Thursday, October 31, 2013

Oracle WebLogic services and non-WebLogic clients

Currently trying to configure a WebLogic web service to talk to a non-WebLogic client with message-level encryption. It was suggested the following resources might hold the key. So far, my problem doesn't seem to involve any of these; rather, it is a problem with certificates whose chains have not been set up properly.

Oracle Fusion Middleware Documentation: Attaching Policies - 12c (12.1.2)

  • http://docs.oracle.com/middleware/1212/owsm/OWSMS/attach-owsm-policy.htm#OWSMS5613
  • http://docs.oracle.com/middleware/1212/wls/WSSOV/owsm-security.htm#CHDBAHBI

WebLogic also has proprietary (non-standard JAX-WS) ways to attach OWSM policies to a web service: you can do it in Java code with the feature classes below, or with Java annotations, which saves writing the plumbing by hand.

weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature class (single policy)
weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature class (multiple policies)

Java / Oracle SOA blog: Calling an OWSM protected service with Axis 1.4 and WSS4J

  • http://biemond.blogspot.com.au/2011/09/calling-owsm-protected-service-with.html
  • http://docs.oracle.com/cd/E21764_01/web.1111/e16098/interop_axis.htm#CHDCICGG

We're using Apache CXF. If you are calling Fusion Middleware from Axis with WSS4J, there are limitations on which OWSM policies are supported:

...you can't use every OWSM policy with Axis. Oracle made an interoperability documentation page of what is possible with Axis 1.4 and OWSM 11g; please check this first.

http://biemond.blogspot.com.au/2011/09/calling-owsm-protected-service-with.html

Oracle documentation provides some help on how you would create your webservices under various scenarios including SAML authentication/authorization and username token. Again, not useful in our case.

understanding certificate chaining

Help - WebSphere MQ

http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10600_.htm

Illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins

Intel(R) AMT SDK Implementation and Reference Guide

http://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fcertificatechainsforhostbasedconfiguration.htm

A certificate chain can be shipped alongside the end-entity certificate by concatenating the PEM blocks (RFC 1421-style Base64 between BEGIN/END lines) into one file. The order matters: the leaf first, then each intermediate in issuing order, and the root last. Build the file with cat rather than copy-and-paste so no stray whitespace or line wrapping is introduced, and make sure every input file ends with a newline; otherwise an END line gets glued to the next BEGIN line and the parser stops at the first certificate.

-----BEGIN CERTIFICATE-----
Body of the leaf certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the first intermediate certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the second intermediate certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Body of the root certificate
-----END CERTIFICATE-----

sslshopper.com: SSL Converter

https://www.sslshopper.com/ssl-converter.html

It is highly recommended that you convert to and from .pfx files on your own machine using OpenSSL so you can keep the private key there. Use the following OpenSSL commands to convert an SSL certificate to different formats on your own machine:

#Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

#see html reference for more

OpenSSL - User - check certificate chain in a pem file

http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html

Concatenate all the previous certificates and the root certificate into one temporary file (this example is for when you are checking the third certificate from the bottom, having already checked cert1.pem and cert2.pem).

Thus for the first round through the commands would be

   Unix:     cat root.pem > root-chain.pem
   Windows:  copy /A root.pem root-chain.pem
   Both:     openssl verify -CAfile root-chain.pem cert1.pem

And the second round would be

   Unix:     cat cert1.pem root.pem > cert1-chain.pem
   Windows:  copy /A cert1.pem+root.pem cert1-chain.pem
   Both:     openssl verify -CAfile cert1-chain.pem cert2.pem

Etc.

"keytool -export/import" - Exporting and Importing Certificates

http://www.herongyang.com/JDK/keytool-export-import-Certificates.html
  • The "-export" command option exports the self-signed certificate of my public key into a file, my_home.crt.
  • The "-printcert" command option prints out summary information of a certificate stored in a file in X.509 format. As you can see from the print out, I am the issuer and the owner of this certificate.
  • The "-import" command option imports the certificate from the certificate file back into the keystore under different alias, my_home_crt.

TechStump.com: How to Rearrange a Certificate Chain using OpenSSL

http://www.techstump.com/2012/10/how-to-rearrange-certificate-chain.html

..you do need to know the correct certificate order. The first two are easy, the key should be first and the Server Certificate should be second. Generally the third certificate will be an intermediate and the last will be a root. If you look at each section, you’ll see a -------Begin Certificate------ and -------End Certificate------ section preceded by a header. In the header you’ll see what certificate is what.

keytool-Key and Certificate Management Tool

http://docs.oracle.com/javase/7/docs/technotes/tools/windows/keytool.html
-importcert {-alias alias} {-file cert_file} [-keypass keypass] {-noprompt} {-trustcacerts} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption}

Reads the certificate or certificate chain (where the latter is supplied in a PKCS#7 formatted reply or a sequence of X.509 certificates) from the file cert_file, and stores it in the keystore entry identified by alias. If no file is given, the certificate or certificate chain is read from stdin.

.. keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. In the latter case, the encoding must be bounded at the beginning by a string that starts with "-----BEGIN", and bounded at the end by a string that starts with "-----END".

Option defaults for keytool

-storetype the value of the "keystore.type" property in the security properties file,
           which is returned by the static getDefaultType method in
           java.security.KeyStore

Help - IBM SDK and Runtime Environment Java Technology Edition Version 6

http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2FkeytoolDocs%2Fsupportedkeystoretypes.html

Supported Key Store Types

  • JKS
  • JCEKS . This keystore implementation employs a much stronger protection of private keys (using password-based encryption with Triple DES) than JKS. You can upgrade your keystore of type "JKS" to type "JCEKS" by changing the password of a private-key entry in your keystore.
  • PKCS12. There is a difference between a PKCS12 type keystore created by the keytool provided in the IBM JVM and one created by the keytool provided in an Oracle JVM. The keytool in an IBM JVM uses a PKCS12 keystore to store both key entries and certificate entries. The keytool in an Oracle JVM uses a PKCS12 keystore to store key entries. The keytool program in IBM's JVM can read the keystore created by the keytool program provided by an Oracle JVM, but not the other way around.
  • PKCS12S2. This is a second version of PKCS12 type keystore. It can be read by the keytool program in an Oracle JVM.
  • JCERACFKS. This is a RACF® keyring keystore. This type is available only on z/OS® systems with RACF installed.

OpenSSL: Documents, pkcs7(1)

http://www.openssl.org/docs/apps/pkcs7.html

PKCS#7 (P7B) is another container format, but unlike JKS it holds only certificates (and optionally CRLs), never private keys. It is a way to ship a chain, not a keystore.

Creating a PKCS7 (P7B) Using OpenSSL

https://langui.sh/2009/03/20/creating-a-pkcs7-p7b-using-openssl/

This example assumes that you have 2 different certificate files, each in PEM (Base64) format. You can add as many -certfile elements as you want to package in the file. Additionally, concatenated certificate chains are supported.

openssl crl2pkcs7 -nocrl -certfile cert1.cer -certfile cert2.cer -out outfile.p7b

OpenSSL: Documents, verify(1)

http://www.openssl.org/docs/apps/verify.html

The verify command verifies certificate chains: pass the trust anchor(s) with -CAfile and any intermediates that should not be trusted on their own with -untrusted. A leaf verified against the root alone, with its intermediates missing, fails with "unable to get local issuer certificate", which is the symptom of an incomplete chain.
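The following is an added example, not code from this page, from Oracle or from the nabble thread quoted above. It ties together the PEM ordering rule (leaf first, root last), the round-by-round openssl verify procedure, and the crl2pkcs7 packaging from the earlier sections. It builds a throwaway three-tier chain (root, two intermediates, leaf) with the openssl CLI; every name, subject and serial number in it is made up, and the split-and-compare ordering check and the use of EC keys are my choices, not something the page prescribes. It needs only openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the page or from Oracle): build a throwaway chain
# root -> int1 -> int2 -> leaf, assemble the PEM bundle leaf-first/root-last,
# check the order, and run openssl verify round by round. All subjects and
# serial numbers below are made up for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for CA certificates and for the end-entity certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' >"$WORK/leaf.ext"

# new_key_and_csr NAME SUBJECT: EC key plus CSR (EC keeps key generation fast).
new_key_and_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# sign NAME ISSUER EXTFILE SERIAL: self-sign when ISSUER is "self", otherwise
# sign with the issuer's key. Writes $WORK/NAME.pem.
sign() {
    if [ "$2" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
            -set_serial "$4" -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
            -days 1 -set_serial "$4" -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
    fi
}

new_key_and_csr root "/CN=Example Root CA";          sign root self ca.ext 1
new_key_and_csr int1 "/CN=Example Intermediate 1";   sign int1 root ca.ext 2
new_key_and_csr int2 "/CN=Example Intermediate 2";   sign int2 int1 ca.ext 3
new_key_and_csr leaf "/CN=service.example.test";     sign leaf int2 leaf.ext 4

# bundle OUT FILE...: concatenate PEM files in the given order. A file without a
# trailing newline would otherwise glue its END line to the next BEGIN line.
bundle() {
    out=$1; shift
    : >"$out"
    for f in "$@"; do
        cat "$f" >>"$out"
        [ -z "$(tail -c 1 "$f")" ] || echo >>"$out"
    done
}

# dn subject|issuer FILE: the DN without the "subject=" / "issuer=" prefix.
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# chain_order BUNDLE: split the bundle and require that each certificate's
# issuer is the subject of the certificate that follows it. Prints ok or bad.
chain_order() {
    d=$(mktemp -d "$WORK/split.XXXXXX")
    awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (dir "/c" n ".pem")}' "$1"
    n=$(ls "$d" | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        if [ "$(dn issuer "$d/c$i.pem")" != "$(dn subject "$d/c$j.pem")" ]; then
            echo bad; return 0
        fi
        i=$j
    done
    echo ok
}

# verify_ok CAFILE UNTRUSTED TARGET: exit status of openssl verify
# (pass "" as UNTRUSTED when there are no intermediates to supply).
verify_ok() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# rounds: the nabble procedure, each verified certificate joins the trusted
# file used for the next round.
rounds() {
    cat "$WORK/root.pem" >"$WORK/root-chain.pem"
    verify_ok "$WORK/root-chain.pem" "" "$WORK/int1.pem" || return 1
    cat "$WORK/int1.pem" "$WORK/root.pem" >"$WORK/int1-chain.pem"
    verify_ok "$WORK/int1-chain.pem" "" "$WORK/int2.pem" || return 1
    cat "$WORK/int2.pem" "$WORK/int1.pem" "$WORK/root.pem" >"$WORK/int2-chain.pem"
    verify_ok "$WORK/int2-chain.pem" "" "$WORK/leaf.pem"
}

# p7b_count BUNDLE: package the bundle as PKCS#7 (P7B) and count what is inside.
p7b_count() {
    openssl crl2pkcs7 -nocrl -certfile "$1" -out "$WORK/chain.p7b"
    openssl pkcs7 -in "$WORK/chain.p7b" -print_certs -noout | grep -c '^subject'
}

bundle "$WORK/chain.pem"    "$WORK/leaf.pem" "$WORK/int2.pem" "$WORK/int1.pem" "$WORK/root.pem"
bundle "$WORK/shuffled.pem" "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int1.pem" "$WORK/int2.pem"
cat "$WORK/int2.pem" "$WORK/int1.pem" >"$WORK/untrusted.pem"

echo "ordered bundle:  $(chain_order "$WORK/chain.pem")"
echo "shuffled bundle: $(chain_order "$WORK/shuffled.pem")"
rounds && echo "round-by-round verify: ok"
verify_ok "$WORK/root.pem" "$WORK/untrusted.pem" "$WORK/leaf.pem" && echo "one-shot verify with -untrusted: ok"
verify_ok "$WORK/root.pem" "" "$WORK/leaf.pem" || echo "leaf against root alone: fails (intermediates missing)"
echo "certificates in chain.p7b: $(p7b_count "$WORK/chain.pem")"
```

The shuffled bundle is accepted by nothing that walks the file in order, and the final verify shows the failure mode this entry is chasing: the leaf is perfectly valid, but without its intermediates the trust store cannot reach the root. The same split-and-compare check is worth running on any bundle a vendor hands you before it goes into a keystore.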

Monday, October 14, 2013

jQuery timepicker

Subversion (source control)

Subversion Tutorial: 10 Most Used SVN Commands with Examples

Needed to know how to retrieve information in svn. It's been a long time. Git is so much better.

svn checkout/co URL PATH

jQuery Timepicker

Was looking for a viable time picker for tracker.

JQuery

.addClass() | jQuery API Documentation

http://api.jquery.com/addClass/

Adds the specified class(es) to each of the set of matched elements.

$( "p" ).addClass( "myClass yourClass" );

How can I make a redirect page in jQuery/JavaScript? - Stack Overflow

http://stackoverflow.com/questions/503093/how-can-i-make-a-redirect-page-in-jquery-javascript

Redirecting users after an AJAX call using JavaScript.

window.location.replace(...)

It is better than using window.location.href =, because replace() does not put the originating page in the session history, meaning the user won't get stuck in a never-ending back-button fiasco

Ryan McGeary, Feb 3 '09

Ruby/Rails

ruby - Radio buttons on Rails - Stack Overflow

http://stackoverflow.com/questions/623051/radio-buttons-on-rails

How to use Rails models in combination with radio buttons.

<div class="form_row">
    <label for="theme">Theme:</label>
    <% [ 'plain', 'desert', 'green', 'corporate', 'funky' ].each do |theme| %>
      <br><%= radio_button_tag 'theme', theme, @theme == theme %>
      <%= theme.humanize %>
    <% end %>
</div>

Run migrations from rails console - Stack Overflow

I love this! Use console to run migrations instead of waiting for the environment to load with each run.

# run migrations
ActiveRecord::Migrator.migrate "db/migrate"
ActiveRecord::Migrator.down "db/migrate", 20131011115823

# show the available migrations
puts ActiveRecord::Migrator.get_all_versions
puts ActiveRecord::Migrator.migrations_path

# show the available migrations; does not show whether those migrations have been applied or not 
puts (ActiveRecord::Migrator.migrations "db/migrate").map{|x| "#{x.version}: #{x.filename}"}

Thursday, October 3, 2013

Illegal key size and JCE

android - java.security.InvalidKeyException: Illegal key size - Stack Overflow

Java ships with restricted-strength JCE policy files, so using a key above the export limit (for example AES-256) fails with InvalidKeyException: Illegal key size. Oracle publishes the "JCE Unlimited Strength Jurisdiction Policy Files" separately from its normal distribution so that cryptography export laws are not violated. To get past this error, replace local_policy.jar and US_export_policy.jar under the JRE's lib/security directory as described in the installation instructions packaged with the download, which is available from Oracle.

  • local_policy.jar
  • US_export_policy.jar

maven 2 - Can I change the alias of my key? - Stack Overflow

Want to change the alias of a trusted certificate entry or a private key entry? Easy, peasy (-keypass is only needed for a private key entry).

keytool -changealias -alias "your-very-very-long-alias" -destalias "new-alias" -keypass keypass -keystore /path/to/keystore -storepass storepass

iOS 7 iMessages and Facetime won't activate! - MacRumors Forums

http://forums.macrumors.com/showthread.php?t=1594713

I was experiencing some problems on my iMac with getting iMessages to be active. I applied updates and restarted the computer and I was back in business.

Apparently other people have had problems, especially with iOS 7.

My Apple ID

https://iforgot.apple.com/password/verify/appleid?app_type=ext&app_id=1581

Hey; it's hard remembering all those passwords all the time, right?

Bash-Prog-Intro-HOWTO-8: Functions

http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-8.html

Bash functions.

   #!/bin/bash 
   function quit {
       exit
   }
   function hello {
       echo Hello!
   }
   hello
   quit
   echo foo    # never reached: quit has already exited the script

Tuesday, October 1, 2013

weblog; missing CA Root

X.509 Certificates

The Most Common Java Keytool Keystore Commands

http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

Display the contents of a stand-alone certificate. keytool doesn't show as much detail as the openssl command.

Keytool

keytool -printcert -v -file mydomain.crt

OpenSSL

openssl x509 -noout -text -in mydomain.crt

Download Primary PCA Root Certificates | Symantec

http://www.symantec.com/page.jsp?id=roots

Needed to complete the CA root chain for Oracle/PeopleSoft. This seems to do the trick; check the downloaded root's fingerprint against the one published on the Symantec page before importing it as a trust anchor.

wget http://www.verisign.com/repository/roots/root-certificates/PCA-3G3.pem

No trusted certificate found : when opeing a ssl connection from behind the proxy. (Open Source Projects forum at JavaRanch)

  • http://www.coderanch.com/t/62494/open-source/trusted-certificate-opeing-ssl-connection
  • http://stackoverflow.com/questions/10749803/validatorexception-no-trusted-certificate-found-in-java

Two-way ssl handshake

  1. The client opens the handshake (ClientHello).
  2. The server sends its certificate chain and, because this is two-way SSL, requests a certificate from the client.
  3. The client sends its own certificate chain.
  4. Each side validates the other's chain against its truststore. The client's validation of the server chain fails when an intermediate or root in that chain is missing or not trusted; this is where Java reports "No trusted certificate found".

In our case, it seems the problem is an incomplete CA Root chain.