ASA-SSM-10 with IME: certificate expiration
ASDM and IDM work fine with my SSM. I'm attempting to add my SSM as a new device into (just installed) IME 7.0.1. Dialog box says:
IOException when try to get certificate: java.security.cert.CertificateExpired Exception: NotAfter: Tue Jul 28 04:44:51 EDT 2009
What is the issue here, and how do I fix it?
Thanks in advance,
-- Bill
Found answer to this, via Cisco Service Request. Used CLI on AIP-SSM:
sensor# tls generate-key
Then I refreshed sensor details in IME, tried adding a new device and all worked fine. IME has the AIP-SSM reporting I was after, so - good deal.
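One way to catch this before IME or IDM refuses the sensor, as an added example (not part of the original thread and not a Cisco tool): it scans saved sensor CLI output for the "Host Certificate Valid from: ... to ..." line, in the format that appears in sensor output elsewhere on this page, and flags certificates that are expired or close to expiry so "tls generate-key" can be scheduled. The sensor names, sample text, function names and the 30-day warning threshold are assumptions made for illustration.

```python
import re
from datetime import date

# Month lookup kept explicit so parsing does not depend on the host locale.
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

DATE = r"(\d{1,2})-([A-Za-z]{3})-(\d{4})"
CERT_LINE = re.compile(
    r"Host Certificate Valid from:\s*" + DATE + r"\s+to\s+" + DATE)


def parse_date(day, month, year):
    """Convert the sensor's DD-Mon-YYYY fields to a date."""
    return date(int(year), MONTHS[month.capitalize()], int(day))


def cert_status(cli_text, today, warn_days=30):
    """Classify one sensor's host certificate from saved CLI output.

    Returns (status, days_left); days_left is None when the validity
    line is missing or cannot be parsed.
    """
    match = CERT_LINE.search(cli_text)
    if match is None:
        return ("unknown", None)
    fields = match.groups()
    try:
        not_before = parse_date(*fields[:3])
        not_after = parse_date(*fields[3:])
    except (KeyError, ValueError):      # bad month name or impossible day
        return ("unknown", None)
    days_left = (not_after - today).days
    if today < not_before:
        return ("not-yet-valid", days_left)
    if days_left < 0:
        return ("expired", days_left)
    if days_left <= warn_days:
        return ("expiring", days_left)
    return ("ok", days_left)


def audit(outputs, today, warn_days=30):
    """Return [(sensor, (status, days_left)), ...] with the worst first."""
    rank = {"expired": 0, "not-yet-valid": 1, "expiring": 2,
            "unknown": 3, "ok": 4}
    results = {name: cert_status(text, today, warn_days)
               for name, text in outputs.items()}
    return sorted(results.items(), key=lambda kv: (rank[kv[1][0]], kv[0]))


# Constructed sample output; sensor names and "valid from" dates are made up.
SAMPLE = {
    "sensor-a": "Platform: ASA-SSM-10\n"
                "Host Certificate Valid from: 17-Nov-2008 to 18-Nov-2010\n",
    "sensor-b": "Platform: ASA-SSM-10\n"
                "Host Certificate Valid from: 28-Jul-2007 to 28-Jul-2009\n",
    "sensor-c": "Platform: ASA-SSM-10\n",   # validity line missing
}

if __name__ == "__main__":
    for name, (status, days) in audit(SAMPLE, date(2010, 11, 1)):
        print(f"{name}: {status} (days left: {days})")
```

After the key is regenerated, each management station has to accept the sensor's new certificate before it can connect again.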
Similar Messages
-
Asa ssh/vnc plugins digital certificates expired
Hi,
we've got our new asa set up now (more or less). But what gets us is that the Cisco ssh/vnc plugins and the java applet for port forwarding all come up with "digital certificate expired". Now this is not going to instill confidence in our users.
We are running 8.0(4)3 and asdm 6.1(3) and the plugins are the latest available from Cisco's software download page
(ssh-plugin.08030, vnc-plugin.080130).
Are newer ones available?
Thanks
Dorothea
BTW this could be of help:
http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp241924
You probably want to install a code signer certificate.
While this seems to be what you're looking for, I have never managed to generate a bundle such that Java doesn't complain at all anymore...
-
Problems with auto-enroll with the certificate expiration
Hello,
We have routers that work with certificates. We have problems with auto-enroll when the certificates are about to expire.
Can somebody help?
I can send more debugs or configurations.
We attach a debug.
Many thanks
Hello,
I attach the debug.
Many thanks
-
My program starts up with an expired certificate.
My application (RMISSLSecuritySocket) starts up with an expired certificate.
Why?
Hello,
Maybe the explanation is here:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57436-1
I have a question too:
I'm a long-time Java developer, but I am just starting to work on Java mobility and I don't know how to sign an application.
I use an APDU connection to communicate with the SIM card. I open the application successfully with the card slot, but when I try to enter the PIN or operator PIN with "exchange command" I get a security exception.
After long research I concluded that the MIDlet must be signed, but I don't know how to proceed.
Must I buy a signing digital ID from "VeriSign", or are there other ways to do this?
Thanks
-
License Expire on ASA Platform: ASA-SSM-20
Dear Sir/Madam,
Currently I have a Cisco ASA 5520 (Platform: ASA-SSM-20) and the license expires next month.
Could you let me know the P/N I should order to renew it?
Best Regards,
Rechard.
Have you renewed your IPS license yet? Not sure what question you are asking; however, you can renew your IPS smartnet through your vendor or directly with Cisco. You just need to provide your contract number or the serial number of your IPS device. While you are in the process of renewing your contract, you can get a temporary license from Cisco:
https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y
Let us know if you still need any assistance with this.
-
2008 R2 single tier enterprise certificate authority with root certificate expiring within 6 weeks, also domain controller
2012 R2 single tier enterprise certificate authority with root certificate valid for more than the next year, also domain controller
Both servers are approved as certificate authorities for the domain and can issue computer certificates using the computer certificate template. There is a group policy object applied to all workstations that contains an automatic computer certificate request, but the actual "certificate services client auto-enrollment" element is "not configured". This process seems to work like a round robin in that computers with no certificate can wind up with a certificate from either certificate authority. I need all PCs to have both certs for a DirectAccess migration. I have successfully used SCCM to ensure all PCs have both certificates using compliance rules and a script using certreq.exe.
A machine will keep both certs until the older computer certificate moves into the 6 week window of expiration, then it gets purged. I have observed this behavior for over a month, even when the CA root certificate wasn't so close to expiring. I can't figure out what setting is triggering the purge, but need to stop it. Maybe it's coming from default settings in local machine policy for an element that should be disabled in the group policy object supplying the automatic certificate request?
The worst part of this issue is that I can't recreate the purging behavior with gpupdates or restarts on my test machines.
You should not be using Automatic Certificate Request Service (ACRS) for this - it was designed for Windows 2000 and is generally deprecated. Secondly, the reason it is acting like a round-robin as you describe it, is that templates are generally configured to attempt to renew within 6 weeks of their expiration. Since the 2008 R2 CA is expiring within 6 weeks, it can't issue anything longer than its own remaining lifetime. It is a well known issue that issuing a certificate within the renewal period will cause problems.
What you should do is use AutoEnrollment and issue a certificate with a very small renewal period (1 week perhaps) by creating a custom V2 template and issuing that from your 2008 R2 CA. Then on the 2012 R2 CA you will need ANOTHER template, as the computer will only enroll for a certificate from each template. This one can be configured with a normal lifetime and renewal period.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
-
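The renewal-window reasoning in the ADCS answer above, worked through as an added example (not part of the thread and not Microsoft's code). It is a simplified model of only the rule stated in that answer: the CA cannot issue past its own expiry, and the client starts renewing once the template's renewal period or less remains. All dates, names and template values are constructed.

```python
from datetime import datetime, timedelta


def issue(now, ca_not_after, validity, renewal_period):
    """Model one issuance from a CA whose own certificate ends at ca_not_after.

    Assumption: the issued certificate's NotAfter is truncated to the CA's
    NotAfter, and renewal begins renewal_period before the certificate ends.
    """
    not_after = min(now + validity, ca_not_after)
    renew_from = not_after - renewal_period
    return {
        "not_after": not_after,
        "renew_from": renew_from,
        "lifetime_days": (not_after - now).days,
        # True means the certificate is already due for renewal when issued.
        "born_in_renewal_window": renew_from <= now,
    }


def renewal_window_cutoff(ca_not_after, validity, renewal_period):
    """Instant from which every certificate this CA issues from the template
    is born inside its renewal window. None if the template can never work
    (renewal period not shorter than validity)."""
    if renewal_period >= validity:
        return None
    return ca_not_after - renewal_period


# Constructed scenario matching the thread: an old CA with 5 weeks left and
# a new CA with years left.
NOW = datetime(2015, 3, 1)
OLD_CA_EXPIRY = NOW + timedelta(weeks=5)
NEW_CA_EXPIRY = NOW + timedelta(days=3 * 365)
ONE_YEAR = timedelta(days=365)


def scenarios():
    """Compare the default-style template with the short-renewal template."""
    return {
        "old CA, 6-week renewal": issue(NOW, OLD_CA_EXPIRY, ONE_YEAR,
                                        timedelta(weeks=6)),
        "old CA, 1-week renewal": issue(NOW, OLD_CA_EXPIRY, ONE_YEAR,
                                        timedelta(weeks=1)),
        "new CA, 6-week renewal": issue(NOW, NEW_CA_EXPIRY, ONE_YEAR,
                                        timedelta(weeks=6)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result["lifetime_days"], "days,",
              "born in renewal window:", result["born_in_renewal_window"])
```

In this model the 1-week template only helps while the old CA has more than one week left; from that cutoff on, its certificates are again issued inside the renewal window.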
FNPLicensingService.exe associated with Acrobat 9 Standard - unverified ... certificate expired
Why is this?
Thanks. That worked! Back in the sunshine again
The message is as seen below : "signature is timestamped but TS has expired"
I am assuming this is the right message. If not, do respond.
-
SSL Re-encryption with Portal and Web Dispatcher: certificate expired
Hello,
I am trying to set up HTTPS connection to the Portal through SAP Web Dispatcher. We are using SSL Re-encryption. I think I got everything set up correctly. When trying to access through a Web browser the web dispatcher trace file shows error message 'certificate expired'. Looking at the Portal (Visual admin - Keystore) I am pretty sure it is the service-ssl with localhost. It is expired. Two questions:
- is it correct that it uses localhost or am I missing anything?
- How would I recreate the certificate? (I am sure it is somewhere in the Online documentation, but haven't found it yet). Can I do this while the Portal is productive without breaking the normal access (http) to the Portal. This is our Production portal.
Thanks,
Ingrid
Hi,
Go through the contents of SAP Note
685306 - Enabling SSL and renewing the J2EE certificate
and also the help contents in
http://help.sap.com/saphelp_nw04/helpdata/en/65/6a563cef658a06e10000000a11405a/content.htm
These might be of some help to you!
Regards
Srinivasan T
-
Preordering game with reward certificate set to expire
Hello,
Thanks for all the help with the other questions so far. I have a reward certificate that is set to expire. Am I allowed to apply that certificate to a pre-order even though the game releases after the certificate expires?
Thank you
Hey again Kyle5575,
Good question! When placing an order on BestBuy.com, funds aren't normally collected until the requested items have been shipped or picked up at one of our U.S. retail stores. Any portion of the order total paid for using gift cards or reward certificates, however, is collected when the order is submitted. These payment types do not follow the same authorization process as traditional debit or credit cards and are instantly redeemed when used.
In other words: no need to worry! Your certificate will be automatically applied to your order as soon as it's been placed.
Let me know if you have any other questions.
Aaron | Social Media Specialist | Best Buy® Corporate
-
Failed auto update on ASA-SSM-20 The host is not trusted. Add the host to the system's trusted TLS certificates.
errorMessage: WebSession::sessionTask TLS connection exception: handshake incomplete.
Messages, like this one, in the category - TLS connection failure - were logged 1464 times in the last 21461 seconds. name=errTransportSam,
See the other post in the list talking about your problem, "host not trusted".
I had the same problem and the fix was to upgrade the IPS to 7.1(9)E4.
Mike
-
Portal Certificate Expired with NO VA running!!!
Hi All,
I have an issue with Portal certificate expiration, because of which SSO is not working b/w Portal and R3.
As we are working on Solaris, I need to re-generate the Keystore Certificate via Visual Admin, but WHAT!!!
I am not able to run it; it says that JAVA_HOME needs to be set.
Done (set), but I am still not able to see the VA screen. Tried through root and SIDADM (recommended) also, but couldn't... which is turning my head 360 degrees.
I request you all to share your good experiences through which I may be able to resolve the issue, which has been pending for the past 2 days with no progress since...
And I guess there is no way to extend the validity of the certificate without VA. OR is there any????
Thanks
Piyush
Hi Anil,
I got
/usr/java
We ran the command "./go" to start Visual Admin, which in turn shows the error below:
4/7/10 12:09 PM com.sap.engine.tools.launcher.Launcher Error : console output stream will not be logged into a file; there was an error opening the log file
java.io.FileNotFoundException: /usr/sap/EPD/JC01/j2ee/admin/log/console_logs/output.log (Permission denied)
at java.io.FileOutputStream.open(Native Method)
at java.io.FileOutputStream.<init>(FileOutputStream.java:179)
at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
at com.sap.engine.tools.launcher.Launcher.initLogs(Launcher.java:636)
at com.sap.engine.tools.launcher.Launcher.init(Launcher.java:198)
at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:113)
4/7/10 12:09 PM com.sap.engine.tools.launcher.Launcher Error : unable to invoke main class com.sap.engine.services.adminadapter.gui.AdminFrameView
Exception in thread "main" com.sap.engine.tools.launcher.LauncherException
at com.sap.engine.tools.launcher.Launcher.launch(Launcher.java:340)
at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:114)
caused by -
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.sap.engine.tools.launcher.Launcher.launch(Launcher.java:336)
at com.sap.engine.tools.launcher.Launcher.main(Launcher.java:114)
Caused by: java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
at sun.awt.X11GraphicsEnvironment.<clinit>(X11GraphicsEnvironment.java:134)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:141)
at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment.java:62)
at java.awt.Window.init(Window.java:231)
at java.awt.Window.<init>(Window.java:275)
at java.awt.Frame.<init>(Frame.java:401)
at java.awt.Frame.<init>(Frame.java:366)
at javax.swing.SwingUtilities$1.<init>(SwingUtilities.java:1641)
at javax.swing.SwingUtilities.getSharedOwnerFrame(SwingUtilities.java:1637)
at javax.swing.JWindow.<init>(JWindow.java:160)
at javax.swing.JWindow.<init>(JWindow.java:112)
at com.sap.engine.services.adminadapter.gui.AboutWindow.<init>(AboutWindow.java:12)
at com.sap.engine.services.adminadapter.gui.AdminFrameView.main(AdminFrameView.java:234)
... 6 more
Regards
Piyush
-
How to do a factory reset ASA-SSM-10?
Hi.
I forgot the user for managing an IPS SSM-10. When I follow the procedure to reset the password for the cisco user, I can get into the module, I change the password and everything is OK, but when I try to configure it I don't have rights to do anything.
If I look at the privileges for the user cisco, this is the result:
EDGE-IPS2# sh user
CLI ID User Privilege
* 4143 cisco viewer
Application Partition:
Cisco Intrusion Prevention System, Version 6.1(1)E2
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S364.0 2008-10-24
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: JAF1208BNPP
License expired: 20-Jun-2009 UTC
Sensor up-time is 1:09.
Using 657850368 out of 1032495104 bytes of available memory (63% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 41.5M out of 166.8M bytes of available disk space (26% usage)
boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
MainApp M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500 Running
AnalysisEngine ME-2008_JUN_05_18_26 (Release) 2008-06-05T18:55:02-0500 Running
CLI M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500
Upgrade History:
* IPS-K9-6.1-1-E2 22:40:50 UTC Tue Feb 26 2013
IPS-sig-S364-req-E2.pkg 18:43:20 UTC Wed Nov 12 2008
Recovery Partition Version 1.1 - 6.1(1)E2
Host Certificate Valid from: 17-Nov-2008 to 18-Nov-2010
What can i do in this case?
IPS Info
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Serial Number: JAF1208BNPP
Firmware version: 1.0(11)4
Software version: 6.1(1)E2
MAC Address Range: 001e.f710.5b6c to 001e.f710.5b6c
App. name: IPS
App. Status: Up
App. Status Desc:
App. version: 6.1(1)E2
Data plane Status: Up
Status: Up
Mgmt IP addr: X.X.X.X
Mgmt web ports: 443
Mgmt TLS enabled:
The process will normally use the following command:
hw-module module 1 password-reset
It will reload the ASA and when logging back in the "Cisco" username will have admin rights.
If this is not your case, a re-image of the unit will be the next step; keep in mind that this will remove all the custom config.
-
ErrSystemError-ct-sensorApp.463 not responding on ASA-SSM-10
Hello,
I got following error message when login into IPS over IDM, after error is displayed IDM is closing.
errSystemError-ct-sensorApp.463 not responding, please check system processes
- The connect to the specified Io::ClientPipe failed.
SSH login works, when using CLI following health statistics are available:
sensor# show health
Overall Health Status Red
Health Status for Failed Applications Red
Health Status for Signature Updates Yellow
Health Status for License Key Expiration Green
Health Status for Running in Bypass Mode Red
Health Status for Interfaces Being Down Green
Health Status for the Inspection Load Green
Health Status for the Time Since Last Event Retrieval Green
Health Status for the Number of Missed Packets Green
Health Status for the Memory Usage Not Enabled
Health Status for Global Correlation Green
Health Status for Network Participation Not Enabled
Security Status for Virtual Sensor sensor-int Green
Security Status for Virtual Sensor vs0 Green
Do you have any idea why IPS crashed ?
ASA-SSM-10 is installed into ASA 5510.
Hello,
I have had the same problem for several days. I found the following workaround in our environment. It has been working for 5 hours.
Hope it helps.
Regards.
IDSM-2 Sensor Module - errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
Symptom:
When attempting to access an IDSM-2 sensor via its GUI (IDM) or via IME (IPS Manager Express), an error such as the following is encountered:
"errSystemError -ct-sensorApp.XXX not responding, please check system processes - The connect to the specified Io::ClientPipe failed."
Additionally, review of the 'show version' command output indicates the AnalysisEngine (sensorApp process) to be "Not Running".
Conditions:
IDSM-2 sensor module running 7.0(x) software release. Global Correlation Inspection feature enabled (On). A 'show tech' command output includes a sensorApp process core containing lines similar to the following:
cat /usr/cids/idsRoot/core/sensorApp/core.txt
/usr/cids/idsRoot/bin/sensorApp(_ZN3Cid3Rep9RepIpData13ApplyIpUpdateEPKcPNS0_8RepScoreE+)
Solution:
This problem is tracked as defect CSCti79423. It can be encountered on the IDSM-2 platform when a Global Correlation Update occurs. A fix for this is currently planned for inclusion in the next 7.0 release (7.0(6)).
In the interim, the only workaround to ensure that the sensor does not re-encounter this defect is to disable Global Correlation Inspection (Updates) as such:
sensor# conf t
sensor(config)# service global-correlation
sensor(config-glo)# global-correlation-inspection off
sensor(config-glo)# exit
Apply Changes?[yes]: yes
After making the above configuration change, a reboot of the affected IDSM-2 sensor module should restore it to service:
sensor# reset
-
Need assistance to configure ASA-SSM-10
Hello All,
Can someone assist me with setting up the IPS ASA-SSM-10 module in an ASA 5520 firewall? I have just licensed the box. It would be great if someone could help me with relevant videos/docs to configure the SSM module to enable all the required IPS features for the box to run. I am running ASDM 6.4, and if anyone has the configs to enable them via ASDM/CLI, whichever is feasible is fine. Kindly assist. Below are the module details.
ASA 5500 Series Security Services Module-10
Model: ASA-SSM-10
Hardware version: 1.0
Firmware version: 1.0(11)5
Software version: 7.1(8)E4
App. name: IPS
App. Status: Up
App. Status Desc: Normal Operation
App. version: 7.1(8)E4
Data plane Status: Up
Status: Up
Regards,
Karthik
Do you need the syslogs to be sent or the Events.
IPS sensors do not support syslog forwarding. Syslog is fairly
restrictive in size of messages and is not secure or reliable.
sensor does support sending of events using SNMP
(again with the same sets of restrictions: not full data, clear text,
not reliable).
There is a physical ability to send events as traps. It isn't
recommended for many reasons (or lets say it isn't recommended in the
same way that monitoring using SDEE is). SNMP trap receivers generally
aren't built to handle, say 200 events per second per device. The
sensor isn't capable of sending at the same event rate as it is with
SDEE. The traps are in clear text and are not reliably sent. They
don't contain the same amount of info as an SDEE event, and can't.
If you need the events to be sent to a database you can run cisco IME which can collect all the events generated by the IPS.
Hope this helps.
Sachin
-
Configure ASA-SSM-10 for Syslog
How to configure syslog on the following IPS module ?
I need to send logs from this sensor
Platform: ASA-SSM-10
Build Version: 7.0(4)E4
Os Version: 2.4.30-IDS-smp-bigphys
Can anybody advise me on this.
Regards,
Rohit
Do you need the syslogs to be sent or the Events.
IPS sensors do not support syslog forwarding. Syslog is fairly
restrictive in size of messages and is not secure or reliable.
sensor does support sending of events using SNMP
(again with the same sets of restrictions: not full data, clear text,
not reliable).
There is a physical ability to send events as traps. It isn't
recommended for many reasons (or lets say it isn't recommended in the
same way that monitoring using SDEE is). SNMP trap receivers generally
aren't built to handle, say 200 events per second per device. The
sensor isn't capable of sending at the same event rate as it is with
SDEE. The traps are in clear text and are not reliably sent. They
don't contain the same amount of info as an SDEE event, and can't.
If you need the events to be sent to a database you can run cisco IME which can collect all the events generated by the IPS.
Hope this helps.
Sachin