Search Results

Search found 2668 results on 107 pages for 'trusted certificate'.

Page 41/107 | < Previous Page | 37 38 39 40 41 42 43 44 45 46 47 48  | Next Page >

  • OAM11gR2: Enabling SSL in the Data Store

    - by Ekta Malik
    Normal 0 false false false EN-US X-NONE X-NONE /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} Enabling SSL in the Data Store of OAM11gR2 comprises of the below mentioned steps. Import the certificate/s required for establishing the trust with the Store(backend) in the keystore(cacerts) on the machine hosting OAM's Weblogic Admin server Restart the Weblogic Admin server Specify the <Hostname>:<SSL port> in the "Location" field of the Data Store and select the "Enable SSL" checkbox Pre-requisite:- Certificate/s to be imported are available for import Data Store has already been created using OAM admin console and the connection to the store is successful on non-SSL port( though one can always create a Data Store with SSL settings on the first go) Steps for importing the certificate/s:- One can use the keytool utility that comes bundled with JDK to import the certificate. The step for importing the certificate would be same for self-signed and third party certificates (like VeriSign) $JAVA_HOME/bin/keytool -import -v -noprompt -trustcacerts -alias <aliasname> -file <Path to the certificate file> -keystore $JAVA_HOME/jre/lib/security/cacerts Here $JAVA_HOME refers to the path of JDK install directory Note: In case multiple certificates are required for establishing the trust, import all those certificates using the same keytool command mentioned above  One can verify the import of the certificate/s by using the below mentioned command $JAVA_HOME/bin/keytool -list -alias <aliasname>-v -keystore $JAVA_HOME/jre/lib/security/cacerts When the trust gets established for the SSL communication, specifying the SSL specific settings in the Data Store (via OAM admin console) wouldn't result into the previously seen error (when Certificates are yet to be imported) and the "Test Connection" would be successful.

    Read the article

  • 501 Error during Libjingle PCP on Amazone EC2 running Openfire

    - by AeroBuffalo
    I am trying to implement Google's Libjingle (version: 0.6.14) PCP example and I am getting a 501: feature not implemented error during execution. Specifically, the error occurs after each "account" has connected, been authenticated and began communicating with the other. An abbreviated log of the interaction is provided at the end. I have set up my own jabber server (using OpenFire on an Amazon EC2 server), have opened all of the necessary ports and have added each "account" to the other's roster. The server has been set to allow for file transfers. My being new to working with servers, I am not sure why this error is occur and how to go about fixing it. Thanks in advance, AeroBuffalo P.S. Let me know if there is any additional information needed (i.e. the full program log for either/both ends). Receiving End: [018:217] SEND >>>>>>>>>>>>>>>>>>>>>>>>> : Thu Jul 5 14:17:15 2012 [018:217] <iq to="[email protected]/pcp" type="set" id="5"> [018:217] <jingle xmlns="urn:xmpp:jingle:1" action="session-initiate" sid="402024303" initiator="[email protected]/pcp"> [018:217] <content name="securetunnel" creator="initiator"> [018:217] <description xmlns="http://www.google.com/talk/securetunnel"> [018:217] <type>send:winein.jpeg</type> [018:217] <client-cert>--BEGIN CERTIFICATE--END CERTIFICATE--</client-cert> [018:217] </description> [018:217] <transport xmlns="http://www.google.com/transport/p2p"/> [018:217] </content> [018:217] </jingle> [018:217] <session xmlns="http://www.google.com/session" type="initiate" id="402024303" initiator="[email protected]/pcp"> [018:217] <description xmlns="http://www.google.com/talk/securetunnel"> [018:217] <type>send:winein.jpeg</type> [018:217] <client-cert>--BEGIN CERTIFICATE--END CERTIFICATE--</client-cert> [018:217] </description></session> [018:217] </iq> [018:217] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [018:217] <presence to="[email protected]/pcp" from="forgesend" type="error"> [018:217] <error code="404" type="cancel"> [018:217] <remote-server-not-found xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/> [018:217] </error></presence> [018:218] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [018:218] <presence to="[email protected]/pcp" from="forgesend" type="error"> [018:218] <error code="404" type="cancel"> [018:218] <remote-server-not-found xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/> [018:218] </error></presence> [018:264] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [018:264] <iq type="result" id="3" to="[email protected]/pcp"> [018:264] <query xmlns="google:jingleinfo"> [018:264] <stun> [018:264] <server host="stun.xten.net" udp="3478"/> [018:264] <server host="jivesoftware.com" udp="3478"/> [018:264] <server host="igniterealtime.org" udp="3478"/> [018:264] <server host="stun.fwdnet.net" udp="3478"/> [018:264] </stun> [018:264] <publicip ip="65.101.207.121"/> [018:264] </query></iq> [018:420] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [018:420] <iq to="[email protected]/pcp" type="set" id="5" from="[email protected]/pcp"> [018:420] <jingle xmlns="urn:xmpp:jingle:1" action="session-initiate" sid="3548650675" initiator="[email protected]/pcp"> [018:420] <content name="securetunnel" creator="initiator"> [018:420] <description xmlns="http://www.google.com/talk/securetunnel"> [018:420] <type>recv:wineout.jpeg</type> [018:420] <client-cert>--BEGIN CERTIFICATE--END CERTIFICATE--</client-cert> [018:420] </description> [018:420] <transport xmlns="http://www.google.com/transport/p2p"/> [018:420] </content></jingle> [018:420] <session xmlns="http://www.google.com/session" type="initiate" id="3548650675" initiator="[email protected]/pcp"> [018:420] <description xmlns="http://www.google.com/talk/securetunnel"> [018:420] <type>recv:wineout.jpeg</type> [018:420] <client-cert>--BEGIN CERTIFICATE--END CERTIFICATE--</client-cert> [018:420] </description></session></iq> [018:421] TunnelSessionClientBase::OnSessionCreate: received=1 [018:421] Session:3548650675 Old state:STATE_INIT New state:STATE_RECEIVEDINITIATE Type:http://www.google.com/talk/securetunnel Transport:http://www.google.com/transport/p2p [018:421] TunnelSession::OnSessionState(Session::STATE_RECEIVEDINITIATE) [018:421] SEND >>>>>>>>>>>>>>>>>>>>>>>>> : Thu Jul 5 14:17:15 2012 [018:421] <iq to="[email protected]/pcp" id="5" type="result"/> [018:465] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [018:465] <iq to="[email protected]/pcp" id="5" type="result" from="[email protected]/pcp"/> [198:665] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:20:15 2012 [198:665] <iq type="get" id="162-10" from="forgejabber.com" to="[email protected]/pcp"> [198:665] <ping xmlns="urn:xmpp:ping"/> [198:665] /iq> [198:665] SEND >>>>>>>>>>>>>>>>>>>>>>>>> : Thu Jul 5 14:20:15 2012 [198:665] <iq type="error" id="162-10" to="forgejabber.com"> [198:665] <ping xmlns="urn:xmpp:ping"/> [198:665] <error code="501" type="cancel"> [198:665] <feature-not-implemented xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/> [198:665] </error> [198:665] </iq> Sender: [019:043] SEND >>>>>>>>>>>>>>>>>>>>>>>>> : Thu Jul 5 14:17:15 2012 [019:043] <iq type="get" id="3"> [019:043] <query xmlns="google:jingleinfo"/> [019:043] </iq> [019:043] SEND >>>>>>>>>>>>>>>>>>>>>>>>> : Thu Jul 5 14:17:15 2012 [019:043] <iq to="[email protected]/pcp" type="set" id="5"> [019:043] <jingle xmlns="urn:xmpp:jingle:1" action="session-initiate" sid="3548650675" initiator="[email protected]/pcp"> [019:043] <content name="securetunnel" creator="initiator"> [019:043] <description xmlns="http://www.google.com/talk/securetunnel"> [019:043] <type>recv:wineout.jpeg</type> [019:043] <client-cert>--BEGIN CERTIFICATE----END CERTIFICATE--</client-cert> [019:043] </description> [019:043] <transport xmlns="http://www.google.com/transport/p2p"/> [019:043] </content> [019:043] </jingle> [019:043] <session xmlns="http://www.google.com/session" type="initiate" id="3548650675" initiator="[email protected]/pcp"> [019:043] <description xmlns="http://www.google.com/talk/securetunnel"> [019:043] <type>recv:wineout.jpeg</type> [019:043] <client-cert>--BEGIN CERTIFICATE--END CERTIFICATE--</client-cert> [019:043] </description></session></iq> [019:043] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [019:043] <presence to="[email protected]/pcp" from="forgereceive" type="error"> [019:043] <error code="404" type="cancel"> [019:043] <remote-server-not-found xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/> [019:043] </error></presence> [019:044] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [019:044] <presence to="[email protected]/pcp" from="forgereceive" type="error"> [019:044] <error code="404" type="cancel"> [019:044] <remote-server-not-found xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/> [019:044] </error></presence> [019:044] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [019:044] <iq to="[email protected]/pcp" type="set" id="5" from="[email protected]/pcp"> [019:044] <jingle xmlns="urn:xmpp:jingle:1" action="session-initiate" sid="402024303" initiator="[email protected]/pcp"> [019:044] <content name="securetunnel" creator="initiator"> [019:044] <description xmlns="http://www.google.com/talk/securetunnel"> [019:044] <type>send:winein.jpeg</type> [019:044] <client-cert>--BEGIN CERTIFICATE--END CERTIFICATE--</client-cert> [019:044] </description> [019:044] <transport xmlns="http://www.google.com/transport/p2p"/> [019:044] </content></jingle> [019:044] <session xmlns="http://www.google.com/session" type="initiate" id="402024303" initiator="[email protected]/pcp"> [019:044] <description xmlns="http://www.google.com/talk/securetunnel"> [019:044] <type>send:winein.jpeg</type> [019:044] <client-cert>--BEGIN CERTIFICATE--END CERTIFICATE--</client-cert> [019:044] </description></session></iq> [019:044] TunnelSessionClientBase::OnSessionCreate: received=1 [019:044] Session:402024303 Old state:STATE_INIT New state:STATE_RECEIVEDINITIATE Type:http://www.google.com/talk/securetunnel Transport:http://www.google.com/transport/p2p [019:044] TunnelSession::OnSessionState(Session::STATE_RECEIVEDINITIATE) [019:044] SEND >>>>>>>>>>>>>>>>>>>>>>>>> : Thu Jul 5 14:17:15 2012 [019:044] <iq to="[email protected]/pcp" id="5" type="result"/> [019:088] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [019:088] <iq type="result" id="3" to="[email protected]/pcp"> [019:088] <query xmlns="google:jingleinfo"> [019:088] <stun> [019:088] <server host="stun.xten.net" udp="3478"/> [019:088] <server host="jivesoftware.com" udp="3478"/> [019:088] <server host="igniterealtime.org" udp="3478"/> [019:088] <server host="stun.fwdnet.net" udp="3478"/> [019:088] </stun> [019:088] <publicip ip="65.101.207.121"/> [019:088] </query> [019:088] </iq> [019:183] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:17:15 2012 [019:183] <iq to="[email protected]/pcp" id="5" type="result" from="[email protected]/pcp"/> [199:381] RECV <<<<<<<<<<<<<<<<<<<<<<<<< : Thu Jul 5 14:20:15 2012 [199:381] <iq type="get" id="474-11" from="forgejabber.com" to="[email protected]/pcp"> [199:381] <ping xmlns="urn:xmpp:ping"/> [199:381] </iq> [199:381] SEND >>>>>>>>>>>>>>>>>>>>>>>>> : Thu Jul 5 14:20:15 2012 [199:381] <iq type="error" id="474-11" to="forgejabber.com"> [199:381] <ping xmlns="urn:xmpp:ping"/> [199:381] <error code="501" type="cancel"> [199:381] <feature-not-implemented xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/> [199:382] </error></iq>

    Read the article

  • Puppet's automatically generated certificates failing

    - by gparent
    I am running a default configuration of Puppet on Debian Squeeze 6.0.4. The server's FQDN is master.example.com. The client's FQDN is client.example.com. I am able to contact the puppet master and send a CSR. I sign it using puppetca -sa but the client will still not connect. Date of both machines is within 2 seconds of Tue Apr 3 20:59:00 UTC 2012 as I wrote this sentence. This is what appears in /var/log/syslog: Apr 3 17:03:52 localhost puppet-agent[18653]: Reopening log files Apr 3 17:03:52 localhost puppet-agent[18653]: Starting Puppet client version 2.6.2 Apr 3 17:03:53 localhost puppet-agent[18653]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Apr 3 17:03:53 localhost puppet-agent[18653]: Using cached catalog Apr 3 17:03:53 localhost puppet-agent[18653]: Could not retrieve catalog; skipping run Here is some interesting output: OpenSSL client test: client:~# openssl s_client -host master.example.com -port 8140 -cert /var/lib/puppet/ssl/certs/client.example.com.pem -key /var/lib/puppet/ssl/private_keys/client.example.com.pem -CAfile /var/lib/puppet/ssl/certs/ca.pem CONNECTED(00000003) depth=1 /CN=Puppet CA: master.example.com verify return:1 depth=0 /CN=master.example.com verify error:num=7:certificate signature failure verify return:1 depth=0 /CN=master.example.com verify return:1 18509:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:1102:SSL alert number 51 18509:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: client:~# master's certificate: root@master:/etc/puppet# openssl x509 -text -noout -in /etc/puppet/ssl/certs/master.example.com.pem Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=Puppet CA: master.example.com Validity Not Before: Apr 2 20:01:28 2012 GMT Not After : Apr 2 20:01:28 2017 GMT Subject: CN=master.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:a9:c1:f9:4c:cd:0f:68:84:7b:f4:93:16:20:44: 7a:2b:05:8e:57:31:05:8e:9c:c8:08:68:73:71:39: c1:86:6a:59:93:6e:53:aa:43:11:83:5b:2d:8c:7d: 54:05:65:c1:e1:0e:94:4a:f0:86:58:c3:3d:4f:f3: 7d:bd:8e:29:58:a6:36:f4:3e:b2:61:ec:53:b5:38: 8e:84:ac:5f:a3:e3:8c:39:bd:cf:4f:3c:ff:a9:65: 09:66:3c:ba:10:14:69:d5:07:57:06:28:02:37:be: 03:82:fb:90:8b:7d:b3:a5:33:7b:9b:3a:42:51:12: b3:ac:dd:d5:58:69:a9:8a:ed Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE Netscape Comment: Puppet Ruby/OpenSSL Internal Certificate X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Key Identifier: 8C:2F:14:84:B6:A1:B5:0C:11:52:36:AB:E5:3F:F2:B9:B3:25:F3:1C X509v3 Extended Key Usage: critical TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption 7b:2c:4f:c2:76:38:ab:03:7f:c6:54:d9:78:1d:ab:6c:45:ab: 47:02:c7:fd:45:4e:ab:b5:b6:d9:a7:df:44:72:55:0c:a5:d0: 86:58:14:ae:5f:6f:ea:87:4d:78:e4:39:4d:20:7e:3d:6d:e9: e2:5e:d7:c9:3c:27:43:a4:29:44:85:a1:63:df:2f:55:a9:6a: 72:46:d8:fb:c7:cc:ca:43:e7:e1:2c:fe:55:2a:0d:17:76:d4: e5:49:8b:85:9f:fa:0e:f6:cc:e8:28:3e:8b:47:b0:e1:02:f0: 3d:73:3e:99:65:3b:91:32:c5:ce:e4:86:21:b2:e0:b4:15:b5: 22:63 root@master:/etc/puppet# CA's certificate: root@master:/etc/puppet# openssl x509 -text -noout -in /etc/puppet/ssl/certs/ca.pem Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=Puppet CA: master.example.com Validity Not Before: Apr 2 20:01:05 2012 GMT Not After : Apr 2 20:01:05 2017 GMT Subject: CN=Puppet CA: master.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b5:2c:3e:26:a3:ae:43:b8:ed:1e:ef:4d:a1:1e: 82:77:78:c2:98:3f:e2:e0:05:57:f0:8d:80:09:36: 62:be:6c:1a:21:43:59:1d:e9:b9:4d:e0:9c:fa:09: aa:12:a1:82:58:fc:47:31:ed:ad:ad:73:01:26:97: ef:d2:d6:41:6b:85:3b:af:70:00:b9:63:e9:1b:c3: ce:57:6d:95:0e:a6:d2:64:bd:1f:2c:1f:5c:26:8e: 02:fd:d3:28:9e:e9:8f:bc:46:bb:dd:25:db:39:57: 81:ed:e5:c8:1f:3d:ca:39:cf:e7:f3:63:75:f6:15: 1f:d4:71:56:ed:84:50:fb:5d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE Netscape Comment: Puppet Ruby/OpenSSL Internal Certificate X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 8C:2F:14:84:B6:A1:B5:0C:11:52:36:AB:E5:3F:F2:B9:B3:25:F3:1C Signature Algorithm: sha1WithRSAEncryption 1d:cd:c6:65:32:42:a5:01:62:46:87:10:da:74:7e:8b:c8:c9: 86:32:9e:c2:2e:c1:fd:00:79:f0:ef:d8:73:dd:7e:1b:1a:3f: cc:64:da:a3:38:ad:49:4e:c8:4d:e3:09:ba:bc:66:f2:6f:63: 9a:48:19:2d:27:5b:1d:2a:69:bf:4f:f4:e0:67:5e:66:84:30: e5:85:f4:49:6e:d0:92:ae:66:77:50:cf:45:c0:29:b2:64:87: 12:09:d3:10:4d:91:b6:f3:63:c4:26:b3:fa:94:2b:96:18:1f: 9b:a9:53:74:de:9c:73:a4:3a:8d:bf:fa:9c:c0:42:9d:78:49: 4d:70 root@master:/etc/puppet# Client's certificate: client:~# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/client.example.com.pem Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=Puppet CA: master.example.com Validity Not Before: Apr 2 20:01:36 2012 GMT Not After : Apr 2 20:01:36 2017 GMT Subject: CN=client.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ae:88:6d:9b:e3:b1:fc:47:07:d6:bf:ea:53:d1: 14:14:9b:35:e6:70:43:e0:58:35:76:ac:c5:9d:86: 02:fd:77:28:fc:93:34:65:9d:dd:0b:ea:21:14:4d: 8a:95:2e:28:c9:a5:8d:a2:2c:0e:1c:a0:4c:fa:03: e5:aa:d3:97:98:05:59:3c:82:a9:7c:0e:e9:df:fd: 48:81:dc:33:dc:88:e9:09:e4:19:d6:e4:7b:92:33: 31:73:e4:f2:9c:42:75:b2:e1:9f:d9:49:8c:a7:eb: fa:7d:cb:62:22:90:1c:37:3a:40:95:a7:a0:3b:ad: 8e:12:7c:6e:ad:04:94:ed:47 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE Netscape Comment: Puppet Ruby/OpenSSL Internal Certificate X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Subject Key Identifier: 8C:2F:14:84:B6:A1:B5:0C:11:52:36:AB:E5:3F:F2:B9:B3:25:F3:1C X509v3 Extended Key Usage: critical TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption 33:1f:ec:3c:91:5a:eb:c6:03:5f:a1:58:60:c3:41:ed:1f:fe: cb:b2:40:11:63:4d:ba:18:8a:8b:62:ba:ab:61:f5:a0:6c:0e: 8a:20:56:7b:10:a1:f9:1d:51:49:af:70:3a:05:f9:27:4a:25: d4:e6:88:26:f7:26:e0:20:30:2a:20:1d:c4:d3:26:f1:99:cf: 47:2e:73:90:bd:9c:88:bf:67:9e:dd:7c:0e:3a:86:6b:0b:8d: 39:0f:db:66:c0:b6:20:c3:34:84:0e:d8:3b:fc:1c:a8:6c:6c: b1:19:76:65:e6:22:3c:bf:ff:1c:74:bb:62:a0:46:02:95:fa: 83:41 client:~#

    Read the article

  • .NET Security Part 2

    - by Simon Cooper
    So, how do you create partial-trust appdomains? Where do you come across them? There are two main situations in which your assembly runs as partially-trusted using the Microsoft .NET stack: Creating a CLR assembly in SQL Server with anything other than the UNSAFE permission set. The permissions available in each permission set are given here. Loading an assembly in ASP.NET in any trust level other than Full. Information on ASP.NET trust levels can be found here. You can configure the specific permissions available to assemblies using ASP.NET policy files. Alternatively, you can create your own partially-trusted appdomain in code and directly control the permissions and the full-trust API available to the assemblies you load into the appdomain. This is the scenario I’ll be concentrating on in this post. Creating a partially-trusted appdomain There is a single overload of AppDomain.CreateDomain that allows you to specify the permissions granted to assemblies in that appdomain – this one. This is the only call that allows you to specify a PermissionSet for the domain. All the other calls simply use the permissions of the calling code. If the permissions are restricted, then the resulting appdomain is referred to as a sandboxed domain. There are three things you need to create a sandboxed domain: The specific permissions granted to all assemblies in the domain. The application base (aka working directory) of the domain. The list of assemblies that have full-trust if they are loaded into the sandboxed domain. The third item is what allows us to have a fully-trusted API that is callable by partially-trusted code. I’ll be looking at the details of this in a later post. Granting permissions to the appdomain Firstly, the permissions granted to the appdomain. This is encapsulated in a PermissionSet object, initialized either with no permissions or full-trust permissions. For sandboxed appdomains, the PermissionSet is initialized with no permissions, then you add permissions you want assemblies loaded into that appdomain to have by default: PermissionSet restrictedPerms = new PermissionSet(PermissionState.None); // all assemblies need Execution permission to run at all restrictedPerms.AddPermission( new SecurityPermission(SecurityPermissionFlag.Execution)); // grant general read access to C:\config.xml restrictedPerms.AddPermission( new FileIOPermission(FileIOPermissionAccess.Read, @"C:\config.xml")); // grant permission to perform DNS lookups restrictedPerms.AddPermission( new DnsPermission(PermissionState.Unrestricted)); It’s important to point out that the permissions granted to an appdomain, and so to all assemblies loaded into that appdomain, are usable without needing to go through any SafeCritical code (see my last post if you’re unsure what SafeCritical code is). That is, partially-trusted code loaded into an appdomain with the above permissions (and so running under the Transparent security level) is able to create and manipulate a FileStream object to read from C:\config.xml directly. It is only for operations requiring permissions that are not granted to the appdomain that partially-trusted code is required to call a SafeCritical method that then asserts the missing permissions and performs the operation safely on behalf of the partially-trusted code. The application base of the domain This is simply set as a property on an AppDomainSetup object, and is used as the default directory assemblies are loaded from: AppDomainSetup appDomainSetup = new AppDomainSetup { ApplicationBase = @"C:\temp\sandbox", }; If you’ve read the documentation around sandboxed appdomains, you’ll notice that it mentions a security hole if this parameter is set correctly. I’ll be looking at this, and other pitfalls, that will break the sandbox when using sandboxed appdomains, in a later post. Full-trust assemblies in the appdomain Finally, we need the strong names of the assemblies that, when loaded into the appdomain, will be run as full-trust, irregardless of the permissions specified on the appdomain. These assemblies will contain methods and classes decorated with SafeCritical and Critical attributes. I’ll be covering the details of creating full-trust APIs for partial-trust appdomains in a later post. This is how you get the strongnames of an assembly to be executed as full-trust in the sandbox: // get the Assembly object for the assembly Assembly assemblyWithApi = ... // get the StrongName from the assembly's collection of evidence StrongName apiStrongName = assemblyWithApi.Evidence.GetHostEvidence<StrongName>(); Creating the sandboxed appdomain So, putting these three together, you create the appdomain like so: AppDomain sandbox = AppDomain.CreateDomain( "Sandbox", null, appDomainSetup, restrictedPerms, apiStrongName); You can then load and execute assemblies in this appdomain like any other. For example, to load an assembly into the appdomain and get an instance of the Sandboxed.Entrypoint class, implementing IEntrypoint, you do this: IEntrypoint o = (IEntrypoint)sandbox.CreateInstanceFromAndUnwrap( "C:\temp\sandbox\SandboxedAssembly.dll", "Sandboxed.Entrypoint"); // call method the Execute method on this object within the sandbox o.Execute(); The second parameter to CreateDomain is for security evidence used in the appdomain. This was a feature of the .NET 2 security model, and has been (mostly) obsoleted in the .NET 4 model. Unless the evidence is needed elsewhere (eg. isolated storage), you can pass in null for this parameter. Conclusion That’s the basics of sandboxed appdomains. The most important object is the PermissionSet that defines the permissions available to assemblies running in the appdomain; it is this object that defines the appdomain as full or partial-trust. The appdomain also needs a default directory used for assembly lookups as the ApplicationBase parameter, and you can specify an optional list of the strongnames of assemblies that will be given full-trust permissions if they are loaded into the sandboxed appdomain. Next time, I’ll be looking closer at full-trust assemblies running in a sandboxed appdomain, and what you need to do to make an API available to partial-trust code.

    Read the article

  • How to use cURL to FTPS upload to SecureTransport (hint: SITE AUTH and client certificates)

    - by Seamus Abshere
    I'm trying to connect to SecureTransport 4.5.1 via FTPS using curl compiled with gnutls. You need to use --ftp-alternative-to-user "SITE AUTH" per http://curl.haxx.se/mail/lib-2006-07/0068.html Do you see anything wrong with my client certificates? I try with # mycert.crt -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- # mykey.pem -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- And it says "530 No client certificate presented": myuser@myserver ~ $ curl -v --ftp-ssl --cert mycert.crt --key mykey.pem --ftp-alternative-to-user "SITE AUTH" -T helloworld.txt ftp://ftp.example.com:9876/upload/ * About to connect() to ftp.example.com port 9876 (#0) * Trying 1.2.3.4... connected * Connected to ftp.example.com (1.2.3.4) port 9876 (#0) < 220 msn1 FTP server (SecureTransport 4.5.1) ready. > AUTH SSL < 334 SSLv23/TLSv1 * found 142 certificates in /etc/ssl/certs/ca-certificates.crt > USER anonymous < 331 Password required for anonymous. > PASS [email protected] < 530 Login incorrect. > SITE AUTH < 530 No client certificate presented. * Access denied: 530 * Closing connection #0 curl: (67) Access denied: 530 I also tried with a pk8 version... # openssl pkcs8 -in mykey.pem -topk8 -nocrypt > mykey.pk8 -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- ...but got exactly the same result. What's the trick to sending a client certificate to SecureTransport?

    Read the article

  • Is there a tool that can test what SSL/TLS cipher suites a particular website offers?

    - by Jeremy Powell
    Is there a tool that can test what SSL/TLS cipher suites a particular website offers? I've tried openssl, but if you examine the output: $ echo -n | openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L 05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0 ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5 u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6 z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw== -----END CERTIFICATE----- subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA --- No client certificate CA names sent --- SSL handshake has read 1777 bytes and written 316 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 748E2B5FEFF9EA065DA2F04A06FBF456502F3E64DF1B4FF054F54817C473270C Session-ID-ctx: Master-Key: C4284AE7D76421F782A822B3780FA9677A726A25E1258160CA30D346D65C5F4049DA3D10A41F3FA4816DD9606197FAE5 Key-Arg : None Start Time: 1266259321 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- it just shows that the cipher suite is something with AES256-SHA. I know I could grep through the hex dump of the conversation, but I was hoping for something a little more elegant. I would prefer Linux tools, but Windows (or other) would be fine. This question is motivated by the security testing I do for PCI and general penetration testing. Update: GregS points out below that the SSL server picks from the cipher suites of the client. So it seems I would need to test all cipher suites one at a time. I think I can hack something together, but is there a tool that does particularly this?

    Read the article

  • puppetca never returns anything

    - by mrisher
    Hi: I'm trying to configure Puppet on Ubuntu, and strangely I am never able to generate a certificate because my server never shows any pending certificate requests. Put differently, on the server I am running puppetmasterd and on the client I am able to connect to the server, but the client continues printing notice: Did not receive certificate warning: peer certificate won't be verified in this SSL session and yet the server never sees the request mrisher@lab2$ puppetca --list [nothing shows up] mrisher@lab2$ puppetca --sign clientname.domain.com clientname.domain.com err: Could not call sign: Could not find certificate request for clientname.domain.com Edit: There was a suggestion that autosign was happening, but that does not seem to be it. There is no autosign.conf file, and when I run puppetmasterd --no-daemonize -d -v I receive the following output: info: Could not find certificate for 'clientname.domain.com' every time the client says notice: Did not receive certificate I checked the certs on the server and there don't seem to be any: mrisher@lab2:~$ puppetca --list --all mrisher@lab2:~$ sudo puppetca --list --all + lab2.domain.com // this is the server (master) mrisher@lab2:~$ sudo puppetca --list [blank line] mrisher@lab2:~$ Note: This is mostly running the default install from Ubuntu, if that gives any leads. Thanks for any help out there.

    Read the article

  • Is there a tool that can test what SSL/TLS cipher suites a particular website offers?

    - by Jeremy Powell
    Is there a tool that can test what SSL/TLS cipher suites a particular website offers? I've tried openssl, but if you examine the output: $ echo -n | openssl s_client -connect www.google.com:443 CONNECTED(00000003) depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0wOTEyMTgwMDAwMDBaFw0x MTEyMTgyMzU5NTlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRcw FQYDVQQDFA53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEA6PmGD5D6htffvXImttdEAoN4c9kCKO+IRTn7EOh8rqk41XXGOOsKFQebg+jN gtXj9xVoRaELGYW84u+E593y17iYwqG7tcFR39SDAqc9BkJb4SLD3muFXxzW2k6L 05vuuWciKh0R73mkszeK9P4Y/bz5RiNQl/Os/CRGK1w7t0UCAwEAAaOB5zCB5DAM BgNVHRMBAf8EAjAAMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwudGhhd3Rl LmNvbS9UaGF3dGVTR0NDQS5jcmwwKAYDVR0lBCEwHwYIKwYBBQUHAwEGCCsGAQUF BwMCBglghkgBhvhCBAEwcgYIKwYBBQUHAQEEZjBkMCIGCCsGAQUFBzABhhZodHRw Oi8vb2NzcC50aGF3dGUuY29tMD4GCCsGAQUFBzAChjJodHRwOi8vd3d3LnRoYXd0 ZS5jb20vcmVwb3NpdG9yeS9UaGF3dGVfU0dDX0NBLmNydDANBgkqhkiG9w0BAQUF AAOBgQCfQ89bxFApsb/isJr/aiEdLRLDLE5a+RLizrmCUi3nHX4adpaQedEkUjh5 u2ONgJd8IyAPkU0Wueru9G2Jysa9zCRo1kNbzipYvzwY4OA8Ys+WAi0oR1A04Se6 z5nRUP8pJcA2NhUzUnC+MY+f6H/nEQyNv4SgQhqAibAxWEEHXw== -----END CERTIFICATE----- subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA --- No client certificate CA names sent --- SSL handshake has read 1777 bytes and written 316 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 748E2B5FEFF9EA065DA2F04A06FBF456502F3E64DF1B4FF054F54817C473270C Session-ID-ctx: Master-Key: C4284AE7D76421F782A822B3780FA9677A726A25E1258160CA30D346D65C5F4049DA3D10A41F3FA4816DD9606197FAE5 Key-Arg : None Start Time: 1266259321 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- it just shows that the cipher suite is something with AES256-SHA. I know I could grep through the hex dump of the conversation, but I was hoping for something a little more elegant. I would prefer Linux tools, but Windows (or other) would be fine. This question is motivated by the security testing I do for PCI and general penetration testing. Update: GregS points out below that the SSL server picks from the cipher suites of the client. So it seems I would need to test all cipher suites one at a time. I think I can hack something together, but is there a tool that does particularly this?

    Read the article

  • How to Set Up an SMTP Submission Server on Linux

    - by Kevin Cox
    I was trying to set up a mail server with no luck. I want it to accept mail from authenticated users only and deliver them. I want the users to be able to connect over the internet. Ideally the mail server wouldn't accept any incoming mail. Essentially I want it to accept messages on a receiving port and transfer them to the intended recipient out port 25. If anyone has some good links and guides that would be awesome. I am quite familiar with linux but have never played around with MTA's and am currently running debian 6. More Specific Problem! Sorry, that was general and postfix is complex. I am having trouble enabling the submission port with encryption and authentication. What Works: Sending mail from the local machine. (sendmail [email protected]). Ports are open. (25 and 587) Connecting to 587 appears to work, I get a "need to starttls" warning and starttls appears to work. But when I try to connect with the next command I get the error below. # openssl s_client -connect localhost:587 -starttls smtp CONNECTED(00000003) depth=0 /CN=localhost.localdomain verify error:num=18:self signed certificate verify return:1 depth=0 /CN=localhost.localdomain verify return:1 --- Certificate chain 0 s:/CN=localhost.localdomain i:/CN=localhost.localdomain --- Server certificate -----BEGIN CERTIFICATE----- MIICvDCCAaQCCQCYHnCzLRUoMTANBgkqhkiG9w0BAQUFADAgMR4wHAYDVQQDExVs b2NhbGhvc3QubG9jYWxkb21haW4wHhcNMTIwMjE3MTMxOTA1WhcNMjIwMjE0MTMx OTA1WjAgMR4wHAYDVQQDExVsb2NhbGhvc3QubG9jYWxkb21haW4wggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEFA/S6VhJihP6OGYrhEtL+SchWxPZGbgb VkgNJ6xK2dhR7hZXKcDtNddL3uf1YYWF76efS5oJPPjLb33NbHBb9imuD8PoynXN isz1oQEbzPE/07VC4srbsNIN92lldbRruDfjDrAbC/H+FBSUA2ImHvzc3xhIjdsb AbHasG1XBm8SkYULVedaD7I7YbnloCx0sTQgCM0Vjx29TXxPrpkcl6usjcQfZHqY ozg8X48Xm7F9CDip35Q+WwfZ6AcEkq9rJUOoZWrLWVcKusuYPCtUb6MdsZEH13IQ rA0+x8fUI3S0fW5xWWG0b4c5IxuM+eXz05DvB7mLyd+2+RwDAx2LAgMBAAEwDQYJ KoZIhvcNAQEFBQADggEBAAj1ib4lX28FhYdWv/RsHoGGFqf933SDipffBPM6Wlr0 jUn7wler7ilP65WVlTxDW+8PhdBmOrLUr0DO470AAS5uUOjdsPgGO+7VE/4/BN+/ naXVDzIcwyaiLbODIdG2s363V7gzibIuKUqOJ7oRLkwtxubt4D0CQN/7GNFY8cL2 in6FrYGDMNY+ve1tqPkukqQnes3DCeEo0+2KMGuwaJRQK3Es9WHotyrjrecPY170 dhDiLz4XaHU7xZwArAhMq/fay87liHvXR860tWq30oSb5DHQf4EloCQK4eJZQtFT B3xUDu7eFuCeXxjm4294YIPoWl5pbrP9vzLYAH+8ufE= -----END CERTIFICATE----- subject=/CN=localhost.localdomain issuer=/CN=localhost.localdomain --- No client certificate CA names sent --- SSL handshake has read 1605 bytes and written 354 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: E07926641A5EF22B15EB1D0E03FFF75588AB6464702CF4DC2166FFDAC1CA73E2 Session-ID-ctx: Master-Key: 454E8D5D40380DB3A73336775D6911B3DA289E4A1C9587DDC168EC09C2C3457CB30321E44CAD6AE65A66BAE9F33959A9 Key-Arg : None Start Time: 1349059796 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- 250 DSN read:errno=0 If I try to connect from evolution I get the following error: The reported error was "HELO command failed: TCP connection reset by peer".

    Read the article

  • How do I trust a self signed cert using https?

    - by dave
    Edit: I originally thought the server's certificate was self signed. Turns out it was signed by a self-signed CA certificate. I'm trying to write a Node.js application that accesses an HTTPS site that's protected using a self-signed certificate certificate signed by a private, self-signed CA certificate. I'd also like to not completely disable certificate checking. I tried putting the self signed certificate server's certificate in the request options, but that doesn't seem to be working. Anyone know how to do this? I expect the following code to print statusCode 200, but instead it prints [Error: SELF_SIGNED_CERT_IN_CHAIN]. I've tried similar code with request with the same results. var https = require('https'); var fs = require('fs'); var opts = { hostname: host, port: 443, path: '/', method: 'GET', ca: fs.readFileSync(serverCertificateFile, 'utf-8') }; var req = https.request(opts, function (res) { console.log('statusCode', res.statusCode); }); req.end(); req.on('error', function (err) { console.error(err); });

    Read the article

  • Now Available &ndash; Windows Azure SDK 1.6

    - by Shaun
    Microsoft has just announced the Windows Azure SDK 1.6 and the Windows Azure Tools for Visual Studio 1.6. Now people can download the latest product through the WebPI. After you downloaded and installed the SDK you will find that The SDK 1.6 can be stayed side by side with the SDK 1.5, which means you can still using the 1.5 assemblies. But the Visual Studio Tools would be upgraded to 1.6. Different from the previous SDK, in this version it includes 4 components: Windows Azure Authoring Tools, Windows Azure Emulators, Windows Azure Libraries for .NET 1.6 and the Windows Azure Tools for Microsoft Visual Studio 2010. There are some significant upgrades in this version, which are Publishing Enhancement: More easily connect to the Windows Azure when publish your application by retrieving a publish setting file. It will let you configure some settings of the deployment, without getting back to the developer portal. Multi-profiles: The publish settings, cloud configuration files, etc. will be stored in one or more MSBuild files. It will be much easier to switch the settings between vary build environments. MSBuild Command-line Build Support. In-Place Upgrade Support.   Publishing Enhancement So let’s have a look about the new features of the publishing. Just create a new Windows Azure project in Visual Studio 2010 with a MVC 3 Web Role, and right-click the Windows Azure project node in the solution explorer, then select Publish, we will find the new publish dialog. In this version the first thing we need to do is to connect to our Windows Azure subscription. Click the “Sign in to download credentials” link, we will be navigated to the login page to provide the Live ID. The Windows Azure Tool will generate a certificate file and uploaded to the subscriptions those belong to us. Then we will download a PUBLISHSETTINGS file, which contains the credentials and subscriptions information. The Visual Studio Tool will generate a certificate and deployed to the subscriptions you have as the Management Certificate. The VS Tool will use this certificate to connect to the subscription in the next step. In the next step, I would back to the Visual Studio (the publish dialog should be stilling opened) and click the Import button, select the PUBLISHSETTINGS file I had just downloaded. Then all my subscriptions will be shown in the dropdown list. Select a subscription that I want the application to be published and press the Next button, then we can select the hosted service, environment, build configuration and service configuration shown in the dialog. In this version we can create a new hosted service directly here rather than go back to the developer portal. Just select the <Create New …> item in the hosted service. What we need to do is to provide the hosted service name and the location. Once clicked the OK, after several seconds the hosted service will be established. If we went to the developer portal we will find the new hosted service in my subscription. a) Currently we cannot select the Affinity Group when create a new hosted service through the Visual Studio Publish dialog. b) Although we can specify the hosted service name and DNS prefixing through the developer portal, we cannot do so from the VS Tool, which means the DNS prefixing would be the same as what we specified for the hosted service name. For example, we specified our hosted service name as “Sdk16Demo”, so the public URL would be http://sdk16demo.cloudapp.net/. After created a new hosted service we can select the cloud environment (production or staging), the build configuration (release or debug), and the service configuration (cloud or local). And we can set the Remote Desktop by check the related checkbox as well. One thing should be note is that, in this version when we set the Remote Desktop settings we don’t need to specify a certificate by default. This is because the Visual Studio will generate a new certificate for us by default. But we can still specify an existing certificate for RDC, by clicking the “More Options” button. Visual Studio Tool will create another certificate for the Remote Desktop connection. It will NOT use the certificate that managing the subscription. We also can select the “Advanced Settings” page to specify the deployment label, storage account, IntelliTrace and .NET profiling information, etc.. Press Next button, the dialog will display all settings I had just specified and it will save them as a new profile. The last step is to click the Publish button. Since we enabled the Remote Desktop feature, the first step of publishing was uploading the certificate. And then it will verify the storage account we specified and upload the package, then finally created the website in Windows Azure.   Multi-Profiles After published, if we back to the Visual Studio we can find a AZUREPUBXML file under the Profiles folder in the Azure project. It includes all settings we specified before. If we publish this project again, we can just use the current settings (hosted service, environment, RDC, etc.) from this profile without input them again. And this is very useful when we have more than one deployment settings. For example it would be able to have one AZUREPUBXML profile for deploying to testing environment (debug building, less roles with RDC and IntelliTrace) and one for production (release building, more roles but without IntelliTrace).   In-Place Upgrade Support Let’s change some codes in the MVC pages and click the Publish menu from the azure project node. No need to specify any settings,  here we can use the pervious settings by loading the azure profile file (AZUREPUBXML). After clicked the Publish button the VS Tool brought a dialog to us to indicate that there’s a deployment available in the hosted service environment, and prompt to REPLACE it or not. Notice that in this version, the dialog tool said “replace” rather than “delete”, which means by default the VS Tool will use In-Place Upgrade when we deploy to a hosted service that has a deployment already exist. After click Yes the VS Tool will upload the package and perform the In-Place Upgrade. If we back to the developer portal we can find that the status of the hosted service was turned to “Updating…”. But in the previous SDK, it will try to delete the whole deployment and publish a new one.   Summary When the Microsoft announced the features that allows the changing VM size via In-Place Upgrade, they also mentioned that in the next few versions the user experience of publishing the azure application would be improved. The target was trying to accomplish the whole publish experience in Visual Studio, which means no need to touch developer portal any more. In the SDK 1.6 we can see from the new publish dialog, as a developer we can do the whole process, includes creating hosted service, specifying the environment, configuration, remote desktop, etc. values without going back the the developer portal.   Hope this helps, Shaun All documents and related graphics, codes are provided "AS IS" without warranty of any kind. Copyright © Shaun Ziyan Xu. This work is licensed under the Creative Commons License.

    Read the article

  • Is there a way to get SSL certificate details using JavaScript?

    - by sHz
    Hi all, I'd like to gather certain details of an SSL certificate on a particular web-site. I know this is straightforward using the openssl tool on Linux/MacOSX. However is the same or similar possible in JavaScript? I understand that the browser handles socket connections and that the SSL handshake occurs prior to any party sending data. However in an XMLHTTPRequest, I'd like to know if its possible to get these details as some sort of response code etc?

    Read the article

  • makecert gives "Fail to acquire a security provider from the issuer's certificate" - why?

    - by mark
    Dear ladies and sirs. Observe this simple batch file: makecert -n "CN=MyCA" -sr localmachine -ss root -a sha1 -cy authority -r -sv MyCA.pvk MyCA.cer del MyCA.pvk del MyCA.cer makecert -n "CN=il-mark-lt" -sr localmachine -ss my -cy end -pe -sky exchange -a sha1 -is root -ir localmachine -in MyCA However, the last makecert fails with the following error message: Error: Fail to acquire a security provider from the issuer's certificate How do I troubleshoot it? Any ideas? BTW, the first makecert succeeds. Of course, I delete it again, before running the commands again. Thanks. EDIT1 I understood the reasons for the failure. The second command expects the file MyCA.pvk to exist, but I do not want to keep it around. So, what can I do?

    Read the article

  • Trouble on setting SSL certificates for Virtual Hosts using Apache\Phusion Passenger in localhost

    - by user502052
    I am using Ruby on Rails 3 and I would like to make to work HTTPS connections on localhost. I am using: Apache v2 + Phusion Passenger Mac OS + Snow Leopard v10.6.6 My Ruby on Rails installation use the Typhoeus gem (it is possible to use the Ruby net\http library but the result doesn't change) to make HTTP requests over HTTPS. I created self-signed ca.key, pjtname.crt and pjtname.key as detailed on the Apple website. Notice: Following instruction from the Apple website, on running the openssl req -new -key server.key -out server.csr command (see the link) at this point Common Name (eg, YOUR name) []: (this is the important one) I entered *pjtname.com so that is valid for all sub_domain of that site. In my Apache httpd.conf I have two virtual hosts configured in this way: # Secure (SSL/TLS) connections #Include /private/etc/apache2/extra/httpd-ssl.conf # # Note: The following must must be present to support # starting without SSL on platforms with no /dev/random equivalent # but a statically compiled-in mod_ssl. # <IfModule ssl_module> SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> Include /private/etc/apache2/other/*.conf # Passenger configuration LoadModule passenger_module /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2/ext/apache2/mod_passenger.so PassengerRoot /Users/<my_user_name>/.rvm/gems/ruby-1.9.2-p136/gems/passenger-3.0.2 PassengerRuby /Users/<my_user_name>/.rvm/wrappers/ruby-1.9.2-p136/ruby # Go ahead and accept connections for these vhosts # from non-SNI clients SSLStrictSNIVHostCheck off # Ensure that Apache listens on port 443 Listen 443 # Listen for virtual host requests on all IP addresses NameVirtualHost *:80 NameVirtualHost *:443 # # PJTNAME.COM and subdomains SETTING # <VirtualHost *:443> # Because this virtual host is defined first, it will # be used as the default if the hostname is not received # in the SSL handshake, e.g. if the browser doesn't support # SNI. ServerName pjtname.com:443 DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public" ServerAdmin [email protected] ErrorLog "/private/var/log/apache2/error_log" TransferLog "/private/var/log/apache2/access_log" RackEnv development <Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"> Order allow,deny Allow from all </Directory> # SSL Configuration SSLEngine on # Self Signed certificates # Server Certificate SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt # Server Private Key SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key # Server Intermediate Bundle SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt </VirtualHost> # HTTP Setting <VirtualHost *:80> ServerName pjtname.com DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public" RackEnv development <Directory "/Users/<my_user_name>/Sites/pjtname.com/pjtname.com/public"> Order allow,deny Allow from all </Directory> </VirtualHost> <VirtualHost *:443> ServerName users.pjtname.com:443 DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public" ServerAdmin [email protected] ErrorLog "/private/var/log/apache2/error_log" TransferLog "/private/var/log/apache2/access_log" RackEnv development <Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"> Order allow,deny Allow from all </Directory> # SSL Configuration SSLEngine on # Self Signed certificates # Server Certificate SSLCertificateFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.crt # Server Private Key SSLCertificateKeyFile /private/etc/apache2/ssl/wildcard.certificate/pjtname.key # Server Intermediate Bundle SSLCertificateChainFile /private/etc/apache2/ssl/wildcard.certificate/ca.crt </VirtualHost> # HTTP Setting <VirtualHost *:80> ServerName users.pjtname.com DocumentRoot "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public" RackEnv development <Directory "/Users/<my_user_name>/Sites/pjtname.com/users.pjtname.com/public"> Order allow,deny Allow from all </Directory> </VirtualHost> In the host file I have: ## # Host Database # # localhost is used to configure the loopback interface # when the system is booting. Do not change this entry. ## 127.0.0.1 localhost 255.255.255.255 broadcasthost ::1 localhost fe80::1%lo0 localhost # PJTNAME.COM SETTING 127.0.0.1 pjtname.com 127.0.0.1 users.pjtname.com All seems to work properly because I have already set everything (I think correctly): I generated a wildcard certificate for my domains and sub-domains (in this example: *.pjtname.com) I have set base-named virtualhosts in the http.conf file listening on port :433 and :80 My browser accept certificates also if it alerts me that those aren't safe (notice: I must accept certificates for each domain\sub-domain; that is, [only] at the first time I access a domain or sub-domain over HTTPS I must do the same procedure for acceptance) and I can have access to pages using HTTPS After all this work, when I make a request using Typhoeus (I can use also the Ruby Net::Http library and the result doesn't change) from the pjtname.com RoR application: # Typhoeus request Typhoeus::Request.get("https://users.pjtname.com/") I get something like a warning about the certificate: --- &id001 !ruby/object:Typhoeus::Response app_connect_time: 0.0 body: "" code: 0 connect_time: 0.000625 # Here is the warning curl_error_message: Peer certificate cannot be authenticated with known CA certificates curl_return_code: 60 effective_url: https://users.pjtname.com/ headers: "" http_version: mock: false name_lookup_time: 0.000513 pretransfer_time: 0.0 request: !ruby/object:Typhoeus::Request after_complete: auth_method: body: ... All this means that something is wrong. So, what I have to do to avoid the "Peer certificate cannot be authenticated with known CA certificates" warning and make the HTTPS request to work? Where is\are the error\errors (I think in the Apache configuration, but where?!)? P.S.: if you need some more info, let me know.

    Read the article

  • Curl_errno=55, "Failed sending network data."

    - by 4dplane
    Hi all: I have a php script that updates a database via an api. This script works on one server but not on another. Both servers have curl enabled and they have php 5.2.6 or above. The error happens in the do_put() method. The rest of the script seems to be fine. I have found that: curl_errno= 55 = "Failed sending network data". curl_error= select/poll returned error <?php //phpinfo(); require_once "class.DelveAuthUtil.php"; $access_key = ""; $secret = "W"; $org_id = ""; $media_id = ""; $new_tag_name = "uvideo"; $assign_tag_to_media_url = "http://api..com/rest/organizations/$org_id/media/$media_id/properties/tags/$new_tag_name"; $signed_create_new_tag_url = DAU::authenticate_request("PUT", $assign_tag_to_media_url, $access_key, $secret); # perform the creation of the new custom property $put_response = do_put($signed_create_new_tag_url); # Execute the POST function do_post($url, $params=array()) { # Combine parameters $param_string = ""; foreach ($params as $key => $value) { $value = urlencode($value); $param_string = $param_string . "&$key=$value"; } // Get the curl session object $session = curl_init($url); // Set the POST options. curl_setopt ($session, CURLOPT_POST, true); curl_setopt ($session, CURLOPT_POSTFIELDS, $param_string); curl_setopt($session, CURLOPT_HEADER, false); curl_setopt($session, CURLOPT_RETURNTRANSFER, true); // Do the POST and then close the session $response = curl_exec($session); curl_close($session); return $response; } # Execute the PUT function do_put($url) { // Get the curl session object $session = curl_init($url); print(" <br> session= " . $session . "<br>"); // Set the PUT options. print ("opt0= " . curl_setopt($session, CURLOPT_VERBOSE, TRUE) . "<br>"); print ("opt1= " . curl_setopt ($session, CURLOPT_PUT, true) . "<br>"); print ("opt2= " . curl_setopt ($session, CURLOPT_HEADER, false) . "<br>"); print ("opt3= " . curl_setopt ($session, CURLOPT_RETURNTRANSFER, true) . "<br>"); // Do the PUT and then close the session $response = curl_exec($session); if (curl_errno($session)) { print ( "curl_errno= " . curl_errno($session). "<br>"); print( "curl_error= " . curl_error($session) . "<br>"); } else { curl_close($session); } } I have small lead in the Apache log - there is an SSL issue that I do not know how to resolve. [Thu Mar 25 15:57:58 2010] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!! [Thu Mar 25 15:57:58 2010] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations [Thu Mar 25 15:58:59 2010] [notice] caught SIGTERM, shutting down [Thu Mar 25 15:58:59 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Thu Mar 25 15:58:59 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Mar 25 15:58:59 2010] [warn] RSA server certificate CommonName (CN) `yourvps.a2hosting.com' does NOT match server name!? [Thu Mar 25 15:58:59 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Mar 25 15:58:59 2010] [warn] RSA server certificate CommonName (CN) `yourvps.a2hosting.com' does NOT match server name!? [Thu Mar 25 15:58:59 2010] [warn] Init: SSL server IP/port conflict: my1.com:443 (/home/httpd/my.com/conf/kloxo.my1.com:69) vs. elggtest.my1.com:443 (/home/httpd/elggtest.my1.com/conf/kloxo.elggtest.my1.com:71) [Thu Mar 25 15:58:59 2010] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!! [Thu Mar 25 15:58:59 2010] [notice] Digest: generating secret for digest authentication ... [Thu Mar 25 15:58:59 2010] [notice] Digest: done [Thu Mar 25 15:59:00 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Mar 25 15:59:00 2010] [warn] RSA server certificate CommonName (CN) `yourvps.a2hosting.com' does NOT match server name!? [Thu Mar 25 15:59:00 2010] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Mar 25 15:59:00 2010] [warn] RSA server certificate CommonName (CN) `yourvps.a2hosting.com' does NOT match server name!? [Thu Mar 25 15:59:00 2010] [warn] Init: SSL server IP/port conflict: my1.com:443 (/home/httpd/my1.com/conf/kloxo.my1.com:69) vs. elggtest.my1.com:443 (/home/httpd/elggtest.my1.com/conf/kloxo.elggtest.my1.com:71) [Thu Mar 25 15:59:00 2010] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!! [Thu Mar 25 15:59:00 2010] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations[/PHP] Any help would be great! Thanks, 4dplane

    Read the article

  • How to fix First Data payment gateway issues "unable to load certificate" ?

    - by Krishnan
    Our asp.net team working on Shopping cart projects We have integrated First Data payment gateway for payment process We have included Visa/master card verification using Alternative First Data payment gateway After visa/master card verification we got cavv(secure code), xid, eci values. After getting cavv, xid and eci values we have appended these values to First data payment gateway. We have set the host as "secure.linkpt.net" and port as 1129 and also set the config and pem files. Now we got an error when sending the xml values to payment gateway as given below Unable to load certificate ERRs: wsa=33558530 err=33558530 ssl=537317504 sys=33558530. INFO: ACE_SSL (3260|3384) error code: 33558530 - error:02001002:lib(2):func(1):reason(2) please help our team to fix the issue

    Read the article

  • Adobe Reader not loading form content

    - by wullxz
    We have an FDL file which is used to offer an online application possibility. The FDL is filled out and sent to a mailbox. When I open the received file, Adobe Reader starts, loads the document in Internet Explorer (had to change my default browser because it doesn't work in chrome - the customer uses IE as default) and displays a warning that Adobe Reader has blocked the connection to the server where the initial document is saved: I can then click on "Trust this document once" (translated by me!) or "Add this host to trusted hosts" (also translated by me!). The second option doesn't work at all. The first option works but is a little bit annoying. I looked into Adobe Readers options (Edit - "Voreinstellungen" in german / the last option - Security (advanced)) and found the possibility to add hosts, files and directories or allow Adobe Reader to use the "Trusted Websites" list from Internetoptions. When I add the website either to Trusted Websites or the trusted list in Adobe Readers options, the warning doesn't pop up but the content in the prefilled (by the applicant) input boxes of the document doesn't show up on Windows 7 but it does show up on Windows XP. This Screenshot shows the settings window described in the last paragraph. The big input box at the bottom normally holds the trusted files/directories/hosts list. System Information: Windows 7 Enterprise x64 Adobe Reader X multiple IE versions (mine is latest but there's also IE 7 or 8) How do I get Adobe Reader to load the content of the form? This behaviour can be reproduced on a PC. When opening an fdf from a command line the form fields are blank even though there is data in the fdf and the pdf is located in a mnaully entered trsuted folder. Steps to reproduce: Clean install a Windows 7 PC (or use a virtual box) Map a network drive to a shared folder with a subfolder e.g. c:\test\docs becomes m:\docs Set security permissions to allow full control to everyone Add an fdf and a matching pdf file in the subfolder Manually add m:\docs to each of the trusted folders in the trust manager registry settings Ensure that Enhanced Security is on Run a command line to open the fdf file Expected result: pdf is opened in Adobe Reader with form fields filled out with data Actual results: pdf is opened with blank fields 'Yellow bar' appears asking to add document to trusted locations It appears that Adobe Reader XI is ignoring the privileged locations entries in the registry. Adding the document via the 'yellow bar' adds the individual document, with the same folder, to the privileged locations but means that the process has to be repeated for every document that needs to be opened from the folder.

    Read the article

  • HTTPS with Self-Signed Certificate Issues... Solution or better way?

    - by stormin986
    All I need to do is download some basic text-based and image files from a web server that has a self-signed SSL certificate. I have been trying to figure out how to use HttpClient to do this, but getting the SSL to work is a nightmare that seems to be way too much trouble for such a simple task. Is there a better way to perform these file downloads? Perhaps through a WebView or Browser feature? Reinventing the wheel of making a simple HTTPS GET request is a major pain, and is significantly holding up my development schedule. ** Updated title to more accurately reflect question / solution **

    Read the article

  • Where are AnkhSVN CA certificates stored?

    - by Roger Lipscombe
    My Subversion repository is available over HTTPS. I've got a self-signed CA root certificate, and the server uses a certificate signed with that. The CA root certificate is stored in Trusted Root Certification Authorities, which means that (for example) Internet Explorer recognises it. AnkhSVN, on the other hand, reports "There are some problems with this server's certificate". So: what is AnkhSVN using as its certificate store? It doesn't appear to be the Windows one. And how do I put my CA root certificate in there?

    Read the article

< Previous Page | 37 38 39 40 41 42 43 44 45 46 47 48  | Next Page >