Unable to configure SSL certificate on Apex

Similar Messages

• Configuring SSL certificates on ALBPM Studio

  Hi,
  I am invoking a web service which is deployed on a web logic server which is a secure server and needs SSL certificates to communicate. I have the certificates but don’t know how to configure it to my ALBPM Studio.
  Can I configure those to studio or do I need to deploy my code on the Enterprise edition installed on application server having these SSL certificates? But in that case I would land up investing so much time in deploying the code on server after even a small change. Since I don’t have those certificates configured to my studio it is not allowing me to catalog the service in my project and throwing Introspection error. The details of the error are mentioned below:
  +[Error] Web Service WSDL parse exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target..+
  +[Error] Instrospection exception: Web Service WSDL parse exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target...+
  Can anyone throw any pointers on this type of error
  Thanks,
  Akshay

  In order to communicate with SSL secured webservices (those with WSDL end point starting as https:// you need to have certificates from these servers.
  For BPM Standalone these are the steps
  1. Download the .cer file from server. (One way is you can use IE browser to get that file and export it from browser to a local directory)
  2. Put this file in %JAVA_HOME%\jre\lib\security. You can put it anywhere you want.
  3. Run the following command at a command prompt:
  C:\Program Files\Java\jre1.6.0_02\bin>keytool -import -trustcacerts -alias <CERT ALIAS NAME> -keystore ..\lib\security\cacerts -file ..\lib\security\gd_<cert file name>.cer
  4. You will be prompted for a password. If you have not changed the password, it will be "changeit".
  5. You will then get the following message if all is successful - "Certificate was added to keystore".
  6. Restart Tomcat (inbuilt server in BPM Studio).
  This should solve your problem.
  Pls note that if you have not configured your keyStore then first do so. you will find this document handy to do so.
  http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File
  Arvind
  Visit my blog at http://soa-bam-bi.blogspot.com/ for more tips on BPM & SOA

• Unable to install SSL Certificate - ADMIN4118: Only one server certificate can be installed at a time

  Hi,
  We are trying to install SSL certificate (Verisign Class 3) on iPlanet Web Server (version 7). However, at the final step we are getting the error "ADMIN4118: Only one server certificate can be installed at a time"
  We are following the below steps,
  Under "Server Certificates" tab,
       -> Click on "Install" button.
       -> On "Select Configuration" click on "Next" button.
       -> On "Select Tokens and Passwords", select default token as "internal" and click on "Next" button.
       -> On "Enter Certificate Data", select option as "Certficate File" and give path to the certificate file which is having .p7b extension
       -> On "Certificate Details" we are getting warning as "Duplicate Server Details Found" and it's by default using the existing certificate's nickname.
       -> On "Review" page after clicking "Finish" button, an error is displayed saying "ADMIN4118: Only one certificate server can be installed at a time"
  There are multiple sub-domains availble and the new certificate we want to install contains one more sub-domain.
  So, say currently the subdomains present are,
  1.abc.com
  2.abc.com
  so on...
  and now we are trying to install a SSL certificate having one more subdomain say 10.abc.com.
  Please let us know if you have solution to this problem.
  Thanks,
  Rajesh

  Hi Rajesh,
  That error is most commonly seen when you are trying to install a certificate chain into the Web Server.
  The chain should be installed using the "Certificate Authorities" tab per the following steps:
  1) Login to the Admin Console.
  2) Click Edit Configuration from Common Tasks > Configuration Tasks.
  3) Click the Certificates > Certificate Authorities tab from the Configurations page.
  4) Click the Install... tab from the Certificate Authorities (CAs) page.
  An Install CA Certificate Wizard opens. The wizard guides you through the settings available for installing a Certificate Chain. Select Certificate Chain when prompted for Certificate Type.
  You should then see the CA and intermediate certificate(s) listed in the security database.
  If you have access to MOS, more details can be found in the MOS KM Note:
     Oracle iPlanet Web Server - 'ADMIN4118: Only one server certificate can be installed at a time' When Installing Certificate Chain (Doc ID 1925025.1)
  regards
  Tracey

• Unable to reinstall SSL Certificate

  Hi I am getting the following message when i am trying to setup another virtual server with the same SSL ceritificate that i have installed on currently running virtual server.
  No private key
  The server could not find the private key associated with the certificate
  How do i add private key without requesting for a new SSL certificate?
  kishore

  You shouldn't see this error message when creating a new virtual server. Are you sure you aren't creating a new server instance? Server instances are different from virtual servers.
  If you are creating a new server instance, consider creating a new virtual server instead; virtual servers consume fewer system resources than server instances. Further, it's simpler to share certificates between virtual servers than it is to share certificates between server instances. The server instance and virtual server concepts are explained in the Administrator's Guide.
  If you've decided you do need a new server instance, you can manually copy an existing server instance's trust database over to the new server instance. The existing trust database consists of 2 files named <server_id>-<hostname>-cert?.db and <server_id>-<hostname>-key?.db, where <server_id> is the server ID of the instance and <hostname> is the hostname of the machine. These files are stored in the alias subdirectory. To copy the trust database to a new instance, simply create a copy of these two files, changing <server_id> to the server ID of the new instance.

• SAP Web Dispatcher Configuration (SSL, certificates)

  Hi all,
  We're trying to configure the SAP Web Dispatcher for the use of SSL (terminated) and client authentication using x.509 certificates. All works (almost)fine. However, there's some strange behavior that I can not explain.
  The following access point have been specified in the profile:
  Description of the Access Points
  icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
  icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
  icm/HTTPS/verify_client = 2
  Basicly we only need users to access the web dispatcher using SSL. However, when I remove the line: icm/server_port_2 = PROT=HTTP, PORT=83, TIMEOUT=15
  The Web Dispatcher returns an error upon accessing it using HTTPS:
  Dispatching Error
  Error: -26
  Version: 6040
  Component: HTTP_ROUTE
  Date/Time: Tue Mar 14 07:19:38 2006 
  Module: http_route.c
  Line: 2383
  Server: sapvm1_DVS_26
  Detail: no valid destination server available for '!ALL' rc=13
  Any help would be highly appreciated. Thanks!
  Frodo

  Hi KS,
  Maybe you were right afterall I found a nice How to on the servce.sap.com (https://websmp203.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000073632&_SCENARIO=01100035870000000202) and it seems you do have to add the HTTP server_port parameter in case SSL is being terminated (no re-encryption).
  icm/server_port_0 = PROT=HTTPS, PORT=443, TIMEOUT=15
  icm/server_port_1 = PROT=HTTP, PORT=0, TIMEOUT=15
  However, the trick is to set the port to zero (0), that way you can still only access the Web Dispatcher via HTTPS.
  All is working now.
  Frodo

• Unable to set (ssl) certificate on a SQL Server 2012 clustered instance

  Hello everyone!
  I'm trying to encrypt the SQL Server communication with SSL but I can't add the certificate in the configuration manager. I've found and tried a lot of different explaination but none of them worked. I'll described what I've done and hope someone will point
  out what I'm missing.
  Here is my situation:
  - SQL Server 2012 Enterprise Edition. Instance name = INSTANCE, FQDN =  SQINSTANCE.mydomain.com. The instance is running under a customized service account: mydomain\sql_sa
  - Two cluster nodes running Win Server 2008R2: NODE1.mydomain.com and NODE2.mydomain.com. Cluster itself is CLUSTER.mydomain.com
  What I've done:
  1) Asked the team in charge to generate a certificate issued to "SQINSTANCE.mydomain.com" with aliases to "NODE1.mydomain.com", "NODE2.mydomain.com" and "CLUSTER.mydomain.com". I get a certificate with "p7b"
  as extension
  2) Connect on "NODE2.mydomain.com" with account "mydomain\sql_sa". Opened MMC and added the certificate under "Personnal" folder. I tried to add it with "Current user" and "Local computer" settings. Saw both
  on internet since I use a specific service account
  3) Get the thumbprint of the certificate and add it under HKLM\Software\Microsoft\Microsoft SQL Server\MSSQL11.INSTANCE\MSSQLServer\SuperSocketNetLib\Certificate. (I triple checked to remove blanks or special characters)
  4) Reboot the node
  5) Open the SQL Server Configuration Manager, go to the network properties. Certificate does not appear in the list
  I tried to check with certutil and saw the certificate in the output. Some guys talked about some private key but I don't see this particularity in my situation. I tried to check if the certificate is valid and, according to the criterias, it is.
  Does anyone can help me with this?

  Hi,
  Are you sure you've got the certificate correct?  http://msdn.microsoft.com/en-us/library/ms191192.aspx
  To use encryption with a failover cluster, you must install the server certificate with the fully qualified DNS name of the virtual server
  on all nodes in the failover cluster. For example, if you have a two-node cluster, with nodes named test1.<your
  company>.com and test2.<your
  company>.com, and you have a virtual server named virtsql, you need to install a certificate for virtsql.<your
  company>.com on both nodes. You can set the value of the ForceEncryptionoption
  toYes
  In your case, shouldn't it be created for CLUSTER.mydomain.com?
  Thanks, Andrew
  My blog...

• How to configure SSL certificates on weblogic 10.3.5?

  Hi everybody,
  i' ve got 2 certificates: Server and Intermediate CA. I used java keytool command to import these two certificates into new keystore:
  keytool -import -v -alias server_cert -file certificate.pem -keystore keystore.jks
  keytool -import -v -alias intermediate_ca -file intermediate.pem -keystore keystore.jks
  Then as weblogic 10.3.5 documentation says i need to use ImportPrivateKey utility in order to import private key into keystore, so i use this command:
  java utils.ImportPrivateKey -keystore private.jks -storepass password -keyfile mykey -keyfilepass password -keyfile private.pem -alias private
  and get the following error:
  Exception in thread "main" java.lang.NoClassDefFoundError: utils.ImportPrivateKey
  at gnu.java.lang.MainThread.run(libgcj.so.7rh)
  Caused by: java.lang.ClassNotFoundException: utils.ImportPrivateKey not found in gnu.gcj.runtime.SystemClassLoader{urls=[file:./], parent=gnu.gcj.runtime.ExtensionClassLoader{urls=[], parent=null}}
  at java.net.URLClassLoader.findClass(libgcj.so.7rh)
  at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
  at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
  at gnu.java.lang.MainThread.run(libgcj.so.7rh)
  Any ideas? Thanks.
  Regards,
  Karolis M.

  Hello,
  Weblogic has two keystores : identity (if you are doing 2 ways SSL) and trust. you should import your "external" certificate in the "trust" key store.
  look at your server config to know your config : Home >Summary of Servers >AdminServer-->configuration-->keystore
  I suggest that you change the default configuration (not using the demo one),
  then when you know where is yo key store use the command line to add your certificate to trusted store (this is a example) :
  opt/weblogic10_3_3/jdk160_18/jre/bin/keytool -import -noprompt -trustcacerts -alias BLCCertificateAuthority -file cacert2035.pem -keystore /opt/weblogic10_3_3/jdk160_18/jre/lib/security/cacerts
  once your certificated is added to your trust store it should work.
  I hope it will help.

• How to install a SSL certificate on Azure?

  Hi,
  I am trying to install an SSL cert on my Azure instance. I followed this tutorial: http://www.windowsazure.com/en-us/documentation/articles/cloud-services-configure-ssl-certificate/
  However, when I deploy the package on to the staging instance it does not start up. And we can't retrieve detailed bug, and can't connect remotely to that instance.
  I am not sure what else can be done? Please help?

  hi,
  Did you upload cert into staging environment? How did you set the Https endpoint on your service definition file ?Did you try to change http to https to access cloud service? I suggest you could try to use https to visit your cloudservice firstly. If it
  doesn't work, please check your endpoints setting in your project.
  >>And we can't retrieve detailed bug, and can't connect remotely to that instance.
  Did you enable the Remote desktop? You could enable the remote desktop on your deployment (http://msdn.microsoft.com/en-us/library/windowsazure/gg443832.aspx ). Any latest info,
  please let me know.
  Hope this helps.
  Will
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Creating SSL certificate and configuring it with JBOSS 4.0.1

  I have to post some data to a secured site from my application.
  For this, I am creating connection to that site using URLConnection and to send data I create OutputStream using the connection.
  But, while creating the stream it is showing SSLException and message is No trusted certificate found.
  For this, I need to create SSL certificate (mostly using keytool command) and configure it with my application server which is JBOSS 4.0.1
  Now, my problem is that I don't know the exact steps to create a certificate and configure it with JBOSS. Please provide the steps in detail.

  I think you have this back to front. Unless this exception came from the server, in which case it is misconfigured, you don't have to create a certificate, you have to import the server's certificate, or that of one of its signers, into the client's truststore, and tell Java where the truststore is if it's in a non-standard location.
  See http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html. You'll have to ask about the JBoss part in a JBoss forum.

• Problem to configure Blink Pro (App). Error SSL certificate verification error (PJSIP_TLS_ECERTVERIF) (503)

  Problem to configure Blink Pro (App). Error SSL certificate verification error (PJSIP_TLS_ECERTVERIF) (503)

  Hi, William
  My question is if you can help me and support me to configure the Blink Pro App, I have a Mac Book Air, OS X 10.9.1.
  hope for your answer

• Can't find SSL certificate in SQL server configuration manager?

  Hi 
  It's been 2 days and I need a help. I have visited a number of sites and I still can't make it work
  Two severs I have: Windows 2012 Standard with SQL 2008 R2 and SQL 2012 
  I am trying to set it up on SQL 2008 R2 right now. 
  I have a certificate from a CA and did the followings.
  1. Open MMC
  2. Add Certificates Snap-in as a computer account (In fact, I tried all the three accounts)
  3. Right click-on Personal folder and All taks and Import 
  4. Installed the certificate with Certificate import Wizard
  5. The certificate shows up under Personal/Certificates and Trusted Root Certification Authorities/Certificates
  I did this with a local administrator account as well as MSSQL account(SQL Server service account I created). Even though the server is part of domain, SQL server is set up with local accounts. 
  This is a simply summary. I tried everything in the article such as 'Create Custom Request'. 
  I am not sure what I am missing. Why can't I see the certificate in SQL Server configuration manager? 
  I even made MSSQL (service account) as administrator. Not working.  
  as I am not using the domain service account, I believe below is not relevant. 
  Missing detail on "Install a certificate in the Windows certificate store..."
  When following recommended security procedures and running SQL server under a domain service account, the service will fail to start after assigning a certificate to the protocols.  This is because the service account does not have permissions to read
  the private key.  Fix this in the Certificates MMC snap-in (preferably right after installing the certificate.)  Select the certificate you just imported, then in the Action menu select "Manage private keys."  Grant the domain service
  account read access to the private key of the server certificate.
  Below is the few of reference I looked at.. 
  https://support.microsoft.com/en-us/kb/316898/
  https://msdn.microsoft.com/en-us/library/ms191192(d=printer).aspx
  https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
  http://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-
  http://blogs.msdn.com/b/sqlserverfaq/archive/2010/05/28/inf-permissions-required-for-sql-server-service-account-to-use-ssl-certificate.aspx

  Hi Dinesh 
  Thanks for the reply. 
  I did looked into the both sites as well. but it did not work. 
  Below is the step to install SQLs server certificate. and I was stuck with Step 9. when click 'next' in the wizard, I am not getting into a place to select 'computer' as certificate type. 
  Do you know what is wrong please? 
  Open the Microsoft Management Console (MMC): click Start, then click Run and in the Run dialog box type: MMC
  On the File menu, click Add/Remove Snap-in...
  Select Certificates, click Add.
  You are prompted to open the snap-in for your user account, the service account, or the computer account. Select the Computer Account.
  Select Local computer, and then click Finish.
  Click OK in the Add/Remove Snap-in dialog box.
  Click to select the Personal folder in the left-hand pane.
  Right-click in the right-hand pane, point to All Tasks, and then click Request New Certificate...
  Click Next in the Certificate Request Wizard dialog box. Select certificate type 'Computer'.
  You can enter a friendly name in text box if you want or leave it blank, then complete the wizard.
  Now you should see the certificate in the folder with the fully qualified computer domain name

• VPN: Configuration loses SSL certificate

  Hi there,
  *The challenge.*
  I'd like to conncet to our VPN netzwork with my MacBook Pro.
  In my network configuration I choose my SSL certificate.
  *The problem*
  Each time i try to connect, i get stucked at the "identification" (Normaly i should get this "trust certificate dialog".
  Having again a look into my network configuration the SSL certificate isnt select anymore.
  *Please help!*
  +// The SSL certificate passes severals tests on my windows-machine.+
  Please help.

  Not enough information, such as what VPN software you are using. For VPN issues, it almost always ends up that resolving the issue involves consulting with whomever manages the VPN.

• Configure OWA to require a client ssl certificate only for external connection

  Hello.
  At now i migrated OWA client from Exchange 2003 to Exchange 2010 and faced with a problem.
  I want to then external client (somebody like user from home PC) connect to Outlook Web App, client certificate will be required.
  But then client connect (somebody from work PC) to internal Outlook Web App Url, Integrate Windows Auth will be used and client ssl certificate not required.
  Is it possible? Or i need to enable Outlook Anywhere?

  Hi,
  Base on my konwledge, I don't think it is possible.
  When you install Exchange 2003, only one Default Web Site in Internet Information Services (IIS). if you change the authentication method and enable SSL on OWA, client ssl certificate always be required whether it's external or internal.
  I recommend you refer to the following articles:
  http://www.msexchange.org/articles-tutorials/exchange-server-2003/mobility-client-access/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
  http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft.
  Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Thanks.
  Niko Cheng
  TechNet Community Support

• Exchange 2010: How to renew an SSL certificate?

  Hi all.  I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd party CA for Exchange 2010.  I really don't want to mess this one up by cobbling together partial answers
  from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out. 
  This is a standard GoDaddy 5-domain UCC certificate.  There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet).  The existing certificate expires in a month or so. 
  I have some specific questions but perhaps these would be answered via what I hope will be a step by step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions just that so far no single forum post nor MS TechNet article
  has addressed all my concerns, or in some cases information conflicts.  So my concerns for example are:  can you do a renewal for a certificate before the old one expires?  It is actually a renewal, or are you adding a 2nd certificate? 
  Do you have to do anything in IIS or does EMC or EMS do all that for you? 
  Thank you. 

  -->Can you do a renewal for a certificate before the old one expires? 
  Yes. Normally 3rd party CA allows you to renew certificate before the current one expires.
  -->It is actually a renewal, or are you adding a 2nd certificate? 
  You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed step of Godaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
  -->Do you have to do anything in IIS or does EMC or EMS do all that for you? 
  You will have to do it from MMC or EMS. No need to do anything from IIS.
  Follow the steps below to make your work easy or follow the video in this site site.http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
  1. Run this command from EMS to generate CSR. You can see the CSR named "newcsr.txt" in C:\CSR
  folder
  Set-Content -path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellavue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
  2. Renew the certificate from Godaddy (from Godaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from Godaddy after renewal.
  3. Open Exchange MMC. Go to Server configuration. Right click on the pending request.  Click on complete pending request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
  4. Assign services using the steps in the below site. Make sure you have selected the new certificate. You will see the thumbprint just before completion http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
  5.Delete the old one certificate from MMC.
  From EMS use this command 
  Remove-ExchangeCertificate -Thumbprint <old cert thumprint>
  You can see the the certificate thumprints using Get-ExchangeCertificate command
  MAS. Please dont forget to mark as answer if it helped.

• File Adapter FTP SSL SSL Certificate Exception

  After reviewing the results of searching on this error, I do not find anything that fits my situation:
  SAP File Adapter (PI 7.1) using FTP with FTPS connection security.
  I am not using X.509 certificate for client authentication.
  My connection is using a non-public certificate.
  I have added the SSL certificate to TrustedCAs and DEFAULT keystores.
  I am getting the following error:
  Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error when getting an FTP connection from connection pool: com.sap.aii.af.lib.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
  Since I am using an non-public certificate, it will not validate. Even adding to the TrustedCAs and DEFAULT keystore it seems the configuration is still attempting to validate the certificate.
  Any recommendations?

  Hi,
  The main reasons for this error are:
  1. The correct server certificate could not be present in the TrustedCA
  keystore view of NWA. Please ensure you have done all the steps
  described in these two URLs:
  Security Configuration at Message Level
  http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe1000000
  0a1550b0/frameset.htm
  2. The server certificate chain contains expired certificate. Check for
  it (that was the cause for other customers as well) and if it's the case
  renew it or extend the validation.
  3. Some other people have reported similar problem and mainly the
  problem was that the certificate chain was not in correct
  order. Basically the server certificate chain should be in order
  Own->Intermedite->Root. To explain in detail, if your server certificate
  is A which is issued by an intermediate CA B and then B's certificate is
  issued by the C which is the root CA (having a self signed certificate).
  Then your certificate chain contains 3 elements A->B->C. So you need to
  have the right order of certificate in the chain. If the order is B
  first followed by A followed by C, then the IAIK library used by PI
  cannot verify the server as trusted. Please generate the certificate in
  the right order and then import this certificate in the TrustedCA
  keystore view and try again. Please take this third steps as the
  principal one.
  Hope it solves your querie.
  Regards,
  Caio Cagnani