WS security, SSL and client auth

Similar Messages

• JDBC Thin Connections with SSL and client certificates

  Hi ,
  we are going have a look at JDBC Thin Connections with SSL and client certificates.
  I have two questions:
  1. Is it possible to use SSL connections from JDBC Thin Driver and which release of the driver introduced it
  2. Is it possible to use client certificates with JDBC Thin Driver and which release of the driver introduced it
  Thanks for your help
  regards
  Markus Reichert

  I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
  Steps to add the SSL Certificate:
  1. Run the form with the https mode in the IE Browser.
  2. Security Alert is raised.
  3. Click on the View Certificate button.
  4. In the Certificate Window, click on the Details tab.
  5. Click on the Copy to File button to copy the certificate.
  6. Copy the certificate and append to the certdb.txt file.

• Web Service, SSL and Client Authentication

  I tried to enable SSL with client authentication over a web service. I am using App Server 10.1.3.4.
  The test page requires my certificate (firefox asks me to choose the certificate) the response page of the web service returns this error:
  java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 405 Method Not Allowed
  Has anyone used web services with SSL client authentication?
  Any clue why?
  Regards

  Any comment?
  Thank you.

• SSL and mutual auth. for webservice

  Does anyone have a simple example that runs OOTB to demonstrate calling a webservice
  using SSL with mutual auth.? We are using WLS7.0.1. Thanks....

  To get mutual authentication working over SSL, try the SSLClient example shipped
  with WLS. Once you get this connecting to your remote HTTPS endpoint it is relatively
  straighforward to make sure your web service activation code configures SSL in
  the same way.
  One gotcha is when creating certificate chains in PEM files, make sure you concatenate
  the certificate files in the order of trust i.e. cert followed by CA cert.

• Using SSL with client auth from a JNLP-launched app

  We have an application that is launched by JNLP, and which needs to make a mutually authenticated SSL connection to a server. The client cert and trusted certs that it needs to do this are stored in the Sun\Java\Deployment\security directory where JNLP knows to look for them. And Java WebStart itself seems to be able to use these certs just fine. However, our app seems blithely unaware of the location of the keystore/truststore unless we explicitly set the system properties javax.net.ssl.keystore and truststore. But we don't want to do that (it could be different for different users), and we shouldn't have to do that. So the question is, how can we use the same KeyManager/TrustManager that Java WebStart itself is using? Are they somehow available for the JNLP-launched app to use?
  Failing that, is there a way for a JNLP-launched app to query the deployment properties? There are a bunch of properties to direct the behavior of Java WebStart (see [http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/properties.html]), such as deployment.user.security.trusted.cacerts. These don't seem to be System properties. Can the app see them, or are the "private" to Java WebStart itself?

  HI:
  see also shine enterprise pattern.
  I have worked with it and it helps me and results spead up.
  it has a class which is named "code" and does encryption and ... by md5. it is incredibly secure! tey it.
  you can download it via links bellow:
  http://groups.google.com/group/j2sos.
  http://sourceforge.net/projects/shine-enterpris/
  it has also document

• SSL and Client Certificates

  Hi,
  We are using Forms 6i deployed using 9iAS Release 1(1.0.2.2.2a).
  We are using the "Forms Listener Servlet" implementation, and have successfully configured Apache (Oracle HTTP Server) using mod_ssl to use Server Side certificates to provide SSL / HTTPS communications.
  I have also been attempting to validate the existence of Client Side (personal) certificates. This has been successful when accessing normal Web Pages, but not when accessing the Forms Application.
  We are using JInitiator on the client (1.1.8.19), and receive a Java Exception ---
  javax.net.ssl.SSLException: SSL handshake failed: SSLSessionNotFoundErr
  Looking on the server logs, we can see the following error
  OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
  I have used all the Oracle documentation (notes 130728.1, 147836.1 and 161161.1), but nowhere does this state that Client Side Certification is supported by using JInitiator (or any other JVM).
  Searching other forums, it appears that this may just not be
  supported by any JVM running on the client machine.
  Has anyone any information or expererience of successfully using Client Side Certificates to deploy Oracle Forms with 9iAS ?
  Many Thanks
  Marc Ludwig

  I could not reproduce the error after appending the SSL certificate to the certdb.txt file available under $Jinitiator_Home/lib/security folder.
  Steps to add the SSL Certificate:
  1. Run the form with the https mode in the IE Browser.
  2. Security Alert is raised.
  3. Click on the View Certificate button.
  4. In the Certificate Window, click on the Details tab.
  5. Click on the Copy to File button to copy the certificate.
  6. Copy the certificate and append to the certdb.txt file.

• CSS SSL and client certificate

  Hello,
  In a situation where SSL Traffic is terminated on a SSL Module.
  And having clients which to clientcertification.
  There are 2 contents aviable on the webserver.
  One for certified users and one for both.
  Is there a way to restrict a path of a url to clients which performed a client cert?
  And have all other content on that server aviable to both , certified and not certified clients?
  Sven

  Hi Gilles,
  i have not described my problem at all.
  Currently we are doing the SSL Termination on a webserver.
  There are two locations specified in the apache config.
  Like this:
  location /webservices/onlytoca>
  SSLVerifyClient require
  SSLVeridfyDepth 0
  So the path /webservices/onlyToCa is only allowd to clients which did a certification via clientcert.
  The /content is allowed to all.
  I have to migrate to the SSL-Module because we need to analyse the URL for stickyness.
  My question was, is there a way to restrict a url path to clients which did a client certification.
  I can set up the ssl-server to ignore certificaton failures.
  Also, do you know about the HTTP-Header insert? Is the header to be inserted also if the client has not been certified via cc or only if the client performed a certification?
  If not, a solution would be to have 3 contet_rules
  one, which checks for a existing of http-header which is set when the request is cerfified.
  There i can limit the URL to /webservices/toCaOnly/*
  one cr, which allows any other content
  one cr, which sends a redirect to a error page. This one should only be accessed if the url is /webservices/toCaOnly and the http header is not set.
  I hope i wrote it down clear enough to understand.
  Sven

• Jbo.security.enforce and FORM Auth

  i have web application on JHeadStart with FORM based auth.
  when i change jbo.security.enforce = None to
  jbo.security.enforce = Auth i ha exception:
  Authentication failed:
  User null does not exist in system.
  why?

  This sounds like a OC4J/J2EE issue that is not related to JHeadstart. To simplify the test case, you could create a simple drag-and-drop ADF application without JHeadstart, use that as the 2nd application, and see if the same problem occurs there. Can you please log a TAR at MetaLink ( http://metalink.oracle.com/ ), or ask this question at the OC4J/J2EE forum at OC4J ? Thanks.
  kind regards,
  Sandra Muller
  JHeadstart Team
  Oracle Consulting

• Empty request when using IE5.5 and client auth.

  We are in the process of enabling Client Authentication for one of our websites. When enabling client authentication in iPlanet 6.1SP2 somethings go wrong when using the client uses Internet Explorer 5.0 or 5.5.
  It seems that when using a IE browser older than 6.0 the Content Type is being sent twice:
  Contect type: application/x-www-form-urlencode, application/x-www-form-urlencode and the servlet that needs to capture the data which is sent by the Client replies with a Cannot process an empty request.Does anyone have a workaround for this??

  I hadn't heard of this problem before, but it should be possible to work around it by adding the following lines to obj.conf:
  <Client headers="Content-type: application/x-www-form-urlencode, application/x-www-form-urlencode">
  AuthTrans fn="set-variable" set-headers="Content-type: application/x-www-form-urlencode"
  </Client>Of course, you could also a) modify the affected Servlet or b) write a Servlet Filter that would modify the header before it's passed to the affected Servlet.
  Please let us know whether you're able to solve the problem

• Secure area and client upload via browser

  Hi,
  Our client wants to be able to setup username and password
  'user areas' on demand for their clients.
  From within these areas they want their client to be able to
  upload a number of different files through the browser and be able
  to view and access them online.
  Does anybody know of any 3rd party software or company that
  would be able to help me set this up as i have very limited
  knowledge of PHP, Cold Fusion or whatever would be required, and
  the timescale of the job would not allow me to spend a lot of time
  learning it.
  thanks for any help
  Gareth

  boneykingofnowhere wrote:
  > Hi,
  >
  > Our client wants to be able to setup username and
  password 'user areas' on
  > demand for their clients.
  >
  > From within these areas they want their client to be
  able to upload a number
  > of different files through the browser and be able to
  view and access them
  > online.
  >
  >
  > Does anybody know of any 3rd party software or company
  that would be able to
  > help me set this up as i have very limited knowledge of
  PHP, Cold Fusion or
  > whatever would be required, and the timescale of the job
  would not allow me to
  > spend a lot of time learning it.
  >
  > thanks for any help
  >
  > Gareth
  >
  >
  >
  If you don't have time to learn a server-side solution, it
  would be
  easiest to configure some kind of blog software, such as
  Wordpress.
  There's no easy way to do this with only html and css.
  Bonnie
  in California
  8 ^ )

• Client auth error

  I am using iPlanet Web Server 6.0 SP4 on Solaris 2.8 that is enabled for SSL and Client-auth.
  In order to validate the client certificate, I configured this server to use my own Plug-in by adding authTrans line in "obj.conf":
  <Object name=default>
  AuthTrans fn="vsCheckClientCert"
  </Object>
  During startup, web server fails with following error.
  Thanks in advance!!!
  [20/Sep/2002:11:50:58] info ( 1984): successful server startup
  [20/Sep/2002:11:50:58] info ( 1984): iPlanet-WebServer-Enterprise/6.0SP4 B07/17/2002 14:04
  [20/Sep/2002:11:51:00] info ( 1985): Installing a new configuration
  [20/Sep/2002:11:51:00] info ( 1985): [LS ls1] https://xx-sun.yy.com, port 444 ready to accept requests
  [20/Sep/2002:11:51:00] info ( 1985): A new configuration was successfully installed
  [20/Sep/2002:11:51:01] info ( 1985): Using the Solaris VM v1.2.2 from Sun Microsystems Inc.
  [20/Sep/2002:11:51:01] info ( 1985): Java VM classpath: /usr/netscape/servers/plugins/servlets/examples/legacy/beans.10/SDKBeans10.jar:/usr/n
  etscape/servers/bin/https/jar/NSServletLayer.jar:/usr/netscape/servers/bin/https/jar/NSJavaUtil.jar:/usr/netscape/servers/bin/https/jar/Admin
  NativeUtil.jar:/usr/netscape/servers/bin/https/jar/NSJavaMiscUtil.jar:/usr/netscape/servers/bin/https/jar/servlet.jar:/usr/netscape/servers/b
  in/https/jar/servlet-2.3-filters-api.jar:/usr/netscape/servers/bin/https/jar/jsp092.jar:/usr/netscape/servers/bin/https/jar/jaxp.jar:/usr/net
  scape/servers/bin/https/jar/crimson.jar:/usr/netscape/servers/bin/https/jar/xalan.jar:/usr/netscape/servers/bin/https/jar/jspengine.jar:
  [20/Sep/2002:11:51:01] info ( 1985): Loading IWSSessionManager by default.
  [20/Sep/2002:11:51:01] info ( 1985): IWSSessionManager: Maximum number of sessions is 1000
  [20/Sep/2002:11:51:01] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3
  be enabled.
  [20/Sep/2002:11:51:01] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication cer
  tificate
  [20/Sep/2002:11:51:02] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3
  be enabled.
  [20/Sep/2002:11:51:02] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication cer
  tificate
  [20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Error getting document-root for this virtual server; please check your server c
  onfiguration.
  [20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Cannot create web applications virtual server environment.
  [20/Sep/2002:11:51:02] failure ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (h
  ttps-cvm-test-444)
  [20/Sep/2002:11:51:02] info ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (http
  s-cvm-test-444)
  [20/Sep/2002:11:51:02] failure ( 1985): The new configuration was rejected, rolling back

  Thanks for the reply!!
  My SAF (vsCheckClientCert) works fine if I disable the servlets. It also works by disabling the Web Application State in server.xml
  <VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
  <VS id="https-cvm-test-444" state="on" urlhosts="psingal-sun.verisign.com" mime="mime1" aclids="acl1" connections="group1">
  ===> <VARS webapps_file="web-apps.xml" webapps_enable="off"/>
  </VS>
  </VSCLASS>
  I am facing the problem only with iPlanet 6.0, the SAF worked fine with "Servlet Enabled" in the previous releases of iPlanet 4.x. Is there any way by which my SAF works with default server settings i.e. Servlet Enabled and Web Application State On?

• Client Auth  and SSL with Seeburger AS2 adapter

  Hello All,
  We are using the Seeburger AS2 adapter in our landscape and I am in the process of setting the same up and have made quite some progress in all my issues.
  and I  hope that you will be able to help me out.
  1. Server SSL on Receiver AS2 adapter
  I am sending a message from XI using the Receiver AS2 adapter to my AS2 test tool using Server SSL.
  This is working perfectly fine. In my AS2 adapter I have selected HTTPS as the protocol and the message goes via SSL to the target test tool, is processed and the MDN comes back to XI perfectly.
  The issue here is :
  Irrespective of what is provided in the Server Certificate ( Keystore) , the message goes to my target test tool. I even left this field blank with no certificate entry and still the SSL connection was established and the message went to the target system.
  Is there no validation that XI does here? I am lost what is the use of this entry Server Certificate if XI blindly accepts all SSL connections.
  I am using a Decentral Adapter Engine with LoadBalancer.
  2. Client Auth on Receiver AS2 Adapter
  I tried to perform Client Authentication by proving my Server's private key in the AS2 adapter. The corresponding public key is loaded in my partner's Keystore.
  XI error's with the error "SSL handshake failed - Bad Certificate" .
  I am not sure why XI is erroring out here and I have a feeling that I have misunderstood the use of the fields in the AS2 adapter,
  Server Certificate ( Keystore) and Private Key for Client Authentication.
  Has anyone tried this? If further details are needed, I will be able to furnish the same.
  Regards,
  Bhavesh

  Hello Jens,
  Thanks for your reply.
  1. The Encryption and Signature part of the Interface is working absolutely fine and I use the same concept highlighted by you - The Sender always signs the message with his private key and encrypts with message with the partner's public key in the corresponding agreement.
  2. Server SSL is also working perfectly fine, i.e, when XI initiates the connection the SSL connection is established to the partner.
  3. Mutual Auth was the issue where I was getting the bad certificate issue.
  To investigate further I moved the same setup to my Central Adapter Engine and all the issues I had described above seem to have vanished and things work exactly as I was expecting, ie.
  The field : Server Certificate (Keystore) is used to provide the Target System's Server SSL's public Certificate.
  The field : Private Key for Client Authentication is used where XI provides its own Server SSL's private key for Mutual / Client Authentication.
  The problem seems to be with my Decentral Adapter engine and not my central adapter engine and so I guess,
  1. I either have the incorrect certificates on my Decentral Adapter Engine.
  2. I also have 2 instances of a Decentral Adapter Engine with a Webdispatcher and so maybe the 2 Visual Admin's of the 2 Decentral AE are inconsistent.
  3. Maybe it was just a long day and I did something wrong
  Will investigate further for the root cause but I am glad that my concepts remain intact and things do work as I expected them to work.
  A blog on all this is on the cards sometime soon.
  Cheers,
  Bhavesh

• Probelm client auth from jsse client with open ssl server

  I tried to connect jsse client with a openssl server.. with clientAuth
  This is what i did ..
  Using openssl req comand i created a X509 certificate for server and imported the same to java keystore..
  The communication works fine without client authentication.
  To enable client auth i create client private/public key pair using keytool and exported the public key to a file client.public. and used it in open ssl server .
  This is how i invoke the client ..
  java
  -Djavax.net.debug=all
  -Djavax.net.ssl.trustStore=cacerts
  -Djavax.net.ssl.trustStorePassword=changeit
  -Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
  After which i get following error in server
  SSL3 alert write:fatal:handshake failure
  SSL_accept:error in SSLv3 read client certificate B
  SSL_accept:error in SSLv3 read client certificate B
  ERROR
  17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
  shutting down SSL
  CONNECTION CLOSED
  The client debug says it is recieving a certificate request.. what could be the problem.. can anybody help...

  i also have that problem. I was trying to configure SSL in apache in Win XP machine, but this error occurs. Is there anyone, who can help on it?

• Client Security Solution and Office 2010's Word and Outlook

  I purchased my system June 16, 2009 with Vista downgraded to XP Pro so I was not able to purchase a upgrade disk from Lenovo to upgrade to Win 7 (deadline was June 22). This week I purchased the Windows 7,retail  64 bit Home Premium upgrade package at a local store.
  I did the upgrade (clean install) Windows 7 64 bit Home Premium on my ThinkPad T400 type 2764-CTO. Also successfully installed all Win 7, 64 bit ThinkVantage software with System Update 4.
  I manually Installed the file z909zis1032us00.exe Client Security Solution 8.3 for Windows 7 (64-bit only) Version: 8.30.0032.00 Note: When upgrading from Windows XP To use TPM with Win 7 erase TPM in the BIOS configuration utility. In the Security and Security Chip menu, locate the option to clear the security device referred to as Security Chip and clear. If not done you can install but not use the program.
  Then I had this issue with Client Security - Password Manager version 8.30.00.32.00 and Office 2010's Word & Outlook. This was before I spotted a tread with the same issue between Password Manager 3.20.0320.00 and Office 2007.
  I noticed that whenever I run Word 2010 or Outlook in conjunction with Client Security SolutionI I could not select text. I could no longer use CSS because of it...
  I called Lenovo and was told that they do not support retail version of Win 7. (Remember they refuse to sell me their version a week earlier). Because I dint know what to do, I deactivated the TPM in Client Security and it solve the problem in both Word & Outlook.
  On the following automatic System Update at the Lenovo site the system pick up something was wrong with Client Security (it did not when the TPM was activated???) and offered to download and install "Client Security Solution Office 2007 Patch 64bit". I did and following installation I re activated the TPM. The problem in Word & Outlook was no longer there.
  Then on the next system update the system offered to download and install "Patch for IE crash with Password Manager (Win7) version 1.0". I had not experience that problem but downloaded and let the system install it anyway.
  So the problem is not restricted to version 8. 3.20.0320.00 and Office 2007 as reported in the other thread. Because the patch was automatically downloaded fron the web site (Client Security Solution Office 2007 Patch 64bit)  I do not know if it is the same patch the was offered in that thread.
  I hope this will help other people having the same problem.
  Claude

  Hi All,
  May i know the version of the CSS? Is it Windows 7 CSS 8.3 ? 32 bit or 64 bit? Would love to know more in detailed for i could report to the development team.
  Thanks!
  Regards,
  Cleo
  WW Social Media
  T61, T410, x240, Z500, Flex 14
  Important Note: If you need help, post your question in the forum, and include your system type, model number and OS. Do not post your serial number.
  Did someone help you today? Press the star on the left to thank them with a Kudo!
  If you find a post helpful and it answers your question, please mark it as an "Accepted Solution"!
  Follow @LenovoForums on Twitter!
  How to send a private message? --> Check out this article.
  English Community   Deutsche Community   Comunidad en Español   Русскоязычное Сообщество

• How to extract information from client security certificates and display it

  Hi guys,
  just wanted to know is it possible to extract information from an digital security certificate and get that displayed on top level navigation of the portal. So for ex. I want to extract the clients name and code and area from where they come from to be displayed on top level.
  thanks
  anton

  RoopeshV wrote:
  Hi,
  The below code shows how to read from txt file and display in the perticular fields.
  Why have you used waveform?
  Regards,
  Roopesh
  There are so many things wrong with this VI, I'm not even sure where to start.
  Hard-coding paths that point to your user folder on the block diagram. What if somebody else tries to run it? They'll get an error. What if somebody tries to run this on Windows 7? They'll get an error. What if somebody tries to run this on a Mac or Linux? They'll get an error.
  Not using Read From Spreadsheet File.
  Use of local variables to populate an array.
  Cannot insert values into an empty array.
  What if there's a line missing from the text file? Now your data will not line up. Your case structure does handle this.
  Also, how does this answer the poster's question?