
"SSL and CRL Checking with GlassFish V2" posted by ~Ray
Posted on 2008-11-29 14:20:27

We should not change the GlassFish keystore password directly using keytool, because if we did, GlassFish would no longer know how to retrieve the keys from it. The reason one would want to change the keystore password is that the default password "changeit" is not a secure password (everyone knows it).

So what would happen if we changed the keystore password directly using the following command?

    >keytool -storepasswd -keystore keystore.jks -new newpassword -storepass changeit

Now when you start GlassFish it would not know what the new password is, so you would see the following exception:

    Caused by: java.lang.IllegalStateException: Keystore was tampered with, or password was incorrect
        at com.sun.enterprise.security.SecuritySupportImpl.loadStores(SecuritySupportImpl.java:114)
        at com.sun.enterprise.security.SecuritySupportImpl.initJKS(SecuritySupportImpl.java:82)
        at com.sun.enterprise.security.SecuritySupportImpl.<init>(SecuritySupportImpl.java:76)
        at com.sun.enterprise.security.SecuritySupportImpl.<init>(SecuritySupportImpl.java:71)

And GlassFish would fail to start.

So how does one change the keystore password for GlassFish? In the GlassFish Admin Console we see the option to change the administrator password:

    Application Server --> Administrator Password

Changing this password does not help either, because it changes the administrator password. The real password to be changed is the GlassFish master password. Stop the domain if it is running, and then we can change the master password:

    >asadmin stop-domain

    >asadmin change-master-password --savemasterpassword=true
    Please enter the new master password>
    Please enter the new master password again>
    Master password changed for domain domain1

Now let us see what happens if we try to list the GlassFish keystore using the old password:

    >keytool -list -keystore keystore.jks -storepass changeit
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

So we see that it fails. Now let us try with the changed master password:

    >keytool -list -keystore keystore.jks -storepass newpassword
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entries

    s1as, Nov 11, 2007, keyEntry,
    Certificate fingerprint (MD5): C0:41:05:12:5A:77:E8:5D:1F:DB:FD:EF:E4:23:E2:42

This confirms that the right way to change the keystore password is to change the master password. Also do not forget the --savemasterpassword=true option when changing the master password if you wish to save the changed master password. Without this option the master password file, if it exists, will be deleted, and hence you will be prompted for the master password every time you try to start the domain. On the other hand, be aware that there is a risk associated with saving the master password in a file.

If you have added more key entries to the GlassFish keystore other than the default "s1as", then when you change the master password you will have to manually change the key password of the key entries that you have added. Otherwise GlassFish would again fail to start and you may see the following exception:

    java.lang.reflect.InvocationTargetException
    ...........
    Caused by: java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Cannot recover key
        at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
        ... 10 more
    Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:120)
        at java.security.KeyStore.getKey(KeyStore.java:731)
        at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:111)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit

Assuming my GlassFish keystore had a key entry "myserver" in addition to "s1as", then upon changing the master password I would need to run the following command to change the key password for "myserver" to be the same as the new master password:

    >keytool -keypasswd -alias myserver -keystore keystore.jks -storepass <new master password>

This comes from a limitation of the JSSE API: the key password and the keystore password cannot be different. The authentication process will fail if the keystore password and the certificate's private key password are not the same.

Assuming you are all set with your correct server certificates in place, here are the steps to create a skeletal web application that makes use of SSL mutual authentication. I made use of NetBeans when developing the application because it provides visual editing of the security settings described in this section and makes things very easy.

The web application demonstrated in this section would just have a welcome JSP and a secure Hello.html page, which is secured by specifying a security constraint requiring SSL mutual authentication. You can access the complete WAR file for the Application

    <%@page contentType="text/html"%>
    ......
    <html>
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Page</title>
      </head>
      <body bgcolor="#FFFFFF">
        Welcome to the SSL Mutual Authentication Test Page
        <br/>
        <p>Request a secure page <a href="secure/Hello.html">here!</a></p>
        <br/>
        <p>It will use SSL Mutual Authentication</p>
      </body>
    </html>

In web.xml we will add a security constraint for the URL pattern "/secure/*", which is where our secure Hello.html page is located. We add a user-data-constraint with transport-guarantee CONFIDENTIAL, indicating the need to use SSL. Then we add a login-config element with auth-method CLIENT-CERT to indicate the need for client certificate authentication (making it an SSL mutual authentication scenario). In addition, we need to define the role that will be allowed to access the secure resources, followed by a mapping of the role to groups/principals in sun-web.xml. Here is how the security portion of web.xml would look:

    <security-constraint>
      <display-name>Constraint1</display-name>
      <web-resource-collection>
        <web-resource-name>secure resource</web-resource-name>
        <description/>
        <url-pattern>/secure/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description/>
        <role-name>authorized</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description/>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
      <description/>
      <role-name>authorized</role-name>
    </security-role>

And here is how the role mapping in sun-web.xml is defined:

    <security-role-mapping>
      <role-name>authorized</role-name>
      <group-name>authorized</group-name>
    </security-role-mapping>

Now the last thing we need to do is add the assign-groups property for the certificate realm in the GlassFish domain.xml. This makes sure that all clients with valid client certificates get assigned a group named "authorized". Here is how the certificate realm configuration in GlassFish would look:

    <auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
      <property name="assign-groups" value="authorized"/>
    </auth-realm>

Certificates may be revoked by a Certification Authority for various reasons. The most common proposed method for distributing revocation information requires an issuing authority to publish a signed list of revoked certificates (called a CRL, an acronym for Certificate Revocation List). The reasons for revocation and a whole lot of other details and issues with revocation can be found elsewhere on the world wide web. In this section of the blog we will discuss how one can use such a CRL file to enforce certificate revocation checking.

Of course a static CRL file is no good, because the revocation lists issued by the Certificate Authority are bound to change over time, and so any site/server depending on such a CRL file will need to deal with issues of timely updates to the CRL file in order to ensure robust revocation information. A complete discussion of this topic is out of the scope of this blog.

The GlassFish http-listener element supports a property called "crlFile" whose value is a CRL file to be consulted during SSL client authentication. This can be an absolute or relative file path. If relative, it is resolved against the domain-dir. If the property is not specified, then CRL checking is disabled.

For this blog I created a sample CA (Certificate Authority) and generated a client certificate signed by the CA. I later revoked the client certificate, and the CA generated a CRL (crl.pem) file containing the revocation information.

Here are the steps to simulate an SSL client authentication failure using the revoked certificate.

1. Install the CRL file into the domains/domain1/config/ directory.

3. Specify the "crlFile" property in domain.xml under the http-listener meant for SSL (port 8181):

    <http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-2" port="8181" security-enabled="true" server-name="" xpowered-by="true">
      <ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
      <property name="crlFile" value="${com.sun.aas.instanceRoot}/config/crl.pem"/>
    </http-listener>

Notice that the property should go below the ssl child element of http-listener.

4. Install the CA certificate in the GlassFish truststore cacerts.jks using keytool, or using NSS tools if you are running in the enterprise profile.

Now run the SSL mutual authentication sample and you will see that the client authentication failed. The following message can be seen in the GlassFish server logs:

    [#|2007-11-12T17:32:54.113+0530|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-0;|
    httpSSLWorkerThread-8181-0 fatal error: 46: General SSLEngine problem
    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked reason: unspecified|#]

In the previous section we discussed the static CRL file approach to revocation checking. But JSSE also supports HTTP URL based revocation checking, wherein the revocation list is dynamically downloaded from the Certificate Authority. Since the SSL implementation in GlassFish is essentially layered upon the JSSE support, this feature of dynamic CRL based revocation checking is supported by GlassFish. The information about the revocation list URL is encoded inside the certificate itself as extension elements. For example, I created a certificate using the Verisign Test CA, and the certificate it issued to me contains the following extension elements:

    #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [accessMethod: 1.3.6.1.5.5.7.48.1
       accessLocation: URIName: http://ocsp.verisign.com,
       accessMethod: 1.3.6.1.5.5.7.48.2
       accessLocation: URIName: http://SVRSecure-aia.verisign.com/SVRTrial2005-aia.cer]
    ]
    #3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
    #4: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
        [URIName:

Notice the CRLDistributionPoints extension, which specifies the URL of the dynamically downloadable CRL file from the CA.

The tradeoff between a static CRL file and a dynamic CRL download is that a dynamic CRL would be more robust and correct, but the size of the CRL file may impact the performance of the revocation checking logic.

In GlassFish the following two system properties (understood by the underlying JSSE implementation) can be specified as jvm-options in domain.xml to enable dynamic CRL download based revocation checking:

    <jvm-options>-Dcom.sun.net.ssl.checkRevocation=true</jvm-options>
    <jvm-options>-Dcom.sun.security.enableCRLDP=true</jvm-options>

This is because the way in which GlassFish uses the JSSE APIs causes these two options to remain false by default.

This approach of course makes an assumption that the certificate being used contains a CRL Distribution Point extension element. Otherwise enabling this option may cause failure. You may also need to set the http.proxyHost and http.proxyPort properties for this approach to work correctly. If for some reason the CRL file could not be fetched from the specified URL at runtime, you may see an exception in the server logs of the following form:

    [#|2007-11-12T16:54:20.877+0530|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8181-1;|
    httpSSLWorkerThread-8181-1 fatal error: 46: General SSLEngine problem
    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: revocation status check failed: no CRL found|#]

Make sure you do not mix the static approach mentioned in the previous section with this one, because although the static approach may work even with certificates that do not contain a CRL DP extension, enabling the dynamic CRL checking will cause failures if the client certificate does not contain a CRL DP extension.

To debug issues with the CertPath API in the JDK you can set the following JVM option in the GlassFish domain.xml:

    -Djava.security.debug=certpath

When the dynamic CRL checking succeeds you can see debug prints of the following form after enabling certpath debugging using the above option.

method. In the case of GlassFish, the static approach of setting inside the java.security file is what would be possible. This is because GlassFish does not set this property by default.

The JSSE documentation indicates that one can possibly enable both the OCSP and dynamic CRL DP approaches. It says:

OCSP checking works in conjunction with Certificate Revocation Lists (CRLs) during revocation checking. Below is a summary of the interaction of OCSP and CRLs. Failover to CRLs occurs only if an OCSP problem is encountered. Failover does not occur if the OCSP responder confirms either that the certificate has been revoked or that it has not been revoked.

    #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [accessMethod: 1.3.6.1.5.5.7.48.1
       accessLocation: URIName: http://ocsp.verisign.com,
       accessMethod: 1.3.6.1.5.5.7.48.2
       accessLocation: URIName: http://SVRSecure-aia.verisign.com/SVRTrial2005-aia.cer]
    ]

However, JSSE allows specifying an ocsp.responderURL property. By default the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.

By enabling certpath debugging you should see the debugging info as shown below when you set the ocsp.enable property to true.
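The revocation settings described above can be checked mechanically. The following is an added example, not code from the original post or from GlassFish: it audits a domain.xml for the post's rules (crlFile absent means no static CRL checking, both jvm-options are treated as required for dynamic checking, the two approaches should not be mixed, and the crlFile property belongs below the ssl element). The function names, finding labels and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# JVM options named in the post for dynamic (CRL Distribution Point) checking.
CHECK_REVOCATION = "-Dcom.sun.net.ssl.checkRevocation=true"
ENABLE_CRLDP = "-Dcom.sun.security.enableCRLDP=true"


def audit_revocation(domain_xml):
    """Return (location, finding) tuples for the revocation setup in domain.xml.

    The finding labels are hypothetical names chosen for this example.
    """
    root = ET.fromstring(domain_xml)
    jvm_opts = {(o.text or "").strip() for o in root.iter("jvm-options")}
    has_check = CHECK_REVOCATION in jvm_opts
    has_crldp = ENABLE_CRLDP in jvm_opts
    dynamic = has_check and has_crldp

    findings = []
    if has_check != has_crldp:
        # The post lists both options together; one alone is flagged here.
        findings.append(("jvm-options", "dynamic-crl-incomplete"))

    for listener in root.iter("http-listener"):
        if listener.get("security-enabled") != "true":
            continue  # plain HTTP listener: no SSL client authentication
        lid = listener.get("id", "?")
        children = list(listener)
        tags = [c.tag for c in children]
        crl_idx = next(
            (i for i, c in enumerate(children)
             if c.tag == "property" and c.get("name") == "crlFile"),
            None,
        )
        static = crl_idx is not None and bool(children[crl_idx].get("value"))

        # The post notes the property should go below the ssl child element.
        if crl_idx is not None and "ssl" in tags and crl_idx < tags.index("ssl"):
            findings.append((lid, "crlFile-before-ssl-element"))
        if static and dynamic:
            # The post warns against mixing the static and dynamic approaches.
            findings.append((lid, "static-and-dynamic-mixed"))
        elif not static and not dynamic:
            # No crlFile and no dynamic download: revoked certs are accepted.
            findings.append((lid, "no-revocation-checking"))
    return findings


# --- Constructed sample input (not a real domain.xml) ---------------------
SSL = '<ssl cert-nickname="s1as" client-auth-enabled="false"/>'
CRL = '<property name="crlFile" value="${com.sun.aas.instanceRoot}/config/crl.pem"/>'


def sample_domain(listener_children, jvm_options=()):
    """Build a minimal domain.xml-like document for the audit."""
    opts = "".join("<jvm-options>%s</jvm-options>" % o for o in jvm_options)
    return (
        "<domain><java-config>%s</java-config>"
        '<http-listener id="http-listener-1" port="8080" security-enabled="false"/>'
        '<http-listener id="http-listener-2" port="8181" security-enabled="true">'
        "%s</http-listener></domain>" % (opts, listener_children)
    )


if __name__ == "__main__":
    cases = {
        "default (no revocation)": sample_domain(SSL),
        "static crlFile": sample_domain(SSL + CRL),
        "dynamic CRL DP": sample_domain(SSL, [CHECK_REVOCATION, ENABLE_CRLDP]),
        "mixed": sample_domain(SSL + CRL, [CHECK_REVOCATION, ENABLE_CRLDP]),
    }
    for name, xml in cases.items():
        print(name, "->", audit_revocation(xml) or "ok")
```

To audit a real installation, pass the contents of domains/domain1/config/domain.xml to audit_revocation instead of the constructed samples.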

Related article:
http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html

comments | Add comment | Report as Spam


"SSL and CRL Checking with GlassFish V2" posted by ~Ray
Posted on 2008-11-29 14:20:27

We should not change the GlassFish Keystore password directly usingKeytool because if we did that then GlassFish would not know how toretrieve the keys from it anymore. The reason why one would be tochange the keystore password is because the default password"changeit" is not a secure password (everyone knows it). So what would happen if we change the keystore password directly usingthe following dominate :>keytool -storepasswd -keystore keystore jks -new newpassword-storepass changeitNow when you start GlassFish it wouldn't know what the new password isso you would see the following exceptionCaused by: java lang. IllegalStateException: Keystore was tampered with,or password was incorrect atcom sun enterprise security. SecuritySupportImpl loadStores(SecuritySupportImpl java:114) atcom sun enterprise security. SecuritySupportImpl initJKS(SecuritySupportImpl java:82) atcom sun enterprise security. SecuritySupportImpl.<init>(SecuritySupportImpl java:76) atcom sun enterprise security. SecuritySupportImpl.<init>(SecuritySupportImpl java:71)And GlassFish would Fail to go away. So how does one change the Keystorepassword for GlassFish. When we see the GlassFish Admin Console we seethe option to change the Administrator Password. Application Server --> Administrator PasswordChanging this password also does not help because it changes theadministrator password. So the real password to be changed is theGlassFish Master Password.>asadmin stop-domainStop the domain if it is running and then we can change themaster password.>asadmin change-master-password --savemasterpassword=truePlease enter the new master password>gratify enter the new master password again>Master password changed for domain domain1Now let us see what happens if we try to enumerate the GlassFish Keystoreusing the old password>keytool -list -keystore keystore jks -storepass changeitkeytool error: java io. 
IOException: Keystore was tampered with orpassword was incorrectSo we see that it fails now let us try with the changed masterpassword>keytool -list -keystore keystore jks -storepass newpasswordKeystore type: jksKeystore provider: SUNYour keystore contains 1 entriess1as. Nov 11. 2007 keyEntry,Certificate fingerprint (MD5):C0:41:05:12:5A:77:E8:5D:1F:DB:FD:EF:E4:23:E2:42This confirms that the right way to change the keystore password is tochange the master password. Also do not forget the--savemasterpassword=true option when changing the masterpassword ifyou wish to save the changed masterpassword. Without this option themasterpassword file if it exists will be deleted and hence you will beprompted for the masterpassword every time you try to start the domain. On the otherhand be aware that there is a risk associated in saving the masterpasssword in a file If you have added more keyentries into the GlassFish Keystore otherthan the fail "s1as" then when you change the master password youwill have to manually dress the KeyPassword of the KeyEntries that youhave added into the GlassFish Keystore. Otherwise GlassFish wouldagain fail to go away and you may see the following exception :java lang reflect. InvocationTargetException........... Caused by: java lang. IllegalStateException:java security. UnrecoverableKeyException: Cannot recover key atcom sun enterprise security. SSLUtils.<clinit>(SSLUtils java:128) ... 10 moreCaused by: java security. UnrecoverableKeyException: Cannot recover key atsun security provider. KeyProtector recover(KeyProtector java:301) atsun security provider. JavaKeyStore engineGetKey(JavaKeyStore java:120) atjava security. KeyStore getKey(KeyStore java:731) atcom sun net ssl internal ssl. SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl java:111) atcom sun net ssl internal ssl. 
KeyManagerFactoryImpl$SunX509 engineInitAssuming my GlassFish Keystore had a KeyEntry "myserver" in addition to"s1as" then upon changing the master password i would be to run thefollowing command to dress the keypassword for "myserver" to be thesame as the new know password>keytool -keypasswd -alias myserver -keystore keystore jks-storepass <new master password>This comes from the limitation of the JSSE API. The keypasswordand the keystore password cannot be different. The authenticationprocess will fail if the keystore and the certificate's private keypassword are not the same. Assuming you are all set with your correct Server Certificates inplace here are the steps to act a Skeletal WebApplicationthat makes use of SSL Mutual Authentication. I made of NetBeans when developing the Application because it provides VisualEditing of the Security Settings described in this section and makesthings very easy. The WebApplication demonstrated in this section would just have aWelcome JSP and a Secure Hello html page which is Securedby specifying a Security Constraint requiring SSL MutualAuthentication. You can access the end WAR register for theApplication <%@page contentType="text/html"%>...... <html> <continue> <metahttp-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>JSP Page</title> </continue> <body bgcolor="#FFFFFF"> Welcome tothe SSL Mutual Authentication evaluate summon <br/> <p>Request a secure page <ahref="secure/Hello html">here!</a></p> <br/> <p>It will use SSL Mutual Authentication</p> </body> </html> In the web xml we will add a Security Constraint for the URL pattern "/secure/*" which is where our Secure Hello htmlpage is located. We add a user-data-constraint withtransport-guarantee CONFIDENTIAL indicating the need to use SSL. Thenwe add a login-config element with auth-method CLIENT-CERTto indicate the need for Client Certificate Authentication (making itan SSL Mutual Authentication Scenario). 
In addition we would need to define the role which will be allowed toaccess the secure resources. Followed by a mapping of therole to groups/principals in sun-web xml. Here is how thesecurity portion of web xml would be <security-constraint> <display-name>Constraint1</display-name> <web-resource-collection> <web-resource-name>obtain resource</web-resource-name> <description/> <url-pattern>/secure/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>continue</http-method> <http-method>PUT</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> <http-method>DELETE</http-method> </web-resource-collection> <auth-constraint> <description/> <role-name>authorized</role-name> </auth-constraint> <user-data-constraint> <description/> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>CLIENT-CERT</auth-method> </login-config> <security-role> <description/> <role-name>authorized</role-name> </security-role> And here is how the role mapping in sun-web xml is defined as <security-role-mapping> <role-name>authorized</role-name> <group-name>authorized</group-name> </security-role-mapping> Now the last thing we would be to do is add the assign-groupsproperty for the award Realm in Glassfish Domain xml. Thiswould make sure that all Client's with Valid Client Certificates getassigned a group named "authorized". Here is how the CerificateRealm configuration in GlassFish would look like <auth-realmclassname="com sun enterprise security auth realm certificate. CertificateRealm"label="certificate"> <propertyname="assign-groups" value="authorized"/> </auth-realm> Certificates may be revoked by a Certification Authority for Variousreasons. The most common proposed method for distributingrevocation information requires an issuing authority to create asigned list of revoked certificates (called CRL acronym forCertificate Revocation enumerate). 
The reasons for revocation and a wholelot of other details and issues with Revocation can be open elsewhereon the world wide web. In this section of the blog wewill address how one can use such a CRL file toenforce certificate revocation checking. Ofcourse a Static CRL file is no good because the revocation listsissued by the Certificate Authority are bound to dress overtime and soany site/server depending on such a CRL register will need to broach withissues of timely updates to the CRL file inorder to ensurerobust revocation information. A complete discussion of this topic isout of the scope of this blog. The GlassFish http-listener element supports a Propertycalled "crlFile" whose value is a CRL file to be consulted duringSSL client Authentication. This can be an absolute or relativefile path. If relative it is resolved against the domain-dir. If theproperty is not specified then CRL checking is disabled. For this blog i created a sample CA (CertificateAuthority) and generated a Client award signed by theCA. I later revoked the Client Certificate and the CA generated aCRL(crl pem) file containing the revocation information. Here are the steps to simulate an SSL Client Authentication Failureusing the revoked certificate.1. Install the file intodomains/domain1/config/ directory3. Specify the "crlFile" property in domain xml under the http-listenermeant for SSL (port 8181)<http-listener acceptor-threads="1" address="0.0.0.0"blocking-enabled="false" default-virtual-server="server" enabled="true"family="inet" id="http-listener-2" port="8181" security-enabled="true"server-name="" xpowered-by="adjust"> <sslcert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false"ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/> <propertyname="crlFile" value="${com sun aas instanceRoot}/config/crl pem"/></http-listener>Notice that the Property should come below the ssl child element ofhttp-listener. 4. 
Install the inGlassFish Truststore cacerts jks using Keytool or using NSS tools ifyou are running in the enterprise profile. Now run the SSL Mutual Authentication Sample and you will see that theClient Authentication Failed the following communicate can be seen in theGlassFish server Logs :[#|2007-11-12T17:32:54.113+0530|INFO|sun-appserver9.1|javax enterprise system stream out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-0;|httpSSLWorkerThread-8181-0 fatal error: 46: General SSLEngine problemsun security validator. ValidatorException: PKIX path validation failed:java security cert. CertPathValidatorException: Certificate has beenrevoked reason: unspecified|#] In the previous section we discussed static CRL register approach torevocation checking. But the JSSE supports Http URL based RevocationChecking wherein the Revocation List will be dynamically downloadedfrom the Ceritificate Authority. Since the SSL implementation inGlassFish is essentially layered upon the JSSE support so thisfeature of Dynamic CRL based revocation checking is supported byGlassFish. The information about the revocation list URL isencoded inside the Ceritificate itself as Extensionelements. For example i created a certificate using theVerisign Test CA and the certificate it issued to me contains thefollowing extension elements : #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [accessMethod: 1.3.6.1.5.5.7.48.1 accessLocation: URIName: http://ocsp verisign com,accessMethod: 1.3.6.1.5.5.7.48.2 accessLocation: URIName:http://SVRSecure-aia verisign com/SVRTrial2005-aia cer]]#3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false#4: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: Notice the CRLDistributionPoints extension which specifies theURL of the dynamicall downloadable CRL file from the CA. 
The tradeoff between a Static CRL File and a Dynamic CRL download wouldbe that a Dynamic CRL would be more robust and correctbut the size of the CRL file may impact the performance of the revocation checking logic. In GlassFish the following two system properties (understood by theunderlying JSSE implementation) can be specified as jvm-optionsin domain xml to enable Dynamic CRL download based RevocationChecking. <jvm-options>-Dcom sun net ssl checkRevocation=true</jvm-options><jvm-options>-Dcom sun security enableCRLDP=true</jvm-options>This is because the way in which GlassFish uses the JSSE API's causes these two options remain false by default. This approach ofcourse makes an assumption that the Certificate beingused contains a CRL DistributionPoint Extension element. Otherwiseenabling this option may cause failure. You may also need to set the http proxyHost and http proxyPort properties for this come to bring home the bacon correctly. If for some reason theCRL file could not be fetched from the specified URL at runtime you maysee an exception in the server logs of the following form :[#|2007-11-12T16:54:20.877+0530|INFO|sun-appserver9.1|javax enterprise system stream out|_ThreadID=20;_ThreadName=httpSSLWorkerThread-8181-1;|httpSSLWorkerThread-8181-1 fatal error: 46: General SSLEngine problemsun security validator. ValidatorException: PKIX path validation failed:java security cert. CertPathValidatorException: revocation status checkfailed: no CRL open|#]Make sure you do not mix the static approach mentioned in previoussection with this one because although the static approach may workeven with certificates that do not include a CRL DP extension enablingthe dynamic CRL checking will cause failures if the Client certificatedoes not contain a CRL DP Extension. 
To debug issues with CertPath API in JDK you can set the following JVMOption in GlassFish domain xml : -Djava security debug=certpathWhen the dynamic CRL checking succeeds you can see debug printsof the following form after enabling certpath debugging using the aboveoption. method. Incase of GlassFish the Static Approach of settinginside java security file is what would be possible. This is because GlassFish does not set this property by default. The JSSE documentation indicates that one can possibly enable both OCSPand Dynamic CRL DP approaches. It says. OCSP checking works inconjunction with Certificate Revocation Lists (CRLs)during revocation checking. Below is a summary of the interaction ofOCSP and CRLs. Failover to CRLs occurs only if an OCSP problem isencountered. Failover does not become if the OCSP responder confirmseither that the certificate has been revoked or that it has not beenrevoked. #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [accessMethod: 1.3.6.1.5.5.7.48.1 accessLocation: URIName: http://ocsp verisign com,accessMethod: 1.3.6.1.5.5.7.48.2 accessLocation: URIName:http://SVRSecure-aia verisign com/SVRTrial2005-aia cer]] However the JSSE forge allows specifying a ocsp responderURLproperty. By default the location of the OCSP responder isdetermined implicitly from the certificate being validated. Theproperty is used when the Authority Information Access extension(defined in RFC 3280) is disappear from the certificate or when itrequires overriding. By enabling Certpath Debugging you should see the debugging info asshown below when you set the ocsp enable property to true. I wouldn't bother with the Euro spec turbo's you won't gain a lot for the hassle. However a hybridised pair of stock turbo's might be worth it. They are the same externally as the stock turbo's but feature larger compressor and turbine wheels. 

Related article:
http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html



"Cat Attractant?" posted by ~Ray
Posted on 2008-03-26 02:26:23

My Whitey is the same way with my sheets when I make the bed. He has to be there while I put them on and invariably I always make him into the bed. He loves it and he scurries around like a crazy cat. Your cat is beautiful. She looks like a real charmer. lol.. you know.. i think i have cat fur balls rolling through the house like tumble weeds.. such a busy weekend that i really should clean... *~* :o) don't cry cause it's over... :o) smile cause it happened... :o) *~* Miss Diva Catt !! I have one too.... Simba (female) and yes.. she sits by the bed as i change the sheets and Kerplunk she is on the bed before I can blink an eye. She also likes to dwell in one of my closets (when the grandkids are over). She is the boss.. no doubt about it.. even our two dogs (large ones) concede to her. She will pick morsels of food out of their food dishes while they balefully look on. I was never a cat person... but since we found Simba (a 2 month old kitten... high up in our channelise) oh so many years ago... I have developed a great deal of respect for the feline species. Cats are much easier to be after than dogs.. much more independent and in our inspect smarter too!! tells of the same things. PS I cannot go to her house to visit either hmmmm wonder if she does that on purpose?? LoL.. have a great week! : ) Our animals enjoy the same things we do and who wouldn't enjoy a freshly made bed with clean fold bedding. Mizz Catt is a Diva in her own alter and what Diva wouldn't apply a freshly made bed???? It's comical at times the things our animals will do. They want our undivided attention just like our children. Sadly I have to say that I no longer have my animals due to my job but oh the memories that I still have... When I get my new printer scanner I will post some pics of Kiki (my dog) and Tye (my cat). Tye is a lot like Mizz Catt when it comes to fresh linens but it was only on my daughter April's bed.
He was her cat and slept with her every night. He knew when it was bedtime and would dutifully follow her to their room. Yes it was his room too. Kiki was my big do by and she slept under my bed except for when I was not looking or around and when the grandbabies were here she was so jealous.... She would try to take permanent residence in my lap to keep me from holding them or expect me to make room for her too.... I have a dog that acts suspiciously like your feline friend. She's always on top of what I'm trying to read, takes up as much of the bed as possible and growls if I try to move her so I have more space, and is always under foot if I'm in the kitchen, some little treat might drop you know! I miss my cats… But I do not miss the cat fur, coughed up fur balls and litter boxes. The smell of fresh clean linen is one of those simple pleasures in life not to take for granted. Last week I saw some nice flannel sheets I want to buy. They were at Bass Pro Shop of all places. Imagine that! I had to remain focused and just get some rugs from my favorite store “Cozy confine” and take advantage of my son being with me to carry them. You shared this entry wonderfully and have me reminiscing of my days living with three cats and three dogs. I was the alpha dude and wherever I sat they would interact around me. Hack cough out sneeze. They were all wonderful animals and at times I miss them. But I do not miss all the clean-up work and care. My house had to be vacuumed every day. Have a splendid week and I have a Thanksgiving entry to publish later this week that you are truly a part of… Well you know how much I enjoyed your blog! Huge grin and nodding of the head.. for Miss Kitty.. and remembering accidentally stepping on one of our kitties' tails and feeling that same way. I also like how they are so quick to back up with wrapping Christmas presents. I enjoyed this post so much. I have never had a cat. Jim's sister always had a cat.
If she was unfortunate and lost a beloved cat she immediately got another one. When she passed away last fall her daughter inherited her two cats. Her daughter already had a cat and two dogs. Now she has a full house. I do know that her cats ruled her house just as you stated like Catt does yours.


Related article:
http://y12beta6.spaces.live.com/Blog/cns!D160EFCAAE754D75!9218.entry



"The Bitter Homeschooler's Wish List" posted by ~Ray
Posted on 2008-01-08 03:11:12

Learn what the words "socialize" and "socialization" mean and use the one you really mean instead of mixing them up the way you do now. Socializing means hanging out with other people for fun. Socialization means having acquired the skills necessary to do so successfully and pleasantly. If you're talking to me and my kids, that means that we do in fact go outside now and then to visit the other human beings on the planet, and you can safely assume that we've got a decent grasp of both concepts. Quit interrupting my kid at her dance lesson, scout meeting, choir practice, baseball game, art class, field trip, park day, music class, 4H club or soccer lesson to ask her if as a homeschooler she ever gets to socialize. Please stop telling us horror stories about the homeschoolers you know, know of, or think you might know who ruined their lives by homeschooling. You're probably the same little bluebird of happiness whose hobby is running up to pregnant women and inducing premature labor by telling them every ghastly birth story you've ever heard. We all hate you, so please go away. We don't look horrified and start quizzing your kids when we hear they're in public school. Please stop drilling our children like potential oil fields to see if we're doing what you consider an adequate job of homeschooling. We didn't go through all the reading, learning, thinking, weighing of options, experimenting and worrying that goes into homeschooling just to annoy you. Really. This was a deeply personal decision tailored to the specifics of our family. Stop taking the bare fact of our being homeschoolers as either an affront or a judgment about your own educational decisions.

Aiming to become the Engadget of whimsy is for the young at heart. That said, it looks like this month-old blog is well on its way to global whimsy domination. Built by the Browski family and named after daughters Luca (age 9) and Akira (age 7), they aim to provide an alternative space for kids to be entertained and educated. This is a great bookmark for parents with a sophisticated sense of compete who want to share gems of amusement with their kids, and only if their kids are cool enough. And the Browski kids are. Find daily YouTube laughs an you can't imagine why you don't already have and lots of cartoons and. If you had any doubt that family of designers behind Lukira were game-lovers just try and sight the links to the products. (Hint: click the photo.)


Related article:
http://www.lukira.com/lukira/2007/11/the-bitter-home.html



"From Babylon to the Turgoman Garage" posted by ~Ray
Posted on 2007-12-09 15:42:13

Our destination the old Christian quarter of town. Also known as Old Cairo. Also known as Babylon in Egypt, named by the ancient Babylonian labourers who helped build the old city walls. In contrast to the lived-in gritty conclude of Islamic Cairo, the enclave housing the ancient churches, Roman fortifications and the Coptic Museum has a relatively sanitized feel. You can tell that the authorities have “touristed” up the place. Notwithstanding, this is a worthwhile trip. Within a the lay of one modern city block we passed through the first synagogue in Egypt (supposedly built on the place where Baby Moses was found amongst the bullrushes by the princess of Egypt), looked down into the hiding place of the Holy Family during their flight from king Herod and saw the chains used in the bondage of St. George and the instruments of torture used to kill St. Barbara. The small Coptic churches are full of atmosphere, iconography and symbology. My favourite of the latter being the use of twelve pillars representing the disciples of Jesus to give the pulpit. One pillar is coloured black to represent Judas. Another is coloured color to represent Doubting Thomas. I don’t want to know what colour my pillar would be. My charitable guess is somewhere along the beige to murky spectrum. Perhaps sepia. Another highlight was the Coptic Museum, where Janine went toe to toe with the security staff who wanted her to check her camera before entry. It was classic bargaining. First she reacts with outrage (anchoring high). “Where’s the sign that says no cameras?” she asks the perplexed looking security man, who after some hesitation repeats in rough English that no cameras are allowed in the museum. Janine presses the contend. “Money back for tickets then!” she says, gesturing to me to get the tickets out. Apparently we’re leaving. The security man gets his supervisor. Supervisor repeats the no cameras line but Janine holds tighten with her “no sign money back” defence. He hesitates.
And in a heartbeat Janine switches tactics. “I won’t take any pictures,” she says, making a baseball judge’s “safe” sign with her hands. Supervisor hesitates again. We don’t take any pictures in the museum (assuming that we would be justly and summarily executed if discovered) and it’s too bad. Because the Coptic Museum, newly renovated, is a first class facility. From the beautiful adorn and dilate work on its wooden ceilings and railings to the well-conceived chronological and thematic lay out of the possess rooms to the tranquility of its many white-walled courtyards (not to mention the amazing artworks themselves - but you kind of expect that in this neck of the woods). It puts the Antiquities Museum to shame but also gives hope for what the new Antiquities Museum will look like when it finally opens in (breathe) 2015. Camera conflicts aside, the day’s real adventure was saved for the evening when we decided to try and purchase tickets for our bus trip to the Siwa desert oasis, which lies near the Libyan border. To do this we had to jaunt from Babylon to what our guidebook called the Turgoman Garage, where buses for the oasis depart daily. This didn’t sound too tough except for that the Turgoman Garage fell just out of be of the maps covering downtown Cairo in our guidebook. But Cairo’s not into that. And I can kind of see its point. I mean, if it had to put up street signs, next you’d have people asking it to compel traffic signals, then you’d get all kinds of motor safety laws being used and pretty soon you wouldn’t even be taking your life in your hands to go across the streets! And that, my friends, would be the death of the Cairo we know and love. Out of the subway, then realize you’re on the wrong side of the boulevard and go back down into the subway. Get out your map again. Wave off the tout who approaches you. Maybe we were on the right side of the boulevard the first time? Let’s cross. That was not pleasant. Wait.
Are we still on the same boulevard? Where’s Shahan Street? Here it is! Wait, on the subway’s map it says Shanan Street. Let’s ask a cop! He doesn’t speak English. Let’s ask this nice young man. He’d like to help but he’s never heard of Turgoman Garage. As night falls we are literally wandering the darkening Cairo streets with a compass and our guide book. I remember a friend telling me once that Janine and I would have been good contestants for the show The Amazing Race. I’ve never seen that show before but as we go down one last lane before admitting defeat, I’m pretty sure that I would dislike it. We see a facility called “Cairo Gateway”. It’s a bus terminal. It’s not called Turgoman but at least we might get some information there. At the metal detectors we ask the security follow if he knows where we can get bus tickets to Siwa. I want to give him a hug. But being a stranger in a strange heavily armed land, I settle for a change shoulder pat and my most sincere “shukran”. So assuming we’re able to get up in time to catch our bus tomorrow morning at 7 a.m., it’s farewell for now to Cairo. We’ll be back to do better justice to the Islamic accommodate and the Dashur pyramid field. But like all nascent relationships, Cairo and I need a break from each other for a couple of weeks or one of us is going to die. But don’t worry - I’m sure that when we get back together the make-up sex will be great.


Related article:
http://jasonandjanine.wordpress.com/2007/11/19/from-babylon-to-the-turgoman-garage/



"Assuming the Position" posted by ~Ray
Posted on 2007-11-29 20:19:59

This entry was posted on October 28, 2007 at 4:04 pm.


Related article:
http://smokindudes.wordpress.com/2007/10/28/assuming-the-position/



"Google's gPhone will probably be many phones - assuming there is a ..." posted by ~Ray
Posted on 2007-11-03 17:37:07

The gPhone rumors, which I discussed in depth a few days ago, have gotten stronger and more credible over the last couple of days, with complementary reports on two respected tech blogs that said they had details about Google’s wireless phone plans. Engadget said Tuesday that Google is poised to announce a wireless phone operating system after the Sept. 3 Labor Day holiday. Citing “a be of trustworthy sources,” Engadget said that the team from Android, a company acquired by Google in 2005, has developed a Linux-based mobile OS that Google is shopping around to various handset makers. Ryan Block, author of the Engadget report, says that he doesn’t think that Google actually wants to make its own phone, but he doesn’t rule it out. Full article:


Related article:
http://my-google.blogspot.com/2007/08/googles-gphone-will-probably-be-many.html



"always assuming the worst" posted by ~Ray
Posted on 2007-10-28 14:25:30

Yesterday departs on the approve of day without a analyse of itself without a nod of acknowledgment. The stains on our new sheets the yellow ones i found at sears bludgeon your femininity. When you go you cry instead then weep and sob; i hold you like a crucifix. You sob some more then amuse in my interlocking arms and legs. She turns over like the final mile in my odometer. Your spine arches and rises as my pearly syllables cascade on you i muffle: I’m your kite; you’re my arrange; you’re the angel-beast every man worships secretly. You grab my mane and come about. You touch the back of her pet. You go asleep on a pyre of ashes. I seem to be able to only rest 2 hours or so at a measure and then I wake up for a bit. I was doing that since about 8pm last night


Related article:
http://erictron.livejournal.com/356969.html



"Assuming We Have One, Will It Be Stolen Again?" posted by ~Ray
Posted on 2007-10-23 18:11:56

Does it matter who gets the democratic nomination? The republicans stole the measure election so what guarantees do we have they won’t do it again? Steal from me and I’m not going to believe you again. I used to accept that alter elections only occurred in countries run by evil dictators, oh wait, that would be us wouldn’t it? As far as I know no real safeguards have been put in place to insure that people aren’t denied their rights to vote and that all votes will be counted.

Honestly! I am a believer. I believe that crime might pay once or twice but we get better each time at covering our butts. I believe that with all the thousands of shady characters out to get *their* candidate elected there are still millions of us looking for shenanigans that might cheat *our* candidate. Until we check political office applicants for character and screen all campaign staffs for character and all advertisers and their staffs for character - no, I won’t promise crap won’t happen. But for all the cynical Hollywood movies about political shenanigans, one of the more recent was ‘Evan Almighty’ (Morgan Freeman is killer in that roll. “Your plans!” Also his ‘opportunities’ line.) Sorry, just feeling a bit silly today. And hoping just a bit that Hilary and company *do not* get elected back to Washington, D.C. in any capacity. Yep. Just silly. Comment by — August 22, 2007 come up then I was reading Wired news and it seems California is buying a bunch of uncertified voting machines, or ES&S is selling machines that someone, especially California, thinks are certified only they aren’t. Of course the bind doesn’t claim that the machines don’t work as well or better than the certified ones. It is just that certifying sounds more better. But I still like the old ‘Chicago Rules’ - choose early vote often!


Related article:
http://honjii.wordpress.com/2007/08/22/assuming-we-have-one-will-it-be-stolen-again/



"Script-Assuming Styles" posted by ~Ray
Posted on 2007-10-17 20:03:30

Recently the topic of script-assuming styles came up again. With all the ajax and RIA flying around it's easy to forget that some folks fly with javascript disabled. This trap may lead to the developer creating styles that will assume script is enabled (since our heads are in script-land SO much) and end up being useless to those without javascript. For example, a slideshow widget may have the style for the images set to hide them by default, then use javascript to display the images in turn. Users that don’t have javascript will be looking at a page full of hidden images. No big deal to fix though: just make them visible by default and then have javascript hide them when the widget loads. The problem with this is that there will be a visible flicker when the page loads. The images will be visible for a split second, then they disappear.

The noscript tag could work here also (and without the flicker). Basically have a noscript tag that would load a stylesheet specifically to ‘fix’ the widget to be usable when javascript is not enabled. This currently works, but there is some talk of the noscript tag not being included in XHTML5, and it's a bit annoying to have that much distance between what is effectively the same logical group of styles just to cover the 2 modes. It would be especially annoying if this were a ‘3rd party’ widget or tool being dropped into a page. I’ve talked about how it’d be nice if there was a available but there (still) isn’t.

The workaround is to have javascript code set a class on a parent element that will just cascade and hide the images for you. Until today, I thought the body element was the best candidate for that: just add a ‘scriptEnabled’ class to the body element (document.body) and then the styles will cascade. The trick was getting the script so that it would reliably be run AFTER the body was available. Without using a ‘dom ready’ approach, the best I could collect was to just have the script inline as the first child element of the body. It was a trade-off that I could live with.

Then I read and I felt like a noob. In it, Simon Pieters describes the same approach but used a much more appropriate element…and one that was much easier to get at without all the timing concerns. The root element itself: the html element (document.documentElement). The scriptEnabled class can be set on the document.documentElement and then the styles that want to assume that script is enabled would just be prefixed with scriptEnabled. I had never thought about styling with the html element. I’ve used it (the html>blah css hack) but I’d never thought about using it for non-hackery. The nice part is the code can be anywhere…the documentElement is (obviously) available when script is executing.


Related article:
http://www.itsalleasy.com/2007/08/26/script-assuming-styles/



 

 



