Search Results

Search found 150 results on 6 pages for 'x509'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 4/6 | < Previous Page | 1 2 3 4 5 6  | Next Page >

  • WCF, Rampart, ADFS2 and SAML Interop issue

    - by user317647
    Hi, I'm working on establishing interoperability between .NET WCF 3.5 and Axis2/Rampart using ADFS2 as the STS and using SAML authentication. Initially I used Axis 1.4.1/Rampart 1.4 but in an attempt to rule out issues relating to WS-* standards compatbility have also created a duplicate environment running Axis 1.5.1/Rampart 1.5. Both envionment use Eclipse 3.5.1 (Galileo)/Tomcat 5.5 for the Java service side. My objective is: WCF-ADFS2-SAML token-Axis2/Rampart Using Kerberos authentication to obtain a SAML token from ADFS2 and propagating this to Rampart. Much progress has been made so far, but the error I'm now getting on Rampart is as follows (on both versions 1.4 & 1.5): [ERROR] General security error (SAML token security failure) org.apache.axis2.AxisFault: General security error (SAML token security failure) Caused by: org.apache.ws.security.WSSecurityException: General security error (SAML token security failure) at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:169) at org.apache.ws.security.saml.SAMLUtil.getSAMLKeyInfo(SAMLUtil.java:73) at org.apache.ws.security.processor.DerivedKeyTokenProcessor.extractSecret(DerivedKeyTokenProcessor.java:170) at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:74) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326) at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243) at org.apache.rampart.RampartEngine.process(RampartEngine.java:144) After building source versions for Rampart (just 1.4 so far) I've traced this problem to the following source code: SAMUtil.java Element e = samlSubj.getKeyInfo(); X509Certificate[] certs = null; try { KeyInfo ki = new KeyInfo(e, null); if (ki.containsX509Data()) { X509Data data = ki.itemX509Data(0); XMLX509Certificate certElem = null; if (data != null && data.containsCertificate()) { certElem = data.itemCertificate(0); } if (certElem != null) { X509Certificate cert = certElem.getX509Certificate(); certs = new X509Certificate[1]; certs[0] = cert; return new SAMLKeyInfo(assertion, certs); } } The line ki.containsX509Data() above return false and fails. The value from the Element e is as follows: CN=Root Agency -147027885241304943914470421251724308948 JMYzUkmrT13JoYj2pGN5o/vxpGq8bKFXI1m18iEFu+5rF0wA4MYURGIEWE9/zg1apgjElQHus5qb4ZRCzg7IHyENCGq7um2w1SXxPzstoMsZ7oZ83Uq08lDdNV51QGzCCOdCi+YizKT7AJ1B6gaplxMnFEJ8TlnzFBCavMxSCho= The attempt to obtain the X509 data above is failing even when it appears in the message? (IssuerSerial). All references I've seen so far indicate that the style of X509 reference is supported by Rampart and WSS4J (default?!). This key reference is the certificate that ADFS2 has used to encrypt the message. Any help at all would be greatly appreciated! Thanks Jason

    Read the article

  • How to get BinarySecurityToken into the wcf soap request

    - by Mr Bell
    I need to sign my soap request to a 3rd party. The provided an example what the call should look like. And I am trying, rather unsuccessfully to make this call with wcf. I need to make a wcf soap call where the header contains BinarySecurityToken, Signature, and SecurityTokenReference. Here is the example they sent me (with some of the values omitted) I have a certificate for signing, but I cant for the life of me figure out how to make this work <?xml version="1.0" encoding="UTF-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="SecurityToken-..omitted.." xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">..omitted..</wsse:BinarySecurityToken> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#Body"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>..omitted...</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> ..omitted.. </ds:SignatureValue> <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#SecurityToken-..omitted.." ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header><soapenv:Body wsu:Id="Body"><in0 xmlns="http://test.3rdParty.com">123</in0></soapenv:Body></soapenv:Envelope>

    Read the article

  • Authorizing a computer to access a web application

    - by HackedByChinese
    I have a web application, and am tasked with adding secure sign-on to bolster security, akin to what Google has added to Google accounts. Use Case Essentially, when a user logs in, we want to detect if the user has previously authorized this computer. If the computer has not been authorized, the user is sent a one-time password (via email, SMS, or phone call) that they must enter, where the user may choose to remember this computer. In the web application, we will track authorized devices, allowing users to see when/where they logged in from that device last, and deauthorize any devices if they so choose. We require a solution that is very light touch (meaning, requiring no client-side software installation), and works with Safari, Chrome, Firefox, and IE 7+ (unfortunately). We will offer x509 security, which provides adequate security, but we still need a solution for customers that can't or won't use x509. My intention is to store authorization information using cookies (or, potentially, using local storage, degrading to flash cookies, and then normal cookies). At First Blush Track two separate values (local data or cookies): a hash representing a secure sign-on token, as well as a device token. Both values are driven (and recorded) by the web application, and dictated to the client. The SSO token is dependent on the device as well as a sequence number. This effectively allows devices to be deauthorized (all SSO tokens become invalid) and mitigates replay (not effectively, though, which is why I'm asking this question) through the use of a sequence number, and uses a nonce. Problem With this solution, it's possible for someone to just copy the SSO and device tokens and use in another request. While the sequence number will help me detect such an abuse and thus deauthorize the device, the detection and response can only happen after the valid device and malicious request both attempt access, which is ample time for damage to be done. I feel like using HMAC would be better. Track the device, the sequence, create a nonce, timestamp, and hash with a private key, then send the hash plus those values as plain text. Server does the same (in addition to validating the device and sequence) and compares. That seems much easier, and much more reliable.... assuming we can securely negotiate, exchange, and store private keys. Question So then, how can I securely negotiate a private key for authorized device, and then securely store that key? Is it more possible, at least, if I settle for storing the private key using local storage or flash cookies and just say it's "good enough"? Or, is there something I can do to my original draft to mitigate the vulnerability I describe?

    Read the article

  • Linux/OpenSSL:Send find output to openssl

    - by Starsky
    I am trying to send the output from the find command to OpenSSL in order to find out when certificates expire. This finds the files find . -name \*.pem -type f This generates the cert info I want openssl x509 -in certname.pem -noout -enddate Can I merge these two? Thanks for your help.

    Read the article

  • PR_USER_X509_CERTIFICATE extra data

    - by Mark
    Hi, I am trying to import an outlook PST file to my application running on Mac OS X. The PST file consists of contacts created in Outlook. The contacts have X509 certificates added to them. The problem I am facing is ASN decoding of the certificate fails. I have read somewhere that there is extra data before and after the certificate referred by PR_USER_X509_CERTIFICATE in the PST file. Can someone please tell me how to parse this information correctly. Thanks a lot Regards, Mark

    Read the article

  • Is there a Javascript equivalent of .NET HttpWebRequest.ClientCertificates?

    - by Coder 42
    I have this code working in C#: var request = (HttpWebRequest)WebRequest.Create("https://x.com/service"); request.Method = "GET"; // Add X509 certificate var bytes = Convert.FromBase64String(certBase64); var certificate = new X509Certificate2(bytes, password); request.ClientCertificates.Add(certificate, "password")); Is there any way to reproduce this request in Javascript? Third-party libraries would be fine for my purposes.

    Read the article

  • iPhone doesn't save password for Cisco IPsec VPN using racoon daemon

    - by dsx
    On my Debian server I had set up racoon daemon (1:0.8.0-14) for Cisco IPSec VPN using certificates for authentication. My racoon.conf is like following: log info; path certificate "/etc/racoon/certs"; listen { isakmp $SERVER_IP_HERE [500]; isakmp_natt $SERVER_IP_HERE [4500]; } timer { natt_keepalive 10 sec; } remote anonymous { lifetime time 24 hours; proposal_check obey; passive on; exchange_mode aggressive,main; my_identifier asn1dn; peers_identifier asn1dn; verify_identifier on; certificate_type x509 "cert_name.crt" "key_name.key"; ca_type x509 "ca.crt"; mode_cfg on; verify_cert on; ike_frag on; generate_policy on; nat_traversal on; dpd_delay 20; proposal { encryption_algorithm aes; hash_algorithm sha1; authentication_method xauth_rsa_server; dh_group modp1024; } } mode_cfg { conf_source local; auth_source system; auth_throttle 3; save_passwd on; dns4 8.8.8.8; network4 $SOME_LAN_SUBNET; netmask4 255.255.255.0; pool_size 128; } sainfo anonymous { pfs_group 2; lifetime time 24 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; } I'm not using PSK authentication here. Using iPhone configuration utility I had uploaded all required certificates to iPhone and set up VPN on demand. Everything works just fine except one thing: iPhone refuses to save VPN password regardless of save_passwd on; in racoon configuration file. As opposed to iPhone behaviour, Mac OS X 10.8.2 have no problems saving password. I had examined iPhone log file and found following: racoon[151] <Notice>: >>>>> phase change status = phase 1 established configd[50] <Notice>: IPSec Network Configuration started. configd[50] <Notice>: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = $SUBNET_IP_HERE. configd[50] <Notice>: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0. configd[50] <Notice>: IPSec Network Configuration: SAVE-PASSWORD = 0. configd[50] <Notice>: IPSec Network Configuration: INTERNAL-IP4-DNS = 8.8.8.8. configd[50] <Notice>: IPSec Network Configuration: BANNER = . configd[50] <Notice>: IPSec Network Configuration: DEF-DOMAIN = . configd[50] <Notice>: IPSec Network Configuration: DEFAULT-ROUTE = local-address $SUBNET_IP_HERE/32. configd[50] <Notice>: IPSec Phase2 starting. configd[50] <Notice>: IPSec Network Configuration established. configd[50] <Notice>: IPSec Phase1 established. Please note IPSec Network Configuration message containing SAVE-PASSWORD = 0.. Is it a bug in racoon daemon on server, or iPhone (iOS version is 6.0.1 (10A523)) or it is me missing something? How to make iPhone remember IPSec VPN password?

    Read the article

  • old ssl certficate didn't go away on apache2

    - by user1212143
    I have replaced the old ssl certficate with new one and restart apache several time but the old certificate still show on web browser and when I run a command openssl s_client -connect 127.0.0.1:443 -showcerts also I have delete all old certficate files. so not sure where apache still read these certficate. and not read the new one. here is my ssl.conf Listen 0.0.0.0:443 SSLEngine on SSLOptions +StrictRequire <Directory /> SSLRequireSSL </Directory> SSLProtocol -all +TLSv1 +SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM SSLMutex file:/usr/apache2/logs/ssl_mutex SSLRandomSeed startup file:/dev/urandom 1024 SSLRandomSeed connect file:/dev/urandom 1024 SSLSessionCache shm:/usr/apache2/logs/ssl_cache_shm SSLSessionCacheTimeout 600 SSLPassPhraseDialog builtin SSLCertificateFile /usr/apache2/conf/ssl.crt/server.crt SSLCertificateKeyFile /usr/apache2/conf/ssl.key/server.key SSLVerifyClient none SSLProxyEngine off <IfModule mime.c> AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl </IfModule>

    Read the article

  • Filezilla/Puttygen doesn't recognize private key file

    - by devzoner
    I have generated a key for an Ubuntu Virtual Machine running on Azure Cloud Services http://www.windowsazure.com/en-us/manage/linux/how-to-guides/ssh-into-linux/ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout myPrivateKey.key -out myCert.pem When loading the private key into Filezilla, it asks me to convert the format, however, when converting the key it fails, the same happens with puttygen from linux console, using this: puttygen myPrivateKey.key -o myKey.ppk In both cases I have the following error: puttygen: error loading `myPrivateKey.key': unrecognised key type By the way, this key doesn't have a passphrase. I found an old thread about it, but I'm using 0.6.3 version which is newer than what this thread recommends: http://fixunix.com/ssh/541874-puttygen-unable-import-openssh-key.html I've managed to solve this issue by using another gui client Fugu for Mac, but one of my co-worker uses windows and I still have to figure this out. Since Filezilla is the de-facto ftp client, I thought it would be easier to solve it there. Thanks

    Read the article

  • Options for EC2 ec2-create-snapshot and family

    - by shabda
    I am trying to use the various tools provided by ec2-ami-tools Eg, ec2-create-snapshot -h .... -K, --private-key KEY Specify KEY as the private key to use. Defaults to the value of the EC2_PRIVATE_KEY environment variable (if set). Overrides the default. -C, --cert CERT Specify CERT as the X509 certificate to use. Defaults to the value of the EC2_CERT environment variable (if set). Overrides the default. -K and -C are two required values, and I cant understand what values are these expecting? If I create a Keypair from Elasticfox, I get only one file to download and a fingerprint. So which of this need to get where?

    Read the article

  • What do I need for SSL?

    - by Ency
    Hi guys, just a quick question, I'm kind of confused. I've had set-up my own certification authority and I can create requests and signed them. But, I'm not sure, what I need to give to Apache, currently I've got: CA Private key CA Certificate Website Private key Website Certificate Website Certificate Request (I think I do not need it, but just to be clear) Until today I was using snakeoil certificate, but I've decided to have more SSL services, than CA looks as good solution, so my Apache was configured well, but now I am not sure what I shall provide to apache in following rules: SSLCertificateKeyFile /path/to/Website Private Key SSLCertificateFile /path/to/CA Certificate But than I got [Mon Dec 27 12:09:33 2010] [warn] RSA server certificate CommonName (CN) `EServer' does NOT match server name!? [Mon Dec 27 12:09:33 2010] [error] Unable to configure RSA server private key [Mon Dec 27 12:09:33 2010] [error] SSL Library Error: 185073780 error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch Something tells me than the warning is quite weird, because "EServer" is a common name of CA, so I think I shall not use CA Certificate in SSLCertificateFile, shall I? Do I need to create Certificate from Website private key or something else?

    Read the article

  • How to generate a private/public key pair to use for a Linux server on Windows Azure?

    - by MainMa
    Following Windows Azure documentation, I generated a pair of private/public keys on an Ubuntu machine using the exact comment as given: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout myPrivateKey.key -out myCert.pem When I open the private key in puttygen, the following error is displayed: Couldn't load private key (unrecognised key type) The private key generated by openssl looks correct: -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG6w0xAQEFAASCBKcwggSjAgEsAoIBAQC6OEZ5ULe6F6u2 Cybhqqfqqh2ao9sd2tpqB+HGIoMMHrmnD3YegRgZJIddTQaWKdwaKrYul21YNt5y ... P0RyfL9kDnX/XmIOM38FOoucGvO+Zozsbmgmvw6AUhE0sPhkZnlaodAU1OnfaWJz KpBxkXulBaCJnC8w29dGKng= -----END PRIVATE KEY----- Note that the comments to Azure documentation (the same link as above) report that the pair should be generated using OpenSSL for Windows instead of openssl on Linux. This doesn't help, since the same error appears for a private key generated by OpenSSL for Windows. What am I doing wrong?

    Read the article

  • Creating a chain of certificates

    - by StackedCrooked
    This question is a follow up to my previous question, which was, in retrospect, not completely answered: http://superuser.com/questions/126121/how-to-create-my-own-certificate-chain. I'll represent my certificate chain like this: ROOT - A - B - C - ... I am now able to create the ROOT and A certificates, but I didn't succeed in continueing the chain. My command for creating the root certificate is: openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem Certificate A: openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.cer This command depends on the root certificate implicitly using the data found in the openssl config file. Certificate B will only rely on A, so the previous command won't work here. How can I complete the chain?

    Read the article

  • OpenSSL without prompt

    - by JP19
    Hi, I am using following code to generate keys: apt-get -qq -y install openssl; mkdir -p /etc/apache2/ssl; openssl genrsa -des3 -out server.key 1024; openssl req -new -key server.key -out server.csr; cp server.key server.key.org; openssl rsa -in server.key.org -out server.key; openssl x509 -req -days 12000 -in server.csr -signkey server.key -out server.crt; mv server.crt /etc/apache2/ssl/cert.pem; mv server.key /etc/apache2/ssl/cert.key; rm -f server.key.orig; rm -f server.csr How can I skip the passphrase prompting? thanks JP

    Read the article

  • Dovecot and StartSSL problems with issuer

    - by knoim
    I am using dovecot (1) and trying to get my StartSSL certificate running. ssl_key_file points to my private key I tried pointing ssl_cert_file to my public key, with and without using the class1 certificate from http://www.startssl.com/certs/sub.class1.server.ca.pem as ssl_ca_file aswell as combing them with cat publickey sub.class1.server.ca.pem chained My mail client keeps telling me the certificate has no issuer, but doing openssl x509 on my public certificate tells me it is C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA My option for the CSR were: openssl req -new -newkey rsa:4096 -nodes Dovecot's log doesn't mention any problems. EDIT: Doesn't seem to be a problem with dovecot. I am having the same problem with postfix. openssl verify gives me the same error.

    Read the article

  • How to generate new CSRs for TLS use in sendmail?

    - by Mikey B
    SendMail 8.13.8 | CentOS 5.x Hi Guys, I'm using ca-signed TLS certificates on my sendmail server and they are up for renewal soon. Our new CA doesn't like our old CSR so I need to generate a new CSR. Can someone point me to the procedure for doing this (without affecting the production certs that are already in use)? I'm paranoid of overwriting the old TLS certs in the process of generating a CSR. Most of the instructions I've found are for implementing self-signed TLS certs -- which isn't an option for me at this time. I'm thinking it would something like: openssl req -new -nodes -out new-tls.csr -keyout new-tls-private.key But I wasn't sure if I was missing some options there such as the -x509 option... -M

    Read the article

  • "Countersigning" a CA with openssl

    - by Tom O'Connor
    I'm pretty used to creating the PKI used for x509 authentication for whatever reason, SSL Client Verification being the main reason for doing it. I've just started to dabble with OpenVPN (Which I suppose is doing the same things as Apache would do with the Certificate Authority (CA) certificate) We've got a whole bunch of subdomains, and applicances which currently all present their own self-signed certificates. We're tired of having to accept exceptions in Chrome, and we think it must look pretty rough for our clients having our address bar come up red. For that, I'm comfortable to buy a SSL Wildcard CN=*.mycompany.com. That's no problem. What I don't seem to be able to find out is: Can we have our Internal CA root signed as a child of our wildcard certificate, so that installing that cert into guest devices/browsers/whatever doesn't present anything about an untrusted root? Also, on a bit of a side point, why does the addition of a wildcard double the cost of certificate purchase?

    Read the article

  • Apache2 unable to start: private key not found

    - by user3161330
    today I edited some vhosts in my Apache installation and when I tried to restart it I got this error: [Sun Jun 08 15:20:19 2014] [error] Init: Private key not found [Sun Jun 08 15:20:19 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Sun Jun 08 15:20:19 2014] [error] SSL Library Error: 218640442 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error [Sun Jun 08 15:20:19 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Sun Jun 08 15:20:19 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error [Sun Jun 08 15:20:19 2014] [error] SSL Library Error: 67710980 error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib [Sun Jun 08 15:20:19 2014] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Sun Jun 08 15:20:19 2014] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error I have tried to generate new self signed certificates issuing this command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.cert.key -out server.cert.crt but the error still exists. The private key chmod is 600, and if I open it with nano looks, fine. I'm running Apache2 on a debian 7 machine.

    Read the article

  • Oracle Access Manager 11g - useful links

    - by Dmitry Nefedkin
    The main idea of this post is to collect in a single place the links to the most useful resources for everybody who are interested in Oracle Access Manager 11g.   If you have something valuable to add to this list - just let me know. Official documentation (Oracle Fusion Middleware 11.1.1.5): Administrator's Guide for Oracle Access Manager with Oracle Security Token Service - main guide for the  OAM 11g  administrator/consultant; Integration Guide for Oracle Access Manager - if you're in charge for setting up OAM integration with OIM, OAAM or OIF - that's a guide for you. Also has a chapter on WNA integration; Developer's Guide for Oracle Access Manager and Oracle Security Token Service - learn how to use Java Access JDK and develop custom authentication plugins; Oracle Fusion Middleware High Availability Guide, paragraph 8.8 Oracle Access Manager High Availability - set up HA for your OAM installation; Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management - learn the best practices of the real-world enterprise deployments.   Useful Oracle Support documents (go to support.oracle.com to retrieve the contents of the documents): OAM Bundle Patch Release History [ID 736372.1] Install and Configure Advisor: Oracle Fusion Middleware (FMW) Identity Access Management (OAM, OIM) 11g [ID 340.1] Procedure to Upgrade OAM 11.1.1.3.0 to OAM 11.1.1.5.0 [ID 1318524.1] OAM 11g: How to Enable Oracle Access Manager 11g Server Trace / Debug Logging [ID 1298296.1] OAM 11g: How To Create and Configure Policies For Application Resources Without Using OAM Console UI [ID 1393918.1] How To Configure X509 Authentication On Oracle Access Manager (OAM) 11g [ID 1368211.1] OAM 11g WNA Step by Step Setup Guide [ID 1416860.1]   Blogs: Oracle Access Manager Academy from the Fusion Security Blog OAM Product management blog Oracle IDM blog Books:  Oracle Identity and Access Manager 11g for Administrators

    Read the article

  • How to decrypt an encrypted Apple iTunes iPhone backup?

    - by afit
    I've been asked by a number of unfortunate iPhone users to help them restore data from their iTunes backups. This is easy when they are unencrypted, but not when they are encrypted, whether or not the password is known. As such, I'm trying to figure out the encryption scheme used on mddata and mdinfo files when encrypted. I have no problems reading these files otherwise, and have built some robust C# libraries for doing so. (If you're able to help, I don't care which language you use. It's the principle I'm after here!) The Apple "iPhone OS Enterprise Deployment Guide" states that "Device backups can be stored in encrypted format by selecting the Encrypt iPhone Backup option in the device summary pane of iTunes. Files are encrypted using AES128 with a 256-bit key. The key is stored securely in the iPhone keychain." That's a pretty good clue, and there's some good info here on Stackoverflow on iPhone AES/Rijndael interoperability suggesting a keysize of 128 and CBC mode may be used. Aside from any other obfuscation, a key and initialisation vector (IV)/salt are required. One might assume that the key is a manipulation of the "backup password" that users are prompted to enter by iTunes and passed to "AppleMobileBackup.exe", padded in a fashion dictated by CBC. However, given the reference to the iPhone keychain, I wonder whether the "backup password" might not be used as a password on an X509 certificate or symmetric private key, and that the certificate or private key itself might be used as the key. (AES and the iTunes encrypt/decrypt process is symmetric.) The IV is another matter, and it could be a few things. Perhaps it's one of the keys hard-coded into iTunes, or into the devices themselves. Although Apple's comment above suggests the key is present on the device's keychain, I think this isn't that important. One can restore an encrypted backup to a different device, which suggests all information relevant to the decryption is present in the backup and iTunes configuration, and that anything solely on the device is irrelevant and replacable in this context. So where might be the key be? I've listed paths below from a Windows machine but it's much of a muchness whichever OS we use. The "\appdata\Roaming\Apple Computer\iTunes\itunesprefs.xml" contains a PList with a "Keychain" dict entry in it. The "\programdata\apple\Lockdown\09037027da8f4bdefdea97d706703ca034c88bab.plist" contains a PList with "DeviceCertificate", "HostCertificate", and "RootCertificate", all of which appear to be valid X509 certs. The same file also appears to contain asymmetric keys "RootPrivateKey" and "HostPrivateKey" (my reading suggests these might be PKCS #7-enveloped). Also, within each backup there are "AuthSignature" and "AuthData" values in the Manifest.plist file, although these appear to be rotated as each file gets incrementally backed up, suggested they're not that useful as a key, unless something really quite involved is being done. There's a lot of misleading stuff out there suggesting getting data from encrypted backups is easy. It's not, and to my knowledge it hasn't been done. Bypassing or disabling the backup encryption is another matter entirely, and is not what I'm looking to do. This isn't about hacking apart the iPhone or anything like that. All I'm after here is a means to extract data (photos, contacts, etc.) from encrypted iTunes backups as I can unencrypted ones. I've tried all sorts of permutations with the information I've put down above but got nowhere. I'd appreciate any thoughts or techniques I might have missed.

    Read the article

  • Configuring WCF to Handle a Signature on a SOAP Message from an Oracle Server

    - by AlEl
    I'm trying to use WCF to consume a web service provided by a third-party's Oracle Application Server. I pass a username and password and as part of the response the web service returns a standard security tag in the header which includes a digest and signature. With my current setup, I successfully send a request to the server and the web service sends the expected response data back. However, when parsing the response WCF throws a MessageSecurityException, with an InnerException.Message of "Supporting token signatures not expected." My guess is that WCF wants me to configure it to handle the signature and verify it. I have a certificate from the third party that hosts the web service that I should be able to use to verify the signature. It's in the form of -----BEGIN CERTIFICATE----- [certificate garble] -----END CERTIFICATE----- Here's a sample header from a response that makes WCF throw the exception: <?xml version="1.0" encoding="UTF-8"?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Header> <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <dsig:SignedInfo> <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <dsig:Reference URI="#_51IUwNWRVvPOcz12pZHLNQ22"> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <dsig:DigestValue> [DigestValue here] </dsig:DigestValue> </dsig:Reference> <dsig:Reference URI="#_dI5j0EqxrVsj0e62J6vd6w22"> <dsig:Transforms> <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </dsig:Transforms> <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <dsig:DigestValue> [DigestValue here] </dsig:DigestValue> </dsig:Reference> </dsig:SignedInfo> <dsig:SignatureValue> [Signature Value Here] </dsig:SignatureValue> <dsig:KeyInfo> <wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <wsse:Reference URI="#BST-9nKWbrE4LRv6maqstrGuUQ22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </dsig:KeyInfo> </dsig:Signature> <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="BST-9nKWbrE4LRv6maqstrGuUQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> [Security Token Here] </wsse:BinarySecurityToken> <wsu:Timestamp wsu:Id="_dI5j0EqxrVsj0e62J6vd6w22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsu:Created>2010-05-26T18:46:30Z</wsu:Created> </wsu:Timestamp> </wsse:Security> </soap:Header> <soap:Body wsu:Id="_51IUwNWRVvPOcz12pZHLNQ22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> [Body content here] </soap:Body> </soap:Envelope> My binding configuration looks like: <basicHttpBinding> <binding name="myBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <security mode="TransportWithMessageCredential"> <transport clientCredentialType="None" proxyCredentialType="None" realm="" /> <message clientCredentialType="UserName" algorithmSuite="Default" /> </security> </binding> </basicHttpBinding> I'm new at WCF, so I'm sorry if this is a bit of a dumb question. I've been trying to Google solutions, but there seem to be so many different ways to configure WCF that I'm getting overwhelmed. Thanks in advance!

    Read the article

  • Error adding certificate to cacerts. Unknown key spec

    - by Alvaro Villanueva
    I am using jdk 1.6 in Windows. I have a .der file (DER Encoded X509 Certificate) that will like to add to my cacerts file... so I tried the following: keytool -import -keystore "C:\Program Files\Java\jdk1.6.0_27\jre\lib\security\cacerts" -trustcacerts -alias openldap -file "C:\cacert.der" I got the following error: java.security.cert.CertificateParsingException: java.io.IOException: subject key, java.security.spec.InvalidKeySpecException: Unknown key spec At first, I thoght it was a problemen with the der certificate, but then doing the following I got exactly the same error: keytool -list -keystore "C:\Program Files\Java\jdk1.6.0_27\jre\lib\security\cacerts" Any ideas why is this problem appearing? I have not found anything in the Web. Thanks in advance.

    Read the article

  • Difference between Claims vs OAuth

    - by Venki
    What is the difference between Claims based authentication vs What is provided by OAuth. I am looking for conceptual difference and not technical difference. When do I choose Claims over OAuth and vice versa. Claims based authentication is proposed by Microsoft and build on top of WS-Security. But OAuth is more a open source protocol that is being proposed to allow fetching resources from different portals based on a security token. Claims also has this concept of token (SAML encoded or X509 certificates). I am trying to understand when do I choose Claims over OAuth and vice versa. Thanks

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 1 2 3 4 5 6  | Next Page >