Is it possible that weblogic uses a custom ssl socket implementation? I'm running into a problem with the JavaMail. Trying to use a smtp ssl connection fails even though I've setup a custom truststore with the mailserver ca. However if I set the javax.net.ssl.trustStore property to use a truststore with the mailserver ca everything works.
This makes me think that weblogic uses their custom sockets or custom config for sockets. While JavaMail relies on the standard mechanisms and will not take into account what's in the weblogic custom truststore.
Any ideas?
(posted as an answer - thanks!)
WebLogic Server doesn't use custom socket implementation that I'm aware of. I've integrated it in the past with a number of client applications or other servers. That being said, SSL is gloriously frustrating to get working right. Can you post the exceptions/errors you're getting in your logs when WebLogic Server tries to make the connection? If you're not seeing anything in the logs, depending on the version of WebLogic Server you're using, there are a number of debug flags you can enable to get more information.
By default WebLogic uses the Certicom SSL implementation. My experience of this library has been nothing but grief. You haven't provided any details of the error but I would enable the Sun implementation to see if that helps. In the "Advanced" tab in the SSL-configuration there is a checkbox called "Use JSSE SSL" which will do it.
Or you can do it with system properties like so:
http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
Related
I am creating a Linked Service to connect to BigQuery with Service Account authentication and p12 file has already been placed in IR VM directory.
Receiving following error:
ERROR [HY000] [Microsoft][DriverSupport] (1160) Cannot enable SSL for the connection when connecting to a server that has not enabled SSL. If the server has SSL enabled, please check if it has been configured to use a SSL protocol version that is lower than what is allowed for the connection. The minimum SSL protocol version allowed for the connection is: TLS 1.2.
But when i place p12 file in another IR VM, linked service is working correctly.
Tried to check TLS version in both VM's and everything looks same.
Please suggest ways to check SSL and TLS version in VM's and how to resolve this issue.
Based on the error message it seems the issue might be w.r.t SSL certificate so 1st step would be to compare the SSL/TLS across both the servers
In case if they are same, would suggest to monitor the traffic across both the server when trying to access GCP Big Query.
You might get the exact cause of failure which can be like :
Firewall blockage
some missing set up like Big query need Google_base set up as a signature
etc.
You could create a PowerShell script that checks the TLS & SSL registry entries mentioned in the following documentation:
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
Even if after enabling TLS/SSL settings the same issue arises then please try re-installing IR in the VM
I'm trying to configure Artemis to allow connections using the CERT provided by the java client using the DN as the username. I have read almost all the documents and things I could find asking 'the google', but alas, I find myself at a frustrating stand-still.
I have the acceptor configured:
<acceptor name="netty=ssl-acceptor">tcp://0.0.0.0:5500?sslEnabled=true;keyStorePath=xxxx;keyStorePassword=xxxx</acceptor>
And on client side I am passing the CERT (or at least I think I am). Here's the URL I'm using:
tcp://mynode:5500?sslEnabled=true;useDefaultSslContext=true
I have also used this URL:
tcp://mynode:5500?sslEnabled=true;keyStorePath=xxxx;keyStorePassword=xxxx
Without posting code (different network), can anyone provide any well-known issues or hints that might be causing the server to say:
Unable to validate user from /x.xxx.xxx.xxx:xxxx. Username: null; SSL certificate subject DN: unavailable
The message you're seeing indicates that you're not passing any credentials when you connect (either username/password or SSL certificate). The reason you're not passing any credentials is because your acceptor configuration is incorrect since you're not telling clients to actually provide a certificate. You need to set needClientAuth=true, e.g.:
<acceptor name="netty=ssl-acceptor">tcp://0.0.0.0:5500?sslEnabled=true;needClientAuth=true;keyStorePath=xxxx;keyStorePassword=xxxx</acceptor>
On the client, you should only use useDefaultSslContext=true if you're explicitly configuring the default SSL context (which is rare). You most likely should be using your second options where you configure keyStorePath and keyStorePassword.
Also, keep in mind that you'll need to either use certificates signed by a trusted authority or you'll need to create and configure trust stores on your client and broker and add the proper certificates to them.
You need to set the Artemis user Preferences. Click profile account and select Preferences. If it empty, please fill out the default user first.
You need to add an extra acceptor configuration to disable the SSL. Open up etc/broker.xml and add following configuration.
<acceptor name="netty-ssl-acceptor">tcp://0.0.0.0:61617?sslEnabled=false</acceptor>
Now it should work
I am using Ansible on a Linux computer connecting to a windows 8.1 embedded computer. It's able to connect with username and password over the HTTPS port 5986, but I need to specify the option:
ansible_winrm_server_cert_validation=ignore
The ansible documentation specifies:
The following is necessary for Python 2.7.9+ (or any older Python that
has backported SSLContext, eg, Python 2.7.5 on RHEL7) when using
default WinRM self-signed certificates:
The windows computer has an SSL listener that was configured with Self-SignedCertificates from the powershell script:
https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
My question is that if I'm ignoring server cert validation, does that compromise the encryption that HTTPS is supposed to provide? or is server cert validation just a separate process of HTTPS?
Thanks
Yes, if you ignore certificate validation as recommended in the default Ansible config for WinRM, your connection is not secure - someone can spoof the target server using a man in the middle (MITM) attack on the HTTPS connection. (There should really be a security warning in the Ansible docs.)
The best alternative seems to be NTLM/Negotiate authentication, instead of HTTPS, removing the need for an SSL certificate. Your Ansible control machine will need to be able to authenticate over NTLM as a Windows user, just like using an SMB file share.
You will need pywinrm 0.2.0 or higher for NTLM/Negotiate support.
Useful links
Why NTLM/Negotiate for WinRM - background on why it's good to avoid the complex setup to install SSL certificates by using NTLM (Ruby based but still useful)
Example Ansible setup for NTLM
More complete Ansible setup including NTLM
Certificate validation is a separate process than encryption. The communication will be encrypted. You can read more on the issues with self-signed certificates but the high level is you remove any way for Ansible to validate who exactly is on the other side of the connection an open your self to a man in the middle attack that HTTPS usually protects you from.
I've been using Fiddler in C#.
So far I'm able to intercept requests. However, I need to set a proxy. I did so, the proxy is set.
In Proxy Settings Windows' form, I have for HTTP and Secure: 127.0.0.1 for Proxy address to use and for the Port, 8888.
This is the same that is done when I use Fiddler application directly.
However, when I set it through my C# code, instead of using Fiddler, I can't navigate. My pages give me the message:
Your connection is not secure
What more do I need to do? What Fiddler do that I'm missing to correctly set a proxy?
Usually if it cant make a secure connection, you need to trust Fiddler's root certificate on your development PC. If you are using Firefox you will have to do an additional step to trust the certificate inside FF.
My company uses PAC file to restrict any outgoing traffic through proxy server. The problem is, a lot of software does not provide the option to 'use IE setting', so that they cannot be connected to the internet.
I checked this PAC file up and found the right proxy server. But after I tried to use the proxy setting for these IE-unfriendly software, they still cannot get online. I used chrome to capture some packages and found the http header containing some Negotiation data. So I assume this proxy server uses some auto login mechanism like NTLM or kerberos.
But after I downloaded the famous Proxifier and tried to reroute the net traffic for some software, NTLM method did not work. I get the 502 error. Bummer...
Any hero comes to help! Am I thinking in the wrong way? Merci beacoup!
This is not a programming question but, did you try
cntlm (http://cntlm.sourceforge.net/) or
ntlmaps (http://ntlmaps.sourceforge.net/)?
Hope this helps