Unable to check certificate with root CA
Dear All, I have an applet that needs to talk to a FoxPro table on the local system. I created the jar file, signed and verified it, and trying to run it in the browser (IE5.5, Win2K, JDK 1.3.1) gives me the "Unable to check certificate with root CA" message. What does it mean? Can you help me out?
Thanks
Solution found! export and install the cert. Sorry guys!
Similar Messages
-
Unable to check certificate validity online. check...
please help me on this... I'm not able to load anything
my phone is n73-1
Personal details removed by a moderator. We kindly ask you not to share your personal contact details publicly on this forum.
Nokia Symbian/S60 wrote:
Unable to check certificate validity online.
As this could tamper with your security, before you change those settings (or at least after you changed them), please, have a look at a detailed explanation … -
I'm getting these errors in the eventlog and ULS, "An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERTIFICATE THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate."
The errors point to the SharePoint Security Token Service as the issue ("The revocation function was unable to check revocation for the certificate") reported back by the Topology service. This is apparent when executing a search, accessing the managed metadata service, issuing SPSite commands in PowerShell, or anything that needs to run through the "SharePoint Web Services" site. I've looked at the certificate assigned to that site and everything appears to be in order.
It would seem to me to be either an incorrect endpoint configuration (internally cached perhaps?) or related to security access for the configuration database (in order to validate the certificate root).
What I’ve tried so far:
I’ve been all over the certificate settings, both in the server store, and within SharePoint Token Service config. Both appear to be configured correctly such that the root CAs can be validated.
Re-entered the passwords for the application pool domain accounts to eliminate these as a potential cause. I’ve also verified the service accounts reporting the error, do have access to the configuration database.
Re-provisioned the STS service to see if that might clear out any cached issues and validated everything else according to this MS Tech note.
So far nothing has worked. Is there anything else I could be looking at that I've missed? (Full eventlog detail below)
Log Name: Application
Source: Microsoft-SharePoint Products-SharePoint Foundation
Date: 2/20/2015 11:19:41 AM
Event ID: 8311
Task Category: Topology
Level: Error
Keywords:
User: <SP SERVICE ACCOUNT>
Computer: <SHAREPOINTSERVER>
Description:
An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US\nIssuer Name: CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US\nThumbprint: <STS CERT THUMBPRINT>\n\nErrors:\n\n RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
<EventID>8311</EventID>
<Version>14</Version>
<Level>2</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-02-20T17:19:41.213852500Z" />
<EventRecordID>1611121</EventRecordID>
<Correlation />
<Execution ProcessID="10212" ThreadID="10328" />
<Channel>Application</Channel>
<Computer><SHAREPOINTSERVER></Computer>
<Security UserID="<SP SERVICE ACCOUNT>" />
</System>
<EventData>
<Data Name="string0">CN=SharePoint Security Token Service, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string1">CN=SharePoint Root Authority, OU=SharePoint, O=Microsoft, C=US</Data>
<Data Name="string2"><STS CERT THUMBPRINT></Data>
<Data Name="string3">RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
</Data>
</EventData>
</Event>
Hi Darren,
This problem seems to occur when an administrator deletes the local trust relationship of the farm from the Security section of the Central Administration website.
In order to resolve this problem, the local trust relationship has to be created. This can be done by running the following PowerShell commands:
$rootCert = (Get-SPCertificateAuthority).RootCertificate
New-SPTrustedRootAuthority -Name "localNew" -Certificate $rootCert
After running the above commands, perform an IISReset on all servers in the farm.
More information:
http://support.microsoft.com/kb/2545744
Best Regards,
Wendy
Forum Support
Wendy Li
TechNet Community Support -
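A read-only check that can be run before the commands in the reply above, as an added example that is not part of the original reply: it assumes the SharePoint Management Shell on a farm server and reports whether any trusted root authority already carries the farm's own root certificate, and whether the STS signing certificate was issued by that root.

```powershell
# Added example, not from the original thread. Read-only: it changes nothing in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Root certificate of the farm's built-in certificate authority
# ("SharePoint Root Authority" in the event text above).
$rootCert = (Get-SPCertificateAuthority).RootCertificate

# Trusted root authorities whose certificate is the farm root, matched by thumbprint
# rather than by name, since the entry may have been created under any name.
$localTrust = @(Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Thumbprint -eq $rootCert.Thumbprint })

if ($localTrust.Count -gt 0) {
    Write-Output "Local trust relationship present:"
    $localTrust | Select-Object Name,
        @{ Name = 'Thumbprint'; Expression = { $_.Certificate.Thumbprint } },
        @{ Name = 'NotAfter';   Expression = { $_.Certificate.NotAfter } }
} else {
    Write-Warning "No trusted root authority matches the farm root ($($rootCert.Thumbprint))."
    Write-Output  "This is the state the reply describes; New-SPTrustedRootAuthority recreates the entry."
}

# The STS signing certificate should name the farm root as its issuer.
$stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
[pscustomobject]@{
    StsSubject         = $stsCert.Subject
    StsIssuer          = $stsCert.Issuer
    IssuedByFarmRoot   = ($stsCert.Issuer -eq $rootCert.Subject)
    StsThumbprint      = $stsCert.Thumbprint
    StsNotAfter        = $stsCert.NotAfter
}
```

If the first check already lists an entry, creating a second one under a new name does not address the error, and the cause is elsewhere.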
Hi,
We have some problems with our Root CA. I can see a lot of failed requests with the event id 22 in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for CN=xxxxx.ourdomain.com. Additional information: Error Verifying Request Signature or Signing Certificate
A couple of months ago we decommissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure but I am not sure whether this was in use or not since I could find the role but I wasn't able to see any existing configuration.
Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs, what can I do now to try and correct the problem?
Thank you for your help
//Cris
hello,
let me recap first:
You see these errors on a ROOT CA, so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with the error you mentioned.
Do you say that you had a PREVIOUS CA which you decommissioned, and you now have a brand NEW CA, that was built as a clean install? When you decommissioned the PREVIOUS CA, that was your design decision not to bother with the current certificates that it issued and which are still valid, right?
The error says that the REQUEST signature cannot be validated. REQUESTs are signed either by itself (self-signed) or, if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs do not contain CRL paths at all.
So this implies to me that these requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
As there are many such REQUESTs and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
As you decommissioned your PREVIOUS CA, it does not issue CRLs anymore and the current certificates cannot be checked for validity.
Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate the CRL of the PREVIOUS CA and will not issue new certificates.
But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew. Just a clean self-signed REQUEST.
That will succeed.
You can also verify this by trying to issue a certificate on an affected machine manually from the Certificates MMC.
ondrej. -
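To see which revocation paths an expiring client certificate still points at, as the reply above describes, the following added example (not part of the original reply) builds the chain with online revocation checking and lists each certificate's CRL distribution point URLs next to its chain status. The function name Test-CertRevocationPaths and the file path in the usage comment are hypothetical; the input is a certificate exported from an affected client as a .cer file.

```powershell
# Added example, not from the original thread.
function Test-CertRevocationPaths {
    param(
        # Hypothetical input: a certificate exported from an affected client (.cer).
        [Parameter(Mandatory = $true)][string]$Path
    )

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$x509.X509Certificate2" (Resolve-Path $Path).Path
    $chain = New-Object "$x509.X509Chain"

    # Force a live revocation lookup so an unreachable CRL publisher shows up
    # as a status flag instead of being satisfied silently or skipped.
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    [void]$chain.Build($cert)

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate

        # CRL Distribution Points extension (OID 2.5.29.31); pull the URLs out of
        # its formatted text. These are the "CRL paths" the reply refers to.
        $cdp  = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = @()
        if ($cdp) {
            $urls = @([regex]::Matches($cdp.Format($true), '(?i)(ldap|https?)://[^\s\)]+') |
                ForEach-Object { $_.Value } | Select-Object -Unique)
        }

        $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status.ToString() })
        # OfflineRevocation / RevocationStatusUnknown are what an unreachable
        # (for example decommissioned) CRL publisher produces.
        $unverified = @($flags | Where-Object {
            $_ -eq 'OfflineRevocation' -or $_ -eq 'RevocationStatusUnknown' }).Count -gt 0

        [pscustomobject]@{
            Subject              = $c.Subject
            Issuer               = $c.Issuer
            NotAfter             = $c.NotAfter
            DaysLeft             = [int]($c.NotAfter - (Get-Date)).TotalDays
            CrlUrls              = $urls -join '; '
            RevocationUnverified = $unverified
            Status               = $flags -join ', '
        }
    }
}

# Usage (path is a placeholder):
# Test-CertRevocationPaths -Path 'C:\temp\client.cer' | Format-List
```

A row with RevocationUnverified set and CRL URLs naming the decommissioned server matches the renewal failure described in the reply; DaysLeft shows how long until that certificate expires.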
My location services is already on as well as with my Facebook apps, but still I am unable to check in. What's wrong? Even with my maps, it always says location unavailable. Help please.
- The iPod uses the location of a nearby or connected router to determine its location based on a database of routers and their location. It appears that the routers near you are not in Apple's database. As of yet, nobody here seems to know how to get routers added to the database.
- If you go to Starbucks, McDonald's or another network, does the location show in the Maps app? -
Unable to check-in or refresh iPads with iCloud passwords.
I have 40 iPads and have recently been forced to upgrade to iOS 7 (because the users - students - did so on their own and a lot of issues occurred). I still can't believe that users are allowed to upgrade the OS (essentially the firmware) on loaned-out devices. It's an IT logistics nightmare. What if iOS 7 did what the AppleTV 6 upgrade did?
Anyway, if a user is assigned an iPad and they put their own iCloud account on the device, I am unable to check that device back in to Apple Configurator. I also am unable to successfully back it up or refresh the device.
I've had the student in question delete the iCloud account but if all 40 students did that, I'd be going crazy. Imagine if it were 400 iPads instead of 40?
Is there an easier way to allow students to utilize their own iCloud accounts to backup documents, etc, without requiring them to delete the account before I perform upgrades/maintenance? Is this going to happen every time or is this only happening because she upgraded to iOS 7 on her own?
I've never been so frustrated with Apple as I have with this upgrade to 7. Allowing individual users to upgrade a kiosk device... and then not communicating about the new Configurator... and then FORCING upgrades when preparing new devices... days of work lost and more days to come.
We have had a similar problem as well - inCopy claims that an assignment is checked out, but the user cannot access it to check it back in or make changes.
Did you guys ever figure out a fix? -
HT5012 Can I install two root certificates with the same name in iPad?
Can I install two root certificates with the same name in iPad?
Antaeus00 wrote:
I tried sending a request for help,
But did you succeed in sending a request for help?
Did you receive a response? How long has it been since you sent a request?
but I need someone with more authority to talk to.
There is no one with more authority than iTunes store support. We here are only users. -
unable to check updates and couldnt download or install any application
Hi, mayca07.
Thank you for visiting Apple Support Communities.
I would need more information regarding the exact issue or errors received to provide a better answer. However, there are a couple things that I would recommend trying. Try forcing all open applications to close and restart the device. Next, go through the section labeled Troubleshoot issues on an iPhone, iPad, or iPod touch in the second article below.
iOS: Force an app to close
http://support.apple.com/kb/ht5137
Can't connect to the iTunes Store
http://support.apple.com/kb/ts1368
Cheers,
Jason H. -
Since updating my iphone 4s to the ios6 I am unable to check my email when in a hospital. I did not have this problem prior to updating.
http://discussions.apple.com/thread/4310494?tstart=30 go thru the suggestions given.
-
Unable to register system with sconadm
I'm trying to get smpatch working within my environment so I can get our patch management/automation under control. I've been able to successfully get this working on 1 system. When attempting to get this working on a second system, I have had nothing but issues. Any help with this would be greatly appreciated.
1. I have followed both ID 1288579.1 and ID 1311733.1 to a T.
2. I do have a valid MOS account, and to take it a step further, I have had my account set to Admin on the support contract I have.
3. I've verified that my account can download patches. I tested with PCA and it can retrieve patches without issue with my account.
4. my suc.sh output:
| Sun Update Collector V 1.0.10 |
Solaris release:
Solaris 10 10/08 s10x_u6wos_07b X86
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 27 October 2008
Solaris Kernel: Generic_137138-09
Machine Type: i86pc
Platform: i86pc
Software Cluster:
CLUSTER=SUNWCall
Environment:
HOME=/
HZ=
LOGNAME=root
MAIL=/var/mail/root
OLDPWD=/usr/jdk
PATH=/usr/sbin:/usr/bin
PWD=/export/home/bbranch
SHELL=/sbin/sh
SHLVL=1
TERM=vt100
TZ=US/Central
_=./suc.sh
Sun UC package status:
SUNWbreg not installed
SUNWdc not installed
Sun UC package information:
Sun UC package chk:
..done..
Sun UC patch revision:
120336-04
121082-06
121082-08
121119-13
121119-19
121454-02
123004-03
123004-04
123006-07
123006-09
123631-03
123896-05
123896-25
124187-07
137138-09
Patch install dates:
Note: The dates listed and patches listed may differ due to patches included with the OS release installed.
drwxr-xr-- 2 root root 512 2011-09-21 13:47:44.093500000 -0500 121082-08
drwxr-xr-- 2 root root 512 2011-09-21 11:04:00.643649000 -0500 121119-19
drwxr-xr-- 2 root root 512 2011-09-21 13:04:38.208182000 -0500 123004-04
drwxr-xr-- 2 root root 512 2011-09-21 11:04:23.198060000 -0500 123006-09
drwxr-xr-- 2 root root 512 2011-09-21 11:11:22.682756000 -0500 123896-25
Java versions:
System default:
java version "1.5.0_22"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)
Java HotSpot(TM) Client VM (build 1.5.0_22-b03, mixed mode)
Java 5:
java version "1.5.0_22"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_22-b03)
Java HotSpot(TM) Client VM (build 1.5.0_22-b03, mixed mode)
Java 6:
Unable to locate JRE meeting specification "1.6*"
Java used by smpatch and updatemanager:
/usr/sbin/pprosvc:JAVACMD="/usr/jdk/latest/bin/java -version:1.5+"
/bin/updatemanager:JAVA_EXEC="/usr/jdk/latest/bin/java -version:1.5+"
Cacao Java version:
java-home=/usr/jdk/latest
Cacao Base Directories:
cacao.install.rt.base.dir=/
cacao.install.etc.base.dir=/
Cacao all settings:
snmp-adaptor-port=11161
snmp-adaptor-trap-port=11162
jmxmp-connector-port=11162
commandstream-adaptor-port=11163
rmi-registry-port=11164
secure-webserver-port=11165
java-flags= -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed
micro-agent=false
java-home=/usr/jdk/latest
jdmk-home=/usr/share/lib/jdmk
nss-lib-home=/usr/lib/mps/secv1
nss-tools-home=/usr/sfw/bin
retries=4
log-file-limit=1000000
log-file-count=3
log-file-append=true
enable-instrumentation=false
user=root
group=sys
network-bind-address=127.0.0.1
watchdog-heartbeat-timeout=60
Cacao Modules:
List of modules registered:
com.sun.cacao.agent_logging 1.0
com.sun.cacao.cached_connector 2.2
com.sun.cacao.command_stream_adaptor 1.0
com.sun.cacao.dtrace 1.0
com.sun.cacao.efd 2.2
com.sun.cacao.instrum 1.0
com.sun.cacao.invoker 1.0
com.sun.cacao.mib2simple 1.0
com.sun.cacao.rbac 2.1
com.sun.cacao.rmi 1.0
com.sun.cacao.session 2.2
com.sun.cacao.snmpv3_adaptor 1.0
com.sun.cacao.watchdog.heartbeat 1.0
com.sun.cacao.watchdog.probe 1.0
com.sun.scn.SolarisAssetModule 1.0
com.sun.scn.base.SCNBase 1.0
com.sun.scn.offering.ProductRegistration 1.0
com.sun.scn.offering.SoftwareUpdate 1.0
com.sun.scn.sensor.Sensor_Module 1.0
ls Cacao directories:
/etc/cacao/instances/default:
total 6
drwxr-xr-x 2 root sys 512 Sep 21 13:04 modules
drwxr-xr-x 3 root sys 512 Sep 21 11:11 private
drwxr-xr-x 5 root sys 512 Sep 21 10:12 security
/etc/cacao/instances/default/modules:
total 24
-rw-r----- 1 root sys 2581 Mar 27 2006 com.sun.scn.base.SCNBase.xml
-rw-r----- 1 root sys 2921 Dec 3 2007 com.sun.scn.offering.ProductRegistration.xml
-rw-r--r-- 1 root sys 2789 Dec 3 2007 com.sun.scn.offering.SWUPRegistration.xml
-rw-r----- 1 root sys 1307 Mar 17 2010 com.sun.scn.sam.SolarisAssetModule.xml
-rw-r----- 1 root sys 1010 Mar 16 2006 com.sun.scn.sensor.Sensor_Module.xml
/etc/cacao/instances/default/private:
total 26
-rw-r--r-- 1 root sys 5386 Sep 22 09:57 cacao.properties
-rw-r--r-- 1 root sys 559 Sep 21 10:12 logger.properties
drwxr-xr-x 2 root sys 3072 Sep 21 11:11 modules
-rw-r--r-- 1 root sys 2196 Sep 21 11:11 svc_cacao.xml
/etc/cacao/instances/default/private/modules:
total 82
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.auth.session.2.2.2.properties
-rw-r--r-- 1 root sys 1435 Sep 21 11:11 com.sun.cacao.auth.session.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.cached_connector.2.2.2.properties
-rw-r--r-- 1 root sys 1033 Sep 21 11:11 com.sun.cacao.cached_connector.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.command_stream_adaptor.2.2.2.properties
-rw-r--r-- 1 root sys 1005 Sep 21 11:11 com.sun.cacao.command_stream_adaptor.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 10:12 com.sun.cacao.dtrace.properties
-rw-r--r-- 1 root sys 957 Sep 21 10:12 com.sun.cacao.dtrace.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.efd.2.2.2.properties
-rw-r--r-- 1 root sys 1115 Sep 21 11:11 com.sun.cacao.efd.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.instrum.2.2.2.properties
-rw-r--r-- 1 root sys 1025 Sep 21 11:11 com.sun.cacao.instrum.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.invoker.2.2.2.properties
-rw-r--r-- 1 root sys 1086 Sep 21 11:11 com.sun.cacao.invoker.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.logging_manager.2.2.2.properties
-rw-r--r-- 1 root sys 903 Sep 21 11:11 com.sun.cacao.logging_manager.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.mib2simple.2.2.2.properties
-rw-r--r-- 1 root sys 2816 Sep 21 11:11 com.sun.cacao.mib2simple.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.rbac.2.2.2.properties
-rw-r--r-- 1 root sys 1295 Sep 21 11:11 com.sun.cacao.rbac.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.rmi.2.2.2.properties
-rw-r--r-- 1 root sys 960 Sep 21 11:11 com.sun.cacao.rmi.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.snmpv3_adaptor.2.2.2.properties
-rw-r--r-- 1 root sys 2049 Sep 21 11:11 com.sun.cacao.snmpv3_adaptor.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.watchdog.heartbeat.2.2.2.properties
-rw-r--r-- 1 root sys 2559 Sep 21 11:11 com.sun.cacao.watchdog.heartbeat.2.2.2.xml
-rw-r--r-- 1 root sys 56 Sep 21 11:11 com.sun.cacao.watchdog.probe.2.2.2.properties
-rw-r--r-- 1 root sys 1757 Sep 21 11:11 com.sun.cacao.watchdog.probe.2.2.2.xml
/etc/cacao/instances/default/security:
total 8
drwxr-xr-x 2 root sys 512 Sep 21 10:12 jsse
drwxr-xr-x 5 root sys 512 Sep 21 10:12 nss
-rw------- 1 root sys 197 Sep 21 10:12 password
drwxr-xr-x 2 root sys 512 Sep 22 09:57 snmp
/etc/cacao/instances/default/security/jsse:
total 8
-rw-r--r-- 1 root sys 639 Sep 21 10:12 agent.cert
-rw-r--r-- 1 root sys 1630 Sep 21 10:12 keystore
-rw-r--r-- 1 root sys 486 Sep 21 10:12 truststore
/etc/cacao/instances/default/security/nss:
total 6
drwxr-xr-x 2 root sys 512 Sep 21 10:12 localca
drwxr-xr-x 2 root sys 512 Sep 21 10:12 unknown
drwxr-xr-x 2 root sys 512 Sep 21 10:12 wellknown
/etc/cacao/instances/default/security/nss/localca:
total 226
-rw-r--r-- 1 root sys 65536 Sep 21 10:12 cert8.db
-rw-r--r-- 1 root sys 32768 Sep 21 10:12 key3.db
-rw-r--r-- 1 root sys 635 Sep 21 10:12 localca.cert
-rw-r--r-- 1 root sys 32768 Sep 21 10:12 secmod.db
/etc/cacao/instances/default/security/nss/unknown:
total 208
-rw-r--r-- 1 root sys 65536 Sep 21 10:12 cert8.db
-rw-r--r-- 1 root sys 32768 Sep 21 10:12 key3.db
-rw-r--r-- 1 root sys 32768 Sep 21 10:12 secmod.db
/etc/cacao/instances/default/security/nss/wellknown:
total 226
-rw-r--r-- 1 root sys 65536 Sep 21 10:12 cert8.db
-rw-r--r-- 1 root sys 32768 Sep 21 10:12 key3.db
-rw-r--r-- 1 root sys 32768 Sep 21 10:12 secmod.db
-rw-r--r-- 1 root sys 643 Sep 21 10:12 wellknown.cert
/etc/cacao/instances/default/security/snmp:
total 8
-rw------- 1 root sys 884 Sep 21 10:12 jdmk.acl
-rw------- 1 root sys 1110 Sep 22 09:57 jdmk.security
-rw------- 1 root sys 664 Sep 21 10:12 jdmk.uacl
/usr/lib/cacao/lib/tools/template:
total 8
drwxr-xr-x 5 root sys 512 Sep 21 09:49 config
drwxr-xr-x 2 root sys 1536 Sep 21 11:11 modules
drwxr-xr-x 2 root sys 512 Sep 21 11:11 startup
/usr/lib/cacao/lib/tools/template/config:
total 6
drwxr-xr-x 2 root sys 512 Sep 21 09:49 modules
drwxr-xr-x 3 root sys 512 Sep 21 11:11 private
drwxr-xr-x 3 root sys 512 Sep 21 09:49 security
/usr/lib/cacao/lib/tools/template/config/modules:
total 0
/usr/lib/cacao/lib/tools/template/config/private:
total 16
-rw-r--r-- 1 root sys 6045 Dec 7 2010 cacao.properties
-rw-r--r-- 1 root sys 565 Dec 7 2010 logger.properties
drwxr-xr-x 2 root sys 512 Sep 21 09:49 modules
/usr/lib/cacao/lib/tools/template/config/private/modules:
total 0
/usr/lib/cacao/lib/tools/template/config/security:
total 2
drwxr-xr-x 2 root sys 512 Sep 21 11:11 snmp
/usr/lib/cacao/lib/tools/template/config/security/snmp:
total 6
-rw-r--r-- 1 root sys 896 Dec 7 2010 jdmk.acl
-rw-r--r-- 1 root sys 1005 Dec 7 2010 jdmk.security
-rw-r--r-- 1 root sys 680 Dec 7 2010 jdmk.uacl
/usr/lib/cacao/lib/tools/template/modules:
total 54
-rw-r--r-- 1 root sys 1435 Dec 7 2010 com.sun.cacao.auth.session.2.2.2.xml
-rw-r--r-- 1 root sys 1033 Dec 7 2010 com.sun.cacao.cached_connector.2.2.2.xml
-rw-r--r-- 1 root sys 1005 Dec 7 2010 com.sun.cacao.command_stream_adaptor.2.2.2.xml
-rw-r--r-- 1 root sys 957 Feb 15 2007 com.sun.cacao.dtrace.xml
-rw-r--r-- 1 root sys 1115 Dec 7 2010 com.sun.cacao.efd.2.2.2.xml
-rw-r--r-- 1 root sys 1025 Dec 7 2010 com.sun.cacao.instrum.2.2.2.xml
-rw-r--r-- 1 root sys 1086 Dec 7 2010 com.sun.cacao.invoker.2.2.2.xml
-rw-r--r-- 1 root sys 903 Dec 7 2010 com.sun.cacao.logging_manager.2.2.2.xml
-rw-r--r-- 1 root sys 2816 Dec 7 2010 com.sun.cacao.mib2simple.2.2.2.xml
-rw-r--r-- 1 root sys 1295 Dec 7 2010 com.sun.cacao.rbac.2.2.2.xml
-rw-r--r-- 1 root sys 960 Dec 7 2010 com.sun.cacao.rmi.2.2.2.xml
-rw-r--r-- 1 root sys 2049 Dec 7 2010 com.sun.cacao.snmpv3_adaptor.2.2.2.xml
-rw-r--r-- 1 root sys 2559 Dec 7 2010 com.sun.cacao.watchdog.heartbeat.2.2.2.xml
-rw-r--r-- 1 root sys 1757 Dec 7 2010 com.sun.cacao.watchdog.probe.2.2.2.xml
/usr/lib/cacao/lib/tools/template/startup:
total 14
-rw-r--r-- 1 root sys 3770 Dec 7 2010 cacao
-rw-r--r-- 1 root sys 2164 Dec 7 2010 svc_cacao.xml
checking Cacao ports:
*.111 Idle
127.0.0.1.11161 Idle
*.111 *.* 0 0 49152 0 LISTEN
127.0.0.1.11164 *.* 0 0 49152 0 LISTEN
127.0.0.1.11163 *.* 0 0 49152 0 LISTEN
127.0.0.1.11162 *.* 0 0 49152 0 LISTEN
checking Cacao java process:
root 3225 0.3 4.011263241060 ? S 09:57:06 0:03 /usr/jdk/latest/bin/java -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed -classpath /usr/share/lib/jdmk/jdmkrt.jar:/usr/share/lib/jdmk/jmxremote_optional.jar:/usr/lib/cacao/lib/cacao_cacao.jar:/usr/lib/cacao/lib/cacao_j5core.jar:/usr/lib/cacao/lib/bcprov-jdk14.jar -Djavax.management.builder.initial=com.sun.jdmk.JdmkMBeanServerBuilder -Dcacao.print.status=true -Dcacao.config.dir=/etc/cacao/instances/default -Dcacao.monitoring.mode=smf -Dcom.sun.cacao.ssl.keystore.password.file=/etc/cacao/instances/default/security/password com.sun.cacao.container.impl.ContainerPrivate
root 1325 0.2 1.68425216216 ? S 09:42:59 0:02 /usr/jdk/latest/bin/java -version:1.5+ -jar /usr/lib/patch/swupna.jar -wait
noaccess 710 0.1 11.6196796119900 ? S 09:08:02 0:13 /usr/java/bin/java -server -Xmx128m -XX:+UseParallelGC -XX:ParallelGCThreads=4 -classpath /usr/share/webconsole/private/container/bin/bootstrap.jar:/usr/share/webconsole/private/container/bin/commons-logging.jar:/usr/share/webconsole/private/container/bin/log4j.jar:/usr/java/lib/tools.jar:/usr/java/jre/lib/jsse.jar -Djava.security.manager -Djava.security.policy==/var/webconsole/domains/console/conf/console.policy -Djavax.net.ssl.trustStore=/var/webconsole/domains/console/conf/keystore.jks -Djava.security.auth.login.config=/var/webconsole/domains/console/conf/consolelogin.conf -Dcatalina.home=/usr/share/webconsole/private/container -Dcatalina.base=/var/webconsole/domains/console -Dcom.sun.web.console.home=/usr/share/webconsole -Dcom.sun.web.console.conf=/etc/webconsole/console -Dcom.sun.web.console.base=/var/webconsole/domains/console -Dcom.sun.web.console.logdir=/var/log/webconsole/console -Dcom.sun.web.console.native=/usr/lib/webconsole -Dcom.sun.web.console.appbase=/var/webconsole/domains/console/webapps -Dcom.sun.web.console.secureport=6789 -Dcom.sun.web.console.unsecureport=6788 -Dcom.sun.web.console.unsecurehost=127.0.0.1 -Dwebconsole.default.file=/etc/webconsole/console/default.properties -Dwebconsole.config.file=/etc/webconsole/console/service.properties -Dcom.sun.web.console.startfile=/var/webconsole/tmp/console_start.tmp -Djava.awt.headless=true -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.NoOpLog org.apache.catalina.startup.Bootstrap start
root 3224 0.0 0.2 1864 1184 ? S 09:57:06 0:00 /usr/lib/cacao/lib/tools/launch -w /var/cacao/instances/default -L 16384 -A /usr/lib/cacao/lib/tools/proc_analysis -W /var/cacao/instances/default -T 300 -P /var/run/cacao/instances/default/run/hb.pipe -f -U root -G sys -- /usr/jdk/latest/bin/java -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed -classpath /usr/share/lib/jdmk/jdmkrt.jar:/usr/share/lib/jdmk/jmxremote_optional.jar:/usr/lib/cacao/lib/cacao_cacao.jar:/usr/lib/cacao/lib/cacao_j5core.jar:/usr/lib/cacao/lib/bcprov-jdk14.jar -Djavax.management.builder.initial=com.sun.jdmk.JdmkMBeanServerBuilder -Dcacao.print.status=true -Dcacao.config.dir=/etc/cacao/instances/default -Dcacao.monitoring.mode=smf -Dcom.sun.cacao.ssl.keystore.password.file=/etc/cacao/instances/default/security/password com.sun.cacao.container.impl.ContainerPrivate
copying cacao files to /tmp/suc-cacao...
done.
Solaris 10 cacao instances:
STATE NSTATE STIME CTID FMRI
online - 9:57:07 88 svc:/application/management/common-agent-container-1:default
9:57:06 3224 launch
9:57:06 3225 java
Full list of cacao SMF service(s):
fmri svc:/application/management/common-agent-container-1:default
name Cacao, a common Java container for JDMK/JMX based management solution
enabled true (temporary)
state online
next_state none
state_time Thu Sep 22 09:57:07 2011
logfile /var/svc/log/application-management-common-agent-container-1:default.log
restarter svc:/system/svc/restarter:default
contract_id 88
dependency require_all/none svc:/system/filesystem/local (online)
dependency require_all/none svc:/network/initial (online)
dependency require_all/none svc:/milestone/multi-user (online)
Services in maintenance/disabled state:
svc:/system/pkgserv:default (Flush package command database to disk (see pkgadm(1m)).)
State: offline since Thu Sep 22 09:07:25 2011
Reason: Dependency file://localhost/usr/sadm/install/bin/pkgserv is absent.
See: http://sun.com/msg/SMF-8000-E2
Impact: This service is not running.
All ccr properties:
18:
cns.assetid:
cns.br.SunUCenabled:
true
cns.ccr.keyGenPath:
/usr/lib/cc-ccr/bin/ccrKeyGen
cns.clientid:
cns.httpproxy.auth:
cns.httpproxy.ipaddr:
cns.httpproxy.port:
cns.regtoken:
cns.security.password:
dAw5y36sZJoC+XZR504J4YfvVN8gcxGUYp1bCb8i7x21
cns.security.privatekey:
cns.security.publickey:
cns.swup.UMautolaunch:
false
cns.swup.autoAnalysis.enabled:
true
cns.swup.checkinInterval:
2
cns.swup.lastCheckin:
0
cns.swup.patchbaseline:
current
cns.swup.regRequired:
true
cns.transport.serverurl:
patchsvr not installed.
Entitlement:
smpatch settings:
patchpro.backout.directory - ""
patchpro.baseline.directory - /var/sadm/spool
patchpro.download.directory - /var/sadm/spool
patchpro.install.types - rebootafter:reconfigafter:standard
patchpro.patch.source - https://getupdates.oracle.com/
patchpro.patchset - current3
patchpro.proxy.host - ""
patchpro.proxy.passwd **** ****
patchpro.proxy.port - 8080
patchpro.proxy.user - ""
debug smpatch analyze:
Effective proxy host : ""
Effective proxy port : "8080"
Effective proxy user : ""
... Submitting download request against a GUUS server
... ... Hostname of URL is getupdates.oracle.com
... ... Filename of URL is /xml/motd.xml
... ... File path portion of URL is /xml/motd.xml
Defining request header : IF_MODIFIED_SINCE... valueWed Dec 31 18:00:00 CST 1969
... Caught IO Exception.
((HttpURLConnection)connection).getResponseCode() : 401
((HttpURLConnection)connection).getResponseMessage() : Authorization Required
Error: Unable to download document : "xml/motd.xml"
Cannot connect to retrieve motd.xml: Authorization Required
Effective proxy host : ""
Effective proxy port : "8080"
Effective proxy user : ""
... Submitting download request against a GUUS server
... ... Hostname of URL is getupdates.oracle.com
... ... Filename of URL is /detector/detectors.jar
... ... File path portion of URL is /detector/detectors.jar
Effective proxy host : ""
Effective proxy port : "8080"
Effective proxy user : ""
... Submitting download request against a GUUS server
... ... Hostname of URL is getupdates.oracle.com
... ... Filename of URL is /database/current3.zip
... ... File path portion of URL is /database/current3.zip
Defining request header : IF_MODIFIED_SINCE... valueWed Dec 31 18:00:00 CST 1969
Defining request header : IF_MODIFIED_SINCE... valueWed Dec 31 18:00:00 CST 1969
... Caught IO Exception.
((HttpURLConnection)connection).getResponseCode() : 401
((HttpURLConnection)connection).getResponseMessage() : Authorization Required
... Caught IO Exception.
((HttpURLConnection)connection).getResponseCode() : 401
((HttpURLConnection)connection).getResponseMessage() : Authorization Required
Failure: Cannot connect to retrieve current3.zip: Authorization Required
ls /var/sadm/spool:
/var/sadm/spool:
total 2
drwxr-xr-x 5 root sys 512 Sep 22 10:00 cache
/var/sadm/spool/cache:
total 6
drwxr-xr-x 2 root root 512 Sep 22 10:00 Database
drwxr-xr-x 3 root sys 512 Sep 21 09:54 updatemanager
drwxr-xr-x 2 root root 512 Sep 22 10:00 xml
/var/sadm/spool/cache/Database:
total 0
/var/sadm/spool/cache/updatemanager:
total 2
drwxr-xr-x 2 root sys 512 Sep 21 09:54 analysis.results
/var/sadm/spool/cache/updatemanager/analysis.results:
total 0
/var/sadm/spool/cache/xml:
total 0
copying sconadm log files to /tmp/suc-sconadm...
done.
checking certificate...
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: jks
Keystore provider: SUN
Your keystore contains 11 entries
Alias name: smirootcacert
Creation date: Jun 18, 2002
Entry type: trustedCertEntry
Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Serial number: 200014a
Valid from: Tue Nov 07 16:39:00 CST 2000 until: Thu Nov 07 17:59:00 CST 2002
Certificate fingerprints:
MD5: D8:B6:68:D4:6B:04:B9:5A:EB:34:23:54:B8:F3:97:8C
SHA1: BD:D9:0B:DA:AE:91:5F:33:C4:3D:10:E3:77:F0:45:09:4A:E8:A2:98
Alias name: updateserver.sun.com
Creation date: Apr 20, 2004
Entry type: trustedCertEntry
Owner: CN=updateserver.sun.com, OU=Solaris Patch Server, O="Sun Microsystems, Inc.", L=Santa Clara, ST=California, C=US
Issuer: CN=updateserver.sun.com, OU=Solaris Patch Server, O="Sun Microsystems, Inc.", L=Santa Clara, ST=California, C=US
Serial number: 4085ad7d
Valid from: Tue Apr 20 18:08:45 CDT 2004 until: Fri Apr 18 18:08:45 CDT 2014
Certificate fingerprints:
MD5: C7:0D:9B:84:B2:E0:57:FA:F4:D1:0C:2E:F3:0E:68:DF
SHA1: 48:B3:6B:35:AB:15:FE:BF:C5:B9:FF:39:F9:7E:FF:BB:C2:07:9B:7A
Alias name: gtecybertrustglobalca
Creation date: Feb 6, 2006
Entry type: trustedCertEntry
Owner: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
Serial number: 1a5
Valid from: Wed Aug 12 19:29:00 CDT 1998 until: Mon Aug 13 18:59:00 CDT 2018
Certificate fingerprints:
MD5: CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
SHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
Alias name: verisignclass3g2ca
Creation date: Feb 6, 2006
Entry type: trustedCertEntry
Owner: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Serial number: 7dd9fe07cfa81eb7107967fba78934c6
Valid from: Sun May 17 19:00:00 CDT 1998 until: Tue Aug 01 18:59:59 CDT 2028
Certificate fingerprints:
MD5: A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
SHA1: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
Alias name: smicacert
Creation date: Jun 18, 2002
Entry type: trustedCertEntry
Owner: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Issuer: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Serial number: 1000006
Valid from: Mon Nov 13 13:23:10 CST 2000 until: Fri Nov 13 13:23:10 CST 2009
Certificate fingerprints:
MD5: B4:1F:E1:0D:80:7D:B1:AB:15:5C:78:CB:C8:8F:CE:37
SHA1: 1E:38:11:02:F0:5D:A3:27:5C:F9:6E:B1:1F:C4:79:95:E9:6E:D6:DF
Alias name: patchsigning3
Creation date: Dec 9, 2008
Entry type: trustedCertEntry
Owner: CN=patchsign 20081125, OU=Class B, OU=Corporate Object Signing, O=Sun Microsystems Inc
Issuer: CN=Object Signing CA, OU=Class 2 OnSite Subscriber CA, OU=VeriSign Trust Network, O=Sun Microsystems Inc
Serial number: c6c945f7361c6aa3c520502b3db45a7
Valid from: Mon Nov 24 18:00:00 CST 2008 until: Fri Nov 25 17:59:59 CST 2011
Certificate fingerprints:
MD5: 37:FD:5B:76:06:29:65:DB:47:D8:A5:AB:E7:D7:2C:08
SHA1: 30:C7:C3:AF:85:00:8F:3B:41:DC:55:A3:99:53:E4:00:D8:97:D7:01
Alias name: patchsigning2
Creation date: Feb 8, 2006
Entry type: trustedCertEntry
Owner: CN=Patch (No version), OU=Class B, OU=Corporate Object Signing, O=Sun Microsystems Inc
Issuer: CN=Object Signing CA, OU=Class 2 OnSite Subscriber CA, OU=VeriSign Trust Network, O=Sun Microsystems Inc
Serial number: 3ed0ec9de0eed991b93f09d331d05e93
Valid from: Tue Jan 24 18:00:00 CST 2006 until: Sat Jan 24 17:59:59 CST 2009
Certificate fingerprints:
MD5: 07:5C:E4:4F:4C:DC:4D:D5:D0:A8:A8:16:C8:DB:37:5F
SHA1: A2:A8:17:32:2C:C4:7E:DE:8E:67:70:5E:08:2B:91:E9:8A:48:8C:05
Alias name: patchsigning
Creation date: Jun 18, 2002
Entry type: trustedCertEntry
Owner: CN=Enterprise Services Patch Management, O=Sun Microsystems Inc
Issuer: O=Sun Microsystems Inc, CN=Sun Microsystems Inc CA (Class B)
Serial number: 1400007b
Valid from: Mon Sep 24 15:38:53 CDT 2001 until: Sun Sep 24 15:38:53 CDT 2006
Certificate fingerprints:
MD5: 6F:63:51:C4:3D:92:C5:B9:A7:90:2F:FB:C0:68:66:16
SHA1: D0:8D:7B:2D:06:AF:1F:37:5C:0D:1B:A0:B3:CB:A0:2E:90:D6:45:0C
Alias name: smirootcacert2
Creation date: Oct 21, 2002
Entry type: trustedCertEntry
Owner: CN=Sun Microsystems Inc Root CA, O=Sun Microsystems Inc, C=US
Issuer: CN=GTE CyberTrust Root, O=GTE Corporation, C=US
Serial number: 40002ae
Valid from: Wed Oct 16 10:45:00 CDT 2002 until: Sat Oct 16 18:59:00 CDT 2004
Certificate fingerprints:
MD5: 54:E3:D1:E4:79:B4:17:23:65:B4:F9:14:AD:C6:4A:FE
SHA1: 90:F1:AB:87:AE:A0:4C:1F:AF:43:60:DE:5D:A8:0E:D8:CE:E7:06:AE
Alias name: getupdates.oracle.com
Creation date: Apr 25, 2011
Entry type: trustedCertEntry
Owner: CN=*.oracle.com, OU=Terms of use at www.verisign.com/rpa (c)10, OU=Global IT, O=Oracle Corporation, L=Redwood Shores, ST=California, C=US
Issuer: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
Serial number: 7854c9713b40a03d934e4b1b7f266170
Valid from: Mon Apr 12 19:00:00 CDT 2010 until: Thu May 05 18:59:59 CDT 2011
Certificate fingerprints:
MD5: 03:CB:5F:B8:58:40:23:03:7E:89:A7:49:AF:06:7C:23
SHA1: 63:95:E0:5C:87:42:8E:38:95:73:EE:03:1C:50:48:FE:43:8F:DC:8C
Alias name: oracle.com
Creation date: Apr 25, 2011
Entry type: trustedCertEntry
Owner: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 641be820ce020813f32d4d2d95d67e67
Valid from: Sun Feb 07 18:00:00 CST 2010 until: Fri Feb 07 17:59:59 CST 2020
Certificate fingerprints:
MD5: BA:B0:65:B4:3B:9C:E8:40:30:21:7D:C5:C6:CD:3F:EB
SHA1: B1:8D:9D:19:56:69:BA:0F:78:29:51:75:66:C2:5F:42:2A:27:71:04
checking network settings...
141.146.44.51 updates.oraclegha.com getupdates.oracle.com updates.oracle.com
164.58.129.138 a248.e.akamai.net
164.58.129.143 a248.e.akamai.net
141.146.44.51 updates.oraclegha.com cns-services.oracle.com updates.oracle.com
Sampath,
You can use one of the following workarounds:
1. Install redhat-release package from AS
or
2. Edit /etc/redhat-release
change (for example):
Red Hat Enterprise Linux ES release 4 (Nahant Update 4)
to:
Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
The next version of "up2date" will correctly handle "ES" or "WS" systems.
Regards,
Björn -
"Unable to check revocation" error while checking CDP from non-domain user account
Hi!
I use a 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In the certificate we have three CDP points for the CRL check:
ldap:///, http:// and file://
I have a Windows 2008 R2 server joined to the domain.
I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
When I use a domain user account for revocation checking, all is OK.
I have access to every CDP and all is fine.
But when I use a local server user account, I don't have access to ldap:/// and the process fails, although all the other links are OK.
My question is: why does the check fail with a non-domain user account while the other CDP points are successfully verified?
Here is the logfile from local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.
What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate, again to an internally and externally accessible, highly available Web cluster, and one for the OCSP service, also an internally and externally accessible, highly available Web cluster.
The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
certutil -dspublish -f RootCA.crt.
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian -
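The following is an added example, not part of the original thread and not Microsoft tooling: a Python parser for `certutil -verify -urlfetch` output that groups every AIA/CDP retrieval by URL scheme and error code, so the LDAP logon failures described in the answer stand apart from the unrelated `file://` path failure. The sample input is condensed from the local-account log in the question; the function and class names are hypothetical.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Trust-error bits, named exactly as in the certutil output on this page.
ERROR_BITS = {0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
              0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION"}

# Constructed sample: lines condensed from the local-account log in the thread.
SAMPLE = r'''
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
'''

CERT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]:.*dwErrorStatus=([0-9a-fA-F]+)")
SECTION_RE = re.compile(r"^-{4,} (.+?) -{4,}$")
STATUS_RE = re.compile(r'^(Verified|Failed|OK|Expired|Old Base CRL|No URLs) "[^"]*" Time: \d+')
URL_RE = re.compile(r"^(?:\[[\d.]+\]\s+)?(([a-z]+)://.+)$")
HRESULT_RE = re.compile(r"0x[0-9a-fA-F]{8}")


@dataclass
class Fetch:
    cert: int      # position in the chain, 0 is the leaf
    section: str   # e.g. "Certificate CDP"
    status: str    # Verified / Failed / OK / Expired / Old Base CRL
    scheme: str    # ldap / http / file
    url: str
    error: str     # code from the "Error retrieving URL" line, else ""


def parse_urlfetch(text):
    """Return ({cert index: dwErrorStatus}, [Fetch, ...]) from certutil output."""
    status_by_cert, fetches = {}, []
    cert = section = pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CERT_RE.match(line):
            cert, section, pending = int(m.group(1)), None, None
            status_by_cert[cert] = int(m.group(2), 16)
        elif m := SECTION_RE.match(line):
            section, pending = m.group(1), None
        elif m := STATUS_RE.match(line):
            # "No URLs" is not followed by a URL line, so nothing is pending.
            pending = None if m.group(1) == "No URLs" else [m.group(1), ""]
        elif pending and line.startswith("Error retrieving URL:"):
            code = HRESULT_RE.search(line)
            pending[1] = code.group(0).lower() if code else line
        elif pending and cert is not None and (m := URL_RE.match(line)):
            fetches.append(Fetch(cert, section, pending[0],
                                 m.group(2), m.group(1), pending[1]))
            pending = None
    return status_by_cert, fetches


def decode_error_status(value):
    """Names of the trust-error bits set in a dwErrorStatus value."""
    return [name for bit, name in ERROR_BITS.items() if value & bit]


def failed_schemes_by_error(fetches):
    """Map each retrieval error code to the URL schemes that produced it."""
    out = defaultdict(set)
    for f in (f for f in fetches if f.status == "Failed"):
        out[f.error].add(f.scheme)
    return dict(out)


if __name__ == "__main__":
    statuses, found = parse_urlfetch(SAMPLE)
    for idx, value in sorted(statuses.items()):
        print(f"cert[{idx}] dwErrorStatus={value:#x}", decode_error_status(value))
    for code, schemes in failed_schemes_by_error(found).items():
        print(code, "->", sorted(schemes))
```

Running the same parser over the output captured under a domain account and under the local account shows which URL schemes depend on the caller's credentials.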
How to use self-signed Certificate or No-Check-Certificate in Browser ?
Folks,
Hello. I am running Oracle Database 11gR1 with Operating System Oracle Linux 5. But Enterprise Manager Console cannot display in Browser. I do it in this way:
[user@localhost bin]$ ./emctl start dbconsole
The command returns the output:
https://localhost.localdomain:1158/em/console/aboutApplication
Starting Oracle Enterprise Manager 11g Database Control ... ...
I open the link https://localhost.localdomain:1158/em/console/aboutApplication in browser, this message comes up:
The connection to localhost.localdomain: 1158 cannot be established.
[user@localhost bin]$ ./emctl status dbconsole
The command returns this message: not running.
[user@localhost bin]$ wget https://localhost.localdomain:1158/em
The command returns the output:
10:48:08 https://localhost.localdomain:1158/em
Resolving localhost.localdomain... 127.0.0.1
Connecting to localhost.localdomain|127.0.0.1|:1158... connected.
ERROR: cannot verify localhost.localdomain's certificate, issued by `/DC=com/C=US/ST=CA/L=EnterpriseManager on localhost.localdomain/O=EnterpriseManager on localhost.localdomain/OU=EnterpriseManager on localhost.localdomain/CN=localhost.localdomain/[email protected]':
Self-signed certificate encountered.
To connect to localhost.localdomain insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
A long time ago when I installed Database Server Oracle 11gR1 into my computer, https://localhost.localdomain:1158/em in Browser comes up this message:
Website certified by an Unknown Authority. Examine Certificate...
I select Accept this certificate permanently. Then https://localhost.localdomain:1158/em/console/logon/logon in Browser displays successfully.
But after shut down Operating System Oracle Linux 5 and reopen the OS, https://localhost.localdomain:1158/em/console/logon/logon in Browser returns a blank screen with nothing, and no more message comes up to accept Certificate.
My browser Mozilla Firefox, dbconsole, and Database Server 11gR1 are in the same physical machine. I have checked Mozilla Firefox in the following way:
Edit Menu > Preferences > Advanced > Security > View Certificates > Certificate Manager > Web Sites and Authorities
In web sites tab, there is only one Certificate Name: Enterprise Manager on localhost.localdomain
In Authorities tab, there are a few names as indicated in the above output of wget.
My question is: How to use self-signed certificate and no-check-certificate in Mozilla Firefox for EM console to display ?
Thanks.
Neither the problem nor the solution involves Oracle DB.
The root cause of the problem & the fix are 100% external, detached, & isolated from Oracle DB.
This thread is OFF TOPIC for this forum. -
Failed to create Subordinate CA because of unable to check revocation
Hi all,
I am building a subordinate CA on my domain controller with Windows Server 2012 R2 installed.
I submitted the CSR to my root CA (running EJBCA), then I accept the CA request and generated a certificate file. I already configured my root CA to append OCSP and CRL in this generated certification.
However, I keep receiving "revocation server was offline" error, although I passed the OCSP check with OpenSSL.
Here's the detailed error from certutil.exe
Any help?
PS C:\Users\Administrator> certutil -urlfetch -verify -seconds \\tsclient\Downloads\winPDCCA.cer
Issuer:
C=CA
O=ROOT
CN=ROOT Server CA
Name Hash(sha1): xxx
Name Hash(md5): xxx
Subject:
CN=win-PDC-CA
Name Hash(sha1): xxx
Name Hash(md5): xxx
Cert Serial Number: 58b8a199528589b8
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: C=CA, O=ROOT, CN=ROOT Server CA
NotBefore: 3/5/2015 3:20 AM
NotAfter: 3/4/2040 8:18 AM
Subject: CN=win-PDC-CA
Serial: 58b8a199528589b8
Template: DomainController
12b9512bc6cc456929f73ea1ab0b597812164e46
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL (17)" Time: 0
[0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=ROOT%20Server%
20CA,O=ROOT,C=CA
Verified "Delta CRL (17)" Time: 0
[0.0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20
Server%20CA,O=ROOT,C=CA
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/status/ocsp
CRL (null):
Issuer: C=CA, O=ROOT, CN=ROOT Server CA
ThisUpdate: 3/5/2015 3:30 AM
NextUpdate: 3/5/2015 3:30 PM
xxxx
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: C=CA, O=ROOT, CN=ROOT CA
NotBefore: 3/4/2015 8:18 AM
NotAfter: 3/4/2040 8:18 AM
Subject: C=CA, O=ROOT, CN=ROOT Server CA
Serial: 198c1ca481078881
xxxx
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
Verified "Base CRL (13)" Time: 0
[0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=ROOT%20CA,O=ROOT,C=CA
Verified "Delta CRL (13)" Time: 0
[0.0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20
CA,O=ROOT,C=CA
---------------- Certificate OCSP ----------------
Expired "OCSP" Time: 0
[0.0] http://ca.xxxxxxxxxx.com:8080/ejbca/publicweb/status/ocsp
CertContext[0][2]: dwInfoStatus=10a dwErrorStatus=0
Issuer: C=CA, O=ROOT, CN=ROOT CA
NotBefore: 3/4/2015 8:18 AM
NotAfter: 3/4/2040 8:18 AM
Subject: C=CA, O=ROOT, CN=ROOT CA
Serial: 1def9f3b25d8ec1e
7487db4f9ea8055ca3d095b994fafdd7bbfd0283
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
Exclude leaf cert:
xxxx
Full chain:
xxxx
Issuer: C=CA, O=ROOT, CN=ROOT Server CA
NotBefore: 3/5/2015 3:20 AM
NotAfter: 3/4/2040 8:18 AM
Subject: CN=win-PDC-CA
Serial: 58b8a199528589b8
Template: DomainController
xxxx
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-214688561
3 CRYPT_E_REVOCATION_OFFLINE)
Revocation check skipped -- server offline
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
PS C:\Users\Administrator>
The OCSP server is providing expired responses, there is something definitely wrong with the OCSP configuration. Because you are using the EJBCA OCSP server by PrimeKey, you are going to have to contact them regarding the issues with your configuration.
Brian
Hi Brian,
I am very confused about the "expired" response... Does it mean the certificate is expired or the OCSP response is expired, or something else?
Anyway, I sniff the traffic between this Windows subordinate CA and the OCSP server when I run "certutil -url -v winPDCCA.cer" and choose it to verify OCSP.
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.
Capturing on 'Ethernet 1'
-- omitted --
Online Certificate Status Protocol
responseStatus: successful (0)
responseBytes
ResponseType Id: 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic)
BasicOCSPResponse
tbsResponseData
responderID: byKey (2)
byKey: xx
producedAt: 2015-03-06 03:14:21 (UTC)
responses: 1 item
SingleResponse
certID
hashAlgorithm (SHA-1)
Algorithm Id: 1.3.14.3.2.26 (SHA-1)
issuerNameHash: xx
issuerKeyHash: xx
serialNumber: 1384483256
certStatus: good (0)
good
thisUpdate: 2015-03-06 03:14:21 (UTC)
signatureAlgorithm (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
signature: xx...
certs: 1 item
Certificate (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT Server CA)
signedCertificate
version: v3 (2)
serialNumber: -2130212735
signature (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT CA)
RDNSequence item: 1 item (id-at-commonName=ROOT CA)
RelativeDistinguishedName item (id-at-commonName=ROOT CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: ROOT CA
RDNSequence item: 1 item (id-at-organizationName=ROOT)
RelativeDistinguishedName item (id-at-organizationName=ROOT)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: ROOT
RDNSequence item: 1 item (id-at-countryName=CA)
RelativeDistinguishedName item (id-at-countryName=CA)
Id: 2.5.4.6 (id-at-countryName)
CountryName: CA
validity
notBefore: utcTime (0)
utcTime: 15-03-04 11:48:18 (UTC)
notAfter: utcTime (0)
utcTime: 40-03-04 11:48:10 (UTC)
subject: rdnSequence (0)
rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT Server CA)
RDNSequence item: 1 item (id-at-commonName=ROOT Server CA)
RelativeDistinguishedName item (id-at-commonName=ROOT Server CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: ROOT Server CA
RDNSequence item: 1 item (id-at-organizationName=ROOT)
RelativeDistinguishedName item (id-at-organizationName=ROOT)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: ROOT
RDNSequence item: 1 item (id-at-countryName=CA)
RelativeDistinguishedName item (id-at-countryName=CA)
Id: 2.5.4.6 (id-at-countryName)
CountryName: CA
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
Padding: 0
subjectPublicKey: xx...
extensions: 7 items
Extension (id-pe-authorityInfoAccessSyntax)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)
AuthorityInfoAccessSyntax: 1 item
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-pkix.48.1)
accessLocation: 6
uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/status/ocsp
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: xx
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax
cA: True
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: xx
Extension (id-ce-freshestCRL)
Extension Id: 2.5.29.46 (id-ce-freshestCRL)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=ROOT%20CA,O=ROOT,C=CA
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://ca.xx.com:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=Whitebear%20Home%20CA,O=Whitebear%20Home,C=CA
cRLIssuer: 1 item
GeneralName: directoryName (4)
directoryName: rdnSequence (0)
rdnSequence: 3 items (id-at-countryName=CA,id-at-organizationName=ROOT,id-at-commonName=ROOT CA)
RDNSequence item: 1 item (id-at-commonName=ROOT CA)
RelativeDistinguishedName item (id-at-commonName=ROOT CA)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: ROOT CA
RDNSequence item: 1 item (id-at-organizationName=ROOT)
RelativeDistinguishedName item (id-at-organizationName=ROOT)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: uTF8String (4)
uTF8String: ROOT
RDNSequence item: 1 item (id-at-countryName=CA)
RelativeDistinguishedName item (id-at-countryName=CA)
Id: 2.5.4.6 (id-at-countryName)
CountryName: CA
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 1
KeyUsage: 86 (digitalSignature, keyCertSign, cRLSign)
1... .... = digitalSignature: True
.0.. .... = contentCommitment: False
..0. .... = keyEncipherment: False
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .1.. = keyCertSign: True
.... ..1. = cRLSign: True
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
algorithmIdentifier (shaWithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.5 (shaWithRSAEncryption)
Padding: 0
encrypted: 3f209f1ce8bfc017b1b4c889370b0a49e284dd9895672f4b...
1 ^C
Based on the response, it seems that the OCSP server did return "good", "successful" in response. This is also verified with OpenSSL ocsp verification command:
openssl ocsp -url http://ca.xxx.com:8080/ejbca/publicweb/status/ocsp -issuer ROOTServerCA.pem -cert winPDCCA.cer -CAfile ROOTCA.pem
Response verify OK
winPDCCA.cer: good
This Update: Mar 6 03:21:44 2015 GMT
openssl ocsp -url http://ca.xxx.com:8080/ejbca/publicweb/status/ocsp -issuer ROOTCA.pem -cert ROOTServerCA.pem -CAfile ROOTCA.pem
Response verify OK
ROOTServerCA.pem: good
This Update: Mar 6 03:23:29 2015 GMT -
Experts,
Please help me out here. I am facing this issue while scheduling a job in BIPublisher.
job submission failed : error occurred while scheduling the job. org.quartz.objectalreadyexistsexception: unable to store job with name
Thanks,
You are probably installing on a hardened machine.
The "installation guide" says that if you are doing so, you need to create a file named libx11.so.4 and update your LD_LIBRARY_PATH (see http://docs.iplanet.com/docs/manuals/messaging/ims52/ig/unix/overview.htm) but:
1- the library name is libX11.so.4 and
2- for jre a common file is not enough, you need to install SUNWxwplt at least. This will install the library on /usr/openwin/lib.
You can check the results running <server-root>/bin/base/jre/bin/jre
Hope that helps and sorry about my poor English. -
I have two new Solaris 10 6/06 systems here that are not checking in with the Update Connection.
Looking in /var/log/swupas/swupas.log I see this -
Swup Agent run: Monday, 25 September 2006 11:31:29 BST
** DEBUG ON **
Attempt to get exclusive lock: 1
We have the lock!
prepare to register with Transport
Error: unable to register with Transport
com.sun.cc.transport.client.TransportDownException: proxy communication failure
at com.sun.cc.transport.client.TransportAdapter.translateException(TransportAdapter.java:616)
at com.sun.cc.transport.client.TransportAdapter.register(TransportAdapter.java:523)
at com.sun.cc.transport.client.TransportAdapter.<init>(TransportAdapter.java:314)
at com.sun.swup.client.agent.SwupAgent.main(SwupAgent.java:337)
Swup Agent finish: Monday, 25 September 2006 11:33:59 BST
Running /usr/lib/cc-ccr/bin/ccr -k shows this -
22
cns.assetid
cns.ccr.keyGenPath
cns.clientid
cns.component.ccragent.status
cns.component.fwagent.status
cns.component.invagent.status
cns.component.swupagent.status
cns.httpproxy.auth
cns.httpproxy.ipaddr
cns.httpproxy.port
cns.regtoken
cns.security.password
cns.security.privatekey
cns.security.publickey
cns.service.platform.status
cns.service.swupPortalMgmt.status
cns.swup.autoAnalysis.enabled
cns.swup.checkinInterval
cns.swup.lastCheckin
cns.swup.patchbaseline
cns.swup.regRequired
cns.transport.serverurl
Now from what I have read cns.transport.serverurl needs to be set, and I'm guessing, as we go through an HTTP proxy server here, that cns.httpproxy.ipaddr and cns.httpproxy.port should also be set.
I have tried using ccr -p cns.transport.serverurl -v https://cns-transport.sun.com but it doesn't seem to make any difference; certainly when I run ccr -k again nothing in the output has changed.
Help, how do I get my servers to check in?
Thanks Adam.
Hello,
Please can you check which processes are running.
$ ps -ef | grep cc
If there is no cc-transport process, please can you try starting it and
then checking for any errors in the system log.
$ date
$ /etc/init.d/cc-transport start
$ sleep 30
$ egrep 'CNS|cc-' /var/adm/messages
If you see errors relating to CNS Transport SSL certificate problems
could you please check if patch 122231-01 "SunOS 5.10 Sun Connection
agents, transport certificate update" is installed.
$ showrev -p | grep 122231-01
If the patch is not installed, please install it and retry starting
the cc-transport process.
$ smpatch update -i 122231-01
Only if still unsuccessful, please send the following information.
$ showrev -p | egrep -e '121453|121118|120335|121081|121563|122231|119788'
$ /usr/lib/cc-ccr/bin/ccr -g cns.assetid
$ /usr/lib/cc-cfw/platform/transport/bin/cctrunner -p
Regards,