SSL Certificate and SSL Authentication

Hi-
I'm hoping someone can shed some light on this issue.
First off, is there a difference between SSL Certificate and SSL Authentication?
I have a POP account. The Incoming port is set to 110. The Outgoing, 26. (This is according to Bluehost.com). The security settings for both incoming/outgoing are set to none. Everything works fine.
But if I want extra security, I'll set the incoming to 995 and outgoing to 465.
If I set the security settings to SSL, do I check "Use secure authentication", or do I have to purchase a SSL certificate to secure the authentication? This is where I'm confused. I tried asking the hosting company but they're not much help.
Any advice would be appreciated.
Thanks!

Hi Imagine,
You do not need to purchase your own SSL certificate to use secure authentication. The server handles this for you. You just need to make sure the port #s are correct and you simply check mark the SSL boxes and leave authentication on Password at least on most setups. Each host maybe different so you have to double check with them.
Hope That Helps,
Eric

Similar Messages

3rd party Certificate and AAA Authentication

I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.
In the connection profile i have set up that users should authenticate using both certificate and AAA.
Due to a high security requirement, the user certificate is issued from a 3rd party.
This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.
I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.
Problem:
If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.
I got an idea that i could put the Serial Number of the users certificate on the user object in AD (on the users department field or something like that) and check if this value match during authentication.
So, to sum things up, i want to compare the Serial Number (SER) field of the users certificate with a field on the user object in AD during authentication. As far as i can see the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field match the value on the user object in AD.
I am happy for any help that could point me in the right direction on how to accomplish this.
Best regards,
Kenneth

I actually got a better idea, and i think this will work great!
One of the guys at work pointed out that the sAMAAccountName is still used in many areas even though it is called pre-windows 2000.
After some trying and failing i got the idea that should try to change the "Naming Attribute(s)" on the defined AAA (ldap) server under "AAA server groups".
So i change the Naming attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that i tried to log in, and voila:
[123] LDAP Search:
        Base DN = [dc=Testlab,dc=local]
        Filter = [department=xxxx-xxxx-xxxxxxxxx]
        Scope   = [SUBTREE]
[123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
The ldap debug is clear, the ldap query during authentication is now searching for the user using the department field, and looking for the value of the serial number from my certificate.
I wasnt quite happy about using the "department" field and i took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificat to the "serialNumber" attribute on the user object:
[138] LDAP Search:
        Base DN = [dc=Testlab,dc=local]
        Filter = [serialNumber=xxxx-xxxx-xxxxxxxxx]
        Scope   = [SUBTREE]
[138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
Worked like a charm!
I will settle for this solution, i cant see any issues regarding security, and it will be a breeze to admin. I will make a tool now so i can search for users in AD and update/view this attribute on the user objects.
Thank you for the input Marcin

SSL: how to use Multiple Private key/Certificate pair for authentication.

Hi all,
i am implementing SSL in java using X509 Certificate/private key combination.
i have two set of private key/certificate pair.
one is factory default and another is generated at run time.
my problem is to try ssl connection with both pairs on same tcp/ip connection.
e.g. on server side: first try ssl connection with factory default certificate, if it fails try connecting with generated certificate on same tcp/ip connection.
on client side: if generated certificate(this certificate was generated at server side) is present first perform server authentication using this certificate otherwise authenticate server with factory default certificate.
can someone please help and let me know how do i need to configure both ends(client and server) for achieving the same.
Thanks In Advance
Saurabh Ahuja

Client code does not contain any default truststore and needs a certificate for authentication.Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
It's like this. The idea of PKI with SSL is as follows:
- the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
- the client has a truststore that trusts the server, one way or the other, see above.
- the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
- the server sends its cert to the client along with a digital signature signed by its private key.
- the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

Connecting Using SSL Authentication Without Username and Password

Hi,
We're on RedHat Linux 4.0 using 10.2.0.3 (server/client). We're trying to figure out a way to connect to the database using instantclient and JDBC-OCI and SSL authentication without using a username or password. According to the documentation this should be possible but no sample code is given.
LD_LIBRARY_PATH is set /opt/app/oracle/product/10.2.0/db_1/lib:/usr/lib:/home/oracle/instantclient where the instantclient was installed from the 10.2.0.1 client software
and we are using JDK version 1.6.0_03.
We're also referencing the following paper:
http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/wp-oracle-jdbc_thin_ssl_2007.pdf
We've got our client and server wallets configured and the sample code we tried looks like this:
import java.sql.*;
import java.sql.*;
import java.io.*;
import java.util.*;
import oracle.net.ns.*;
import oracle.net.ano.*;
import oracle.jdbc.*;
import oracle.jdbc.pool.*;
import java.security.*;
import oracle.jdbc.pool.OracleDataSource;
public static void main(String[] argv) throws Exception {
DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
Security.addProvider(new oracle.security.pki.OraclePKIProvider());
System.setProperty("oracle.net.tns_admin", "/opt/app/oracle/product/10.2.0/db_1/network/admin");
String url = "jdbc:oracle:thin:@orcl";
java.util.Properties props = new java.util.Properties();
props.setProperty("oracle.net.authentication_services","(TCPS)");
props.setProperty("javax.net.ssl.trustStore",
"/opt/app/oracle/product/10.2.0/db_1/admin/wallet/server/cwallet.sso");
props.setProperty("javax.net.ssl.trustStoreType","SSO");
props.setProperty("javax.net.ssl.keyStore", "/opt/app/oracle/product/10.2.0/db_1/admin/wallet/client/cwallet.sso");
props.setProperty("javax.net.ssl.keyStoreType","SSO");
props.put ("oracle.net.ssl_version","3.0");
props.put ("oracle.net.wallet_location", "(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/opt/app/oracle/product/10.2.0/db_1/admin/wallet/client)))");
System.out.println("At Here...");
OracleDataSource ods = new OracleDataSource();
//ods.setUser("scott");
//ods.setPassword("tiger");
ods.setURL(url);
ods.setConnectionProperties(props);
System.out.println("At Here1...");
Connection conn = ods.getConnection();
System.out.println("At Here2...");
Statement stmt = conn.createStatement();
ResultSet rset = stmt.executeQuery("select 'Hello Thin driver SSL "
+ "tester ' from dual");
while (rset.next())
System.out.println(rset.getString(1));
rset.close();
stmt.close();
conn.close();
When this code is compiled and run, the following error is thrown:
Exception in thread "main" java.sql.SQLException: invalid arguments in call
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
If a username and password is supplied, the code works. So does anyone have a working of using SSL to authenticate without supplying username/password?
Thanks
mohammed

Hi,
I just solved this. I noticed from another thread that I was not using the OCI driver (see below):
String url = "jdbc:oracle:thin:@pki14";
Once I changed it to:
String url = "jdbc:oracle:oci:@pki14";
The code worked perfectly. One more setting that you'll have to do is to create the user you want to connect as externally:
create user scott identified externally as
'CN=acme, OU=development, O=acme, C=US';
grant connect,create session to scott;
Note that the DN should be the same as the SSL certificate that you created in your wallet.
hth
mohammed

Creating SSL certificate and configuring it with JBOSS 4.0.1

I have to post some data to a secured site from my application.
For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
But, while creating the stream it is showing SSLException and message is No trusted certificate found.
For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.

I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum.

SSL authentication between business connectoe and other system

Hi every1,
One system has to be connected to SAP BC(Business connector). I want to know how to setup the connectivity between these two systems. Also I want to know how to handel the SSL authentication between these two systems with complete details for how to do this.
Thankx in advance.
Regards
Karan

Hi Karan,
Find everything related to SAPBC at http://service.sap.com/connectors _> SAP business connector.
For SSL check
http://service.sap.com/connectors _> SAP business connector -> Tools and Services -> SSL Version.
Regards
Juan

SSL certificates and Web Services Usage inside Oracle Database Questions!

We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
Service1 is already working, and we can call the service from PL/SQL without troubles.
However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
     - SSL Certificates:
1- Can installed certificates in the Database put in risk the stability of the database?
          2- Can installed certificates in the Database generate performance issues?
          3- Can installed certificates reloading the Databases?
          2- Can installed certificates in the Database generate security issues?
     - Web services:
1- Can web services calling from the Database put in risk the stability of the database?
2- Can web services calling from the Database generate performance issues?
3- Can web services calling from the Database generate security issues in the DMZ?
Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
Those are the links describing the procedure mentioned above.
1 -http://www.kotti.es/2009/11/oracle-wallet/
DB: Oracle 9i.
Average number of lines in file: 300
Periodicity: Twice at day.

Thiago:
You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
Regards,
Jason

How to erase all self signed certificates and force Server to use Signed SSL

I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I seeing a self-signed certificate instead.
I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
Can I replace those self-signed certs with the new one some how?

Don't delete those. However, you are on the right track. Follow these steps to resolve.
1: Launch Keychain Access
2: Select the System Keychain
3: Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
4: In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
5: Press Save Changes to save.
6: Reboot the server or kill the servermgrd process to restart the service.
That should resolve your issue.
R-
Apple Consultants Network
Apple Professional Services
Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store

SSL certificates and GWIA

I have run up against a wall trying to install a third party SSL certificate with GWIA 7.0.3 and securing IMAP connections;
Certificate (And SSL) works fine, but the infamous "The origin of this certificate cannot be verified" type of message comes up for all mail clients attaching, and this is particularly bad for handheld devices like iPhone connecting via IMAP using SSL.
Has anyone ever successfully installed a 3rd party SSL cert into GWIA with chain of trust back to root CA and been able to overcome this ?
It' basically the same problem one would run into if issuing a self-signed cert out of NDS/Edir Cert server 2.x or 3.x.
Any suggestions would be welcome !
Thanks !

Hi, I very recently had a similar problem...our existing 3rd party ssl external Verisign certificate expired!!!!
I have'nt been able to in the past configure a 3rd party ssl certificate into our current Groupwise 7 system due to lots of various methods of doing this task....i got quite confused and if you do not do things in the correct order the whole process will need to ber started over again.
Ive managed to eventually cracked it and figure out a simple and more structured approach to setting this up.
The following was in relation to applying the 3rd party external certificate to WEBACCESS
This was the steps i took:
Firstly ensure you have the registered details you completed already with your 3rd party SSL supplier, they should have provided you with a:
OU
O
L
S
C
the CN is the webaddress or DNS name your users will hit to access your secured page - we will add this later.
1) Highlight the container where your server is located which will be the host application part of the webaccess that the ssl is assigned to.
(my setup is, i have my main grpwise system in one tree, my application - webaccess component in a separate tree) - we need to re-create the SSL object in the second tree or the container where the application component is located.
2) Right-click to create an object > from the list choose > NDSPKI:Key Material.
3) Give a name for the certificate name object > then select the second option > Custom.
(This will allow you to enter more specific information relating to the 3rd party ssl certificate)
4) The next screen select "External Certificate authority" - this would be your 3rd party ssl. Click next
5) Next screen asks for the Key size, accept the default value of "2048 bits" > tick "Allow private key to be exported", click next.
6) Next screen asks for the Certificate Parameters, depending on the order of your, CN, OU,O,L,S,C
I clicked the edit button and then clicked the small arrow icon to switch the SSL URL around so that my .cn=webserver url address will be read first then the - OU,O,L,S,C.
(PLEASE NOTE: The (OU,O,L,S,C) should be identical to what was initially registered with your 3rd party SSL supplier.
7)Once you are happy with the details click "Finish".
8) You will immediately be asked where to save the "b64" file that will be generated which will be sent off to your 3rd party supplier for re-minting.
choose a file name - ensure no hyphens,or special characters etc are used and keep to the 8.3 naming length just to avoid any long name issues, i do believe that by adding a hyphen may cause problems as the system automatically puts a hyphen to separate the names automatically hence that is why its advised not to use this.
I saved my file to root of my c:\
9)Once this has been done and you click save, send the file off to your 3rd party SSL supplier, they will re-mint the "b64" file and you should get back 2 files:
a)file.cer
b)Intermediate.cer
(filenames could be anything)
10) Select the "KMO object" you created earlier in step 2, then goto the Certificate tab > Trusted Root certificate" tab to import the Intermediate.csr file sent to you.
Select import > then read from file and browse for the "Intermediate.csr" file - i chose root of my c:\ to save the re-minted 2 files sent back to me.
Select the Intermediate file, you should see some encrypted characters show in the blank screen, then select Ok or finish.
If you see a pop up window stating " Subject name mismatch error" dont worry this is merely a cosmetic issue due to the details not being in the exact naming order, it has been IMPORTED!!
Click OK.
Once you have done this you should see your first key pair file imported, check the subject name, Issuer name, effect date, expiration date, certificate status details, these should all show the 3rd party certificate details.
Then next part is to import the second key pair file.
Click Certificate>Public Key Certificate tab > import.
Select to read from file> then browse for the file.csr
You should see the encrypted characters, then select ok or finish.
Now you have competed the difficult part you now need to tell you application what SSL object to point to in order to use the SSL encryption.
For webaccess, you have to edit the apache conf files and enter the name of the SSL/KMO object you created earler.
11) Goto your application server that will use the ssl, then browse to:
server\sys\apache2\conf
edit a file called "httpd.conf"
then
amend or add the section:
SecureListen 443 "Verisign"
Save theses changes - then shut down your web services on the server, apache, etc. ie, type :
Apache shutdown commands:
ap2webdn
tc4stop
admsrvdn
Apache load commands:
apache2
ap2webup
tc4stop
admsrvup
wait a minute or so so that the services can be unloaded.
If you think its safer to do so, you can restart the server - that way you know for sure that everything has been unloaded and re-loaded cleanly.
ALL done.
SSL now in operation and working.
I carried out this method - my own steps and this worked for me.
Good luck!!!
Dennis
Originally Posted by shale999
I have run up against a wall trying to install a third party SSL certificate with GWIA 7.0.3 and securing IMAP connections;
Certificate (And SSL) works fine, but the infamous "The origin of this certificate cannot be verified" type of message comes up for all mail clients attaching, and this is particularly bad for handheld devices like iPhone connecting via IMAP using SSL.
Has anyone ever successfully installed a 3rd party SSL cert into GWIA with chain of trust back to root CA and been able to overcome this ?
It' basically the same problem one would run into if issuing a self-signed cert out of NDS/Edir Cert server 2.x or 3.x.
Any suggestions would be welcome !
Thanks !

Certificate and SSL combination

Hi,
We use a certificate to package the AIR application, we need to communicate with a J2EE server using AMF secure? AMF secure requires that a certificate be installed on the J2EE server which gets downloaded when the AIR application communicates with the Server. We would assume that using the same certificate installed on the server to package the AIR application should do the trick. But that doesn’t work as the certificate types are different for Server vs. packaging the AIR application. The client prompts for certificate acceptance for every communication between AIR client and Server. Is there a way to avoid Client from prompting for certificate? Adding to system Keystore does not work either.
Thanks in advance.

I'm having this same issue.
I switched over from AMFChannel to SecureAMFChannel, modified the proper xml files on the serverside and now my messaging and remote calls work over https. Here's the problem: Everytime the AIR client requests something from the server or the server sends a message over blazeDS I get that Windows prompt box that asks if I trust this server and want to accept the certificate. I click "Yes" and it keeps popping up over and over for each request or message. I click "View Certificate" and then "Install Certificate" but that does not stop the continued prompt boxes over and over. My server is Tomcat 6 and I created a self-signed cert. It looks like it uses the same certificate store that IE uses, and when I open IE and look at current certificates I see it in there. So it's getting installed, but for some reason AIR just doesn't care.
Anyone have any suggestions?

Java sp 2-way SSL authentication

I've written a java stored proc that uses JSSE to implement an HTTPS client to a partner's server. In the past, this strategy has worked well, and we have several successful projects under our belts.
This time, the partner's server is configured for 2-way ssl authentication. When I try to open the connection from my client, it is reporting-
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate.
I'm not 100% sure what that means, but I think that it means the server is asking for a public cert from the client, and it isn't happy with what it is getting back.
Can anyone tell me how to configure the client-side cert in a way that will make it available for my java code running in the Oracle JVM. I understand how to set up the keystore so that it is available for Tomcat, for example, but I'm at a loss to find how to setup client certs for access within an Oracle Java Stored Procedure...
I hope that I have explained this clearly. If I need to provide more information, just ask.
Thanks in advance for any help.
Cole

http://www.weblogic.com/docs51/classdocs/API_acl.html
Michael Girdley
BEA Systems Inc
"gennot" <[email protected]> wrote in message
news:[email protected]..
Could you send me the complete URL of these example, please?
Thanks
Enrico
Michael Girdley <[email protected]> wrote in message
39b87078$[email protected]..
The passing of the client's certificate should be automatic to WebLogic.We
have an example of getting the client side certificate from inside of
WebLogic in our documentation.
This does not require for SSL to be used from the Web server to
WebLogic.
>>
Thanks,
Michael
Michael Girdley
BEA Systems Inc
"Bob Simonoff" <[email protected]> wrote in message
news:[email protected]..
I have read through the docs and haven't found anything that would
address
the following confusion:
Suppose I want to use Apache or IPlanet as the webserver with WebLogicas
the back end application server (obviously). I have the need to use 2way
SSL authentication. As I understand it the following applies:
Client (browser) has a certificate as does the web server. Theyauthenticate
each other.
Now, the web server and weblogic need to communicate. WebLogic, in our
environment does authentication via the security realm.
What do I have to do to get the the web server (Apache or IPlanet) to
communicate the client's certificate to WebLogic so the WebLogic canperform
the authentication?
Does the communication between the web server and WebLogic also need
to
be
SSL?
Thanks
Bob Simonoff

SSL authentication Connectivity using Oracle JDK1.3

Please let me know whether Oracle JDK1.3 will support the SSL authentication Connectivity.
If not what is the workaround to make the SSL authentication connectivity work
in oracle JDK 1.3
since this urgent,Please let us know this information at the earliest

Hi,
Oracle furnish an embedded Java VM with the database but does not furnish JDKs; there is no such a thing as Oracle JDK 1.3.
You are probably referring to JDBC but which release?
SSL Authentication is supported in JDBC-Thin 11g and JDBC-OCI pre-11g.
Kuassi http://db360.blogspot.com

Configuring SSL Authentication

I am attempting to set up SSL authentication in a test environment with Oracle 9.2 on Windows XP. When I try to connect the client I get ORA-28862: SSL connection failed. I switched on client tracing which appears to show that the wallet is being opened successfully but the connection fails on the SSL handshake with ORA-28862 and a minor code of 542. Where can I find out what this minor code means? There doesn't appear to be any further indication of what the problem might be in the trace file but here is the section with the handshake error, any assistance gratefully received:
[04-DEC-2008 18:44:40:795] ntzCreateConnection: performing NZOS handshake - pass 1
[04-DEC-2008 18:44:40:795] nzos_Handshake: entry
[04-DEC-2008 18:44:40:795] nttwr: entry
[04-DEC-2008 18:44:40:795] nttwr: socket 1772 had bytes written=51
[04-DEC-2008 18:44:40:795] nttwr: exit
[04-DEC-2008 18:44:40:795] nttrd: entry
[04-DEC-2008 18:44:40:795] ntt2err: entry
[04-DEC-2008 18:44:40:795] ntt2err: soc 1772 error - operation=5, ntresnt[0]=530, ntresnt[1]=53, ntresnt[2]=0
[04-DEC-2008 18:44:40:795] ntt2err: exit
[04-DEC-2008 18:44:40:795] nttrd: exit
[04-DEC-2008 18:44:40:795] nzos_Handshake: exit
[04-DEC-2008 18:44:40:795] ntzCreateConnection: SSL handshake failed with error 28862.
[04-DEC-2008 18:44:40:795] ntzchknb: entry
[04-DEC-2008 18:44:40:795] nttctl: entry
[04-DEC-2008 18:44:40:795] nttctl: Setting connection into async mode
[04-DEC-2008 18:44:40:795] ntzchknb: exit
[04-DEC-2008 18:44:40:795] ntzchknb: entry
[04-DEC-2008 18:44:40:795] nttctl: entry
[04-DEC-2008 18:44:40:795] nttctl: Setting connection into callback mode
[04-DEC-2008 18:44:40:795] ntzchknb: exit
[04-DEC-2008 18:44:40:795] ntzCreateConnection: returning NZ error 28862 in result structure
[04-DEC-2008 18:44:40:795] ntzCreateConnection: failed with error 542
[04-DEC-2008 18:44:40:795] ntzCreateConnection: exit
[04-DEC-2008 18:44:40:795] ntzdisconnect: entry
[04-DEC-2008 18:44:40:795] ntzFreeNTZData: entry
[04-DEC-2008 18:44:40:795] ntzFreeNTZData: exit
[04-DEC-2008 18:44:40:795] nttdisc: entry
[04-DEC-2008 18:44:40:795] nttdisc: exit
[04-DEC-2008 18:44:40:795] ntzdisconnect: exit
[04-DEC-2008 18:44:40:795] ntzconnect: failed with error 542
[04-DEC-2008 18:44:40:795] ntzconnect: exit
[04-DEC-2008 18:44:40:795] nserror: entry
[04-DEC-2008 18:44:40:795] nserror: nsres: id=0, op=65, ns=12560, ns2=0; nt[0]=28862, nt[1]=542, nt[2]=0; ora[0]=28862, ora[1]=0, ora[2]=0
[04-DEC-2008 18:44:40:795] nsopen: unable to open transport
[04-DEC-2008 18:44:40:795] nsbfr: entry
[04-DEC-2008 18:44:40:795] nsbfr: normal exit
[04-DEC-2008 18:44:40:795] nsbfr: entry
[04-DEC-2008 18:44:40:795] nsbfr: normal exit
[04-DEC-2008 18:44:40:795] nsmfr: entry
[04-DEC-2008 18:44:40:795] nsmfr: 2348 bytes at 0xdee0b8
[04-DEC-2008 18:44:40:795] nsmfr: normal exit
[04-DEC-2008 18:44:40:795] nsmfr: entry
[04-DEC-2008 18:44:40:795] nsmfr: 492 bytes at 0xdbd2d0
[04-DEC-2008 18:44:40:795] nsmfr: normal exit
[04-DEC-2008 18:44:40:795] nsopen: error exit
[04-DEC-2008 18:44:40:795] nsclose: entry
[04-DEC-2008 18:44:40:795] nsclose: normal exit
[04-DEC-2008 18:44:40:795] nladget: entry
[04-DEC-2008 18:44:40:795] nladget: exit
[04-DEC-2008 18:44:40:795] nsmfr: entry
[04-DEC-2008 18:44:40:795] nsmfr: 164 bytes at 0xdd7ea0
[04-DEC-2008 18:44:40:795] nsmfr: normal exit
[04-DEC-2008 18:44:40:795] nladtrm: entry
[04-DEC-2008 18:44:40:795] nladtrm: exit
[04-DEC-2008 18:44:40:795] nscall: error exit
[04-DEC-2008 18:44:40:795] nioqper: error from nscall
[04-DEC-2008 18:44:40:795] nioqper: nr err code: 0
[04-DEC-2008 18:44:40:795] nioqper: ns main err code: 12560
[04-DEC-2008 18:44:40:795] nioqper: ns (2) err code: 0
[04-DEC-2008 18:44:40:795] nioqper: nt main err code: 28862
[04-DEC-2008 18:44:40:795] nioqper: nt (2) err code: 542
[04-DEC-2008 18:44:40:795] nioqper: nt OS err code: 0
[04-DEC-2008 18:44:40:795] niomapnserror: entry
[04-DEC-2008 18:44:40:795] niqme: entry
[04-DEC-2008 18:44:40:795] niqme: reporting ORA-28862 error

Hi Ian,
Well, I'm pretty sure Oracle Advanced Security is an Oracle product so you may not need to contact Microsoft just yet. :)
I don't have too much to offer but I can say that I have seen this error when the operating system user used to create the wallet is not the same user that the listener and database services run as (these likely are running as the default Local System account unless you've already changed them).
That is to say, if a user named "abc" created the wallet the listener and database services should be edited to run as that user using the Log On tab for the service properties. Hopefully that makes sense.
Perhaps that will help a bit,
Regards,
Mark

Mutual SSL Authentication

Hi,
We are trying to implement Mutual SSL Authentication in our environment with Reverse Proxy and the Client's Browser.
Can anybody help me out in this.
We are using OAM

Make sure the following for reverse proxy:
1. make sure the webserver that uses reverse proxy accepts requests from reverse proxies.
2. update the virtual hosts configured in the policy manager
3. prevent people from using the direct url, u can use web server ACL's
4.redirect all existing URL's to reverse proxy hostname with port
5. deploy enough proxy servers to handle the load
Thanks.
Subhani Shaik

SSL authentication

Hello
I am configuring ssl authentication ( document oracle support 736510.1)
But when doing tnsping from client side i have an tns-12560
[oracle@testrac3 admin]$ tnsping TEST
TNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 17-JUN-2013 10:04:14
Copyright (c) 1997, 2011, Oracle. All rights reserved.
Used parameter files:
/opt/app/oracle/product/11.2.0.3/db/network/admin/sqlnet.ora
Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = testrac1.XX.XX)(PORT =2484)) (SECURITY= (SSL_SERVER_CERT_DN=CN=dbasecurityRoot,O=dbasecurity,C=US)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME= TEST.XXX.XXX)))
TNS-12560: TNS:protocol adapter error
Can someone give me an help
Best regards

Hi, djoloff,
I already answered in this thread, may be it will help.
https://forums.oracle.com/thread/2527585

SSL Certificate and SSL Authentication

Similar Messages

Maybe you are looking for