Rtorrent certificate permissions

Dear Archers,
I need your knowledge and your help:
I changed my torrent client from Transmission (GUI) to rtorrent (CLI) and I have a problem with the certificate (/etc/ssl/certs/) permission access by rtorrent.
With the same tracker (requesting https/ssl connection) I had no problem with Transmission.
But when running rtorrent as a normal user, I get this error:
Tracker : Problem with the SSL CA cert (path? access rights?
So atm I run rtorrent as root and everything is fine.
I tried chmod 777 /etc/ssl/certs
It didn't work.
Has anyone of you encountered this problem?
How can I solve it?
Thank you for your time.
Regards,
~ktr
Last edited by Kooothor (2010-10-22 15:59:52)

check this:
https://wiki.archlinux.org/index.php/Rt … ional_Tips
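A check worth running before loosening anything, added here as an example and not part of the thread, of rtorrent or of the wiki page linked above: the quoted message is libcurl's CURLE_SSL_CACERT_BADFILE text (rtorrent talks to trackers through libcurl), so the real question is which CA path libcurl was handed and whether the account that starts rtorrent can traverse and read it. The script below checks a CA directory for access and for the world-writable bit (a 777 CA store lets any local user add a trusted root, which is why chmod 777 is the wrong fix even on the occasions it works) and reads the http_capath / http_cacert setting from an .rtorrent.rc. The defaults /etc/ssl/certs and ~/.rtorrent.rc, the report function and the file layout it assumes are choices of this example, not facts from the post.

```shell
#!/bin/sh
# Added example: find out whether the CA store rtorrent (via libcurl) is told
# to use is reachable by the user running it, and what .rtorrent.rc says.
# Assumed defaults: CA store /etc/ssl/certs, config ~/.rtorrent.rc.

# ca_dir_check DIR -> one finding per line; 0 if the current user can list
# DIR and read every cert in it and DIR is not world-writable, else 1.
ca_dir_check() {
    dir=$1; rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING    $dir"; return 1
    fi
    # The directory needs x (search) and r (enumerate) for this user; test(1)
    # uses access(2), so a parent directory without x also fails here.
    if [ ! -x "$dir" ] || [ ! -r "$dir" ]; then
        echo "NOACCESS   $dir (user $(id -un 2>/dev/null || id -u))"; return 1
    fi
    # 9th character of the ls mode string is other-write: a 777 CA store
    # lets any local user install a trusted root. Report it, never create it.
    case "$(ls -ld "$dir")" in
        ????????w*) echo "WRITABLE   $dir is world-writable"; rc=1 ;;
    esac
    n=0
    for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.0; do
        [ -e "$f" ] || continue          # unmatched glob stays literal
        n=$((n + 1))
        # Entries under /etc/ssl/certs are usually symlinks; -r follows them.
        [ -r "$f" ] || { echo "UNREADABLE $f"; rc=1; }
    done
    [ "$n" -eq 0 ] && { echo "EMPTY      $dir has no .pem/.crt/.0 entries"; rc=1; }
    return $rc
}

# rtorrent_rc_ca RCFILE -> prints the CA path or bundle file named in the
# config, or "unset". Recognises the old option names (http_capath,
# http_cacert) and the 0.9 command form (network.http.capath.set / cacert.set).
rtorrent_rc_ca() {
    [ -r "$1" ] || { echo unset; return 1; }
    val=$(sed -n -E \
        's/^[[:space:]]*(http_capath|http_cacert|network\.http\.(capath|cacert)\.set)[[:space:]]*=[[:space:]]*//p' \
        "$1" | head -n 1)
    if [ -n "$val" ]; then echo "$val"; return 0; fi
    echo unset; return 1
}

# report RCFILE CADIR -> prefer the path the config names (that is what
# libcurl will open), fall back to CADIR.
report() {
    rcfile=$1; cadir=$2
    setting=$(rtorrent_rc_ca "$rcfile") || true
    echo "rtorrent CA setting in $rcfile: $setting"
    if [ "$setting" != unset ] && [ -f "$setting" ]; then
        # http_cacert names a single bundle file; readability is all that matters
        [ -r "$setting" ] && { echo "OK         $setting readable"; return 0; }
        echo "UNREADABLE $setting"; return 1
    fi
    [ "$setting" != unset ] && [ -d "$setting" ] && cadir=$setting
    if ca_dir_check "$cadir"; then
        echo "OK         $cadir usable; set http_capath = $cadir if not already"
    else
        echo "FIX        point http_capath/http_cacert at a readable store; do not chmod 777"
        return 1
    fi
}

# Run directly: sh ca_check.sh [RCFILE] [CADIR]   (run as the rtorrent user)
case "$0" in
    *ca_check.sh) report "${1:-$HOME/.rtorrent.rc}" "${2:-/etc/ssl/certs}" ;;
esac
```

Run it as the rtorrent user, not as root: root passes every -r and -x test, so the access findings only mean something for the account that actually starts the client. If the directory checks out, the fix belongs in .rtorrent.rc (http_capath for a directory, http_cacert for one bundle file), not in the permissions under /etc/ssl.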

Similar Messages

  • Postgresql SSL Certificate Configuration

    I've installed PostgreSQL on Arch Linux & also self generated self signed certificates in /etc/ssl/ directory. My PostgreSQL 'data' directory is /var/lib/postgres/data & I've edited my postgresql.conf file to use SSL however I'm having permission / access problems starting my database using SSL. It can't access the certificates and errors out when I try and start the database engine:
    LOG: autovacuum launcher shutting down
    LOG: shutting down
    LOG: database system is shut down
    FATAL: could not load server certificate file "server.crt": No such file or directory
    FATAL: private key file "server.key" has group or world access
    DETAIL: Permissions should be u=rw (0600) or less.
    FATAL: could not access private key file "server.key": Permission denied
    FATAL: could not access private key file "server.key": Permission denied
    FATAL: could not access private key file "server.key": Permission denied
    FATAL: could not load private key file "server.key": Permission denied
    My /etc/ssl permissions are as follows:
    [root@ghost ssl]# ls -l
    total 28
    drwxr-xr-x 2 root root 4096 Apr 18 22:28 certs
    drwxr-xr-x 2 root root 4096 Feb 8 13:58 misc
    -rw-r--r-- 1 root root 10819 Feb 8 13:58 openssl.cnf
    drwxr-xr-x 2 root root 4096 Apr 18 22:28 private
    -rw-r--r-- 1 root root 1813 Apr 18 22:27 server.csr
    The individual certificate permissions are as follows:
    [root@ghost ssl]# ls -l certs/server.crt
    -rw-r--r-- 1 root root 2126 Apr 18 22:27 certs/server.crt
    [root@ghost ssl]# ls -l private/server.key
    -rw------- 1 root root 3311 Apr 18 22:25 private/server.key
    I don't know what I need to chown or chmod in order to get PostgreSQL to access my self signed certificates. If anyone could please help me out, I would greatly appreciate it.

    FATAL: could not load server certificate file "server.crt": No such file or directory
    FATAL: private key file "server.key" has group or world access
    DETAIL: Permissions should be u=rw (0600) or less.
    FATAL: could not access private key file "server.key": Permission denied
    FATAL: could not access private key file "server.key": Permission denied
    FATAL: could not access private key file "server.key": Permission denied
    FATAL: could not load private key file "server.key": Permission denied
    IME, postgres is hard-coded to look for server.{key,crt} in its data directory, and it needs to be owned by the unpriv'ed user:
    /srv/pgData-8.4 # ll server*
    -rw------- 1 postgres postgres 1.5K Jul 13 2010 server.crt
    -rw------- 1 postgres postgres 887 Jul 13 2010 server.key
    -rw------- 1 postgres postgres 700 Jul 13 2010 server.req
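The reply's point, that PostgreSQL loads server.crt and server.key from the data directory and refuses a key that anyone but its owner can read, is easy to get wrong by hand, so here is an added example (not from the thread and not PostgreSQL's own tooling) that copies the files into PGDATA, sets the mode the FATAL message asks for, and re-checks the result the way the server does. The check encodes the 0600-or-tighter rule from the error above and, as a fact about later releases (9.6 and newer), also accepts a root-owned key with mode 0640; PGDATA, the service account name and the source paths are parameters of the example, and the files in the test are constructed.

```shell
#!/bin/sh
# Added example: put server.crt/server.key where PostgreSQL looks for them
# (its data directory) and verify the ownership/mode rule behind
# "private key file ... has group or world access".
# Assumed parameters: PGDATA path, the account postgres runs as, source files.

# key_mode_ok FILE OWNER -> 0 if FILE is a regular file owned by OWNER with no
# group/other bits (0600 or tighter), or owned by root with group read only
# (0640, accepted by PostgreSQL 9.6 and later). 1 otherwise.
key_mode_ok() {
    f=$1; want=$2
    [ -f "$f" ] || return 1
    # ls -l is portable where stat(1) flags differ: field 1 mode, field 3 owner.
    set -- $(ls -ld "$f")
    mode=$1; owner=$3
    case "$mode" in
        -???------*) [ "$owner" = "$want" ] ;;   # owner bits any, g=---, o=---
        -???r-----*) [ "$owner" = "root" ] ;;    # root-owned 0640
        *) return 1 ;;
    esac
}

# pg_tls_check PGDATA OWNER -> reports each file; 0 only if both exist and the
# key passes key_mode_ok. server.crt has no mode rule but must be present.
pg_tls_check() {
    data=$1; want=$2; rc=0
    for name in server.crt server.key; do
        p=$data/$name
        if [ ! -f "$p" ]; then
            echo "MISSING  $p"          # the first FATAL in the thread
            rc=1
        fi
    done
    if [ -f "$data/server.key" ]; then
        if key_mode_ok "$data/server.key" "$want"; then
            echo "OK       $data/server.key owner/mode acceptable"
        else
            echo "BADMODE  $data/server.key must be $want-owned 0600 (or root-owned 0640)"
            rc=1
        fi
    fi
    return $rc
}

# install_pg_tls SRC_CRT SRC_KEY PGDATA OWNER -> copy, chmod, chown (when run
# as root), then re-check. Returns the check's status.
install_pg_tls() {
    crt=$1; key=$2; data=$3; want=$4
    cp "$crt" "$data/server.crt" && cp "$key" "$data/server.key" || return 1
    chmod 0600 "$data/server.crt" "$data/server.key" || return 1
    # Only root can hand the files to the service account; when run as that
    # account the copies are already owned correctly.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$want" "$data/server.crt" "$data/server.key" || return 1
    fi
    pg_tls_check "$data" "$want"
}

# Run directly, e.g.:
#   sh pg_tls.sh /etc/ssl/certs/server.crt /etc/ssl/private/server.key /var/lib/postgres/data postgres
case "$0" in
    *pg_tls.sh) install_pg_tls "$1" "$2" "$3" "$4" ;;
esac
```

Leaving the originals under /etc/ssl is fine for the certificate, but the private key should not stay world-readable anywhere; the copy in PGDATA is the one the server reads, and postgresql.conf needs ssl = on for it to be loaded at all.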

  • Deploying user certificates to all users

    I need to deploy user certificates to all my employees. It will save me from sending them an email to load up mmc, click on certificates and then go down to user>personal and right click and request user certificate.
    I checked the user certificate permissions and domain users has enroll and read as allowed. There is no auto enroll. I then created a group policy under user configuration>Windows Settings> Security Settings>Public Key Policies.
    Under public key policies, I enabled the certificate services client - certificate enrollment policy and checked the box for active directory enrollment. I then clicked on Certificate services client - auto enrollment and enabled it, checking the boxes to update certificates that use cert templates and renew expired certificates.
    Next I applied the GPO on the root of the domain using authenticated users for security group on the GPO so all users get it. Since I have pushed it, when I check all systems using MMC > certificates no one has a user certificate. Can someone explain why this is not working?

    Hi,
    >>I am using windows server 2008 R2. Should I see an autoenroll permission for this user template?
    As far as I know, to enable autoenrollment, users should be granted Read, Enroll, and Autoenroll permissions.
    Regarding how to configure certificate enrollment, the following articles can be referred to as reference.
    Configure Certificate Autoenrollment
    http://technet.microsoft.com/en-us/library/cc731522.aspx
    Issuing Certificates Based on Certificate Templates
    http://technet.microsoft.com/en-us/library/Cc753452.aspx
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen

  • Best Practice to troubleshoot a Crawler Issue after SQL Server restarts

    Hi Everyone
    I am after some general advice or a suggested place to start when troubleshooting crawler issues after an unplanned, out-of-sequence server restart.
    Specifically, the SQL Database in the SharePoint 2010 farm. Better yet, is there a standard practice way of resolving such issues?
    So far articles I have found suggest options from reviewing the crawl logs, creating a new crawl component, right through to using fiddler to monitor the crawler.
    Are these sufficient places to start / methodologies to follow, what else should be considered?
    Any advice greatly appreciated.
    Thanks,
    Mike

    Well, as I said before, there are lots of different potential issues & resolutions for crawlers. It really depends on the issue. I would say that the base troubleshooting steps start the same no matter which service/feature you are looking at. So, I'll try to keep this sort of generic, but beyond finding the details of the problem, the SOP or process will vary greatly based on what the error is. I hope this helps, and sorry if it's not specific enough.
    1 - check the ULS logs
    2 - check the windows application logs
    3 - verify related services are running (get-spserviceinstance), possibly stop/start them to reprovision the instance on the affected server
    4 - clear the config cache (this alone will clear about 30% of your basic problems)
    6 - verify disk space & resource consumption on affected server (& SQL, SQL is always the potential to be the true "affected" server)
    7 - iisreset
    8 - verify connectivity between all servers in the farm and SP
    9 - verify required features activated
    10- check if any changes were made to environment recently (new hardware, updates to OS or apps, updates to GPOs, new solutions, etc)
    11- check if the issue is reproducible in another environment (only reliable if this is a similar environment, i.e. same patch level test farm or dr farm). See if it occurs in other site collections within the web app, different web apps, different servers/browsers, etc., basically just try to nail down the scope of the problem
    There is a whole slew of things you could check, from verifying certificates & perms, to rerunning psconfig, to checking registry keys; again I go back to "it depends". Hopefully this can get you started though. In the end ULS is where all the real info on the issue is going to be, so make sure you check there. Don't go in with tunnel vision either. If you see other errors in ULS, check them out, they may or may not be related; SharePoint is an intricate product with way more moving parts than most systems. Fix the little quick ones that you know you can handle, this will help to keep the farm clean and healthy, as well as crossing them off the list of potential suspects for your root cause.
    Christopher Webb | MCM: SharePoint 2010 | MCSM: SharePoint Charter | MCT | http://christophermichaelwebb.com

  • Is there any wireless provider without problems?

    Hello!
    I am currently developing some applications for cell phones and found out that there are a lot of forbidden things. I am not able to send an SMS message with a T-Mobile + Samsung phone, or even connect to a web site with Verizon + Motorola etc...
    Is there any wireless provider who allows developers to do that without $400 "certificate permissions"?
    If any of you are writing code using Bluetooth/Internet/SMS, please tell me what provider you have or how you do it.
    Thank you!
    P.S. I do not need code, I know how to do it, I'm just tired of SecurityExceptions... :(

    This is the problem. Signing MIDlets is not cheap. I do not have $400 for my own projects. And after all of that a lot of functionality is still locked. It really depends on (wireless provider) + (phone brand).
    I know about that:
    http://www.spindriftpages.net/pebble/dave/2005/06/20/1119275880301.html
    but is it all networks like that or only Cingular?

  • Erreur OpenConnection : 0x80070005 - CCertView::OpenConnection: Access denied. 0x80070005 (WIN32: 5)

    Hi,
    I am trying to make a webservice work on my ADCS. The aim of the script is to automate revocation of a certificate (the CN of the certificate is given in parameter).
    I am facing the following error when calling my webservice:
    Erreur OpenConnection : 0x80070005 -> CCertView::OpenConnection: Access denied. 0x80070005 (WIN32: 5)
    My guess is, here is the line that triggers the error:
    CertView.OpenConnection( strCAConf )
    The script is published through an ASP application in IIS. The application runs with a domain account. It is based on the following method:
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa385432%28v=vs.85%29.aspx
    Do you know what kind of right and where it needs to be applied in order to make this piece of code work?
    Thank you so much.
    Regards,
    Alexandre

    Hi Alexandre,
    I am not sure what permissions the OpenConnection command requires; you may need to refer to the MSDN forums to get an accurate answer.
    Microsoft Developer Network Forums
    https://social.msdn.microsoft.com/Forums/en-US/home?category=vslanguages&filter=alltypes&sort=lastpostdesc
    However, revoking certificates requires Issue and Manage Certificates permissions. I suggest you assign Issue and Manage Certificates permissions to the domain account, then try to run the script. If it doesn't work, try using a domain admin account to test.
    More information for you:
    Windows Server 2003 PKI and Role-Based Administration
    https://technet.microsoft.com/en-us/library/cc739182%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]

  • "No certificate templates could be found. You do not have permissions to request a certificate from this CA..

    or an error occurred while accessing Active Directory."
    When I set up the subordinate CA where I am seeing this error message (when attempting to make a request via the web interface for a Linux client - Group Policy not possible here) I opted to not "Load Default Templates".
    Just FYI, PKI View shows "OK" for everything.
    Permissions on the template are Read and Enroll for Authenticated Users.
    Issuance Requirements are "CA certificate manager approval" (checked) - nothing else checked. "Same criteria for enrollment".
    Have I googled?
    That's just the problem. I've seen plenty of hits where people say "I've solved it this way and I've solved it that way".
    What is the (MS) recommended method to solve this problem?
    I'm concerned some solutions might be the equivalent of disabling CRL checks to resolve CRL problems - something where the solution is worse than the problem.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    OK. This is the problem. When I duplicated the web server template, I had the choice of Windows Server 2003 or 2008 (Enterprise).
    I selected 2008 (OK, in the screenshot 2003 is selected - by default).
    Windows 2008 based templates (v3) do not work with web enrollment.
    https://technet.microsoft.com/en-us/library/cc732517(WS.10).aspx
    Absolutely none of the other solutions will help if you make this choice:
    - no adjustments of IE settings will help (if you thought it was "something" with your browser).
    - It does not matter if the Windows Authentication provider is set to NTLM or Negotiate first.
    - Application Pool identity can be ApplicationPoolIdentity or Network service.
    - You can enable or disable Anonymous Authentication.
    If you decide to select a v3 template, forget about using web enrollment.
    You will spend hours t-shooting.
    It will not work.
    IMPORTANT EDIT
    Having tried this on a second CA, it seems that you might have to change the NTLM and App Pool settings.
    I simply duplicated a template (2003) and thought I was all set.
    Not at all.
    I had to play with the Provider priority (put NTLM above negotiate) and use "Network Service" for the Default App Pool identity.
    Then it finally worked.
    Yes, an iisreset /noforce after each change.
    I'm not sure why this is so complicated.
    Maybe someone from Microsoft could explain what is going on here.
    This is documented nowhere. You have to proceed by trial and error until you get the right combination.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  • Permissions with problem when encrypting pdf with certificate

    I am using the following javascript code to encrypt a pdf using a certificate:
        // Acrobat JavaScript: recipient permissions, everything denied
        var thePermissions = {
            allowAll: false,
            allowAccessibility: false,
            allowContentExtraction: false,
            allowChanges: "none",
            allowPrinting: "none"
        };
        // Load the recipient's public certificate from disk
        var theCertificate = security.importFromFile("Certificate", "/c/user.cer");
        var theUserEntity = {
            firstName: "The",
            lastName: "User",
            fullName: "The User",
            certificates: theCertificate,
            defaultEncryptCert: theCertificate
        };
        var theGroup = { userEntities: [ theUserEntity ], permissions: thePermissions };
        encryptForRecipients({ oGroups: [ theGroup ] });
        saveAs("encrypted.pdf");
    The resulting file "encrypted.pdf" is in fact encrypted, but the permissions don't seem to be correct. For instance, the Document Properties show that there are no document restrictions (DocumentProperties.PNG), but when the details are shown, it seems that the correct restrictions apply (DocumentSecurity.PNG). As can be seen in the permissions variable, there should be no permissions on the generated pdf. Can someone possibly help me with this?
    Additional info: there should be no human interaction in the process, the certificate is not fixed (preventing the use of encryptUsingPolicy), and will be selected based on the file name of the original pdf.

    Hi Leonard,
    I see the same thing executing the script from the JavaScript console. There is a slight wrinkle in the steps to reproduce. Even if everything worked as it's supposed to, you would still need to close and then reopen the file in order to get the perm restrictions to take effect. This is because when you initially encrypt the file you are still the document owner, and thus none of the perms have yet taken effect. However, once you do close and then reopen the file (thus forcing an authentication), the file should open with the perms being enforced, but alas, they are not.
    Interestingly, if you go into the Document Properties and then select the Security tab (or just click the Permissions Details button in the DMB) you see that the Restriction Summary shows that everything is allowed, but when you click the Show Details button, which just displays the restrictions applicable to the encryption handler, it shows the correct settings. Of course the real bug isn't that the restriction summary is incorrect, but rather that it is correct and all of the supposedly restricted operations are allowable.
    I'll enter this as a bug against 10 along with the ER to add the encryption algorithm as an option to the encryptForRecipients JS function.
    Steve

  • EFS: Access denied even with appropriate certificate and permissions

    I imported the certificate from the server computer to the workstation computer several days ago. So far, every morning the workstation computer is unable to access the server's encrypted file for a period of about 1 hour (saying "Unable to open this file. Access denied"). All the folders can be opened, moved and renamed. After persistently attempting to access it and after verifying the thumbprints match between file and certificate, it is able to open the file.
    There seems to be a delay between logging in to the workstation computer and the effectiveness of the certificate. 
    I am new to EFS and would love any help you can give me.

    Hi,
    Did this issue occur only on these EFS files or on all files on the server? What's the result when you attempt to access other files which are not encrypted?
    Meanwhile, please use Network Monitor to trace the network activity:
    Network Monitor
    http://technet.microsoft.com/en-us/library/cc938655.aspx
    Karen Hu
    TechNet Community Support

  • Disable Certificate Check on https sites permanently

    Hi,
    please help me with this. I need to disable all the certificate checks when opening an SSL/HTTPS site. Even when I allow the sites and save the certificate information and stuff, it still asks me again after a few days.
    (Please don't give me security advice, it's a special PC that only has access to internal websites which I trust)
    Thanks!

    Which security software (firewall, anti-virus) do you have?
    Some firewalls monitor secure (https) connections and send their own certificate instead of the website's certificate.
    If you have ESET then see:
    *[[/questions/790114]]
    *ESET setup -> advanced setup -> extend web and email tree -> SSL
    *SSL protocol: Do not scan SSL protocol
    You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
    * Click the link at the bottom of the error page: "I Understand the Risks"
    Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
    * Click the "View..." button and inspect the certificate and check who is the issuer.
    You can see more Details like intermediate certificates that are used in the Details pane.

  • How to use one certificate for two directory servers?

    Hi,
    running Sun DSEE 6.3.1 on two servers, server 1 has name ds1.example.com, server 2 has name ds2.example.com. There is a round robin DNS record ds.example.com, which alternates between:
    ds1.example.com
    ds2.example.com
    and
    ds2.example.com
    ds1.example.com
    An LDAP client connects to one of the servers over SSL using the name ds.example.com. We want to generate a certificate using the name ds.example.com and use it on both directory servers.
    If we generate a CSR using DSCC on server 1 and get back a signed certificate, the certificate can be installed correctly on server 1. However, if we use the same signed certificate on server 2 it fails with error:
    Unable to find private key for this certificate.
    Failed to add the certificate.
    Error executing the operation. The error code is 11.
    What is the correct way to generate one CSR, have it signed by a CA and then implement this signed certificate on multiple servers?
    /rolf

    From one Directory Server (ds1) generate a CSR with the name ds.example.com in the request. Once you get the signed cert, import it into the same server you generated the CSR with. Then from ds1.example.com:
    scp -p <slapd install/instance path>/alias/* <account>@ds2.example.com:<slapd install/instance path>/alias/
    to copy the contents of the alias path to the same location on the other Directory Server. Make sure file permissions are the same.

  • SSTP VPN fails with Error 0x80092013 when certificate is issued by an Enterprise CA

    I have spent several days trying to configure an SSTP VPN in an environment with a 2008R2 Enterprise CA server without much luck. I have been using the example found at http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx which works very well as long as you configure the CA Extensions tab with an http CRL Distribution point that is included in the CRLs and CDP extension of issued certificates and is available to the client prior to VPN connection.
    Basically my lab environment is as follows:
    Separate 2008R2 domain controller, single 2008R2 Enterprise CA / RRAS server with one nic. I know the instructions that I mentioned above use an RRAS server with 2 nics but I don't want my RRAS server serving as a router. I have an external hardware firewall that port forwards port 443 to my single nic in my RRAS server and this entire configuration works fine as long as I am using a standard CA configuration. The RRAS was configured using the custom option and only VPN was chosen. Since my RRAS server is behind a NAT router, the dns name my external client uses to connect is different than the internal name of my RRAS server.
    In the example above, a Windows 2008R2 CA server is configured as a standalone non-enterprise root CA. As long as I stick with a standard CA, I have no problem and everything works.
    My problem is that if I configure my Windows Server 2008R2 Enterprise server as an Enterprise Root CA, My Windows 7 client always gets an "Error 0x80092013 The revocation function was unable to check revocation because the revocation server was offline."
    I'm not certain, but I think the problem is with the way that I request the certificate for my RRAS server. When I configure a standalone standard root CA and use the web enrollment page and use an Advanced Certificate Request, I get a page that I can use to fill out the external dns name that I use to connect to SSTP, choose a Server Authentication Certificate, choose to mark keys as exportable and submit my request. Once I install this key in the Certificates (local computer) / Personal / Certificates store, everything works and my client can connect as long as I have installed the root CA certificate on my client.
    When I install my CA as an Enterprise Root CA server, everything changes. I no longer have the same options to install a custom certificate. Instead of getting the same page as I do with a standard CA, I get my choice of Certificate Templates. Prior to this, I have duplicated the Computer template in the CA authority and configured the subject name to "supply in request" and configured my CA to issue it. I have tried issuing my RRAS SSTP certificate using the web enrollment and I have also tried using the certificates plugins in mmc to request custom certificates and tried using an alternative subject name, filling out the DNS option with my external dns name.
    When it is all said and done, I end up with an RRAS SSTP certificate that has CRL Distribution Points defined as URL=http://www.mywebsite/CertEnroll/myCA.crl and it is available to my client or anyone. I have compared the certificate issued by an Enterprise CA vs the Standard CA and I find little difference in the two. I also know that I can reach this RRAS SSTP certificate from my client by going to https://myexternaladdress.mydomain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ and I can view the padlock in IE and view my internal RRAS certificate. The CRL Distribution point looks no different when I have a standard vs an Enterprise CA but my client always fails with the Error 0x80092013 when I have issued the RRAS SSTP certificate with the Enterprise CA.
    I have probably re-setup this lab about 20 times and am getting very familiar with getting it set up quickly and working with the standard CA but I want to use an Enterprise CA environment.
    What am I missing? How can I make this work with an Enterprise CA? How can I troubleshoot this?
    Thanks,
    Rod
    Rod Miller

    Thanks for your reply. I did read the article and addressed that issue in the first part of my previous post. I don't think that the website where I am hosting my CRL has directory browsing permissions or that I have the ability to set them, but the point of my question was that everything works using that same public website when I use a standard CA to create my certificate but does NOT work when I create the certificate using an Enterprise CA.
    Rod
    Rod Miller

  • Certificate request not working with web server v2 template on windows 2012 R2

    I have tried to generate a certificate request on my domain joined Windows 2012 R2. I have tried both online and offline requests. I am using the web server v2 template.
    Both Method fails with error message that the cryptographic algorithm is unknown. I am using these settings apart from the template:
    This is the error Message in online request:
    The error Message in the offline request is somewhat similar.
    An event error is also appearing in the application log:
    The CSPs from the template:
    I am wondering if a cryptographic service provider or several of them are missing? They are installed with Windows Update, are they not? The strange thing is that this supposedly has worked before with another user. Could it be that I do not have the correct permissions to request a certificate with this template, or has something happened with the server?

    Hey dag
    Thanks for posting,
    If you try duplicating the web template to use it as version 4, can you see any difference?
    Also check the link below for certificate templates versions:
    http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx#Version_4_Certificate_Templates
    In previous operating system versions the configuration of CSPs and KSPs was on different tabs in the certificate properties. For version 2 certificate templates, CSPs were configured on the Request Handling tab. For version 3 certificate templates, KSPs were configured on the Cryptography tab. Starting in Windows Server 2012, the configuration of the providers is consolidated on the Cryptography tab. To learn more about the cryptographic provider options present in previous operating systems
    Notice later.
    I'd be glad to answer any question

  • New server and/or CA certificate for connection from custom authentication

    We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
    I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
    My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
    Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
    Relevant things I've tried so far:
    Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
    Import the IPS CA into the web server cert8 style db via the web admin server.
    The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non-SSL service running on CAS. The same code pointed to the server running the Verisign cert works as expected.
    Part of the stack:
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
    The relevant bit of code from the SecureURL.retrieve looks as follows:
        URL u = new URL(url);
        if (!u.getProtocol().equals("https"))
            throw new IOException("only 'https' URLs are valid for this method");
        URLConnection uc = u.openConnection();
        uc.setRequestProperty("Connection", "close");
        r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
        String line;
        StringBuffer buf = new StringBuffer();
        while ((line = r.readLine()) != null)
            buf.append(line + "\n");
        return buf.toString();
    } finally { ...
    The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
    Thank you very much for any insights and help,
    Ethan

    I thought since this has had a fair number of views I would give an update.
    I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
    certutil: certificate is valid
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    certutil: certificate is invalid: Certificate type not approved for application.
    root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
    root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    FSU Wildcard Certificate : Certificate type not approved for application.
    So it could be that I don't understand how to use certutil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
    BTW for those interested, it did seem to be the case that when the certificate failure occurred, the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out a malformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way, exposing sensitive information to the network.
    This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
    After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.
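    A hardened form of the retrieve() snippet quoted in the first post, as an added example and not code from the CAS client or the amserver: the check on the URL string is kept, but the connection object returned by whatever protocol handler is installed must also be a javax.net.ssl.HttpsURLConnection, so a handler that would quietly retry in cleartext on port 80 is refused before any request is written. It assumes the JDK's own sun.net.www.protocol https handler is in use; with the com.iplanet.services.comm handler mentioned above the type check would simply fail closed, which is the intended behaviour.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;

/** Added example (hypothetical class name); Java 1.5 compatible on purpose. */
public final class StrictHttpsRetriever {

    private StrictHttpsRetriever() {}

    public static String retrieve(String url) throws IOException {
        URL u = new URL(url);
        // Same scheme check as the original snippet.
        if (!"https".equals(u.getProtocol())) {
            throw new IOException("only 'https' URLs are valid for this method");
        }
        URLConnection uc = u.openConnection();
        // Fail closed: the string said "https", but the installed handler
        // (java.protocol.handler.pkgs) decides what actually goes on the wire.
        // Only proceed when the TLS layer is visible and checkable here.
        if (!(uc instanceof HttpsURLConnection)) {
            throw new IOException("handler " + uc.getClass().getName()
                    + " is not an HttpsURLConnection; refusing to send request");
        }
        HttpsURLConnection https = (HttpsURLConnection) uc;
        https.setRequestProperty("Connection", "close");
        https.setInstanceFollowRedirects(false); // never follow a hop to http://
        // Handshake happens here; an untrusted CA or hostname mismatch throws
        // an SSLException instead of being retried on port 80.
        https.connect();

        BufferedReader r = null;
        try {
            r = new BufferedReader(new InputStreamReader(https.getInputStream(), "UTF-8"));
            StringBuilder buf = new StringBuilder();
            String line;
            while ((line = r.readLine()) != null) {
                buf.append(line).append('\n');
            }
            return buf.toString();
        } finally {
            if (r != null) {
                r.close();
            }
            https.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Usage: java StrictHttpsRetriever https://cas.example.org/serviceValidate?...
        System.out.print(retrieve(args[0]));
    }
}
```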

  • Cisco ASA 5505 and comodo SSL certificate

    Hey All,
    I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
    Once the AnyConnect client installs and automatically connects I get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is set up as vpn.mydomain.com.
    On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
    What am I missing here? I can post config if anyone needs it.
    (My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))

    It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
    ASA Version 9.0(2)
    hostname MyDomain-firewall-1
    domain-name MyDomain.com
    enable password omitted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd omitted
    names
    name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
    name 10.200.0.0 MyDomain_New_IP description MyDomain_New
    name 10.100.0.0 MyDomain-Old description Inside_Old
    name XXX.XXX.XX.XX Provider description Provider_Wireless
    name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
    name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
    ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
    ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address Cisco_ASA_5505 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address Provider 255.255.255.252
    boot system disk0:/asa902-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 10.0.3.21
    domain-name MyDomain.com
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network MyDomain-Employee
    subnet 192.168.208.0 255.255.255.0
    description MyDomain-Employee
    object-group network Inside-all
    description All Networks
    network-object MyDomain-Old 255.255.254.0
    network-object MyDomain_New_IP 255.255.192.0
    network-object host MyDomain-Inside
    access-list inside_access_in extended permit ip any4 any4
    access-list split-tunnel standard permit host 10.0.13.1
    pager lines 24
    logging enable
    logging buffered errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
    route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
    route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
    route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    action terminate
    dynamic-access-policy-record "Network Access Policy Allow VPN"
    description "Must have the Network Access Policy Enabled to get VPN access"
    aaa-server LDAP_Group protocol ldap
    aaa-server LDAP_Group (inside) host 10.0.3.21
    ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
    server-type microsoft
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http MyDomain_New_IP 255.255.192.0 inside
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint LOCAL-CA-SERVER
    keypair LOCAL-CA-SERVER
    no validation-usage
    no accept-subordinates
    no id-cert-issuer
    crl configure
    crypto ca trustpoint VPN
    enrollment terminal
    fqdn vpn.mydomain.com
    subject-name CN=vpn.mydomain.com,OU=IT
    keypair vpn.mydomain.com
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment terminal
    crl configure
    crypto ca trustpool policy
    crypto ca server
    shutdown
    crypto ca certificate chain LOCAL-CA-SERVER
    certificate ca 01
        omitted
      quit
    crypto ca certificate chain VPN
    certificate
        omitted
      quit
    crypto ca certificate chain ASDM_TrustPoint1
    certificate ca
        omitted
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint VPN
    telnet timeout 5
    ssh MyDomain_New_IP 255.255.192.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    dynamic-filter updater-client enable
    dynamic-filter use-database
    dynamic-filter enable
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
    ssl trust-point VPN outside
    webvpn
    enable outside
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
    anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
    anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
    anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value MyDomain.com
    group-policy MyDomain-Employee internal
    group-policy MyDomain-Employee attributes
    wins-server none
    dns-server value 10.0.3.21
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value MyDomain.com
    webvpn
      anyconnect profiles value MyDomain-employee type user
    username MyDomainadmin password omitted encrypted privilege 15
    tunnel-group MyDomain-Employee type remote-access
    tunnel-group MyDomain-Employee general-attributes
    address-pool MyDomain-Employee-Pool
    authentication-server-group LDAP_Group LOCAL
    default-group-policy MyDomain-Employee
    tunnel-group MyDomain-Employee webvpn-attributes
    group-alias MyDomain-Employee enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
    : end
    asdm image disk0:/asdm-712.bin
    asdm location MyDomain_New_IP 255.255.192.0 inside
    asdm location MyDomain-Inside 255.255.255.255 inside
    asdm location MyDomain-Old 255.255.254.0 inside
    no asdm history enable
