WBL 7.0 and SSL private key problem

Similar Messages

• Private key problem

  hey folks,
  i would like to store a certificate's private key in a mysql db.
  my problem is that i don't know how to convert it back to a PrivateKey when i extract it from the db.
  i use the function Base64.encode(userPrivKey.getEncoded()); (org.bouncycastle.util.encoders.Base64; to store the private key base64 encoded in the db.
  when i extract the key from the db i can decode it with Base64.decode(). the problem is that the decode function only returns a byte array.
  so does anybody know how i can convert that byte array back to a private key?
  or is there any other (better) solution to store and retrieve private keys from a mysql db?
  many thanks
  toto

  I've been looking to do the same thing, and your code is helpful.
  If you do not want to pull in the BouncyCastle library, you can extract the RSA private key from the PKCS8 key format by parsing the DER directly. Here is some code that does it. All you need to add is the Base64 encode, and RSA begin and end flags.
  import java.util.*;
  import java.io.*;
  public class Pkcs8ToRsa {
      // rsaEncrytion is { pkcs-1 1 }
      // pkcs-1 is { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) 1 }
      private static final byte[] OID_rsaEncryption = {
          (byte)0x2a, (byte)0x86, (byte)0x48, (byte)0x86,
          (byte)0xf7, (byte)0x0d, (byte)0x01, (byte)0x01,
          (byte)0x01 };
      private static final byte[] INTEGER_v1 = { (byte)0x00 };
      private static final int TAG_INTEGER      = 0x02;
      private static final int TAG_OCTET_STRING = 0x04;
      private static final int TAG_OID          = 0x06;
      private static final int TAG_SEQUENCE     = 0x30;
      private byte[] buffer;
      private int offset;
      protected Pkcs8ToRsa(byte[] pkcs8key) {
          this.buffer = pkcs8key;
          this.offset = 0;
      public static byte[] convert(byte[] pkcs8key) {
          return (new Pkcs8ToRsa(pkcs8key)).extractPrivateKey();
      private int extractTag() {
          // Assume single octet tag
          return ((int)buffer[offset++]) & 0xff;
      private void matchTag(int tag) {
          if (extractTag() != tag) {
              throw new IllegalArgumentException("Bad input");
      private int extractLength() {
          int lengthOfLength = ((int)buffer[offset++]) & 0xff;
          if ((lengthOfLength & 0x80) == 0) {
              // Single octet
              return lengthOfLength;
          } else {
              // Multiple-octet
              lengthOfLength = lengthOfLength & 0x7f;
              int length = 0;
              for (int i = 0; i < lengthOfLength; i++) {
                  length = (length << 8) | (((int)buffer[offset++]) & 0xff);
              return length;
      private void matchLength(int length) {
          if (extractLength() != length) {
              throw new IllegalArgumentException("Bad input");
      private byte[] extractValue(int length) {
          byte[] value = new byte[length];
          System.arraycopy(buffer, offset, value, 0, length);
          offset += length;
          return value;
      private void matchValue(byte[] value) {
          for (int i = 0; i < value.length; i++) {
              if (buffer[offset+i] != value) {
  throw new IllegalArgumentException("Bad input");
  offset += value.length;
  public byte[] extractPrivateKey() {
  // Encoding should be
  // SEQUENCE {
  // version INTEGER,
  // privateKeyAlgorithm SEQUENCE {
  // id OBJECT IDENTIFIER,
  // Type OPTIONAL
  // privateKey OCTET STRING
  // attributes [0] Attributes OPTIONAL
  // We are after the contents of privateKey
  // Outer sequence
  matchTag(TAG_SEQUENCE);
  int totalLength = extractLength();
  if ((offset + totalLength) > buffer.length) {
  throw new IllegalArgumentException("Bad input");
  // Check version == v1
  matchTag(TAG_INTEGER);
  matchLength(INTEGER_v1.length);
  matchValue(INTEGER_v1);
  // Check algorithm
  matchTag(TAG_SEQUENCE);
  int algorithmLength = extractLength();
  int keyOffset = offset + algorithmLength;
  matchTag(TAG_OID);
  matchLength(OID_rsaEncryption.length);
  matchValue(OID_rsaEncryption);
  // Skip to privateKey
  offset = keyOffset;
  // Get it.
  matchTag(TAG_OCTET_STRING);
  int keyLength = extractLength();
  if ((offset + keyLength) > buffer.length) {
  throw new IllegalArgumentException("Bad input");
  return extractValue(keyLength);

• Creating a single public key and multiple private keys

  Hello,
  I am new to java cryptography. The problem statement is :-
  We have an accounting application, with flexibility of number of users and companies. The number of users and companies for this application has to be restricted based on the license the user has. That is the user will download our application via web while the user downloads he has to be given the key according to the license he has requested (i.e. single or multiple users/companies), I am unable to get the logic of private and public keys as such, y because which ever alogorithm i saw will generate a public and private key in pairs hence i am bit confused. Clearly, For ever additional user (or company) we r charging additional amount hence different license (keys) have to be generated dynamically for different users. I think this can be achived by creating one single public key and multiple private keys, but i am not sure . Please help me out.

  Hi kazim
  would u pls elaborate this , since i am working on same kind of scenario and finding solutions is difficult . Since encryption is done at our end and wen some user downloads an application he is unable to track where it was encrypted . What i have undestand about public /private is that they work in agreement between client and server and both has to come to agreement to share the data. Pls correct me if i am wrong.
  Ours is different senario we will send some key in download application and will want him to decrypt it . What would u suggest for this kind of scenario?
  Thanks in advance
  Janesh

• Exporting SSL Private Key

  In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
  Since I know of no other way to do get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this, the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?

  I believe you have to run Keychain Access as root to export the private key.
  sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access

• Reconver SSL private key?

  I have a bit of a dilemma since I tried to install an SSL certificate on my server that needs intermediate certs. Here's what I did:
  1) In Server Admin, create a new key for my domain and use that key to create a CSR to send to a certificate authority. (This creates a public key, a private key and a self-signed certificate in the system keychain on the server).
  2) Sent the CSR away and got the signed certificate back.
  3) Used Server Admin to add the signed certificate to the existing domain cert (this replaces the self-signed cert). Restart services etc.
  Here's the problem: the cert that I have needs intermediate certs installed in order to be functional- currently the certificate shows as an untrusted authority. If I delete the current certificate in Server Admin to start again from scratch, it will delete the private key that I need to reinstall. I downloaded the intermediate certificates from the CA's website, but now the certificate installed on the server can't be modified. Besides, there is no place to enter the intermediate certificates. My plan was to try to paste all the certs into the box where it asks for the new certificate, but no joy since it is now locked.
  I would like to create a new certificate (there is a place in there to install intermediate certs), but I'll need to get my private key out of Keychain Access into a pem formatted file but I can't seem to get the thing to export.
  Questions:
  1) Is there a way to export a private key from Keychain Access so that it can be used for server admin?
  2) Is there a way to get at this from the command line?
  3) Is there some other procedure that can magically fix this problem?
  Thanks,
  Miles

  Thanks,
  This is the part that I was looking for:
  Launch Keychain Access as root:
  sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access &
  I then went here http://www.gridsite.org/wiki/Convert_p12 and converted the p12 to pem so I could use it in server admin.
  Thanks again,
  Miles

• SSL private key password

  Hello everyone,
  I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
  with WLP 7.0 SP2. Everythng is fine except for that we cannot use the same
  SSL certificate. By defaul the private key is not encrypted with password
  (SSL.KeyEncrypted = false by default, according to the documentations) in
  both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script results the
  following error:
  <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
  <Inconsistent se
  curity configuration, java.lang.Exception: Cannot read private key from file
  C:\
  bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
  sure pa
  ssword specified in environment property weblogic.management.pkpassword is
  valid
  .>
  java.lang.Exception: Cannot read private key from file
  C:\bea7\user_projects\age
  ncyPortal\portal_islandinsurance_com-key.der. Make sure password specified
  in en
  vironment property weblogic.management.pkpassword is valid.
  at
  weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
  ava:434)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
  at weblogic.Server.main(Server.java:32)
  Is this happening because the private key is actually encrypted with the
  password? It was working, although the KeyEncrypted is not set to true and
  the startup script for WLS 6.1 instance did have a line
  with -Dweblogic.management.pkpassword. Or could this error be result of
  something else? The physical machine the instances are located is the same
  and IP address and the DNS entry hasn't been changed, either.
  Any insight will be greatly appreciated. Thanks!
  Makoto

  Thanks Tony - it worked!!
  "Tony" <TonyV> wrote in message news:[email protected]...
  It may be because the private key is both unprotected and in DER format.
  There are some things to try:
  1) Convert the private key file from a DER file to a PEM file and try
  that:
  a) Follow the for converting an unprotected private key at:
  http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
  b) Look at the resulting PEM file, it should look something like
  this:
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
  (Be sure there is no extra lines or whitespace after thefooter)
  >
  c) Change your configuration to point at the PEM file
  If that doesn work, then you can try protecting the key with apassword
  using
  the wlkeytool utility (It should be in the server/bin directory). The
  tool should prompt
  for a password to use to protect it:
  wlkeytool inputkey.pem outputkey.pem
  Then change your configuration to use the protected private key, andset
  the passwod to use.
  Tony
  "Makoto Suzuki" <[email protected]> wrote in message
  news:[email protected]...
  Hello everyone,
  I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0SP2
  with WLP 7.0 SP2. Everythng is fine except for that we cannot use the
  same
  SSL certificate. By defaul the private key is not encrypted withpassword
  (SSL.KeyEncrypted = false by default, according to the documentations)in
  both WLS 6.1 and WLS 7.0. But running WLS 7.0 startup script resultsthe
  following error:
  <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297>
  <Inconsistent se
  curity configuration, java.lang.Exception: Cannot read private key fromfile
  C:\
  bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make
  sure pa
  ssword specified in environment property weblogic.management.pkpassword
  is
  valid
  .>
  java.lang.Exception: Cannot read private key from file
  C:\bea7\user_projects\age
  ncyPortal\portal_islandinsurance_com-key.der. Make sure passwordspecified
  in en
  vironment property weblogic.management.pkpassword is valid.
  at
  weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.j
  ava:434)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
  atweblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
  atweblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
  at weblogic.Server.main(Server.java:32)
  Is this happening because the private key is actually encrypted with the
  password? It was working, although the KeyEncrypted is not set to true
  and
  the startup script for WLS 6.1 instance did have a line
  with -Dweblogic.management.pkpassword. Or could this error be result of
  something else? The physical machine the instances are located is thesame
  and IP address and the DNS entry hasn't been changed, either.
  Any insight will be greatly appreciated. Thanks!
  Makoto

• Import an SSL Private Key

  Hello.  Is it possible to export the Private Key from, say, my J2EE engine (I'm running a dual stack) and import it into my ABAP instance so that both systems use the same Private Key?  They both have the same host name.

  I guess its possible. Please correct me if i am wrong.
  Please keep in mind, that simply importing a certificate as a certificate response won't work in this situation, since the public key from your CA and the public key in the individual PSEs already existing on the respective servers won't match.
  following steps all the key pairs and certificates that are currently stored in the SSL Server PSEs on the target systems will be removed. If you want to keep them, you'll need to export them to a safe place.
  Step 1: import the key pair into a PSE
  Since pl.16 of SAPCRYPTOLIB, key pairs given in the format PKCS#12 can be imported into a PSE (note 745063). Since pl.24 of SAPCRYPTOLIB, also the import of key pairs given as PKCS#5, PKCS#8 or OpenSSL-PEM is supported (note 1159829).
  Step 2: import the PSE resulting from Step 1) into the system's database All PSEs that are known to transaction STRUST will be exported from the database and distributed to the application servers at system startup. The related PSE files will be overwritten. So, the PSE resulting from the key pair import in step 1) needs to be imported into the database.
  You'll need to go through a procedure similar to the one described in note 1178155, step 3.
  - Copy the PSE from step 1) to your workstation/PC
  - Start transaction STRUST
  - Doubleclick the "FILE" icon in the navigation area (left hand side)
  - Select the PSE on your workstation/PC
  - Execute the menu item "PSE --> save as..." and choose the SSL Server
  PSE as target. This will save the PSE from step 1 as SSL Server
  standard PSE.
  - The following step is a modification from note 1178155 which is
  only applicable in your special situation: right mouse button click
  on the SSL Server PSE entry in the navigation area. From the context
  menu appearing, select "Change".
  - Remove the distinguished names from all application server specific
  PSEs in the list. Pressing the green tick mark ('save') will remove
  all application server specific SSL Server PSEs, so the system is
  forced to use the SS Server standard PSE instead.
  Don't forget to restart the ICM in order to make your changes become effective.
  Regards,
  Jazz

• How to install PEM-format SSL private key from weblogic to NES

  I have unexpired PEM-format certificates in my weblogic 8.1sp4 domain. Since the architecture requires us to use Iplanet 6.0sp2 as the http/https server, we have to move the certificates to iplanet side. Is that possible ? Especially the private key ? Iplanet has key8.db format files. How do I install a PEM key in iplanet and store it in key3.db file ? Thanks !

  Hi
  I've already found code to answer my second question, but my first question still remains, is there a way that I can change a Encrypted Private Key Info for PEM to DER format??? I tried to delete the header and footer of some key in PEM format and Base64 decode the body, but It launches a Exception when I'm trying to create the EncryptedPrivateKeyInfo object.
  Thank you

• No bootable device -- insert boot disk and press any key - problem

  Hi,
  I'm running an early-2008 MacBook (13-inch) that has previously had Windows Vista and Windows 7 installed to it through Bootcamp over the years.
  A few weeks ago I did a fresh reinstall of OS X Lion (10.7.5) and decided to reinstall Windows 7 as well. I deleted all the partitions and started afresh. However, upon trying to reinstall Windows 7 I've become a wee bit stuck.
  Bootcamp works fine at first - it lets me partition the HDD without any issues (the partition is MS-DOS - FAT32), but when it reboots it gives me a message 'No bootable device -- insert boot disk and press any key' against a black screen. I've never seen this message before and it won't let me continue with the installation. I'm able to get back into OS X by pressing the option key upon reboot.
  Any idea what I'm doing wrong? As I said I've used Bootcamp several times in the past on this machine without any problems. The only difference between then and now is that my Superdrive no longer works so I'm using an external DVD drive. However, the error happens regardless of whether it's plugged in.
  Cheers,
  Matt

  jeffjefftyjeff wrote:
  The only difference between then and now is that my Superdrive no longer works so I'm using an external DVD drive. However, the error happens regardless of whether it's plugged in.
  For Macs with built-in Optical drives, it must be functional for a Windows installation/installer to work. You will also need a USB2 flash drive.
  On such Macs, the BCA sets the boot device to be the non-functional Optical drive, which is why you see a No boot device message.

• How to repair "No bootable device insert disk and press any key" problem?

  I was browsing sites using Google Chrome when all of a sudden, my laptop completely turned off. I turned the power back on only to find the error message "Intel UNDI, PXE-2.1 (build 082)" appear in white letters, followed by a bunch of other error messages, ending with, "No bootable device insert disk and press any key". Whenever I try restarting my laptop, the same error messages show up.
  I've been reading about Toshiba laptops, to try to remedy this issue, and I've learned that as of 2007, Toshiba discontinued the recovery disks that had always accompanied the laptops, and instead, allow you to totally restore your computer without the help of a disk. (The model of my laptop is Satellite L300D - 01P).
  Now, apparently to restore a Toshiba laptop, you're supposed to press the '0' key while also pressing the power button, but when I do this, there is a beeping noise (which is apparently supposed to happen), but the error messages (ending with "No bootable device insert disk and press any key") still show up. Other than the affirmative beeping noise, no changes occur.
  Anyone had this problem or have any suggestions of how to fix it?
  Thanks so much.

  >...and I've learned that as of 2007, Toshiba discontinued the recovery disks that had always accompanied the laptops, and instead, allow you to totally restore your computer without the help of a disk. (The model of my laptop is Satellite L300D - 01P).
  Have you also learned that you SHOULD create recovery DVD using preinstalled Toshiba recovery disc creator tool? When something goes wrong with HDD you can use this disc for operating system installation. This is clearly described in Users manuals document.
  Back to your problem:
  I don't know for sure but Im afraid you have some problem with HDD controller or HDD itself.
  Is HDD recognized in BIOS settings (F2 at start up)?

• No bootable device -- insert a boot disk and press any key problem

  My laptop model is L505 s59903.
  It is suddenly turn to black screen and not work,When I restart it , the screen shows "No bootable device -- insert a boot disk and press any key".
  I try to recovery the system, but it can not find the hard disk. In CMOS ,the hard disk shows "none".
  I have important data in my laptop. Is it hard disk Failure? How can I recovery my data in the hard disk?
  I try to replace other hard disk to the laptop , it is work. Then I made the failure hard disk as portable hard disk to other laptop ,it has normal sound ,but still can not be found.
  What`s problem is it?
  Can I recovery my data from hard disk ?

  It sounds to me like that hard drive has indeed failed. Please contact support at (800) 457-7777.
  - Peter

• SSL Private Key

  Hi,
  I would like to export my Portal private key, so that it can be used for network traffic capture (Wire shark).
  Can anyone point me in the direction as to where this file can be exported.
  Thanks
  Kai
  PS. Points will be awarded.....

  The Path to export the certificate is:
  On the Portal
  System administration -> system configuration -> Keystore administration -> download verify.der file
  Regards,
  Chengappa

• Help with "No bootable Device -- Insert boot disk and press any key" problem

  Alright, I am on an Early 2011 17inch macbook pro.  I have removed the superdrive to install a secondary disk drive for mass storage, then replaced the original one with an SSD blah blah blah.  I do everything from the books, run bootcamp, make my USB windows 7 bootable in Bootcamp, go through everything and allocate 65gb towards windows.  I have tried 4 different USB sticks and 3 different ISOs.  Every time I try it, I get the same "No bootable device -- insert boot disk and press any key".  I then have to hold down the power button, then restart, hold down option/alt key, and boot regularly into mac.  I also read that holding option/alt whilst starting the macbook pro will show the windows USB stick, well it never appears.  I dont know what I need to do, what I am doing wrong, but nothing is working.  I guess the last thing I have to try is buying a superdrive and burning ISO to disc then try that.  But I dont want to go out and spend more money.  Other people have gotten it to work just fine from USB, I dont know what I must do or what I am doing wrong...
  Open to suggestions and in desperate need of help.  Anything is appreciated.
  Thanks!

  Don't bump
  get a new usb2 only flash drive and try the solution posted by kunu here and report back
  https://discussions.apple.com/thread/5105056?tstart=0
  How to install Bootcamp on a 2009 Macbook Pro that does not have a disc drive

• Lion - num lock and caps lock keys problem

  Since installing lion I have to have num lock key and caps lock key turned on to type normally (otherwise I get all numbers if num lock off, or all caps if cap lock off). It's like the keys' functions have been reversed. (2.16 GHz MacBook).
  Any help much appreciated.

  CHi Chubrock
  if you run Windows 8 and I guess you have backlit keyboard for your GT70 ONE, please try to download new firmware here, and give it a try, I guess the worng firmware installed in your system ,  please choose the firmware with backlit KB and install , good luck
  http://www.msi.com/product/nb/GT70-0NE.html#/?div=Firmware&nbos=win8

• Two-way SSL: Private key is incorrectly read if the charset is set to UTF8

  Looks like PEMInputStream and other related classes assumes the application charset
  "iso81", but if the charset is something else, then "java.security.KeyManagementException"
  is thrown.
  We have everything setup and two-way ssl works when the encoding is not set. but
  brakes if the encoding is UTF8.
  WLS 7.0
  OS - HP-UX
  Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
  app).
  Thanks

  I would suggest posting this to the security newsgroup.
  -- Rob
  Govinda Raj wrote:
  Looks like PEMInputStream and other related classes assumes the application charset
  "iso81", but if the charset is something else, then "java.security.KeyManagementException"
  is thrown.
  We have everything setup and two-way ssl works when the encoding is not set. but
  brakes if the encoding is UTF8.
  WLS 7.0
  OS - HP-UX
  Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
  app).
  Thanks