SSL communication....

Hi guys,
Does anyone have any experience communicating with a Lotus Notes server over SSL?
Can you please give me a step-by-step tutorial containing the actions I need to perform to communicate with Lotus Notes?
I mean, I have an application which communicates over HTTP with one service on the Lotus Notes server. But I need HTTPS....Please
I need to do?

I don't know if this will meet your needs, but once before I used sqlnet encryption to protect the info going from client to server.
The settings were in the sqlnet.ora file. I don't remember them off the top of my head; I googled and here is one link:
http://www.psoug.org/reference/net_services.html
If you use the Java thin client, where there is no sqlnet.ora, I think there is an alternate way to do sqlnet.ora settings. I don't know that off the top of my head either, but here is a quick link:
http://download-uk.oracle.com/docs/cd/B19306_01/java.102/b14355/clntsec.htm#i1022564

Similar Messages

  • Changing from non-ssl to ssl communication in OAM

    I have installed the Identity server and webpass on linux, I initially set them up for non ssl communication between them and the configuration/policy store & the user store. Now I must change that to use SSL. I have not configured them yet. How would I make this change without reinstalling?
    When I try to set the configuration data location with SSL checked I get the following error
    The files requires for SSL connection are missing.

    Hi Andy,
    Note 740034.1 on My Oracle Support describes how to do this. After performing those steps, I would also verify that you do not have any remaining Open Mode directory profiles being used (in the Identity System Console/System Configuration/Directory Profiles).
    Regards,
    Colin

  • CF & MS-SQL SSL communication?

    I'm looking to do SSL communication between our CFMX8 server and MS-SQL 2005 server using the built in SQL SSL encryption.
    I wanted to do some testing prior to enabling the features to see it in a broken connection state so when I got it working I knew I was actually encrypting.  So I added ";EncryptionMethod=SSL" to the end of the connection string inside of the neo-datasource.xml file to force SSL connection from the CFMX8 side but I had not enabled SSL on the server side.  What I expected to see was an SSL connection failure message because EncryptionMethod=SSL means the system will require SSL from the JDBC side and fail if not available.  Well it connected right through with no issues...  I've found a couple articles online talking about this and at this point I'm not even sure if CFMX8 supports SSL JDBC communications or not...
    I've done a bunch of research and I've come up with nothing so far, and I know from looking at the CFAdmin that it's not a checkbox in there.  Any assistance would be wonderful.

    I just came across this.  From this article I see CFMX9 supports SSL MS-SQL encryption, but we're running CFMX8 still.  EncryptionMethod=SSL is what I have in the connection string area too...
    http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WS50260aa90e50c24b-32f8955c122c2720693-7f ff.html

  • How can I test SSL communication

    I have successfully imported a SSL certificate to d:\JRE\Sun\1.4.2\lib\security\cacerts in Windows 2003 server. How can I test this SSL communication between my server and the other SSL Windows server?

    michaelfromchattanooga wrote:
    There is a card plugged into the reader, and it has good data on it as I have just used the printers card reader to copy the pictures off of it. But the wireless printer is very slow.
    I contacted Sonnos (manufacturer of the expresscard/34) and Eric from their support department was kind of smart-mouthed about it. He assured me with 100% certainty that I had inserted the card reader backwards. I replied to him that the card will NOT allow you to insert it backwards, by design. This was yesterday and he has yet to reply.
    My main question is if the card reader  is defective, or is the slot on my Macbook Pro defective? I only have one MBP so I can't test the card reader in another machine.
    Anyone?
    Is the slot being recognized in your system profiler?  >(option key)About this Mac>Hardware.
    You can also run the Apple Hardware test by booting with the D key held down.
    You can try put the card in before you boot or reboot with it in. It may only recognize if  present at boot.
    MacBook Pro, Mac OS X (10.6.7), 2.4GHz IntelCore i5 320 HD 8GB RAM

  • Reconfigure IDM 11g installation to Database for SSL communication.

    Experts,
    I have the below environment.
    Oracle IDM 11g (OID,OVD,OAM,OAAM,OIF,OIM,etc,.) 11g talking to Oracle Database RAC 11g.
    At the time of IDM installation and configuration, the database was not in SSL mode. Now I want to set up SSL communication between IDM and the database.
    My Questions:
    1. Once I put Database in SSL mode, How can I reconfigure Oracle IDM suite so that it can talk to database in SSL mode ?
    2. How much effort does it require ?
    Please provide if you have any doc references.
    Thanks

    Hi,
    Hope this helps:
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/handlinglcm.htm
    Thanks,
    GP

  • SSL communication with IBM Tivoli 5.2

    Hi,
    I have downloaded the free version of the IBM Tivoli 5.22 directory server. Its installed great and I can connect and query the sample data using port 389.
    I am working on enabling SSL communication with the same.
    I referred to
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itame.doc/am60_install33.html
    Followed the steps provided to enable SSL communication, it gave me errors saying that the password for the key database file was incorrect.
    Has anyone tried to connect to the IBM Tivoli Directory server via SSL? Is there a way to do it in the same way as we set up SSL with Active Directory?
    Any help in this regard would be great,
    Regards
    Zoharat

    Hey ,
    I got SSL enabled on the Tivoli server. I followed the instructions available on the IBM site to set up the GSKIT and create the key database, the certificates, and also to set up the server to use them. I used self-signed certificates.
    For setting up the server I used the command line utilities.
    The ldapsearch command always failed; it kept saying bad password. So I took the certificate file that was created, added it to the cacerts of the Java client, and then communicated with the server on port 636.
    It worked great.
    Regards
    Zoharat

  • SSL communication issue with JDK 1.6.0_19

    Hi,
    I am facing an issue with JDK 1.6.0_19. I have a Java client which communicates with the server over SSL. It is able to communicate properly with JDK <=1.6.0_18. But I got "handling exception: javax.net.ssl.SSLException: HelloRequest followed by an unexpected  handshake message" when the client is trying to communicate with the server on JDK 1.6.0_19.
    We are using mutual authentication. The client and the server both have signed certificates. The client certificate has to be validated by the server to establish the connection.
    I have seen in a forum that it is a renegotiation issue. So, if I enable the renegotiation flag with -Dsun.security.ssl.allowUnsafeRenegotiation=true it works fine. But enabling renegotiation itself is a vulnerability. So, I can't enable renegotiation.
    I am using httpclient 4.0 and JSSE in client side and IIS in the server side for this SSL connection.
    I am not sure which side, client or server, is initiating the renegotiation.
    Please help me out.
    I have tried Openssl command from console.
    The command is : openssl s_client -connect X.X.X:443 -CAfile "xxxxx" -cert "xxxxxxxx" -key "xxxxxxxxxx" -state -verify 20 here is the output:
    Loading 'screen' into random state - done
    CONNECTED(00000748)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    xxxxxxxxxxx.................
    verify return:1
    xxxxxxxxxxx.................
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    Certificate chain
    xxxxxxxxxxx.................
    Server certificate
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxx.................
    -----END CERTIFICATE-----
    xxxxxxxxxxx.................
    No client certificate CA names sent
    SSL handshake has read 1839 bytes and written 392 bytes
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: xxxxxxxxxxx
        Session-ID-ctx:
        Master-Key: xxxxxxxxxxx
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1275564626
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    read:errno=10054
    If you look at the console output you can see that two statements are missing. Those are:
    SSL_connect:SSLv3 read server certificate request A
    SSL_connect:SSLv3 write client certificate A
    So, I would like to know if this is any clue as to which is asking for renegotiation.

    Thank you for your response.
    Yes, I have set the property SSLAlwaysNegoClientCert to True and it is able to establish the SSL connection without renegotiation being initiated from the IIS server side. The property has to be set in the metabase.xml file.
    Thank you very much once again.
    Edited by: arpitak on Jun 23, 2010 2:10 AM
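
Added example (not part of the original thread, and not the posters' code): a Python check over the `-state` trace from the question. It reports whether the server asked for a client certificate during the initial handshake, which is what the two missing lines indicate, and whether the renegotiation that follows would be refused. `FIXED_TRACE` is a constructed trace of the same handshake with the two lines present; the function and field names are assumptions.

```python
import re

# Constructed from the -state lines and summary quoted in the question above;
# the redacted certificate material is left out.
BROKEN_TRACE = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
No client certificate CA names sent
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
read:errno=10054
"""

# Constructed: the same handshake with the two lines the poster found missing,
# i.e. the server requests the client certificate up front.
FIXED_TRACE = BROKEN_TRACE.replace(
    "SSL_connect:SSLv3 read server done A",
    "SSL_connect:SSLv3 read server certificate request A\n"
    "SSL_connect:SSLv3 read server done A\n"
    "SSL_connect:SSLv3 write client certificate A",
).replace("read:errno=10054\n", "")

STATE_RE = re.compile(r"^[ \t]*SSL_connect:(?:SSLv\S+ )?(.*\S)[ \t]*$", re.M)
RENEG_RE = re.compile(r"Secure Renegotiation IS( NOT)? supported")
CIPHER_RE = re.compile(r"Cipher is (\S+)")
ERRNO_RE = re.compile(r"^[ \t]*read:errno=(\d+)", re.M)


def analyze_trace(text, client_auth_expected=True):
    """Summarise an `openssl s_client -state` trace for a mutual-auth server.

    client_auth_expected: the caller knows the server requires a client
    certificate (as in the post); the trace alone cannot tell us that.
    """
    states = STATE_RE.findall(text)
    reneg = RENEG_RE.search(text)
    cipher = CIPHER_RE.search(text)
    errno = ERRNO_RE.search(text)
    completed = any(s.startswith("read finished") for s in states)
    requested = any(s.startswith("read server certificate request") for s in states)
    sent = any(s.startswith("write client certificate") for s in states)
    report = {
        "handshake_completed": completed,
        "cert_requested": requested,
        "client_cert_sent": sent,
        # None = line absent, True/False = what the peer advertised
        "secure_renegotiation": None if reneg is None else reneg.group(1) is None,
        "cipher": cipher.group(1) if cipher else None,
        "read_errno": int(errno.group(1)) if errno else None,
    }
    findings = []
    if completed and client_auth_expected and not requested:
        findings.append(
            "no certificate request in the initial handshake: the server "
            "has to renegotiate to obtain the client certificate")
        if report["secure_renegotiation"] is False:
            findings.append(
                "peer does not advertise secure renegotiation: a client with "
                "unsafe renegotiation disabled will reject that HelloRequest")
    if requested and not sent:
        findings.append(
            "server requested a client certificate but none was sent: "
            "check the -cert/-key arguments")
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for name, trace in (("broken", BROKEN_TRACE), ("fixed", FIXED_TRACE)):
        result = analyze_trace(trace)
        print(name, result["findings"] or "client certificate exchanged up front")
```
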

  • Implement TLS (or SSL) communication

    Hi all,
    I wish to make a very Keep It Simple and Stupid client server application that will conduct secured communication between the client and the server.
    The natural approach would be to use TLS (which supersedes SSL, but is a little new yet) or SSL.
    I would like to get some reliable and simple sample code, or alternatively, straightforward documentation which will directly facilitate adding security to the communication done by my client-server application to be.
    Any help would be most welcome.
    Regards,
    Matan

    First read the basic cryptographic architecture in Java http://java.sun.com/products/jdk/1.2/docs/guide/security/CryptoSpec.html
    Then, if you want to implement application level security in the form of one side encrypting and other side decrypting, take a look at Java Cryptography Extension(JCE) http://java.sun.com/products/jce/index-121.html
    Else, if you want to transparently use SSL/TLS, i.e. security above application level, check out Java Secure Socket Extension (JSSE) http://java.sun.com/products/jsse/index-102.html Examples are available as a separate download from that page.

  • Configuring PI SSL for communicating with third-party web services

    Hi,
    I'm trying to load a COMODO certificate into a J2EE environment running in NetWeaver 7 (no enhancement packs), in order to connect to an external web service using SSL
    I have been looking at this reference:
    http://help.sap.com/saphelp_nw70/helpdata/en/a0/a5d13f83a14d21e10000000a1550b0/frameset.htm
    and in this document (and many others i've read) it talks about requiring a server key pair to support SSL.
    http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm
    My question is - is there a way to use the self-signed root CA certificates instead of having to generate CSRs and sign certs?  I ask this because it seems completely impractical to have to generate key pairs for each SAP installation that is required to access a third-party web service.
    Furthermore, the SSL connection may only be for the web service and I'd rather not have to ask that the entire J2EE server is switched to SSL in order to make this secure connection. I've recently discovered the AXIS framework for the SOAP adaptor however I'm not familiar with it and can't identify whether you could use this for the SSL handshake and avoid having to a) generate certificate key pairs and b) switch your J2EE server to SSL
    Does anyone have experience connecting to a third-party service using VeriSign, COMODO or Thawte certificates and can clear this up for me?
    Regards,
    John

    Did you resolve your issue?
    I'm posting some comments that may help newer administrators facing similar doubts.
    I'm using NW PI 7.1 EHP1 also, and some interfaces were developed for using an external site providing web services through an SSL (HTTPS) connection.
    As in browser navigation, secure sites protected with SSL have a certificate emitted by an international CA. We didn't perceive the "handshake" in most cases because normally the web browser has a group of trusted CAs loaded in its certificate store.
    With SAP PI and its WAS Java a similar procedure occurs, with a small difference. The WAS Java didn't have the trusted CAs loaded in KeyStorage. So, when the adapter tries to establish a connection with an HTTPS site (it is a background process), a "handshake" is required to accept the certificate, and it produces an error.
    We complete the handshake by importing the entire certificate chain (you can upload the site's certificate to your browser and export it as a file) into the Keystore under the Trusted CAs view.
    Hope this can help someone. It's an "easy" part of SSL communication.
    Now I'm trying to configure the inverse: some third party consuming the PI web services using SSL. I have an additional component on inbound/incoming connections, which is the SAP Web Dispatcher.
    The Help.sap.com is the reference, but as always it's a little difficult to find the (sequential) path following the links (go ahead, go ahead, go ahead, go back, go back, go ahead)...
    Regards,
    Rodrigo Aoki

  • OBIEE 11g SSL Configuration Issue : Unable to import the Server certs

    Hello All,
    We are trying to configure OBIEE 11.1.1.6.0 with SSL using Windows server 2003 (IIS) and facing some issues with that.
    Followed the document : OBIEE11g SSL Setup and Configuration [1326781.1]
    http://obieedue.blogspot.sg/2012/08/obiee11g-ssl-setup-and-configuration.html
    and also completed generating the required certificate signing request and keystores for SSL communication and sent it to the CA (IT Admin team) to have the certificate signed by CA. The issue comes when I am trying to import the CA certificate (Root certificate) and Server Certificate into the Java Keystore.
    I am importing the Root CA Certificate first which is successfully added to the keystore.
    keytool -import -trustcacerts -alias mycacert -file cacert.pem -keystore mykeystore.jks -storepass Welcome1
    Trust this certificate? [no]: yes
    Certificate was added to keystore.
    But when trying to add the Server Certificate to the keystore using the command below :
    keytool -import -v -alias testserver -file server.cer -keystore mykeystore.jks -keypass Welcome1 -storepass Welcome1
    Certificate reply was installed in keystore
    I get the following error:
    keytool error: java.lang.Exception: Failed to establish chain from reply
    java.lang.Exception: Failed to establish chain from reply
    at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
    at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
    at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
    at sun.security.tools.KeyTool.run(KeyTool.java:172)
    at sun.security.tools.KeyTool.main(KeyTool.java:166)
    Read many forums and tried to convert it to the PKCS#7 format and import the cert to the identity keystore, but was not successful in that either. I have also checked with the IT Admin team and found there is only one RootCA and no other intermediate CAs.
    Please advise if anyone has similar issues or suggestions.
    Thanks in advance,
    SVS

    Hi,
    One obvious reason would be that you did not specify -trustcacerts, and the root CA is not included in the present server keystore. In that case, using the -trustcacerts option would solve the problem, if the root CA is indeed in the JDK cacerts.
    To print out the certificates present in the JDK cacerts, use the following command:
    keytool -list -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -v
    Then check if the root CA that signed your server certificate is present, and has not expired (in which case, you would need to re-import a newer one into cacerts).
    Another common reason for that error message is when you have used a proprietary CA to sign your server certificate. Then it would obviously not be in the JDK cacerts. The solution in that case is to import your proprietary root CA into the JDK cacerts, using the following command:
    keytool -import -keystore <JAVA_HOME>/jre/lib/security/cacerts -file yourRootCA.pem -storepass changeit -alias youralias
    A third reason for that error message is when your server was signed by an intermediate certificate. In that case, you would have received from your CA a chain of certificates. One way to solve this (not the only one, but this one works well): Prepend your intermediate CA file to your server cert file, and import the obtained concatenated file into the server keystore. Be careful, the intermediate CA must be BEFORE the server cert. Example:
    copy rootca.cer certchain.p7b
    type server.cer >> certchain.p7b
    The file certchain.p7b will be the concatenation of the intermediate CA and the signed server cert. Then import the newly created file under the key alias as follows:
    keytool -import -keystore serverks.jks -file certchain.p7b -alias yourkey -trustcacerts
    If you only prepend the intermediate root CA, you must make sure the final root CA is in cacerts. But you can also prepend your whole chain of trust inside the server keystore.
    Regards,
    Kal

  • How to set the Certificate to use for SSL when more than one available?

    I apologise for bad wording of question.
    We have an 11g Directory Server and when we created the directory instance it generated a self-signed certificate. Very nice.
    We have recently requested and installed a CA signed certificate, so we now have TWO certificates in the directory certificate store: Default Certificate and the new Server-Cert (the CA signed one).
    LDAP clients STILL seem to be presented with the self-signed certificate though.
    Simple question... how do I make my Server-Cert the 'default' certificate presented to LDAP clients ???
    I would rather not delete the self-signed cert if possible.
    I can't find any documented method to achieve this.

    # Listing Certificate
    $ /certutil -L -d <path>/slapd-abc/alias -P slapd-
    # Add Trust by adding CT
    $ certutil -M -n "GeoTrust DV SSL CA" -t CT,, -d <path>/slapd-abc/alias -P slapd-
    # Verify the setup.
    $ certutil -L -d <path>/slapd-abc/alias -P slapd-
    ( You should see the CT beside the relevant certificate, making it default for SSL communication )
    GeoTrust DV SSL CA CT,,
    Link : http://docs.oracle.com/cd/E19656-01/821-1504/6nmg10b6g/index.html ( Look around for different steps for configuring SSL )
    JPrince

  • Using A 3rd Party SSL Certificate on DS 6.3

    Hello,
    I have a DS 6.3 server whose purpose is to authenticate Solaris 10 clients. All of my clients have been configured to communicate with the DS 6.3 server via SSL/TLS on port 636. To do this, I simply copied the slapd-cert8.db, slapd-key3.db and secmod.db files from the alias directory on the DS 6.3 server to the /var/ldap directory on each client. After renaming the files (removing the slapd- from the name) and configuring each client to bind using tls:simple, via a profile, things work just fine.
    However.....
    I used the default certificate generated by DS 6.3 during the install of the product. Unfortunately this certificate is signed with weak algorithms, and failed an audit. I have tried replacing the certificate with a GoDaddy 3rd party cert, and a self-signed certificate created using openssl, but as soon as I copy the cert8/key3 databases to the client as described above, the client can no longer connect to the server. I've added the server cert from GoDaddy as well as their root cert using both the dsadm tools and the certutil tools. I've done the same with the certs that I generated via openssl. In both cases, the only error message I receive on the client is the "libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server". Yet if I go back to using the default certificate generated by DS 6.3, everything works just fine.
    Can anyone help with this?
    Thanks in advance...

    As you indicated, name resolution was the problem again, but in a different way. When I had the DS server configured to use my self-signed cert, I had the following entry in /etc/nsswitch.conf on my ldap client:
    hosts: ldap [NOTFOUND=continue] files
    Once I switched the DS server to using the 3rd Party (GoDaddy) cert, I was unable to ping the DS server by its FQDN, despite having that entry in my hosts file. I had to switch the /etc/nsswitch.conf on the client to look like this:
    hosts: files [NOTFOUND=continue] ldap
    Once I had done this, I was able to access the DS server from the client using the GoDaddy cert.
    I tried this same configuration on another DS server and ran into one additional problem. This new DS server had some of the ciphers disabled per recommendation by our auditors. I could not get my client to connect until I reconfigured the server to use all available ciphers. How can I tell which cipher the client and server want to use when communicating, so that I don't disable it? Is there any way to configure which cipher is used for SSL communication?
    Thanks very much for your assistance

  • Oim 9.1.0.1 to active directory using ssl

    Hi,
    I am working on OIM 9.1.0.1 and AD IS on WIN2K3 R2.
    I successfully installed CA certificate in AD Server as given in AD Connector Document 9.1.0.1 given below.
    Configuring SSL for Microsoft Active Directory
    To configure SSL communication between Oracle Identity Manager and Microsoft Active Directory, you must perform the following tasks:
    a) Installing Certificate Services
    b) Enabling LDAPS
    c) Setting Up the Target System Certificate As a Trusted Certificate
    a) Installing Certificate Services
    To install Certificate Services on the target system host computer:
    Before you begin installing Certificate Services, you must ensure that Internet Information Services (IIS) is installed on the target system host computer.
    Note:
    1. Insert the operating system installation media into the CD-ROM or DVD drive.
    2. Click Start, Settings, and Control Panel.
    3. Double-click Add/Remove Programs.
    4. Click Add/Remove Windows Components.
    5. Select Certificate Services.
    6. In the Windows Components Wizard, follow the instructions to start Certificate Services.
    I selected Enterprise root CA as the CA type as said in AD connector Doc.
    b) Enabling LDAPS
    The target system host computer must have LDAP over SSL (LDAPS) enabled. To enable LDAPS:
    1. On the Active Directory Users and Computers console, right-click the domain node, and select Properties.
    2. Click the Group Policy tab.
    3. Select Default Domain Policy.
    4. Click Edit.
    5. Click Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.
    6. Right-click Automatic Certificate Request Settings, and then select New and Automatic Certificate Request. A wizard is started.
    7. Use the wizard to add a policy with the Domain Controller template.
    At the end of this procedure, the certificate is created and LDAPS is enabled on port 636. You can use an LDAP browser utility to verify that LDAPS is working.
    But my problem is I am not able to connect to AD over SSL through the JExplorer LDAP Browser on the AD Server itself.
    It says "Socket closed" and sometimes "binding failed".
    The firewall is on, and Telnet works to both ports 389 and 636 from outside the AD Server and on the AD Server.
    Please give a solution to overcome this issue.
    regards
    Ramu

    Hi
    From Apache Directory Studio I am able to connect over SSL (port 636) to AD, and I also imported the certificate in OIM.
    In the Diagnostic Dashboard Test Connectivity of AD I found the below error.
    ITResource information values are not correct. Enter the correct values.
    The root cause is . . .
    java.lang.reflect.InvocationTargetException
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.thortech.xl.systemverification.tests.TestConnector.runInterfaceMethods(Unknown Source)
         at com.thortech.xl.systemverification.tests.TestConnector.execute(Unknown Source)
         at com.thortech.xl.systemverification.webapp.SystemVerificationServlet.doPost(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:176)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3498)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused by: javax.naming.CommunicationException: simple bind failed: adr.oimad.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.getLDAPConnection(Unknown Source)
         at com.thortech.xl.integration.ActiveDirectory.test.ADServerConnectorTest.testBasicConnectivity(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.thortech.xl.systemverification.tests.TestConnector.runInterfaceMethods(Unknown Source)
         at com.thortech.xl.systemverification.tests.TestConnector.execute(Unknown Source)
         at com.thortech.xl.systemverification.webapp.SystemVerificationServlet.doPost(Unknown Source)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
         ... 8 more
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:744)
         at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
         at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
         at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
         at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
         at com.sun.jndi.ldap.Connection.run(Connection.java:805)
         at java.lang.Thread.run(Thread.java:619)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
         at sun.security.validator.Validator.validate(Validator.java:218)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
         ... 12 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
         ... 18 more
    regards
    Ramu

  • SSL/TLS for FTP connections

    I've built some kind of advanced FTP server, and I would now like to add SSL or TLS on the server.
    Implementing implicit SSL is easy. I used some SSL sockets, and everything was working fine.
    But if I want to use TLS or explicit SSL, I have a problem.
    With an SSL socket, any attempt to read/write with the streams initiates a handshake.
    But an explicit SSL connection is done this way:
    -> Connecting to myftpserver.com port 21
    -> Connected to myftpserver.com
    Server: Welcome to this nice ftp
    Server: Enjoy this nice server
    -> AUTH SSL
    Server: 234 AUTH SSL successful
    -> Now negociating SSL session...
    So, as you can see, some data (welcome msg, AUTH SSL command, etc.) is exchanged BEFORE the SSL negotiation.
    I don't know how to do that, since "any attempt to read/write with the streams initiates a handshake".
    I hope someone will be able to help me :)
    Dundee

    What's wrong with my code then?
    You must make sure, before trying to send the first encrypted text, that both sides are ready to negotiate SSL.
    I'm pretty sure your problem is about that.
    Did you write both sides (client and server) or only the client side?
    Because if you are the author of the server side, you must also make sure the server will act as the server during the SSL negotiation ( ((SSLSocket)s).setUseClientMode(false)).
    So far, my understanding - based on my experimentation:
    The client must ask the server to start SSL communication, but MUST wait for the server to say it is ready before creating the SSL layer. This means the client sends - over the unencrypted communication - a command saying to the server: "I want to start to talk to you over SSL". Then the server answers "Ok, I'm ready". Then, and only then, the client creates the SSL socket (over the already connected socket - as you seem to have done) and starts the SSL negotiation. By the way, it is not necessary to call SSLSocket.startNegotiate() explicitly, it will be called when sending the first block of data for the new SSL session.
    I'm not sure if I made it clear. But I think the problem - the reason why you get the HandshakeException - is because the client tries to negotiate SSL before the server is ready to accept SSL negotiation - maybe this should have been the only sentence of my answer ;-).
    About the use of SSLContext: I feel that it only has value if you want to use your own customized X509TrustManager or X509KeyManager. For me, I found it very useful because my server certificate may not be valid as per the default validation algorithm. But basically we can use the SSLContext the following way:
    /* The creation of a KeyManager is a story in itself.
     * The way I used it is to specify in my program the KeyStore to be used.
     * I think it can be specified in other ways (-D java argument, for example).
     * For now I'm not sure how useful it can be for the client side. (sorry)
     */
    KeyManager[] myKeyManagers= ....
    /* The TrustManager gives you the opportunity to do your own validation
     * of the server / client - depending on the situation - certificate.
     * For now, I don't know how to use TrustManager and KeyManager
     * together.
     */
    TrustManager[] myTrustManager= new TrustManager[] {new MyX509TrustManager()};
    /* The Key and Trust managers created above can be used to initialize
     * the SSL context below.
     */
    SSLContext context= SSLContext.getInstance("SSL");
    /* Initialize the context with your customized managers.
     * Note that all parameters are optional - they can be "null".
     * You only specify those you have customized.
     */
    context.init( myKeyManagers, myTrustManager, null);
    /* Then later I can get my SSL socket factory, which will use my
     * own customized key and trust manager and secure random.
     */
    SSLServerSocketFactory sslSSF= context.getServerSocketFactory();
    SSLSocketFactory sslSF= context.getSocketFactory();
    I found an article in this forum about TrustManager.... seems very promising.
    Hope this will help.
    Hugues
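The explicit upgrade discussed in this thread, written out for both ends as an added example that is not part of the original posts: the greeting and AUTH SSL exchange travel in plaintext, and only after the 234 reply is the SSL layer created over the already connected socket. The class and method names are hypothetical; it assumes Java 9 or later and a key store and trust store supplied through the standard javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties, holding a certificate issued for localhost.

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
public class ExplicitTlsUpgrade {
    // Read one line byte by byte: nothing past the line is buffered in plaintext and carried into the TLS session.
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int c; (c = in.read()) != -1 && c != '\n'; ) if (c != '\r') sb.append((char) c);
        return sb.toString();
    }
    static void send(OutputStream out, String line) throws IOException {
        out.write((line + "\r\n").getBytes(StandardCharsets.US_ASCII));
        out.flush();
    }
    // Server side: greet in plaintext, wait for AUTH SSL, reply 234, then wrap the same socket.
    static void serve(ServerSocket listener, SSLContext ctx) throws IOException {
        try (Socket plain = listener.accept()) {
            send(plain.getOutputStream(), "220 Welcome to this nice ftp");
            if (!readLine(plain.getInputStream()).equalsIgnoreCase("AUTH SSL")) return;
            send(plain.getOutputStream(), "234 AUTH SSL successful");
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(
                    plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
            tls.setUseClientMode(false);                       // this end answers the handshake
            send(tls.getOutputStream(), "200 now encrypted");  // first write runs the handshake
            tls.close();
        }
    }
    // Client side: the SSL socket is layered over the connected socket only after the 234 reply.
    static String connect(String host, int port, SSLContext ctx) throws IOException {
        Socket plain = new Socket(host, port);
        readLine(plain.getInputStream());                      // plaintext greeting
        send(plain.getOutputStream(), "AUTH SSL");
        if (!readLine(plain.getInputStream()).startsWith("234")) { plain.close(); throw new IOException("upgrade refused"); }
        SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true);
        SSLParameters p = tls.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");         // SSLSocket does not check the host name unless asked
        tls.setSSLParameters(p);
        try (tls) { return readLine(tls.getInputStream()); }   // first read runs the handshake
    }
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();              // key and trust material from the system properties
        try (ServerSocket listener = new ServerSocket(0)) {
            new Thread(() -> { try { serve(listener, ctx); } catch (IOException e) { e.printStackTrace(); } }).start();
            System.out.println(connect("localhost", listener.getLocalPort(), ctx));
        }
    }
}
```

Anything the client receives before the handshake completes, including the 234 reply itself, is unauthenticated, so a client that requires encryption should fail closed when the reply is not 234 rather than continue in plaintext.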

  • How to use SSL Technology in JSP.

    Can anybody tell me how to use SSL technology in JSP?
    I am using Apache Tomcat 5.0.28 Server.
    How do I configure the Tomcat server so that any web application supported by Tomcat is accessed via SSL?
    Thank you very much in advance.

    The JSP does not need to know that the request is coming over SSL. If the application must be over SSL, but the server also allows non-SSL communication, then, like I said, you need to build in a Filter that will check if the incoming request is an https or http request and redirect to the https url if the request was http. And you can do that using the method listed in the previous post. As far as setting up the SSL certificate for Tomcat to use, refer to the Tomcat Documentation that comes with the server. Other than those two things, you don't need to know anything else about SSL in order to run an SSL application through a Tomcat server (or any other enterprise server either, for that matter), but do an internet search for SSL and maybe one or two other keywords that apply to your situation and you should find plenty that will help.
