SSL with XDB for RAC

Similar Messages

• Ssl with NES for files inside '.war' in WLS.

  hi
  Is this connection possible for pages served by WLS?
  browser ---(ssl)https--->NES->plug-in----plain-http--->WLS
  If yes, then my question is how to setup a secure session for my form-based login.jsp page that resides inside a '.war' file.
  I want to use ssl to transmit the login-id and password between the browser and NES only.
  2. In the above setup does the user-data-constraint element in web.xml have any effect on the data flow between the browser and NES?
  thanks
  sriram

  hi
  Is this connection possible for pages served by WLS?
  browser ---(ssl)https--->NES->plug-in----plain-http--->WLS
  If yes, then my question is how to setup a secure session for my form-based login.jsp page that resides inside a '.war' file.
  I want to use ssl to transmit the login-id and password between the browser and NES only.
  2. In the above setup does the user-data-constraint element in web.xml have any effect on the data flow between the browser and NES?
  thanks
  sriram

• How Do I Configure SSL for RAC Installation.

  Experts,
  Requesting your inputs on configuring SSL for my RAC environment.
  - Oracle DB version is 11.2.0.2
  - RAC is with two nodes.
  - Two nodes are : rac1.oracle.com and rac2.oracle.com
  - RAC setup has SCAN feature configured. SCAN FQDN : racscan.oracle.com
  - All clients talk to RAC DB using SCAN feature as shown below.
  client applications -> racscan.oracle.com ---> rac1.oracle.com
  ---> rac2.oracle.com
  - tnsnames.ora file on both RAC instances has hostname as "racscan.oracle.com" instead of their individual phyiscal host names.
  How do I configure SSL for RAC:
  1. Do I need to generate certificate request for individual hostnames or only for SCAN hostname ?.
  2. If I generate a certificate based on SCAN hostname, how does SSL work since SCAN hostname is not a phyiscal host name ?
  3. What is recommended strategy for configuring SSL for RAC environment ?
  Thanks

  The documentation on the creation of Oracle Wallets is not specific to RAC, and the RAC SCAN instructions for TCPS are very vague on the specific requirements for the certificates required in the wallets for proper operation. I too am struggling to get it to work. Does anyone have a more technical guide to the specific configuration of the certificates needed and what specific configuration file changes need to be made?
  Also, the self signed documentation is getting REALLY old. Oracle, please stop giving instructions that demonstrate irresponsibility and show the proper method of certificate requesting and importing to wallets.
  Edited by: user11338513 on Mar 21, 2012 2:23 PM

• Please help with RMAN dup for RAC db

  Happy Holidays!! All,
  I need help with the following issue:
  Both target and auxiliary databases are:
  Database version is 10.2.0.3 with 2-node RAC db
  Servers are MS 2003
  Oracle Clusterware 10.2.0.3
  Oracle ASM for storage
  I have run the rman dup from RAC to a single instance db for a while. This is the first time I ran from RAC to RAC. This auxiliary db was refreshed before and was up for a while and was managed by server control tool. Now I am trying to refresh it with new backup files from production. I did the following as people suggested:
  1)     shutdown instance in the second node.
  2)     Startup nomount mode in the first node
  3)     Run RMAN dup
  It failed in the same place with slightly different errors. I pasted error messages at the bottom. I already created a TAR with Oracle but would like to know if anybody has any info related to this. Also I have several questions to ask:
  1)     Should I stop all services related to Oracle in node-2
  2)     Should I stop all clustware related services in node-1 except oracleCSServie since ASM uses it?
  3)     Is there any way I can finish the dup manually from the place I failed? What going to happen if I don’t finish the rest of the dup and go ahead with “alter database open resetlogs”?
  4)     How do I remove the database from under Server control – I already run “srvctl remove database -d atlrac” successfully. Is this all?
  Thanks a lot for your help and have a great holiday season!!!
  First time run:
  contents of Memory Script:
  shutdown clone;
  startup clone nomount ;
  executing Memory Script
  database dismounted
  Oracle instance shut down
  connected to auxiliary database (not started)
  RMAN-00571: ====================================================
  RMAN-00569: ======= ERROR MESSAGE STACK FOLLOWS ==============
  RMAN-00571: =============================================
  RMAN-03002: failure of Duplicate Db command at 12/21/2009 20:24:47
  RMAN-03015: error occurred in stored script Memory Script
  RMAN-04014: startup failed: ORA-00610: Internal error code
  Second time run:
  contents of Memory Script:
  shutdown clone;
  startup clone nomount ;
  executing Memory Script
  database dismounted
  Oracle instance shut down
  connected to auxiliary database (not started)
  RMAN-00571: ===================================================
  RMAN-00569: ========== ERROR MESSAGE STACK FOLLOWS ==========
  RMAN-00571: ===================================================
  RMAN-03002: failure of Duplicate Db command at 12/22/2009 15:53:27
  RMAN-03015: error occurred in stored script Memory Script
  RMAN-04014: startup failed: ORA-03113: end-of-file on communication channel
  Shirley

  1) Should I stop all services related to Oracle in node-2
  No, you just need to stop the second instance.
  2) Should I stop all clustware related services in node-1 except oracleCSServie since ASM uses it?
  No, you don't need to stop anything. Just have the instance startup nomount.
  3) Is there any way I can finish the dup manually from the place I failed? What going to happen if I don’t finish the rest of the dup and go ahead with “alter database open resetlogs”?
  You have not shown enough information. Did the restore succeed ? Did the recover succeed ? What was it doing when it failed ?
  4) How do I remove the database from under Server control – I already run “srvctl remove database -d atlrac” successfully. Is this all?
  Yes, srvctl remove database is all you need. (unless you also want to remove from listener.ora, tnsnames.ora, oratab etc)

• CSS11500 SSL handling question for multiple url/FQDNs with the same ip address

  I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url.   For instance, I can set up www.cats.com and www.dogs.com at the same 192.168.35.12 address in DNS, and set up two different content rules:
  content cats
  vip address 192.168.35.12
  port 80
  url "//www.cats.com/*"
  add server cats1
  add server cats2
  active
  content dogs
  vip 192.168.35.12
  port 80
  url "//www.dogs.com/*"
  add server dogs1
  add server dogs2
  active.
  Easy and straightforward.
  But what if I want to add SSL handling for https://www.cats.com and https://www.dogs.com?
  I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.
  Can this be done?  Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service?  Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?
  Thanks in advance for any insights.

  Hi Tim,
  Unfortunately this is not possible; you can't associate multiple certificates to a single proxy list due to the fact that SSL handshake is done first with no visibility of the URL being requested, so the CSS won't know which public server to use in order to perform the traffic decryption.
  But there are a couple of options that you may want to look at (depending on the URL string)
  If your URLs are subdomains and you hold a wildcard SSL certficate to match multiple requests, i.e your domain being "pets.com" you can have a certficate that will match request for dogs.pets.com or cats.pets.com because the cert will be in the form *.pets.com
  The second option is SAN (Subject alternative names) certificates; which give you the option to include up to 4 flavors of the domain within the same file, such as pets.com, pets.net, www.1pets.com.
  I hope this helps.
  Pablo

• Oracle RAC + Clusterware and another Cluster with Clusterware for SAP

  Hi,
  I have some questions about implementation of Oracle RAC and Clusterware with SAP
  For exemple, an architecture with 4 servers ( 2 real and 2 vritual ).
  I would like to know if i can do this
  2 servers for the first cluster.
  First cluster is with Clusterware and Oracle RAC
  This is for all the SAP Oracle databases environment
  I think there is no problem here.
  Now, with 2 others servers il would like to make another cluster (with also clusterware ) for SAP Central services (SCS) and enque replication server (ERS)
  Because all architecture is for only one SAP environment with separate services.
  1 for Database (cluster 1)
  1 for Central services ( cluster 2, virtual machine )
  1 for Dialogue Instance (no cluster)
  To be clear, the second cluster is to make HA of central services SAP (SCS and ERS )
  My question 2 are :
  Is it a good job to do this ? or there is anything wrong ?
  Do i have to install antoher clusterware for this 2 servers or i have to make anything with the existing clusterware + oracle RAC ??
  Thank you very much for you help
  Edited by: user12395221 on 29 déc. 2009 15:36

  Hi Givre,
  have you checked: Providing High Availability for SAP Resources (http://www.oracle.com/technology/products/database/clusterware/pdf/sap-availability-on-rac-twp.pdf) available on otn.oracle.com/clusterware? Not being an SAP expert myself, I still think, this paper describes the configuration - at least partially - that you are trying to set up.
  Just an idea. Thanks,
  Markus

• Oracle10g RAC with ASM for stretch cluster

  Assuming suitable network between sites is in place for RAC interconnect (e.g. dark fibre / DWDM), does it make sense (or is it possible) to stretch a RAC cluster across 2 sites, using ASM to mirror database files between SAN storage devices located at each site? The idea being to combine local high availability with a disaster recovery capability, using hardware that is all active during normal operation (rather than say a single RAC cluster on one site with Data Guard to transport data to the other site for DR).
  Or, for a stretch cluster, would SAN / OS implemented remote mirroring be a better idea? (I'd have thought this is likely to incur even more overhead on the network than ASM, but that might be dependant on individual vendors' implementations).
  Any thoughts welcome!
  Rob

  Please refer the thread Re: 11GR2 ASM in non-rac node not starting... failing with error ORA-29701
  and this doc http://docs.oracle.com/cd/E11882_01/install.112/e24616/presolar.htm#CHDHAAHE

• LabVIEW network library with support for SSL, Ping and IPv6

  I have posted on LAVA
  an OpenG package that will install a LabVIEW network library with
  support for SSL, Ping and IPv6.
   Please go there if you are
  interested to look it up.
  Rolf Kalbermatter
  CIT Engineering Netherlands
  a division of Test & Measurement Solutions

  Bob Y. wrote:
  OK,  but what is it and why should I use it?  What need does it fulfill?  I have been unable to find much documentation for this at the wiki page and maybe a couple of paragraphs here would help.
  Thanks,
  Bob Young
  Hi Bob,
  Yes, this info got burried.  Basically, it's a tool for building LabVIEW-based software products.  It is highly flexible/extensible and tries to fill the holes left by LabVIEW's built-in Application Builder.  Here are some good links to more info:
  OpenG Builder Homepage
  OpenG Builder 1.0 Documentation
  Thanks,
  -Jim

• Using HttpSupport library for SSL with User Id/Password

  Does anybody know how to use UDS HttpSupport library for SSL connection which requires user id and password?
  Got no problem so far in getting pages using https and HttpBaseRequest but can't figure out how to setup user id and password for logging in to server. Have tried https://userid:password@server/... but UDS treated password@server as the port!
  Any help is appreciated.

  I assume you mean that you need to provide the password needed for a certificate for SSL authentication.
  For both client and server, these are configuration items.
  If you want to do HTTP authorization, which is not related to SSL, you should use the Authorization and WWW-Authenticate (in a 401 response) to get a user name and password to the server.

• Problem with $ORACLE_HOME 10g RAC

  Hi, I have a doubt that I want to post here.
  The SAP-ORACLE Installation guide specifies that the path to ORACLE_HOME for a oracle 10.2g intallation should be "/oracle/<SAPSID>/102_64", but we got
  "/oracle/<SAPSID>/1020_64"
  I'm asking: Is any problem (or possible issue) with that for any component of mySAP ERP 2005 or  Netweaver2004s SR1
  We are new at this, and we never thought that THAT could be any problem..but we've been adviced by sap consultors that it could be.
  Please I'm asking if someone with a GOOD knowledge if SAP-ORACLE installations could say what's exactly the problem with that , if there's any.
  Also, if there's someone who knows some procedure (or where to find some guidelines) to install SAP on a 2machine RAC with a oracle 10.2g installation (just the software, with any database yet) would be appreciated.
  Thank you very much in advance.

  Hi Mauri,
  if you go to http://www.oracle.com/newsletters/sap/products/rac/rac4sap_howto.html
  you'll find white papers to implement RAC on either UNIX/Linux or Windows
  The main page is www.oracle.com/sap and on the left you see Real Application Clusters
  regards
  Barthez

• Urgent help needed in configuring X1151A for RAC cluster

  for RAC requirements I have to configure this card to use the interface name of ce1 but I have tried changing slots and puting /etc/hostname.ce1 file out there but it fails .. it always comes up as ce0.
  my question is : How can I cofigure this card to come up as ce1 ? in the other box I had to do nothing .. i just placed the /etc/hostname.ce1 file with hostname and it works perfect.
  can you please email me a copy of your response at [email protected] ?
  thanks
  Sami

  Look for "ce" instances in the /etc/path_to_inst file. You'll need to change the lines so that the hardware path you want is "1".
  Keep a backup and write down the pathname. You can give that path to a 'boot -a' prompt if anything bad happens.
  Darren

• AAM SSL not working for welcome page

  Hi all,
  I have enabled SSL for my sharepoint server recently. After follow the procedure to insert cert in IIS, add binding and add AAM mapping, there is an issue when accessing the site URL with https, the server will return a http welcome page. If I browse with
  https welcome page and browse arround, it won't redirect back to http.
  For example:
  https://portal.abc.com  -->  http://portal.abc.com/SitePages/index.aspx
  https://portal.abc.com/community/asia  -->  http://portal.abc.com/community/asia/SitePages/Index.aspx
  https://portal.abc.com/SitePages/index.aspx --> https://portal.abc.com/SitePages/index.aspx
  https://portal.abc.com/community/asia/SitePages/Index.aspx  -->  https://portal.abc.com/community/asia/SitePages/Index.aspx
  How can I force it keep using https during the redirection?
  Warm Regards,
  Wayne

  This is by design behavior.  AAMs are a nice feature, but realistically, the idea is to push users towards one URL.  If you have
  http://domain.com,
  http://www.domain.com, http://domain.org, etc, you would use AAMs to allow SharePoint to respond to requests on any of those domain names, but SharePoint will always use the Public URL for the zone in redirects.  i.e.
  any email alerts that go out, welcome page redirects, rediects from system pages, etc.  So, if you have a scenario like this where maybe HTTP is only available internally, and HTTPS is required externally. either create a different zone by extending
  the web application or change the Public URL to be the HTTPS which is available internal and external, with an internal mapping for the HTTP.  This will push users to move towards only using SSL, but allows for HTTP to be recognized.
  I will say, it is unusual that you would allow HTTP once you've got SSL set up though.  I would just change the public URL and stop accepting HTTP altogether. 
  Christopher Webb | Microsoft Certified Master: SharePoint 2010 | Microsoft Certified Solutions Master: SharePoint Charter | Microsoft Certified Trainer| http://christophermichaelwebb.com

• Any Problems using SSL with Safari and the move with Internet explorer to require only TLS encryption.

  Any Problems using SSL with Safari and the move with Internet explorer to require only TLS encryption.

  Hi .
  Apple no longer supports Safari for Windows if that's what you are asking >  Apple apparently kills Windows PC support in Safari 6.0
  Microsoft has not written IE for Safari for many years.

• Problem using SSL with JMX

  Hi ,
  I am trying to implement SSL with JMX. I took the example of Luis Miguel Alventosa to see how it works. I imported all the classes, password a access properties file. When I am able to start the MyApp server in the example. But when I am trying to run MyClient, it is giving me the following exception
  Initialize the environment map
  Create an RMI connector client and connect it to the RMI connector server
  Exception in thread "main" java.rmi.ConnectIOException: Exception creating connection to: <IP>; nested exception is:
       java.net.SocketException: Default SSL context init failed: null
       at sun.rmi.transport.tcp.TCPEndpoint.newSocket(Unknown Source)
       at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
       at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
       at sun.rmi.server.UnicastRef.newCall(Unknown Source)
       at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
       at com.example.MyClient.main(MyClient.java:30)
  Caused by: java.net.SocketException: Default SSL context init failed: null
       at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
       at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(Unknown Source)
       ... 6 moreHere is the MyApp code I used
  package com.example;
  import java.lang.management.*;
  import java.rmi.registry.*;
  import java.util.*;
  import javax.management.*;
  import javax.management.remote.*;
  import javax.management.remote.rmi.*;
  import javax.rmi.ssl.*;
  public class MyApp {
      public static void main(String[] args) throws Exception {
          // Ensure cryptographically strong random number generator used
          // to choose the object number - see java.rmi.server.ObjID
          System.setProperty("java.rmi.server.randomIDs", "true");
          // Start a secure RMI registry on port 3000.
          System.out.println("Create a secure RMI registry on port 3000");
          SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
          SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);
          Registry registry = LocateRegistry.createRegistry(3000, csf, ssf);
          // Retrieve the PlatformMBeanServer.
          System.out.println("Get the platform's MBean server");
          MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
          // Environment map.
          System.out.println("Initialize the environment map");
          Map<String,Object> env = new HashMap<String,Object>();
          // Provide the password file used by the connector server to
          // perform user authentication. The password file is a properties
          // based text file specifying username/password pairs.
          env.put("jmx.remote.x.password.file", "password.properties");
          // Provide the access level file used by the connector server to
          // perform user authorization. The access level file is a properties
          // based text file specifying username/access level pairs where
          // access level is either "readonly" or "readwrite" access to the
          // MBeanServer operations.
          env.put("jmx.remote.x.access.file", "access.properties");
          // Create and start an RMI connector server.
          // As specified in the JMXServiceURL the RMIServer stub will be
          // registered in the RMI registry running in the local host on
          // port 3000 with the name "jmxrmi". This is the same name the
          // out-of-the-box management agent uses to register the RMIServer
          // stub too.
          // JMXServiceURL = "service:jmx:rmi:///jndi/rmi://:3000/jmxrmi"
          System.out.println("Create and start an RMI connector server");
          JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://");
          RMIJRMPServerImpl server = new RMIJRMPServerImpl(3000, csf, ssf, env);
          RMIConnectorServer cs = new RMIConnectorServer(url, env, server, mbs);
          cs.start();
          registry.bind("jmxrmi", server);
          System.out.println("Waiting for incoming connections...");
  }Here is the MyClient
  package com.example;
  import java.rmi.registry.*;
  import java.util.*;
  import javax.management.*;
  import javax.management.remote.rmi.*;
  import javax.rmi.ssl.SslRMIClientSocketFactory;
  public class MyClient {
      public static void main(String[] args) throws Exception {
          // Environment map
          System.out.println("\nInitialize the environment map");
          Map<String,Object> env = new HashMap<String,Object>();
          // Provide the credentials required by the server to successfully
          // perform user authentication
          String[] credentials = new String[] { "username" , "password" };
          env.put("jmx.remote.credentials", credentials);
          // Create an RMI connector client and
          // connect it to the RMI connector server
          System.out.println("\nCreate an RMI connector client and " +
                  "connect it to the RMI connector server");
          SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
          Registry registry = LocateRegistry.getRegistry(null, 3000, csf);
          RMIServer stub = (RMIServer) registry.lookup("jmxrmi");
          RMIConnector jmxc = new RMIConnector(stub, env);
          jmxc.connect(env);
          // Get an MBeanServerConnection
          System.out.println("\nGet an MBeanServerConnection");
          MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
          // Get domains from MBeanServer
          System.out.println("\nDomains:");
          String domains[] = mbsc.getDomains();
          for (int i = 0; i < domains.length; i++) {
              System.out.println("\tDomain[" + i + "] = " + domains);
  // Get MBean count
  System.out.println("\nMBean count = " + mbsc.getMBeanCount());
  // Close MBeanServer connection
  System.out.println("\nClose the connection to the server");
  jmxc.close();
  System.out.println("\nBye! Bye!");
  Here is the password.properties
  monitorRole mrpasswd
  controlRole crpasswdand access.properties
  monitorRole readonly
  controlRole readwriteI used the following jvm parameters to run the apps
  -Djavax.net.ssl.keyStore=.keystore -Djavax.net.ssl.keyStorePassword=keypass -Djavax.net.ssl.trustStore=proxytruststore -Djavax.net.ssl.trustStorePassword=trustpassI really don't know where I am doing the mistake. Can anyone please give any idea ? For security I didnt disclosed the IP of my mechine in the error, insted I replace it with <IP>

  Hi,
  I assume you did create a keystore and trustore, right?
  Could you verify that the paths to these files you give in your java options
  are correct?
  You could also try to activate debug traces - in particular security traces - see
  at the end of this blog:
  http://blogs.sun.com/jmxetc/entry/troubleshooting_connection_problems_in_jconsole
  This may help you diagnose what is going wrong.
  Hope this helps,
  -- daniel
  JMX, SNMP, Java, etc...
  http://blogs.sun.com/jmxetc

• Use of SSL with Apple Mail 3.4 on FIOS

  I can use SSL with email to and from comcast.net, me.com. and gmail.com, but not to and from verizon.net, using FIOS. I have been using FIOS since August on my Mac PPC G5 and OS 10.5.7. Of the threads I have checked, the consensus seems to be that SSL will not work with Apple Mail. However, when I log in via my browsers, the connection is secured via SSL. Anybody out there know if one can use SSL with Apple Mail via verizon's servers? If so, what are the port settings?

  Sad, but true.
  http://www.dslreports.com/forum/r23039329-Verizon-eMail-Service-Insecure
  ^^
  Comon Verizon, other ISPs have had e-mail over SSL for years. Please, get with the program.
  If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.