SSL implementation - Certificate Authority

Hi,
We are planning to implement SSL in the portal using digital certificate. Version of portal is EP7 SP11(2004s). We are planning to have a clustered environment. Please let me know which all certificates are supported by portal and how many certificate licence we need in this scenario?
regards,
Sujesh

Hi ,
1)     Login to the visual administrator using admin userid and pwd
2)     Goto server >services>keystore
3)     Select the service_ssl and create new entry with name ssl_credentials
Click on create button and generated one new entry with name:  ssl_credentilas
4)     After generating  new entry ssl_credentials(private key) and ssl_credentials.cert (ecertificate) will be created.
now select the new entry and click on generate CSR request button and send the c
ertificate to verisgn. they will send u response to ur CSR request.Now save this in .crt ext and goto VA and sekect the new entry again and click on import CSR .
5)     Select the Trusted CAs and click on import from other button
6)     Select the service_ssl from the Select view option and select the ssl_credentials (privatekey) which is created in step 3. and click on Ok
7)     ssl-credentials will be added into the Trusted CAs
8)Goto SSL provider and  select the  dispatcher
9)Select the new sockets radio button and select server identity tab and click on Add button.
10)     Select the (new entry created just now)  ssl-credential and click on ok.
11)     Add the same for Active sockets and reboot the sun 128 displatcher.
Result:  Https is working for sun 128 server .

Similar Messages

  • Oracle Certificate Authority OCA and SSL Immlementation

    Hi
    Is anybody can clear that:
    1) Does OCA only work on intranet or it does work internet also.
    2) What is the difference between OCA and Verisign or any other third party CA
    3) What are the benifits for OCA
    4) What are the advantages and disadvantages for both of them
    5) what are the main steps invloved to implement OCA and SSL
    I'll be very appraciated, if anybody give me the answers as soon as possible. Please gIve me the answers whichever you knows very well.
    Thanks in Advance
    Munir Muhammad

    Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
    SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
    The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
    To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
    1. From the web browser to the middle tier
    2. End user to database
    3. from the middle tier to OID
    4. from the middle tier to the database
    5. From OID to active directory

  • SSL certificates and/ or Oracle Certificate Authority

    Our Oracle infrastructure is as follows:
    1.Database server
    (a)Oracle 9i R2 database
    (b) Oracle ApEx 2.2
    2. Infrastructure server
    (a) Oracle 10g (9.0.4.x.x) Infrastructure
    (b) OID - configured as external authentication to Microsoft 2003 Active Directory LDAP version 3
    (c) SSO - configured as Windows Native authentication
    3. Application server
    (a)Oracle 10g (9.0.4.x.x) Forms and reports server
    Network traffic currently is not encrypted. All we need is to ensure that network traffic is encrypted between the the end-user PC and all servers (database or app server)
    I was reading through Oracle Certificate Authority and Secure Sockets Layer.
    1. Is there a difference between the two products?
    2. Which product would be best to ensure the encryption (authentication is provided through MS LDAP)
    Thanks,
    Mayura

    Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
    SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
    The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
    To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
    1. From the web browser to the middle tier
    2. End user to database
    3. from the middle tier to OID
    4. from the middle tier to the database
    5. From OID to active directory

  • Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

    We have a Certificate Authority (Version: 5.2.3790.3959) configured on  Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
    Currently i am only able to generate SSL cert with md5RSA.

    Hi,
    Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
    Therefore, you need to build a new CA to use a new algorithm.
    More information for you:
    Is it possible to change the hash algorithm when I renew the Root CA
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
    Changing public key algorithm of a CA certificate
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
    modify CA configuration after Migration
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
    Best Regards,
    Amy Wang

  • SSL Certificate Authority TÜRKTRUST

    I see listed under preferences - advanced - certificates:
    TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
    Begins On 13/05/2005
    Expires On 22/03/2015
    What is this SSL Certificate Authority?
    What does it do?

    Hi ,
    1)     Login to the visual administrator using admin userid and pwd
    2)     Goto server >services>keystore
    3)     Select the service_ssl and create new entry with name ssl_credentials
    Click on create button and generated one new entry with name:  ssl_credentilas
    4)     After generating  new entry ssl_credentials(private key) and ssl_credentials.cert (ecertificate) will be created.
    now select the new entry and click on generate CSR request button and send the c
    ertificate to verisgn. they will send u response to ur CSR request.Now save this in .crt ext and goto VA and sekect the new entry again and click on import CSR .
    5)     Select the Trusted CAs and click on import from other button
    6)     Select the service_ssl from the Select view option and select the ssl_credentials (privatekey) which is created in step 3. and click on Ok
    7)     ssl-credentials will be added into the Trusted CAs
    8)Goto SSL provider and  select the  dispatcher
    9)Select the new sockets radio button and select server identity tab and click on Add button.
    10)     Select the (new entry created just now)  ssl-credential and click on ok.
    11)     Add the same for Active sockets and reboot the sun 128 displatcher.
    Result:  Https is working for sun 128 server .

  • Certificate Authority chain issue

    Hello,
    I have a problem with using root and sub Certificates in our PKI environment. Specifically, I have a problem with the way the Java implementation of certificates is working in our environment.
    We use Entrust as our external Certificatation Authority. We are a predominantly Microsoft environment and have implemented PKI for user accounts and Smartcard logons across our domain. Our certificates are generated under Entrusts certificatation authority and we have added their DCOMROOTCA and DCOMSUBCA (Root and Subordinate) certificates to our trusted root certification Authorities store for all MS clients. Entrust have recently reissued their DCOMROOTCA and DCOMSUBCA certificates and we have included those new certificates in our trusted root certification Authorities store. The old Entrust certificates are still valid and dont expire for another 2 years. Our PKI environment and authentication continues to work as normal in an MS environment.
    In a Windows environment which is using Microsoft’s implementation of certificates, a smart card which was issued under Entrust’s old root certificate will successfully authenticate with a certificate issued under Entrusts’s new root certificate.
    I am having a problem with VMWare View. VMWare View is a Web interface broker server which uses Java’s implementation of certificate security, ie uses keytool.exe and cacerts as its trusted certificate store. I have secured the web interface with a certificate issued under Entrust’s new root certificate. I am trying to authenticate with a smart card which has been issued with a certificate under Entrust’s old root certificate. This has not been successful. I have imported the old DCOMROOT and DCOMSUB certificates and the new DCOMROOT and DCOMSUB certificates into the cacerts file. The client (a Wyse Terminal) also has the old and new DCOMROOT and DCOMSUB certificates in its trusted store. When I attempt to logon I get the following event in the logs on the Web interface broker server:
    16:54:18,789 DEBUG <pool-1-thread-17> PooledProcessor SSL handshake exception from /10.42.2.138:2867, error was: sun.security.validator.ValidatorException: Certificate signature validation failed
    If I reissue the Smartcard with a new certificate which has been generated under Entrust's new root and sub certificates I am able to successfully authenticate.
    The conclusion I can draw from this is that Java certification (at least in the way I have set it up) breaks if a new issuing certificate is being used to generate a certificate to secure the Web interface and an old issuing certificate is being used on a smart card / client.
    Does this sound correct? Is this a known issue or have I not imported or setup up the certificate chains correctly?
    Any advice would be most welcome.
    Many thanks,
    Ben

    Hi,
    thanks for your reply.
    Here is some more from the log. The log has some VMWare specific entries.
    10:44:41,337 DEBUG <pool-1-thread-7> [PooledProcessor] SSL handshake exception from /10.42.2.134:1104, error was: sun.security.validator.ValidatorException: Certificate signature validation failed
    10:44:41,462 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=11, availableVMs=11, zombieVMs=0, busyVMs=0, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=20, vmMinimumCount=10, vmHeadroomCount=5, customizingVMs=0
    10:44:41,462 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int::Control path is vmHeadroomCount-stop as availableVMs(11) > vmHeadroomCount(5)
    10:44:41,478 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) Not stopping VMs as policy is ALWAYSON, REMAINON or DELETEONUSE
    10:44:41,478 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) onMachineEvent: null in pool: cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int
    10:44:41,963 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=10, availableVMs=9, zombieVMs=0, busyVMs=1, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=20, vmMinimumCount=10, vmHeadroomCount=5, customizingVMs=0
    10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int::Control path is vmHeadroomCount-stop as availableVMs(9) > vmHeadroomCount(5)
    10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) Not stopping VMs as policy is ALWAYSON, REMAINON or DELETEONUSE
    10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int) onMachineEvent: null in pool: cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int
    10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=6, availableVMs=6, zombieVMs=0, busyVMs=0, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=0, vmMinimumCount=0, vmHeadroomCount=0, customizingVMs=0
    10:44:42,713 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Peer unverified
    10:44:42,713 DEBUG <Thread-19> [SimpleAJPService] (Request128) SimpleAJPService request: /broker/xml
    10:44:42,728 DEBUG <TP-Processor3> [XmlAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter
    10:44:42,744 DEBUG <TP-Processor3> [XmlRequestProcessor] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) read XML input
    10:44:42,744 DEBUG <TP-Processor3> [XmlRequestProcessor] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) added: configuration
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for disclaimer
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for SecurID
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for gssapi
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against gssapi
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for cert-auth
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against cert-auth
    10:44:42,775 DEBUG <TP-Processor3> [CertificateAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Client did not use Certificate Authentication, skipping or failing
    10:44:42,775 DEBUG <TP-Processor3> [CertificateAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Failing Certificate authentication, bypassing for OPTIONAL mode
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for windows-password
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against windows-password
    10:44:42,775 DEBUG <TP-Processor3> [WinAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting authentication against AD
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Not authenticated, requesting login page for windows-password
    10:44:42,791 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) AuthorizationFilter: XML Authorization Filter in doFilter()
    10:44:42,791 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) paeCtx == null, forwarding to login page: /broker/xml
    10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Start processing: configuration
    10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Processing: configuration
    10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Finished processing: configuration, Result: ok
    10:44:42,806 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) End processing: configuration
    Many thanks again,
    Ben

  • How do I set up my own certificate authority

    I tried google on the above question, and the most recent thing I found was 7 years old. replacing the phrase used generates a lot of hits with a very poor signal to noise ratio.
    I have OpenSSL (in the cygwin distribution), which is quite recent, but frankly its documentation leaves just about everything to be desired. I found pyca, but it has no documentation at all (and it is a couple years old).
    I tried the steps appended below, but invariably the attempt to sign the certificates fails with an obscure error message about OpenSSL not finding one thing or another.
    At this stage, I just don't care whether I do this using something in the J2SDK such as keytool or OpenSSL, as long as I can get it done. Or if there is some other opensource software tool I can use, terrific. This is primarily for the purpose of securing communications within an Intranet, and secondarily for signing applets and applications distributed through WebStart. If I am not mistaken, I'll need a certificate for each of my servers. Right?
    If you know of an URL where this is well explained and illustrated, great. Give that to me.
    Otherwise, a simple illustration (or a correction of what I've appended below) would be appreciated. I believe I understand what ought to be happening. It ought to be rather simple to do, but there are these irritating and frustrating minor details getting in the way. For example, the steps I show below seem simple, but everything appears to get messed up by some of the contents of openssl.cnf in 'usr/ssl', in the cygwin directory, and there is no explanation of how to set things up for the first time you use OpenSSL within Cygwin (or on unix for that matter).
    Any assistance would be appreciated.
    Thanks,
    Ted
    ========failed attempt=====================
    # Generation of Certificate Authority(CA)
    openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config /usr/ssl/openssl.cnf
    # Create server request and key
    openssl req -new -keyout server-key.pem -out server-req.pem -days 36502 -config /usr/ssl/openssl.cnf
    # Remove the passphrase from the key
    openssl rsa -in server-key.pem -out server-key.pem
    # Sign server cert
    openssl ca -policy policy_anything -out server-cert.pem -infiles server-req.pem -config /usr/ssl/openssl.cnf
    # Create client request and key
    openssl req -new -keyout client-key.pem -out client-req.pem -days 36502 -config /usr/ssl/openssl.cnf
    # Remove a passphrase from the key
    openssl rsa -in client-key.pem -out client-key.pem
    # Sign client cert
    openssl ca -policy policy_anything -out client-cert.pem -infiles client-req.pem -config /usr/ssl/openssl.cnf

    The following works for me:
    NB: Some of the output has been removed in the interests of privacy (this will not affect the outcome)
    1. Create CA key and certificate
    1.1 Create a new file called "serial" containing the value "01".
    1.2 Create an empty file "index.txt"
    1.3 Create a subdirectory "newcerts"
    1.4 Execute.... create a key for your CA
    [ben@localhost ca]$ openssl genrsa -out ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    .....................................+++
    ..........................................................+++
    e is 65537 (0x10001)
    1.5 Execute... create a certificate for your own CA
    [ben@localhost ca]$ openssl req -config ./openssl.cnf -new -x509 -key ca.key -out cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [GB]:
    County or State (full name) []:
    City or town (eg, Hitchin) []:
    Organization Name (eg, company) []:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    2. Create PK key and .csr
    2.1 Execute...
    [ben@localhost ca]$ keytool -genkey -alias PK
    Enter keystore password: password
    What is your first and last name?
    [Unknown]:
    What is the name of your organizational unit?
    [Unknown]:
    What is the name of your organization?
    [Unknown]:
    What is the name of your City or Locality?
    [Unknown]:
    What is the name of your State or Province?
    [Unknown]:
    What is the two-letter country code for this unit?
    [Unknown]:
    Is CN=, OU=, O=, L=, ST=, C=GB correct?
    [no]: yes
    Enter key password for <PK>
    (RETURN if same as keystore password):
    2.2 Create .csr
    [ben@localhost ca]$ keytool -certreq -alias PK -file PK.csr
    Enter keystore password: password
    3. Sign PK with CA cert
    [ben@localhost ca]$ openssl ca -config ./openssl.cnf -in PK.csr -out PK.pem -keyfile ca.key -days 365
    Using configuration from ./openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 0 (0x0)
    Validity
    Not Before: Jan 5 19:48:33 2006 GMT
    Not After : Jan 5 19:48:33 2007 GMT
    Subject:
    countryName = GB
    stateOrProvinceName =
    organizationName =
    organizationalUnitName =
    commonName =
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    D6:2D:7E:71:77:9E:1A:BB:54:69:98:63:6A:6A:E2:BA:12:C4:D7:DD
    X509v3 Authority Key Identifier:
    keyid:92:7C:33:7C:EC:1D:76:C5:B8:F0:30:6D:10:12:40:E5:E7:EA:24:31
    DirName:/C=GB/ST=/L=/O=/OU=/CN=/emailAddress=
    serial:F0:D1:38:36:65:6D:71:D5
    Certificate is to be certified until Jan 5 19:48:33 2007 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    4. Convert PK certificate into DER format
    [ben@localhost ca]$ openssl x509 -in PK.pem -out PK.der -outform DER
    5. Import CA certificate into keystores
    [ben@localhost ca]$ keytool -import -alias ca -file cacert.pem
    Enter keystore password: password
    Owner: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
    Issuer: EMAILADDRESS=, CN=, OU=, O=, L=, ST=, C=GB
    Serial number: f0d13836656d71d5
    Valid from: Thu Jan 05 19:41:09 GMT 2006 until: Fri Jan 05 19:41:09 GMT 2007
    Certificate fingerprints:
    MD5: AF:3D:8E:25:12:24:04:1F:40:70:BC:A0:9E:0E:44:84
    SHA1: B8:E8:0B:A5:86:33:21:0C:B5:3C:6E:F2:DE:7B:31:0F:59:AE:21:E4
    Trust this certificate? [no]: yes
    Certificate was added to keystore
    6. Import signed PK into keystore
    [ben@localhost ca]$ keytool -import -alias pk -file PK.der
    Enter keystore password: password
    Certificate reply was installed in keystore
    REF:
    http://www.yorku.ca/dkha/docs/jsse_cert/jsse_cert.htm
    http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#ownca
    http://www.openssl.org/docs/apps/ca.html#
    openssl.cnf:#
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME               = .
    RANDFILE          = $ENV::HOME/.rnd
    # Extra OBJECT IDENTIFIER info:
    #oid_file          = $ENV::HOME/.oid
    oid_section          = new_oids
    # To use this configuration file with the "-extfile" option of the
    # "openssl x509" utility, name here the section containing the
    # X.509v3 extensions to use:
    # extensions          =
    # (Alternatively, use a configuration file that has only
    # X.509v3 extensions in its main [= default] section.)
    [ new_oids ]
    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    [ ca ]
    default_ca     = CA_default          # The default ca section
    [ CA_default ]
    dir          = .               # Where everything is kept
    certs          = $dir/certs          # Where the issued certs are kept
    crl_dir          = $dir/crl          # Where the issued crl are kept
    database     = $dir/index.txt     # database index file.
    #unique_subject     = no               # Set to 'no' to allow creation of
                             # several ctificates with same subject.
    new_certs_dir     = $dir/newcerts          # default place for new certs.
    certificate     = $dir/cacert.pem      # The CA certificate
    serial          = $dir/serial           # The current serial number
    #crlnumber     = $dir/crlnumber     # the current crl number must be
                             # commented out to leave a V1 CRL
    crl          = $dir/crl.pem           # The current CRL
    private_key     = $dir/private/cakey.pem# The private key
    RANDFILE     = $dir/private/.rand     # private random number file
    x509_extensions     = usr_cert          # The extentions to add to the cert
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt      = ca_default          # Subject Name options
    cert_opt      = ca_default          # Certificate field options
    # Extension copying option: use with caution.
    # copy_extensions = copy
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions     = crl_ext
    default_days     = 365               # how long to certify for
    default_crl_days= 30               # how long before next CRL
    default_md     = md5               # which md to use.
    preserve     = no               # keep passed DN ordering
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match
    # For the CA policy
    [ policy_match ]
    countryName          = match
    stateOrProvinceName     = match
    organizationName     = match
    organizationalUnitName     = optional
    commonName          = supplied
    emailAddress          = optional
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName          = optional
    stateOrProvinceName     = optional
    localityName          = optional
    organizationName     = optional
    organizationalUnitName     = optional
    commonName          = supplied
    emailAddress          = optional
    [ req ]
    default_bits          = 1024
    default_keyfile      = privkey.pem
    distinguished_name     = req_distinguished_name
    attributes          = req_attributes
    x509_extensions     = v3_ca     # The extentions to add to the self signed cert
    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret
    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix      : PrintableString, BMPString.
    # utf8only: only UTF8Strings.
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
    # so use this option with caution!
    # we use PrintableString+UTF8String mask so if pure ASCII texts are used
    # the resulting certificates are compatible with Netscape
    string_mask = MASK:0x2002
    # req_extensions = v3_req # The extensions to add to a certificate request
    [ req_distinguished_name ]
    countryName               = Country Name (2 letter code)
    countryName_default          = GB
    countryName_min               = 2
    countryName_max               = 2
    stateOrProvinceName          = County or State (full name)
    stateOrProvinceName_default     =
    localityName               = City or town (eg, Hitchin)
    localityName_default          =
    0.organizationName          = Organization Name (eg, company)
    0.organizationName_default     =
    # we can do this but it is not needed normally :-)
    #1.organizationName          = Second Organization Name (eg, company)
    #1.organizationName_default     = World Wide Web Pty Ltd
    organizationalUnitName          = Organizational Unit Name (eg, section)
    organizationalUnitName_default     =
    commonName               = Common Name (eg, your name or your server\'s hostname)
    commonName_max               = 64
    emailAddress               = Email Address
    emailAddress_max          = 64
    # SET-ex3               = SET extension number 3
    [ req_attributes ]
    challengePassword          = A challenge password
    challengePassword_min          = 4
    challengePassword_max          = 20
    unstructuredName          = An optional company name
    [ usr_cert ]
    # These extensions are added when 'ca' signs a request.
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    basicConstraints=CA:FALSE
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    # This is OK for an SSL server.
    # nsCertType               = server
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    # For normal client use this is typical
    # nsCertType = client, email
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # This will be displayed in Netscape's comment listbox.
    nsComment               = "OpenSSL Generated Certificate"
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    # Copy subject details
    # issuerAltName=issuer:copy
    #nsCaRevocationUrl          = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    [ v3_ca ]
    # Extensions for a typical CA
    # PKIX recommendation.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign
    # Some might want this also
    # nsCertType = sslCA, emailCA
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy
    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF
    [ crl_ext ]
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always

  • Error 403.7 - Forbidden: SSL client certificate is required

    Hi people!
    I�m developing a java client to a WebService (developed in .NET). The communication protocol is HTTPS to the URL where the Web Service is located (something like https://10.200.140.117/dirNotes/serviceName.asmx.). I�ve been reading many posts but I could'nt find the solution to the problem wich has the following message: Error 403.7 - Forbidden: SSL client certificate is required".
    I�m using JDK 1.5 and developing and testing on Windows Plataform. I'm able to access the URL specified above directly from the browser, I installed the client certificate (the same that �ve put into the ,jks keystore. I�ve also imported the whole certificate chain of the server to the cacerts.
    I�ll paste the code and the console trace below. I�d be very grateful if you can help me. Thanks a lot.
    _THE CODE_
    package principal;
    import java.io.BufferedReader;
    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.FileReader;
    import java.io.IOException;
    import java.net.URL;
    import java.net.UnknownHostException;
    import java.security.KeyStore;
    import java.security.Security;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.axis.client.Call;
    import org.apache.axis.client.Service;
    import entidade.Certificado;
    public class SSLClient {
    private static final int PORT_NUMBER = 443;
    private static final String HTTPS_ADDRESS = "10.200.140.117";
    private static String strCabecalhoMsg = "";
    private static String strDadosMsg = "";
    public static void main(String[] args) throws Exception {
    System.setProperty("javax.net.ssl.keyStore", Certificado.getStrNomeArquivoJKSServidor());
    System.setProperty("javax.net.ssl.keyStorePassword", "senha");
    System.setProperty("javax.net.ssl.trustStore", "Certificados/cacerts");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    System.setProperty("javax.net.ssl.keyStoreType", "JKS");
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    System.setProperty("javax.net.debug","ssl,handshake,record");
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(new FileInputStream(Certificado.getStrNomeArquivoJKSServidor()),
    Certificado.getArranjoCharSenhaCertificadoServidor());
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, Certificado.getArranjoCharSenhaCertificadoServidor());
    KeyStore ksT = KeyStore.getInstance(KeyStore.getDefaultType());
    ksT.load(new FileInputStream("C:/Arquivos de programas/Java/jre1.5.0_05/lib/security/cacerts"), "changeit".toCharArray());
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ksT);
    SSLContext sc = SSLContext.getInstance("SSLv3");
    sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
    SSLSocketFactory factory = sc.getSocketFactory();
    try{
    // method to load the values of the strings strCabecalhoMsg and strDadosMsg
    carregarXMLCabecalhoDados();
    SSLSocket socket =(SSLSocket)factory.createSocket(HTTPS_ADDRESS, PORT_NUMBER);
    socket.startHandshake();
    String [] arr = socket.getEnabledProtocols();
    URL url = new URL("https://10.200.140.117/dirNotes");
    HttpsURLConnection.setDefaultSSLSocketFactory(factory);
    HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
    urlc.setDoInput(true);
    urlc.setUseCaches(false);
    Object[] params = {strCabecalhoMsg, strDadosMsg};
    Service service = new Service();
    Call call = (Call) service.createCall();
    call.setTargetEndpointAddress(url);
    call.setOperationName("serviceName");
    String ret = (String) call.invoke(params);
    System.out.println("Result: " + ret);
    catch (UnknownHostException uhe) {
    uhe.printStackTrace();
    System.err.println(uhe);
    catch (Exception uhe) {
    uhe.printStackTrace();
    System.err.println(uhe);
    private static void carregarXMLCabecalhoDados()
    try
    BufferedReader input = new BufferedReader( new FileReader("notas/cabecalho.xml"));
    String str;
    while((str=input.readLine()) != null)
    strCabecalhoMsg += str ;
    System.out.println("Cabe�a: " + strCabecalhoMsg);
    input = new BufferedReader( new FileReader("notas/nota.xml"));
    while((str=input.readLine()) != null)
    strDadosMsg += str ;
    System.out.println("Nota: " + strDadosMsg);
    catch (FileNotFoundException e)
    // TODO Auto-generated catch block
    e.printStackTrace();
    catch (IOException e)
    // TODO Auto-generated catch block
    e.printStackTrace();
    _THE TRACE_
    adding as trusted cert:
    Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
    *others trusted certs*
    trigger seeding of SecureRandom
    done seeding SecureRandom
    export control - checking the cipher suites
    export control - no cached value available...
    export control - storing legal entry into cache...
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1198158630 bytes = { 48, 135, 53, 24, 112, 72, 104, 220, 27, 114, 37, 42, 25, 77, 224, 32, 12, 58, 90, 217, 232, 3, 104, 251, 93, 82, 40, 91 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 3953
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1198158523 bytes = { 56, 166, 181, 215, 86, 245, 8, 55, 214, 108, 128, 50, 8, 11, 0, 209, 38, 62, 187, 185, 240, 231, 56, 161, 212, 111, 194, 79 }
    Session ID: {222, 2, 0, 0, 147, 179, 182, 212, 18, 34, 199, 100, 168, 167, 48, 116, 140, 186, 151, 153, 226, 168, 163, 174, 24, 83, 208, 73, 179, 57, 86, 137}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    Version: V3
    *many chains and related data*
    Found trusted certificate:
    Version: V3
    Subject:
    *many trusted certificates and related data*
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    Random Secret: { 3, 1, 117, 112, 233, 166, 240, 9, 226, 67, 53, 111, 194, 84, 124, 103, 197, 28, 17, 36, 32, 48, 145, 166, 161, 61, 30, 63, 153, 214, 137, 113, 222, 204, 138, 77, 212, 75, 65, 192, 159, 215, 69, 156, 47, 188, 179, 219 }
    main, WRITE: TLSv1 Handshake, length = 134
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 75 70 E9 A6 F0 09 E2 43 35 6F C2 54 7C 67 ..up.....C5o.T.g
    0010: C5 1C 11 24 20 30 91 A6 A1 3D 1E 3F 99 D6 89 71 ...$ 0...=.?...q
    0020: DE CC 8A 4D D4 4B 41 C0 9F D7 45 9C 2F BC B3 DB ...M.KA...E./...
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 47 6A 73 26 30 87 35 18 70 48 68 DC 1B 72 25 2A Gjs&0.5.pHh..r%*
    0010: 19 4D E0 20 0C 3A 5A D9 E8 03 68 FB 5D 52 28 5B .M. .:Z...h.]R([
    Server Nonce:
    0000: 47 6A 73 BB 38 A6 B5 D7 56 F5 08 37 D6 6C 80 32 Gjs.8...V..7.l.2
    0010: 08 0B 00 D1 26 3E BB B9 F0 E7 38 A1 D4 6F C2 4F ....&>....8..o.O
    Master Secret:
    0000: 0B 3A 71 F8 BB 79 5E 07 78 C2 5F 13 4F 92 9D 87 .:q..y^.x._.O...
    0010: CF 69 0D 07 78 D2 59 46 1E C3 C1 5B A2 DB 04 B9 .i..x.YF...[....
    0020: 42 60 92 48 59 8E FD FD C3 5B BD 00 9C 54 7A 7E B`.HY....[...Tz.
    Client MAC write Secret:
    0000: 33 7C 19 C4 75 D2 CE 82 39 98 37 E5 7D 20 CB B1 3...u...9.7.. ..
    Server MAC write Secret:
    0000: 1E 1E 48 C7 D4 77 23 E4 22 26 8B 98 2E 92 5C 95 ..H..w#."&....\.
    Client write key:
    0000: EE 05 39 76 B2 85 63 6C F7 70 30 CB 6D 08 07 54 ..9v..cl.p0.m..T
    Server write key:
    0000: 5C 2E 3B 5E DC D9 EC C5 04 C4 D5 B5 12 11 B9 08 \.;^............
    ... no IV for cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 143, 115, 243, 131, 242, 244, 12, 44, 191, 172, 205, 122 }
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Change Cipher Spec, length = 1
    main, READ: TLSv1 Handshake, length = 32
    *** Finished
    verify_data: { 231, 215, 37, 250, 177, 121, 111, 192, 11, 41, 1, 165 }
    %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    setting up default SSLSocketFactory
    use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
    class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
    keyStore is : Certificados/certificadoSondaMonitor.jks
    keyStore type is : JKS
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: Certificados\cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
    Algorithm: RSA; Serial number: 0x1
    Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
    adding as trusted cert:
    * many certificates*
    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom
    instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
    export control - checking the cipher suites
    export control - found legal entry in cache...
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1198158632 bytes = { 93, 1, 41, 236, 165, 146, 251, 117, 129, 195, 129, 72, 245, 181, 43, 48, 80, 251, 244, 198, 223, 85, 82, 101, 20, 159, 17, 26 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: { 0 }
    main, WRITE: TLSv1 Handshake, length = 73
    main, WRITE: SSLv2 client hello message, length = 98
    main, READ: TLSv1 Handshake, length = 3953
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1198158525 bytes = { 109, 114, 234, 1, 130, 97, 251, 9, 61, 105, 56, 246, 239, 222, 97, 143, 22, 254, 65, 213, 10, 204, 153, 67, 237, 133, 223, 48 }
    Session ID: {23, 30, 0, 0, 26, 129, 168, 21, 252, 107, 124, 183, 171, 228, 138, 227, 94, 17, 195, 213, 216, 233, 205, 2, 117, 16, 21, 65, 123, 119, 171, 109}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    %% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
    ** SSL_RSA_WITH_RC4_128_MD5
    *** Certificate chain
    chain [0] = [
    many chains again
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    Random Secret: { 3, 1, 116, 247, 155, 227, 25, 25, 231, 129, 199, 76, 134, 222, 98, 69, 149, 224, 75, 6, 60, 121, 115, 216, 244, 246, 102, 92, 188, 64, 113, 56, 190, 43, 32, 51, 90, 254, 141, 184, 71, 48, 41, 29, 173, 180, 46, 116 }
    main, WRITE: TLSv1 Handshake, length = 134
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 74 F7 9B E3 19 19 E7 81 C7 4C 86 DE 62 45 ..t........L..bE
    0010: 95 E0 4B 06 3C 79 73 D8 F4 F6 66 5C BC 40 71 38 ..K.<ys...f\.@q8
    0020: BE 2B 20 33 5A FE 8D B8 47 30 29 1D AD B4 2E 74 .+ 3Z...G0)....t
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 47 6A 73 28 5D 01 29 EC A5 92 FB 75 81 C3 81 48 Gjs(].)....u...H
    0010: F5 B5 2B 30 50 FB F4 C6 DF 55 52 65 14 9F 11 1A ..+0P....URe....
    Server Nonce:
    0000: 47 6A 73 BD 6D 72 EA 01 82 61 FB 09 3D 69 38 F6 Gjs.mr...a..=i8.
    0010: EF DE 61 8F 16 FE 41 D5 0A CC 99 43 ED 85 DF 30 ..a...A....C...0
    Master Secret:
    0000: FC C9 75 A4 2B F1 8A D8 AD 16 27 70 B7 E4 64 6C ..u.+.....'p..dl
    0010: 05 D7 33 4A 53 91 2F 51 1E 32 D3 3B 2E 18 2E BC ..3JS./Q.2.;....
    0020: E4 16 EE 2F 01 A1 08 48 19 09 32 68 CE 69 8F B1 .../...H..2h.i..
    Client MAC write Secret:
    0000: F1 95 3B CE 06 5B 8A 9B EC DE 1C 8F B4 AB D9 36 ..;..[.........6
    Server MAC write Secret:
    0000: BF 52 36 48 63 24 FE 74 22 BE 00 99 BE F0 6E E5 .R6Hc$.t".....n.
    Client write key:
    0000: 9F 08 0A 6E 8F 54 A3 66 1C BC C7 6B AE 88 67 E0 ...n.T.f...k..g.
    Server write key:
    0000: 06 A1 0B 4F 69 DE 5F AF 0E 6B B5 04 ED E8 EA F5 ...Oi._..k......
    ... no IV for cipher
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 148, 93, 105, 42, 110, 212, 55, 2, 150, 191, 13, 111 }
    main, WRITE: TLSv1 Handshake, length = 32
    main, READ: TLSv1 Change Cipher Spec, length = 1
    main, READ: TLSv1 Handshake, length = 32
    *** Finished
    verify_data: { 171, 150, 45, 10, 99, 35, 67, 174, 35, 52, 23, 192 }
    %% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
    main, setSoTimeout(600000) called
    main, WRITE: TLSv1 Application Data, length = 282
    main, WRITE: TLSv1 Application Data, length = 8208
    main, WRITE: TLSv1 Application Data, length = 1102
    main, READ: TLSv1 Application Data, length = 1830
    main, received EOFException: ignored
    main, called closeInternal(false)
    main, SEND TLSv1 ALERT: warning, description = close_notify
    main, WRITE: TLSv1 Alert, length = 18
    main, called close()
    main, called closeInternal(true)
    AxisFault
    faultCode: {http://xml.apache.org/axis/}HTTP
    faultSubcode:
    faultString: (404)Not Found
    faultActor:
    faultNode:
    faultDetail:
         {}:return code: 404
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <HTML><HEAD><TITLE>The page cannot be found</TITLE>
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
    <STYLE type="text/css">
    BODY { font: 8pt/12pt verdana }
    H1 { font: 13pt/15pt verdana }
    H2 { font: 8pt/12pt verdana }
    A:link { color: red }
    A:visited { color: maroon }
    </STYLE>
    </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
    <h1>The page cannot be found</h1>
    The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
    <hr>
    <p>Please try the following:</p>
    <ul>
    <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
    <li>If you reached this page by clicking a link, contact
    the Web site administrator to alert them that the link is incorrectly formatted.
    </li>
    <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
    </ul>
    <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
    <hr>
    <p>Technical Information (for support personnel)</p>
    <ul>
    <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
    <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
    and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
    </ul>
    </TD></TR></TABLE></BODY></HTML>
         {http://xml.apache.org/axis/}HttpErrorCode:404
    (404)Not Found
         at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
         at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
         at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
         at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
         at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
         at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
         at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
         at org.apache.axis.client.Call.invoke(Call.java:2767)
         at org.apache.axis.client.Call.invoke(Call.java:2443)
         at org.apache.axis.client.Call.invoke(Call.java:2366)
         at org.apache.axis.client.Call.invoke(Call.java:1812)
         at principal.SSLClient.main(SSLClient.java:86)
    (404)Not Found
    -----

    I'm having the same problem with the same URL. I try many configuration and nothing works. My code is:
    public class NFeClient {
         static{
              Security.addProvider(new BouncyCastleProvider());
         public static void main(final String[] args) throws Exception {
              final String path = "https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx";
              final String keyStoreProvider = "BC";
              final String keyStoreType = "PKCS12";
              final String keyStore = "/home/mendes/certificados/cert.p12";
              final String keyStorePassword = "xxxx";
              System.setProperty("javax.net.ssl.keyStoreProvider",keyStoreProvider);
              System.setProperty("javax.net.ssl.keyStoreType",keyStoreType);
              System.setProperty("javax.net.ssl.keyStore",keyStore);
              System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
              System.setProperty("javax.net.ssl.trustStore","/home/mendes/workspace/NFE/jssecacerts");
              final SSLContext context =  SSLContext.getInstance("TLS");
              final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
              final KeyStore ks = KeyStore.getInstance(keyStoreType);
              ks.load(new FileInputStream(keyStore), keyStorePassword.toCharArray());
              kmf.init(ks, keyStorePassword.toCharArray());
              context.init(kmf.getKeyManagers(), null, null);
              final URL url = new URL(path);
              final HttpsURLConnection httpsConnection = (HttpsURLConnection) url.openConnection();
              httpsConnection.setDoInput(true);
              httpsConnection.setRequestMethod("GET");
              httpsConnection.setRequestProperty("Host", "iis-server");
              httpsConnection.setRequestProperty("UserAgent", "Mozilla/4.0");
              httpsConnection.setSSLSocketFactory(context.getSocketFactory());
              try{
                   final InputStream is = httpsConnection.getInputStream();
                   final byte[] buff = new byte[1024];
                   int readed;
                   while((readed = is.read(buff)) > 0)
                        System.out.write(buff,0,readed);
              }catch(final IOException ioe){
                   ioe.printStackTrace();
    }and the response of the server is always the same:
    java.io.IOException: Server returned HTTP response code: 403 for URL: https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx
         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
         at br.com.esales.nfe.signer.client.NFeClient.main(NFeClient.java:60)Edited by: mendes on Apr 25, 2008 9:56 AM

  • Untrusted server cert chain & does not recognize the certificate authority

    I have java code that makes an ssl connection to an HTTPS server.
    The code workes fine when I connect to a server that has a
    certificate that was issued by a recognizable authority.
    But when I try to connect to our test HTTPS server which has a
    certificate that was created by ourselves for debug, I get this
    java exception: "untrusted server cert chain".
    When I connect to our test HTTPS server with a browser, I get
    this message from the browser in a popup window:
    "www.xyz.com is a web site that uses a security certifcate to
    identify itself. However netscape 6 does not recognize the
    certificate authority that issued this certificate."
    At this point I am able to accept the certificate in the popup
    window and continue.
    Question: In my java code how can I accept a certificate
    that was signed by an unrecognizable authority just like the
    browser can. Or during debug, how can I set an override
    to accept ALL certs no matter what.
    Thanks.....Paul

    You will have to import your server test certificate into your client machine keystore. By default the keystore will be the 'cacerts' file in JAVA_HOME/jre/lib/security, get your server certificate in .pem format and use keytool to import it to the client.
    keytool -import -alias <anything> -file <full path of .pem file> -keystore <full path of cacerts file>
    The keystore password is 'changeit' by default, keytool comes with the JDK.
    The reasoning behind this is to prevent the misuse of test certificates, the client has to consciously import an untrusted certificate. When you install a real certificate on your server the client will be automatically validated if bought from a trusted CA (Thawte, Verisign).
    Take a look at the java.security.KeyStore class, you can use it to view your certificate chain.
    Ronny.

  • How to filter certificate templates in Certificate Authority snap-in with the correct values

    How to filter certificate templates in Certificate Authority snap-in with the correct values
    I have a 2012 R2 server running Microsoft Certificate Authority snap-in.
    I want to do a filter on a specific Certificate Template which i know exists in the 'Issued Certificates' folder.
    All the documentation i can find seems to suggest i copy the certificate name and use this in the View Filter.
    1). I add the 'Certificate Template' option into the Field drop-down.
    2). I leave the Operation as the '=' symbol
    3). I paste in just the name of the template in question. for example: 'my computers'
    The search results always come back blank 'There are no items to show in this view.' even when i know there are many instances of this template. I've tried on a win 2008 server and same issue.
    Is there a correct value to enter for the Certificate Template name?
    Can this be done easier using certutil commands?
    When i run the certutil tool i can confirm i have several issued templates. Certutil -catemplates -v > c:\mytemplate_log.csv
    Anybody know what i'm doing wrong?
    I seem to be getting nowhere with this one.

    > But its important you are using the template name, not the display name
    this is incorrect. OIDs are mapped to *display name*, not common name (it is true for all templates except Machine template). That is, in order to translate template name to a corresponding OID, you need to use certificate template's display name. And, IIRC,
    template name in the filter can be used only for V1 templates. For V2 and higher, OID must be used.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • ISE Certificate Authority Certificate

    I'm confussed about the certificates:
    Some weeks ago a certificate was installed in the ISE to avoid the browser certificate error when the customer access the sponsor portal ...
    Now, the customer is requesting to authenticate the sponsor users through LDAPS ... I understand Active Directory or LDAP as External Identity Sources are not secure. So, in order to enable LDAPS we must check the Secure Atuthentication box in the LDAP configuration, but a ROOT CA must be chooseen also.
    I understand the ISE should validate the customer PKI in order to validate the user certificate ... Am I right?
    Do I need request the customer to provide me the "Certificate Authority Certificate" from its PKI ??
    Is it a file completely different to the certificate already loaded in the ISE ??
    With this certificate, would the ISE validate the user's computer certificate additional to user and password ??
    Would the user must use a computer with certificate in order to access the sponsor portal ??
    Thanks in advance.
    Regards
    Daniel Escalante.

    Please follow the "secure authentication tab" in the below table( highlighted)
    go to >LDAP Connection Settings
    Table lists the fields in the LDAP connection tab and their descriptions.
    Table :     LDAP Connection Tab 
    Option Description
    Enable Secondary Server
    Check this option to enable the secondary LDAP server to be used as a  backup in the event that the primary LDAP server fails. If you check  this check box, you must enter configuration parameters for the  secondary LDAP server.
    Primary and Secondary Servers
    Hostname/IP
    (Required) Enter the IP address or DNS name of the machine that is  running the LDAP software. The hostname can contain from 1 to 256  characters or a valid IP address expressed as a string. The only valid  characters for hostnames are alphanumeric characters (a to z, A to Z, 0  to 9), the dot (.), and the hyphen (-).
    Port
    (Required) Enter the TCP/IP port number on which the LDAP server is  listening. Valid values are from 1 to 65,535. The default is 389, as  stated in the LDAP specification. If you do not know the port number,  you can find this information from the LDAP server administrator.
    Access
    (Required) Anonymous Access—Click to ensure that searches on the LDAP  directory occur anonymously. The server does not distinguish who the  client is and will allow the client read access to any data that is  configured as accessible to any unauthenticated client. In the absence  of a specific policy permitting authentication information to be sent to  a server, a client should use an anonymous connection.
    Authenticated Access—Click to ensure that searches on the LDAP directory  occur with administrative credentials. If so, enter information for the  Admin DN and Password fields.
    Admin DN
    Enter the DN of the administrator. The Admin DN is the LDAP account that  permits searching of all required users under the User Directory  Subtree and permits searching groups. If the administrator specified  does not have permission to see the group name attribute in searches,  group mapping fails for users who are authenticated by that LDAP.
    Password
    Enter the LDAP administrator account password.
    Secure Authentication
    Click to use SSL to encrypt communication between Cisco ISE and the  primary LDAP server. Verify that the Port field contains the port number  used for SSL on the LDAP server. If you enable this option, you must  choose a root CA.
    Root CA
    Choose a trusted root certificate authority from the drop-down list box  to enable secure authentication with a certificate.
    See the "Certificate Authority  Certificates" section on page 12-17 and "Adding a Certificate  Authority Certificate" section on page 12-19 for information  on CA certificates.
    Server Timeout
    Enter the number of seconds that Cisco ISE waits for a response from the  primary LDAP server before determining that the connection or  authentication with that server has failed. Valid values are 1 to 300.  The default is 10.
    Max. Admin Connections
    Enter the maximum number of concurrent connections (greater than 0) with  LDAP administrator account permissions that can run for a specific LDAP  configuration. These connections are used to search the directory for  users and groups under the User Directory Subtree and the Group  Directory Subtree. Valid values are 1 to 99. The default is 20.
    Test Bind to Server
    Click to test and ensure that the LDAP server details and credentials  can successfully bind. If the test fails, edit your LDAP server details  and retest.

  • How to import a Root Certificate Authority for signing

    How can I import a Root Certificate Authority in order to use it with Certificate Assistant as a CA to sign other certs?
    I have the CA cert imported in keychain along with it's associated private key (from a .p12), it's got the gold icon and is recognized as a Root certificate authority, yet Certificate Assistant will not list it as an available Root CA in the "Set Default CA" action dialog, the "Add..." dialog seems only interested in a ".certAuthorityConfig" plist file.
    Do I have to generate a certAuthorityConfig for the CA? I can't seem to find a way to do that. No clues from certtool & security CLI utils even.
    Any info/leads on how to get this to work would be much appreciated.
    Regards,
    -david

    Hi Alex,
    From ACE perspective, it doesn't make differences if you are using certificates issued by your local or a "well known" CA. Moreover, if not mistaken, you have to configure authentication group whatever you are doing client or server authentication.
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
    Thanks,
    Olivier

  • How to find/replace existing certificates before decommissioning certificate authority?

    We plan to decommission a multi-use server that also contains our internal certificate authority and replace it with new dedicated CA servers in a more secure design (offline root CA etc.).
    Before we decommission our existing CA servers, how do we find a list of all the issued certificates that are still valid?
    We would need replace all those old certificates with new certificates from our new CA so the applications that use them don't break when the old certificates are removed/revoked and before we remove the GPO setting that makes our current CA a trusted root
    CA for our domain computers. 

    on CA server you can filter issued certificates by "Certificate Expiration Date" column. In the Certification Authority MMC snap-in, select Issued Certificates folder, then click View -> Filter. Add a filter that would filter certificates
    where "Certificate Expiration Date" is greater than current date.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • I am replacing a Domain Controller (Windows 2003 Server) with a 2012 box. Can I have the Certificate authority exist in both locations during the process?

    Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully? Will it impact the users in any way or cause problems?

    > Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully?
    no. You have to uninstall CA role before you uninstall Domain Controller role from existing server.
    this is why it is not recommended to keep CA role on domain controllers.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell File Checksum Integrity Verifier tool.

  • SocketException: SSL implementation not available

    Anyone every see this error? I have the three JSSE1.0.2 jar files in my classpath. Anyone know what I'm missing to get this error? I also get the same error running the Sample SSLSocketClient that comes with JSSE1.0.2

    even i am trying to invoke a servlet through java Client
    using an "https" protcol.i am using jsse 1.0.2 .i got all the three jar files installed in my classpath and my code all contains
    java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
         System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
         System.setProperty("javax.net.ssl.trustStore","d:\\certificate");
    where d:\\certificate is the path where i have my client side certificate
    but i am getting the Error
    keyStore is :
    keyStore type is : jks
    init keystore
    init keymanager of type SunX509
    trustStore is: d:\certificate
    trustStore type is : jks
    default context init failed: java.security.PrivilegedActionException <<java.io.FileNotFoundExcepti
    on: d:\certificate (Access is denied)>>
    java.net.SocketException: SSL implementation not available
    at javax.net.ssl.DefaultSSLSocketFactory.createSocket([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect([DashoPro-V1.2-120198
    at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer([DashoPro-V1.2-120
    198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a([DashoPro-V1.2-120198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect([DashoPro-V1.2-1
    20198])
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getOutputStream([DashoPr
    o-V1.2-120198])
    at JavaClient.main(JavaClient.java:57)
    can anybody help me out.
    I thank you guys for your help in advanced,
    Taimina

Maybe you are looking for

  • Dynamic date parameters for a scheduled report that runs every day

    I have a report that has input parameters for a start date and end date. The report will be scheduled to run once a day at a scheduled time. I need the report to automatically set the start date and end dates when the report runs at the scheduled tim

  • BPC 10.0 MS Version - Error when performing consolidation - Error FX-300 nothing extract from Fact - CLCFXTrans

    Dear All, In BPC 10.0 Microsoft Version, I am performing consolidation. Running consolidation pckg was successful initially. Suddenly, it fails - giving the following error message: Error FX-300 nothing extract from Fact - CLCFXTrans I believe the ab

  • XML Node Extraction Help

    Hi, Guys: I have a snippet of code here as attached. The problem is that it appears that even though my nameHolder variable returns me with the right values, I still get all the nodes instead of one that has @name parameter set up. Could anyone pleas

  • Serial# and SID

    hi!!! I am a DBA funa-1 9i WDP student.I need some help: (If i am not wrong)v$session is dynamic view which store some information about oracle.but my question is why serial# and SID is required to kill the session??why not just only SID to kill the

  • wsse:SecurityTokenReference vs. SecurityTokenReference xmlns="..."

    and <ds:KeyInfo xmlns:ds="http://..."> vs. <KeyInfo xmlns:"http://..."> Hi there. In working with the securesimple/Ping program I am noticing something and I'm not certain if this is just an exigency/peculiarity of that program or whether it is a str