Re: OT: TomCat WebCerts and Linux? - Hewlett Packard
-
Re: OT: TomCat WebCerts and Linux?
On Thu, 25 Sep 2008 09:43:15 -0400, James B. Byrne wrote:
>This is likely caused by using a self-signed PKI certificate for the
>service or using a certificate signed by a private certificate authority....
Upon reflection it occurs to me that the problem could also be caused by an
expired/revoked certificate; either the server certificate or the issuing CA
certificate might now be invalid.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
-
Re: OT: TomCat WebCerts and Linux?
Hi James, Mark and Others
I am exploring the suggestions and trying to sterilize the info so I
can post more info... But I think James may have set me on the right
direction
More in a bit..
Art "Thanks to all for support" Bahrs
Art Bahrs, CISSP
Security Engineer
Providence Health & Services
Arthur.Bahrs@Providence.org
Phone: 503-216-2722
DISCLAIMER:
This message is intended for the sole use of the addressee, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the addressee you are hereby notified that you may not use, copy, disclose, or distribute to anyone the message or any information contained in the message. If you have received this message in error, please immediately advise the sender by reply email and delete this message.
-
Re: OT: TomCat WebCerts and Linux?
> I am exploring the suggestions and trying to sterilize the info so I
> can post more info... But I think James may have set me on the right
> direction
James has most certainly hit the nail on the head. Most people don't go out
and buy an SSL cert when they're playing with new technology. I'm sure you
have a self-signed cert.
In our case, we didn't mind the certificate warning when it was employees
who were getting it but soon we'll be having customers and suppliers
accessing our online systems. So pay attention to James's advice when you do
go and get an SSL cert and think about the number of domains and/or IP
addresses and use the subjectAltName feature in your request. We didn't and
it required some extra work.
Mark W.
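
[Added example, not part of any poster's message: a shell sketch of the two points raised in the thread, building a certificate request that lists every name and IP in subjectAltName, and telling a self-signed certificate from one issued by a private CA or an expired one. The host names, the 192.0.2.10 address, the "Example Internal CA" name and the function names are constructed for illustration; it assumes the openssl command-line tool is installed.]

```bash
# Added example: names and addresses are constructed; keys are throwaway.
set -eu
WORK=$(mktemp -d)

# make_csr <cn> <san-list>: key plus CSR listing every name/IP in subjectAltName.
make_csr() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $1
[v3_req]
subjectAltName = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# sans <req|x509> <file>: print the subjectAltName entries of a CSR or certificate.
sans() {
  openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n 1 | sed 's/^ *//; s/ *$//'
}

# sign_with_private_ca: issue server.crt from a constructed internal CA.
# "x509 -req" drops the CSR's extensions unless -extfile/-extensions repeat them.
sign_with_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -extensions v3_ca -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 1 -days 30 -extfile "$WORK/req.cnf" -extensions v3_req \
    -out "$WORK/server.crt" 2>/dev/null
}

# diagnose <cert>: report which of the causes named in the thread applies.
diagnose() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo "expired"
  elif [ "$subj" = "$iss" ]; then echo "self-signed"
  else echo "issued by: $iss"
  fi
}

make_csr tomcat.example.internal "DNS:tomcat.example.internal,DNS:apps.example.internal,IP:192.0.2.10"
sign_with_private_ca
sans x509 "$WORK/server.crt"; diagnose "$WORK/ca.crt"; diagnose "$WORK/server.crt"
```

[A certificate reported as "issued by" an internal CA is trusted only by clients that have that CA's certificate in their trust store.]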
-
Re: OT: TomCat WebCerts and Linux?
Hi Mark 
Thanks, I reviewed all replies ... Especially James and yours as
there was some really good information there!
This is a case of "internal self-signed certificate with an internal
CA" so James' info was very much in the 'pipe' for targeting...
Unfortunately, our workaround of using FireFox will have to bide us
for a while longer... The SysAdmins and the Cert Admin are pondering
this ... And our BlueCoat conversion project just got re-prioritized
waaaayyy above the cert situation since we have a workaround for the
cert situation.
Stay tuned... I will be back to it in a while
Art "knee-deep in the hoopla" Bahrs
P.S. Since we are watching "It's a Wonderful Life" in the real life...
Does that mean life is just a movie? Hehehe
Or as another fun late night ponderance (based on a Robin Williams
routine) goes:
Life is but a Dream,
Reality is what we call Life,
Q.E.D. Reality is a Dream....
Art Bahrs, CISSP
Security Engineer
Providence Health & Services
Arthur.Bahrs@Providence.org
Phone: 503-216-2722