I'm developing a webapp with a webservice for a WL 12.1.2 server. The information it sends/receives does not contain any secret information, so my advisers told me to disable SSL hostname verification.
After some research, I found that turning the option off in the Admin Console doesn't help.
Then I found that I have to write '-Dweblogic.security.SSL.ignoreHostnameVerification=true' in server start. After this, when I restart the server it still doesn't work, but when I log in to the Admin Console, it passes validation. But after a while it resets, and goes back to not skipping validation, thus failing the program.
Do you have any idea how to keep this option turned off, how to make it stable, or any other way to make it work?
I tried adding the certificate information to the Demo Trusts, Certs, but the weblogic hostname verifier somehow doesn't understand that 123.asd.com should be accepted by a *.asd.com cert. If there is a way, I'd like to skip the whole thing instead of overwriting the ssl verifier.
Thanks in advance!
Botond
After a while I have found the solution to the problem I was encountering.
The problem was that I thought that changing stuff in the admin console would be saved and loaded every time I started the server, but the truth is, it is not.
I had to add the following line to the startWebLogic.cmd script: "set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.ignoreHostnameVerification=true" and this worked. Now the server starts as it should, and it always skips the verification as I wanted. There are no anomalies!
This screenshot speaks all:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
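The wildcard rule the question expects, where 123.asd.com is accepted by a *.asd.com certificate, written out as an added example (not code from the original posts and not WebLogic's own verifier). The class and method names are illustrative; the wildcard is allowed only as the entire leftmost label.

```java
import java.util.Locale;

public class WildcardHostMatch {
    /** True when host matches pattern; "*" may only stand for the whole leftmost label. */
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);                 // no wildcard: exact match only
        }
        String suffix = p.substring(1);         // "*.asd.com" -> ".asd.com"
        // Reject a second wildcard and patterns as broad as "*.com".
        if (suffix.contains("*") || suffix.indexOf('.', 1) < 0) {
            return false;
        }
        if (!h.endsWith(suffix)) {
            return false;
        }
        String left = h.substring(0, h.length() - suffix.length());
        // The wildcard covers exactly one non-empty label, never "a.b".
        return !left.isEmpty() && left.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        // Constructed cases: { host, certificate name }.
        String[][] cases = {
            {"123.asd.com", "*.asd.com"},    // true: the case from the question
            {"a.123.asd.com", "*.asd.com"},  // false: two labels under the wildcard
            {"asd.com", "*.asd.com"},        // false: the bare domain is not covered
            {"123.asd.com", "*.com"},        // false: wildcard directly under a TLD
            {"123.ASD.com", "123.asd.com"},  // true: comparison is case-insensitive
        };
        for (String[] c : cases) {
            System.out.printf("%-15s vs %-12s -> %b%n", c[0], c[1], matches(c[0], c[1]));
        }
    }
}
```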
Apologies in advance - I'm pretty new to Kerberos/GSSAPI, so I've probably got something really simple stuffed up.
I'm trying to run what is essentially the sample client code from the GSSAPI tutorials.
I have two VMs set up. One is named KDC-TESTING. It's a Domain Controller with Active Directory installed and a user named "testuser". It's running on the KDC.COM domain.
The second is running an IIS server named IIS-WEB that runs on the KDC.COM domain.
I also have my computer (windows 7). It's on a different domain, but it's currently using the domain controller's IP as its DNS. I'm trying to run the Basic GSSAPI client from eclipse on here.
When you go to iis-web.kdc.com (from either the domain controller vm or my computer), you're prompted for a username/password combo. You can log in using testuser (with its password, obviously).
When I run the client program, I get the following error:
org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: SubjectCredFinder: no JAAS Subject
It's thrown from this line:
GSSContext context = manager.createContext(clientName, krb5Mechanism, null, GSSContext.DEFAULT_LIFETIME);
Since it says the credentials are invalid, I added in the following (and tried creating the context with creds rather than null):
GSSCredential creds = manager.createCredential(clientName, GSSContext.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);
That changed literally nothing (except for the stack trace).
Looking at this question and a bunch of docs/blogs, I think the problem is somewhat related to configuration, but I'm not sure what configuration needs to be done exactly.
I've got a krb5.conf file set up, and I'm running it with the command line arguments shown here.
I haven't done any Kerberos setup on my computer, but I've an SPN to testuser and maybe set up a keytab on the VMs (but I'm almost certain that that's not the cause).
EDIT/UPDATE:
I ran it from a new VM that was both on the KDC.COM domain and used KDC-TESTING.KDC.COM as its DNS and it seemed to work as expected (there was another error, this time with authenticating - progress! I think I know what's wrong with this one though).
I ran it as a JAR (as opposed to from inside eclipse) and, as expected, I was prompted in the command window for a username and password. Could this have been an issue (as in, is eclipse not able to take input, so it just crashes or something)?
I also hadn't been seeing any of the security debugging logs in eclipse (I'd been using -Djava.security.debug=all), but on the VM it was all there (there was a lot of it).
Pretty much says it all, but when I try to log in to the Glassfish console I get an "Error Authentication Failed Re-enter your username and password"
However when I use asadmin I am able to login, deploy, etc. it all works.
If there is a particular place I can alter the log level or a place I can look.
FYI part of the reason I think this happened is that I have changed the master password.
Any tips?
Not exactly sure why it works, but I think it may be due to some cached values. I already had secure admin enabled when I started the process of adding SSL certificates, and based on information in this post: Right way to configure Glassfish SSL certificate nickname? I was able to find a solution.
With the server running Disable Secure Admin.
Restart Server
Enable Secure Admin
Restart Server.
Sorry in advance if this question has been posted before. I have looked around but couldn't find an answer.
I am creating a server in Java that has a SSL socket to accept clients. I have been looking around on how to create the socket and have started to add the code to my application. After looking around to find out how to allow a self-signed certificate for testing I found that I create a keystore and add the certificate to that. To use the certificate I would need to add "System.setProperty("javax.net.ssl.keyStore", "keystorename.jks")". The only problem is I have to specify the password in the code as well if I go off other developers' examples.
I would like to know if I have to specify the password and, if I do need to, what are the security implications?
Thanks in advance,
Yes you do, and the security implication is that the password is (1) fixed by the code and (2) probably visible in the object code. The solution to (2) is ultimately physical security of the software and the host it runs on.
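The password has to be supplied, but it does not have to be a literal in the source. An added example (not from the original posts) that takes it from an environment variable or the console at startup; the variable name KEYSTORE_PASSWORD, port 8443 and the class name are assumptions, and keystorename.jks is the file name from the question.

```java
import java.io.Console;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class TlsServerKeystore {
    /** Password comes from the environment (assumed name) or an interactive prompt. */
    static char[] readPassword() {
        String env = System.getenv("KEYSTORE_PASSWORD");
        if (env != null) return env.toCharArray();
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("KEYSTORE_PASSWORD not set and no console attached");
        }
        return console.readPassword("Keystore password: ");
    }

    static SSLContext buildContext(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);              // fails here if the password is wrong
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);                 // assumes key password equals store password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = readPassword();
        try {
            SSLContext ctx = buildContext("keystorename.jks", password);
            try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
                System.out.println("TLS listener ready on port " + server.getLocalPort());
            }
        } finally {
            Arrays.fill(password, '\0');        // do not keep the password in memory longer than needed
        }
    }
}
```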
As a premise, I am not very experienced yet, but I have tried to read and search everything I possibly could, related to this topic, and still no luck.
I was given a simple client to call a webservice but once it was fully setup (which included the use of a certificate and a couple more properties to set) I got the error mentioned in the title:
javax.xml.ws.WebServiceException: {http://http://cert.controller.portaapplicativa.ictechnology.it//}MyService is not a valid service. Valid services are:
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:159)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:82)
at javax.xml.ws.Service.<init>(Service.java:56)
at package.client.wsimport.MyService..<init>(MyService.java:46)
at package.client.Client.doRicercaDEN(Client.java:55)
at package.client.Client.main(Client.java:36)
I tried generating the client again with JAX-WS:
java -classpath C:\Programmi\Java\jdk1.6.0_38\lib\tools.jar com.sun.tools.internal.ws.WsImport -verbose C:\WsdlFile.wsdl -p package.client.wsimport -s C:\tmp\ws\
And I get the same issue. I am using a local copy of the wsdl because wsimport doesn't seem to like the certificate I'm trying to set in the properties (I'm most likely doing something wrong, but I opted for the simple workaround, given I have more pressing issues).
Trying to use SoapUI to test the service, everything works fine, though I need to set the preferences for the proxy to "None".
So I tried to make sure the connection doesn't use any proxy in my client as well:
(...)
systemSettings.remove("http.proxyHost");
systemSettings.remove("http.proxyPort");
systemSettings.remove("https.proxyHost");
systemSettings.remove("https.proxyPort");
System.setProperty("http.nonProxyHosts","*");
System.setProperty("https.nonProxyHosts","*");
(BTW, before "*", which as I understand it should work as a wildcard for "every domain", I have tried specifying the specific domains as well)
Anyway, the result is always the same.
Is there something I am doing wrong, something left to try?
I doubt this is a proxy issue. If you can share the code you are using to create the Service object it might help.
As a kick start try reading the below thread Is not a valid service exception in JAX-WS
What I think is that the QName you have provided when creating the Service is not proper. To get the correct QName you might try to open the generated stub.
As it turns out, what I was missing was importing the certificate in my local truststore (or better, when I first tried doing so, I thought I was using the correct truststore, but I wasn't).
For anyone who may need it, here is an explanation of how to do that using keytool: http://javarevisited.blogspot.it/2012/03/add-list-certficates-java-keystore.html
Another option is to use a specific GUI like Portecle.
I'm trying to get OAuth through SoundCloud set up, but I'm having tremendous trouble. My newest issue is this:
I have the user login through a popup window which is connected to SoundCloud. It gives me back a code once the user logs in. This is all working; however, the next step is failing for me. Once I have the code, I run this snippet of Java code:
URI redir = new URI("http://localhost:9000/auth/soundcloudcapturetoken");
ApiWrapper api = new ApiWrapper(SC_CLIENT_ID, SC_CLIENT_SECRET, redir, null, Env.SANDBOX);
Token authToken = api.authorizationCode(code);
Java fails on the api.authorizationCode(code) line with this error:
SSLPeerUnverifiedException occured : peer not authenticated
I snooped around online, and stumbled upon this post: http://davidjb.com/blog/2012/02/java-http-request-fails-with-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated
It suggested that I add the two mentioned certs to my java cacerts file(s). I added the two certificates to both my jdk and jre, but my app still fails with the same error. Is there something I am missing here?
As a side note, I am currently using this api to access SoundCloud: https://github.com/soundcloud/java-api-wrapper
SoundCloud dev here.
Are you trying to use the sandbox (i.e. connecting to https://api.sandbox-soundcloud.com) ? If so, I was trying to reproduce your issue and just realised that our certificate for that host expired, we are deploying a new certificate as we speak, really sorry about that.
Also, you can find help from SoundCloud engineers in our mailing list: http://bit.ly/yqcubH