkBmdWppdHN1LmNvbTB9BgNVHR8EdjB0MHKgcKBuhmxsZGFwOi8vMjEyLjI0Ni4y
MjIuMTQyOjM4OS9DTj1GdWppdHN1JTIwVGVzdCUyMENBLE89RnVqaXRzdSUyMFNl
cnZpY2VzJTIwVGVzdCxDPUZJP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3QwHQYD
VR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQAZ
KV3Og/y6zUOMwZGswUxAne5fe4Ab70bmX+z49MVeA0dfdQwQdR9GwFVF+fcK+q0T
3Lmcwpm5KiHWYoIOxPb6MqTTWxV7HSXWr7A7P4BbTGxsujpUULcmQGQFAd69R0Ur
JFDwYnDEP2+4RzrvlP6AWspyHJePYmCt9h3JfxYAqVLTL0suO1uh8hgtStujmqsI
0WNCfnQ+sURdDzp6WpVFcxFQa5aAcyx9sWWqV5Ta5l6JTCmoHth7qoV3BtUKv4+z
SqIHKA1ixrvlhqWkjYxg51N6ihbbR5shBRRinAqRIQjTzXmun2wJzwNigt4zWiNg
tvrGCMOrvrb5QTxVtLNr
-----END CERTIFICATE----- -
Deploy Trusted Cert with the deployment J2SE Runtime Environment 5.0
I want to deploy J2SE Runtime Environment 5.0 Update 2.msi using active directory. I have tested my deployment and all is good, now I want to know how to deploy a trusted cert with the the deployment of J2SE Runtime Environment 5.0 Update 2.msi. I am using active directory for the deployment. I do not know much about Java or cert, but want my users not to have to grant permission to the only cert we have on ouir web page the first time they hit the page.
Is there a way to pre-answer the Grant always box for the cert we have. I hope I have asked the question correctly. Thank in advance.Hello, I've inserted the following content
#Thu Sep 15 11:36:07 CEST 2005
deployment.system.security.trusted.certs=C\:\\temp\\SSL_applet\\client.com
deployment.system.security.trusted.jssecerts=C\:\\temp\\SSL_applet\\client.com
deployment.system.security.trusted.cacerts=C\:\\temp\\SSL_applet\\client.com
deployment.system.security.trusted.jssecacerts=C\:\\temp\\SSL_applet\\client.com
deployment.system.security.trusted.clientcerts=C\:\\temp\\SSL_applet\\client.com
to the file:
C:\Documents and Settings\UserName\Application Data\Sun\Java\Deployment\deployment.config
When a signed applet is opened I get:
security: Loading Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts
security: Loaded Root CA certificates from C:\PROGRA~1\Java\JRE15~1.0_0\lib\security\cacerts
security: Loading Deployment certificates from C:\temp\SSL_applet\client.com
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(Unknown Source)
at com.sun.deploy.security.DeploySigningCertStore$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeploySigningCertStore.load(Unknown Source)
at com.sun.deploy.security.DeploySigningCertStore.load(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at sun.plugin.security.PluginClassLoader.getPermissions(Unknown Source)
at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$100(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)All fine and dandy you can specify your own keystore to be used but no where
to give it a storepass so you can use it.
Can someone tell me how to use my own keystore for SSL auth, trust and
signature trust that WILL work.
Setting the system property in an applet won't auth and or trust SSL:
System.setProperty("javax.net.ssl.keyStore", "file:/C:/temp/SSL_applet/client.com");
System.setProperty("javax.net.ssl.keyStorePassword", "storepass");
System.setProperty("javax.net.ssl.keyStoreType","JKS");
System.setProperty("javax.net.ssl.trustStore", "file:/C:/temp/SSL_applet/client.com");
System.setProperty("javax.net.ssl.trustStorePassword", "storepass");
System.setProperty("javax.net.ssl.trustStoreType","JKS");Ends up with a trace telling me cacerts wil be opened, client.com is never used.
C:\Documents and Settings\UserName\Application Data\Sun\Java\Deployment\security\trusted.jssecerts
Googling for the combination of
site:sun.com "deployment.system.security.trusted.certs" password
will give me no results. Searching the entire web won't do much either.
Anyway, assuming the password is changit will end up with an unpleasent
surprise after installing a new version jre.
Because SUN actually changed it in 1.5
Anything short of the programmer loading a keystore when an applet is run
will not work.
This is not good enough, is there a way for administrators to use their own
keystore and give it a password so a jre update won't screw up everything? -
File/Directory Sharing With Team Members
Is file/directory sharing with team members going to be added or should I be using dropbox or some other utility to provide this functionality? This would seem like a MANDATORY requirement for teams that are geographically dispersed such as mine. Of course a versioning system on top of this would also be of great help.
Comments?There are various threads around here regarding this.
Some examples:
Eric_v3
How do I share a folder in creative cloud, I know how to share individual files..
http://forums.adobe.com/thread/1207446?tstart=870
Jorgen K
Creative Cloud does not allow me to share files
http://forums.adobe.com/message/5632926#5632926
kakluttz
How do I share files via cloud with my teammates?
http://forums.adobe.com/thread/1152807?tstart=330
Conclusion: Right now you could as well use Dropbox or similar services…
Uwe -
How to implement SSL for Portal with ADS (for Adobe besed MSS Application)
Hi Experts,
What is the Minimum setting is required to implement the SSL for Portal with ADS.
Http is working fine with Portal with ADS and R/3 for Adobe Based MSS Form.
Please let me know.
Regards
AliRajat,
Nice to see your reply...
Could you please write me the steps how to do that.
I would like to implement SSL only in portal. So is that mandatory to implement the SSL in ADS and R/3 too.
Please what are the minimum setting is required.
Sure points will be rewarded
Regards
Ali -
CSA 5.1 Agent Installation on Microsoft Clusters with Teamed Broadcom NICs
I'm searching all over Cisco.com for information on installing CSA 5.1 agent on Microsoft Clusters with Teamed Broadcom NICs, but I can't find any information other than "this is supported" in the installation guide.
Does anyone know if there is a process or procedure that should be followed to install this? For example, some questions that come to mind are:
- Do the cluster services are needed to be stopped?
- Should the cluster be broken and then rebuilt?
- Is there any documentation indicating this configuration is approved by Microsoft?
- Are there case studies or other documentation on previous similar installations and/or lessons learned?
Thanks in advance,
KenKen, you might just end up being the case study! Do you have a non-production cluster to with?
If not and you already completed pilot testing, you probably have an idea of what you want to do with the agent. Do you have to stop the cluster for other software installations? I guess you might ask MS about breaking the cluster it since it's their cluster.
The only caveat I've seen with teamed NICs is when the agent tries to contact the MC it may timeout a few times. You could probably increase the polling time if this happens.
I'd create an agent kit that belongs to a group in test mode with minimal or no policies attached to test first and install it on one of the nodes. If that works ok you could gradually increase the policies and rules until you are comfortable that it is tuned correctly and then switch to protect mode.
Hope this helps...
Tom S -
Problem with Team Calendar from Create Leave Request
Hi Expert,
We are facing following 2 issues with Team Calendar-
1) When manager checks Team Calendar from create leave request he gets a warning message 'No team set up for the user in the selection period.Contact Administrator'
I know this issue has been reported earlier as well but i didn't find the thread where it has been answered correctly.
- OADP configuration is correct.
- Manager is head of org unit.
- Also IT105 exist for manager as well as employees.
We are currently checking on authorization side for this.
2) Team Calendar is showing leave details only for the current month. If we navigate to previous month it does not show anything even though there exist leave data for the given month.
Please suggest if we are missing something.
Thanks & regards,
AvinashHi Nagendra,
I dont remember the exact auth object but ask security team to apply trace for the user id and identify the same.
Also i would suggest you to check following setting before checking authorizations-
Get the Group of Organizational Views applicable for rule group in your case from following path
SAP Customizing Implementation Guide--> Personnel Management-->Manager Self-Service (Web Dynpro ABAP)--> Service Specific Settings-->Working Time--> Team Calendar--> Select Employees:
After getting Group of Org View Check the Evaluation path used in OADP configuration.
Please check if the evaluation path is correct as per your requirement.
Regards,
Avinash -
Security Manager on server with teamed NICs ?
Can anyone confirm that Security Manager will run on server with teamed NICs (i.e. 2 physical connections, but 1 logical IP address) ?
I ask because the data sheet for Security Manager 3.0.1 states :-
"100BASE-T (100 Mbps) or faster network connection; single interface only". and
"One static IP address".
I already have a server that meets all the specs, but it has dual NICs to dual switches for resilience, teamed together with a single IP. The Cisco document is open for interpretation, so has anyone got a definitive answer or is running a setup like this already ?
Thanks.
Mark.It's recommended that you can use only one interface when installing CSM. However, if the second interface is using the same IP it should not be a problem.
-
Remote Desktop Services Single SSL Cert with multiple hosts
I am trying to use a single SSL Cert from a third party issuer. I have 3 servers in my deployement all are 2012R2. One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role. The other 2 are
RD Session Hosts. I have the SSL cert for the server that has the Gateway and other roles. My deployement is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL. It works currently with the
exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match. Is anyone else using a similar setup and had success with it? I am trying
to avoid buying an expensive wildcard cert to cover all of them.Hi,
Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC. To do this, log on to RD Web Access using IE, right-click and choose View Source. Find the goRDP function for the icon you want to examine and copy
the text between the ' marks. Next paste this into the escape text box the below page:
http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
Click complete unescape to get the plain text version. After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file. Once you have the .rdp file created you can compare
it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
Thanks.
-TP -
SSL LLE together with Cert-C PKI Encryption
I could successfully set up LLE encrytion for WSL without Cert-C or message encrpytion with Cert-C plugin. But could not mange to get them both working in the same application.
I am using Tuxedo10.3 + OpenLDAP on RH5.
Native client tpinit gives me tpinit failure and in ULOG I see LIBTUX_CAT:6657: ERROR: Could not copy SSL context, err = -1
Encrpyted PKCS8 private key dont work for me with Cert-C. SEC_PRINCIPAL_PASSVER and decPassword attribute for cert-c/key_manager didnt change anything and finaly i used unencrypted PK.
ULOG ---------------------------------8<----------------------------------------------------------------
173342.730.borjomi!WSH.14905.3086448320.0: 09-17-2010: Tuxedo Version 10.3.0.0, 32-bit
173342.730.borjomi!WSH.14905.3086448320.0: PIFREG: instantiate(intf=engine/pif/registry, impl=registry.so, flags=0
173342.730.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/map_proof, alias=bea/mapfile)
173342.731.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=native/security/authentication)
173342.731.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=bea/native/atn)
173342.732.borjomi!WSH.14905.3086448320.0: PIFREG: instantiate(intf=engine/pif/registry, impl=registry.so, flags=0
173342.732.borjomi!WSH.14905.3086448320.0: PIFREG: destroy(priv=0x8199ee0)
173342.732.borjomi!WSH.14905.3086448320.0: WSNAT_CAT:1030: INFO: Work Station Handler joining application
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/map_proof, alias=native/security/map_proof)
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/pk_initialization, alias=native/security/pk_initialization)
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/pk_initialization, alias=bea/native/pkifile)
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=ws/security/authentication)
173342.734.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=bea/ws/atn)
173342.739.borjomi!?proc.14904.3086374592.0: 09-17-2010: Tuxedo Version 10.3.0.0, 32-bit
173342.739.borjomi!?proc.14904.3086374592.0: PIFREG: instantiate(intf=engine/pif/registry, impl=registry.so, flags=0
173342.739.borjomi!?proc.14904.3086374592.0: PIFREG: GetAlias(intf=engine/security/map_proof, alias=bea/mapfile)
173342.740.borjomi!?proc.14904.3086374592.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=ws/security/authentication)
173342.740.borjomi!?proc.14904.3086374592.0: PIFREG: GetAlias(intf=engine/security/authentication, alias=bea/ws/atn)
173342.744.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/key_management, alias=native/security/key_management)
173342.751.borjomi!WSH.14905.3086448320.0: INFO: CERTDBG level is 255
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG:{ _ep_dl_certc_key_management()
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: regData: privateKeyDir=file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: regData: decPassword=password
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: { parseFileURL(dir file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/)
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: return file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: } parseFileURL(50) return EE_SUCCESS
173342.751.borjomi!WSH.14905.3086448320.0: CCDBG: Using Private keys in directory /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/
173342.751.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/certificate_lookup, alias=native/security/certificate_lookup)
173342.760.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/certificate_parsing, alias=native/security/certificate_parsing)
173342.760.borjomi!WSH.14905.3086448320.0: INFO: CERTDBG level is 255
173342.760.borjomi!WSH.14905.3086448320.0: CCDBG: { _e_dl_certc_certificate_parsing()
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: } edl_certc_certificate_parsing(30), returns 0
173342.761.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/certificate_validation, alias=native/security/certificate_validation)
173342.761.borjomi!WSH.14905.3086448320.0: PIFREG: GetAlias(intf=engine/security/certificate_validation, alias=bea/cert-c/certificate_validation)
173342.761.borjomi!WSH.14905.3086448320.0: INFO: CERTDBG level is 255
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { _ep_dl_certc_validate_certificate()
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: Trusted CA file file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: CRL file file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/my_crl.der
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { parseFileURL(dir file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der)
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: return file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: } parseFileURL(50) return EE_SUCCESS
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { parseFileURL(dir file:///home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/my_crl.der)
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: return file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/my_crl.der
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: } parseFileURL(50) return EE_SUCCESS
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { validate_init()
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: { addCertFromFileToList(fname /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der)
173342.761.borjomi!WSH.14905.3086448320.0: CCDBG: open file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/camyapp_crt.der, read 537 of bytes
173342.762.borjomi!WSH.14905.3086448320.0: CCDBG: } addCertFromFileToList(50) return 0
173342.762.borjomi!WSH.14905.3086448320.0: CCDBG: open file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/my_crl.der, read 279 of bytes
173342.762.borjomi!WSH.14905.3086448320.0: CCDBG: } validate_init(140) return SUCCESS
173342.762.borjomi!WSH.14905.3086448320.0: CCDBG: } epdl_certc_validate_certificate(80) return SUCCESS
173342.797.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_trust(principal myapp)
173342.797.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_trust(50) return SUCCESS
173342.797.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_get_issuer_name()
173342.797.borjomi!WSH.14905.3086448320.0: issuer dn (81 bytes):
173342.797.borjomi!WSH.14905.3086448320.0: 30 4f 31 10 30 0e 06 03 55 04 03 13 07 63 61 6d 0O1.0...U....cam
173342.797.borjomi!WSH.14905.3086448320.0: 79 61 70 70 31 0e 30 0c 06 03 55 04 0b 13 05 54 yapp1.0...U....T
173342.797.borjomi!WSH.14905.3086448320.0: 69 65 74 6f 31 0d 30 0b 06 03 55 04 07 13 04 52 ieto1.0...U....R
173342.797.borjomi!WSH.14905.3086448320.0: 69 67 61 31 0f 30 0d 06 03 55 04 08 13 06 4c 61 iga1.0...U....La
173342.797.borjomi!WSH.14905.3086448320.0: 74 76 69 61 31 0b 30 09 06 03 55 04 06 13 02 4c tvia1.0...U....L
173342.797.borjomi!WSH.14905.3086448320.0: 56 V
173342.797.borjomi!WSH.14905.3086448320.0: CCDBG: { getNameFromNameObject()
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: avaCount 5
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: valueTag PRINTABLE STRING
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: type = 55, 4, 55
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: name camyapp, 0x81ccb40
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: } getNameFromNameObject(40) return SUCCESS
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: issuer name is camyapp
173342.798.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_get_issuer_name(60) return 0
173342.836.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_trust(principal camyapp)
173342.836.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_trust(40) return TRUSTED
173342.836.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_open_private(cd 0x81cd260, principal myapp, location /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/myapp.der)
173342.836.borjomi!WSH.14905.3086448320.0: CCDBG: req_usage 0x2, cd->cds_usage 0x2
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: open file /home/uldisa/trunk/src/cs.test.tuxq_crypt--dev/myapp.der, read 634 of bytes
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: got the key info for type 0
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: private key 0x81cbdf0, *keyp 0x81cbdf0
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_open_private(70) return SUCCESS
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_open_public(cd 0x81cd260, principal myapp, req_usage 0x2)
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: public key match type 0
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: public key 0x81d19c8, *keyp 0x81d19c8
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_open_public(70) return SUCCESS
173342.837.borjomi!WSH.14905.3086448320.0: CCDBG: { certc_validate(principal myapp)
173342.840.borjomi!WSH.14905.3086448320.0: CCDBG: } certc_validate(100) return SUCCESS
173342.848.borjomi!WSH.14905.3086448320.0: LIBTUX_CAT:6657: ERROR: Could not copy SSL context, err = -1
173342.848.borjomi!WSH.14905.3086448320.0: LIBTUX_CAT:6741: ERROR: SSL error -1
173342.848.borjomi!WSH.14905.3086448320.0: LIBTUX_CAT:6633: ERROR: Could not create SSL context on accept
173344.852.borjomi!?proc.14904.3086374592.0: LIBWSC_CAT:1032: ERROR: Failed to receive expected reply
173344.852.borjomi!?proc.14904.3086374592.0: LIBWSC_CAT:2003: ERROR: Unable to get reply to gssapi token message
---------------------------------8<----------------------------------------------------------------
Test setup script:
---------------------------------8<----------------------------------------------------------------
LDAP_HOST=10.57.5.167
LDAP_PORT=8080
LDAP_ROOTDN="dc=com"
LDAP_BASEDN="cn=Manager,$LDAP_ROOTDN"
LDAP_PASSWORD="password"
## Create openssl config
cat <<EOF >openssl.cfg
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = . # top dir
database= index.txt
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # md to use
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
encrypt_rsa_key = no
default_md = md5
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
[ req_distinguished_name ]
EOF
## Generate self-signed CA
openssl req -x509 -newkey rsa:1024 -keyform PEM -keyout camyapp_key.pem -out camyapp_crt.pem -days 365 -subj '/CN=camyapp/OU=Tieto/L=Riga/ST=Latvia/C=LV' -config openssl.cfg
openssl x509 -in camyapp_crt.pem -out camyapp_crt.der -outform DER
cat camyapp_crt.pem >> $TUXDIR/udataobj/security/certs/trust_ca.cer
## Generate user certificate for PRINCIPAL myapp
openssl req -newkey rsa:1024 -keyform PEM -keyout myapp_key.pem -outform PEM -out myapp_csr.pem -days 365 -subj '/CN=myapp/OU=Tieto/L=Riga/ST=Latvia/C=LV' -config openssl.cfg
# myapp.pem works fine for LLE when using libplugin.so
#openssl pkcs8 -topk8 -in myapp_key.pem -passout pass:password -outform PEM -out myapp.pem
# It look like libcertctux.so accepts only unencrypted keys. Is it true?
openssl pkcs8 -topk8 -in myapp_key.pem -outform DER -nocrypt -out myapp.der
openssl pkcs8 -topk8 -in myapp_key.pem -outform DER -nocrypt -out myapp.pvt
openssl x509 -req -in myapp_csr.pem -CA camyapp_crt.pem -CAkey camyapp_key.pem -CAcreateserial -outform DER -out myapp_crt.der -days 356
#Reload LDAP
ldapdelete -h $LDAP_HOST -p $LDAP_PORT -D $LDAP_BASEDN -w $LDAP_PASSWORD -r "$LDAP_ROOTDN"
cat <<EOF > myapp.ldif
dn: $LDAP_ROOTDN
dc: ${LDAP_ROOTDN/*=}
objectClass: dcObject
objectClass: organization
o: something
dn: o=TUX,$LDAP_ROOTDN
o: TUX
objectClass: organization
dn: cn=myapp,o=TUX,$LDAP_ROOTDN
userPassword: password
objectClass: inetOrgPerson
objectClass: person
objectClass: pkiUser
objectClass: strongAuthenticationUser
sn: myapp
cn: myapp
# For SSL search:SRCH base="o=TUX,dc=com" scope=2 deref=0 filter="(&(objectClass=strongAuthenticationUser)(mail=myapp))"
mail: myapp
userCertificate;binary:<file://`pwd`/myapp_crt.der
EOF
ldapadd -h $LDAP_HOST -p $LDAP_PORT -D $LDAP_BASEDN -f myapp.ldif -w $LDAP_PASSWORD -c
## Generate empty CRL. The same CRL is used for ARL
echo > index.txt
openssl ca -gencrl -keyfile camyapp_key.pem -cert camyapp_crt.pem -out my_crl.pem -config openssl.cfg
openssl crl -in my_crl.pem -out my_crl.der -outform DER
cat <<EOF > ca.ldif
dn: cn=camyapp,o=TUX,$LDAP_ROOTDN
userPassword: password
objectClass: inetOrgPerson
objectClass: person
objectClass: certificationAuthority
sn: camyapp
mail: camyapp
cACertificate;binary:<file://`pwd`/camyapp_crt.der
certificateRevocationList;binary:<file://`pwd`//my_crl.der
authorityRevocationList;binary:<file://`pwd`//my_crl.der
EOF
ldapadd -h $LDAP_HOST -p $LDAP_PORT -D $LDAP_BASEDN -f ca.ldif -w $LDAP_PASSWORD -c
## Installation values
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_lookup -a Params=userCertificateLdap=ldap://10.57.5.167:8080/ -a Params=ldapBaseObject=o=TUX,dc=com -a Params=binaryCertificate=YES
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_validation -a Params=caCertificateFile=file://$TUXDIR/udataobj/security/certs/trust_ca.cer -a Params=peerValidationRuleFile=file://$TUXDIR/udataobj/security/certs/peer_val.rul
epifregedt -s -k SYSTEM/impl/security/BEA/key_management -a Params=privateKeyDir=file://$TUXDIR/udataobj/security/keys
# ** Modify Validation Interface **
epifreg -r -p bea/cert-c/certificate_validation -i engine/security/certificate_validation -v 1.0 -f libcertctux.so -e epdl_certc_validate_certificate -u caCertificateFile=file://`pwd`/camyapp_crt.der -u crlFile=file://`pwd`/my_crl.der
epifregedt -s -k SYSTEM/impl/bea/valfile -a InterceptionSeq=bea/cert-c/certificate_validation
epifregedt -s -k SYSTEM/interfaces/engine/security/certificate_validation -a DefaultImpl=bea/valfile
# ** Modify Lookup Interface ** Use OpenLDAP
# Not using cert-c certificate lookup. Lookup from libplugin is compatible with OpenLDAP
#epifreg -r -p bea/cert-c/certificate_lookup -i engine/security/certificate_lookup -v 1.0 -f libcertctux.so -e epdl_certc_certificate_lookup -u ldapUserCertificate=ldap://10.57.5.167:8080 -u ldapBaseObject="o=TUX,dc=com" -u ldapFilterAttribute="cn" -u ldapBaseDNAttribute="dc,o,cn,c,ou"
epifregedt -s -k SYSTEM/impl/security/BEA/certificate_lookup -a Params=userCertificateLdap=ldap://$LDAP_HOST:$LDAP_PORT/ -a Params=ldapBaseObject=o=TUX,$LDAP_ROOTDN -a Params=binaryCertificate=YES -a Params=filterFileLocation="file://$TUXDIR/udataobj/security/bea_ldap_filter.dat"
epifregedt -s -k SYSTEM/interfaces/engine/security/certificate_lookup -a DefaultImpl=security/BEA/certificate_lookup
# ** Modify Key Management Interface **
epifreg -r -p bea/cert-c/key_management -i engine/security/key_management -v 1.0 -f libcertctux.so -e epdl_certc_key_management -u privateKeyDir=file://`pwd`/ -u decPassword="password"
epifregedt -s -k SYSTEM/interfaces/engine/security/key_management -a DefaultImpl=bea/cert-c/key_management
# ** Modify Certificate Parsing Interfaces **
epifreg -r -p bea/cert-c/certificate_parsing -i engine/security/certificate_parsing -v 1.0 -f libcertctux.so -e epdl_certc_certificate_parsing
epifregedt -s -k SYSTEM/interfaces/engine/security/certificate_parsing -a DefaultImpl=bea/cert-c/certificate_parsing
----------------------------8<------------------------------------------------
Ldap log:
----------------------------8<------------------------------------------------
conn=0 fd=12 ACCEPT from IP=10.57.5.167:34885 (IP=10.57.5.167:8080)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="o=TUX,dc=com" scope=2 deref=0 filter="(&(objectClass=strongAuthenticationUser)(mail=myapp))"
<= bdb_equality_candidates: (mail) not indexed
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="o=TUX,dc=com" scope=2 deref=0 filter="(&(objectClass=certificationAuthority)(cn=camyapp)(sn=camyapp))"
<= bdb_equality_candidates: (cn) not indexed
<= bdb_equality_candidates: (sn) not indexed
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
----------------------------8<------------------------------------------------
Message signing works fine
Note.
OpenLDAP must allow bind_v2
ULOGDEBUG, PIFDBG and CERTCDBG environment variables are set.
Any ideas?I got workaround by putting WSL parameters in a separate registry file.
System.rdp is registry with cert-c PKI plugin setup.
System_wsl.rdp is registry with key_management from libplugin.so (default installation values).
WSL is configured to read parameters from System_wsl.rdp.
ubbt SERVER section:
WSL SRVGRP=NOTMS_GROUP SRVID=200 CLOPT="-A -- -d /dev/tcp -n //10.57.5.167:12500 -S 12501 -z 40 -Z 128" ENVFILE="<absolute path>/WSL.env"<absolutel path>/WSL.env:
REG_KEY_SYSTEM=<absolute path>/System_wsl.rdpStill I am curious about Cert-C + SSL. -
I have a OIM on a cluster with two nodes running on WLS. I have a VIP URL that I connect to OIM with.
i am going to upload the OIM cert to AD for provisioning etc and get AD cert in OIM jdk keystore.
What I need to know is what hostname shall I use in the cert? The for VIP or hostname of a node? If its a node then I need two certs for OIM then?thx, I just added one cert which has the vip address and that worked fine. it stays ssl session validated successfully.
However, when I provision a user to AD, I see Password is required while provisioning user with SSL. Do you know what this means?
I have password in AD process form and password for admin user that will provision to AD. What am I missing?
thx for your reply sir. -
Use of Wildcard SSL cert with DRM
DRM needs a URL to be embedded in the protected PDF document(e.g., mysite.mycompany.com). The SSL certificate for the URL must be from a trusted provider (e.g., Verisign). My question is will Adobe Reader accept for DRM a wild card SSL certificate (e.g., *.mycompany.com) from a trusted provider?
Hi,
The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
Regards,
Yan Li
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Demostic SSL cert with no demostic WLS
the ssl certificate is a full version. but the license of WLS is not is domestic
version. How can I solve this
Wed Oct 31 15:28:43 HKT 2001:<E> <SSLListenThread> Inconsistent Security Configu
ration, java.lang.Exception: Attempting to use domestic (full) strength certific
ates without a domestic (full) strength license.
Wed Oct 31 15:28:43 HKT 2001:<I> <Security> Not listening for SSL: java.io.IOExc
eption: Inconsistent Security Configuration, java.lang.Exception: Attempting to
use domestic (full) strength certificates without a domestic (full) strength lic
ense.Get a domestic license or an "exportable" certificate...
"Kelvin" <[email protected]> wrote in message
news:3bdfab69$[email protected]..
the ssl certificate is a full version. but the license of WLS is not is
domestic
version. How can I solve this
Wed Oct 31 15:28:43 HKT 2001:<E> <SSLListenThread> Inconsistent Security
Configu
ration, java.lang.Exception: Attempting to use domestic (full) strength
certific
ates without a domestic (full) strength license.
Wed Oct 31 15:28:43 HKT 2001:<I> <Security> Not listening for SSL:
java.io.IOExc
eption: Inconsistent Security Configuration, java.lang.Exception: Attempting
to
use domestic (full) strength certificates without a domestic (full) strength
lic
ense. -
Multiple Failures for new trusted certs with ORA-28857
We are seeing problems with working APIs that use UTL_HTTP over SSL starting to fail with newer trusted certs. Importing these certificates into the wallet just leads to a ORA-28857 and a corrupted wallet. We are using 11.2.0.1. 3 trusted chains have now failed. Examples include the cert chains (hydrant and godaddy certs) from
https://api.betfair.com
https://www.flipkey.com/
I've had a support call open for the last month with no resolution.
If anyone has any potential avenues of workarounds / solutions might just save me some sleepless nights. Our products functionality is dying because of this problem!If the certificates are SHA2, they won't work in 11201.. they are fully supported from 11203 up.
Maybe you are looking for
-
ITunes gives error message when I try to open it
iTunes recently stopped working on my iMac... Any help is greatly appreciated. Here is a copy of the error: Process: iTunes [2610] Path: /Applications/iTunes.app/Contents/MacOS/iTunes Identifier: com.apple.iTunes Version:
-
My BB9810 refuse to load OS7.1 software on my phone after the download has completed. My phone has freezed/stucked since morning. Pls urgent help/assistant needed as I can not access/use my phone for over 24hrs now.
-
I couldn't seem to see how Facebook integration work in my Macbook Pro when I already downloaded the latest update. I wen't to the system preference, mail and calendars but can't find the facebook sign in? It worked ok with my other iOS device (iPhon
-
Photosmart first piece of paper goes through blank, second prints ok
My photosmart C4795 puts the first piece of paper through blank then prints the letter on the second piece of paper. This is a one page letter. It prints it fine on the second piece of paper so I have to keep picking up the first piece of blank paper
-
Interactive PDF show/hide button not working properly
I could use some help. I'm creating an interactive pdf using show hide buttons. A button is set to hidden and a second button controls it's visible on mouse enter and mouse exit. Sometimes these buttons which are set to visible turn to invisible in t