ACE30 (A5(3.1a)) SSL Parameter map
Hi Guys,
We have a requirement to disable SSLv3 support and enable TLS1.0, 1.1 and 1.2 within our environment. Since having upgraded to A5(3.1a) we have available to us the ability to use TLS1.0, 1.1 and 1.2 according to the release notes, however in practice i've found that there is no ability to have only TLS1.0, 1.1 and 1.2, (not SSLv3) applied to a given VIP (via the ssl-proxy commands). From testing i've found that if I want to be specific about the versions of TLS, only one can be applied at a time: E.g.
parameter-map type ssl SSL-TLS1.0
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA priority 3
cipher RSA_WITH_AES_256_CBC_SHA priority 2
version TLS1
ssl-proxy service SSL-NISTEST
key NISTEST-KEY.pem
cert NISTEST-CRT-RENEWED.pem
chaingroup SSL-AUSCERTS-SERVER-CHAIN
ssl advanced-options SSL-TLS1.0
I cannot apply TLS1.0, 1.1 and 1.2, to therefore support all browsers etc. I tried using "Up to TLS1.2" from the versions that were available, however this still includes SSLv3 which we do not want. Can Cisco confirm that my observations are correct and that I cannot add all 3 versions of TLS?
thanks
Sheldon
Hi Nithin,
Your stats looks OK to me. Looks like it is all good. Why do you think you are still using SSL3?
Also, did you specifically not want to use the TLS 1.1 and TLS 1.2?
Is there any reason you want to keep the MD5 cipher?
Cipher tlsv1_rsa_rc4_128_md5: 20
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 714
Cipher tlsv1_rsa_3des_ede_cbc_sha: 410321
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 411055
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
SSLv3 secured rehandshakes: 0
TLSv1 full handshakes: 411053
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
TLSv1 secured rehandshakes: 0
SSLv3 handshake failures: 0
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 2
TLSv1 failures during data phase: 0
Similar Messages
-
Input Parameter Mapping is not working in Sap HANA
Hi, We created on ANALYTICAL view(A) with Input Parameters, on top of Analytical view created one Calculation view(B) and mapped Calculation view input parameter with Analytical view input paramter and its working fine. Finally we created one more calculation view on top existing calculation view(B) and mapped with corresponding input parameters. Input parameter mapping is working fine in between A(analytical view) and --------> B (first Calc view) but input parameter mapping is not working properly in between B(first Calc View)-----------C(second Calc View). it is giving all data whatever is coming from Calc View B. Kindly help us to resolve this.
Hi,
Write c in small for Command,
theButton.mappingOfOnAction().addParameter("command","Save");
Regards,
Murtuza -
Oracle App Server 10.1.3.1 + Struts2 parameter map loss
hi,
I am facing an issue with oracle app server 10.1.3.1. With an application deployed in it, any .action hit seems to lose the parameter map. However, i m using Spring MVC with jasper reports for reporting purpose. So hitting a .report seems to go thru without the parameter map loss. I m using struts 2.0.11 in the application.
I have also tried the workaround related to struts.properties - (struts.dispatcher.parametersWorkaround = true). Did not help.
I wrote a CustomActionMapper which is an exact copy of DefaultActionMapper but for the addition of a few log statements to see the parameter map and uri.
I can notice the paramter map coming out empty even when data is posted or queryString with parameters sent.
Any leads on this truly appreciated.
Regardshi,
I am facing an issue with oracle app server 10.1.3.1. With an application deployed in it, any .action hit seems to lose the parameter map. However, i m using Spring MVC with jasper reports for reporting purpose. So hitting a .report seems to go thru without the parameter map loss. I m using struts 2.0.11 in the application.
I have also tried the workaround related to struts.properties - (struts.dispatcher.parametersWorkaround = true). Did not help.
I wrote a CustomActionMapper which is an exact copy of DefaultActionMapper but for the addition of a few log statements to see the parameter map and uri.
I can notice the paramter map coming out empty even when data is posted or queryString with parameters sent.
Any leads on this truly appreciated.
Regards -
Hi experts
can anybode tell me where the variable is defined when i use parameter mapping? thanks a million!Hi,
I think you want the details of these parameter mapping as documents.
Hope below link will help you:
[http://help.sap.com/saphelp_nw04/helpdata/en/8f/aa63688343bd40aafc537971aee068/frameset.htm]
If you see the UI elements details in this link you will find Event Parameter in Events section for each UI element.
And you can use these parameter mapping in wdModifyView().
thanks & regards,
Manoj
Edited by: Manoj Kumar on Jan 14, 2008 10:56 AM -
Problems with Parameter Mapping
Hi All,
I have problems with parameter-mapping. For me its a black box, sometimes it works sometimes not.
Lots of times my mappings doesnt work, and I dont know the reason.
For example: I want to map my Execution-CO to the Display-CO. For that I map the in the affected Action.
But it doesnt work, although I do have the same Context Structures, because its the same CO. The technical Name is also the same.
What could it be?
Thanks for answering me
Bye SteveHi Andre,
sorry for my late answer, but I'm writing my diploma thesis and wasnt at work since wednesday and so I dont have a access to our GP-System.
Hope I understood you right.
The Use Case of parameter mapping is that Users of further steps has the possibility to see the Input of previous steps.
When I dont map the parameter inside one action, it isnt possible. I tried it out with the SAP example "Time-off-process". I took the CO "Create Request" and add it in one Action (as Display & Execution). When I understand you right mapping inside an action is not necessary, to see the Inputs from further Actions --> But this way I cannot see the Inputs.
The mapping of my application works before I changed it.
I know never touch a running system, but It was necessary, we need a new Input and Output Parameter.
Cause I have 20 parameter the mapping was very time-consuming, to map every single parameter. I read a method to reduce the time: Adding a structure requires only mapping of the two structures. But now the Mapping doesnt work.
Hope you can help me
Bye Steve -
Same parameter-map used on 2 different classes
Greetings,
If the same parameter-map (type connection or http) is used on two different policy-map classes, will that create a conflict in how traffic for each of serverfarms uses persistence or inactivity timeout (script 1)?
Should we create a different instance of parameter-maps for each policy-map class (script 2)?
Script 1
parameter-map type connection inactivity_2000
set timeout inactivity 2000
parameter-map type http persistence-rebalance
persistence-rebalance
policy-map multi-match L4_POLICY
class L3-4_VIP_A
connection advanced-options inactivity_2000
appl-parameter http advanced-options persistence-rebalance
loadbalance policy L7_Serverfarm_A_Policy
loadbalance vip inservice
loadbalance vip icmp-reply active
class L3-4_VIP_B
connection advanced-options inactivity_2000
appl-parameter http advanced-options persistence-rebalance
loadbalance policy L7_Serverfarm_B_Policy
loadbalance vip inservice
loadbalance vip icmp-reply active
Script 2
parameter-map type connection L3-4_VIP_A_connection
set timeout inactivity 2000
parameter-map type connection L3-4_VIP_B_connection
set timeout inactivity 2000
parameter-map type http L3-4_VIP_A_http
persistence-rebalance
parameter-map type http L3-4_VIP_B_http
persistence-rebalance
policy-map multi-match L4_POLICY
class L3-4_VIP_A
connection advanced-options L3-4_VIP_A_connection
appl-parameter http advanced-options L3-4_VIP_A_http
loadbalance policy L7_Serverfarm_A_Policy
loadbalance vip inservice
loadbalance vip icmp-reply active
class L3-4_VIP_B
connection advanced-options L3-4_VIP_B_connection
appl-parameter http advanced-options L3-4_VIP_B_http
loadbalance policy L7_Serverfarm_B_Policy
loadbalance vip inservice
loadbalance vip icmp-reply active
Thanksyou can reuse the same parameter map.
Gilles. -
Parameter Mapping with RFC Callable Object not working
Hi Folks
Scenario
I have a process scenario like this
Interactive Form Callable Object A -triggers> Process [Interactive Form Callble Object B -> Interactive Form Callble Object C -> RFC Callable Object ]
All the forms A, B, C use same form template, different sections of it lets say i, j and k are filled by different guys.
Now my parameter mappings are as follows -
a) Page level meeting between B & C called P Map.
b) Process parameter mapping with Form A and appropriate section of P Map lets say section i
c) fields of Form C are mapped to RFC callable object fields
Problem
The data filled in Form A [section i] disappears when I open and see the Form B.
If I remove the mappings of fields of Form C with RFC callable objec fields, I am able to see it.
Has anyone faced it before!Hi,
This is a known issue on SP10 and it will be fixed in the next patch for SP10.
Hope this helps!
Best regards,
David -
Parameter mapping for an action
can anybody help me with this parameter mapping.
how we can pass a parameter for an action.
and how to use that parameter in the implemented coding.Hi sarbjeet,
Rajat has correctly explained your requirement.
Let me give you example.
say when the User opens your application it shows a page with one drop down which conatins some values and a button. So If you want to get the value selected by the user on click of the button, then you need to associate a action with the button(which you can define in action property of the button and it will automatically create the method and you can check it in the implementation tab). Now you can write the code for getting the value from drop down in this method. after getting the value you can do what ever logic you want to perform like inserting it into database etc.
Hope this will clearify logic. If you require the code then please let me know.
Regards
Narendra -
I am using sp12, and am wondering if something has changed with parameter mapping, because I am using the same method I used when I was on sp9, but am now getting compilation warnings about my parameter mapping.
I have an action with a string parameter. I bound the onAction property of several linkToAction elements to this action, and set up the mapping in the doModifyView method (retrieving each element by name, casting them to IWDLinkToAction objects, and calling addParameter to add the mapping). It builds and runs ok, but shows two warnings for each UI element I have mapped this way:
1) UIElementEventBinding onAction: Parameter <paramName>(string) cannot be supplied
2) LinkToAction <elementName> [onAction]: Action and event are not compatible
Any ideas on what I'm missing here?
Thanks,
-DaveThese warnings are meaningless, if you are unhappy with them, open an OSS message.
Armin -
ACE - need help implementing basic parameter map
Hi,
I'm trying to implement a connection parameter on an ACE module that sumply sets the TCP timeout to 0.
I can get this to work fine if I permit all TCP traffic in the class-map, but it doesn't work if I use an ACL;
>>Match all TCP;
parameter-map type connection TCP-Timeout
set timeout inactivity 0
class-map match-all TCP-Timeout-Out-Class
2 match port tcp any
class-map match-all TCP-Timeout-in-Class
2 match port tcp any
policy-map multi-match TCP-Timeout-Out-Policy
class TCP-Timeout-Out-Class
connection advanced-options TCP-Timeout
policy-map multi-match TCP-Timeout-in-Policy
class TCP-Timeout-in-Class
connection advanced-options TCP-Timeout
Interface vlan 920
service-policy input TCP-Timeout-in-Policy
Interface vlan 923
service-policy input TCP-Timeout-Out-Policy
>>Match ACL;
access-list TCP-Timeout-Group-Out line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group-in line 10 extended permit ip any 10.221.178.0 0.0.0.255
parameter-map type connection TCP-Timeout
set timeout inactivity 0
class-map match-all TCP-Timeout-Out-Class
match access-list TCP-Timeout-Group-Out
class-map match-all TCP-Timeout-in-Class
match access-list TCP-Timeout-Group-in
policy-map multi-match TCP-Timeout-Out-Policy
class TCP-Timeout-Out-Class
connection advanced-options TCP-Timeout
policy-map multi-match TCP-Timeout-in-Policy
class TCP-Timeout-in-Class
connection advanced-options TCP-Timeout
Interface vlan 320
service-policy input TCP-Timeout-in-Policy
Interface vlan 323
service-policy input TCP-Timeout-Out-Policy
Any ideas?
Many ThanksTry changing the class-map from "type match-all" to "type match-any". Match all implies both statments need to be true. The match-any is probably what you want. Either of the ACL statements can be true.
Also try to apply the policy globally instead of the interfaces, simplifying the config might help as well.
e.g.:
access-list TCP-Timeout-Group line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group line 20 extended permit ip any 10.221.178.0 0.0.0.255
class-map match-any TCP-Timeout-Class
match access-list TCP-Timeout-Group
parameter-map type connection TCP-Parameter-Map
set timeout inactivity 0
policy-map multi-match TCP-Timeout-Out-Policy
class TCP-Timeout-Out-Class
connection advanced-options TCP-Parameter-Map
service policy input TCP-Timeout-Out-Policy <- apply it globally
Hope it helps.
Roble -
How to apply parameter map?
Ok this may seem a bit of a dumb question but I just can't get a straight answer from Googling or from the IOS release 15.2 Security Config guide for ZFW. So,I am editing the parameter map that governs tcp queue length in the OoO (Out of Order) global parameter map:
Router(config)#parameter-map type ooo global
Once I've made my changes, do I need to add this to a policy map? Or does this just go into effect by default somehow?
Thank you.Hi Julio,
Well, I bought this ebok at Cisco Press ($14.99). I don't have a Kindle unfortunately. Normally I'd try bittorrents for this kind of thing but when it comes to business and work related material I like to keep it official.
The ebook is only 112 pages which is good since I already have the CCNA Security book from Cisco Press queued up for reading but I think this ebook will be a good starter and is probably more to the point with real world talk.
By the way, if you answer my question above, I can then Mark Correct Answer Since I have the OoO parameter map defined, do I now need to apply it? I know reading the book might give me an answer but just so I can get this particularthread off of my "to do" list I am hoping for the quick answer. I know how to apply a parameter map to a policy map, just wondering whether these global ones like the ooo one need that, or are they applied by default and so you just need to edit their configs to change how they work. -
CT5760 - virtual-host in parameter-map not used in webauth redirect
Hi all.
I'll try posting my issue here before I post a TAC on this:
Cisco CT5760 wireless controller running IOS-XE version 3.6.0.
This issue is related to web authentication on an SSID with external web portal. It seems that the statement "virtual-host" in "parameter-map type webauth global" is not used as intended. I'll try to explain:
When a user connects to an SSID with external web authentication enabled and the user opens a web browser, the user will get redirected to the external web portal for authentication. In this redirect URL we see the parameter "switch_url=http://1.2.3.4/login.html". The IP address 1.2.3.4 is, in this example, our virtual IP. But we have also configured "virtual-host" to be webauth.example.com. And in my opinion the "switch_url" parameter should be "switch_url=http://webauth.example.com/login.html". This is how it works on our old Cisco WiSM1 implementation.
The reason why this is a problem is that the clients web browser will not accept the certificate installed on "http://1.2.3.4" because it is not issued with that IP address, only the hostname webauth.example.com. I know that it is possible to get certificates issued with an IP address (as long as it's not an RFC1918 IP address), but rumors say that many Certificate Authorities will stop issuing these soon, even with "real IPs". Therefore it is important that the redirect URL gets corrected.
Does anyone disagree with me that this is a bug?Hi and thank you for your response.
I feel that I need to clarify a few things. Here is my parameter-map config (a bit edited):
parameter-map type webauth global
virtual-ip ipv4 1.1.1.1 virtual-host webauth.example.com
intercept-https-enable
parameter-map type webauth webauth_external
type webauth
redirect for-login https://webauth-external.example.com/v2/login.html
redirect portal ipv4 x.x.x.x
So the problem here is that a web browser of the client gets the following redirect URL:
https://webauth-external.example.com/v2/login.html?switch_url=https://1.1.1.1/login.html&redirect=http://www.cnn.com
Then after a successful login on the external portal, the user gets redirected back to https://1.1.1.1/login.html. Here is the core of my problem. I think that the parameter "switch_url" should be with the name webauth.example.com since I configured it as the "virtual-host". This is the behavior we see with our old Cisco WiSM1.
When the redirect goes to https://1.1.1.1/login.html the client complains about the certificate, because it is not issued to that IP address but to the hostname.
I can verify that the client does not complain about this if I manually edit the redirect URL on the client to the following:
https://webauth-external.example.com/v2/login.html?switch_url=https://webauth.example.com/login.html&redirect=http://www.cnn.com
Then the redirect after authentication goes to https://webauth.example.com/login.html and the client accepts the certificate and everything is peachy.
Do you see my problem? And yes, the virtual IP resolves to the name in DNS. -
HI ,
Can some one explain me what is parameter mapping and in what scenarios we need to use it??.<b>Hi
Web Dynpro ParameterMapping API - IWDParameterMapping
The parameter mapping is an instance of the UI element event. Therefore, it is defined at UI element level. You describe the parameter mapping for a UI element event using the wdDoModifyView method (see also Event Parameter and Parameter Mapping).
Since the parameter mapping is defined at UI element event level, each UI element event has a corresponding mapping information. Therefore, each UI element that can trigger events returns the mappingOf<UIElementEventName> method. This method returns an instance of the IWDParameterMapping interface. A button UI element with the onAction event provides the mappingOfOnAction that returns the current parameter mapping for the button instance.
Event Parameter and Parameter Mapping
http://help.sap.com/saphelp_nw04/helpdata/en/2f/55f35ceb9ca9458598ba61a4ca2fbb/frameset.htm
This url links to a short pdf describing the Webdynpro Java
Go To Section 7.4 Parameter Mapping
"Inside WebDynpro Java" Pdf File 2.50 MB</b>
http://searchsap.techtarget.com/searchSAP/downloads/SAPPRESS.pdf
<b>Regards
Chandran</b> -
Applying ACE connection parameter map?
How do I apply the connection parameter map in a configuration like this to the service policy int827? Do I need to define the traffic? Can I specify only one source destination flow to apply the set tcp half-closed TCP normalization against?
Any help would be appreciated.
Thank you all,
Jon
policy-map type loadbalance first-match wss-1100-l7slb
class class-default
sticky-serverfarm sticky-srcip-1100
policy-map type loadbalance first-match wss-1101-l7slb
class class-default
sticky-serverfarm sticky-srcip-1101
parameter-map type connection TCPIP_PARAM_MAP
set tcp timeout half-closed 180
policy-map multi-match int827
class wss-1100
loadbalance vip inservice
loadbalance policy wss-1100-l7slb
class wss-1101
loadbalance vip inservice
loadbalance policy wss-1101-l7slb
interface vlan 827
bridge-group 1
no normalization
access-group input etherany
access-group input ip-any-any
access-group output ip-any-any
service-policy input mgmt
service-policy input int827
no shutdown
interface vlan 828
bridge-group 1
no normalization
access-group input etherany
access-group input ip-any-any
access-group output ip-any-any
no shutdown
interface bvi 1
mac-address autogenerate
ip address x.x.x.6 255.255.255.0
peer ip address x.x.x.7 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.x.1Yes, you always need to define interesting traffic to apply the connection parameter-map. If you apply "tcp timeout half-closed" to any traffic then you need to define class-map with 0.0.0.0. If you want to apply the
"tcp timeout half-closed" to the current class-map, then you can assoicate it with a multi-match policy map as below :
The service policy always applies to the incoming interface.
parameter-map type connection TCPIP_PARAM_MAP
set tcp timeout half-closed 180
policy-map multi-match int827
class wss-1100
loadbalance vip inservice
loadbalance policy wss-1100-l7slb
connection advanced-options
class wss-1101
loadbalance vip inservice
loadbalance policy wss-1101-l7slb
connection advanced-options
Just one more side note for the timeout parameter. The timeout value (default or other wise) remains the same irrespective of normalization or no norm.
If you have a parameter map configured for timeout then it should still take in affect when you have normalization disabled.
The only difference is that with normalization enabled, ACE will send a reset back after the timeout expires and will silently drop it when no norm is configured.
regards
Andrew -
Parameter mapping in Dynamic approval process
Hi experts,
We have a webdynpro application where the user inputs certain data.
Then from this application we are triggering a GP process and also passing parameters to the GP process.
In GP my Approval callable object is webdynpro(GP interface) Co.
In the execute method, I am reading the input parameters
CurrentLevel=(executionContext.getInputStructure().getAttributeAsInt("I_CurrentLevel"))+ 1;
totalLevel=(executionContext.getInputStructure().getAttributeAsInt("I_TotalLevel"));
VendorNo=executionContext.getInputStructure().getAttributeAsString("I_VendorNo");
Now in complete method I am writing these values to the output parameters.
output.setAttributeValue("O_VendorNo",contextElement.getVendorNo());
output.setAttributeValue("O_TotalLevel",contextElement.getTotalLevel());output.setAttributeValue("O_CurrentLevel",contextElement.getCurrentLevel());
In the Gp I have a process under which I have a postcondition loop ,it has a loop decision action and Business logic Co (with two parameters current level and total level).
And next I have a sequential block with the approver Co.
I have certain doubt regarding the parameter mappings.
For the first time the input to the Approver Co is passed from my application (triggering and also passing parameters).
So we are able to see the input parameters on the GP screen.
When the first approver approves it, it checks the loop condition, but my problem is Always the input to the approver screen is same.
After first approval the output of it should become the input for the second approval.
At which level should I group the parameters in GP because i tried mapping them at process level and also at the postcondition block level .
Thanks,
SwethaPosted another thread on the same issue
Maybe you are looking for
-
An issue with the computer crashing.
My Macbook bought in 2007 recently has gone through some running issues. Every now and then when I am running a facebook program that uses an Adobe Flash application the laptop stops running and requires a restart. This is becoming almost a daily i
-
H264 stream is not encoded properly in AIR 3.2
Hi all, I'm running latest AIR runtime on my desktop: 3.2.0.2070 My air appliation is compiled with latest air sdk also: 3.2.0.2070 Platform is Windows XP. The application is aka Cirrus Video Phone Lab app, where streaming is done to another instance
-
One web page won't load in any browser
I have one site that all of a sudden, won't load in any stand-alone browser (have tried Firefox, Camino, Safari, Opera). I get a time-out error. The will load, however, if I use the AOL browser or a cloaking site. I checked with my ISP which says it
-
HP Printer goes offline after software update!@
I'm having trouble with printer going offline on two of my computers: (imac 9,1 & 2014 macbook air) Printer: HP officejet 8500a Plus I repaired the permissions on both hard drives to see if it was a cups/communication issue and deleted and reinstalle
-
Hi, I recently updated my iPhone 4 with the new OS 5. However, mid way now the laptop is not able to find the drivers for the iPhone. Please help