WL 7.x, JDK 1.4, SSL

Hello,
Given that:
(1) WL will not be certified for use with JDK 1.4 until the Olympic
release (otherwise known as version 8.1, hopefully available sometime
early this summer if we're lucky?).
(2) Our application requires JDK 1.4 functionality (preferences
package, regular expressions, XML parsing, etc.) on both the client AND
server side.
(3) SSL handshake fails if either the client or server (or both) are
using JDK 1.4.
(4) WL 7.x seems to run under JDK 1.4 with no apparent negative
consequences other than (3).
What options are available to provide SSL for client connections? As far
as I can tell, using a SSL proxy (software or hardware) may be the only
alternative. If anyone has an alternate solution, or can share their
knowledge gained from similar experience, I would like to hear from you.
Futher, if anyone is aware of other 'gotchas' that will come up due to
our running WL 7.x with JDK 1.4, please share your experiences.
Thanks,
Elias

Similar Messages

JDK 1.6 SSL/TLS vulnerability

Hi all,
I read SUN review about this vulnerability (http://java.sun.com/javase/javaseforbusiness/docs/TLSReadme.html).
How can I set a client application to avoid renegotiation? sun.security.ssl.allowUnsafeRenegotiation=false ?
Regards

Hi,
I have found the solution of my problem.
As ghstark wrote, the problem can be fix in the apache side.
In this URL (https://access.redhat.com/kb/docs/DOC-20491), I found something like this:
Server-initiated renegotiations can be avoided by:
* Changing the site layout so that a client certificate authentication is required for the whole site, rather than only a part. In other words, so that "SSLVerifyClient" is used only when directly inside a <VirtualHost> section.
* Using the same cipher suite for the whole site. The highest cipher strength requirement of all directories and locations should be set in the <VirtualHost> section.
This solved my problem.
Regards

Loosing Params

Problem Description:
From time to time we are loosing the parameters coming in a request from
a SSL secured static page and transfered to our servlets.
There are no more Params in the Request, all are NULL.
If we are restarting the server, everything works fine again (for a
while).
The Error is not bound to the load on the machine or a specific time.
If the error occurs, no client can send parameters anymore.
HW/SW Config:
IWS 4.1 with SP6
OS. Solaris 7 with all required patches Installed.
Servlet Architecure
We Are using jre delivered with the Product.
Development: JDK 1.3
SSL: Switched on SSL2 and SSL3
SessionManager: SimpleSessionManager
(maxSessions=1000,timeOut=1800,reapInterval=600)
Hardware: Netra and Ultra5
Did we configured something wrong??
Any hints or tips?
Thanks in Advance,
Matthias Zieger
Software Architect
Seals GmbH
[email protected]
www.seals.net

Nobody can tell without knowledge of your jdev version and the technology you are using for UI, middle tier and db.
There have been reports in early 10.3.1 versions going in the direction, that bind parameters are not stored is the application module is passivated.
The best thing to do is to test the app without application module pooling. This pooling can be turned off in the configuration of the application module. After turning it of each call to the application module gets passivated and activated again, simulating a timeout for every request.
Timo

Remote JConsole Monitoring in Weblogic Not Working

HI,
Attempting to monitoring weblogic data source parameters via jconsole.
The weblogic server is SSL enabled.
1. When i connect to the server via jconsole using local process I am able to view the com.bea beans
2. Connecting to server remotely via jconsole, connection is successfully established however I am not able to view com.bea beans
WE had tried various options, specifically connecting to SSL enabled weblogic server based on discussions in https://community.oracle.com/thread/884708?start=0&tstart=0 and http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html
However we get the same problem, ie. we are able to connect to weblogic via jconsole but not able to view jconsole. Please find attached
Please note We do not have permissions to set IIOP communications in weblogic.
Details below:
Weblogic Server : weblogic 10.3.5
Jdk - jdk 6
Server SSL enabled with custom identity
Any help would be appreciated

Hi,
Please follow the documentation
http://visualvm.java.net/jmx_connections.html
See chapter 'Making an Explicit JMX Connection'
Making an Explicit JMX Connection
Before you can make an explicit JMX connection from VisualVM to a running
application, this application must be started with the correct system
properties. The system properties in question are the following:
   com.sun.management.jmxremote.port
        to specify the port number through which the application will be exposed
   com.sun.management.jmxremote.ssl
        to specify whether secure sockets layer (SSL) encryption will be activated
        to secure the connection to the application
   com.sun.management.jmxremote.authenticate
        to specify whether the connection will be password protected
So, something like follows will be needed for the WLS server:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=8082
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
Here is more documentation on this:
http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html
Monitoring and Management Using JMX Technology
Thanks,
Sharmela

How to setup /dev/random to SSL seed no. in JDK 1.4

In order to speed up the SSL encryption and reduce CPU resources in WebServer, pls let us how to setup/define the /dev/random for SSL seed no in JDK 1.4 on Solaris 8 (Latest Patch).
Current Setup:
H/W:
+ Sun V880 with 2 x 1.2GHz US-III CPU, 2GB RAM
S/W:
+ SunOne Web Server 6.1 SP1
+ Solaris 8 (latest patch) support /dev/random
+ JDK 1.4
Rgds,
William

You may get a better response posting this question to one of the security forums, specifically:
http://forum.java.sun.com/forum.jsp?forum=2
http://forum.java.sun.com/forum.jsp?forum=60
You could also try the App server product forum:
http://swforum.sun.com/jive/category.jspa?categoryID=30

CF7 and JDK 1.4.2 - EV SSL Certificate Issue

Let me start off by telling the group that we do not use CF for any of our applications. We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use. We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API. About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy. I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck. Here are the details:
EV Certificate issued by DigiCert (4096-bit).
Customer is on CF7 and JDK 1.4.2.
When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application. He is using cfhttp to post his requests. We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates. Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 is returns an invalid certificate error and still will not work.
Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
Thanks in advance to those gurus that reply. I have attached a sample post from our customers logs with non-essential data removed.
I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
- Dave

Dave,
I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
to either CF 8 or CF 9 to get the issue quickly resolved.
I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
if I do find a solution, I'll definitely post it there for you.
Cheers

SSL JDK 1.4 problem

I have a java client (using jdk 1.3.1_03) talking to a web service deployed
on Weblogic 7.0.1 (using JDK 1.4 instead of default 1.3.1_03) through ssl
sucessfully. But If I swith client JDK also to JDK 1.4, I am getting a
handshake failure. I know weblogic 7 is not certified for JDK 1.4. But I
really need to use 1.4. Is there a work around? Here is the error log I am
getting. Any response is appreciated.
Thanks,
Vish
D:\dev\cie\client>set JAVA_HOME=D:\JBuilder8\jdk1.4
D:\dev\cie\client>set WL_HOME=c:\bea\weblogic700
D:\dev\cie\client>set
ANTCLASSPATH=D:\JBuilder8\jdk1.4\lib\tools.jar;c:\bea\webl
ogic700\server\lib\weblogic_sp.jar;c:\bea\weblogic700\server\lib\weblogic.ja
r;c:
\bea\weblogic700\server\lib\webservices.jar;
D:\dev\cie\client>set
PATH=c:\bea\weblogic700\server\bin;D:\JBuilder8\jdk1.4\jre
\bin;D:\JBuilder8\jdk1.4\bin;
D:\dev\cie\client>java -classpath
D:\JBuilder8\jdk1.4\lib\tools.jar;c:\bea\weblo
gic700\server\lib\weblogic_sp.jar;c:\bea\weblogic700\server\lib\weblogic.jar
;c:\
bea\weblogic700\server\lib\webservices.jar; org.apache.tools.ant.Main runssl
Buildfile: build.xml
runssl:
[java] [BaseWLSSLAdapter] : SSLAdapter verbose output enabled
[java] [BaseWLSSLAdapter] : Strict cert checking disabled by default
[java] [BaseWLSSLAdapter] : Trusted certificates will be loaded from
c:\bea
\user_projects\cip\trusted.crt
[java] [BaseWLSSLAdapter] : Loaded local trusted certificates from
java.io.
FileInputStream@1e232b5
[java] [BaseWLSSLAdapter] : Disabling strict checking on adapter
weblogic.w
ebservice.client.WLSSLAdapter@16f144c
[java] [BaseWLSSLAdapter] : Set TrustManager to
weblogic.webservice.client.
BaseWLSSLAdapter$NullTrustManager@19da4fc
[java] [WLSSLAdapter] : Set HostnameVerifier to
weblogic.webservice.client.
WLSSLAdapter$NullVerifier@f6ac0b
[java] [BaseWLSSLAdapter] : Got new socketfactory
javax.net.ssl.impl.SSLSoc
ketFactoryImpl@1938039
[java] [WLSSLAdapter] :
openConnection(https://teilhard.darwin.nasa.gov:802
1/time-service/TimeService?WSDL) returning
weblogic.webservice.client.https.Http
sURLConnection:https://teilhard.darwin.nasa.gov:8021/time-service/TimeServic
e?WS
DL
[java] [WLSSLAdapter] : -- using HostnameVerifier
weblogic.webservice.clien
t.WLSSLAdapter$NullVerifier@f6ac0b
[java] [WLSSLAdapter] : -- loaded certs from
c:\bea\user_projects\cip\trust
ed.crt
[java] java.io.IOException: Write Channel Closed, possible SSL
handshaking
or trust failure
[java] at com.certicom.tls.record.WriteHandler.write(Unknown
Source)
[java] at
com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSen
t(Unknown Source)
[java] at
com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(
Unknown Source)
[java] at
com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(
Unknown Source)
[java] at
com.certicom.tls.record.handshake.HandshakeHandler.handleHand
shakeMessage(Unknown Source)
[java] at
com.certicom.tls.record.handshake.HandshakeHandler.handleHand
shakeMessages(Unknown Source)
[java] at
com.certicom.tls.record.ReadHandler.interpretContent(Unknown
Source)
[java] at com.certicom.tls.record.ReadHandler.readRecord(Unknown
Source
[java] at
com.certicom.tls.record.ReadHandler.readUntilHandshakeComplet
e(Unknown Source)
[java] at
com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHand
shake(Unknown Source)
[java] at com.certicom.tls.record.WriteHandler.write(Unknown
Source)
[java] at com.certicom.net.ssl.HttpsClient.doHandshake(Unknown
Source)
[java] at
com.certicom.net.ssl.internal.HttpURLConnection.getInputStrea
m(Unknown Source)
[java] at
weblogic.webservice.client.https.HttpsURLConnection.getInputS
tream(HttpsURLConnection.java:216)
[java] at
weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefin
ition(DefinitionFactory.java:71)
[java] at
weblogic.webservice.tools.wsdlp.WSDLParser.<init>(WSDLParser.
java:63)
[java] at
weblogic.webservice.WebServiceFactory.createFromWSDL(WebServi
ceFactory.java:108)
[java] at
weblogic.webservice.WebServiceFactory.createFromWSDL(WebServi
ceFactory.java:84)
[java] at
weblogic.webservice.core.rpc.ServiceImpl.<init>(ServiceImpl.j
ava:73)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeService_Impl.<
init>(TimeService_Impl.java:23)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeServiceClient.
testTimeSvc(TimeServiceClient.java:69)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeServiceClient.
main(TimeServiceClient.java:55)
[java] weblogic.webservice.tools.wsdlp.WSDLParseException: Failed to
retrie
ve WSDL from
https://teilhard.darwin.nasa.gov:8021/time-service/TimeService?WSDL
. Please check the URL and make sure that it is a valid XML file
[java.io.IOExce
ption: Write Channel Closed, possible SSL handshaking or trust failure]
[java] at
weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefin
ition(DefinitionFactory.java:86)
[java] at
weblogic.webservice.tools.wsdlp.WSDLParser.<init>(WSDLParser.
java:63)
[java] at
weblogic.webservice.WebServiceFactory.createFromWSDL(WebServi
ceFactory.java:108)
[java] at
weblogic.webservice.WebServiceFactory.createFromWSDL(WebServi
ceFactory.java:84)
[java] at
weblogic.webservice.core.rpc.ServiceImpl.<init>(ServiceImpl.j
ava:73)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeService_Impl.<
init>(TimeService_Impl.java:23)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeServiceClient.
testTimeSvc(TimeServiceClient.java:69)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeServiceClient.
main(TimeServiceClient.java:55)

On the client side, try removing the the jsse.jar from the j2sdk1.4.1\jre\lib.
"Vish Magapu" <vm> wrote:
I have a java client (using jdk 1.3.1_03) talking to a web service deployed
on Weblogic 7.0.1 (using JDK 1.4 instead of default 1.3.1_03) through
ssl
sucessfully. But If I swith client JDK also to JDK 1.4, I am getting
a
handshake failure. I know weblogic 7 is not certified for JDK 1.4. But
I
really need to use 1.4. Is there a work around? Here is the error log
I am
getting. Any response is appreciated.
Thanks,
Vish
D:\dev\cie\client>set JAVA_HOME=D:\JBuilder8\jdk1.4
D:\dev\cie\client>set WL_HOME=c:\bea\weblogic700
D:\dev\cie\client>set
ANTCLASSPATH=D:\JBuilder8\jdk1.4\lib\tools.jar;c:\bea\webl
ogic700\server\lib\weblogic_sp.jar;c:\bea\weblogic700\server\lib\weblogic.ja
r;c:
\bea\weblogic700\server\lib\webservices.jar;
D:\dev\cie\client>set
PATH=c:\bea\weblogic700\server\bin;D:\JBuilder8\jdk1.4\jre
\bin;D:\JBuilder8\jdk1.4\bin;
D:\dev\cie\client>java -classpath
D:\JBuilder8\jdk1.4\lib\tools.jar;c:\bea\weblo
gic700\server\lib\weblogic_sp.jar;c:\bea\weblogic700\server\lib\weblogic.jar
;c:\
bea\weblogic700\server\lib\webservices.jar; org.apache.tools.ant.Main
runssl
Buildfile: build.xml
runssl:
[java] [BaseWLSSLAdapter] : SSLAdapter verbose output enabled
[java] [BaseWLSSLAdapter] : Strict cert checking disabled by default
[java] [BaseWLSSLAdapter] : Trusted certificates will be loaded
from
c:\bea
\user_projects\cip\trusted.crt
[java] [BaseWLSSLAdapter] : Loaded local trusted certificates from
java.io.
FileInputStream@1e232b5
[java] [BaseWLSSLAdapter] : Disabling strict checking on adapter
weblogic.w
ebservice.client.WLSSLAdapter@16f144c
[java] [BaseWLSSLAdapter] : Set TrustManager to
weblogic.webservice.client.
BaseWLSSLAdapter$NullTrustManager@19da4fc
[java] [WLSSLAdapter] : Set HostnameVerifier to
weblogic.webservice.client.
WLSSLAdapter$NullVerifier@f6ac0b
[java] [BaseWLSSLAdapter] : Got new socketfactory
javax.net.ssl.impl.SSLSoc
ketFactoryImpl@1938039
[java] [WLSSLAdapter] :
openConnection(https://teilhard.darwin.nasa.gov:802
1/time-service/TimeService?WSDL) returning
weblogic.webservice.client.https.Http
sURLConnection:https://teilhard.darwin.nasa.gov:8021/time-service/TimeServic
e?WS
DL
[java] [WLSSLAdapter] : -- using HostnameVerifier
weblogic.webservice.clien
t.WLSSLAdapter$NullVerifier@f6ac0b
[java] [WLSSLAdapter] : -- loaded certs from
c:\bea\user_projects\cip\trust
ed.crt
[java] java.io.IOException: Write Channel Closed, possible SSL
handshaking
or trust failure
[java] at com.certicom.tls.record.WriteHandler.write(Unknown
Source)
[java] at
com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSen
t(Unknown Source)
[java] at
com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(
Unknown Source)
[java] at
com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(
Unknown Source)
[java] at
com.certicom.tls.record.handshake.HandshakeHandler.handleHand
shakeMessage(Unknown Source)
[java] at
com.certicom.tls.record.handshake.HandshakeHandler.handleHand
shakeMessages(Unknown Source)
[java] at
com.certicom.tls.record.ReadHandler.interpretContent(Unknown
Source)
[java] at com.certicom.tls.record.ReadHandler.readRecord(Unknown
Source
[java] at
com.certicom.tls.record.ReadHandler.readUntilHandshakeComplet
e(Unknown Source)
[java] at
com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHand
shake(Unknown Source)
[java] at com.certicom.tls.record.WriteHandler.write(Unknown
Source)
[java] at com.certicom.net.ssl.HttpsClient.doHandshake(Unknown
Source)
[java] at
com.certicom.net.ssl.internal.HttpURLConnection.getInputStrea
m(Unknown Source)
[java] at
weblogic.webservice.client.https.HttpsURLConnection.getInputS
tream(HttpsURLConnection.java:216)
[java] at
weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefin
ition(DefinitionFactory.java:71)
[java] at
weblogic.webservice.tools.wsdlp.WSDLParser.<init>(WSDLParser.
java:63)
[java] at
weblogic.webservice.WebServiceFactory.createFromWSDL(WebServi
ceFactory.java:108)
[java] at
weblogic.webservice.WebServiceFactory.createFromWSDL(WebServi
ceFactory.java:84)
[java] at
weblogic.webservice.core.rpc.ServiceImpl.<init>(ServiceImpl.j
ava:73)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeService_Impl.<
init>(TimeService_Impl.java:23)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeServiceClient.
testTimeSvc(TimeServiceClient.java:69)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeServiceClient.
main(TimeServiceClient.java:55)
[java] weblogic.webservice.tools.wsdlp.WSDLParseException: Failed
to
retrie
ve WSDL from
https://teilhard.darwin.nasa.gov:8021/time-service/TimeService?WSDL
.. Please check the URL and make sure that it is a valid XML file
[java.io.IOExce
ption: Write Channel Closed, possible SSL handshaking or trust failure]
[java] at
weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefin
ition(DefinitionFactory.java:86)
[java] at
weblogic.webservice.tools.wsdlp.WSDLParser.<init>(WSDLParser.
java:63)
[java] at
weblogic.webservice.WebServiceFactory.createFromWSDL(WebServi
ceFactory.java:108)
[java] at
weblogic.webservice.WebServiceFactory.createFromWSDL(WebServi
ceFactory.java:84)
[java] at
weblogic.webservice.core.rpc.ServiceImpl.<init>(ServiceImpl.j
ava:73)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeService_Impl.<
init>(TimeService_Impl.java:23)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeServiceClient.
testTimeSvc(TimeServiceClient.java:69)
[java] at
gov.nasa.darwin.cip.middleware.time.client.TimeServiceClient.
main(TimeServiceClient.java:55)

Problems running SSL connection using JRUN 4.0/JDK 1.4.2

Hi,
Our project is to run a SSL connection to FedEx. When we test the connection with WebSphere 5.0 test server, it connected and worked. But, when we tested with our environment (JRUN4), exception thrown:
The following are the exceptions:
===========================
socket = (SSLSocket)factory.createSocket("gateway.fedex.com", 443);
causes the error:
java.net.SocketException: Export restriction: this JSSE implementation is non-pluggable.
Which implies that we are trying to use a SSL impementation other than Sun's, which is not allowed in JDK 1.4.x. Googleing for similar cases confirms that creating SSL sockets has been problematic for JDK 1.4.x users in particular.
However, the following code
SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
System.out.println("Classname: "+factory.getClass().getName());
produces
Classname: javax.net.ssl.DefaultSSLSocketFactory
This seems to imply that we are using the Sun SSL implementation. So I am not sure what could be causing the error. Have any you ever run into this particular problem before and if so what is your recommendation?
Any idea, thinking is greatly appreciated.
Thank you.

I have plenty of HD space (130GB) left, so that's not the problem.
Actually, the amount of free space is not nearly as relevant to the issue as the % of free space. If your HD is over about 50% full, especially doing video, there will be performance degradation compared to an HD that is less than about 50% full. It's the physics of the hard drive. In addition, if you are working on HD video you can easily need 50-100GB per hour of video for working storage & render files. And if you render multiple times, FCE is not good at cleaning up old render files, so multiple renders take more & more disk space. The only effective way to clean out old render files is to manually delete them from your FCE /Render Files folder. And it's nearly impossible to tell which render files are actually in current use, so you end up having to delete them all and then re-render your entire timeline if you really want to free up disk space.
To answer your question about upgrading, yes, once you install Snow Leopard you should be able to update to 10.6.8 via Software Update. That's how I've always done it.
If your black Macbook is the one I suspect it is, the official max is 4GB RAM but it appears it will work with 6GB. Overall, the system specs are on the low side for FCE 4
As for still images, I have generally found sizing them to no more than 2x your video frame size works pretty well. Larger than that, FCE will be discarding lots of pixels to fit the image into your video frame. You need to consider the actual pixel dimensions of your image, not the embedded resolution or dpi. Actual pixel dimensions are what's important. The larger your jpeg image the more pixels will be discarded, so images that are much larger than your frame size are not advisable.

SSL communication issue with JDK 1.6.0_19

Hi,
I am facing issue with JDK 1.6.0_19. I have a Java client which communicate with the Server in SSL communication.so, It is able to communicate properly with the JDK <=1.6.0_18 version.But I got handling exception: javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message exception when the client is trying to communicate with the server in JDK 1.6.0_19.
We are using mutual authentication.The client and the server both have the signed certificate.The client certificate has to be validated by the server to establish the connection.
I have seen in forum that it is a renegotiation issue.So, if I enable the renegotiation flag by -Dsun.security.ssl.allowUnsafeRenegotiation=true it's working fine.But enabling renegotiation itself is a vulnerability.So, I can't enable renegotiation.
I am using httpclient 4.0 and JSSE in client side and IIS in the server side for this SSL connection.
I am not sure which side client or server initiating the renegotiation?
Please help me out.
I have tried Openssl command from console.
The command is : openssl s_client -connect X.X.X:443 -CAfile "xxxxx" -cert "xxxxxxxx" -key "xxxxxxxxxx" -state -verify 20 here is the output:
Loading 'screen' into random state - done
CONNECTED(00000748)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
xxxxxxxxxxx.................
verify return:1
xxxxxxxxxxx.................
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
Certificate chain
xxxxxxxxxxx.................
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxx.................
-----END CERTIFICATE-----
xxxxxxxxxxx.................
No client certificate CA names sent
SSL handshake has read 1839 bytes and written 392 bytes
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher    : RC4-MD5
    Session-ID: xxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxx
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1275564626
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
read:errno=10054If you see the console output you can see that two statement is missing those are :
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 write client certificate ASo, I like to know if this is any clue which is asking for renegotiation.

Thank you for your response.
Yes I have set the particular proerty SSLAlwaysNegoClientCert to True and it is able to establish the ssl conneciton without initiating renegotiation from IIS server side.The property has to be set the metabase.xml file.
Thank you very much once again.
Edited by: arpitak on Jun 23, 2010 2:10 AM

IE Javascript Error when Creating-Posting SC - JDK/JVM issue in SSL mode?!?

Hi SDN
We are running on SRM 5.0, with server at 5.5 and we have just implemented SP 11. Since then, our users running IE with the Sun JVM 1.4.2_10 are getting a JavaScript error everytime an applet loads (EPCF) on their page (in this case, it is the applet within the Document & Attachments section). Moreover, our portal is being hosted on an SSL secured server within our DMZ, in conjunction with a Provencia IDS System, Blue Coat hardarware, RadWare, ...etc.
The only way we can make that page work, is by disabling the Sun JVM (1.4.2.10) and use the MS Version of the Java Virtual Machine within IE. At that point, no issue with the applet on our SSL Secured Portal. Even funnier, is that when I'm calling directly the Portal Server (without the SSL proxy), even if i run the Sun JVM, I'm not getting the error. Since we have over 1000 users, it would be impossible to have all of them making that change... We need to make that work, especially that the IE JVM is not supported anymore.
Have you ever experienced something like that? If yes, what have you done to fix it? Any suggestion, OSS notes
Thanks in advance
Eric L.

Hi Andrea
This is the Javascript Error I'm receiving (extracted for the JVM Console). I thought I've found an OSS Note (1140460) but it did'nt work.
22/08/08 10:29:30 AM INFO
     DataBag #0 getObjectType: urn:com.sapportals.portal.SWF2EPCM:DataBag BBP0002.0001.00000000 class Null
Invoking method: public com.sapportals.portal.epcf.IDataBag com.sapportals.portal.epcf.EPCMfactory.getDataBag()
Invoking method: public java.lang.Object com.sapportals.portal.epcf.DataBag.getObject(java.lang.String,java.lang.String)
Needs conversion: java.lang.String --> java.lang.String
Needs conversion: java.lang.String --> java.lang.String
22/08/08 10:29:30 AM INFO
     DataBag #0 getObject: urn:com.sapportals.portal.SWF2EPCM:DataBag BBP0002.0001.00000000 null
Invoking method: public com.sapportals.portal.epcf.IDataBag com.sapportals.portal.epcf.EPCMfactory.getDataBag()
java.lang.ClassCastException
     at sun.plugin.com.DispatchImpl.convertParams(Unknown Source)
     at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
     at sun.plugin.com.DispatchImpl$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.plugin.com.DispatchImpl.invoke(Unknown Source)
java.lang.Exception: java.lang.ClassCastException
     at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
     at sun.plugin.com.DispatchImpl$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.plugin.com.DispatchImpl.invoke(Unknown Source)

Error while trying SSL on OHS

I'm getting "Init: SSL call to NZ function nzos_OpenWallet failed with error 29248" error in log file HTTP_Server~1 while starting OHS (using opmnctl startall).
I created a Wallet with auto login option checked. I was able to create certificate Request and got a certificate from verisign (14 days Validity). I imported Root certificate and intermediate certificate from verisign into the wallet and then successfully imported the trial certificate. After saving the wallet in default location I got 2 files (cwallet.sso and ewallet.p12) there.
Configuration in opmn.xml is :
<ias-component id="HTTP_Server">
<process-type id="HTTP_Server" module-id="OHS">
<environment>
<variable id="PERL5LIB" value="D:\product\10.1.3\OracleAS_1\Apache\Apache\mod_perl\site\5.8.3\lib\MSWin32-x86-multi-thread;$ORACLE_HOME\perl\5.8.3\lib;$ORACLE_HOME\perl\site\5.8.3\lib"/>
<variable id="PHPRC" value="D:\product\10.1.3\OracleAS_1\Apache\Apache\conf"/>
<variable id="PATH"
value="$ORACLE_HOME\Perl\5.8.3\bin\MSWin32-x86-multi-thread" append="true"/>
</environment>
<module-data>
<category id="start-parameters">
<data id="start-mode" value="ssl-enabled"/>
</category>
</module-data>
<process-set id="HTTP_Server" numprocs="1"/>
</process-type>
</ias-component>
my httpd.conf file is as follows:
## httpd.conf -- Apache HTTP server configuration file
# Based upon the NCSA server configuration files originally by Rob McCool.
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://www.apache.org/docs/> for detailed information about
# the directives.
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# After this file is processed, the server will look for and process
# D:\product\10.1.3\OracleAS_1\Apache\Apache/conf/srm.conf and then D:\product\10.1.3\OracleAS_1\Apache\Apache/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do not begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "D:\product\10.1.3\OracleAS_1\Apache\Apache" will be interpreted by the
# server as "D:\product\10.1.3\OracleAS_1\Apache\Apache/logs/foo.log".
# NOTE: Where filenames are specified, you must use forward slashes
# instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
# If a drive letter is omitted, the drive on which Apache.exe is located
# will be used by default. It is recommended that you always supply
# an explicit drive letter in absolute paths, however, to avoid
# confusion.
### Section 1: Global Environment
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
# ServerType is either inetd, or standalone. Inetd mode is only supported on
# Unix platforms.
ServerType standalone
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
# Do NOT add a slash at the end of the directory path.
ServerRoot "D:\product\10.1.3\OracleAS_1\Apache\Apache"
# PidFile: The file in which the server should record its process
# identification number when it starts.
PidFile logs/httpd.pid
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this. But if yours does (you'll know because
# this file will be created when you run Apache) then you must ensure that
# no two invocations of Apache share the same scoreboard file.
ScoreBoardFile logs/httpd.scoreboard
# In the standard configuration, the server will process httpd.conf (this
# file, specified by the -f command line option), srm.conf, and access.conf
# in that order. The latter two files are now distributed empty, as it is
# recommended that all directives be kept in a single file for simplicity.
# The commented-out values below are the built-in defaults. You can have the
# server ignore these files altogether by using "/dev/null" (for Unix) or
# "nul" (for Win32) for the arguments to the directives.
#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf
# Timeout: The number of seconds before receives and sends time out.
Timeout 300
# SendBufferSize: controls setsockopt() call made to set send buffer size on
# all sockets. Default OS value on most Windows platforms is too small.
# Larger values can help if the average page size served by OHS is
# large (~64 k)
SendBufferSize 16384
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
KeepAliveTimeout 15
# Apache on Win32 always creates one child process to handle requests. If it
# dies, another child process is created automatically. Within the child
# process multiple threads handle incoming requests. The next two
# directives control the behaviour of the threads and processes.
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies. The child will exit so
# as to avoid problems after prolonged use when Apache (and maybe the
# libraries it uses) leak memory or other resources. On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries. For Win32, set this value to zero (unlimited)
# unless advised otherwise.
# NOTE: This value does not include keepalive requests after the initial
# request per connection. For example, if a child process handles
# an initial request and 10 subsequent "keptalive" requests, it
# would only count as 1 request towards this limit.
MaxRequestsPerChild 0
# Number of concurrent threads (i.e., requests) the server will allow.
# Set this value according to the responsiveness of the server (more
# requests active at once means they're all handled more slowly) and
# the amount of system resources you'll allow the server to consume.
ThreadsPerChild 50
# Server-pool size regulation. Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
# It does this by periodically checking how many servers are waiting
# for a request. If there are fewer than MinSpareServers, it creates
# a new spare. If there are more than MaxSpareServers, some of the
# spares die off. The default values are probably OK for most sites.
#MinSpareServers 5
#MaxSpareServers 20
# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# the system with it as it spirals down...
#MaxClients 150
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#Listen 3000
#Listen 12.34.56.78:80
# BindAddress: You can support virtual hosts with this option. This directive
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the <VirtualHost> and Listen directives.
#BindAddress *
# Dynamic Shared Object (DSO) Support
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available before they are used.
# Please read the file README.DSO in the Apache 1.3 distribution for more
# details about the DSO mechanism and run `apache -l' for the list of already
# built-in (statically linked and thus always available) modules in your Apache
# binary.
# Note: The order in which modules are loaded is important. Don't change
# the order below without expert advice.
# Example:
# LoadModule foo_module libexec/mod_foo.dll
LoadModule mime_magic_module modules/ApacheModuleMimeMagic.dll
LoadModule mime_module modules/ApacheModuleMime.dll
LoadModule dbm_auth_module modules/ApacheModuleAuthDBM.dll
LoadModule digest_auth_module modules/ApacheModuleAuthDigest.dll
LoadModule anon_auth_module modules/ApacheModuleAuthAnon.dll
LoadModule cern_meta_module modules/ApacheModuleCERNMeta.dll
LoadModule digest_module modules/ApacheModuleDigest.dll
LoadModule expires_module modules/ApacheModuleExpires.dll
LoadModule headers_module modules/ApacheModuleHeaders.dll
LoadModule proxy_module modules/ApacheModuleProxy.dll
LoadModule speling_module modules/ApacheModuleSpeling.dll
LoadModule status_module modules/ApacheModuleStatus.dll
LoadModule info_module modules/ApacheModuleInfo.dll
LoadModule usertrack_module modules/ApacheModuleUserTrack.dll
LoadModule vhost_alias_module modules/ApacheModuleVhostAlias.dll
LoadModule agent_log_module modules/ApacheModuleLogAgent.dll
LoadModule referer_log_module modules/ApacheModuleLogReferer.dll
LoadModule perl_module modules/ApacheModulePerl.DLL
LoadModule fastcgi_module modules/ApacheModuleFastCGI.dll
LoadModule php4_module modules/ApacheModulePHP4.dll
LoadModule onsint_module modules/ApacheModuleOnsint.dll
LoadModule wchandshake_module modules/ApacheModuleWchandshake.dll
ClearModuleList
AddModule mod_so.c
AddModule mod_onsint.c
AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_negotiation.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
#AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_setenvif.c
AddModule mod_isapi.c
AddModule mod_vhost_alias.c
AddModule mod_log_referer.c
AddModule mod_log_agent.c
AddModule mod_auth_anon.c
AddModule mod_auth_dbm.c
AddModule mod_auth_digest.c
AddModule mod_cern_meta.c
AddModule mod_digest.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_proxy.c
AddModule mod_speling.c
AddModule mod_info.c
AddModule mod_status.c
AddModule mod_usertrack.c
AddModule mod_perl.c
AddModule mod_fastcgi.c
AddModule mod_php4.c
AddModule mod_wchandshake.c
<IfDefine SSL>
LoadModule ossl_module modules/ApacheModuleOSSL.DLL
</IfDefine>
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
ExtendedStatus On
### Section 2: 'Main' server configuration
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
# Port: The port to which the standalone server listens. Certain firewall
# products must be configured before Apache can listen to a specific port.
# Other running httpd servers will also interfere with this port. Disable
# all firewall, security, and other services if you encounter problems.
# To help diagnose problems use the Windows NT command NETSTAT -a
Port 7777
Listen 7777
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents.
ServerAdmin [email protected]
# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e., use
# "www" instead of the host's real name).
# Note: You cannot just invent host names and hope they work. The name you
# define here must be a valid DNS name for your host. If you don't understand
# this, ask your network administrator.
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address (e.g., http://123.45.67.89/)
# anyway, and this will make redirections work in a sensible way.
# 127.0.0.1 is the TCP/IP local loop-back address, often named localhost. Your
# machine always knows itself by this address. If you use Apache strictly for
# local testing and development, you may use 127.0.0.1 as the server name.
ServerName IFLMUD5DLHY4G.i-flex.com
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "D:\product\10.1.3\OracleAS_1\Apache\Apache\htdocs"
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# First, we configure the "default" to be a very restrictive set of
# permissions.
<Directory />
Options FollowSymLinks MultiViews
AllowOverride None
</Directory>
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
# This should be changed to whatever you set DocumentRoot to.
<Directory "D:\product\10.1.3\OracleAS_1\Apache\Apache\htdocs">
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
# Note that "MultiViews" must be named explicitly --- "Options All"
# doesn't give it to you.
Options FollowSymLinks MultiViews
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
AllowOverride None
# Controls who can get stuff from this server.
Order allow,deny
Allow from all
</Directory>
# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is received.
# Under Win32, we do not currently try to determine the home directory of
# a Windows login, so a format such as that below needs to be used. See
# the UserDir documentation for details.
<IfModule mod_userdir.c>
UserDir "D:\product\10.1.3\OracleAS_1\Apache\Apache\users\"
</IfModule>
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS PROPFIND>
# Order allow,deny
# Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS PROPFIND>
# Order deny,allow
# Deny from all
# </LimitExcept>
#</Directory>
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
# directory index. Separate multiple entries with spaces.
<IfModule mod_dir.c>
DirectoryIndex index.html
</IfModule>
# AccessFileName: The name of the file to look for in each directory
# for access control information.
AccessFileName .htaccess
# The following lines prevent .htaccess files from being viewed by
# Web clients. Since .htaccess files often contain authorization
# information, access is disallowed for security reasons. Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files. If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.
#CacheNegotiatedDocs
# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name. With this setting off, Apache will
# use the hostname:port that the client supplied, when possible. This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
UseCanonicalName On
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
<IfModule mod_mime.c>
TypesConfig conf/mime.types
</IfModule>
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
DefaultType text/plain
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
# mod_mime_magic is not part of the default server (you have to add
# it yourself with a LoadModule [see the DSO paragraph in the 'Global
# Environment' section], or recompile the server and include mod_mime_magic
# as part of the configuration), so it's enclosed in an <IfModule> container.
# This means that the MIMEMagicFile directive will only be processed if the
# module is part of the server.
<IfModule mod_mime_magic.c>
MIMEMagicFile conf/magic
</IfModule>
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you do define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/error_log 43200"
# LogLevel: Control the number of messages logged to the error.log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# Alternate "common" format to use when fronted by webcache:
# LogFormat "%{ClientIP}i %l %u %t \"%r\" %>s %b %h" common_webcache
# When webcache is forwarding requests to OHS, %h becomes the IP of
# the originating webcache server and the real client IP is stored
# in the ClientIP header. The common_webcache format can be used
# in place of the common format when using webcache but with one
# important caveat: if clients are capable of bypassing webcache
# then it is possible to spoof the client IP by manually setting
# the ClientIP header so the %h field should be monitored in such
# an environment. Another alternative to specifying the ClientIP
# header directly in a LogFormat is to use the "UseWebCacheIp"
# directive:
# UseWebCacheIp On
# When this is specified, %h is derived internally from the ClientIP
# header and the access log format does not need to be modified.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you do
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and not in this file.
CustomLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/access_log 43200" common
# If you would like to have agent and referer logfiles, uncomment the
# following directives.
#CustomLog logs/referer.log referer
#CustomLog logs/agent.log agent
# If you prefer a single logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#CustomLog logs/access.log combined
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature On
# Apache parses all CGI scripts for the shebang line by default.
# This comment line, the first line of the script, consists of the symbols
# pound (#) and exclamation (!) followed by the path of the program that
# can execute this specific script. For a perl script, with perl.exe in
# the C:\Program Files\Perl directory, the shebang line should be:
#!c:/program files/perl/perl
# Note you mustnot_ indent the actual shebang line, and it must be the
# first line of the file. Of course, CGI processing must be enabled by
# the appropriate ScriptAlias or Options ExecCGI directives for the files
# or directory in question.
# However, Apache on Windows allows either the Unix behavior above, or can
# use the Registry to match files by extention. The command to execute
# a file of this type is retrieved from the registry by the same method as
# the Windows Explorer would use to handle double-clicking on a file.
# These script actions can be configured from the Windows Explorer View menu,
# 'Folder Options', and reviewing the 'File Types' tab. Clicking the Edit
# button allows you to modify the Actions, of which Apache 1.3 attempts to
# perform the 'Open' Action, and failing that it will try the shebang line.
# This behavior is subject to change in Apache release 2.0.
# Each mechanism has it's own specific security weaknesses, from the means
# to run a program you didn't intend the website owner to invoke, and the
# best method is a matter of great debate.
# To enable the this Windows specific behavior (and therefore -disable- the
# equivilant Unix behavior), uncomment the following directive:
#ScriptInterpreterSource registry
# The directive above can be placed in individual <Directory> blocks or the
# .htaccess file, with either the 'registry' (Windows behavior) or 'script'
# (Unix behavior) option, and will override this server default option.
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
<IfModule mod_alias.c>
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/"..
Alias /icons/ "D:\product\10.1.3\OracleAS_1\Apache\Apache\icons/"
Alias /javacachedocs/ "D:\product\10.1.3\OracleAS_1\javacache\javadoc/"
<IfModule mod_perl.c>
Alias /perl/ "D:\product\10.1.3\OracleAS_1\Apache\Apache/cgi-bin/"
</IfModule>
<Directory "icons">
Options MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
ScriptAlias /cgi-bin/ "D:\product\10.1.3\OracleAS_1\Apache\Apache\cgi-bin/"
# "D:\product\10.1.3\OracleAS_1\Apache\Apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory "D:\product\10.1.3\OracleAS_1\Apache\Apache\cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</IfModule>
# End of aliases.
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
# Directives controlling the display of server-generated directory listings.
<IfModule mod_autoindex.c>
# FancyIndexing is whether you want fancy directory indexing or standard
# Note, add the option TrackModified to the IndexOptions default list only
# if all indexed directories reside on NTFS volumes. The TrackModified flag
# will report the Last-Modified date to assist caches and proxies to properly
# track directory changes, but it does not work on FAT volumes.
IndexOptions FancyIndexing
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
DefaultIcon /icons/unknown.gif
# AddDescription allows you to place a short description after a file in
# server-generated indexes. These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
# HeaderName is the name of a file which should be prepended to
# directory indexes.
# If MultiViews are amongst the Options in effect, the server will
# first look for name.html and include it if found. If name.html
# doesn't exist, the server will then look for name.txt and include
# it as plaintext if found.
ReadmeName README
HeaderName HEADER
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
</IfModule>
# End of indexing directives.
# Document types.
<IfModule mod_mime.c>
# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
# AddLanguage allows you to specify the language of a document. You can
# then use content negotiation to give a browser a file in a language
# it can understand.
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
# Note 2: The example entries below illustrate that in quite
# some cases the two character 'Language' abbriviation is not
# identical to the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. But there is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
# Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
# French (fr) - German (de) - Greek-Modern (el)
# Italian (it) - Korean (kr) - Norwegian (no)
# Portugese (pt) - Luxembourgeois* (ltz)
# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
# Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
# Russian (ru)
AddLanguage ar .ar
AddLanguage da .dk .da
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .ee
AddLanguage fi .fi
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage es .es_ES .es
AddLanguage he .he .iw
AddLanguage hu .hu
AddCharset ISO-8859-8 .iso8859-8
AddLanguage it .it
AddLanguage ja .ja
AddCharset ISO-2022-JP .jis
AddLanguage ko .ko
AddLanguage kr .kr
AddCharset ISO-2022-KR .iso-kr
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddCharset ISO-8859-2 .iso-pl
AddLanguage pt .pt
AddLanguage pt-br .pt_BR .pt-br
AddLanguage ltz .lu
AddLanguage ca .ca
AddLanguage sk .sk
AddLanguage sv .sv
AddLanguage th .th
AddLanguage tr .tr
AddLanguage cz .cz .cs
AddLanguage ro .ro
AddLanguage ru .ru
AddLanguage zh-cn .zh_CN
AddLanguage zh-tw .zh_TW
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251
AddCharset CP866 .cp866
AddCharset ISO-8859-5 .iso-ru
AddCharset KOI8-R .koi8-r
AddCharset UCS-2 .ucs2
AddCharset UCS-4 .ucs4
AddCharset UTF-8 .utf8
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
<IfModule mod_negotiation.c>
LanguagePriority ar en da nl et fi fr de el it ja ko kr no pl pt pt-br ro ru ltz ca es sk sv th tr zh-cn zh-tw zh-cn
</IfModule>
# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
# For example, the PHP 3.x module (not part of the Apache distribution - see
# http://www.php.net) will typically use:
#AddType application/x-httpd-php3 .php3
#AddType application/x-httpd-php3-source .phps
# And for PHP 4.x, use:
AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps
AddType application/x-tar .tgz
# AddHandler allows you to map certain file extensions to "handlers",
# actions unrelated to filetype. These can be either built into the server
# or added with the Action command (see below)
# If you want to use server side includes, or CGI outside
# ScriptAliased directories, uncomment the following lines.
# To use CGI scripts:
#AddHandler cgi-script .cgi
# To use server-parsed HTML files
#AddType text/html .shtml
#AddHandler server-parsed .shtml
# Uncomment the following line to enable Apache's send-asis HTTP file
# feature
#AddHandler send-as-is asis
# If you wish to use server-parsed imagemap files, use
#AddHandler imap-file map
# To enable type maps, you might want to use
#AddHandler type-map var
</IfModule>
# End of document types.
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
# MetaDir: specifies the name of the directory in which Apache can find
# meta information files. These files contain additional HTTP headers
# to include when sending the document
#MetaDir .web
# MetaSuffix: specifies the file name suffix for the file containing the
# meta information.
#MetaSuffix .meta
# Customizable error response (Apache style)
# these come in three flavors
# 1) plain text
#ErrorDocument 500 "The server made a boo boo.
# n.b. the single leading (") marks it as text, it does not get output
# 2) local redirects
#ErrorDocument 404 /missing.html
# to redirect to local URL /missing.html
#ErrorDocument 404 /cgi-bin/missing_handler.pl
# N.B.: You can redirect to a script or a document using server-side-includes.
# 3) external redirects
#ErrorDocument 402 http://some.other_server.com/subscription_info.html
# N.B.: Many of the environment variables associated with the original
# request will not be available to such a script.
# Customize behaviour based on the browser
<IfModule mod_setenvif.c>
# The following directives modify normal HTTP response behavior.
# The first directive disables keepalive for Netscape 2.x and browsers that
# spoof it. There are known problems with these browser implementations.
# The second directive is for Microsoft Internet Explorer 4.0b2
# which has a broken HTTP/1.1 implementation and does not properly
# support keepalive when it is used on 301 or 302 (redirect) responses.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
# The following directive disables HTTP/1.1 responses to browsers which
# are in violation of the HTTP/1.0 spec by not being able to grok a
# basic 1.1 response.
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>
# End of browser customization directives
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost IFLMUD5DLHY4G.i-flex.com IFLMUD5DLHY4G
</Location>
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".your_domain.com" to match your domain to enable.
#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>
# There have been reports of people trying to abuse an old bug from pre-1.1
# days. This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org. Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#<Location /cgi-bin/phf*>
# Deny from all
# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#<IfModule mod_proxy.c>
# ProxyRequests On
# <Directory proxy:*>
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
# </Directory>
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
# ProxyVia On
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
# CacheRoot "D:\product\10.1.3\OracleAS_1\Apache\Apache\proxy"
# CacheSize 5
# CacheGcInterval 4
# CacheMaxExpire 24
# CacheLastModifiedFactor 0.1
# CacheDefaultExpire 1
# NoCache a_domain.com another_domain.edu joes.garage_sale.com
#</IfModule>
# End of proxy directives.
### Section 3: Virtual Hosts
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
# for further details before you try to setup virtual hosts.
# You may use the command line option '-S' to verify your virtual host
# configuration.
# Use name-based virtual hosting.
#NameVirtualHost *
#NameVirtualHost 12.34.56.78:80
#NameVirtualHost 12.34.56.78
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#<VirtualHost *>
# ServerAdmin [email protected]
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
#<VirtualHost default:*>
#</VirtualHost>
# Required for cgi perl scripts that are run from /cgi-bin/.
SetEnv PERL5LIB "D:\product\10.1.3\OracleAS_1\perl\5.8.3\lib;D:\product\10.1.3\OracleAS_1\perl\site\5.8.3\lib"
<IfModule mod_perl.c>
# Perl Directives
# PerlWarn On
# PerlFreshRestart On
# PerlSetEnv PERL5OPT Tw
# PerlSetEnv PERL5LIB "D:\product\10.1.3\OracleAS_1\perl\5.8.3\lib;D:\product\10.1.3\OracleAS_1\perl\site\5.8.3\lib"
PerlModule Apache
# PerlModule Apache::Status
PerlModule Apache::Registry
# PerlModule Apache::CGI
# PerlModule Apache::DBI
# PerlRequire
<Location /perl>
SetHandler perl-script
PerlHandler Apache::Registry
AddHandler perl-script .pl
Options +ExecCGI
PerlSendHeader On
</Location>
# <Location /perl-status>
# SetHandler perl-script
# PerlHandler Apache::Status
# order deny,allow
# deny from all
# allow from localhost
# </Location>
</IfModule>
#Protect WEB-INF directory
<DirectoryMatch /WEB-INF/>
Order deny,allow
Deny from all
</DirectoryMatch>
# Setup of FastCGI module
<IfModule mod_fastcgi.c>
Alias /fastcgi/ "D:\product\10.1.3\OracleAS_1\Apache\Apache\fastcgi/"
ScriptAlias /fcgi-bin/ "D:\product\10.1.3\OracleAS_1\Apache\Apache\fcgi-bin/"
<Directory "D:\product\10.1.3\OracleAS_1\Apache\Apache\fcgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
SetHandler fastcgi-script
<IfModule mod_ossl.c>
SSLOptions +StdEnvVars
</IfModule>
</Directory>
</IfModule>
# Include the mod_oc4j configuration file
include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\mod_oc4j.conf"
# Include the mod_dms configuration file
include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\dms.conf"
# Loading rewrite_module here so it loads before mod_oc4j
LoadModule rewrite_module modules/ApacheModuleRewrite.dll
# Include the SSL definitions and Virtual Host container
include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\ssl.conf"
# Include the mod_osso configuration file
#include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\mod_osso.conf"
# Include the Oracle configuration file for custom settings
include "D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\oracle_apache.conf"
my ssl.conf is as follows:
<IfDefine SSL>
## SSL Global Context
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache dbm:logs\ssl_scache
#SSLSessionCache shmht:logs\ssl_scache(512000)
SSLSessionCache shmcb:logs\ssl_scache(512000)
# SessionCache Timeout:
# This directive sets the timeout in seconds for the information stored
# in the global/inter-process SSL Session Cache. It can be set as low as
# 15 for testing, but should be set to higher values like 300 in real life.
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual explusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex sem
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog logs\ssl_engine_log
SSLLogLevel warn
## SSL Virtual Host Context
# NOTE: this value should match the SSL Listen directive set previously in this
# file otherwise your virtual host will not respond to SSL requests.
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
## SSL Support
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
# NOTE: if virtual hosts are used and you change a port value below
# from the original value, be sure to update the default port used
# for your virtual hosts as well.
Listen 443
<VirtualHost IFLMUD5DLHY4G.i-flex.com:443>
# General setup for the virtual host
DocumentRoot "D:\product\10.1.3\OracleAS_1\Apache\Apache\htdocs"
ServerName IFLMUD5DLHY4G.i-flex.com
#ServerAdmin [email protected]
ErrorLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/error_log 43200"
TransferLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/access_log 43200"
Port 443
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# Server Wallet:
# The server wallet contains the server's certificate, private key
# and trusted certificates. Set SSLWallet at the wallet directory
# using the syntax: file:<path-to-wallet-directory>
SSLWallet D:\product\10.1.3\OracleAS_1\Apache\Apache\conf\ssl.wlt\default\ewallet.p12
#SSLWalletPassword iflex2007
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath conf\ssl.crl
#SSLCARevocationFile conf\ssl.crl\ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional and require
SSLVerifyClient optional
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o CompatEnvVars:
# This exports obsolete environment variables for backward compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
# to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars
</Files>
<Directory "D:\product\10.1.3\OracleAS_1\Apache\Apache\cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent "MSIE" nokeepalive ssl-unclean-shutdown
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "|D:\product\10.1.3\OracleAS_1\Apache\Apache\bin\rotatelogs logs/ssl_request_log 43200" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
Please help me rectifying this error.
Thanks a lot in advance.

Hi,
Found a note explaining the significance of these errors.
It says:
"NZE-28862: SSL connection failed
Cause: This error occurred because the peer closed the connection.
Action: Enable Oracle Net tracing on both sides and examine the trace output. Contact Oracle Customer support with the trace output."
For further details you may refer the Note: 244527.1 - Explanation of "SSL call to NZ function nzos_Handshake failed" error codes
Thanks & Regards,
Sindhiya V.

Issue in applying SSL selectively to Login JSP Page--Session getting lost.

Hi,
I am facing some issues with SSL configuration on my web site running on tomcat 5.5. I am using jdk 1.5 and form based authentication with JAAS framework.
The SSL configuration is working perfectly when applied to complete web site, but starts giving problem when applied selectively to some JSP pages. At present I am trying to apply SSL just on the login page.
When the login screen loads up, the URL in the browser has a protocol "*https*", as expected, but it doesn't gets changed to "*http*" once the user has successfully logged in. Why is the automatic change from https to http not ocurring?
Also I want to know which is the default page, tomcat will direct the logged in user to, once successfully authenticated using form based login; Is there any way to change this default page to some other page. It looks like that tomcat automatically directs to index.html , once the user has been successfully authenticated, but I am not so sure. My index.html page is having 4 frames; the source of these frames are different JSP pages, which are not under SSL.
My aim is to apply SSL just on login.jsp so that password doesn't travel in clear text. Once the user is authenticated he should see index.html and the address bar's URL should change it's protocol from https to http.
Please, find below the code in my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>CWA Application</web-resource-name>
<url-pattern>/about.jsp</url-pattern>
<url-pattern>/admin_listds.jsp</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/*login.jsp*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>CWA Application</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp?error=true</form-error-page>
</form-login-config>
</login-config>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
My login. jsp has below code:
<form name="login" method="POST" action='<%= response.encodeURL(*"j_security_check*") %>' >
<tr>
<td width="100%">
<table width="260" border="0" cellspacing="0" cellpadding="1">
<tr>
<td align="left" valign="top" rowspan="4"><img src="images/space.gif" width="15" height="5"></td>
<td align="right" class="login-user" nowrap ><p>User name: </p></td>
<td align="left" valign="top"><input maxLength="64" name="j_username" size="20"></td>
</tr>
<tr>
<td align="right" nowrap class="login-user"><p>Password: </p>
</td>
<td align="left" valign="top">
<input maxLength=\"64\" tabindex="2" type="password" name="j_password" size="20">
</td>
</tr>
</form>
The entries in my server.xml are following:
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${java.home}\lib\security\cacerts" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />
I have gone through the http://forums.sun.com/thread.jspa?threadID=197150 and tried implementing it; The filter as explained in the thread does gets called but the session values are still lost.
Please note I am using javascript to go from secure "https" to "http" once the user has successfully logged in The javascript code is as below:
top.location.href="http://localhost:8080/qtv/index.html." ;
If I use response.sendRedirect("http://localhost:8080/qtv/index.html") for going to non-secure mode, the index.html page does not gets loaded properly. (Please note that my index.html is made of *4 frames*, as explained earlier. This is a legacy code and frames can't be removed).
The reason for index.html not getting loaded properly is that the Address bar URL does NOT change its URL and protocol from https (https://localhost:8443/qtv/index.html ) to "*http*" (http://localhost:8080/qtv/index.html) when esponse.sendRedirect() is used ;this is the default behaviour of response.sendRedirect(). And because the protocol in address bar is https, index.html is not able to load the other JSP's in it's frames because of cross-frame-scripting security issues (The other JSP's to be loaded in frames are are NOT secure as discussed earlier).
Please let know if any way out.
Thanks,
Masaai

Hi
try to set the maximum interval between requests
eg:
session.setMaxInactiveInterval(6000);
vis

Reading private key: works in jdk 1.5, but throws exception in 1.4

Hello,
I am trying to read an RSA private key from a file. I am using the following code snippet:
KeySpec spec = new RSAPrivateKeySpec(modulus, pExp);
KeyFactory factory = KeyFactory.getInstance("RSA");
PrivateKey key = factory.generatePrivate(spec);
This runs perfectly fine under jdk 1.5 on keys I generate with OpenSSL. However, if I recompile and run under jdk 1.4, I get the following exception:
java.security.spec.InvalidKeySpecException: Unknown key spec.
     at com.sun.net.ssl.internal.ssl.JS_KeyFactory.engineGeneratePrivate(DashoA6275)
     at com.sun.net.ssl.internal.ssl.JSA_RSAKeyFactory.engineGeneratePrivate(DashoA6275)
     at java.security.KeyFactory.generatePrivate(KeyFactory.java:237)
I have also tried using RSAPrivateCrtKeySpec but I get the same error. Can anyone shed some light on what is going on?
Thank you.

'Unlimited Strength Jurisdiction Policy Files 1.4' Could be the solution.
I had a similar problem with java 1.4 and those files do the work.
... finally the problem was that the password that protectd the keystore had 7 characters, using one of 5 characters works ok...

HTTPS from JDK1.2.1 to JDK 1.4.1

We are trying to connect application running on JDK1.2.1 to application in JDK 1.4.1. Both applications are in Oracle 9ias application server but with different JDK and different physical machines.
We are getting following error while trying to access to application on JDK 1.4.1
java.lang.ArrayStoreException
at java.lang.System.arraycopy(System.java)
at java.util.Vector.copyInto(Vector.java)
at com.sun.net.ssl.internal.www.protocol.https.ChunkedInputStream.c(DashoA6275)
at
com.sun.net.ssl.internal.www.protocol.https.ChunkedInputStream.<init>(DashoA6275
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.b(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.a(DashoA6275)
at
com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.getInputStream(Da
shoA6275)
at Perc939CallServlet.callServlet(Perc939CallServlet.java:103)
We are using Entrust certificate and we already put cacerts file from jdk1.4 to jdk1.2.1 in jdk/jre/lib/security.
This application was working till we upgraded version from 1.3.1 to 1.4.1.
Is this is problem of 1.4.1 and how do we resolve this?
Small code that will help is as follows
//Dynamic registration of SunJSSE provider
System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("ssl.SocketFactory.provider", "com.sun.net.ssl.internal.ssl.Provider");
//Create a URL object from the sURL String representation.
uRemoteURL = new URL(sURL);
//Get a connection to the remote object referred to by the URL
ucConn = uRemoteURL.openConnection();
//Set the DoOutput flag to true to use the URL connection for output
ucConn.setDoOutput(true);
ucConn.setRequestProperty("Pragma", "no-cache");
oosToWrite = new ObjectOutputStream(ucConn.getOutputStream());
//Write sInputString to the OutputStream which will be read from the remote servlet
oosToWrite.writeObject(sInputString);
oosToWrite.flush();
oosToWrite.close();
ucConn.connect();
System.out.println("Connection " + ucConn.toString());
if(ucConn==null)
System.out.println("Connection is Null");
System.out.println("getInputStream " + ucConn.getInputStream());
if(ucConn.getInputStream()==null)
System.out.println("ucConn.getInputStream() is Null");
// Read the string object from the InputStream and return
oisToRead = new ObjectInputStream(ucConn.getInputStream());
Object oReadObject = oisToRead.readObject();
sOutputString = oReadObject.toString();
oisToRead.close();
return (sOutputString);

Basically ArrayStoreException comes :
Indicate that an attempt has been made to store the wrong type of object into an array of objects.
But in jdk1.4.1 it is said that
No usage of java.lang.ArrayStoreException
it may be problem of jdk1.4.1 and try to upgrade to 1.4.2
Regards,
Anand

SSL CertGen & Private key import errors - 7.0

I am trying to install weblogic generated ssl certificate and because the private
key needs to be encrypted with a password, i am loading this in a new JDK keystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Created Private Key files - testkey.der and testkey.pem
com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
to encode X500Name.
at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
at utils.CertGen.createCertificateRequest(CertGen.java:312)
at utils.CertGen.processCommand(CertGen.java:185)
at utils.CertGen.main(CertGen.java:170)
com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
to encode X500Name.
at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
at utils.CertGen.createCertificateRequest(CertGen.java:312)
at utils.CertGen.processCommand(CertGen.java:185)
at utils.CertGen.main(CertGen.java:170)
I went ahead and ran the same CertGen on unix and got the certificate file and
the key file
to my box to check to see if i can install it. I created a new keystore with keytool,
loaded the private key with the alias and the password phrase, made this key store
the default keystore, supplied the management password, changed the files to read
the new cert file and key file.
Attached is the log for the SSL debug.
Do i need to import the private key stored in the JDK for weblogic ? I tried doing
that by running.
X:\>java utils.ImportPrivateKey X:\bea\user_projects\mydomain\mystore.jks mypass
myalias pvtPasswd X:\bea\user_projects\mydomain\localcert.pem X:\bea\user_projects\mydomain\localkey.pem
ImportPrivateKey will use existing X:\bea\user_projects\mydomain\mystore.jks
ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
ASN.1 tag
java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
Source)
at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
Source)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
X:\>
Attached log is SSL debug enabled and it cant see the private key.
Any help is appreciated.
thanks,
mallik
[ssldebuglog.txt]

"Mallik" <[email protected]> wrote in message
news:3f3274e9$[email protected]..
>
I am trying to install weblogic generated ssl certificate and because theprivate
key needs to be encrypted with a password, i am loading this in a new JDKkeystore
and trying to configure WL.
I am running utils.CertGen from weblogic 7.0 sp3 on XP.
X:\SSLTest>java utils.CertGen testpassword testcert testkey
Creating Domestic Key Strength - 1024
..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
Encoding
Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
in hostnames.

WL 7.x, JDK 1.4, SSL

Similar Messages

Maybe you are looking for