SSL config

Dear Sir,
I have a pair of 11501s, which load balance two SSL servers behind them. The cert is stored on the SSL servers (10.106.13.20 & 21). The external VIP is 10.106.13.224.
I read the SSL Config Guide and made the configuration below. Can you check if my config is OK?
ssl-proxy-list PIS-SSL-LIST
  backend-server 1
  backend-server 1 type backend-ssl
  backend-server 1 ip address 10.106.13.224
  backend-server 1 server-ip 10.106.13.20
  backend-server 1 version ssl3
  backend-server 1 session-cache 300
  backend-server 1 tcp virtual ack-delay 0
  backend-server 2
  backend-server 2 type backend-ssl
  backend-server 2 ip address 10.106.13.224
  backend-server 2 server-ip 10.106.13.21
  backend-server 2 version ssl3
  backend-server 2 session-cache 300
  backend-server 2 tcp virtual ack-delay 0
  active
service PIS-SSL-SERVICE
  type ssl-accel-backend
  ip address 10.106.13.224
  add ssl-proxy-list PIS-SSL-LIST
  active
owner PIS-SSL-OWNER
  content PIS-SSL-VIP-1
    vip address 10.106.13.224
    port 80
    advanced-balance arrowpoint-cookie
    url "/*"
    add service PIS-SSL-SERVICE
    active
Thanks

This is totally wrong, unfortunately.
What are you trying to achieve here?
Normally the connection between the CSS and the server does not need to be encrypted because they are close to each other.
You probably want to encrypt the connection from the client to the CSS, since this connection goes through the Internet.
Is this what you need?
Here are sample configs:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html#wp999094
backend-ssl is at "SSL Transparent Proxy Configuration - HTTP and Back-End SSL Servers".
You will see that you made many mistakes, like the IP addresses used in the ssl-proxy-list.
Gilles.

Similar Messages

  • Https ssl config Oracle AS, webcache, portal...almost works

    Hi,
    I have searched the forums and I haven't found anything that works for me.
    I have Oracle infrastructure on one server, and Oracle App server/portal on another server. I can get as far as the http server showing the "welcome to oracle" page in https form. When I try to access a page in the portal (plsql) I get a blank page. It does convert "https://myserver:xxxx//pls/portal/url/page/IRWEB/HOME" to "https://myserver:xxxx/portal/page?_pageid=73,86254,73_86264:73_86316:73_8632...." but nothing comes up.
    Also, it uses the Infrastructure server for single-sign-on...so I need to make the app server do the single sign-on. I've tried by adding /pls/orasso entry in DADS.conf of http server..
    So as far as I can tell...the http server IS operating in https/ssl, but the single-sign-on and the pages in the portal are not.
    I have to do everything manually since I am using 10.1.2 (no Oracle Collab Suite installed, so no SSLConfigTool and other assistants)
    Here is what I've done to get https://myserver:xxxx/ to come up ok.
    server 1: Oracle Infrastructure and Oracle database release 1 10.1.2.0.0
    server 2: Oracle Application Server / Portal with webcache release 2 10.1.2
    using Oracle Wallet for certificate,
    http server -> process management "ssl-enabled",
    http server -> advanced -> ssl.config: SSLWallet file:, SSLWalletPassword, virtual host for ssl
    webcache -> added settings for ssl (I used the current entries for non-ssl as a guide for the ssl entries)
    Interesting issue...with the ports in the ssl.conf file example:
    Port 4459
    Listen 4459
    VirtualHost myserver.blah.edu:4450
    Port 4458
    When I get the blank page trying to use ssl and 4459, I can manually change the url in my browser to 4458 (or maybe its the other way around) and get this message: "Error: The portlet could not be contacted"
    Is this a problem with webcache? Do I have to do any ssl config on the server with the database?
    I've even tried disabling the webcache, both with the oracle sql script and through web interface but neither made a difference...same problem.
    Any help would be greatly appreciated... I feel as if I'm almost there.
    If I did not post enough info for accurate help, please ask what you need to know to provide help! Thanks in advance.

    Hi,
    Yes, you can go for SSL configuration without re-installing any of the components.
    Regards,
    access_tammy

  • SSL-Config: Oc4J does not reload keystore/truststore at runTime

    Hi all, I have a little question about the SSL config in OC4J.
    I have a webApp bound to a secure web site that requires mutual authentication. If I add at run-time (without stopping OC4J) a trusted entry (a CA) to the keystore the secure web site is related to, OC4J does not "reload" the keystore with the new entry. Thus, I have to restart OC4J to be able to accept SSL connections that are authenticated by means of that new CA. The question is: is there a configuration that has to be performed to reload a keystore at run-time in OC4J, or is it necessary to restart OC4J each time a new entry is added to a keystore mapped for a given secure web site?
    I hope someone can give me a tip,
    Best Regards

    Hi, I tried this with the latest 10.1.3 Developer Preview 4 and it worked great; I could start OC4J standalone in https mode. Can you please download the latest version of OC4J 10.1.3 DP4 stand-alone and try it there? The OC4J version embedded with JDev 10.1.3 Preview is pretty old and there have been many bugs fixed since then.
    http://www.oracle.com/technology/tech/java/oc4j/index.html
    -Debu

  • 2 way ssl config in WLS 8.1

    Problem: The server (any web app running on WLS 8.1 SP2 on Win2000) needs to authenticate clients (browsers) without prompting for user IDs and passwords, just through a digital certificate, without writing any code in the deployed Java app. It should be done only through server-side config.
    Solution: We are trying to use 2-way SSL in WLS 8.1 SP2 running on Win2000. To begin with development, we are just using the Demo cert. This is being tested on the same machine for both client and server. This works perfectly fine for 1-way SSL with no need to do any config. To extend this config to 2-way, I need one more digital cert for the client.
    I created the client digital cert/private key using the CertGen utility.
    Now the confusing part: how to add this to the server trust keystore.
    There are no proper docs on how to continue further. Different places say different things to do.
    If anyone can provide some example steps on how to do it, that will be great.
    Thanks in advance.
    --Prav

    Did you use the Demo CA to issue the new certificate (CertGen uses it by default)? Then you do not need to do anything. The CA certificate already exists in DemoTrust.jks.
    Otherwise you can use keytool to import the trusted certificate into a keystore. See this page for more info: http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1178523
    Pavel.
    "prav" <[email protected]> wrote:
    > Problem: The server (any web app running on WLS 8.1 SP2 on Win2000) needs to authenticate clients (browsers) without prompting for user IDs and passwords, just through a digital certificate, without writing any code in the deployed Java app. It should be done only through server-side config.
    > Solution: We are trying to use 2-way SSL in WLS 8.1 SP2 running on Win2000. To begin with development, we are just using the Demo cert. This is being tested on the same machine for both client and server. This works perfectly fine for 1-way SSL with no need to do any config. To extend this config to 2-way, I need one more digital cert for the client.
    > I created the client digital cert/private key using the CertGen utility.
    > Now the confusing part: how to add this to the server trust keystore.
    > There are no proper docs on how to continue further. Different places say different things to do.
    > If anyone can provide some example steps on how to do it, that will be great.
    > Thanks in advance.
    > --Prav

  • Soap RECEIVER adapter ssl config

    We are consuming a web service in the SAP ECC system via XI using SSL, so I configured a receiver SOAP adapter. I imported the certificate provided by the web service provider into the J2EE Visual Admin key store. However, I am not able to see my certificates populated in my communication channel selection list.
    Could you please provide steps to configure SSL in receiver soap adapter not for Sender adapter.
    Thanks.
    Bijay

    Okay, so this is a client certificate and not a CA certificate, right?
    In this case, you need to import the client certificate under ICM_SSL_xxx; you can find SSL_Provider if you scroll completely down. You need to import the private key of the client certificate under ICM_SSL_xxx.
    Only CA certificates go in the TrustedCA view. You can create a new view ICM_SSL_xxx or put the certificate under any existing ICM_SSL_xxx view, it doesn't matter.
    Do this step and let me know if it works. It might be that there is no requirement for a private key at this point in time. It completely depends on how the receiving system will accept and verify the call from the PI server.
    Since it's a client certificate, they must have public and private keys. But this certificate has to be signed by someone like VeriSign, and they provide a different key to make it more secure. But anyway, you don't need to go into so much detail right now.
    Follow the steps that I mentioned above and hopefully it should work.
    Regards,
    Neetesh

  • SSL config in PORTAL

    To all the Portal Gurus out there... I have two simple questions...
    I have two servers: one that holds the MR (repository) and one that holds the OID Infrastructure and Portal tiers (2 different mount points).
    This is a new install, upgraded to 10.1.4. With the OID and portal tiers on the same server, is it possible to SSL-enable access to the portal (i.e. HTTPS in place of the current HTTP) without having to re-install... the entire stack...?
    Is it also wise to go ahead and do this? In other words, does religiously adhering to Sec 5.2 of the Oracle® Application Server Portal Configuration Guide 10g Release 2 (10.1.4) B19305-03 get me to enable SSL throughout the portal?
    Thanks

    Hi,
    Yes, you can go for SSL configuration without re-installing any of the components.
    Regards,
    access_tammy

  • Console cannot connect to ldap after SSL config

    Hi,
    I configured our iPlanet DS 5.0 to use SSL (requested a cert from DS, signed and created a new cert with OpenSSL, verified that DS could read that cert, and turned on SSL). Restarted DS and admin-serv. ldap is working but ldaps is not. The console is unable to connect to DS and just hangs when trying to connect. The console is configured to connect to ldap not ldaps, but when I view the configuration for DS in the console it shows port 636. So -
    - how do I make the console use port 389 to connect to the DS?
    - What do I need to do to get ldaps working?
    TIA.
    Raj Dolas

    There are some limitations in using the Console when SSL is enabled for the Directory Server. These are documented... in the release notes at least.
    Regards,
    Ludovic.

  • SSL Config for SAP webgui service of ABAP

    Hi Gurus,
    We have a dual stack system, details are as follows:
    ECC 6.0 SR2
    ABAP Stack 11
    Java Stack 13
    We want to access the webgui via the internet and for this we have configured the web dispatcher, which is behind the firewall. We had created the CSR and got the CA response, which is imported in the Dispatcher. So the traffic from the end user to the Dispatcher is SSL enabled. Then we did the same thing for ABAP as well and now the complete traffic is SSL enabled. Our problem is...
    When we use the URL to log in to the webgui it changes the URL and hence does not work from the internet. Please note that we don't want to expose our ECC system to the public network.
    e.g.:
    https://portal.mycompany.com:8100 --> this is the web dispatcher URL; this should give us the login screen and stay as it is all the time. But... when it gives the login screen it gets changed to
    https://ecc60server.mycompany.com:8000 --> and as the ECC server can't be accessed via the internet, this URL fails when we are outside the company network.
    Similarly for the Java stack of the same system we also have the URL and it works just fine.
    rewards will be awarded for the solutions....
    Pravin

    Hi Pravin,
    So if I get it right, you need an end-to-end SSL setup for your WebDispatcher.
    This means that the Webdispatcher simply redirects the calls but still shows the official URL to the client.
    I think you have a problem in the webdispatcher profile.
    There should be one entry like
    icm/server_port_0 = PROT=ROUTER,PORT=443
    This means that the webdispatcher is listening for traffic on port 443.
    Then there should be another entry like
    icm/server_port_1 = PROT=HTTPS,PORT=0
    This means that the webdispatcher does not listen on this port (PORT=0) but simply sends data to it.
    Then, the actual connection to the ABAP system:
    ms/https_port = 8101  (or whatever port you used for https)
    rdisp/mshost = <full.host.name.including.domain.name>
    Another important parameter is: wdisp/server_info_protocol = https

  • SSL Config on Tomcat

    Hi Experts:
    My Apache+SSL is working now - thanks to you all. I checked it using https://www.hari.com.
    However, I have a small application which contains JSPs + servlets which call an Oracle DB via JDBC. This application is working fine when I type http://www.hari.com:8080/hari/index.jsp but when I try HTTPS as https://www.hari.com:8080/hari/index.jsp it doesn't work, i.e. the page doesn't show up.
    I know that HTTPS listens on port 443 and my application (Tomcat+JBoss) listens on port 8080, so how do I integrate both ports to work together? Any useful information on the above is appreciated.
    THANKS!
    HARI

    Hi
    I guess that you haven't changed the port that Tomcat listens on for SSL connections. If not, the default port for SSL is 8443 for Tomcat. So if you want your application to run via SSL you must use something like https://localhost:8443/......
    If you use 8080 it won't run. The connection to the database should again be to the 8080 port, but the servlet should listen on 8443 for SSL. Check the port in the server.xml file.

  • Nodemanager SSL Config

    Does anyone know how to configure SSL for the nodemanager?

    please refer to http://e-docs.bea.com/wls/docs70/secmanage/ssl.html for more information.
    Mike Han <[email protected]> wrote:
    > Does anyone know how to configure SSL for the nodemanager?

  • SSL Config problem

    Hi all,
    I uploaded a cert file and I am getting a runtime error when I try to delete a wrong certificate from Key Store in Visual Admin.
    Can you tell me how to delete the certificate?
    Thank you in advance.
    Regards,
    Subu

    This should not happen. Check if the entries in orasso.wwsec_papp_configuration_in_t point portal to the right SSO entries. Also check if the OIDDAS operation URLs are correct in the OID.
    cu
    Andreas

  • WLS70 SSL encrypted keys and Certificate Request Generator

    Hi,
    we are trying to get a certificate for our WLS 7.0. We use the Certificate Request Generator webapp for generating the request. The generator forces the user to enter a private key password. But in the server's SSL config tab the field "Use encrypted Keys" is fixed to "false" (in WLS 6.1 this field is a checkbox). Is this a bug in WLS 7.0?

    Hi Alain,
    thanks for your workaround. We will check it out ... although I've been instructed in the BEA admin training to never change config.xml manually :)
    "Alain Hsiung" <[email protected]> wrote:
    > Hi Joern
    > consider it a bug or not, you can go to the file config.xml and edit the XML attribute "KeyEncrypted" of the XML element "SSL" to "true".
    > Hope this helps.
    > Regards
    > Alain Hsiung, Ideartis Inc.
    > "Joern Wohlrab" <[email protected]> wrote in message news:[email protected]..
    > > Hi,
    > > we are trying to get a certificate for our WLS 7.0. We use the Certificate Request Generator webapp for generating the request. The generator forces the user to enter a private key password. But in the server's SSL config tab the field "Use encrypted Keys" is fixed to "false" (in WLS 6.1 this field is a checkbox). Is this a bug in WLS 7.0?

  • Newly Occuring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickyness

    We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules.  I've spent dozens of manhours working on the problem, and have quite a bit of information to report, including a solution.  There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.  
    We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit. 
    Here are the exact symptoms we saw:
      Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
      Browsers not affected: FireFox 3.5, w3m 0.5.2, curl7.19.7
      Impact 1: For SSL rules backed by L5 rules, the initial response to the first request would take 3 seconds. Further requests on the same TCP connection would not be delayed.
      Impact 2: L5 rules being accessed via SSL would no longer perform any URL-based stickiness. Accessing the same rule skipping SSL would work fine.
    I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken.  This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
    1. Client/CSS perform initial TLS handshake, crypto cyphers determined (nearly instantly)
    2. Client sends HTTP 1.1 request for resource (nearly instantly)
    3. 3 seconds of no traffic in or out of the CSS related to this request
    4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
    5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
    6. Response is sent to the client with the resource (nearly instantly)
    7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
    The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse.  3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
    Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes.  Decrypting these messages I found the first message was a
    G
    and the second message was:
    ET /foobar HTTP/1.1
    This essentially splits the initial request the client is sending into two pieces.  This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
    On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
    GET /foobar HTTP/1.1
    (obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
    I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem. I pulled a packet trace from a few years ago, and at that time confirmed we had never seen double TLSv1 application messages before.
    A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
    and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic. 
    Solution:
    Our ssl config looked something like this:
    ssl-proxy-list SSL_ACCEL
      ssl-server 10 vip address XX.XX.XX.XX
      ssl-server 10 rsakey XXXX
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
      ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
      ssl-server 10 unclean-shutdown
      ssl-server 10 rsacert XXXXXX
    Removing:
      ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
    Solves the problem. After that's removed, the browsers will no longer fragment the first character of their request into a separate TLSv1 message. The 3 second delay goes away, and L5 stickiness is fixed. The "CBC" in the cipher refers to Cipher Block Chaining (a great article here:
    http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
    This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend.  The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected.  It's quite possible our customers were going through an SSL proxy.  I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
    -Joe

    Hi Joe,
    That's a very good analysis you did.
    As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome an SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
    For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you will have to go through TAC) in the next couple of weeks.
    In the meantime, as a workaround, you can configure the CSS to use only RC4 ciphers (which is what you were suggesting also). These are not affected by the vulnerability, so browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
    Regards
    Daniel
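    To make the failure Joe traced and Daniel explained above concrete, here is an added Python example (not from the thread and not Cisco code) that frames an HTTP request in TLS records in the 1/n-1 split pattern and compares an L5 matcher that inspects only the first record against one that reassembles the application-data stream before matching. Record payloads are left in plaintext, and the rule table, URLs and service names are constructed for the demo; the durable fix it illustrates is reassembly, not cipher restriction.

```python
"""Simulates the TLS record split behind the CSS L5 stickiness failure.

Added example for this thread, not Cisco code. Record framing uses the real
TLS record header layout (type, version, length) but payloads are plaintext:
the point is how an L5 (URL) matcher parses the request, not the crypto.
Rule table, URLs and service names below are constructed for the demo.
"""
import struct

APPLICATION_DATA = 0x17          # TLS ContentType application_data
TLS1_0 = (3, 1)                  # ProtocolVersion for TLSv1.0
WAIT = "wait-for-more-data"      # matcher needs more records before deciding

def tls_record(payload: bytes, ctype: int = APPLICATION_DATA) -> bytes:
    """Frame one TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BBBH", ctype, *TLS1_0, len(payload)) + payload

def parse_records(stream: bytes) -> list:
    """Split a byte stream into (type, payload) tuples, one per TLS record."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _maj, _min, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, payload))
        pos += 5 + length
    return records

# Constructed L5 rule table: URL prefix -> service group selected by the rule.
L5_RULES = {"/app": "sticky-group-A", "/static": "static-group"}
FALLBACK = "round-robin"         # what the CSS fell back to when no URL matched

def match_url(request_line: str) -> str:
    """Return the service an HTTP request line selects, or the fallback."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[0].isalpha():
        return FALLBACK          # not a well-formed request line
    for prefix, service in L5_RULES.items():
        if parts[1].startswith(prefix):
            return service
    return FALLBACK

def naive_l5_select(records) -> str:
    """Bug-prone: inspect only the first application-data record.
    Under 1/n-1 splitting that record is the single byte b"G", not a request
    line, so the request silently falls through to the fallback method."""
    first = next((p for t, p in records if t == APPLICATION_DATA), b"")
    line = first.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return match_url(line)

def reassembling_l5_select(records) -> str:
    """Correct: concatenate application-data payloads into one byte stream and
    parse the request line only once a CRLF terminates it."""
    buf = b"".join(p for t, p in records if t == APPLICATION_DATA)
    if b"\r\n" not in buf:
        return WAIT              # request line incomplete; keep buffering
    line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return match_url(line)

REQUEST = b"GET /app/login HTTP/1.1\r\nHost: example.test\r\n\r\n"

def unsplit_stream() -> bytes:
    """Unpatched browser: the whole request in one record."""
    return tls_record(REQUEST)

def split_stream() -> bytes:
    """Patched browser with a CBC cipher: a 1-byte record, then the remainder.
    (Encrypted, the 1-byte record shows up as 24 bytes: 1 byte + 20-byte SHA-1
    MAC + CBC padding, matching the 24-byte record in Joe's trace.)"""
    return tls_record(REQUEST[:1]) + tls_record(REQUEST[1:])

if __name__ == "__main__":
    for name, stream in (("unsplit", unsplit_stream()), ("split", split_stream())):
        recs = parse_records(stream)
        print(f"{name:7s} naive={naive_l5_select(recs):15s} "
              f"reassembling={reassembling_l5_select(recs)}")
```

    Running it shows the split stream selecting round-robin under the naive matcher and sticky-group-A once the records are reassembled, which is the stickiness loss Joe observed.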

  • AD Password Filter - SSL Issues with MSFT CA ?

    - We have completed implementing one way EXPORT profile sync between OID to AD
    - SSL configs are complete as per documentation and password synchronizing from OID to AD
    successfully
    - We now want to implement a new import profile to synchronize ONLY password from AD to OID
    - Following documentation at
    http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/odip_adpasswordsync.htm#CHDBIIJC
    - One of the first steps is to check if SSL is enabled at OID... when we do that using the tool (ldapbindssl.exe) we downloaded, below is the error we get...
    +++++++++++++++++++++++++++++++++
    C:\>ldapbindssl.exe -h oid-host -p 636 -D cn=orcladmin -w xxxx
    Connecting server in SSL Mode
    Checking if SSL is enabled
    SSL not enabled.
    SSL being enabled...
    Binding ...
    Ldap bindERROR
    System Error Code: 1396
    LDAP Error Code: 52
    Error Message: Server Unavailable
    C:\>
    +++++++++++++++++++++++++++++++++
    - We know for sure that SSL is configured on OID. The SSL is configured as "Server Authentication Only" for Configset1 which is running on port 636.
    When we do ldapbind from the oidhost for this port it works...
    ldapbind -U 2 -h oid-host -p 636 -W file://oracle/wallet -P xxxxx
    bind successful
    - For SSL configs we have used Microsoft CA, hence the root certificate (CA) is also present on the AD server and there is no need to import the Oracle CA as per the documentation.
    Question:
    1) What is the specific SSL set-up that we need to do on the OID server such that AD is able to detect the SSL configuration??? What is it that we are missing?

    You do have to import the certificate (the OID Server certificate, that is), or the SSL setup will reject the connection as "not from the intended host".
    Apart from that - there's a bug, requiring the OID server certificate SUBJECT attribute matches the OID server hostname. (Note 430907.1/bug 5846519 ). I seem to hit that one :(

  • Enabling SSL on MQ Adapter does not work

    Hi All,
    I have a MQ Adapter that enqueues the message properly in the MQ without SSL. Now MQ is SSL enabled and I have got a .DER certificate with me which I presume is the Public Key of the MQ Server.
    Now I have to use SSL-enabled MQSeries Adapter. The User's Guide for Technology Adapters says to set certain SSL related properties. I don't know how to get the values of these properties. So I have tried doing this.
    1.) I imported the Public Key certificate (.DER file) into default weblogic keystores DemoIdentity.jks and DemoTrust.jks. (I did not create my own keystores, didn't use key password)
    2.) I also imported it into the Java keystore cacerts file. (I did not send any certificates to Certification Authority)
    3.) I modified the JNDI and set the SSL related properties (as given in the guide) for JNDI in Weblogic.
    4.) Then I just test run my TestMQConnectivity composite and I get the following error.
    Caused by: BINDING.JCA-00001
    java.util.MissingResourceException
    java.util.MissingResourceException
    java.util.MissingResourceException
    java.util.MissingResourceException
    at oracle.tip.adapter.mq.ManagedConnectionImpl.setupSSLSocketFactory(ManagedConnectionImpl.java:684)
    at oracle.tip.adapter.mq.ManagedConnectionImpl.createPhysicalConnection(ManagedConnectionImpl.java:578)
    I don't know where I should be looking for the cause of the error : JNDI, SSL config, Keystores.
    Please can anyone tell me the steps I need to follow to use the SSL-enabled MQ Adapter? The documentation for this is not very explanatory.
    Regards,
    Neeraj Sehgal

    Hi Neeraj,
    Please check the following BUG 8430239.
    This should help you.
    Regards,
    Kal
