AnyConnect SSL-client Certificate AND AAA RADIUS

Hi All,
I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
Here are some relevant log messages I'm getting:
Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
Certificate chain was successfully validated with warning, revocation status was not checked.
Tunnel group search using certificate maps failed for peer certificate: serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name: cn=Cisco Manufacturing CA,o=Cisco Systems.
Device completed SSL handshake with client outside:72.91.xx.xx/42501
Group SSLClientProfile: Authenticating ssl-client connection from 72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client certificate
Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by appliance
Relevant Config:
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group RADIUS
default-group-policy GroupPolicy1
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
radius-reject-message
pre-fill-username ssl-client
group-alias SSLClientProfile enable
group-url https://URL enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value <ip1> <ip2>
vpn-tunnel-protocol ssl-client
default-domain value xxxxxxxx
address-pools value VPNPOOL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.102.242
key *****
aaa-server RADIUS (inside) host 192.168.240.242
key *****
ASA version 8.4
What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

PRogress....
I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

Similar Messages

Error 403.7 - Forbidden: SSL client certificate is required

Hi people!
I�m developing a java client to a WebService (developed in .NET). The communication protocol is HTTPS to the URL where the Web Service is located (something like https://10.200.140.117/dirNotes/serviceName.asmx.). I�ve been reading many posts but I could'nt find the solution to the problem wich has the following message: Error 403.7 - Forbidden: SSL client certificate is required".
I�m using JDK 1.5 and developing and testing on Windows Plataform. I'm able to access the URL specified above directly from the browser, I installed the client certificate (the same that �ve put into the ,jks keystore. I�ve also imported the whole certificate chain of the server to the cacerts.
I�ll paste the code and the console trace below. I�d be very grateful if you can help me. Thanks a lot.
_THE CODE_
package principal;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import entidade.Certificado;
public class SSLClient {
private static final int PORT_NUMBER = 443;
private static final String HTTPS_ADDRESS = "10.200.140.117";
private static String strCabecalhoMsg = "";
private static String strDadosMsg = "";
public static void main(String[] args) throws Exception {
System.setProperty("javax.net.ssl.keyStore", Certificado.getStrNomeArquivoJKSServidor());
System.setProperty("javax.net.ssl.keyStorePassword", "senha");
System.setProperty("javax.net.ssl.trustStore", "Certificados/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("javax.net.debug","ssl,handshake,record");
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(new FileInputStream(Certificado.getStrNomeArquivoJKSServidor()),
Certificado.getArranjoCharSenhaCertificadoServidor());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, Certificado.getArranjoCharSenhaCertificadoServidor());
KeyStore ksT = KeyStore.getInstance(KeyStore.getDefaultType());
ksT.load(new FileInputStream("C:/Arquivos de programas/Java/jre1.5.0_05/lib/security/cacerts"), "changeit".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ksT);
SSLContext sc = SSLContext.getInstance("SSLv3");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
SSLSocketFactory factory = sc.getSocketFactory();
try{
// method to load the values of the strings strCabecalhoMsg and strDadosMsg
carregarXMLCabecalhoDados();
SSLSocket socket =(SSLSocket)factory.createSocket(HTTPS_ADDRESS, PORT_NUMBER);
socket.startHandshake();
String [] arr = socket.getEnabledProtocols();
URL url = new URL("https://10.200.140.117/dirNotes");
HttpsURLConnection.setDefaultSSLSocketFactory(factory);
HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
urlc.setDoInput(true);
urlc.setUseCaches(false);
Object[] params = {strCabecalhoMsg, strDadosMsg};
Service service = new Service();
Call call = (Call) service.createCall();
call.setTargetEndpointAddress(url);
call.setOperationName("serviceName");
String ret = (String) call.invoke(params);
System.out.println("Result: " + ret);
catch (UnknownHostException uhe) {
uhe.printStackTrace();
System.err.println(uhe);
catch (Exception uhe) {
uhe.printStackTrace();
System.err.println(uhe);
private static void carregarXMLCabecalhoDados()
try
BufferedReader input = new BufferedReader( new FileReader("notas/cabecalho.xml"));
String str;
while((str=input.readLine()) != null)
strCabecalhoMsg += str ;
System.out.println("Cabe�a: " + strCabecalhoMsg);
input = new BufferedReader( new FileReader("notas/nota.xml"));
while((str=input.readLine()) != null)
strDadosMsg += str ;
System.out.println("Nota: " + strDadosMsg);
catch (FileNotFoundException e)
// TODO Auto-generated catch block
e.printStackTrace();
catch (IOException e)
// TODO Auto-generated catch block
e.printStackTrace();
_THE TRACE_
adding as trusted cert:
Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Algorithm: RSA; Serial number: 0x1
Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
*others trusted certs*
trigger seeding of SecureRandom
done seeding SecureRandom
export control - checking the cipher suites
export control - no cached value available...
export control - storing legal entry into cache...
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1198158630 bytes = { 48, 135, 53, 24, 112, 72, 104, 220, 27, 114, 37, 42, 25, 77, 224, 32, 12, 58, 90, 217, 232, 3, 104, 251, 93, 82, 40, 91 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 3953
*** ServerHello, TLSv1
RandomCookie: GMT: 1198158523 bytes = { 56, 166, 181, 215, 86, 245, 8, 55, 214, 108, 128, 50, 8, 11, 0, 209, 38, 62, 187, 185, 240, 231, 56, 161, 212, 111, 194, 79 }
Session ID: {222, 2, 0, 0, 147, 179, 182, 212, 18, 34, 199, 100, 168, 167, 48, 116, 140, 186, 151, 153, 226, 168, 163, 174, 24, 83, 208, 73, 179, 57, 86, 137}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Version: V3
*many chains and related data*
Found trusted certificate:
Version: V3
Subject:
*many trusted certificates and related data*
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 117, 112, 233, 166, 240, 9, 226, 67, 53, 111, 194, 84, 124, 103, 197, 28, 17, 36, 32, 48, 145, 166, 161, 61, 30, 63, 153, 214, 137, 113, 222, 204, 138, 77, 212, 75, 65, 192, 159, 215, 69, 156, 47, 188, 179, 219 }
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 75 70 E9 A6 F0 09 E2 43 35 6F C2 54 7C 67 ..up.....C5o.T.g
0010: C5 1C 11 24 20 30 91 A6 A1 3D 1E 3F 99 D6 89 71 ...$ 0...=.?...q
0020: DE CC 8A 4D D4 4B 41 C0 9F D7 45 9C 2F BC B3 DB ...M.KA...E./...
CONNECTION KEYGEN:
Client Nonce:
0000: 47 6A 73 26 30 87 35 18 70 48 68 DC 1B 72 25 2A Gjs&0.5.pHh..r%*
0010: 19 4D E0 20 0C 3A 5A D9 E8 03 68 FB 5D 52 28 5B .M. .:Z...h.]R([
Server Nonce:
0000: 47 6A 73 BB 38 A6 B5 D7 56 F5 08 37 D6 6C 80 32 Gjs.8...V..7.l.2
0010: 08 0B 00 D1 26 3E BB B9 F0 E7 38 A1 D4 6F C2 4F ....&>....8..o.O
Master Secret:
0000: 0B 3A 71 F8 BB 79 5E 07 78 C2 5F 13 4F 92 9D 87 .:q..y^.x._.O...
0010: CF 69 0D 07 78 D2 59 46 1E C3 C1 5B A2 DB 04 B9 .i..x.YF...[....
0020: 42 60 92 48 59 8E FD FD C3 5B BD 00 9C 54 7A 7E B`.HY....[...Tz.
Client MAC write Secret:
0000: 33 7C 19 C4 75 D2 CE 82 39 98 37 E5 7D 20 CB B1 3...u...9.7.. ..
Server MAC write Secret:
0000: 1E 1E 48 C7 D4 77 23 E4 22 26 8B 98 2E 92 5C 95 ..H..w#."&....\.
Client write key:
0000: EE 05 39 76 B2 85 63 6C F7 70 30 CB 6D 08 07 54 ..9v..cl.p0.m..T
Server write key:
0000: 5C 2E 3B 5E DC D9 EC C5 04 C4 D5 B5 12 11 B9 08 \.;^............
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 143, 115, 243, 131, 242, 244, 12, 44, 191, 172, 205, 122 }
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data: { 231, 215, 37, 250, 177, 121, 111, 192, 11, 41, 1, 165 }
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : Certificados/certificadoSondaMonitor.jks
keyStore type is : JKS
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: Certificados\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Algorithm: RSA; Serial number: 0x1
Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
adding as trusted cert:
* many certificates*
init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
export control - checking the cipher suites
export control - found legal entry in cache...
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1198158632 bytes = { 93, 1, 41, 236, 165, 146, 251, 117, 129, 195, 129, 72, 245, 181, 43, 48, 80, 251, 244, 198, 223, 85, 82, 101, 20, 159, 17, 26 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 3953
*** ServerHello, TLSv1
RandomCookie: GMT: 1198158525 bytes = { 109, 114, 234, 1, 130, 97, 251, 9, 61, 105, 56, 246, 239, 222, 97, 143, 22, 254, 65, 213, 10, 204, 153, 67, 237, 133, 223, 48 }
Session ID: {23, 30, 0, 0, 26, 129, 168, 21, 252, 107, 124, 183, 171, 228, 138, 227, 94, 17, 195, 213, 216, 233, 205, 2, 117, 16, 21, 65, 123, 119, 171, 109}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
many chains again
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 116, 247, 155, 227, 25, 25, 231, 129, 199, 76, 134, 222, 98, 69, 149, 224, 75, 6, 60, 121, 115, 216, 244, 246, 102, 92, 188, 64, 113, 56, 190, 43, 32, 51, 90, 254, 141, 184, 71, 48, 41, 29, 173, 180, 46, 116 }
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 74 F7 9B E3 19 19 E7 81 C7 4C 86 DE 62 45 ..t........L..bE
0010: 95 E0 4B 06 3C 79 73 D8 F4 F6 66 5C BC 40 71 38 ..K.<ys...f\.@q8
0020: BE 2B 20 33 5A FE 8D B8 47 30 29 1D AD B4 2E 74 .+ 3Z...G0)....t
CONNECTION KEYGEN:
Client Nonce:
0000: 47 6A 73 28 5D 01 29 EC A5 92 FB 75 81 C3 81 48 Gjs(].)....u...H
0010: F5 B5 2B 30 50 FB F4 C6 DF 55 52 65 14 9F 11 1A ..+0P....URe....
Server Nonce:
0000: 47 6A 73 BD 6D 72 EA 01 82 61 FB 09 3D 69 38 F6 Gjs.mr...a..=i8.
0010: EF DE 61 8F 16 FE 41 D5 0A CC 99 43 ED 85 DF 30 ..a...A....C...0
Master Secret:
0000: FC C9 75 A4 2B F1 8A D8 AD 16 27 70 B7 E4 64 6C ..u.+.....'p..dl
0010: 05 D7 33 4A 53 91 2F 51 1E 32 D3 3B 2E 18 2E BC ..3JS./Q.2.;....
0020: E4 16 EE 2F 01 A1 08 48 19 09 32 68 CE 69 8F B1 .../...H..2h.i..
Client MAC write Secret:
0000: F1 95 3B CE 06 5B 8A 9B EC DE 1C 8F B4 AB D9 36 ..;..[.........6
Server MAC write Secret:
0000: BF 52 36 48 63 24 FE 74 22 BE 00 99 BE F0 6E E5 .R6Hc$.t".....n.
Client write key:
0000: 9F 08 0A 6E 8F 54 A3 66 1C BC C7 6B AE 88 67 E0 ...n.T.f...k..g.
Server write key:
0000: 06 A1 0B 4F 69 DE 5F AF 0E 6B B5 04 ED E8 EA F5 ...Oi._..k......
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 148, 93, 105, 42, 110, 212, 55, 2, 150, 191, 13, 111 }
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data: { 171, 150, 45, 10, 99, 35, 67, 174, 35, 52, 23, 192 }
%% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
main, setSoTimeout(600000) called
main, WRITE: TLSv1 Application Data, length = 282
main, WRITE: TLSv1 Application Data, length = 8208
main, WRITE: TLSv1 Application Data, length = 1102
main, READ: TLSv1 Application Data, length = 1830
main, received EOFException: ignored
main, called closeInternal(false)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 18
main, called close()
main, called closeInternal(true)
AxisFault
faultCode: {http://xml.apache.org/axis/}HTTP
faultSubcode:
faultString: (404)Not Found
faultActor:
faultNode:
faultDetail:
     {}:return code: 404
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>
</TD></TR></TABLE></BODY></HTML>
     {http://xml.apache.org/axis/}HttpErrorCode:404
(404)Not Found
     at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
     at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
     at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
     at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
     at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
     at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
     at org.apache.axis.client.Call.invoke(Call.java:2767)
     at org.apache.axis.client.Call.invoke(Call.java:2443)
     at org.apache.axis.client.Call.invoke(Call.java:2366)
     at org.apache.axis.client.Call.invoke(Call.java:1812)
     at principal.SSLClient.main(SSLClient.java:86)
(404)Not Found
-----

I'm having the same problem with the same URL. I try many configuration and nothing works. My code is:
public class NFeClient {
     static{
          Security.addProvider(new BouncyCastleProvider());
     public static void main(final String[] args) throws Exception {
          final String path = "https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx";
          final String keyStoreProvider = "BC";
          final String keyStoreType = "PKCS12";
          final String keyStore = "/home/mendes/certificados/cert.p12";
          final String keyStorePassword = "xxxx";
          System.setProperty("javax.net.ssl.keyStoreProvider",keyStoreProvider);
          System.setProperty("javax.net.ssl.keyStoreType",keyStoreType);
          System.setProperty("javax.net.ssl.keyStore",keyStore);
          System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
          System.setProperty("javax.net.ssl.trustStore","/home/mendes/workspace/NFE/jssecacerts");
          final SSLContext context = SSLContext.getInstance("TLS");
          final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
          final KeyStore ks = KeyStore.getInstance(keyStoreType);
          ks.load(new FileInputStream(keyStore), keyStorePassword.toCharArray());
          kmf.init(ks, keyStorePassword.toCharArray());
          context.init(kmf.getKeyManagers(), null, null);
          final URL url = new URL(path);
          final HttpsURLConnection httpsConnection = (HttpsURLConnection) url.openConnection();
          httpsConnection.setDoInput(true);
          httpsConnection.setRequestMethod("GET");
          httpsConnection.setRequestProperty("Host", "iis-server");
          httpsConnection.setRequestProperty("UserAgent", "Mozilla/4.0");
          httpsConnection.setSSLSocketFactory(context.getSocketFactory());
          try{
               final InputStream is = httpsConnection.getInputStream();
               final byte[] buff = new byte[1024];
               int readed;
               while((readed = is.read(buff)) > 0)
                    System.out.write(buff,0,readed);
          }catch(final IOException ioe){
               ioe.printStackTrace();
}and the response of the server is always the same:
java.io.IOException: Server returned HTTP response code: 403 for URL: https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx
     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
     at br.com.esales.nfe.signer.client.NFeClient.main(NFeClient.java:60)Edited by: mendes on Apr 25, 2008 9:56 AM

How can you configure an Exchange Account in Mac OS X to use a SSL client certificate?

I'm trying to connect the Mail App of Mac OS X to my company's Exchange server. For security reasons you have provide a SSL client certificate to the server. You can convince Safari to use a client certificate by putting it into your keychain and configuring a suitable "identity preference" for the URL of the related site. But the Mail App seems not to use the keychain for this part of the SSL negotiations.
Since you can configure the client certificate usage for an Exchange Account for the iPhone with the Configuration Utility there should be a way for the desktop App, too. Has someone sorted this issue out already or does the Mail App actually lack of client certificate support?

I had a nice chat with the Apple end user support which revealed that this feature falls in the responsibility of the business support group. Since I have no appropriate support contract I could ask for help for about 480€ per issue -- nice try
After more research I found the Configuration Profile Reference, where you get information about Exchange accounts too. Starting with a working iOS-Profile I changed the Exchange account part according to this documentation for OS X. All you have to do is to replace PayloadType com.apple.eas.account by com.apple.ews.account.
After importing this profile I found the expected Exchange account within the Contacts.app. But the SSL client certificate was still not used and therefore my account not usable.
You could enable Mail, Calendar & Reminders and Notes within the System Preferences, but neither of these would work due to the missing client certificate support.
I came to the conclusion that the relevant applications in OS X have no proper SSL Client support build in. Since the underlying libraries and frameworks have everything in place that is really a shame.
Would be nice, if someone would enforce the developers to do their homework there.

3rd party Certificate and AAA Authentication

I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.
In the connection profile i have set up that users should authenticate using both certificate and AAA.
Due to a high security requirement, the user certificate is issued from a 3rd party.
This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.
I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.
Problem:
If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combo of Joes certificate, and Janes username/password. Both are valid (isolated), but i only want jane to be able to authenticate with her username/password and her personal certificate.
I got an idea that i could put the Serial Number of the users certificate on the user object in AD (on the users department field or something like that) and check if this value match during authentication.
So, to sum things up, i want to compare the Serial Number (SER) field of the users certificate with a field on the user object in AD during authentication. As far as i can see the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field match the value on the user object in AD.
I am happy for any help that could point me in the right direction on how to accomplish this.
Best regards,
Kenneth

I actually got a better idea, and i think this will work great!
One of the guys at work pointed out that the sAMAAccountName is still used in many areas even though it is called pre-windows 2000.
After some trying and failing i got the idea that should try to change the "Naming Attribute(s)" on the defined AAA (ldap) server under "AAA server groups".
So i change the Naming attribute to "department", and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as username. After that i tried to log in, and voila:
[123] LDAP Search:
        Base DN = [dc=Testlab,dc=local]
        Filter = [department=xxxx-xxxx-xxxxxxxxx]
        Scope   = [SUBTREE]
[123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
The ldap debug is clear, the ldap query during authentication is now searching for the user using the department field, and looking for the value of the serial number from my certificate.
I wasnt quite happy about using the "department" field and i took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificat to the "serialNumber" attribute on the user object:
[138] LDAP Search:
        Base DN = [dc=Testlab,dc=local]
        Filter = [serialNumber=xxxx-xxxx-xxxxxxxxx]
        Scope   = [SUBTREE]
[138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
Worked like a charm!
I will settle for this solution, i cant see any issues regarding security, and it will be a breeze to admin. I will make a tool now so i can search for users in AD and update/view this attribute on the user objects.
Thank you for the input Marcin

SSL client certificate problem with exchange owa

Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
When I try to log on to the server, I now get a a safari warning telling me that the website requests a client certificate and prompts me to choose one.
Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
I cannot get through this dialog because it seems I do not have the required certificate.
What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
I do not understand what mobileme has to do with this exchange server at all.
What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
Can anybody point in the right direction please ?
For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definatly not on all 4 at the same time....
Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
When I try to log on to the server, I now get a a safari warning telling me that the website requests a client certificate and prompts me to choose one.
Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
I cannot get through this dialog because it seems I do not have the required certificate.
What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
I do not understand what mobileme has to do with this exchange server at all.
What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
Can anybody point in the right direction please ?
For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definatly not on all 4 at the same time....
Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

Getting SSGD 4.41 to work with SSL + Client Certificate

Hello everybody.
I'm running SSGD 4.41.909 on SuSE Linux Enterprise Server 10+Sp2 (x86_32bit) and I configured it to perform KERBEROS authentication against a Windows 2003R2 server.
Everything worked fine so I decided to give SSL+Client Ceritifcate a try.
I configured the Win2003R2 server as per the manual and I also:
. imported the Active Directory root CA into SSGD trustore (/opt/tarantella/bin/jre/lib/security/cacerts)
. created a new key and a CSR using the keytool
. signed the above CSR with the Active Directory CA
. imported the just signed certificate info SSGD keystore (/opt/tarantella/var/info/certs/sslkeystore)
With the keytool I'm able to verify that the keystore does actually contains a valid CLIENT certificate:
/opt/tarantella/bin/jre/bin/keytool -list \
-keystore /opt/tarantella/var/info/certs/sslkeystore \
-keypass "$(cat /opt/tarantella/var/info/key)" \
-storepass "$(cat /opt/tarantella/var/info/key)"Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
testssgd, Dec 17, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 33:3B:41:EC:A2:4C:FF:02:D7:0D:D8:2D:EB:B2:2A:2B
ssgd_client_cert, Dec 17, 2008, trustedCertEntry,
Certificate fingerprint (MD5): DE:6B:BA:28:39:6B:B2:7B:51:F5:F2:6B:41:6E:6B:C1
As you can see, the ssgd_client_cert is indeed available into the sslkeystore.
Next, I configured SSGD as follows:
Step4: LDAP Repository Details
Repository Type: (*) Active Directory
URLs: ad://zen.strhold.it
Connection Security: () Kerberos
(*) SSL
[x] Client Certificate Used
Active Directory Base Domain: zen.strhold.it
Active Directory Default Domain: zen.strhold.it
[Next]
I did not have any errors when I clicked over [Next] and the same went when I selected the [Finish] button.
I logged out of the Admin console, restarted the SSGD server and tried to login using an Active Directory VALID user but here's what I got:
Sun Secure Global Desktop Software (4.41) WARNING:
Could not find a client certificate to use to authenticate the
connection to the Active Directory server
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
cannot be used to retrieve data from the Active Directory.
A known resolution to this warning is:
- Import a client certificate for this server into the SGD keystore.
For more information on how to do this, consult the SGD Administration
Guide.
2008/12/17 17:16:36.246     (pid 18920)     server/ad/warningerror     #1229530596247
Sun Secure Global Desktop Software (4.41) WARNING:
Failed to connect to the global catalog:
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
Reason:
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
Global catalog:
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
cannot be used to retrieve data from the forest.
To help troubleshoot this warning,
- Verify that this global catalog is available on the network.
- Verify that SGD can resolve the global catalog's hostname via DNS.
- Verify that SGD can connect to port 3268 on the global catalog.
- Verify that this server is a global catalog for the forest.
I'm pretty sure I do have a client certificate into SSGD keystore (as demonstrated by the keytool utility).
Am I missing something or what?
Things I've already cheched:
. both the SSGD and Windows server clocks are in synch
. the DNS server (on Windows) is able to resolve the names of the boxes in both forward and reverse mode
. no firewall is operating between the boxes
Thanks,
Rob

Hi DD.
Thanks again for your time and patience!
Well, today I restarted the SSGD box (it's a virtual machine) and issued the:
    keytool -list -keystore sslkeystore -storepass "$(cat /opt/tarantella/var/info/key)" -keypass "$(cat /opt/tarantella/var/info/key)"command. Much to my surprise, this time I got the following output:
Your keystore contains 1 entry
+testssgd, Dec 19, 2008, trustedCertEntry,+
Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35
As you can see, now the certificate is recognized as "trustedCertEntry* instead of the previous PrivateKeyEntry. If you step back to my previous post, you should be able to tell that the MD5 is the same one I got for the PrivateKeyEntry.
+testssgd, Dec 19, 2008, PrivateKeyEntry,+
+Certificate fingerprint (MD5): 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35+
By issuing the suggested:
{code}keytool -v -list -keystore sslkeystore -alias testssgd{code}
command I got the following output (snipped):
+Alias name: testssgd+
+Creation date: Dec 19, 2008+
+Entry type: trustedCertEntry+
+Owner: CN=ssgd.zen.strhold.it, OU=Strhold Evolution Division, O=Strhold, L=Reggio Emilia, ST=Italy, C=IT+
+Issuer: CN=ADroot, DC=zen, DC=strhold, DC=it+
+Serial number: 1568abe4000000000006+
+Valid from: Fri Dec 19 17:45:52 CET 2008 until: Sun Dec 19 17:45:52 CET 2010+
+Certificate fingerprints:+
+     MD5: 37:0D:8B:17:71:95:E6:D1:19:ED:D4:93:DE:5E:E7:35+
+     SHA1: 00:8F:59:04:51:49:A6:73:8C:B5:6D:74:C6:90:30:32:24:DE:6D:EA+
+     Signature algorithm name: SHA1withRSA+
+     Version: 3+
As you can see, the Issuer is ADRoot (CN=ADroot, DC=zen, DC=strhold, DC=it).
The error messages did not change (
Attempted login for [email protected]
using disambiguation attributes {}.
2008/12/22 13:37:10.306     (pid 3764)     server/kerberos/info     #1229949430306
Kerberos attempting to log in rzini in to ZEN.STRHOLD.IT
2008/12/22 13:37:10.647     (pid 3764)     server/kerberos/moreinfo     #1229949430647
Kerberos succeeded in authenticating [email protected] to ZEN.STRHOLD.IT
2008/12/22 13:37:10.711     (pid 3764)     server/ldap/info     #1229949430711
LDAP config is: "ad://zen.strhold.it"
2008/12/22 13:37:10.716     (pid 3764)     server/ldap/info     #1229949430716
LDAP server user was changed for scope "forest" to ""
2008/12/22 13:37:10.796     (pid 3764)     server/ldap/moreinfo     #1229949430796
NSLookup succeeded: "win2003r2.zen.strhold.it." returned 192.168.68.1
2008/12/22 13:37:10.801     (pid 3764)     server/ldap/moreinfo     #1229949430801
Service lookup succeeded: "_gc._tcp.zen.strhold.it." returned 192.168.68.1:3268
2008/12/22 13:37:11.316     (pid 3764)     server/ad/warningerror     #1229949431315
Sun Secure Global Desktop Software (4.41) WARNING:
Could not find a client certificate to use to authenticate the
connection to the Active Directory server
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
cannot be used to retrieve data from the Active Directory.
A known resolution to this warning is:
- Import a client certificate for this server into the SGD keystore.
For more information on how to do this, consult the SGD Administration
Guide.
2008/12/22 13:37:11.321     (pid 3764)     server/ad/warningerror     #1229949431321
Sun Secure Global Desktop Software (4.41) WARNING:
Failed to connect to the global catalog:
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
Reason:
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
[snip]
Discovery results:
Looking up Global Catalog DNS name: _gc._tcp.zen.strhold.it. - HIT
Looking for GC on server: Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up - ERROR
The Active Directory login authority and LDAP generation will not work as
SGD could not find a contactable global catalog.
2008/12/22 13:37:11.329     (pid 3764)     server/ldap/error     #1229949431329
Sun Secure Global Desktop Software (4.41) ERROR:
LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=ZEN,DC=STRHOLD,DC=IT") 587ms javax.naming.NameNotFoundException: Failed to lookup a Global Catalog server
A call to LDAP failed. This might mean LDAP users cannot log in.
I can provide you with the Java exception which was reported but I cannot include it with this message due to the restriction in size we have when posting.
Thanks again,
Rob

What is a client certificate and how do I use it?

I am trying to pay a traffic fine on a municipal website. I keep getting a drop-down box saying the site requires a client certificate to verify my identity. I am given a choice of two certificates, both of which are listed as valid. However, when I select one and click "continue," the same box comes up again (no matter which one i select). This happens repeatedly. I have triend this on both my iMac (less than a year old) and my macBook Air (less than two years old), and the same thing happens on both I just want to pay my traffic ticket! Why won't it accept my selected certificate? Do I need to create a new one, and if so, how do I do that? And what is a cient certificate anyway?

Same here. Does my solution help you, as well? However, in you case, I double-check with the site administrator if he uses client authentication intentionally at all.

SSL client certificates location

Anybody have an idea how to export the installed S/MIME private certificate from Firefox at Android? Is there something similar to "Preferences|Options" -> "Advanced" -> "Encryption" -> "View Certificates" -> "Your Certificates"?

hi
You describe exactly what I 've been trying and I have the same problem.
But, it seems to work if you use Netscape.
Internet Explorer 5.0 presents an empty client-certificate-box to choose from.
Internet Explorer 5.5 just shows an error page.
Have you found a solution yet?
tnx
-Jan.Vervecken(at)cronos.be

Client Certificate and EP 6.0

I'm would like to know if client certificate can be implemented on EP 6.0 SP2.
If some one has already done. what is the best way of going about it. Pointer to document would be help ful.
Thanks in advance,

Hello Nixon,
have a look at the Enterprise Portal 6.0 SP2 Security Guide:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/sap enterprise portal 6.0 sp2 - security guide
Regards
Gregor

WebVPN-Problem with Digital Certificate and AAA

Hello everyone,
I have a problem during configuring WebVPN on ASA 5520 using AAA and digital certificate of Microsoft. (MSCEP)
Currently, The WebVPN service is enabled and it worked well with AAA (local or external) only,
But now, I want to use both AAA and Certificate for most secure-I mean that the users will be authenticated 2 times (firstly, it is checked by valid certificate then user/pass is second one).
Here are details:
I tried installation CA server (Microsoft CA service combined with SCEP) and register ASA with CA server (ASA work as subordinate CA)-->these steps is ok, asa has registed, then client use web-browser request CA and it's issued by CA administrator then it is installed on web-browser.
Testing:
The Client tried to test with access SSL VPN, the welcome WEBVPN message prompt user/pass but the message is "Logon Failed" before I give user and pass,
Does anyone know and advise ?
Thanks
Khanh

Hi all,
Here are attach files for my issuse,
Khanh

AnyConnect SSL Client issue with Mac OS X

Hello this seems to be a very common issue with AnyConnect working on Mac OS X. A lot of random sites talk about this.
I have a Cisco 2801 running IOS 12.4(22)T (ADV ENT SRV) with AnyConnect 2.3 package installed.
From Windows I can connect without any issues.
From a Mac OS X after providing login credentials the AnyConnect log says its connecting... checking for updates... and then disconnects.
If this does work on Mac OS X what is needed (or needs to be configured) to get this to work properly on Mac OS X?
Thank you!

Hello All,
I recently experienced the same problem when my company upgraded to our entire company from the stone age to a VPN system using the Cisco AnyConnect. At first, I had the same problem as described above. Then my IT guy and I got on the phone with Cisco.
Here is the solution that worked for me. First, our IT department had to specifically load a MAC connection file into the VPN firewall to allow access for MacIntosh computers. Then I redownloaded the latest anyconnect files and updated whatever else through the vpn.yourcompany.com site. Finally, from www.citrix.com/download I downloaded (on the RH side under featured downloads) the appropriate Citrix ICA File.
Everything works fine now. I don't know if this will work for you, but it did the trick for us.

PIX 501 and AAA Radius Server

I am trying to change the radius server using PDM and I can not do it it give me an error sgtating that I need to change the server on the ACL.
PLease tell me whereelse do I have to go and remove the old radius server and add a new radius server.
Thank you
Cristian

Try this configuration guide,
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/index.htm may be you wll find it.

Howto use SSL-2 (https) and .pfx certificate in SOAP cc - padding error!

I'm working on a rfc to soap scenario in PI 7.1, and I must connect PI to some external web services through https.
We must use a two-sided SSL connection (SSL-2), we received a .pfx certificate to achieve this.
SAP Basis installed the certificate in the (java)nwa. In the SOAP communication channel i can choose the installed ceritifcate when i set the 'Configure Certificate Authentication'. Tried this, got the "error: iaik.security.ssl.SSLException: Padding length error: 106"
Other option tried is to set the 'Select security profile'and choose Web Services Security. Then in the receiver agreement i can set the certificate for the encryption and/or decryption. Various scenario's tried, not succesful. We've seen that the pfx certificate contains two certificates (private and public one). But in the receiver agreement there is no choice between those two, we can only select the .pfx
We also added a user with transaction EXTID_DN. Still got the same error.
Does somebody have a suggestion what to do? Must we split the .pfx certificate in two separate files/certificates? Do we use the incorrect DN/CN in the EXTID_DN?

Hi,
What is your requirement ? The "2-sides" concept of SSL, what is it exactly ? Or does it simply mean that you're going to connect to a SSL target providing a SSL client certificate ?
Usually, you import the SSL target's CA chain (ie Verisign CAs, etc) into the NWA key store, provide the CA chain for your own SSL client cerificate to the target and configure channels accordingly
Rgds
Chris

IOS4, apple-mobile-web-app-capable and client certificates

IOS4 (4.0 and 4.0.1) seems to have broken apple-mobile-web-app-capable. I have a webbapplication using client certificates to authenticate the user. This worked flawless on IOS3.x. However, after having upgraded my iPhone to IOS4, the application fails when started from the springboard with an error message telling a client certificate is required (I have one installed). When I start the application from within Safari it works OK. I tracked the error down to the following line in the HTML code:
<meta name="apple-mobile-web-app-capable" content="yes" />
When I remove this line, the application works again flawless when started from the springboard. However the native look and feel are gone. As soon as I add this line to the HTML, the application works when started from Safari, but fails when started from the springboard.
Does anyone have a glue or is this a bug on the apple-mobile-web-app-capable function of IOS4?

I have also experienced this problem on iOS 4.1. I want to authenticate access to a web-app using SSL client certificates but I get an error "Cannot Open ... requires a client certificate" when launching the app from the home screen. Very annoying!
Navigating to the page in Safafi prompts the user to choose which certificate to use and then loads the page successfully. Just as a side question, is there anyway to automatically associate a client certificate with a web site so that the user is never prompted to choose a certificate when accessing the site? I want an authentication process that is transparent to the user.

No client certificate available, sending empty certificate message

Dear Experts,
    I am trying to establish SSL client certificate connection to external partner. What puzzles me is that the certificate is not picked up by SAP PI. The intermediate and root CA for the partner are OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network and OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US, respectively. You will be able to spot them in the Accepted Certificate Authority list, yet PI insists on sending empty certificate.
    Below is trace gathered from J2EE default trace. Please help shed some light
Date : 11/16/2011
Time : 8:49:11:423
Message : additional info ssl_debug(9): Starting handshake (iSaSiLk 4.3)...
ssl_debug(9): Sending v3 client_hello message to preprod.connect.elemica.com:443, requesting version 3.2...
ssl_debug(9): Received v3 server_hello handshake message.
ssl_debug(9): Server selected SSL version 3.1.
ssl_debug(9): Server created new session 22:E7:C0:9E:C1:D2:78:83...
ssl_debug(9): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
ssl_debug(9): CompressionMethod selected by server: NULL
ssl_debug(9): Received certificate handshake message with server certificate.
ssl_debug(9): Server sent a 1024 bit RSA certificate, chain has 2 elements.
ssl_debug(9): ChainVerifier: No trusted certificate found, OK anyway.
ssl_debug(9): Received certificate_request handshake message.
ssl_debug(9): Accepted certificate types: RSA, DSA
ssl_debug(9): Accepted certificate authorities:
ssl_debug(9):   CN=QuoVadis Global SSL ICA,OU=www.quovadisglobal.com,O=QuoVadis Limited,C=BM
ssl_debug(9):   CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9):   CN=CSF - Classe III - Sign et Crypt,OU=Certification Professionnelle,O=Autorite Consulaire
ssl_debug(9):   CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
ssl_debug(9):   CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
ssl_debug(9):   CN=DPWN SSL CA I2 PS,OU=I2 PS,O=Deutsche Post World Net
ssl_debug(9):   CN=CSF,O=Autorite Consulaire
ssl_debug(9):   C=BE,O=GlobalSign nv-sa,OU=RootSign Partners CA,CN=GlobalSign RootSign Partners CA
ssl_debug(9):   CN=Dell Inc. Enterprise Utility CA1,O=Dell Inc.
ssl_debug(9):   EMAIL=premium-server(a)thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
ssl_debug(9):   CN=TC TrustCenter Class 2 L1 CA XI,OU=TC TrustCenter Class 2 L1 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9):   CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   OU=VeriSign Trust Network,OU=(c) 1998 VeriSign, Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=TC TrustCenter SSL CA I,OU=TC TrustCenter SSL CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9):   CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=Meijer ipprod,OU=IT,OU=Merch,O=Meijer Stores Limited,L=Walker,ST=MI,C=US
ssl_debug(9):   CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9):   OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network
ssl_debug(9):   CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9):   CN=Deutsche Telekom CA 5,OU=Trust Center Deutsche Telekom,O=T-Systems Enterprise Services GmbH,C=DE
ssl_debug(9):   CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network
ssl_debug(9):   CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
ssl_debug(9):   CN=Bertschi CA,O=Bertschi AG (Schweiz),L=Duerrenaesch,ST=Switzerland,C=CH
ssl_debug(9):   CN=Cybertrust SureServer CA,O=GlobalSign Inc
ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   EMAIL=server-certs(a)thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
ssl_debug(9):   CN=Mark Van Hamme,O=Brain2 BVBA,L=Brussels,ST=Brabant,C=BE
ssl_debug(9):   CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
ssl_debug(9):   EMAIL=bis.at(a)siemens.com,CN=bis.siemens.at,OU=SBS ORS EDO,O=Siemens Business Services,L=Vienna,ST=Vienna,C=AT
ssl_debug(9):   CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=mail2.adr-logistics.hu,O=ADR Logistics Kft.,L=Gyu00E1l,ST=Pest,C=HU
ssl_debug(9):   EMAIL=brent.kemp(a)sscoop.com,CN=bacchusdevp.sscoop.com,OU=IS,O=Southern States Cooperative Inc,L=Richmond,ST=VA,C=US
ssl_debug(9):   CN=Cybertrust SureServer Standard Validation CA,O=Cybertrust Inc
ssl_debug(9):   OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US
ssl_debug(9):   CN=Certipost E-Trust Secondary Normalised CA for Legal Persons,O=Certipost s.a./n.v.,C=BE
ssl_debug(9):   EMAIL=cert(a)bit-serv.de,CN=BIT-SERV GmbH Root CA,O=BIT-SERV GmbH,C=DE
ssl_debug(9):   CN=SAP_elemica_tester
ssl_debug(9):   CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
ssl_debug(9):   OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=Montova Root CA,OU=Root CA,O=Montova,C=BE
ssl_debug(9):   CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
ssl_debug(9):   CN=Dell Inc. Enterprise CA,O=Dell Inc.
ssl_debug(9):   CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9):   EMAIL=support(a)tamgroup.com,OU=Engineering,O=Tamgroup,ST=California,L=San Anselmo,C=US,CN=Tamgroup
ssl_debug(9):   CN=GlobalSign Organization Validation CA,O=GlobalSign,OU=Organization Validation CA
ssl_debug(9):   CN=Certinomis AC 1 u00E9toile,OU=0002 433998903,O=Certinomis,C=FR
ssl_debug(9):   CN=GlobalSign ServerSign CA,OU=ServerSign CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
ssl_debug(9):   CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
ssl_debug(9):   CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
ssl_debug(9):   CN=GlobalSign Organization Validation CA,O=GlobalSign,OU=Organization Validation CA
ssl_debug(9):   CN=thawte Primary Root CA,OU=(c) 2006 thawte, Inc. - For authorized use only,OU=Certification Services Division,O=thawte, Inc.,C=US
ssl_debug(9):   CN=Certipost E-Trust Primary Normalised CA,O=Certipost s.a./n.v.,C=BE
ssl_debug(9):   CN=Thawte DV SSL CA,OU=Domain Validated SSL,O=Thawte, Inc.,C=US
ssl_debug(9):   OU=Equifax Secure Certificate Authority,O=Equifax,C=US
ssl_debug(9):   CN=preprod.connect.elemica.com,OU=CONNECTED SOLUTIONS,O=Elemica,L=Wayne,ST=Pennsylvania,C=US
ssl_debug(9):   CN=Certinomis - Autoritu00E9 Racine,OU=0002 433998903,O=Certinomis,C=FR
ssl_debug(9):   CN=DPWN Root CA R2 PS,OU=IT Services,O=Deutsche Post World Net,DC=com
ssl_debug(9):   CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA
ssl_debug(9):   OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
ssl_debug(9):   EMAIL=santiago.tolosa(a)eu.rhodia.com,CN=Rhodia Development CA,OU=ISF - WARTE,O=Rhodia,L=La Villette,ST=France,C=FR
ssl_debug(9):   CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
ssl_debug(9):   CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
ssl_debug(9):   CN=Groep H. Essers TEST (99805D6DA33FCC1700010002),O=Montova,C=BE
ssl_debug(9):   serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
ssl_debug(9):   CN=VeriSign Class 3 Secure Server 1024-bit CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   serialNumber=10688435,CN=Starfield Secure Certification Authority,OU=http://certificates.starfieldtech.com/repository,O=Starfield Technologies, Inc.,L=Scottsdale,ST=Arizona,C=US
ssl_debug(9):   CN=Conextrade,OU=Swisscom IT,O=Swisscom AG,L=Zurich,ST=Zurich,C=CH,EMAIL=ccc.eTrade(a)swisscom.com
ssl_debug(9):   CN=b2bproto.basf-corp.com,OU=Corporate IS,O=BASF Corporation,L=Mount Olive,ST=New Jersey,C=US
ssl_debug(9):   CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
ssl_debug(9):   CN=GeoTrust DV SSL CA,OU=Domain Validated SSL,O=GeoTrust Inc.,C=US
ssl_debug(9):   EMAIL=!sysadmin(a)elemica.com,CN=www.elemica.com,OU=Connected Solutions,O=Elemica, Inc,L=Wayne,ST=Pennsylvania,C=US
ssl_debug(9):   CN=GeoTrust SSL CA,O=GeoTrust, Inc.,C=US
ssl_debug(9):   CN=RapidSSL CA,O=GeoTrust, Inc.,C=US
ssl_debug(9):   CN=Entrust Certification Authority - L1E,OU=(c) 2009 Entrust, Inc.,OU=www.entrust.net/rpa is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=EAS,O=COMPUDATA EDI Dienstleister,C=CH,EMAIL=helpdesk.dl(a)compudata.ch
ssl_debug(9):   CN=GlobalSign Domain Validation CA,O=GlobalSign nv-sa,OU=Domain Validation CA,C=BE
ssl_debug(9):   CN=GlobalSign Primary Secure Server CA,OU=Primary Secure Server CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
ssl_debug(9):   CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=Thawte SSL CA,O=Thawte, Inc.,C=US
ssl_debug(9):   CN=Entrust Certification Authority - L1C,OU=(c) 2009 Entrust, Inc.,OU=www.entrust.net/rpa is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9):   EMAIL=vladimir.polak(a)esa.ch,CN=Vladimir Polak,O=Einkaufsorganisation des Schweizerischen Auto- und Motorfahrzeuggewerbes,C=CH
ssl_debug(9):   CN=IT Directions and Strategies,OU=ITDS EDI,ST=WI,C=US,L=Hartland,EMAIL=aklumpp(a)itdsllc.com,O=ITDS EDI
ssl_debug(9):   CN=Entrust Certification Authority - L1B,OU=(c) 2008 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY,OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE,O=Entrust, Inc.,C=US
ssl_debug(9):   CN=GlobalSign Organization Validation CA - G2,O=GlobalSign nv-sa,C=BE
ssl_debug(9):   CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=TeleSec ServerPass CA 1,OU=Trust Center Services,O=T-Systems International GmbH,C=DE
ssl_debug(9):   CN=TC TrustCenter Class 3 L1 CA V,OU=TC TrustCenter Class 3 L1 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9):   C=NL,ST=Zuid-Holland,L=Spijkenisse,O=De Rijke Transport,OU=ICT,CN=smtphost.derijke.com
ssl_debug(9):   CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9):   CN=Comodo Class 3 Security Services CA,OU=(c)2002 Comodo Limited,OU=Terms and Conditions of use: http://www.comodo.net/repository,OU=Comodo Trust Network,O=Comodo Limited,C=GB
ssl_debug(9):   CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9):   OU=Starfield Class 2 Certification Authority,O=Starfield Technologies, Inc.,C=US
ssl_debug(9):   EMAIL=ftp(a)csx.com,C=US,O=CSX Corporation Inc,CN=CSX_CORPORATION_AS2_02062009
ssl_debug(9):   CN=EssentialSSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9):   CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
ssl_debug(9):   CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): Received server_hello_done handshake message.
ssl_debug(9): No client certificate available, sending empty certificate message...
ssl_debug(9): Sending client_key_exchange handshake...
ssl_debug(9): Sending change_cipher_spec message...
ssl_debug(9): Sending finished message...
ssl_debug(9): Received alert message: Alert Fatal: bad certificate
ssl_debug(9): SSLException while handshaking: Peer sent alert: Alert Fatal: bad certificate
ssl_debug(9): Shutting down SSL layer...
Severity : Error
Category : /Applications/ExchangeInfrastructure/AdapterFramework/SAPLibraries/SAPXDK
Location : com.sap.aii.messaging.net.HTTPClientConnection.call(Object)
Application : sap.com/com.sap.xi.rwb
Thread : SAPEngine_Application_Thread[impl:3]_0
Datasource : 7662250:E:\usr\sap\T37\DVEBMGS00\j2ee\cluster\server0\log\defaultTrace.trc
Message ID : 00505688007A006A0000005100001B8C0004B1CF78E9602A
Source Name : com.sap.aii.messaging.net.HTTPClientConnection
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : cc6d1cee0fec11e1c90200000074eaaa
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : /Applications/ExchangeInfrastructure/AdapterFramework/SAPLibraries/SAPXDK
Resource Bundlename :
Session : 365
Source : com.sap.aii.messaging.net.HTTPClientConnection
ThreadObject : SAPEngine_Application_Thread[impl:3]_0
Transaction :
User : CPWONG
Dsr Root Context ID :
Dsr Connection :
Dsr Counter : -1

Hi ,
Is the above problem solved , can you share the solution.
Thanks

AnyConnect SSL-client Certificate AND AAA RADIUS

Similar Messages

Maybe you are looking for