X509 certificates, hostname verification and SunCluster 3.1 failover.

Hi,
A newbie question - having an existing non clustered architecture and trying to decide how to use the SunCluster features.
I have some self signed x509 certificates that are used by a process. When this process is (going to be) failed over to another machine, and the filesystem that contains the certificates also follows, what is the recommended way of ensuring that I can use the same certificates and that hostname verification etc still works.
When I define a resource group for the filesystem and network interfaces required by this, can I also create a virtual hostname that will work on either of my cluster machines and will not confuse my SSL code when it verifies the certificates and the host?
I think this is not a question of DNS, but a question of what happens when I want to type 'hostname' and would like to get the same result on either box that is part of our cluster. This way my certificates and application configuration would not need to be changed during a failover event.
Thanks!

Forget about the local hostname question - all that is important at the moment is that my keystores and truststores (created using Sun JVM keytool) are transportable and usable on the other host without change. The network resources associated with the names in the certificates are planned to move across as part of the resource group.
In theory I guess this should work, but I wanted to know if anyone has had any experience of doing this and whether there were any gotchas.
Thanks.

Similar Messages

  • How to disable the certificate hostname verification?

    In JSSE changes file <http://java.sun.com/products/jsse/CHANGES.txt>
    It states the following:
    "It is sometimes useful to "disable" the certificate hostname
    verification during project development. A single certificate can now be shared among many development machines so that the hostnames don't need to match. A bug was fixed in the HttpsURLConnection hostname verifier code that now allows this functionality to work."
    Any idea on how to disable it
    Thanks
    - rayed

    this is easily achieved :
    create your own class (for example 'MyHostNameVerifier' ..) as a subclass of the JSSE HostNameVerifier and overwrite the method :
    public boolean verify(String parm1, String parm2)
    to your special needs. This method implements the verifying of hostnames..
    For your HttpsURLConnection then call
    setHostnameVerifier(new MyHostNameVerifier());
    so the HttpsURLConnection will then use MyHostNameVerifier in order to verify the hostname registered in the certificate.

  • Certificate chain received from localhost 127.0.0.1 failed hostname verification check.

    Hello friends. The dns name of our server recently changed. Since that time,
    nothing except the administration node will start up. Server logs reveal the
    following information:
    Certificate chain received from localhost - 127.0.0.1 failed hostname verification
    check. Certificate contained COTHUBT but check expected localhost>
    There is one trusted certificate that was added to the cacerts keystore. Does
    it need to be removed and re added? Any other insight would be appreciated.

    "brain" <[email protected]> wrote:
    Try this if you're running version 8
    In the admin node gui.
    Click on machines
    Click on the NodeManager tab for the machine that you are interested in.
    Change hostname in listen address.
    Bounce the app server
    >
    Hello friends. The dns name of our server recently changed. Since that
    time,
    nothing except the administration node will start up. Server logs reveal
    the
    following information:
    Certificate chain received from localhost - 127.0.0.1 failed hostname
    verification
    check. Certificate contained COTHUBT but check expected localhost>
    There is one trusted certificate that was added to the cacerts keystore.
    Does
    it need to be removed and re added? Any other insight would be appreciated.

  • Hostname Verification failed for certificate with CommonName 'gawlsdev02.ss

    Hi All,
    I want to know the meaning and the reason of this exception:
    <Jun 17, 2010 2:05:52 PM EDT> <Warning> <Security> <BEA-090504> <Certificate chain received from gawlsdev02 - 147.141.83.104 failed
    hostname verification check. Certificate contained gawlsdev02.ssga.statestr.com but check expected gawlsdev02>
    <Jun 17, 2010 2:05:52 PM EDT> <Debug> <TLS> <000000> <Hostname Verification failed for certificate with CommonName 'gawlsdev02.ssga.
    statestr.com' against hostname: gawlsdev02>
    thanks in advance.

    When WebLogic Server tries to validate the certificate, it compares the CN of the certificate with the hostname from where the request is coming.
    If they don't match, hostname verification fails and the SSL connection is not established.
    In your case I see the CN is gawlsdev02.ssga.statestr.com whereas WLS is expecting it to be gawlsdev02.
    You can use this option to ignore host name verification
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    To know about other SSL issues, you can refer to this
    http://weblogic-wonders.com/weblogic/2010/01/28/troubleshooting-ssl-issues/
    -Faisal

  • Invoking secure services inside bpel with x509 certificate and weblogic

    Hi, everyone. Here we have a problem with invoking secure webservices (*client authentication*) from a bpel deployed in weblogic that is consuming so much time (more than a week) and don't know what else to try.
    The scenario: we have a bpel process which invokes a series of web services without any security mechanisms. Now, we have to change it to invoke a series of webservices that do exactly the same, but using ssl and client authentication with x509 certificates. The first part of it, the ssl one, is done without any problems. But the second part is not working at all, and we (I) are running out of ideas how to configure it in weblogic.
    The situation: I want to invoke a webservice, say, Service1. It requires client authentication, so I should pass a certificate (*which I already have*). I put that certificate inside a keystore (with keytool -importkeystore, from p12 to jks). With SoapUI I now have no problem invoking the service. But I'm not sure what I should do to make it work in weblogic; after all, the provider keeps answering with a HTTP 403 Forbidden error.
    The actions: inside the weblogic's enterprise manager, in SOA deployments (SOA / soa-infra / default ) I selected my composite, and in the Dashboard (down at Services and references), clicked the particular service (Service1). Then it took me to another page where I can see statistics about that service, and a tab named Policies. There (in Policies) I have the chance to attach a policy, but I don't know which one is the appropriate one; I guess it should be WSS11_x509_token_with_message_protection_service_policy, which in turn asks me to provide a value for keystore.recipient.alias, keystore.sig.csf.key and keystore.enc.csf.key. For these keys, I provide values that I configured in Credentials (Weblogic Domain / Security / Credentials, subtree oracle.wsm.security). My own logic tells me that what I have done is what I should have done, but still no luck :(
    I am sure the keystore is ok (if I rename the keystore file it tells me that the keystore file cannot be found, and if I specify an alias which is not inside the keystore it tells me that the alias is not found and lists the valid aliases). I guess I am missing something, somewhere, but after many hours (days, almost 2 weeks) googling, I still cannot make it work.
    Any ideas would be appreciated. If anyone knows about a post or article about this, it would be appreciated too, but I can tell you it is not that I just googled for 25 minutes; I have spent more than a week googling, trying, analyzing and reading formal documentation, with no results.
    Thanks in advance!

    Try to enable SSL and WS debugging on your WLS. Add the following to your startup script:
    -Dweblogic.webservice.verbose=true
    -Dssl.debug=true
    ..then you might be able to spot if the rejection is based on some handshake problem.

  • How can I retrieve/compute an X509 certificate's thumbprint in Python and then use it for accessing Service Management APIs from Python SDK?

    Hello,
    I am using Azure Python SDK to perform calls to ServiceManagement APIs.
    I have a .publishsettings file generated for my account which includes an encoded version of my X509 certificate and all of my subscription IDs.
    How can I retrieve/compute an X509 certificate's thumbprint in Python?
    Following is the code snippet that helps us do it in .Net.
    Is there a similar approach to do it in Python?
    var publishSettingsFile = @"C:\temp\CORP DPE Account-11-16-2011-credentials.publishsettings";
    XDocument xdoc = XDocument.Load(publishSettingsFile);
    var managementCertbase64string = xdoc.Descendants("PublishProfile").Single().Attribute("ManagementCertificate").Value;
    var importedCert = new X509Certificate2(Convert.FromBase64String(managementCertbase64string));
    thumbprint = importedCert.Thumbprint;
    Once I have the thumbprint, how can I use that thumbprint to access Service Management APIs from Python SDK?
    Thank you in Advance!
    Regards,
    Vaibhav Kale

    Hi,
    Please have a look at the article below and check if it helps.
    http://azure.microsoft.com/en-in/documentation/articles/cloud-services-python-how-to-use-service-management/
    Regards,
    Mekh.
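    What the .NET snippet in the question actually computes, in Python, as an added example (not code from the Azure SDK, the linked article, or the original post): a certificate "thumbprint" is nothing more than the SHA-1 digest of the certificate's DER encoding, so the only real work is getting at those bytes. The .publishsettings layout handled here is the one the .NET snippet relies on (ManagementCertificate on PublishProfile) plus, as an assumption, the newer layout that puts the attribute on each Subscription element. SAMPLE_XML and FAKE_DER are constructed for the demo; FAKE_DER is not a real certificate.

```python
"""Certificate thumbprint (SHA-1 over the DER encoding) in Python.

Added example, not code from the Azure SDK or from the forum post.  What
.NET calls Thumbprint is the SHA-1 digest of the certificate's DER bytes.
FAKE_DER and SAMPLE_XML are constructed demo data, not a real certificate
or a real .publishsettings file.
"""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def to_der(cert: bytes) -> bytes:
    """Accept a PEM- or DER-encoded certificate and return the DER bytes."""
    if cert.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return cert


def to_pem(der: bytes) -> bytes:
    """DER -> PEM, the on-disk form a PEM-based client library wants."""
    return ssl.DER_cert_to_PEM_cert(der).encode("ascii")


def thumbprint(cert: bytes, algorithm: str = "sha1") -> str:
    """Windows/.NET-style thumbprint: upper-case hex of the digest, no separators."""
    return hashlib.new(algorithm, to_der(cert)).hexdigest().upper()


def fingerprint(cert: bytes, algorithm: str = "sha256") -> str:
    """OpenSSL-style presentation of the same digest, colon separated."""
    digest = thumbprint(cert, algorithm)
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def management_certificates(publishsettings_xml: str) -> dict:
    """Map each subscription id to the base64-decoded ManagementCertificate bytes.

    The attribute is looked up on the Subscription element first and falls
    back to the PublishProfile element (the layout the .NET snippet uses).
    Assumption: in a real .publishsettings file the blob is a PKCS#12
    container rather than a bare certificate, so hash the certificate
    extracted from it (e.g. 'openssl pkcs12 -nokeys'), not the container.
    """
    root = ET.fromstring(publishsettings_xml)
    certs = {}
    for profile in root.iter("PublishProfile"):
        profile_cert = profile.get("ManagementCertificate")
        for sub in profile.iter("Subscription"):
            b64 = sub.get("ManagementCertificate", profile_cert)
            if b64:
                certs[sub.get("Id")] = base64.b64decode(b64)
    return certs


# Constructed demo data: 64 arbitrary bytes standing in for a DER certificate.
FAKE_DER = bytes(range(0x30, 0x70))
SAMPLE_XML = (
    '<PublishData><PublishProfile PublishMethod="AzureServiceManagementAPI" '
    f'ManagementCertificate="{base64.b64encode(FAKE_DER).decode()}">'
    '<Subscription Id="00000000-0000-0000-0000-000000000001" Name="demo"/>'
    '</PublishProfile></PublishData>'
)


if __name__ == "__main__":
    for sub_id, der in management_certificates(SAMPLE_XML).items():
        print(sub_id, thumbprint(der), fingerprint(der))
```

    As I recall, the Service Management client described in the linked article authenticates with the path to a PEM file holding the certificate and its private key rather than with the thumbprint; the thumbprint is what you compare against the management certificates listed for the subscription in the portal.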

  • Using X509 certificates to create a client in a JCo destination / pool

    Hi,
    Our administrators have set up JCo destinations for us developers to use in connecting to the SAP R/3 back-end.  We need to use X509 certificates instead of username/password to create a connection.  How is this done?  The JCo API doesn't seem to list any class/method combination that is suitable. 
    JCO.createClient allows me to pass an X509 certificate, but it doesn't allow me to specify what JCO.Pool (i.e., JCo destination) to use. 
    JCO.addClientPool seems to allow both, but I don't think I want to really "add" a pool-- don't I just want to "use" a  pre-existing pool, i.e., one of the JCo destinations our administrator has set up? 
    Do I need to create a Client using the X509 certificate and somehow add this Client to the JCO.Pool?  I thought JCo destinations were meant to be pre-established Client pools waiting for a Client to be plucked out of it and used.  Is that wrong?  What am I missing? 
    Thanks in advance for your responses.

    Hi,
    I'm not sure whether you can use prepared JCo destinations in this case. However, if it's possible to use single JCo clients you instantiate when you need them, you have different options depending on whether you have an Enterprise Portal installed on top of your J2EE Engine or not.
    --> Without Portal
    Retrieve the user's current certificate from UME using:
    [code]import java.util.Properties;
    import com.sap.mw.jco.JCO;
    com.sap.security.api.IUser currentUser = ...;
    // the certificate(s) registered for the user's first account in UME
    java.security.cert.X509Certificate[] certificates = currentUser.getUserAccounts()[0].getCertificates();
    byte[] certBytes = certificates[0].getEncoded();
    // JCo expects the DER certificate base64-encoded in the password property
    String encodedCert = someBase64Method(certBytes);
    Properties jcoProperties = new Properties();
    // Add your backend properties like hostname and so on...
    jcoProperties.setProperty("jco.client.user", "$X509CERT$");
    jcoProperties.setProperty("jco.client.passwd", encodedCert);
    JCO.Client jcoClient = JCO.createClient(jcoProperties);[/code]
    --> With Portal installed
    In general: Define your backend system in the Portal's system landscape instead of as a JCo destination. Configure its logon method for X.509 certificates. Either use UME's user mapping feature directly via com.sap.security.api.UMFactory.getUserMapping()... to add the certificate properties to the JCO properties, or use some intermediate API, some of which are available in the portal, some of which reside in the J2EE Engine (details if you request them).
    Best regards
    Heiko

  • Failed hostname verification check - even when disabled

    Hello Experts,
    I'm using WLS 923 configured as Admin Server that controls two Managed Servers.
    When i go to "Environment ---> Machines ---> Managed Machine ---> Monitoring ---> Node Manager Status
    It says:
    Status - Inactive
    failed hostname verification check. Certificate contained +v-ebpqadmz1+ but check expected +v-ebpqadmz1.dmzntqa.corp.adija.co.il+
    I've disabled verification check in:
    Servers ---> Managed Server -->SSL ---> Advanced ---> Hostname Verification = NONE
    How come hostname verification check is still being performed ?
    Does anyone know how I can fix this?
    Meanwhile I had to edit my hosts file in order to work around it...
    Regards
    Adi J

    Please add the following parameter in your startup argument.
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Thanks
    Togotutor
    http://www.togotutor.com (Learn Programming and Administration for Free)
    Edited by: togotutor on Aug 12, 2010 3:38 PM

  • Nodemanager hostname verification failure

    Hi, on some of my machines I installed WL 9.1 on, registry.xml had the fully qualified hostname (this is good), others did not (this is bad). When the admin server tries to connect to the node manager on these machines, I get hostname verification failure because the certificate has the non qual hostname but is expecting fully qual. Simply editing registry.xml to the good value did not fix the issue.
    How does weblogic determine the value that goes in the certificate and in registry.xml?
    Can I force it somehow?
    Can I have it just regenerate the certificate?
    Any help would be appreciated.
    Thanks


  • Nodemanager fails hostname verification check

    Does anyone know how I might resolve this issue?
    [[NodeManager:300033]Could not execute command ping on the node manager. Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker: Failed to send command: 'ping to server 'null' to NodeManager at host: '10.32.33.2:5555' with exception [Security:090504]Certificate chain received from 10.32.33.2 - 10.32.33.2 failed hostname verification check. Certificate contained qa153 but check expected 10.32.33.2. Please ensure that the NodeManager is active on the target machine].]

    Matthew Sacks <> wrote:
    Does anyone know how I might resolve this issue?
    [[NodeManager:300033]Could not execute command ping on the node manager.
    [[Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker:
    [[Failed to send command: 'ping to server 'null' to NodeManager at host:
    [['10.32.33.2:5555' with exception [Security:090504]Certificate chain
    [[received from 10.32.33.2 - 10.32.33.2 failed hostname verification
    [[check. Certificate contained qa153 but check expected 10.32.33.2.
    [[Please ensure that the NodeManager is active on the target machine].]Hi,
    - If you are using scripts:
    you can use the following options in your
    scripts: -Dweblogic.security.SSL.ignoreHostnameVerification=true
    - If you want to use it from the adminserver:
    Go to the adminserver in the console
    Go to 'SSL'
    Select 'Advanced'
    Set 'Hostname Verification' to 'none'
    And restart the adminserver.
    cheers,
    Bart
    Schelstraete Bart
    [email protected]
    http://www.schelstraete.org

  • Problem with creating a third party signed x509 certificate

    Dear all
    I'm working on a PKI project, in which I need to generate a key pair and use it to create a self-signed x509 certificate; it will act as the CA, and its private key is used to sign all other x509 certificates. I have no problem creating the self-signed cert, but when I try to create another cert using the CA private key, I get the following exception
    Caught exception: java.security.InvalidKeyException: Public key presented not for certificate signature
    I'm using bouncycastle to do the cert generation, here is an example of my code
       import java.math.BigInteger;
       import java.security.KeyPair;
       import java.security.KeyPairGenerator;
       import java.security.PrivateKey;
       import java.security.PublicKey;
       import java.security.SecureRandom;
       import java.security.Security;
       import java.security.cert.X509Certificate;
       import java.util.Date;
       import java.util.Hashtable;
       import java.util.Set;
       import org.bouncycastle.jce.X509Principal;
       import org.bouncycastle.jce.provider.BouncyCastleProvider;
       import org.bouncycastle.x509.X509V3CertificateGenerator;
       Security.addProvider(new BouncyCastleProvider());
       // key pair of the entity being certified (the subject)
       KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
       keyGen.initialize(1024, new SecureRandom());
       KeyPair keypair = keyGen.generateKeyPair();
       PrivateKey prikey = keypair.getPrivate();
       PublicKey pubkey = keypair.getPublic();
       // CA key pair; the certificate is signed with caprikey
       KeyPair cakeypair = keyGen.generateKeyPair();
       PrivateKey caprikey = cakeypair.getPrivate();
       PublicKey capubkey = cakeypair.getPublic();
       Hashtable attrs = new Hashtable();
       attrs.put(X509Principal.CN, "Test");
       // generate cert
       X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
       certGen.setSerialNumber(BigInteger.valueOf(1));
       certGen.setIssuerDN(new X509Principal(attrs));
       certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
       certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
       certGen.setSubjectDN(new X509Principal(attrs));
       certGen.setPublicKey(pubkey);
       //certGen.setSignatureAlgorithm("MD5WithDSAEncryption");
       certGen.setSignatureAlgorithm("SHA1withDSA");
       X509Certificate cert = certGen.generateX509Certificate(caprikey);
       cert.checkValidity(new Date());
       // verify the signature against the subject's public key (the call that throws the exception above)
       cert.verify(pubkey);
       Set dummySet = cert.getNonCriticalExtensionOIDs();
       dummySet = cert.getNonCriticalExtensionOIDs();
    I have no idea what the problem is.
    I hope that a bouncycastle supporter or anyone could help me or give some guidance, and I would much appreciate that.

    Hi tkfi
    your problem is you're not using the CA public key to do the verification, replace
    cert.verify(pubkey);
    with
    cert.verify(capubkey);
    and it should work

  • Complication if Hostname Verification Ignored enabled?

    Currently we are testing our application. The application needs to
    connect to a remote system through an SSL connection. However,
    without 'Hostname Verification Ignored' enabled, the application
    always received an UnknownHostException; only once we enabled the option
    above could the application connect successfully.
    The cert on the remote system is not a real cert yet (it will be once
    we move to production). However, we already added the CA into our
    trusted list. We are using the JVM bundled with BEA WLS 6.1 SP3.
    The concern that our customer has right now is how it will affect the
    production system. With this option enabled, does that mean any cert
    from any server will be accepted by the JVM/WLS as trusted?
    Currently looking at the trusted CAs in the key ring, there are only 2
    companies supported by default (Verisign and Thawte); is there any
    specific documentation on how to include another CA in the WLS trusted
    list?
    Thank you,
    Irawan.

    I did some more research for the issue mentioned which I yet to get rid of.
    1) I wrote a REST web service which makes a call to another REST service deployed on another weblogic using HTTPs (same code as mentioned above is used). I deployed the war and made a http call to the first webservice; the other REST service was invoked successfully using HTTPs. So this confirmed that there is no problem with the certificates or keystore or hostname verification.
    2) My actual application still throws the handshake exception as below -
    <Warning> <Security> <BEA-090542> <Certificate chain received from xx.yy.zz.rrr - xx.yy.zz.rrr was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
    So I think the problem is something else, but weblogic is printing the wrong exception message.
    The process hierarchy ( in UNIX ) is as shown below -
    bea 31914 31913 0 14:29 ? 00:00:00 /bin/sh <DOMAIN HOME>//bin/startWebLogic.sh
    bea 31989 31914 0 14:29 ? 00:01:25 /opt/bea/jdk160_24/bin/java <The weblogic start server process> started by startWebLogic.sh
    bea 32107 31989 0 14:29 ? 00:00:09 /opt/bea/jdk160_24/bin/java <One of custom process>
    bea 2038 32107 0 18:38 ? 00:00:15 /opt/bea/jdk160_24/bin/java <Another custom process which contains my java classes containing the REST client>
    The problem is there in both Weblogic 11 and 10.3 version.
    I will be grateful if someone gives any clue about the problem.

  • Entourage + X509 Certificates

    I am trying to get rid of that annoying message when connecting to my US Army email account. According to what I've read, I am missing the X509 Certificates. According to http://www.macosxhints.com/comment.php?mode=display&format=threaded&order=ASC&pid=56542 All I need to do is enable the X509 Certs. A few other websites say the same thing. But most are geared towards 10.4 systems. When I go to the Keychain, I have already enabled the X509 Anchors. Do the Certs. not exist anymore? I am still running 10.5.1 MacBook as well as an un-updated Entourage. It's hard to get big updates in the middle of the desert. Any ideas? Thanks.

    Forget about the local hostname question - all that is important at the moment is that my keystores and truststores (created using Sun JVM keytool) are transportable and usuable on the other host without change. The network resources associated with the names in the certificates are planned to move across as part of the resource gorup).
    In theory I guess this shoud work, but I wanted to know if anyone has had any experience of doing this and there were any gotchas.
    Thanks.

  • Custom SSL Hostname Verifier - SSL Hostname Verification Failed

    Background:
    I am using a java client deployed in weblogic which connects to a 3rd party url over HTTPS.
    version: WebLogic server 10.3.0
    Issue:
    I am connecting to say www.abc.com and the site is presenting its certificate as *.ABC.com, and I am getting Hostname verification failed.
    I am using weblogic's default hostname verifier.
    Setting hostname verification to false resolves this error, but I want to keep it for security.
    Can anybody please share some best practices to write a custom HostnameVerifier to overcome this kind of problems?
    Thanks in advance!

    An example - this validates that a cert sent to a cluster member (such as by OSB's internals) will be validated when the cluster uses a load balancer address (defined in the cluster's http tab)
    import java.io.ByteArrayInputStream;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLSession;
    // weblogic.security.SSL.HostnameVerifier declares the same verify(String, SSLSession) method
    public class LoadBalancerHostnameVerifier implements HostnameVerifier {
        private final String QA_LB_NAME = "my_loadbalancer.net";
        private final String QA_HOST1 = "my_serverhost1.net";
        private final String QA_HOST2 = "my_serverhost2.net";
        public boolean verify(String hostname, SSLSession session) {
            try {
                // the first element of the chain is the peer's own certificate
                Certificate cert = session.getPeerCertificates()[0];
                // re-parse it as an X509Certificate to get at the subject DN
                byte[] encoded = cert.getEncoded();
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                ByteArrayInputStream bais = new ByteArrayInputStream(encoded);
                X509Certificate xcert = (X509Certificate) cf.generateCertificate(bais);
                // getCanonicalName() is the poster's helper that extracts the CN from the DN string (not shown)
                String cn = getCanonicalName(xcert.getSubjectDN().getName());
                if (cn.equals(hostname))
                    return true;
                // Allow a match if the load balancer cert is presented from one of its
                // servers
                if (cn.equals(QA_LB_NAME) &&
                    ((hostname.equals(QA_HOST1)) || (hostname.equals(QA_HOST2))))
                    return true;
                // all other certs fail
                return false;
            } catch (Exception e) {
                // no readable peer certificate: fail closed
                return false;
            }
        }
    }
    You can do something similar with your wildcard example - allow the validation if the cn is "*.abc.com" and the hostname is "www.abc.com"
    As far as best practices, I would suggest only have specific hard-coded validation entries for known certificates such as your wild card example. You want the default behavior ( of the hostname matching the CN name ) plus your particular case - and nothing else
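    The matching rules that the default JSSE and WebLogic verifiers apply, and that the thread-opening failover question depends on, modelled in plain Python as an added example (not code from any of the posts above and not JSSE's or WebLogic's implementation): dNSName SANs are tried first and the CN only when the certificate carries none, a wildcard is honoured only as the whole left-most label and spans exactly one label, and an IP literal is compared only with iPAddress SANs. Every certificate name and host name in it is constructed for the demo. cluster_demo covers the failover case from the first post, where one certificate that lists the floating service name and both physical nodes as SANs verifies no matter which node is serving.

```python
"""Hostname verification as JSSE and WebLogic perform it, modelled in plain Python.

Added example, not code from the forum posts above.  The rules follow
RFC 2818 / RFC 6125: dNSName SANs first, CN only as a legacy fallback,
wildcard only as the whole left-most label, IP literals only against
iPAddress SANs.  Every certificate name and host name below is constructed.
"""
import ipaddress
from typing import Iterable, Optional, Tuple


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot marks an FQDN, it is not a label.
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN (or the CN) against the name the client dialled."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard is honoured only as the entire left-most label, and only when
    # at least two fixed labels follow it: '*.abc.com' is fine, while '*.com',
    # 'w*.abc.com' and 'www.*.com' are all rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # '*' spans exactly one label: '*.abc.com' matches 'www.abc.com' but
    # neither 'abc.com' nor 'a.b.abc.com'.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def verify_hostname(hostname: str,
                    dns_names: Iterable[str] = (),
                    ip_addresses: Iterable[str] = (),
                    cn: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a certificate is acceptable for `hostname`.

    dns_names / ip_addresses are the certificate's subjectAltName entries and
    cn is its subject CommonName; the reason string mirrors the wording of the
    WebLogic BEA-090504 message quoted in the threads above.
    """
    dns_names, ip_addresses = list(dns_names), list(ip_addresses)
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # An IP literal is compared only with iPAddress SANs, never with a
        # dNSName or the CN: a NodeManager reached by IP fails when its
        # certificate only carries the host name.
        for ip in ip_addresses:
            if ipaddress.ip_address(ip) == wanted_ip:
                return True, f"iPAddress SAN {ip} matches {hostname}"
        return False, f"certificate contained no iPAddress SAN but check expected {hostname}"

    # Once the certificate carries dNSName SANs the CN is ignored entirely.
    candidates = dns_names if dns_names else ([cn] if cn else [])
    source = "dNSName SAN" if dns_names else "CN"
    for name in candidates:
        if dns_name_matches(name, hostname):
            return True, f"{source} {name} matches {hostname}"
    contained = ", ".join(candidates) or "<no name>"
    return False, f"certificate contained {contained} but check expected {hostname}"


def cluster_demo() -> dict:
    """The failover case from the opening post, with constructed names.

    One key pair, whose certificate lists the floating service name and both
    physical cluster nodes as dNSName SANs, verifies wherever the resource
    group is running; a third node and a bare IP address do not.
    """
    san = ["app.example.net", "node1.example.net", "node2.example.net"]
    hosts = ("app.example.net", "node2.example.net", "node3.example.net", "10.0.0.5")
    return {host: verify_hostname(host, dns_names=san, cn="app.example.net")[0] for host in hosts}


if __name__ == "__main__":
    # The failure shapes seen in the threads above, plus the wildcard case.
    print(verify_hostname("gawlsdev02", cn="gawlsdev02.ssga.statestr.com"))
    print(verify_hostname("10.32.33.2", cn="qa153"))
    print(verify_hostname("v-ebpqadmz1.dmzntqa.corp.adija.co.il", cn="v-ebpqadmz1"))
    print(verify_hostname("www.abc.com", dns_names=["*.abc.com"]))
    print(cluster_demo())
```

    For the failover question this is the whole design: issue the certificate for the floating service name (with the physical node names as extra SANs if anything connects to them directly), keep the keystore on the filesystem that moves with the resource group, and have clients dial only the floating name; then nothing about the keystore or the verifier changes on failover. Note that a verifier which compares only the CN, like the one in the answer above, would still reject a certificate whose names live only in the SAN extension, so any hand-written verifier should read the SANs before falling back to the CN.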

  • WebID (x509 certificate) on Windows Server 2012

    How can a (end) user log in to Windows Server 2012 using his WebID (x509 certificate)?

    Hi,
    I assume that you are talking about smart card logon, which makes it possible for user to logon using a smart card and a PIN (Personal Identification Number).
    More information for you:
    Set up a smart card for user logon
    http://technet.microsoft.com/en-us/library/cc775842(v=WS.10).aspx
    How to implement x.509 certificate-based windows logon and authentication
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0291dee1-1b10-4139-b36d-f1b953f8a09a/how-to-implement-x509-certificatebased-windows-logon-and-authentication?forum=winserversecurity
    I hope this helps.
    Amy Wang
