Trusted certificate expired when starting cluster domain

I followed the instructions in the doc to create one cluster domain with 2 managed servers and one proxyServer, then I found the trusted certificate error. Is it that I must get the trusted certificate from BEA? I use the WebLogic Server 8.1 downloadable from the BEA site.

Hi,
Verify that the correct trusted CA certificate and keystore are being used.
http://e-docs.bea.com/wls/docs81/messages/Security.html#BEA-090088
Regards,
Prasanna Yalam

Similar Messages

  • Getting "No trusted certificate found" when attempting to connect to 10g DB

    Greetings,
    I have an Oracle 10g DB configured to listen via TCPS. I am able to tnsping and sql+ into the DB just fine. However, when attempting to connect via SQL Developer, I get the following error:
    *"Status: Failure -Io exception: sun.security.validator.ValidatorException: No trusted certificate found"*
    Here is my tnsnames.ora entry:
    EMCECCH01.CORPORATE.MY.COM =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCPS)(HOST = emcecch01.corporate.my.com)(PORT = 1575))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = rambdb)
        )
        (SECURITY = (MY_WALLET_DIRECTORY = C:\DBSafes\Cincinnati\dbSafe))
      )
    Obviously when I create my connection, I am using 'TNS'. I've also attempted to connect via the JDBC thin driver, but when testing the connection, it just sits and spins without ever returning a result. Here is the URL I'm using:
    jdbc:oracle:thin:@emcecch01.corporate.my.com:1575:rambdb
    I've verified that the appropriate JAR files are in place in the jlib directory.
    Any advice in this matter would be greatly appreciated.
    Regards

    Hi,
    If your connection entry is unusual you could try these simple things that may cause variation/different code paths:
    1/ORACLE_HOME being set /unset by for example a bat script before launching sqldeveloper [see in sqldeveloper help/about/properties/ oracle.home and jdbc.library to see what oracle is using]
    (you could be using sqldeveloper or other oracle install jdbc)
    2/Tools/preferences/database/Advanced Parameters/Use oci thick driver set/unset
    (you could be using 'pure' jdbc thin or 'mixture of c & java' ie. thick oci driver using another Oracle Home or instant client)
    3/use Connection type=advanced then you can enter a fancy description (these descriptions are simple but you could have load balancing for example):
    thin is pure java
    jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MACHINE_NAME_OR_IP)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dev11gr1)))
    oci8 is thick/c/oci-java
    jdbc:oracle:oci8:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MACHINE_NAME_OR_IP)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dev11gr1)))
    (or get SQLDev to look up tnsnames.ora, connection type = tns might work)
    Please post your findings and put in an enhancement request for particular connection feature support, documented with a test case.
    -Turloch

  • Trust Certificate expiration Notification from RTMT

    Hello,
    I am getting Certificate expiration Notification from RTMT (Trust Certificates)
    Below are the Notification:
    Certificate name:CAPF-4a2e3437 Unit:CallManager-trust Type:trust-cert Expiration:Mon Jul 5 01:02:20:000 IST 2010
    Certificate name:CAPF-4a2e3437 Unit:CAPF-trust Type:trust-cert Expiration:Mon Jul 5 01:02:20:000 IST 2010
    Let me know how to regenerate the Trust Certificate or do I need to contact Cisco for this.
    Attached the alert.
    Thanks,
    Shaijal Allipra

    Hello,
    Can anyone help me on this? Attached a few more details.
    Thanks,
    Shaijal Allipra

  • Error "Subscription Expired" when starting MUSE

    I recently installed MUSE CC as part of the ADOBE CREATIVE CLOUD. I have a current membership and am currently working with InDesign CC, Illustrator CC, Photoshop CC and even Dreamweaver CC on the same machine. I used the installer as with any other program but I get the attached error when starting MUSE CC. Again, it happens only with ADOBE MUSE; I am able to work with any other CC application. Moreover, I installed a trial version of MUSE CC on another computer following the suggestion of an ADOBE Support Rep, and I got the same error. I called again, and the support rep asked me to call on Monday!
    Does anybody know how to fix this bug? Many thanks in advance
    Best regards

    Hi,
    I already replied:
      - Mac OS X 10.9 but I also use a Dell Windows Laptop
      - No proxies or firewalls
      - I am able to use any other CC app such as Dreamweaver CC, Photoshop CC, Indesign CC, etc.
    This is the error log:
    Build 329: Mon Dec 2 04:58:48 2013 UTC: Error: CSI: OOBE: Serial Number: Error Code: O-10 Error Message: Unable to retrieve the serial number (Note: this may not be an error)
    Build 329: Mon Dec 2 04:58:48 2013 UTC: Error: CSI: OOBE: Serial Number: Error Code: O-10 Error Message: Unable to retrieve the serial number (Note: this may not be an error)
    Build 329: Mon Dec 2 05:00:36 2013 UTC: Error: CSI: OOBE: Serial Number: Error Code: O-10 Error Message: Unable to retrieve the serial number (Note: this may not be an error)
    Build 329: Mon Dec 2 05:00:36 2013 UTC: Error: CSI: OOBE: Serial Number: Error Code: O-10 Error Message: Unable to retrieve the serial number (Note: this may not be an error)
    Build 329: Mon Dec 2 05:00:38 2013 UTC: Error: CSI: OOBE: Serial Number: Error Code: O-10 Error Message: Unable to retrieve the serial number (Note: this may not be an error)
    Build 329: Mon Dec 2 05:00:38 2013 UTC: Error: CSI: OOBE: Serial Number: Error Code: O-10 Error Message: Unable to retrieve the serial number (Note: this may not be an error)
    Thanks

  • Error "Certificate expired" when trying to install...

    I keep getting error "Certificate expired" while trying to install Skype on my phone.
    The phone is Nokia E52 running Symbian S60 3.2.
    The software I try to install is Skype for Symbian 1.50(12) that I download from Nokia Store (size 3,91 MB).
    Certificate details:
    Issuer: Symbian CA I
    Subject: Skype Technology SARL
    Valid from: 02/12/2010
    Valid until: 02/12/2020
    Is there anything I should do about my phone settings to install Skype?

    Presumably exactly the same version directly from Skype? skype.com/go/getskype-symbian-s60-3 filename: Skype_S60_3_0_v_1_5_0_12.sisx
    Happy to have helped forum in a small way with a Support Ratio = 37.0

  • When starting webcenter domain, how not to enter userid and password?

    Dear All,
    I followed this link http://yonaweb.be/start_webcenter_domain in installing my webcenter domain and I was successful in setting my own webcenter and busy exploring the webcenter spaces.
    My only concern is that when I am starting my webcenter domain it always ask for user id and password for the weblogic.
    I created a small batchfile for this.
    call C:\Oracle\Middleware\user_projects\domains\webcenter_domain\bin\startManagedWebLogic.cmd WC_Spaces http://localhost:7001
    but how can I get away from typing the user id and password?
    Thanks

    Otherwise, you can specify the userid and password in the boot properties file of your domain.
    \user_projects\domains\dryrun_domain\servers\AdminServer\security\boot.properties.
    # Generated by Configuration Wizard on Wed
    username={AES}dbjKVafUpVLPvTG04tGl12RJRCaYmU5dmv2Yw=
    password={AES}5WHBgndS2Fq2uoiIKKWI+rM2uwTPAYQ0I=
    Replace the username and password with your credentials. There's a nice tutorial with screenshots describing how to do this here:
    http://st-curriculum.oracle.com/obe/fmw/wls/10g/r3/installconfig/enable_auto_login/boot_identity_file.htm#t4

  • Expired encryption and Trust certificates

    Suppose:
    a Mac OS X 10.8 server shut down for summer,
    Linked to Active Directory Win Serv 2008 R2 x64,
    Managing Macs and iDevices,
    with an encryption certificate expired early June 2013
    and a Trust certificate expired late August 2013.
    1- Do I read correctly that all Macs and iDevice (and Net Boot/Restore/install images) need to be reimaged with the New certificates?
    2- Do I understand also that all Update Server's Apple Updates need to be redownloaded? (just read that tonight).
    3- What other thing to do in that case and in which order?
    4- If nothing very important was done on that OS X server besides being linked to Active Directory and a few test Wikis, is it easier to reinstall from scratch?

    I'd want a correct, current and valid certificate chain (and would likely set up a private CA, as is my wont), as bad certs can block some sorts of secure network access until either corrected or overridden, and as training the end-users to always "yeah, whatever" with certificate security can potentially lead to... well, other issues.
    The software update server will certainly download new and updated changes, but shouldn't need to re-download everything.  Disk images will need to be updated.
    I'd verify proper local DNS services and correct certs as part of the initial validation of the configuration, yes.
    That's entirely your call.  Won't really help with the disk images, and will require a re-download of updates.

  • SSL certificate expiration CCMS Monitoring

    Hi All,
    We are using ECC 6.0 server, HP-Unix and Oracle 10.2.0.5 database.
    CCMS monitoring is setup in our environment for alerts Monitoring. We use SSL certificates for SSO logins.
    As we know, SSL certificates expire in approx. one year, and when 2-3 days are left before certificate expiration the system starts showing a message to all users about this certificate expiration.
    Now we are planning to include SSL certificate expiration in CCMS monitoring so that we get a message 10-15 days before the certificate expires and can implement the certificate without any user intervention.
    We searched a lot but I did not find any option available in RZ20 and RZ21 to include this alert in CCMS.
    Please let me know whether we have any way to get a message about the certificate before users get this message.
    Shivam

    Hi Murali,
    Thanks for the reply.
    I checked links and they are meeting my requirement but one thing I could not find is SSL information in RZ20.
    I checked RZ20 tcode and I do not find where SSL information is available to assign auto reaction method to it to start getting Alert.
    Can you please help me where I can find SSL certification path in RZ20.
    Shivam

  • Trusted Certificates???

    I was looking through the settings on my phone and noticed in the Location & Security settings, there is a setting called Manage Trusted Certificates. When I tap on it, a huge list of them comes up that I've never heard of like AC Raiz Certicamara S.A, America Online Root Certification Authority 1 and 2, Autoridad de Certificacion Firmaprofesional CIF A6263..., Baltimore Cybertrust Root, etc, etc, etc. Does anyone know what this is?! Are these supposed to be on my phone?! I did a factory wipe before installing Gingerbread, so this has to be either app installed, or part of Gingerbread...

    bearone21 wrote:
    interesting info wildman.
    the sites i go to with 340/gb have the certificate issue.
    i don't worry too much as they're the same sites i go to on the pc/laptop.
    Keep in mind that Google Market didn't pass certification for a while because of an out of date certificate... This really doesn't mean it's not safe, it just means the server hasn't been able to verify it recently and is awaiting a verification update..

  • Weblogic Start script fails while Loading trusted certificates from jks

    Hi,
    I have a Weblogic Portal 10.3.2 installation on a Solaris Unix box. There is one Admin server and two Managed servers. I am trying to deploy an EJB based application on one of the Managed servers. Note that this application has been working fine in the Weblogic 9.2 environment.
    When the Managed Server is started, I get the below messages in the Weblogic console log. We have an internal SSO authentication system, which is integrated with this application. When this integration is removed, we are able to login to the application without any issues. When it is turned on, the redirection from SSO to the application fails - most likely because of the below SSL related errors.
    I have accessed the below link and accordingly set the property -Dweblogic.ssl.JSSEEnabled=true. But it didn't help.
    http://justasg.blogspot.com/2012/04/tlsssl-certificate-errors-and-warnings.html
    Please let me know if you have any suggestions.
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /data/applications/norkom/BEA103/wlserver_10.3/server/lib/DemoTrust.jks.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/jdk1.6.0_32/jre/lib/security/cacerts.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure[1]". The address 127.0.0.1 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>
    <Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure". The address 10.228.12.24 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.228.12.24:7020 for protocols iiop, t3, ldap, snmp, http.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7020 for protocols iiop, t3, ldap, snmp, http.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <WebLogicServer> <BEA-000332> <Started WebLogic Managed Server "NCA_Server" for domain "norkom" running in Development Mode>
    <Jun 4, 2012 4:52:01 PM MEST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
    <Jun 4, 2012 4:52:01 PM MEST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
    <WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
    <WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
    <WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
    <WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
    <WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
    <WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
    Note: We have another Solaris Unix box, with the same installation of Weblogic with the same SSO redirection, but another EJB application is deployed. Also, there is no Managed Server and the application is deployed on the Admin server itself. But when the server is started, I don't see any attempts to load any certificates and also there are no issues.
    So either please suggest how this certificate loading can be rectified or suggest a way to disable the certificate loading (if at all it's an option).
    Please let me know if you need any further details.

    Firstly,
    938767 wrote:
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/jdk1.6.0_32/jre/lib/security/cacerts.>
    <Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    I don't think that this will be your problem... Unless you are actually using some of those certificates you can ignore those messages.
    But the following looks suspicious, I guess 7022 is your SSL port...
    <Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure[1]". The address 127.0.0.1 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>
    <Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure". The address 10.228.12.24 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>
    Hope that helps.
    Cheers,
    Vlad
    Give points - it is good etiquette to reward an answerer points (5 - helpful; 10 - correct) for their post if they answer your question. If you think this answer is helpful, please consider giving points.

  • Trusted CA Certificate Ignored When Connecting To Node Manager

    I have a question about Node Manager.
    I have the following configuration:
    OS: Linux (CentOS 5.4) 32bit
    Oracle WebLogic Server 11gR1 (10.3.2)
    Portal, Forms, Reports and Discoverer (11.1.1.2.0) - only Forms and Reports are installed and configured
    All configured components start successfully, but I receive the following security related messages when I connect to Node Manager.
    java -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust weblogic.WLST
    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    wls:/offline> nmConnect('weblogic', <weblogic password>, 'icweb001', '5556', <domain name>)
    Connecting to Node Manager ...
    <Nov 25, 2009 3:35:35 PM EST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    <Nov 25, 2009 3:35:35 PM EST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    Successfully Connected to Node Manager.
    wls:/nm/DynaMed>
    I understand that the two BEA-090898 messages associated with the specified certificates are informational, but is there anything I can do to either,
    1) correct the certificate so the messages are not generated, or
    2) change my setup so that the messages are not displayed?
    Thanks in advance for your help.

    The certificates at issue belong to the $JAVA_HOME keystore in weblogic
    $JAVA_HOME/jre/lib/security/cacerts
    ttelesecglobalrootclass3ca, Feb 10, 2009, trustedCertEntry,
    ttelesecglobalrootclass2ca, Feb 10, 2009, trustedCertEntry,
    I was able to stop the warning messages from appearing when connecting to node manager, by removing these two certificates from the $JAVA_HOME/jre/lib/security/cacerts keystore.
    cd $JAVA_HOME/jre/lib/security
    cp -p cacerts cacerts.original
    chmod 644 cacerts
    keytool -delete -alias ttelesecglobalrootclass2ca -keystore cacerts
    keytool -delete -alias ttelesecglobalrootclass3ca -keystore cacerts
    chmod 444 cacerts cacerts.original
    Once the certs are removed from the keystore, the warning messages no longer appear when connecting to node manager.
    Some additional information on these two certificates can be found at:
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6803022
    Edited by: wblum on Feb 18, 2010 1:10 PM
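Added example, not code from either thread: a stdlib-Python triage of WebLogic console output of the kind quoted in the Managed Server start log and the Node Manager session above. It separates the BEA-090898 notices (OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption, which that server's certificate parser did not recognise) from the BEA-002606 bind error that actually takes the SSL listener down; the sample lines are constructed from those posts and the summary wording is mine.

```python
"""Triage a WebLogic console log: tell the noisy BEA-090898 trust-store
notices apart from errors that actually stop a listener.  Stdlib only."""
import re
from collections import Counter

# Constructed sample in the shape of the console output quoted in the
# threads above (DNs and addresses copied from those posts, timestamps
# unified).  Real logs are read from a file instead.
SAMPLE_LOG = """
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/jdk1.6.0_32/jre/lib/security/cacerts.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure". The address 10.228.12.24 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.228.12.24:7020 for protocols iiop, t3, ldap, snmp, http.>
<Jun 4, 2012 4:52:01 PM MEST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
"""

# Signature-algorithm OIDs an old certificate parser may reject
# (names per RFC 4055 / RFC 5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

# <timestamp> <severity> <subsystem> <BEA-nnnnnn> <message>
LINE_RE = re.compile(
    r"^<(?P<ts>[^>]+)> <(?P<sev>\w+)> <(?P<sub>\w+)> <(?P<code>BEA-\d+)> <(?P<msg>.*)>$")
IGNORED_RE = re.compile(
    r'Ignoring the trusted CA certificate "(?P<dn>[^"]+)".*'
    r"Unsupported OID in the AlgorithmIdentifier object: (?P<oid>[0-9.]+)\.$")
BIND_RE = re.compile(
    r'channel "(?P<chan>[^"]+)"\. The address (?P<addr>\S+) might be incorrect '
    r"or another process is using port (?P<port>\d+)")
KEYSTORE_RE = re.compile(r"keystore file (?P<path>\S+)\.$")
LISTEN_RE = re.compile(
    r'Channel "(?P<chan>[^"]+)" is now listening on (?P<addr>\S+):(?P<port>\d+)')


def parse_line(line):
    """Split one console line into its fields; None for lines without a BEA code."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Bucket the messages that matter for an SSL/trust-store start-up problem."""
    result = {"keystores": [], "ignored_certs": [], "bind_errors": [],
              "listening": [], "other_errors": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        code, msg = rec["code"], rec["msg"]
        if code == "BEA-090169":                       # trust store being loaded
            m = KEYSTORE_RE.search(msg)
            if m:
                result["keystores"].append(m["path"])
        elif code == "BEA-090898":                     # a root the parser skipped
            m = IGNORED_RE.search(msg)
            if m:
                oid = m["oid"]
                result["ignored_certs"].append(
                    (m["dn"], oid, SIG_ALG_OIDS.get(oid, "unknown OID")))
        elif code == "BEA-002606":                     # listener could not bind
            m = BIND_RE.search(msg)
            if m:
                result["bind_errors"].append((m["chan"], m["addr"], int(m["port"])))
        elif code == "BEA-002613":                     # listener came up
            m = LISTEN_RE.search(msg)
            if m:
                result["listening"].append((m["chan"], m["addr"], int(m["port"])))
        elif rec["sev"] == "Error":
            result["other_errors"].append((code, msg))
    return result


def blocking_problem(result):
    """True when something in the log stops a listener, not just a skipped root."""
    return bool(result["bind_errors"] or result["other_errors"])


def summarize(result):
    """Human-readable triage lines: INFO first, then ERROR, then OK."""
    lines = []
    if result["ignored_certs"]:
        algs = Counter(alg for _dn, _oid, alg in result["ignored_certs"])
        lines.append(
            "INFO  %d trusted CA cert(s) skipped while loading %s (signature algorithms: %s); "
            "harmless unless a peer must chain to one of them"
            % (len(result["ignored_certs"]),
               ", ".join(result["keystores"]) or "the trust store",
               ", ".join("%s x%d" % kv for kv in sorted(algs.items()))))
    for chan, addr, port in result["bind_errors"]:
        lines.append("ERROR channel %s could not bind %s:%d (address already in use); "
                     "that listener is down until the port conflict is fixed"
                     % (chan, addr, port))
    for code, msg in result["other_errors"]:
        lines.append("ERROR %s: %s" % (code, msg))
    for chan, addr, port in result["listening"]:
        lines.append("OK    channel %s listening on %s:%d" % (chan, addr, port))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run over a real start log it shows whether the certificate notices are the only finding or whether, as in the thread above, a port conflict is the real failure. Keep in mind that cacerts under $JAVA_HOME is shared by every Java program on that JDK, so back it up (as wblum did) before editing it.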

  • Computer certificates expiring within 6 weeks disappearing from machines when computer certificates from two certificate authorities are present

    2008 R2 single tier enterprise certificate authority with root certificate expiring within 6 weeks, also domain controller
    2012 R2 single tier enterprise certificate authority with root certificate valid for more than the next year, also domain controller
    Both servers are approved as certificate authorities for the domain and can issue computer certificates using the computer certificate template. There is a group policy object applied to all workstations that contains an automatic computer certificate request,
    but the actual "certificate services client auto-enrollment" element is "not configured". This process seems to work like a round robin in that computers with no certificate can wind up with a certificate from either certificate
    authority. I need all PCs to have both certs for a DirectAccess migration. I have successfully used SCCM to ensure all PCs have both certificates using compliance rules and a script using certreq.exe.
    A machine will keep both certs until the older computer certificate moves into the 6 week window of expiration, then it gets purged. I have observed this behavior for over a month, even when the CA root certificate wasn't so close to expiring. I
    can't figure out what setting is triggering the purge, but need to stop it. Maybe it's coming from default settings in local machine policy for an element that should be disabled in the group policy object supplying the automatic certificate request?
    The worst part of this issue is that I can't recreate the purging behavior with gpupdates or restarts on my test machines.

    You should not be using Automatic Certificate Request Service (ACRS) for this - it was designed for Windows 2000 and is generally deprecated. Secondly, the reason it is acting like a round-robin as you describe it, is that templates are generally configured to attempt to renew within 6 weeks of their expiration. Since the 2008 R2 CA is expiring within 6 weeks, it can't issue anything longer than its own remaining lifetime. It is a well known issue that issuing a certificate within the renewal period will cause problems.
    What you should do is use AutoEnrollment and issue a certificate with a very small renewal period (1 week perhaps) by creating a custom V2 template and issuing that from your 2008 R2 CA. Then on the 2012 R2 CA you will need ANOTHER template, as the computer will only enroll for a certificate from each template. This one can be configured with a normal lifetime and renewal period.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • Glassfish Sun Cluster domain instance unable to start

    Hi guys, please assist.
    I am trying to bring up all the node agents on the cluster but I first need to start the production_domain using this command: ./asadmin start-domain prod_domain, but it fails to start. I am running a JES Portal and it is currently offline. Please help.
    Thanks.
    Twala.
    [#|2009-10-27T06:42:37.491+0200|SEVERE|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;java.lang.RuntimeException: org.omg.CORBA.OBJ_ADAPTER:   vmcid: SUN  minor code: 202  completed: No;_RequestID=cc16b98c-b7e6-421d-8e79-f46e0b8368ce;|CORE5081: Exception while creating ORB: [java.lang.RuntimeException: org.omg.CORBA.OBJ_ADAPTER:   vmcid: SUN  minor code: 202  completed: No]|#]
    [#|2009-10-27T06:42:37.492+0200|SEVERE|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;java.lang.RuntimeException: Unable to create ORB;_RequestID=cc16b98c-b7e6-421d-8e79-f46e0b8368ce;|CORE5082: Exception running j2ee services: [java.lang.RuntimeException: Unable to create ORB]|#]
    [#|2009-10-27T06:42:37.496+0200|SEVERE|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;_RequestID=cc16b98c-b7e6-421d-8e79-f46e0b8368ce;|com.sun.enterprise.server.ondemand.ServiceGroupException: java.lang.RuntimeException: Unable to create ORB
    com.sun.enterprise.server.ondemand.ServiceGroupException: com.sun.enterprise.server.ondemand.ServiceGroupException: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.ServiceGroup.startChildren(ServiceGroup.java:198)
         at com.sun.enterprise.server.ondemand.MainServiceGroup.start(MainServiceGroup.java:58)
         at com.sun.enterprise.server.ondemand.ServerEntryListenerImpl.notifyEntry(ServerEntryListenerImpl.java:85)
         at com.sun.enterprise.server.ondemand.entry.ServerEntryHelper.sendEvent(ServerEntryHelper.java:75)
         at com.sun.enterprise.server.ondemand.entry.ServerEntryHelper.generateStartUpEntryContext(ServerEntryHelper.java:64)
         at com.sun.enterprise.server.ondemand.OnDemandServer.generateEntryContext(OnDemandServer.java:154)
         at com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:133)
         at com.sun.enterprise.server.PEMain.run(PEMain.java:409)
         at com.sun.enterprise.server.PEMain.main(PEMain.java:336)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.sun.enterprise.server.PELaunch.main(PELaunch.java:415)
    Caused by: com.sun.enterprise.server.ondemand.ServiceGroupException: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.EjbServiceGroup._start(EjbServiceGroup.java:160)
         at com.sun.enterprise.server.ondemand.EjbServiceGroup.start(EjbServiceGroup.java:143)
         at com.sun.enterprise.server.ondemand.ServiceGroup$1.run(ServiceGroup.java:193)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.enterprise.server.ondemand.ServiceGroup.startChildren(ServiceGroup.java:190)
         ... 13 more
    Caused by: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.EjbServiceGroup.startORB(EjbServiceGroup.java:501)
         at com.sun.enterprise.server.ondemand.EjbServiceGroup._start(EjbServiceGroup.java:156)
         ... 17 more
    Caused by: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.EjbServiceGroup.startORB(EjbServiceGroup.java:452)
         ... 18 more
    |#]
    [#|2009-10-27T06:42:37.500+0200|SEVERE|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;_RequestID=cc16b98c-b7e6-421d-8e79-f46e0b8368ce;|CORE5071: An error occured during initialization
    java.lang.RuntimeException: com.sun.enterprise.server.ondemand.ServiceGroupException: com.sun.enterprise.server.ondemand.ServiceGroupException: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.ServerEntryListenerImpl.notifyEntry(ServerEntryListenerImpl.java:88)
         at com.sun.enterprise.server.ondemand.entry.ServerEntryHelper.sendEvent(ServerEntryHelper.java:75)
         at com.sun.enterprise.server.ondemand.entry.ServerEntryHelper.generateStartUpEntryContext(ServerEntryHelper.java:64)
         at com.sun.enterprise.server.ondemand.OnDemandServer.generateEntryContext(OnDemandServer.java:154)
         at com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:133)
         at com.sun.enterprise.server.PEMain.run(PEMain.java:409)
         at com.sun.enterprise.server.PEMain.main(PEMain.java:336)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at com.sun.enterprise.server.PELaunch.main(PELaunch.java:415)
    Caused by: com.sun.enterprise.server.ondemand.ServiceGroupException: com.sun.enterprise.server.ondemand.ServiceGroupException: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.ServiceGroup.startChildren(ServiceGroup.java:198)
         at com.sun.enterprise.server.ondemand.MainServiceGroup.start(MainServiceGroup.java:58)
         at com.sun.enterprise.server.ondemand.ServerEntryListenerImpl.notifyEntry(ServerEntryListenerImpl.java:85)
         ... 11 more
    Caused by: com.sun.enterprise.server.ondemand.ServiceGroupException: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.EjbServiceGroup._start(EjbServiceGroup.java:160)
         at com.sun.enterprise.server.ondemand.EjbServiceGroup.start(EjbServiceGroup.java:143)
         at com.sun.enterprise.server.ondemand.ServiceGroup$1.run(ServiceGroup.java:193)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.enterprise.server.ondemand.ServiceGroup.startChildren(ServiceGroup.java:190)
         ... 13 more
    Caused by: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.EjbServiceGroup.startORB(EjbServiceGroup.java:501)
         at com.sun.enterprise.server.ondemand.EjbServiceGroup._start(EjbServiceGroup.java:156)
         ... 17 more
    Caused by: java.lang.RuntimeException: Unable to create ORB
         at com.sun.enterprise.server.ondemand.EjbServiceGroup.startORB(EjbServiceGroup.java:452)
         ... 18 more
    |#]
    [#|2009-10-27T06:42:37.504+0200|SEVERE|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;_RequestID=cc16b98c-b7e6-421d-8e79-f46e0b8368ce;|Server Startup failed. Exiting...|#]

    only the following processes get started with start-msg
    mailsrv 1643 1 0 11:43:34 ? 0:00 /opt/SUNWmsgsr/lib/enpd
    mailsrv 1649 1 0 11:43:34 ? 0:01 /opt/SUNWmsgsr/lib/tcp_smtp_server
    mailsrv 1650 1 0 11:43:34 ? 0:00 /opt/SUNWmsgsr/lib/tcp_smtp_server
    mailsrv 1644 1 0 11:43:34 ? 0:00 /opt/SUNWmsgsr/lib/imsched
    root 1642 1 0 11:43:34 ? 0:00 /opt/SUNWmsgsr/lib/watcher INADDR_ANY 49994 /opt/SUNWmsgsr/config/job_controlle
    mailsrv 28934 1 0 11:26:53 ? 0:05 /opt/SUNWmsgsr/lib/tcp_smtp_server
    mailsrv 1646 1 0 11:43:34 ? 0:00 /opt/SUNWmsgsr/lib/dispatcher
    mailsrv 1652 1 0 11:43:34 ? 0:00 /opt/SUNWmsgsr/lib/job_controller
    When we start the stored daemon separately, it gets started...
    # /opt/SUNWmsgsr/sbin/start-msg stored
    Connecting to watcher ...
    Starting store server .... 2308
    checking store server status ... ready
    imap, pop , http services are disabled...

  • RMI over SSL under Web Start can't find trusted certificate

    I have implemented RMI over SSL to get a Java EJB Client application talking to a JRun server over SSL. It works fine from the command line, but when I try to run it as a Web Start application, I get
    java.security.cert.CertificateException: Couldn't find trusted certificate
    (More complete stack trace below)
    I am using a test certificate, not one from a bona fide CA.
    I have tried putting the key store file in one of the jars used by the application, and adding:
    <argument>-Djavax.net.ssl.trustStore=jssecacerts</argument>
    and
    <argument>-Djavax.net.ssl.trustStore=jar:http://ip/app/xxx/lib/JarWithCacs.jar!/jssecacerts</argument>
    to no avail.
    If I copy the jssecacerts to Web Start's jre/lib/security directory, it works fine.
    I have seen other postings that say to use keytool to update the JRE used by Web Start, but that kind of defeats the purpose of Web Start: zero admin client. I can't touch each user's machine.
    I have seen other posts saying to implement a more relaxed trust manager, but that doesn't seem right either.
    I am using JDK 1.4.1_02b6 on Win2k. This should be irrelevant: JRun 4 sp1a.
    Is there a way to specify the jssecacerts file in the jnlp file so Web Start will recognize it?
    Thanks for any help,
    John

    I think I have an answer:
    1) Package the truststore file in the client JAR file
    2) Add code to the client to copy the truststore from the JAR file to the client hard drive
    3) Add code to the client to set the truststore properties to refer to the file on the client hard drive
    import java.io.BufferedInputStream;
    import java.io.BufferedOutputStream;
    import java.io.File;
    import java.io.FileOutputStream;
    import java.net.URL;

    private void setupTrustStore() {
        try {
            // copy the truststore packaged in the client JAR to the user's home directory
            File homeDir = new File(System.getProperty("user.home"));
            File trustStoreFile = new File(homeDir, "mytruststore");
            URL url = this.getClass().getClassLoader().getResource("mytruststore");
            BufferedInputStream in = new BufferedInputStream(url.openStream());
            BufferedOutputStream out = new BufferedOutputStream(new FileOutputStream(trustStoreFile));
            while (true) {
                int data = in.read();
                if (data < 0) break;
                out.write(data);
            }
            in.close();
            out.flush();
            out.close();
            // point JSSE at the local copy; must run before the first SSL connection is opened
            System.setProperty("javax.net.ssl.trustStore", trustStoreFile.getPath());
            System.setProperty("javax.net.ssl.trustStorePassword", "mypasswd");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
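    Since a "Couldn't find trusted certificate" failure can just as well come from a truststore whose anchors are expired as from one JSSE cannot locate, here is an added check, not from the original post, that loads the packaged truststore from the classpath and reports any trust anchor that is expired or not yet valid before the javax.net.ssl properties are set. The class name is hypothetical; the resource name and password are assumed to match those in the post above.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Hypothetical helper (not from the original post): loads the truststore packaged
// in the client JAR and reports trust anchors whose validity window excludes "now".
public class TrustStoreCheck {

    // Returns the number of trusted certificates that are expired or not yet valid.
    public static int countInvalidCerts(String resourceName, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = TrustStoreCheck.class.getClassLoader().getResourceAsStream(resourceName);
        if (in == null) {
            throw new IllegalStateException("truststore not on classpath: " + resourceName);
        }
        try {
            ks.load(in, password); // a wrong password or corrupt file fails here, not at SSL time
        } finally {
            in.close();
        }
        int invalid = 0;
        for (Enumeration aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = (String) aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // only trust anchors matter here; skip private-key entries
            }
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            try {
                x509.checkValidity(); // throws if now is outside notBefore..notAfter
            } catch (CertificateExpiredException e) {
                System.err.println("EXPIRED '" + alias + "': " + x509.getSubjectDN()
                        + " notAfter=" + x509.getNotAfter());
                invalid++;
            } catch (CertificateNotYetValidException e) {
                System.err.println("NOT YET VALID '" + alias + "': " + x509.getSubjectDN());
                invalid++;
            }
        }
        return invalid;
    }
}
```

    Run countInvalidCerts("mytruststore", "mypasswd".toCharArray()) at client startup and treat a non-zero result as a renewal task rather than a reason to relax the trust manager.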

  • ISE - What happens when the on-boarded certificate expires?

    I'm trying to design a good BYOD deployment model but have a few questions that need direct answers.  I have down how to go about on-boarding and getting a certificate on a device, the ISE provides great flow for this to happen in many ways.  My questions come from a design perspective before and after the BYOD deployment is completed.
    1. Figuring out a method to validate the device is a Corporate asset or a BYOD asset.
         (I don't want to install a certificate on just any device, or perhaps I do but I need to give permissions to all resources if it's a Corporate Device, and more restrictions if it's BYOD, so how do I figure this out during the provisioning phase?)
         a. Use MDM (May not have one, or if you do we are still waiting on ISE 1.2 for that integration)
         b. Build a Group for provisioning admins, if user PEAP-MSCHAPv2 account is from this group install a certificate. (issue here is that the end user loses administration of the device in the my device portal as the device is now registered to the provisioning admin)
         c. Pre-populate MAC into ISE as all Corporate devices should be provisioned by I.T. before they go to the end user (I think this is good but can see push back from customers as they don't want to add more time to the process)
         d. Certs on any IOS or Android device, provide access based on user group and do not worry if device is Company asset or not (I believe that this is the easiest solution and seems to be what I find in the guides)
         e. Other options I have not thought about, would love input from the crowd
    2. What happens to the device once the Certificate expires?
         (I don't know the answer to this, my thought would be the user or device will fail during the authentication policy and this creates a mess)
         a. Tell the user to delete the profile so they can start all over again (creates help desk calls and frustrated users)
         b. Use MDM for Cert management (may not have one)
         c. Perhaps the client uses SCEP to renew based on the cert template renew policy and there are no issues (this is me wishing)
    Would appreciate some feedback and would like to know if anyone has run into these issues.

    Neno,
    Sorry but I don't have any other info on using a public CA, Cisco says to use internal CAs for PKI.  I think the best practice once 1.2 comes out will be to use one interface for Web Management and a different interface for Radius, profiling, posture, and onboarding.  This way you can use your private CA for EAP and a public CA for web traffic.  Have you tried a public CA bound to management and a private CA for EAP yet?
    I did do a session on EAP-TEAP, they explained how it will work and also discussed EAP-FASTv2.  EAP-FASTv2 is available now but you must use AnyConnect as your supplicant.  Microsoft and all other vendors will have EAP-TEAP native once it is fully released and commissioned as it will be the new gold standard for EAP.  It will support TLS, MD5, and CHAPv2.  If you are interested I have the PDF of the presentation I attended that shows the flow of how EAP-TEAP will work.  This is much better than wasMachineAuthenticated and machine auth caching, which has many downfalls.
    I currently do machine and user auth, I just don't require them.  If machine auth then allow machine on vlan-x with access to AD, DNS, and blah blah.  Then a separate rule to say user auth gets more access, although I require EAP-TLS for both and if you think about it you are accomplishing the same thing if your PKI is set up correctly.  Make it so users and machines can only auto enroll, that way you know the only way they got their cert was from GPO policy.  I won't go into any more detail, but there is lots you can do.
