Using SSL with client auth from a JNLP-launched app

We have an application that is launched by JNLP, and which needs to make a mutually authenticated SSL connection to a server. The client cert and trusted certs that it needs to do this are stored in the Sun\Java\Deployment\security directory where JNLP knows to look for them. And Java WebStart itself seems to be able to use these certs just fine. However, our app seems blithely unaware of the location of the keystore/truststore unless we explicitly set the system properties javax.net.ssl.keystore and truststore. But we don't want to do that (it could be different for different users), and we shouldn't have to do that. So the question is, how can we use the same KeyManager/TrustManager that Java WebStart itself is using? Are they somehow available for the JNLP-launched app to use?
Failing that, is there a way for a JNLP-launched app to query the deployment properties? There are a bunch of properties to direct the behavior of Java WebStart (see [http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/properties.html]), such as deployment.user.security.trusted.cacerts. These don't seem to be System properties. Can the app see them, or are they "private" to Java WebStart itself?
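One way to sidestep the javax.net.ssl.* system properties entirely is to build the SSLContext from explicit KeyManager/TrustManager objects loaded from per-user store files. The example below is added here and is not code from the original post; the store file names, passwords, the user.home-relative directory and the server URL are assumptions to be replaced. It also checks that the key store actually holds a private-key entry, since a store with only a certificate makes the client answer a CertificateRequest with an empty certificate list.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a mutual-TLS SSLContext from explicit stores instead of javax.net.ssl.* system properties. */
public final class MutualTlsContext {

    private static KeyStore load(Path path, char[] password) throws IOException, GeneralSecurityException {
        // The store type must match the file format (JKS vs PKCS12); the JRE default is used here.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** True if the key store holds at least one private-key entry; a trusted certificate alone is not enough. */
    static boolean hasClientIdentity(KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            if (ks.isKeyEntry(aliases.nextElement())) {
                return true;
            }
        }
        return false;
    }

    public static SSLContext build(Path keyStorePath, char[] keyStorePassword,
                                   Path trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore keyStore = load(keyStorePath, keyStorePassword);
        if (!hasClientIdentity(keyStore)) {
            // Without a private key the handshake fails on the server side with
            // "peer did not return a certificate"; fail early with a clear message instead.
            throw new GeneralSecurityException("no private key entry in " + keyStorePath);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustStorePassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed per-user locations (not from the original post): a deployment security
        // directory under the user's home; adjust file names and passwords for your environment.
        Path dir = Paths.get(System.getProperty("user.home"), ".java", "deployment", "security");
        SSLContext ctx = build(dir.resolve("client.p12"), "changeit".toCharArray(),
                               dir.resolve("trusted.cacerts"), "changeit".toCharArray());
        // Use the context for this connection only; the JRE-wide default stays untouched.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://server.example/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```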

Hi:
See also the Shine enterprise pattern.
I have worked with it and it helps me and results speed up.
It has a class which is named "code" and does encryption and ... by md5. It is incredibly secure! Try it.
You can download it via the links below:
http://groups.google.com/group/j2sos.
http://sourceforge.net/projects/shine-enterpris/
It also has documentation.

Similar Messages

  • WS security, SSL and client auth

    Hello all,
    I need to secure a web service using SSL with client auth (the client has a certificate issued by the web service provider which he can use to access it... I suppose).
    Being a newbie I have no idea what the options are and how to implement them.
    If good tutorials are available on the subject it would be nice.
    I also had another question: with a web service, what guarantee do i have that the client has consumed the web service and received the information he wants etc., it is critical for me to know that everything went ok...
    Cheers

    Hi
    One of the best books I found that covers security is located at:
    http://www.lulu.com/content/214643
    You will, or get your company to :), buy it (it's not expensive). It covers axis1.3; note that axis2 is out, but since you're just starting with web services this will be a very good start on many of the concepts and how to implement them.
    Should you decide to use Axis give its documentation and many tutorials a look; the main site is: http://ws.apache.org/axis2/
    Re: getting a guarantee, I might be wrong, but I do not see how this can be done with services and to be honest with any other type of application (especially the "received the information he wants" bit). The only way I can think of to do this is to include it as part of the SOP (standard operating procedure) for specific functionality in your application. The "it" would be an additional step that the user needs to do e.g. click an "accept" button that kicks off another "request" to the web service indicating that the initial request satisfied the user's query - logically this request will need to contain some type of identifier that will enable you to map it to a previous request.

  • Configuring SquirrelMail to use SSL with SMTP

    I ran the conf.pl script to have SquirrelMail access my IMAP server via SSL, and everything works.
    I then tried to use SSL with SMTP as well but when I used SquirrelMail to send mail, I got an error saying "Can't open SMTP stream". What is the correct setting to tell conf.pl to use?
    I had secure SMTP enabled and chose CRAM-MD5 for the authentication method.
    I actually have my web server and smtp server on the same machine, so this is more of a hypothetical question. In the end I turned off secure SMTP and set authentication back to none.
    Ben

    I don't have access to logs right now, but to answer your other question, SSL works fine when sending from Mail.
    But with Mail, I supply the username and password; which user does SquirrelMail use to send?

  • Any Problems using SSL with Safari and the move with Internet explorer to require only TLS encryption.

    Any Problems using SSL with Safari and the move with Internet explorer to require only TLS encryption.

    Hi.
    Apple no longer supports Safari for Windows if that's what you are asking > Apple apparently kills Windows PC support in Safari 6.0
    Microsoft has not written IE for Safari for many years.

  • HTTPS with client auth

    Hello, I am working on a scenario to implement Client Authentication with HTTPS. I got to a blog where the steps for implementing HTTPS with Client auth on an XI system are mentioned; in order to test it I would also require a webservice client that works for this purpose. I got to the SAP SOAP client, but what's the way to generate the certificate request so that I can send it to a CA and get it signed? Any ideas please?

    Hi together,
    I have the same problem. Is anybody out there who could give us some hints?
    Many thanks
    alex schramm

  • I am from argentina and i want to buy an iPhone 5s, but in my country i can only use it if the phone is unlocked , i want to know if i buy one of t mobile with no contract and i travel to mi country ( internationaly) i can use it with a sim from argentina

    I am from Argentina and I want to buy an iPhone 5s, but in my country I can only use it if the phone is unlocked. I want to know if I buy one from T-Mobile with no contract and I travel to my country (internationally), can I use it with a SIM from Argentina?

    You should go onto the T-Mobile web site and look around. Very soon a pop-up window will ask you if you want to chat. You can try asking for someone who knows Spanish (if you prefer); they might have someone available who can chat with you in Spanish.
    I give this suggestion because I remember on the T-Mobile website you can order online, but they let you choose to pay only a little money up front, then pay off the rest over 24 months, or you can choose to pay for it in full. However, their ordering process does not say whether the paid-in-full phone is going to be unlocked or not.
    It may not be. You may have to make a request and say that since you have paid in full please unlock. I am not so sure that a paid-in-full phone is automatically sold in an unlocked state.
    This is why I suggest you talk to T-Mobile to get a definite answer.
    Unless someone else on this forum knows for sure? Hope someone else jumps in to answer. But the best way is to ask for yourself directly from T-Mobile.

  • Problem: client auth from JSSE client with OpenSSL server

    I tried to connect a JSSE client with an OpenSSL server, with clientAuth.
    This is what I did:
    Using the openssl req command I created an X509 certificate for the server and imported the same into the Java keystore.
    The communication works fine without client authentication.
    To enable client auth I created a client private/public key pair using keytool and exported the public key to a file client.public, and used it in the OpenSSL server.
    This is how I invoke the client:
    java
    -Djavax.net.debug=all
    -Djavax.net.ssl.trustStore=cacerts
    -Djavax.net.ssl.trustStorePassword=changeit
    -Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
    After which I get the following error on the server:
    SSL3 alert write:fatal:handshake failure
    SSL_accept:error in SSLv3 read client certificate B
    SSL_accept:error in SSLv3 read client certificate B
    ERROR
    17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
    shutting down SSL
    CONNECTION CLOSED
    The client debug says it is receiving a certificate request. What could be the problem? Can anybody help?

    I also have that problem. I was trying to configure SSL in Apache on a Win XP machine, but this error occurs. Is there anyone who can help with it?

  • How to invalidate the client part of a HTTPS Session with client auth

    Hi to everybody here,
    I'm having an issue with HTTPS and client authentication related to how the SSL handshake works and the behavior of the client browser. I hope you can help.
    I'm setting up a web application that asks for a valid session in order to allow access to the application. If the user has no valid session, he's redirected to the login form, and if the auth process is ok, the user gets a session and is redirected again to the secured pages.
    We are on the way to creating a new login service with client certificates, so the user identifies himself with a certificate valid on the application server.
    We have an application server with a secure listener on port 8443. It's configured to request client certificates so we can access the certificate, validate it and create a session for the user automatically. The user just types his PIN code in the browser, no passwords at all. This process is working and sessions are created. The problem comes up when we are trying to log the user out.
    We invalidate the session using a logout.jsp, but if the user goes to the secured pages again, we have observed that the authentication takes place automatically and the user can see the secured pages, so he thinks the logout.jsp doesn't work.
    My questions are: can we delete or modify the client browser's SSL part in order to reset the HTTPS connection established against our application server? Are there any other ways to avoid this behavior?
    Thanks in advance.
    Miss.

    An end user presents a certificate from a CAC for authentication to our website.
    They pick the cert off the inserted CAC and submit it, and get logged into the application successfully.
    The user removes the card from the reader and the SSO session times out.
    In the same browser the user clicks log in with CAC and is not prompted for the cert; this time the browser just goes ahead and presents the cached cert even though the card is no longer in the reader. The user logs in successfully.
    The desired behavior would obviously be to prompt the user for a cert again.
    I am wondering how to turn this off as well.

  • Problem using SSL with JMX

    Hi,
    I am trying to implement SSL with JMX. I took the example of Luis Miguel Alventosa to see how it works. I imported all the classes and the password and access properties files. I am able to start the MyApp server in the example. But when I am trying to run MyClient, it is giving me the following exception:
    Initialize the environment map
    Create an RMI connector client and connect it to the RMI connector server
    Exception in thread "main" java.rmi.ConnectIOException: Exception creating connection to: <IP>; nested exception is:
         java.net.SocketException: Default SSL context init failed: null
         at sun.rmi.transport.tcp.TCPEndpoint.newSocket(Unknown Source)
         at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
         at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
         at sun.rmi.server.UnicastRef.newCall(Unknown Source)
         at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
         at com.example.MyClient.main(MyClient.java:30)
    Caused by: java.net.SocketException: Default SSL context init failed: null
         at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
         at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(Unknown Source)
         ... 6 more
    Here is the MyApp code I used
    package com.example;
    import java.lang.management.*;
    import java.rmi.registry.*;
    import java.util.*;
    import javax.management.*;
    import javax.management.remote.*;
    import javax.management.remote.rmi.*;
    import javax.rmi.ssl.*;
    public class MyApp {
        public static void main(String[] args) throws Exception {
            // Ensure cryptographically strong random number generator used
            // to choose the object number - see java.rmi.server.ObjID
            System.setProperty("java.rmi.server.randomIDs", "true");
            // Start a secure RMI registry on port 3000.
            System.out.println("Create a secure RMI registry on port 3000");
            SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
            // Third argument: require client authentication on the SSL socket.
            SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);
            Registry registry = LocateRegistry.createRegistry(3000, csf, ssf);
            // Retrieve the PlatformMBeanServer.
            System.out.println("Get the platform's MBean server");
            MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
            // Environment map.
            System.out.println("Initialize the environment map");
            Map<String,Object> env = new HashMap<String,Object>();
            // Provide the password file used by the connector server to
            // perform user authentication. The password file is a properties
            // based text file specifying username/password pairs.
            env.put("jmx.remote.x.password.file", "password.properties");
            // Provide the access level file used by the connector server to
            // perform user authorization. The access level file is a properties
            // based text file specifying username/access level pairs where
            // access level is either "readonly" or "readwrite" access to the
            // MBeanServer operations.
            env.put("jmx.remote.x.access.file", "access.properties");
            // Create and start an RMI connector server.
            // As specified in the JMXServiceURL the RMIServer stub will be
            // registered in the RMI registry running in the local host on
            // port 3000 with the name "jmxrmi". This is the same name the
            // out-of-the-box management agent uses to register the RMIServer
            // stub too.
            // JMXServiceURL = "service:jmx:rmi:///jndi/rmi://:3000/jmxrmi"
            System.out.println("Create and start an RMI connector server");
            JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://");
            RMIJRMPServerImpl server = new RMIJRMPServerImpl(3000, csf, ssf, env);
            RMIConnectorServer cs = new RMIConnectorServer(url, env, server, mbs);
            cs.start();
            registry.bind("jmxrmi", server);
            System.out.println("Waiting for incoming connections...");
        }
    }
    Here is the MyClient
    package com.example;
    import java.rmi.registry.*;
    import java.util.*;
    import javax.management.*;
    import javax.management.remote.rmi.*;
    import javax.rmi.ssl.SslRMIClientSocketFactory;
    public class MyClient {
        public static void main(String[] args) throws Exception {
            // Environment map
            System.out.println("\nInitialize the environment map");
            Map<String,Object> env = new HashMap<String,Object>();
            // Provide the credentials required by the server to successfully
            // perform user authentication
            String[] credentials = new String[] { "username" , "password" };
            env.put("jmx.remote.credentials", credentials);
            // Create an RMI connector client and
            // connect it to the RMI connector server
            System.out.println("\nCreate an RMI connector client and " +
                    "connect it to the RMI connector server");
            SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
            Registry registry = LocateRegistry.getRegistry(null, 3000, csf);
            RMIServer stub = (RMIServer) registry.lookup("jmxrmi");
            RMIConnector jmxc = new RMIConnector(stub, env);
            jmxc.connect(env);
            // Get an MBeanServerConnection
            System.out.println("\nGet an MBeanServerConnection");
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
            // Get domains from MBeanServer
            System.out.println("\nDomains:");
            String[] domains = mbsc.getDomains();
            for (int i = 0; i < domains.length; i++) {
                // Print each domain name (indexing the array, not the array reference)
                System.out.println("\tDomain[" + i + "] = " + domains[i]);
            }
            // Get MBean count
            System.out.println("\nMBean count = " + mbsc.getMBeanCount());
            // Close MBeanServer connection
            System.out.println("\nClose the connection to the server");
            jmxc.close();
            System.out.println("\nBye! Bye!");
        }
    }
    Here is the password.properties
    monitorRole mrpasswd
    controlRole crpasswd
    and access.properties
    monitorRole readonly
    controlRole readwrite
    I used the following JVM parameters to run the apps
    -Djavax.net.ssl.keyStore=.keystore -Djavax.net.ssl.keyStorePassword=keypass -Djavax.net.ssl.trustStore=proxytruststore -Djavax.net.ssl.trustStorePassword=trustpass
    I really don't know where I am making the mistake. Can anyone please give any idea? For security I didn't disclose the IP of my machine in the error; instead I replaced it with <IP>.

    Hi,
    I assume you did create a keystore and truststore, right?
    Could you verify that the paths to these files you give in your Java options
    are correct?
    You could also try to activate debug traces - in particular security traces - see
    at the end of this blog:
    http://blogs.sun.com/jmxetc/entry/troubleshooting_connection_problems_in_jconsole
    This may help you diagnose what is going wrong.
    Hope this helps,
    -- daniel
    JMX, SNMP, Java, etc...
    http://blogs.sun.com/jmxetc

  • Does XI support FTP over SSL with Command AUTH TLS??

    Hi All,
    Can we change the command AUTH TLS to AUTH SSL in the Command Order of the receiver FTP adapter when you select FTPS (FTP using SSL/TLS) for Control and Data Connection?
    We are able to transfer business documents to the bank's FTP server (following RFC 2228 standards) using WS FTP Pro (I think it follows RFC 959 and 1123 standards), which uses AUTH SSL in the command order.
    We did go through SAP note 821267 (FAQ for XI 3.0 / PI 7.0 File Adapter); question number 33 addresses the "AUTH TLS" command. But we are not getting the same error. We get a different one, as in this forum:
    Re: Error: Message processing failed: FTPEx: PBSZ=0
    Can someone please confirm if this is the issue with the FTP RFC standards? Or can we customize the FTPS adapter to send the AUTH SSL command?
    Thank you,
    Indrasena Janga

    Dear Andy,
    I am also looking for the same information.
    Could you please share with us, if you have got anything related....
    Hi Experts,
    Please share your experience with us if you have any....
    Regards,
    Srinivas

  • How to make call to Sender Soap Adapter using HTTPS with Client Aut

    Hello everyone, I have spent some time trying to get this to work. We downloaded a trial certificate from SAP and installed it on our machine and I created a webservice that works great. I tested the HTTPS without client authentication and it works great; as soon as I change it to use Client Authentication I can't get it to go through. I am using SOAPSonar to test the certificates. To get the certificate I called the URL with Firefox then saved the certificate in my trust store; from there I import it to SOAPSonar as a signed certificate, but I am getting the error <Exception>Object contains only the public half of a key pair. A private key must also be provided.</Exception> I assume I am doing something way wrong. Is there a way to get the certificate with both public and private key pair, or a way to test this that I can't seem to find in documentation or blogs?
    I def award points
    Cheers
    Devlin

    Hi
    I think this link is useful to you
    http://www.sapag.co.in/SAP-XI-SOAP-Adapter-FAQ'S.html
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/40611dd6-e66e-2910-f383-e80fb44f9cd4
    Thanks
    Santosh

  • Any compatibility issues using MacBook with client's A/V setups geared towards PCs?

    I travel giving PowerPoint seminars to US companies. I bring my PC laptop and plug into their projector. I'm considering switching from my 12" ThinkPad to the MacBook Air 13". Given that every one of my clients for the past 13 years has used PC machines, will I encounter any compatibility problems with clients' PC A/V setups?

    Ok, I solved the problem. Thanks to those who at least thought about replying.
    For those having the same issue: I found the problem lies in the "hot plug detect" feature of DVI. What I did is I just cut the hot plug pin (see wikipedia:dvi) off the DVI adaptor, isn't it clever? Hah, I wouldn't call it "plug 'n play", but at least it works. Then I connect the DVI to the G2400W and set the monitor to "HDMI in", then detect displays from display settings; it'll detect it, and then I simply set the monitor to DVI in.

  • Search Results web part - Custom Query using "Value with a parameter from URL" inconsistent

    I have encountered what I think may be a bug, but I am hoping that there is something that I am missing.
    Within my search site, I have created a new search results page where I want to customize the "Search Results" web part query. I can add in any number of property and keyword filters (using the "Build Your Query" dialog) without issue... until I add a filter that uses the QueryString property (the builder dialog calls this "Value with a parameter from URL").
    If I use {QueryString.MyParameterX} for filtering, it works beautifully in the query builder dialog. I see the expected results in the search results preview pane, but as soon as I apply the changes things become inconsistent.
    If I close/reopen my browser and navigate to my page at http://myaddress/search/Pages/testresults.aspx?MyParameterX=test I see results. If I then refresh the page, I get a "Nothing here matches your search" message. I can then go to the same address but change one character to an uppercase character and get results. Refreshing that same page again returns "Nothing here matches your search". I can only get search results one time per uniquely cased URL without having to close/reopen my browser. This behavior was seen on both Firefox and IE.
    Finally, I found that if I instead navigate to http://myaddress/search/testresults?MyParameterX=test, it always returns results. This, unfortunately, isn't the best solution for me... but it is a solution.
    Any insight that anyone can provide is greatly appreciated!  I would really like to be able to depend on this working in all logical cases (especially since the search center of other sites is set using the path all the way down to /Pages).
    Thanks!

    Hi, have you been able to solve this issue? I'm getting the same issue and I can't solve it (the required CU is installed).
    Fabio

  • Is it possible to use SSL with LDAP, but not rest of Hyperion environment?

    Hello Experts,
    We need to encrypt the user credentials passed between LDAP and Shared Services. For this, I believe, we need to use SSL. And for that, we need to SSL-enable the Web App Server that Shared Services runs off? If we enable SSL on this, is it possible to continue using non-SSL versions of App & Web servers in the rest of the Hyperion environment? This is because SSL will cause a negative impact on performance, and we want to reduce that impact as much as possible.
    Environment:
    Shared Services 9.3.1.0.7 on WebSphere Application Server 6.0.2.11 on Windows 2003
    Planning 9.3.1.1
    Essbase 9.3.1
    HFM 9.3.1
    BI+ 9.3.1
    Please Suggest. Thanks in advance.
    Regards,
    Sonu

    Both Windows and OS X do a few things that can cause problems. They do what you say: they assume that you will connect to the same network you last connected to and try to use the same configuration; they try to skip most steps like DHCP and ARP, and it will probably work fine if it actually is the same network and no one else got the same IP; otherwise they will have to go through all the steps.
    I have seen a blog post describing the differences a while ago but now I can't find it and I don't remember how I got there; I guess that if you search long enough you might stumble upon some description of this. From what I remember, the short story is that on Linux programs go by the book and try to be good neighbors; Windows and OS X don't, and they can cause trouble just for the sake of shaving a few seconds off the time to get connected. The thing is, most of the time it works fine.

  • ACE end-to-end SSL with Client Authentication

    We have a need to perform end-to-end SSL with the ACE doing client authentication. Is there a mechanism to allow the ACE to inspect certain fields in the user certificate? All I see are checks for signature, validity, expiration, etc. Nothing that would allow me to inspect a user cert field such as "OU" and take an action based on the content of the field.
    Any ideas? Thanks
    Bob Overberg
    RABA Technologies
    SRA International, Inc.

    Thanks for the quick response. Is there another Cisco device that does have those capabilities?
    thanks.
    Bob O.
