SSL on IISPROXY

Hello All,
We have set up proxy server in DMZ and installed IISPROXY in it. Now we want to apply the SSL on IISPROXY.
Browser to IISPROXY (HTTPS) -->IISPROXY to Portal (HTTP)
--> IISPROXY to R3 (HTTP)
We access all other SAP Enterprise Portal and SAP R/3, BW systems using http. We wanted to terminate the SSL at IISPROXY itself.
I have successfully configured the SSL based on SAP documentation. I have maintained <protpcol-header> at each mapping also. Everything works except accessing SAP R3/BW Systems. I guess request is being sent as https instead of http and its gives Forbidden 403.4 error.
Can anyone kindly post me the iisproxy.xml with SSL for verification. or Does anybody know as what else had to be done to terminate ssl at IISPROXY and send http request to R3 or BW servers.
Thanks,
Maya

Hello All,
Anybody has suggestions on this??
Thanks,
Maya

Similar Messages

SSL and IISProxy

We are using IIS in a DMZ and proxy servlet requests to WLS inside a
firewall. The clients will connect using a SSL session to IIS, passing a
client certificate. How do we get access to the certificate in order to
parse it and identify the client on WLS? Should WLS be set up with SSL as
well? Is the certificate proxied as well?
What is the best way to configure this scenario?
Thanks,
Ernst.

e> How do we get access to the certificate in order to parse it and
e> identify the client on WLS?
Our servlet documentation should explain how to do this.
<b

EP Administration Project

hi all,
I want to know the sites where i can get the EP-Admin Projects for testing my skills in this domain.If anybody knows plz help me.
bye
pradeep

Sathish,
First of all welcome to EP Administrators world.
Enterprise Portal Administration contains the below tasks:
1.SAP Enterprise Portal installation.
2. Database Installation for EP.
3. SAP WebAs installation.
4. EP upgradation (versions 5.0 ->6.0 -> 7.0)
5. IIS Configuration.
6. SPNego Configuration.
7. Windows Kerberos Authentication.
8. Service Pack upgradation (SP10->SP11 etc..)
9. UME Configuration settings.
10. Active Directory Configuration
11. Visual Admin/Config tool Configurations
12. JVM Parameter settings
13. Solution Manager Settings/Configurations.
14. Wiley tool Installation/Configuration.
15. Portal performance management.
16. iView Creation for BW report
17. Role Assigning/Creation
18. Creating Groups/Worksets/Pages/iViews/roles/layouts and maintenence
19. Knowledge management and Collaboration installation/upgradation
20.Optimizing Network traffic
21. load balancer setup
22. DNS configuration
23.Installation of MSCS Clustering Portals
24.Secure Socket layer Management like turn off ssl between IISproxy and sap j2ee engine.
25.Configuration of Universal Worklist.
and so on...
I think I have given almost 75% of the job that EP Administrators do.
If you need more clarification please let me know.
Regards,
Karthick Eswaran

Iisforward iisproxy error

Hi,
I have installed and configured the iisforward/iisproxy plugin with IIS 6.0 + WLS 8.1 SP5.
iisproxy.ini [CONTENT]:
WebLogicHost=10.20.140.34
WebLogicPort=8010
Debug=ON
DebugConfigInfo=ON
WlForwardPath=/portal
I tried to load the page but nothing happens..just an error page from IE.
wlproxy.log [CONTENT]:
Mon May 28 15:22:49 2007 loadFile(): Properties loaded from \\?\C:\bea\weblogic81\server\bin\iisproxy.ini
Mon May 28 15:22:49 2007 init: created a new server node: id='10.20.140.34:8010'
Mon May 28 15:22:49 2007
================New Request: [portal/console.wlforward] =================
Mon May 28 15:22:49 2007 SSL is not being used
Mon May 28 15:22:49 2007 resolveRequest: wlforward: /portal/console
Mon May 28 15:22:49 2007 Mon May 28 15:22:49 2007 timer thread starting
URI is /portal/console, len=15
Mon May 28 15:22:49 2007 Request URI = [portal/console]
Mon May 28 15:22:49 2007 attempt #0 out of a max of 5
Mon May 28 15:22:49 2007 Trying a pooled connection for '10.20.140.34/8010/8010'
Mon May 28 15:22:49 2007 getPooledConn: No more connections in the pool for Host[10.20.140.34] Port[8010] SecurePort[8010]
Mon May 28 15:22:49 2007 general list: trying connect to '10.20.140.34'/8010/8010 at line 1265 for '/portal/console'
Mon May 28 15:22:49 2007 INFO: New NON-SSL URL
Mon May 28 15:22:49 2007 Connect returns -1, and error no set to 10035, msg 'Unknown error'
Mon May 28 15:22:49 2007 EINPROGRESS in connect() - selecting
Mon May 28 15:22:49 2007 Local Port of the socket is 1283
Mon May 28 15:22:49 2007 Remote Host 10.20.140.34 Remote Port 8010
Mon May 28 15:22:49 2007 general list: created a new connection to '10.20.140.34'/8010 for '/portal/console', Local port: 1283
Mon May 28 15:22:49 2007 WLS info in sendRequest: 10.20.140.34:8010 recycled? 0
Mon May 28 15:22:49 2007 URL::parseHeaders: StatusLine set to [200 OK]
Mon May 28 15:22:49 2007 parsed all headers OK
Mon May 28 15:22:49 2007 sendResponse() : uref->getStatus() = '200'
Mon May 28 15:22:49 2007 for 10.20.140.34/8010/8010, updating JVMID: 336430126
Mon May 28 15:22:49 2007 Going to send headers to the client. Status :200 OK
Mon May 28 15:22:49 2007 *******Exception type [WRITE_ERROR_TO_CLIENT] raised at line 1545 of .\iisproxy.cpp
Mon May 28 15:22:49 2007 NOT failing over after sendResponse() exception: idempotent=1 pastFailover=1
Mon May 28 15:22:49 2007 request [portal/console] did NOT process successfully ..................
Anyone can help me?
[]'s
Emerson Santos

In your source, you have set the prefix to /irj/. If you change it to /irj it will work.
Note - IISProxy is no longer supported, SPNegro should be used instead.
Paul

Alteon Systems ISD-SSL 310 and Weblogic 5.10

Does anyone know of any problems using an external SSL device such as
the iSD-SSL 310? I know BEA has stated problems with SSL add-on cards
but what about external SSL devices such as this one? With this type
of device the SSL traffic is between the browser and the iSD-SSL
device. Traffic between the device and the weblogic server is
standard http only.

Maybe this is a trusted CA failure?
Double check that the CA's specified in
D:\weblogic\myserver\fw1-ap28-cert.pem really match
the CA used to issue the cert chain that the WLS server is configured with.
Tony
"the_snookums" <[email protected]> wrote in message
news:[email protected]..
I am trying to setup up an iis server to handle some traffic from our
weblogic server
Currently, I have a win2000 advanced server running weblogic with ssl
functioning.
I also have an NT4.0 server with IIS running. I need to install the
weblogic plugin witch I thought I had done correctly.
I copied over my iisproxy.ini, created my virtual directory to the
weblogic server gave correct permissions and everything else the
documentation suggests.
When I attempt to access the weblogic page from the iis server i get
an error message No backend server available for connection: timed out
after 10 seconds.
My iisproxy.ini looks something like this
WebLogicHost=111.11.1.111
WebLogicPort=443
SecureProxy=ON
WLProxySSL=ON
Debug=ALL
DebugConfigInfo=ON
TrustedCAFile=D:\weblogic\myserver\fw1-ap28-cert.pem
In the wlproxy.log I get several error messages including
INFO: sysSend 52
INFO: SSL certificate chain validation failed: 3015
trusted certs = 1
dumping cert chain
commonName is 111.11.1.111
ERROR: SSLWrite failed
SEND failed (ret=-1) at 558 of file ../nsapi/URL.cpp
Marking 111.11.1.111:443 as bad
Exception occurred for backend host 111.11.1.111/443' while sending
request : 'WRITE_ERROR [os error=0, line 559 of ../nsapi/URL.cpp]:
'Wed Jul 09 14:39:33 2003 got exception in sendRequest phase:
WRITE_ERROR [os error=0, line 559 of ../nsapi/URL.cpp]: at line 710
Wed Jul 09 14:39:33 2003 INFO: Closing SSL context
Any tips suggestion or help would be apprecaited. I was suposed to
have this working last week.

IISPROXY failure: - SapSSLSessionInit() failed: -6 (SSSLERR_INIT_FIRST)

Hi SDN,
we have tried to install a reverseproxy for an enterprise portal. Now we have changed the communication to SSL. We have installed the iisproxy on a MS IIS server. We are now trying to use SSL. But the iisproxy gives us the following error message (I have repleaced the name of the server and of the domain.):
10:09:58 Filter IIS    - GET /
10:09:58 Filter J2EE --> GET /irj/
10:09:58   4028 Proxy    GET https://<servername>.<domain>.de:50001/irj/
10:09:58   4028 SAP    E SslConnection(): Cannot connect to <server>:<port>
SapSSLSessionInit() failed: -6 (SSSLERR_INIT_FIRST)
10:09:58   4028 Proxy W FAILED | queued for 0.015 sec, aborted after 0.000 sec.
What could be wrong. Do we have to initialise the ssl via an intermediary server on WEBAS???
Thanks for your help.
Best Regards,
Olaf Reiss
Edited by: Olaf Reiss on Feb 1, 2008 3:42 PM

Hi Alon,
yes we can access the portal by ssl. Our error has changed after some configuration.
We have now the following problem:
14:41:07   3184 Proxy    GET https://<server>.<domain>.de:50001/irj/portal
14:41:07   3184 SAP    E SslConnection(): Cannot connect to <server>.<domain>.de:50001
SapSSLSetSessionCredential( 'C:\Inetpub\scripts' ) failed: -40 (SSSLERR_PSE_ERROR)
14:41:07   3184 Proxy W FAILED | queued for 0.000 sec, aborted after 0.015 sec.
14:41:07   3184 Proxy W | GET https://<server>.<domain>.de:50001/irj/portal | FAILED | 0.000 | 0.015
14:41:07   3184 Ext      500 Internal Server Error
14:54:31 Filter J2EE --> GET /irj/portal
14:54:31   3184 Proxy    GET https://<server>.<domain>.de:50001/irj/portal
My internet browser shows the same error message: IisProxy.dll: 500 Internal Server Error
ProxyWorker(): IOException: SapSSLSetSessionCredential( 'C:\Inetpub\scripts' ) failed: -40 (SSSLERR_PSE_ERROR)
at SapConnection.cpp:676
We just wanna use ssl for our j2ee via iisproxy.
Do you have any idea?
Our iisproxy.xml is configured in this way:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE ISAPI-config (View Source for full doctype...)>
- <ISAPI-config version="1.5">
<filter name="IisProxy filter" authentication="forward" log-level="3" log-flags="0" debug-flags="0" priority="high" extension-url="/scripts/IisProxy.dll" />
- <extension name="IisProxy extension" log-level="3" log-flags="0" debug-flags="0" access="filter">
<keystore-dir>C:\Inetpub\scripts</keystore-dir>
</extension>
- <mapping name="SAP Enterprise Portal 6.0 - NTLM" keep-alive="true" log-level="3" use-continue="false" log-flags="0" debug-flags="0" close-socket="true" close-socket-delay="1000" thread-count="100" max-socket-age="10">
- <source access="filter">
<protocol>http</protocol>
<prefix>/logon/</prefix>
</source>
- <source access="filter">
<protocol>http</protocol>
<prefix>/irj/</prefix>
</source>
- <target>
<protocol>https</protocol>
<host>server.domain.de</host>
<port>50001</port>
</target>
<compress-types min-size="1024">text/html, text/plain</compress-types>
</mapping>
- <config>
- <source access="filter">
<protocol>http</protocol>
<host>localhost</host>
<prefix>/IisProxy/</prefix>
</source>
- <source access="filter">
<protocol>https</protocol>
<host>localhost</host>
<prefix>/IisProxy/</prefix>
</source>
</config>
</ISAPI-config>
I have replaced the server name and the domain in the message.
Thanks for your help.
Best Regards,
Olaf Reiss
Message was edited by: Olaf Reiss

IISProxy redirection with absolute URIs

Hi all,
We have a problem on my site where we are using Squid 2.5 as a reverse proxy to access the Portal via a firewall. We have an issue where the IISProxy is expecting a URI of '/irj/servlet/etc...' and the reverse proxy is delivering the absolute URI e.g. 'https://myhost.com/irj/servlet etc...'. According to RFC 2616, the portal should be able to handle both forms as it is supposed to be http 1.1 compliant.
Has anyone else experienced problems running the portal via a reverse proxy, specifically Squid ?
Thanks

Hi All,
We had SAP consultants do our installation so I guess (!!) that the files are correct. We see no problems when we use the machine internally, just when we go through the Squid firewall from the Internet using SSL.
We use Squid to handle authentication through our firewall and to act as a reverse proxy/accelerator. We are seeing https://<myportal.com>/irj/servlet/etc... requests going into Squid, and the same requests coming out and into Portal. Squid is treating the portal as proxy and is sending the full path URI, but the Portal seems to be handling only the file path URI e.g. the /irj/servlet/etc... part.
IIS seems to know what to do with it as we get the company logo and some other portal info served by IIS, but no java information is passed back to the broswer. We get a '404 - file not found' error because it is expecting '/irj' and we are passing 'https://'. According to the http 1.1 standards, you must be able to handle both sets of address, but Portal doesn't.
We have raised this as an OSS message so I will post the reply from SAP support once the problem is resolved. If anyone has any other ideas, I'd appreciate them.
Thanks

SSL and IIS Plugin possible ? How ?

Hi,
I wonder if it is possible to proxy both normal and SSL requests through the iis
plugin. We use WLCS 3.2 and everything except checkout should be proxied without
SSL, but checkout with SSL how can I configure (running in a cluster) the iis
proxy to handle this problem. When it is not possible what could you suggest in
a clustered scenario with the above mentioned cirumstances ?
Can I use the iisproxy and iisforward dlls from WLS 6 SP1 in WLS 5.1 ?
Thanks a lot in advance
Oliver

Hi,
I wonder if it is possible to proxy both normal and SSL requests through the iis
plugin. We use WLCS 3.2 and everything except checkout should be proxied without
SSL, but checkout with SSL how can I configure (running in a cluster) the iis
proxy to handle this problem. When it is not possible what could you suggest in
a clustered scenario with the above mentioned cirumstances ?
Can I use the iisproxy and iisforward dlls from WLS 6 SP1 in WLS 5.1 ?
Thanks a lot in advance
Oliver

EP6 SSL windows authentication

I have found a couple of issues we are experiencing has anybody come
across these before.
1. When using windows authentication both with and without SSL on the import screen,if you try to browse you receive the following error.
"BAD REQUEST (Invalid URL)" if you log in directly to the portal it works fine.
2. This issue occurs only under SSL instead of going straight into the portal, you are stopped at the logon screen with "user authentication failed" , but if you just hit return you proceed straight into the portal.
I am guessing that this is potentialy an IIS issue, but not sure where at this point, any help would be appreciated.
This is a windows system EP6 SP2 patch 4 hotfix 5
iisproxy 1.6.0.0

Aha, now I now what you mean. I think you are talking about uploading files either in CM or with import/export data, correct? If so, take a look at HTTP 400 errors in Collaboration with IISProxy
The problem is that IIS 6 cannot handle long urls and urls with the charcters < > in it by default.
hope this helps.

How do i open a web page with VeriSign Class 3 Extended Validation SSL SGC SS CA certfificate i can't open web pages with this, how do i open a web page with VeriSign Class 3 Extended Validation SSL SGC CA certfificate i can't open web pages with this

how do i open a web page with VeriSign Class 3 Extended Validation SSL SGC SS CA ?

Hi
I am not suprised no one answered your questions, there are simply to many of them. Can I suggest you read the faq on 'how to get help quickly at - http://forums.adobe.com/thread/470404.
Especially the section Don't which says -
DON'T
Don't post a series of questions in a single post. Splitting them into separate threads increases your chances of a quick answer.
PZ
www.pziecina.com

IP Phone SSL VPN and Split tunneling

Hi Team,
I went throught the following document which is very useful:
https://supportforums.cisco.com/docs/DOC-9124
The only things i'm not sure about split-tunneling point:
Group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy
I could see many implementation when they used split-tunneling, like one of my customer:
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
banner value This system is only for Authorized users.
dns-server value 10.64.10.13 10.64.10.14
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value prod.mobily.lan
address-pools value SSLClientPool
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
username manager-max attributes
vpn-group-policy GroupPolicy1
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
address-pool SSLClientPool
authentication-server-group AD
default-group-policy GroupPolicy1
tunnel-group PhoneVPN webvpn-attributes
group-url https://84.23.107.10 enable
ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
access-list split-tunnel remark split-tunnel network list
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
It is working for them w/o any issue.
My question would be
- is the limitation about split-tunneling still valid? If yes, why it is not recommended?
Thanks!
Eva

Hi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered!

SSL VPN, "Login failed" and "WebVPN: error creating WebVPN session!"

Hi,
Just ran the wizard for Anyconnect SSL VPN, created a tunnel group, a vpn pool and added user to it. When trying to logon on the SSL service, it simply says "login failed". I suspect that the user might not be in correct groups or so?
some relevant config
webvpn
enable wan
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy vpnpolicy1 internal
group-policy vpnpolicy1 attributes
vpn-tunnel-protocol svc
tunnel-group admins type remote-access
tunnel-group admins general-attributes
address-pool sslpool2
default-group-policy vpnpolicy1
username myuser password 1234567890 encrypted privilege 15
username myuser attributes
vpn-group-policy vpnpolicy1
Debug:
asa01# debug webvpn 255
INFO: debug webvpn enabled at level 255.
asa01# webvpn_allocate_auth_struct: net_handle = CD5734D0
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2321]
WebVPN: calling AAA with ewsContext (-867034168) and nh (-849922864)!
webvpn_add_auth_handle: auth_handle = 17
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5138]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1485]
WebVPN: user: (myuser) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2938]
webvpn_session.c:http_webvpn_create_session[184]
WebVPN: error creating WebVPN session!
webvpn_remove_auth_handle: auth_handle = 17
webvpn_free_auth_struct: net_handle = CD5734D0
webvpn_allocate_auth_struct: net_handle = CD5734D0
webvpn_free_auth_struct: net_handle = CD5734D0

AnyConnect says:
"The secure gateway has rejected the agents VPN connect or reconnect request. A new connection requires re-authentication and must be started manually. Please contact your network administrator if this problem persists.
The following message was received from the secure gateway: Host or network is 0"
Other resources indicate that it's either the tunnel group, or the address pool.. The address pool is:
ip local pool sslpool2 172.16.20.0-172.16.20.254 mask 255.255.255.0
asa01# debug webvpn 255
INFO: debug webvpn enabled at level 255.
asa01# debug http 255
debug http enabled at level 255.
asa01# webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_login_resolve_tunnel_group: tgCookie = NULL
webvpn_login_resolve_tunnel_group: tunnel group name from default
webvpn_login_resolve_tunnel_group: TG_BUFFER = DefaultWEBVPNGroup
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_not_resuming[3137]
webvpn_portal.c:http_webvpn_kill_cookie[790]
webvpn_auth.c:http_webvpn_pre_authentication[2321]
WebVPN: calling AAA with ewsContext (-845538720) and nh (-828624376)!
webvpn_add_auth_handle: auth_handle = 22
WebVPN: started user authentication...
webvpn_auth.c:webvpn_aaa_callback[5138]
WebVPN: AAA status = (ACCEPT)
webvpn_portal.c:ewaFormSubmit_webvpn_login[3203]
webvpn_portal.c:webvpn_login_validate_net_handle[2234]
webvpn_portal.c:webvpn_login_allocate_auth_struct[2254]
webvpn_portal.c:webvpn_login_assign_app_next[2272]
webvpn_portal.c:webvpn_login_cookie_check[2289]
webvpn_portal.c:webvpn_login_set_tg_buffer_from_form[2325]
webvpn_portal.c:webvpn_login_transcend_cert_auth_cookie[2359]
webvpn_login_transcend_cert_auth_cookie: tg_cookie = NULL, tg_name =
webvpn_portal.c:webvpn_login_set_tg_cookie_form[2421]
webvpn_portal.c:webvpn_login_set_tg_cookie_querry_string[2473]
webvpn_portal.c:webvpn_login_resolve_tunnel_group[2546]
webvpn_portal.c:webvpn_login_negotiate_client_cert[2636]
webvpn_portal.c:webvpn_login_check_cert_status[2733]
webvpn_portal.c:webvpn_login_cert_only[2774]
webvpn_portal.c:webvpn_login_primary_username[2796]
webvpn_portal.c:webvpn_login_primary_password[2878]
webvpn_portal.c:webvpn_login_secondary_username[2910]
webvpn_portal.c:webvpn_login_secondary_password[2988]
webvpn_portal.c:webvpn_login_extra_password[3021]
webvpn_portal.c:webvpn_login_set_cookie_flag[3040]
webvpn_portal.c:webvpn_login_set_auth_group_type[3063]
webvpn_login_set_auth_group_type: WEBVPN_AUTH_GROUP_TYPE = 4
webvpn_portal.c:webvpn_login_aaa_resuming[3093]
webvpn_auth.c:http_webvpn_post_authentication[1485]
WebVPN: user: (myuser) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2938]
HTTP: net_handle->standalone_client [0]
webvpn_session.c:http_webvpn_create_session[184]
webvpn_session.c:http_webvpn_find_session[159]
WebVPN session created!
webvpn_session.c:http_webvpn_find_session[159]
webvpn_remove_auth_handle: auth_handle = 22
webvpn_portal.c:ewaFormServe_webvpn_cookie[1805]
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CE9C3208
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE9C3208
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C3208
webvpn_allocate_auth_struct: net_handle = CE863DE8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE863DE8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE863DE8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_allocate_auth_struct: net_handle = CE863DE8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE863DE8
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CE9C32C8
webvpn_auth.c:webvpn_auth[581]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
WebVPN: session has been authenticated.
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_allocate_auth_struct: net_handle = CE9C32C8
ewsStringSearch: no buffer
Close 0
webvpn_free_auth_struct: net_handle = CE9C32C8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:http_webvpn_find_session[159]
webvpn_allocate_auth_struct: net_handle = CC894AA8
webvpn_session.c:http_webvpn_find_session[159]
webvpn_session.c:webvpn_update_idle_time[1463]
Close 1043041832
webvpn_free_auth_struct: net_handle = CC894AA8

SSL private key password

Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
with WLP 7.0 SP2. Everythng is fine except for that we cannot use the same
SSL certificate. By defaul the private key is not encrypted with password
(SSL.KeyEncrypted = false by default, according to the documentations) in
both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results the
following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
<Inconsistent se
curity configuration, java.lang.Exception: Cannot read private key from file
C:\
bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
sure pa
ssword specified in environment property weblogic.management.pkpassword is
valid
.>
java.lang.Exception: Cannot read private key from file
C:\bea7\user_projects\age
ncyPortal\portal_islandinsurance_com-key.der. Make sure password specified
in en
vironment property weblogic.management.pkpassword is valid.
at
weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
ava:434)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the
password? It was working, although the KeyEncrypted is not set to true and
the startup script for WLS 6.1 instance did have a line
with -Dweblogic.management.pkpassword. Or could this error be result of
something else? The physical machine the instances are located is the same
and IP address and the DNS entry hasn't been changed, either.
Any insight will be greatly appreciated. Thanks!
Makoto

Thanks Tony - it worked!!
"Tony" <TonyV> wrote in message news:[email protected]...
It may be because the private key is both unprotected and in DER format.
There are some things to try:
1) Convert the private key file from a DER file to a PEM file and try
that:
a) Follow the for converting an unprotected private key at:
http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
b) Look at the resulting PEM file, it should look something like
this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
(Be sure there is no extra lines or whitespace after thefooter)
>
c) Change your configuration to point at the PEM file
If that doesn work, then you can try protecting the key with apassword
using
the wlkeytool utility (It should be in the server/bin directory). The
tool should prompt
for a password to use to protect it:
wlkeytool inputkey.pem outputkey.pem
Then change your configuration to use the protected private key, andset
the passwod to use.
Tony
"Makoto Suzuki" <[email protected]> wrote in message
news:[email protected]...
Hello everyone,
I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0SP2
with WLP 7.0 SP2. Everythng is fine except for that we cannot use the
same
SSL certificate. By defaul the private key is not encrypted withpassword
(SSL.KeyEncrypted = false by default, according to the documentations)in
both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script resultsthe
following error:
<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
<Inconsistent se
curity configuration, java.lang.Exception: Cannot read private key fromfile
C:\
bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
sure pa
ssword specified in environment property weblogic.management.pkpassword
is
valid
.>
java.lang.Exception: Cannot read private key from file
C:\bea7\user_projects\age
ncyPortal\portal_islandinsurance_com-key.der. Make sure passwordspecified
in en
vironment property weblogic.management.pkpassword is valid.
at
weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
ava:434)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
at weblogic.Server.main(Server.java:32)
Is this happening because the private key is actually encrypted with the
password? It was working, although the KeyEncrypted is not set to true
and
the startup script for WLS 6.1 instance did have a line
with -Dweblogic.management.pkpassword. Or could this error be result of
something else? The physical machine the instances are located is thesame
and IP address and the DNS entry hasn't been changed, either.
Any insight will be greatly appreciated. Thanks!
Makoto

SSL TEST IN R12

Hi,
we are about to implement SSL in ebs r12.0.4 to ensure that the user name and password get passed over the browser as encrypted(by default which is passed as simple text).
Now i am following metalink document Enabling SSL in Release 12 [ID 376700.1]
Initially i was testing with the demo certifcatest at the $INST_TOP/certs/Apache.
All the middle tier setups has been done.Then when i restarted the Application and tried to connect my url that get redirected to the SSL port correctly but then failed with following:--
500 Internal Server Error
java.lang.NoClassDefFoundError     at oracle.apps.fnd.sso.AppsLoginRedirect.AppsSetting(AppsLoginRedirect.java:120)
at oracle.apps.fnd.sso.AppsLoginRedirect.init(AppsLoginRedirect.java:161)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpApplication.loadServlet(HttpApplication.java:2231)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpApplication.findServlet(HttpApplication.java:4617)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpApplication.findServlet(HttpApplication.java:4541)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:2821)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:740)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)
at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:230)
at oracle.oc4j.network.ServerSocketAcceptHandler.access$800(ServerSocketAcceptHandler.java:33)
at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:831)
at com.evermind[Oracle Containers for J2EE 10g (10.1.3.0.0) ].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)Please help.
Edited by: Susmit on Dec 24, 2010 4:24 PM

Hi;
please check below notes:
"500 Internal Server Error - java.lang.NoClassDefFoundError: oracle.apps.fnd.profiles.Profiles" on 10G [ID 567554.1]
R12: Troubleshooting 500 Internal Server Error in Oracle E-Business suite [ID 813523.1]
Regard
Helios

How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
DVD>Disk Utility>Erase Disk [or Recovery Partition>Disk Utility>Erase Partition]
DVD>Install Lion
Reboot, hopefully Lion install kicks in
Update, update, update Lion (NOT Lion Server yet) until no more updates
System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
Terminal>$ sudo scutil --set HostName server.domain.com
App Store>Install Lion Server and run through the Setup
Download install Server Admin Tools, then update, update, update until no more updates
Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
A few DNS set-up steps and these most important steps:
A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
I. Test from web browser server.domain.com/mydevices: Lock Device to test
J. ??? Profit
12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
Firewall
Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
SSH
Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
client$ ssh-keygen -t rsa -b 2048 -C client_name
[Securely copy ~/.ssh/id_rsa.pub from client to server.]
server$ cat id_rsa.pub > ~/.ssh/known_hosts
I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
$ diff denyhosts.cfg-dist denyhosts.cfg
12c12
< SECURE_LOG = /var/log/secure
> #SECURE_LOG = /var/log/secure
22a23
> SECURE_LOG = /var/log/secure.log
34c35
< HOSTS_DENY = /etc/hosts.deny
> #HOSTS_DENY = /etc/hosts.deny
40a42,44
> #
> # Mac OS X Lion Server
> HOSTS_DENY = /private/etc/hosts.deny
195c199
< LOCK_FILE = /var/lock/subsys/denyhosts
> #LOCK_FILE = /var/lock/subsys/denyhosts
202a207,208
> LOCK_FILE = /var/denyhosts/denyhosts.pid
> #
219c225
< ADMIN_EMAIL =
> ADMIN_EMAIL = [email protected]
286c292
< #SYSLOG_REPORT=YES
> SYSLOG_REPORT=YES
Network Accounts
User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
     User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
Oh well.
Email
Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
root:           myname
admin:          myname
sysadmin:       myname
certadmin:      myname
webmaster:      myname
my_alternate:   myname
Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
cd /etc/postfix
sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
sudo serveradmin stop mail
sudo serveradmin start mail
Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
iCal Server
Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
Web
The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
$ diff httpd.conf.default httpd.conf
95c95
< #LoadModule ssl_module libexec/apache2/mod_ssl.so
> LoadModule ssl_module libexec/apache2/mod_ssl.so
111c111
< #LoadModule php5_module libexec/apache2/libphp5.so
> LoadModule php5_module libexec/apache2/libphp5.so
139,140c139,140
< #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
< #LoadModule encoding_module libexec/apache2/mod_encoding.so
> LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
> LoadModule encoding_module libexec/apache2/mod_encoding.so
146c146
< #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
> LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
177c177
< ServerAdmin [email protected]
> ServerAdmin [email protected]
186c186
< #ServerName www.example.com:80
> ServerName domain.com:443
677a678,680
> # Server-specific configuration
> # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
> Include /etc/apache2/mydomain/*.conf
I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
Alias /eyetv /Users/uname/Sites/EyeTV
<Directory "/Users/uname/Sites/EyeTV">
    AuthType Digest
    AuthName "EyeTV"
    AuthUserFile /Users/uname/.htdigest
    AuthGroupFile /dev/null
    Require user uname
    Options Indexes MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
<Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
    AuthType Digest
    AuthName "EyeTV"
    AuthUserFile /Users/uname/.htdigest
    AuthGroupFile /dev/null
    Require user uname
    Options Indexes MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
User-agent: *
Disallow: /
Misc
VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

Privacy Enhancing Filtering Proxy and SSH Tunnel
Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
$ ./ssht 8080:[email protected]:3128
$ ./ssht 8080:alice@:
$ ./ssht 8080:
$ ./ssht 8018::8123
$ ./ssht 5901::5900 [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
$ vi ./ssht
#!/bin/sh
# SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
USERNAME_DEFAULT=username
HOSTNAME_DEFAULT=domain.com
SSHPORT_DEFAULT=22
# SSH port forwarding specs, e.g. 8080:localhost:3128
LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
REMOTEHOST_DEFAULT=localhost    # Default is localhost
REMOTEPORT_DEFAULT=3128         # Default is Squid port
# Parse ssh port and tunnel details if specified
SSHPORT=$SSHPORT_DEFAULT
TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
while [ "$1" != "" ]
do
case $1
in
    -p) shift;                  # -p option
        SSHPORT=$1;
        shift;;
     *) TUNNEL_DETAILS=$1;      # 1st argument option
        shift;;
esac
done
# Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
shopt -s extglob                        # needed for +(pattern) syntax; man sh
LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
USERNAME=$USERNAME_DEFAULT
HOSTNAME=$HOSTNAME_DEFAULT
REMOTEHOST=$REMOTEHOST_DEFAULT
REMOTEPORT=$REMOTEPORT_DEFAULT
# LOCALHOSTPORT
CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
CAR=${CAR%:}                            # delete :
if [ "$CAR" != "" ]                     # leading or trailing port specified
then
    LOCALHOSTPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEPORT
CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
CAR=${CAR#:}                            # delete :
if [ "$CAR" != "" ]                     # leading or trailing port specified
then
    REMOTEPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEHOST
CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
CAR=${CAR#:}                            # delete :
if [ "$CAR" != "" ]                     # leading or trailing port specified
then
    REMOTEHOST=$CAR
fi
TUNNEL_DETAILS=$CDR
# USERNAME
CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
CAR=${CAR%@}                            # delete @
if [ "$CAR" != "" ]                     # leading or trailing port specified
then
    USERNAME=$CAR
fi
TUNNEL_DETAILS=$CDR
# HOSTNAME
HOSTNAME=$TUNNEL_DETAILS
if [ "$HOSTNAME" == "" ]                # no hostname given
then
    HOSTNAME=$HOSTNAME_DEFAULT
fi
ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
    && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
    || echo "SSH tunnel FAIL."

SSL on IISPROXY

Similar Messages

Maybe you are looking for