SSL certificates and GWIA

Similar Messages

• SSL certificates and Web Services Usage inside Oracle Database Questions!

  We have implemented a specific business logic using PL/SQL for our client, so we open a file and process each line of this, doing something in the Database and also call a Web Services (Service1) using UTL_HTTP package. Service1 runs in a Windows 2008 Server in the DMZ as Database server.
  Service1 is already working, and we can call the service from PL/SQL without troubles.
  However, according with security client's policies they requires all Web services be consumed via https including Service1, so we must to follow the procedure established for Oracle in order to enable the calling of service1 via https from the Database.
  Our client's DBA and IT Team are concerned about two subjects before to continue to follow the certificate installation:
       - SSL Certificates:
  1- Can installed certificates in the Database put in risk the stability of the database?
            2- Can installed certificates in the Database generate performance issues?
            3- Can installed certificates reloading the Databases?
            2- Can installed certificates in the Database generate security issues?
       - Web services:
  1- Can web services calling from the Database put in risk the stability of the database?
  2- Can web services calling from the Database generate performance issues?
  3- Can web services calling from the Database generate security issues in the DMZ?
  Could you please give us any clues, about the possible negative impact related with the SSL certificates and Web Services Usage inside Oracle Database, if it’s the case this impact exists?.
  Those are the links describing the procedure mentioned above.
  1 -http://www.kotti.es/2009/11/oracle-wallet/
  DB: Oracle 9i.
  Average number of lines in file: 300
  Periodicity: Twice at day.

  Thiago:
  You are correct in that there should be no problem interacting with a Web service that has an HTTPS endpoint as long as you create a wallet and specify it when you make your UTL_HTTP calls, like the PayPal example.
  I am not aware of a PL/SQL utility to create a XMLDsig Standard message, but if you find some Java source out there that does it, you may be able to follow a technique I used for a similar use case:
  http://jastraub.blogspot.com/2009/07/hmacsha256-in-plsql.html
  Regards,
  Jason

• SSL Certificate and SSL Authentication

  Hi-
  I'm hoping someone can shed some light on this issue.
  First off, is there a difference between SSL Certificate and SSL Authentication?
  I have a POP account. The Incoming port is set to 110. The Outgoing, 26. (This is according to Bluehost.com). The security settings for both incoming/outgoing are set to none. Everything works fine.
  But if I want extra security, I'll set the incoming to 995 and outgoing to 465.
  If I set the security settings to SSL, do I check "Use secure authentication", or do I have to purchase a SSL certificate to secure the authentication? This is where I'm confused. I tried asking the hosting company but they're not much help.
  Any advice would be appreciated.
  Thanks!

  Hi Imagine,
  You do not need to purchase your own SSL certificate to use secure authentication. The server handles this for you. You just need to make sure the port #s are correct and you simply check mark the SSL boxes and leave authentication on Password at least on most setups. Each host maybe different so you have to double check with them.
  Hope That Helps,
  Eric

• Creating SSL certificate and configuring it with JBOSS 4.0.1

  I have to post some data to a secured site from my application.
  For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
  But, while creating the stream it is showing SSLException and message is No trusted certificate found.
  For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
  Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.

  I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
  See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum.

• SSL certificate and use?

  Hi,
  some time ago I've become aware of the presence of an SSL certificate for for the Arch homepage.
  Unfortunately Firefox tells me that the site "Contains unauthenticated content". And if I try to visit the forum, wiki or AUR (with https://...), then I get redirected to the Arch homepage.
  Is there a particular reason that on the one hand the infrastructure for SSL/https seems to be there, but on the other hand is not complete (in case of the Arch homepage) and not extended to the forum, wiki, and the AUR?
  And if SSL is not intended to be used for the sub domains of archlinux.org, how are the login-processes for the forum/wiki/AUR handled/secured?
  I ask mainly because of paranoia and secondly out of curiosity.

  cactus wrote:The ssl cert was purchased long ago (and recently renewed) for www.archlinux.org only.
  It is not a 'wildcard' ssl cert like you sometimes see, which would allow for *.archlinux.org (likely due to cost).
  It's been a while, but the situation has slightly changed, and I've also gained a bit of experience about PKIs, so I wanted to propose an idea.
  As I've seen today, the ssl certificate for www.archlinux.org seems to have expired, because it's no longer there and has been replaced by a self-signed certificate for dev.archlinux.org.
  As you're not using officially signed certs any longer, you could also do the following:
  You could start your own certificate authority, make one certificate for each domain {aur,bbs,wiki,dev,bugs,www,etc}.archlinux.org, and sign each of these with your own root-cert. Then you would only have to spread the public key of your root cert, and every signed cert of yours would be recognized and accepted by the users.
  I've found a really well-written howto here, and I've already tested it within my local network.
  Once the root cert has been imported/accepted on the client system, all signed certs will be accepted, too. And if you ever wanted to get an officially signed cert, you would only need to have your root cert signed (e.g. by CAcert). But that is only an assumption, as I don't have any experience how to get signed by an official institution.
  Or you could also ship your root cert with the installation iso, similar to Ubuntu shipping the public pgp-keys of their package-managers with there installation isos.
  This is of course only a suggestion, but as I think everyone should be aware of the importance of encrypted and signed communication, and in the end everyone would benefit from it.
  I'm pretty interested in everyone's feedback. Maybe there's even one who has experience about other distros and how they've handled that problem.

• SSL certificates and/ or Oracle Certificate Authority

  Our Oracle infrastructure is as follows:
  1.Database server
  (a)Oracle 9i R2 database
  (b) Oracle ApEx 2.2
  2. Infrastructure server
  (a) Oracle 10g (9.0.4.x.x) Infrastructure
  (b) OID - configured as external authentication to Microsoft 2003 Active Directory LDAP version 3
  (c) SSO - configured as Windows Native authentication
  3. Application server
  (a)Oracle 10g (9.0.4.x.x) Forms and reports server
  Network traffic currently is not encrypted. All we need is to ensure that network traffic is encrypted between the the end-user PC and all servers (database or app server)
  I was reading through Oracle Certificate Authority and Secure Sockets Layer.
  1. Is there a difference between the two products?
  2. Which product would be best to ensure the encryption (authentication is provided through MS LDAP)
  Thanks,
  Mayura

  Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
  SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
  The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
  To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
  1. From the web browser to the middle tier
  2. End user to database
  3. from the middle tier to OID
  4. from the middle tier to the database
  5. From OID to active directory

• SSL certificates and JES 2005Q1

  We encountered some issues installing certs on a JES 2005Q1 installation and wanted to get outside input on what we did and our conclusions:
  We have a msg store with iMS, admin server, web server for UWC, and directory server installed on an 8-way v880. Following the instructions on installing a self-signed certificate via the cli failed. When we used the Cert Wizard we found that the databases were in DirServerRoot/alias as msg-config-key3.db and msg-config-cert8.db owned by root. Once we copied these files to the MsgRoot/config directory as key3.db and cert8.db, changed the ownership of the three .db files to the msg server user, and made sure the sslpassword.conf file had the correct password all was fine. The problem I have is that it looks like each "application" or "service" might need a cert (directory, iMS, web, admin). Is there a way to get each of these applications to use the same certificate, even if I have to create copies of the .db files? We had installed on self-signed certificate on the admin server and tried to copy it into the MsgRoot/config but the msg software failed to recognize the admin server cert.

  Here's what one of my co-workers said, after he figured it out:
  The problem was the files cert8.db, cert7.db and key3.db were not correct under /var/opt/SUNWmsgsr/config area.
  The soft links u created was with the prefixes "msg-*" and this is no longer required by the messaging server.
  The files should be either cert7/cert8.db and key3.db
  I have made the correct soft links to /var/opt/mps/serverroot/alias area. The messaging server is running now w/ SSL mode.

• SSL certificates and more than one hostname / interface

  Hi,
  I'm trying to configure the directory proxy server of DSEE7 to listen at 636 (SSL) at 2 different interfaces. As both of them got different hostnames, I get a certificate error for one of them because the name does not match the one of the certificate. Is there a way to configure the proxy server with different certs for different interfaces / hostnames?
  thank you,
  solst_ice

  Hi,
  Did you tried SAN certificates (also known as Unified Communication Certificates by Public CA like DigiCert, Entrust etc..) ?
  SAN stands for Subject Alternate Names - this allows more than one hostname to be binded to a single certificate for such multihosting setup. I think you should try using a self-signed SAN certificate before purchasing a SAN certificate from External Public CA (if you rely on External Public CA). If you have Private CA then I think there should be much cost impact for you.
  HTH,
  Randip Malakar

• Exchange 2010 SSL certificate and internal names

  So I received an email from Digicert stating our certificate contains .local internal domain names and we need to remove the names and re-issue our cert. Our cert currently contains the following names:
  CN: mail.ourdomain.org
  mail.ourdomain.org
  mailservername.ourdomain.local
  autodiscover.ourodmain.org
  autodiscover.ourdomain.local
  So after removing all .local names and re-issuing/re-installing the certificate, is there any additional configuration I need to do on the Exchange side? We already have an internal DNS A record pointing mail.ourdomain.org to internal IP of Exchange server.
  This topic first appeared in the Spiceworks Community

  So I received an email from Digicert stating our certificate contains .local internal domain names and we need to remove the names and re-issue our cert. Our cert currently contains the following names:
  CN: mail.ourdomain.org
  mail.ourdomain.org
  mailservername.ourdomain.local
  autodiscover.ourodmain.org
  autodiscover.ourdomain.local
  So after removing all .local names and re-issuing/re-installing the certificate, is there any additional configuration I need to do on the Exchange side? We already have an internal DNS A record pointing mail.ourdomain.org to internal IP of Exchange server.
  This topic first appeared in the Spiceworks Community

• DSEE 6.3.1 and 2048-bit SSL certificates

  Related to my previous post, I'm standing up a new 6.3.1 proxy server and directory server instance that are being added to my existing environment. We use GoDaddy for SSL certificates and they require 2048-bit CSRs, which cannot be generated with 6.3.1 software. That being the case I generated the CSR for each host using openssl with the command:
  openssl req -new -newkey rsa:2048 -nodes -out ldp05_domain_com.csr -keyout ldp05_domain_com.key -subj "/C=us/ST=Massachusetts/L=Cambridge/O=My Corp/OU=Network Operations/CN=ldp05.domain.com"I then took the CSR and received a new signed 2048-bit cert from GoDaddy. I added the GoDaddy root bundle certs into my CA cert chain and then attempted to add the server cert.
  On the directory server I have the problem:
  # dsadm add-cert /usr/local/ds/domain/ ldp05.domain.com /tmp/ldp05.domain.com.crt
  Unable to find private key for this certificate.
  Failed to add the certificate.I get the same error when attempting to add the certificate through DSCC.
  I have a different problem with the 2048-bit certificate on the proxy server. I added the CA cert and that was fine. However, when I add the server cert, it shows up in the CA cert chain.
  # dpadm add-cert /usr/local/dps/domain/ dps05.domain.com /tmp/dps05.domain.com.crt
  # dpadm list-certs /usr/local/dps/domain/
  Alias             Valid from       Expires on       Self-signed? Issued by                          Issued to    
  defaultservercert 2011/02/25 10:08 2013/02/24 10:08 y            CN=dps05.domain.com:389 Same as issuer
  1 certificate found.
  # dpadm list-certs -C /usr/local/dps/domain/|grep dps05
  dps05.domain.com     2011/02/25 11:43 2014/02/25 11:43 n         SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US      CN=dps05.domain.com, OU=Domain Control Validated, O=dps05.domain.comHas anyone successfully added 2048-bit CA signed certificates to both DPS and DS instances? Is there a limitation on the size of a certificate that can be imported as a non CA cert in directory proxy server 6.3.1?

  Sadly after opening a case with Oracle support I was told that the hotfix wasn't built for Linux (which I'm running) and would take 1-2 weeks to complete. I have managed to solve 99% of the issue on my DPS host thus far and have only one remaining issue which is upon adding the cert.
  In order to generate the 2048-bit CSR I had to run the following:
  # cd /usr/local/dps/domain/alias
  # modutil -changepw "NSS Certificate DB" -dbdir .
  # certutil -R -s "CN=dps05.domain.com,OU=Network Operations,O=My Corp,L=City,ST=State,C=US" -o /tmp/dps05.domain.com.csr -d /usr/local/dps/domain/alias -a -g 2048For reference, running the dpadm command to set the cert db password didn't work.
  # dpadm stop /usr/local/dps/domain
  # dpadm get-flags /usr/local/dps/domain
  # dpadm set-flags /usr/local/dps/domain/ cert-pwd-prompt=onOnce I had the properly sized CSR I had the cert issued and attempted to add the root certs to the CA chain and the server cert to the server certificates:
  # dpadm add-cert /usr/local/dps/domain gd-root-bundle gd_bundle.crt
  # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
  - This shows the Go Daddy root cert bundle in the CA cert chain
  # dpadm add-cert /usr/local/dps/domain dps05.domain.com dps05.domain.com.crt
  # dpadm list-certs /usr/local/dps/domain
  - Shows only the defaultservercert
  # dpadm list-certs -C /usr/local/dps/endeca |grep -i daddy
  - The server cert now shows up in the CA chain.Does anyone have any idea how I can properly add the new cert to the server cert list so it can be used by the server?

• Replacing SSL keys and certificates for already defined services

  I have about 10 new 2048-bit keys and certs to replace existing 1024 bit keys and certs on my CSS11500 with SSL modules.
  I'm trying to figure out my options, now that I've got the files SFTP'ed to the CSS.
  I can create a new startup-config file for the CSS with the new files referenced by the SSL associate commands in the startup-config. This will require a reboot (not desired).
  I can come up with new associations for the new files, then suspend the ssl-proxy-list and edit it to use the new associations. This doesn't require a reboot but then I have to clear out the old associations before I can delete the old key/cert files.
  Is there any way to force the CSS to "overwrite" an existing SSL association without rebooting the CSS?

  "Clear file filename "password" commad will help you to clear SSL certificates and private keys from the CSS that are no longer valid.
  Please check if the below URL: could help:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdGenA.html#wp1030153

• IPhone LDAP contacts and Self signed SSL certificates

  Hi,
  I am using OpenLDAP with self signed SSL certificate, and i am unable to get SSL work with LDAP contacts on the IPhone (4.x). I have tried to add a CA cert with a server certificate for the LDAP server and downloaded it to the IPhone by web, it adds the CA, but even with it, it does not want to connect to the LDAP server with SSL enabled.
  Does LDAP contacts should work by adding new CA ? if yes, what is the exact procedure to do it ? (maybe I used a wrong CA export format, or wrong SSL certificate encryption format ...)
  can someone tell me how to do it ?
  This is really anoying, since we have multiple iphones on the company.
  Thanks for the help.

  Hello, found your post.  I realize it's been 6 months since you posted, but I have a solution for you since I have struggled with the same problem since 2009.
  I discovered that when the iPhone is using LDAPS, it tries to bind with LDAPv2.  After it binds, it speaks LDAPv3 like it is supposed to.  Apparently this is a somewhat common practice since OpenLDAP includes an option for it.
  You'll want to set the following option in OpenLDAP:
  dn: cn=config
  olcAllows: bind_v2
  Walla! LDAPS works! (assuming you've correctly done all the certificate stuff).  Took some deep reading through the debug logs to figure out this problem.  Figured I'd share my answer with others.

• How to erase all self signed certificates and force Server to use Signed SSL

  I have been using a poorly managed combination of self-signed SSL certificates and a free one. I have purchased a good SSL from Digicert and am trying to configure the server to use it across the board. All of the services seem to be using it, but when I try to manage the server remotely, I seeing a self-signed certificate instead.
  I look under the system keychain in K-Access and there are several self signed certificates there (including the one that I am seeing when I try to remote manage).
  Can I replace those self-signed certs with the new one some how?

  Don't delete those.  However, you are on the right track.  Follow these steps to resolve.
  1:  Launch Keychain Access
  2:  Select the System Keychain
  3:  Find the com.apple.servermgrd IDENTITY PREFERENCE (looks like a contact card) and double click to open it
  4:  In the Preferred Certificate popup, change com.apple.servermgrd to your purchased certificate
  5:  Press Save Changes to save.
  6:  Reboot the server or kill the servermgrd process to restart the service.
  That should resolve your issue.
  R-
  Apple Consultants Network
  Apple Professional Services
  Author "Mavericks Server – Foundation Services" :: Exclusively available on the iBooks store

• SSL Certificate Export Password

  Hi ,
  I am trying to export certificate and Key from CSS, Unforunately i do not have password from them.
  Is their anyway to recover password or can i export keys and certificate without password.
  Thanks in Advance
  Aniruddha

  I think the only way to export the key is to use the password issues when importing the key. The SSL Certificate and Key are stored in DES encryption. There is no way to get the key without the password for the certificate and key except to break DES or guess the password.

• SSL certificate error on every SSL page

  Hello,
  I was having problems earlier with connecting to my wireless internet so I deleted some of my .plist files attempting to fix the problem. Now I am having problems connecting to ANY SSL page, (as well as google chat, etc.) saying "security certificate is not trusted". Same happens on all browsers. I think it is because I deleted some plist files (not sure which ones).
  How can I fix this problem? I cannot find any documentation of anyone else having this problem, so please help!
  Much thanks.

  The answer was found elsewhere: Android is much more picky when it comes to SSL certificates and what works in the browser doesn't necessarily work in an Android app.
  A technician had to add a "SSLCACertificateFile to the SSL conf to provide this intermediate chain". I don't know what this is, but it worked.