ACS SE 4.2, 802.1x and certificates for machine authentication

I'm trying to figure out how to put this lot together, but don't know enough about ACS when used with an external CA.
What I want to get working is:
A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query the PC, handing this off to ACS; that bit I'm OK with. The ACS needs to query the CA server to authenticate the PC, and it's this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32-bit only.
Is this correct? If so, how do I get ACS SE to communicate with a 64-bit 2008 CA server?

Hi Bernhard,
That answers my questions, having never worked with AD, CA and LDAP etc. I didn't realise that you could assign attributes at a user (machine in my case) level, although it makes perfect sense when you indicated that, as LDAP is a method of supporting user accounts, right?
I suppose in that case I'll be able to assign an attribute through LDAP, which ACS will use to map that account/machine to a specific VLAN. The attribute value will be used to represent the VLAN mapping.
What component in ACS do I use to match against attributes? I don’t see anything in the NAP, NAF or RAC sections about this.
As an alternative, your reply prompted me to look at the ACS User Group mapping section, it describes mapping a windows group to an ACS group, which may also be a solution, although not as flexible as being able to match on an LDAP attribute associated with the machine accounts.
Reading through this it seems this is an area where the SE and Windows based ACS platforms differ, I'm using SE.
Andy
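Bernhard's reply is not on this page, but the part of the design that Andy is asking about has a fixed shape regardless of how ACS looks the machine up (LDAP attribute or group mapping): the VLAN decision reaches the switch inside the RADIUS Access-Accept as the three tagged tunnel attributes defined in RFC 2868 and profiled for 802.1X in RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID or name). The following is an added example, not code from the thread or from Cisco ACS: it encodes that triple the way a RADIUS server would and decodes it the way a strict switch should, refusing to assign a VLAN unless all three attributes are present with matching tags and well-formed lengths. The attribute numbers and enum values are the RFC ones; the VLAN IDs and tags are constructed input.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and the enum values RFC 3580
# uses for VLAN assignment over IEEE 802 media.
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tlv(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, includes header) Value(<=253)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for RADIUS")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_attributes(vlan_id, tag=1):
    """Attributes a RADIUS server adds to Access-Accept to place the supplicant
    in vlan_id. Tagged integers are tag(1) + 3-byte big-endian value; the
    group ID is tag(1) + the VLAN as an ASCII string (RFC 2868 section 3)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")

    def tagged_int(v):
        return bytes([tag]) + v.to_bytes(3, "big")

    return (
        _tlv(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + _tlv(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
        + _tlv(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_attributes(blob):
    """Split a RADIUS attribute list into (type, value) pairs; a bad length is
    an error, never silently resynchronised."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_attributes(blob):
    """What a strict switch should do with Access-Accept: return the VLAN
    (ID or name, as a string) only if Tunnel-Type=VLAN, Tunnel-Medium-Type=802
    and Tunnel-Private-Group-ID all appear under the same tag; otherwise None,
    so the port falls back to its configured default instead of guessing."""
    by_tag = {}
    for attr_type, v in parse_attributes(blob):
        if attr_type not in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID):
            continue
        if not v:
            raise ValueError("empty tunnel attribute")
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string.
            tag, rest = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            value = rest.decode("ascii")
        else:
            if len(v) != 4 or v[0] > 0x1F:
                raise ValueError("malformed tagged integer attribute")
            tag, value = v[0], int.from_bytes(v[1:], "big")
        by_tag.setdefault(tag, {})[attr_type] = value

    for entry in by_tag.values():
        if (entry.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in entry):
            return entry[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    accept = build_vlan_attributes(110)
    print(accept.hex(), "->", vlan_from_attributes(accept))
```

When dynamic VLAN assignment "doesn't take" on the switch, compare the Access-Accept in a capture against this decoder's rules: a missing Tunnel-Medium-Type, or a Tunnel-Private-Group-ID sent under a different tag than the other two, is enough for the switch to ignore the whole triple.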

Similar Messages

  • What is the option client certificate for user authentication used for?

    Hi All,
    I have to work on an FTPS -> XI -> SAP scenario.
    I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. What exactly is this option used for?
    P.S.: I went through SAP help but couldn't quite understand.

    Thanks a lot Mark.
    So for an FTPS -> XI -> SAP scenario the following settings are required:
    1. I have to create a certificate in Visual Admin for the XI server, send a CSR to a CA and get it signed by them, and I have to add this to the ssl_service view.
    2. I have to hand over the public key to the FTPS server, and this key will be used for encryption of the file.
    The above 2 steps are mandatory.
    If I choose to use the client certificate option, I have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
    Will this certificate be used for encryption?
    To make it clear let me put it this way. The certificate created in the XI server is used for encryption and also for ascertaining that it is what it claims to be.
    The client's certificate option is used only to make sure that the client is what it's claiming to be, and this is not used for encryption?

  • My App Store is not working after installing Mavericks. When I open the App Store it repeatedly asks me to log in with my Apple ID and to provide a user name and password for proxy authentication, in a loop. I am a newbie to Mac, please help me.

    Hmmmm... would appear that you need to be actually logged in to enable the additional menu features.
    Have you tried deleting the plists for MAS?
    This page might help you out...
    http://www.macobserver.com/tmo/answers/how_to_identify_and_fix_problems_with_the_mac_app_store
    Failing that, I will have to throw this back to the forum to see if anyone else can advise further.
    Let me know how you get on?
    Thanks.

  • NLB Unicast and certificate for the machine

    Hello,
    I have set up a two node nlb cluster, in unicast.
    On the other hand, I have a GPO with which every computer in the network gets a
    certificate from the CA, through auto enrollment.
    I am new to NLB, but from what I gather, the CA machine won't be able to issue any certificate to either of the two NLB nodes, because the virtual IP replaces the actual IPs of the two machines? I am a bit confused.
    Thanks in advance !!
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

    It's the MAC addresses that are (sort of) replaced, not the IP addresses. The two nodes of an NLB cluster can make outbound connections to a CA and other machines, and using the nodes' individual IP addresses each of them can still be contacted from other machines (in addition to using the cluster IP address).
    The only thing that does not work is: with unicast the nodes cannot communicate with each other over the network that has the shared IP address, but you could use an additional NIC if you need inter-node communication.
    With multicast on the other hand there is a chance you run into the issue described here for Cisco routers (I have just observed this myself); this article also gives an overview of how NLB works at the MAC address level.
    Re CA and certificates: note that autoenrolled certificates will contain the nodes' individual names retrieved from AD. If you need a certificate that includes the cluster name you have to issue this certificate manually.
    Elke

  • How to use digital certificate for client authentication in PCK

    My SAP JCA adapter needs to support digital certificates for client authentication. How do I implement this in J2EE or PCK?
    Message was edited by: Spring Tang

    refer the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/092dddc6-0701-0010-268e-fd61f2035fdd
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2a56861-0601-0010-bba1-e37eb5d8d4a9
    Please let me know if you don't find relevant information.

  • ISE and Microsoft AD machine authentication

    Hello Security masters,
    my goal is to perform a PEAP authentication against Microsoft AD with the machine credentials of the Windows PC.
    The question is, what does my authorization policy look like? From my understanding I have different possibilities to solve this:
    1.) Directly referencing the AD group where the computer objects are stored:
    If "Any" and <AD-NAME>:ExternalGroups equals <DOMAIN>/COMPUTERS then PermitAccess
    Drawback: If I have multiple subdomains or if the computer accounts are stored in different OUs or groups, I have to check all of them (multiple rules or compound conditions)
    2.) Username checking
    If "Any" and Network Access:UserName STARTS_WITH host\ then "PermitAccess"
    I'm checking if the username starts with "host\", which is normally an indicator for a machine/computer account
    3.) Attribute checking
    If "Any" and <AD-NAME>:servicePrincipalName STARTS_WITH host\ then "PermitAccess"
    I'm checking the value of the "servicePrincipalName" in AD. Normally only computers have this attribute and the value is "host\<PC-NAME>".
    Is one of these three approaches the right way to do it, or am I doing it completely wrong?
    Is there a best-practice approach to do this? How did you guys solve this?
    Best regards and thank you in advance
    Johannes

    Hi Neno,
    thank you for your answer.
    There are multiple domains in the forest and the computer / machine accounts are in multiple groups.
    So a trust relationship is not enough to reach the goal. In the ISE you have to add all these groups to the ISE search index in the External Identity Sources - AD settings. Plus you'll have to check for all these groups in the authorization policy (either manually or with a compound condition).
    Is that right?
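The three authorization conditions Johannes lists can be compared side by side on constructed data. The following is an added example, not from the thread or from Cisco ISE: a small first-match, default-deny evaluator in the style of an ISE authorization policy, run against four made-up sessions (a workstation in the root domain, a workstation in a child domain, a member server, and an interactive user). The group names, host names and the domain "corp.example" are assumptions; the identity format is the real one, since the Windows supplicant sends the machine identity as host/<computer>.<dns-domain> (forward slash) and computer objects carry HOST/<name> servicePrincipalName values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Sequence, Tuple


@dataclass(frozen=True)
class Session:
    """Attributes ISE holds for one authentication after the AD lookup."""
    username: str
    external_groups: Tuple[str, ...]
    service_principal_names: Tuple[str, ...]


# Constructed sample sessions; domain and names are assumptions for the example.
SESSIONS: Dict[str, Session] = {
    "workstation in root domain": Session(
        "host/PC01.corp.example",
        ("corp.example/Users/Domain Computers",),
        ("HOST/PC01", "HOST/PC01.corp.example"),
    ),
    "workstation in child domain": Session(
        "host/LT07.emea.corp.example",
        ("emea.corp.example/Users/Domain Computers",),
        ("HOST/LT07", "HOST/LT07.emea.corp.example"),
    ),
    "member server": Session(
        "host/SRV02.corp.example",
        ("corp.example/Users/Domain Computers", "corp.example/Servers/Web Servers"),
        ("HOST/SRV02", "HOST/SRV02.corp.example", "HTTP/SRV02.corp.example"),
    ),
    "interactive user": Session(
        "CORP\\jdoe",
        ("corp.example/Users/Domain Users",),
        (),
    ),
}

Rule = Tuple[str, Callable[[Session], bool]]


def ad_group_rule(*groups: str) -> Rule:
    """Approach 1: <AD>:ExternalGroups EQUALS one of the listed groups.
    Every domain (and every OU/group that holds computers) must be listed."""
    wanted = {g.lower() for g in groups}
    return ("ad-group", lambda s: any(g.lower() in wanted for g in s.external_groups))


def username_prefix_rule() -> Rule:
    """Approach 2: Network Access:UserName STARTS_WITH host/."""
    return ("username-prefix", lambda s: s.username.lower().startswith("host/"))


def spn_prefix_rule() -> Rule:
    """Approach 3: <AD>:servicePrincipalName STARTS_WITH host/ (any value)."""
    return ("spn-prefix",
            lambda s: any(v.lower().startswith("host/") for v in s.service_principal_names))


def authorize(session: Session, policy: Sequence[Rule]) -> str:
    """Top-down evaluation, first matching rule wins, implicit default denies."""
    for name, condition in policy:
        if condition(session):
            return f"PermitAccess({name})"
    return "DenyAccess(default)"


def coverage(policy: Sequence[Rule]) -> Dict[str, str]:
    """Result of one policy for every sample session."""
    return {label: authorize(s, policy) for label, s in SESSIONS.items()}


if __name__ == "__main__":
    for title, policy in (
        ("root-domain group only", [ad_group_rule("corp.example/Users/Domain Computers")]),
        ("username prefix", [username_prefix_rule()]),
        ("SPN prefix", [spn_prefix_rule()]),
    ):
        print(title)
        for label, result in coverage(policy).items():
            print(f"  {label:28s} {result}")
```

The run shows the trade-off in the post: the group rule with only the root domain's group denies the child-domain workstation until that domain's group is added (and indexed in the AD identity source), while the username and SPN prefix rules permit both. The prefix rules also permit the member server, because every computer object, not just a workstation, has a host/ identity and HOST/ SPNs; if "machine" is meant to mean "managed workstation", combine a prefix condition with a group condition rather than relying on the prefix alone.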

  • HP iPAQ 5450 with Windows Mobile 2003 802.1x and certificates.......

    This maybe a bit off topic but I am struggling trying to get some answers out of HP.
    We have some HP iPAQ 5450/5550s all running Windows Mobile 2003. To use 802.1x authentication with PEAP or EAP-TLS we need certificates installed on the Pocket PCs. We have a Windows 2000 Active Directory-integrated Certificate Authority that publishes certificates to W2K machines OK. Initially HP didn't include any way of importing certificates but have released the SDK Certificate Enrolment Tool (enroll.exe). We have tried for several days to get a certificate but to no avail and we are struggling to find any information out. Has anyone on here managed this? If so how?
    Thanks
    Andy

    Obviously the WindowsCE devices can't be 'members' of the domain as they would need W2K to do that (create a computer account etc). The enrollment tool is available from HP's website (software & drivers etc). Once I installed the enroll.exe tool I modified the enroll.cfg file to request a 'computer' certificate from my CA, this is now installed and appears in 'Settings, System, Certificates'. I have yet to actually test this with a Cisco AP as I just can't get my hands on one.......
    Andy

  • Connecting laptops to wireless APs using RADIUS 802.1x and certificates set-up questions

    I am working at a small school with 25 laptops for a mobile cart. We upgraded to new dual radio APs and I want to set up the laptops to connect to the APs and validate user credentials at logon. The person before me made a generic username "Student" on each laptop locally so they could start the laptop and then connect to the wireless with a password. This is less than ideal for many reasons.
    I have configured NPS on the server and on the AP. When I log in locally and then select the AP I am prompted for credentials and can log in. In NPS's event log I can see it granting full access. At that point I do not have internet access, which is going to be a vendor call. I can ping 8.8.8.8 successfully but not the local.domain.org address, nor the server IP 192.168.25.5, which is also the DNS server. I am thinking that there is a NAT issue there.
    When I try to login to the laptops with my AD credentials it is not connected to the AP yet and tells me there is no logon server available. 
    Is that where the certificates should be used at computer/machine level? 
    I want to get this setup correctly so anyone who has done this and has some advice for best practice would be greatly appreciated! 

    Hi,
    According to your description, we can ping 8.8.8.8 successfully. It means that we have connected to the network.
    Since we can't resolve the domain name, it should be a DNS issue. As you have mentioned, the DNS server is unavailable. Please check if there is something wrong with the DNS server.
    If we want the client to connect to the AP before implementing AD authentication, we need to enable single sign-on. For detailed information, please refer to the link below:
    http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • How to set up Windows with Reader and certificate for all users

    Good afternoon (GMT),
    we're dealing with a Win XP (SP3) system that is set up by an administrator. One task is to set up the system in a way that all users (w/o admin rights) become able to read a certificate-protected PDF. Currently we know a way to install the "public key" for this certificate only for one known user. But how to proceed when not all users are known? The users shall later on never be asked to confirm the certificate installation/registration.
    If it helps, here is the software version:
    Acrobat 8.12 to encrypt the PDF via certification. In near future I will switch to Acrobat 9.x
    Reader 7.x and/or 8.x on customer PCs.
    Thank you for ideas and hints.
    BTW: Next time we want to provide a solution for Win7 systems, too.
    Carsten

    Check
    Time Zone Specification from http://docs.oracle.com/cd/E12844_01/doc/bip.1013/e12187/T421739T481157.htm#4535403
    just in case https://blogs.oracle.com/xmlpublisher/entry/how_to_keep_your_dates_from_go

  • Multiple signatures (and certificates) for one user

    I’m using Adobe 8 Standard. 
    I need two signatures with the same name but with two separate and distinct companies (old and new). Thus, I would like two separate and distinct signatures to be associated with two certificates (old and new respectively). I was able to create a second "new" signature and a second "new" certificate. However, when I sign with the second "new" signature, the signature's properties show the first "old" certificate.
    Can this be fixed?

    Couldn't see the forest for the trees ... select the appropriate certificate at the top of the Sign Document dialogue box ... duuhhh!!!!

  • Replacing SSL keys and certificates for already defined services

    I have about 10 new 2048-bit keys and certs to replace existing 1024 bit keys and certs on my CSS11500 with SSL modules.
    I'm trying to figure out my options, now that I've got the files SFTP'ed to the CSS.
    I can create a new startup-config file for the CSS with the new files referenced by the SSL associate commands in the startup-config. This will require a reboot (not desired).
    I can come up with new associations for the new files, then suspend the ssl-proxy-list and edit it to use the new associations. This doesn't require a reboot but then I have to clear out the old associations before I can delete the old key/cert files.
    Is there any way to force the CSS to "overwrite" an existing SSL association without rebooting the CSS?

    The "clear file filename password" command will help you to clear SSL certificates and private keys from the CSS that are no longer valid.
    Please check if the URL below could help:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/command/reference/CmdGenA.html#wp1030153

  • How can i specify a specific certificate for client authentication

    hi all,
    I'm currently using a PKCS#11 smartcard device to authenticate against a directory server from Java.
    Everything works perfectly when using cards with the authentication certificate as the first in the keystore.
    Unfortunately the cards I need to handle can have either auth or sign as the first certificate.
    Is there a way to select explicitly which certificate to present during the SSL handshake?
    Thanks a lot in advance

    Look into the following:
    -- page protect property of the repeating frame
    -- Maximum number of records per page property

  • IMQ 2.0 and LDAP for user authentication

    Using the notes at http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html
    i set up an LDAP with iMQ. The LDAP works OK for storing topics,
    connection factories, etc from jmqadmin
    The LDAP also now contains the 2 users as outlined in article 7772 -
    admin and guest.
    The broker starts up OK, but
    when I try to use
    jmqcmd query bkr -b localhost:7844 -u admin -p admin
    this is what I get:
    ERROR [B3018]: Unable to run the service admin, the broker will no longer accept connections on this service:
    com.sun.messaging.jmq.jmsserver.util.BrokerException: [B4077]: Undefined authentication type basic
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.init(AccessController.java:99)
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.loadProps(AccessController.java:251)
    at com.sun.messaging.jmq.jmsserver.auth.AccessController.getInstance(AccessController.java:206)
    at com.sun.messaging.jmq.jmsserver.service.Connection.<init>(Connection.java:144)
    at com.sun.messaging.jmq.jmsserver.service.standard.StandardConnection.<init>(StandardConnection.java:49)
    at com.sun.messaging.jmq.jmsserver.service.standard.StandardService.run(StandardService.java:547)
    at java.lang.Thread.run(Thread.java:484)

    It's likely caused by trailing space after 'basic' in configuration
    imq.authantication.type=basic
    This has been fixed in MQ 3.0.
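The failure above is a general properties-file trap, not an iMQ-specific one: java.util.Properties strips whitespace before a value but keeps whitespace after it, so "basic " (with a trailing space) is a different string from "basic" and the broker's lookup fails with a message that looks wrong when you read the file by eye. The following is an added example, not code from the thread or from Sun MQ: a parser that mirrors that Java rule on a constructed broker config, a strict lookup that fails the same way the broker does, and a lint that points at the offending key. The two recognised authentication types are the ones the MQ documentation lists; the LDAP server name is an assumption.

```python
import re

# Constructed broker configs (not from the thread). The first carries a
# trailing space after "basic"; the second is the same file with it removed.
BROKEN_CONFIG = (
    "# iMQ broker properties\n"
    "imq.authentication.type=basic \n"
    "imq.user_repository.type=ldap\n"
    "imq.user_repository.ldap.server=ldap.example.test:389\n"
)
FIXED_CONFIG = BROKEN_CONFIG.replace("=basic \n", "=basic\n")

# Authentication types the broker understands.
KNOWN_AUTH_TYPES = {"basic", "digest"}

# key = everything up to the first '=', ':' or whitespace; then optional
# whitespace, one optional separator, optional whitespace; the value is the rest.
_KEY_RE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)$")


def load_java_properties(text):
    """Parse the common subset of java.util.Properties syntax the way Java does:
    leading whitespace and the separator are dropped before the value, but
    whitespace *after* the value is kept verbatim. Backslash escapes and
    line continuations are deliberately not handled in this example."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        m = _KEY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def resolve_auth_type(props, key="imq.authentication.type"):
    """Strict lookup: anything outside KNOWN_AUTH_TYPES is a hard error, which
    is the right behaviour for a security setting (no silent fallback)."""
    value = props.get(key)
    if value not in KNOWN_AUTH_TYPES:
        raise ValueError(f"Undefined authentication type {value!r}")
    return value


def lint_trailing_whitespace(props):
    """Keys whose values end in whitespace: the usual cause of an 'undefined
    type' error in a file that looks correct when read by eye."""
    return sorted(k for k, v in props.items() if v != v.rstrip())


if __name__ == "__main__":
    broken = load_java_properties(BROKEN_CONFIG)
    print("suspicious keys:", lint_trailing_whitespace(broken))
    try:
        resolve_auth_type(broken)
    except ValueError as e:
        print("broker would report:", e)
    print("fixed config resolves to:", resolve_auth_type(load_java_properties(FIXED_CONFIG)))
```

Running the lint over a broker's properties before start-up catches this class of typo without reading stack traces; the asymmetry (leading whitespace ignored, trailing whitespace significant) is why "key =   value" works while "key=value " does not.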

  • Glassfish 3.1.2 configuration Client Certificate for Mutual Authentication

    Hi
    I need help in configuring GF 3.1.2. I have done the following changes; please do let me know if I am missing anything important, as after the changes it is not working.
    my id is [email protected]
    I could not find any particular thread or answers in the forum; if any link is there it will be helpful.
    If you have any document for this please forward it.
    Please do the needful.
    App web.xml
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/faces/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>authorized</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <description/>
        <role-name>authorized</role-name>
    </security-role>
    sun-web.xml
    <security-role-mapping>
        <role-name>authorized</role-name>
        <principal-name>admin</principal-name>
        <group-name>authorized</group-name>
    </security-role-mapping>
    domain.xml
    <security-service>
        <auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="admin-realm">
            <property name="file" value="${com.sun.aas.instanceRoot}/config/admin-keyfile"></property>
            <property name="jaas-context" value="fileRealm"></property>
        </auth-realm>
        <auth-realm classname="com.sun.enterprise.security.auth.realm.file.FileRealm" name="file">
            <property name="file" value="${com.sun.aas.instanceRoot}/config/keyfile"></property>
            <property name="jaas-context" value="fileRealm"></property>
        </auth-realm>
        <auth-realm classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm" name="certificate">
            <property name="assign-groups" value="authorized"></property>
        </auth-realm>
    </security-service>

    Hi,
    Maybe the links below will be helpful.
    Check the following links; you will get the information all about the securities...
    http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/content.htm
    Also read thru this link for message level security - https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Also find some information in these links
    http://help.sap.com/saphelp_nw2004s/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
    /people/aparna.chaganti2/blog/2007/01/23/how-xml-encryption-can-be-done-using-web-services-security-in-sap-netweaver-xi
    Step by step guide for SSL security
    step by step guide to implement SSL
    Please go through the links below for reference (the above information is from the links below)
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/ff/7932e4e9c51c4fa596c69e21151c7d/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/13/4a3ad42ae78e4ca256861e078b4160/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/3a/7cddde33ff05cae10000000a128c20/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/0a/0a2e0fef6211d3a6510000e835363f/content.htm
    General guide
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a09f3d8e-d478-2910-9eb8-caa6516dd7d9
    Message level security
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/d024ca8e-e76e-2910-c183-8ea4ba681c51
    Regarding message level you can encrypt the message using certificates.
    For both of these the basis team has to deploy the relevant certificates in the XI ABAP stack or Java stack.
    Generally if the scenarios are intra-company we don't use any transport level or message level security since the network is already secured.
    Thanks
    Swarup

  • Apache and WebDB for Linux - AUTHENTICATION PROBLEM

    I have WebDB on a Linux box (Red Hat 6) and I'd like to run Apache as the interface to an Oracle 8i (Linux) database.
    I did all the requested configuration tasks and it works, but it cannot connect to the Oracle database because it gets an authentication failure (it seems the browser posts a NULL value in the Userid and Password fields).
    Can anyone help me please?
    thanks
    Fabrizio

    We are testing WebDB for Linux and it's great!
    More stable than NT/2K.
    Install one DB server, and after it the WebDB.
    Just download, rapidly read the install guide, and start to work.
    We are trying 9iAS now. It's more complete than WebDB; in truth Oracle Portal (old WebDB) is now part of 9iAS.
    Start using it!
    Minoru.
