SSL for Weblogic 6.0: Server Certificate Chain File & Verisign

http://www.bea.com/support/askbea/wls/S-07188.shtml
This issue attempts to explain what a "certificate chain file" is for. I still don't understand why this is so difficult. Where do I get this from?
At the end of the article it points me here:
http://www.verisign.com/repository/root.html
And vaguely tells me to convert the unspecified format on that page using a utility from OpenSSL. The format on that page is NOT .pem, what is it? Which utility do I use, and HOW do I convert the root server CA on that page to .der format?
Thanks for tips!

Unfortunately this is a misleading exception you are getting.
Here is a suggested workaround (at least to get SSL working):
https://www.verisign.com/server/prg/browser/root.html
I have met the same question as you.
The Server Certificate Chain File obtained from your Browser (such as IE5.5 )
Jason Pettiss <[email protected]> wrote:
http://www.bea.com/support/askbea/wls/S-07188.shtml
This issue attempts to explain what a "certificate chain file" is for.
I still don't understand why this is so difficult. Where do I get
this from?
At the end of the article it points me here:
http://www.verisign.com/repository/root.html
And vaguely tells me to convert the unspecified format on that page using
a utility from OpenSSL. The format on that page is NOT .pem, what is
it? Which utility do I use, and HOW do I convert the root server
CA on that page to .der format?
Thanks for tips!

Similar Messages

  • How to get the Server Certificate Chain File?

    Hi all,
    I configured SSL for WebLogic 6.0 on a Win2k machine. I followed the WebLogic
    documentation:
    Generate a private key file, then submit to Verisign, get the certificate
    file.
    Because I have only one WebLogic server, I cleared the "Server Certificate
    Chain File" field.
    But I get an error message after rebooting WebLogic. Following is the error
    message:
    <2001-1-21 04:57:56 pm> <Alert> <WebLogicServer> <Inconsistent security configuration, java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found>
    java.lang.Exception: Required file server-certchain.pem which is specified by ServerCertificateChainFileName, was not found
    at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromLocalFile(SSLListenThread.java:152)
    at weblogic.t3.srvr.SSLListenThread.resolvePropertyFromAdminServer(SSLListenThread.java:180)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:425)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:939)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    My question is: Should I input the rootCA certificate into the Server
    Certificate Chain File field? If yes, where can I get the rootCA certificate
    file?
    Thanks

    [sorry, deleted irrelevant wrong answer]

  • Verisign certificate & Chain File Name

    Perhaps a newbie question, but here goes:
    I am having trouble installing a Verisign certificate on my Weblogic 6.0
    server. I have my private key and certificate file installed properly I
    believe, but am unsure what to put in the Certificate Chain File entry
    in the console. I only have 1 certificate for this server. I have tried
    to
    a) leave it empty - in which case it uses a default file name which does
    not exist
    b) use the certificate I got from Verisign
    c) export a class 3 certificate from my browser and use that file
    In all the cases that I give it an existing file name, I get the
    following stack trace:
    weblogic.security.CipherException: Incorrect encrypted block
    at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:208)
    at weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
    at weblogic.security.X509.verifySignature(X509.java:243)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    <Sep 5, 2001 8:18:55 AM PDT> <Alert> <WebLogicServer> <Inconsistent security configuration, weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate>
    weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate
    at weblogic.security.X509.verifySignature(X509.java:251)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)

    OK. Found out what it was.
    The Server Certificate Chain File name is what Verisign calls the
    Intermediate Certificate. So what you need to do is grab that cert off the
    Verisign site, paste it into a new file on your server and put that file
    name in as the path to the Chain File name.
    New question: Why the 2 names for the same thing ? The documentation could
    be a bit clearer here, as it's a very simple process that seems more
    complicated than it needs to be (IMHO).
    Brian Hall wrote:
    Perhaps a newbie question, but here goes:
    I am having trouble installing a Verisign certificate on my Weblogic 6.0
    server. I have my private key and certificate file installed properly I
    believe, but am unsure what to put in the Certificate Chain File entry
    in the console. I only have 1 certificate for this server. I have tried
    to
    a) leave it empty - in which case it uses a default file name which does
    not exist
    b) use the certificate I got from Verisign
    c) export a class 3 certificate from my browser and use that file
    In all the cases that I give it an existing file name, I get the
    following stack trace:
    weblogic.security.CipherException: Incorrect encrypted block
    at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:208)
    at weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
    at weblogic.security.X509.verifySignature(X509.java:243)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
    <Sep 5, 2001 8:18:55 AM PDT> <Alert> <WebLogicServer> <Inconsistent security configuration, weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate>
    weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate
    at weblogic.security.X509.verifySignature(X509.java:251)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
    at weblogic.Server.main(Server.java:35)
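
The fix described in the reply above (the chain file has to be the certificate that signed the server certificate, which Verisign calls the intermediate), together with the PEM/DER conversion asked about in the first thread, as an added example that is not part of any post on this page. It builds a constructed root/intermediate/server hierarchy with the OpenSSL command line; every subject name, file name and helper function in it is an assumption made for the demonstration.

```shell
#!/bin/sh
# Added example. The PKI below is constructed for the demo; nothing here
# comes from Verisign or from a WebLogic installation.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> server certificates in $WORK.
build_demo_pki() {
  (
    cd "$WORK"
    # Minimal request config so the demo does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root intermediate server; do
      openssl genrsa -out "$n.key" 2048 2>/dev/null
    done
    openssl req -new -config req.cnf -key root.key \
      -subj '/CN=Demo Root CA' -out root.csr
    openssl req -new -config req.cnf -key intermediate.key \
      -subj '/CN=Demo Intermediate CA' -out intermediate.csr
    openssl req -new -config req.cnf -key server.key \
      -subj '/CN=www.example.test' -out server.csr
    # Root is self-signed, the intermediate is signed by the root,
    # the server certificate is signed by the intermediate.
    openssl x509 -req -in root.csr -signkey root.key -days 30 \
      -extfile ca.ext -out root.pem 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -days 30 -extfile ca.ext -out intermediate.pem 2>/dev/null
    openssl x509 -req -in server.csr -CA intermediate.pem \
      -CAkey intermediate.key -CAcreateserial -days 30 -out server.pem 2>/dev/null
  )
}

# Report whether a certificate file is PEM (base64 text) or DER (binary).
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo PEM
  elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
    echo DER
  else
    echo unknown
  fi
}

# The conversions asked about in the first thread: usage IN OUT.
pem_to_der() { openssl x509 -inform PEM -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }

# Succeeds only if CANDIDATE (PEM) is the certificate that signed SERVER (PEM).
# usage: is_issuer_of CANDIDATE SERVER
is_issuer_of() {
  issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  # Name check first: the server's issuer must be the candidate's subject.
  [ "$issuer" = "$subject" ] || return 1
  # Signature check, trusting only the candidate (no root needed).
  openssl verify -partial_chain -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

build_demo_pki
pem_to_der "$WORK/intermediate.pem" "$WORK/intermediate.der"
echo "intermediate.der is $(cert_format "$WORK/intermediate.der")"

# The three files tried in the thread: the server certificate itself,
# a root certificate, and the intermediate.
for candidate in server root intermediate; do
  if is_issuer_of "$WORK/$candidate.pem" "$WORK/server.pem"; then
    echo "$candidate.pem signed server.pem: usable as the chain file"
  else
    echo "$candidate.pem did not sign server.pem"
  fi
done
```

Run against real files, `is_issuer_of` takes the candidate chain file first and the server certificate second; a DER candidate has to go through `der_to_pem` first.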

  • Untrusted Server Certificate Chain error

    I am trying to use a certificate (digital signature) on the client, when accessing a Webservice. This fails with the following error :
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
    My code is :
    KeyStore ks = null;
    String strURL = "https://myserver.com/myurl/lookup.asmx";
    SSLSocketFactory sslSocketFactory = null;
    // Register the JSSE protocol handler and provider
    System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    // Load certificate dynamically
    // "SSLv3" as posted; current JREs disable SSLv3 by default
    SSLContext sslContext = SSLContext.getInstance("SSLv3");
    TrustManagerFactory trustMgtFactory = TrustManagerFactory.getInstance("SunX509");
    CertificateFactory cert = CertificateFactory.getInstance("X.509");
    FileInputStream lo_fileinputstream = null;
    lo_fileinputstream = new FileInputStream("c:\\temp\\digital.cer");
    X509Certificate servercacert = (X509Certificate) cert.generateCertificate(lo_fileinputstream);
    lo_fileinputstream.close();
    // Build an in-memory trust store holding only this one certificate
    String s1 = servercacert.getSerialNumber().toString();
    if (ks == null) {
        ks = KeyStore.getInstance("JKS");
    }
    ks.load(null, null);
    ks.setCertificateEntry(s1, servercacert);
    trustMgtFactory.init(ks);
    sslContext.init(null, trustMgtFactory.getTrustManagers(), null);
    sslSocketFactory = sslContext.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
    // Call webservice
    URL cascadeURL = new URL(strURL);
    HttpsURLConnection conn = (HttpsURLConnection) cascadeURL.openConnection();
    String inputline = null;
    if (conn instanceof HttpsURLConnection) {
        conn.connect();
        BufferedReader in = new BufferedReader(
            new InputStreamReader(
                conn.getInputStream()));
        while ((inputline = in.readLine()) != null) {
            System.out.println(inputline);
        }
        // Close the reader only after the whole response has been read
        in.close();
    }
    Please help - I am on a very tight deadline (as usual).

    Found the problem. I simply needed to add another certificate.

  • Certificate Chain File

    Hello,
    I have certificates from two different CAs. How can I integrate them both in a root certificate chain file, so that the WLS accepts them both?
    thanks for your help
    hannele

    What version of WLS? Are the CAs in PEM or DER format?
    PaulF
    Hannele <[email protected]> wrote in
    news:3d6e2971$[email protected]:
    Hello,
    I have certificates from two different CAs. How can I integrate them
    both in a root certificate chain file, so that the WLS accepts them
    both? thanks for your help
    hannele

  • SSL VPN Failed to validate server certificate (cannot access https)

    Hi all,
    I have the next problem.
    I've configured in an UC520 a SSL VPN.
    I can access properly and I can see the labels, but I only can access urls which are http, not https:
    I can access the default ip of the uc520 (192.168.1.10) but
    When I try to get access to a secure url I get the msg: Failed to validate server certificate
    I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
    Do the certificates of both devices have to be the same?
    How can I add a https?
    Here is the config of the router:
    webvpn gateway SDM_WEBVPN_GATEWAY_1
    ip address 192.168.1.254 port 443 
    ssl trustpoint TP-self-signed-2977472073
    inservice
    webvpn context SDM_WEBVPN_CONTEXT_1
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    url-list "Intranet"
       heading "Corporate Intranet"
       url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
       url-text "Impresora" url-value "http://192.168.10.100"
       url-text "DMM" url-value "https://pc.sumkio.local:8443"
       url-text "DMM 1" url-value "http://192.168.10.10:8080"
       url-text "UC520" url-value "http://192.168.10.1"
    policy group SDM_WEBVPN_POLICY_1
       url-list "Intranet"
       mask-urls
       svc dns-server primary 192.168.10.250
       svc dns-server secondary 8.8.8.8
    default-group-policy SDM_WEBVPN_POLICY_1
    aaa authentication list sdm_vpn_xauth_ml_1
    gateway SDM_WEBVPN_GATEWAY_1
    max-users 10
    inservice
    Any help would be appreciated.
    Thank you

    Hi, thanks for your advice.
    I'm trying to copy the certificate via cut and paste, but I'm getting a
    % Error in saving certificate: status = FAIL
    I don't know if I'm doing this right.
    I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
    I get a file which if I open with notepad is like
    -----BEGIN CERTIFICATE-----
    MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
    KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
    mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
    nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
    -----END CERTIFICATE-----
    If I try to authenticate the trustpoint, I get that error.
    how can I export the certificate from the DMM?
    I think that this file is not the right file.
    and then, do I have to make some changes in
    webvpn gateway SDM_WEBVPN_GATEWAY_1?
    Should I choose the new trustpoint?
    I understand that the old trustpoint is for the outside connection, not for the LAN connection.
    Don't worry about me, answer when you can but I really need to fix this.
    Thank you so much

  • CA Certificate is not in the server certificate chain...

    Use keytool command to import server certificate.
    I got this error when running an ldap browser (I downloaded from the Net) to connect to my Active Directory server via SSL. Connecting via non-ssl is successful and I can browse the ldap tree. I'm not sure what is causing the problem. I did the following, but no success:
    1. I used the keytool command to successfully import a certificate to cacerts file found in the \java\j2re1.4...\lib\security\directory.
    2. I verified that the domain server accepts ldap queries via ssl over port 636.
    Now I'm wondering if I used the keytool command properly or is there anything I need to do to get this to work.
    Peter
    3.

    Perhaps you may want to post the output from keytool (you may want to edit any confidential information).
    For example from my Active Directory domain & Certificate Authority:
    #keytool -list -alias antipodes -keystore /usr/java/jdk1.5.0_01/jre/lib/security/cacerts
    Enter keystore password: xxxxxxx
    antipodes, 20-Aug-2005, trustedCertEntry,
    Certificate fingerprint (md5): B7:5B:DE:61:D5:89:A1:91:96:0E:C7:0A:52:86:BB:79
    My guess is that you have either not imported the certificate as a Trusted Certificate entry, you may not have imported the correct CA certificate, or if you have a CA hierarchy, you may only have imported the intermediate CA certificate, and not the root CA certificate.
    Also I have noticed that many applications have separate keystores. I recall that when I first played around with Java/JNDI on Linux to access my AD, and imported my CA cert into the Java keystore, that when I wanted to use a browser on the Linux desktop to access my secure web site, I had to also import the same CA cert into the Netscape browser's keystore. (As a Windows guy, I thought how dumb, but that's another story)

  • Do I need to set  system env variables for weblogic and SOA server installation?

    Hi All,
    I already have two WebLogic application servers on my machine (that were installed by others).
    I observed some environment variables were also set in System variables (ORACLE_HOME, WEB_SERVER_HOME etc.) section in Env variables section (Start Menu ---> Computer --> properties ---). But why do we need to have system environment variables when we already have those variables in files like setDomainEnv.bat or/and setSOADoaminEnv.bat for each server?
    And one more thing: system variables will be applicable for all servers (the whole machine), right? It may spoil the installation of new servers and present servers, as variables should be unique to each server.
    I want to install WebLogic and SOA server.
    So can I remove the existing system variables (as they will be applicable for every server) and install WebLogic and SOA server without setting up the environment variables?
    Especially as I have multiple WebLogic servers, in that case how would it be to have environment variables (JAVA_HOME, WL_HOME, ORACLE_HOME etc.)?
    Please guide me on this to install SOA suite.
    Thanks in advance


  • Policy in domain server2008 for remove tick Validate Server Certificate in win7 and xp

    hi
    i have a domain server 2008
    i need create a policy to remove tick Validate Server Certificate in win7 and xp
    please help me

    > i need create a policy to remove tick Validate Server Certificate in
    > win7 and xp
    Deploy your WLAN settings through Group Policy - this will allow you to
    create a WIFI for Vista and above, and another one for XP. Both allow
    you to untick this check box.
    Greetings/Grüße,
    Martin

  • Apache 2.2 21 forward Proxy 2 way SSL for weblogic server as a client

    Hi All,
    Currently, i am trying to implement a forward SSL proxy. The client will hit my apache server which in return will hit a IIS Server.
    scenarios 1
    client(weblogic)--*2 way SSL*Apache(forward proxy)*2 way SSL*-- IIS
    If i were to implement 1 way ssl, i am able to see the content of the website.
    client(weblogic) --- Apache(forward proxy) --- IIS
    If i were to launch the web browser from the client machine (with the client certificate imported in the browser), i am able to view the content in the IIS. But if i were to simulate the connection from weblogic server, it just give me end of file exception (response contain no data) on the logs.
    Below is my configuration
    Listen 8080
    <VirtualHost default:8080>
    ServerName serverA
    ErrorLog "logs/ssl_error_log"
    CustomLog "logs/ssl_access_log" common
    SSLProxyEngine On
    SSLProxyMachineCertificateFile /certificate/servercert.cer
    SSLProxyCACertificateFile /certificate/rootCA.cer
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    ProxyRequests On
    ProxyVia On
    AllowConnect 12345
    <Proxy *>
    Order allow,deny
    Allow from all
    </Proxy>
    </VirtualHost>
    For 2 way SSL, will the client forward their client certificate to my apache proxy server and apache will on the client's behalf forward the client certificate to the IIS server for authentication?
    Or does the SSL authentication still happen between the client (weblogic) and the end server (IIS), bypassing the proxy server?
    Please help.

    It is a domain wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such thing in web.xml.

  • Setting up SSL for Weblogic Server10.3.1

    I have read the doc http://download.oracle.com/docs/cd/E15523_01/web.1111/e13707/ssl.htm#i1194343 for Setting up SSL:
    1) Obtain Certs and keys: Public Certificates and Private Keys
    2) Store the private keys, digital certificates, and trusted CA certificates. Private keys and trusted CA certificates are stored in a keystore.
    3) Configure the identity and trust keystores in the Admin console.
    4) Set SSL configuration option for private key alias and password in Admin console.
    step 1)
    for the development I'd use the demo certs offered by WLS install. I have found 4 certs in WLS_HOME\server\lib
    and they are CertGenCAKey, CertGenCA, demo and trusted.
    which are the Public Certificates? and the Private Keys? which ones should we use? Can we use them without any modifications ?
    Or we should use CertGen to create the certs and keys?
    TIA
    Z
    Edited by: user12220476 on May 12, 2010 4:34 PM

    2) Store the private keys, digital certificates, and trusted CA certificates. Private keys and trusted CA certificates are stored in a keystore.
    3) Configure the identity and trust keystores in the Admin console.
    4) Set SSL configuration option for private key alias and password in Admin console.
    I have used CertGen to create the following key and cert files
    natcert.der, natcert.pem, natkey.der and natkey.pem
    For creating the keystore from the private key, I use utils.ImportPrivateKey
    steps (http://download.oracle.com/docs/cd/E15523_01/web.1111/e13749/utils.htm#ADMRF151)
    Convert the certificate from DER format to PEM format.
    $ java utils.der2pem CertGenCA.der
    Concatenate the certificate and the Certificate Authority (CA).
    $ cat natcert.pem CertGenCA.pem >> newnatcerts.pem
    Create a new keystore named natkeystore and load the private key located in the natkey.pem file.
    $ java utils.ImportPrivateKey -certfile newnatcerts.pem -keyfile natkey.pem -keyfilepass natkey123 -keystore natkeystore.jks -storepass nat123 -alias natalias
    Using Admin console to configure SSL
    configuration > general > enable ssl port 7002
    configuration > keystores > Custom Identity and Java Standard Trust
    --- Identity -----------------
    Custom Identity Keystore: $WLS_HOME/server/lib/natkeystore.jks
    Custom Identity Keystore Type: jks
    Custom Identity Keystore Passphrase: nat123
    ---Trust -----------------------
    Java Standard Trust keystore: JDK_HOME/jre/lib/security/cacerts
    Java Standard Trust keystore Type: jks
    Java Standard Trust keystore Passphrase: changeit
    configuration > SSL
    Identity and Trust Locations : Keystores
    ---- Identity ----------------------
    Private key location: from custom identity keystores
    Private key alias: natalias
    Private key Passphrase: nat123
    Certificate Location: from custom identity keystore
    ---- Trust -------------------------
    Trust Certificate Authorities : from Java Standard Trust Keystores
    I restarted the WLS and failed to access the SSL port.
    Found the following error messages in the Admin server log:
    <BEA-090716> <Failed to retrieve identity key/certificate from keystore \...\wlserver_10.3\server\lib\natkeystore.jks under alias natalias on server AdminServer>
    <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Failed to retrieve identity key/certificate from keystore \..\wlserver_10.3\server\lib\natkeystore.jks under alias natalias on server AdminServer>
    <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore \..\wlserver_10.3\server\lib\natkeystore.jks under alias natalias on server AdminServer.>
    <BEA-090171> <Loading the identity certificate and private key stored under the alias natalias from the jks keystore file \..\wlserver_10.3\server\lib\natkeystore.jks.>
    By the way, it works if configured the keystores with the weblogic's demo identity and trusted.
    Edited by: user12220476 on May 18, 2010 12:38 AM

  • Try to implement SSL for OMS console - Third Party Certificate

    Using 10.2.0.5.0 of Grid control. 11.1.0.7.0 DB
    Internet Explorer (or any browser)
    enter
    https://hostname.com:1159/em/
    gets
    There is a problem with this website's security certificate.
    The security certificate presented by this website was not issued by a trusted certificate authority.
    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
    We recommend that you close this webpage and do not continue to this website.
    Click here to close this webpage.
    Continue to this website (not recommended).
    I have tried to follow instructions in Method 2
    http://download.oracle.com/docs/cd/B16240_01/doc/em.102/e10954/security2.htm
    emctl secure oms -trust_certs_loc <loc of trusted_certs.txt>
    completes without error
    I have a third party certificate from GEOTRUST. I have downloaded the Root CA certificate from GEOTRUST and placed them both in a file called trusted_certs.txt
    I have also imported both certificates in Oracle Wallet Manager. I can see the details within OWM and they are correct.
    I followed instructions in metalink How to provide HTTPS browser access to the Grid Control Console using a third party certificate? [ID 736103.1]
    When I view the certificate from IE after 'opmnctl startall', the cert is from grid control not GEOTRUST.
    It seems like the 'emctl secure oms ...' overwrites the wallet in $OMS_HOME/sysman/wallets/oms_hostname
    SSL is a part of Oracle's Best Practices for Grid Control but has anyone gotten it to work?
    Thanks in advance.

    These Certification Authorities are supposed to work out of the box:
    ■ Class 1 Public Primary Certification Authority by VeriSign, Inc.
    ■ Class 2 Public Primary Certification Authority by VeriSign, Inc.
    ■ Class 3 Public Primary Certification Authority by VeriSign, Inc.
    ■ Secure Server Certification Authority by RSA Data Security, Inc.
    ■ GTE CyberTrust Root by GTE Corporation
    ■ GTE CyberTrust Global Root by GTE CyberTrust Solutions, Inc.
    ■ Entrust.net Secure Server Certification Authority by Entrust.net ((c) 1999 Entrust.net Limited, www.entrust.net/CPS incorp. by ref. (limits liab.))
    ■ Entrust.net Certification Authority (2048) by Entrust.net ((c) 1999 Entrust.net Limited, www.entrust.net/CPS_2048 incorp. by ref. (limits liab.))
    ■ Entrust.net Secure Server Certification Authority by Entrust.net ((c) 2000 Entrust.net Limited, www.entrust.net/SSL_CPS incorp. by ref. (limits liab.))
    Has anyone used these with OEM?
    Verisign is $600 year - ouch
    Entrust is $200

  • Where is the folders for weblogic as BI server

    anyone can help me,pls.
    P6 R8:
    I have installed the report database(staging ,ODS and star),and finished BI server with weblogic.
    now what should i do if i want to see how the P6 works with reports. (in p6 web, I can see the reports menu )
    following the doc "P6AnalyticsSampleData.pdf", but I found I can't find the folders in the weblogic environment.
    To set Up the P6 Analytics sample dashboards, do the following:
    1) If OBI is currently running, do the following:
    a. Stop all services (Oracle BI Presentation Server, Oracle BI Java Host, and Oracle BI Server).
    b. Ensure that the OBI Presentation Server (OC4J_BI by default) is also stopped.
    2) Copy the p6analytics folder from the following location:
    <P6 Analytics download location>\P6 Analytics\obi\catalog
    To:
    *<OBI Data Installation location>\web\catalog*
    Where:
    The default <OBI Data Installation location> is c:\OracleBIData on Windows.
    3) Copy the OraclePrimaveraP6Analytics.rpd file from the following location:
    <P6 Analytics download location>\P6 Analytics\obi\rpd
    To:
    *<OBI Installation location>\server\Repository*
    Where:
    The default <OBI Installation location> is c:\OracleBI on Windows.
    4) Copy the s_oraclep6 and sk_oraclep6 folders from the following location:
    <P6 Analytics download location>\P6 Analytics\obi\skin
    To: The following two locations:
    *<OBI Installation location>\web\app\res*
    *<OBI Java Application Server installation Location>\j2ee\home\applications\analytics\analytics\res folder*
    Where:
    The default <OBI Installation location> is c:\OracleBI on Windows.
    The default <OBI Java Application Server installation Location> is C:\OracleBI\oc4j_bi
    5) Modify the instanceconfig.xml file located in *<OBI Data Installation location>\web\config.*
    Where:
    The default <OBI Data Installation location> is c:\OracleBIData on Windows.
    -----------------------------------------------------------------

    The reports for P6 R8 use BI Publisher. Once BI Publisher is installed and configured, then you can link P6 R8, via the P6 r8 Administrator to the BI Publisher server. You can consult the P6 EPPM Administrator guide, page 192, for details about setting up P6 Reports using BI Publisher.

  • Site Recovery Manager (SRM) v6.0 fails to pair sites - certificate chain not verified

    I have used the default self-signed certificates throughout the vCenter and SRM setup.  When going to pair the vCenters, I get "Server certificate chain not verified".  These are 2 new VCSA 6.0 VMs (embedded PSCs for each) and 2 new Windows 2012 R2 servers to run SRM 6.0.  I can view the Site in each respective vCenter but can't pair them.  Does anyone have suggestions?  We have tried valid SSL certs before on our original 6.0 deployment and continuously run into these certificate chain not valid errors.

    Yes, I always used the FQDN.  This issue was actually the result of having an incorrect vCenter topology.  The error resulted in us spending hours with support all around valid or self-signed certs.  In the end, I had to completely redeploy new VCSA 6.0 appliances and follow the 3rd recommended topology.
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2108548
    With this setup, it also links the vCenters and it seems to be much quicker than Linked Mode in previous versions.  I was able to pair the sites in SRM without issue.  FYI, I am using self-signed certs all around at the moment.  SRM is very finicky about trust with SSL certs so I won't try implementing valid SSL certs until I get some working failovers.

  • Content server certificate verification

    Hello, everybody,
    we would like to use the proxy server as an HTTP-to-HTTPS converter for around 30 URLs/destination servers in a configuration as follows:
    clients (actually another proxy)
    --->HTTP---> web proxy
    --->HTTPS--> firewall
    --->Internet
    We added the forward (http-->https) and reverse (https-->http) mappings in the web proxy already, and they work.
    I'd like to know which certificate/key file is for client requests (not used here, only HTTP), and which is for the outgoing HTTPS requests for content servers, and how exactly content server certificate checking can be manipulated.
    There are:
    (a) a key file in magnus.conf
    (b) a cert database in magnus.conf
    (c) a security setting (on/off) in magnus.conf
    (d) a key file in the Init statement in the obj.conf
    (e) a cert file in the Init statement in the obj.conf
    (f) a security setting (on/off) in the Init statement in the obj.conf
    ...but which is for what?
    The admin document (which I have read up and down) mentions "security" and "encryption", but IMHO fails to state whether the terms refer to incoming requests (which I assume), and which refer to outgoing requests.
    So in more detail:
    1) If I generate a key and put a corresponding certificate into a key file, what is the effect if I mention this file in (a) or (d) above, resp.? Do these entries have to be the same (i.e., do they have to mention the same file)?
    2) In (1), for which connection does the certificate/key apply: to requests incoming from the clients (if HTTPS/SSL were used there), acting as a server certificate, or as client certificate for outgoing requests, or both?
    3) The certificate database in (b) and (e), resp., is it for verifying the client certificates in incoming requests (which is often mentioned), for verifying the content server certificates in outgoing requests (which is hardly ever mentioned), or both? I need to verify the content server certificates, and some of them are issued by strange or own CAs, so I need to add a few CA certificates.
    4) Do I have to add the CA certificates as chain certificates or as CA certificates? "CA certificates" would make sense to me (after all, they are CA certificates), but those are apparently only for client certificate verification, so I added them as chain certificates (a chain of a single element...). Strange that if I click "Do not trust", a certificate that was earlier trusted for client certs is now "only" valid as CA certificate -- as if one was somehow "less" than the other.
    5) With an Equifax server certificate on a certain host, I get a message that the content server allegedly refuses to respond to the connection or may be highly loaded. Using openssl, I can connect from the same host to the content server without problems, in SSL2, SSL3, TLSv1. It makes no difference if the Equifax CA certificate is in the cert database or not, or if "Security" is on or off, or if "Initialize certs only" is checked. Using ssldump, I see that the proxy gives a "bad_certificate" fatal alert to the server. (The list of supported ciphers is a lot shorter with the proxy than with openssl, BTW.) Happens with at least two content servers, both of which can be contacted without problems via openssl, and the server certificates of which can be verified with their corresponding CA certificates I have available.
    6) What does "Security on", "off" and "Initialize certs only" actually do? (...apart from putting a line into obj.conf...). "Security" is such a broad term used in (c) and (f), but does it refer to the client or the content server side? (Yes, I know that SSL provides authentication and encryption, I'm just not sure about how to configure what on the proxy software.) Guess I'm repeating myself here ;-)
    7) I read that there is a tool "certadmin". Is it provided with some other Sun software? (I think with the portal server, right?) I would love to get hold of a tool for really looking into the cert databases (not using the admin server functionality). I also heard of another tool, but don't recall its exact name -- something like idscertutil, or some other *certutil. Does this ring a bell with anybody?
    I'm using proxy 3.6 SP6.
    Any insights are welcome.
    Thanks for your help,
    Stefan
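
Points 3 to 5 of the post above turn on which certificates act as trust anchors and which are only chain certificates. The following is an added example, not part of the post or of the proxy's documentation: it builds a constructed root, intermediate and server certificate and shows how `openssl verify` treats the two roles (`-CAfile` is the trust anchor, `-untrusted` is a chain certificate). All names and file paths are invented for the example.

```shell
#!/bin/sh
# Constructed test PKI (all names are made up): root CA -> intermediate CA -> server.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# new_root NAME CN: self-signed CA certificate NAME.pem with key NAME.key
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ext.cnf" \
    -extensions v3_ca -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# issue NAME CN ISSUER SECTION: NAME.pem signed by ISSUER, extensions from SECTION
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}
# check_chain ANCHOR [CHAIN]: verify server.pem against trust anchor ANCHOR.pem,
# optionally offering CHAIN.pem as an untrusted chain certificate.
check_chain() {
  extra="${2:+$WORK/$2.pem}"
  if openssl verify -CAfile "$WORK/$1.pem" ${extra:+-untrusted "$extra"} \
       "$WORK/server.pem" >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}

new_root root  "Example Root CA"
new_root other "Unrelated Root CA"
issue inter  "Example Intermediate CA" root  v3_ca
issue server "content.example.test"    inter v3_leaf

echo "root only:            $(check_chain root)"
echo "root + intermediate:  $(check_chain root inter)"
echo "unrelated root:       $(check_chain other inter)"
```

A chain certificate only helps build the path; verification still fails unless the path ends at a certificate the verifier treats as a trust anchor.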

    Gerd,
    Don't know which version of fetchmail comes with 10.3.x and 10.4.x respectively.
    However, older versions would check for an SSL certificate in an opportunistic way and still go ahead if there wasn't one. More recent versions will interrupt communications.
    In other words, since you do not use SSL you must disable it in fetchmail. If I remember correctly (not 100% sure), you must add:
    sslproto ''
    to .fetchmailrc
    Alex
