SSL Exceptions

I am working on an RMI-based SSL application. I got the following exception when I run my client. Can anyone help me? I shall be thankful to him/her.
Thanks
Exception in thread "main" java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
     javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:274)
     at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:171)
     at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:306)Looking up rmi://localhost:7123/Test ...
     at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
     at java.rmi.Naming.lookup(Naming.java:84)
     at TestClient.main(TestClient.java:24)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:843)
     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:619)
     at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
     at java.io.DataOutputStream.flush(DataOutputStream.java:106)
     at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
     ... 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
     at sun.security.validator.Validator.validate(Validator.java:203)
     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
     at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:836)
     ... 16 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
     ... 21 more

Similar Messages

  • Web Service over SSL exception

    Hi,
    Using NetBeans 6.5 (updated), I have created a web service like this:
    package test.webservice;
    import javax.jws.WebMethod;
    import javax.jws.WebParam;
    import javax.jws.WebService;
    import javax.ejb.Stateless;
    @WebService()
    @Stateless()
    public class TestWebService {
        @WebMethod(operationName = "testOperation")
        public String testOperation(@WebParam(name = "firstParameter") String firstParameter) {
            //TODO write your implementation code here:
            return "This method has executed " + (firstParameter == null ? "no strings attached." : firstParameter);
        }
    }
    I've deployed and tested it on a local Glassfish server. Some additional information:
    - Sun GlassFish Enterprise Server v2.1 (9.1.1) (build b60e-fcs)
    - jdk1.6.0_13
    It worked fine when accessing it through 'http://localhost:8080/TestWebServiceService/TestWebService?Tester', however, when accessing it through the SSL port (using this link: 'https://localhost:8181/TestWebServiceService/TestWebService?Tester'), it has produced an exception with the following stack trace:
    Exceptions details : null
    java.lang.NullPointerException
        at java.io.File.<init>(File.java:222)
        at com.sun.enterprise.webservice.monitoring.WebServiceTesterServlet.initializePort(WebServiceTesterServlet.java:524)
        at com.sun.enterprise.webservice.monitoring.WebServiceTesterServlet.doGet(WebServiceTesterServlet.java:184)
        at com.sun.enterprise.webservice.monitoring.WebServiceTesterServlet.invoke(WebServiceTesterServlet.java:119)
        at com.sun.enterprise.webservice.EjbWebServiceServlet.service(EjbWebServiceServlet.java:142)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
        at com.sun.enterprise.web.AdHocContextValve.invoke(AdHocContextValve.java:114)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:87)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:288)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:647)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:579)
        at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:831)
        at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
        at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
        at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
    Question 1: Why isn't the tester working when using the SSL port? A reason or a bug (possibly fixed in later releases)?
    Question 2: Will the Web Service itself also not work when invoked through the SSL port? Is it possible to invoke a simple web service over the simple SSL port?
    Question 3: When accessing the WSDL description through the SSL port it produces a blank (empty) response - a blank page. Why so?
    Thank you very much in advance!
    Best regards
    Matej

    Hello,
    I used this example, when I made my experiments with SSL and Glassfish (GF):
    http://java.sun.com/developer/EJTechTips/2006/tt0527.html#1
    If you have problems with GF I suggest to post a message here:
    http://forums.java.net/jive/forum.jspa?forumID=56
    e.g. here is one thread:
    http://forums.java.net/jive/thread.jspa?threadID=59993&tstart=0
    Miro.

  • Problem in weblogic sip server 3.1 ( Giving ssl exception )

    Hi All,
    I am facing an issue while trying to run the WebLogic server. It is saying "WLSTException: 'Error occured while performing nmConnect : Cannot connect to Node Manager.[Security:090542]Certificate chain received from". I also tried the option -Dweblogic.security.TrustKeyStore=DemoTrust, but nothing is helping. Below are the logs, please help.
    wls:/offline> wls:/offline> Launching NodeManager ...
    Properties: {NodeManagerHome=/opt/bea/sipserver311/common/nodemanager,}
    Command: /opt/bea/jrockit-R27.5.0-jdk1.5.0_14/jre/bin/java -classpath /opt/bea/jrockit-R27.5.0-jdk1.5.0_14/jre/lib/rt.jar:/opt/bea/jrockit-R27.5.0-jdk1.5.0_14/jre/lib/i18n.jar:/opt/bea/patch_weblogic311/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/opt/bea/jrockit-R27.5.0-jdk1.5.0_14/lib/tools.jar:/opt/bea/sipserver311/server/lib/weblogic_sp.jar:/opt/bea/sipserver311/server/lib/weblogic.jar:/opt/bea/sipserver311/server/lib/wlss/sipservlet.jar:/opt/bea/sipserver311/server/lib/wlss/wlss.jar:/opt/bea/sipserver311/server/lib/wlss/wlss-descriptor-binding.jar:/opt/bea/sipserver311/server/lib/wlss/profile-service-descriptor-binding.jar:/opt/bea/sipserver311/server/lib/wlss/wlss-mbeaninfo.jar:/opt/bea/sipserver311/server/lib/wlss/wlss_i18n.jar:/opt/bea/sipserver311/server/lib/wlss/wlssechosvr.jar:/opt/bea/sipserver311/server/lib/wlss/wlssdiameter.jar:/opt/bea/sipserver311/server/lib/wlss/sctp.jar:/opt/bea/sipserver311/server/lib/webservices.jar weblogic.NodeManager
    NMProcess: <Apr 8, 2009 3:19:40 AM> <INFO> <Loading domains file: /opt/bea/sipserver311/common/nodemanager/nodemanager.domains>
    NMProcess: <Apr 8, 2009 3:19:43 AM> <INFO> <Loading identity key store: FileName=/opt/saurabh.jks, Type=jks, PassPhraseUsed=true>
    NMProcess: <Apr 8, 2009 3:19:44 AM> <INFO> <Loaded node manager configuration properties from '/opt/bea/sipserver311/common/nodemanager/nodemanager.properties'>
    NMProcess: <Apr 8, 2009 3:19:46 AM> <INFO> <Secure socket listener started on port 5556, host ari23bems>
    Successfully launched the Node Manager.
    The Node Manager process is running independent of the WLST process.
    Exiting WLST will not stop the Node Manager process. Please refer
    to the Node Manager logs for more information.
    The Node Manager logs will be under /opt/bea/sipserver311/common/nodemanager
    wls:/offline> Connecting to Node Manager ...
    <Apr 8, 2009 3:19:53 AM CDT> <Warning> <Security> <BEA-090542> <Certificate chain received from ari23bems - 10.82.23.11 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
    Traceback (innermost last):
    File "<console>", line 1, in ?
    File "<iostream>", line 1379, in nmConnect
    WLSTException: 'Error occured while performing nmConnect : Cannot connect to Node Manager.[Security:090542]Certificate chain received from ari23bems - 10.82.23.11 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client. Use dumpStack() to view the full stacktrace'
    wls:/offline> NMProcess: <Apr 8, 2009 3:19:54 AM CDT> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from ari23bems - 10.82.23.11. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
    Not connected to Node Manager
    wls:/offline> NMProcess: <Apr 8, 2009 3:19:54 AM> <Warning> <Uncaught exception in server handler: javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from ari23bems - 10.82.23.11. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
    NMProcess: javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from ari23bems - 10.82.23.11. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
    NMProcess: at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    NMProcess: at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertReceived(Unknown Source)
    NMProcess: at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
    NMProcess: at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
    NMProcess: at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
    NMProcess: at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
    NMProcess: at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    NMProcess: at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
    NMProcess: at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
    NMProcess: at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
    NMProcess: at com.certicom.tls.record.ReadHandler.read(Unknown Source)
    NMProcess: at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
    NMProcess: at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:411)
    NMProcess: at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:453)
    NMProcess: at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:183)
    NMProcess: at java.io.InputStreamReader.read(InputStreamReader.java:167)
    NMProcess: at java.io.BufferedReader.fill(BufferedReader.java:136)
    NMProcess: at java.io.BufferedReader.readLine(BufferedReader.java:299)
    NMProcess: at java.io.BufferedReader.readLine(BufferedReader.java:362)
    NMProcess: at weblogic.nodemanager.server.Handler.run(Handler.java:66)
    NMProcess: at java.lang.Thread.run(Thread.java:595)
    NMProcess:
    Connecting to t3s://ari23bems:7002 with userid saurabhAdmin ...
    Traceback (innermost last):
    File "<console>", line 1, in ?
    File "<iostream>", line 22, in connect
    WLSTException: 'Error occured while performing connect : Error getting the initial context. There is no server running at t3s://ari23bems:7002 Use dumpStack() to view the full stacktrace'
    wls:/offline> Traceback (innermost last):
    File "<console>", line 1, in ?
    File "<iostream>", line 1250, in start
    WLSTException: 'Error occured while performing start : Error starting the serverError occured while performing start : You should be connected to an admin server or a NM to start a server Use dumpStack() to view the full stacktrace'
    wls:/offline> Traceback (innermost last):
    File "<console>", line 1, in ?
    File "<iostream>", line 1250, in start
    WLSTException: 'Error occured while performing start : Error starting the serverError occured while performing start : You should be connected to an admin server or a NM to start a server Use dumpStack() to view the full stacktrace'
    wls:/offline>
    Exiting WebLogic Scripting Tool.

  • SSL exception: Duplicate extensions not allowed

    Hi,
    I have a problem connecting to an Exchange mail server with Java (JavaMail).
    I get this exception.
    javax.net.ssl.SSLProtocolException: java.io.IOException: Duplicate extensions not allowed.
    Caused by: java.io.IOException: Duplicate extensions not allowed
    at sun.security.x509.CertificateExtensions.parseExtension(Unknown Source)
    at sun.security.x509.CertificateExtensions.init(Unknown Source)
    at sun.security.x509.CertificateExtensions.<init>(Unknown Source)
    at sun.security.x509.X509CertInfo.parse(Unknown Source)

    So, Google has very little about that.
    I found that X.509 has something called extensions, and if I run Java with debug -Djavax.net.debug=ssl
    I see
    adding as trusted cert:
    Subject: CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
    Issuer: CN=T-TeleSec GlobalRoot Class 2, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
    Algorithm: RSA; Serial number: 0x1
    Valid from Wed Oct 01 12:40:14 CEST 2008 until Sun Oct 02 01:59:59 CEST 2033
    adding as trusted cert:
    Subject: EMAILADDRESS=[email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: EMAILADDRESS=[email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Sat Jun 26 02:19:54 CEST 1999 until Wed Jun 26 02:19:54 CEST 2019
    I don't know if these are those extensions. But I see that some subjects are duplicated. Maybe this is what it is all about.

  • SSL exception when using FileAdapter - PI 7.0

    Hi,
    I'm currently using the FileAdapter to send a CSV file to an external FTPs server. I have loaded the FTPs server certificate into the ClientCertificates keystore in J2EE as well as the Verisign intermediate and root certs into the Trusted CAs. When testing the connection, I'm still getting a chain verification exception like below:
    Delivery of the message to the application using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: Peer certificate rejected by ChainVerifier: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.
    Has anyone had experience configuring this scenario and might be able to help out?
    Many thanks,
    Nicholas

    This is a typical answer to an OSS ticket concerning this issue:
    "A strict server name check is first performed in the SSL handshake,
    before any certificate chain is verified against the certificates in the
    Trusted CA keystore view.
    The strict server name check means that the CN in the server certificate
    must exactly match the host name in the request URL.
    In this step, the certificates in the client (J2EE engine) Trusted CA
    keystore view are not yet involved.
    You'll either need to configure the host name, as the CN of the
    server certificate or create the server certificate with the CN (and
    import/use it in the server), as you plan to use it in the FTP Adapter
    receiver channel configuration.
    Please ensure your channel configuration uses the hostname expected
    by the server. i.e. that you are also using: *.sap.com
    and that this FQHN is used consistently.
    If you still have problems, please note that the FTP protocol itself
    has no concept of hostnames, so an FTP client is reliant on the IP
    address of the server to obtain the hostname. If any reverse DNS
    lookup is taking place during the processing on your network, you need
    to ensure the DNS lookup returns the FQHN of your FTP server, which
    is: *.sap.com
    Try to run the scenario using a public certificate and adding the IP
    address and host name to the host file."
    Hope that helps
    Stefan
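
The name check described in the quoted ticket can be reproduced offline before changing the channel configuration. This is an added example, not code from the thread, SAP or IAIK: it loads a server certificate file and compares its subject CN with the host configured in the receiver channel. The class name, the command-line arguments and the exact-match rule are assumptions modelled on the ticket's wording.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper class; not part of any SAP or IAIK library.
public class CnHostCheck {

    /** Loads one X.509 certificate from a PEM or DER file. */
    static X509Certificate load(String file) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    /** Returns the CN of the certificate subject, or null if the subject has none. */
    static String subjectCn(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());
            }
        }
        return null;
    }

    /** Exact comparison as the ticket describes it: no wildcard or SAN handling (assumption). */
    static boolean strictMatch(String cn, String channelHost) {
        return cn != null && cn.equalsIgnoreCase(channelHost);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CnHostCheck <server-cert.pem> <channel-host>");
            System.exit(2);
        }
        X509Certificate cert = load(args[0]);
        String host = args[1];
        String cn = subjectCn(cert);

        System.out.println("Subject      : " + cert.getSubjectX500Principal().getName());
        System.out.println("Subject CN   : " + cn);
        System.out.println("Channel host : " + host);

        // An IPv4 literal in the channel only matches if the CN is that same literal.
        if (host.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            System.out.println("Note: channel host is an IP address, not a host name.");
        }
        if (strictMatch(cn, host)) {
            System.out.println("OK: CN matches the channel host.");
        } else {
            System.out.println("MISMATCH: use the CN as the channel host, or reissue the certificate.");
            System.exit(1);
        }
    }
}
```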

  • SSL Exception

    I am working on RMI based SSL application. I got the following exception when I run my client
    Exception in thread "main" java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
         javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:274)
         at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:171)
         at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:306)Looking up rmi://localhost:7123/Test ...
         at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
         at java.rmi.Naming.lookup(Naming.java:84)
         at TestClient.main(TestClient.java:24)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:843)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:619)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
         at java.io.DataOutputStream.flush(DataOutputStream.java:106)
         at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
         ... 5 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
         at sun.security.validator.Validator.validate(Validator.java:203)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:836)
         ... 16 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
         ... 21 more

    Hi
    Have you managed to solve this problem? I'm facing the same issue despite the fact that I have added an all trusting TrustManager...
            // Fragment from inside a method; requires: import javax.net.ssl.*;
            // Create a trust manager that does not validate certificate chains
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
                public void checkClientTrusted(
                        java.security.cert.X509Certificate[] certs, String authType) {
                }
                public void checkServerTrusted(
                        java.security.cert.X509Certificate[] certs, String authType) {
                }
            } };
            // Install the all-trusting trust manager
            try {
                SSLContext sc = SSLContext.getInstance("SSL");
                // Create empty HostnameVerifier
                HostnameVerifier hv = new HostnameVerifier() {
                    public boolean verify(String urlHostName, SSLSession session) {
                        // logger.info("Warning: URL Host: "+urlHostName+"
                        // vs."+session.getPeerHost());
                        return true;
                    }
                };
                sc.init(null, trustAllCerts, new java.security.SecureRandom());
                HttpsURLConnection
                        .setDefaultSSLSocketFactory(sc.getSocketFactory());
                HttpsURLConnection.setDefaultHostnameVerifier(hv);
            } catch (Exception e) {
            }
    Is there something special to do for RMI+SSL????
    Thanks
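
`HttpsURLConnection.setDefaultSSLSocketFactory` only changes the factory used by `HttpsURLConnection`, while `SslRMIClientSocketFactory` creates its sockets from `SSLSocketFactory.getDefault()`, which is backed by the JVM's default `SSLContext`. This added example (not code from the thread) keeps certificate validation on and installs a default context that trusts the server's certificate. It assumes the registry at `localhost:7123` from the trace above was exported over SSL and that a trust store holding the server or CA certificate already exists; the class name and arguments are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.rmi.Remote;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.rmi.ssl.SslRMIClientSocketFactory;

// Hypothetical client class for illustration.
public class TrustedRmiClient {

    /** Builds an SSLContext that trusts only the certificates in the given trust store. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material; default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustedRmiClient <truststore> <password>");
            System.exit(2);
        }
        SSLContext ctx = contextFromTrustStore(args[0], args[1].toCharArray());

        // Must run before the first SSL socket is created: the RMI SSL socket
        // factory reads the JVM-wide default, not the HttpsURLConnection default.
        SSLContext.setDefault(ctx);

        // Host, port and binding name are taken from the stack trace on this page.
        Registry registry =
                LocateRegistry.getRegistry("localhost", 7123, new SslRMIClientSocketFactory());
        Remote stub = registry.lookup("Test");
        System.out.println("Looked up: " + stub);
    }
}
```

Starting the client with `-Djavax.net.ssl.trustStore=<file>` and `-Djavax.net.ssl.trustStorePassword=<password>` configures the same default context without code changes.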

  • Error while setting the SSL with trusted cert --  any help on this?

    Connecting to Node Manager ...
    <Aug 3, 2010 5:20:17 PM CDT> <Warning> <Security> <BEA-090542> <Certificate chai
    n received from localhost - 127.0.0.1 was not trusted causing SSL handshake fail
    ure. Check the certificate chain to determine if it should be trusted or not. If
    it should be trusted, then update the client trusted CA configuration to trust
    the CA certificate that signed the peer certificate chain. If you are connecting
    to a WLS server that is using demo certificates (the default WLS server behavio
    r), and you want this client to trust demo certificates, then specify -Dweblogic
    .security.TrustKeyStore=DemoTrust on the command line for this client.>
    This Exception occurred at Tue Aug 03 17:20:18 CDT 2010.
    javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from
    localhost - 127.0.0.1 was not trusted causing SSL handshake failure. Check the c
    ertificate chain to determine if it should be trusted or not. If it should be tr
    usted, then update the client trusted CA configuration to trust the CA certifica
    te that signed the peer certificate chain. If you are connecting to a WLS server
    that is using demo certificates (the default WLS server behavior), and you want
    this client to trust demo certificates, then specify -Dweblogic.security.TrustK
    eyStore=DemoTrust on the command line for this client.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknow
    n Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknow
    n Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown
    Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown
    Source)
    at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.hand
    le(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMes
    sage(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMes
    sages(Unknown Source)
    at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown S
    ource)
    at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Sou
    rce)
    at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
    at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)

    Go through this link
    http://weblogic-wonders.com/weblogic/2010/03/03/ssl-exceptions-in-admin-server-and-node-manager/

  • "ORA-29532: Java call terminated by uncaught Java exception

    Dear Oracle:
    I am trying to establish an HTTPS connection from a Java stored
    procedure that is wrapped in a PL/SQL procedure and loaded into a
    Package. We are running on Oracle 8.1.7.
    My Java code compiles and runs fine when run stand-alone outside
    Oracle; I can establish the connection to a secure server and talk to
    the server. However when I load this Java class (using the loadjava
    utility) this class can no longer run and I get the following
    exception:
    "ORA-29532: Java call terminated by uncaught Java exception:
    javax.net.ssl.SSLException: SSL handshake failed:
    X509CertChainIncompleteErr"
    I have tried loading the JSSE from Sun and I still get the same error.
    Searching in the Discussing Forums I found the following link (which
    describes a procedure that logs into the UPS secure server site and
    grabs some XML) http://osi.oracle.com/~mbpierma/SSL_Java_DB.html .
    This code works ok if we try to connect to UPS server. However this
    code doesn't work if we try to log in to a different server (such as
    ???). If I modify this code slightly and try to log to any other
    server I get the same error as the one above. Investigation
    led us to understand that the certificate at the UPS web site is a
    self-signed certificate -- not one generated by a major 'recognized'
    authority such as Verisign or Thawte.
    Further research pointed me to the following URL
    http://www.znow.com/sales/oracle/network.816/a76932/appf_ora.htm#619367
    This URL has the documentation for JAVA SSL for 8.1.6 which I figure
    I could read and try to make it work in 8.1.7.
    I looked at your Secure Hello World example, however the code is
    missing the most critical parts of the whole example, it does not
    specify where the certificate or any of the security settings come
    from (see the attached JavaCertExample.txt file).
    So, my questions are the following:
    1) What should I do to avoid the error mentioned above?
    2) Do you have a sample piece of code that describes how to make a
    HTTPS connection using a Java stored procedure?
    3) Can I make the HTTPS connection using a URL class and not using
    sockets directly?
    4) Do I need to load the JSSE provided by Sun?
    5) Will the solution be different for Oracle 9i?
    // SecureHelloClient.java
    import java.net.*;
    import java.io.*;
    import java.util.*;
    import javax.net.ssl.*;
    import javax.security.cert.X509Certificate;
    import oracle.security.ssl.OracleSSLCredential;
    import oracle.security.ssl.OracleSSLSocketFactory;
    import oracle.security.ssl.OracleSSLProtocolVersion;
    import oracle.security.ssl.OracleSSLSession;
    public class SecureHelloClient
    {
        public static void main(String argv[])
        {
            String hostName = "localhost";
            if(argv.length != 0)
                hostName = argv[0];
            // Set the SSLSocketFactoryImpl class as follows:
            java.util.Properties prop = System.getProperties();
            prop.put("SSLSocketFactoryImplClass",
                "oracle.security.ssl.OracleSSLSocketFactoryImpl");
            try
            {
                // Get the default socket factory
                OracleSSLSocketFactory sSocFactory
                    = (OracleSSLSocketFactory)SSLSocketFactory.getDefault();
                sSocFactory.setSSLProtocolVersion(OracleSSLProtocolVersion.SSL_Version_3_0);
                OracleSSLCredential sslCredObj = new OracleSSLCredential();
                // Where did these values come from? caCert, userCert, trustedCert,
                // Set the certificate chain and private key if the
                // server requires client authentication
                sslCredObj.addCertChain(caCert);
                sslCredObj.addCertChain(userCert);
                sslCredObj.setPrivateKey(userPvtKey, userPassword);
                // Populate credential object
                sslCredObj.addTrustedCert(trustedCert);
                sSocFactory.setSSLCredentials(sslCredObj);
                // Create the socket using factory
                SSLSocket jsslSoc =
                    (SSLSocket)sSocFactory.createSocket(hostName, 8443);
                String [] ciphers = jsslSoc.getSupportedCipherSuites() ;
                // Select the ciphers you want and put them.
                // Here we will put all available ciphers
                jsslSoc.setEnabledCipherSuites(ciphers);
                // We are creating socket in client mode
                jsslSoc.setUseClientMode(true);
                // Do SSL handshake
                jsslSoc.startHandshake();
                // Print negotiated cipher
                System.out.println("Negotiated Cipher Suite: "
                    +jsslSoc.getSession().getCipherSuite());
                System.out.println("");
                X509Certificate[] peerCerts
                    = ((javax.net.ssl.SSLSocket)jsslSoc).getSession().getPeerCertificateChain();
                if (peerCerts != null)
                {
                    System.out.println("Printing server information:");
                    for(int i =0; i < peerCerts.length; i++)
                    {
                        System.out.println("Peer Certificate ["+i+"] Information:");
                        System.out.println("- Subject: " + peerCerts[i].getSubjectDN().getName());
                        System.out.println("- Issuer: " + peerCerts[i].getIssuerDN().getName());
                        System.out.println("- Version: " + peerCerts[i].getVersion());
                        System.out.println("- Start Time: " + peerCerts[i].getNotBefore().toString());
                        System.out.println("- End Time: " + peerCerts[i].getNotAfter().toString());
                        System.out.println("- Signature Algorithm: " + peerCerts[i].getSigAlgName());
                        System.out.println("- Serial Number: " + peerCerts[i].getSerialNumber());
                    }
                }
                else
                    System.out.println("Failed to get peer certificates");
                // Now do data exchange with client
                OutputStream out = jsslSoc.getOutputStream();
                InputStream in = jsslSoc.getInputStream();
                String inputLine, outputLine;
                byte [] msg = new byte[1024];
                outputLine = "HELLO";
                out.write(outputLine.getBytes());
                int readLen = in.read(msg, 0, msg.length);
                if(readLen > 0)
                {
                    inputLine = new String(msg, 0, readLen);
                    System.out.println("");
                    System.out.println("Server Message:");
                    System.out.println(inputLine );
                }
                else
                    System.out.println("Can't read data from client");
                // Close all sockets and streams
                out.close();
                in.close();
                jsslSoc.close();
            }
            catch(SSLException e)
            {
                System.out.println("SSL exception caught:");
                e.printStackTrace();
            }
            catch(IOException e)
            {
                System.out.println("IO exception caught:");
                e.printStackTrace();
            }
            catch(Exception e)
            {
                System.out.println("Exception caught:");
                e.printStackTrace();
            }
        }
    }

    Hi,
    I have the same problem.
    Is some ORACLE guru that can help us ?
    We need to communicate with some servlet
    via POST method of https (SSL3)
    and with using private certificate on the client site.
    We need furthermore allow using of some proxy.
    Client site is realized as set of stored procedures within ORACLE 8.1.7
    In this time I am able to communicate with server without SSL and certificate
    using package utl_tcp
    (but with this solution without certificate is our customer not satisfied -:))
    ORACLE help us please !
    Pavel Pospisil

  • VSphere Client SSL error build 10041

    So I'm seeing an odd error after upgrading to build 10041 (from 9926). The vSphere client (both 5.1 and 5.5) will no longer connect to my vCenter instance. I receive the following error
    "vSphere Client could not connect to "<server>" An unknown connection error occured. (The request failed due to an SSL error. (The request was aborted: Could not create SSL/TLS secure channel.))"
    Checking the event log I see Schannel 36888 errors with the following message: "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 813."
    I managed to find out that error 40 means "handshake_failure". The error state (813) I haven't been able to find additional information on.
    When I look at the vpxd.log file I see the following log lines which seem to confirm it's a handshake error.
    2015-04-02T13:26:08.442-05:00 [07548 error 'Default'] SSLStreamImpl::DoServerHandshake for SSL(TCPStreamWin32(socket=TCP(fd=38244) local=xxx:443,  peer=yyy:64839)): SSL_accept failed with BIO Error
    2015-04-02T13:26:08.442-05:00 [07548 warning 'ProxySvc'] SSL Handshake failed for stream TCPStreamWin32(socket=TCP(fd=38244) local=xxx:443,  peer=yyy:64839), error: class Vmacore::Ssl::SSLException(SSL Exception: BIO Error)
    Does anyone know if there were any changes around Schannel that would be causing a handshake error? I can't seem to find any additional information. It looks like vCenter accepts TLS 1.0, which in IE at least is enabled.

    Hi Jeff,
    I think we'd better involve the VMware side to further look at this issue.
    For Windows 10 build 10049, you might need to notice the information below:
    No access to Internet Protocol (v4 or v6) in 10049
    Best regards

  • Is there any way to treat expired SSL certs in HTTPS connections as non-secure?

    Is there a way of navigating HTTPS websites as though they were HTTP, without adding any SSL exceptions?
    Obviously an expired/self signed SSL cert over HTTPS is no more dangerous than no encryption at all over HTTP.
    The Untrusted Connection dialog is a usability nuisance, particularly for those of us who understand HTTPS.

    Check out:
    http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
    You will need to turn on Client Auth as described above. Hope it helps.

  • Need help in setting up SSL

    Hi,
    I need to configure SSL so that we can access the portal through https.
    I am getting stuck in the last step.
    I have done till Configuration Adapter changes. I have set the entries for startup-mode as always under Propertysheet ssl-runtime.
    After that under SSL provider I am not able to find the 50001 port under Active Socket.
    How can I add that ? Under active socket I am able to view 50003 and 50006 port only.
    I got following details in the trace file... any idea ??
    Cannot open HTTPS server socket on port 50001Check port for usage by another process.
    com.sap.engine.services.ssl.exception.BaseIOException: General I/O Exception.
    at com.sap.engine.services.ssl.exception.BaseIOException.wrapException(BaseIOException.java:81)
    at com.sap.engine.services.ssl.factory.SSLTransportFactory.getServerSocket(SSLTransportFactory.java:90)
    at com.sap.engine.core.port.impl0.TransportLayerImpl.openServerSocket(TransportLayerImpl.java:76)
    at com.sap.engine.core.port.impl0.PortsManagerImpl.registerTCPListener(PortsManagerImpl.java:270)
    at com.sap.engine.core.port.impl0.PortsManagerImpl.registerTCPListener(PortsManagerImpl.java:255)
    at com.sap.engine.core.service630.context.cluster.session.CommunicationSessionContextImpl.openServerSocket(CommunicationSessionContextImpl.java:82)
    at com.sap.engine.services.httpserver.dispatcher.HttpDispatcherFrame.openSocket(HttpDispatcherFrame.java:752)
    at com.sap.engine.services.httpserver.dispatcher.HttpDispatcherFrame.initChangedPorts(HttpDispatcherFrame.java:850)
    at com.sap.engine.services.httpserver.dispatcher.HttpDispatcherFrame.setServiceProperties(HttpDispatcherFrame.java:632)
    at com.sap.engine.core.service630.container.ContainerEventListenerWrapper.setServiceProperties(ContainerEventListenerWrapper.java:287)
    at com.sap.engine.core.service630.container.ServiceWrapper.notifyPropertiesChange(ServiceWrapper.java:269)
    at com.sap.engine.services.basicadmin.mbean.StandardServiceManagement.notifyServiceOfPropertiesChange(StandardServiceManagement.java:417)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at com.sap.pj.jmx.introspect.DefaultMBeanInvoker.invoke(DefaultMBeanInvoker.java:58)
    at com.sap.pj.jmx.mbeaninfo.AdditionalInfoProviderMBean.invoke(AdditionalInfoProviderMBean.java:289)
    at com.sap.pj.jmx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:944)
    at com.sap.pj.jmx.server.interceptor.MBeanServerWrapperInterceptor.invoke(MBeanServerWrapperInterceptor.java:288)
    at com.sap.engine.services.jmx.CompletionInterceptor.invoke(CompletionInterceptor.java:409)
    at com.sap.pj.jmx.server.interceptor.BasicMBeanServerInterceptor.invoke(BasicMBeanServerInterceptor.java:277)
    at com.sap.jmx.provider.ProviderInterceptor.invoke(ProviderInterceptor.java:258)
    at com.sap.engine.services.jmx.RedirectInterceptor.invoke(RedirectInterceptor.java:340)
    at com.sap.pj.jmx.server.interceptor.MBeanServerInterceptorChain.invoke(MBeanServerInterceptorChain.java:330)
    at com.sap.engine.services.jmx.MBeanServerInvoker.invokeMbs(MBeanServerInvoker.java:131)
    at com.sap.engine.services.jmx.JmxServiceConnectorServer.receiveWait(JmxServiceConnectorServer.java:172)
    at com.sap.engine.core.service630.context.cluster.message.MessageListenerWrapper.process(MessageListenerWrapper.java:81)
    at com.sap.engine.core.cluster.impl6.ms.MSListenerThread.run(MSListenerThread.java:47)
    at com.sap.engine.frame.core.thread.Task.run(Task.java:64)
    at com.sap.engine.core.thread.impl6.SingleThread.execute(SingleThread.java:78)
    at com.sap.engine.core.thread.impl6.SingleThread.run(SingleThread.java:148)
    Caused by: java.net.BindException: The socket name is already in use.
    at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:381)
    at java.net.ServerSocket.bind(ServerSocket.java:341)
    at java.net.ServerSocket.<init>(ServerSocket.java:208)
    at java.net.ServerSocket.<init>(ServerSocket.java:164)
    at com.sap.engine.core.port.impl0.BaseTransportFactory.getServerSocket(BaseTransportFactory.java:43)
    at com.sap.engine.services.ssl.factory.SSLTransportFactory.getServerSocket(SSLTransportFactory.java:87)
    ... 31 more

    Hi Niraj
    Follow the below steps
    Only if you have problems during the execution of the following configuration task then ensure that the SAP Cryptographic Library is installed correctly. How you can check and install the SAP Cryptographic Library is described in
    The configuration task Configuring Secure Sockets Layer (SSL) -  Therefore you do not have to execute this configuration task explicitly. During the configuration a certificate signing request will be generated and saved on the host under \usr\sap\<SID>\SYS\global\<SID>_SSL_Certificate_Request.pem
    When the official process for server certificates is clarified you would send the file \usr\sap\<SID>\SYS\global\<SID>_SSL_Certificate_Request.pem to the Certificate Authority (CA) for signing. Afterwards you will get the signed request and have to save it under the file \usr\sap\<SID>\SYS\global\<SID>_SSL_Certificate_Response.pem.
    For now you can use Test-CA:
    a)     Open the file \usr\sap\<SID>\SYS\global\<SID>_SSL_Certificate_Request.pem, copy the content.
    b)     Go to https://security.wdf.sap.corp/public/projects/iaik (Please use EMEA WTS for calling the URL if the page cannot be displayed at your local internet browser).
    Scroll down and click on Test-CA.
    c)     A new window is opened. Click on "Test it Now!", enter the text you have copied before and select SAP Web Application Server 6.20 and newer as server type.
    d)     Click on Continue.
    e)     You got a signed request shown. Copy and save it under the file \usr\sap\<SID>\SYS\global\<SID>_SSL_Certificate_Response.pem
    Regards,
    Jayakumar

  • Default ssl context init failed: Cannot resolve key

    Hi, I get this SSL Exception when I try to run my server using
    ssl socket:
    "default ssl context init failed: Cannot resolve key"
    it is thrown at this line: "sslServerFactory.createServerSocket(port)"
    I created keystore and truststore files using 'keytool' and the step by step from the JSSE reference guide:
    http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore
    why do I get this exception and how to solve it, thank you.
    Yves

    SSL error messages are sometimes cryptic.
    Set:
    System.getProperties().put("javax.net.debug","all");
    to really see what is happening.
    Cheers
    Kullervo

  • Messaging Bridge with MQ using SSL

    Hi everybody,
    I'm using JMS messaging bridge to transfer messages from WLS 10.3.6 running on a Solaris machine to remote WebSphere MQ 7 running on an AIX machine. Weblogic reads the configuration of remote MQ from a text file, called .bindings, created using the MQ JMSAdmin tool. The file defines a connection factory with the IP address, port, queue and queue manager name and other important definitions of the remote MQ.
    The thing is that the bridge starts pretty well and transfer messages normally, but I need to change the configuration to use SSL. To do it I just added the parameter SSLCIPHERSUITE(SSL_RSA_WITH_RC4_128_MD5) and thought it was enough to achieve the goal.
    <May 12, 2014 3:05:45 PM BRT> <Debug> <MessagingBridgeRuntimeVerbose> <BEA-000000> <Exception:
    com.ibm.mq.MQException: MQJE001: An MQException occurred: Completion Code 2, Reason 2009
    MQJE016: MQ queue manager closed channel immediately during connect
    Closure reason = 2009
    Wondering if the error could be related to an SSL exception, I enabled the SSL debugging (-Dssl.debug=true) on the managed server, but there was no evidence of an SSL handshake between Weblogic and MQ, so there is no SSL communication between the peers.
    Does anybody know if this kind of communication is feasible? What may I be missing here?
    Tks!


  • Creating "Valid" SSL Cert

    Hi.
    I have a small webserver and I want to run ssl for my webmail and I created a ssl cert by running
    openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
    Firefox 2, and IE 7 both give me a nice warning that the cert might not be valid. Firefox 3 (cvs) however completely blocks from going the site. So how can I make a "valid" ssl cert?
    Thanks!

    Well I found how to do it...
    http://boblord.livejournal.com/18402.html wrote:
    To override the error, you need to create an exception. The SSL exception dialog is located in the Preferences window, under Advanced/Encryption/View Certificates. Once there, click on the Servers tab, and then on "Add Exception...". The UI should be straightforward from there.
    It's supposed to be a new feature, but I do hope they add some button to easily add a cert or else I'm afraid the user base might drop drastically as there are many sites that have "untrusted" ssl certs.
    For those interested in seeing what the error looks like... http://mezoko.net/stuff/fxsslcerterror.png

  • Policy Agent SSL?

    I am new to access manager and have used another product that creates self-signed certs for their web agents. The self-signed certs provide an encrypted connection between the web agent and access server. How do I encrypt the connection between the policy agent and access manager? AFAIK I set up SSL for the access manager host and when I create a configuration file for the policy agent I state the access manager server protocol as https. Is it that simple? Will the policy agent be affected somehow when I renew the cert on the access manager host?
    And more generally, what's best business practice? I assume you want the traffic between the policy agent and access manager to be encrypted.

    I made mine work by adding the same Root CA certificate and two server certificates from the same CA authority to both AM Web Server and the application (policy agent) web server...
    it really depends, if your application contains some sensitive information being displayed to your user, you should have SSL on the app server (sun one web server) as well..
    if u renew the CA(root) cert on the AM Web server, the same needs to be installed on the app web server as well...
    as a practice, your entire architecture should be on SSL except the DS and AM interaction .. since that is probably behind a firewall - again, depends on your configuration...
    let me know if u need more help..
    regards,
    saahil
