Trust and Key Store config values? - OBPM 10g (Linux) With Websphere6 (AIX)

Hi,
We installed OBPM 10gR3 on Linux (10.3.2 for Websphere) with Websphere 6.1.0.21 on AIX.
When we try to save values in the following section we get an error:
Engines > Edit Engine bpmengine > JMX Engine Management Configuration
Attributes are:
Host / Port / Security Enabled / Principal / Credentials / Trust store / Trust store password / Key store / Key store password
Can anybody please help with what values to put for the following parameters under JMX Engine Management Configuration with respect to Websphere Application Server 6.1.0.21:
Trust store: ?
Trust store password: ?
Key store: ?
Key store password: ?
Please help us in case anybody came across this.
Thanks and Regards
SH

Well it seems that my trouble all started when I began using the 'printable = yes' option for shares. Since I removed that the troubles seem to have left me.
Does anyone know why that is listed as an option in smb.conf here:
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
As well as in a few other examples if it doesn't work? I saw the example and assumed that option was needed to print from those shared directories.
Also, it seems that the comma is not needed between the 'valid users' names.
Also, I guess it wasn't Windows XP's fault either but rather my own ignorance. I like the idea of blaming Windows better though.....
I hope this serves to help others to avoid my mistakes.

Similar Messages

  • Custom Trust and Key Store

    Hello, I've successfully configured the Custom Trust and Key Store on one server (hosting OpenSSO,) but when I follow the exact same directions to configure the Custom Trust and Key Store on another server (hosting Identity Manager with OpenSSO policy agent) WebLogic pre-empts my configuration by loading the DemoTrust.jks and cacerts keystores. I think the issue is introduced because the OpenSSO policy agent requires an Authentication Provider (Agent_Authenticator, com.sun.identity.agents.weblogic.v10.AmWLAuthProvider) that is loaded before the WebLogic domain's config/config.xml file, which contains the Custom Trust and Key Store entities.
    Thanks.
    A part of the log file showing that these two stores are loaded before the custom identity and trust stores are loaded:
    Note JAVA_OPTIONS has -verbose:class and -Dssl.debug=true set
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE KeyAgreement: SunPKCS11-Solaris version 1.6 for algorithm DiffieHellman>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm DiffieHellman>
    [Loaded com.certicom.ecc.scheme.DH from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm ECDH>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
    [Loaded com.certicom.ecc.scheme.DES from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DES/CBC/NoPadding>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DES>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm AES/CBC/NoPadding>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm AES>
    [Loaded com.certicom.ecc.scheme.AES from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm RC4>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm RC4>
    [Loaded com.certicom.ecc.scheme.ARC4 from file:/opt/bea/wlserver_10.3/server/lib/EccpressoCore.jar]
    [Loaded com.sun.crypto.provider.RSACipher from file:/usr/jdk/instances/jdk1.6.0/jre/lib/ext/sunjce_provider.jar]
    [Loaded javax.crypto.spec.PSource from /usr/jdk/instances/jdk1.6.0/jre/lib/jce.jar]
    [Loaded javax.crypto.spec.PSource$PSpecified from /usr/jdk/instances/jdk1.6.0/jre/lib/jce.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
    [Loaded java.util.regex.Pattern$BranchConn from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded java.util.regex.Pattern$Branch from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSL Session TTL :90000>
    [Loaded com.certicom.tls.interfaceimpl.ProtocolVersions from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded com.certicom.tls.interfaceimpl.ProtocolVersion from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLTrustValidator from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded java.security.cert.CertificateEncodingException from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    [Loaded weblogic.security.SSL.CertPathTrustManager from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLWLSHostnameVerifier from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLWLSHostnameVerifier$DefaultHostnameVerifier from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <DefaultHostnameVerifier: allowReverseDNS=false>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: using pre-mbean command line configuration for SSL trust>
    [Loaded weblogic.security.utils.KeyStoreConfigurationHelper from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.PreMBeanKeyStoreConfiguration from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.KeyStoreInfo from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.KeyStoreConstants from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    [Loaded weblogic.security.utils.SSLContextManager from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:26 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/bea/wlserver_10.3/server/lib/DemoTrust.jks.>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLContextManager: loaded 5 trusted CAs from /opt/bea/wlserver_10.3/server/lib/DemoTrust.jks>
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US; Issuer: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US>
    ... The Certs ....
    <Jan 26, 2010 4:00:26 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Subject: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US; Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US>
    <Jan 26, 2010 4:00:26 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /usr/jdk/instances/jdk1.6.0/jre/lib/security/cacerts.>
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLContextManager: loaded 76 trusted CAs from /usr/jdk/instances/jdk1.6.0/jre/lib/security/cacerts>
    ... The 76 Certs ...
    [Loaded sun.nio.cs.ISO_8859_1$Decoder from /usr/jdk/instances/jdk1.6.0/jre/lib/rt.jar]
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US; Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US>
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Failure loading trusted CA list
    java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
         at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
         at com.certicom.tls.interfaceimpl.CertificateSupport.addTrustedCertificate(Unknown Source)
         at com.certicom.net.ssl.SSLContext.addTrustedCertificate(Unknown Source)
         at com.bea.sslplus.CerticomSSLContext.addTrustedCA(Unknown Source)
         at weblogic.security.utils.SSLContextWrapper.addTrustedCA(SSLContextWrapper.java:62)
         at weblogic.security.utils.SSLSetup.getSSLContext(SSLSetup.java:320)
         at weblogic.security.SSL.SSLClientInfo.getSSLSocketFactory(SSLClientInfo.java:101)
         at weblogic.security.SSL.SSLSocketFactory.setSSLClientInfo(SSLSocketFactory.java:218)
         at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:36)
         at weblogic.security.SSL.SSLSocketFactory.getInstance(SSLSocketFactory.java:68)
         at weblogic.net.http.HttpsClient.New(HttpsClient.java:561)
         at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:242)
         at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:237)
         at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:191)
         at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:93)
         at com.iplanet.services.naming.WebtopNaming.getNamingTable(WebtopNaming.java:1038)
         at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.java:1074)
         at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java:991)
         at com.iplanet.services.naming.WebtopNaming.access$000(WebtopNaming.java:74)
         at com.iplanet.services.naming.WebtopNaming$SiteMonitor.<clinit>(WebtopNaming.java:1386)
         at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:145)
         at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:93)
         at com.iplanet.services.naming.WebtopNaming.getNamingTable(WebtopNaming.java:1038)
         at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.java:1074)
         at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java:991)
         at com.iplanet.services.naming.WebtopNaming.getServiceAllURLs(WebtopNaming.java:466)
         at com.sun.identity.authentication.AuthContext.login(AuthContext.java:575)
         at com.sun.identity.authentication.AuthContext.login(AuthContext.java:521)
         at com.sun.identity.authentication.AuthContext.login(AuthContext.java:381)
         at com.sun.identity.agents.common.ApplicationSSOTokenProvider.getApplicationSSOToken(ApplicationSSOTokenProvider.java:63)
         at com.sun.identity.agents.arch.AgentConfiguration.setAppSSOToken(AgentConfiguration.java:541)
         at com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfiguration(AgentConfiguration.java:646)
         at com.sun.identity.agents.arch.AgentConfiguration.initializeConfiguration(AgentConfiguration.java:1054)
         at com.sun.identity.agents.arch.AgentConfiguration.<clinit>(AgentConfiguration.java:1498)
         at com.sun.identity.agents.arch.Manager.<clinit>(Manager.java:643)
         at com.sun.identity.agents.weblogic.v10.AmWLAuthProvider.initialize(AmWLAuthProvider.java:57)
         at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:65)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(Unknown Source)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(Unknown Source)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(Unknown Source)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(Unknown Source)
         at weblogic.security.service.SecurityServiceManager.initialize(Unknown Source)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    [Loaded weblogic.security.utils.SSLIOContextTable from file:/opt/bea/wlserver_10.3/server/lib/weblogic.jar]
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 16880245>
    <Jan 26, 2010 4:00:27 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    Edited by: user585541 on Jan 26, 2010 1:23 PM
    Edited by: user585541 on Jan 26, 2010 1:29 PM

    Faisal Khan wrote:
    <BEA-000000> <Failure loading trusted CA list
    java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
    The root problem is that the Certicom SSL does not support the SHA256 algorithm, which is required with the trusted certificates of "ttelesecglobalrootclass2ca" and "ttelesecglobalrootclass3ca".
    A fix is included in JDK 1.6.0_13 wherein WLS just ignores these certificates.
    You can get more information on the fix from Oracle Support.
    You can delete these certificates yourself using the keytool utility.

    Thank you. I removed them all, but WebLogic still loads the Demo and JDK keystores and not the custom keystores before loading the security realm.
    Is there a way to specify the KeyStores for the security realm?
    I've provided the following to the JVM but to no avail:
    -Djavax.net.ssl.keyStore=/export/home/weblogic/keystore/keystore.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=***** -Djavax.net.ssl.trustStore=/export/home/weblogic/keystore/keystore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trsustStorePassword=*****

  • Trust store and key store

    What is the fundamental difference between trust store and key store ?

    what this means to an end user ?

    I have no idea, but what it means to me is that JBoss don't understand the difference between them any more than you did when you asked the question.
    A keystore is a high-security item that needs to be kept under lock and key as it contains credentials sufficient to identify that peer legally, and I mean in a courtroom in a dispute over millions of dollars. A truststore on the other hand is a collection of public certificates whose security requirement is to prevent people adding untrustworthy certificates to it. A completely different matter. In any large organization, the personnel with the authority over the keystore would never be the same as the personnel with authority over the truststore. Putting both in the same file compromises the security of both. It makes no sense whatsoever.

  • WLST/start AdminServer - problems with trusted cert key store

    Hello,
    I have clustered environment. Machine1: AdminServer and odi_server1. Machine2: odi_server2. There is NodeManager running on each machine. This is my nodemanager.properties for NodeManager on Machine1:
    #Thu Dec 19 13:18:30 CET 2013
    #Thu Dec 19 11:29:43 CET 2013
    #Thu Dec 19 11:17:53 CET 2013
    #Tue Dec 11 11:40:20 CET 2012
    DomainsFile=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.domains
    LogLimit=0
    PropertiesVersion=10.3
    DomainsDirRemoteSharingEnabled=false
    javaHome=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64
    AuthenticationEnabled=true
    NodeManagerHome=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager
    JavaHome=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
    LogLevel=INFO
    DomainsFileEnabled=true
    StartScriptName=startWebLogic.sh
    ListenAddress=
    NativeVersionEnabled=true
    ListenPort=5556
    LogToStderr=true
    SecureListener=true
    LogCount=1
    DomainRegistrationEnabled=false
    StopScriptEnabled=false
    QuitEnabled=false
    LogAppend=true
    StateCheckInterval=500
    CrashRecoveryEnabled=false
    StartScriptEnabled=true
    LogFile=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.log
    LogFormatter=weblogic.nodemanager.server.LogFormatter
    ListenBacklog=50
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/keystore.jks
    CustomIdentityKeyStorePassPhrase={3DES}VRCBXCfDocQ=
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/cacerts.jks
    CustomTrustKeyStorePassPhrase=
    CustomIdentityAlias=keyAlias
    CustomIdentityPrivateKeyPassPhrase={3DES}VRCBXCfDocQ=
    As you can see, I have my custom trust (cacerts.jks) and identity (keystore.jks) keystores and they are set for node manager in this file. Next, nodemanager is started via wlst, like this:
    bea_home = '/home/oracle/Oracle/Middleware';
    pathseparator = '/';
    listen_port = '5556';
    listen_address = 'eb-etl1';
    node_manager_home = bea_home + pathseparator + 'wlserver_10.3' + pathseparator + 'common' + pathseparator + 'nodemanager';
    startNodeManager(verbose='true', NodeManagerHome=node_manager_home, ListenPort=listen_port, ListenAddress=listen_address);
    I want to start my AdminServer via wlst (by connecting to nodemanager), like this:
    bea_home = '/home/oracle/Oracle/Middleware';
    pathseparator = '/';
    admin_username = 'weblogic';
    admin_password = '1q2w3e1q2w3e';
    listen_address = 'eb-etl1';
    listen_port = '5556';
    admin_server_url='t3://eb-etl1:7005'
    domain_name = 'odi_cluster';
    domain_home = bea_home + pathseparator + 'user_projects' + pathseparator + 'domains' + pathseparator + domain_name;
    print 'CONNECT TO NODE MANAGER';
    nmConnect(admin_username, admin_password, listen_address, listen_port, domain_name, domain_home, 'ssl');
    print 'START ADMIN SERVER ONLY ON THE MACHINE WHERE THE ADMIN SERVER IS PRESENT';
    nmStart('AdminServer');
    print 'CONNECT TO ADMIN SERVER';
    connect(admin_username, admin_password, admin_server_url);
    print 'START MANAGED SERVERS ON THE MACHINE';
    start('odi_server1','Server');
    But I can't even connect to node manager:
    CONNECT TO NODE MANAGER
    Connecting to Node Manager ...
    <2013-12-19 13:48:23 CET> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
    <2013-12-19 13:48:23 CET> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <2013-12-19 13:48:24 CET> <Warning> <Security> <BEA-090542> <Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
    This Exception occurred at Thu Dec 19 13:48:24 CET 2013.
    javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
    Problem invoking WLST - Traceback (innermost last):
      File "/home/oracle/Oracle/Middleware/deploy/scripts/startBiatelbit_puw.py", line 12, in ?
      File "<iostream>", line 123, in nmConnect
      File "<iostream>", line 648, in raiseWLSTException
    WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : [Security:090542]Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.
    Use dumpStack() to view the full stacktrace
    So - it seems my trust keystore is not even used, why? Why still demo key store is used??
    If I remove this:
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeystoreType=jks
    CustomIdentityKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/keystore.jks
    CustomIdentityKeyStorePassPhrase={3DES}VRCBXCfDocQ=
    CustomTrustKeystoreType=jks
    CustomTrustKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/odi_cluster/cacerts.jks
    CustomTrustKeyStorePassPhrase=
    CustomIdentityAlias=keyAlias
    CustomIdentityPrivateKeyPassPhrase={3DES}VRCBXCfDocQ=
    from my nodemanager.properties, there is no exception while connecting to node manager and I can start admin server. But - I can't start odi_server1 (weblogic console says that node manager for Machine1 is unreachable). From other hand, when I run AdminServer via startWebLogic script (with above keystore definitions), I can start my odi_server1 via weblogic administration console without any problems.
    Also, NodeManager for Machine2 is always unreachable, no matter what I do (with or without keystore definitions).
    Do you have any idea what am I doing wrong?
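The WLST output in the post above mixes two separate conditions: BEA-090898 notices, where a trust anchor is skipped because the parser rejects OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), and the BEA-090542 handshake failure. The following is an added example, not code from the original posts, that separates the two in a log; the sample lines are constructed from the output quoted above and the function and field names are hypothetical.

```python
import re
from collections import Counter

# Standard PKIX names for signature-algorithm OIDs a parser may reject.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

# Constructed sample, modelled on the WLST output quoted in the post (messages shortened).
SAMPLE_LOG = r'''Connecting to Node Manager ...
<2013-12-19 13:48:23 CET> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance.>
<2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<2013-12-19 13:48:24 CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<2013-12-19 13:48:24 CET> <Warning> <Security> <BEA-090542> <Certificate chain received from eb-etl1 - 172.18.0.106 was not trusted causing SSL handshake failure.>
'''

# <timestamp> <severity> <subsystem> <message id> <text>, one record per line.
RECORD = re.compile(r'^<([^>]+)> <(\w+)> <([^>]+)> <(BEA-\d+)> <(.*)>\s*$')
# The DN is quoted and may contain backslash-escaped commas.
IGNORED_CA = re.compile(
    r'Ignoring the trusted CA certificate "((?:[^"\\]|\\.)*)"'
    r'.*?object: (\d+(?:\.\d+)+)'
)
UNTRUSTED = re.compile(r'Certificate chain received from (\S+) - (\S+) was not trusted')


def display_name(dn):
    """Return the CN of a DN, or its first RDN when the DN has no CN."""
    rdns = re.split(r'(?<!\\),', dn)  # split on unescaped commas only
    for rdn in rdns:
        if rdn.startswith("CN="):
            return rdn[3:].replace("\\,", ",")
    return rdns[0].replace("\\,", ",")


def triage(log_text):
    """Separate skipped trust anchors from peers whose chain was rejected."""
    ignored, untrusted = [], []
    for line in log_text.splitlines():
        rec = RECORD.match(line.strip())
        if not rec:
            continue  # WLST banners, stack traces, continuation lines
        stamp, _severity, _subsystem, msg_id, text = rec.groups()
        if msg_id == "BEA-090898":
            hit = IGNORED_CA.search(text)
            if hit:
                dn, oid = hit.groups()
                ignored.append({
                    "time": stamp,
                    "ca": display_name(dn),
                    "oid": oid,
                    "algorithm": SIG_ALG_NAMES.get(oid, "unknown"),
                })
        elif msg_id == "BEA-090542":
            hit = UNTRUSTED.search(text)
            if hit:
                untrusted.append(hit.groups())  # (host, address)
    return {
        "ignored_cas": ignored,
        "untrusted_peers": untrusted,
        "by_algorithm": Counter(entry["algorithm"] for entry in ignored),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for entry in report["ignored_cas"]:
        print("skipped anchor:", entry["ca"], "(" + entry["algorithm"] + ")")
    for host, addr in report["untrusted_peers"]:
        print("chain not trusted:", host, addr)
```

A BEA-090898 entry only affects the handshake if the peer's chain ends in one of the skipped roots, so compare the issuer of the Node Manager certificate with this list before changing any trust settings.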

    Hi,
    If the admin URL is specified with the https protocol, then http tunneling must be enabled for the server from the console -> servers -> AdminServer ->Protocols -> http.
    Moreover we also need to add following java options to the stopWebLogic.cmd or setDomainEnv.cmd:
    set JAVA_OPTIONS=$JAVA_OPTIONS$ -Dweblogic.security.IdentityKeyStore=CustomIdentity -Dweblogic.security.CustomIdentityKeyStoreFileName=identity.jks -Dweblogic.security.CustomIdentityKeyStorePassPhrase=password -Dweblogic.security.Identity.KeyStoreType=JKS -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=trust.jks -Dweblogic.security.CustomTrustKeyStoreType=JKS -Dweblogic.security.CustomTrustKeyStorePassPhrase=password -Dweblogic.security.IgnoreHostNameVerification=true -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Regards,
    Kal
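Two sets of JVM options are quoted on this page: the `-Djavax.net.ssl.*` options in the first thread and the `-Dweblogic.security.*` options in the reply above. The following added example (not code from the posters or from Oracle) audits such an option string for the settings that weaken TLS or expose secrets, including the shared identity/trust file that the "Trust store and key store" answer warns about. The sample strings are constructed from the options on this page with placeholder secrets, and the rule and function names are hypothetical.

```python
import re
from difflib import get_close_matches

# Standard JSSE system properties for key and trust material.
JSSE_PROPS = sorted([
    "javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.keyStoreType", "javax.net.ssl.keyStoreProvider",
    "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.trustStoreType", "javax.net.ssl.trustStoreProvider",
])
# Hostname-verification switches, spelled as they appear on this page.
HOSTNAME_OFF = {
    "weblogic.security.ignorehostnameverification",
    "weblogic.security.ssl.ignorehostnameverification",
}
# (identity store, trust store) properties that should not name the same file.
STORE_PAIRS = [
    ("javax.net.ssl.keyStore", "javax.net.ssl.trustStore"),
    ("weblogic.security.CustomIdentityKeyStoreFileName",
     "weblogic.security.CustomTrustKeyStoreFileName"),
]
OPTION = re.compile(r'-D([A-Za-z0-9_.]+)=(\S*)')

# Constructed samples; EXAMPLE-SECRET is a placeholder, not a value from the page.
SAMPLE_FIRST_THREAD = (
    "-Djavax.net.ssl.keyStore=/export/home/weblogic/keystore/keystore.jks "
    "-Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=EXAMPLE-SECRET "
    "-Djavax.net.ssl.trustStore=/export/home/weblogic/keystore/keystore.jks "
    "-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trsustStorePassword=EXAMPLE-SECRET"
)
SAMPLE_REPLY = (
    "-Dweblogic.security.CustomIdentityKeyStoreFileName=identity.jks "
    "-Dweblogic.security.CustomIdentityKeyStorePassPhrase=EXAMPLE-SECRET "
    "-Dweblogic.security.TrustKeyStore=CustomTrust "
    "-Dweblogic.security.CustomTrustKeyStoreFileName=trust.jks "
    "-Dweblogic.security.CustomTrustKeyStorePassPhrase=EXAMPLE-SECRET "
    "-Dweblogic.security.IgnoreHostNameVerification=true "
    "-Dweblogic.security.SSL.ignoreHostnameVerification=true"
)
# Same stores as SAMPLE_REPLY with the weak settings removed; passphrases are
# assumed to be supplied by a mechanism other than the command line.
SAMPLE_SEPARATED = (
    "-Dweblogic.security.CustomIdentityKeyStoreFileName=identity.jks "
    "-Dweblogic.security.TrustKeyStore=CustomTrust "
    "-Dweblogic.security.CustomTrustKeyStoreFileName=trust.jks"
)


def audit(cmdline):
    """Return sorted (rule, property, detail) findings for one option string."""
    opts = OPTION.findall(cmdline)
    values = dict(opts)
    findings = set()
    for name, value in opts:
        low = name.lower()
        if low in HOSTNAME_OFF and value.lower() == "true":
            # The certificate is accepted without matching it to the host name.
            findings.add(("hostname-verification-disabled", name, ""))
        if low.endswith(("password", "passphrase")) and value:
            # Command-line arguments are readable in process listings and scripts.
            findings.add(("secret-on-command-line", name, ""))
        if name == "weblogic.security.TrustKeyStore" and value == "DemoTrust":
            findings.add(("demo-trust-store", name, ""))
        if name.startswith("javax.net.ssl.") and name not in JSSE_PROPS:
            # The JVM accepts any -D name, so a misspelt property is silently unused.
            close = get_close_matches(name, JSSE_PROPS, n=1, cutoff=0.9)
            if close:
                findings.add(("possible-misspelling", name, close[0]))
    for ident, trust in STORE_PAIRS:
        if ident in values and values[ident] == values.get(trust):
            # Private keys and trust anchors end up under one file and one owner.
            findings.add(("identity-and-trust-share-file", ident, values[ident]))
    return sorted(findings)


if __name__ == "__main__":
    samples = (("first thread", SAMPLE_FIRST_THREAD), ("reply", SAMPLE_REPLY),
               ("separated", SAMPLE_SEPARATED))
    for label, sample in samples:
        print(label)
        for rule, prop, detail in audit(sample):
            print("  ", rule, prop, detail)
```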

  • Questions on OBPM 10g features

    Hi,
    Can OBPM 10g integrated with Oracle BRE?
    I want to define my business rules in Oracle BRE and access them from BPM 10g process. Please give me directions on how to achieve this? I know that in 10g there is an internal rules creation based on the project variables. But my requirement is to keep the business rules in the external Oracle BRE and access them from BPM 10g process.
    Thanks in advance

    If you're using Oracle Business Rules 11g then they are exposed as a web service that can be invoked by Oracle BPM 10 directly once the WSDL is introspected. If it's Oracle Business Rules 10, then you need to add a BPEL wrapper and then invoke the BPEL as a web service.
    Dan

  • Display key in the selection screen and Key & Text in the report

    Hi,
    For the infoobject in the query,
    In the variable selection screen When i want to select any value it should display only key, and in the report i want to display key and text of that infoobject.
    Is it possible?
    Thanks
    Rani

    Hi
    Display As
    Here you determine whether and in what format the individual characteristic values of the characteristic are presented:
    ·        (Standard): The standard display type for characteristic values corresponds to the setting in InfoObject maintenance under Tab Page: Business Explorer.
    ·        No Display: The characteristic display is hidden. This function is useful, for example, with the currency/unit characteristic as the currencies are also shown in the key figures.
    ·        Key and Text: The characteristic values are displayed by their technical key and text.
    ·        Text: The characteristic values are displayed by their text.
    ·        Key: The characteristic values are displayed by their technical key.
    ·        Text and Key: The characteristic values are displayed by their text and technical key.
    In the dropdown box below, you can select the type of text you want to use if you set a display type that contains text. The following options are available:
    ·        Standard: The shortest available text for the characteristic values is used as the text.
    ·        Short text: The short text for the characteristic values is used as the text.
    ·        Long text: The long text for the characteristic values is used as the text.
    ·        Medium text: The medium text for the characteristic values is used as the text.

  • Language and international content on iBook, iTunes and App Store

    Hi,
    when I try to buy any kind of apps, books, games, etc, the iBook, iTunes and App Store languages change to German, along with the content. I just bought my iPad yesterday, here in Germany, but I'm Dutch and would prefer to see american content, instead of all the translated, German, versions of products I get now. I have tried changing the store language on both my iPad and computer, and synched them, without effect. The only way to get the american content, for me, was to change the place I live to America. That worked fine, until I tried to get something. When I did, I got a message saying that my account was only usable in Germany. Does anyone know how to solve my problem????
    thank you,
    Leon O.

    In order to have an account in a particular country, you must a) have a valid billing address in that country, b) have a credit card billed to that address or use iTunes gift cards purchased in that country and c) be physically located in that country at the time of purchase. So, unless you actually change where you live to the U.S., you'll need to continue using the German iTunes Store.
    Best of luck.

  • Download Advance Chapter: Oracle Database 10g Linux Administration

    A new "betabook" chapter of Wim Coekaerts' and Ed Whalen's "Oracle Database 10g Linux Administration" -- this one focusing on installation -- is available for download from OTN. Plus, you can discuss your thoughts with the authors themselves. Check it out!
    http://otn.oracle.com/books/betabooks/index.html

    Please don't cross post on many forums,
    check where can i download a vmware image of redhat and oracle preinstalled?

  • Which table stores old value of IBAN number and how to retrive old value.

    HELLO TEAM
    We are going through an enhancement process that requires to display old value and new value of the IBAN number from the Vendor master records. As IBAN is a combination of the country key, Bank Key and Bank account number, which are all key fields, their values are stored in the form of key in CDHDR and CDPOS tables. The bank details are only shown in other key tab/column and the field name is displayed as key in CDPOS. These sensitive field changes are displayed as created or deleted but do not show as old value=x and new value =Y. The old value and new value fields are blank. The same happens for object IBAN and the tiban table only stores iban numbers that are updated and does not store old value of the iban number.
    If I have to display in the report s_alr_87012089, the old value and the new value of the iban number , how can i achieve the task. From which table we can retrieve the old value of the IBAN number.
    << Moderator message - Everyone's problem is important. But the answers in the forum are provided by volunteers. Please do not ask for help quickly. >>
    Thank you in anticipation of a solution
    Shekhar
    Edited by: Rob Burbank on Jul 19, 2011 4:59 PM

    Hello Team
    We have explored all the above means. We are working in 4.7 environment. As we could not find an appropriate solution, we have approached the forum. The old value is not stored in cdhdr and cdpos and has the indicator as 'E' -Delete. So if an updation is done then it will delete old value and create a new value. This happens especially for the fields Bank Country Key,Bank Key, Bank Account Number. All we have checked the object attributes in the table lfbk, where for some fields it does track changes  and for other it does not track changes. This is especially for the fields kovon and kobis.
    If the requirement is to track changes to the fields Bank Country Key,Bank Key, Bank Account Number, kovon, kobis, iban which are sensitive data, and the report has to display old value and new value for sox compliance, how can this be achieved?
    I have also gone through the SAP note 580266
    If we are running a report to track changes to all vendors or a selected group of vendors, only some fields show up the value old value and new value.
    Would appreciate if an appropriate solution is provided.
    Request for a solution as i waited for 2 days if any expert could help!!!
    Thank you
    shekhar
    Edited by: V_Shekhar on Jul 27, 2011 1:18 PM
    Edited by: V_Shekhar on Jul 28, 2011 4:36 PM

  • Trust Key Store - Interesting question ....

    Hi,
    Currently, using one way SSL, we get a 200 millisecond overhead from the client perspective. I have a gut feel that the trust key store check adds a lot of overhead (since it does an I/O check)
    if my gut is right ...
    IS there anyway to cache the trust keys store (I am using a stand alone java client running it on Junit)
    Thanks


  • Help with understanding SSL on Netweaver 7.1 and the relevant key stores.

    I am having a great difficulty in understanding how SAP manages and uses SSL certificates in Netweaver 7.1.  More specifically, what the difference is between System, Server, and Client.
    As I can see, there are three PSE key stores I see within STRUST. 
    1. SSL System PSE
    2. SSL Server PSE 
    3. SSL Client PSE
    The System PSE I believe is installed by default and enables the systems to communicate between each other, such as Application Servers and the Central Instance. 
    The Server PSE is where I store the certificate I generated and had signed by a CA (certificate authority).  It contains a root and intermediate certificate and both have been imported back into the Server PSE store.  When partners connect to me and I agree to accept server only authentication, it is this cert that identifies my server as a trusted server to the partner.  Do I need to add the partner's "root" or "intermediate" certs to my Server PSE in order to allow SSL login?
    The Client PSE is where I store partner's client certificates that I allow to login via "client" authentication.  Without their key installed in this store, they will not be allowed to login via SSL.
    When I wish to make connections to partners, I will take my Server key from the Server PSE, export the key, and send it to the partner so they can import it in their key store.
    Does the above sounds right?  Any clarification would be greatly appreciated.
    Thanks,
    Mike.
    P.S.  I also have questions about how and if certificates are synchronized from the ABAP stack (STRUST) to the JAVA stack (Netweaver Administrator), as keys can be stored in either direction.  If not, does where you store the certificate depend if it is an ABAP or JAVA type connection?

    hi michael,
    please be careful - actually, there is NO SSL System PSE.
    There is only a so called "System PSE", which is not at all related to SSL.
    The PSEs actually available for SSL as default are:
    - the SSL Server PSE (which is a rather complicated construction ... see below) [mandatory]
    - the SSL Client PSE (standard)
    - the SSL Client PSE (anonymous)
    Looking at connections using HTTPS/SSL, you always have two communication partners: an entity issuing a request, named the "client", and another entity, to which the request is sent in order to be responded to, named the "server".
    Since an SAP ABAP system can be either client or server in this setup, we have the chance to provide different security environments (= PSE) for these communication roles.
    When the SAP system initializes a HTTPS communication, it will make use of one of the SSL Client PSEs. These PSEs mainly serve the purpose of storing the CA certificates that are trusted. Only servers whose server certificate is signed by a CA where the CA root certificate is contained in the SSL Client PSE can be connected to. If the server's certificate is not trusted, the error message "verification of the server's certificate chain faile" will appear in the ICM trace (see note 1094342).
    The difference between SSL Client PSEs "standard" and "anonymous" is the actual certificate - the "anonymous" PSE always contains the distinguished name (DN) "CN=anonymous", which can not be used for client authentication. In contrast, the "standard" PSE's DN can be defined freely, so this PSE can be signed by a CA and furthermore used for client authentication.
    Now for the SSL Server PSE.
    As mentioned already, the SSL Server PSE can be a complicated thing ... actually, this PSE is only a container for more PSEs. There must be at least the "default" PSE (unfortunately also called "standard"), and there can be up to 1 PSE for each application server.
    In a standard setup, the default PSE is used only for those cases where no application server specific PSE applies. The application server specific PSEs are supposed to be the ones that are actually used by the ICM.
    What does "up to 1 per AS" mean? Well - as soon as two SSL Server PSEs use the same DN, these PSEs are no longer distinguished, and will be mapped to the same PSE data (key pair, certificate list). So, if you define the same DN for several application servers, only one PSE is created and used by both application servers.
    I hope this (lengthy) epistle answers more questions than it opens new ones...
    regards,
    sebastian
    Edited by: Sebastian Broll on Apr 8, 2010 8:07 AM (formatting)

  • How to store the value of request message and use it in Response mapping

    Hi All,
    We have an requirement where we need to store the data coming in Request Mapping and use the stored value in Response Mapping. Can anybody help us in how to proceed?
    Thanks
    Sujata

    Hi!
    In Mapping you may use the RFC Lookup function to store values in database table during request mapping and to read values from database table during response mapping.
    You can also use an ABAP or Java Mapping "in front of your" message mapping to store/read the values.
    You can also use an Adapter Module (if applicable for the adapter type you use) and/or a UDF to store the data e.g. in Dynamic Configuration Header of Request Message and to read these data from Dynamic Configuration Header of Response Message. But this works only for synchronous scenarios (and it means overhead in your message traffic).
    Hope these thoughts help you to find the most suitable way for your concrete scenario!
    Regards,
    Volker
    Note:
    These techniques help you to avoid using BPM.
    Edited by: Volker Kolberg on Aug 27, 2009 11:18 AM

  • How to store multiple values associated to one key

    hello all
    In my program I need to store "multiple values associated to one key".
    for example : key would be ="T"
                             Values are    = 2,4,5,1,2
    Please tell me which data structure I can use for this purpose.
    I have tried Hashtable for it, unfortunately it does not support duplicate keys in one Hashtable.
    Thanx.
    Rakesh

    The easiest thing to do, is store another data structure as your value for a
    particular key. So "T" being your your key, you would associate the value
    to be an int[] (if you know the number of sub values) or create a new Vector
    for each key, then you don't have to worry about the number of values at
    compile time. All the while still using the Hashtable for constant time
    look up. So like this:
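    public void storeMultValues(int[] arr)
    {
      // One Vector holds every value that belongs to the key "T".
      Vector v = new Vector();
      v.add(new Integer(1));
      v.add(new Integer(2));
      v.add(new Integer(3));
      // The Hashtable maps the key to the whole Vector, so lookup stays constant time.
      this.hashtable.put("T", v);
    }
    See if you can work with that.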
    -Cludge

  • How to store a RSA pair key in Java Key Store (jks) and VS

    Hi Everyone ,
    I have generated a RSA pair key . now I need to store my public key in a Java Key Store (.jks file) . and then I need to read this .jks file in another application and get this public key to use for verification .
    I'll appreciate it if anyone could help me with this matter with a sample code for import/export public key to/from a java key store file or any hints.
    Best Regards,
    Vivian

    I don't think this makes sense. How have you generated an RSA key pair and where is the result stored?

  • Use of PLSExtProc and key EXTPROC in Oracle 10g

    Hi Friends,
    My listener file has the following values:
    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (SID_NAME = PLSExtProc)
          (ORACLE_HOME = C:\oracleinfra)
          (PROGRAM = extproc)
        )
      )
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = TCP)(HOST = xyz.local)(PORT = 1521))
          )
          (ADDRESS_LIST =
            (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
          )
        )
      )
    My question is ?
    What is the use of the Instance PLSExtProc and key EXTPROC?
    Is it must to have the entry ,shall i remove the entry? what will be the implications if i remove the entries?Please suggest
    Regards,
    DB

    It's used for external procedure calls like from Java and C. It's not a must and from the security point of view, it's actually a loophole. For more information, please read,
    http://download.oracle.com/docs/cd/E11882_01/network.112/e10836/advcfg.htm#i443234
    http://download.oracle.com/docs/cd/E11882_01/appdev.112/e17125/adfns_externproc.htm#ADFNS010
    HTH
    Aman....
