10.1.3 WS-Security with certificates bug?
We've been using the 10.1.3 WS-Security wizard to secure some service clients generated from WSDL. Without security, all works fine.
When we enable security and use x509 certificates to sign the messages we start hitting problems. There seems to be a bug with how JDeveloper takes the certificates and puts the security tokens into the messages.
The BinarySecurityToken element values seem to be 'chunked' into 64 character blocks, which are then delimitated by a CR/LF sequence. This can easily be seen from a trace or tunnel. Since this is supposed to be a binary token, the CR/LF is messing this up and the tokens can not be validated by the service, causing a message validation error.
We've captured the envelope from a trace and then manually stripped out the CR/LF sequences. The service is then able to validate the message; it just doesn't like the signature value, but at least it recognises that an attempt to sign the message has been made.
On a related note, has anyone got any idea why Oracle puts two BinarySecurityTokens into the header when just signing is enabled? Other platforms' WS-Security implementations (.NET, WebLogic) seem to get away with just the one.
Check the JDeveloper online help and search for "web services security".
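The following is an added example in Python; it is not from the original thread and not JDeveloper's or Oracle's code. It constructs a SOAP envelope with the layout the post describes: two wsse:BinarySecurityToken elements whose base64 value is chunked into 64-character lines joined by CR/LF, and a ds:Signature whose SecurityTokenReference points at only the first token. It then strips the whitespace, shows that a strict base64 decoder rejects the wrapped form and accepts the normalised one, sanity-checks the DER framing of the decoded bytes, and reports which token the signature actually references. The certificate bytes are a constructed stand-in (a DER SEQUENCE around filler), not a real certificate, and the namespace URIs are the standard WS-Security 2004 ones.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Constructed stand-in for a DER certificate: an outer SEQUENCE around 200 filler bytes.
# A real token carries a whole X.509 certificate; only the DER framing and a base64
# length long enough to wrap matter for this demonstration.
FAKE_CERT_DER = b"\x30\x81\xc8" + bytes(range(200))


def wrap_like_jdeveloper(b64: str) -> str:
    """Chunk base64 text into 64-column lines joined by CR/LF, the layout the post describes."""
    return "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def build_envelope(cert_der: bytes) -> str:
    """Constructed sample: two wsse:BinarySecurityToken elements with wrapped values;
    the signature's SecurityTokenReference points at the first one only."""
    token = wrap_like_jdeveloper(base64.b64encode(cert_der).decode("ascii"))
    bst = (f'<wsse:BinarySecurityToken wsu:Id="%s" EncodingType="{BASE64}" '
           f'ValueType="{X509V3}">%s</wsse:BinarySecurityToken>')
    str_ref = ('<ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>'
               f'<wsse:Reference URI="#X509-1" ValueType="{X509V3}"/>'
               '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>')
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
            f'xmlns:ds="{DS}"><soap:Header><wsse:Security>'
            + bst % ("X509-1", token) + bst % ("X509-2", token) + str_ref
            + "</wsse:Security></soap:Header><soap:Body/></soap:Envelope>")


def der_sequence_ok(der: bytes) -> bool:
    """Cheap framing check: the outer TLV is a SEQUENCE whose length covers exactly the payload."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    length, header = der[1], 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def strict_base64_ok(text: str) -> bool:
    """What a strict receiver does: any non-alphabet byte, CR/LF included, is a reject."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except binascii.Error:
        return False


def normalise_tokens(envelope_xml: str):
    """Strip whitespace out of every wsse:BinarySecurityToken and report on each one.
    Returns (normalised_envelope, report)."""
    root = ET.fromstring(envelope_xml)
    referenced = {r.get("URI", "").lstrip("#") for r in root.iter(f"{{{WSSE}}}Reference")}
    report = []
    for tok in root.iter(f"{{{WSSE}}}BinarySecurityToken"):
        raw = tok.text or ""
        clean = re.sub(r"\s+", "", raw)
        tok_id = tok.get(f"{{{WSU}}}Id")
        report.append({
            "id": tok_id,
            "had_whitespace": clean != raw,
            "raw_passes_strict_decoder": strict_base64_ok(raw),
            "der_ok": der_sequence_ok(base64.b64decode(clean, validate=True)),
            "referenced_by_signature": tok_id in referenced,
        })
        tok.text = clean                               # rewrite the token in place
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    _, findings = normalise_tokens(build_envelope(FAKE_CERT_DER))
    for finding in findings:
        print(finding)
```

Two caveats a practitioner should keep in mind. XML Schema's base64Binary lexical space permits whitespace, so a lenient receiver accepts the wrapped form and a strict one does not; whether the service rejects it depends purely on its decoder. And if the token element itself is covered by a ds:Reference (rather than merely pointed at through the SecurityTokenReference as here), rewriting its text changes the digest, so normalisation has to happen before signing, not on the wire.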
Similar Messages
-
OC4J security with certificates
Hi,
I'm trying to develop OC4J (with JDeveloper 10g) application that has to use certificates X509 for authentication.
Can someone help me with links to demos or tutorials? Or some ideas how to build this?
Regards,
Niko
OK, I'll make an assumption. You see, you could want to do message-layer security for web services, that is, use WS-Security. Since this thread started with SSL-enabling OC4J, I guess I should assume you want to just do transport-layer security. I got a little thrown off by your mention of optionally encrypting your SOAP message.
Anyway, it is a matter of obtaining certs, building and loading up the keystore with the appropriate certs and informing OC4J about the keystore and whether or not you will authenticate the client with a cert. You will need to modify server.xml, and modify your default-web-site.xml (or perhaps better, create a secure-web-site.xml from the default-web-site.xml base).
You know, Oracle has changed OC4J quite a bit from the Orion base. But you might try this out to see if it works.
http://www.orionserver.com/docs/ssl.html#configuring
If you try, please post back with your results.
regards,
tt -
Permissions with problem when encrypting pdf with certificate
I am using the following javascript code to encrypt a pdf using a certificate:
var thePermissions = {
    allowAll: false,
    allowAccessibility: false,
    allowContentExtraction: false,
    allowChanges: "none",
    allowPrinting: "none"
};
var theCertificate = security.importFromFile(
    "Certificate",
    "/c/user.cer"
);
var theUserEntity = {
    firstName: "The",
    lastName: "User",
    fullName: "The User",
    certificates: theCertificate,
    defaultEncryptCert: theCertificate
};
var theGroup = { userEntities: [ theUserEntity ], permissions: thePermissions };
encryptForRecipients( { oGroups: [ theGroup ] } );
saveAs("encrypted.pdf");
The resulting file "encrypted.pdf" is in fact encrypted, but the permissions don't seem to be correct. For instance, the Document Properties show that there are no document restrictions (DocumentProperties.PNG), but when the details are shown, it seems that the correct restrictions apply (DocumentSecurity.PNG). As can be seen in the permissions variable, there should be no permissions on the generated pdf. Can someone possibly help me with this?
Additional info: there should be no human interaction in the process; the certificate is not fixed (preventing the use of encryptUsingPolicy), and will be selected based on the file name of the original pdf.
Hi Leonard,
I see the same thing executing the script from the JavaScript console. There is a slight wrinkle in the steps to reproduce. Even if everything worked as it's supposed to, you would still need to close and then reopen the file in order to get the perm restrictions to take effect. This is because when you initially encrypt the file you are still the document owner, and thus none of the perms have yet taken effect. However, once you do close and then reopen the file (thus forcing an authentication), the file should open with the perms being enforced, but alas, they are not.
Interestingly, if you go into the Document Properties and then select the Security tab (or just click the Permissions Details button in the DMB) you see that the Restriction Summary shows that everything is allowed, but when you click the Show Details button, which just displays the restrictions applicable to the encryption handler, it shows the correct settings. Of course the real bug isn't that the restriction summary is incorrect, but rather that it is correct and all of the supposedly restricted operations are allowable.
I'll enter this as a bug against 10 along with the ER to add the encryption algorithm as an option to the encryptForRecipients JS function.
Steve -
I would love some help with this issue. I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0 I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS; after selecting the ADFS method, my browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds it returns me to the logon page with the error message "Authentication failed".
I base my setup on the technet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated that all my certificates are valid and that I am able to retrieve the CRL.
I got event ID 300 in the event log:
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71
This is perfectly correct. In my case I was not adding the root properly; you must add the CA and the ADFS certificate as well, which is twice, as you can see below in my results.
In my case it was:
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
-
Windows Server 2008 R2 with multiple Roles OS Rebuild, Need help with Certificates.
Hi,
I have rebuilt a Server for my client and I require help with certificates..
I am unsure exactly what to do to get this server working as it was.
Example, The Windows Server 2008 R2 has Microsoft Exchange, DNS, DHCP, ADDS, FileServices,Network Policy and access Services and Webservices roles installed on a single box.
Since the Server OS Rebuild I am getting 2 issues that pop up usually when Outlook in opened on a client Workstation,
I have not done anything certificate-wise to the server since the OS install, and the messages I get are best described here.
I saw on a backup drive a few certificate files. I don't know if we can use these files for anything, but we have the following files on drive E (Backup):
e:\server.xxxx.com.au\gd_iis_intermediates.p7b
e:\server.xxxx.com.au\server.xxxx.com.au.crt
e:\ssl\2013-2018.cer
1st Message is about a proxy certificate. I don't get this often, but I saw it today and my client clicked OK too quickly.
I have seen it and didn't see it again after closing Outlook and reopening it.
I looked it up on Google Images and tried to find it...
It's like this, (There is a problem with the proxy server's security certificate.
The security certificate is not from a trusted certifying authority.)
2nd Message is about Security Alert, Autodiscover.xxxx.com.au Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the sites security certificate.
-X- The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certificating authority
-TICK- The security certificate date is valid
-X- The name on the security certificate is invalid or does not match the name of the site
Do you want to proceed?
[Yes][No][View Certificate ...]
3rd Message is very Close to the 2nd Message, is about Security Alert, xxxx-server.xxxx.local, Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the sites security certificate.
-X- The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certificating authority
-TICK- The security certificate date is valid
-TICK- The name on the security certificate is invalid or does not match the name of the site
Do you want to proceed?
[Yes][No][View Certificate ...]
If you can help guide me through this, as I'm very new to setting up certificates. I had a friend tell me about something in DNS, but he has been super busy and I want to learn what to do.
Thank you.
Hiya,
Quite a lot of people have the same confusion as you do, so I've written a simple explanation on the subject of certificates:
http://jesperarnecke.wordpress.com/2014/03/22/certificates-simple-explanation/
Let me know if that helps you and if you need further assistance. -
Error in authentication with ldap server with certificate
Hi,
I have a problem authenticating with an LDAP server with a certificate.
Here I am using the Java API to authenticate.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
I issued a new certificate which is valid for up to 5 years.
Will Java authenticate for up to one year only?
Can any body help on this issue...
Regards
Ranga
Sorry, I am getting the same error:
javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
Here, when I use the old certificate and change the system date, I can get authentication.
Can you tell me where we should concentrate to solve the issue?
Where is the issue:
1. Do we need to check with the LDAP server only?
2. Or is the problem in the Java code only?
thanks in advance -
Office 2010 created PDF only bringing up Work with Certificates option with Signing
When creating PDF documents with Microsoft Word 2010, the only Sign option showing is Work With Certificates and is greyed, I Need To Sign and Get Others to Sign is missing. My previous PC with Windows 7/Office 2010 and Reader Xi was able to sign documents. I'm also able on my old XP machine to create a dummy pdf in Word 2010 and sign it in Reader, and on my Windows8/Office 2013/Reader Xi PC. Any idea as to where this might have been broken?
With the PDF file created in 2013, I Ctrl+D'd to get the security settings, as it's commonly suggested that electronic signatures are failing because of a setting there; however, I'm still able to sign it with Signing: Not Allowed and get the full signing menu instead of Work With Certificates.
Hi,
If you meet any problems when using our products, you can post the question here. Please post one question in a single thread, and the question should be posted in the proper forum.
The current forum is for Office 2010 - Planning, Deployment, and Compatibility.
Just as Don mentioned, you may have multiple questions and some of them are not well placed, post them to the correct forum to get the specific support.
Regards,
Melon Chen
TechNet Community Support -
WCF service setup with certificate authentication error
I have a WCF service set up and I need to use a certificate with it, and I am getting numerous errors when I attempt to browse it. The 1st error I get is "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."
This sounds like a straightforward error message, and setting the authentication method in IIS to anonymous resolves being able to browse the service. But I need to use a certificate, and setting authentication to anonymous is obviously not right since we only want those with the proper certificate to access the service. I have all authentication methods in IIS set to disabled when I get the above error message. I have the SSL settings in IIS for the service set to require a certificate as well. I am using IIS 8.5 as well.
Here is my config file, in the hope someone could point me in the correct direction. The service should only work over HTTPS since we are using a certificate, and I need the metadata exposed as well, hence the mexHttpBinding. I have searched the web but no solution is working. Any help is appreciated.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<configSections>
<sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<section name="HEALookupProxy.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</sectionGroup>
</configSections>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication mode="None"></authentication>
</system.web>
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true">
<baseAddressPrefixFilters >
<add prefix="https"/>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<services>
<service name="HEALookupProxy.HEALookupService" behaviorConfiguration="HEALookupServiceBehavior">
<endpoint address="" binding="wsHttpBinding" contract="HEALookupProxy.IHEALookupService" bindingConfiguration="HEALookupConfig" />
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="HEALookupConfig">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="HEALookupServiceBehavior">
<serviceMetadata httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" findValue="certnameremoved" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="false" />
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="user1, user2" />
</authorization>
</security>
</system.webServer>
</configuration>
Hi spark29er,
>>The service should only work over HTTPS since we are using a certificate and I need the meta data exposed as well hence the mexHttpBinding.
For creating the HTTPS WCF service, first please change the mexHttpBinding to mexHttpsBinding as follows:
<endpoint contract="IMetadataExchange" binding="mexHttpsBinding" address="mex" />
For more information, please try to refer to:
#Seven simple steps to enable HTTPS on WCF WsHttp bindings:
http://www.codeproject.com/Articles/36705/simple-steps-to-enable-HTTPS-on-WCF-WsHttp-bindi .
Then please try to check the following article about how to do the certificate authentication on HTTPS WCF Service:
http://blogs.msdn.com/b/imayak/archive/2008/09/12/wcf-2-way-ssl-security-using-certificates.aspx .
Besides, setting the includeExceptionDetailInFaults as false can give us more detailed error information.
Best Regards,
Amy Peng
-
WPA2 security with EAP-TLS user cert auth
I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth. The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer.
When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged. On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this, or why I'm not seeing any traffic between the WLC and NPS radius when attempting cert auth?
Well Well
The WLC or any AAA client acts in pass-through mode after initially generating the EAP-identity request, so it has nothing to do with the EAP type. The AAA client will behave the same no matter if you use PEAP, EAP-TLS or LEAP .....
The error message that you have reported is clearly saying that your client doesn't have a certificate to submit against the back-end authentication server, and accordingly the process fails. If you are not seeing anything sent from the WLC to NPS, it makes sense, because when the WLC initially generates the EAP-identity request your client fails to answer, and accordingly nothing is sent to the NPS server.
In order to verify that, we need 'debug client <mac address of the client>' from the WLC while trying to connect, to make sure that is the case.
Also make sure that your client has a certificate that is bound to a user account defined in your AD in one way or another to have it working.
Please make sure to rate correct answers -
JavaScript to Encrypt with Certificate
I have been having trouble debugging this code. It fails on "this.encryptForRecipients". Please help!! I have double (triple) checked my typing, and I can't seem to find anything incorrect, except that I have one item in 'oGroup', not an array.... I am currently trying to execute this from the console, before I create a folder-level JS. I would prefer to use oEntity without firstName, lastName, and fullName.
Thank you all for your help!
var cerPath = "/C/Documents and Settings/rrh/Desktop/Sample/";
var cerFile = "01PCH004.cer";
var oCert = security.importFromFile("Certificate", cerPath + cerFile);
var oEntity = {firstName:"Fred", lastName:"Smith", fullName:"Fred Smith", certificates:oCert, defaultEncryptCert:oCert};
this.encryptForRecipients({oGroups:[{userEntities:oEntity, permissions:{allowPrinting:"highQuality"}}],
bMetaData : true});
InvalidArgsError: Invalid arguments.
Doc.encryptForRecipients:7:Console undefined:Exec
undefined
-rogge
The variable oEntity was not an array. Brackets were added to make the variable a one-element array:
var oEntity = [{firstName:"Fred", lastName:"Smith", fullName:"Fred Smith", certificates:oCert, defaultEncryptCert:oCert}]; -
Example provided is on 1941 ISR routers with 15.2(2)T1 software. One router has 15.3(1)T.
IKEv2 with pre-shared key comes up fine.
IKEv2 with certificates gives auth exchange fail error
IKEv1 with same certificates comes up fine.
The above were Microsoft CA certificates.
I tried with IOS CA certificates, still auth exchange fail error.
Same results with 3945 and 2911 routers on IOS 15.1(2)T
This is the detail of how I got it working.
sho tech ipsec
------------------ show version ------------------
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 29-Feb-12 20:40 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
happy uptime is 30 minutes
System returned to ROM by power-on
System restarted at 20:26:58 UTC Fri Mar 1 2013
System image file is "flash0:c2900-universalk9-mz.SPA.152-2.T1.bin"
Last reload type: Normal Reload
Last reload reason: power-on
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO2911/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX1621AJFU
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO2911/K9 FTX1621AJFU
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc None None None
data None None None
Configuration register is 0x2102
------------------ show running-config ------------------
Building configuration...
Current configuration : 6483 bytes
! Last configuration change at 20:56:07 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname happy
boot-start-marker
boot-end-marker
security passwords min-length 6
logging buffered 51200 warnings
no logging console
enable secret 4 4Q5iiIH2YznVeGHA3p6Qjm8oBj4LWNDTHjsG21MxgXU
no aaa new-model
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip domain name csfc.com
ip name-server 192.168.1.3
no ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint dc-ca
enrollment terminal
subject-name cn=happy.csfc,c=us
revocation-check none
crypto pki certificate map CRT 10
issuer-name co csfc
crypto pki certificate chain dc-ca
certificate 3F51979A000000000012
3082038E 30820333 A0030201 02020A3F 51979A00 00000000 12300A06 082A8648
CE3D0403 02303B31 13301106 0A099226 8993F22C 64011916 03636F6D 31143012
060A0992 268993F2 2C640119 16046373 6663310E 300C0603 55040313 0564632D
6361301E 170D3133 30333031 31383532 35365A17 0D313530 33303131 38353235
365A3022 310B3009 06035504 06130275 73311330 11060355 0403130A 68617070
792E6373 66633059 30130607 2A8648CE 3D020106 082A8648 CE3D0301 07034200
0429D4D8 F89E295B F7AF826F 86A3F29D EF48FCFF D2374B0F D39CD393 620D3EFD
D484BFA4 3ED08E16 7FDF839D 0FF85690 26C0545C 1B56EC17 7A2E6C1D 5D1A6CD8
DDA38202 36308202 32300B06 03551D0F 04040302 06C0301D 0603551D 0E041604
142DCC8D 554A4853 C4C03B3D 2400E3EA 459406B5 AE301F06 03551D23 04183016
80142389 F56583FC B73D3F11 79A47EAB 96721E76 81AA3081 BB060355 1D1F0481
B33081B0 3081ADA0 81AAA081 A78681A4 6C646170 3A2F2F2F 434E3D64 632D6361
2C434E3D 44432C43 4E3D4344 502C434E 3D507562 6C696325 32304B65 79253230
53657276 69636573 2C434E3D 53657276 69636573 2C434E3D 436F6E66 69677572
6174696F 6E2C4443 3D637366 632C4443 3D636F6D 3F636572 74696669 63617465
5265766F 63617469 6F6E4C69 73743F62 6173653F 6F626A65 6374436C 6173733D
63524C44 69737472 69627574 696F6E50 6F696E74 3081B406 082B0601 05050701
010481A7 3081A430 81A10608 2B060105 05073002 8681946C 6461703A 2F2F2F43
4E3D6463 2D63612C 434E3D41 49412C43 4E3D5075 626C6963 2532304B 65792532
30536572 76696365 732C434E 3D536572 76696365 732C434E 3D436F6E 66696775
72617469 6F6E2C44 433D6373 66632C44 433D636F 6D3F6341 43657274 69666963
6174653F 62617365 3F6F626A 65637443 6C617373 3D636572 74696669 63617469
6F6E4175 74686F72 69747930 3C06092B 06010401 82371507 042F302D 06252B06
01040182 37150881 98D47A81 B6D74A87 A98B18DF C60887B8 D4794787 BCE00C86
9D892C02 01640201 11301306 03551D25 040C300A 06082B06 01050508 0202301B
06092B06 01040182 37150A04 0E300C30 0A06082B 06010505 08020230 0A06082A
8648CE3D 04030203 49003046 022100E7 E5814B90 CE6EABE2 B12C818A 6323160D
632C0551 B765DA29 0CA4BAAC 27325F02 2100E516 11985F3E CDB23FE7 BB91C836
74C457BB 5EA87ED6 3D9DCF41 AE4CDD40 A28F
quit
certificate ca 2C8A76A7904BB4B341B3AAFA9ED387D3
308201DC 30820183 A0030201 0202102C 8A76A790 4BB4B341 B3AAFA9E D387D330
0A06082A 8648CE3D 04030230 3B311330 11060A09 92268993 F22C6401 19160363
6F6D3114 3012060A 09922689 93F22C64 01191604 63736663 310E300C 06035504
03130564 632D6361 301E170D 31333031 32333135 32383435 5A170D31 38303132
33313533 3834345A 303B3113 3011060A 09922689 93F22C64 01191603 636F6D31
14301206 0A099226 8993F22C 64011916 04637366 63310E30 0C060355 04031305
64632D63 61305930 1306072A 8648CE3D 02010608 2A8648CE 3D030107 03420004
EFA5B6B5 BC89C22A B91DDDBB 60034DB9 21655D71 3965177D 9D5956D0 8C45ABC9
38EB4175 44AA06DC 19B94DAB 368AC06C 35077B97 24BE5879 758256FA 03838F2F
A3693067 30130609 2B060104 01823714 0204061E 04004300 41300E06 03551D0F
0101FF04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
0E041604 142389F5 6583FCB7 3D3F1179 A47EAB96 721E7681 AA301006 092B0601
04018237 15010403 02010030 0A06082A 8648CE3D 04030203 47003044 022010BD
C2ADC8B7 C2C05DB2 CFE2E78A B3A47E2E 8A3193CA 607E4AE3 EEF105F0 42CE0220
056C951C 45ECD966 DFA9BADB 9F1CC71E 8F029C12 F94593A6 21B50A49 C1E62581
quit
license udi pid CISCO2911/K9 sn FTX1621AJFU
username csfc privilege 15 secret 4
username admin privilege 15 secret 4
username Happy privilege 15 secret 4
redundancy
crypto ikev2 proposal prop-1
encryption aes-cbc-256
integrity sha256
group 19
crypto ikev2 policy policy1
proposal prop-1
crypto ikev2 profile default
match certificate CRT
identity local dn
authentication local ecdsa-sig
authentication remote rsa-sig
authentication remote ecdsa-sig
pki trustpoint dc-ca
no crypto ikev2 diagnose error
no crypto ikev2 http-url cert
crypto ikev2 certificate-cache 750
crypto ikev2 fragmentation mtu 1400
crypto logging ikev2
crypto ipsec transform-set SEC esp-aes esp-sha256-hmac
crypto ipsec profile default
set transform-set SEC
set ikev2-profile default
interface Tunnel0
no ip address
interface Tunnel1
ip address 192.168.100.1 255.255.255.0
tunnel source GigabitEthernet0/1
tunnel destination 192.168.11.42
tunnel protection ipsec profile default
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.40 255.255.255.0
duplex full
speed auto
interface GigabitEthernet0/1
ip address 192.168.11.41 255.255.255.252
duplex full
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 192.168.2.0 255.255.255.0 Tunnel1
no cdp advertise-v2
control-plane
banner login ^CCPLEEEESE!^C
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
sntp server 192.168.1.3 version 3
end
------------------ show crypto tech-support ------------------
------------------ show crypto isakmp sa count ------------------
Active ISAKMP SA's: 0
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0
------------------ show crypto ipsec sa count ------------------
IPsec SA total: 2, active: 2, rekeying: 0, unused: 0, invalid: 0
------------------ show crypto isakmp sa detail ------------------
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
IPv6 Crypto ISAKMP SA
------------------ show crypto ipsec sa detail ------------------
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.11.41
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.11.41/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.11.42/255.255.255.255/47/0)
current_peer 192.168.11.42 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
#pkts decaps: 275, #pkts decrypt: 275, #pkts verify: 275
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 192.168.11.41, remote crypto endpt.: 192.168.11.42
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x1DF8CFFA(502845434)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBF473CF2(3209116914)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4181836/3479)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1DF8CFFA(502845434)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4181837/3479)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
------------------ show crypto session summary ------------------
------------------ show crypto session detail ------------------
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel1
Uptime: 00:02:00
Session status: UP-ACTIVE
Peer: 192.168.11.42 port 500 fvrf: (none) ivrf: (none)
Phase1_id: cn=grumpy.csfc,c=us
Desc: (none)
IKEv2 SA: local 192.168.11.41/500 remote 192.168.11.42/500 Active
Capabilities:(none) connid:3 lifetime:23:58:00
IPSEC FLOW: permit 47 host 192.168.11.41 host 192.168.11.42
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 275 drop 0 life (KB/Sec) 4181836/3479
Outbound: #pkts enc'ed 271 drop 0 life (KB/Sec) 4181837/3479
------------------ show crypto isakmp peers ------------------
------------------ show crypto ruleset detail ------------------
Mtree:
199 VRF 0 11 192.168.11.41/500 ANY Forward, Forward
299 VRF 0 11 192.168.11.41/4500 ANY Forward, Forward
200000199 VRF 0 11 ANY/848 ANY Forward, Forward
200000299 VRF 0 11 ANY ANY/848 Forward, Forward
6553700000000000101 VRF 0 2F 192.168.11.41 192.168.11.42 Discard/notify, Encrypt
6553700000000000199 VRF 0 2F 192.168.11.41 192.168.11.42 Discard/notify, Discard/notify
------------------ show processes memory | include Crypto IKMP ------------------
260 0 5432 880 18424 3 3 Crypto IKMP
------------------ show processes cpu | include Crypto IKMP ------------------
260 0 6 0 0.00% 0.00% 0.00% 0 Crypto IKMP
------------------ show crypto eli ------------------
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 0 active, 3200 max, 0 failed
------------------ show cry engine accelerator statistic ------------------
Device: Onboard VPN
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 1826 seconds ago
0 packets in 0 packets out
0 bytes in 0 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 0 packets encrypted
0 bytes before decrypt 0 bytes encrypted
0 bytes decrypted 0 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
0 packets in 0 packets out
0 paks/sec in 0 paks/sec out
0 bits/sec in 0 bits/sec out
0 bytes decrypted 0 bytes encrypted
0 Kbits/sec decrypted 0 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
------------------ show cry isakmp diagnose error ------------------
Exit Path Table - status: disable, current entry 0, deleted 0, max allow 10
------------------ show cry isakmp diagnose error count ------------------
Exit Trace counters
------------------ show crypto call admission statistics ------------------
Crypto Call Admission Control Statistics
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 0 active: 0 negotiating: 0
Incoming IPSEC Requests: 0 accepted: 0 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0
Phase1.5 SAs under negotiation: 0
sho ip int bri
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 192.168.1.40 YES NVRAM up up
GigabitEthernet0/1 192.168.11.41 YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
Tunnel0 unassigned YES unset up down
Tunnel1 192.168.100.1 YES NVRAM up up
happy#
happy#sho crypto pki cert verb
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3F51979A000000000012
Certificate Usage: Signature
Issuer:
cn=dc-ca
dc=csfc
dc=com
Subject:
Name: happy.csfc
cn=happy.csfc
c=us
CRL Distribution Points:
ldap:///CN=dc-ca,CN=DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=csfc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 18:52:56 UTC Mar 1 2013
end date: 18:52:56 UTC Mar 1 2015
Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: BF234623 9E7F2C73 EBE07B0A 9E89FC76
Fingerprint SHA1: DB8A8D50 23D9E2DD AC2ED2DC 5A857569 279F44D5
X509v3 extensions:
X509v3 Key Usage: C0000000
Digital Signature
Non Repudiation
X509v3 Subject Key ID: 2DCC8D55 4A4853C4 C03B3D24 00E3EA45 9406B5AE
X509v3 Authority Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
Authority Info Access:
Extended Key Usage:
1.3.6.1.5.5.8.2.2
Associated Trustpoints: dc-ca
Storage: nvram:dc-ca#12.cer
Key Label: happy.csfc.com
Key storage device: private config
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 2C8A76A7904BB4B341B3AAFA9ED387D3
Certificate Usage: Signature
Issuer:
cn=dc-ca
dc=csfc
dc=com
Subject:
cn=dc-ca
dc=csfc
dc=com
Validity Date:
start date: 15:28:45 UTC Jan 23 2013
end date: 15:38:44 UTC Jan 23 2018
Subject Key Info:
Public Key Algorithm: rsaEncryption
EC Public Key: (256 bit)
Signature Algorithm: SHA256 with ECDSA
Fingerprint MD5: 1F937411 4DB57036 73D54124 E50E83FC
Fingerprint SHA1: E78FE0BF DF5F168A 67860C48 78EC427C 66FE551A
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: dc-ca
Storage: nvram:dc-ca#87D3CA.cer
happy#sho crypt key mypubkey all
% Key pair was generated at: 18:44:07 UTC Mar 1 2013
Key name: eckey
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 4200049A 28E9709A
2F81DEE9 9ED27787 B790D3B4 487B3F2D DBA06E95 43298A54 19A3B0B7 E9107223
5CB9F3CD 9D8BD0E9 9AB9FFC4 698C1912 CBADC469 9E7CD6D3 46E5A2
% Key pair was generated at: 18:49:21 UTC Mar 1 2013
Key name: happy.csfc.com
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 42000429 D4D8F89E
295BF7AF 826F86A3 F29DEF48 FCFFD237 4B0FD39C D393620D 3EFDD484 BFA43ED0
8E167FDF 839D0FF8 569026C0 545C1B56 EC177A2E 6C1D5D1A 6CD8DD
happy# sho crypto ike2 v2 session detail
IPv4 Crypto IKEv2 Session
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.11.41/500 192.168.11.42/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/339 sec
CE id: 1084, Session-id: 1
Status Description: Negotiation done
Local spi: 239BE9D173BFD509 Remote spi: C7A295975E26147B
Local id: cn=happy.csfc,c=us
Remote id: cn=grumpy.csfc,c=us
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Child sa: local selector 192.168.11.41/0 - 192.168.11.41/65535
remote selector 192.168.11.42/0 - 192.168.11.42/65535
ESP spi in/out: 0xBF473CF2/0x1DF8CFFA
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 128, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
IPv6 Crypto IKEv2 Session
happy#sho crypto ikev2 session sa detail
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
3 192.168.11.41/500 192.168.11.42/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
Life/Active Time: 86400/386 sec
CE id: 1084, Session-id: 1
Status Description: Negotiation done
Local spi: 239BE9D173BFD509 Remote spi: C7A295975E26147B
Local id: cn=happy.csfc,c=us
Remote id: cn=grumpy.csfc,c=us
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
IPv6 Crypto IKEv2 SA
happy#sho crypto ikev2 sa detail stats
Crypto IKEv2 SA Statistics
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego: 1000
Total IKEv2 SA Count: 1 active: 1 negotiating: 0
Incoming IKEv2 Requests: 34 accepted: 34 rejected: 0
Outgoing IKEv2 Requests: 50 accepted: 50 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
happy#exit -
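The `certificate ca 2C8A76A7904BB4B341B3AAFA9ED387D3` block in the running-config above is the CA's DER certificate printed as IOS hex words; everything that `show crypto pki certificates verbose` later reports for the CA certificate (serial, validity dates, Subject Key ID, fingerprints) is derived from those bytes. The example below is added here and is not Cisco's code or the poster's: it uses a minimal standard-library DER walker (the `ATTR_NAMES` table and all function names are my own) to pull the serial number, issuer and subject, validity window and algorithm OIDs out of the block exactly as pasted, and to answer the question an operator most wants answered before an `ecdsa-sig` IKEv2 peer stops authenticating: is the CA certificate still inside its validity window on a given date. It also shows that the SubjectPublicKeyInfo algorithm is id-ecPublicKey on prime256v1, something the "Public Key Algorithm: rsaEncryption" line in the show output does not make obvious.

```python
"""Added example (not Cisco code): decode the DER certificate that IOS stores as hex
words under 'crypto pki certificate chain' and check its validity window."""
import hashlib
from datetime import datetime, timezone
# 'certificate ca 2C8A...' block copied verbatim from the running-config above.
IOS_CA_CERT_HEX = """
308201DC 30820183 A0030201 0202102C 8A76A790 4BB4B341 B3AAFA9E D387D330
0A06082A 8648CE3D 04030230 3B311330 11060A09 92268993 F22C6401 19160363
6F6D3114 3012060A 09922689 93F22C64 01191604 63736663 310E300C 06035504
03130564 632D6361 301E170D 31333031 32333135 32383435 5A170D31 38303132
33313533 3834345A 303B3113 3011060A 09922689 93F22C64 01191603 636F6D31
14301206 0A099226 8993F22C 64011916 04637366 63310E30 0C060355 04031305
64632D63 61305930 1306072A 8648CE3D 02010608 2A8648CE 3D030107 03420004
EFA5B6B5 BC89C22A B91DDDBB 60034DB9 21655D71 3965177D 9D5956D0 8C45ABC9
38EB4175 44AA06DC 19B94DAB 368AC06C 35077B97 24BE5879 758256FA 03838F2F
A3693067 30130609 2B060104 01823714 0204061E 04004300 41300E06 03551D0F
0101FF04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
0E041604 142389F5 6583FCB7 3D3F1179 A47EAB96 721E7681 AA301006 092B0601
04018237 15010403 02010030 0A06082A 8648CE3D 04030203 47003044 022010BD
C2ADC8B7 C2C05DB2 CFE2E78A B3A47E2E 8A3193CA 607E4AE3 EEF105F0 42CE0220
056C951C 45ECD966 DFA9BADB 9F1CC71E 8F029C12 F94593A6 21B50A49 C1E62581
"""
ATTR_NAMES = {"2.5.4.3": "cn", "0.9.2342.19200300.100.1.25": "dc"}  # enough for these names

def ios_hex_to_der(blob):
    """IOS prints DER as 8-hex-digit words; drop the whitespace and decode."""
    return bytes.fromhex("".join(blob.split()))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                     # (tag, value) of every element in a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def decode_oid(raw):
    """Dotted OID from DER content octets (first octet packs the first two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                    # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = raw.decode("ascii")
    if tag == 0x17:                      # RFC 5280: two-digit year < 50 means 20YY
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def name_to_string(name):
    """Render an X.501 Name the way 'show crypto pki certificates' lists it."""
    rdns = []
    for _, rdn_set in children(name):
        for _, atv in children(rdn_set):
            (_, oid), (_, val) = list(children(atv))
            rdns.append(f"{ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))}={val.decode()}")
    return ",".join(reversed(rdns))      # IOS prints the most specific RDN first

def parse_ios_certificate(blob):
    """Walk Certificate -> tbsCertificate and return the fields an operator checks."""
    der = ios_hex_to_der(blob)
    _, cert, _ = read_tlv(der, 0)
    _, tbs, pos = read_tlv(cert, 0)
    _, outer_sig_alg, _ = read_tlv(cert, pos)
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:             # [0] EXPLICIT version, present in v3 certs
        fields = fields[1:]
    serial, tbs_sig_alg, issuer, validity, subject, spki = fields[:6]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity[1]))
    # AlgorithmIdentifier inside SubjectPublicKeyInfo: key-type OID + named-curve OID
    key_oid, curve_oid = (decode_oid(v) for _, v in children(next(children(spki[1]))[1]))
    sig_oid = decode_oid(next(children(outer_sig_alg))[1])
    if decode_oid(next(children(tbs_sig_alg[1]))[1]) != sig_oid:
        raise ValueError("signatureAlgorithm differs from tbsCertificate.signature")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    return {"serial_hex": serial[1].hex().upper(),
            "issuer": name_to_string(issuer[1]), "subject": name_to_string(subject[1]),
            "not_before": not_before, "not_after": not_after,
            "signature_oid": sig_oid,    # 1.2.840.10045.4.3.2 = ecdsa-with-SHA256
            "public_key_oid": key_oid,   # 1.2.840.10045.2.1 = id-ecPublicKey
            "curve_oid": curve_oid,      # 1.2.840.10045.3.1.7 = prime256v1
            "sha1_fingerprint": " ".join(sha1[i:i + 8] for i in range(0, 40, 8))}

def is_valid_at(info, when):
    """True when 'when' (datetime or ISO-8601 string, UTC if naive) is inside the window."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return info["not_before"] <= when <= info["not_after"]
```

`parse_ios_certificate(IOS_CA_CERT_HEX)` returns serial `2C8A76A7904BB4B341B3AAFA9ED387D3`, subject and issuer `cn=dc-ca,dc=csfc,dc=com` (a self-signed CA, as the Basic Constraints extension in the same block says), and the validity window 2013-01-23 15:28:45 UTC to 2018-01-23 15:38:44 UTC, matching the `show crypto pki certificates verbose` output later in the post; `sha1_fingerprint` can be compared with the `Fingerprint SHA1` line of that output. `is_valid_at(info, "2018-02-01")` is False, which is the condition that would make every peer validated through trustpoint `dc-ca` fail authentication at the next IKEv2 rekey.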
Hello All,
I am fairly new to Java and Tomcat etc. as I came from a non-Java\Tomcat previous role, but have inherited a project which is a Java servlet (Java 1.6.0.29) running on Windows with Tomcat (Tomcat 7) as the container. The servlet communicates with both an Oracle database on a Unix server and a SQL Server database on a Windows server. I now need to secure the communication with the SQL Server database using SSL (two-way communication) and would really like some straightforward guidance on how to do this, i.e. what exactly do I do?
I ask this because there is a lot of information on the Tomcat website and other websites, but I find it becomes very ambiguous and confusing. They mostly talk about setting up a keystore for the root certificate on the server and then say nothing about the "client". In my servlet's situation the server hosting SQL Server is the "server" and the server hosting the servlet is the "client". The server hosting the servlet ("the client") already has a keystore set up on it to handle the encryption to the Oracle database and an entry to suit in the Tomcat server.xml file.
Any assistance would be greatly appreciated. I am really stuck with this.
Thank you in advance
Alanjo
On 01/14/2014 06:11 AM, Alan Farroll wrote:
> Hi all,
>
> I could not find a more appropriate forum in Eclipse for this question
> so have placed it in newcomers as I am still quite new to Java\Eclipse
>
> We are working on a Java servlet application that involves security with
> SSL to allow the servlet to run from a server outside our firewall and
> interrogate databases inside our firewall. It runs on Tomcat 7 and is built
> on Java 1.6.0.29
>
> We have had no problems running the servlet on the Test server within
> the firewall but when running on the Live server outside the firewall
> the SoapUI request returns nothing and the current Tomcat log error is
> "java.lang.RuntimeException: Could not generate dummy secret"
>
> The problems seem to be with the jce.jar and the sunJCE_provider.jar.
>
> Has anybody any assistance they could provide please.
>
> Thanks in advance
>
> AJF
The live server doesn't have access to the right JARs? Maybe this will help?
http://www.javahotchocolate.com/notes/jce-policy.html -
I used Adobe Reader XI to sign PDFs with a certificate, which worked perfectly. Except that the PDF could still be edited by other programs (for example, Nitro PDF) after the signing (but not the fill-out fields and the signature). Applying password protection makes sense to avoid changes being made to the PDF after it has been signed. So I applied password protection via Nitro PDF that allows only filling out fields and signing. But when I open it with Adobe Reader, the filling out works fine, but the signing part is not available to click on (all of the buttons under the "Sign" tab are grey). When I go to the Security properties in Adobe Reader, I can explicitly see that signing of this PDF is allowed, and yet the option is not open to use for me anymore.
Any ideas on why it is the case and what I could do about that?
Many thanks!
O.
Actually yes, I just asked my colleague to assist me with this; he password-protected the PDF with Acrobat 8, explicitly allowing the signing and fill-out functions. It also appears in Adobe Reader under security properties as "allowed", but it is not open to use in the Reader for me anymore (grey buttons).
-
How to authenticate with certificate?
I want to try to build a more secure LAN. I want every client (wired/wireless) connecting to the network to use a certificate, not a user/password pair.
But now, as I am a newbie, I don't know what to choose between TACACS+ and RADIUS. Because I have a Mac mini, maybe RADIUS is more suitable, but I don't know how to establish the CA.
Any help or suggestion will be appreciated!
We most typically do this in the context of implementing a product like Cisco's Identity Services Engine (ISE). ISE uses 802.1x and has the ability to check clients for things like a certificate during the authentication / posture assessment / remediation process.
It also acts as a RADIUS server and can dynamically push out a Change of Authorization (CoA) to the authenticator (i.e. switch or wireless controller) in order to control things like client VLAN assignment and any access-lists you may want to apply.
On the client side, a supplicant is used to interact with the authenticator. You can use native supplicants from OS X or Windows etc. but we generally recommend use of Cisco's AnyConnect Secure Mobility client with its Network Access Module (NAM) as it's much more full-featured for that purpose.
You could also do 802.1x with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server) but you would just get more basic authentication vs. the rich functionality ISE gives (albeit ISE costs a lot more ;) ).
Have a look at this Youtube video for an example of setting up certificate authentication on ACS:
https://www.youtube.com/watch?v=U7qWJ7bIMHA -
White Paper: End-to-End Client/Server Security with the Adobe Flash Platform
Today we released a sorely needed white paper on end-to-end client/server security with the Adobe Flash Platform. This information is directly applicable to the Adobe LiveCycle family as well as Flash RIAs.
http://www.slinnbooks.com/books/enterprise/securityWhitePaper.shtml
Thank you,
Mike
Michael Slinn
http://micronauticsresearch.com
http://slinnbooks.com
Hi,
Delete the certificate in the ABAP system and try importing the new certificate from the EP instance (ADS) and export into the ABAP and check...
Thanks and Regards,