SSL Trust store (root CAs) for t3S client

Similar Messages

• Does JMS support reliable messaging (store-and-forward) for app clients?

  I need to write an enterprise application client (launched with Java web start or packaged with a tool like Sun's package-appclient) that can send messages reliably from Linux to Windows. JMS seems like the obvious solution, so I deployed an EAR file with an MDB and an application client on a Windows machine (running SJSAS 9). I was able to download the client jar file onto Linux and send JMS messages successfully. However, if the Windows machine is not available, the Linux client immediately throws exceptions and fails. Are there any JMS providers that provide a store-and-forward mechanism for enterprise clients, so that if the remote server is not available immediately, messages are delivered later? (Note that the client can't be a servlet or other server-managed component.)
  I'd prefer an open-source solution, but this requirement has an extremely high priority for my customer, so I'll use a commercial product if necessary. And if there's something other than JMS that works, that would be fine. (In my case, the messages on the remote side ultimately go to a .NET service, so WS-ReliableMessaging would be ideal, but it looks WS-RM won't be integrated into .NET until Vista, and the current WS-RM implementation is a beta, etc., etc.)
  Thanks,
  Mike

  You could use Apache ActiveMQ
  http://incubator.apache.org/activemq/
  which supports embedded brokers inside each JVM which can be networked together in a store-forward mechanism so that each application keeps working and store-forwarding messages.
  http://incubator.apache.org/activemq/networks-of-brokers.html
  or you can use failover transport to handle automatic reconnection...
  http://incubator.apache.org/activemq/how-can-i-support-auto-reconnection.html
  If you need to communicate with some .Net you can use the NMS - the .Net Messaging API which has a client for ActiveMQ as well...
  http://incubator.apache.org/activemq/nms.html
  James
  http://logicblaze.com/
  Open Source SOA

• SSL CA Trust Store issue in Android 2.1

  Here is one more reason Samsung/Verizon should push Android 2.2. Websites using SSL Certificates from some valid  Certificate AUthorities are throwing SSL Certificate warnings when accessed via Android 2.1. This is because the CA Trust store in Android 2.1 is old and incomplete. It does not contain the full list of trusted CAs that are commonly found in regular desktop browsers like Safari, Chrome, FF and IE. Android 2.2 has a more updated and complete Trusted CA store.
  Also, Android 2.1 does not have a published feature for importing CA Certificates (there are some manual workarounds for people who took their phone to the dentist). So, even if you had a valid reason to add a valid CA certificate from a company like Verisign or COMODO or your enterprise to your trust store, you can not do it. So, you have to get used to constantly accepting certificate warnings (which is a security risk in that you may inadvertenty accept a certificate signed by a really invalid/bad CA)
  Is anyone aware of a fix for this issue? If not, does Verizon have any plans to address it?
  ps: I do not want help for installing client certificates. These are not the same as CA certificates. Android can import client certificates from a URL or from an SD card using Settings->Locations&Security->Credential Storage section.

  [Edited to comply with Terms of Service]
  They were talking about this
  In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).
  Digital certificates are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA).
  A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate - a signature by a root certificate is somewhat analogous to "notarizing" an identity in the physical world. Certificates further down the tree also depend on the trustworthiness of the intermediates (often known as "subordinate certification authorities").
  Many software applications assume these root certificates are trustworthy on the user's behalf. For example, a Web browser uses them to verify identities within SSL/TLS secure connections. However, this implies that the user trusts their browser's publisher, the certificate authorities it trusts, and any intermediates the certificate authority may have issued a certificate-issuing-certificate, to faithfully verify the identity and intentions of all parties that own the certificates. This (transitive) trust in a root certificate is the usual case and is integral to the X.509 certificate chain model.
  The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers

• How to set a default trust store just for DirContext not the whole JVM

  I need to connect to a secure LDAP server ( URL is ldaps://..../). The Server certificate in this LDAP server is a self signed cert so I need to put this certificate in my Keystore as well for me to connect to it.
  My code is something like :
    DirContext ctx=null;
      Properties prop = .... ;
      // I set URL etc. in this.
      KeyStore ks = some_function_call();
      // save this keystore to file
      java.io.FileOutputStream fos =  new java.io.FileOutputStream("/tmp/newKeyStoreName.jks");
      char[] password = .....
      ks.store(fos, password);
      fos.close();
      // set this keystore as the default Keystore.
      System.setProperty("javax.net.ssl.trustStore", "/tmp/newKeyStoreName.jks");
      System.setProperty("javax.net.ssl.trustStorePassword", ...);
      System.setProperty("javax.net.ssl.trustStoreType", "jks");
      ctx = new InitialDirContext(prop);My problem is when I do a System.setProperty it makes it the default trust store for the whole JVM. I want a solution that would use this trust store only for the DirContext as I do not want this keystore to be used for other parts of my code. And its an MT application so setting keystore back to default one after this LDAP query gets over won't work.
  I tried changing System.setProperty to props.put() it doesn't work.
  Any ideas?

  I have the same problem. I have to make 2 different SSL calls to 2 different 2 servers and if I set to System truststore and keystore properties I have a problem, 'cause those are different for each server.
  I you have found the solution in the meanwhile, maybe you can write it here.
  thanks,
  Mihai

• Push windows trusted root certificate to adobe trusted store/certificate

  Hi,
  Can we push windows trusted root certificate to adobe trusted store/certificate ?
  Regards,
  Nitin Harikant

  I have tried something similar by trying to import the Windows Cert Store into Adobe, but I never did have it work. I just recently found the option is XI for Adobe to look at the Windows store itself.
  XI: Edit > Preferences > Signature > (Verification) More... > (Windows Integration) Check Validating Signatures, Check validating Certified Documents
  It should happen right away; although I will note I am having issues with this working for Non-Admins on a Terminal Server. Might be a privilege issue.
  If you want to set via GPO:
  Key Path: Software\Adobe\Adobe Acrobat\11.0\Security\cASPKI\cMSCAPI_DirectoryProvider
  Value Name: iMSStoreTrusted
  Value Type: Reg_DWORD
  Value Data: 62, or 60 (Hex)
  Link: Digital Signatures

• I'm trying to change my phone case, i have the bumper that screws in if i goto the apple store will they unscrew the case for me?

  I have the bumper case that screws in so it doesn't fall apart, but i want to take it off. Will the apple store unscrew the case for me? or would i have to go to At&T to have them screw it off?

  Hey,
  I can confirm what xtremecaron has said, Apple will defo not remove the bumper for you. Best bet is to try different screwdrivers.

• Should i get the sleeve or the case for my macbook air 13 inch. I work under air conditioned room most of the time. I also store my macbook air in an air conditioned room 24/7.

  I am a college student but I don't really bring my Mac with me all time. I have read that room temperature affects the macbook air and that it needs an optimum temperature. Some sites suggested sleeves as opposed to cases for room with cold temperature. What do you guys think since I use and store my macbook in a cold room. Thanks!!

  Hey kesh888,
  Thanks for the question. After reviewing your post, it sounds like you have a question about the operating temperature of a MacBook Air. I would recommend that you read this article, it may be able to help you resolve or isolate the issue.
  Mac notebooks: Operating temperature
  The location you are using your notebook should be within these ranges: 
  Operating temperature: 50° to 95° F (10° to 35° C)
  Thanks for using Apple Support Communities.
  Have a nice day,
  Mario

• LDAP SSL - ways to provide trust store/key store details.

  In our application we need to talk to LDAP over ssl.
  We are using following to create ldapContext
  System.setProperty ( "javax.net.ssl.trustStore",
                            tStoreFile.getAbsolutePath() );
  System.setProperty ( "javax.net.ssl.keyStore",
                            keyStoreFile.getAbsolutePath() );
  System.setProperty ( "javax.net.ssl.keyStorePassword", kspasswd );
  System.setProperty ( "javax.net.ssl.trustStorePassword", tspasswd );
  LdapContext ctx = new InitialLdapContext(env, null);is there any other way to provide Key/Trust store details?
  Thanks

  of course : http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization

• What store sells case-mate barely there cases for iphone 4S?

  I want to get a Case-Mate Barely There case for my iPhone 4S, but I want to find one in a store. Does anyone know of a store that sells them?

  I seriously doubt they will exchange your iPhone with one of the display units.
  Doubtful if Apple has any refurbished iPhone 4S in stock for an exchange under warranty at this point. An exchange under warranty is provided in a plain box with the iPhone only regardless if new or refurbished and there should be no way to tell the difference. The exchange will remain under the same warranty as your original purchase.

• Carry cases for the 11" MacBook Air and new 12" MacBook IN-STORE

  i came in-store today to look at the new MacBooks (which the store did not have) so I started to ask questions about what accessories the store was going to be stocking for it.  They didn't have any of the new USB-C accessories either and when I asked about cases, the employee became noticeably uncomfortable. Come to find out, it's because the stores don't really carry ANY cases for the smaller MacBooks in-store except a Thule bumper case. The employee began showing me Surface and Chromebook cases and a lot of them didn't look all that great. Interesting enough, I jumped online tonight, navigated over to BestBuy.com > Computers > Laptops > All Laptops and sorted them by "Best Selling."  The 11.6" MacBook Air came up within the top 45 results and the other 11.6" MacBook model, the top 60 results. So you have two 11" Apple MacBook Pros that, by your own admission, BOTH rank within the top 60 in regards to sales and you carry a whopping 1 case that is actually for them. I point that out because while you can use a Surface Case for an Air, most don't have pockets to accommodate a MagSafe adapter, for example, because the charger for the Surface is much smaller.  You're now (with the new MacBooks) adding TWELVE new sub 13-inch laptops to your inventory which would officially mean you have 14 notebooks with a screen smaller than 13" inches, 6 notebooks with a screen 13" inches and 2 notebooks with a 15" screen. 90% of your in-store case inventory are for 13" MacBooks, 9% are for 15" and 1% (being very modest here) are for the 11.6."  Now, I was not a math major, but I was a marketing and management minor and I can tell you that I see a huge problem with this picture that is begging to be solved. This problem only becomes more compounded when you consider that May-September, laptops take center stage in electronics/office stores for sales as students began to shop for laptops for back-to-school.

  Here are a few nice-looking 11" and 12" sleeves that I found online that I believe would be an asset to your inventory.  The Decoded MacBook Air Slim Cover - $99.99 MSRPBlack Python MacBook Leather Cover - $149.99 MSRPHampshire Laptop Sleeve - $72 MSRP I saved the best for last:MacBook Laptop SleeveCase - $45 to $75 MSRPThere's a pouch that attaches to the sleeve. At first glance it looks like part of the "case" but it's actually an add-on that converts a basic sleeve into a case with extra room for accessories (see below for sleeve without this pouch).Available trims for this sleeve/case.Sleeve with flap and without the shoulder strap or pouch add-on. 

• Does the apple store (not online) sale cases for the iphone?

  i was wondering because tonight im going to an apple store and look for a case i am hapopy with.

  Yes, but the two stores in my area have been out of stock on a lot of cases. They seem to be a hot item right now.

• Available cases for nano in apple retail stores

  Does anyone know if the Apple Stores carry any other cases for the nano besides the rubber silicon tube things? I have an Agent 18 Click Shield for my iPod mini right now, and I visited their website recently and saw that they make one for the nano too. If not, do you know of any other type of protection for the nano that works to prevent the scratches that everyone has talked about?

  Most of the third party cases still aren't out yet so you won't be seeing them in stores right away but you could look again after Halloween and see if there's anything by than. There are several threads about cases here are four from what I could remember http://www.iskin.com/ http://www.zcover.com/store/catalog/
  http://www.welovemacs.com/ipnaac.html
  http://www.decalgirl.com/browse.cfm/2,201.htm

• Setting Up Certificate Validation for Jabber clients

  Hi:
  I would like to get certificates signed from private internal CA for Jabber clients. Cisco documentation says it requires HTTP/Tomcat for CUPS, HTTP/Tomcat for CUCM and UCXN[8.6].
  The exiting Tomcat certificate has these two files: tomcat.pem, tomcat.der and a bunch of tomcat-trust certificates as well with associated files.
  My question is is there any harm in generating a new tomcat certifcate or could I just generate CSR's for the two existing Tomcat files to be signed? When you generate a new Tomcat certificate does it create or overwrite the .pem and .der? I don't want to break anything in this process so looking for some feedback.
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_2_5/JABW_BK_CAAD3F25_00_cisco-jabber-for-windows-release-notes/JABW_BK_CAAD3F25_00_cisco-jabber-for-windows-release-notes_chapter_011.html

  Generating a CSR for the Tomcat certificate and installing the signed certificate will replace the .pem/.der file you see listed. Once you sign the CSR and upload the final certificate, you'll need to restart Cisco Tomcat from the CLI for it to pickup the new cert. Anything that is in a -trust store is something that server will accept during a TLS/SSL handshake, not something it uses itself.

• Unable to load custom trust store in cluster

  Weblogic 9.2 cluster with three nodes. Each is configured to use custom trust store. The same jks is copied to every node.
  On node1 ssl works perfectly but on node2 and node3 certificate validation fails. Interesting is the stack that is thrown after first validation request, when Weblogic starts to load truststore:
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211972> <000000> <SSLSetup: loading trusted CA certificates>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211984> <000000> <SSLContextManager: loading server SSL identity>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211986> <000000> <MBeanKeyStoreConfiguration: constructor - using mbean trust config>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211989> <000000> <PreMBeanKeyStoreConfiguration: constructor - explicitly configured=true>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211992> <000000> <PreMBeanKeyStoreConfiguration: constructor - TrustKeyStore[0]=FileName=/bea/keystores/MyTrust.jks, Type=jks, PassPhraseUsed=true>
  ####<Jan 17, 2011 5:46:51 PM EET> <Debug> <SecurityKeyStore> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279211994> <000000> <MBeanKeyStoreConfiguration: constructor - TrustKeyStore[0]=FileName=/bea/keystores/MyTrust.jks, Type=jks, PassPhraseUsed=true>
  ####<Jan 17, 2011 5:46:51 PM EET> <Notice> <Security> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1295279211998> <BEA-090171> <Loading the identity certificate and private key stored under the alias beal2.srv.sise from the jks keystore file /bea/keystores/MyIdentity.jks.>
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212009> <000000> <Failed to load server trusted CAs
  java.lang.NullPointerException
       at weblogic.security.utils.SSLContextManager.getRealmName(SSLContextManager.java:594)
       at weblogic.security.utils.SSLContextManager.getServerSSLIdentity(SSLContextManager.java:535)
       at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:276)
       at weblogic.security.utils.SSLContextManager.getDefaultServerSSLContext(SSLContextManager.java:221)
       at weblogic.security.utils.SSLContextManager.getServerTrustedCAs(SSLContextManager.java:183)
       at weblogic.security.utils.SSLSetup.getTrustedCAs(SSLSetup.java:505)
       at weblogic.security.utils.SSLSetup.getSSLContext(SSLSetup.java:384)
       at weblogic.security.SSL.SSLSocketFactory.setSSLClientInfo(SSLSocketFactory.java:218)
       at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:36)
       at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:28)
       at weblogic.security.SSL.SSLSocketFactory.getDefault(SSLSocketFactory.java:55)
       at com.liferay.portal.security.auth.WeblogicSocketFactory.createSocket(WeblogicSocketFactory.java:21)
       at com.liferay.portal.security.auth.WeblogicSocketFactory.createSocket(WeblogicSocketFactory.java:30)
       at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
       at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
       at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
       at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
       at com.liferay.portal.servlet.filters.sso.cas.Cas20ProxyTicketValidator.retrieveResponse(Cas20ProxyTicketValidator.java:73)
       at com.liferay.portal.servlet.filters.sso.cas.Cas20ProxyTicketValidator.validate(Cas20ProxyTicketValidator.java:46)
       at com.liferay.portal.servlet.filters.sso.cas.CASFilter.processFilter(CASFilter.java:172)
       at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:91)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3242)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2010)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1916)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
  >
  ####<Jan 17, 2011 5:46:52 PM EET> <Deb...
  during the validation I get following:
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212020> <000000> <Cannot complete the certificate chain: No trusted cert found>
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212020> <000000> <Validating certificate 0 in the chain: Serial number: 1283510590
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212023> <000000> <validationCallback: validateErr = 16>
  ####<Jan 17, 2011 5:46:52 PM EET> <Debug> <SecuritySSL> <beal2.srv.sise> <bea2A> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1295279212025> <000000> <weblogic user specified trustmanager validation status 16>
  I have run out of ideas. The certificate is in trustore. I think my issues are related to that NullPointer but because it is Weblogic internal code I have no idea what's causing it. I know somehow node1 has to be different but I don't know where to look anymore.
  After decompiling SSLContextManager getRealmName looks like this:
  private final String getRealmName()
  return runtimeAccess.getDomain().getSecurity().getRealm().getName();
  What configuration am I missing?

  Maybe this helps....
  I would try to check the following steps:
  - Are node2 and node3 on the same machine as node1?
  - Is present and readable "/bea/keystores/MyTrust.jks" on each machine?
  - Who signs the trust certificate in "MyTrust.jks"? I.E.: it is needed a trust chain to validate MyTrust?
  From your decompilation it seems that one of these
  - runtimeAccess;
  - runtimeAccess.getDomain();
  - runtimeAccess.getDomain().getSecurity();
  - runtimeAccess.getDomain().getSecurity().getRealm();
  is null ...
  Bye
  Mariano

• ISE - Multiple Issuing Subordinate CAs for EAP Auth?

  Is it possible to utilise multiple issuing subordinate CAs with an ISE implementation? In short I have a situation where the client is wanting to issue certificates for one group of users from CA1 and issue certificates for another group of users from CA2.
  As far as I can see it is not possible to have two different server certificates installed on a policy node for the purposes of EAP authentication. Is the only way around this to install a policy node per issuing certifcate server?

  Ok to add to this I would really like some clarification on certificate installation for the purposes of EAP-TLS. The Cisco doco is at best vague on this topic. I have a distributed deployment with 2 x Admin, 1 x monitoring and 2 x PSN. I have installed a Public HTTPS server auth cert on each device and all nodes are joined. I would now like to utilise MS CA cert infrastructure to authenticate EAP-TLS.
  My understanding is that I need the MS CA Root Cert and Subordinate Cert on the Admin node with the subordinate cert ticked for trust for EAP Auth. Is there a requirement for a Server Authentication certificate on the Admin Node? Going forward with that Is there a requirement to add a server authentication certificate to the PSN Nodes?
  In addition back to my first question is it possible to utilise multiple subordinate CAs for client authentication if so how as I cannot seem to click trust for EAP on multiple certs