ASA SSL digital Certificates

Similar Messages

• Adding an SSL digial certificate ".cer" file using STRUST

  Dears,
  Could someome please guide to the steps of adding an SSL digital certificate (a file with extension ".cer") using transaction STRUST
  Thanks
  Reda

  Dear Agasthuri,
  Thank you for your reply.
  The point is : whenever the https is installed on a SAP system, after issuing transaction STRUST, we find in the left pane three main nodes / folders : System PSE, SSL server Standard, SSL client SSL Client (Standar.
  We also find a cuboid shaped icon named : File.
  Whenever we right click on any of the three mentioned nodes / folders we get a pull down menu containing either two or three options : Replace, Delete  or Change, Replace , Delete.
  Whenever we right click on the cuboid shaped icon named : File, we get a pull down menu containing only one option : Create.
  None of the above - mentioned options lead to creating a new main node / folder in the left pane.
  Kindly advise.
  Thanks.
  Reda

• What is the cost of a digital certificate?

  Is it free, or is there a cost to get a digital certificate?
  I am planning to distribute my application using Webstart JAWS.
  thanks,
  Anil

  thanks for the detailed info! I am checking out CACert. Verisign is $695/yr and Thawte is $150/yr.
  Anil
  As others have told you can create one yourself, but
  I believe if you buy one from Verisign or Thawte
  Webstart doesn't pop-up the dialog to accept the
  certificate and does it automatically. At least
  that's what I understood but I might be mistaken.
  Anyway, some links:
  - Verisign:
  http://www.verisign.com/products-services/security-ser
  vices/code-signing/digital-ids-code-signing/index.html
  - Thawte:
  http://www.thawte.com/ssl-digital-certificates/code-si
  gning/index.html
  - CACert: http://www.cacert.org/ They have free
  certificates but I'm not sure they're trusted
  automatically by JWS.
  N.

• Which digital certificate (SSL) is used when a proxy client is created

  Dears,
  Could someone please guide if there are more than one digital certificate (SSL) added to the SAP system, and we create a proxy client using the 'URL' (https://....) option, than which digital certificate will be used in the check done.
  Thanks.
  Reda

  The names that go on the certificate must match the names you planned when you did the CAS namespace design.
  Some details here:http://blogs.technet.com/b/exchange/archive/2014/02/28/namespace-planning-in-exchange-2013.aspx
  So in your case if the cert does not match the name, then this will prompt users with errors.   They need to match.  As long as all your internal devices trust the issuer of the internal CA then you can use that.   Installing an
  enterprise CA will automatically publish it's root CA  public cert into AD so it works easily.
  Cheers,
  Rhoderick
  Microsoft Senior Exchange PFE
  Blog:
  http://blogs.technet.com/rmilne 
  Twitter:   LinkedIn:
    Facebook:
    XING:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• Asa ssh/vnc plugins digital certificates expired

  Hi,
  we've got our new asa set up now (more or less). But what gets us is that the Cisco ssh/vnc plugins and the java applet for port forwarding all come up with "digital certificate expired". Now this is not going to instill confidence in our users.
  We are running 8.0(4)3 and asdm 6.1(3) and the plugins are the latest available from Cisco's software download page
  (ssh-plugin.08030, vnc-plugin.080130).
  Are newer ones available?
  Thanks
  Dorothea

  BTW this could be of help:
  http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp241924
  You probably want to install a code signer certificate.
  While this seems to be what you're looking for, I have never managed to generate a bundle such that Java doesn't complain at all anymore...

• WebVPN-Problem with Digital Certificate and AAA

  Hello everyone,
  I have a problem during configuring WebVPN on ASA 5520 using AAA and digital certificate of Microsoft. (MSCEP)
  Currently, The WebVPN service is enabled and it worked well with AAA (local or external) only,
  But now, I want to use both AAA and Certificate for most secure-I mean that the users will be authenticated 2 times (firstly, it is checked by valid certificate then user/pass is second one).
  Here are details:
  I tried installation CA server (Microsoft CA service combined with SCEP) and register ASA with CA server (ASA work as subordinate CA)-->these steps is ok, asa has registed, then client use web-browser request CA and it's issued by CA administrator then it is installed on web-browser.
  Testing:
  The Client tried to test with access SSL VPN, the welcome WEBVPN message prompt user/pass but the message is "Logon Failed" before I give user and pass,
  Does anyone know and advise ?
  Thanks
  Khanh

  Hi all,
  Here are attach files for my issuse,
  Khanh

• What is the difference between a pki digital certificate received in pkcs7 format and what iplanet refers to as a pkcs#11 module?

   

  A lot of NSS-related jargon is defined on mozilla.org, including the different PKCS standards:
  http://mozilla.org/docs/jargon.html#PKCS5
  To summarize (and simplify), PKCS #7 is a standard for digital certificates while PKCS #11 is a standard for communicating with cryptographic devices (e.g. SSL hardware accelerators).

• CIDX Adopter Digital Certificates

  Guys,
  Here is the scenario..
  We are getting the HTTPS message from external system to XI.
  We are using CIDX Adopter to read external message and validate the digital certificates and map to ORDERS05 Idoc. As soon I trigger the message from external system (HTTPS message), I am seeing message in XI RWB adopter engine, when CIDX adopter is trying the validate the digital signatures somehow it is pointing to J2EE_GUSET user. And it is giving error as below mention.
  <b>ERROR</b>
  "Signature verification failed, alerted;Error when accessing keystore:service_ssl
  Signature verification failed, alerted
  Unexpected error while packing the CIDX message -
  null
  Message Processing caused Failure. -
  BTD handler indicated processing error
  Error encountered while receiving inbound action; See nested exception for detailed error message -
  Message Processing caused Failure. -
  Message Processing caused Failure. -
  BTD handler indicated processing error
  Delivery of the message to the application using connection CIDXAdapter failed, due to: Error encountered while receiving inbound action; See nested exception for detailed error message. "
  <b>Regarding Digital Certificates</b>
        We got the digital certificates from my external party and installed and
         created the Key stores in XI Visual Administration tool.
         We configured in sender agreement by selecting those key stores..
  Can any one help me on how to resolve the issue, is there any problem in Visual Admin Toll, while installing the certificates..
  Thanks
  Murali
  Message was edited by:
          Murali Babu Pallabothula

  HI,
  See the below links
  HTTP* Errors /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
  also see the below links may be useful..
  See the below links
  /people/sap.user72/blog/2005/06/16/using-digital-signatures-in-xi
  SAP Java Cryptographic Toolkit
  http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
  http://help.sap.com/saphelp_nw04/helpdata/en/fb/322f41d606ef23e10000000a155106/frameset.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/45/341a2176b74002e10000000a155369/frameset.htm
  Also see the below threads.
  how to deal with digital signatures when converting messages?
  Certificates Vs Digital Signatures
  Security Issues: SSL on SOAP Adapter and Digital Signature in BPM
  message level security: difference digital signature and certificate
  Loading Invoice XML IDoc with digital signature via XI into R/3
  Regards
  CHilla

• Best practices for buying a digital certificate for Exchange 2013

  Good dayfriends,
  Could you indicateme which are the bestpractices when buying
  a public digital certificatefor use onExchangeServer 2013.
  I'd be interested in knowing your opinion about
  using wildcardor SAN certificates.
  Likewise what are the best recommendations
  to include names and why they should or
  should not include the internal FQDN
  of my servers.
  Currently I have an infrastructure that has two
  MailBox servers,two CAS servers and an EDGE
  2010 server, but I'm planning update it to Exchange 2013.
  I searched what are the best
  practices according to Microsoft but
  have found little information.
  I would appreciate
  if you can post links like
  Microsoft KBs and other technical documents that
  discuss the above mentioned.
  Thanking your
  invaluable support.
  Greetings.

  Hi,
  Personal suggestion, we can use two namespaces for your Exchange 2013:
  Autodiscover.domain.com (Used for autodiscover service)
  Mail.domain.com (used for all Exchange services external and internal URLs)
  Please pointed mail.domain.com and autodiscover.domain.com to your internet facing CAS 2013.
  For more information about Digital Certificates and SSL in Exchange 2013, please refer to the
  Digital Certificates Best Practices part in the following technet article:
  http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
  Additionally, here are some other scenarios about certificate planning in Exchange 2013:
  http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
  Regards,
  Winnie Liang
  TechNet Community Support

• VPN error when using Microsoft digital certificates.

  Hi,
  I tried implementing site-site VPN between Cisco Router and Cisco ASA using Microsoft digital certificates. After performing the following configurations, I was not able to ping to other site LAN. I enabled debug and got following out put. I sucessfully enrolled digital certificates.
  Cisco ASA config:
  access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
  nat (inside) 0 access-list 100
  static (inside,outside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
  route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
  crypto ipsec transform-set myset esp-3des esp-sha-hmac
  crypto map mymap 1 match address 100
  crypto map mymap 1 set peer 2.2.2.2
  crypto map mymap 1 set transform-set myset
  crypto map mymap interface outside
  crypto ca trustpoint winca
  enrollment url http://10.1.1.10:80/certsrv/mscep/mscep.dll
  crl configure
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
  trust-point winca
  On router:
  crypto ca trustpoint winca
  enrollment mode ra
  enrollment url http://1.1.1.10:80/certsrv/mscep/mscep.dll
  crypto isakmp policy 19
  encr 3des
  group 2
  authentication rsa-sig
  crypto isakmp key cisco address 1.1.1.1
  crypto map mymap 10 ipsec-isakmp
  set peer 1.1.1.1
  set transform-set myset
  match address 100
  access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  crypto ipsec transform-set myset esp-3des esp-sha-hmac
  Debug output on ASA
  CorpASA# Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from peer table failed, no match!
  Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
  CorpASA#
  CorpASA#
  CorpASA# Nov 15 02:13:06 [IKEv1]: Removing peer from peer table failed, no match!
  Nov 15 02:13:06 [IKEv1]: Error: Unable to remove PeerTblEntry
  Nov 15 02:13:11 [IKEv1]: Removing peer from peer table failed, no match!
  Nov 15 02:13:11 [IKEv1]: Error: Unable to remove PeerTblEntry
  Debug out put on router:
  R2#ping 10.1.1.10 source 192.168.1.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
  Packet sent with a source address of 192.168.1.1
  Nov 15 02:21:01.067: %SYS-5-CONFIG_I: Configured from console by console
  Nov 15 02:21:02.651: ISAKMP: received ke message (1/1)
  Nov 15 02:21:02.655: ISAKMP (0:0): SA request profile is (NULL)
  Nov 15 02:21:02.655: ISAKMP: local port 500, remote port 500
  Nov 15 02:21:02.655: ISAKMP: set new node 0 to QM_IDLE
  Nov 15 02:21:02.655: ISAKMP: insert sa successfully sa = 64597C20
  Nov 15 02:21:02.655: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
  Nov 15 02:21:02.659: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
  Nov 15 02:21:02.659: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
  Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-07 ID
  Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-03 ID
  Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-02 ID
  Nov 15 02:21:02.659: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
  Nov 15 02:21:02.663: ISAKMP (0:1): beginning Main Mode exchange
  Nov 15 02:21:02.663: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
  Nov 15 02:21:02.703: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
  Nov 15 02:21:02.707: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
  Nov 15 02:21:02.707: ISAKMP (0:1): processing SA payload. message ID = 0
  Nov 15 02:21:02.707: ISAKMP (0:1): processing vendor id payload
  Nov 15 02:21:02.707: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
  Nov 15 02:21:02.711: ISAKMP : Scanning profiles for xauth ...
  Nov 15 02:21:02.711: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 19 policy
  Nov 15 02:21:02.711: ISAKMP:      encryption 3DES-CBC
  Nov 15 02:21:02.711: ISAKMP:      hash SHA
  Nov 15 02:21:02.711: ISAKMP:      default group 2
  Nov 15 02:21:02.711: ISAKMP.:      auth RSA sig
  Nov 15 02:21:02.711: ISAKMP:      life type in seconds
  Nov 15 02:21:02.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Nov 15 02:21:02.715: ISAKMP (0:1): atts are acceptable. Next payload is 0
  Nov 15 02:21:02.771: ISAKMP (0:1): processing vendor id payload
  Nov 15 02:21:02.771: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
  Nov 15 02:21:02.775: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Nov 15 02:21:02.775: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2
  Nov 15 02:21:02.783: ISAKMP (0:1): constructing CERT_REQ for issuer cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
  Nov 15 02:21:02.783: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
  Nov 15 02:21:02.783: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
  Nov 15 02:21:02.903: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
  Nov 15 02:21:02.907: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4
  Nov 15 02:21:02.907: ISAKMP (0:1): processing KE payload. message ID = 0
  Nov 15 02:21:02.979: ISAKMP (0:1): processing NONCE payload. message ID = 0
  Nov 15 02:21:02.987: ISAKMP (0:1): SKEYID state generated
  Nov 15 02:21:02.991: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
  Nov 15 02:21:02.991: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
  Nov 15 02:21:02.995: ISAKMP (0:1): peer want cert issued by cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
  Nov 15 02:21:02.995: ISAKMP (0:1): Choosing trustpoint winca as issuer
  Nov 15 02:21:02.995: ISAKMP (0:1): processing vendor id payload
  Nov 15 02:21:02.995: ISAKMP (0:1): vendor ID is Unity
  Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
  Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID seems Unity/DPD but major 11 mi.smatch
  Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID is XAUTH
  Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
  Nov 15 02:21:02.999: ISAKMP (0:1): speaking to another IOS box!
  Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
  Nov 15 02:21:03.003: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch
  Nov 15 02:21:03.003: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Nov 15 02:21:03.003: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4
  Nov 15 02:21:03.007: ISAKMP (0:1): Send initial contact
  Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
  Nov 15 02:21:03.067: ISAKMP (1): Using FQDN as My ID
  Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN
  Nov 15 02:21:03.067: ISAKMP (0:1): ID payload
          next-payload : 6
          type         : 2
          FQDN name    : R2.cisco.com
          protocol     : 17
          port         : 500
          length       : 20
  Nov 15 02:21:03.067: ISAKMP (1): Total payload length: 20
  Nov 15 02:21:03.095: ISAKMP (0:1): constructing CERT payload for hostname=R2.cisco.com
  Nov 15 02:21:03.095: ISKAMP: growing send buffer from 1024 to 3072
  Nov 15 02:21:03.095: ISAKMP (0:1): using the winca trustpoint's keypair to sign
  Nov 15 02:21:03.215: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Nov 15 02:21:03.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
  Nov 15 02:21:03.375: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Nov 15 02:21:03.375: ISAKMP: set new node -1205710646 to QM_IDLE
  Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Nov 15 02:21:03.383: ISAKMP (0:1): received packe.t from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
  Nov 15 02:21:03.383: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 1.1.1.1 to 2.2.2.2...
  Success rate is 0 percent (0/5)
  R2#
  Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
  Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
  Nov 15 02:21:13.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  R2#
  Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
  Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
  Nov 15 02:21:23.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  R2#
  Nov 15 02:21:32.651: ISAKMP: received ke message (1/1)
  Nov 15 02:21:32.651: ISAKMP: set new node 0 to QM_IDLE
  Nov 15 02:21:32.651: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
  Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Nov 15 02:21:33.219: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
  Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
  Nov 15 02:21:33.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  R2#
  Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
  Nov 15 02:21:43.219: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
  Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
  Nov 15 02:21:43.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  PLease assist me in sorting this issue, i need to implement on my live network.
  Thanks a lot in advance.
  Regards,
  Mohan.D

  HI Mate ,
  your ASA is sending the ASA certificate :
  but after that we are recieving an isakmp notify message which tears down the connection ?
  somehow the remote peer didn't like the ASA certificate
  do you have access to that peer ? is it a CISCO ASA?
  is the time synchronized with that side ?
  it the CA certificate installed on that peer?
  HTH
  Mohammad.

• SSL implementation - Certificate Authority

  Hi,
  We are planning to implement SSL in the portal using digital certificate. Version of portal is EP7 SP11(2004s). We are planning to have a clustered environment. Please let me know which all certificates are supported by portal and how many certificate licence we need in this scenario?
  regards,
  Sujesh

  Hi ,
  1)     Login to the visual administrator using admin userid and pwd
  2)     Goto server >services>keystore
  3)     Select the service_ssl and create new entry with name ssl_credentials
  Click on create button and generated one new entry with name:  ssl_credentilas
  4)     After generating  new entry ssl_credentials(private key) and ssl_credentials.cert (ecertificate) will be created.
  now select the new entry and click on generate CSR request button and send the c
  ertificate to verisgn. they will send u response to ur CSR request.Now save this in .crt ext and goto VA and sekect the new entry again and click on import CSR .
  5)     Select the Trusted CAs and click on import from other button
  6)     Select the service_ssl from the Select view option and select the ssl_credentials (privatekey) which is created in step 3. and click on Ok
  7)     ssl-credentials will be added into the Trusted CAs
  8)Goto SSL provider and  select the  dispatcher
  9)Select the new sockets radio button and select server identity tab and click on Add button.
  10)     Select the (new entry created just now)  ssl-credential and click on ok.
  11)     Add the same for Active sockets and reboot the sun 128 displatcher.
  Result:  Https is working for sun 128 server .

• "Choose a digital certificate" pop up when save Excel spreadsheet in IE

  One reporting page in our SSL application will generate an Excel spreadsheet. User will be prompted to either Save it to harddrive or Open it within the IE.
  If user chooses to Open it inside IE, then go "File --> Save as", this "Choose a digital certificate" dialog box will pop up, but there's nothing to choose. User has to click on OK/Cancel for about 12 times before it actually allows user the save...
  to create this spread sheet from jsp page i haved used
  <%@ page language="java" contentType="application/vnd.ms-excel; charset=ISO-8859-1"
       pageEncoding="ISO-8859-1" %>

  I don't think this has nothing to do with Excel.
  Go to Tools - Internet Options - Security Tab and click on the "Custom Level" button. Then find the option: "Don't prompt for client certificate selection when no certificate or only one certificate exists" and set it to "enable"

• Applying Digital certificates on EP 7

  Hi SDN,
  Currently we are running EP 7 in which we have applied SSL. We want to apply digital certificates for the transaction happening between the end user and the portal. Kindly share SAP document to implement the same.
  Let me know if digital certificates can be applied on a user specific mode...
  Thanks & Regards,
  p188071.
  Edited by: p188071 on Apr 1, 2009 7:44 AM

  Hello Amit,
  The portal runs on the J2EE Engine, so you have to configure the use of client certificates there. There is a step-by-step procedure in the documentation. See: http://help.sap.com/saphelp_nw70/helpdata/en/62/881e3e3986f701e10000000a114084/frameset.htm
  If you have questions, just let us know.
  Greetings,
  Elizabeth Winker

• Fraudulent digital certificates issued for high-value websites, iOS patch ?

  http://www.zdnet.com/blog/security/microsoft-warns-fraudulent-digital-certificat es-issued-for-high-value-websites/8488?tag=nl.e589
  http://www.h-online.com/security/news/item/SSL-meltdown-forces-browser-developer s-to-update-1213358.html
  this obviously means that iOS could be vulnerable. Mozilla has patched Firefox (all versions), MS just pushed an update, Google patched Chrome already a few days ago, how about Safari and iOS?
  edit: does iOS use OSCP validation?

  I see Safari desktop supports OCSP checking - if manually activated - but does Safari mobile too? as there's hardly any setting available for Safari on idevices it's hard to know...

• Coldfusion secure FTP & digital certificates

  Hello !
  I am currently in the process of developing a corporate CF intranet site that is behind a corporate firewall and part of the application will need to send a data file (FTP put) to a remote FTP server using secured FTP (FTPS). I have never used Coldfusion before for either secured or unsecured FTP.  I am planning on using the CFFTP tag to open the connection and send the data file but I have a number of other questions regarding the use & installation of the digital certificates.:
  Current development environment setup:
  CF version 9 standard edition running on Windows Server 2008 R2
  Microsoft IIS 7
  Current production environment setup:
  CF version 9  enterprise edition running on Windows Server 2008 R2
  Microsoft IIS 7
  1.  The data file that is being created must be sent to a finanacial institution and they will be providing a digital certificate (p12 format) to me.  What do I do with that certificate once I get it ?  I have installed SSL certificates before on http web sites with IIS without any issues but I am not sure what to do with the certificate for secured FTP.  Do I import the certificate into IIS using the MMC snap on or does the certificate need to be integrated into Coldfusion in some other way and if so, what needs to be done ?
  2.  What other steps need to be prior to being able to use the CFFTP tag for a secured FTP send ?
  I would appreciate as much help as possible as I haven't used CF for FTP before.
  Thank you.

  Dave,
  Thank you for answering.
  1.  I have imported the certificate into the cacerts file by using the following command:
       keytool -import -keystore ../lib/security/cacerts -alias x  -file c:\downloads\y
       where x was the alias name I assigned and y was the certificate name (extension of 'der').
  I tried importing a p12 and p7b certificate but neither of those worked.  I received the message 'Not a valid X.509 Certificate' from the command.  I then successfully imported a Base64 certificate (der).  I believe the certificate has been successfully imported because I ran the following and it shows the MD5 fingerprint:
       keytool -list -alias x -keystore ../lib/security/cacerts
       where x is my alias name I assigned in the original import
  2.  I then ran the following CFM command replacing the '*'s with the appropriate server name, user name, and password
       <cfftp action="open" connection="conn1" secure="yes" server="********" username="******" password="*****" port="21"
       </cfftp>
       I am getting the CF error
  An error occurred while establishing an sFTP connection.
  Verify your connection attributes: username, password, server, fingerprint, port, key, connection, proxyServer, and secure (as applicable). Error: User Authentication failed.
  Any suggestions or help would be appreciated.
  Thank you.