ASA SSL digital Certificates
I have a single URL which will direct users to one of four ASA5520 devices, can I export a single certificate onto all four devices or do I require four individual certificates?
You can export the certificate using the crypto ca export command. If a security appliance has trustpoints that share the same CA, only one of the trustpoints sharing the CA can be used to validate user certificates.
Similar Messages
-
Adding an SSL digial certificate ".cer" file using STRUST
Dears,
Could someone please guide me through the steps of adding an SSL digital certificate (a file with extension ".cer") using transaction STRUST?
Thanks
Reda
Dear Agasthuri,
Thank you for your reply.
The point is : whenever the https is installed on a SAP system, after issuing transaction STRUST, we find in the left pane three main nodes / folders : System PSE, SSL server Standard, SSL client SSL Client (Standar.
We also find a cuboid shaped icon named : File.
Whenever we right click on any of the three mentioned nodes / folders we get a pull down menu containing either two or three options : Replace, Delete or Change, Replace , Delete.
Whenever we right click on the cuboid shaped icon named : File, we get a pull down menu containing only one option : Create.
None of the above - mentioned options lead to creating a new main node / folder in the left pane.
Kindly advise.
Thanks.
Reda -
What is the cost of a digital certificate?
Is it free, or is there a cost to get a digital certificate?
I am planning to distribute my application using Webstart JAWS.
thanks,
Anil
thanks for the detailed info! I am checking out CACert. Verisign is $695/yr and Thawte is $150/yr.
Anil
As others have told you can create one yourself, but
I believe if you buy one from Verisign or Thawte
Webstart doesn't pop-up the dialog to accept the
certificate and does it automatically. At least
that's what I understood but I might be mistaken.
Anyway, some links:
- Verisign:
http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html
- Thawte:
http://www.thawte.com/ssl-digital-certificates/code-signing/index.html
- CACert: http://www.cacert.org/ They have free
certificates but I'm not sure they're trusted
automatically by JWS.
N. -
Which digital certificate (SSL) is used when a proxy client is created
Dears,
Could someone please guide if there are more than one digital certificate (SSL) added to the SAP system, and we create a proxy client using the 'URL' (https://....) option, than which digital certificate will be used in the check done.
Thanks.
Reda
The names that go on the certificate must match the names you planned when you did the CAS namespace design.
Some details here: http://blogs.technet.com/b/exchange/archive/2014/02/28/namespace-planning-in-exchange-2013.aspx
So in your case if the cert does not match the name, then this will prompt users with errors. They need to match. As long as all your internal devices trust the issuer of the internal CA then you can use that. Installing an enterprise CA will automatically publish its root CA public cert into AD so it works easily.
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog:
http://blogs.technet.com/rmilne
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
Asa ssh/vnc plugins digital certificates expired
Hi,
we've got our new asa set up now (more or less). But what gets us is that the Cisco ssh/vnc plugins and the java applet for port forwarding all come up with "digital certificate expired". Now this is not going to instill confidence in our users.
We are running 8.0(4)3 and asdm 6.1(3) and the plugins are the latest available from Cisco's software download page
(ssh-plugin.08030, vnc-plugin.080130).
Are newer ones available?
Thanks
Dorothea
BTW this could be of help:
http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp241924
You probably want to install a code signer certificate.
While this seems to be what you're looking for, I have never managed to generate a bundle such that Java doesn't complain at all anymore... -
WebVPN-Problem with Digital Certificate and AAA
Hello everyone,
I have a problem during configuring WebVPN on ASA 5520 using AAA and digital certificate of Microsoft. (MSCEP)
Currently, The WebVPN service is enabled and it worked well with AAA (local or external) only,
But now, I want to use both AAA and Certificate for most secure-I mean that the users will be authenticated 2 times (firstly, it is checked by valid certificate then user/pass is second one).
Here are details:
I tried installing a CA server (Microsoft CA service combined with SCEP) and registering the ASA with the CA server (ASA works as subordinate CA). These steps are OK: the ASA has registered, then the client uses a web browser to request a certificate from the CA, it is issued by the CA administrator, and it is installed in the web browser.
Testing:
The Client tried to test with access SSL VPN, the welcome WEBVPN message prompt user/pass but the message is "Logon Failed" before I give user and pass,
Does anyone know and advise ?
Thanks
Khanh
Hi all,
Here are the attached files for my issue,
Khanh -
A lot of NSS-related jargon is defined on mozilla.org, including the different PKCS standards:
http://mozilla.org/docs/jargon.html#PKCS5
To summarize (and simplify), PKCS #7 is a standard for digital certificates while PKCS #11 is a standard for communicating with cryptographic devices (e.g. SSL hardware accelerators). -
CIDX Adapter Digital Certificates
Guys,
Here is the scenario..
We are getting the HTTPS message from external system to XI.
We are using the CIDX Adapter to read the external message, validate the digital certificates and map to an ORDERS05 IDoc. As soon as I trigger the message from the external system (HTTPS message), I see the message in the XI RWB adapter engine; when the CIDX adapter tries to validate the digital signatures, it is somehow pointing to the J2EE_GUSET user, and it gives the error mentioned below.
ERROR
"Signature verification failed, alerted;Error when accessing keystore:service_ssl
Signature verification failed, alerted
Unexpected error while packing the CIDX message -
null
Message Processing caused Failure. -
BTD handler indicated processing error
Error encountered while receiving inbound action; See nested exception for detailed error message -
Message Processing caused Failure. -
Message Processing caused Failure. -
BTD handler indicated processing error
Delivery of the message to the application using connection CIDXAdapter failed, due to: Error encountered while receiving inbound action; See nested exception for detailed error message. "
Regarding Digital Certificates
We got the digital certificates from my external party and installed and
created the Key stores in XI Visual Administration tool.
We configured in sender agreement by selecting those key stores..
Can anyone help me on how to resolve the issue? Is there any problem in the Visual Admin Tool while installing the certificates?
Thanks
Murali
Message was edited by:
Murali Babu Pallabothula
Hi,
See the below links
HTTP* Errors /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
Also see the below links, which may be useful:
/people/sap.user72/blog/2005/06/16/using-digital-signatures-in-xi
SAP Java Cryptographic Toolkit
http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
http://help.sap.com/saphelp_nw04/helpdata/en/fb/322f41d606ef23e10000000a155106/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/45/341a2176b74002e10000000a155369/frameset.htm
Also see the below threads.
how to deal with digital signatures when converting messages?
Certificates Vs Digital Signatures
Security Issues: SSL on SOAP Adapter and Digital Signature in BPM
message level security: difference digital signature and certificate
Loading Invoice XML IDoc with digital signature via XI into R/3
Regards
CHilla -
Best practices for buying a digital certificate for Exchange 2013
Good day friends,
Could you indicate to me which are the best practices when buying a public digital certificate for use on Exchange Server 2013? I'd be interested in knowing your opinion about using wildcard or SAN certificates. Likewise, what are the best recommendations to include names, and why they should or should not include the internal FQDN of my servers?
Currently I have an infrastructure that has two Mailbox servers, two CAS servers and an EDGE 2010 server, but I'm planning to update it to Exchange 2013. I searched what are the best practices according to Microsoft but have found little information. I would appreciate it if you can post links like Microsoft KBs and other technical documents that discuss the above mentioned.
Thanking your invaluable support.
Greetings.
Hi,
Personal suggestion, we can use two namespaces for your Exchange 2013:
Autodiscover.domain.com (Used for autodiscover service)
Mail.domain.com (used for all Exchange services external and internal URLs)
Please point mail.domain.com and autodiscover.domain.com to your internet facing CAS 2013.
For more information about Digital Certificates and SSL in Exchange 2013, please refer to the
Digital Certificates Best Practices part in the following technet article:
http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
Additionally, here are some other scenarios about certificate planning in Exchange 2013:
http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
Regards,
Winnie Liang
TechNet Community Support -
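The wildcard-versus-SAN question in this thread comes down to which planned names each certificate would actually cover. The following check is an added example, not part of the original posts; `legacy.domain.com`, `domain.com` and `cas01.corp.local` are constructed names, and the matching rule is a conservative reading of RFC 6125 (wildcard only as the whole left-most label, standing for exactly one label).

```python
def san_covers(san_entry, hostname):
    """True if one certificate SAN dNSName covers hostname.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label; partial wildcards are rejected.
    """
    san = san_entry.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in san_entry:
        return san == host
    if san[0] != "*" or any("*" in label for label in san[1:]):
        return False          # partial or non-leftmost wildcard: reject
    if len(san) < 3:
        return False          # "*.com"-style entries are not accepted
    return len(host) == len(san) and host[1:] == san[1:]


def coverage_report(planned_names, candidates):
    """For each candidate certificate, list the planned names left uncovered."""
    report = {}
    for label, san_entries in candidates.items():
        report[label] = [name for name in planned_names
                         if not any(san_covers(s, name) for s in san_entries)]
    return report


# The two namespaces come from the reply above; the other three names are
# constructed to show the cases the question raises (an extra namespace,
# the bare domain, an internal server FQDN).
PLANNED = ["mail.domain.com", "autodiscover.domain.com",
           "legacy.domain.com", "domain.com", "cas01.corp.local"]

CANDIDATES = {
    "san":      ["mail.domain.com", "autodiscover.domain.com"],
    "wildcard": ["*.domain.com"],
}

if __name__ == "__main__":
    for label, missing in coverage_report(PLANNED, CANDIDATES).items():
        print(label, "leaves uncovered:", missing)
```

Neither candidate covers the bare domain or the internal FQDN, so any URL that still points at those names will produce a name-mismatch prompt.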
VPN error when using Microsoft digital certificates.
Hi,
I tried implementing site-to-site VPN between a Cisco router and a Cisco ASA using Microsoft digital certificates. After performing the following configurations, I was not able to ping the other site's LAN. I enabled debug and got the following output. I successfully enrolled the digital certificates.
Cisco ASA config:
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
static (inside,outside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
crypto ca trustpoint winca
enrollment url http://10.1.1.10:80/certsrv/mscep/mscep.dll
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
trust-point winca
On router:
crypto ca trustpoint winca
enrollment mode ra
enrollment url http://1.1.1.10:80/certsrv/mscep/mscep.dll
crypto isakmp policy 19
encr 3des
group 2
authentication rsa-sig
crypto isakmp key cisco address 1.1.1.1
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto ipsec transform-set myset esp-3des esp-sha-hmac
Debug output on ASA
CorpASA# Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from peer table failed, no match!
Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
CorpASA#
CorpASA#
CorpASA# Nov 15 02:13:06 [IKEv1]: Removing peer from peer table failed, no match!
Nov 15 02:13:06 [IKEv1]: Error: Unable to remove PeerTblEntry
Nov 15 02:13:11 [IKEv1]: Removing peer from peer table failed, no match!
Nov 15 02:13:11 [IKEv1]: Error: Unable to remove PeerTblEntry
Debug output on router:
R2#ping 10.1.1.10 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
Nov 15 02:21:01.067: %SYS-5-CONFIG_I: Configured from console by console
Nov 15 02:21:02.651: ISAKMP: received ke message (1/1)
Nov 15 02:21:02.655: ISAKMP (0:0): SA request profile is (NULL)
Nov 15 02:21:02.655: ISAKMP: local port 500, remote port 500
Nov 15 02:21:02.655: ISAKMP: set new node 0 to QM_IDLE
Nov 15 02:21:02.655: ISAKMP: insert sa successfully sa = 64597C20
Nov 15 02:21:02.655: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Nov 15 02:21:02.659: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
Nov 15 02:21:02.659: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-07 ID
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Nov 15 02:21:02.659: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Nov 15 02:21:02.663: ISAKMP (0:1): beginning Main Mode exchange
Nov 15 02:21:02.663: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 15 02:21:02.703: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Nov 15 02:21:02.707: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 15 02:21:02.707: ISAKMP (0:1): processing SA payload. message ID = 0
Nov 15 02:21:02.707: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.707: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Nov 15 02:21:02.711: ISAKMP : Scanning profiles for xauth ...
Nov 15 02:21:02.711: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 19 policy
Nov 15 02:21:02.711: ISAKMP: encryption 3DES-CBC
Nov 15 02:21:02.711: ISAKMP: hash SHA
Nov 15 02:21:02.711: ISAKMP: default group 2
Nov 15 02:21:02.711: ISAKMP: auth RSA sig
Nov 15 02:21:02.711: ISAKMP: life type in seconds
Nov 15 02:21:02.711: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 15 02:21:02.715: ISAKMP (0:1): atts are acceptable. Next payload is 0
Nov 15 02:21:02.771: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.771: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Nov 15 02:21:02.775: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 15 02:21:02.775: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 15 02:21:02.783: ISAKMP (0:1): constructing CERT_REQ for issuer cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
Nov 15 02:21:02.783: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 15 02:21:02.783: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 15 02:21:02.903: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Nov 15 02:21:02.907: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 15 02:21:02.907: ISAKMP (0:1): processing KE payload. message ID = 0
Nov 15 02:21:02.979: ISAKMP (0:1): processing NONCE payload. message ID = 0
Nov 15 02:21:02.987: ISAKMP (0:1): SKEYID state generated
Nov 15 02:21:02.991: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
Nov 15 02:21:02.991: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
Nov 15 02:21:02.995: ISAKMP (0:1): peer want cert issued by cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
Nov 15 02:21:02.995: ISAKMP (0:1): Choosing trustpoint winca as issuer
Nov 15 02:21:02.995: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.995: ISAKMP (0:1): vendor ID is Unity
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID seems Unity/DPD but major 11 mismatch
Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID is XAUTH
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.999: ISAKMP (0:1): speaking to another IOS box!
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:03.003: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch
Nov 15 02:21:03.003: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 15 02:21:03.003: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 15 02:21:03.007: ISAKMP (0:1): Send initial contact
Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
Nov 15 02:21:03.067: ISAKMP (1): Using FQDN as My ID
Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN
Nov 15 02:21:03.067: ISAKMP (0:1): ID payload
next-payload : 6
type : 2
FQDN name : R2.cisco.com
protocol : 17
port : 500
length : 20
Nov 15 02:21:03.067: ISAKMP (1): Total payload length: 20
Nov 15 02:21:03.095: ISAKMP (0:1): constructing CERT payload for hostname=R2.cisco.com
Nov 15 02:21:03.095: ISKAMP: growing send buffer from 1024 to 3072
Nov 15 02:21:03.095: ISAKMP (0:1): using the winca trustpoint's keypair to sign
Nov 15 02:21:03.215: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 15 02:21:03.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 15 02:21:03.375: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.375: ISAKMP: set new node -1205710646 to QM_IDLE
Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 1.1.1.1 to 2.2.2.2...
Success rate is 0 percent (0/5)
R2#
Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:13.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:23.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:32.651: ISAKMP: received ke message (1/1)
Nov 15 02:21:32.651: ISAKMP: set new node 0 to QM_IDLE
Nov 15 02:21:32.651: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:33.219: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:33.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:43.219: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:43.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Please assist me in sorting this issue, I need to implement on my live network.
Thanks a lot in advance.
Regards,
Mohan.D
Hi Mate,
your ASA is sending the ASA certificate:
but after that we are receiving an isakmp notify message which tears down the connection?
somehow the remote peer didn't like the ASA certificate
do you have access to that peer? is it a CISCO ASA?
is the time synchronized with that side?
is the CA certificate installed on that peer?
HTH
Mohammad. -
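To see where the Phase 1 exchange in the router debug above stalls, the state transitions and retransmit counters can be pulled out of the text. This is an added example, not part of the original posts; the input is an excerpt of the debug lines quoted in the question, and the stage descriptions follow the IKEv1 Main Mode message order (1-2 SA, 3-4 KE/nonce, 5-6 identity and authentication).

```python
import re

# Excerpt of the router debug lines quoted in the post above (not new data).
ROUTER_DEBUG = """\
Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN
Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Nov 15 02:21:33.219: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Nov 15 02:21:43.219: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
"""

# Initiator Main Mode states as printed by the debug, mapped to the IKEv1
# message each one corresponds to.
STAGES = {
    "IKE_READY": "idle, no exchange started",
    "IKE_I_MM1": "message 1 sent (SA proposal)",
    "IKE_I_MM2": "message 2 received (policy accepted)",
    "IKE_I_MM3": "message 3 sent (KE, nonce, CERT_REQ)",
    "IKE_I_MM4": "message 4 received (KE, nonce)",
    "IKE_I_MM5": "message 5 sent (ID, CERT, signature)",
    "IKE_I_MM6": "message 6 received (peer ID and auth)",
}

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
ID_TYPE_RE = re.compile(r"authentication using id type (\S+)")
ID_FALLBACK = "Addr not in Cert"


def analyze(debug_text):
    """Summarise one Phase 1 attempt from ISAKMP debug text."""
    summary = {"last_state": None, "id_type": None,
               "id_fallback": False, "retransmits": 0}
    for line in debug_text.splitlines():
        state = STATE_RE.search(line)
        if state:
            summary["last_state"] = state.group(2)
        retry = RETRY_RE.search(line)
        if retry:
            summary["retransmits"] = max(summary["retransmits"],
                                         int(retry.group(1)))
        id_type = ID_TYPE_RE.search(line)
        if id_type:
            summary["id_type"] = id_type.group(1)
        if ID_FALLBACK in line:
            summary["id_fallback"] = True
    return summary


def findings(summary):
    """Turn the summary into points to check on the peer."""
    state = summary["last_state"]
    notes = ["stopped at %s: %s" % (state, STAGES.get(state, "unknown state"))]
    if state == "IKE_I_MM5" and summary["retransmits"]:
        notes.append("message 5 retransmitted %d time(s) and no message 6 was "
                     "accepted, so authentication of the ID/certificate did "
                     "not complete" % summary["retransmits"])
    if summary["id_fallback"]:
        notes.append("local ID fell back to %s because the configured address "
                     "is not in the certificate; confirm the peer matches on "
                     "that ID" % summary["id_type"])
    return notes


if __name__ == "__main__":
    for note in findings(analyze(ROUTER_DEBUG)):
        print("-", note)
```

On this excerpt the exchange gets through policy negotiation and key exchange and stops at message 5, which narrows the problem to the identity and certificate checks the reply asks about (clock, CA certificate on the peer).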
SSL implementation - Certificate Authority
Hi,
We are planning to implement SSL in the portal using digital certificate. Version of portal is EP7 SP11(2004s). We are planning to have a clustered environment. Please let me know which all certificates are supported by portal and how many certificate licence we need in this scenario?
regards,
Sujesh
Hi,
1) Login to the visual administrator using admin userid and pwd
2) Goto server >services>keystore
3) Select the service_ssl and create new entry with name ssl_credentials
Click on create button and generated one new entry with name: ssl_credentials
4) After generating new entry ssl_credentials (private key) and ssl_credentials.cert (certificate) will be created.
now select the new entry and click on generate CSR request button and send the certificate to Verisign. they will send u response to ur CSR request. Now save this in .crt ext and goto VA and select the new entry again and click on import CSR.
5) Select the Trusted CAs and click on import from other button
6) Select the service_ssl from the Select view option and select the ssl_credentials (privatekey) which is created in step 3. and click on Ok
7) ssl-credentials will be added into the Trusted CAs
8)Goto SSL provider and select the dispatcher
9)Select the new sockets radio button and select server identity tab and click on Add button.
10) Select the (new entry created just now) ssl-credential and click on ok.
11) Add the same for Active sockets and reboot the sun 128 dispatcher.
Result: Https is working for sun 128 server . -
"Choose a digital certificate" pop up when save Excel spreadsheet in IE
One reporting page in our SSL application will generate an Excel spreadsheet. User will be prompted to either Save it to harddrive or Open it within the IE.
If user chooses to Open it inside IE, then go "File --> Save as", this "Choose a digital certificate" dialog box will pop up, but there's nothing to choose. User has to click on OK/Cancel for about 12 times before it actually allows user the save...
To create this spreadsheet from the jsp page I have used
<%@ page language="java" contentType="application/vnd.ms-excel; charset=ISO-8859-1"
pageEncoding="ISO-8859-1" %>
I don't think this has nothing to do with Excel.
Go to Tools - Internet Options - Security Tab and click on the "Custom Level" button. Then find the option: "Don't prompt for client certificate selection when no certificate or only one certificate exists" and set it to "enable" -
Applying Digital certificates on EP 7
Hi SDN,
Currently we are running EP 7 in which we have applied SSL. We want to apply digital certificates for the transaction happening between the end user and the portal. Kindly share SAP document to implement the same.
Let me know if digital certificates can be applied on a user specific mode...
Thanks & Regards,
p188071.
Edited by: p188071 on Apr 1, 2009 7:44 AM
Hello Amit,
The portal runs on the J2EE Engine, so you have to configure the use of client certificates there. There is a step-by-step procedure in the documentation. See: http://help.sap.com/saphelp_nw70/helpdata/en/62/881e3e3986f701e10000000a114084/frameset.htm
If you have questions, just let us know.
Greetings,
Elizabeth Winker -
Fraudulent digital certificates issued for high-value websites, iOS patch ?
http://www.zdnet.com/blog/security/microsoft-warns-fraudulent-digital-certificates-issued-for-high-value-websites/8488?tag=nl.e589
http://www.h-online.com/security/news/item/SSL-meltdown-forces-browser-developers-to-update-1213358.html
this obviously means that iOS could be vulnerable. Mozilla has patched Firefox (all versions), MS just pushed an update, Google patched Chrome already a few days ago, how about Safari and iOS?
edit: does iOS use OCSP validation?
I see Safari desktop supports OCSP checking - if manually activated - but does Safari mobile too? As there's hardly any setting available for Safari on idevices it's hard to know...
-
Coldfusion secure FTP & digital certificates
Hello !
I am currently in the process of developing a corporate CF intranet site that is behind a corporate firewall and part of the application will need to send a data file (FTP put) to a remote FTP server using secured FTP (FTPS). I have never used Coldfusion before for either secured or unsecured FTP. I am planning on using the CFFTP tag to open the connection and send the data file but I have a number of other questions regarding the use & installation of the digital certificates:
Current development environment setup:
CF version 9 standard edition running on Windows Server 2008 R2
Microsoft IIS 7
Current production environment setup:
CF version 9 enterprise edition running on Windows Server 2008 R2
Microsoft IIS 7
1. The data file that is being created must be sent to a financial institution and they will be providing a digital certificate (p12 format) to me. What do I do with that certificate once I get it? I have installed SSL certificates before on http web sites with IIS without any issues but I am not sure what to do with the certificate for secured FTP. Do I import the certificate into IIS using the MMC snap-in or does the certificate need to be integrated into Coldfusion in some other way and if so, what needs to be done?
2. What other steps need to be done prior to being able to use the CFFTP tag for a secured FTP send?
I would appreciate as much help as possible as I haven't used CF for FTP before.
Thank you.
Dave,
Thank you for answering.
1. I have imported the certificate into the cacerts file by using the following command:
keytool -import -keystore ../lib/security/cacerts -alias x -file c:\downloads\y
where x was the alias name I assigned and y was the certificate name (extension of 'der').
I tried importing a p12 and p7b certificate but neither of those worked. I received the message 'Not a valid X.509 Certificate' from the command. I then successfully imported a Base64 certificate (der). I believe the certificate has been successfully imported because I ran the following and it shows the MD5 fingerprint:
keytool -list -alias x -keystore ../lib/security/cacerts
where x is my alias name I assigned in the original import
2. I then ran the following CFM command replacing the '*'s with the appropriate server name, user name, and password
<cfftp action="open" connection="conn1" secure="yes" server="********" username="******" password="*****" port="21">
</cfftp>
I am getting the CF error
An error occurred while establishing an sFTP connection.
Verify your connection attributes: username, password, server, fingerprint, port, key, connection, proxyServer, and secure (as applicable). Error: User Authentication failed.
Any suggestions or help would be appreciated.
Thank you.