Rtorrent certificate permissions
Dear Archers,
I need your knowledge and your help:
I changed my torrent client from Transmission (GUI) to rtorrent (CLI) and I have a problem with the certificate (/etc/ssl/certs/) permission access by rtorrent.
With the same tracker (requesting https/ssl connection) I had no problem with Transmission.
But when running rtorrent as user, I get this error:
Tracker : Problem with the SSL CA cert (path? access rights?
So atm I run rtorrent as root and everything is fine.
I tried chmod 777 /etc/ssl/certs
It didn't work.
Has anyone of you encountered this problem?
How can I solve it?
Thank you for your time.
Regards,
~ktr
Last edited by Kooothor (2010-10-22 15:59:52)
check this:
https://wiki.archlinux.org/index.php/Rt … ional_Tips
Similar Messages
-
Postgresql SSL Certificate Configuration
I've installed PostgreSQL on Arch Linux and also generated self-signed certificates in the /etc/ssl/ directory. My PostgreSQL 'data' directory is /var/lib/postgres/data and I've edited my postgresql.conf file to use SSL; however, I'm having permission / access problems starting my database using SSL. It can't access the certificates and errors out when I try to start the database engine:
LOG: autovacuum launcher shutting down
LOG: shutting down
LOG: database system is shut down
FATAL: could not load server certificate file "server.crt": No such file or directory
FATAL: private key file "server.key" has group or world access
DETAIL: Permissions should be u=rw (0600) or less.
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not access private key file "server.key": Permission denied
FATAL: could not load private key file "server.key": Permission denied
My /etc/ssl permissions are as follows:
[root@ghost ssl]# ls -l
total 28
drwxr-xr-x 2 root root 4096 Apr 18 22:28 certs
drwxr-xr-x 2 root root 4096 Feb 8 13:58 misc
-rw-r--r-- 1 root root 10819 Feb 8 13:58 openssl.cnf
drwxr-xr-x 2 root root 4096 Apr 18 22:28 private
-rw-r--r-- 1 root root 1813 Apr 18 22:27 server.csr
The individual certificate permissions are as follows:
[root@ghost ssl]# ls -l certs/server.crt
-rw-r--r-- 1 root root 2126 Apr 18 22:27 certs/server.crt
[root@ghost ssl]# ls -l private/server.key
-rw------- 1 root root 3311 Apr 18 22:25 private/server.key
I don't know what I need to chown or chmod in order to get PostgreSQL to access my self-signed certificates. If anyone could please help me out, I would greatly appreciate it.
IME, postgres is hard-coded to look for server.{key,crt} in its data directory, and they need to be owned by the unpriv'ed user:
/srv/pgData-8.4 # ll server*
-rw------- 1 postgres postgres 1.5K Jul 13 2010 server.crt
-rw------- 1 postgres postgres 887 Jul 13 2010 server.key
-rw------- 1 postgres postgres 700 Jul 13 2010 server.req -
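The two failures in the PostgreSQL thread above (certificate not found in the data directory, key readable by group/world or owned by the wrong user) can be caught before a restart. The following pre-flight check is an added example, not code from the thread; it assumes GNU `stat -c` (Linux) and that the postmaster runs as the user given as OWNER.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the checks PostgreSQL makes on
# server.crt / server.key when ssl = on, so a bad layout is reported before the
# database is restarted. Assumes GNU coreutils `stat -c` (assumption; on
# BSD/macOS substitute `stat -f '%Su'` and `stat -f '%Lp'`).
#
# Usage:  check_pg_ssl_files DATADIR OWNER
# Returns: 0 ok, 1 a file is missing, 2 wrong owner, 3 group/world bits on key.

check_pg_ssl_files() {
    datadir="$1"
    owner="$2"
    crt="$datadir/server.crt"
    key="$datadir/server.key"

    # Both files must live in the data directory itself; a certificate left in
    # /etc/ssl produces "could not load server certificate file ... No such file".
    for f in "$crt" "$key"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f (PostgreSQL looks in the data directory)"
            return 1
        fi
    done

    # The postmaster opens both files as the unprivileged database user, so a
    # root-owned 0600 key fails with "Permission denied" even though root can read it.
    for f in "$crt" "$key"; do
        fowner=$(stat -c '%U' "$f")
        if [ "$fowner" != "$owner" ]; then
            echo "wrong owner on $f: $fowner, expected $owner"
            return 2
        fi
    done

    # Key mode must be u=rw (0600) or less: any group or world bit is rejected
    # with "private key file has group or world access".
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *00) ;;
        *)
            echo "group or world access on $key (mode $mode, want 0600 or less)"
            return 3
            ;;
    esac

    echo "ok: $crt and $key are usable by $owner"
    return 0
}
```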
Deploying user certificates to all users
I need to deploy user certificates to all my employees. It will save me from sending them an email to load up mmc, click on certificates and then go down to user>personal and right click and request user certificate.
I checked the user certificate permissions and domain users has enroll and read as allowed. There is no auto enroll. I then created a group policy under user configuration>Windows Settings> Security Settings>Public Key Policies.
Under public key policies, I enabled the Certificate Services Client - Certificate Enrollment Policy and checked the box for Active Directory enrollment. I then clicked on Certificate Services Client - Auto-Enrollment and enabled it, checking the boxes to update certificates that use certificate templates and renew expired certificates.
Next I applied the GPO on the root of the domain using Authenticated Users as the security group on the GPO so all users get it. Since I have pushed it, when I check all systems using MMC > Certificates, no one has a user certificate. Can someone explain why this is not working?
Hi,
>>I am using windows server 2008 R2. Should I see an autoenroll permission for this user template?
As far as I know, to enable autoenrollment, users should be granted Read, Enroll, and Autoenroll permissions.
Regarding how to configure certificate enrollment, the following articles can be referred to as reference.
Configure Certificate Autoenrollment
http://technet.microsoft.com/en-us/library/cc731522.aspx
Issuing Certificates Based on Certificate Templates
http://technet.microsoft.com/en-us/library/Cc753452.aspx
Best regards,
Frank Shen -
Best Practice to troubleshoot a Crawler Issue after SQL Server restarts
Hi Everyone
I am after some general advice or a suggested place to start when troubleshooting crawler issues after an unplanned, out-of-sequence server restart.
Specifically, the SQL Database in the SharePoint 2010 farm. Better yet, is there a standard practice way of resolving such issues?
So far articles I have found suggest options from reviewing the crawl logs, creating a new crawl component, right through to using fiddler to monitor the crawler.
Are these sufficient places to start / methodologies to follow, what else should be considered?
Any advice greatly appreciated.
Thanks,
Mike
Well, as I said before, there are lots of different potential issues & resolutions for crawlers. It really depends on the issue. I would say that the base troubleshooting steps start the same no matter which service/feature you are looking
at. So, I'll try to keep this sort of generic, but beyond finding the details of the problem, the SOP or process will vary greatly based on what the error is. I hope this helps, and sorry if it's not specific enough.
1 - check the ULS logs
2 - check the windows application logs
3 - verify related services are running (get-spserviceinstance), possibly stop/start them to reprovision the instance on the affected server
4 - clear the config cache (this alone will clear about 30% of your basic problems)
6 - verify disk space & resource consumption on affected server (& SQL, SQL is always the potential to be the true "affected" server)
7 - iisreset
8 - verify connectivity between all servers in the farm and SP
9 - verify required features activated
10- check if any changes were made to environment recently (new hardware, updates to OS or apps, updates to GPOs, new solutions, etc)
11- check if the issue is reproducible in another environment (only reliable if this is a similar environment, i.e. same patch level test farm or dr farm). see if it occurs in other site collections within the web app, different web apps, different
servers/browsers, etc, basically just try to nail down the scope of the problem
There is a whole slew of things you could check from verifying certificates & perms, to rerunning psconfig, to checking registry keys, again I go back to it depends. hopefully this can get you started though. in the end ULS is where all
the real info on the issue is going to be, so make sure you check there. don't go in with tunnel vision either. if you see other errors in ULS, check them out, they may or may not be related; SharePoint is an intricate product with way more moving
parts than most systems. fix the little quick ones that you know you can handle, this will help to keep the farm clean and healthy, as well as crossing them off the list of potential suspects for your root cause.
Christopher Webb | MCM: SharePoint 2010 | MCSM: SharePoint Charter | MCT | http://christophermichaelwebb.com -
Is there any wireless provider without problems?
Hello!
I am currently developing some applications for cell phones and found out that there are a lot of forbidden things. I am not able to send an SMS message with a T-Mobile + Samsung phone, or even connect to a web site with Verizon + Motorola etc...
Is there any wireless provider that allows developers to do that without $400 "certificate permissions"?
If any of you are writing code that uses bluetooth/Internet/SMS, please tell me what provider you have or how you do it.
Thank you!
P.S. I do not need code, I know how to do it, I'm just tired of SecurityExceptions... :(
This is the problem. Signing MIDlets is not cheap. I do not have $400 for my own projects. And after all of that a lot of functionality is still locked. It really depends on (wireless provider) + (phone brand).
I know about that:
http://www.spindriftpages.net/pebble/dave/2005/06/20/1119275880301.html
but is it all networks like that or only Cingular? -
Hi,
I am trying to make a webservice work on my ADCS. The aim of the script is to automate revocation of a certificate (the CN of the certificate is given in parameter).
I am facing the following error when calling my webservice:
Erreur OpenConnection : 0x80070005 -> CCertView::OpenConnection: Access denied. 0x80070005 (WIN32: 5)
My guess is, here is the line that triggers the error:
CertView.OpenConnection( strCAConf )
The script is published through an ASP application in IIS. The application runs with a domain account. It is based on the following method:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa385432%28v=vs.85%29.aspx
Do you know what kind of right and where it needs to be applied in order to make this piece of code work?
Thank you so much.
Regards,
Alexandre
Hi Alexandre,
I am not sure what permissions the OpenConnection command requires; you may need to refer to the MSDN forums to get an accurate answer.
Microsoft Developer Network Forums
https://social.msdn.microsoft.com/Forums/en-US/home?category=vslanguages&filter=alltypes&sort=lastpostdesc
However, revoking certificates requires Issue and Manage Certificates permissions. I suggest you assign Issue and Manage Certificates permissions to the domain account, then try to run the script. If it doesn't work, try using a domain admin account to test.
More information for you:
Windows Server 2003 PKI and Role-Based Administration
https://technet.microsoft.com/en-us/library/cc739182%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
Best Regards,
Amy
-
or an error occurred while accessing Active Directory."
When I set up the subordinate CA where I am seeing this error message (when attempting to make a request via the web interface for a Linux client - Group Policy not possible here) I opted to not "Load Default Templates".
Just FYI, PKI View shows "OK" for everything.
Permissions on the template are Read and Enroll for Authenticated Users.
Issuance Requirements are "CA certificate manager approval" (checked) - nothing else checked. "Same criteria for enrollment".
Have I googled?
That's just the problem. I've seen plenty of hits where people say "I've solved it this way and I've solved it that way".
What is the (MS) recommended method to solve this problem?
I'm concerned some solutions might be the equivalent of disabling CRL checks to resolve CRL problems - something where the solution is worse than the problem.
OK. This is the problem. When I duplicated the web server template, I had the choice of Windows Server 2003 or 2008 (Enterprise).
I selected 2008 (OK, in the screenshot 2003 is selected - by default).
Windows 2008 based templates (v3) do not work with web enrollment.
https://technet.microsoft.com/en-us/library/cc732517(WS.10).aspx
Absolutely none of the other solutions will help if you make this choice:
- no adjustments of IE settings will help (if you thought it was "something" with your browser).
- It does not matter if the Windows Authentication provider is set to NTLM or Negotiate first.
- Application Pool identity can be ApplicationPoolIdentity or Network service.
- You can enable or disable Anonymous Authentication.
If you decide to select a v3 template, forget about using web enrollment.
You will spend hours t-shooting.
It will not work.
IMPORTANT EDIT
Having tried this on a second CA, it seems that you might have to change the NTLM and App Pool settings.
I simply duplicated a template (2003) and thought I was all set.
Not at all.
I had to play with the Provider priority (put NTLM above negotiate) and use "Network Service" for the Default App Pool identity.
Then it finally worked.
Yes, an iisreset /noforce after each change.
I'm not sure why this is so complicated.
Maybe someone from Microsoft could explain what is going on here.
This is documented nowhere. You have to proceed by trial and error until you get the right combination.
-
Permissions with problem when encrypting pdf with certificate
I am using the following javascript code to encrypt a pdf using a certificate:
// every operation is disallowed for the recipient
var thePermissions = {
    allowAll: false,
    allowAccessibility: false,
    allowContentExtraction: false,
    allowChanges: "none",
    allowPrinting: "none"
};
// recipient's public certificate, loaded from disk
var theCertificate = security.importFromFile(
    "Certificate",
    "/c/user.cer"
);
var theUserEntity = {
    firstName: "The",
    lastName: "User",
    fullName: "The User",
    certificates: theCertificate,
    defaultEncryptCert: theCertificate
};
// one recipient group carrying the restrictive permissions above
var theGroup = { userEntities: [ theUserEntity ], permissions: thePermissions };
encryptForRecipients( { oGroups: [ theGroup ] } );
saveAs("encrypted.pdf");
The resulting file "encrypted.pdf" is in fact encrypted, but the permissions don't seem to be correct. For instance, the Document Properties show that there are no document restrictions (DocumentProperties.PNG), but when the details are shown, it seems that the correct restrictions apply (DocumentSecurity.PNG). As can be seen in the permissions variable, there should be no permissions on the generated pdf. Can someone possibly help me with this?
Additional info: there should be no human interaction in the process, the certificate is not fixed (preventing the use of encryptUsingPolicy), and will be selected based on the file name of the original pdf.
Hi Leonard,
I see the same thing executing the script from the JavaScript console. There is a slight wrinkle in the steps to reproduce. Even if everything worked as it's supposed to, you would still need to close and then reopen the file in order to get the perm restrictions to take effect. This is because when you initially encrypt the file you are still the document owner, and thus none of the perms have yet taken effect. However, once you do close and then reopen the file (thus forcing an authentication), the file should open with the perms being enforced, but alas, they are not.
Interestingly, if you go into the Document Properties and then select the Security tab (or just click the Permissions Details button in the DMB) you see that the Restriction Summary shows that everything is allowed, but when you click the Show Details button, which just displays the restrictions applicable to the encryption handler, it shows the correct settings. Of course the real bug isn't that the restriction summary is incorrect, but rather that it is correct and all of the supposedly restricted operations are allowable.
I'll enter this as a bug against 10 along with the ER to add the encryption algorithm as an option to the encryptForRecipients JS function.
Steve -
EFS: Access denied even with appropriate certificate and permissions
I have imported the certificate from the server computer to the workstation computer several days ago. So far, every morning the workstation computer is unable to access the server encrypted file for a period of about 1 hour (saying "Unable to open
this file. Access denied"). All the folders can be opened, moved and renamed. After persistently attempting to access it and after verifying the thumbprints match between file and certificate it is able to open the file.
There seems to be a delay between logging in to the workstation computer and the effectiveness of the certificate.
I am new to EFS and would love any help you can give me.
Hi,
Did this issue occur only on these EFS files or on all files on the server? What's the result when you attempt to access another file which is not encrypted?
Meanwhile, please use Network Monitor to trace the network activity:
Network Monitor
http://technet.microsoft.com/en-us/library/cc938655.aspx
Karen Hu
TechNet Community Support -
Disable Certificate Check on https sites permanently
Hi,
please help me with this. I need to disable all the certificate checks when opening a ssl/https site. Even when I'm allowing the sites and save the certificate information and stuff it still asks me after a few days again.
(Please don't give me security advice, it's a special pc that has only access to internal websites which I'm trusting)
Thanks!
Which security software (firewall, anti-virus) do you have?
Some firewalls monitor secure (https) connections and send their own certificate instead of the website's certificate.
If you have ESET then see:
*[[/questions/790114]]
*ESET setup -> advanced setup -> extend web and email tree -> SSL
*SSL protocol: Do not scan SSL protocol
You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
* Click the link at the bottom of the error page: "I Understand the Risks"
Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
* Click the "View..." button and inspect the certificate and check who is the issuer.
You can see more Details like intermediate certificates that are used in the Details pane. -
How to use one certificate for two directory servers?
Hi,
running Sun DSEE 6.3.1 on two servers, server 1 has name ds1.example.com, server 2 has name ds2.example.com. There is a round robin DNS record ds.example.com, which alternates between:
ds1.example.com
ds2.example.com
and
ds2.example.com
ds1.example.com
An LDAP client connects to one of the servers over SSL using the name ds.example.com. We want to generate a certificate using the name ds.example.com and use it on both directory servers.
If we generate a CSR using DSCC on server 1 and get back a signed certificate, the certificate can be installed correctly on server 1. However, if we use the same signed certificate on server 2 it fails with error:
Unable to find private key for this certificate.
Failed to add the certificate.
Error executing the operation. The error code is 11.
What is the correct way to generate one CSR, have it signed by a CA and then implement this signed certificate on multiple servers?
/rolf
From one Directory Server (ds1) generate a CSR with the name ds.example.com in the request. Once you get the signed cert, import it into the same server you generated the CSR with. Then from ds1.example.com:
scp -p <slapd install/instance path>/alias/* <account>@ds2.example.com:<slapd install/instance path>/alias/
to copy the contents of the alias path to the same location on the other Directory Server. Make sure file permissions are the same. -
SSTP VPN fails with Error 0x80092013 when certificate is issued by an Enterprise CA
I have spent several days trying to configure an SSTP VPN in an environment with a 2008R2 Enterprise CA server without much luck. I have been using the example found at http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx which
works very well as long as you configure the CA Extensions tab with an http CRL Distribution point that is included in the CRLs and CDP extension of issued certificates and is available to the client prior to VPN connection.
Basically my lab environment is as follows:
Separate 2008R2 domain controller, Single 2008R2 Enterprise CA / RRAS server with one nic. I know the instructions that I mentioned above use an RRAS server with 2 nics but I don't want my RRAS server serving as a router. I have an external hardware firewall
that port forwards port 443 to my single nic in my RRAS server and this entire configuration works fine as long as I am using a standard CA configuration. The RRAS was configured using the custom option and only VPN was chosen. Since my RRAS server is behind
a NAT router, the dns name my external client uses to connect is different than the internal name of my RRAS server.
In the example above, a Windows 2008R2 CA server is configured as a standalone non-enterprise root CA. As long as I stick with a standard CA, I have no problem and everything works.
My problem is that if I configure my Windows Server 2008R2 Enterprise server as an Enterprise Root CA, My Windows 7 client always gets an "Error 0x80092013 The revocation function was unable to check revocation because the revocation server was offline."
I'm not certain, but I think the problem is with the way that I request the certificate for my RRAS server. When I configure a standalone standard root CA and use the web enrollment page and use an Advanced Certificate Request, I get a page that I can use
to fill out the external dns name that I use to connect to SSTP, choose a Server Authentication Certificate, choose to mark keys as exportable and submit my request. Once I install this key in the Certificates (local computer) / Personal / Certificates
store, everything works and my client can connect as long as I have installed the root CA certificate on my client.
When I install my CA as an Enterprise Root CA server, everything changes. I no longer have the same options to install a custom certificate. Instead of getting the same page as I do with a standard CA, I get my choice of Certificate Templates. Prior to this,
I have duplicated the Computer template in the CA authority and configured the subject name to "supply in request" and configured my CA to issue it. I have tried issuing my RRAS SSTP certificate using the web enrollment and I have also tried using the certificates
plugins in mmc to request custom certificates and tried using an alternative subject name, filling out the DNS option with my external dns name.
When it is all said and done, I end up with an RRAS SSTP certificate that has CRL Distribution Points defined as URL=http://www.mywebsite/CertEnroll/myCA.crl and it is available to my client or anyone. I have compared the certificate issued by an Enterprise
CA vs the Standard CA and I find little difference in the two. I also know that I can reach this RRAS SSTP certificate from my client by going to https://myexternaladdress.mydomain.com/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/and
I can view the padlock in IE and view my internal RRAS certificate. The CRL Distribution point looks no different when I have a standard vs an Enterprise CA but my client always fails with the Error 0x80092013 when I have issued the RRAS SSTP certificate
with the Enterprise CA.
I have probably re-setup this lab about 20 times and am getting very familiar with getting it set up quickly and working with the standard CA but I want to use an Enterprise CA environment.
What am I missing? How can I make this work with an Enterprise CA? How can I troubleshoot this?
Thanks,
Rod
Rod Miller
Thanks for your reply. I did read the article and addressed that issue in the first part of my previous post. I don't think that the website where I am hosting my CRL has directory browsing permissions or that I have the ability to set them, but the point of my question was that everything works using that same public website when I use a standard CA to create my certificate but does NOT work when I create the certificate using an Enterprise CA.
Rod
Rod Miller -
Certificate request not working with web server v2 template on windows 2012 R2
I have tried to generate a certificate request on my domain joined Windows 2012 R2. I have tried both online and offline requests. I am using the web server v2 template.
Both methods fail with an error message that the cryptographic algorithm is unknown. I am using these settings apart from the template:
This is the error Message in online request:
The error Message in the offline request is somewhat similar.
An event error is also appearing in the application log:
The CSPs from the template:
I am wondering if a cryptographic service provider or several of them are missing? They are installed with Windows Update, are they not? The strange thing is that this supposedly worked before with another user. Could it be that I do not have the correct permissions to request a certificate with this template, or has something happened with the server?
Hey dag
Thanks for posting ,
If you try duplicating the web template for use in version 4, can you see any difference?
Also check the link below for certificate templates versions:
http://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx#Version_4_Certificate_Templates
In previous operating system versions the configuration of CSPs and KSPs were on different tabs in the certificate properties. For version 2 certificate templates, CSPs were configured on the Request Handling tab. For version 3 certificate templates,
KSPs were configured on the Cryptography tab. Starting in Windows Server 2012, the configuration of the providers is consolidated on the Cryptography tab. To learn more about the cryptographic provider options present in previous operating systems
Notice later.
I'd be glad to answer any question -
New server and/or CA certificate for connection from custom authentication
We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
Relevant things I've tried so far:
Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
Import the IPS CA into the web server cert8 style db via the web admin server.
The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
Part of the stack:
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
[28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
The relevent bit of code from the SecureURL.retrieve looks as follows:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;

// Fetches the body of an https URL; plain-http URLs are refused up front.
public static String retrieve(String url) throws IOException {
    BufferedReader r = null;
    try {
        URL u = new URL(url);
        if (!u.getProtocol().equals("https"))
            throw new IOException("only 'https' URLs are valid for this method");
        // the handler chosen for this connection is what the post below is about
        URLConnection uc = u.openConnection();
        uc.setRequestProperty("Connection", "close");
        r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
        String line;
        StringBuffer buf = new StringBuffer();
        while ((line = r.readLine()) != null)
            buf.append(line + "\n");
        return buf.toString();
    } finally {
        // body of the finally block was elided in the original post; closing the reader is its evident purpose
        if (r != null) r.close();
    }
}
The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
Thank you very much for any insights and help,
Ethan
I thought since this has had a fair number of views I would give an update.
I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
certutil: certificate is valid
root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
certutil: certificate is invalid: Certificate type not approved for application.
root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
FSU Wildcard Certificate : Certificate type not approved for application.
So it could be that I don't understand how to use certutil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
BTW for those interested, it did seem to be the case that when the certificate failure occurred, an attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out a malformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped the traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way, exposing sensitive information to the network.
This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know; there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the HttpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows of a reason not to use sun.net.www.protocol with the amserver.
After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.
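The https-only contract of SecureURL.retrieve, together with the two points the post above raises (a silent fallback to port 80, and not being able to tell a trust failure from a connection failure), as an added Python example. This is not the CAS client's, the amserver's or the poster's code. The cafile parameter is a hypothetical path to a PEM bundle holding the CA that issued the server certificate, and the host name in the usage line is made up.

```python
"""HTTPS-only fetch with an explicit trust store and no cleartext fallback.

Added example (not the CAS client or amserver code). Mirrors the
'only https URLs are valid' contract of SecureURL.retrieve and separates
certificate failures from ordinary connection failures.
"""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class CertificateProblem(Exception):
    """TLS handshake failed because the peer certificate did not verify."""


class TransportProblem(Exception):
    """Connection failed for a reason unrelated to certificates (refused, timeout, DNS)."""


def check_url(url):
    """Return the split URL, or raise ValueError unless it is https with a host.

    There is deliberately no rewrite of http:// to https:// and no retry on
    port 80: a URL that is not already https is a bug in the caller.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only 'https' URLs are valid for this method: %r" % url)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    return parts


def build_context(cafile=None):
    """Build a verifying SSLContext.

    cafile is an assumed path to a PEM bundle with the CA that issued the
    server certificate; None selects the platform default trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # name in the certificate must match the URL host
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable chain fails the handshake
    return ctx


def context_is_strict(ctx):
    """True when ctx both verifies the chain and checks the host name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def secure_retrieve(url, cafile=None, timeout=10):
    """Fetch url over TLS and return the body as text."""
    check_url(url)
    req = urllib.request.Request(url, headers={"Connection": "close"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=build_context(cafile)) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        # The server answered over verified TLS; an HTTP status is not a trust problem.
        raise
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLError):
            # Includes SSLCertVerificationError: bad chain, expired cert, name mismatch.
            raise CertificateProblem(str(e.reason)) from e
        raise TransportProblem(str(e.reason)) from e


if __name__ == "__main__":
    # Hypothetical validation endpoint; the host name is not from the post.
    try:
        print(secure_retrieve("https://cas.example.edu/serviceValidate?ticket=ST-1&service=x"))
    except (CertificateProblem, TransportProblem) as exc:
        print(type(exc).__name__, exc)
```

Because the scheme check happens before any socket is opened and the context is built with CERT_REQUIRED and check_hostname, the only way this function can return a body is over a verified TLS connection; a wrong CA bundle surfaces as CertificateProblem, a closed port as TransportProblem.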
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects I get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My version of ASA software is 9.0(2) and ASDM version 7.1(2))

It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable
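What a TLS client such as AnyConnect is checking when it reports the server certificate as untrusted against the IP address, as an added Python model; it is not Cisco's code and not from the post. A certificate is represented in the dict layout of Python's ssl.SSLSocket.getpeercert(), extended with an assumed extendedKeyUsage key that getpeercert() does not itself expose, and the sample certificate is constructed to resemble the one in the post: subject and SAN of vpn.mydomain.com only.

```python
"""Model of the identity checks a TLS client applies to a VPN server certificate.

Added example; not Cisco or AnyConnect code. Certificates use the dict layout
of ssl.SSLSocket.getpeercert(), plus an assumed 'extendedKeyUsage' list of
OIDs that getpeercert() does not return on its own.
"""
import ipaddress

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def _dns_match(pattern, hostname):
    """RFC 6125 style match: exact, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard covers exactly one label and never the registered domain itself.
    return len(p_labels) == len(h_labels) and len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def names_in(cert):
    """Return (dns_names, ip_names); the CN is used only when there is no SAN at all."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns.append(value)
    return dns, ips


def matches_host(cert, host):
    """True if host (a DNS name or an IP literal) is covered by the certificate."""
    dns, ips = names_in(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(p, host) for p in dns)
    # An IP literal matches only an iPAddress SAN entry, never a dNSName or the CN.
    return any(ipaddress.ip_address(i) == ip for i in ips)


def has_server_auth_eku(cert):
    """True if the certificate carries serverAuth, or has no EKU extension (unconstrained)."""
    eku = cert.get("extendedKeyUsage")
    return eku is None or SERVER_AUTH_OID in eku


def check_identity(cert, connected_to):
    """Return the reasons a client would distrust cert for a connection to connected_to."""
    problems = []
    if not matches_host(cert, connected_to):
        problems.append("name mismatch: %s not in %s" % (connected_to, names_in(cert)))
    if not has_server_auth_eku(cert):
        problems.append("EKU does not include serverAuth")
    return problems


# Constructed sample resembling the post: issued for vpn.mydomain.com only.
VPN_CERT = {
    "subject": ((("commonName", "vpn.mydomain.com"),), (("organizationalUnitName", "IT"),)),
    "subjectAltName": (("DNS", "vpn.mydomain.com"),),
    "extendedKeyUsage": [SERVER_AUTH_OID, CLIENT_AUTH_OID],
}

if __name__ == "__main__":
    print(check_identity(VPN_CERT, "vpn.mydomain.com"))  # []
    print(check_identity(VPN_CERT, "203.0.113.10"))      # name mismatch
```

A client that reconnects to the address rather than the name fails the name check, because an IP literal is compared only against iPAddress SAN entries and never against a dNSName or the CN; the two ways to make that check pass are to have every connection use the FQDN or to have the certificate carry the address as an iPAddress SAN.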
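A small audit over the algorithm stanzas of a configuration like the one above, as an added example and not a Cisco tool: it walks the `ssl encryption`, `crypto ikev2 policy` and `crypto ipsec ikev2 ipsec-proposal` stanzas and flags RC4, DES/3DES, MD5 and Diffie-Hellman groups below 2048 bits. SAMPLE_CONFIG is a constructed excerpt that mirrors the posted lines, not the full configuration, and the parser does not depend on indentation because pasted configs usually lose it.

```python
"""Audit an ASA running-config for weak TLS and IKEv2/IPsec algorithm choices.

Added example; SAMPLE_CONFIG is a constructed excerpt modelled on the
posted configuration, not the poster's complete config.
"""
import re

WEAK_SSL_CIPHERS = {"rc4-md5", "rc4-sha1", "des-sha1", "3des-sha1"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5"}
SMALL_DH_GROUPS = {"1", "2", "5"}   # 768-, 1024- and 1536-bit MODP groups
# Sub-commands that belong to a policy or proposal stanza; anything else ends it.
STANZA_SUBCOMMANDS = ("encryption ", "integrity ", "group ", "prf ", "lifetime ", "protocol esp ")


def audit_asa_config(text):
    """Return a list of (line_number, context, message) findings."""
    findings = []
    context = None  # name of the ikev2 policy or ipsec proposal currently being read
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"ssl encryption\s+(.+)$", line)
        if m:
            weak = [c for c in m.group(1).split() if c in WEAK_SSL_CIPHERS]
            if weak:
                findings.append((lineno, "ssl encryption", "weak TLS ciphers offered: " + " ".join(weak)))
            context = None
            continue
        m = re.match(r"crypto ikev2 policy\s+(\d+)$", line)
        if m:
            context = "ikev2 policy " + m.group(1)
            continue
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal\s+(\S+)$", line)
        if m:
            context = "ipsec-proposal " + m.group(1)
            continue
        if not line.startswith(STANZA_SUBCOMMANDS):
            context = None      # any other command closes the stanza
            continue
        if context is None:
            continue            # orphaned sub-command; nothing to attribute it to
        m = re.match(r"(?:protocol esp\s+)?encryption\s+(\S+)", line)
        if m and m.group(1) in WEAK_ENCRYPTION:
            findings.append((lineno, context, "weak encryption " + m.group(1)))
        m = re.match(r"(?:protocol esp\s+)?integrity\s+(.+)$", line)
        if m:
            weak = [a for a in m.group(1).split() if a in WEAK_INTEGRITY]
            if weak:
                findings.append((lineno, context, "weak integrity " + " ".join(weak)))
        m = re.match(r"group\s+(.+)$", line)
        if m:
            small = [g for g in m.group(1).split() if g in SMALL_DH_GROUPS]
            if small:
                findings.append((lineno, context, "DH group(s) below 2048 bits: " + " ".join(small)))
    return findings


# Constructed excerpt mirroring the posted stanzas (indentation intentionally absent).
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
"""

if __name__ == "__main__":
    for lineno, context, message in audit_asa_config(SAMPLE_CONFIG):
        print("%3d  %-22s %s" % (lineno, context, message))
```

Run against a full `show running-config`, every finding points at a line the operator can edit directly; the `integrity sha` lines (SHA-1 on this platform) are left unflagged here but are worth reviewing with the same eye.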