SSL  Server Keystore (multiple entries)

Similar Messages

• SSL Connection Keystore(multiple entries)

  Hello
  i have folllowing situation:
  i made a keystore file with 2 entries
  keytool -genkey -alias nr1 -keystore keystore
  keytool -genkey -alias nr2 -keystore keystore
  After that i made two different truststores (for each nr?):
  keytool -export -keystore keystore -alias nr1 -file nr1.cer
  keytool -export -keystore keystore -alias nr2 -file nr2.cer
  keytool -import -keystore nr1 -alias nr1 -file nr1.cer
  keytool -import -keystore nr2 -alias nr2 -file nr2.cer
  So in the end i hava one keystore (keystore) and 2 truststores (nr1 and nr2)
  Now if i try to connect with the nr1 certificate all works fine.
  If i try it with nr2 it doesnt work. I get following exception
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.secur
  y.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150) ................
  Anyone can help me out?
  thanks for any help
  Michael

  Hi,
  have you found the solution? I have the same problem...

• Picking the value of PBEG and PEND incase of multiple entries 2002 on a day

  Hi Experts,
  Our client's business requirement is to have provision handling multiple entries multiple entries of same subtype of IT 2002 on same day with different Time entries.For example one IT 2002 Styp 1 has entry 10 am to 14 pm & other entry of IT 2002 styp 1 as 14 pm to 16 pm.
  In this scenario I want to have TWT with start time of 1st 2002 record i.e 10 & another TWT with end time of last 2002 record i.e. 16.
  I have written a PCR as
  OUTTPORIGS Origin status
      COLOP*     TIP  >TOP curr.TType
    P
      HRS=PBEG   Set
      ADDDB90T3  Add to day balance
      HRS=PEND   Set
      ADDDB90T4  Add to day balance
  But its giving me value of 2002 start time  as (1014=24) & END time (1416=30) respectively.
  Since TIP will have entries with origin E & A as well with P  and any entry can be 1st or last entry depending on time, I can't use VRSTFIRST & VARSTLAST.
  Please suggest me how to handle such scenario through PCR. Is there a way we can make decision on From & To of TIP entries.
  You can also suggest me if such need can be handled at masterdata level so that we can have just one entry
  Regards
  S S
  Hi All,
  Please also suggest me a better operation to pick the value of PBEG and PEND incase of multiple entries various subtypes of 2002 on same day.I need to compare start- end time of 2002 with 2011 entries and calculate total attendence hrs. Once again, I can't use VRSTFIRST & VRSTLAST as 1st & last TIP entry could be come from any infotype viz 2011,2002, 2001.
  Regards
  Sunita
  Edited by: Sunita on Feb 5, 2011 10:02 AM

  If you want to do it the T-SQL way, follow this article I wrote on deleting duplicates..
  http://sqlsaga.com/sql-server/how-to-remove-duplicates-from-a-table-in-sql-server/
  To read about what ranking functions does and how will they help you use this link..
  http://sqlsaga.com/sql-server/what-is-the-difference-between-rank-dense_rank-row_number-and-ntile-in-sql-server/
  Please mark as answer, if this has helped you solve the issue.
  Good Luck :) .. visit www.sqlsaga.com for more t-sql code snippets and BI related how to articles.

• SSL Server: No available certificate or key.... exception

  Hi,
  I want to create a very simple SSL Server for testing purposes.
  I have searched google and these forums for an answer, but anything that I found did not help (will say below what I tried).
  Here is my code:
  import java.io.IOException;
  import javax.net.ssl.SSLServerSocket;
  import javax.net.ssl.SSLServerSocketFactory;
  public class Server {
       private int port = 25000;
       private SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
       public Server() {          
            try {
                 SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port);
                 Echo echo = new Echo(socket);
                 Thread t = new Thread(echo);
                 t.start();
            } catch (IOException e) {
                 e.printStackTrace();
       public static void main(String[] args) {
            new Server();
  }and
  import java.io.BufferedReader;
  import java.io.BufferedWriter;
  import java.io.IOException;
  import java.io.InputStream;
  import java.io.InputStreamReader;
  import java.io.OutputStream;
  import java.io.OutputStreamWriter;
  import javax.net.ssl.SSLServerSocket;
  import javax.net.ssl.SSLSocket;
  public class Echo implements Runnable {
       SSLServerSocket socket;
       public Echo(SSLServerSocket socket) {
            this.socket = socket;
       @Override
       public void run() {
            try {
                 SSLSocket connectedSocket = (SSLSocket) socket.accept();
                 // creating the streams
                 InputStream inputstream = connectedSocket.getInputStream();
              InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
              BufferedReader in = new BufferedReader(inputstreamreader);
              OutputStream outputstream = connectedSocket.getOutputStream();
              OutputStreamWriter outputstreamwriter = new OutputStreamWriter(outputstream);
              BufferedWriter out = new BufferedWriter(outputstreamwriter);
              // echoing...
              String input = "";
              while (input.compareTo("abort") != 0) {
                   input = in.readLine();
                   System.out.println("Server received message: " + input);
                   out.write(input + " " + input);
                   out.flush();
            } catch (IOException e) {
                 e.printStackTrace();
  }When I run the code, I get
  javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
       at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
       at Echo.run(Echo.java:24)
  Line 24 in Echo.java is SSLSocket connectedSocket = (SSLSocket) socket.accept();
  I have created a keystore according to the JSSE documentation: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
  I have tried relative and full pathnames for javax.net.ssl.keyStore, as well as copying the keystore right into the directory with the class-files
  I have tried to set javax.net.ssl.keyStore (and javax.net.ssl.keyStorePassword) via the command line's -D switch and via System.setProperty
  After all that failed, I even tried to import the generated public key into the server's keystore as well
  No matter what I did, I always get above exception upon calling accept().
  I am using Java 6 (Java(TM) SE Runtime Environment (build 1.6.0_17-b04)) on Windows 7 64 Bit
  Any help is appreciated.

  I have created a keystore according to the JSSE documentation: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
  Are you sure you created a keystore with an RSA keypair, and not a DSA keypair?

• How to Add multiple entry to the group policy security filtering

  How to Add multiple entry to the group policy security filtering
  Is there any way we can add multiple entry to the Domain group policy Security filtering tab.Currently its not allowing to add more then one entry at a time.
  Getting Error like "only one name can be entered,and the name cannot contain a semicolon.Enter a valid name"

  Hi
  Are you trying to add more users or groups through Group Policy Management Security Filtering tab?
  Try right clicking on the policy and then edit
  Then in Editor Right click on the name of the policy and Properties
  Security tab and add user or group from this tab. Just make sure if you are adding user or groups "Select this object type" has
  the correct option also "From this Location" is set to your entire directory not the local server.
  Update us with the above.
  Thanks

• How to find multiple entries in the Directory

  Hi,
  my directory contains lot of multiple entires and I want to find out is there a easier method by a script or command to find out all the mutiple entries in the directory.
  Thanks!!
  Message was edited by:
  Sun_One@TCS
  Message was edited by:
  Sun_One@TCS

  Are you talking about entries that have been renamed because of a Replication Naming conflict (like the entry was added on 2 masters at the same time) ?
  If so, please check the Administration Guide, Replication section.
  <http://docs.sun.com/app/docs/doc/819-0995/6n3cq3av8?a=view#gdquf>
  If you were talking about something else, please be more explicit. Directory Server does not allow you to create multiple entries with the same name. DNs are unique.
  Regards,
  Ludovic

• Probelm client auth from jsse client with open ssl server

  I tried to connect jsse client with a openssl server.. with clientAuth
  This is what i did ..
  Using openssl req comand i created a X509 certificate for server and imported the same to java keystore..
  The communication works fine without client authentication.
  To enable client auth i create client private/public key pair using keytool and exported the public key to a file client.public. and used it in open ssl server .
  This is how i invoke the client ..
  java
  -Djavax.net.debug=all
  -Djavax.net.ssl.trustStore=cacerts
  -Djavax.net.ssl.trustStorePassword=changeit
  -Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
  After which i get following error in server
  SSL3 alert write:fatal:handshake failure
  SSL_accept:error in SSLv3 read client certificate B
  SSL_accept:error in SSLv3 read client certificate B
  ERROR
  17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
  shutting down SSL
  CONNECTION CLOSED
  The client debug says it is recieving a certificate request.. what could be the problem.. can anybody help...

  i also have that problem. I was trying to configure SSL in apache in Win XP machine, but this error occurs. Is there anyone, who can help on it?

• Multiple entries in context menu

  Hi,
  when right click on a file to open with a programm, the context menu shows multiple entries for some apps. My question is now how to put away multiple entries?
  Best regards,
  Thomas

  If you are speaking of the "open with" list having multiple application entries, if could be caused by a couple of things.
  1) The entries could not actually be "duplicates", but essentiially are to you, as you only want one. If you have or have had more than one version of an application, the menu will list all versions of that app that are/were ever detected.
  2) The list could be populated with duplicates that the system detected when either networking with another Mac, or accessing a cloned drive of your system. If this is the case, you need to rebuild the database that is serving up these duplicates.
  Resetting the 'Open With' Menu
  Resetting the 'Open With' menu will remove duplicates and ghost applications (ones you have deleted) from the list. You reset the 'Open With' menu by rebuilding the Launch Services database your Mac maintains. There are multiple ways to rebuild the Launch Services database, including third-party system utilities like Cocktail and Onxy.
  If you don't own a system utility that can rebuild the Launch Services database, don't worry; you can perform the rebuild yourself using Terminal.
  Using Terminal to Rebuild the Launch Services Database
  Launch Terminal, located at /Applications/ Utilities/.
  For OS X 10.5.x and later, enter the following at the Terminal prompt, and press enter:
  /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.fram ework/Support/lsregister -kill -r -domain local -domain system -domain user

• HANDLING MULTIPLE ENTRIES IN THE INTERNAL TABLE

  Hi guys,
            I got some problem with handling multiple entries from database table. I am retriving four fields and an amount field from the database table and creatinf a file to upload in the application server.But the file has to be taken like below.
        If the four fields which i am retrieving are repeated then we have to take the net amount and make all the entries as one record. else if any of the four fields vary then i have to take it as a seperate record in the internal table. So how can we do this !! I have tried AT NEW and some other logics too but could get the exact one.
    Pls help me out ASAP....

  I think I may have misunderstood your problem.  If you have an exactly match(all four fields), only then you need to collect,  right?
  Try this example.
  report zrich_0002.
  data: begin of itab occurs 0,
        field1(10) type c,
        field2(10) type c,
        field3(10) type c,
        field4 type p decimals 2,
        end of itab.
  data: begin of icheck occurs 0,
        field1(10) type c,
        field2(10) type c,
        field3(10) type c,
        field4 type p decimals 2,
        end of icheck.
  data: begin of itab2 occurs 0,
        field1(10) type c,
        field2(10) type c,
        field3(10) type c,
        field4 type p decimals 2,
        end of itab2.
  start-of-selection.
    itab-field1 = 'A'.
    itab-field2 = 'B'.
    itab-field3 = 'C'.
    itab-field4 = '123.45'.
    append itab.
    itab-field1 = 'A'.
    itab-field2 = 'B'.
    itab-field3 = 'C'.
    itab-field4 = '123.45'.
    append itab.
    itab-field1 = 'A'.
    itab-field2 = 'B'.
    itab-field3 = 'C'.
    itab-field4 = '123.45'.
    append itab.
    itab-field1 = 'A'.
    itab-field2 = 'B'.
    itab-field3 = 'C'.
    itab-field4 = '678.90'.
    append itab.
    loop at itab.
      read table icheck with key field1 = itab-field1
                                 field2 = itab-field2
                                 field3 = itab-field3
                                 field4 = itab-field4.
      if sy-subrc = 0.
        move-corresponding itab to itab2.
        collect itab2.
      else.
        move-corresponding itab to icheck.
        append icheck.
        move-corresponding itab to itab2.
        append itab2.
      endif.
    endloop.
    check sy-subrc  = 0.
  Regards,
  Rich Heilman

• X.509v3 KeyUsage for an SSL Server

  Hello,
  Apparently, JSSE clients (incl. 1.0.2) will not trust an SSL server if its cert has a critical keyUsage extension that does not include the digitalSignature usage. However, I have come across a number of CAs which routinely issue SSL server certs including a critical keyUsage extension which only has the keyEncipherment usage.
  I came across a posting in the comp.lang.java.security newsgroup where the author indicated he subitted this behavior as a bug to Sun, but it's not currently showing up in the bug database.
  Does any one know if JSSE is correct in requiring the digitalSignature usage? Where can I find an authoritative answer? Also, what's Sun's position on the matter?
  Thanks in advance,
  Chase

  Here's a work around for this problem. I've tested it only on 1.3.1_01, so YMMV.
  The idea is to wrap the default X509TrustManagers with a new Manager that intercepts the isServerTrusted method. From there, you can wrap the first certificate in the chain with a new X509Certificate object that reports that the digitalSignature KeyUsage is present for all certs.
  Now when the REAL isServerTrusted is called, the certificate will report that digitalSignature is present -- even if it isn't.
  It may be possible to approach this from the other side and change the default CertificateFactory...but I haven't really looked into that...and probably won't.
  Wayne
  ---BEGIN CODE FRAGMENT---
  //Create TrustStore
  KeyStore ts = KeyStore.getInstance("JKS");
  InputStream truststream = new FileInputStream(truststore);
  ts.load(truststream, trustphrase.toCharArray());
  //Get Trust Factory
  TrustManagerFactory tmanagerFac = TrustManagerFactory.getInstance("SunX509");
  tmanagerFac.init(ts);
  //Wrap the TrustManagers
  TrustManager[] trustManagers = tmanagerFac.getTrustManagers();
  for(int mancount=0; mancount<trustManagers.length; mancount++) {
  if(trustManagers[mancount] instanceof X509TrustManager) {           
  TrustManager tempMan =
  new FixedX509TrustManager((X509TrustManager)trustManagers[mancount]);
  trustManagers[mancount] = tempMan;
  //Create Context
  SSLContext context = SSLContext.getInstance("TLS");
  context.init(
  kmanagerFac.getKeyManagers(), //very similar to creating TrustManagerFactory, code not provided.
  trustManagers,
  null);
  //Now you can pull SocketFactory's and ServerSocketFactory's off this SSLContext.
  //SUPPORTING CLASSES
  * Wrapper class for X509TrustManager.
  * It intercepts calls to isServerTrusted() to replace the base certificate
  * with a FixedX509Certificate which will report that the digitalSignature
  * flag is set in the KeyUsage extension.
  * By default, the Sun implementation of JSSE requires Server certs to have
  * the digitalSignature flag set. However, many production certs do not have
  * this set because it probably SHOULDN'T be set.
  * By using this class to wrap all the X509TrustManagers in your SSLContext,
  * you can defeat this bug, and restore order to the universe.
  private class FixedX509TrustManager implements X509TrustManager {
  private X509TrustManager tm_ = null; //wrapped trustmanager
  public FixedX509TrustManager(X509TrustManager tm) {
  tm_ = tm;
  //replace the base cert with a cert that has a forced digitalSignature Usage.
  public boolean isServerTrusted(X509Certificate[] chain) {
  if(chain.length > 0) {
  X509Certificate forcedCert = new FixedX509Certificate(chain[0]);
  chain[0] = forcedCert;
  return tm_.isServerTrusted(chain);
  public boolean isClientTrusted(X509Certificate[] chain) {
  return tm_.isClientTrusted(chain);
  public X509Certificate[] getAcceptedIssuers() {
  return tm_.getAcceptedIssuers();
  * Wrapper class for X509Certificate.
  * Calls to getKeyUsage() are intercepted to always report that the digitalSingature
  * usage flag is set.
  * @see FixedX509TrustManager
  private class FixedX509Certificate extends X509Certificate {
  private X509Certificate cert_ = null; //the wrapped cert
  public FixedX509Certificate(X509Certificate cert) {
  cert_ = cert;
  // "Override" to force every cert to have digitalSignature set.
  public boolean[] getKeyUsage()
  boolean[] bits = cert_.getKeyUsage();
  if(bits.length > 0) {
  bits[0] = true; //force digitalSignature.
  return bits;
  //Just wrap the rest of the methods....
  public void checkValidity()
  throws CertificateExpiredException, CertificateNotYetValidException
  cert_.checkValidity();
  public void checkValidity(Date date)
  throws CertificateExpiredException, CertificateNotYetValidException
  cert_.checkValidity(date);
  public int getVersion()
  return cert_.getVersion();
  public BigInteger getSerialNumber()
  return cert_.getSerialNumber();
  public Principal getIssuerDN()
  return cert_.getIssuerDN();
  public Principal getSubjectDN()
  return cert_.getSubjectDN();
  public Date getNotBefore()
  return cert_.getNotBefore();
  public Date getNotAfter()
  return cert_.getNotAfter();
  public byte[] getTBSCertificate()
  throws CertificateEncodingException
  return cert_.getTBSCertificate();
  public byte[] getSignature() {
  return cert_.getSignature();
  public String getSigAlgName()
  return cert_.getSigAlgName();
  public String getSigAlgOID()
  return cert_.getSigAlgOID();
  public byte[] getSigAlgParams()
  return cert_.getSigAlgParams();
  public boolean[] getIssuerUniqueID()
  return cert_.getIssuerUniqueID();
  public boolean[] getSubjectUniqueID()
  return cert_.getSubjectUniqueID();
  public int getBasicConstraints()
  return cert_.getBasicConstraints();
  public boolean hasUnsupportedCriticalExtension()
  return cert_.hasUnsupportedCriticalExtension();
  public Set getCriticalExtensionOIDs() {
  return cert_.getCriticalExtensionOIDs();
  public Set getNonCriticalExtensionOIDs()
  return cert_.getNonCriticalExtensionOIDs();
  public byte[] getExtensionValue(java.lang.String ext)
  return cert_.getExtensionValue(ext);
  public byte[] getEncoded() throws CertificateEncodingException
  return cert_.getEncoded();
  public PublicKey getPublicKey()
  return cert_.getPublicKey();
  public int hashCode()
  return cert_.hashCode();
  public String toString()
  return cert_.toString();
  public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException,
  InvalidKeyException, NoSuchProviderException, SignatureException
  cert_.verify(key);
  public void verify(PublicKey key, String provider) throws CertificateException, NoSuchAlgorithmException,
  InvalidKeyException, NoSuchProviderException, SignatureException
  cert_.verify(key, provider);
  </pre>
  ---END CODE FRAGMENT---

• Multiple entries in To

  Hi,
  I have a problem with my server. when certain people send mail with multiple entries in the " To" address field. the server only delivers them to the 1st entry. I spoke to apple and they advised this was a feature of the server and people who do this should really use the CC field. try telling 90% of the worlds population email etiquette. I was told this could be changed in the terminal but the rep would not give me that info over the phone without pro support. anyone have any ideas?

  I spoke to apple and they advised this was a feature of the server and people who do this should really use the CC field
  <cough>BS</cough>
  I can't believe anyone at Apple said that was expected. That's worth complaining to Apple Support about because clearly whoever you spoke to isn't qualified to take calls.
  Specifying multiple 'to' recipients should be entirely valid. I'd look at the mail logs to see what's going on.

• Ssl termination for multiple names

  trying to configure an additional secure http VIP on a css11503 running webns 7.4
  I've defined the second ssl service below:
  service ssl_serv2
  type ssl-accel
  keepalive type none
  add ssl-proxy-list list2
  slot 2
  however when I want to activate the service, I get an error about the slot already being used.
  How can I implement a second secure service? I already bought a second cert from Verisign, imported it and activated the list2 ssl-proxy-list.
  Is there a limitation of one secure VIP per CSS?
  dayo

  you can have only one ssl-proxy-list active.
  However, you can have multiple server defined inside a proxy-list
  ssl-server 1 ....
  ssl-server 2 ....
  ssl-server n ...
  So, you basically need only 1 service pointing to 1 ssl-proxy-list inside which you have all the ssl-server with different vip and reals.
  Regards,
  Gilles.

• CE SR1 doesnt start: Keystore - User entries doesnt start

  I had installed Composition environment SR 3 from SDN.
  But the server never completely starts: Some processes are always waiting to complete.
  Its Keystore -> User Entries: At least one entry has already expired......
  I unistalled and tried again. Same problem persists.
  Please help
  Prem
  Edited by: Prem Mascarenhas on Feb 20, 2008 8:25 AM

  It finally started up. Just give it at least 45 mins or n hour the first time

• How to setup Print server on multiple machines?

  Hi,
  Can someone please let me know the process to setup Print Server on multiple machines?
  This is what I have been thinking.
  1. Install Ghostscript on all the machines.
  2. Setup Print Server on all the machines.
  3. I guess I have to point the IP address somewhere as final step?
  Thanks in advance
  PM

  The steps you have mentioned is correct.
  When you set up the print service ,you will define the URL for Financial Reporting web application server in the .properties file and this will get registered in the HSS registry(This is the step where you run the FRprintserversetup.cmd).So when you run the setup from each print server there will entries created for the same in HSS registry.Then there will internal logic which will work on which server should take which process.
  Thx

• Single Host name has multiple entry in SCCM 2007 R3 Console

  Hi Experts,
  A single host name which was not in Active Directory is keep on discovering in SCCM console and makes multiple entries. I am deleting that Host from the SCCM console but it is keep on reoccurring in the console. Delta discovery is not enabled. 
  Kindly help me to fix this problem. Thanks
  Regards,
  Ranjith

  Check if SCCM client is installed on the machine. Uninstall the client setup using if you don't require the machine to report to SCCM server (browse to ccmsetup folder and run "ccmsetup.exe /uninstall" using cmd prompt).
  Just deleting the machine from console will not remove the client installed on it. The SCCM client will always try to report to the assigned server.
  ~ Rajeesh M | Blog:
  ScorpITsPlease remember to 'Mark as Answer' or 'Vote as Helpful' on the post that helps. It helps others reading the thread and recognizes useful contributions. |