Installing wildcard and intermediate SSL certificates on JBoss



When a wildcard certificate is included in a keystore, JBoss will present the wildcard certificate to the client requesting it. The client then needs to verify the certificate against a trusted root CA. If the intermediate certificates are not present in the keystore, most browsers with the "Certificate Request" feature will keep requesting the intermediate certificates until the identity is verified with the trusted authority. This can be a problem for basic browsers, or browsers that do not support "Certificate Request", as the certificate is never verified and appears invalid. The issue is found most often on Android devices and can be detected with an SSL verifier.


  • Download and install OpenSSL on the server.
  • Download the issued wildcard certificate (PFX), the password file, and the following certificates from the GoDaddy Repository:
    • valicert_class2_root.crt
    • gd_cross_intermediate.crt
    • gd_intermediate.crt

You will want to copy the .PFX and the .CRT files to a folder, and then copy this folder to the OpenSSL \bin folder to execute the following commands. The complete path should resemble "C:\OpenSSL-Win32\bin\Certs".


You now need to open a command prompt and navigate to the OpenSSL\bin folder to use these commands:

Export and decrypt the .PFX

  • openssl pkcs12 -in ".\Certs\wildcardcert1.pfx" -out ".\Certs\wildcard2.pem" -nodes

Copy the password from the password file to complete.

Now export and decrypt the certificate from the .PFX

  • openssl pkcs12 -in ".\Certs\wildcardcert1.pfx" -out ".\Certs\wildcert3.pem" -nodes -clcerts

Again, copy the password from the password file to complete.

Now we need to verify the conversion of the exported certificate.

  • openssl x509 -in ".\Certs\wildcert3.pem" -out ".\Certs\newwildcert4.cer" -outform DER


We now need to open wildcard2.pem in Notepad and append the certificate chain in the correct order.

Open gd_intermediate.crt in Notepad and copy the entire content of the file, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, and paste the text at the end of the wildcard2.pem file.

Repeat the previous step with gd_cross_intermediate.crt, appending it to the last copied certificate.

Once again, we repeat the previous step with valicert_class2_root.crt appending it again to the last copied certificate.


We can now save the new completed certificate. The next step is to reconvert it to .PFX and encrypt it again. We can achieve this with the following command (the name can be anything short, using only ASCII characters):

  • openssl pkcs12 -export -in ".\Certs\wildcard2.pem" -out ".\Certs\newwildcardcert.pfx" -name "root"

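You now need to generate a new password, and the file is complete. The .pem files in the Certs folder still hold the private key unencrypted (that is the effect of -nodes), so they should not be left on the server.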
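
The hand-edited wildcard2.pem can be checked for the order described above before it is re-exported. The following Python script is an added example, not part of the original post; it compares raw issuer and subject names only (no signature validation), and its sample bundle is built from constructed stand-in certificates named after the files on this page.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, DER bytes) per PEM block; 'Bag Attributes' text is ignored."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(text):
    """Return a list of problems; an empty list means key + ordered chain to a root."""
    blocks = pem_blocks(text)
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    if not certs:
        return problems + ["no certificates found"]
    names = [issuer_and_subject(der) for der in certs]
    for i in range(len(names) - 1):      # each issuer must be the next subject
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not a self-signed root")
    return problems

# --- Constructed sample input: DER skeletons, not real certificates -------------
def tlv(tag, value):
    return bytes([tag, len(value)]) + value      # short-form length is enough here

def name(cn):
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))  # CN=...
    return tlv(0x30, tlv(0x31, atv))

def fake_cert(subject, issuer):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Stand-in names after the files used on this page, leaf first.
CHAIN = ["*.example.com", "gd_intermediate", "gd_cross_intermediate", "valicert_class2_root"]

def sample_bundle(order=(0, 1, 2, 3)):
    """Build a wildcard2.pem look-alike holding the chosen certificates in order."""
    certs = [fake_cert(CHAIN[i], CHAIN[min(i + 1, 3)]) for i in range(4)]
    text = "Bag Attributes\n" + pem("PRIVATE KEY", b"\x30\x00")
    return text + "".join(pem("CERTIFICATE", certs[i]) for i in order)

if __name__ == "__main__":
    print("correct order:      ", check_bundle(sample_bundle()))
    print("intermediate absent:", check_bundle(sample_bundle((0, 2, 3))))
    print("leaf only:          ", check_bundle(sample_bundle((0,))))
```

To check the real file, pass the text of wildcard2.pem to check_bundle(); an empty list means one private key followed by a chain that links leaf to root in the order pasted.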


You can now copy the newwildcardcert.pfx file to the server \conf folder "C:\Adobe\Adobe LiveCycle ES3\jboss\server\lc_turnkey\conf".

Now we need to navigate to the server.xml found at "C:\Adobe\Adobe LiveCycle ES3\jboss\server\lc_turnkey\deploy\jbossweb.sar" and open the server.xml file in Notepad. We can then modify the SSL connector with the following:

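<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<!-- keystoreFile points at the .pfx copied to \conf above; keystorePass is a
     placeholder for the password set during the export -->
      <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="443" address="${jboss.bind.address}" URIEncoding="UTF-8"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/newwildcardcert.pfx"
               keystorePass="YOUR_PFX_PASSWORD"
               keystoreType="PKCS12" />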


Save the file and give the JBoss server a restart. Keep an eye on the log, and verify that everything deploys correctly.


After everything is done, we can verify all of our hard work with this handy SSL Verifier.


Adobe has made an important announcement on what appears to be the misuse of an Adobe code signing certificate. Adobe plans to revoke the certificate on October 4 for all software code signed after July 10, 2012. Adobe is in the process of issuing updates signed using a new digital certificate for all affected products.

This revocation does not impact LiveCycle, but the following links contain details and answers to common questions:


The Security Advisory and details on revoked certificates can be found here:

A new version of Adobe Reader for Mobile (10.2) was released on April 10, 2012 that contains some new functionality on mobile platforms.


The following links provide detailed information about it:

Minimum Permissions for LiveCycle Launchpad Users


Some extra permissions are required in order for a LiveCycle Launchpad user to successfully log in and use it.   

Depending on what you will be using in Launchpad, here are the permissions required:

• Application Administrator
• Services User
• Document Upload Application User


3 more roles required, based on usage:

• PDFG user
• LiveCycle Rights Management End User
• LiveCycle Rights Management Policy Set Administrator.

The Future of LiveCycle


Adobe has posted the following blog regarding the future of LiveCycle. It indicates a promising future for the product:




Header subform appearing on previous page


Depending on your renderer version you might run into an issue where a page header is being bumped back to the bottom of the previous page. This is a known issue with version 2.6 of the XFA specification which was fixed in version 2.7. The tricky part is there's no Target Version for version 2.7. If you aren't familiar with Target Version, click on File then open Form Properties and check the Defaults tab.

The easiest solution is simply setting your Target Version to Acro/Reader 9.0 (which uses XFA version 2.8), but this will cause problems for people still running Reader 8.

We did some digging and found an easy way to trick the form into using XFA 2.7 to render the form. Open the XML view of the document and find the following line:


And change it to this:

<?originalXFAVersion v2.7-layout:0?>

After that, you'll want to make sure Keep With is set to Next in the header's pagination settings.

Microsoft Office Rights Management plugin


If you're currently having difficulties running Office after installing the Rights Management plugin, there's a very good chance you also have the Microsoft Office Live plugin installed.

These two plugins simply do not work together, and you'll need to remove one of them until either Microsoft or Adobe fixes the conflict.

Rich text formatting lost when bound to a floating field


We recently encountered an issue when merging XML data into a form.  Specifically, rich text was being properly displayed in the form fields, but we noticed that any floating fields placed in those text fields displayed their value in plain text.

This can be resolved by manually changing the embedMode tag in the form's XML. Click on the object containing the floating field, then open the XML Source view. Inside the object you'll be looking for this:


You'll want to change it to:


As always, if you run into any problems be sure to give us a call!

Moved. Call me The Builder!

I've decided to move my blogs due to a campaign / work persona I decided to start up. I am now The Builder of Tomorrow! And can be found at and @buildrof2morrow on the Twitter. Follow me there! 

Custom tabbing on large forms


A common issue when designing large forms is getting the Custom Tab Order tool to behave properly. There comes a point where it becomes completely unusable.

My recommended workaround is to redesign the form for use with Automatic Tabbing. Take the following example:


Automatic tabbing always goes top/down, left/right. So in order to get the tabbing to work its way down each client section, we just need to wrap them inside their own subforms:


When the Automatic tabbing system encounters a subform it will resolve all items in that subform before continuing.

Now this works for most forms, but what if you wanted the tabbing to go from Client1 to Client3? The answer is more subforms! Selecting the subforms for Client1 and Client3, I wrap them both into yet another subform; I then wrap Client2 and Client4 into their own subform. The result is this:


If you've done all this and you notice your tabbing is still acting oddly, the most common pitfall is accidentally wrapping a cosmetic item (line, rectangle, etc.) into one of your field subforms. This can be resolved by placing any cosmetic items into their own subform.

If you have any questions be sure to give us a call or drop us an e-mail!

Multi-threaded conversions with PDF Generator ES2


We've dealt with a variety of issues relating to multi-threaded conversions and the root cause always seems to be the same: the users were added through the configuration manager. A bug has been logged with Adobe, so this should be gone by the time ADEP releases later this year.

In the meantime we have a simple workaround: add your users through the adminUI instead (

Reader e-mail submit not working with Outlook 2010 64bit


We've received a few reports of Reader not being able to submit e-mail requests to the new Outlook 2010 64-bit. We did some research and found that this is a known issue with Microsoft that is affecting any application that makes 32-bit MAPI requests to the suite.

There is no word on a fix yet, but we do have a workaround you can use in the meantime. It tricks Outlook into using the 32bit MAPI driver already included with the software:

  1. Browse to [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail]
  2. Create a new key called Outlook64Bridge
  3. Right-click Outlook64Bridge and create two keys under it: DLLPath and DLLPathEx
  4. Find the 32 bit version of the file MAPI32.dll and assign the whole qualified pathname to each key, mine were:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Outlook64Bridge\DLLPath - "D:\WINDOWS\system32\mapi32.dll"
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Outlook64Bridge\DLLPathEx - "D:\WINDOWS\system32\mapi32.dll"
  5. Lastly, return to [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail] and change the (Default) value to "Outlook64Bridge" (this sets the default mail client).
  6. Reboot and you're done!
As always, if you have any questions or need help be sure to give us a call or drop us an e-mail!

Taylor's Software and UX Design Lexicon, Volume I

When communicating complex information, simple metaphors can go a long way.

This past week, my lovely wife pointed out that when I talk about complex subjects, I often resort to metaphors and analogies from unrelated areas of life. She said that it serves me well as a communicator because it can simplify otherwise difficult concepts ...and since she is my wife, I must of course agree.

The way I see it, when dealing with a sometimes obscure or confusing subject like software design and development, appealing to abstract, common sense ideas helps highlight the important bits while avoiding getting bogged down in details. There's no reason why I shouldn't be able to explain key software concepts to competent, non-technical people. They might be bored to tears but they should at least be able to understand what I'm talking about. In fact, as a consultant, I consider it a fundamental skill of the trade: if I can't explain to people (i.e. clients) what they're paying for, then why on earth should they be buying it in the first place?

What follows is a very incomplete list of some of the homegrown expressions I use most often when discussing software design. I've long been planning on writing entire articles for some of these (and most likely will at some point) but with my work schedule being as full as it is, here they are for now in a more concise form:

Form Conversion at Off-Shore Rates

It's been a busy couple of weeks at 4Point with the launch of a new offshoot company, FormDriven. We decided to launch FormDriven to handle the quality conversion of forms for our customers at a really competitive rate. 

Off-shore form conversion has often won the day with the customers, with reason. Many of our customers can have thousands of forms to convert and the process is daunting enough without adding the cost of conversion into the mix. Paying our expert consultants to convert forms doesn't make sense. 

Not to mention that our experts are form experts. We need them to be working on complex forms, dynamic and interactive, that require scripting and back-end integration. Not on basic form conversion. 

But our experience (and by extension our customers' experience) with off-shore conversion has not been smooth. Time lags and language barriers are only part of the problem. The other problem is that when converting forms you can run into "line crossing" moments. Where a form may or may not cross the line into complex. Experience and best practices matter at those moments.

As well, forms have to be built with the big picture in mind. What are they being used for? Are they going to be passed over the wall for further integration to a company like 4Point that will be posting them online or adding additional functionality? In those cases a form needs to be built with a big picture vision. Again, something that experience and best practices can give.

To address these issues and ensure the smooth conversion and long-term functionality of our customers' forms we've introduced FormDriven. It'll handle the basic form conversion under the watchful eye of 4Point experts. If they hit a wall, have a question, or need some insight into best practices, the 4Point team is but a phone call away.

Our goal is to give our customers a great experience. And we believe that FormDriven will help with that. Our customers can get great rates for form conversion confident that it's all taking place under the umbrella of the 4Point team.

Check out the FormDriven site to get a sense of the company and what forms they will be converting. We're proud of our "little sister" company. Welcome FormDriven! 

New Name for Adobe LiveCycle Enterprise Software and CRX


Adobe LiveCycle and CRX's name will be changed to Adobe Digital Enterprise Platform for the next release of the product. 

More here:

The following is an FAQ that may have some answers to your questions:

The Science of New Marketing - Really

I wrote a new blog posting. I did. But it was "stolen" by an Adobe gremlin and posted on their site. So here's the link: The Science of New Marketing. Enjoy.

Configuring Acrobat, after PDF Generator is installed


If you have PDF Generator already installed without Acrobat, and you decide to install Acrobat at a later date, you will need to install Acrobat on the LiveCycle server, and then run the following steps in order to configure it to run with PDF Generator:


1.  Run the PDFG configuration utility that comes with the LiveCycle installation. You'll find it at:

 [LC Install Folder]\pdfg_config\Acrobat_for_PDFG_Configuration.bat
2.  Double-check that the Acrobat environment variables were actually added (the batch file should have added them).
3.  Once all of this is done, re-run the configuration manager, but select only the option to configure the installed LiveCycle components; do not select Content Services if you do not wish to have it installed.


At this point Acrobat should be fully configured with PDF Generator.

Cold Marketing has a certain allure, but.....

Your customers want you to turn up the heat. 

What is "cold marketing"? That's the new fixation on analytics and targeted marketing. Not that there's anything wrong with that. It's great to be able to pull analytics, review what your customers are looking at, what they've bought, what they're interested in. And then use that to offer up dynamic and targeted messages. I personally love analytics and have a slight addiction to tracking pages, content, time on the site, etc. So I'm all about that. BUT....

We can't forget the beauty and joy behind basic human interactions and finding something unexpected and new. And as marketers we have to remember to offer these things to our customers as well. We have to remember to do warm marketing....

LiveCycle ES2 Performance Tuning Guide

Tuning the performance of Adobe LiveCycle can be a daunting task. Adobe's Joel Lucuik has published a guide here.

Delays when retrieving documents or opening rights enabled documents


There are of course many things that could cause this issue, but I would like to bring up an interesting case I encountered. The system was running ES2 on JBoss/MySQL. The issue presented itself as rights enabled documents taking 30-40 seconds to open. Upon examining the logs we found several recurring errors, the following being the most noteworthy:

WARN  [org.jboss.resource.connectionmanager.TxConnectionManager] Connection error occured: org.jboss.resource.connectionmanager.TxConnectionManager$TxConnectionEventListener@178c7cf[state=NORMAL mc=org.jboss.resource.adapter.jdbc.local.LocalManagedConnection@1b9c3be handles=0 .....

The last packet successfully received from the server was XXXXX milliseconds ago.  The last packet sent successfully to the server was 0 milliseconds ago.


When we restarted the server, the logs were clean for 10 minutes or so when connection errors started appearing at increasing rates. This of course pointed to a database connectivity issue, but the connectors appeared to be in good order, and more importantly, we were able to log in to the adminUI with no delays. We then disabled security software, reviewed permissions and redeployed all components to JBoss, yet the issue persisted.

Upon closer inspection of the client's MySQL installation I found that several .ini files were missing.  How these files went missing aside, my expectation is that MySQL would fail to start in such a scenario (which would have generated very different errors). Based on this, it would be safe to assume that this error could also be caused by damaged/corrupted .ini files.

From there it was just a matter of backing up the client's tables through the command prompt, reinstalling, and then restoring the tables.

Workbench unable to open XDC files

We recently discovered that Workbench 9.5 was shipped with a faulty XDC editor. The issue has been addressed and a hotfix is now available for Workbench.

If you're experiencing this issue and on 4Point Support be sure to give us a call and we'll make the hotfix available to you.

We have a new hotfix available from Adobe. This one addresses an issue when running a query against a database using the JDBC component in Workbench/LiveCycle 9.5. If any of the returned values are null, the component will return a null pointer exception (java.lang.NullPointerException) instead of simply returning blank values. The hotfix installs easily into Workbench 9.5.

If you're currently experiencing this issue (and on a maintenance and support plan) just give us a call and we'll make the hotfix available to you.

Unable to add PDFG user accounts


When attempting to add a new user in adminui -> services -> LiveCycle PDF Generator ES2 -> User Accounts, the following error results:

ALC-PDG-030-003-User account information for user pdfg1 is not valid for the machine......

The system.log shows this:


ERROR [STDERROR] : sorry, you must have a TTY to run sudo

The reason for this is that a sudo update along the way locked it down further by adding the line below to the /etc/sudoers configuration file:

Defaults requiretty

To allow a remote script to log in and run a command via sudo, simply comment out that line as shown below:

# Commented out so remote script can login and run a command without a tty
# Defaults requiretty

1. Create a new keystore using the same name and password as the existing one running on the system (note: CN, the user's first and last name, must be the URL for which the keystore is being created):


keytool -genkey -keyalg RSA -alias tomcat -keystore <keystore_name>.keystore


2. Create a certificate request (CSR):


keytool -certreq -alias tomcat -keyalg RSA -file <cert_request_name>.csr -keystore <keystore_name>.keystore


3. Send the CSR to a CA and in return you will receive the CA's root cert path and the cert for your URL.


4. Import into the keystore the CA's root cert (for the certification path):


keytool -import -file <CA_cert>.crt -keystore <keystore_name>.keystore


5. Import into the keystore the cert that the CA generated in response to the CSR:


keytool -import -alias tomcat -trustcacerts -file <new_cert_from_CA>.crt -keystore <keystore_name>.keystore


6. Copy the resulting keystore into jboss/server/all/conf


7. Modify the server.xml by adding the name of and password for the keystore. In your server.xml file, the keystoreFile and keystorePass should look something like the following:


keystoreFile="${jboss.server.home.dir}/conf/lces-ssl.jks"      keystorePass="password"



8. Restart JBoss.

Adobe has announced that effective November 30th 2011 they will be discontinuing the free migration that enables Adobe Central Pro Output Server clients (the product was formerly called JetForm Central Pro) to migrate their licenses to Adobe LiveCycle Output ES2.

Clients using Central Pro should contact us at if they have any questions about the migration.  There are also lots of resources on the web that discuss the migration, including:

Social Media is Not a New Form of Marketing Collateral

Just finished reading some articles on Razorfish's recent Liminal report. I'm about to read through the report itself (and I'm sure I'll have something to say about that too), but for now, I've got something to say about the coverage and a long-standing opinion of mine.

In particular, MediaPost's article entitled: "Razorfish: Facebook, Twitter Don't Make Customers Feel Valued" starts off with the sentence: "While marketers have flocked to social platforms like Facebook and Twitter, consumers still don't view them as important ways to engage with the brand...." and goes on to state that most people still prefer to engage via email, word-of-mouth, or websites. Stating that the reason for that is because that's where the value is.

Great. I agree. Customers want value. So what's the big irritation for me? That we're surprised (as marketers, as businesses) when we treat social media as a big piece of collateral and then don't get results. Hello? When has yet another piece of collateral ever delivered results? That social media EVER was seen as a piece of marketing collateral is frustrating but perhaps not so surprising. 

Collateral has become king in organizations as a way of communicating what a company offers, static websites continued this trend as they are also just one big brochure.

But social media and online interactions have changed the game. And we've taken an old response (marketing collateral) and used it to address a new medium (it worked for  

But, as Ben Watson's post "Consumers don't want to engage with brands on Facebook and Twitter" points out: 
My take on this is that social media engagement itself has to have a reason....
No kidding. It's not a touchpoint in a campaign, it is not another piece of collateral. Watson goes on to state:

Treating it as an experiment or side project makes it even harder to integrate down the road. We need to accept and embrace that we live in a multi-channel world and a multi-screen universe and that each one has strengths and weaknesses, but more importantly that each one needs to be able to 'see' the other.

Yeah Watson! Exactly again. We've got options here: interactivity, multi-channel chaos. It's fun. Finally being online is not a static store it's the body and soul of your store. This is good news. Embrace it. 

Social media is part of who you are as a business. It is a way for your customers to know you and you to help them when and if they need it. It is no different from a customer opening up your door and walking in to your bricks and mortar store. You say hello. You ask them how you can help. Do they want information? Find it for them (and please let it be as clear and simple as possible). Do they need help? Help them. If they say they're just looking. You let them look. AND you let them leave when they want. You never just shove marketing collateral at them over and over again. Over time you'll get to know the regulars, what they like, what they need. You'll reward your loyal customers. Maybe kick a couple to the curb. That's business.

We've let marketing collateral and a static relationship become how online businesses communicate with customers. But times have changed. It's no longer a face-less static relationship. Technology has opened the door. 

We're back to the beginnings. Where people walked into our stores and talked to us. We've got to stop being afraid of talking back.

Override Submit Buttons In LC Workspace

Let's say you have a PDF form in LC ES2 Workspace that is part of some process. When opening the form in Workspace, there is automatic scripting in the form (FormBridge) that places the Submit buttons inside the wrapper of the form and outside of your form's control. Now let's say you wanted to have control over these buttons?

Sony Hearts Robots, Boosts Android

If software makes a platform, Sony has just raised the fortunes of Android with the announcement of the PlayStation Suite.

The internet is abuzz over Sony's announcement that they are bringing a whole new PlayStation-branded gaming store to the Android platform. This new functionality will be branded the "PlayStation Suite" and will be available to phones running Android 2.3 (aka "Gingerbread"). The Suite will include emulated PlayStation One games to start and will eventually feature new titles built expressly for the platform.

As you may be aware, the hype meter has recently been cranked up to overload over the anticipated release of the PlayStation phone. This unforeseen announcement is arguably even bigger news than expected. While Sony-Ericsson will indeed be launching an Xperia-branded "gaming" Android phone that includes a D-pad, etc., thanks to the PS Suite, every Android 2.3 phone can now in effect be considered a "PlayStation Phone".

Now that's news.

What about us "serious" developers?

Before I answer that question, let's take a little history lesson.

Why We Do The Things We Do

Clients commonly ask support why they need to confirm things like their application version or a wide variety of other environmental details whenever a case is opened.  I can understand why someone might be frustrated when they open a case with support and are requested to provide information that they had provided just a few weeks before when opening their last case, so why do we ask?

There is a very straightforward reason we ask for this information each time someone opens a case, and that is to ensure everyone is on the same page.  A great deal can change in a few weeks, or even a few days, and heading down the wrong path because a support consultant is out of sync with a client's environment is in nobody's best interest.  We want to ensure that when a support case is opened it is resolved as quickly as possible.  Making sure that everyone has a clear understanding of the application and environment is an important first step.
This week we ran into an issue with a client who is using Safari on a Mac running OS X 10.6 as his desktop client when accessing Adobe LiveCycle.  This particular issue resulted in the client not being able to properly render dynamic interactive forms as part of a process.

As it turns out there are some limitations when using either Adobe LiveCycle ES or ES2 in Safari.  In particular you must run Safari 3.x or 4.x in 32-bit mode when using LiveCycle Workspace.  To change Safari to 32-bit mode perform the following steps:
  1. Open the application folder
  2. Select the 'Safari' icon
  3. Select 'Get Info'
  4. Check 'Open in 32-bit mode'