TLS vs. MLS

TLS vs. MLS: transport level security versus message level security
Hello everyone,
I've been busy configuring HTTPS and message security in my PI landscape but there are some points I'm not sure about.
What are the differences between TLS and MLS? Both say they encrypt the business document, validate the sender and receiver(TLS with client and server certificates, MLS with digital signatures using again the certificates) and offer message integrity. So why two different mechanisms for providing the same(or is it not?) functionality using the very same certificate technology?
What are the differencies between these two? Please do not provide any links as I've already read a bunch of them but still unsure, simple answers will do.
Thanks,
Gökhan

hi,
MLS:
Used when messages leave XI or bofore they come to XI
it has nothing to do with monitoring in XI
/people/michal.krawczyk2/blog/2006/01/02/xi-sxmbmoni--controlling-access-to-message-display
Also find some information in these links
http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
/people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
TLS:
You can use transport security for consuming and providing Web services either at HTTP transport level or at SOAP message level. To do this, you can use the standard HTTP transport security mechanisms such as HTTPS and the WS standard mechanisms to set the transport security at the higher SOAP message level.
Transport security at SOAP message level is suited to the specific security requirements for WS access, and also allows you to use the strong SOAP message transport mechanisms such as XML signatures/encryption and SecureConversation for inbound and outbound WS communication
Thanks,
Vijaya,.

Similar Messages

  • Network security: SSL / TLS connections or not?

    Hi,
    Our small office-network is administered by a (very good) self-employed debian dev, and in the last six years I have learned a great deal by reading through configfiles on our server. I have even setup my own (modest) homeserver and am very interested in everything about networking.
    Earlier this year there were the SSL-vulnerabilities, so I glanced through our own setup and I think I have found a weakness that I'm not sure of if it is serious or not.
    Internal authentication is handled with LDAP / Kerberos, so at this level I see no problems, but connections to f.e. our LDAP-server are not protected with SSL or TLS and thus my question: should this not be mandatory on an office network that (although protected by iptables) allows connections with the internet?
    Our server handles next to LDAP / Kerberos also apache, postgresql, imap, smtp, calDAV, NFS, cups etc...
    THX!

    Our LDAP-server is used to authenticate users (LAN only), but also as an addressbook (LAN only, although exposed through a local web app).
    But other services are exposed to the internet: imap, smtp, http, etc. Whenever I need to add a new device (smartphone f.e.), I'm confronted with the setting 'encryption', which has to be left blank for our setup. That's why I have my doubts...
    But you seem to find encryption something 'optional' if I understand you completely. So my doubts are probably not warranted. THX for your reply!

  • Configuração SLL/NFe - PI para recebimento de e-mails usando SSL/TLS

    Usamos o GRC/SLL 10 NFe  - SP16  para emissão / recebimento de NFes.
    Estamos migrando nosso exchange 2003 para exchange 2010 e existe a necessidade de aumentarmos a segurança.
    Alguem poderia nos ajudar ? temos que usar o SSL/TLS -
    Existe alguma opção al´me de Plain/MD5 ? Podemos usar outro tipo de encriptação ?
    Agradeço desde já a ajuda de todos

    Boa tarde Daniela,
    Ao meu ver, a configuração dos dois ambientes da SEFAZ (Hom/Prod) em um mesmo ambiente PI (Dev, por ex) é desnecessária e acaba dobrando o esforço de configuração e é passível de erro.
    Após a primeira implementação, onde usei essa prática descrita por você, vi que não fazia sentido, já que após o transporte dos objetos de DEV para QAS, tive que refazer toda a configuração de canal de comunicação duas vezes (Homologação e Produção). Quando transportei para Produção, o mesmo tormento. Os canais produtivos em DEV/QAS nunca foram utilizados -- ainda bem, pois isto é o correto. O mesmo em produção -- canais de homologação nunca foram utilizados e apenas serviam de peso morto no ambiente.
    Agora, se na sua empresa você possui alguma ferramenta de transporte dos objetos do Directory que leva todos os canais de comunicação com os seus devidos valores, sem ter a necessidade de preenchê-los logo após o transporte (tenho isso no cliente atual - viva a API do Directory), aí as coisas mudam de figura.
    A recomendação que eu dou é de sempre configurar os cenários da maneira mais simples e genérica possível (Srv_SEFAZ_SP ao invés de Srv_SEFAZ_SP_HOM), utilizando a última versão do PI e configurar os cenários utilizando ICO.
    []'s
    JN

  • The difference between SSL & TLS

    dear experts,
    i need to know The difference between SSL & TLS and in which situations i should i have to use them.
    thanks
    Labib Makar

    Labib,
    At a 10,000 foot level v3.0 was superceded by . v1.0.
    TLSv1.0 (RFC 4346) was an upgrade to SSL v3.0 (but they don't interoperate)
    This "Cisco.com document" describes the workings of both in some detail:  SSL: Foundation for Web Security
    it states this as some basic differences:
    TLS uses slightly different cryptographic algorithms for such things as the MAC function generation of secret keys. TLS also includes more alert codes.
    Also See: Wikipedia TLS
    As far as which to use, it would depend on if both sides (server/client) support each?  TLS v1.0 or v1.1 is newer.
    Most modern Browsers tend to support both.
    i.e.
    Firefox 3.5.7 supported both SSL v3.0 and TLS v1.0
    Internet Explorer v6 supported both SSLv2, SSLv3, TLS v1.0
    etc.
    Hope that helps.
    Steve Ochmanski

  • Java Webstart application problem with TLS certificate revocation checks (Java 1.7.0_76)

    We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
    The application is running on a server within a wide area network which is separated from the internet.
    The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
    The user has to enter, for example "https://my-site.de/myapp/ma.jnlp" within a webbrowser or could also call  "javaws https://my-site.de/myapp/ma.jnlp" to start the application client.
    The webserver has a certificate from a trusted certificate authority. This certificate seems to be ok, the browser is even configured to perform OCSP status check.
    The application files are signed with a certificate from another trusted certificate authority. This certificate seems also to be ok. Regarding this certificate there
    are no problems with certificate revocation checks.
    The problem is, while starting the application client there is a message box which tell us something like "the connection to this website ist not trustworthy",
    "Website: https://my-site.de:80", and something about an invalid certificate, meaning the webserver certificate.
    Obviously the jvm runtime, which is executed on the users workstation, tries to perform a revocation check for the webservers certificate, but this fails because
    it cannot fetch the certificate under https://my-site.de:80.
    The application will execute without further problems after that message but the users are very concerned about the "invalid" certificate, so here are my questions:
    - Why is the application trying to get the webserver certificate over Port 80. Our application developers told me, there is no corresponding statement. Calling this address
      has to fail while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
    - Is there a way to make the application go on without performing a tls revocation check? I mean, by adjusting the application sourcecode and not by configuring the users Java Control Panel.
      While disabling the TLS Certificate Revocation check in the Java Control Panel, the Webstart Application executes without a warning message, but this is not a workable solution for
      our users.
    It would be great if someone can help me with a hint so i can send our developers into the right direction;-)
    Many thanks!
    This is a part from a java console output after calling "javaws -verbose https://my-site.de/myapp/"
    (sorry for this is in german... and also my english above)
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: OCSP Response: GOOD
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: UNAUTHORIZED
    security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    network: Cacheeintrag gefunden [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
    cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
    cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
    network: Codierung für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
    network: Verbindung mit http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl trennen
    CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird
    network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
    security: Revocation Status Unknown
    com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
            at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
            ... 35 more
    Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        ... 36 more
    security: Ungültiges Zertifikat vom HTTPS-Server
    network: Cacheeintrag nicht gefunden [URL: https://my-site.de:80, Version: null]

    Add the JSF Jars to the WEB-INF/lib directory of the application. If still getting error add to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.

  • JRE 1.5 VS. JRE 1.6 - Could not convert socket to TLS

    I have an applet that is trying to send an email through an SMTP server. It works just fine 1.6 but on 1.5 it blows up and I'm kind of at the end of my rope. Any help here would be great.
    I've had to set up the DummySSLSocketFactory as described in the JavaMail readme but still no luck on 1.5.
    Here is the error:
    DEBUG: setDebug: JavaMail version 1.4ea
    DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc.]
    DEBUG SMTP: useEhlo true, useAuth true
    DEBUG SMTP: trying to connect to host "mail.bluebottle.com", port 25, isSSL false
    220 fe0.bluebottle.com ESMTP Sendmail 8.13.1/8.13.1; Thu, 28 Jun 2007 08:25:34 -0700
    DEBUG SMTP: connected to host "mail.bluebottle.com", port: 25
    EHLO CC-FRED
    250-fe0.bluebottle.com Hello 207-174-73-129.officepartners.us [207.174.73.129] (may be forged), pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-AUTH LOGIN PLAIN
    250-STARTTLS
    250-DELIVERBY
    250 HELP
    DEBUG SMTP: Found extension "ENHANCEDSTATUSCODES", arg ""
    DEBUG SMTP: Found extension "PIPELINING", arg ""
    DEBUG SMTP: Found extension "8BITMIME", arg ""
    DEBUG SMTP: Found extension "SIZE", arg ""
    DEBUG SMTP: Found extension "DSN", arg ""
    DEBUG SMTP: Found extension "AUTH", arg "LOGIN PLAIN"
    DEBUG SMTP: Found extension "STARTTLS", arg ""
    DEBUG SMTP: Found extension "DELIVERBY", arg ""
    DEBUG SMTP: Found extension "HELP", arg ""
    STARTTLS
    220 2.0.0 Ready to start TLS
    javax.mail.MessagingException: Could not convert socket to TLS;
      nested exception is:
                    java.net.SocketException: com.cc.util.controller.email.DummySSLSocketFactory
                    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1230)
                    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:378)
                    at javax.mail.Service.connect(Service.java:275)
                    at javax.mail.Service.connect(Service.java:156)
                    at javax.mail.Service.connect(Service.java:176)
                    at com.cc.util.discovery.DiscoveryService.sendViaSMTP(DiscoveryService.java:422)
                    at com.cc.util.discovery.DiscoveryService.discoverSMTPService(DiscoveryService.java:378)
                    at com.cc.util.discovery.DiscoveryService.discoverPOP3Service(DiscoveryService.java:330)
                    at com.cc.util.discovery.DiscoveryService.checkEmailService(DiscoveryService.java:126)
                    at com.cc.applet.CCNonBlockingThread$1.run(CCNonBlockingThread.java:180)
                    at java.security.AccessController.doPrivileged(Native Method)
                    at com.cc.applet.CCNonBlockingThread.processEventData(CCNonBlockingThread.java:178)
                    at com.cc.applet.CCNonBlockingThread.run(CCNonBlockingThread.java:139)
    Caused by: java.net.SocketException: com.cc.util.controller.email.DummySSLSocketFactory
                    at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
                    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:249)
                    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1226)
                    ... 12 moreHere is the code:
                   Properties props = new Properties();
                   props.put("mail.smtp.auth", "true");
                   props.put("mail.smtp.host", smtpServer);
                   props.put("mail.smtp.starttls.enable","true");
                   // the line below is for java 1.5
                   java.security.Security.setProperty("ssl.SocketFactory.provider","com.cc.util.controller.email.DummySSLSocketFactory");
                   // these are for java 1.4
                  props.setProperty("mail.smtps.socketFactory.class","com.cc.util.controller.email.DummySSLSocketFactory");
                  props.setProperty("mail.smtps.socketFactory.fallback", "false");
                   Session session = Session.getInstance(props, null);
                   session.setDebug(true);
                   // -- Create a new message --
                   Message msg = new MimeMessage(session);
                   // -- Set the FROM and TO fields --
                   msg.setFrom(new InternetAddress(from));
                   msg.setRecipients(Message.RecipientType.TO,InternetAddress.parse(to, false));
                   // -- Set the subject and body text --
                   msg.setSubject(subject);
                   msg.setText(body);
                   // -- Set some other header information --
                   msg.setHeader("X-Mailer", "FuserDiscoveryProcess");
                   msg.setSentDate(new Date());
                   // -- Send the message --
                   Transport tr = session.getTransport("smtp");
                   tr.connect(username, password);
                   tr.sendMessage(msg,msg.getAllRecipients());
                   tr.close();
                   CCLogger.getLogger().log(Level.INFO, "Message sent OK.");

    new info it works on 1.5.0_10 but not 1.5.0_06 any ideas?

  • MailAPI SMTP sending error: 'Could not convert socket to TLS'

    I'm stucked with smtp authentication in a project.
    The process works on port 25 with no STARTTLS, but unfortunately our company server uses port 587 and STARTTLS.
    It seems that only the half of the authentication process could be successful, as the server accepts EHLO, but when it switches to secure the program fails with the exception:
    'Could not convert socket to TLS'
    The simplified code (from a sample app) is:
    public void SendMail() throws Exception{
            Properties props = new Properties();
            props.setProperty("mail.transport.protocol", "smtp");
            props.setProperty("mail.smtp.host", "smtpserver");
            props.setProperty("mail.smtp.port", "587");
            props.setProperty("mail.smtp.auth", "true");
            props.setProperty("mail.smtp.auth.ntlm.domain", "codomain");
            props.setProperty("mail.smtp.starttls.required", "true");
            props.setProperty("mail.smtp.auth.mechanisms", "LOGIN NTLM");
            Session mailSession = Session.getDefaultInstance(props, null);
            mailSession.setDebug(true);
            Transport transport = mailSession.getTransport();
            MimeMessage message = new MimeMessage(mailSession);
            message.setSubject("My subject");
            message.setFrom(new InternetAddress("[email protected]"));
            message.setContent("<h1>Hello world</h1>", "text/html");
            message.addRecipient(Message.RecipientType.TO,
                                new InternetAddress("[email protected]"));
            transport.connect("smtpserver", 587, "CODOMAIN\\myaccount", "mypass");
            transport.sendMessage(message,
            message.getRecipients(Message.RecipientType.TO));
            transport.close();
       }

    I'll copy the full message below:
    +2010.06.29. 12:03:10 mailapi_2.Main main+
    SEVERE: null
    javax.mail.MessagingException: Could not convert socket to TLS;+
    nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1652)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:534)
    at javax.mail.Service.connect(Service.java:291)
    at mailapi_2.SimpleMail.SendMail1(SimpleMail.java:59)
    at mailapi_2.Main.main(Main.java:23)
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:503)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:443)
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1647)
    +... 4 more+
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    Could not convert socket to TLS
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    +... 14 more+
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
    +... 20 more+
    And the output panel before the exception:
    Sending mail...
    DEBUG: setDebug: JavaMail version 1.4.3
    +DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]+
    DEBUG SMTP: useEhlo true, useAuth true
    DEBUG SMTP: trying to connect to host "smtpserver", port 587, isSSL false
    +220 exch.plt.local Microsoft ESMTP MAIL Service ready at Tue, 29 Jun 2010 12:03:08 +0200+
    DEBUG SMTP: connected to host "smtpserver", port: 587
    EHLO machine.codomain.local
    +250-smtpserver.codomain.local Hello [xxx.xxx.xxx.xxx]+
    +250-SIZE 15728640+
    +250-PIPELINING+
    +250-DSN+
    +250-ENHANCEDSTATUSCODES+
    +250-STARTTLS+
    +250-AUTH GSSAPI NTLM+
    +250-8BITMIME+
    +250-BINARYMIME+
    +250 CHUNKING+
    DEBUG SMTP: Found extension "SIZE", arg "15728640"
    DEBUG SMTP: Found extension "PIPELINING", arg ""
    DEBUG SMTP: Found extension "DSN", arg ""
    DEBUG SMTP: Found extension "ENHANCEDSTATUSCODES", arg ""
    DEBUG SMTP: Found extension "STARTTLS", arg ""
    DEBUG SMTP: Found extension "AUTH", arg "GSSAPI NTLM"
    DEBUG SMTP: Found extension "8BITMIME", arg ""
    DEBUG SMTP: Found extension "BINARYMIME", arg ""
    DEBUG SMTP: Found extension "CHUNKING", arg ""
    STARTTLS
    +220 2.0.0 SMTP server ready+

  • VCS X8.5.1 SIP TLS to CUCM 8.6.2

    I'm having problems enabling TLS on my SIP trunk from the VCS to CUCM.
    The SIP trunk shows active on the VCS, but I can't make calls from VCS to CUCM or from CUCM to VCS.
    Before configuring TLS, I was able to make these calls.
    With TLS enabled, the VCS search for calls from VCS to CUCM show the call rejected and give the reason "Forbidden"
    Calls from CUCM to VCS get fast busy and I do not see anything in the search history on the VCS.
    I've restarted the trunk and call manager service on the CUCM servers, but no change.
    I'm not really sure where to go from here.
    I followed the following guide for configuring the SIP trunk. http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Cisco-VCS-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-and-X8-5.pdf
    Any help is appreciated.
    Thanks,
    Joe

    I have again checked these and identical to what I set up, We have a multiple TX9000's on the CUCM in Secure mode working perfect and can make Encrypted calls to the TPS server via a TPS TCP Trunk.
    but any calls to the VCS just fail on a VCS To CUCM Trunk using TLS with a fast busy signal. and the VCS doesn't even show a search history for it.
    In the eyes of the VCS and the CUCM there is no Issues with the TLS SIP Trunk it seems to be working, but It seems SIP TLS packets don't even leave the CUCM. I have tried almost every resource known, and thought it was me just having some random issue until I saw Josef post the same issue.
    Tomorrow I will check the X.509 names on the CUCM SIP Security Profile as this is the only thing I can think of that might cause the SIP trunk to be OK up but not route correctly maybe?

  • ACS 5.3.40 is there patch available to support TLS 1.1 and 1.2 regarding SSL termination?

    Hi,
    We are trying to reduce our susceptibility to SSL BEAST information disclosure vulnerability regarding our ACS 5.3.40 system.
    It's been suggested that we consider some  defensive measures such as cipher suite selection.
    Wherever possible, we should ensure that servers and clients that support TLS/SSL are configured to support TLS versions 1.1 and 1.2, not just SSLv3 and TLSv1.0 which is often the default configuration.
    Can you advise how this is done within the ACS 5.3.40 application? Is it just a case of patching to another level?
    (Default SSLv3 and TLSv1.0 defaults are not deemed strong enough).
    Thanks.

    same Question~
    I believe we come from the same university~
    Tsinghua, isn't it?

  • ACS 5.3, EAP-TLS Machine Authentication with Active Directory

    I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
    My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
    Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
    Evaluating Identity Policy
    15006 Matched Default Rule
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
    24437 Machine not found in Active Directory
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    12506 EAP-TLS authentication succeeded
    11503 Prepared EAP-Success
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    22065 Max sessions policy passed
    22064 New accounting session created in Session cache
    11002 Returned RADIUS Access-Accept
    I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
    Note: In my Identity Store Sequence, I did enable the option:
    For Attribute Retrieval only:
    If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
    but this only seems to work for internal identity stores (at least based on my testing)
    Under my Access Policy Identity tab, I configured the following Advanced features:
    Advanced Options
    If authentication failed
    RejectDropContinue
    If user not found
    RejectDropContinue
    If process failed
    RejectDropContinue
    And that didn't do anything either.
    Any ideas? Thanks in advance.

    Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
    Then can make a rule in the authorization policy such as
    If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

  • TLS support in C API's, follow-up

    Hello,
    In September 2013 I started a thread "SSL/TLS version in pre-built C api's" asking about the TLS support. I just want to share
    the info as a follow-up.
    The first approach was to change the current code for the Novell libraries but since the openSSL implementation was more of a
    "copy/paste" solution and the fact that the current source code available didn't match the binaries available I changed to
    openLDAP instead.
    Today we have built openLDAP libraries and openSSL libraries for Win32 and Win64 and changed the application code to use
    openLDAP instead of Novell's API's. Apart from the initialization and binding that switch was quite straight forward.
    The application now binds to LDAP directories requiring TLS and specific key exchange algorithms and cipher suites without any
    problem.
    I hope that Novell will update the openSSL part in their own libraries (and add features to eDirectory that let us set the
    SSL/TLS requirements).
    Best regards,
    Tobias

    These are some great comments; thanks for posting your experiences.
    Good luck.
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • How to submit a conurrent request with MLS attached from PL/SQL?

    Hi Friends,
    I am trying to submit RAXINV_SEL from backend. This one has MLS attached. If we submit it from request window,it fires 'Multilanguage' program first and then the RAXINV_SEL. How to set this MLS option from backend? I tried submitting the request after setting the apps context and set_nls_options...But,concurrent request ends with an error mainly because of the MLS not effective..
    1. What is the procedure to submit the concurrent program from PL/SQL which has MLS attached?
    Please help!
    Thanks
    Raj

    Hi Friends,
    I am trying to submit RAXINV_SEL from backend. This one has MLS attached. If we submit it from request window,it fires 'Multilanguage' program first and then the RAXINV_SEL. How to set this MLS option from backend? I tried submitting the request after setting the apps context and set_nls_options...But,concurrent request ends with an error mainly because of the MLS not effective..
    1. What is the procedure to submit the concurrent program from PL/SQL which has MLS attached?
    Please help!
    Thanks
    Raj

  • 10.4 Server TLS errors and other errors

    My mail server is giving me a variety of errors that I haven't been able to figure out how to fix.
    TLS server engine: cannot load cert/key data
    Feb 11 16:35:45 Mail-Server imap[421]: error initializing TLS
    Feb 11 16:35:45 Mail-Server imap[421]: TLS server engine: cannot load CA data
    Feb 11 16:35:45 Mail-Server imap[421]: unable to get certificate from '/etc/certificates/Default.crt'
    Feb 11 16:35:45 Mail-Server imap[421]: TLS server engine: cannot load cert/key data
    Feb 11 16:35:45 Mail-Server imap[421]: error initializing TLS
    DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: skiplist recovery /var/imap/user/f/frances.seen: 0240 should be ADD or DELETE
    Feb 11 16:52:15 Mail-Server imap[373]: DBERROR: opening /var/imap/user/f/frances.seen: cyrusdb error
    I'm using Plain authentication without SSL. I just bought a new MacBook Pro with 10.9.1, and whenever I send an email it says that Authentication fails, but sends the email anyway, and I'm not sure if that's something I should worry about or not.
    Feb 11 17:00:00 Mail-Server postfix/smtpd[626]: warning: AOD: Authentication failed for user rstilley. (Open Directroy error: -14090)
    Feb 11 17:00:00 Mail-Server postfix/smtpd[626]: warning: 24-178-136-163.dhcp.crtn.ga.charter.com[24.178.136.163]: SASL PLAIN authentication failed
    I haven't been able to find much out about this Open Directory error (odd that Directory is misspelled...)
    Any help anyone can give me would be most appreciated. I'll be glad to post any log files.
    Here is my postconf -n output:
    Mail-Server:/var/log root# postconf -n
    alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
    always_bcc =
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    debug_peer_level = 2
    delay_warning_time = 1h
    disable_vrfy_command = yes
    enable_server_options = yes
    inet_interfaces = all
    luser_relay =
    mail_owner = postfix
    mailbox_transport = cyrus
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    maps_rbl_domains =
    maximal_queue_lifetime = 2d
    message_size_limit = 0
    mydestination = $myhostname,localhost.$mydomain,times-georgian.com
    mydomain_fallback = localhost
    myhostname = times-georgian.com
    mynetworks = 127.0.0.1/32,10.1.6.0/24
    mynetworks_style = host
    newaliases_path = /usr/bin/newaliases
    owner_request_special = no
    queue_directory = /private/var/spool/postfix
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relayhost =
    sample_directory = /usr/share/doc/postfix/examples
    sendmail_path = /usr/sbin/sendmail
    setgid_group = postdrop
    smtpd_client_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_rbl_client zen.spamhaus.org,permit
    smtpd_enforce_tls = no
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks,check_helo_access hash:/etc/postfix/helo_access,reject_non_fqdn_hostname,reject_invalid_hostname, permit
    smtpd_pw_server_security_options = plain
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
    smtpd_sasl_auth_enable = yes
    smtpd_tls_loglevel = 0
    smtpd_use_pw_server = yes
    smtpd_use_tls = no
    unknown_local_recipient_reject_code = 550
    Thanks in advance.

    UPDATE: My VPN is now running!
    Through a series of Firewall configuration changes, I am now able to connect and access files on the server through VPN. I still have some small details to work-out (i.e., I can't browse the Windows environment under the Network tab of My Computer). I can however map to the drive directly using the IP address.
    Windows 7 and Vista clients connect via L2TP using shared secret.

  • How to Use Schannel for TLS Sockets on Windows?

    I need make a c++ TLS socket server running on Windows XP, and a c# TLS socket client on Windows 7.
    The reason of using Schannel TLS is that it is FIPS 140-2 validated.
    But it is not easy to find some sample code of Schannel.
    By search, I found two c++ TLS samples, but the samples use the secur32.dll, some APIs seem are FIPS non-approved.
    codeproject SSL/TLS client/server for .NET and SSL tunnelling
    http://www.coastrd.com/c-schannel-smtp C++ SSPI Schannel TLS example
    According to 140sp1000.pdf (Microsoft Windows Vista Kernel Mode Security Support Provider Interface (ksecdd.sys) Security Policy Document), following APIs are FIPS non-approved APIs.
    InitializeSecurityContextW
    ImpersonateSecurityContext
    EncryptMessage 
    DecryptMessage
    I am quite confused about two things:
    One is that the FIPS non-approved APIs of ksecdd.sys also are also non-approved in secur32.dll?
    Another question is what's the correct way of using Schannel. Are the samples using Schannel in the correct way, must the APIs InitializeSecurityContextW/EncryptMessage be used?
    I want some sample code about how to use Schannel in native c++ and managed c#.

    I'm not sure what information you are referring to that indicates InitializeSecurityContext() and EncryptMessage() are not FIPS compliant.  InitializeSecurityContext() is required API on the client side.  EncryptMessage() is the required API to
    encrypt data.  Both APIs are important APIs in SSPI.
    In .NET, you would use the SSLStream Class, https://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.110).aspx .
     MSDN has sample code for both the client and server.
    There used to be an SSPI client + server sample (WebClient & WebServer) on the Windows SDK.   I don't know if it is still there.  If you can't find them, please let me know.
    thanks
    Frank K [MSFT]
    Follow us on Twitter, www.twitter.com/WindowsSDK.
     

  • How can I provide my own list of CA-certificates for TLS-connections from within a Add-On

    I'm considering writing an Add-On that does a DNSSEC/DANE lookup.
    My scenario is that a DNSSEC query for the TLSA (DANE) records of a site return a full Root Certificate for a site. (2,0,0 in DANE jargon.)
    I want to create new TLS context with a CA-pool containing just that Certificate, so that when I browse to the site, the TLS-layer verifies the site certificate against the DNSSEC-specified Root CA.
    My question: how do I program that in an add on? How can I specify a *certain* CA root certificate before opening the connection.

    Replying to myself to add some more information.
    For doing the DNSSEC-DANE lookup, I use a strategy as pioneered by the DNSSEC validation Add On.
    My question is how to create a TLS-connection context with a certain Root CA before connection to the site.

Maybe you are looking for

  • Issue with use of shared variables in Crystal Reports 2008 Offline Viewer

    Hi, I have a report that contains a number of sub-reports which include drill-down functionality. The report returns data relating to an individual team with the user being able to view top level summary information in each area from the parent repor

  • Clicking noise from back-ups

    Since replacing my G5 with a new mac mini I hear frequent clicking noises from the APC Back-UPS that I have it plugged into. The only obvious difference is that the mini has an ungrounded two-prong plug while the G5 had a grounded three-prong plug. T

  • Bash-Completion notice

    Hi, I already flagged bash-completion several days ago in the packages system, but i wanted to stress the need for an update, here is the extract from the developer's site: http://www.caliban.org/bash/ bash 3.1 is now available. Initial reports sugge

  • Wich Character Set is used in iWeb?

    My web-server uses utf8unicodeic (default). Symbols like ä, ö, ü or € cannot be displayed on the web-pages, written in iWeb 09 v 3.0.1 (9833). These symbols are essential part of speech and text in Europe, especially in German, these characters are n

  • How do i do the 3 finger scroll left and right to go back or forward on web browsers or anything else?

    topic says it all. cant do that anymore since i got lion