Ssl issues with sgd 4.4

Similar Messages

• Install issue with sgd 4.40 on Linux

  Folks,
  When I try to install the sgd 4.40 rpm ,I get the below error message
  Preparing... ########################################### [100%]
  IMPORTANT: ttaserv/ttasys users not correctly defined. Setup will now exit.
  You must define users before you can install Secure Global Desktop.
  - The user names must be \"ttaserv\" and \"ttasys\".
  - Both must have their primary group set to \"ttaserv\".
  - You can use any UIDs and GID you want.
  - The ttaserv/ttasys users must have a valid shell, for example /bin/sh.
  - We recommend that you lock the ttaserv/ttasys user accounts (passwd -l).
  One way to create users and groups is with the useradd and groupadd
  commands, but your organization may use other methods. Please contact
  your network administrator if you're unsure of your organization's
  policies or need help creating users and groups.
  Setup runs the following commands as root to check that the user and group
  are correctly configured:
  su ttaserv -c \"/usr/bin/id -a\"
  su ttasys -c \"/usr/bin/id -a\"
  On your system this currently returns:
  You are required to change your password immediately (password aged)
  (current) UNIX password:
  Changing password for ttaserv
  su: incorrect password
  You are required to change your password immediately (password aged)
  (current) UNIX password:
  Changing password for ttasys
  su: incorrect password
  Setup checks for output like this:
  uid=nnn(ttaserv) gid=nnn(ttaserv) groups=nnn(ttaserv)
  uid=nnn(ttasys) gid=nnn(ttaserv) groups=nnn(ttaserv)
  Please note also that both these users must have a valid shell, and must
  have writeable home directories.
  Once the user and group have been created, run Setup again to install
  the software.error: %pre(tta-4.40-917) scriptlet failed, exit status 1
  error: install: %pre scriptlet failed (2), skipping tta-4.40-917
  Kindly advise

  I login with my personal id and su root to the box.
  The Linux version I am using is : Red Hat Enterprise Linux AS release 3
  What do u make of these lines in the message
  On your system this currently returns:
  You are required to change your password immediately (password aged)
  +(current) UNIX password:+
  Changing password for ttaserv
  su: incorrect password
  You are required to change your password immediately (password aged)
  +(current) UNIX password:+
  Changing password for ttasys
  su: incorrect password
  Any ideas how to proceed ?
  Thanks

• Safari SSl Issue with Online Grading Site

  I manage a department that offers grading of exams online. Users supply their answers and have the server grade the submissions.
  We randomly have an issue where Safari users will have their exams graded incorrectly. Basically failing the student even though they have supplied the correct answers.
  When we have them resubmit the same answers in IE for Mac the server correctly grades the exam.
  This issue is not consistent. Some exams grade correctly in Safari and some do not.
  Any advice would be appreciated.

  Hmmmm....
  via MacWorld:
  Nothing in Apple’s ridiculously minimal release notes suggested that this feature existed. But this time, the company’s intransigence in telling you what it has changed in the software you use may have further consequences. How Safari could “know” about these phishing and malware sites raises all kinds of interesting questions. Now we can tell you with reasonable confidence how it all works—but because Apple has not done the same thing, we cannot say with certainty that it is completely private, or that Safari is not sending information about the pages you visit to a third party.

• Flex + BlazeDS SSL issue with IE7

  Hi there,
  Am facing an unique issue when accessing my application using https (SSL) protocol. Actually my app is configured for "secure amf" and when it fails then it hits the "amf" of blazeds.
  All is fine, when i try to open an IE window and hit the url for the first time. The client side is able to hit the server side thru secure amf and its receiving the response back from the server. But when i open another new IE7 tab/window then am getting a NetConnection issue....
  i.e, NetConnection.Failed:HTTP error is popping up eventhough it tries to access the https url..
  Let me know if any of you guys have a work around for this.
  This works fine for FF & Chrome.
  Thanks.

  So it's definitely due to a change in Firefox, but I was able
  to find a workaround. We put headers in our flex pages so we can
  incorporate our global navigation at the top of the page.
  You're not going to believe the workaround. Here's what the
  code looked like before I fixed it:
  <cfinclude
  template="/cfdocs/proddev/common/cf/flex_header.cfm">
  <script src="AC_OETags.js"
  language="javascript"></script>
  Now, here's the fix:
  <script src="AC_OETags.js"
  language="javascript"></script>
  <cfinclude template="common/flex_header.cfm">
  So, I either had to put the script tag in the <head>
  tag, or put it before my html declarations.
  My guess is that Firefox over SSL doesn't allow <script
  src=''> tags in the body of an html document anymore.

• AD Password Filter - SSL Issues with MSFT CA ?

  - We have completed implementing one way EXPORT profile sync between OID to AD
  - SSL configs are complete as per documentation and password synchronizing from OID to AD
  successfully
  - We now want to implement a new import profile to synchronize ONLY password from AD to OID
  - Following documentation at
  http://download.oracle.com/docs/cd/B28196_01/idmanage.1014/b15995/odip_adpasswordsync.htm#CHDBIIJC
  - One of the first steps is to check if SSL is enabled at OID...when we do that using the tool(ldapbindssl.exe) we downloaded ...below
  is the error we get...
  +++++++++++++++++++++++++++++++++
  C:\>ldapbindssl.exe -h oid-host -p 636 -D cn=orcladmin -w xxxx
  Connecting server in SSL Mode
  Checking if SSL is enabled
  SSL not enabled.
  SSL being enabled...
  Binding ...
  Ldap bindERROR
  System Error Code: 1396
  LDAP Error Code: 52
  Error Message: Server Unavailable
  C:\>
  +++++++++++++++++++++++++++++++++
  - We know for sure that SSL is configured on OID . The SSL is configured as "Server Authentication
  Only" for Configset1 which is running on port 636
  when we do ldapbind from the oidhost for this port it works...
  ldapbind -U 2 -h oid-host -p 636 -W file://oracle/wallet -P xxxxx
  bind successful
  - For SSL configs we have used Micorsoft CA, hence the root certificate (CA) is also present on AD server and
  there is no need to import Oracle CA as per the documentation.
  Question:
  1) What is th specific SSL set-up that we need to do on OID server such that AD is
  able to detect SSL configuration ??? what is it that we are missing ?

  You do have to import the certificate (the OID Server certificate, that is), or the SSL setup will reject the connection as "not from the intended host".
  Apart from that - there's a bug, requiring the OID server certificate SUBJECT attribute matches the OID server hostname. (Note 430907.1/bug 5846519 ). I seem to hit that one :(

• SSL Issue with Dovecot Mac OS X Server 10.6.8

  I run IMAP mail on SL Server using SSL. It's been running beautifully for a year or so till my (self signed) certificate expired. I created a new cert and configured SMTP & IMAP to use the new cert. SMTP is fine but IMAP refuses to use the cert. The message i get in the log is :mail dovecot [32551] can't use etc/ssl/certs/dovecot.pem no such file or directory. Invalid configuration, keeping old one. SSL simply doesn't start.
  I've been right through the dovecot.conf file and checked and nowhere in the file is that location referred to. All the times SSL is mentioned in the conf file the correct location is referred to. I've looked and the certs are where they are supposed to be.
  So what other configuration file can dovecot possibly be referring to when it attempts to load the new configuration after I've made changes using server admin?
  I've even loaded a default conf file and started fresh and the same thing happens.
  Appreciate any ideas
  Mac OS X Server 10.6.8
  Rob

  Never Mind, I figured it out.

• SSL issue with BPEL

  Hello,
  I am trying to setup SSL in BPEL but need some help. This is what I have done so far.
  Added signed cerificate in wallet C:\product\wallets
  httpd.conf -
  Listen 7777
  Port 7777
  ssl.conf -
  Listen 4444
  <VirtualHost default:4444>
  Port 4444
  SSLWallet file:C:\product\wallets
  Verified in opmn.xml
  <ias-component id="HTTP_Server">
  <data id="start-mode" value="ssl-enabled"/>
  When I access https://localhost:4444 I receive Server Connect Failed
  When I access http://localhost:4444 I get the Welcome to Oracle SOA Suite (10.1.3.4) page
  What am I doing wrong or missing that 4444 is accessible via http and not https.
  Thanks in advance,
  Jim

  Hi Jim,
  Have you referred : http://download.oracle.com/docs/cd/B31017_01/integrate.1013/b28982/security.htm#sthref102 and
  10 Enabling SSL for Oracle HTTP Server in Oracle® BPEL Process Manager Administrator's Guide
  10g (10.1.3.1.0)
  Part Number B28982-03
  Regards
  A

• SSL Issue with reverse proxy module

  Hi there,
  I'm hoping someone can help me. I am using Sun ONE Web Server 6.1SP7 Reverse Proxy Plugin to connect to a backend server over SSL.
  However the backend server is reporting errors on the SSL handshake: SSL_ERROR_NO_CYPHER_OVERLAP
  I have installed ssldump and can see the following set of cipher suites are offered by the client (in this case, the reverse proxy module:
  New TCP connection #6: dptettsw02(62951) <-> dptdevss01(31006)
  6 1 0.0105 (0.0105) C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  SSL2_CK_RC4
  SSL2_CK_RC2
  SSL2_CK_3DES
  SSL2_CK_DES
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
  TLS_RSA_WITH_RC4_128_MD5
  Unknown value 0xfeff
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  Unknown value 0xfefe
  TLS_RSA_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  How do I configure the reverse proxy module to use a different cipher suite?
  Any help would be greatly appreciated and please let me know if anything is unclear
  Thanks!
  Kev

  Hi there.
  The server.xml file is below:
  <?xml version="1.0" encoding="UTF-8"?>
  <!--
  Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.
  Use is subject to license terms.
  -->
  <!DOCTYPE SERVER PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Web Server 6.1//EN" "file:///opt/SUNWwbsvr/servers/bin/https/dtds/sun-web-server_6_1.dtd">
  <SERVER qosactive="no" qosmetricsinterval="30" qosrecomputeinterval="100">
  <PROPERTY name="docroot" value="/opt/iplanet/servers/docs"/>
  <PROPERTY name="user" value=""/>
  <PROPERTY name="group" value=""/>
  <PROPERTY name="chroot" value=""/>
  <PROPERTY name="nice" value=""/>
  <PROPERTY name="dir" value=""/>
  <PROPERTY name="accesslog" value="/opt/SUNWwbsvr/servers/https-ETT03WEB02/logs/accessSSL"/>
  <LS id="group1" ip="0.0.0.0" port="2080" acceptorthreads="1" blocking="no" security="off" defaultvs="https-ETT03WEB02" servername="dptettsw02"/>
  <LS id="ls2_default" ip="0.0.0.0" port="20443" acceptorthreads="1" blocking="no" security="on" defaultvs="https-ETT03WEB02" servername="ptpcam-ptpett-drs.dwpptp.londondc.com">
  <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="&#43;rc4,&#43;rc4export,&#43;rc2,&#43;rc2export,&#43;desede3,&#43;des" ssl3="on" ssl3tlsciphers="-rsa_rc4_128_sha,-rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,-rsa_3des_sha,-rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,&#43;rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,&#43;fortezza_null,-fips_3des_sha,-fips_des_sha" tls="on" tlsrollback="off" clientauth="off"/>
  </LS>
  <MIME id="mime1" file="mime.types"/>
  <ACLFILE id="acl1" file="/opt/SUNWwbsvr/servers/httpacl/generated.https-ETT03WEB02.acl"/>
  <VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
  <PROPERTY name="docroot" value="/opt/iplanet/servers/docs"/>
  <PROPERTY name="user" value=""/>
  <PROPERTY name="group" value=""/>
  <PROPERTY name="chroot" value=""/>
  <PROPERTY name="nice" value=""/>
  <PROPERTY name="dir" value=""/>
  <VS id="https-ETT03WEB02" connections="group1" urlhosts="dptettsw02" mime="mime1" aclids="acl1" state="on">
  <USERDB id="default" database="default"/>
  </VS>
  <VS id="ETT03WEB02_SSL" connections="ls2_default" urlhosts="ptpcam-ptpett-web.dwpptp.londondc.com" mime="mime1" aclids="acl1" state="on">
  <USERDB id="default" database="default"/>
  </VS>
  </VSCLASS>
  <JAVA javahome="/opt/SUNWwbsvr/servers/bin/https/jdk" serverclasspath="/opt/SUNWwbsvr/servers/bin/https/jar/webserv-rt.jar:${java.home}/lib/tools.jar:/opt/SUNWwbsvr/servers/bin/https/jar/webserv-ext.jar:/opt/SUNWwbsvr/servers/bin/https/jar/webserv-jstl.jar:/opt/SUNWwbsvr/servers/bin/https/jar/ktsearch.jar" classpathsuffix="" envclasspathignored="true" debug="false" debugoptions="" dynamicreloadinterval="2">
  <JVMOPTIONS>-Dorg.xml.sax.parser=org.xml.sax.helpers.XMLReaderAdapter</JVMOPTIONS>
  <JVMOPTIONS>-Dorg.xml.sax.driver=org.apache.crimson.parser.XMLReaderImpl</JVMOPTIONS>
  <JVMOPTIONS>-Djava.security.policy=/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/server.policy</JVMOPTIONS>
  <JVMOPTIONS>-Djava.security.auth.login.config=/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/login.conf</JVMOPTIONS>
  <JVMOPTIONS>-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager</JVMOPTIONS>
  <JVMOPTIONS>-Xmx256m</JVMOPTIONS>
  <JVMOPTIONS>-Xrs</JVMOPTIONS>
  <SECURITY defaultrealm="file" anonymousrole="ANYONE" audit="false">
  <AUTHREALM name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
  <PROPERTY name="file" value="/opt/SUNWwbsvr/servers/https-ETT03WEB02/config/keyfile"/>
  <PROPERTY name="jaas-context" value="fileRealm"/>
  </AUTHREALM>
  <AUTHREALM name="ldap" classname="com.iplanet.ias.security.auth.realm.ldap.LDAPRealm">
  <PROPERTY name="directory" value="ldap://localhost:389"/>
  <PROPERTY name="base-dn" value="o=isp"/>
  <PROPERTY name="jaas-context" value="ldapRealm"/>
  </AUTHREALM>
  <AUTHREALM name="certificate" classname="com.iplanet.ias.security.auth.realm.certificate.CertificateRealm"/>
  </SECURITY>
  <RESOURCES/>
  </JAVA>
  <LOG file="/opt/SUNWwbsvr/servers/https-ETT03WEB02/logs/errors" loglevel="finest" logtoconsole="true" usesyslog="false" createconsole="false" logstderr="true" logstdout="true" logvsid="false"/>
  </SERVER>

• SSL VPN (WebVPN) issues with IOS 15.0(1)M1

  Hello everyone... I need your help!
  I am having some weird issues with webvpn/anyconnect, please find the relevant information below;
  Symptoms:
  - AnyConnect Client prompts users with the following error:
  "The secure gateway has rejected the agent's VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists."
  Debug:
  Mar  5 13:09:45:
  Mar  5 13:09:45: WV-TUNL: Tunnel CSTP Version recv  use 1
  Mar  5 13:09:45: WV-TUNL: Allocating tunl_info
  Mar  5 13:09:45: WV-TUNL: Allocating stc_config
  Mar  5 13:09:45: Inserting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 to routing table
  Mar  5 13:09:45: WV-TUNL: Use frame IP addr (172.25.130.126) netmask (255.255.255.255)
  Mar  5 13:09:45: WV-TUNL: Tunnel entry create failed:IP= 172.25.130.126 vrf=77 session=0x67234340
  Mar  5 13:09:45: HTTP/1.1 401 Unauthorized
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45:
  Mar  5 13:09:45: Deleting static route: 172.25.130.126 255.255.255.255 SSLVPN-VIF36 from routing table
  Mar  5 13:09:45: WV-TUNL: Failed to install (addr 172.25.130.126, table_id 77) to TCP
  Mar  5 13:09:45: WV-TUNL*: Received server IP packet 0x6692EB08:
  Mar  5 13:09:45: WV-TUNL: CSTP Message frame received from user usr-test (172.25.130.126)
  WV-TUNL:      Severity ERROR Type USER_LOGOUT
  WV-TUNL:      Text: HTTP response contained an HTTP error code.
  Mar  5 13:09:45: WV-TUNL: Call user logout function
  Mar  5 13:09:45: WV-TUNL: Clean-up tunnel session (usr-test)
  When the error occurs, the "SVCIP install TCP failed" counter increments:
  VPN-Router1#  show webvpn stats detail context CUSTOMER-VPN
  [snip]
  Tunnel Statistics:
      Active connections       : 1       
      Peak connections         : 3          Peak time                : 19:09:04
      Connect succeed          : 9          Connect failed           : 5       
      Reconnect succeed        : 0          Reconnect failed         : 0       
      SVCIP install IOS succeed: 14         SVCIP install IOS failed : 0       
      SVCIP clear IOS succeed  : 18         SVCIP clear IOS failed   : 0       
      SVCIP install TCP succeed: 9          SVCIP install TCP failed : 5       
      DPD timeout              : 0        
  [snip]
  IOS Version Details:
  Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
  System image file is "disk2:c7200-advipservicesk9-mz.150-1.M1.bin"
  The router also runs IPSEC remote access VPN in addition to the webvpn/anyconnect scheme.
  Config:
  webvpn context CUSTOMER-VPN
  title "SSL VPN for Customer"
  ssl authenticate verify all
  login-message "Enter username and passcode"
  policy group CUSTOMER-VPN
     functions svc-required
     svc keep-client-installed
     svc split include 10.1.16.0 255.255.240.0
     svc split include 10.1.2.0 255.255.254.0
  vrf-name CUSTOMER-VPN
  default-group-policy CUSTOMER-VPN
  aaa authentication list AAA-LIST
  aaa authentication auto
  aaa accounting list AAA-LIST
  gateway vpn virtual-host customer.xx.com
  logging enable
  inservice
  The error happens sporadically, at least once a week, and on different contexts. Does anyone have any clue on what can cause this issue? Any help is appreciated!

  Have you seen my post https://supportforums.cisco.com/message/2016069#2016069 ?
  At that point in time we were running with local pool definition.
  As the http 401 rc happens very sporadically we still gathering incident reports internally.
  Will open a case if you did not yet.
  cheers, Andy

• Issue with SSL in web service.

  Hi All,
  We are having synchronous web service to proxy scenario in XI. We are trying to send a binary data using the SOAP web service to SAP via XI. Initially, we were posting large binary data using HTTP connection via XI from the SOAP client. The scenario was working without any issues.
  Since the data is sensitive changed the web service from HTTP to HTTPS.The interface works without issues when we test it using the SOAP client for testing. When the data is sent using the Dot Net application (the end application) using the same webservice, URL (HTTPS connection) the message errors out. The connection is borken and the message fails. In this scenario, XI does not even receive the message which I can make out looking into the SOAP adapter communication channel.
  The interesting fact here is the same  Dot Net application is able to connect and send smaller binary data using HTTPS connection.
  Could you please let us know if this could be the issue with HTTPS connection on XI side? I doubt it to be an issue on XI side because the adapter does not even receive any message when the scenario fails. But we used some HTTPS monitoring tools and found that the Dot Net Application receives some encrypted response from the server which the application is not able to decrypt and the handshake breaks.
  Could you please throw some inputs into this issue.
  Thanks,
  Manohar.

  Hi Manohar
  You have posted the same question with two different subject text
  anyway follow these SAP notes your problem will be short out
  Note 856597 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 SOAP Adapter
  https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856597&_NLANG=E
  Note 856599 - FAQ: XI 3.0 / PI 7.0 / PI 7.1 Mail Adapter
  https://websmp102.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=856599&_NLANG=E
  Note 870845 - XI 3.0 SOAP adapter SSL client certificate problem
  https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=916664&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
  https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=870845&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
  check the OSS Note 554174 & see if it helps
  Note 645357 - SAPHTTP: SSL error
  https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=645357&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
  https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1150980&nlang=EN&smpsrv=https%3a%2f%2fwebsmp102%2esap-ag%2ede
  one alternative may be Restart ICM (Internet Communication Manager) .This will solve your HTTP issue
  Cheers!!!!
  Regards
  sandeep
  if helpful kindly reward points

• Newly Occuring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickyness

  We recently started suffering an issue with our CSS11501S-K9 units not performing URL stickiness on our SSL wrapped L5 rules.  I've spent dozens of manhours working on the problem, and have quite a bit of information to report, including a solution.  There is a high probability that anybody who uses SSL to an L5 rule on a CSS unit will become affected by this problem over the next few weeks/months as users update their browsers with new SSL patches.  
  We hadn't made any changes to our config in months, and eliminated hardware problems by testing a second unit. 
  Here are the exact symptoms we saw:
    Browsers affected: Firefox 10, Chrome, IE9, others (and some earlier versions of IE depending on patch levels)
    Browsers not affected: FireFox 3.5, w3m 0.5.2, curl7.19.7
    Impact 1: For SSL Rules backed by L5 rules, the initial response to the first request would be 3 seconds.  Further requests on the same TCP connection would not be delayed
    Impact 2: L5 rules being accessed via SSL would nolonger perform any URL based stickiness.  Accessing the same rule skipping SSL, would work fine
  I focused on the 3 second delay, since that was a new issue and was easier to debug than monitoring multiple servers to see if stickiness was broken.  This is what I found when a client tries to connect to an SSL rule that ultimately is routed to a L5 HTTP rule:
  1. Client/CSS perform initial TLS handshake, crypto cyphers determined (nearly instantly)
  2. Client sends HTTP 1.1 request for resource (nearly instantly)
  3. 3 seconds of no traffic in our out of the CSS related to this request
  4. CSS opens an HTTP connection to backend webserver, backend webserver responds (nearly instantly)
  5. The CSS seems to route to the backend server using the balance method (round-robin) instead of the advanced-balance method (url)
  6. Response is sent to the client with the resource (nearly instantly)
  7. Future requests sent from the browser on the same TCP connection have no delay, but the advanced-balance continues to be ignored
  The 3 seconds is quite an exact figure (within a few milliseconds) and appears to be entirely happening inside of the CSS unit itself, since it does not connect to the backend server until after the 3 seconds elapse.  3 seconds smelled like some sort of internal timeout set in the CSS unit after it gives up waiting for something.
  Looking at the packets from affected browsers I discovered that the GET /foobar HTTP/1.1 request was being broken into two separate TLSv1 application messages, the first was 24 bytes and the second was 400 bytes.  Decrypting these messages I found the first message was a
  G
  and the second message was:
  ET /foobar HTTP/1.1
  This essentially splits the initial request the client is sending into two pieces.  This confuses wireshark so much, it doesn't decode this as a HTTP request, and just decodes it as "continuation or non-HTTP traffic".
  On the working browsers I saw only one TLSv1 application message, decrypting it I saw:
  GET /foobar HTTP/1.1
  (obviously I'm simplifying the contents of the request, there were lots of headers and stuff)
  I am aware that the CSS can't handle L5 rules appropriately if they get fragmented, so I suspected this was the problem.  I pulled a packet trace from a few years ago, and at that time confirmed we never saw a double TLSv1 application messages before. 
  A number of openssl vulnerabilities were recently fixed: http://www.ubuntu.com/usn/usn-1357-1
  and browsers may have been recently updated to fix some of these issues, changing the way they encode their traffic. 
  Solution:
  Our ssl config looked something like this:
  ssl-proxy-list SSL_ACCEL
    ssl-server 10 vip address XX.XX.XX.XX
    ssl-server 10 rsakey XXXX
    ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
    ssl-server 10 cipher rsa-with-rc4-128-sha XX.XX.XX.XX 80
    ssl-server 10 cipher rsa-with-rc4-128-md5 XX.XX.XX.XX 80
    ssl-server 10 unclean-shutdown
    ssl-server 10 rsacert XXXXXX
  Removing:
    ssl-server 10 cipher rsa-with-3des-ede-cbc-sha XX.XX.XX.XX 80
  Solves the problem.  After that's removed, the browsers will nolonger fragment the first character of their request into a separate TLSv1 message.  The 3 second delay goes away, and L5 stickiness is fixed.  The "CBC" in the cyper refers to Cypher-Block-Chaining (a great article here:
  http://en.wikipedia.org/wiki/Cipher-block_chaining), and breaking the payload into multiple packages may have been an attempt to initialize the IV for encryption -- although I'm really just guessing, I stopped researching once I verified this solution was acceptable.
  This issue became serious enough for us to notice first on Monday Feb 13th 2012. We believe a number of our large customers distributed workstation updates over the weekend.  The customers affected were using IE7, although my personal IE7 test workstation did not appear to be affected.  It's quite possible our customers were going through an SSL proxy.  I suspect as more people upgrade their browsers, this will become a more serious issue for CSS users, and I hope this saves somebody a huge headache and problems with their production environment.
  -Joe

  Hi Joe,
  That's a very good analysis you did.
  As you already suspected, the issue comes from the TLS record fragmentation feature that was introduced in the latest browser versions to overcome a SSL vulnerability (http://www.kb.cert.org/vuls/id/864643). Unfortunately, similar issues are happening with multiple products.
  For CSS, the bug tracking this issue is CSCtx68270. The development team is actively working on a fix for it, which should be available (in an interim software release, so to get it you wil have to go through TAC) in the next couple of weeks
  In the meantime, as workaround, you can configure the CSS to use only RC4 cyphers (which is what you were suggesting also). These are not affected by the vulnerability, so, browsers don't apply the record fragmentation when they are in use. This workaround has been tested by several customers already, and the results seem to be very positive.
  Regards
  Daniel

• Issue with one of the Managed server while enabling SSL.__ Issue Resovled

  Weblogic version:wls 8.1sp6
  SSL: internal
  Environment:
  1 AdminServer and 2 Managed servers. Admin and M1 are on same host. M2 is on different host. We have enabled SSL on M1 & M2 only. Configuration of M1 & M2 are identical. After restarting the servers M1 has no issue with SSL but M2 throws javax.net.ssl.SSLKeyException as shown below,
  <Aug 4, 2008 12:29:01 PM BST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
  <Aug 4, 2008 12:29:02 PM BST> <Info> <WebLogicServer> <BEA-000213> <Adding address: 10.96.201.249 to licensed client list>
  <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
  <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Error> <Cluster> <BEA-000141> <TCP/IP socket failure occurred while fetching statedump over HTTP from -6401422690190304510S:lonlxwebhost99:[16544,16544,16042,16042,16544,16042,-1,0,0]:etg:lonwpyq_16543_1.
  javax.net.ssl.SSLKeyException: [Security:090773]The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
  at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
  at com.certicom.tls.record.WriteHandler.write(Unknown Source)
  at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
  at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
  at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
  at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
  at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:122)
  at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:322)
  at weblogic.cluster.HTTPExecuteRequest.connect(HTTPExecuteRequest.java:73)
  at weblogic.cluster.HTTPExecuteRequest.execute(HTTPExecuteRequest.java:121)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)>
  Please let me know where I am going wrong. Thnx in advance
  Message was edited by:
  Shashi_sr

  Solution given by BEA Engineer:
  <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  The reason for this was
  The CA Certificate was missing a required bit (according to RFC 3280).
  keyEncipherment bit is not in the KeyUsage and KeyUsage is marked as critical.
  As per RFC:
  The keyEncipherment bit is asserted when the subject public key is
  used for key transport. For example, when an RSA key is to be
  used for key management, then this bit is set.
  According to RFC3280, when the key will be used to encrypt other keys that are send over the wire ("key transport") the keyEncipherment bit of the KeyUsage extension must be set. If the KeyUsage extension is critical, the SSL certificate validation will check that the key can be used in the key agreement. That is, that the key can be used to encrypt the symmetric public key.
  Your KeyUsage only contains the following bits:
  [4]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
  Since it is marked Critical, it MUST have the keyEncipherment bit.
  Otherwise, it should not be marked as Critical.
  So the three solutions that should work are
  1) Remove keyUsage
  2) Don't mark keyUsage as critical
  3) If keyUsage is critical, make sure keyEncipherment bit is set.

• SSL certificate issue with WLS 10.3

  Hi All,
  I am facing this issue with my WLS cluster.
  <21-Apr-2010 10:42:00 o'clock BST> <Warning> <Security> <BEA-090482> <BAD_CERTIF
  ICATE alert was received from system.core.com - 10.15.135.30.
  Check the peer to determine why it rejected the certificate chain (trusted CA co
  nfiguration, hostname verification). SSL debug tracing may be required to determ
  ine the exact reason the certificate was rejected.>
  <21-Apr-2010 10:42:00> <Warning> <Uncaught exception in server handler: javax.ne
  t.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from
  system.core.com - 10.15.135.30. Check the peer to determine wh
  y it rejected the certificate chain (trusted CA configuration, hostname verifica
  tion). SSL debug tracing may be required to determine the exact reason the certi
  ficate was rejected.>
  Please suggest. I have also tried the below settings.
  Node Manager:
  -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
  Admin Server:
  -Dweblogic.security.SSL.ignoreHostnameVerification=true
  Many thanks in advance.

  Hi Sandip,
  I am facing this issue right after when I have configured the listen address to my system IP in Machine(NodeManager), earlier it was "localhost".
  Also I have tried to generate the certificates e.g.
  C:\bea\wlserver_10.3\server\bin>java utils.CertGen -cn system.core.com -keyfilepass DemoIdentityPassPhr
  ase -certfile mycertificate -keyfile .keystore
  Generating a certificate with common name system.core.com and key strength 1024
  issued by CA with certificate from C:\bea\WLSERV~1.3\server\lib\CertGenCA.der file and key from C:\bea\WLSERV~1.3\server
  \lib\CertGenCAKey.der file
  C:\bea\wlserver_10.3\server\bin>java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePa
  ssPhrase -keyfile .keystore.pem -keyfilepass DemoIdentityPassPhrase -certfile mycertificate.pem -alias demoidentity
  No password was specified for the key entry
  Key file password will be used
  Imported private key .keystore.pem and certificate mycertificate.pem
  into a new keystore DemoIdentity.jks of type jks under alias demoidentity
  Tried the above but not wokring. Please advise.
  Edited by: R Vashi on 21-Apr-2010 03:38

• Issues with our SSL connection to the Web dispatcher

  HI Alle,
  I having issues with our SSL connection to the Web dispatcher with SAP Web AS. Below is the error in the log files form dev_webdisp:
  Started service 80 for protocol HTTP on host "wdpeht1"(on all adapters) (processing timeout=120, keep_alive_timeout=30)
  [Thr 368] =================================================
  [Thr 368] = SSL Initialization  on  PC with Windows NT
  [Thr 368] =   (701_REL,Jan 28 2010,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
  [Thr 368]   profile param "ssl/ssl_lib" = "E:\usr\sap\WDP\W00\sec\sapcrypto.dll"
             resulting Filename = "E:\usr\sap\WDP\W00\sec\sapcrypto.dll"
  [Thr 368]   profile param "ssl/server_pse" = "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
             resulting Filename = "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
  [Thr 368] =   found SAPCRYPTOLIB  5.5.5C pl29  (Jan 30 2010) MT-safe
  [Thr 368] =   current UserID: WDPEHT1\SAPServiceWDP
  [Thr 368] =   found SECUDIR environment variable
  [Thr 368] =   using SECUDIR=E:\usr\sap\WDP\W00\sec
  [Thr 368] * ERROR =>   secudessl_Create_SSL_CTX():  PSE "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" not found! [ssslsecu.c   1354]
  [Thr 368] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
    secude_error 4129 (0x00001021) = "The PSE does not exist"*
  [Thr 368] >> -
  Begin of Secude-SSL Errorstack -
  >>
  [Thr 368] ERROR in SSL_CTX_set_default_pse_by_name: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
  ERROR in ssl_set_pse: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
  ERROR in af_open: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
  ERROR in secsw_open: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
  ERROR in secsw_open_pse_or_extension: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
  ERROR in sec_get_PSEtype: (4129/0x1021) The PSE does not exist : "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
  [Thr 368] << -
  End of Secude-SSL Errorstack -
  [Thr 368] * ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
          for "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" [ssslxxi.c    2278]*
  [Thr 368]* ERROR => Initialization of SSL library failed -- NO SSL available!
  [Thr 368] =================================================
  [Thr 368] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR*
  [Thr 368] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c   319]
  [Thr 2128] IcmCreateWorkerThreads: created worker thread 0
  Regards

  Hi Olivier,
  Thanks for replay,
  The PSE does exist  in my SEC "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"  .
  I did tried Again I get  this error. I think I missing som parameter
  = SSL Initialization  on  PC with Windows NT
  [Thr 2292] =   (701_REL,Jan 28 2010,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
  [Thr 2292]   profile param "ssl/ssl_lib" = "E:\usr\sap\WDP\W00\sec\sapcrypto.dll"
             resulting Filename = "E:\usr\sap\WDP\W00\sec\sapcrypto.dll"
  [Thr 2292]   profile param "ssl/server_pse" = "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
             resulting Filename = "E:\usr\sap\WDP\W00\sec\SAPSSL.pse"
  [Thr 2292] =   found SAPCRYPTOLIB  5.5.5C pl29  (Jan 30 2010) MT-safe
  [Thr 2292] =   current UserID: WDPEHT1\SAPServiceWDP
  [Thr 2292] =   found SECUDIR environment variable
  [Thr 2292] =   using SECUDIR=E:\usr\sap\WDP\W00\sec
  [Thr 2292] -*ERROR =>   secudessl_Create_SSL_CTX():  PSE "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" not found! [ssslsecu.c   1354]
  [Thr 2292] secudessl_Create_SSL_CTX: SSL_CTX_set_default_pse_by_name() failed --
    secude_error 1281 (0x00000501) = "open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned"*-
  [Thr 2292] >> -
  Begin of Secude-SSL Errorstack -
  >>
  [Thr 2292] -*ERROR in SSL_CTX_set_default_pse_by_name: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"*-
  -*ERROR in ssl_set_pse: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
  ERROR in af_open: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"*-
  ERROR in secsw_open: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
  ERROR in secsw_open_pse_or_extension: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
  ERROR in sec_get_PSEtype: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
  ERROR in aux_read_PSEFile: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
  ERROR in aux_file2OctetString: (1281/0x0501) open("E:\usr\sap\WDP\W00\sec\SAPSSL.pse") returned : "Permission denied"
  [Thr 2292] << -
  End of Secude-SSL Errorstack -
  [Thr 2292] *** ERROR => SapISSLAddCredential(): Error SSSLERR_PSE_ERROR trying to create SERVER Credential
          for "E:\usr\sap\WDP\W00\sec\SAPSSL.pse" [ssslxxi.c    2278]
  [Thr 2292] *** ERROR => Initialization of SSL library failed -- NO SSL available!
  [Thr 2292] =================================================
  [Thr 2292] <<- ERROR: SapSSLInit(read_profile=1)==SSSLERR_PSE_ERROR
  [Thr 2292] *** ERROR => IcmAddService: SapSSLInit (rc=-40): SSSLERR_PSE_ERROR [icxxserv.c   319]
  Her is my profile parameter for https.
  h6*#Https parameters for Web dispatcher  E:\usr\sap\WDP\W00\sec
  #icm/server_port_0 = PROT=HTTPS,PORT=443$$
  DIR_INSTANCE = E:\usr\sap\WDP\W00\sec
  ssl/ssl_lib = E:\usr\sap\WDP\W00\sec\sapcrypto.dll
  ssl/server_pse = E:\usr\sap\WDP\W00\sec\SAPSSL.pse
  wdisp/ssl_cred = E:\usr\sap\WDP\W00\sec\SAPSSL.pse
  ssf/ssfapi_lib = E:\usr\sap\WDP\W00\sec\sapcrypto.dll
  sec/libsapsecu = E:\usr\sap\WDP\W00\sec\sapcrypto.dll
  ssf/name = SAPSECULIB
  wdisp/ssl_encrypt = 0
  icm/server_port_1=PROT=HTTPS, PORT=8400, TIMEOUT=120
  ###icm/server_port_1=PROT=HTTPS, PORT=44302, TIMEOUT=900 (old)
  ########icm/server_port_0 = PROT=HTTP,PORT=80, TIMEOUT=120
  icm/HTTPS/verify_client=0
  wdisp/add_client_protocol_header = true
  wdisp/auto_refresh = 120
  wdisp/max_servers = 100
  wdisp/ssl_auth= 0
  ms/https_port = 8400
  wdisp/HTTP/use_pool_for_new_conn=1
  wdisp/HTTPS/dest_logon_group = HTTPS
  #wdisp/server_info_protocol = https
  #wdisp/group_info_protocol = https
  #wdisp/url_map_protocol = https
  wdisp/ssl_ignore_host_mismatch = fals
  icm/HTTPS/forward_ccert_as_header = true
  icm/HTTPS/trust_client_with_issuer = CN = SAP CA,*
  icm/HTTPS/trust_client_with_subject = CN = sapwebdisp,*h6
  Regards

• Popup Issue with Application using SSL

  Hi
  I am having an issue with one of our apex applications using SSL.
  I have a few popups in my application and for that I am using the Popup2 function that is built into APEX.
  When I run the app without a secure layer (directly from the server) I am able to get the popups and everything works fine.
  but when I run the app using the regular url https: the popup(s) does not work. When I checked the source code on the web page the error I got is as shown below. I found that the following apex_legacy_4_0.js file was truncated in the source code. It was not retrieved fully.
  Message: Expected '}'
  Line: 1
  Char: 3769
  Code: 0
  URI: https://xxx/i/javascript/apex_legacy_4_0.js
  Can somebody please let me know how I can fix this issue.
  Please Note: This was an application that was working without any issues for more than 2years. All of a sudden (since last month) we are getting this error. According to Our Network and DBA's we have not made any changes/patches to our servers.
  Thanks
  knut
  Edited by: knut on Dec 16, 2011 11:18 AM

  Ok. I figured it out. The url rewrite was missing in the config. Put it there and its working now.