If I access my glassfish server at http://localhost:8080, I receive the glassfish welcome page, as it should be. But if I try to access the other http listener at https://localhost:8181, I receive a message like that:
(illustrative image)
How can I avoid this error message (thinking that I don't want my clients to see it)?
This is because GlassFish generates self-signed certificates for authentication (s1as and glassfish-instance). Your browser is (rightly) complaining that it doesn't trust these certificates, because anyone can fake them for a "man-in-the-middle" attack.
To get around this, you will need to obtain a new private key and certificate from a trusted CA to replace the self-signed ones.
These can then be imported to your keystore,jks and cacerts.jks, or you can create new keystores. If you're unfamiliar with how this works, I would suggest making backups of the originals, then importing to the existing keystores, since the communication between DAS and instances relies on certificates for authentication in a lot of places.
The GlassFish 4 Security Guide [PDF] should help you.
Related
I am able to get into SharePoint site using browser but not able to connect it using SSIS ODATA Connector. I have admin rights in that site. We have multiple imports successfully running using same SharePoint Server right now. Using SSDT2012. I tried another site successfully to confirm I don't have issue with SSDT. Any idea what I am missing.
Error msg:
TITLE: OData Connection Manager Editor
Test connection failed
ADDITIONAL INFORMATION:
The remote server returned an error: (401) Unauthorized. (System)
The logon attempt failed (System)
BUTTONS:
OK
What is the Service Document Location URL, you are giving in your case? Here is mine which works well.
Are you using basic authentication or Windows authentication?
If the former, double and triple-check that your userid and password are correct, and that the credentials have the proper access.
If the latter, check to see what user the package is running as. Also, I've found that when using Windows Authentication, you have to go back and double check what the Basic Authentication settings are, and zero them out before going back to Windows Authentication. It sounds crazy, but sometimes it works.
Our setup is like this: we use a coldfusion 10 server, and files are on a local intranet. Users use a domain login to access any files over https. I'm interested in using html5 websockets, but the first attempt gave me an error because no credentials were supplied. Is there a way around this? If not, is there a recommended technology for this scenario?
The user does log in on the client side. If it's possible, what I'd really like to do here is pass those credentials when making the connection to the server.
you should be able to supply the authentication header to your web socket server before the elevation to web socket read that and send it back in the headers for the elevation (first frame) then when the browser connects it should have the authentication it needs.
if your using a custom authentication E.G in page not authentication header you can also do this by passing any custom header to your server.
Or mandate that the first thing your web client sends is the authentication details this could be something like {username_hash}.{password_hash} if they don't close the socket to them.
Do not do this.
You're now responsible for sending and encrypting the authentication credentials yourself, bypassing something that already works and is tested.
Anyone can snoop on an unencrypted websocket port. Use HTTPs for an intranet, use stable solutions, don't reinvent this wheel because it tickles your fancy.
In a couple of years some colleague will have to maintain this and will have to figure out how your homebrew version works versus something that's solid like plain browser authentication.
My advice: Leave this to the browser and to well-tested coldfusion libraries.
Compare the 2 screencaps below.
Each is to a different unsecured page where a login can be performed.
Why does Chrome warn only in the first instance and not the second?
I'm assuming it is something to do with encryption... and if yes, what exactly?
Note:
the first screencap is from a visit to: http://test.idempiere.org/
the second screencap is from a visit to a PrestaShop installation on a private VPS. PrestaShop is a popular e-Commerce CMS
If you use http connections you are always prone to many attack vectors, but they are still so used that no browser warns about them yet (although, see Mozilla proposal for deprecating unencrypted http). But you are right, those connections are definitely insecure.
However, currently HTTPS connections are checked against "known good" Certificate Authorities. If your connection does not have a trusted certificate chain, it is frowned upon.
Thankfully, these days you can get a free HTTPS validation thanks to EFF's initiative Let's Encrypt.
First the SSL Certificate is created by PrestaShop, not by an SSL company, your os does not know the issuer of the SSL Cert. And the cert is expired. You can make a certificate at letsencrypt, if you want to make it free: https://letsencrypt.org/.
That was my browser say(in german)
In my wp8 app,
I enter a open wifi which is operated by communication operator
blocked by a portal page that needs using account and password to log in
after I post some data to a https url
I have the ability to use the wifi network to access to internet freely.
Now,I encounter a problem:
before the https connection established successfully,it will be running the Online Certificate Status Protocol (OCSP)
OCSP needs to access to CA like veriSign to verify the server certificate status
but I have no internet access at this moment.
So,my app return a Webexception whose description is "The remote server returned an error: NotFound".I think it is because of the failure of OCSP.
Based on above,I want to find a solution to sovle this:
My point is to disable the OCSP mechanism,Do you know how to do this?
And I also would like to know if there is another solution to sovle the problem.
Hope your advice,Thanks!
The way you'd do that on .NET is to set the ServicePointManager.ServerCertificateValidationCallback delegate and perform the logic you want to perform. But, unfortunately that is not yet available on Windows Phone.
There are various uservoice suggestions related to this, for example:
http://windowsphone.uservoice.com/forums/101801-feature-suggestions/suggestions/2146033-allow-self-signed-and-corporate-certificates-for-s
http://windowsphone.uservoice.com/forums/101801-feature-suggestions/suggestions/4299617-client-ssl-certificate-authentication
They don't apply to you directly, but if they end up gaining access to ServicePointManager then you'll be able to do what you want to do.
I have created a certificate request for code signing purposes. The sys admins told me they have never given one before and told me they need to set up local windows certificate issuing to hand out certificates for code signing purposes. They have sent me a certificate base 64 encoded once it is enabled. I imported cert into my pc and tried to sign the microsoft access. Microsoft access claims the digital signature is not valid.
When I look at the signature, it looks valid. Is there anyway I can debug why the cert is no good for code signing purposes ? Thanks.
That was dumb but here's what happened. When I went through the certmgr, it did not let me request a certificate through the AD policy. I had to create a request using the custom request. What I did not realize is that, I was issuing the command from another computer and sending the request and then importing the certificate from another computer.
Basically I did not have a private key on the other computer to sign the certificate, the certificate looked ok but the prompt that says "you have a private key ..." was not there. When I went in and imported the certificate, on the same computer that I have created the request from, the private key was found and I was able to sign it. That was stupid but you think, I would get a more descriptive warning.
Of course now that I have signed my access 2007 package, I figured out it, it still gives me a warning about macros and asks me to still enable.. My understanding was that signing your package will let others to run the content without running into trust center issues... Fudge....