WLS81sp6 and webservices ssl issues ?

Similar Messages

• 2-Way SSL and Webservices

  Greetings,
  After spending some time searching the docs and several dev2dev newsgroups I haven't been able to find a clear cut answer to an urgent question:
  I have a two webservices, the client (.jpd) and the server (.jws) which are installed on a separate weblogic 8.1 instances on different machines. The requirement is that the webservices must communicate with one another only over a 2-Way SSL connection.
  My question is how to setup this 2-way SSL configuration between the client and sever webservices. Do I need to write code or can I configure it using the web.xml files of the two webservies? I don't think it would make sense to configure the two weblogic instances to always use 2-WaySSL (via the startup script or config.xml), in which case the webservies might not inherit the truststore and other SSL connfiguration of the respective instances.
  If someone has already solved this problem, I would appreaciate to hear from you. This is an urgent problem and I am stumped. Any help would be appreciated!
  Regards

  Hi,
  I am trying to use 2 way ssl using webservices client , here is my code :
  AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
  SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
  // clientCredentialFile stores in PEM format the public key and
  // all the CAs associated with it + then the private key. All this in // a concatenated manner
  FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
  // private key password
  String pwd = "password";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
  adapter.setStrictCheckingDefault(false);
  factory.setDefaultAdapter(adapter);
  factory.setUseDefaultAdapter(true);
  boolean idAvailability = false;
  UNSLocator locator = new UNSLocator();
  URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
  UNSPort unsprt = locator.getUNSPort(portAddress);
  idAvailability = unsprt.isIDAvailable("Yulin125", "C");
  System.out.println("Got from method :"+idAvailability);
  After runing this code i am getting the following exception :
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
  faultSubcode:
  faultString: java.net.SocketException: Software caused connection abort: socket write error
  faultActor:
  faultNode:
  faultDetail:
  I am using .pem (clientsigned,clientinter,clientroot, root-key) files for client authentication and i am using server.jks as a keystore for my server authentication.Once i run this code , i am able to present the server certificate chain to the client but i am not able to present the client certificate chain to server.
  I am stuck with for quite sometime.
  Some insight needed from the guru's

• Cisco ASA 5505 and comodo SSL certificate

  Hey All,
  I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
  Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
  On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
  What am I missing here? I can post config if anyone needs it.
  (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

  It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
  ASA Version 9.0(2)
  hostname MyDomain-firewall-1
  domain-name MyDomain.com
  enable password omitted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  passwd omitted
  names
  name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
  name 10.200.0.0 MyDomain_New_IP description MyDomain_New
  name 10.100.0.0 MyDomain-Old description Inside_Old
  name XXX.XXX.XX.XX Provider description Provider_Wireless
  name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
  name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
  ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
  ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address Cisco_ASA_5505 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address Provider 255.255.255.252
  boot system disk0:/asa902-k8.bin
  ftp mode passive
  clock timezone PST -8
  clock summer-time PDT recurring
  dns domain-lookup inside
  dns server-group DefaultDNS
  name-server 10.0.3.21
  domain-name MyDomain.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network MyDomain-Employee
  subnet 192.168.208.0 255.255.255.0
  description MyDomain-Employee
  object-group network Inside-all
  description All Networks
  network-object MyDomain-Old 255.255.254.0
  network-object MyDomain_New_IP 255.255.192.0
  network-object host MyDomain-Inside
  access-list inside_access_in extended permit ip any4 any4
  access-list split-tunnel standard permit host 10.0.13.1
  pager lines 24
  logging enable
  logging buffered errors
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-712.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
  route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
  route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
  route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  action terminate
  dynamic-access-policy-record "Network Access Policy Allow VPN"
  description "Must have the Network Access Policy Enabled to get VPN access"
  aaa-server LDAP_Group protocol ldap
  aaa-server LDAP_Group (inside) host 10.0.3.21
  ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
  ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *****
  ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
  server-type microsoft
  user-identity default-domain LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http MyDomain_New_IP 255.255.192.0 inside
  http redirect outside 80
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint LOCAL-CA-SERVER
  keypair LOCAL-CA-SERVER
  no validation-usage
  no accept-subordinates
  no id-cert-issuer
  crl configure
  crypto ca trustpoint VPN
  enrollment terminal
  fqdn vpn.mydomain.com
  subject-name CN=vpn.mydomain.com,OU=IT
  keypair vpn.mydomain.com
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpool policy
  crypto ca server
  shutdown
  crypto ca certificate chain LOCAL-CA-SERVER
  certificate ca 01
      omitted
    quit
  crypto ca certificate chain VPN
  certificate
      omitted
    quit
  crypto ca certificate chain ASDM_TrustPoint1
  certificate ca
      omitted
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint VPN
  telnet timeout 5
  ssh MyDomain_New_IP 255.255.192.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
  dynamic-filter updater-client enable
  dynamic-filter use-database
  dynamic-filter enable
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
  ssl trust-point VPN outside
  webvpn
  enable outside
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
  anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
  anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
  anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
  anyconnect enable
  tunnel-group-list enable
  group-policy DfltGrpPolicy attributes
  dns-server value 10.0.3.21
  vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
  default-domain value MyDomain.com
  group-policy MyDomain-Employee internal
  group-policy MyDomain-Employee attributes
  wins-server none
  dns-server value 10.0.3.21
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value MyDomain.com
  webvpn
    anyconnect profiles value MyDomain-employee type user
  username MyDomainadmin password omitted encrypted privilege 15
  tunnel-group MyDomain-Employee type remote-access
  tunnel-group MyDomain-Employee general-attributes
  address-pool MyDomain-Employee-Pool
  authentication-server-group LDAP_Group LOCAL
  default-group-policy MyDomain-Employee
  tunnel-group MyDomain-Employee webvpn-attributes
  group-alias MyDomain-Employee enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
  : end
  asdm image disk0:/asdm-712.bin
  asdm location MyDomain_New_IP 255.255.192.0 inside
  asdm location MyDomain-Inside 255.255.255.255 inside
  asdm location MyDomain-Old 255.255.254.0 inside
  no asdm history enable

• The Ultimate Guide to Resolving Profile and Device Manager Issues

  The following article also applies to issues after re-setting the severs' hostname. It also applies to situations where re-setting the Code Signing Certifictateas described by Apple has not resolved the issue.
  Hello,
  I have been plagued with Profile Manager and Device Manager issues since day one.
  I would like to share my experience and to suggest a way how to resolve issues such as device cannot be enrolled or Code Signing Certificate not accepted.
  I shall try to be as brief as possible, just giving an overview of the steps that resolved my issues. The individual steps have been described elsewhere in this forum. For users who have purchased commercial SSL certs the following may not apply.
  In my view many of these issues are caused by missing or faulty certificates. So let us first touch on the very complex matter of certificates.
  Certificates come in many flavours such as CA (Certificate Authority), Code Signing Certificate, S/MIME and Server Identification.
  (Mountain?) Lion Server creates a so-called Intermediate CA certificate (IntermediateCA_hostname_1") and Server Identification Certificate ("hostname") when it installs first. This is critical for the  operation of many server functionalities, including Open Direcory. These certs together with the private/public keys can be found in your Keychain. Profile  and Device Manager may need a Code Signing Certificate.
  The most straightforward way to resolve the Profile Manaher issues is in my view to reset the server created certicates.
  The bad news is that this procedure involves quite a few steps and at least 2 hours of your precious time because it means creating a fresh Direcory Master.
  I hope that I have not forgotten to mention an important step. Readers' comments and addenda are welcome.
  I shall outline a sensible strategy:
  1. Clone your dysfunctional server to an external harddrive (SuperDuper does a reliable job)
  2. Start the server fom the clone and shut down ALL services.
  3. It may be sensible to set up a root user access.
  4. Back-up all user data such as addess book, calendar and other data that you *may* need to set up your server.
  5. Open Workgroup Manager and export all user and workgroup accounts to the drive that you using to re-build your server (it may cause problems if you back-up to an external drive).
  6. Just in case you may also want to back-up the Profile Manager database and erase user profiles:
  In Terminal (this applies to Lion Server - paths may be diferent in Mountain Lion !)
  Backup: sudo pg_dump -U _postgres -c device_management > $HOME/device_management.sql
  Erase database:
  sudo /usr/share/devicemgr/backend/wipeDB.sh
  7. Note your Directory (diradmin) password for later if you want to re-use it.
  8. Open Open Server Admin and demote OD Master to Standalone Directory.
  9. In Terminal delete the old Certificate Authority
  sudo rm -R /var/root/Library/Application\ Support/Certificate\ Authority/
  This step is crucial because else re-building you OD Master will fail.
  9. Go back to Server Admin and promote the Standalone Directory to OD Master. You may want to use the same hostname.
  10. When the OD Master is ready click on Overview and check that the LDAP and Keberos Realm reflect your server's hostname.
  11. Go back to Workgroup Manager and re-import users and groups.
  NOTE: passwords are not being exported. I do not know how to salvage user passwords. (Maybe passwords can be recovered by re-mporting an OD archive - comments welcome! ).
  12. Go to Server App and reset passwords and (not to forget) user homefolder locations, in particular if you want to login from a network account!
  If the home directory has not been defined you cannot login from a network account.
  13. You may now want to restore Profile Manager user profiles in Terminal. Issue the following commands:
  sudo serveradmin stop devicemgr
  sudo serveradmin start postgres
  sudo psql -U _postgres -d device_management -f $HOME/device_management.sql
  sudo serveradmin start devicemgr
  14. You can now switch back on your services, including Profile Manager.
  In Profile Manager you may have to configure Device Management. This creates a correct Code Signng Certicate.
  15. Check the certificate settings in Server App -> Hadware -> Settings-> SSL Certificates.
  16. Check that Apple Push Notifications are set.(you easily check if they are working later)
  17. You may want to re-boot OS Server from the clone now.
  18. After re-boot open Server App and check that your server is running well.
  19. Delete all profiles in System Preferences -> Profiles.
  19. Login to Profile Manager. You should have all users and profiles back. In my experience devices have to be re-enrolled before profiles can be pushed and/or devices be enrolled. You may just as well delete the displayed devices now.
  20. Grab one of your (portable) Macs that you want to enrol and go to (yourhostname)/mydevices and install the server's trust profile. The profile's name  should read "Trust Profile for...) and underneath in green font "Verified".
  21. Re-enrol that device. At this stage keep your finger's crossed and take a deep breath.
  22. If the device has been successfully enrolled you may at last want to test if pushing profiles really works. Login to Profile Manager as admin, select the newly enrolled device. Check that Automatic Push is enabled (-> Profile -> General). Create a harmless management profile such as defining the dock's position on the target machine. (Do not forget to click SAVE at the end - this is easily missed here). If all is well Profile Manager will display an active task (sending) and the dock's position on the target will have changed in a few seconds if you are on a LAN (Note: If sending seems to take forever: check on the server machine and/or on your router that the proper ports are open and that incoming data is not intercepted by Little Snitch or similar software).
  Note: if you intend to enrol an Apple iPhone you may first need to install the proper Apple Configuration software.
  Now enjoy Profile and Device Manager !
  Regards,
  Twistan

  HI
  1. In Action profiles, logon to system and recheck correcion are available in action definition as well in condition configuration and the schedule condition is also maintained. but the display is not coming(i.e in the worklist this action is not getting displayed).
  You can check the schedule condition for the action and match the status values...or try recreating the action with schedule condition again....for customer specific ....copy the standard aciton with ur zname and make a schedule condition and check the same.
  2, In suppport team of incident when i give individual processor it throwing a warning that u r not the processor. but when i give org unit it is working perfectly. Could anyone guide on this.
  You need to have the empolyee role for BP ..goto BP and got here dropdown for ur bp and choose role Employee and then enter ur userid
  also make sure that u have the message processing role
  Hope it clarifies ur doubt and resolve ur prob
  Regards
  Prakhar

• OIM 11g R1 - AD 9.1.1.7.2 SSL Issue

  Hi All,
  I am trying to configure the SSL b/w OIM 11g R1 BP05 running on IBM AIX 6.1 and AD Connector 9.1.1.7.2. The recon/provisioning is working fine on port 389.
  For SSL Configuration, I imported the AD root certificate in custom keystore configured in WLS and Standard Java Keystore i.e., cacerts. I have updated the ADIT Resource to change the port and use SSL as yes.
  So, now when I am running recon, I am getting below error:
  *[2013-05-28T13:37:02.043-07:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: OIMQuartzScheduler_Worker-5] [userId: oiminternal] [ecid: 0000JvgXEpH4ykJLQm5Eid1HdFwe000001,1:28614] [APP: oim#11.1.1.3.0] com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController : searchResultPageEnum : The error occured in tcADUtilLDAPController::connectToAvailableAD():host:636*
  *[2013-05-28T13:37:02.083-07:00] [oim_server1] [ERROR] [] [OIMCP.ADCS] [tid: OIMQuartzScheduler_Worker-5] [userId: oiminternal] [ecid: 0000JvgXEpH4ykJLQm5Eid1HdFwe000001,1:28614] [APP: oim#11.1.1.3.0] com.thortech.xl.exception.ConnectionException: host:636[[*     at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
       at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
       at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
       at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:384)
       at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
       at java.lang.reflect.Method.invoke(Method.java:611)
       at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
       at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
       at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
  I am able to connecto to AD on port 636 using LDAP Browser and also using JNDI Code. Also, I used XIMDD to test the Target System SSL Trust Verification and it worked too. Also, the telnet/ping are working too.
  Any clue on this issue?

  Hi Praveen,
  Here is the solution suggested by Oracle for this particular error:
  This exception is encountered because the Connector Server uses a port that has already been used (mostly by another instance of the Connector Server). You can fix this issue by performing one of the following steps:
  If the Connector Server service is running, then stop it.
  Search for and open the ConnectorServer.exe.Config file, change the port value to 8758 or 8755, and then start the Connector Server. The default location of the ConnectorServer.exe.Config file is C:\Program Files\Identity Connectors\Connector Server.
  Ref: http://docs.oracle.com/cd/E22999_01/doc.111/e20347/trbleshoot.htm
  If you still face the issue then try changing Port and Time wait registry values(Take registry backup before making any changes to registry):
  Changing the Dynamic Port Range
  Open regedit.
  Open key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  Edit (or create as DWORD) the MaxUserPort value.
  Set it to a higher number. (i.e. 65534)
  Changing the TIME_WAIT delay
  Open regedit.
  Open key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
  Edit (or create as DWORD) the TCPTimeWaitDelay.
  Set it to a lower number. Value is in seconds. (i.e. 60 for 1 minute delay)
  Thanks and Regards,
  Chinni

• Two way SSL issue in weblogic

  Hi All,
  we have enabled 2 way SSL in weblogic, we have one Admin Server and one managed (soa) server version 11.1.1.5
  steps we have followed:
  we have imported identity certificate and key file to a custom identity store
  improted trust certificates to a custom trust keystore
  in weblogic consile: soa_server1-> keystires : we have updated custom identity and trust details
  in weblogic consile: soa_server1-> ssl - we have updated required custom identity details and selected " Client Certs Requested And Enforced" for Two Way Client Cert Behavior.
  but while testing our process we are getting below error:
  we have tried openssl to test the connectivity but not sure about the output, is there any way to trace the SSL connection?
  any input will be really helpful.
  <AIASessionPoolManagerFault xmlns="http://xmlns.oracle.com/AIASessionPoolManager">
  -<part name="summary">
  <summary xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  com.oracle.bpel.client.BPELFault: faultName: {{http://xmlns.oracle.com/AIASessionPoolManager}AIASessionPoolManagerFault}
  messageType: {{http://schemas.oracle.com/bpel/extension}RuntimeFaultMessage}
  parts: {{
  summary=<summary xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error on AIASessionPoolManager.bpel when attempting Get operation</summary>
  ,detail=<detail xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error on AIASessionPoolManager.bpel: Operation=Get.
       SessionPoolHost.getSession(Siebel,170006): getSession(Siebel,170006) failed: Thread [weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@107d5bb4] faild to initialize the session pool. SessionPoolHost.create() thread[weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@107d5bb4]: Failed to obtain a session after 3 attempts. SPM cannot successfully connect to web server Login credentials [endpoint: https://+<host>+:443/ngbeai_enu/start.swe?SWEExtSource=SecureWebService&amp;SWEExtCmd=Execute&amp;WSSOAP=1 ]
       java.lang.Throwable: SOAPException occured when requesting : javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure
       javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure.
       </detail>
  ,code=<code xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error</code>}
  </summary>
  </part>
  -<part name="detail">
  <detail xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  Error on AIASessionPoolManager.bpel: Operation=Get.
       SessionPoolHost.getSession(Siebel,170006): getSession(Siebel,170006) failed: Thread [weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@107d5bb4] faild to initialize the session pool. SessionPoolHost.create() thread[weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@107d5bb4]: Failed to obtain a session after 3 attempts. SPM cannot successfully connect to web server Login credentials [endpoint: https://+<host>+/ngbeai_enu/start.swe?SWEExtSource=SecureWebService&SWEExtCmd=Execute&WSSOAP=1 ]
       java.lang.Throwable: SOAPException occured when requesting : javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure
       javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure.
  </detail>
  </part>
  TIA,
  Vivek
  Edited by: 909283 on Apr 15, 2013 12:07 AM

  Hi Kishor/Rene,
  Thanks for the reply, we have already referred to the mentioned Oracle Note and enabled SSL debugging.
  while starting Admin server we are getting below output:
  Can you please confirm from below logs that SSL connection is correct, i have also provided below the error message we are getting in our process.
  <Apr 2, 2013 6:49:56 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 316588026>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write SSL_20_RECORD>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 105197569742293346305268
  Issuer:DC=com, DC=<xyz>, DC=dir, DC=test, DC=testcore, CN= Test AD Objects CA1
  Subject:C=AU, ST=NSW, L=Sydney, O=<xyz>, OU=Operations and Shared Services, CN= xyz>.com.au, EMAIL=<abcd>@<.com>
  Not Valid Before:Thu Oct 11 11:00:23 EST 2012
  Not Valid After:Sat Oct 11 11:00:23 EST 2014
  Signature Algorithm:SHA1withRSA
  >
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 458601664052503175495693
  Issuer:CN=<xyz> Test Policy CA
  Subject:DC=com, DC=<xyz>, DC=dir, DC=test, DC=testcore, CN=<xyz> Test AD Objects CA1
  Not Valid Before:Thu Nov 10 15:24:24 EST 2011
  Not Valid After:Thu Nov 10 15:34:24 EST 2016
  Signature Algorithm:SHA1withRSA
  >
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 105197569742293346305268
  Issuer:DC=com, DC=<xyz>, DC=dir, DC=test, DC=testcore, CN=<xyz> Test AD Objects CA1
  Subject:C=AU, ST=NSW, L=Sydney, O=<xyz>, OU=Operations and Shared Services, CN=<abcd>.<.com>, EMAIL=<abcd>@<.com>
  Not Valid Before:Thu Oct 11 11:00:23 EST 2012
  Not Valid After:Sat Oct 11 11:00:23 EST 2014
  Signature Algorithm:SHA1withRSA
  >
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 458601664052503175495693
  Issuer:CN=<xyz> Test Policy CA
  Subject:DC=com, DC=<xyz>, DC=dir, DC=test, DC=testcore, CN=<xyz> Test AD Objects CA1
  Not Valid Before:Thu Nov 10 15:24:24 EST 2011
  Not Valid After:Thu Nov 10 15:34:24 EST 2016
  Signature Algorithm:SHA1withRSA
  >
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: <abcd>.<.com>>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerKeyExchange RSA>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 70>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received CHANGE_CIPHER_SPEC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 8>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 26>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 26>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 26>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 24>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 45>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 45>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 45>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 15>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 30>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 30>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 30>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 18>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 23>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 23>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 23>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 20>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 41>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 41>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 41>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 7>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 13>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 13>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 13>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
  java.lang.Exception: New alert stack
  at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
  at javax.net.ssl.impl.SSLLayeredSocket.close(Unknown Source)
  at weblogic.nodemanager.client.NMServerClient.disconnect(NMServerClient.java:276)
  at weblogic.nodemanager.client.NMServerClient.done(NMServerClient.java:138)
  at weblogic.nodemanager.mbean.NodeManagerRuntime.getState(NodeManagerRuntime.java:423)
  at weblogic.nodemanager.mbean.NodeManagerRuntime.getState(NodeManagerRuntime.java:440)
  at weblogic.server.ServerLifeCycleRuntime.getStateNodeManager(ServerLifeCycleRuntime.java:752)
  at weblogic.server.ServerLifeCycleRuntime.getState(ServerLifeCycleRuntime.java:584)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at weblogic.management.jmx.modelmbean.WLSModelMBean.getAttribute(WLSModelMBean.java:525)
  at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:666)
  at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:638)
  at weblogic.management.mbeanservers.domainruntime.internal.FederatedMBeanServerInterceptor.getAttribute(FederatedMBeanServerInterceptor.java:308)
  at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$12.run(WLSMBeanServerInterceptorBase.java:326)
  at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.getAttribute(WLSMBeanServerInterceptorBase.java:324)
  at weblogic.management.mbeanservers.internal.JMXContextInterceptor.getAttribute(JMXContextInterceptor.java:157)
  at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$12.run(WLSMBeanServerInterceptorBase.java:326)
  at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.getAttribute(WLSMBeanServerInterceptorBase.java:324)
  at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$12.run(WLSMBeanServerInterceptorBase.java:326)
  at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.getAttribute(WLSMBeanServerInterceptorBase.java:324)
  at weblogic.management.mbeanservers.internal.SecurityInterceptor.getAttribute(SecurityInterceptor.java:299)
  at weblogic.management.jmx.mbeanserver.WLSMBeanServer.getAttribute(WLSMBeanServer.java:279)
  at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$5$1.run(JMXConnectorSubjectForwarder.java:326)
  at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$5.run(JMXConnectorSubjectForwarder.java:324)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
  at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.getAttribute(JMXConnectorSubjectForwarder.java:319)
  at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1404)
  at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
  at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265)
  at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1367)
  at javax.management.remote.rmi.RMIConnectionImpl.getAttribute(RMIConnectionImpl.java:600)
  at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
  at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222)
  at javax.management.remote.rmi.RMIConnectionImpl_1035_WLStub.getAttribute(Unknown Source)
  at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.getAttribute(RMIConnector.java:878)
  at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:263)
  at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:504)
  at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380)
  at $Proxy138.getState(Unknown Source)
  at com.bea.console.actions.core.server.ServerTableAction.populateServerRuntimeTableBean(ServerTableAction.java:365)
  at com.bea.console.actions.core.server.ServerTableAction$ServerTableWork.run(ServerTableAction.java:498)
  at weblogic.work.commonj.CommonjWorkManagerImpl$WorkWithListener.run(CommonjWorkManagerImpl.java:203)
  at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  >
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 316565651>
  <Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 316588026>
  error in bpel process:
  summary=<summary xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error on AIASessionPoolManager.bpel when attempting Get operation</summary>
  ,detail=<detail xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error on AIASessionPoolManager.bpel: Operation=Get.
  SessionPoolHost.getSession(Siebel,190001): SessionPoolHost.create() thread[weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@16670d1d]: Failed to obtain a session after 3 attempts. SPM cannot successfully connect to web server Login credentials [endpoint: https://<host>:443/eai_enu/start.swe?SWEExtSource=SecureWebService&amp;SWEExtCmd=Execute&amp;WSSOAP=1 ].
  java.lang.Throwable: SOAPException occured when requesting : javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure
  javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure</detail>
  ,code=<code xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error</code>}
  </summary>
  TIA,
  Vivek
  Edited by: 909283 on Apr 15, 2013 12:08 AM

• Making a call over HTTPS with LoadVars, XML.load(), and WebService - Yes or No?

  Hello, do LoadVars, XML.load(), or WebService support HTTPS-based endpoints, Yes or No?
  BACKGROUND
  ============
  I've been trying to get a LoadVars to actually make a call to an HTTPS endpoint. There is nothing in the documentation that says it can't. I know that there's also XML.load() and WebService class, but from the looks of it they don't do HTTPS.
  During my tests I have absolutely no issues with making calls to the same service over HTTP. When I change it to HTTPS I don't see HTTPStatus or even failures. Also, netstat on my server will show a connection being established with the endpoint when using HTTP but not when using HTTPS. I've also tried setting SSLVerifyCertificate to "false" in my Server.xml and after a restart of AMS it doesn't help, same symptom.
  I've also googled and looked through all Adobe forum posts that I can find:
  https://forums.adobe.com/message/4938426#4938426
  https://forums.adobe.com/thread/1661461
  https://forums.adobe.com/thread/782037
  https://forums.adobe.com/message/74981
  https://forums.adobe.com/message/5107735#5107735
  https://forums.adobe.com/message/7815#7815
  https://forums.adobe.com/message/53870#53870
  https://forums.adobe.com/message/87797#87797
  WebService Class - http://stackoverflow.com/questions/5619776/webservice-and-fms
  The best I found from the posts above is a non-commital answer from adobe staff at https://forums.adobe.com/message/4938426#4938426 and a 3rd party person saying that Webservice doesn't work at http://stackoverflow.com/questions/5619776/webservice-and-fms.
  All I need is an official supported/not-supported from the Adobe staff. Shouldn't be to hard after 5 years or so of ignoring the questions in the forum right?

  Adobe, please provide some details to your current and possibly potential customers, in at least one of the many unanswered posts about making HTTPS requests from AMS.
  P.S.
  realeyes_jun,
  RealEyes Media has been an inspiration to me for many years, and I would like to thank them for their efforts to better the media streaming community.
  Also, would it be possible to please release the source to REDbug?

• WebLogic 7.0.1 and apache ssl plug-in

  I am not seeing any forwarding of SSL requests from Apache to WebLogic once I upgraded
  from 7.0.0.1 to 7.0.1 and used the new plug-in. I actually found the plug-in
  size for solaris to be smaller then the 7.0.0.1 which I found to be a little strange.
  The old plug-in does not work either.
  I am not sure if this is a bug or what, just want to see if anyone has a similar
  setup and seeing similar issues. We run OpenSSL on Apache 1.3.9 and this was
  working fine in 7.0.0.1 and just stopped working for the SSL pages only, the regular
  pages pass through no problem.

  I am not seeing any forwarding of SSL requests from Apache to WebLogic once I upgraded
  from 7.0.0.1 to 7.0.1 and used the new plug-in. I actually found the plug-in
  size for solaris to be smaller then the 7.0.0.1 which I found to be a little strange.
  The old plug-in does not work either.
  I am not sure if this is a bug or what, just want to see if anyone has a similar
  setup and seeing similar issues. We run OpenSSL on Apache 1.3.9 and this was
  working fine in 7.0.0.1 and just stopped working for the SSL pages only, the regular
  pages pass through no problem.

• Possible Safari wildcard SSL issue

  I really hope this is the right venue for this sort of thing. This is my first post here, so please forgive me if this is not the place.
  That said, I think that I have run into an issue with the way that wildcard SSL is handled in Safari.
  I have an SSL cert for *.sld.tld (a wildcard cert) I expect the cert to operated properly with 'www.some.sld.tld' under SSL but interestingly, that won't work under Safari.
  I'm sorry to be dry and cite RFPs, but I think it best illustrates the problem and perhaps why both Firefox and Opera will allow for the above as valid in SSL with a wildcard cert.
  The author for RFC2818 (which is the RFC I think that most folks will probably point to regarding this issue) says "Matching is performed using the matching rules specified by [RFC2459]." and then goes on to give some examples.
  RFC2459 says, "For URIs, the constraint applies to the host part of the name. The constraint may specify a host or a domain. Examples would be "foo.bar.com"; and ".xyz.com". When the the constraint begins with a period, it may be expanded with one or more subdomains. That is, the constraint ".xyz.com" is satisfied by both abc.xyz.com and abc.def.xyz.com. However, the constraint ".xyz.com" is not satisfied by "xyz.com". When the constraint does not begin with a period, it specifies a host. " - Page 35 RFC 2459
  and this:
  "DNS name restrictions are expressed as foo.bar.com. Any subdomain satisfies the name constraint. For example, www.foo.bar.com would satisfy the constraint but bigfoo.bar.com would not." - Same page RFC 2459
  Specifically, if you substitute 'abc' with 'www' in this phrase from above -".xyz.com" is satisfied by both abc.xyz.com and abc.def.xyz.com., you pretty much get what I want to have happen in Safari. Specifically, www.sld.tld and www.def.sld.tld would be both valid for HTTPS requests using the wildcard *.sld.tld SSL certificate.
  If I have DNS control of a domain and I have a wildcard cert for that domain, then really based on logic and the RFC cites above, any valid DNS sub domain under the controlled domain should be available for SSL.
  Tell me where I am going wrong here. Or, if I actually found a problem, please fix the bug when you can.
  I don't wish to be accused of self promotion, so I won't list my real world URL example here, however if someone at Apple would like to have it, they are welcome to contact me and I will provide a direct example of the problem.
  Thanks,
  CommerceCompany

  I have not independently researched the RFCs, but I am running into a similar problem and require a similar solution as you request. In my case, the issue arises in Mail.app instead of Safari.
  I found the following reference in another forum, which would indicate that this person's interpretation of the RFC for wildcard domains in certificates is that an asterisk (*.foo.com) is only valid at one sub level (this interpretation is opposite yours, unfortunately). This behavior seems counter-intuitive, and I, like you, would hope that it would match all sub levels under foo.com.
  http://www.dreamhoststatus.com/2007/06/17/ssl-certificate-renewal-for-most-custo mers/#comment-42283
  In my case, I am trying to secure mail connections using SSL in Mail.app when connecting to a mail server hosted by a hosting company (MediaTemple.net). Their hosting domain is gridserver.com, and their SSL cert is for *.gridserver.com. Their hosted mail servers are provided via machine names similar to the following:
  myhosteddomain.com.myaccountnumber.gridserver.com
  Even after storing the *.gridserver.com cert in my keychain appropriately, this will not match in Mail.app.
  Other forums (including the one above) seem to indicate that other mail clients honor the wildcard match for all manner of subdomains, regardless of whatever the 'correct' interpretation of the RFCs are. I hope that Apple will either set us straight on an appropriate way to achieve this, set us straight on why it is a dangerous thing to do, or consider modifying their certificate matching in Mail and Safari, etc., to support these subdomain issues.

• Unable to add XML and Webservices Datasource in Crystal Reports

  Hi,
      when I am trying to add a Web service datasource upon clicking the XML and Webservices Datasource in Database Manager I get the following error.
  Invalid Arguments Provided.
  Details: Java server startup failure. Verify PATH (JDK), CLASSPATH, and IORFileLocation properties in the CRConfig.xml file. In addition, verify that you are using JDK 1.5.
  I am using Windows server 2003 OS. Java is version 1.6. I tried the below things but none of them worked.
  1.Edit the crconfig.xml file to add classpath and license information
  2.reverted to java 1.5
  3.uninstalled and installed the CR 2008 software. None of these worked. Please help.

  Thanks Don but my issue is not proxy related.
                      I am not using a proxy though I am using a VPN to be in the network of the Webservice hosting server. Also, my problem is that I am not able to even enlarge the XML and Webservices Data source to add any xml or web service file let alone the one I want to.
  Edited by: iamkhader on May 10, 2010 7:26 AM

• Exchange 2013 POP3 and IMAP connectivity issues 0x800CCC0F

  Hi all,
  there's an Exchange 2013 server running without problems during "regular" use, but when it comes to POP3 and/or IMAP (we really need that for some systems), everything is fine until there's a message with an attachment of about 100kb or more.
  We can poll messages with smaller attachments without problem, but bigger sizes won't work.
  So for testing I tried POP3 within Outlook Express, it gives Error 0x800CCC0F
  Telnet to TCP110 simply breaks up the connection when I try "retr"
  IMAP shows those messages as "to be deleted", but they are accesible within OWA.
  Test-PopConnectivity (also for IMAP) runs smoothly and successfully.
  Firewall is opened for all connections.
  Problem is and has always been there. The server is updated to the newest SP/updates.
  I tried both 110/143 and corresponding SSL - no difference.
  Pop3 and Imap logging shows no errors
  There's Trend Micro Messaging Security installed, but has been disabled for testing - no difference. (Issue has been there before installation of TM)
  So, any ideas how to fix this? I'd appreciate...
  Thanks in advance,
  Robert

  Hello,
  Take a network trace on both ends to see if there are any devices like firewalls drop the package.
  http://www.microsoft.com/en-us/download/details.aspx?id=4865
  Thanks,
  Simon Wu
  TechNet Community Support

• Applet using webservice+ssl.jar

  how to configure a webservice ssl connection from an applet?
  webservice+ssl.jar is setting in my classpath,
  but i can't use System.setProperty... in an applet.
  Is there an example?
  JM

  Hello,
  Try the clientauth example [1] and see if it doesn't answer most of your
  questions.
  Regards,
  Bruce
  [1]
  http://webservice.bea.com/clientauth.zip
  Jean-Marie Patard wrote:
  >
  how to configure a webservice ssl connection from an applet?
  webservice+ssl.jar is setting in my classpath,
  but i can't use System.setProperty... in an applet.
  Is there an example?
  JM

• Gmail/Exchange email and calendar syncing issues

  I have wiped my email accounts several times and entered in my data in the various ways as shown through the forums but my email accounts do no sync properly whether it is manual or active synced.
  I read my emails in my gmail and my Microsoft exchange account and will delete or file them away but then when I check my accounts on my desktop, they are not synced as I've done so on my phone. I've also noticed that my calendars are not synced correctly either.
  Could someone help me understand why and how these issues can be fixed? I'm in meetings for most of the day so I rely on my phone to keep me mobile. Was this a bad purchase?!?!

  Hi JadeyMU,
  How do you have your Microsoft Exchange account configured on your BlackBerry Z10? Are you using ActiveSync, BlackBerry Enterprise Server (BES), IMAP or POP?
  Thanks.
  -CptS
  Come follow your BlackBerry Technical Team on twitter! @BlackBerryHelp
  Be sure to click Kudos! for those who have helped you.Click Solution? for posts that have solved your issue(s)!

• My experience with Apple TV and HDMI/HDCP issues

  I am convinced that it is the software update to 4.2.2 from 4.2.1 that is causing this issue.  All forms of applications only worked once for me and then it reverted back to HDCP issues.  I read several postings everywhere including plenty at Apple's forum and AVS where people were very frustrated with this HDCP issues.  Anyways, here is what I did before taking it back to Apple store....I bought AUVIO high speed cables from Radio Shack which is rated very high and tried that and I still got HDCP issues when using NetFlix or AirPlay from iPad.  Youtube from Apple TV always worked well without HDCP complaints.
  I packed everything back and took it to Apple Store (you can return without re-stocking fee up to 14 days from the day of purchase).  After 14 days, you cannot even return it and you can ONLY fix it.  I waited for a Technician.  They heard my complaints but didn't refute any of it (possibly because they have had numerous complaints on this product).  It took 5 minutes inside for them to test and see similar issues with the box that I had.  So, they have swapped it for a new box.  Before I left the store, I checked the settings including software version and Audio/Video settings in the Apple TV that is connected at the store.  I found three main differences none of which the Apple customer service staff agreed could be the reason for my problems (surprise!!)
  1.  The software update from the shelf and the one they were using was NOT updated to 4.2.2 (it was still running 4.2.1)
  2.  Because of the software update, the Audio/Video setting for HDMI had the options to toggle between Auto, RGBy, RGBhi & RGBlo bandwidth.  I believe this was in place to make the HDMI interface output as component with higher or lower bandwidth but the newer update will ONLY give you the Auto option (!!!)
  3.  They had this directly Ethernet wired and not through Wireless network and were recieving the all the full bar strength signals.  On the box that I returned, eventhough I have 18 Mbps speed at the house (any given time of the day), the Network speed test was taking a long time.  Moreover, after the Apple TV network test, it doesn't spit out the outcome of the tests (a BIG bummer and useless for testing).
  Anyways, I took the new box and hooked it up directly to my SONY BRAVIA XBR3 TV to one of the HDMI ports, disabled the feature to send or recieve data to Apple directly and did NOT update the software.  It worked fine and have tested all of the options.  From what I have read so far (I have only spent 30 hours of my weekend on this when Apple product hookups are supposed to take 5 minutes ONLY), there is NO guarantee that it will work continuously as people have had things work on them for 6 months and then suddenly have the HDCP issues.
  Will wait to see....if it continues to work....

  I figured it out. Had to go to general settings on the main screen and restart. Synch of audio is much better.

• I have a serious (and bizarre!) issue with my novation impulse (Although i've tried it with two other keyboards and i still have the same problem) and its compatibility with mainstage 3

  i have a serious (and bizarre!) issue with my novation impulse (Although i've tried it with two other keyboards and i still have the same problem) and its compatibility with mainstage 3.
  the problem is best explained on the following one - page thread: 
  https://discussions.apple.com/thread/3951518?start=0&tstart=0
  (Clearly i'm not alone in this problem, although i think i figured out what's going wrong a little more than he did...read on!)
  his solution, to put mainstage in jump mode, is very unsatisfactory to me, as it bounces all of a sudden to drastically different settings.
  basically, my analysis is that my controller is NOT receiving MIDI date from mainstage.  in other words, mainstage knows what my controller is doing, but my controller doens't know what mainstage is doing.
   let's say i turn the knob all the way to the right ... 127...and the virtual fader goes to the right like it's supposed to. 
  now...next...let's say i change to a different patch, where that same VIRTUAL fader is not at the max clockwise position..maybe it's only at 1pm.  now when i turn the physical knob to the RIGHT, the midi data is still at 127 on the controller!  it didn't "reset" to sync up with the new level (say 80 or so) setting on the new patch.  so i can't increase that new setting of 80 by continuing to turn the knob to the right.  i have to turn it all the way to zero,...and then continue PAST zero until the controller thinks that IT is at 0...at that point the controller and mainstage are in agreement, and things work fine....so bascially, the keyboard thinks the level is at max...but mainstage thinks the level is at 1pm.
  i am using Logic 9, and i have a macbook pro 2.9 Ghz I7 with 8 gigs of memory and OS X 10.8.4

  Hi Josh,
  Thanks for taking the time to contact us here a Novation for technical support. Lets continue to correspond via email so we can get your issue resolved.
  Thanks.
  Mike Towns