Using OC4J keystore VS Verisign SSL
Hello
I expose a Java web service over HTTPS. It will be used by a third-party service that does not use any Oracle server. I deploy my Java web service on Oracle SOA Suite 10.1.3.4.
Reading some documents, such as https://docs.oracle.com/cd/E16439_01/doc.1013/e13977/configssl.htm , I realized that we can generate a public/private key pair on the server. The public key will be shared with third-party applications so that they can consume our service.
Now my question is: are the keys that I generate from the server intended to be consumed by any web service, or only by services deployed on Oracle servers? Or is it recommended to opt for an SSL implementation from Verisign, Thawte, etc.?
Kind regards
Arindam
Hi Arindam,
Your web service can be consumed by any third-party application as long as they have the SSL certificate and the public key, whatever server they are deployed on.
As normal practice, you create a CSR (certificate signing request), have it signed by a third-party certificate authority (such as Verisign, etc.), and then finish by installing the signed certificate that comes back. Then you share that certificate with the third party's web service so they can import the certificate into their keystore.
But for testing, you can use free self-signed certificates.
Tags: Fusion Middleware
Similar Questions
-
I use the Live Mail client with SSL, but I can't retrieve the messages in the subfolders of my Hotmail account. How can I do this? I can display them using a web browser, but the Live Mail client only updates the Inbox, not the subfolders.
View all Windows Live and Hotmail questions in the appropriate forum found here:
http://windowslivehelp.com/ -
CFHTTP or webservice to Verisign SSL
I have tried many things to get this to work, and I come to the same conclusion every time... it simply doesn't work.
If I try to connect to a site using SSL with CFHTTP or via cfinvoke, I get a result like this:
struct
Charset [empty string]
ErrorDetail I/O Exception: peer not authenticated
FileContent connection failure
Header [empty string]
MimeType unable to determine the MIME type of the file.
ResponseHeader struct [empty]
StatusCode connection failure. Not available status code.
Text YES
In my case, I try to connect to a site with a Verisign Class 3 certificate. I went to Verisign, downloaded the current intermediate certificates, installed them using the keytool utility, rebooted my machine, re-tested: did not work. I installed the keys through MMC in Windows: did not work. I also tested with a GoDaddy SSL key... still does not work. I have read just about every post in the forums about this, and none of them ever seemed to have the problem resolved. I have a box with 7 and one with 8.01 and I've tried it on both boxes, and neither of them worked. My 8.01 installation is running JVM 1.6, which was supposed to have this issue fixed... I am at a loss here...
Has anyone fixed this problem?
Surprisingly, I found the snippet below on livedocs.
Please note that I was on my own dedicated Windows server to which I had command prompt access, so that I could perform the commands below. It's the only thing that worked for me.
http://livedocs.Adobe.com/ColdFusion/8/htmldocs/help.HTML?content=Tags_g-h_09.html
Manually import a certificate
Go to a page on the SSL server in question.
Double-click the lock icon.
Click the Details tab.
Click "Copy to File".
Select the Base64 option and save the file.
Copy the .cer file to C:\CFusionMX7\runtime\jre\lib\security (or the equivalent directory of the JRE that ColdFusion uses).
Run the following command in the same directory (keytool.exe is located in C:\CFusionMX7\runtime\jre\bin):
keytool -import -keystore cacerts -alias giveUniqueName -file FileName.cer
-
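The keytool import above and the CSR-then-import workflow in the first answer both end with an entry in a JKS store such as the JRE's cacerts. The following reader/writer for the JKS file format is an added example (not code from any of the posts): it lists the aliases in a store and verifies the integrity digest, which is what keytool -list does, so you can confirm that an import landed and that the store password is right even on a machine without a JDK. The aliases and the placeholder DER bytes in the sample store are constructed.

```python
"""Reader/writer for Java's JKS keystore format (Python stdlib only).

JKS version 2 layout:
  int32 magic 0xFEEDFEED, int32 version, int32 entry count, then per entry:
  int32 tag (1 = private key, 2 = trusted cert), alias (uint16 length + UTF-8),
  int64 creation time (ms). Trusted cert: cert type ("X.509"), int32 length, DER.
  Private key: int32 length, protected key bytes, int32 chain length, then
  (cert type, int32 length, DER) per chain certificate.
  Trailer: SHA-1(password as UTF-16BE || b"Mighty Aphrodite" || everything above).
"""
import hashlib
import struct
import time

MAGIC = 0xFEEDFEED
VERSION = 2
TAG_PRIVATE_KEY = 1
TAG_TRUSTED_CERT = 2
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string Java mixes into the digest


def _utf(s: str) -> bytes:
    """Java DataOutputStream.writeUTF for plain aliases: uint16 length + bytes."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _digest(password: str, body: bytes) -> bytes:
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))  # Java stores each char as 2 bytes
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()


def write_jks(entries, password: str, created_ms=None) -> bytes:
    """Build a store of trusted-cert entries; entries = [(alias, der_bytes), ...]."""
    created_ms = int(time.time() * 1000) if created_ms is None else created_ms
    body = bytearray(struct.pack(">III", MAGIC, VERSION, len(entries)))
    for alias, der in entries:
        body += struct.pack(">I", TAG_TRUSTED_CERT)
        body += _utf(alias.lower())  # keytool lower-cases aliases on import
        body += struct.pack(">q", created_ms)
        body += _utf("X.509")
        body += struct.pack(">I", len(der)) + der
    return bytes(body) + _digest(password, bytes(body))


class _Cursor:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def i64(self) -> int:
        return struct.unpack(">q", self.take(8))[0]

    def utf(self) -> str:
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")


def read_jks(data: bytes, password: str):
    """Parse a JKS store and return (entries, integrity_ok).

    integrity_ok is False when the password is wrong or the file was altered;
    the certificates are still returned because JKS does not encrypt them.
    """
    cur = _Cursor(data)
    if cur.u32() != MAGIC:
        raise ValueError("not a JKS keystore (bad magic); a PKCS12 file starts with 0x30")
    if cur.u32() != VERSION:
        raise ValueError("unsupported JKS version")
    entries = []
    for _ in range(cur.u32()):
        tag, alias, created = cur.u32(), cur.utf(), cur.i64()
        if tag == TAG_TRUSTED_CERT:
            certs = [(cur.utf(), cur.take(cur.u32()))]
            kind = "trustedCertEntry"
        elif tag == TAG_PRIVATE_KEY:
            cur.take(cur.u32())  # password-protected private key; not needed to list
            certs = [(cur.utf(), cur.take(cur.u32())) for _ in range(cur.u32())]
            kind = "PrivateKeyEntry"
        else:
            raise ValueError(f"unknown entry tag {tag}")
        entries.append({"alias": alias, "type": kind, "created_ms": created, "certs": certs})
    body = data[:cur.pos]
    stored = cur.take(hashlib.sha1().digest_size)
    return entries, stored == _digest(password, body)


def has_alias(data: bytes, alias: str) -> bool:
    """True if the alias is present (case-insensitive, as keytool treats it)."""
    entries, _ = read_jks(data, "")
    return any(e["alias"] == alias.lower() for e in entries)


if __name__ == "__main__":
    # Constructed sample: two trusted-cert entries with placeholder DER bytes,
    # protected by the cacerts default password "changeit".
    sample = write_jks([("giveUniqueName", b"\x30\x03\x02\x01\x01"),
                        ("verisign-class3-g5", b"\x30\x03\x02\x01\x02")], "changeit")
    found, ok = read_jks(sample, "changeit")
    print(f"Keystore integrity OK: {ok}, {len(found)} entries")
    for e in found:
        print(f"  {e['alias']}, {e['type']}, {len(e['certs'][0][1])} DER bytes")
```

To check a real store, pass the bytes of cacerts and its password to read_jks; a False integrity flag with the right password means the file was modified outside keytool.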
Use of the default keystores (.jks) in production on WLS
Hi all
I need confirmation on the use of the default keystores (.jks) on WebLogic Server 10.3.5 running in PRODUCTION mode.
I configured the demo-trust.jks and demo-identity.jks files on a WebLogic Server that runs in production mode, but the link below says we should not use the default demoidentity.jks and demotrust.jks keystores in production, as they are for trial use only.
In general, the mode of production requires you to configure additional security features.
For info... http://oracle-solutions.com/en/configuration-ssl-weblogic-server/
FYI, some of the major WebLogic Server log entries:
-The system is vulnerable to security attacks, because he trusts of certificates signed by the CA trust demo.
-BEA-000330 > < started WebLogic Server managed by "bi_server1" for the domain "bifoundation_domain" running in Production Mode >.
-WARNING: DOMAINS\BIFOUNDATION_DOMAIN\SERVERS\BI_SERVER1\TMP\_WL_USER\ORACLE.APPLCORE.MODEL\VY4GK6/META-INF/APPLICATION.XML. A version attribute is required, but this version of the Weblogic Server will assume that the JEE5 is used. Future versions of the Weblogic Server will reject the descriptors that do not specify the JEE version. >
Basically, we are trying to implement SSO between OBIEE 11g and a J2EE application on WLS 10.3.5. I just finished configuring SAML2 on two different managed servers, but SSO does not work, and I am also not able to find error messages in the server logs.
I would like to know: if we choose to use the default keystores in WLS production, does it impact the SSO (SAML2) feature?
Thanks in advance
It should not be a problem...
You can use tools like Fiddler to capture the HTTP headers and see where it fails.
You can also enable SAML debugging in the WLS console for more information.
Hope it will be useful.
Thank you
Faisal -
Using HTTP services with SSL in Internet Explorer
Hello
Basically what is happening is that the secure services do not load when I bring up the web site in Internet Explorer. The site works perfectly in Firefox and Safari, however nothing loads via the HTTP services when using SSL. I read Lin Lin's article http://weblogs.macromedia.com/lin/archives/flex/security/index.cfm on using SSL, however I am confused as to how to implement the changes she mentions. Basically, she mentions a couple of reasons why HTTPService would not be able to load data when connecting via SSL. I've read the Adobe TechNote at http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=fdc7b5c&pss=rss_flashplayer_fdc7b5c , but it was not clear either.
1. How can I change the settings of the server have the correct header information?
2. can I change something in the compiler Flex for SSL and IE?
It works perfectly in FireFox and Safari, and retrieves the data without any problem. All ideas, information would be appreciated.
-
CFHTTP Standard GoDaddy SSL keystore
I'm trying to connect via CFHTTP to a server that has switched from a Verisign SSL certificate to GoDaddy. While they were with Verisign there was no problem.
I spent about 5-6 hours searching through several posts, but none seem to have a solution.
I downloaded the .cer file to my machine and installed it in the ColdFusion JRE's keystore with the keytool utility. Restarted ColdFusion, same error: connection refused.
Then I tried downloading the .cer files from GoDaddy's repository, imported them, restarted ColdFusion, same error.
I then downloaded and installed the latest JDK, and moved ColdFusion from the included JVM to the new one. Imported all the keys into that keystore, restarted ColdFusion, same error.
I've performed this on servers running CF8 and CF9.
Has anyone had success with GoDaddy SSL who could give me some advice about where I'm going wrong?
Thank you
Steve
For me, it turns out the company bought the el-cheapo GoDaddy SSL certificate. If they had spent a little more money and got the standard one, I would have had no problem.
I eventually found cfx_http5. I bought that for the server and switched my code to use it without problem.
Steve
-
SSL certificate not used for Admin Server connections
I have a GoDaddy SSL certificate installed on OS X Server 10.11.4. It works very well for the web server (https). Connecting via Server.app off-site produces an SSL warning and a self-signed certificate. There is a related error that appears regularly in the logs:
[[servermgr_certs]:-[CertsRequestHandler(KeychainOpenSSLExport) exportIdentity:]: SecKeychainItemExport (certificateChain) no certificate string available, defaulting to a cert leaves only
Any suggestions? I have reinstalled the cert...
You must make Server.app use the 3rd-party certificate. Follow these steps:
1: Open Keychain Access.
2: Select the System keychain in the keychains list.
3: Find the identity preference com.apple.servermgrd and double-click it.
4: Select your 3rd-party SSL certificate in the Preferred Certificate pop-up menu.
5: Press the Save Changes button. You will be asked to authenticate.
6: Restart the server, or restart the servermgrd process, to activate the changes.
Now when you connect to the server from a remote device using Server.app, you will sign in using your valid 3rd-party SSL certificate and avoid the errors.
Reid
Apple Consultants Network
Author - "El Capitan Server - Foundation Services"
Author - "El Capitan Server - Collaboration & Control"
Author - "El Capitan Server - Advanced Services"
iBooks exclusively available in the Apple store
-
SSL/TLS over TCP using a TcpListener socket or a TcpClient
I am trying to use SSL/TLS over TCP, but in my code a socket is used, not a TcpClient or TcpListener. I searched the net through at least 200 links but have not found anything related to that. I want to use as little code as possible and do SSL or TLS during the TCP socket connection. I have a client, a server, a certification authority, and a key in .key format. Please help with an example.
Hello
The TechNet support team can solve your problem properly, since your question is beyond the scope of what is generally answered here.
Kind regards.
-
ASA 5520: SSL VPN using a different IP address than the ASA public IP address
Hi guys,.
I'm trying to configure an SSL VPN on a Cisco ASA5520.
Unfortunately port 443 on the OUTSIDE interface of the ASA is already used by Microsoft Outlook Web Access and I cannot change the Outlook configuration. This configuration already in place allows the public IP address of the ASA to be used as the Cisco VPN IP for the web page.
I don't want to use a different port, to keep life easy for users.
I have a few available public IPs that I can use, so I wanted to use one of them instead of the OUTSIDE interface of the ASA. Any idea how I could do this?
Thank you
Dario
Unfortunately you cannot use any other public IP address except the ASA outside interface IP to terminate the SSL VPN.
The only options you have are to change Outlook to use another port, or the SSL VPN to use a different port.
-
ASA - client SSL connections: what options do I have?
We have a large site and have only allowed IPSEC for all our branch-to-branch and user tunnels. We tried SSL years ago but it had limits, so we stopped the deployment. We must now begin SSL VPN for users and I have a few basic ASA questions.
I have an unused ASA 5510 for testing that currently has 8.3.2 on it, a Security Plus license, 100 SSL VPN peers and 250 total VPN peers, VLAN max 100, 2 security contexts, active/active, 2 phone proxy, and everything else is disabled. We do not intend to use a clientless SSL web connection anywhere (AnyConnect Essentials?) and will only use the full SSL VPN client, which will be hand-loaded on machines or downloaded from the ASA and loaded on the computer if possible. What I want to know is which version of the current code I can install on my ASA without losing my existing 100 SSL VPN peers license, and whether the AnyConnect client would be supported? I've seen talk about AnyConnect Premium but do not know its relationship. If I upgrade the ASA to new releases or versions of code, does my SSL VPN peer license turn into an AnyConnect Premium license?
Any help to get me started in the right direction would be appreciated. I know I can spend days trying to understand Cisco licenses and their traps and still get burned in the end with the wrong feature or license. Basically, I want to know what I have to install for the end-user full SSL VPN clients and what I have to do on the ASA to provide this functionality with the current license/feature set. I also want to know what the end user should use, because it seems that AnyConnect Secure Mobility is the same whether or not I use all its security features. Example: I am not able to check for firewall/malware etc. programs, but we currently have a policy in place which does not allow Internet browsing or access when end users have VPN tunnel connections to our site. That restriction should be kept, if possible, with the SSL VPN connection also.
Thank you
Paul
The SSL VPN client-based license will remain active on your box through later ASA software updates. AnyConnect Essentials (which you already have) will work with the SSL VPN license feature.
You would be upgrading to AnyConnect Premium only if you wanted to add features like clientless SSL VPN (purely browser-based) or other items such as Advanced Endpoint Assessment (AEA). AnyConnect Premium can coexist with AnyConnect Essentials on the ASA, even though you can't mix and match Premium and Essentials licenses.
The Essentials or Premium distinction is mainly directed at the setup of the ASA. The same AnyConnect Secure Mobility client software (version 3.1 is the latest for Windows and OS X and is quite a nice new version) is used in both cases. Additional functional client plug-ins are things such as AEA and NAC 802.1x. Your ASA-based group policies, such as no split tunneling, etc., remain in force.
If you intend to allow mobile device clients (iPhone, iPad, and Android (very limited support for the last one, BTW)) to access your VPN, you will need to add the AnyConnect Mobile license on the ASA and install the client from the respective app store. Note that Windows Phone and BlackBerry are not supported as AnyConnect clients.
-
Generate certificates for use with the VMware SSL certificate automation tool
Hello
I am trying to use the SSL certificate automation tool. Our vCenter Server is configured in Heartbeat mode. When I'm trying to generate the certificate signing request (CSR) for Single Sign-On (SSO), option 1 asks me to provide the FQDN. I want to know which FQDN I should provide: the node name or the virtual name.
Also, I will try to use this tool for other components like Update Manager, Inventory Service, the vCenter Server service, and Web Client. Does anyone have experience with how to use this tool?
Thank you
I successfully replaced the certificates for all services. I used the FQDN of the virtual name, not the node name, to generate the CSR. Thank you
-
Can you use different cipher suites with different SSL certificates?
Using JSSE for SSL, you first call javax.net.ssl.SSLContext.init(), where you specify the KeyManagers. Here I specify an X509KeyManager where I specify the list of X.509 certificates I would like to use for all SSL communication with an SSL peer. I then create an SSLSocket from the context using SSLContext.getSocketFactory().createSocket(), where the created SSL socket uses the KeyManager created in the previous step.
However, when I use this socket to negotiate SSL, I do not have any control over which cert is used with which cipher suite chosen during the SSL handshake. For example, if I have two certificates in the KeyManager, say A and B, I might want to use A when the cipher suite chosen in the SSL negotiation is TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA, while I could use B when the cipher suite is TLS_RSA_WITH_AES_128_CBC_SHA (the cipher suites are according to RFC 5264 for TLS 1.2).
Is it possible to have this kind of control while using JSSE in Java? I might want to use A only when the cipher suite chosen in the SSL negotiation is...
You can't. The cipher suite is chosen after the certificate.
I don't really see what the choice of the certificate has to do with the choice of cipher suite. One is for authentication; the other is for encryption.
-
How to use the JKS-based Keystore in Oracle 11g SOA
I'm doing FTPS to a remote third-party server (running UNIX) using the SOA 11g FTP adapter. I installed and configured vsftpd and generated the vsftpd.pem certificate file on the remote server.
I followed the steps mentioned in http://download.oracle.com/docs/cd/E17904_01/integration.1111/e10231/adptr_file.htm#CIABDGCF
In one step, "Setting up the Oracle FTP adapter", walletLocation is necessary, so I went through the steps mentioned in http://download.oracle.com/docs/cd/E17904_01/core.1111/e10105/wallets.htm#CHDGIJDC
(Tried using both 1) JKS Keystore Management and 2) Wallet Management)
Unable to find either of them in the Oracle SOA 11g EM; the steps do not match.
Can someone tell me how to use JKS Keystore or Wallet Management?
Thank you very much!!
Concerning
Yogesh
Hi Yogesh,
I think that the wallet can be created from the FMW console only if the HTTP server is installed and available. If there is no Oracle HTTP server, configure one as specified in:
Oracle HTTP Server installation: http://download.oracle.com/docs/cd/E12839_01/doc.1111/e14260/toc.htm
Regards,
Neeraj Sehgal -
Hello
I'm here because I have exhausted my ColdFusion/Java SSL keystore cert troubleshooting capabilities. Here's the question. I'm developing a ColdFusion 11 application which must make calls to the Chase PayConnexion SOAP services API. I use the cfhttp tag in ColdFusion to do this, which uses the Java JRE 1.7.x to achieve it. The problem is I'm getting generic 500 internal server errors from Chase. They claim that I'm not sending a cert in the SSL exchange. What I did is:
- put our generic cert/key pair in the ColdFusion keystore
- put our root and the chain in the keystore
- put the Chase server certs in the keystore
- converted the key/crt files to .pfx and made calls
to Chase with those, something like:
<!--- Class name was garbled in the original; assumed to be java.security.Security,
      the usual ColdFusion "sslfix" workaround that loads the JsafeJCE provider. --->
<cfset objSecurity = createObject("java", "java.security.Security") />
<cfset storeProvider = objSecurity.getProvider("JsafeJCE") />
<cfset Application.sslfix = true />
<!--- Mutual-TLS call: clientCert points at the .pfx built from our key/crt pair --->
<cfhttp url="#chase_api_server#/"
        result="http_response"
        method="post"
        port="1401"
        charset="utf-8"
        clientCert="#cert_path#/#cert_file1#"
        clientCertPassword="#cert_password#">
    <cfhttpparam type="header" name="SOAPAction" value="updateUserProfileRequest" />
    <cfhttpparam type="header" name="Host" value="ws.payconnexion.com" />
    <cfhttpparam type="xml" value="#trim(my_xml)#" />
</cfhttp>
Here is what I see in the CF logs; can someone help me interpret what is happening?
Thank you
Bob
=============================================================
***
found the key for: 1
String [0] =]
[
Version: V3
Object: CN = *. payments.austintexas.gov, O = city of Austin, L = Austin, ST = Texas, C = US
Signature algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun public key RSA 2048 bits
module: < snip >
Validity: [from: Mon Aug 11 12:39:37 CDT 2014]
[To: Fri Oct 01 18:34:24 CDT 2016]
Issuer: CN = Entrust Certification Authority - L1C, OR = "(c) 2009 Entrust, Inc.", OR = www.entrust.net/rpa is incorporated by reference, O = 'Entrust, Inc.', C = US "
Serial number: [< snip > 7]
Certificate extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 criticality = false
[Field
[
accessMethod: ocsp
accessLocation: U: http://OCSP.entrust.NET
,
accessMethod: caIssuers
accessLocation: U: http://AIA.entrust.NET/2048-L1C.CER
]
]
[2]: ObjectId: 2.5.29.35 criticality = false
[AuthorityKeyIdentifier
[KeyIdentifier
< snip >]
]
[3]: ObjectId: 2.5.29.19 criticality = false
BasicConstraints:]
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 criticality = false
[CRLDistributionPoints
[DistributionPoint:]
[U: http://crl.entrust.net/level1c.crl]
]]
[5]: ObjectId: 2.5.29.32 criticality = false
[CertificatePolicies
[CertificatePolicyId: [1.2.840.113533.7.75.2]]
[PolicyQualifierInfo: []]
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: < snip >
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]]
[] ]
]
[6]: ObjectId: 2.5.29.37 criticality = false
[ExtendedKeyUsages
serverAuth
AutClient
]
[7]: ObjectId: 2.5.29.15 criticality = false
[KeyUsage
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 criticality = false
[SubjectAlternativeName
DNSName: *. payments.austintexas.gov
DNSName: payments.austintexas.gov
]
[9]: ObjectId: 2.5.29.14 criticality = false
[SubjectKeyIdentifier
[KeyIdentifier
< snip >]
]
]
Algorithm: [SHA1withRSA]
Signature:
< snip >
]
[1] string =]
[
Version: V3
Object: CN = Entrust Certification Authority - L1C, OR = "(c) 2009 Entrust, Inc.", OR = www.entrust.net/rpa is incorporated by reference, O = 'Entrust, Inc.', C = US "
Signature algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun public key RSA 2048 bits
module: < snip >
public exponent: 65537
Validity: [from: Fri 11 Nov 09:40:40 CST 2011,]
[To: Thu Nov 11 20:51:17 CST 2021]
Issuer: Authority of Certification CN = Entrust .net (2048), OR = (c) 1999 Entrust.net Limited, www.entrust.net/CPS_2048 incorp =. by Ref. (limits liab.), O = Entrust .net
Serial number: [< snip >]
Certificate extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 criticality = false
[Field
[
accessMethod: ocsp
accessLocation: U: http://OCSP.entrust.NET
]
]
[2]: ObjectId: 2.5.29.35 criticality = false
[AuthorityKeyIdentifier
[KeyIdentifier
< snip >]
]
[3]: ObjectId: 2.5.29.19 criticality = true
BasicConstraints:]
CA:true
PathLen:0
]
[4]: ObjectId: 2.5.29.31 criticality = false
[CRLDistributionPoints
[DistributionPoint:]
[U: http://crl.entrust.net/2048ca.crl]
]]
[5]: ObjectId: 2.5.29.32 criticality = false
[CertificatePolicies
[CertificatePolicyId: [2.5.29.32.0]]
[PolicyQualifierInfo: []]
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: < snip >
]] ]
]
[6]: ObjectId: 2.5.29.15 criticality = true
[KeyUsage
Key_CertSign
Crl_Sign
]
[7]: ObjectId: 2.5.29.14 criticality = false
[SubjectKeyIdentifier
[KeyIdentifier
< snip >]
]
]
Algorithm: [SHA1withRSA]
Signature:
< snip >
]
[2] string =]
[
Version: V3
Subject: Authority of Certification CN = Entrust .net (2048), OR = (c) 1999 Entrust.net Limited, www.entrust.net/CPS_2048 incorp =. by Ref. (limits liab.), O = Entrust .net
Signature algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun public key RSA 2048 bits
module: < snip > public exponent: 65537
Validity: [from: Fri dec 24 11:50:51 CST 1999]
[To: kill Jul 24 09:15:12 CDT 2029]
Issuer: Authority of Certification CN = Entrust .net (2048), OR = (c) 1999 Entrust.net Limited, www.entrust.net/CPS_2048 incorp =. by Ref. (limits liab.), O = Entrust .net
Serial number: [< snip >]
Certificate extensions: 3
[1]: ObjectId: 2.5.29.19 criticality = true
BasicConstraints:]
CA:true
PathLen:2147483647
]
[2]: ObjectId: 2.5.29.15 criticality = true
[KeyUsage
Key_CertSign
Crl_Sign
]
[3]: ObjectId: 2.5.29.14 criticality = false
[SubjectKeyIdentifier
[KeyIdentifier
< snip >]
]
]
Algorithm: [SHA1withRSA]
Signature:
< snip >
]
***
trustStore is: / opt/coldfusion11/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
init truststore
adding that cert trust:
< certs snip 85 >
trigger the seeding of SecureRandom
done seeding SecureRandom
January 23, 2015 13:15:37 information [ajp-bio-8014-exec-7] - HTTP request to leave {URL ='https://ws.payconnexion.com:1401/pconWS/9_5 /", method = 'post'"}
Ignoring the unsupported encryption suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring the unsupported encryption suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring the unsupported encryption suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring the unsupported encryption suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring the unsupported encryption suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring the unsupported encryption suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow the dangerous renegotiation: true
Allow legacy Hello messages: true
Is the first handshake: true
Is secure renegotiation: false
% No session caching client
ClientHello, TLSv1
RandomCookie: GMT: 1405197529 bytes = {191, 115, 95, 85, 79, 234, 145, 176, 62, 70, 36, 102, 168, 15, 127, 174, 88, 118, 4, 177, 226, 5, 254, 55, 108, 203, 80, 80}
Session ID: {}
Cipher suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_RC4_128_MD5]
Compression methods: {0}
Extension elliptic_curves, the names of curve: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Servername extension, server_name: [hostname: ws.payconnexion.com]
***
AJP-bio-8014-exec-7, WRITING: TLSv1 Handshake, length = 191
AJP-bio-8014-exec-7, READ: TLSv1 Handshake, length = 81
ServerHello, TLSv1
RandomCookie: < snip >
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
Compression method: 0
Extension renegotiation_info, renegotiated_connection: < empty >
***
%% Initialized: [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA]
* TLS_RSA_WITH_AES_256_CBC_SHA
AJP-bio-8014-exec-7, READ: TLSv1 Handshake, length = 4183
Certificate chain
String [0] =]
[
Version: V3
Subject: CN = ws.payconnexion.com, OR is PayConnexion, O is JPMorgan Chase, L = New York, ST = New York, C = US
Signature algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun public key RSA 2048 bits
module: < snip >
public exponent: 65537
Validity: [from: Sun Apr 20 19:00:00 CDT 2014]
[To: kill Jun 02 18:59:59 CDT 2015]
Issuer: CN = VeriSign Class 3 International Server CA - G3, OU = terms of use at https://www.VeriSign.com/RPA (c) 10, OU = VeriSign Trust Network, O = "VeriSign, Inc.", C = US
Serial number: [< snip >]
Certificate extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 criticality = false
[Field
[
accessMethod: ocsp
accessLocation: U: http://se.symcd.com
,
accessMethod: caIssuers
accessLocation: U: http://se.symcb.com/se.CRT
]
]
[2]: ObjectId: 2.5.29.35 criticality = false
[AuthorityKeyIdentifier
[KeyIdentifier
< snip >]
]
[3]: ObjectId: 2.5.29.19 criticality = false
BasicConstraints:]
CA:false
PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 criticality = false
[CRLDistributionPoints
[DistributionPoint:]
[U: http://se.symcb.com/se.crl]
]]
[5]: ObjectId: 2.5.29.32 criticality = false
[CertificatePolicies
[CertificatePolicyId: [2.16.840.1.113733.1.7.54]]
[PolicyQualifierInfo: []]
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: < snip >
], PolicyQualifierInfo:]
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: < snip >
]] ]
]
[6]: ObjectId: 2.5.29.37 criticality = false
[ExtendedKeyUsages
serverAuth
AutClient
2.16.840.1.113730.4.1
]
[7]: ObjectId: 2.5.29.15 criticality = true
[KeyUsage
DigitalSignature
Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 criticality = false
[SubjectAlternativeName
DNSName: ws.payconnexion.com
]
]
Algorithm: [SHA1withRSA]
Signature:
< snip >
]
[1] string =]
[
Version: V3
Object: CN = VeriSign Class 3 International Server CA - G3, OU = terms of use at https://www.VeriSign.com/RPA (c) 10, OU = VeriSign Trust Network, O = "VeriSign, Inc.", C = US
Signature algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun public key RSA 2048 bits
module: < snip >
public exponent: 65537
Validity: [from: Sun 07 Feb 18:00:00 CST 2010]
[To: Fri Feb 07 17:59:59 CST 2020]
  Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  SerialNumber: [<snip>]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Unknown Extension: DER encoded OCTET string =
<snip>
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
  ]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3-g5.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: <snip>
], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: <snip>
]]  ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=VeriSignMPKI-2-7
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
]
]
  Algorithm: [SHA1withRSA]
  Signature:
<snip>
]
chain [2] = [
[
  Version: V3
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key:  Sun RSA public key, 2048 bits
  modulus: <snip>
  public exponent: 65537
  Validity: [From: Tue Nov 07 18:00:00 CST 2006,
               To: Sun Nov 07 17:59:59 CST 2021]
  Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  SerialNumber: [<snip>]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
Unknown Extension: DER encoded OCTET string =
<snip>
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.verisign.com
  ]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.verisign.com/pca3.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: <snip>
]]  ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  codeSigning
  2.16.840.1.113730.4.1
  2.16.840.1.113733.1.8.1
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
]
]
  Algorithm: [SHA1withRSA]
  Signature:
<snip>
]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=ws.payconnexion.com, OU=PayConnexion, O=JPMorgan Chase, L=New York, ST=New York, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key:  Sun RSA public key, 2048 bits
  modulus: <snip>
  public exponent: 65537
  Validity: [From: Sun Apr 20 19:00:00 CDT 2014,
               To: Tue Jun 02 18:59:59 CDT 2015]
  Issuer: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  SerialNumber: [<snip>]
Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://se.symcd.com
  ,
   accessMethod: caIssuers
   accessLocation: URIName: http://se.symcb.com/se.crt
  ]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://se.symcb.com/se.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.54]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: <snip>
], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: <snip>
]]  ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113730.4.1
]
[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ws.payconnexion.com
]
]
  Algorithm: [SHA1withRSA]
  Signature:
<snip>
]
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 13
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<Empty>
*** ServerHelloDone
matching alias: 1
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.payments.austintexas.gov, O=City of Austin, L=Austin, ST=Texas, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key:  Sun RSA public key, 2048 bits
  modulus: <snip>
  public exponent: 65537
  Validity: [From: Mon Aug 11 12:39:37 CDT 2014,
               To: Fri Oct 01 18:34:24 CDT 2016]
  Issuer: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
  SerialNumber: [<snip>]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.entrust.net
  ,
   accessMethod: caIssuers
   accessLocation: URIName: http://aia.entrust.net/2048-l1c.cer
  ]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.entrust.net/level1c.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.2.840.113533.7.75.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: <snip>
]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]
[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
[7]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
[8]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.payments.austintexas.gov
  DNSName: payments.austintexas.gov
]
[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
]
]
  Algorithm: [SHA1withRSA]
  Signature:
<snip>
]
chain [1] = [
[
  Version: V3
  Subject: CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key:  Sun RSA public key, 2048 bits
  modulus: <snip>
  public exponent: 65537
  Validity: [From: Fri Nov 11 09:40:40 CST 2011,
               To: Thu Nov 11 20:51:17 CST 2021]
  Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  SerialNumber: [<snip>]
Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.entrust.net
  ]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
<snip>]
]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.entrust.net/2048ca.crl]
]]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: <snip>
]]  ]
]
[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
]
]
  Algorithm: [SHA1withRSA]
  Signature:
<snip>
]
chain [2] = [
[
  Version: V3
  Subject: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key:  Sun RSA public key, 2048 bits
  modulus: <snip>
  public exponent: 65537
  Validity: [From: Fri Dec 24 11:50:51 CST 1999,
               To: Tue Jul 24 09:15:12 CDT 2029]
  Issuer: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  SerialNumber: [<snip>]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
<snip>]
]
]
  Algorithm: [SHA1withRSA]
  Signature:
<snip>
]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 3970
SESSION KEYGEN:
PreMaster Secret:
<snip>
CONNECTION KEYGEN:
Client Nonce:
<snip>
Server Nonce:
<snip>
Master Secret:
<snip>
Client MAC write Secret:
<snip>
Server MAC write Secret:
<snip>
Client write key:
<snip>
Server write key:
<snip>
Client write IV:
<snip>
Server write IV:
<snip>
*** CertificateVerify
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 262
ajp-bio-8014-exec-7, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 51, 254, 40, 56, 247, 218, 130, 183, 112, 239, 95, 4 }
***
ajp-bio-8014-exec-7, WRITE: TLSv1 Handshake, length = 48
ajp-bio-8014-exec-7, READ: TLSv1 Change Cipher Spec, length = 1
ajp-bio-8014-exec-7, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data:  { 89, 182, 137, 178, 177, 31, 27, 115, 151, 90, 169, 49 }
***
%% Cached client session: [Session-5, TLS_RSA_WITH_AES_256_CBC_SHA]
ajp-bio-8014-exec-7, setSoTimeout(60000) called
ajp-bio-8014-exec-7, WRITE: TLSv1 Application Data, length = 1520
ajp-bio-8014-exec-7, READ: TLSv1 Application Data, length = 128
January 23, 2015 13:15:38 INFO [ajp-bio-8014-exec-7] - Completed HTTP request {statusCode=500, time=1302 ms}
ajp-bio-8014-exec-7, READ: TLSv1 Application Data, length = 256
ajp-bio-8014-exec-7, READ: TLSv1 Alert, length = 32
ajp-bio-8014-exec-7, RECV TLSv1 ALERT:  warning, close_notify
ajp-bio-8014-exec-7, called closeInternal(false)
ajp-bio-8014-exec-7, SEND TLSv1 ALERT:  warning, description = close_notify
ajp-bio-8014-exec-7, WRITE: TLSv1 Alert, length = 32
ajp-bio-8014-exec-7, called closeSocket(selfInitiated)
ajp-bio-8014-exec-7, called close()
ajp-bio-8014-exec-7, called closeInternal(true)
OK, apparently the person at Chase who said that we don't send the certificates and perform mutual auth was wrong. The HTTPS calls were connecting and mutual authentication took place. The 500 error was on a SOAP envelope during delivery and NOT on the SSL that I was pointed to. Everything works fine now.
Thank you
Bob
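What Bob did by hand above, reading the javax.net.debug=ssl output to confirm that both sides presented a chain and that the handshake completed, can be scripted. The checker below is an added example, not code from the thread or from Oracle; it parses the "chain [n] = [" blocks of that debug format (Subject, Issuer, Validity, BasicConstraints) and flags the things that make a handshake fail before any SOAP envelope is exchanged: broken issuer-to-subject links, a non-CA certificate in an issuing position, a PathLen too small for the chain, expired certificates, and a chain that does not end at a self-signed root. The log excerpt and the Example names are constructed for the example; the zone abbreviation in Java's date format is ignored, so times are compared as wall-clock values, which is adequate for expiry checks.

```python
"""Sanity-check a certificate chain as printed by javax.net.debug=ssl (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed excerpt in the layout of Java's javax.net.debug=ssl output.
# Names and dates are placeholders, not the certificates from the thread.
SAMPLE_LOG = """\
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=ws.example.test, O=Example Corp, C=US
  Validity: [From: Mon Aug 11 12:39:37 CDT 2014,
               To: Sat Oct 01 18:34:24 CDT 2016]
  Issuer: CN=Example Issuing CA, O=Example Trust, C=US
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]
[2]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ws.example.test
]
]
chain [1] = [
[
  Version: V3
  Subject: CN=Example Issuing CA, O=Example Trust, C=US
  Validity: [From: Fri Nov 11 09:40:40 CST 2011,
               To: Thu Nov 11 20:51:17 CST 2021]
  Issuer: CN=Example Root CA, O=Example Trust, C=US
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]
]
chain [2] = [
[
  Version: V3
  Subject: CN=Example Root CA, O=Example Trust, C=US
  Validity: [From: Fri Dec 24 11:50:51 CST 1999,
               To: Tue Jul 24 09:15:12 CDT 2029]
  Issuer: CN=Example Root CA, O=Example Trust, C=US
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
]
***
"""

# Second constructed input: the intermediate claims an issuer that is not the root sent.
BROKEN_LOG = SAMPLE_LOG.replace("Issuer: CN=Example Root CA", "Issuer: CN=Unrelated CA", 1)

CHAIN_RE = re.compile(r"^chain \[(\d+)\] = \[")
FIELD_RES = {
    "subject": re.compile(r"^\s*Subject: (.+)$"),
    "issuer": re.compile(r"^\s*Issuer: (.+)$"),
    "not_before": re.compile(r"\[From: ([^,\]]+)"),
    "not_after": re.compile(r"To: ([^\]]+)\]"),
    "ca": re.compile(r"^\s*CA:(true|false)"),
    "pathlen": re.compile(r"^\s*PathLen:\s*(\d+|undefined)"),
}


@dataclass
class Cert:
    index: int
    subject: str = ""
    issuer: str = ""
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    ca: Optional[bool] = None
    pathlen: Optional[int] = None  # None means "no constraint" (undefined)


def parse_java_date(text: str) -> datetime:
    """Parse 'Mon Aug 11 12:39:37 CDT 2014'; the zone token (index 4) is dropped
    because strptime only knows a few zone names, so the result is a naive time."""
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def parse_chain(log_text: str) -> List[Cert]:
    """Collect one Cert per 'chain [n] = [' block, stopping at the closing '***'."""
    certs: List[Cert] = []
    cur: Optional[Cert] = None
    for line in log_text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = Cert(index=int(m.group(1)))
            certs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("***"):  # end of the Certificate handshake message
            cur = None
            continue
        for name, rx in FIELD_RES.items():
            m = rx.search(line)
            if not m or getattr(cur, name) not in (None, ""):
                continue  # keep the first occurrence of each field per certificate
            val = m.group(1).strip()
            if name in ("not_before", "not_after"):
                setattr(cur, name, parse_java_date(val))
            elif name == "ca":
                setattr(cur, name, val == "true")
            elif name == "pathlen":
                setattr(cur, name, None if val == "undefined" else int(val))
            else:
                setattr(cur, name, val)
    return sorted(certs, key=lambda c: c.index)


def check_chain(log_text: str, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the presented chain looks sane."""
    certs = parse_chain(log_text)
    if not certs:
        return ["no certificate chain found in log"]
    problems: List[str] = []
    for i, c in enumerate(certs):
        if c.not_before and now < c.not_before:
            problems.append(f"chain[{i}] not yet valid ({c.subject})")
        if c.not_after and now > c.not_after:
            problems.append(f"chain[{i}] expired {c.not_after:%Y-%m-%d} ({c.subject})")
        if i == 0 and c.ca:
            problems.append("chain[0] (the end-entity) is marked CA:true")
        if i > 0 and not c.ca:
            problems.append(f"chain[{i}] is not a CA certificate but issues chain[{i - 1}]")
        # PathLen bounds the number of CA certificates allowed below this one: i - 1 here.
        if i > 0 and c.pathlen is not None and c.pathlen < i - 1:
            problems.append(f"chain[{i}] PathLen:{c.pathlen} too small for {i - 1} CA(s) below it")
        if i + 1 < len(certs) and c.issuer != certs[i + 1].subject:
            problems.append(f"chain[{i}] issuer does not match chain[{i + 1}] subject")
    last = certs[-1]
    if last.issuer != last.subject:
        problems.append(f"chain ends at {last.subject}, which is not self-signed; "
                        "the trust store must hold its issuer")
    return problems


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("broken", BROKEN_LOG)):
        print(label, check_chain(log, datetime(2015, 6, 1)) or "chain looks sane")
```

Run it against a real capture by feeding the whole debug log in place of SAMPLE_LOG; for mutual authentication you expect two "Certificate chain" sections (the server's, and the client's after "matching alias"), a "CertificateVerify", and two "Finished" messages, which is what the log above shows and why the 500 had to come from the application layer.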
-
Create new SSL keys for WebLogic
I want to enable SSL for the OIM servers, which means I must be able to access the sysadmin and identity URLs via https. I enabled SSL in the console of the managed server, but it does not work.
While I was looking at Doc ID 1218695.1 and Doc ID 1230333.1, they lay out the steps. I followed similar steps for my application server, but for the OIM WebLogic servers I need to use the DemoTrust.jks keystore, as I have other certificates imported into it. So can I generate a new key with the following command, using the existing keystore file?
keytool -genkey -alias alias1 -keyalg RSA -keysize 2048 -keystore <I want to use the existing DemoTrust.jks here> -dname "CN=xxx, OU=xx, O=xxx, L=xx, S=xx, C=xx" -storepass xxxx -keypass xxxx
I would send the generated key for approval, then import the root and the approved certificates into DemoTrust.jks. Is there anything else I need to do?
Thank you.
genkey generates a self-signed certificate. If you want to send it to a CA for signing, then you will need to use the certreq option instead. You can use an existing keystore file if you wish.