SSL Client example from dev2dev

Similar Messages

• AnyConnect SSL-client Certificate AND AAA RADIUS

  Hi All,
  I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
  I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
  Here are some relevant log messages I'm getting:
  Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
  Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
  Certificate chain was successfully validated with warning, revocation status was not checked.
  Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
  Device completed SSL handshake with client outside:72.91.xx.xx/42501
  Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
  Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
  Relevant Config:
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  authentication-server-group RADIUS
  default-group-policy GroupPolicy1
  tunnel-group SSLClientProfile webvpn-attributes
  authentication aaa certificate
  radius-reject-message
  pre-fill-username ssl-client
  group-alias SSLClientProfile enable
  group-url https://URL enable
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  wins-server none
  dns-server value <ip1> <ip2>
  vpn-tunnel-protocol ssl-client
  default-domain value xxxxxxxx
  address-pools value VPNPOOL
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.102.242
  key *****
  aaa-server RADIUS (inside) host 192.168.240.242
  key *****
  ASA version 8.4
  What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

  PRogress....
  I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

• Using JSSE : "Invalid Netscape CertType extension for SSL client" Error

  Hi all,
  Im using the sample code given sun site for JSSE with Client Authentication. The sample as such it worked with the testkeys provided in that. But it didn't workout when I tried using other certificates.
  Both client and server certificates I generated from our internal Netscape Certificate Manager.
  Function of the server :
  The server will read a private key from the given keystore and starts listening on a port. This server will server only GET request.
  Function of the client :
  The Client sends a GET request to the server and gets the response back.
  I simply changed the key store name alone in the working sample code.
  It is not working.
  The Exception thrown on client side :
  D:\users\Jp\java\jssesamples\sockets\client\class>java SSLSocketClientWithClientAuth1 localhost 1089 /urls
  localhost
  1089
  /urls
  java.net.SocketException: Software caused connection abort: socket write error
  at java.net.SocketOutputStream.socketWrite0(Native Method)
  at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
  at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
  at com.sun.net.ssl.internal.ssl.OutputRecord.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
  at SSLSocketClientWithClientAuth1.main(SSLSocketClientWithClientAuth1.java:119)
  Exception thrown on server side :
  D:\users\Jp\java\jssesamples\sockets\server\class>java ClassFileServer 1089 . TLS true
  USAGE: java ClassFileServer port docroot [TLS [true]]
  If the third argument is TLS, it will start as
  a TLS/SSL file server, otherwise, it will be
  an ordinary file server.
  If the fourth argument is true,it will require
  client authentication as well.
  javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
  at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
  at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
  at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
  at java.io.InputStreamReader.read(InputStreamReader.java:167)
  at java.io.BufferedReader.fill(BufferedReader.java:136)
  at java.io.BufferedReader.readLine(BufferedReader.java:299)
  at java.io.BufferedReader.readLine(BufferedReader.java:362)
  at ClassServer.getPath(ClassServer.java:162)
  at ClassServer.run(ClassServer.java:109)
  at java.lang.Thread.run(Thread.java:536)
  Caused by: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(DashoA6275)
  at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(DashoA6275)
  ... 17 more
  error writing response: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExce
  ption: Invalid Netscape CertType extension for SSL client
  javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: java.security.cert.Certificate
  Exception: Invalid Netscape CertType extension for SSL client
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.e(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
  at java.io.DataOutputStream.writeBytes(DataOutputStream.java:256)
  at ClassServer.run(ClassServer.java:128)
  at java.lang.Thread.run(Thread.java:536)
  Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Netscape CertType extension
  for SSL client
  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
  at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
  at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
  at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
  at java.io.InputStreamReader.read(InputStreamReader.java:167)
  at java.io.BufferedReader.fill(BufferedReader.java:136)
  at java.io.BufferedReader.readLine(BufferedReader.java:299)
  at java.io.BufferedReader.readLine(BufferedReader.java:362)
  at ClassServer.getPath(ClassServer.java:162)
  at ClassServer.run(ClassServer.java:109)
  ... 1 more
  Caused by: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(DashoA6275)
  at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(DashoA6275)
  ... 17 more
  The Client code :
  * @(#)SSLSocketClientWithClientAuth.java     1.5 01/05/10
  * Copyright 1995-2002 Sun Microsystems, Inc. All Rights Reserved.
  * Redistribution and use in source and binary forms, with or
  * without modification, are permitted provided that the following
  * conditions are met:
  * -Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * -Redistribution in binary form must reproduct the above copyright
  * notice, this list of conditions and the following disclaimer in
  * the documentation and/or other materials provided with the
  * distribution.
  * Neither the name of Sun Microsystems, Inc. or the names of
  * contributors may be used to endorse or promote products derived
  * from this software without specific prior written permission.
  * This software is provided "AS IS," without a warranty of any
  * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
  * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
  * EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
  * DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
  * RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
  * ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
  * FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
  * SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
  * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
  * THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  * You acknowledge that Software is not designed, licensed or
  * intended for use in the design, construction, operation or
  * maintenance of any nuclear facility.
  import java.net.*;
  import java.io.*;
  import javax.net.ssl.*;
  import javax.security.cert.X509Certificate;
  import java.security.KeyStore;
  * This example shows how to set up a key manager to do client
  * authentication if required by server.
  * This program assumes that the client is not inside a firewall.
  * The application can be modified to connect to a server outside
  * the firewall by following SSLSocketClientWithTunneling.java.
  public class SSLSocketClientWithClientAuth1 {
  public static void main(String[] args) throws Exception {
       String host = null;
       int port = -1;
       String path = null;
       for (int i = 0; i < args.length; i++)
       System.out.println(args);
       if (args.length < 3) {
       System.out.println(
            "USAGE: java SSLSocketClientWithClientAuth " +
            "host port requestedfilepath");
       System.exit(-1);
       try {
       host = args[0];
       port = Integer.parseInt(args[1]);
       path = args[2];
       } catch (IllegalArgumentException e) {
       System.out.println("USAGE: java SSLSocketClientWithClientAuth " +
            "host port requestedfilepath");
       System.exit(-1);
       try {
       * Set up a key manager for client authentication
       * if asked by the server. Use the implementation's
       * default TrustStore and secureRandom routines.
       SSLSocketFactory factory = null;
       try {
            SSLContext ctx;
            KeyManagerFactory kmf;
            KeyStore ks;
            char[] passphrase = "passphrase".toCharArray();
            ctx = SSLContext.getInstance("TLS");
            kmf = KeyManagerFactory.getInstance("SunX509");
            ks = KeyStore.getInstance("JKS");
  //          ks.load(new FileInputStream("testkeys"), passphrase);
            ks.load(new FileInputStream("clientkey"), passphrase);
            kmf.init(ks, passphrase);
            ctx.init(kmf.getKeyManagers(), null, null);
            factory = ctx.getSocketFactory();
       } catch (Exception e) {
            throw new IOException(e.getMessage());
       SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
       * send http request
       * See SSLSocketClient.java for more information about why
       * there is a forced handshake here when using PrintWriters.
       socket.startHandshake();
       PrintWriter out = new PrintWriter(
                      new BufferedWriter(
                      new OutputStreamWriter(
                      socket.getOutputStream())));
       out.println("GET " + path + " HTTP/1.1");
            /* Some internet sites throw bad request error for HTTP/1.1 req if hostname is not specified so the foll line */
            out.println("Host: " + host);
       out.println();
       out.flush();
       * Make sure there were no surprises
       if (out.checkError())
            System.out.println(
            "SSLSocketClient: java.io.PrintWriter error");
       /* read response */
       BufferedReader in = new BufferedReader(
                      new InputStreamReader(
                      socket.getInputStream()));
       String inputLine;
       while ((inputLine = in.readLine()) != null)
            System.out.println(inputLine);
       in.close();
       out.close();
       socket.close();
       } catch (Exception e) {
       e.printStackTrace();
  The Server code :
  * @(#)ClassFileServer.java     1.5 01/05/10
  * Copyright 1995-2002 Sun Microsystems, Inc. All Rights Reserved.
  * Redistribution and use in source and binary forms, with or
  * without modification, are permitted provided that the following
  * conditions are met:
  * -Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * -Redistribution in binary form must reproduct the above copyright
  * notice, this list of conditions and the following disclaimer in
  * the documentation and/or other materials provided with the
  * distribution.
  * Neither the name of Sun Microsystems, Inc. or the names of
  * contributors may be used to endorse or promote products derived
  * from this software without specific prior written permission.
  * This software is provided "AS IS," without a warranty of any
  * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
  * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
  * EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
  * DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
  * RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
  * ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
  * FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
  * SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
  * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
  * THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  * You acknowledge that Software is not designed, licensed or
  * intended for use in the design, construction, operation or
  * maintenance of any nuclear facility.
  import java.io.*;
  import java.net.*;
  import java.security.KeyStore;
  import javax.net.*;
  import javax.net.ssl.*;
  import javax.security.cert.X509Certificate;
  /* ClassFileServer.java -- a simple file server that can server
  * Http get request in both clear and secure channel
  * The ClassFileServer implements a ClassServer that
  * reads files from the file system. See the
  * doc for the "Main" method for how to run this
  * server.
  public class ClassFileServer extends ClassServer {
  private String docroot;
  private static int DefaultServerPort = 2001;
  * Constructs a ClassFileServer.
  * @param path the path where the server locates files
  public ClassFileServer(ServerSocket ss, String docroot) throws IOException
       super(ss);
       this.docroot = docroot;
  * Returns an array of bytes containing the bytes for
  * the file represented by the argument <b>path</b>.
  * @return the bytes for the file
  * @exception FileNotFoundException if the file corresponding
  * to <b>path</b> could not be loaded.
  public byte[] getBytes(String path)
       throws IOException
       System.out.println("reading: " + path);
       File f = new File(docroot + File.separator + path);
       int length = (int)(f.length());
       if (length == 0) {
       throw new IOException("File length is zero: " + path);
       } else {
       FileInputStream fin = new FileInputStream(f);
       DataInputStream in = new DataInputStream(fin);
       byte[] bytecodes = new byte[length];
       in.readFully(bytecodes);
       return bytecodes;
  * Main method to create the class server that reads
  * files. This takes two command line arguments, the
  * port on which the server accepts requests and the
  * root of the path. To start up the server: <br><br>
  * <code> java ClassFileServer <port> <path>
  * </code><br><br>
  * <code> new ClassFileServer(port, docroot);
  * </code>
  public static void main(String args[])
       System.out.println(
       "USAGE: java ClassFileServer port docroot [TLS [true]]");
       System.out.println("");
       System.out.println(
       "If the third argument is TLS, it will start as\n" +
       "a TLS/SSL file server, otherwise, it will be\n" +
       "an ordinary file server. \n" +
       "If the fourth argument is true,it will require\n" +
       "client authentication as well.");
       int port = DefaultServerPort;
       String docroot = "";
       if (args.length >= 1) {
       port = Integer.parseInt(args[0]);
       if (args.length >= 2) {
       docroot = args[1];
       String type = "PlainSocket";
       if (args.length >= 3) {
       type = args[2];
       try {
       ServerSocketFactory ssf =
            ClassFileServer.getServerSocketFactory(type);
       ServerSocket ss = ssf.createServerSocket(port);
       if (args.length >= 4 && args[3].equals("true")) {
            ((SSLServerSocket)ss).setNeedClientAuth(true);
       new ClassFileServer(ss, docroot);
       } catch (IOException e) {
       System.out.println("Unable to start ClassServer: " +
                 e.getMessage());
       e.printStackTrace();
  private static ServerSocketFactory getServerSocketFactory(String type) {
       if (type.equals("TLS")) {
       SSLServerSocketFactory ssf = null;
       try {
            // set up key manager to do server authentication
            SSLContext ctx;
            KeyManagerFactory kmf;
            KeyStore ks;
            char[] passphrase = "passphrase".toCharArray();
            ctx = SSLContext.getInstance("TLS");
            kmf = KeyManagerFactory.getInstance("SunX509");
            ks = KeyStore.getInstance("JKS");
  //          ks.load(new FileInputStream("testkeys"), passphrase);
            ks.load(new FileInputStream("serverkey"), passphrase);
            kmf.init(ks, passphrase);
            ctx.init(kmf.getKeyManagers(), null, null);
            ssf = ctx.getServerSocketFactory();
            return ssf;
       } catch (Exception e) {
            e.printStackTrace();
       } else {
       return ServerSocketFactory.getDefault();
       return null;
  Could anyone help ?
  thanks in advance
  Jayaprakash

  The same thing.
  I have found the place where the exception throws.
  It is com.sun.net.ssl.internal.ssl.AVA class.
  It has a constructor AVA(StringReader)
  There is a check in this constructor of different certificate extensions
  (if-else). If it sees no familiar extension it throws exception and handshake fails.
  It is not difficult to fix this problem: just ignore unknown extension.
  Everything works fine with this "improved" class (under VA 3.5).
  But the problem is - the using of this class in applets.
  How can I say the browser to use my "improved" class and not the one it downloaded with java plug-in?

• Applet does not get client certificate from browser (Firefox, IE7)

  I'm writing a web service which runs Tomcat through Apache. One critical requirement is that the service be able to invoke certain device drivers on the end user's machine. Fortunately, there is a Java API for this, so this requirement can be fulfilled using an applet.
  Here's the problem. This is a B2B application, so we're using SSL and requiring client authentication. I'm no web security guru, but I managed to get SSL set up through Apache (with a self-signed certificate for now; we'll get a real one from a real CA when we're ready to go to production). I also managed to set up client authentication by creating my own CA and generating a client certificate, which I then copied to my test client (Win XPSP2) and imported into both Firefox (2.0.0.15) and IE (6.0.2900). The applet is signed with a real certificate, and that causes no problems. And all of the pages for my web service work as expected.
  All except one. The page which is supposed to load the applet pops a dialog stating 'Identification required. Please select certificate to be used for authentication', and presents a list of zero certificates.
  Actually, I get this dialog in Firefox on my XPSP2 box, and also when I test on a Vista Home Premium box running IE 7.0.6000. Puzzlingly, this behavior does NOT occur on my XPSP2 box when running through IE 6.0. It seems that with XPSP2 and IE 6.0, the JVM can manage to obtain the required client certificate from the browser and pass it along to Apache, but the JVM can't do this when running in Firefox or in IE 7.0 on Vista.
  I have gone to the Java Control Panel and verified that the 'Use certificates and keys in browser keystore' option is selected on both boxes.
  I've done a fair amount of research for this (including in this forum) and see that this appears to be a chronic difficulty with applets. What makes it worse is that I don't think I can use the standard workaround, which is to download the applet from a different host/virtual host, because the applet needs to communicate with the web service. Since we have the additional layer of Tomcat container-managed user authentication, the applet needs to be communicating with the server using the same session token as everything else.
  So at this point, I'm stuck. Does anyone know a solution to this problem? Two thoughts (I'm reaching at straws here):
  1) I have the certificate imported in both Firefox and IE as a 'personal' certificate. Is there someplace else I can put it so the JVM will know how to find it? A rather old thread in this forum mentioned something about setting properties in the Java Control Panel, but I see no place in the JCP to specify such properties, so I'm guessing that solution is no longer operative.
  2) I'm using a trick I found on the internet to make the applet load cleanly with both Firefox and IE, namely, I'm using the <OBJECT> tag to specify the applet class and codebase for IE, and then using <COMMENT><EMBED ... /></COMMENT> within the <OBJECT> declaration to specify the information for Firefox. Is there some other way of doing the markup that will give the JVM a hint that it should get a certificate from the browser?
  BTW . . . I would hate to drop support for Firefox, but if someone has an IE-only solution, I'll take it. Unfortunately, I reckon a Firefox-only solution would not fly.
  Thanks all.

  My applet is also signed by a valid certificate. The question of whether the applet is signed/self-signed/unsigned >isn't an issue --- I just wanted you to make sure the Applet runs because it is a know valid Java2 Applet that is 100% signed properly and verified to run.
  This eliminates the possibility that it is a JVM issue. However after reading your message further I am afraid
  it is not relevant to your issue.
  due to the client authentication, my browser (Firefox, IE7) refuses to even download the applet.
  I went to your site, and I can see your applet in both Firefox and IE6. However, I don't believe your site is set up >quite like mine, because it appears I can run your applet whether I have imported your X509 certificate or not. What I >did was:If that is true we are all dead :) No I think you just missed the cert in the IE databse. It doesn't have to be in the
  Applet database to function. Surprise!
  Check your IE/tools/internet options/content tab/certificates/trusted root certification authorities.
  I then opened the Java control panel and verified that the certificate isn't listed there, either. So unless the certificate >is being cached/read from some other location (which could be, this certificate stuff is largely black magic to me), >then your server isn't requiring client authentication, either accidentally or by design.No HyperView is a valid java2 Applet and actually writes to a file "hyperview.dat" though it is probably empty.
  If you click on a component in the view and then on the view and type "dumpgobs" it shoud write out some data about the current graphics objects so you can see it has complete read/write access..
  Further it opens up a complete NIO server ands starts listening for connections on a random port
  (Echoed in your java console) You can connect to it with telnet and watch impressive ping messages all day :)
  This all goes back to a few years BTW back before there was a plugin and there was only Netscape & IE.
  There are actually 2 certificate databases and what loads where depends on which type of cert you are using. Now self signed or not doesn't matter but what does matter is the type of certificate. IE: is it RSA/DSA/Sha1
  etc. The Netscape DB was a Berkley DB and MS used whatever they use. The Cert is a DSA/Sha1 cert
  which I like the best ATM as it (X fingers it stays so) always has worked.
  Sadly that tidbit doesn't help you either I am afraid.
  What I'm trying to do is require client authentication through Apache by including the following markup in a virtual >host definition:
  SSLCACertificateFile D:/Certificates/ca.crt
  SSLVerifyClient require
  SSLVerifyDepth 1You got me there I avoid markup at all costs and only code in C java and assembler :)
  Now unless I am wrong I think you are saying that you want the Applet to push the certificate to the server
  automatically and I don't think this happens. Least I have never heard of this happening from an Applet automatically.
  On my client machine, I have a certificate which was generated using OpenSSL and the ca.crt file listed. Testing >shows that the server is requiring a certificate from the client, and the web browser is always providing it.
  The problem is that when the browser fires up the Java plugin to run an applet, there is not sufficient communication >between the browser and the plugin so that the plugin can obtain the certificate from the browser and provide it to >the server.
  So the server refuses to send the applet bytecode to the JVM, and we're stuck.In terms of implementation ease I think you may have the cart before the horse because I think it would be far easier to run an Applet in the first place to do the authentication, and then send, for example, a jar file to bootstrap and run
  (or some classes) in the event the connection is valid. Then again one never knows it all and there may be some classes which enables the plugin as you wish. I have never heard of this being done with the plugin the way you suggest.
  I am thinking maybe there is another method of doing this I do not know.
  Did you try pushing the cert via JavaScript/LIveConnect?? That way it could run before the Applet and do the authentication.
  Maybe someone else has other ideas; did you try the security forum??
  Sorry but I am afraid that is not much help.
  I did snarf this tidbit which may have some relevance
  The current fix for this bug in Mantis and 1.4.1_02 is using JSSE API, Here are the step:
  In Java control panel, Advanced tab -> Java Runtime Parameters, specify:
  -Djavax.net.ssl.keyStore=<name and path to client keystore file>
  -Djavax.net.ssl.keyStorePassword=<password to access this client keystore file>
  If it is a PKCS12 format keystore, specify:
  -Djavax.net.ssl.keyStoreType=PKCS12
  In our future JRE release 1.5, we will create our own client authentication keystore file for JPI and use that for client authentication, for detail info, please see RFE 4797512.
  Dennis
  Posted Date : 2005-07-28 19:55:50.0Good Luck!
  Sincerely:
  (T)
  Edited by: tswain on 23-Jul-2008 10:07 AM

• ACE as ssl client

  Hello all,
  has anyone been able to successfully configure the ACE board to initiate and terminate ssl connections as ssl client. We tried a lot, but no luck... Is there a working configuration example out there, because the documentation does not tell anything useful? Would be great to get some hints on this issue.
  And what IP is the ACE using, when initiating the ssl connection to the outside? As we can not configure NAT through a VIP address, how can the ACE board recognize the right IP association?
  Thanks in advance and regards,
  Rene

  Hi,
  thank you, i red this doc already. I tried several different ways of configuring all this. But no luck in any way. Is the vserver address the one of the external server? And do i need to configure the external server as serverfarm? All this is not very clear from my point of view. Do you have a working example?
  regards,
  rene

• View data in client B from client A in the same SID without a valid logon?

  Hi Folks
  We are planning on upgrading our 4.6C system to ERP 6.0, and are initialy considering having two clients in the same sandbox SID.  One would be for the developers to perform code remediation checks (client A), and one would contain a copy of production data for performing testing of functionality over live data (client B).
  Would it be possible to view data in client B from client A in the same system without a valid logon to client B or RFC connection to client B from client A?   For example via the use on an ABAP program to SQL the database?
  I know one can use transactions like SM30/SM31 to view, compare, and adjust data between clients, but this requires an RFC connection and valid logon to the target client.
  Regards
  Kevin.

  Hi Kevin.
  >
  Kevin McLatchie wrote:
  > Would it be possible to view data in client B from client A in the same system without a valid logon to client B or RFC connection to client B from client A?   For example via the use on an ABAP program to
  Short answer: yes.
  If someone has the right to write and execute ABAP reports on the system he is able to access the data of all clients. So I don't think that this setup is advisable. Don't mix development and production data in one system.
  Best regards,
  Jan

• Attempting to use SSL over RMI from a web application to a RMI server

  Hi,
  I am attempting to use SSL over RMI to a server. The client is the web
  application that is hosted on WebLogic and that attempts to connect to the
  server. There is no client or server verification at either the client or
  the server end. The code works outside of WebLogic 7/8 but has the following
  issues when running the web application inside weblogic:
  java.rmi.ConnectException: Connection refused to host: gkhanna1; nested
  exception is:
  java.net.ConnectException: Connection refused: connect
  java.net.ConnectException: Connection refused: connect
  at java.net.PlainSocketImpl.socketConnect(Native Method)
  at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:350)
  at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:137)
  at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:124)
  at java.net.Socket.<init>(Socket.java:268)
  at java.net.Socket.<init>(Socket.java:95)
  at
  sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketF
  actory.java:20)
  at
  sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketF
  actory.java:115)
  at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:494)
  at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:185)
  at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:169)
  at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:313)
  at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
  at java.rmi.Naming.lookup(Naming.java:79)
  at
  com.hyperion.css.spi.impl.ntlm.NTLMConnectionClient.initConnection(NTLMConne
  ctionClient.java:59)
  at
  com.hyperion.css.spi.impl.ntlm.NTLMConnectionClient.getUsers(NTLMConnectionC
  lient.java:197)
  at com.hyperion.css.CSSAPIImpl.getUsers(Unknown Source)
  at com.hyperion.css.CSSAPIImpl.initialize(Unknown Source)
  at com.hyperion.css.CSSAPIImpl.initialize(Unknown Source)
  at jsp_servlet._jsp._app1.__app1signin._jspService(__app1signin.java:133)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
  at
  weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(Servle
  tStubImpl.java:1058)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :401)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :445)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :306)
  at
  weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(W
  ebAppServletContext.java:5445)
  at
  weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
  r.java:780)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
  ntext.java:3105)
  at
  weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
  :2588)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:213)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:189)
  The code at the client that initiates the connection:
  socketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
  SSLSocket socket = (SSLSocket) socketFactory.createSocket(host, port);
  socket.setEnabledCipherSuites(CIPHERS);
  socket.setEnableSessionCreation(true);
  Any ideas?
  Thanks

  I don't see anything that indicates SSL was directly a factor in the
  failure.
  From the exception stack it looks like a more basic connectivity issue,
  maybe the URL for the
  RMI server is incorrect for some reason or the server was down.
  It looks like you are doing something like this:
  SSL client -> WLS server with servletA, servletA RMI client
  (com.hyperion.css) -> RMI server
  The connection failure appears to be the connection from servletA RMI client
  to the RMI server.
  Is that a correct picture?
  Tony
  "Gaurav Khanna" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  I am attempting to use SSL over RMI to a server. The client is the web
  application that is hosted on WebLogic and that attempts to connect to the
  server. There is no client or server verification at either the client or
  the server end. The code works outside of WebLogic 7/8 but has thefollowing
  issues when running the web application inside weblogic:
  java.rmi.ConnectException: Connection refused to host: gkhanna1; nested
  exception is:
  java.net.ConnectException: Connection refused: connect
  java.net.ConnectException: Connection refused: connect
  at java.net.PlainSocketImpl.socketConnect(Native Method)
  at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:350)
  at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:137)
  at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:124)
  at java.net.Socket.<init>(Socket.java:268)
  at java.net.Socket.<init>(Socket.java:95)
  at
  sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketF
  actory.java:20)
  at
  sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketF
  actory.java:115)
  at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:494)
  at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:185)
  at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:169)
  at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:313)
  at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
  at java.rmi.Naming.lookup(Naming.java:79)
  at
  com.hyperion.css.spi.impl.ntlm.NTLMConnectionClient.initConnection(NTLMConne
  ctionClient.java:59)
  at
  com.hyperion.css.spi.impl.ntlm.NTLMConnectionClient.getUsers(NTLMConnectionC
  lient.java:197)
  at com.hyperion.css.CSSAPIImpl.getUsers(Unknown Source)
  at com.hyperion.css.CSSAPIImpl.initialize(Unknown Source)
  at com.hyperion.css.CSSAPIImpl.initialize(Unknown Source)
  at jsp_servlet._jsp._app1.__app1signin._jspService(__app1signin.java:133)
  at weblogic.servlet.jsp.JspBase.service(JspBase.java:27)
  at
  weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(Servle
  tStubImpl.java:1058)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :401)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :445)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :306)
  at
  weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(W
  ebAppServletContext.java:5445)
  at
  weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
  r.java:780)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
  ntext.java:3105)
  at
  weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
  :2588)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:213)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:189)
  The code at the client that initiates the connection:
  socketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
  SSLSocket socket = (SSLSocket) socketFactory.createSocket(host, port);
  socket.setEnabledCipherSuites(CIPHERS);
  socket.setEnableSessionCreation(true);
  Any ideas?
  Thanks

• A fatal error occurred while creating an SSL client credential. The internal error state is 10011.

  Need help.  I have my pilot lync 2013 pool up (in coexistence with 2010 production environment) and can log into Lync 2013 environment with a lync 2010 client but am not able to with a lync 2013 client.  It just prompts for password but will not
  take it. I'm sseeing this on my front end server multiple times:
  A fatal error occurred while creating an SSL client credential. The internal error state is 10011.
  Came across this http://www.logicspot.net/index.php?id=50 and tried disabling TLS 1.2, which I did and verified but yet the issue still exists.
  All my certs are good coming from internal CA.  My signin logs show below but keep in mind, this works just fine if using a 2010 lync client to my lync 2013 servers.  Issue only occurs when trying to connect using a lync 2013 client.
  1 Login: FAIL (hr = 0x1) 
  this request needs authentication, trying webticket from: https://domain.com/WebTicket/WebTicketService.svc
  1.1 Get-NewWebTicket: FAIL (hr = 0x1) 
  CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
  1.1.1 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000) 
  Executing wws method with windows auth auth, asyncContext=0A4FC348,
   context: WebRequest context@ :173931816
    MethodType:4
    ExecutionComplete? :1
    Callback@ :0A5A1864
    AsyncHResult:80f10041
    TargetUri:https://domain.com/WebTicket/WebTicketService.svc
    OperationName:http://tempuri.org/:IWebTicketService
   Error:
  There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
  The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
  The requested resource requires user authentication.
  1.1.2 ExecuteWithWindowsOrNoAuthInternal: PASS
  1.1.3 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
  Executing wws method with windows auth auth, asyncContext=0A4FC348,
   context: WebRequest context@ :173931816
    MethodType:4
    ExecutionComplete? :1
    Callback@ :0A5A1864
    AsyncHResult:80f10041
    TargetUri:https://domain.com/WebTicket/WebTicketService.svc
    OperationName:http://tempuri.org/:IWebTicketService
   Error:
  There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
  The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
  The requested resource requires user authentication.
  1.1.4 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
  Discovery task(0A4FF830) sent to URL http://domain.com completed with hr=0x80f10045
  1.1.5 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
  Executing wws method with windows auth auth, asyncContext=0A4FC348,
   context: WebRequest context@ :173931816
    MethodType:4
    ExecutionComplete? :1
    Callback@ :0A5A1864
    AsyncHResult:80f10041
    TargetUri:https://domain.com/WebTicket/WebTicketService.svc
    OperationName:http://tempuri.org/:IWebTicketService
   Error:
  There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
  The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
  The requested resource requires user authentication.
  1.1.6 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
  CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
  Rich

  Hi,
  Please check the server role and Web Services for Internet Information Services (IIS) are set correctly.
  For the detailed IIS configuration, please check:
  http://technet.microsoft.com/en-us/library/gg412871.aspx
  As Lync client 2013 attempt to query in order to perform autodiscover of the Lync registration server. First
  lyncdiscoverinternal.<sipdomain> Host (A) record and then
  lyncdiscover.<sipdomain> Host (A) record. If neither of these records are resolvable then the legacy DNS SRV and A record fall-back process is used. So make sure you have add the two A record in DNS server.
  More details:
  http://blog.schertz.name/2012/12/lync-2013-client-autodiscover/
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
  sure that you completely understand the risk before retrieving any suggestions from the above link.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Error 403.7 - Forbidden: SSL client certificate is required

  Hi people!
  I�m developing a java client to a WebService (developed in .NET). The communication protocol is HTTPS to the URL where the Web Service is located (something like https://10.200.140.117/dirNotes/serviceName.asmx.). I�ve been reading many posts but I could'nt find the solution to the problem wich has the following message: Error 403.7 - Forbidden: SSL client certificate is required".
  I�m using JDK 1.5 and developing and testing on Windows Plataform. I'm able to access the URL specified above directly from the browser, I installed the client certificate (the same that �ve put into the ,jks keystore. I�ve also imported the whole certificate chain of the server to the cacerts.
  I�ll paste the code and the console trace below. I�d be very grateful if you can help me. Thanks a lot.
  _THE CODE_
  package principal;
  import java.io.BufferedReader;
  import java.io.FileInputStream;
  import java.io.FileNotFoundException;
  import java.io.FileReader;
  import java.io.IOException;
  import java.net.URL;
  import java.net.UnknownHostException;
  import java.security.KeyStore;
  import java.security.Security;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.KeyManagerFactory;
  import javax.net.ssl.SSLContext;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;
  import javax.net.ssl.TrustManagerFactory;
  import org.apache.axis.client.Call;
  import org.apache.axis.client.Service;
  import entidade.Certificado;
  public class SSLClient {
  private static final int PORT_NUMBER = 443;
  private static final String HTTPS_ADDRESS = "10.200.140.117";
  private static String strCabecalhoMsg = "";
  private static String strDadosMsg = "";
  public static void main(String[] args) throws Exception {
  System.setProperty("javax.net.ssl.keyStore", Certificado.getStrNomeArquivoJKSServidor());
  System.setProperty("javax.net.ssl.keyStorePassword", "senha");
  System.setProperty("javax.net.ssl.trustStore", "Certificados/cacerts");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
  System.setProperty("javax.net.ssl.keyStoreType", "JKS");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("javax.net.debug","ssl,handshake,record");
  KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
  ks.load(new FileInputStream(Certificado.getStrNomeArquivoJKSServidor()),
  Certificado.getArranjoCharSenhaCertificadoServidor());
  KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
  kmf.init(ks, Certificado.getArranjoCharSenhaCertificadoServidor());
  KeyStore ksT = KeyStore.getInstance(KeyStore.getDefaultType());
  ksT.load(new FileInputStream("C:/Arquivos de programas/Java/jre1.5.0_05/lib/security/cacerts"), "changeit".toCharArray());
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  tmf.init(ksT);
  SSLContext sc = SSLContext.getInstance("SSLv3");
  sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
  SSLSocketFactory factory = sc.getSocketFactory();
  try{
  // method to load the values of the strings strCabecalhoMsg and strDadosMsg
  carregarXMLCabecalhoDados();
  SSLSocket socket =(SSLSocket)factory.createSocket(HTTPS_ADDRESS, PORT_NUMBER);
  socket.startHandshake();
  String [] arr = socket.getEnabledProtocols();
  URL url = new URL("https://10.200.140.117/dirNotes");
  HttpsURLConnection.setDefaultSSLSocketFactory(factory);
  HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
  urlc.setDoInput(true);
  urlc.setUseCaches(false);
  Object[] params = {strCabecalhoMsg, strDadosMsg};
  Service service = new Service();
  Call call = (Call) service.createCall();
  call.setTargetEndpointAddress(url);
  call.setOperationName("serviceName");
  String ret = (String) call.invoke(params);
  System.out.println("Result: " + ret);
  catch (UnknownHostException uhe) {
  uhe.printStackTrace();
  System.err.println(uhe);
  catch (Exception uhe) {
  uhe.printStackTrace();
  System.err.println(uhe);
  private static void carregarXMLCabecalhoDados()
  try
  BufferedReader input = new BufferedReader( new FileReader("notas/cabecalho.xml"));
  String str;
  while((str=input.readLine()) != null)
  strCabecalhoMsg += str ;
  System.out.println("Cabe�a: " + strCabecalhoMsg);
  input = new BufferedReader( new FileReader("notas/nota.xml"));
  while((str=input.readLine()) != null)
  strDadosMsg += str ;
  System.out.println("Nota: " + strDadosMsg);
  catch (FileNotFoundException e)
  // TODO Auto-generated catch block
  e.printStackTrace();
  catch (IOException e)
  // TODO Auto-generated catch block
  e.printStackTrace();
  _THE TRACE_
  adding as trusted cert:
  Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
  *others trusted certs*
  trigger seeding of SecureRandom
  done seeding SecureRandom
  export control - checking the cipher suites
  export control - no cached value available...
  export control - storing legal entry into cache...
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1198158630 bytes = { 48, 135, 53, 24, 112, 72, 104, 220, 27, 114, 37, 42, 25, 77, 224, 32, 12, 58, 90, 217, 232, 3, 104, 251, 93, 82, 40, 91 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  main, WRITE: TLSv1 Handshake, length = 73
  main, WRITE: SSLv2 client hello message, length = 98
  main, READ: TLSv1 Handshake, length = 3953
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1198158523 bytes = { 56, 166, 181, 215, 86, 245, 8, 55, 214, 108, 128, 50, 8, 11, 0, 209, 38, 62, 187, 185, 240, 231, 56, 161, 212, 111, 194, 79 }
  Session ID: {222, 2, 0, 0, 147, 179, 182, 212, 18, 34, 199, 100, 168, 167, 48, 116, 140, 186, 151, 153, 226, 168, 163, 174, 24, 83, 208, 73, 179, 57, 86, 137}
  Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
  Compression Method: 0
  %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  ** SSL_RSA_WITH_RC4_128_MD5
  *** Certificate chain
  chain [0] = [
  Version: V3
  *many chains and related data*
  Found trusted certificate:
  Version: V3
  Subject:
  *many trusted certificates and related data*
  *** ServerHelloDone
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 117, 112, 233, 166, 240, 9, 226, 67, 53, 111, 194, 84, 124, 103, 197, 28, 17, 36, 32, 48, 145, 166, 161, 61, 30, 63, 153, 214, 137, 113, 222, 204, 138, 77, 212, 75, 65, 192, 159, 215, 69, 156, 47, 188, 179, 219 }
  main, WRITE: TLSv1 Handshake, length = 134
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 75 70 E9 A6 F0 09 E2 43 35 6F C2 54 7C 67 ..up.....C5o.T.g
  0010: C5 1C 11 24 20 30 91 A6 A1 3D 1E 3F 99 D6 89 71 ...$ 0...=.?...q
  0020: DE CC 8A 4D D4 4B 41 C0 9F D7 45 9C 2F BC B3 DB ...M.KA...E./...
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 47 6A 73 26 30 87 35 18 70 48 68 DC 1B 72 25 2A Gjs&0.5.pHh..r%*
  0010: 19 4D E0 20 0C 3A 5A D9 E8 03 68 FB 5D 52 28 5B .M. .:Z...h.]R([
  Server Nonce:
  0000: 47 6A 73 BB 38 A6 B5 D7 56 F5 08 37 D6 6C 80 32 Gjs.8...V..7.l.2
  0010: 08 0B 00 D1 26 3E BB B9 F0 E7 38 A1 D4 6F C2 4F ....&>....8..o.O
  Master Secret:
  0000: 0B 3A 71 F8 BB 79 5E 07 78 C2 5F 13 4F 92 9D 87 .:q..y^.x._.O...
  0010: CF 69 0D 07 78 D2 59 46 1E C3 C1 5B A2 DB 04 B9 .i..x.YF...[....
  0020: 42 60 92 48 59 8E FD FD C3 5B BD 00 9C 54 7A 7E B`.HY....[...Tz.
  Client MAC write Secret:
  0000: 33 7C 19 C4 75 D2 CE 82 39 98 37 E5 7D 20 CB B1 3...u...9.7.. ..
  Server MAC write Secret:
  0000: 1E 1E 48 C7 D4 77 23 E4 22 26 8B 98 2E 92 5C 95 ..H..w#."&....\.
  Client write key:
  0000: EE 05 39 76 B2 85 63 6C F7 70 30 CB 6D 08 07 54 ..9v..cl.p0.m..T
  Server write key:
  0000: 5C 2E 3B 5E DC D9 EC C5 04 C4 D5 B5 12 11 B9 08 \.;^............
  ... no IV for cipher
  main, WRITE: TLSv1 Change Cipher Spec, length = 1
  *** Finished
  verify_data: { 143, 115, 243, 131, 242, 244, 12, 44, 191, 172, 205, 122 }
  main, WRITE: TLSv1 Handshake, length = 32
  main, READ: TLSv1 Change Cipher Spec, length = 1
  main, READ: TLSv1 Handshake, length = 32
  *** Finished
  verify_data: { 231, 215, 37, 250, 177, 121, 111, 192, 11, 41, 1, 165 }
  %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  setting up default SSLSocketFactory
  use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
  class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
  keyStore is : Certificados/certificadoSondaMonitor.jks
  keyStore type is : JKS
  keyStore provider is :
  init keystore
  init keymanager of type SunX509
  trustStore is: Certificados\cacerts
  trustStore type is : jks
  trustStore provider is :
  init truststore
  adding as trusted cert:
  Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
  adding as trusted cert:
  * many certificates*
  init context
  trigger seeding of SecureRandom
  done seeding SecureRandom
  instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
  export control - checking the cipher suites
  export control - found legal entry in cache...
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1198158632 bytes = { 93, 1, 41, 236, 165, 146, 251, 117, 129, 195, 129, 72, 245, 181, 43, 48, 80, 251, 244, 198, 223, 85, 82, 101, 20, 159, 17, 26 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  main, WRITE: TLSv1 Handshake, length = 73
  main, WRITE: SSLv2 client hello message, length = 98
  main, READ: TLSv1 Handshake, length = 3953
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1198158525 bytes = { 109, 114, 234, 1, 130, 97, 251, 9, 61, 105, 56, 246, 239, 222, 97, 143, 22, 254, 65, 213, 10, 204, 153, 67, 237, 133, 223, 48 }
  Session ID: {23, 30, 0, 0, 26, 129, 168, 21, 252, 107, 124, 183, 171, 228, 138, 227, 94, 17, 195, 213, 216, 233, 205, 2, 117, 16, 21, 65, 123, 119, 171, 109}
  Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
  Compression Method: 0
  %% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
  ** SSL_RSA_WITH_RC4_128_MD5
  *** Certificate chain
  chain [0] = [
  many chains again
  *** ServerHelloDone
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 116, 247, 155, 227, 25, 25, 231, 129, 199, 76, 134, 222, 98, 69, 149, 224, 75, 6, 60, 121, 115, 216, 244, 246, 102, 92, 188, 64, 113, 56, 190, 43, 32, 51, 90, 254, 141, 184, 71, 48, 41, 29, 173, 180, 46, 116 }
  main, WRITE: TLSv1 Handshake, length = 134
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 74 F7 9B E3 19 19 E7 81 C7 4C 86 DE 62 45 ..t........L..bE
  0010: 95 E0 4B 06 3C 79 73 D8 F4 F6 66 5C BC 40 71 38 ..K.<ys...f\.@q8
  0020: BE 2B 20 33 5A FE 8D B8 47 30 29 1D AD B4 2E 74 .+ 3Z...G0)....t
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 47 6A 73 28 5D 01 29 EC A5 92 FB 75 81 C3 81 48 Gjs(].)....u...H
  0010: F5 B5 2B 30 50 FB F4 C6 DF 55 52 65 14 9F 11 1A ..+0P....URe....
  Server Nonce:
  0000: 47 6A 73 BD 6D 72 EA 01 82 61 FB 09 3D 69 38 F6 Gjs.mr...a..=i8.
  0010: EF DE 61 8F 16 FE 41 D5 0A CC 99 43 ED 85 DF 30 ..a...A....C...0
  Master Secret:
  0000: FC C9 75 A4 2B F1 8A D8 AD 16 27 70 B7 E4 64 6C ..u.+.....'p..dl
  0010: 05 D7 33 4A 53 91 2F 51 1E 32 D3 3B 2E 18 2E BC ..3JS./Q.2.;....
  0020: E4 16 EE 2F 01 A1 08 48 19 09 32 68 CE 69 8F B1 .../...H..2h.i..
  Client MAC write Secret:
  0000: F1 95 3B CE 06 5B 8A 9B EC DE 1C 8F B4 AB D9 36 ..;..[.........6
  Server MAC write Secret:
  0000: BF 52 36 48 63 24 FE 74 22 BE 00 99 BE F0 6E E5 .R6Hc$.t".....n.
  Client write key:
  0000: 9F 08 0A 6E 8F 54 A3 66 1C BC C7 6B AE 88 67 E0 ...n.T.f...k..g.
  Server write key:
  0000: 06 A1 0B 4F 69 DE 5F AF 0E 6B B5 04 ED E8 EA F5 ...Oi._..k......
  ... no IV for cipher
  main, WRITE: TLSv1 Change Cipher Spec, length = 1
  *** Finished
  verify_data: { 148, 93, 105, 42, 110, 212, 55, 2, 150, 191, 13, 111 }
  main, WRITE: TLSv1 Handshake, length = 32
  main, READ: TLSv1 Change Cipher Spec, length = 1
  main, READ: TLSv1 Handshake, length = 32
  *** Finished
  verify_data: { 171, 150, 45, 10, 99, 35, 67, 174, 35, 52, 23, 192 }
  %% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
  main, setSoTimeout(600000) called
  main, WRITE: TLSv1 Application Data, length = 282
  main, WRITE: TLSv1 Application Data, length = 8208
  main, WRITE: TLSv1 Application Data, length = 1102
  main, READ: TLSv1 Application Data, length = 1830
  main, received EOFException: ignored
  main, called closeInternal(false)
  main, SEND TLSv1 ALERT: warning, description = close_notify
  main, WRITE: TLSv1 Alert, length = 18
  main, called close()
  main, called closeInternal(true)
  AxisFault
  faultCode: {http://xml.apache.org/axis/}HTTP
  faultSubcode:
  faultString: (404)Not Found
  faultActor:
  faultNode:
  faultDetail:
       {}:return code: 404
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <HTML><HEAD><TITLE>The page cannot be found</TITLE>
  <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
  <STYLE type="text/css">
  BODY { font: 8pt/12pt verdana }
  H1 { font: 13pt/15pt verdana }
  H2 { font: 8pt/12pt verdana }
  A:link { color: red }
  A:visited { color: maroon }
  </STYLE>
  </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
  <h1>The page cannot be found</h1>
  The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
  <hr>
  <p>Please try the following:</p>
  <ul>
  <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
  <li>If you reached this page by clicking a link, contact
  the Web site administrator to alert them that the link is incorrectly formatted.
  </li>
  <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
  </ul>
  <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
  <hr>
  <p>Technical Information (for support personnel)</p>
  <ul>
  <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
  <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
  and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
  </ul>
  </TD></TR></TABLE></BODY></HTML>
       {http://xml.apache.org/axis/}HttpErrorCode:404
  (404)Not Found
       at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
       at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
       at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
       at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
       at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
       at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
       at org.apache.axis.client.Call.invoke(Call.java:2767)
       at org.apache.axis.client.Call.invoke(Call.java:2443)
       at org.apache.axis.client.Call.invoke(Call.java:2366)
       at org.apache.axis.client.Call.invoke(Call.java:1812)
       at principal.SSLClient.main(SSLClient.java:86)
  (404)Not Found
  -----

  I'm having the same problem with the same URL. I try many configuration and nothing works. My code is:
  public class NFeClient {
       static{
            Security.addProvider(new BouncyCastleProvider());
       public static void main(final String[] args) throws Exception {
            final String path = "https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx";
            final String keyStoreProvider = "BC";
            final String keyStoreType = "PKCS12";
            final String keyStore = "/home/mendes/certificados/cert.p12";
            final String keyStorePassword = "xxxx";
            System.setProperty("javax.net.ssl.keyStoreProvider",keyStoreProvider);
            System.setProperty("javax.net.ssl.keyStoreType",keyStoreType);
            System.setProperty("javax.net.ssl.keyStore",keyStore);
            System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
            System.setProperty("javax.net.ssl.trustStore","/home/mendes/workspace/NFE/jssecacerts");
            final SSLContext context =  SSLContext.getInstance("TLS");
            final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            final KeyStore ks = KeyStore.getInstance(keyStoreType);
            ks.load(new FileInputStream(keyStore), keyStorePassword.toCharArray());
            kmf.init(ks, keyStorePassword.toCharArray());
            context.init(kmf.getKeyManagers(), null, null);
            final URL url = new URL(path);
            final HttpsURLConnection httpsConnection = (HttpsURLConnection) url.openConnection();
            httpsConnection.setDoInput(true);
            httpsConnection.setRequestMethod("GET");
            httpsConnection.setRequestProperty("Host", "iis-server");
            httpsConnection.setRequestProperty("UserAgent", "Mozilla/4.0");
            httpsConnection.setSSLSocketFactory(context.getSocketFactory());
            try{
                 final InputStream is = httpsConnection.getInputStream();
                 final byte[] buff = new byte[1024];
                 int readed;
                 while((readed = is.read(buff)) > 0)
                      System.out.write(buff,0,readed);
            }catch(final IOException ioe){
                 ioe.printStackTrace();
  }and the response of the server is always the same:
  java.io.IOException: Server returned HTTP response code: 403 for URL: https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
       at br.com.esales.nfe.signer.client.NFeClient.main(NFeClient.java:60)Edited by: mendes on Apr 25, 2008 9:56 AM

• A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

  Hi All
  I am seeing the below event appearing in the system log on all our Exchange 2013 servers regularly. I am not seeing any connectivity issues between any clients and the servers and no other issues have been reported at this stage.
  Log Name:      System
  Source:        Schannel
  Date:          10/04/2015 9:21:17 AM
  Event ID:      36871
  Task Category: None
  Level:         Error
  Keywords:     
  User:          SYSTEM
  Computer:     
  Description:
  A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
  I am not sure if its related to the public certificate we are using or if its related to the one provided from the local CA.I have searched and found other links that suggest it could be related to SSL versions being disabled etc.
  All servers are running Windows 2012 R2 Datacenter. The Exchange CAS servers do also sit behind a pair of F5 BIG IP Load Balancers 
  Any suggestions on where to look?
  Thanks

  Hi,
  According to the event log, the issue is related to Schannel instead of Exchange.
  Please try the following steps:
  1.In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
  2.In Local Security Settings, expand Local Policies, and then click Security Options.
  3.Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.
  4. Ran gpupdate /force
  If it doesn’t work, please go to C:\ProgramData\Microsoft\Crypto\RSA and grant "Network Services" Read permission to "MachineKeys" folder. Then restart server to have a try.
  Here is a similar thread for your reference:
  https://social.technet.microsoft.com/Forums/lync/en-US/e70a8dbc-6f48-4fde-a93b-783554344822/a-fatal-error-occurred-when-attempting-to-access-the-ssl-client-credential-private-key?forum=ocscertificates
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• Why was my GoDaddy SSL Cert "Not from a Recognized Authority"

  I've seen many reports here of people experiencing problems installing and renewing SS Certificates in OS X Server.
  In my case a simple Certificate renewal turned into a Very Worrying Episode as the new certificate was "Not from a recognised authority" according to OS X Server 3.1.2 on Mavericks. Email clients could not log in etc. etc. without being told the server was insecure.
  I tried several times to renew the certificate. Last year's was from GoDaddy and we had no problems. This year was not straightforward and has wasted 8 or so hours of my life.
  This is of course only anecdotal, but it seems that OS X Server cannot properly install SSL Certificated generated from SHA-2 but can from SHA-1. SHA-2 is the default at GoDaddy now (SHA-1 can be chosen) as SHA-1 Certificates will no longer be created or accepted as standard in 18 months or so's time.
  My solution was to generate an SHA-1 Certificate from my GoDaddy account.
  All the necessary Root and Intermediate Certificated seemed to be in place but OS X Server could not correctly link up all the Certificates in the SHA-2 chain.

  @heinzfromconcord were you replacing a Cert with the same name by any chance? (i.e. Were you renewing an SHA-1 Cert with an SHA-2 Cert perhaps). I have absolutely no idea whether this matters or not but can only assume that not everyone is suffering this problem as there are so few forum posts about it. I am trying to gather diagnostic information tp pass on to the Apple Engineers who replied "cannot reproduce" to my bug report.

• ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client

  Hi
  Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
  Example:
  Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
  The "client" Server does not support SSL.
  Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
  Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
  Regards

  Hello Byron,
  Yes, the ACE can do it
  Here you have some of the flavors of SSL with the ACE.
  Here you have a sample about it:
  parameter-map type http CASE_PARAM
    case-insensitive
    persistence-rebalance
    set header-maxparse-length 65535
    set content-maxparse-length 65535
  class-map match-all CLEAR_TEXT_VIP
    2 match virtual-address 172.20.120.19 tcp eq www
  policy-map multi-match JORGE-MULTIMATCH
    class CLEAR_TEXT_VIP
      loadbalance vip inservice
      loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
      loadbalance vip icmp-reply active
      appl-parameter http advanced-options CASE_PARAM
  policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
    class class-default
      serverfarm ENCRYPTED-SERVERFARM
      ssl-proxy client SSL-PROXY-JORGE
  ssl-proxy service SSL-PROXY-JORGE
    key TAC-key
    cert TAC-cert
  serverfarm host ENCRYPTED-SERVERFARM
    rserver JORGE-SERVER 443
      inservice
  Here you have some additional details under the configuration guide:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
  Here you have some additional samples:
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
  Hope this helps for you and fix your issue
  Jorge

• (DII) Client Example - - missing class error

  To jump into DII, I have copied the source for the "Dynamic Invocation Interface (DII) Client Example" into a new class created in netbeans. The api jar for JAX-RPC has been mounted in the environment. The example compiles fine, but upon execute the following error comes up:
  javax.xml.rpc.ServiceException: java.lang.ClassNotFoundException: com.sun.xml.rpc.client.ServiceFactoryImpl
  at javax.xml.rpc.ServiceFactory.newInstance(ServiceFactory.java:65)
  at node.HelloClient.main(HelloClient.java:29)
  Do I need to get another api here? Looking into the jax-rpc jar file I can see the javax.xml.rpc.ServiceFactory class, but can not see com.sun.xml.rpc.client.ServiceFactoryImpl .
  Could someone point me to an answer? Thanks in advance for the help.

  The jaxrpc jar that I downloaded was from under the xml downloads (jaxrpc-1_0-fr-api-class.zip). Once extracted this gave me a jar file of jaxrpc-api.jar.
  It seems that you might be using a different jar? (jaxrpc-ri.jar)?
  Under my downloaded jar file, there is no client belwo the heirarchy of javax/xml/rpc . Where could I find the download for the jar file that you are refrencing?
  Thank you for your help.
  R

• How to load a excel sheet on the client machine from jsp

  hai all,
  I want an excel sheet to be opened like "c:\excelsheet.xls" on the client machine from my JSP so that i can send the out put of my jsp to it.i will press a button on jsp and i want the query out put in the excel sheet. if it is already opened then it has to be closed and reopened with new data, the old data has to be lost.
  can any one help me out....
  Thanks for any help...
  regards,
  ravikiran

  Hai friend,
  you add mime type in web.xml
  for example,
  <mime-mapping>
  <extension>xls</extension>
  <mime-type>application/excel</mime-type>
  </mime-mapping>

• RMI client running from different machine giving error

  HI all
  I am trying to run the sample application getStart hello world.
  I am able to run the java applet from the same machine ....
  but i am get error when i am trying run client applet from the different machine .
  (HelloApplet exception: access denied (java.net.SocketPermission)
  client applet on machine1 and server and registory on machine2 in same lan .
  i copied the Helloapplet.class and Helloclient.html to machine1.
  appletviewer Helloclient.html
  but the java version is different in both machines.......
  can any one give some idea ....
  the errror i am geting is :
  HelloApplet exception: access denied (java.net.SocketPermission Neind-ws-003 res
  olve)
  java.security.AccessControlException: access denied (java.net.SocketPermission N
  eind-ws-003 resolve)
  at java.security.AccessControlContext.checkPermission(AccessControlConte
  xt.java:272)
  at java.security.AccessController.checkPermission(AccessController.java:
  399)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
  at java.lang.SecurityManager.checkConnect(SecurityManager.java:1042)
  at java.net.InetAddress.getAllByName0(InetAddress.java:559)
  at java.net.InetAddress.getAllByName0(InetAddress.java:540)
  at java.net.InetAddress.getByName(InetAddress.java:449)
  at java.net.Socket.<init>(Socket.java:100)
  at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirect
  SocketFactory.java:25)
  at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMaster
  SocketFactory.java:120)
  at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:499)
  at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:190
  at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:174)
  at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:318)
  at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
  at java.rmi.Naming.lookup(Naming.java:84)
  at examples.hello.HelloApplet.init(HelloApplet.java:23)
  at sun.applet.AppletPanel.run(AppletPanel.java:344)
  at java.lang.Thread.run(Thread.java:484)
  The helloapplet.java code is :
  package examples.hello;
  import java.applet.Applet;
  import java.awt.Graphics;
  import java.rmi.Naming;
  import java.rmi.RemoteException;
  public class HelloApplet extends Applet {
  String message = "blank";
  // "obj" is the identifier that we'll use to refer
  // to the remote object that implements the "Hello"
  // interface
  Hello obj = null;
  public void init() {
       try {
            System.out.println("Path looking: " +getCodeBase().getHost());
       //obj = (Hello)Naming.lookup("//" +
            //     getCodeBase().getHost() + "/HelloServer");
                 obj = (Hello)Naming.lookup("//Neind-ws-003/HelloServer");
       message = obj.sayHello();
       } catch (Exception e) {
       System.out.println("HelloApplet exception: " +
                      e.getMessage());
       e.printStackTrace();
  public void paint(Graphics g) {
       g.drawString(message, 25, 50);
  The helloclient.html code:
  <HTML>
  <title>Hello World</title>
  <center> <h1>Hello World</h1> </center>
  The message from the HelloServer is:
  <p>
  <applet
            code="examples.hello.HelloApplet"
  width=500 height=120>
  </applet>
  </HTML>

  Your problem is at the following line.
  obj = (Hello)Naming.lookup("//Neind-ws-003/HelloServer");
  The line you had commented beforehand is
  //obj = (Hello)Naming.lookup("//" +
  // getCodeBase().getHost() + "/HelloServer");
  This worked because the applet was being retreived from the same server where the RMI server exists.
  Remember, applets can only connect themselfs to the same host they are stored in and retreived from. This is because of VM, the sandbox does not allow you to connect to other machines other than the server where it resides on. If you use a applet viewer it might work if you loosen the security features. On a browser i do not belive it can be done. Maybe if you modify your security options for the VM you are able to achieve something, but personally i'm going for the "It cannot be done " answer because of what I said before.
  Hope this helps
  If any trouble then reply and I'll answer later.
  Rui P.