WebLogic - Forms - Microsoft AD with SSL (Kerberos)

Similar Messages

• Deploy Forms and Reports with Load Balancing

  I am trying to determine what we need to install here. I have read OracleAS, Web Cache, Application Server, and
  Forms documents and have no answer still.
  We are currently run 9iAS with Forms and Reports 6i only.
  I did not do any of those installs. We are migrating to
  Forms and Reports 10g. I need to setup an OracleAS 10g
  Forms and Reports application server with the ability to
  do Load Balancing over 2 windows Web servers to handle
  4,000+ users. The application database will be on its own
  Windows server.
  Do I need to install the Infastructure, BI, and Web cache?
  Or just Oracle 10g Application Server option? Or other?
  Do I need to install it on both web servers and do
  something like clustering? Do I need to install Web
  cache? I just took the 10g AS class and basically did not learn anything about deploying Forms and Reports.
  Can anyone give me a place to find the things I need to
  install and setup?
  Thanks.
  Kim

  I am a DBA and have not done an iAS or AS installation
  before but am now required to learn it. We will be using
  SSL and no load balancing hardware. We setup for other
  customer sites and setting Windows servers in the past.
  We have not done load balancing before.
  I am just confused with all the 10gAS options there are to
  install to just run 10g Forms and Reports and setup
  OracleAS 10g with the load balancing features.
  So I just need to install OracleAS Forms and Reports
  Server if I am just installing Forms and Reports with SSL.
  But if for Load Balancing Oracle 10g I need to cluster
  just Reports 10g? I thought I would need OracleAS10g
  installed on my two Windows servers and somehow cluster
  or let the two know they are the same web page handling
  the incoming requests? I do know about Apache redirct. Is
  that an Apache feature and is it covered in an Oracle
  documentation? They did not cover it in class either.

• Weblogic app server wsdl web service call with SSL Validation error = 16

  Weblogic app server wsdl web service call with SSL Validation error = 16
  I need to make wsdl web service call in my weblogic app server. The web service is provided by a 3rd party vendor. I keep getting error
  Cannot complete the certificate chain: No trusted cert found
  Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure
  Validation error = 16
  From the SSL debug log, I can see 3 verisign hierarchy certs are correctly loaded (see 3 lines in the log message starting with “adding as trusted cert”). But somehow after first handshake, I got error “Cannot complete the certificate chain: No trusted cert found”.
  Here is how I load trustStore and keyStore in my java program:
       System.setProperty("javax.net.ssl.trustStore",”cacerts”);
       System.setProperty("javax.net.ssl.trustStorePassword", trustKeyPasswd);
       System.setProperty("javax.net.ssl.trustStoreType","JKS");
  System.setProperty("javax.net.ssl.keyStoreType","JKS");
  System.setProperty("javax.net.ssl.keyStore", keyStoreName);
       System.setProperty("javax.net.ssl.keyStorePassword",clientCertPwd);      System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true");
  Here is how I create cacerts using verisign hierarchy certs (in this order)
  1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignClass3G5PCA3Root.txt -alias "Verisign Class3 G5P CA3 Root"
  1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediatePrimary.txt -alias "Verisign C3 G5 Intermediate Primary"
  1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediateSecondary.txt -alias "Verisign C3 G5 Intermediate Secondary"
  Because my program is a weblogic app server, when I start the program, I have java command line options set as:
  -Dweblogic.security.SSL.trustedCAKeyStore=SSLTrust.jks
  -Dweblogic.security.SSL.ignoreHostnameVerification=true
  -Dweblogic.security.SSL.enforceConstraints=strong
  That SSLTrust.jks is the trust certificate from our web server which sits on a different box. In our config.xml file, we also refer to the SSLTrust.jks file when we bring up the weblogic app server.
  In addition, we have working logic to use some other wsdl web services from the same vendor on the same SOAP server. In the working web service call flows, we use clientgen to create client stub, and use SSLContext and WLSSLAdapter to load trustStore and keyStore, and then bind the SSLContext and WLSSLAdapter objects to the webSerive client object and make the webservie call. For the new wsdl file, I am told to use wsimport to create client stub. In the client code created, I don’t see any way that I can bind SSLContext and WLSSLAdapter objects to the client object, so I have to load certs by settting system pramaters. Here I attached the the wsdl file.
  I have read many articles. It seems as long as I can install the verisign certs correctly to web logic server, I should have fixed the problem. Now the questions are:
  1.     Do I create “cacerts” the correct order with right keeltool options?
  2.     Since command line option “-Dweblogic.security.SSL.trustedCAKeyStore” is used for web server jks certificate, will that cause any problem for me?
  3.     Is it possible to use wsimport to generate client stub that I can bind SSLContext and WLSSLAdapter objects to it?
  4.     Do I need to put the “cacerts” to some specific weblogic directory?
  ---------------------------------wsdl file
  <wsdl:definitions name="TokenServices" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
       <wsp:Policy wsu:Id="TokenServices_policy">
            <wsp:ExactlyOne>
                 <wsp:All>
                      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                           <wsp:Policy>
                                <sp:TransportToken>
                                     <wsp:Policy>
                                          <sp:HttpsToken RequireClientCertificate="true"/>
                                     </wsp:Policy>
                                </sp:TransportToken>
                                <sp:AlgorithmSuite>
                                     <wsp:Policy>
                                          <sp:Basic256/>
                                     </wsp:Policy>
                                </sp:AlgorithmSuite>
                                <sp:Layout>
                                     <wsp:Policy>
                                          <sp:Strict/>
                                     </wsp:Policy>
                                </sp:Layout>
                           </wsp:Policy>
                      </sp:TransportBinding>
                      <wsaw:UsingAddressing/>
                 </wsp:All>
            </wsp:ExactlyOne>
       </wsp:Policy>
       <wsdl:types>
            <xsd:schema targetNamespace="http://tempuri.org/Imports">
                 <xsd:import schemaLocation="xsd0.xsd" namespace="http://tempuri.org/"/>
                 <xsd:import schemaLocation="xsd1.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
            </xsd:schema>
       </wsdl:types>
       <wsdl:message name="ITokenServices_GetUserToken_InputMessage">
            <wsdl:part name="parameters" element="tns:GetUserToken"/>
       </wsdl:message>
       <wsdl:message name="ITokenServices_GetUserToken_OutputMessage">
            <wsdl:part name="parameters" element="tns:GetUserTokenResponse"/>
       </wsdl:message>
       <wsdl:message name="ITokenServices_GetSSOUserToken_InputMessage">
            <wsdl:part name="parameters" element="tns:GetSSOUserToken"/>
       </wsdl:message>
       <wsdl:message name="ITokenServices_GetSSOUserToken_OutputMessage">
            <wsdl:part name="parameters" element="tns:GetSSOUserTokenResponse"/>
       </wsdl:message>
       <wsdl:portType name="ITokenServices">
            <wsdl:operation name="GetUserToken">
                 <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetUserToken" message="tns:ITokenServices_GetUserToken_InputMessage"/>
                 <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetUserTokenResponse" message="tns:ITokenServices_GetUserToken_OutputMessage"/>
            </wsdl:operation>
            <wsdl:operation name="GetSSOUserToken">
                 <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserToken" message="tns:ITokenServices_GetSSOUserToken_InputMessage"/>
                 <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserTokenResponse" message="tns:ITokenServices_GetSSOUserToken_OutputMessage"/>
            </wsdl:operation>
       </wsdl:portType>
       <wsdl:binding name="TokenServices" type="tns:ITokenServices">
            <wsp:PolicyReference URI="#TokenServices_policy"/>
            <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
            <wsdl:operation name="GetUserToken">
                 <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetUserToken" style="document"/>
                 <wsdl:input>
                      <soap12:body use="literal"/>
                 </wsdl:input>
                 <wsdl:output>
                      <soap12:body use="literal"/>
                 </wsdl:output>
            </wsdl:operation>
            <wsdl:operation name="GetSSOUserToken">
                 <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetSSOUserToken" style="document"/>
                 <wsdl:input>
                      <soap12:body use="literal"/>
                 </wsdl:input>
                 <wsdl:output>
                      <soap12:body use="literal"/>
                 </wsdl:output>
            </wsdl:operation>
       </wsdl:binding>
       <wsdl:service name="TokenServices">
            <wsdl:port name="TokenServices" binding="tns:TokenServices">
                 <soap12:address location="https://ws-eq.demo.i-deal.com/PhxEquity/TokenServices.svc"/>
                 <wsa10:EndpointReference>
                      <wsa10:Address>https://ws-eq.demo.xxx.com/PhxEquity/TokenServices.svc</wsa10:Address>
                 </wsa10:EndpointReference>
            </wsdl:port>
       </wsdl:service>
  </wsdl:definitions>
  ----------------------------------application log
  adding as trusted cert:
  Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x641be820ce020813f32d4d2d95d67e67
  Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020
  adding as trusted cert:
  Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
  Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028
  adding as trusted cert:
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Algorithm: RSA; Serial number: 0x250ce8e030612e9f2b89f7054d7cf8fd
  Valid from Tue Nov 07 19:00:00 EST 2006 until Sun Nov 07 18:59:59 EST 2021
  <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
  <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
  <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 28395435>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 SSL3/TLS MAC>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 received HANDSHAKE>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
  Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
  Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
  Not Valid Before:Tue Dec 18 19:00:00 EST 2012
  Not Valid After:Wed Jan 07 18:59:59 EST 2015
  Signature Algorithm:SHA1withRSA
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
  Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
  Not Valid Before:Sun Feb 07 19:00:00 EST 2010
  Not Valid After:Fri Feb 07 18:59:59 EST 2020
  Signature Algorithm:SHA1withRSA
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
  Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
  Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
  Not Valid Before:Tue Dec 18 19:00:00 EST 2012
  Not Valid After:Wed Jan 07 18:59:59 EST 2015
  Signature Algorithm:SHA1withRSA
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
  Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
  Not Valid Before:Sun Feb 07 19:00:00 EST 2010
  Not Valid After:Fri Feb 07 18:59:59 EST 2020
  Signature Algorithm:SHA1withRSA
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
  <Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure.>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
       at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
       at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at com.certicom.tls.record.WriteHandler.write(Unknown Source)
       at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
       at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
       at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
       at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
       at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
       at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
       at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
       at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
       at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
       at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
       at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
       at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
       at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
       at javax.xml.ws.Service.<init>(Service.java:56)
       at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
       at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
       at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
       at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
       at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 22803607>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 14640403>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 SSL3/TLS MAC>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 received HANDSHAKE>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
  Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
  Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
  Not Valid Before:Tue Dec 18 19:00:00 EST 2012
  Not Valid After:Wed Jan 07 18:59:59 EST 2015
  Signature Algorithm:SHA1withRSA
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
  Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
  Not Valid Before:Sun Feb 07 19:00:00 EST 2010
  Not Valid After:Fri Feb 07 18:59:59 EST 2020
  Signature Algorithm:SHA1withRSA
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
  Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
  Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
  Not Valid Before:Tue Dec 18 19:00:00 EST 2012
  Not Valid After:Wed Jan 07 18:59:59 EST 2015
  Signature Algorithm:SHA1withRSA
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
  Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
  Not Valid Before:Sun Feb 07 19:00:00 EST 2010
  Not Valid After:Fri Feb 07 18:59:59 EST 2020
  Signature Algorithm:SHA1withRSA
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
  <Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - 12.29.210.156 was not trusted causing SSL handshake failure.>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
       at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
       at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at com.certicom.tls.record.WriteHandler.write(Unknown Source)
       at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
       at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
       at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
       at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
       at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
       at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
       at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
       at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
       at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
       at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
       at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
       at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
       at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
       at javax.xml.ws.Service.<init>(Service.java:56)
       at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
       at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
       at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
       at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
       at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  >
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 16189141>

  I received a workaround by an internal message.
  The how to guide is :
  -Download the wsdl file (with bindings, not the one from ESR)
  -Correct it in order that the schema corresponds to the answer (remove minOccurs or other things like this)
  -Deploy the wsdl file on you a server (java web project for exemple). you can deploy on your local
  -Create a new logicial destination that point to the wsdl file modified
  -Change the metadata destination in your web dynpro project for the corresponding model and keep the execution desitnation as before.
  Then the received data is check by the metadata logical destination but the data is retrieved from the correct server.

• Weblogic 10.3.5 with oracle forms and reports 11.1.2.1.0

  Hi All,
  I am new to 11g concept (actually web based, have worked till 6i) and trying to upgrade my existing system (6i) to 11g. I have installed Weblogic 10.3.5 with forms and reports 11.1.2.1.0 on windows 7 32 bit. I can connect to my database (10g) from Form builder.
  But when I try to open a form/pll of 10g or 6i, it says PDE-PLI018 could not find library and it shows the path of my earlier folder, which now does not exist.
  I have made changes in registry FORMS_PATH, FORMS_BUILDER_PATH, UI_ICON
  And in default.env file FORMS_PATH and CLASSPATH
  I have added entry to tnsnames.ora, through which I can connect to DB. And have followed below site to configure weblogic and FM forms and reports;
  http://windows7bugs.wordpress.com/2013/04/06/install-configure-oracle-weblogic-server-10-3-6-forms-reports-11g-on-windows8windows-2008-r2/
  I have few doubts in my mind;
  1) Do we have to connect (create a bridge) to DB from weblogic except tnsnames.ora.
  2) For library error I think I am missing some settings to be done.
  3) If I am able to rectify above error then can I directly use http://localhost:8888/forms/frmservlet and access the system from another pc, or still there are some modifications needed.
  I am trying this from last 3 days, but couldn't find the solution, kindly help me out for same, eagerly waiting for your reply.
  Regards,
  Ash

  Hi InoL,
  Thanks for your reply, Yes, as there are many forms in my system, there is a chance that libraries attached are with the path.

• SOAP with SSL in weblogic 5.1

  Hello!
  Any idea of using SOAP with SSL in weblogic 5.1.?? My webservice works properly
  when I use http, but it doesn't work with http.
  It's very important to me, to get a solution for this problem!!
  Many thanks.
  Best regards,
  Rafa.

  Hi Rafa,
  Can you possibly upgrade? WLS 5.1 does not have a built-in web services
  stack. WLS 7 and WLS 8.1 make this very easy.
  You might try searching back in this newsgroup using the header search
  of "5.1"
  For starters, see:
  http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.webservices&item=1894&utag=
  HTHs,
  Bruce
  Rafa Nocete wrote:
  >
  Hello!
  Any idea of using SOAP with SSL in weblogic 5.1.?? My webservice works properly
  when I use http, but it doesn't work with http.
  It's very important to me, to get a solution for this problem!!
  Many thanks.
  Best regards,
  Rafa.

• Apache Proxy Plugin with SSL in Weblogic Cluster

  Hi,
  I have configured a weblogic cluster and configured SSL. Then I configured the apache plugin to work with the cluster machines with non ssl and worked succesfull but when I configured the ssl communication between apache and weblogic I´m having problems.
  The actual configuration is:
  <Location /spmlws>
  SetHandler weblogic-handler
  WLLogFile /var/log/httpd/tmpweblogic1.log
  DebugConfigInfo ON
  Debug ALL
  KeepAliveEnabled ON
  KeepAliveSecs 15
  WebLogicPort 7002
  SecureProxy ON
  TrustedCAFile /opt/freeware/etc/httpd/conf/trustedCA35cert.pem
  TrustedCAFile /opt/freeware/etc/httpd/conf/trustedCA36cert.pem
  WLProxySSL ON
  RequireSSLHostMatch false
  WebLogicCluster machine35:7002,machine36:7002
  EnforceBasicConstraints false
  </Location>
  The problem is that the plugin always takes the last TrustedCAFile. In this way if machine36 is down the plugin tries to send all the request to machine35 but it takes the TrustedCAFile for the machine36 (/opt/freeware/etc/httpd/conf/trustedCA36cert.pem) hence the apache complains
  [Wed Jun 30 11:13:56 2010] [error] [client 10.19.232.249] ap_proxy: trying GET /spmlws/OIMProvisioning at backend host '10.19.232.97/7002; got exception 'WRITE_ERROR_TO_SERVER [os error=0,  line 796 of ../nsapi/URL.cpp]: '
  What can I do to have multiple TrustedCAFile or to have working the communication between apache and weblogic cluster using SSL?
  thanks in advance

  Acording to the documentation this is not possible.
  One way to achieve the load balancing of n-weblogic servers in cluster using ssl is to configure de HttpClusterServlet.

• In Formscentral: is the form SECURE with SSL even if my existing website does not have SSL?

  I plan to embed my new form with html into my existing website. My website does not have SSL. I would like my new form to be SSL secure (will have credit card numbers.) Will the upgraded plan provide this security?

  When a form is embedded the submission is protected with SSL. You shouldn't collect credit card information using FormsCentral because the service is not PCI compliant. You should instead use our new integration with PayPal - it supports credit cards and paypal account payments. The credit card info is processed by paypal and they are PCI compliant.
  Here is a tutorial on the new payments features: http://forums.adobe.com/docs/DOC-1632

• Steps to configure Weblogic 10.3 with SSL enabled Sybase 12.5

  In WLS 10.3, there is a new feature for supporting the SSL encryption on Sybase 12.5.4.
  I want to connect from Weblogic 10.3 to the SSL enabled Sybase 12.5.4.
  Can any one please provide the step by step instructions for how to configure on the Weblogic 10.3? Do I need to create any custom class for this?
  Thanks

  Here is an example of connecting using the Sybase driver.
  SybDriver sybDriver = (SybDriver)
      Class.forName("com.sybase.jdbc3.jdbc.SybDriver").newInstance();
  sybDriver.setVersion(com.sybase.jdbcx.SybDriver.VERSION_6);
  DriverManager.registerDriver(sybDriver);
  Connection conn = DriverManager.getConnection
      ("jdbc:sybase:Tds:<host>:5000?ServiceName=<dbname>",<user>,<passwd>);Not sure that the setVersion() call is absolutely necessary.

• Password Sync not happening in AD with SSL 636

  I am working on OIM 9.1.0. I followed the Connector Guide for Microsoft Active Directory Password Synchronization.(Connector version 9.1.1)
  Configured AD with SSL. AD SSL Provisioning (636) is working fine.
  Configuration of SSL on Weblogic was done (generation of keys, signing, export, etc) & imported the Certificate in AD.
  Installed Password Sync on AD(389) without SSL & it worked.
  I re-configured it to SSL (AD 636) but it shows errors
  Can anyone give some info on it.
  ***********Inside sgslldpcopenLDAPConnection****************
  Debug [2/9/2012 4:43:35 PM] Inside sgsladac c-tor
  Debug [2/9/2012 4:43:35 PM] AD Host
  Debug [2/9/2012 4:43:35 PM] 10.129.149.131
  Debug [2/9/2012 4:43:35 PM]
  Debug [2/9/2012 4:43:35 PM] AD Port
  Debug [2/9/2012 4:43:35 PM] *636*
  Debug [2/9/2012 4:43:35 PM]
  Debug [2/9/2012 4:43:35 PM] AD Base DN
  Debug [2/9/2012 4:43:35 PM] DC=oimpad,DC=com
  Debug [2/9/2012 4:43:35 PM]
  Debug [2/9/2012 4:43:35 PM]
  Debugging the code
  Debug [2/9/2012 4:43:35 PM] Inside ConnectToADSI
  Debug [2/9/2012 4:43:35 PM]
  ldap_connect failed with
  Debug [2/9/2012 4:43:35 PM] Server Down
  Debug [2/9/2012 4:43:35 PM]
  Debug [2/9/2012 4:43:35 PM]
  Connection to AD failed
  Debug [2/9/2012 4:43:35 PM]
  ***********Out of openLDAPConnection****************
  Debug [2/9/2012 4:43:35 PM] Inside sgsladac destructor
  Debug [2/9/2012 4:43:36 PM] Datastore --- Connect to AD
  Debug [2/9/2012 4:43:36 PM]
  ***********Inside sgslldpcopenLDAPConnection****************
  Debug [2/9/2012 4:43:36 PM] Inside sgsladac c-tor
  Debug [2/9/2012 4:43:36 PM] AD Host
  Debug [2/9/2012 4:43:36 PM] 10.129.149.131
  Debug [2/9/2012 4:43:36 PM]
  Debug [2/9/2012 4:43:36 PM] AD Port
  Debug [2/9/2012 4:43:36 PM] 636
  Debug [2/9/2012 4:43:36 PM]
  Debug [2/9/2012 4:43:36 PM] AD Base DN
  Debug [2/9/2012 4:43:36 PM] DC=oimpad,DC=com
  Debug [2/9/2012 4:43:36 PM]
  Debug [2/9/2012 4:43:36 PM]
  Debugging the code
  Debug [2/9/2012 4:43:36 PM] Inside ConnectToADSI
  Debug [2/9/2012 4:43:36 PM]
  ldap_connect failed with
  Debug [2/9/2012 4:43:36 PM] Server Down
  Debug [2/9/2012 4:43:36 PM]
  Debug [2/9/2012 4:43:36 PM]
  Connection to AD failed
  Debug [2/9/2012 4:43:36 PM]
  ***********Out of openLDAPConnection****************
  Regards,
  Praveen

  Both the URLs are working & I configured the SSL one. Telnet to the port also happens with IP & hostname in OIM & Ad servers
  http://pwoim:7001/spmlws/OIMProvisioning
  https://pwoim:7002/spmlws/OIMProvisioning

• Confused about the 11g R2 Forms Server and using SSL

  All,
  I just installed the 11g R2 Forms Server software without configuring it.
  I then ran the config.sh script to configure it which creates a weblogic server domain.
  I'm a bit confused now. If I run opmnctl status command I get the following:
  Processes in Instance: frmrep_inst_1
  --------------------------------------------------------------+---------
  ias-component | process-type | pid | status
  --------------------------------------------------------------+---------
  emagent_frmrep_inst_1 | EMAGENT | 28279 | Alive
  RptSvr_eiaorapptest_frmrep_ins | ReportsServerComp~ | 28124 | Alive
  ohs1 | OHS | 27831 | Alive
  This looks to me like there is an Oracle Http Server installed.
  Is the Oracle Http Server answering web calls when I run forms or is the Weg Logic Server answering the call?
  Also, the Oracle Forms Installation Documentation talks about securing your environment with Oracle Identity Manager but we are not using Oracle Identity Manager. I want to use SSL but I'm not sure how to secure the environment with SSL. Do I need to configure the WebLogic server to use SSL or the OHS?
  Any help would be greatly appreciated.
  Cheers

  Fusion Middleware 11.1.x does include HTTP Server (OHS) and also requires WLS. Both HTTP Server and WLS are http listeners, amongst other things. So whether WLS handles a request or HTTP Server does it will be entirely up to you and/or the end-user.
  OHS has a listener which by default (in FMw) listens for requests on port 8888. On the other hand WLS_FORMS is preconfigured to listen on port 9001.
  This means that if your URL looks like the following, WLS_FORMS will directly answer the client:
  <blockquote>http://server:9001/forms/frmservlet?form=abc</blockquote>
  If the URL looks like the following, the HTTP Server will reply:
  <blockquote>http://server:8888/forms/frmservlet?form=abc</blockquote>
  The request path when using OHS as the listener to call Oracle Forms would look like this:
  <blockquote>CLIENT --- OHS --- WLS_FORMS --- FORMS SERVLET --- FORMS RUNTIME (frmweb.exe) --- DATABASE</blockquote>
  The request path when using WLS_FORMS as the listener to call Oracle Forms would look like this:
  <blockquote>CLIENT --- WLS_FORMS --- FORMS SERVLET --- FORMS RUNTIME (frmweb.exe) --- DATABASE</blockquote>
  Although removing OHS from the path would seem to be better because it is one less server to administer and less system resources consumed, generally it would be argued that the advantages of having it will outweigh the disadvantages.
  There are numerous advantages to use OHS in front of WLS, but the most obvious should be that OHS can be set up so that you have one and only one entry point into your FMw environment. In other words, even though for example Forms WLS listens on 9001 and Reports on 9002 and some other app on 9999, all requests can be routed through a single OHS port (e.g. 8888). This gives added security since only one port would need to be open assuming a firewall was in place. This configuration is also helpful when calling one application from another. For example when calling Reports from Forms. If you use OHS, references to other WLS managed servers can be called with a relative reference rather than a fully qualified one.
  Regarding whether or not SSL needs to be enabled at any particular point in the path is entirely up to you. You can enable SSL from the client all the way back to the db or any where in between. It is fairly common to see SSL between the client and OHS then no SSL to WLS. But if security is a great concern then you may want to consider SSL from front to back. However, keep in mind that SSL comes at a price. Performance will degrade slightly when SSL is enabled.
  Also, OAM (Oracle Access Manager) has nothing to do with SSL. SSL refers to traffic encryption. OAM is for authentication - single sign on.
  Consider reviewing the Forms Deployment Guide as well as the other Fusion Middleware documents referenced within it.
  <blockquote>http://docs.oracle.com/cd/E24269_01/index.htm</blockquote>
  Finally, and most important, this topic really has nothing to do with Oracle Forms. This is more about how a web server or its environment works.

• What's the matter with SSL?

  what's the matter with SSL?
  Anyone would help me?
  Thank you in advance.
  The following is the console output:
  Starting WebLogic Server ....
  <2001-9-4 ÏÂÎç03ʱ56·Ö34Ãë> <Notice> <Management> <Loading configuration
  file .\config\tbcn\config.xml ...>
  The WebLogic Server did not start up properly.
  Exception raised:
  eblogic.management.configuration.ConfigurationException: - with nested
  exception:
  [weblogic.security.internal.encryption.EncryptionServiceException - with
  nested exception:
  [COM.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid
  pad byte.]]
  COM.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid
  pad byte.
  at
  COM.rsa.jsafe.JA_PKCS5Padding.performUnpadding(JA_PKCS5Padding.java)
  at COM.rsa.jsafe.JG_BlockCipher.decryptFinal(JG_BlockCipher.java)
  at
  weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptByte
  s(JSafeEncryptionServiceImpl.java:68)
  at
  weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptStri
  ng(JSafeEncryptionServiceImpl.java:94)
  at
  weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearO
  rEncryptedService.java:53)
  at
  weblogic.management.internal.EncryptedData.decrypt(EncryptedData.java:45)
  at
  weblogic.management.internal.xml.ConfigurationParser$ConfigurationHandler.pa
  rseMBeanAttributes(ConfigurationParser.java:306)
  at
  weblogic.management.internal.xml.ConfigurationParser$ConfigurationHandler.st
  artElement(ConfigurationParser.java:185)
  at
  weblogic.apache.xerces.parsers.SAXParser.startElement(SAXParser.java:1340)
  at
  weblogic.apache.xerces.validators.common.XMLValidator.callStartElement(XMLVa
  lidator.java:1183)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner.scanElement(XMLDocumentS
  canner.java:1876)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner$ContentDispatcher.dispat
  ch(XMLDocumentScanner.java:1252)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner.parseSome(XMLDocumentSca
  nner.java:381)
  at
  weblogic.apache.xerces.framework.XMLParser.parse(XMLParser.java:967)
  at
  weblogic.management.internal.xml.ConfigurationParser.parse(ConfigurationPars
  er.java:104)
  at
  weblogic.management.internal.xml.XmlFileRepository.loadDomain(XmlFileReposit
  ory.java:261)
  at
  weblogic.management.internal.xml.XmlFileRepository.loadDomain(XmlFileReposit
  ory.java:223)
  at java.lang.reflect.Method.invoke(Native Method)
  at
  weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
  .java:606)
  at
  weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
  90)
  at
  weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
  nImpl.java:350)
  at
  com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
  at
  com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
  at
  weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:444)
  at
  weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:185)
  at $Proxy1.loadDomain(Unknown Source)
  at
  weblogic.management.AdminServer.configureFromRepository(AdminServer.java:186
  at weblogic.management.AdminServer.configure(AdminServer.java:171)
  at weblogic.management.Admin.initialize(Admin.java:233)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:354)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
  at weblogic.Server.main(Server.java:35)
  --------------- nested within: ------------------
  weblogic.security.internal.encryption.EncryptionServiceException - with
  nested exception:
  [COM.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid
  pad byte.]
  at
  weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptByte
  s(JSafeEncryptionServiceImpl.java:78)
  at
  weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptStri
  ng(JSafeEncryptionServiceImpl.java:94)
  at
  weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearO
  rEncryptedService.java:53)
  at
  weblogic.management.internal.EncryptedData.decrypt(EncryptedData.java:45)
  at
  weblogic.management.internal.xml.ConfigurationParser$ConfigurationHandler.pa
  rseMBeanAttributes(ConfigurationParser.java:306)
  at
  weblogic.management.internal.xml.ConfigurationParser$ConfigurationHandler.st
  artElement(ConfigurationParser.java:185)
  at
  weblogic.apache.xerces.parsers.SAXParser.startElement(SAXParser.java:1340)
  at
  weblogic.apache.xerces.validators.common.XMLValidator.callStartElement(XMLVa
  lidator.java:1183)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner.scanElement(XMLDocumentS
  canner.java:1876)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner$ContentDispatcher.dispat
  ch(XMLDocumentScanner.java:1252)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner.parseSome(XMLDocumentSca
  nner.java:381)
  at
  weblogic.apache.xerces.framework.XMLParser.parse(XMLParser.java:967)
  at
  weblogic.management.internal.xml.ConfigurationParser.parse(ConfigurationPars
  er.java:104)
  at
  weblogic.management.internal.xml.XmlFileRepository.loadDomain(XmlFileReposit
  ory.java:261)
  at
  weblogic.management.internal.xml.XmlFileRepository.loadDomain(XmlFileReposit
  ory.java:223)
  at java.lang.reflect.Method.invoke(Native Method)
  at
  weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
  .java:606)
  at
  weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
  90)
  at
  weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
  nImpl.java:350)
  at
  com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
  at
  com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
  at
  weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:444)
  at
  weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:185)
  at $Proxy1.loadDomain(Unknown Source)
  at
  weblogic.management.AdminServer.configureFromRepository(AdminServer.java:186
  at weblogic.management.AdminServer.configure(AdminServer.java:171)
  at weblogic.management.Admin.initialize(Admin.java:233)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:354)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
  at weblogic.Server.main(Server.java:35)
  --------------- nested within: ------------------
  weblogic.management.configuration.ConfigurationException: - with nested
  exception:
  [weblogic.security.internal.encryption.EncryptionServiceException - with
  nested exception:
  [COM.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid
  pad byte.]]
  at
  weblogic.management.internal.xml.ConfigurationParser$ConfigurationHandler.pa
  rseMBeanAttributes(ConfigurationParser.java:313)
  at
  weblogic.management.internal.xml.ConfigurationParser$ConfigurationHandler.st
  artElement(ConfigurationParser.java:185)
  at
  weblogic.apache.xerces.parsers.SAXParser.startElement(SAXParser.java:1340)
  at
  weblogic.apache.xerces.validators.common.XMLValidator.callStartElement(XMLVa
  lidator.java:1183)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner.scanElement(XMLDocumentS
  canner.java:1876)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner$ContentDispatcher.dispat
  ch(XMLDocumentScanner.java:1252)
  at
  weblogic.apache.xerces.framework.XMLDocumentScanner.parseSome(XMLDocumentSca
  nner.java:381)
  at
  weblogic.apache.xerces.framework.XMLParser.parse(XMLParser.java:967)
  at
  weblogic.management.internal.xml.ConfigurationParser.parse(ConfigurationPars
  er.java:104)
  at
  weblogic.management.internal.xml.XmlFileRepository.loadDomain(XmlFileReposit
  ory.java:261)
  at
  weblogic.management.internal.xml.XmlFileRepository.loadDomain(XmlFileReposit
  ory.java:223)
  at java.lang.reflect.Method.invoke(Native Method)
  at
  weblogic.management.internal.DynamicMBeanImpl.invokeLocally(DynamicMBeanImpl
  .java:606)
  at
  weblogic.management.internal.DynamicMBeanImpl.invoke(DynamicMBeanImpl.java:5
  90)
  at
  weblogic.management.internal.ConfigurationMBeanImpl.invoke(ConfigurationMBea
  nImpl.java:350)
  at
  com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1555)
  at
  com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
  at
  weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:444)
  at
  weblogic.management.internal.MBeanProxy.invoke(MBeanProxy.java:185)
  at $Proxy1.loadDomain(Unknown Source)
  at
  weblogic.management.AdminServer.configureFromRepository(AdminServer.java:186
  at weblogic.management.AdminServer.configure(AdminServer.java:171)
  at weblogic.management.Admin.initialize(Admin.java:233)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:354)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
  at weblogic.Server.main(Server.java:35)
  Reason: Fatal initialization exception
  C:\bea\wlserver6.1>goto finish

  I have been interested in computers for a long time. My husband and I had one of the first TRS-80 computers from Radio Shack, and we would have likely followed the Windows path, except a blessed event intervened and our interest in computers was sidetracked by raising
  a toddler.
  I had my first experience with a Mac (a Performa 630 CD) in December of 1994. Our 7-year-old son was using Macs at school, and was as interested in computers as we were. We had been out of the game for a long while by this time, so thought it was wise to buy a computer one of the three of us (7-year-old Zach) could use.
  I thought, "Well, by next year, I'll learn enough to do the income taxes on it." In January, I saw Zach playing around with Quicken, and I saw how easy it would be to do our taxes with it. I had them done faster than I'd ever managed it before.
  I guess that's my big first impression.
  I told Zach he'd be sorry about wanting a Mac because I knew the gaming thing was on the horizon. Sure enough, when he hit his teens, all his friends were gaming on Windows boxes, and he now uses XP. He is in his second year of college, a Computer Science major, and he and his dorm-mates have Vista available as a free download on the college server. Not one of them has installed it. I don't see how Microsoft thinks they can sell it if they can't give it away.
  I tried Windows 98 and Windows XP, and my reaction was "Why on earth am I banging my head against THIS wall, when my Mac does everything I want to do?" And back I went to my Mac.
  With Intel processors and Parallels and Boot Camp, Zachary may come back to the fold. His next computer may be a Mac.

• Calling PSP procedure with SSL

  I want to call a PSP (SCREEN_B) procedure from another PSP precedure(SCREEN_A) . The deal is the new page (SCREEN_B) should be called with SSL.
  Here is the regular way of calling PSP.
  document.form.action="SCREEN_B";
  document.form.method="POST"
  document.form.submit();
  Please advise, How to call this SCREEN_B using SSL.
  Thanks

  You mean you have a Java client that calls the servlet, and within your
  client you are using URLConnection.getConnection()? ... and the servlet
  is only servers via HTTPS.
  Then you need to get JSSE:
  http://java.sun.com/products/jsse
  John Salvo
  Alejandro wrote:
  >
  Dear all,
  we are trying to call a servlet by using the java
  URLConnection.getConnection method.
  Our Weblogic servlet is listening only throw the SSL port, and it's doesn't
  work.
  Someone knows how to solve this issue???
  Please, help us!!!!
  Thanks in advance,
  Alejandro Mejías
  CGE&Y

• URGENT: Form Import FAILED with  Unable to generate UI form: ORA-0650

  I am importing application components from one installation of portal 3.0.9.8 to another installation. Both installed versions of POrtal are the same.
  The application name is PROFILE_APP. I have created this same app with same specifications as in source, in the target portal instance.
  To import, I am using the SQL scripts generated through portal using the "Export" feature available for each component.
  I could successfully import LOV into this app from source to target by running the above generated SQL. When i run the SQL for the form component in the target - i get the following error :
  ...Importing component: ID = 5861481106 Name = WST_USER_PROFILE_V_FRM Owner = WST_PROFILE_PORTAL30_APP Type = FOT
  *** ERROR ***
  wwa_generate_module.transfer_fot_metadata: Unable to generate UI form: ORA-06502: PL/SQL: numeric or value error
  The form worked successfully in the source instance.
  Any help is greatly appreciated.
  Thank you,
  Tanushree.

  Form CustomForm_791b1adc_97fd_4de1_a077_646a418fe59b extends form Microsoft.EnterpriseManagement.ServiceManager.ChangeManagement.Forms.ChangeRequestForm, which already has another extension (CustomForm_3e2fd77f_cfed_40f9_9def_c6735078bf2a).
  you already have a form customization that extends the change request form, and this MP is also importing a different customization to the same form. each form can only have one customization. 

• How to configure sso with SSL step by step

  Purpose
  In this document, you can learn how to configure SSO with SSL. After user have certificate installed in browser, he can login without input username and password.
  Overview
  In this document we will demonstrate:
  1.     How to configure OHS support SSL
  2.     How to Register SSO with SSL
  3.     Configure SSO for certificates
  Prerequisites
  Before start this document, you should have:
  1.     Oracle AS 10g infrastructure installed (10.1.2)
  2.     OCA installed
  Note:
  1.     “When you install Oracle infrastructure, please make sure you have select OCA.
  2.     How Certificate-Enabled Authentication Works:
  a.     The user tries to access a partner application.
  b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
  c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
  Enable SSL on the Single Sign-On Middle Tier
  The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
  l     You must configure SSL on the computer where the single sign-on middle tier is running.
  l     You are configuring one-way SSL.
  l     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
  1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
  2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
  <ias-component id="HTTP_Server">
  <process-type id="HTTP_Server" module-id="OHS">
  <module-data>
  <category id="start-parameters">
  <data id="start-mode" value="ssl-enabled"/>
  </category>
  </module-data>
  <process-set id="HTTP_Server" numprocs="1"/>
  </process-type>
  </ias-component>
  3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
  4.     Reload the modified opmn configuration file:
  ORACLE_HOME/opmn/bin/opmnctl reload
  5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
  6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
  Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
  <VirtualHost ssl_host:port>
  RewriteEngine on
  RewriteOptions inherit
  </VirtualHost>
  Save and close the file.
  7.     Update the distributed cluster management database with the changes:
  ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
  8.     Restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
  9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
  Reconfigure the Identity Management Infrastructure Database
  Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
  1.     Change Single Sign-On URLs
  Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
  UNIX:
  $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
  Windows:
  %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
  In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
  Here is an example:
  ssocfg.sh https login.acme.com 4443
  2. Restart OC4J_SECURITY instance and verify the configuration
  To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
  If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Then try logging in to the single sign-on server at its SSL address:
  https://host:ssl_port/pls/orasso/
       3. Back up the file targets.xml:
  cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
  4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
  ·     HTTPMachine—the server host name
  ·     HTTPPort—the server port number
  ·     HTTPProtocol—the server protocol
  If, for example, you run ssocfg like this:
  ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
  Update the three attributes this way:
  <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
  <Property NAME="HTTPPort" VALUE="4443"/>
  <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
  5.Save and close the file.
  6.     Reload the OracleAS console:
       ORACLE_HOME/bin/emctl reload
  7. Issue these two commands:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Registering mod_osso
  1.     This command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
  $ORACLE_HOME/sso/bin/ssoreg.sh
       -oracle_home_path $ORACLE_HOME
       -config_mod_osso TRUE
       -mod_osso_url https://myhost.mydomain.com:4443
  2.     Restarting the Oracle HTTP Server
  After running ssoreg, restart the Oracle HTTP Server:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  Configuring the Single Sign-On System for Certificates
  1.     Configure policy.properties with the Default Authentication Plugin
  Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
  DefaultAuthLevel = MediumHighSecurity
  Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
  MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
  2.     Restart the Single Sign-On Middle Tier
  After configuring the server, restart the middle tier:
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
  ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
  Bringing the SSO Users to OCA User Certificate Request URL
  The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an Oracle AS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normoally requidred to provision a certificate by a certificate authority.
  The URL for the SSO certificate Request is:
  https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
  You can configure OCA to provide the user certificate request interface URL to SSO server for display whenever SSO is not using a sertificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then display the OCA screen enabling that user to request a certificate.
  To link the OCA server to OracleAS SSO server, use the following command:
  ocactl linksso
  opmnctl stoproc type=oc4j instancename=oca
  opmnctl startproc type=oc4j instancename=oca
  You also can use ocactl unlinksso to unlink the OCA to SSO.

  I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
  The case now is that when I call my form (which is developed by forms developer suite 10g and deployed on the forms server which is SSO enabled) , it calls the SSO module on port 7777 using http (the default behaviour).
  on a URL that looks like this :
  http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  and gives the error :
  ( Forbidden
  You don't have permisission to access /sso/auth on this server at port 7777)
  when I manually change the URL to :
  https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
  the SSO works correctly.
  The question is :
  How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
  Any ideas ?
  Thanks in advance

• Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your Outlook data file (.ost)

  Fresh installation of Exchange Server 2013 on Windows Server 2012.
  Our first test account cannot access their email via Outlook but can access fine through OWA. The following message appears - "Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize
  your folders with your Outlook data file (.ost)" is displayed.
  If I turn off cached Exchange mode, setting the email account to not
  cache does not resolve the issue and i get a new error message - "Cannot open your default e-mail folders. The file (path\profile name).ost is not an Outlook data file (.ost). Very odd since it creates its own .ost file when you run it for the first
  time.
  I cleared the appdata local Outlook folder and I tested on a new laptop that has never connected to Outlook, same error message on any system.
  Microsoft Exchange RPC Client Access service is running.
  No warning, error or critical messages in the eventlog, it's like the healthiest server alive.
  Any help would be greatly appreciated. I haven't encountered this issue with previous versions of Exchange.

  So it looks like a lot of people are having this issue and seeing how Exchange 2013 is still new (relatively to the world) there isn't much data around to answer this. I've spend ALOT of time trying to figure this out.
  Here is the answer. :) - No I don't know all but I'm going to try to give you the most reasonable answer to this issue, in a most logical way.
  First thing I did when I was troubleshooting this issue is that I ignored Martina Miskovic's suggestion for Step4 http://technet.microsoft.com/library/jj218640(EXCHG.150)because it didn't make sense to me because I was trying to connect
  Outlook not outside the LAN but actually inside. However, Martina's suggestion does fix the issue if it's applied in the correct context.
  This is where the plot thickens (it's stew). She failed to mention that things like SSL (which I configure practically useless - anyone who ever worked in a business environment where the owner pretty much trusts anyone in the company, otherwise they don't
  work there - very good business practice in my eyes btw, can confirm that...) are some sort of fetish with Microsoft lately. Exchange 2013 was no exception.
  In exchange 2003, exchange 2007 and exchange 2010 - you could install it and then go to outlook and set it up. And when outlook manual Microsoft Exchange profile would ask you for server name, you would give it and give the name of the person who you setting
  up - as long as machine is on the domain, not much more is needed. IT JUST WORKS! :) What a concept, if the person already on premises of the business - GIVE HIM ACCESS. I guess that was too logical for Microsoft. Now if you're off premises you can use things
  like OutlookAnywhere - which I might add had their place under that scenario.
  In Exchange 2013, the world changed. Ofcourse Microsoft doesn't feel like telling it in a plain english to people - I'm sure there is an article somewhere but I didn't find it. Exchange 2013 does not support direct configuration of Outlook like all of it's
  previous versions. Did you jaw drop? Mine did when I realized it. So now when you are asked for your server name in manual outlook set up and you give it Exchange2013.yourdomain.local - it says cannot connect to it. This happens because ALL - INTERNAL AND
  EXTERNAL connection are now handled via OutlookAnywhere. You can't even disable that feature and have it function the reasonable way.
  So now the question still remains - how do you configure outlook. Well under server properties there is this nice section called Outlook anywhere. You have a chance to configure it's External and Internal address. This is another thing that should be logical
  but it didn't work that way for me. When I configured the external address different from the internal - it didn't work. So I strongly suggest you get it working with the same internal address first and then ponder how you want to make it work for the outside
  users.
  Now that you have this set up you have to go to virtual directories and configure the external and internal address there - this is actually what the Step 4 that Martina was refering to has you do.
  Both external and internal address are now the same and you think you can configure your outlook manually - think again. One of the most lovely features of Outlook Anywhere, and the reason why I had never used it in the past is that it requires a TRUSTED
  certificate.
  See so it's not that exchange 2013 requires a trusted certificate - it's that exchange 2013 lacks the feature that was there since Windows 2000 and Exchange 5.5.
  So it's time for you to install an Active Direction Certificate Authority. Refer to this wonderful article for exact steps - http://careexchange.in/how-to-install-certificate-authority-on-windows-server-2012/
  Now even after you do that - it won't work because you have to add the base private key certificate, which you can download now from your internal certsrv site, to Default Domain Policy (AND yes some people claim NEVER mess with the Default Domain Policy,
  always make an addition one... it's up to you - I don't see direct harm if you know what you want to accomplish) see this: http://technet.microsoft.com/en-us/library/cc738131%28v=ws.10%29.aspx if you want to know exact steps.
  This is the moment of ZEN! :) Do you feel the excitement? After all it is your first time. Before we get too excited lets first request and then install the certificate to actual Exchange via the gui and assign it to all the services you can (IIS, SMTP and
  there is a 3rd - I forgot, but you get the idea).
  Now go to your client machine where you have the outlook open, browse to your exchange server via https://exchang2013/ in IE and if you don't get any certificate errors - it's good. If you do run on hte client and the server: gpupdate /force This will refresh
  the policy. Don't try to manually install the certificate from Exchange's website on the client. If you wanna do something manually to it to the base certificate from the private key but if you added it to the domain policy you shouldn't have to do it.
  Basically the idea is to make sure you have CA and that CA allows you to browse to exchange and you get no cert error and you can look at the cert and see that's from a domain CA.
  NOW, you can configure your outlook. EASY grasshoppa - not the manual way. WHY? Cause the automatic way will now work. :) Let it discover that exachange and populate it all - and tell you I'm happy! :)
  Open Outlook - BOOM! It works... Was it as good for you as it was for me?
  You may ask, why can't I just configure it by manual - you CAN. It's just a nightmare. Go ahead and open the settings of the account that got auto configed... How do you like that server name? It should read something like [email protected]
  and if you go to advanced and then connection tab - you'll see Outlook Anywhere is checked as well. Look at the settings - there is the name of the server, FQDN I might add. It's there in 2 places and one has that Mtdd-something:Exchange2013.yourdomain.local.
  So what is that GUID in the server name and where does it come from. It's the identity of the user's mailbox so for every user that setting will be different but you can figure it out via the console on the Exchange server itself - if you wish.
  Also a note, if your SSL certs have any trouble - it will just act like outlook can't connect to the exchange server even though it just declines the connection cause the cert/cert authority is not trusted.
  So in short Outlook Anywhere is EVERYWHERE! And it has barely any gui or config and you just supposed to magically know that kind of generic error messages mean what... Server names are now GUIDs of the [email protected] - THAT MAKES PERFECT
  SENSE MICROSOFT! ...and you have to manage certs... and the only place where you gonna find the name of the server is inside the d*** Outlook Anywhere settings in the config tab, un it's own config button - CAN WE PUT THE CONFIG ANY FURTHER!
  Frustrating beyond reason - that should be Exchange's new slogan...
  Hope this will help people in the future and won't get delete because it's bad PR for Microsoft.
  PS
  ALSO if you want to pick a fight with me about how SSL is more secure... I don't wanna hear it - go somewhere else...