ACE as ssl client

Similar Messages

• ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client

  Hi
  Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
  Example:
  Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
  The "client" Server does not support SSL.
  Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
  Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
  Regards

  Hello Byron,
  Yes, the ACE can do it
  Here you have some of the flavors of SSL with the ACE.
  Here you have a sample about it:
  parameter-map type http CASE_PARAM
    case-insensitive
    persistence-rebalance
    set header-maxparse-length 65535
    set content-maxparse-length 65535
  class-map match-all CLEAR_TEXT_VIP
    2 match virtual-address 172.20.120.19 tcp eq www
  policy-map multi-match JORGE-MULTIMATCH
    class CLEAR_TEXT_VIP
      loadbalance vip inservice
      loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
      loadbalance vip icmp-reply active
      appl-parameter http advanced-options CASE_PARAM
  policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
    class class-default
      serverfarm ENCRYPTED-SERVERFARM
      ssl-proxy client SSL-PROXY-JORGE
  ssl-proxy service SSL-PROXY-JORGE
    key TAC-key
    cert TAC-cert
  serverfarm host ENCRYPTED-SERVERFARM
    rserver JORGE-SERVER 443
      inservice
  Here you have some additional details under the configuration guide:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
  Here you have some additional samples:
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
  Hope this helps for you and fix your issue
  Jorge

• ACE 4710 & SSL Offloading

  I testing the 4710 for load balancing between 2 web servers. I have the http portion working just fine but would like to get some input on the SSL portion.
  We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
  My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
  Description of the web application usage:
  Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

  Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
  Am I correct?

• SSL Client example from dev2dev

  Bruce,
  I still have some questions unaswered.
  1. Is there any "default" list of trusted CA that is used during handshake?
  The SSLClient example does not have any references to trusted CA files. The
  weblogic.webservice.client.ssl.trustedcerts property returns null. What
  trusted CA is used in the SSLClient example? Considering the plural name of
  the property, should it contain only one file name, or it can contain
  several file names? Order? Delimiter?
  2. I copied the SSL setup code from SSLClient to my own web service client,
  but it does not work. My web service is made of stateless session bean, and
  wsdl is generated dynamically. Is it possible, that certain wsdl settings
  could affect handshake process? Maybe I need to copy certain wsdl tags from
  the example?
  3. What username/password should I use in IE when "Enter network password"
  dialog is presented? The combination used to start weblogic server does not
  work. The same combination works for non-SSL client. Why?
  Thanks,
  Michael J.
  "Bruce Stephens" <[email protected]> wrote in message
  news:[email protected]...
  Hi Michael,
  Thanks for the good feedback and this will be incorporated into a revised
  example.
  Concerning your questions toward the end, to set the list of trusted CA
  certificates, you need the CA certificate in a file and you need to setthis
  System property to the filename:
  weblogic.webservice.client.ssl.trustedcerts
  To turn off strict hostname checking during certificate validation, youneed to
  set this property to "false":
  weblogic.webservice.client.ssl.strictcertchecking
  Thanks again,
  Bruce
  Michael Jouravlev wrote:
  Bruce,
  here are some issues that I wish you could help me with.
  1) package.html from the simpleSSL example is outdated. The links posted
  here do not work. Considering "Please pay careful attention" phrase I am
  a
  little bit worried if I missed something in my SSL configuration.
  === cut here ===
  You must first setup and verify your WLS SSL configuration.
  1. Set up your development shell as described in Quick Start.
  2. Startup the WebLogic Server.
  3. Monitor the log file for any errors.
  4. Use the console and configure the WebLogic Service security asdescribed
  by:
  http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
  Please pay careful attention to this step, especially concerning theSSL
  protocol configuration:
  http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
  === cut here ===
  I use the following information:
  1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to
  configure
  server-wide SSL setup
  2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to
  configure web service-related SSL setup.
  2) In "Setup and verify the toUpper WebService" chapter the linksentitled
  http://localhost:7001/toUpper/toUpper and
  http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal,
  but
  maybe you would like to correct this.
  3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I tryto
  connect to https://localhost:7002/toUpper/toUpper , I receive the
  "Security
  Alert" dialog (I am using IE5) that there is a problem with security
  certificate: name of the certificate does not match the name of thesite. It
  is OK, because it is demo certificate. (Should I do "View
  Certificate/Install Certificate" to proceed successfully or just to say
  "Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do wantto
  proceed. In the next window is "Do you want to display nonsecure items?"I
  say "yes" and I am brought to the the test page. Now, when I try to testthe
  service, I click on "toUpper" link and am presented with sample text and
  "Invoke" button.
  And when I press "Invoke" I am presented with a dialog window "Enternetwork
  password" containing: Site: localhost, Realm: default, User name:
  <blank>, Password: <blank>. So, the first serious issue is: what username
  and password should I use? I tried username and password that I used to
  start the server in set WLS_USER=<username> and set WLS_PW=<password> in
  startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does notwork
  either. What should I submit??? I did not change any security setting inmy
  WebLogic server aside of SSL settings (all this realm stuff is greek tome.)
  >>
  After "Enter network password" dialog fails to verify a user, I get apage
  with the following text: "Failed to retrieve WSDL from
  https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and
  the
  protocol: Write Channel Closed, possible SSL handshaking or trustfailure"
  >>
  Interesting enough, if I try to go directly to the link
  https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any
  problem
  and without any password windows. What is happening here?
  4) OK, I still want to run the Client. I modified ToUpperPort_Stub.javain
  order for it to be compiled. I changed super( _port,ToUpperPort.class );
  to super( _port ); I am using WL7.0 GA and I am not sure, is the callthat I
  changed comes from the earlier Beta versions or from 7.0.0.1. Anyway,the
  original code does not work on 7.0GA. I successfully did run both Mainand
  Main2 without username/password and with it. I also usedusername/password
  from startWebLogic.cmd file and they worked. Why they do not work when Itry
  to call test page from web browser?
  5) Finally I compiled and did run the SSLClient. It worked. But the
  questions here are:
  BEA_HOME environment variable is not defined, and WebLogic SSL
  implementation is used. How licence.bea was found while running theclient?
  When I tried to build my own client, I got a message that I license fileis
  needed. Or is it needed only if the client library webservices+ssl.jaris
  used?
  The most important question: What trusted CA is used by client and how
  client finds it? No certificates are in the SSLClient directory and no
  property settings telling where to find it. It is a puzzle for my why it
  works here and why my own client does not work when the CA is supplied.
  Thank you,
  Michael J.

  Hi Michael,
  I've asked our security folks to help answer your questions. The
  weblogic.webservice.client.ssl.trustedcertfile file (located on the client
  application computer) contains the certificates of CA (certificate authority).
  The CAs are trusted to issue WebLogic Server certificates. The file can also
  contain certificates that you trust directly. The file contains a collection of
  PEM-encoded certificates. See:
  http://e-docs.bea.com/wls/docs70/webserv/security.html#1056434
  There shouldn't be any WSDL changes/tags required.
  HTHs,
  Bruce
  Michael Jouravlev wrote:
  Bruce,
  I still have some questions unaswered.
  1. Is there any "default" list of trusted CA that is used during handshake?
  The SSLClient example does not have any references to trusted CA files. The
  weblogic.webservice.client.ssl.trustedcerts property returns null. What
  trusted CA is used in the SSLClient example? Considering the plural name of
  the property, should it contain only one file name, or it can contain
  several file names? Order? Delimiter?
  2. I copied the SSL setup code from SSLClient to my own web service client,
  but it does not work. My web service is made of stateless session bean, and
  wsdl is generated dynamically. Is it possible, that certain wsdl settings
  could affect handshake process? Maybe I need to copy certain wsdl tags from
  the example?
  3. What username/password should I use in IE when "Enter network password"
  dialog is presented? The combination used to start weblogic server does not
  work. The same combination works for non-SSL client. Why?
  Thanks,
  Michael J.
  "Bruce Stephens" <[email protected]> wrote in message
  news:[email protected]...
  Hi Michael,
  Thanks for the good feedback and this will be incorporated into a revised
  example.
  Concerning your questions toward the end, to set the list of trusted CA
  certificates, you need the CA certificate in a file and you need to setthis
  System property to the filename:
  weblogic.webservice.client.ssl.trustedcerts
  To turn off strict hostname checking during certificate validation, youneed to
  set this property to "false":
  weblogic.webservice.client.ssl.strictcertchecking
  Thanks again,
  Bruce
  Michael Jouravlev wrote:
  Bruce,
  here are some issues that I wish you could help me with.
  1) package.html from the simpleSSL example is outdated. The links posted
  here do not work. Considering "Please pay careful attention" phrase I am
  a
  little bit worried if I missed something in my SSL configuration.
  === cut here ===
  You must first setup and verify your WLS SSL configuration.
  1. Set up your development shell as described in Quick Start.
  2. Startup the WebLogic Server.
  3. Monitor the log file for any errors.
  4. Use the console and configure the WebLogic Service security asdescribed
  by:
  http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
  Please pay careful attention to this step, especially concerning theSSL
  protocol configuration:
  http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
  === cut here ===
  I use the following information:
  1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to
  configure
  server-wide SSL setup
  2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to
  configure web service-related SSL setup.
  2) In "Setup and verify the toUpper WebService" chapter the linksentitled
  http://localhost:7001/toUpper/toUpper and
  http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal,
  but
  maybe you would like to correct this.
  3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I tryto
  connect to https://localhost:7002/toUpper/toUpper , I receive the
  "Security
  Alert" dialog (I am using IE5) that there is a problem with security
  certificate: name of the certificate does not match the name of thesite. It
  is OK, because it is demo certificate. (Should I do "View
  Certificate/Install Certificate" to proceed successfully or just to say
  "Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do wantto
  proceed. In the next window is "Do you want to display nonsecure items?"I
  say "yes" and I am brought to the the test page. Now, when I try to testthe
  service, I click on "toUpper" link and am presented with sample text and
  "Invoke" button.
  And when I press "Invoke" I am presented with a dialog window "Enternetwork
  password" containing: Site: localhost, Realm: default, User name:
  <blank>, Password: <blank>. So, the first serious issue is: what username
  and password should I use? I tried username and password that I used to
  start the server in set WLS_USER=<username> and set WLS_PW=<password> in
  startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does notwork
  either. What should I submit??? I did not change any security setting inmy
  WebLogic server aside of SSL settings (all this realm stuff is greek tome.)
  After "Enter network password" dialog fails to verify a user, I get apage
  with the following text: "Failed to retrieve WSDL from
  https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and
  the
  protocol: Write Channel Closed, possible SSL handshaking or trustfailure"
  Interesting enough, if I try to go directly to the link
  https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any
  problem
  and without any password windows. What is happening here?
  4) OK, I still want to run the Client. I modified ToUpperPort_Stub.javain
  order for it to be compiled. I changed super( _port,ToUpperPort.class );
  to super( _port ); I am using WL7.0 GA and I am not sure, is the callthat I
  changed comes from the earlier Beta versions or from 7.0.0.1. Anyway,the
  original code does not work on 7.0GA. I successfully did run both Mainand
  Main2 without username/password and with it. I also usedusername/password
  from startWebLogic.cmd file and they worked. Why they do not work when Itry
  to call test page from web browser?
  5) Finally I compiled and did run the SSLClient. It worked. But the
  questions here are:
  BEA_HOME environment variable is not defined, and WebLogic SSL
  implementation is used. How licence.bea was found while running theclient?
  When I tried to build my own client, I got a message that I license fileis
  needed. Or is it needed only if the client library webservices+ssl.jaris
  used?
  The most important question: What trusted CA is used by client and how
  client finds it? No certificates are in the SSLClient directory and no
  property settings telling where to find it. It is a puzzle for my why it
  works here and why my own client does not work when the CA is supplied.
  Thank you,
  Michael J.

• Using JSSE : "Invalid Netscape CertType extension for SSL client" Error

  Hi all,
  Im using the sample code given sun site for JSSE with Client Authentication. The sample as such it worked with the testkeys provided in that. But it didn't workout when I tried using other certificates.
  Both client and server certificates I generated from our internal Netscape Certificate Manager.
  Function of the server :
  The server will read a private key from the given keystore and starts listening on a port. This server will server only GET request.
  Function of the client :
  The Client sends a GET request to the server and gets the response back.
  I simply changed the key store name alone in the working sample code.
  It is not working.
  The Exception thrown on client side :
  D:\users\Jp\java\jssesamples\sockets\client\class>java SSLSocketClientWithClientAuth1 localhost 1089 /urls
  localhost
  1089
  /urls
  java.net.SocketException: Software caused connection abort: socket write error
  at java.net.SocketOutputStream.socketWrite0(Native Method)
  at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
  at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
  at com.sun.net.ssl.internal.ssl.OutputRecord.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
  at SSLSocketClientWithClientAuth1.main(SSLSocketClientWithClientAuth1.java:119)
  Exception thrown on server side :
  D:\users\Jp\java\jssesamples\sockets\server\class>java ClassFileServer 1089 . TLS true
  USAGE: java ClassFileServer port docroot [TLS [true]]
  If the third argument is TLS, it will start as
  a TLS/SSL file server, otherwise, it will be
  an ordinary file server.
  If the fourth argument is true,it will require
  client authentication as well.
  javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
  at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
  at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
  at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
  at java.io.InputStreamReader.read(InputStreamReader.java:167)
  at java.io.BufferedReader.fill(BufferedReader.java:136)
  at java.io.BufferedReader.readLine(BufferedReader.java:299)
  at java.io.BufferedReader.readLine(BufferedReader.java:362)
  at ClassServer.getPath(ClassServer.java:162)
  at ClassServer.run(ClassServer.java:109)
  at java.lang.Thread.run(Thread.java:536)
  Caused by: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(DashoA6275)
  at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(DashoA6275)
  ... 17 more
  error writing response: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExce
  ption: Invalid Netscape CertType extension for SSL client
  javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: java.security.cert.Certificate
  Exception: Invalid Netscape CertType extension for SSL client
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.e(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
  at java.io.DataOutputStream.writeBytes(DataOutputStream.java:256)
  at ClassServer.run(ClassServer.java:128)
  at java.lang.Thread.run(Thread.java:536)
  Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Netscape CertType extension
  for SSL client
  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
  at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
  at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
  at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
  at java.io.InputStreamReader.read(InputStreamReader.java:167)
  at java.io.BufferedReader.fill(BufferedReader.java:136)
  at java.io.BufferedReader.readLine(BufferedReader.java:299)
  at java.io.BufferedReader.readLine(BufferedReader.java:362)
  at ClassServer.getPath(ClassServer.java:162)
  at ClassServer.run(ClassServer.java:109)
  ... 1 more
  Caused by: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(DashoA6275)
  at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(DashoA6275)
  ... 17 more
  The Client code :
  * @(#)SSLSocketClientWithClientAuth.java     1.5 01/05/10
  * Copyright 1995-2002 Sun Microsystems, Inc. All Rights Reserved.
  * Redistribution and use in source and binary forms, with or
  * without modification, are permitted provided that the following
  * conditions are met:
  * -Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * -Redistribution in binary form must reproduct the above copyright
  * notice, this list of conditions and the following disclaimer in
  * the documentation and/or other materials provided with the
  * distribution.
  * Neither the name of Sun Microsystems, Inc. or the names of
  * contributors may be used to endorse or promote products derived
  * from this software without specific prior written permission.
  * This software is provided "AS IS," without a warranty of any
  * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
  * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
  * EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
  * DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
  * RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
  * ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
  * FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
  * SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
  * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
  * THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  * You acknowledge that Software is not designed, licensed or
  * intended for use in the design, construction, operation or
  * maintenance of any nuclear facility.
  import java.net.*;
  import java.io.*;
  import javax.net.ssl.*;
  import javax.security.cert.X509Certificate;
  import java.security.KeyStore;
  * This example shows how to set up a key manager to do client
  * authentication if required by server.
  * This program assumes that the client is not inside a firewall.
  * The application can be modified to connect to a server outside
  * the firewall by following SSLSocketClientWithTunneling.java.
  public class SSLSocketClientWithClientAuth1 {
  public static void main(String[] args) throws Exception {
       String host = null;
       int port = -1;
       String path = null;
       for (int i = 0; i < args.length; i++)
       System.out.println(args);
       if (args.length < 3) {
       System.out.println(
            "USAGE: java SSLSocketClientWithClientAuth " +
            "host port requestedfilepath");
       System.exit(-1);
       try {
       host = args[0];
       port = Integer.parseInt(args[1]);
       path = args[2];
       } catch (IllegalArgumentException e) {
       System.out.println("USAGE: java SSLSocketClientWithClientAuth " +
            "host port requestedfilepath");
       System.exit(-1);
       try {
       * Set up a key manager for client authentication
       * if asked by the server. Use the implementation's
       * default TrustStore and secureRandom routines.
       SSLSocketFactory factory = null;
       try {
            SSLContext ctx;
            KeyManagerFactory kmf;
            KeyStore ks;
            char[] passphrase = "passphrase".toCharArray();
            ctx = SSLContext.getInstance("TLS");
            kmf = KeyManagerFactory.getInstance("SunX509");
            ks = KeyStore.getInstance("JKS");
  //          ks.load(new FileInputStream("testkeys"), passphrase);
            ks.load(new FileInputStream("clientkey"), passphrase);
            kmf.init(ks, passphrase);
            ctx.init(kmf.getKeyManagers(), null, null);
            factory = ctx.getSocketFactory();
       } catch (Exception e) {
            throw new IOException(e.getMessage());
       SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
       * send http request
       * See SSLSocketClient.java for more information about why
       * there is a forced handshake here when using PrintWriters.
       socket.startHandshake();
       PrintWriter out = new PrintWriter(
                      new BufferedWriter(
                      new OutputStreamWriter(
                      socket.getOutputStream())));
       out.println("GET " + path + " HTTP/1.1");
            /* Some internet sites throw bad request error for HTTP/1.1 req if hostname is not specified so the foll line */
            out.println("Host: " + host);
       out.println();
       out.flush();
       * Make sure there were no surprises
       if (out.checkError())
            System.out.println(
            "SSLSocketClient: java.io.PrintWriter error");
       /* read response */
       BufferedReader in = new BufferedReader(
                      new InputStreamReader(
                      socket.getInputStream()));
       String inputLine;
       while ((inputLine = in.readLine()) != null)
            System.out.println(inputLine);
       in.close();
       out.close();
       socket.close();
       } catch (Exception e) {
       e.printStackTrace();
  The Server code :
  * @(#)ClassFileServer.java     1.5 01/05/10
  * Copyright 1995-2002 Sun Microsystems, Inc. All Rights Reserved.
  * Redistribution and use in source and binary forms, with or
  * without modification, are permitted provided that the following
  * conditions are met:
  * -Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * -Redistribution in binary form must reproduct the above copyright
  * notice, this list of conditions and the following disclaimer in
  * the documentation and/or other materials provided with the
  * distribution.
  * Neither the name of Sun Microsystems, Inc. or the names of
  * contributors may be used to endorse or promote products derived
  * from this software without specific prior written permission.
  * This software is provided "AS IS," without a warranty of any
  * kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
  * WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
  * EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
  * DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
  * RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
  * ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
  * FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
  * SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
  * CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
  * THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
  * You acknowledge that Software is not designed, licensed or
  * intended for use in the design, construction, operation or
  * maintenance of any nuclear facility.
  import java.io.*;
  import java.net.*;
  import java.security.KeyStore;
  import javax.net.*;
  import javax.net.ssl.*;
  import javax.security.cert.X509Certificate;
  /* ClassFileServer.java -- a simple file server that can server
  * Http get request in both clear and secure channel
  * The ClassFileServer implements a ClassServer that
  * reads files from the file system. See the
  * doc for the "Main" method for how to run this
  * server.
  public class ClassFileServer extends ClassServer {
  private String docroot;
  private static int DefaultServerPort = 2001;
  * Constructs a ClassFileServer.
  * @param path the path where the server locates files
  public ClassFileServer(ServerSocket ss, String docroot) throws IOException
       super(ss);
       this.docroot = docroot;
  * Returns an array of bytes containing the bytes for
  * the file represented by the argument <b>path</b>.
  * @return the bytes for the file
  * @exception FileNotFoundException if the file corresponding
  * to <b>path</b> could not be loaded.
  public byte[] getBytes(String path)
       throws IOException
       System.out.println("reading: " + path);
       File f = new File(docroot + File.separator + path);
       int length = (int)(f.length());
       if (length == 0) {
       throw new IOException("File length is zero: " + path);
       } else {
       FileInputStream fin = new FileInputStream(f);
       DataInputStream in = new DataInputStream(fin);
       byte[] bytecodes = new byte[length];
       in.readFully(bytecodes);
       return bytecodes;
  * Main method to create the class server that reads
  * files. This takes two command line arguments, the
  * port on which the server accepts requests and the
  * root of the path. To start up the server: <br><br>
  * <code> java ClassFileServer <port> <path>
  * </code><br><br>
  * <code> new ClassFileServer(port, docroot);
  * </code>
  public static void main(String args[])
       System.out.println(
       "USAGE: java ClassFileServer port docroot [TLS [true]]");
       System.out.println("");
       System.out.println(
       "If the third argument is TLS, it will start as\n" +
       "a TLS/SSL file server, otherwise, it will be\n" +
       "an ordinary file server. \n" +
       "If the fourth argument is true,it will require\n" +
       "client authentication as well.");
       int port = DefaultServerPort;
       String docroot = "";
       if (args.length >= 1) {
       port = Integer.parseInt(args[0]);
       if (args.length >= 2) {
       docroot = args[1];
       String type = "PlainSocket";
       if (args.length >= 3) {
       type = args[2];
       try {
       ServerSocketFactory ssf =
            ClassFileServer.getServerSocketFactory(type);
       ServerSocket ss = ssf.createServerSocket(port);
       if (args.length >= 4 && args[3].equals("true")) {
            ((SSLServerSocket)ss).setNeedClientAuth(true);
       new ClassFileServer(ss, docroot);
       } catch (IOException e) {
       System.out.println("Unable to start ClassServer: " +
                 e.getMessage());
       e.printStackTrace();
  private static ServerSocketFactory getServerSocketFactory(String type) {
       if (type.equals("TLS")) {
       SSLServerSocketFactory ssf = null;
       try {
            // set up key manager to do server authentication
            SSLContext ctx;
            KeyManagerFactory kmf;
            KeyStore ks;
            char[] passphrase = "passphrase".toCharArray();
            ctx = SSLContext.getInstance("TLS");
            kmf = KeyManagerFactory.getInstance("SunX509");
            ks = KeyStore.getInstance("JKS");
  //          ks.load(new FileInputStream("testkeys"), passphrase);
            ks.load(new FileInputStream("serverkey"), passphrase);
            kmf.init(ks, passphrase);
            ctx.init(kmf.getKeyManagers(), null, null);
            ssf = ctx.getServerSocketFactory();
            return ssf;
       } catch (Exception e) {
            e.printStackTrace();
       } else {
       return ServerSocketFactory.getDefault();
       return null;
  Could anyone help ?
  thanks in advance
  Jayaprakash

  The same thing.
  I have found the place where the exception throws.
  It is com.sun.net.ssl.internal.ssl.AVA class.
  It has a constructor AVA(StringReader)
  There is a check in this constructor of different certificate extensions
  (if-else). If it sees no familiar extension it throws exception and handshake fails.
  It is not difficult to fix this problem: just ignore unknown extension.
  Everything works fine with this "improved" class (under VA 3.5).
  But the problem is - the using of this class in applets.
  How can I say the browser to use my "improved" class and not the one it downloaded with java plug-in?

• A fatal error occurred while creating an SSL client credential. The internal error state is 10011.

  Need help.  I have my pilot lync 2013 pool up (in coexistence with 2010 production environment) and can log into Lync 2013 environment with a lync 2010 client but am not able to with a lync 2013 client.  It just prompts for password but will not
  take it. I'm sseeing this on my front end server multiple times:
  A fatal error occurred while creating an SSL client credential. The internal error state is 10011.
  Came across this http://www.logicspot.net/index.php?id=50 and tried disabling TLS 1.2, which I did and verified but yet the issue still exists.
  All my certs are good coming from internal CA.  My signin logs show below but keep in mind, this works just fine if using a 2010 lync client to my lync 2013 servers.  Issue only occurs when trying to connect using a lync 2013 client.
  1 Login: FAIL (hr = 0x1) 
  this request needs authentication, trying webticket from: https://domain.com/WebTicket/WebTicketService.svc
  1.1 Get-NewWebTicket: FAIL (hr = 0x1) 
  CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
  1.1.1 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000) 
  Executing wws method with windows auth auth, asyncContext=0A4FC348,
   context: WebRequest context@ :173931816
    MethodType:4
    ExecutionComplete? :1
    Callback@ :0A5A1864
    AsyncHResult:80f10041
    TargetUri:https://domain.com/WebTicket/WebTicketService.svc
    OperationName:http://tempuri.org/:IWebTicketService
   Error:
  There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
  The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
  The requested resource requires user authentication.
  1.1.2 ExecuteWithWindowsOrNoAuthInternal: PASS
  1.1.3 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
  Executing wws method with windows auth auth, asyncContext=0A4FC348,
   context: WebRequest context@ :173931816
    MethodType:4
    ExecutionComplete? :1
    Callback@ :0A5A1864
    AsyncHResult:80f10041
    TargetUri:https://domain.com/WebTicket/WebTicketService.svc
    OperationName:http://tempuri.org/:IWebTicketService
   Error:
  There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
  The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
  The requested resource requires user authentication.
  1.1.4 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
  Discovery task(0A4FF830) sent to URL http://domain.com completed with hr=0x80f10045
  1.1.5 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
  Executing wws method with windows auth auth, asyncContext=0A4FC348,
   context: WebRequest context@ :173931816
    MethodType:4
    ExecutionComplete? :1
    Callback@ :0A5A1864
    AsyncHResult:80f10041
    TargetUri:https://domain.com/WebTicket/WebTicketService.svc
    OperationName:http://tempuri.org/:IWebTicketService
   Error:
  There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
  The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
  The requested resource requires user authentication.
  1.1.6 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000) 
  CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
  Rich

  Hi,
  Please check the server role and Web Services for Internet Information Services (IIS) are set correctly.
  For the detailed IIS configuration, please check:
  http://technet.microsoft.com/en-us/library/gg412871.aspx
  As Lync client 2013 attempt to query in order to perform autodiscover of the Lync registration server. First
  lyncdiscoverinternal.<sipdomain> Host (A) record and then
  lyncdiscover.<sipdomain> Host (A) record. If neither of these records are resolvable then the legacy DNS SRV and A record fall-back process is used. So make sure you have add the two A record in DNS server.
  More details:
  http://blog.schertz.name/2012/12/lync-2013-client-autodiscover/
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
  sure that you completely understand the risk before retrieving any suggestions from the above link.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Error 403.7 - Forbidden: SSL client certificate is required

  Hi people!
  I�m developing a java client to a WebService (developed in .NET). The communication protocol is HTTPS to the URL where the Web Service is located (something like https://10.200.140.117/dirNotes/serviceName.asmx.). I�ve been reading many posts but I could'nt find the solution to the problem wich has the following message: Error 403.7 - Forbidden: SSL client certificate is required".
  I�m using JDK 1.5 and developing and testing on Windows Plataform. I'm able to access the URL specified above directly from the browser, I installed the client certificate (the same that �ve put into the ,jks keystore. I�ve also imported the whole certificate chain of the server to the cacerts.
  I�ll paste the code and the console trace below. I�d be very grateful if you can help me. Thanks a lot.
  _THE CODE_
  package principal;
  import java.io.BufferedReader;
  import java.io.FileInputStream;
  import java.io.FileNotFoundException;
  import java.io.FileReader;
  import java.io.IOException;
  import java.net.URL;
  import java.net.UnknownHostException;
  import java.security.KeyStore;
  import java.security.Security;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.KeyManagerFactory;
  import javax.net.ssl.SSLContext;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;
  import javax.net.ssl.TrustManagerFactory;
  import org.apache.axis.client.Call;
  import org.apache.axis.client.Service;
  import entidade.Certificado;
  public class SSLClient {
  private static final int PORT_NUMBER = 443;
  private static final String HTTPS_ADDRESS = "10.200.140.117";
  private static String strCabecalhoMsg = "";
  private static String strDadosMsg = "";
  public static void main(String[] args) throws Exception {
  System.setProperty("javax.net.ssl.keyStore", Certificado.getStrNomeArquivoJKSServidor());
  System.setProperty("javax.net.ssl.keyStorePassword", "senha");
  System.setProperty("javax.net.ssl.trustStore", "Certificados/cacerts");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
  System.setProperty("javax.net.ssl.keyStoreType", "JKS");
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("javax.net.debug","ssl,handshake,record");
  KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
  ks.load(new FileInputStream(Certificado.getStrNomeArquivoJKSServidor()),
  Certificado.getArranjoCharSenhaCertificadoServidor());
  KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
  kmf.init(ks, Certificado.getArranjoCharSenhaCertificadoServidor());
  KeyStore ksT = KeyStore.getInstance(KeyStore.getDefaultType());
  ksT.load(new FileInputStream("C:/Arquivos de programas/Java/jre1.5.0_05/lib/security/cacerts"), "changeit".toCharArray());
  TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  tmf.init(ksT);
  SSLContext sc = SSLContext.getInstance("SSLv3");
  sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
  SSLSocketFactory factory = sc.getSocketFactory();
  try{
  // method to load the values of the strings strCabecalhoMsg and strDadosMsg
  carregarXMLCabecalhoDados();
  SSLSocket socket =(SSLSocket)factory.createSocket(HTTPS_ADDRESS, PORT_NUMBER);
  socket.startHandshake();
  String [] arr = socket.getEnabledProtocols();
  URL url = new URL("https://10.200.140.117/dirNotes");
  HttpsURLConnection.setDefaultSSLSocketFactory(factory);
  HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
  urlc.setDoInput(true);
  urlc.setUseCaches(false);
  Object[] params = {strCabecalhoMsg, strDadosMsg};
  Service service = new Service();
  Call call = (Call) service.createCall();
  call.setTargetEndpointAddress(url);
  call.setOperationName("serviceName");
  String ret = (String) call.invoke(params);
  System.out.println("Result: " + ret);
  catch (UnknownHostException uhe) {
  uhe.printStackTrace();
  System.err.println(uhe);
  catch (Exception uhe) {
  uhe.printStackTrace();
  System.err.println(uhe);
  private static void carregarXMLCabecalhoDados()
  try
  BufferedReader input = new BufferedReader( new FileReader("notas/cabecalho.xml"));
  String str;
  while((str=input.readLine()) != null)
  strCabecalhoMsg += str ;
  System.out.println("Cabe�a: " + strCabecalhoMsg);
  input = new BufferedReader( new FileReader("notas/nota.xml"));
  while((str=input.readLine()) != null)
  strDadosMsg += str ;
  System.out.println("Nota: " + strDadosMsg);
  catch (FileNotFoundException e)
  // TODO Auto-generated catch block
  e.printStackTrace();
  catch (IOException e)
  // TODO Auto-generated catch block
  e.printStackTrace();
  _THE TRACE_
  adding as trusted cert:
  Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
  *others trusted certs*
  trigger seeding of SecureRandom
  done seeding SecureRandom
  export control - checking the cipher suites
  export control - no cached value available...
  export control - storing legal entry into cache...
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1198158630 bytes = { 48, 135, 53, 24, 112, 72, 104, 220, 27, 114, 37, 42, 25, 77, 224, 32, 12, 58, 90, 217, 232, 3, 104, 251, 93, 82, 40, 91 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  main, WRITE: TLSv1 Handshake, length = 73
  main, WRITE: SSLv2 client hello message, length = 98
  main, READ: TLSv1 Handshake, length = 3953
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1198158523 bytes = { 56, 166, 181, 215, 86, 245, 8, 55, 214, 108, 128, 50, 8, 11, 0, 209, 38, 62, 187, 185, 240, 231, 56, 161, 212, 111, 194, 79 }
  Session ID: {222, 2, 0, 0, 147, 179, 182, 212, 18, 34, 199, 100, 168, 167, 48, 116, 140, 186, 151, 153, 226, 168, 163, 174, 24, 83, 208, 73, 179, 57, 86, 137}
  Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
  Compression Method: 0
  %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  ** SSL_RSA_WITH_RC4_128_MD5
  *** Certificate chain
  chain [0] = [
  Version: V3
  *many chains and related data*
  Found trusted certificate:
  Version: V3
  Subject:
  *many trusted certificates and related data*
  *** ServerHelloDone
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 117, 112, 233, 166, 240, 9, 226, 67, 53, 111, 194, 84, 124, 103, 197, 28, 17, 36, 32, 48, 145, 166, 161, 61, 30, 63, 153, 214, 137, 113, 222, 204, 138, 77, 212, 75, 65, 192, 159, 215, 69, 156, 47, 188, 179, 219 }
  main, WRITE: TLSv1 Handshake, length = 134
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 75 70 E9 A6 F0 09 E2 43 35 6F C2 54 7C 67 ..up.....C5o.T.g
  0010: C5 1C 11 24 20 30 91 A6 A1 3D 1E 3F 99 D6 89 71 ...$ 0...=.?...q
  0020: DE CC 8A 4D D4 4B 41 C0 9F D7 45 9C 2F BC B3 DB ...M.KA...E./...
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 47 6A 73 26 30 87 35 18 70 48 68 DC 1B 72 25 2A Gjs&0.5.pHh..r%*
  0010: 19 4D E0 20 0C 3A 5A D9 E8 03 68 FB 5D 52 28 5B .M. .:Z...h.]R([
  Server Nonce:
  0000: 47 6A 73 BB 38 A6 B5 D7 56 F5 08 37 D6 6C 80 32 Gjs.8...V..7.l.2
  0010: 08 0B 00 D1 26 3E BB B9 F0 E7 38 A1 D4 6F C2 4F ....&>....8..o.O
  Master Secret:
  0000: 0B 3A 71 F8 BB 79 5E 07 78 C2 5F 13 4F 92 9D 87 .:q..y^.x._.O...
  0010: CF 69 0D 07 78 D2 59 46 1E C3 C1 5B A2 DB 04 B9 .i..x.YF...[....
  0020: 42 60 92 48 59 8E FD FD C3 5B BD 00 9C 54 7A 7E B`.HY....[...Tz.
  Client MAC write Secret:
  0000: 33 7C 19 C4 75 D2 CE 82 39 98 37 E5 7D 20 CB B1 3...u...9.7.. ..
  Server MAC write Secret:
  0000: 1E 1E 48 C7 D4 77 23 E4 22 26 8B 98 2E 92 5C 95 ..H..w#."&....\.
  Client write key:
  0000: EE 05 39 76 B2 85 63 6C F7 70 30 CB 6D 08 07 54 ..9v..cl.p0.m..T
  Server write key:
  0000: 5C 2E 3B 5E DC D9 EC C5 04 C4 D5 B5 12 11 B9 08 \.;^............
  ... no IV for cipher
  main, WRITE: TLSv1 Change Cipher Spec, length = 1
  *** Finished
  verify_data: { 143, 115, 243, 131, 242, 244, 12, 44, 191, 172, 205, 122 }
  main, WRITE: TLSv1 Handshake, length = 32
  main, READ: TLSv1 Change Cipher Spec, length = 1
  main, READ: TLSv1 Handshake, length = 32
  *** Finished
  verify_data: { 231, 215, 37, 250, 177, 121, 111, 192, 11, 41, 1, 165 }
  %% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  setting up default SSLSocketFactory
  use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
  class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
  keyStore is : Certificados/certificadoSondaMonitor.jks
  keyStore type is : JKS
  keyStore provider is :
  init keystore
  init keymanager of type SunX509
  trustStore is: Certificados\cacerts
  trustStore type is : jks
  trustStore provider is :
  init truststore
  adding as trusted cert:
  Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
  Algorithm: RSA; Serial number: 0x1
  Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
  adding as trusted cert:
  * many certificates*
  init context
  trigger seeding of SecureRandom
  done seeding SecureRandom
  instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
  export control - checking the cipher suites
  export control - found legal entry in cache...
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1198158632 bytes = { 93, 1, 41, 236, 165, 146, 251, 117, 129, 195, 129, 72, 245, 181, 43, 48, 80, 251, 244, 198, 223, 85, 82, 101, 20, 159, 17, 26 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  main, WRITE: TLSv1 Handshake, length = 73
  main, WRITE: SSLv2 client hello message, length = 98
  main, READ: TLSv1 Handshake, length = 3953
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1198158525 bytes = { 109, 114, 234, 1, 130, 97, 251, 9, 61, 105, 56, 246, 239, 222, 97, 143, 22, 254, 65, 213, 10, 204, 153, 67, 237, 133, 223, 48 }
  Session ID: {23, 30, 0, 0, 26, 129, 168, 21, 252, 107, 124, 183, 171, 228, 138, 227, 94, 17, 195, 213, 216, 233, 205, 2, 117, 16, 21, 65, 123, 119, 171, 109}
  Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
  Compression Method: 0
  %% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
  ** SSL_RSA_WITH_RC4_128_MD5
  *** Certificate chain
  chain [0] = [
  many chains again
  *** ServerHelloDone
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 116, 247, 155, 227, 25, 25, 231, 129, 199, 76, 134, 222, 98, 69, 149, 224, 75, 6, 60, 121, 115, 216, 244, 246, 102, 92, 188, 64, 113, 56, 190, 43, 32, 51, 90, 254, 141, 184, 71, 48, 41, 29, 173, 180, 46, 116 }
  main, WRITE: TLSv1 Handshake, length = 134
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 74 F7 9B E3 19 19 E7 81 C7 4C 86 DE 62 45 ..t........L..bE
  0010: 95 E0 4B 06 3C 79 73 D8 F4 F6 66 5C BC 40 71 38 ..K.<ys...f\.@q8
  0020: BE 2B 20 33 5A FE 8D B8 47 30 29 1D AD B4 2E 74 .+ 3Z...G0)....t
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 47 6A 73 28 5D 01 29 EC A5 92 FB 75 81 C3 81 48 Gjs(].)....u...H
  0010: F5 B5 2B 30 50 FB F4 C6 DF 55 52 65 14 9F 11 1A ..+0P....URe....
  Server Nonce:
  0000: 47 6A 73 BD 6D 72 EA 01 82 61 FB 09 3D 69 38 F6 Gjs.mr...a..=i8.
  0010: EF DE 61 8F 16 FE 41 D5 0A CC 99 43 ED 85 DF 30 ..a...A....C...0
  Master Secret:
  0000: FC C9 75 A4 2B F1 8A D8 AD 16 27 70 B7 E4 64 6C ..u.+.....'p..dl
  0010: 05 D7 33 4A 53 91 2F 51 1E 32 D3 3B 2E 18 2E BC ..3JS./Q.2.;....
  0020: E4 16 EE 2F 01 A1 08 48 19 09 32 68 CE 69 8F B1 .../...H..2h.i..
  Client MAC write Secret:
  0000: F1 95 3B CE 06 5B 8A 9B EC DE 1C 8F B4 AB D9 36 ..;..[.........6
  Server MAC write Secret:
  0000: BF 52 36 48 63 24 FE 74 22 BE 00 99 BE F0 6E E5 .R6Hc$.t".....n.
  Client write key:
  0000: 9F 08 0A 6E 8F 54 A3 66 1C BC C7 6B AE 88 67 E0 ...n.T.f...k..g.
  Server write key:
  0000: 06 A1 0B 4F 69 DE 5F AF 0E 6B B5 04 ED E8 EA F5 ...Oi._..k......
  ... no IV for cipher
  main, WRITE: TLSv1 Change Cipher Spec, length = 1
  *** Finished
  verify_data: { 148, 93, 105, 42, 110, 212, 55, 2, 150, 191, 13, 111 }
  main, WRITE: TLSv1 Handshake, length = 32
  main, READ: TLSv1 Change Cipher Spec, length = 1
  main, READ: TLSv1 Handshake, length = 32
  *** Finished
  verify_data: { 171, 150, 45, 10, 99, 35, 67, 174, 35, 52, 23, 192 }
  %% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
  main, setSoTimeout(600000) called
  main, WRITE: TLSv1 Application Data, length = 282
  main, WRITE: TLSv1 Application Data, length = 8208
  main, WRITE: TLSv1 Application Data, length = 1102
  main, READ: TLSv1 Application Data, length = 1830
  main, received EOFException: ignored
  main, called closeInternal(false)
  main, SEND TLSv1 ALERT: warning, description = close_notify
  main, WRITE: TLSv1 Alert, length = 18
  main, called close()
  main, called closeInternal(true)
  AxisFault
  faultCode: {http://xml.apache.org/axis/}HTTP
  faultSubcode:
  faultString: (404)Not Found
  faultActor:
  faultNode:
  faultDetail:
       {}:return code: 404
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <HTML><HEAD><TITLE>The page cannot be found</TITLE>
  <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
  <STYLE type="text/css">
  BODY { font: 8pt/12pt verdana }
  H1 { font: 13pt/15pt verdana }
  H2 { font: 8pt/12pt verdana }
  A:link { color: red }
  A:visited { color: maroon }
  </STYLE>
  </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
  <h1>The page cannot be found</h1>
  The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
  <hr>
  <p>Please try the following:</p>
  <ul>
  <li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
  <li>If you reached this page by clicking a link, contact
  the Web site administrator to alert them that the link is incorrectly formatted.
  </li>
  <li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
  </ul>
  <h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
  <hr>
  <p>Technical Information (for support personnel)</p>
  <ul>
  <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
  <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
  and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
  </ul>
  </TD></TR></TABLE></BODY></HTML>
       {http://xml.apache.org/axis/}HttpErrorCode:404
  (404)Not Found
       at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
       at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
       at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
       at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
       at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
       at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
       at org.apache.axis.client.Call.invoke(Call.java:2767)
       at org.apache.axis.client.Call.invoke(Call.java:2443)
       at org.apache.axis.client.Call.invoke(Call.java:2366)
       at org.apache.axis.client.Call.invoke(Call.java:1812)
       at principal.SSLClient.main(SSLClient.java:86)
  (404)Not Found
  -----

  I'm having the same problem with the same URL. I try many configuration and nothing works. My code is:
  public class NFeClient {
       static{
            Security.addProvider(new BouncyCastleProvider());
       public static void main(final String[] args) throws Exception {
            final String path = "https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx";
            final String keyStoreProvider = "BC";
            final String keyStoreType = "PKCS12";
            final String keyStore = "/home/mendes/certificados/cert.p12";
            final String keyStorePassword = "xxxx";
            System.setProperty("javax.net.ssl.keyStoreProvider",keyStoreProvider);
            System.setProperty("javax.net.ssl.keyStoreType",keyStoreType);
            System.setProperty("javax.net.ssl.keyStore",keyStore);
            System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
            System.setProperty("javax.net.ssl.trustStore","/home/mendes/workspace/NFE/jssecacerts");
            final SSLContext context =  SSLContext.getInstance("TLS");
            final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            final KeyStore ks = KeyStore.getInstance(keyStoreType);
            ks.load(new FileInputStream(keyStore), keyStorePassword.toCharArray());
            kmf.init(ks, keyStorePassword.toCharArray());
            context.init(kmf.getKeyManagers(), null, null);
            final URL url = new URL(path);
            final HttpsURLConnection httpsConnection = (HttpsURLConnection) url.openConnection();
            httpsConnection.setDoInput(true);
            httpsConnection.setRequestMethod("GET");
            httpsConnection.setRequestProperty("Host", "iis-server");
            httpsConnection.setRequestProperty("UserAgent", "Mozilla/4.0");
            httpsConnection.setSSLSocketFactory(context.getSocketFactory());
            try{
                 final InputStream is = httpsConnection.getInputStream();
                 final byte[] buff = new byte[1024];
                 int readed;
                 while((readed = is.read(buff)) > 0)
                      System.out.write(buff,0,readed);
            }catch(final IOException ioe){
                 ioe.printStackTrace();
  }and the response of the server is always the same:
  java.io.IOException: Server returned HTTP response code: 403 for URL: https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
       at br.com.esales.nfe.signer.client.NFeClient.main(NFeClient.java:60)Edited by: mendes on Apr 25, 2008 9:56 AM

• A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

  Hi All
  I am seeing the below event appearing in the system log on all our Exchange 2013 servers regularly. I am not seeing any connectivity issues between any clients and the servers and no other issues have been reported at this stage.
  Log Name:      System
  Source:        Schannel
  Date:          10/04/2015 9:21:17 AM
  Event ID:      36871
  Task Category: None
  Level:         Error
  Keywords:     
  User:          SYSTEM
  Computer:     
  Description:
  A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
  I am not sure if its related to the public certificate we are using or if its related to the one provided from the local CA.I have searched and found other links that suggest it could be related to SSL versions being disabled etc.
  All servers are running Windows 2012 R2 Datacenter. The Exchange CAS servers do also sit behind a pair of F5 BIG IP Load Balancers 
  Any suggestions on where to look?
  Thanks

  Hi,
  According to the event log, the issue is related to Schannel instead of Exchange.
  Please try the following steps:
  1.In Control Panel, click Administrative Tools, and then double-click Local Security Policy.
  2.In Local Security Settings, expand Local Policies, and then click Security Options.
  3.Under Policy in the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, and then click Enabled.
  4. Ran gpupdate /force
  If it doesn’t work, please go to C:\ProgramData\Microsoft\Crypto\RSA and grant "Network Services" Read permission to "MachineKeys" folder. Then restart server to have a try.
  Here is a similar thread for your reference:
  https://social.technet.microsoft.com/Forums/lync/en-US/e70a8dbc-6f48-4fde-a93b-783554344822/a-fatal-error-occurred-when-attempting-to-access-the-ssl-client-credential-private-key?forum=ocscertificates
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• How can I control the list of cipher suites offered in the SSL Client Hello message? I want to forbid MD5 and RC4.

  How can I control the list of cipher suites offered in the SSL Client Hello message?
  I want to limit my browser to negotiating strong cipher suites. I'd like to forbid DES, MD5 and RC4.

  Set the related SSL3 prefs to false on the about:config page (Filter: security.ssl3.).
  *http://kb.mozillazine.org/about:config

• AnyConnect SSL-client Certificate AND AAA RADIUS

  Hi All,
  I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
  I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
  Here are some relevant log messages I'm getting:
  Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
  Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
  Certificate chain was successfully validated with warning, revocation status was not checked.
  Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
  Device completed SSL handshake with client outside:72.91.xx.xx/42501
  Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
  Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
  Relevant Config:
  tunnel-group SSLClientProfile type remote-access
  tunnel-group SSLClientProfile general-attributes
  authentication-server-group RADIUS
  default-group-policy GroupPolicy1
  tunnel-group SSLClientProfile webvpn-attributes
  authentication aaa certificate
  radius-reject-message
  pre-fill-username ssl-client
  group-alias SSLClientProfile enable
  group-url https://URL enable
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  wins-server none
  dns-server value <ip1> <ip2>
  vpn-tunnel-protocol ssl-client
  default-domain value xxxxxxxx
  address-pools value VPNPOOL
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.102.242
  key *****
  aaa-server RADIUS (inside) host 192.168.240.242
  key *****
  ASA version 8.4
  What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

  PRogress....
  I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

• SSL client default does not exist

  Hi,
  I had newly installed XI system on one of our server.
  when i am creating RFC destination INTEGRATION_DIRECTORY_HMI, i am getting the following error on logon /security tab.
  "<b>SSL client default does not exist"</b>
  and it is not even permitting to go furthur!
  any suggestions will be appreciated highly.
  Thanks,
  Ravi

  Hi Ravi
  Check if your SSL provider is running.
  Go to visual admin--instanceservernodeservices----SSL provider.Start the SSL service and check for the configuration.
  Follow the same steps for the dispatcher node.
  Go to visual admin--instancedispatchernodeservices----SSL provider

• What do these SSL error messages mean?  How do I fix this problem? (SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT) & (SSL_ERROR_BAD_CERT_ALERT - SSL client cannot verify your certificate.)

  In my error log files for iPlanet Web server 4.1SP9 (running on Solaris) I am seeing the following errors sporadically dispersed seemingly at random throughout the day.
  Error receiving connection (SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT)
  Error receiving connection (SSL_ERROR_BAD_CERT_ALERT - SSL client cannot verify your certificate.)
  Error receiving connection (Not connected)

  Hi,
  Are you trying to install a certificate in iWS.
  When did you get this error messages ?
  For more infomartion about error codes. Please look the below link.
  http://www.mozilla.org/projects/ security/pki/nss/ref/ssl/sslerr.html
  http://knowledgebase.iplanet.com/ikb/kb/ articles/4811.html
  Regards,
  Dakshin.
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support.

• How can you configure an Exchange Account in Mac OS X to use a SSL client certificate?

  I'm trying to connect the Mail App of Mac OS X to my company's Exchange server. For security reasons you have provide a SSL client certificate to the server. You can convince Safari to use a client certificate by putting it into your keychain and configuring a suitable "identity preference" for the URL of the related site. But the Mail App seems not to use the keychain for this part of the SSL negotiations.
  Since you can configure the client certificate usage for an Exchange Account for the iPhone with the Configuration Utility there should be a way for the desktop App, too. Has someone sorted this issue out already or does the Mail App actually lack of client certificate support?

  I had a nice chat with the Apple end user support which revealed that this feature falls in the responsibility of the business support group. Since I have no appropriate support contract I could ask for help for about 480€ per issue -- nice try
  After more research I found the Configuration Profile Reference, where you get information about Exchange accounts too. Starting with a working iOS-Profile I changed the Exchange account part according to this documentation for OS X. All you have to do is to replace PayloadType com.apple.eas.account by com.apple.ews.account.
  After importing this profile I found the expected Exchange account within the Contacts.app. But the SSL client certificate was still not used and therefore my account not usable.
  You could enable Mail, Calendar & Reminders and Notes within the System Preferences, but neither of these would work due to the missing client certificate support.
  I came to the conclusion that the relevant applications in OS X have no proper SSL Client support build in. Since the underlying libraries and frameworks have everything in place that is really a shame.
  Would be nice, if someone would enforce the developers to do their homework there.

• ACE 4700 ssl probe failure

  We recently updated one of our servers to a new SSL certificate using the 4096 bit cipher key. Now the ACE probe to that server fails.
  We have SSL version set to any and SSL cipher set to any. Id there a problem with a ACE https probe not supporting cipher keyes longer then 1024 bit ?

  Hello DLance,
  The ACE supports ssl certs upto 2048bits..
  If you refer to the following guide, there is mention of the 2048 limit:
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html
  HTH. Regards.

• Can't get WebVpn full SSL client to work

  Hello,
  I just get a new 1812 router and i wanna try the full SSL client. I upgrade IOS to 12.4.9T1, get last SDM and last vpn ssl package.
  I follow the wizard on SDM to configure a simple webvpn on my outside network.
  I can connect to the portal with my creditentials, and the ssl client install itself. It write warnings about certificates. But at last, i always got a message window "http return code error, contact your network admin". And on event viewer i have some errors with STCAgent (one is HTTP response code from the gateway is 401 , unautorized....).
  I try on 2 different PC's with XP PRO SP2.
  What else to try ??
  Thanks

  Hi,
  I am getting the exact same error. Below is my webvpn configuration:
  webvpn gateway guest
  ip address 10.100.1.254 port 443
  http-redirect port 80
  ssl trustpoint TP-self-signed-927014488
  inservice
  webvpn install svc flash:/webvpn/svc.pkg
  webvpn install csd flash:/webvpn/sdesktop.pkg
  webvpn context guest
  title-color #669999
  secondary-color white
  text-color black
  ssl authenticate verify all
  policy group fullclient
  functions svc-required
  hide-url-bar
  svc address-pool "vpn-pool"
  svc rekey method new-tunnel
  svc dns-server primary 10.100.2.8
  default-group-policy fullclient
  aaa authentication list default
  gateway guest
  inservice
  Have you solved your problem?
  //F