Sun Java Web Console certificate-based authentication?

I'd like the Web Console to authenticate users thanks to their (X.509) certificate. The certificate would be stored on the client side,
in the browser's certificate store.
I read that the console could use PAM, but the only PAM PKCS#11 module I found requires a smart card reader on the console host,
while I'd like to be able to use the user's certificate in the browser, thus possibly on a remote host.
Any idea?

Make sure JAVA_HOME is set (+echo $JAVA_HOME+)
BTW, Sun Java Web Console is not the same thing as Sun Management Center

Similar Messages

  • Sun Java Web Console can not be connected over a browser through port 6789

    Symptom:
    If I want to connect to the Sun Java Web Console with a browser (tried: Firefox and IE) over https://x6220:6789 the browser connects to the server but nothing more occurs. Important: It is not a connection error!
    What is the Problem:
    I now cannot access the Sun web console server through a browser over port 6789. Before the installation of the Sun Management Center 4.0 it worked.
    System Overview:
    I have a Sun Blade x6220 with Solaris 10 8/07 which is a member of a two node Sun Cluster 3.2.
    Some Troubleshooting information:
    *# netstat -an | grep 6789*
    *.6789 *.* 0 0 49152 0 LISTEN
    127.0.0.1.6789 127.0.0.1.32852 49152 0 49152 0 CLOSE_WAIT
    172.16.18.66.6789 172.16.18.67.32856 49640 0 49529 0 CLOSE_WAIT
    172.16.18.66.6789 172.16.18.67.32858 49640 0 49529 0 CLOSE_WAIT
    172.16.18.66.6789 172.16.18.67.32865 49640 0 49472 0 CLOSE_WAIT
    172.16.18.66.6789 172.16.18.67.32866 49640 0 49529 0 ESTABLISHED
    127.0.0.1.32916 127.0.0.1.6789 49152 0 49152 0 FIN_WAIT_2
    127.0.0.1.6789 127.0.0.1.32916 49152 0 49152 0 CLOSE_WAIT
    Who is listen on port 6789:
    12930: /usr/java/bin/java -server -Xmx128m -XX:+BackgroundCompilation -XX:Per
    *# svcs |grep webconsole*
    online 10:10:01 svc:/system/webconsole:console
    *# smcwebserver status*
    Sun Java(TM) Web Console is running
    *# svccfg -s svc:/system/webconsole listprop*
    options application
    options/stability astring Evolving
    options/tcp_listen boolean true
    console-multi-user dependency
    console-multi-user/entities fmri svc:/milestone/multi-user
    console-multi-user/grouping astring require_all
    console-multi-user/restart_on astring none
    console-multi-user/type astring service
    general framework
    general/entity_stability astring Unstable
    *# cat /usr/share/webconsole/webapps/console/WEB-INF/app.xml*
    <!--Tags used to determine a user's access to this app. Leave empty to indicate no auths required-->
    <authTypes>
    <authType name="">
    <classType></classType>
    <permissionParam name=""></permissionParam>
    </authType>
    </authTypes>
    But now:
    *# wcadmin list*
    I'm waiting for some output till today but nothing...nothing---nothing!
    Question:
    What else could possibly not be working? Thank you for help.

    I also couldn't attach to port 6789
    +21:38:33:helaman:root>svcadm enable webconsole+
    +21:38:58:helaman.:root>svcs webconsole+
    STATE          STIME    FMRI
    offline*       21:53:17 svc:/system/webconsole:console
    +21:54:02:helaman:root>+
    Looking at the log didn't help
    +21:55:26:helaman:root>cat /var/svc/log/system-webconsole:console.log+
    +[ Aug 24 21:54:06 Executing start method ("/lib/svc/method/svc-webconsole start") ]+
    Starting Sun Java(TM) Web Console Version 3.1 ...
    Cannot determine if console started successfully
    +[ Aug 24 21:54:55 Method "start" exited with status 0 ]+
    +[ Aug 24 21:54:55 Stopping because all processes in service exited. ]+
    +[ Aug 24 21:54:55 Executing stop method ("/lib/svc/method/svc-webconsole stop") ]+
    The console is stopped.
    +[ Aug 24 21:54:56 Method "stop" exited with status 0 ]+
    The service started and stopped ....
    so I looked at the debug file in */var/log/webconsole/console/console_debug_log*
    +==============================================================+
    Java Web Console Version 3.1 started on Sun Aug 24 21:54:54 PDT 2008
    +==============================================================+
    java.lang.ClassNotFoundException: org.apache.catalina.core.ApplicationContextFacade$1
    + at java.net.URLClassLoader$1.run(URLClassLoader.java:200)+
    + at java.security.AccessController.doPrivileged(Native Method)+
    + at java.net.URLClassLoader.findClass(URLClassLoader.java:188)+
    + at java.lang.ClassLoader.loadClass(ClassLoader.java:306)+
    + at java.lang.ClassLoader.loadClass(ClassLoader.java:251)+
    + at org.apache.catalina.security.SecurityClassLoad.loadCorePackage(SecurityClassLoad.java:53)+
    + at org.apache.catalina.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:40)+
    + at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:210)+
    + at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:390)+
    Looks like the updates that I did lost a jar file ... Does anyone know what JDK I should use ... I have the following
    +22:03:21:helaman:root>uname -a+
    SunOS helaman 5.10 Generic_137112-05 i86pc i386 i86pc
    +22:03:26:helaman:root>cat /etc/release+
    + Solaris 10 5/08 s10x_u5wos_10 X86+
    + Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.+
    + Use is subject to license terms.+
    + Assembled 24 March 2008+
    +22:03:32:helaman:root>java -version+
    java version "1.6.0_07"
    Java(TM) Platform, Standard Edition for Business (build 1.6.0_07-b06)
    Java HotSpot(TM) Server VM (build 10.0-b23, mixed mode)
    +22:03:36:helaman:root>env | grep JAVA+
    JAVA_HOME=/usr/java
    +22:03:41:helaman:root>ls -dall /usr/java+
    lrwxrwxrwx   1 root     root          10 Aug 24 21:45 /usr/java -> jdk/latest
    +22:03:53:helaman:root> smpatch analyze+
    + You have new messages. To retrieve: smpatch messages [-a]+
    No patches required.
    +22:06:06:helaman:root>+
    Any insight on this would be much appreciated.

  • How do I change the default certificate in Java Web Console?

    I have a 3rd party issued server keystore & truststore ready to go in both jks and p12 file formats. I wish to use this in the Sun Java Web Console instead of the self signed certificate. I cannot find any documentation as to changing the certificate. I did find commands to change the keystore and truststore passwords, but I want to change the entire certificate.
    I tried manually messing with the /var/webconsole/domains/console/conf/server.xml configuration file but realized it was more complex than that. Is there a documented procedure for changing the default certificate?
    Thanks

    Siri will use the default calendar specified in the Mail, Contacts, Calendars setting.
    Go to Settings/Mail,Contacts,Calendars, then scroll down, and change the default in the Calendars section to the one you prefer.
    hope this helps.

  • Problem with JAVA Web Console

    Hello friends:
    trying to use Java Web Console under Sol10 / Sparc:
    Please...any help?
    root@uben:/$ smcwebserver start
    Registering com.sun.web.console_2.2.2.
    Registering com.sun.web.ui_2.2.2.
    Registering /usr/share/webconsole/lib/serviceapi.jar
    as com_sun_management_services_api.jar for scope ALL
    Registering /usr/share/webconsole/lib/serviceimpl.jar
    as com_sun_management_services_impl.jar for scope ALL
    Registering /usr/share/webconsole/lib/consoleimpl.jar
    as com_sun_management_console_impl.jar for scope ALL
    Registering /usr/share/webconsole/lib/cc.jar
    as com_sun_management_cc.jar for scope ALL
    Registering /usr/share/webconsole/lib/SMIWebCommon.jar
    as com_sun_management_webcommon.jar for scope ALL
    Registering /usr/share/lib/jato/jato.jar
    as com_iplanet_jato_jato.jar for scope ALL
    Registering /usr/share/webconsole/lib/serviceimpl_es.jar
    as com_sun_management_services_impl_2.2_es.jar for scope ALL
    Registering /usr/share/webconsole/lib/cc_es.jar
    as com_sun_management_cc_2.2_es.jar for scope ALL
    Registering /usr/share/webconsole/lib/solaris_impl.jar
    as com_sun_management_solaris_impl.jar for scope ALL
    Registering login module com.sun.management.services.authentication.PamLoginModule
    Registering login module com.sun.management.services.authentication.RbacRoleLoginModule
    Registering /usr/share/webconsole/lib/solaris_implx.jar
    as com_sun_management_solaris_implx.jar for scope ALL
    Server not started! No management applications registered.
    root@uben:/$ smcwebserver start
    Server not started! No management applications registered.
    root@uben:/$

    Thanks Tim for the info, and thank you all too.
    The issue here is not only if Essbase is fully supported or not by the new java version (or the other way around).  A patch later on will solve the compatibility problem.
    But the major problems here are two: 
    1. Oracle publishes java versions prematurely without warning the public for the compatibility issues, or at least to say that "we haven't checked everything yet".
    2. The end users get pop ups (unless disabled) that their (older) java version is not secure anymore. That scares the users and drives them to update their JRE or JDK prematurely without telling that to anyone.
    Cheers
    George

  • Certificate Based Authentication - Questions and Authentication Modules

    Hi Everyone
    I'm trying to achieve a specific configuration using AM. I've installed the AM Server 7.1 on an AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
    The AM server is using a DS rep for configurations and dynamic profiles and using an AD rep for authentication.
    What I now need to achieve is authentication based on one of these two ways:
    - user and password authentication (which is working)
    - Certificate based authentication ( working on it )
    To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled", they don't say which ( either the server or agent container or both ). Also I assume that "Client Authentication Enabled" is referring to the Http Listener configuration of that container.
    When I enable it ( the Client Authentication ) on the http listener for either container the https connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading.". On IE, it prompts for a Certificate to be sent to the container and when I provide none, then it gives me the same error as Firefox. In both cases no page was presented.
    Basically what I need is for both authentication methods described before to work! So, asking for the certificate ( especially if it wasn't the AM asking for it ) without giving the user a chance to use a user/password combination isn't what is wanted.
    From what I gathered the "Client Authentication" makes this http listener need a certificate to be presented always.
    So, my first question is : is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
    2- I'll probably need to code a custom module for this scenario I'm working in because of client requisites, but if possible I would like to use the provided module. Still, in case I need to make one, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
    3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
    All for now,
    Thank you all for your help
    Rp

    Hi Rp,
    We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes it is possible to use both methods at the same time, i.e. use the certificate first and then fall back to LDAP.
    First you need to configure AM's web container to accept the certificate. From your message it is clear that you have done that. The only mistake you made is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication optional. It means that the Certificate will be transferred only when it is available, otherwise the Web Container will not ask for the Certificate. You will have to search the Glassfish website or the ASEE 9.1 manual to learn how to make the Client-Authentication optional. You definitely need this authentication optional as the Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
    Secondly, in AM 7.1, you will have to set up the Authentication chaining, where you can make the Certificate Module SUFFICIENT and the LDAP module REQUIRED.
    Thirdly, if you are using a non-OCSP-based certificate then change the OCSP checking in AMConfig.properties to false.
    Fourth, You may have to write a small custom code to get the profile from your external sources. (if you need to then I can tell you how).
    HTH,
    Vivek
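    The chaining Vivek describes (Certificate SUFFICIENT, LDAP REQUIRED) follows JAAS control-flag semantics, which Access Manager's authentication chaining reuses. The Python model below is an added example, not code from this thread or from Access Manager itself; the two module stand-ins and their trusted-subject and password tables are constructed, and the optional client-auth listener is assumed to have already delivered the peer certificate subject (or nothing) in `Request.cert_subject`. It also shows why module order matters: with the REQUIRED LDAP module placed first, a certificate-only user is refused even though the certificate module succeeds.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Flag(Enum):
    """JAAS control flags, which Access Manager's authentication chaining reuses."""
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


@dataclass
class Request:
    # What the web container hands the auth framework: the peer certificate
    # subject when optional TLS client auth produced one, plus any typed
    # credentials. Constructed for this example; not an AM API.
    cert_subject: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None


# Constructed stand-ins for the data behind the Certificate and LDAP modules.
TRUSTED_CERT_SUBJECTS = {"CN=alice,O=Example"}
LDAP_PASSWORDS = {"bob": "s3cret"}


def cert_module(req: Request) -> bool:
    """Succeeds only if the container delivered a certificate we trust."""
    return req.cert_subject in TRUSTED_CERT_SUBJECTS


def ldap_module(req: Request) -> bool:
    """Succeeds only on a correct username/password pair."""
    return req.username is not None and LDAP_PASSWORDS.get(req.username) == req.password


Chain = List[Tuple[str, Flag, Callable[[Request], bool]]]

# Vivek's recommended order: certificate first as SUFFICIENT, LDAP as REQUIRED.
AM_CHAIN: Chain = [("Certificate", Flag.SUFFICIENT, cert_module),
                   ("LDAP", Flag.REQUIRED, ldap_module)]

# Same modules with the REQUIRED module first: a certificate-only user fails.
WRONG_ORDER_CHAIN: Chain = [("LDAP", Flag.REQUIRED, ldap_module),
                            ("Certificate", Flag.SUFFICIENT, cert_module)]


def run_chain(chain: Chain, req: Request) -> Tuple[bool, List[str]]:
    """Evaluate a chain with JAAS semantics; returns (success, modules that ran)."""
    ran: List[str] = []
    required_failed = False
    has_required = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f, _ in chain)
    non_required_success = False
    for name, flag, module in chain:
        ok = module(req)
        ran.append(name)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break  # a REQUISITE failure stops the chain at once
        elif ok:
            non_required_success = True
            # A SUFFICIENT success ends the chain unless an earlier
            # REQUIRED/REQUISITE module has already failed.
            if flag is Flag.SUFFICIENT and not required_failed:
                return True, ran
    if required_failed:
        return False, ran
    # With no REQUIRED/REQUISITE modules, some SUFFICIENT/OPTIONAL must succeed.
    return (True if has_required else non_required_success), ran


if __name__ == "__main__":
    for label, req in [("cert only", Request(cert_subject="CN=alice,O=Example")),
                       ("password only", Request(username="bob", password="s3cret")),
                       ("bad password", Request(username="bob", password="nope"))]:
        print(label, run_chain(AM_CHAIN, req), run_chain(WRONG_ORDER_CHAIN, req))
```

    The returned module list is the part worth watching in a real deployment: with the recommended order, a user who presented a trusted certificate never touches LDAP, and a user without one is decided by LDAP alone, which is exactly the fallback behaviour the thread is after.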

  • Client certificate based authentication

    We have a Java Web Start application that needs to connect to an Apache server and use client certificate based authentication. When javaws initiates a connection with the Apache server, it tries to retrieve the certificate/key from the PKCS12 keystore to present it to the Apache server. We have made this work; however, javaws is prompting the user to enter the password for accessing the keystore. We do not want our users to enter this password and are looking into ways to either supply the password as one of the javaws deployment properties or create an unprotected keystore. Both of our attempts have been unsuccessful. We have tried the following:
    1. We passed the 3 discussed properties (javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType) in the Java Control Panel, according to the following procedure: open Control Panel, select the Java tab, click View under Java Applet Runtime Settings, set values in the Java Runtime Parameters table column. This operation added the properties to the user's deployment file (in a new attribute named deployment.javapi.jre.1.5.0_09.args, which held all 3 properties as a value), but there was no effect (the password window still popped up).
    2. We set up the deployment.property file manually with the 3 attributes [javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType]; it didn't have any effect either.
    3. When launching Java applications you can set system properties as part of the command line using the following format "-D<property_name>=<property_value>"; we failed to find the analogue in javaws.
    Has anyone got any ideas on how to workaround this problem? Really appreciate any help here.

    Hi, client cert auth is not really the best way to protect your resources. It needs a client cert installed on every workstation to access the application. I think it conflicts with the javaws concept!
    I have the same situation (protect resources and avoid the password prompt on start) and my solution is:
    Using Tomcat as web server:
    Directory structure as follows:
    /ApplicationRoot
        /WEB-INF
            /resources
                - private.jar
                - private.jnlp
        /resources
            - icon.png
            - public.jar
    As you can see there is no direct access to protected resources. All protected resources are available only through the ResourceProvider servlet, configured as follows (web.xml):
    <servlet-mapping>
            <servlet-name>ResourceProvider</servlet-name>
            <url-pattern>/resources/secret/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
            <web-resource-collection>
                <web-resource-name>protected resources awailiable from browser</web-resource-name>
                <url-pattern>/resources/secret/browser/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>somerole</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
    </security-constraint>
    <security-role>
            <role-name>somerole</role-name>
    </security-role>
    <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name></realm-name>
    </login-config>
    Code your ResourceProvider servlet to grant access only if:
    - The connection is secure (SSL).
    - The URL pattern is "/resources/secret/browser/*" and the client has passed the realm.
    - The URL pattern is "/resources/secret/javaws/secretkey/*" (where secretkey is a PIN kept both by client and server).
    To install the app from the browser (access private.jnlp) use the "/resources/secret/browser/*" URL pattern and basic auth.
    To download app resources configure the jnlp file as follows:
    <jnlp spec="1.0+" codebase="https://host:port/AppRoot/resources/" href="secret/javaws/secretkey/private.jnlp">
        <information>
             <icon href="icon.png"/>
        </information>
        <resources>
            <j2se version="1.6+"/>
            <jar href="secret/javaws/secretkey/private.jar" />
            <jar href="public.jar" />
        </resources>
    </jnlp>
    And the last thing you need to do is configure the SSL connector on the Tomcat server as follows:
    <Connector port="port"
             scheme="https"
             secure="true"
             SSLEnabled="true"
             clientAuth="false"
             sslProtocol="TLS"
    />
    Pay attention to the "clientAuth" param. Set it to "false" to avoid the javaws cert-choice dialog on every app update.
    Hope it helps!

  • OWA and ActiveSync certificate based authentication

    I have Exchange 2013 CU3 installed and want to activate the certificate based authentication for ActiveSync and OWA. But I want to have the login without certificate as well for users without a certificate.
    I already found some information how to do that on Exchange 2010 and I already did all steps to activate it.
    But at one point I can't find anything to configure in Exchange 2013. So I have activated the AD certificate based authentication in IIS and configured the OWA folder in IIS to accept client certificates. This seems to work as I get asked to use the certificate
    when I open the OWA page. But then I am landing on the OWA login page where I have to enter username and password.
    So it seems that I am missing something. In the tutorials for Exchange 2010 they activate the certificate based authentication in the Management console. But I can't find anything in ECP to activate.
    Can anyone help me?

    Hi,
    We can create an additional Web Site in IIS to configure additional OWA and ECP virtual directory for external access. And configuring the Default Web Site for internal access.
    Then we can configure internal one with Integrated Windows authentication and Basic authentication while the external one configured for forms-based authentication of Domain\user name format. For more information about
    Configuring Multiple OWA/ECP Virtual Directories, we can refer to:
    https://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Certificate based authentication using amclientsdk

    Hi there,
    We have written a custom authentication framework around the amclientsdk. We are able to use the basic authentication (user/password) service configured in Access Manager for authentication. But we would also like to do certificate based authentication, where the user chooses the "logon using certificate" link and the certificate from the browser is presented to our custom framework, and from there I am using the AM API to invoke the Cert auth service. It didn't work and reports a "User certificate not found" error. I don't know how to present the retrieved user certificate to Access Manager as there are no callbacks for the Cert auth service.
    Our custom application and Access Manager are running under different Sun Web Server instances. And both are configured for SSL (client authentication not required mode).
    I tried changing the Access Manager instance to SSL client authentication required mode; that time it sent a 403 error code. But I need the previous scenario to work.

    Hi there
    I've got to get this working as well.
    In my case I've got to have both the user/password authentication OR certificate based.
    The thing is, the documentation says that I need to have the containers (don't know if both the AM server and the agent containers or only one of them) with SSL and "Client Authentication enabled"... now the problem is, when I make it Client Authentication Enabled the container gives me a similar error to the one you described; this is because the server requests the browser to send a certificate when trying to access the server .....
    Can you give me any pointers to how this is supposed to be done? I would really appreciate help with this.
    Thanks
    Rp

  • NetMail,Netlet,NetFile stop after enabling certificate based authentication

    I use SunONE Portal 6.1 + SRA. I have installed the gateway and portal on the same machine and have installed the sample portal also. Everything works fine (Netlet, NetMail, NetFile) until I enable the gateway to use certificate based client authentication. After this step the applications (NetFile, Netlet, NetMail) stopped working. It seems that they can't connect to the gateway after the initial applet download because of the client certificate based authentication.
    Is there some workaround or configuration change that I can do in order to allow the applets to communicate with the gateway?

    At last I have found my mistake. I was using JPI 1.4.1. If I use JPI 1.3.1 there is no problem because this version of Java uses the browser libraries in order to make the SSL connection and then the certificate that is imported into the browser is used. Finally I have found the way to tell JPI 1.4 which certificate to use and how.
    Look here if you want more information:
    http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/JSSERefGuide.html#Customization
    http://java.sun.com/j2se/1.4.1/docs/tooldocs/tools.html#security
    see also:
    http://forum.java.sun.com/thread.jsp?forum=2&thread=361995

  • Need Help about Certificate based Authentication

    Hi friends..
    Currently, I'm trying to develop an applet that uses Certificate Based Authentication..
    I have looked at this thread : http://forums.sun.com/thread.jspa?threadID=5433603
    This is what Safarmer says about the steps to generate a CSR :
    0. Generate key pair on the card.
    1. Get public key from card
    2. Build CSR off card from the details you have, the CSR will not have a signature
    3. Decide on the signature you want to use (the rest assumes SHA1 with RSA Encryption)
    4. Generate a SHA1 hash of the CSR (without the signature section)
    5. Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
    6. Send DigestInfo to the card
    7. On the card, use the matching private key to encrypt the DigestInfo
    8. Return the encrypted digest info to the host
    9. Insert the response into the CSR as the signature
    Sorry, i'm a little bit confused about those steps.. (Sorry i'm pretty new in X509Certificate)..
    on step 4,
    Generate a SHA1 hash of the CSR (without the signature section)
    Does it mean we have to "build" a CSR that looks like:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=California, L=West Hollywood, O=ITDivision, OU=Mysys, CN=leonardo.office/[email protected]
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00:be:a0:5e:35:99:1c:d3:49:ba:fb:2f:87:6f:d8:
    ed:e4:61:f2:ae:6e:87:d0:e2:c0:fd:c1:0f:ed:d7:
    84:04:b5:c5:66:cd:6b:f0:27:a2:cb:aa:3b:d7:ad:
    fa:f4:72:10:08:84:88:19:24:d0:b0:0b:a0:71:6d:
    23:5e:53:4f:1b:43:07:98:4d:d1:ea:00:d1:e2:29:
    ea:be:a9:c5:3e:78:f3:5e:30:1b:6c:98:16:60:ba:
    61:57:63:5e:6a:b5:99:17:1c:ae:a2:86:fb:5b:8b:
    24:46:59:3f:e9:84:06:e2:91:b9:2f:9f:98:04:01:
    db:38:2f:5b:1f:85:c1:20:eb
    Exponent: 65537 (0x10001)
    Attributes:
    a0:00
    on step 5, Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
    What does the DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) look like?
    And what does the DigestInfo contain, and what is the TAG for DigestInfo?..
    Please help me regarding this..
    Thanks in advance..
    Leonardo Carreira

    Hi,
    Leonardo Carreira wrote:
    Sorry, Encode the Public Key is handled by On Card Application or Off Card Application?..
    I think it's easier to encode the public key by Off Card app..
    Could you guide me how to achieve this? I think Bouncy Castle can do this, but sorry, I don't know how to write code for it.. :(
    All you need to do is extract the modulus and exponent of the public key. These will be in a byte array (response from your card) that you can use to create a public key object in your host application. You can then use this key to create a CSR with Bouncy Castle.
    I have some questions :
    1. Does Javacard provide an API to deal with the DER data format?
    JC 2.2.1 does not but JC 2.2.2 does, however I believe this is an optional package. You can implement this in your applet though.
    2. Regarding the Certificate Based Authentication, what stuff needs to be stored in the Applet?..
    - I think the Applet must hold:
    - its Private Key,
    - its Public Key Modulus and its Public Key Exponent,
    - its Certificate,
    - Host Certificate
    I think this requires too much EEPROM to store only the key..
    This depends on what you mean by Certificate Based Authentication. If you want your applet to validate certificates it is sent against a certificate authority (CA) then you need the public keys for each trust point to the root CA. To use the certificate for the card, you need the certificate and corresponding private key. You would not need to use the public key on the card so this is not needed. You definitely need the private key.
    Here is a rough estimate of data storage requirements for a 2048 bit key (this is done off the top of my head so is very rough):
    ~800 bytes for your private key
    ~260 bytes per public key for PKI hierarchy (CA trust points)
    ~1 - 4KB for the certificate. This depends on the amount of data you put in your cert
    3. What is the appropriate RSA key length, because we have to take into account that the buffer is only 255 bytes (assume I don't use Extended Length)..
    You should not base your key size on your card capabilities. You can always use APDU chaining to get more data onto the card. Your certificate is guaranteed to be larger than 256 bytes anyway. You should look at the NIST recommendations for key strengths. These are documented in NIST SP 800-57 [http://csrc.nist.gov/publications/PubsSPs.html]. You need to ensure that the key is strong enough to protect the data for a long enough period. If the key is a transport key, it needs to be stronger than the key you are transporting. As you can see there are a lot of factors to consider when deciding on key size. I would suggest you use the strongest key your card supports unless performance is not acceptable. Then you would need to analyse your key requirements to ensure your key is strong enough.
    Cheers,
    Shane

  • N1 system manager installation failed (newer version of Java web console)

    Hi,
    I am trying to install Sun N1 system manager on Solaris x86 U3 + all patches. Once I run the installer I got:
    N1SM Installer (version 1.3.2 on SunOS)
    1. Install OS packages. [Completed]
    2. Install Expect. [Completed]
    3. Install IPMI tool. [Completed]
    4. Install JDK 1.5. [Completed]
    5. Install service provisioning components. [Completed]
    6. Install OS provisioning components. [Completed]
    7. Copy DHCP configuration file. [Completed]
    8. Install user interface components. [Partially Run]
    9. Install service container components. [Not Completed]
    10. Install N1 System Manager. [Not Completed]
    Failed Step: Install user interface components.
    The following is a portion of the installer
    log which may indicate the cause of the error.
    If this does not indicate the cause of the
    error, you will need to view the full log
    file. More information on how to do that is
    available below.
    The Sun Java(TM) Web Console software already installed (version 3.0.2)
    is newer than the version (3.0) you are attempting to install.
    Downgrading is not supported. If you wish to run the older version,
    you can install it after unintalling the currently installed version.
    Error running lockhart setup: 1792
    Please fix the problem and then try this step again.
    For a full log of the failed install see the file: /var/tmp/installer.log.9327.
    t. Try this step again (correct the failure before proceeding)
    x. Exit
    Enter selection: (t/x) x
    Is there any way to continue my installation and using currently installed version of Java Web Console?

    Tried removing the currently installed Java Web Console as described at http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5l4?a=view
    It says to simply run /usr/share/webconsole/bin/setup -u, however there is no setup binary in the listed dir.
    # ls -l /usr/share/webconsole/bin/
    total 396
    -r-xr-xr-x 1 root sys 9995 Oct 9 08:18 smcwebserver
    -r-xr-xr-x 1 root sys 6571 Oct 9 08:17 smloginmodule
    -r-xr-xr-x 1 root sys 171907 Oct 9 08:17 smreg
    -r-xr-xr-x 1 root sys 1456 Oct 9 08:17 smwebapp
    -r-xr-xr-x 1 root sys 2917 Oct 9 08:17 wcadmin
    # uname -a
    SunOS host 5.10 Generic_118855-33 i86pc i386 i86pc
    It seems the docs are wrong?

  • Certificate based authentication with SSL load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    I think the simplest and most secure way is to have the servers configured for
    2-way SSL, since this would ensure that the certificate they receive and use for
    authentication has been validated during the SSL handshake. In this case the load
    balancer itself does not need to and cannot do the handshaking, and would need
    to pass the entire SSL connection through to the WLS server (i.e. act similarly to
    a router).
    Pavel.
    "George Coller" <[email protected]> wrote:
    > I've been asked to implement certificate-based authentication (CBA)
    > on a weblogic cluster serving up web services. I've read through
    > Chapter 10 (security) and understand the "Identity Assertion" concept.
    > Environment:
    > Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    > uses sticky-sessions.
    > Question:
    > If the load balancer is used to handle SSL, do I still need to turn
    > on SSL on the weblogic cluster in order to use CBA? Is there another
    > way to request the client's certificate?
    > If the above is yes, what is the minimal level of SSL? Does it have
    > to be two-way?
    > If SSL has to be turned on is there any reason to use the load
    > balancer's SSL? Is there still a performance benefit?

  • Certificate Based Authentication and SSL

    To whom it may concern,
    I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
    Now, I need Certificate based authentication and SSL. I have downloaded a verisign.com trial certificate and have installed it successfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
    Next, I followed the documentation and enabled SSL by using the ./configutil utility. And also restarted the server.
    I am running my Messenger express (http) like this :
    http://testing.xyz.com:8100
    (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
    https://testing.xyz.com:8100 also,
    http://testing.xyz.com:443 also,
    https://testing.xyz.com:443 also,
    but I cannot see the login page of the mail server. All the above-mentioned URLs I tried just gave the error "the connection was refused when attempting to contact testing.xyz.com". I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
    And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
    Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
    Thanking you,
    Farhan Ahmed,
    System Engineer
    Dubai, UAE.

    Dear jay,
    I am pasting a line from the imap and http logs ... I don't know what this error means and how to resolve it.
    [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    The strange thing is that my certificate name is lowercase server-cert, and I can also see in the GUI console the certificate name in lowercase, and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log says "Server-Cert" !!!! even though it is "server-cert".
    I got this line from the http log:
    [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
    Help me out with what these errors mean and how to resolve them. I have also copied the cert7.db and key3.db to the /opt/SUNWms*/config directory from /var/opt/mps/serverroot/alias
    Thanking you,
    Farhan Ahmed,
    System Engineer,
    Dubai Internet City, Dubai, UAE.

  • Transition to Certificate Based Authentication

    Hello,
    I was hoping someone could help provide some insight into a question I have. We are in the process of rolling out a new Mobile Device Management system that will give us the ability to insert User Certificates on the mobile devices. 
    My question is: While we are in transition to this system, is it possible to have both Digest AND Certificate Based authentication working on Exchange (2010) without causing service disruption to the devices that have not yet been migrated to the new MDM
    system?
    Thank you in advance,
    Ryan

    Hi,
    Reporting Services uses the HTTP SSL (Secure Sockets Layer) service to establish encrypted connections to a report server. If you have a certificate (.cer) file installed in a local certificate store on the report server computer, you can bind the certificate
    to a Reporting Services URL reservation to support report server connections through an encrypted channel.
    Server certificates are installed on the Web server and typically require no additional configuration on the clients. Server certificates allow the clients to verify the identity of the server.
    Some Web sites and applications might require client certificates. Client certificates are installed on the client and allow the server to authenticate the clients. For more information about configuring client certificates, see
    Enabling Client Certificates in IIS 6.0. But client certificates are not supported in SSRS 2005 and later versions. So SSRS 2008 R2 will not allow the server to authenticate the clients.
    More details information in article below for your reference:
    Configuring a Report Server for Secure Sockets Layer (SSL) Connections
    If you still have any problem, please feel free to ask.
    Regards,
    Vicky Liu
    Vicky Liu
    TechNet Community Support

  • X.509 certificate based authentication with load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    Hi George,
    If you want the client's cert, the server has to ask for it and this
    implies two-way SSL. In normal one-way SSL the server provides the cert to
    the client and the client decides if it wants to continue the handshake.
    If the client is OK with the server certs and two-way SSL is configured
    on the server, then the server will request the client send its certs.
    If the client certs are OK, then the pipe is established.
    Concerning the load balancer I'm assuming it is simply providing a
    tunnel, but I don't have the experience to comment and it is something I
    would suggest that you seek guidance on from our outstanding
    support team [1] or drop a note in the security newsgroup [2] for the
    experts to review.
    Regards,
    Bruce
    [1]
    http://support.bea.com
    [email protected]
    [2]
    http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=xover&group=weblogic.developer.interest.security
    George Coller wrote:
    > I've been asked to implement certificate-based authentication (CBA)
    > on a weblogic cluster serving up web services. I've read through
    > Chapter 10 (security) and understand the "Identity Assertion" concept.
    > Environment:
    > Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    > uses sticky-sessions.
    > Question:
    > If the load balancer is used to handle SSL, do I still need to turn
    > on SSL on the weblogic cluster in order to use CBA? Is there another
    > way to request the client's certificate?
    > If the above is yes, what is the minimal level of SSL? Does it have
    > to be two-way?
    > If SSL has to be turned on is there any reason to use the load
    > balancer's SSL? Is there still a performance benefit?
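    Both of George Coller's threads above ("Certificate based authentication with SSL load balancer" and this one) turn on the same point Pavel and Bruce make: the client certificate only reaches the server if the server itself completes the TLS handshake and requests it (two-way SSL), so a load balancer that terminates SSL in front of the cluster must instead pass the connection through. The Go program below is an added example, not code from the thread or from WebLogic. It issues a throwaway CA, a server certificate and a client certificate in memory, starts a server with ClientAuth set to RequireAndVerifyClientCert, and connects twice: once with the client certificate (the server learns the CN) and once without (the server-side handshake fails). The names demo-ca, wls-node and george are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: eku,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Result is the server's view of one connection: the validated client CN, or the handshake error.
type Result struct {
	ClientCN string
	Err      error
}

// MutualTLSDemo runs a server that requires a client certificate (two-way SSL) and connects to it
// twice, once with a CA-issued client certificate and once with none, returning the server's view of each.
func MutualTLSDemo() ([]Result, error) {
	ca, caKey, err := issue("demo-ca", true, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	srv, srvKey, err := issue("wls-node", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	if err != nil {
		return nil, err
	}
	cli, cliKey, err := issue("george", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // ask for the client cert and validate it against ClientCAs
		ClientCAs:    pool,
	})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	clientCfgs := []*tls.Config{
		{RootCAs: pool, ServerName: "wls-node", Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}},
		{RootCAs: pool, ServerName: "wls-node"}, // trusts the server but presents no certificate
	}
	out := make(chan Result, 1)
	var results []Result
	for _, cfg := range clientCfgs {
		go func() { // server side: accept one connection and run the handshake to completion
			conn, err := ln.Accept()
			if err == nil {
				defer conn.Close()
				err = conn.(*tls.Conn).Handshake()
			}
			if err != nil {
				out <- Result{Err: err}
				return
			}
			out <- Result{ClientCN: conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName}
		}()
		if c, dialErr := tls.Dial("tcp", ln.Addr().String(), cfg); dialErr == nil {
			c.Close() // under TLS 1.3 the client may not see the rejection until it reads; the server always does
		}
		results = append(results, <-out)
	}
	return results, nil
}

func main() {
	results, err := MutualTLSDemo()
	fmt.Printf("%+v\n%v\n", results, err)
}
```

    The identity the server can assert comes only from PeerCertificates, which are populated by its own handshake. If a load balancer terminates SSL instead, the backend sees the balancer's connection, never the user's certificate; forwarding the certificate in an HTTP header is possible but then the backend must accept that header only from the balancer, since any client that can reach the backend directly could forge it.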
