Certificate renewed, clients offered expired cert

Renewed our cert with GoDaddy, went into Server Admin and added the new one per instructions. Removed old cert and checked that all services are now using the new one.  So far, so good.
Here's the fun part - the server is showing a two-year-old expired cert to OD users.  This manifests itself as a dialog when launching iCal: "iCal can't verify the identity of the server example.com"
I seem to recall stumbling across a post somewhere regarding OD / LDAP where there were a few terminal commands required to complete the cert update.
Any clues?
Thanks!

UPDATE:
It appears to be some kind of Apache / Apache2 problem....  still digging.
Oddly, /etc/certificates now contains another group of 4 .pem files, which are directly referenced by servermgr_web_apache2_config.plist
These files were not here yesterday, and based on their date stamp, these are the expired cert files.  I cannot assign the new cert in Server Admin, and I cannot edit the .plist manually.  More precisely, I can edit the plist, but something keeps re-writing the old value back into the file.  Server Admin will let me select the new cert, but when I attempt to save the change, I get this error:
More to come, I'm sure.
;o)

Similar Messages

  • SSL certificates renewal

    Hello,
    We have two loadbalanced messaging servers and SSL enabled for POP3/IMAP and SMTP. Our certificates are about to expire and need a renewal. I haven't found a renewal procedure in the official Sun documentation for this particular case. As far as I have learned, the CSR needs to be generated again (from one of the two physical servers) for both the popimap and Server-Cert certificates. Only two certificates are needed (popimap and Server-Cert) and not a certificate per physical server. The new certificates should be imported to one of the servers and the certificate database copied to the other one (with -A option to the certutil command). Could you please confirm this? Please advise.
    Thank you and
    BR,
    Senka

    senka wrote:
    > We have two loadbalanced messaging servers and SSL enabled for POP3/IMAP and SMTP.
    What version of Messaging Server are you running (./imsimta version)?
    > Our certificates are about to expire and need a renewal. I haven't found a renewal procedure in the official Sun documentation for this particular case.
    > As far as I have learned, the CSR needs to be generated again (from one of the two physical servers) for both the popimap and Server-Cert certificates.
    Why are you using two certificates?
    > Only two certificates are needed (popimap and Server-Cert) and not a certificate per physical server.
    A certificate is needed for each "host" that the client will see. So if the client connects to "mail.mydomain.com", which translates to the load-balanced front-end IP address, then you will need a certificate for "mail.mydomain.com".
    > The new certificates should be imported to one of the servers and the certificate database copied to the other one.
    I suggest you use the same process to keep the certificate database files in sync that you used to install the certificates in the first place.
    Regards,
    Shane.

  • Cisco ISE Admin and EAP certificate renewal

    Hi board,
    maybe I'm asking a rather dumb question here, but anyway :)
    I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
    Here's the thing I do, when I initially install an ISE node
    1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
    2.) Sign CSR and bind certificate on ISE node - done
    Now after 10 months or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
    CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
    So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and, more importantly, non-disruptive way of doing this.
    How do you guys do this in your deployments?
    Thanks in advance and sorry again if this is a silly question.
    Johannes

    You can install a new certificate on the ISE before it is active. Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.
    Certificate Renewal on Cisco Identity Services Engine Configuration Guide
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

  • Saml2 error validateArtifactRequester: certificate from client is null

    Hi,
    I got this error: ArtifactResolutionService.validateArtifactRequester: certificate from client is null, authentication is failed.
    If you look at the log, you can see that the handshaking between assertion and identity works, but somehow the assertion refuses the response of the identity.
    assertion provider
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Filter: Processing request on URI '/appB/faces/aut/restricted.jspx'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): request URI is '/appB/faces/aut/restricted.jspx'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): request URI is not a service URI>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): returning service type 'SPinitiator'>
    ####<12-sep-2009 17:30:24 uur CEST><SP initiating authn request: processing>
    ####<12-sep-2009 17:30:24 uur CEST><SP initiating authn request: partner id is null>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore Checking if the Keystore file was modified>
    ####<12-sep-2009 17:30:24 uur CEST><SP initiating authn request: use partner binding HTTP/Artifact>
    ####<12-sep-2009 17:30:24 uur CEST><store saml object org.opensaml.saml2.core.impl.AuthnRequestImpl@168c85b, BASE64 encoded artifact is AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH/NaPWjnhgmqYEpXMWX2STBHg=>
    ####<12-sep-2009 17:30:24 uur CEST><post artifact: false>
    ####<12-sep-2009 17:30:24 uur CEST><local ARS binding location: http://laptopedwin.wh.lan:8001/saml2/idp/sso/artifact>
    ####<12-sep-2009 17:30:24 uur CEST><post form template url: null>
    ####<12-sep-2009 17:30:24 uur CEST><URL encoded artifact: AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH%2FNaPWjnhgmqYEpXMWX2STBHg%3D>
    ####<12-sep-2009 17:30:24 uur CEST><URL encoded relay state: null>
    ####<12-sep-2009 17:30:24 uur CEST><artifact is sent in http url:http://laptopedwin.wh.lan:8001/saml2/idp/sso/artifact?SAMLart=AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH%2FNaPWjnhgmqYEpXMWX2STBHg%3D>
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: Processing request on URI '/saml2/sp/ars/soap'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): request URI is '/saml2/sp/ars/soap'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): service URI is '/sp/ars/soap'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): returning service type 'ARS'>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolutionService.process: get SoapHttpBindingReceiver as receiver and SoapHttpBindingSender as sender.>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolutionService.validateArtifactRequester: certificate from client is null, authentication is failed.>
    ####<12-sep-2009 17:30:24 uur CEST> <Warning> <Security> <LAPTOPEDWIN> <DefaultServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1252769424812> <BEA-000000> <[Security:096565]Artifact requester authentication failed.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapHttpBindingSender.sendResponse: Set HTTP headers to prevent HTTP proxies cache SAML protocol messages.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapHttpBindingSender.send: the SOAP envelope to be sent is :
    >
    ####<12-sep-2009 17:30:24 uur CEST> <<?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xf34d9596cf9f8d37715fdf3529266b40" InResponseTo="_0xe219b059e77568bc835736caa94d6855" IssueInstant="2009-09-12T15:30:24.812Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">jdev_wls</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096565]Artifact requester authentication failed.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse></soap11:Body></soap11:Envelope>>
    ####<12-sep-2009 17:35:24 uur CEST> <authn_request - item: _0x9061f430c89cd074398250c710c83045 expired.>
    identity provider
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: Initialized logger service>
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: Initialized SAML2 service>
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: setConfigKey called with key 'default'>
    ####<12-sep-2009 17:30:24 uur CEST><SAML2Servlet: Processing request on URI '/saml2/idp/sso/artifact'>
    ####<12-sep-2009 17:30:24 uur CEST><Redirect URI cache updated.>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore Checking if the Keystore file was modified>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): request URI is '/saml2/idp/sso/artifact'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): service URI is '/idp/sso/artifact'>
    ####<12-sep-2009 17:30:24 uur CEST><getServiceTypeFromURI(): returning service type 'SSO'>
    ####<12-sep-2009 17:30:24 uur CEST><Request URI: /saml2/idp/sso/artifact>
    ####<12-sep-2009 17:30:24 uur CEST><Method: GET>
    ####<12-sep-2009 17:30:24 uur CEST><Query string: SAMLart=AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH%2FNaPWjnhgmqYEpXMWX2STBHg%3D>
    ####<12-sep-2009 17:30:24 uur CEST><     Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*>
    ####<12-sep-2009 17:30:24 uur CEST><     Referer: http://127.0.0.1:7101/appB/faces/appBStart.jspx;jsessionid=TtbvKr5Myy7hC5y2j9YVZMLp2dxvYlGP3nV8KnJPtnB5svv4cnDL!-453074333?_adf.ctrl-state=m6b65gdxq_4>
    ####<12-sep-2009 17:30:24 uur CEST><     Accept-Language: nl>
    ####<12-sep-2009 17:30:24 uur CEST><     User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)>
    ####<12-sep-2009 17:30:24 uur CEST><     Host: laptopedwin.wh.lan:8001>
    ####<12-sep-2009 17:30:24 uur CEST><     Accept-Encoding: gzip, deflate>
    ####<12-sep-2009 17:30:24 uur CEST><     Connection: Keep-Alive>
    ####<12-sep-2009 17:30:24 uur CEST><     Cache-Control: no-cache>
    ####<12-sep-2009 17:30:24 uur CEST><weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    ####<12-sep-2009 17:30:24 uur CEST><ssl client key:Sun RSA private CRT key, 1024 bits, ssl client cert chain:[Ljava.security.cert.Certificate;@767c0d>
    ####<12-sep-2009 17:30:24 uur CEST><get BASE64 encoded artifact from http request, value is:AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH/NaPWjnhgmqYEpXMWX2STBHg=>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolver: sha-1 hash value of remote partner id is '0xc46d956aa4de6f55a95df24aeeea8c9706a34f0f'>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolver: found remote partner 'jdev' with entity ID 'jdev_wls'>
    ####<12-sep-2009 17:30:24 uur CEST><ArtifactResolver: returning partner: [email protected]779>
    ####<12-sep-2009 17:30:24 uur CEST><partner entityid isjdev_wls, end point index is:0>
    ####<12-sep-2009 17:30:24 uur CEST><find end point:[email protected]2a7, binding location is:http://laptopedwin.wh.lan:7101/saml2/sp/ars/soap>
    ####<12-sep-2009 17:30:24 uur CEST><<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xe219b059e77568bc835736caa94d6855" IssueInstant="2009-09-12T15:30:24.671Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">soa</saml:Issuer><samlp:Artifact>AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH/NaPWjnhgmqYEpXMWX2STBHg=</samlp:Artifact></samlp:ArtifactResolve>>
    ####<12-sep-2009 17:30:24 uur CEST><open connection to send samlp:ArtifactResolve. partner id:jdev_wls, endpoint url:http://laptopedwin.wh.lan:7101/saml2/sp/ars/soap>
    ####<12-sep-2009 17:30:24 uur CEST><isClientPasswordSet:false>
    ####<12-sep-2009 17:30:24 uur CEST><connect to remote ARS.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: begin to send SAMLObject to server.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: sending completed, now waiting for server response.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: response code from server is: 200>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: get a HTTP_OK response, now receive a SOAP envelope message.>
    ####<12-sep-2009 17:30:24 uur CEST><SoapSynchronousBindingClient.sendAndReceive: found XMLObject in envelope, return it.>
    ####<12-sep-2009 17:30:24 uur CEST><http url connection disconnect.>
    ####<12-sep-2009 17:30:24 uur CEST><<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xf34d9596cf9f8d37715fdf3529266b40" InResponseTo="_0xe219b059e77568bc835736caa94d6855" IssueInstant="2009-09-12T15:30:24.812Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">jdev_wls</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096565]Artifact requester authentication failed.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse>>
    ####<12-sep-2009 17:30:24 uur CEST><get samlp:ArtifactResponse and verify it.>
    ####<12-sep-2009 17:30:24 uur CEST><saml version:2.0>
    ####<12-sep-2009 17:30:24 uur CEST><inResponseTo:_0xe219b059e77568bc835736caa94d6855>
    ####<12-sep-2009 17:30:24 uur CEST><status code: urn:oasis:names:tc:SAML:2.0:status:Success>
    ####<12-sep-2009 17:30:24 uur CEST><status message: [Security:096565]Artifact requester authentication failed.>
    ####<12-sep-2009 17:30:24 uur CEST><[Security:096577]Failed to receive AuthnRequest document from the requester.>
    ####<12-sep-2009 17:30:24 uur CEST><Caused by: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.>

    Tony,
    Refer SAP Note: 730870. Q16.
    Fyr from SAP Note:
    Q 16: While sending a message to the RfcAdapter the error "... functiontemplate from repository was <null>" is shown. Which reasons are possible?
                  A: After receiving a message from the Adapter Engine, the RfcAdapter extracts the payload from the message. Normally this should be an XML document in the RFC-XML format. In this format the root element of the XML document represents the name of the function module and is enclosed in the fixed RFC namespace 'urn:sap-com:document:sap:rfc:functions'. But this only will be checked at a later point, when the conversion from XML to native RFC is done. As prerequisite of this conversion the structures and types of the function module parameters has to be known. This is also called metadata or function template. To get this function template the name of the function module is extracted from the root element of the XML document and is queried against the metadata repository of the communication channel. If the metadata repository doesn't have a function module with this name, the exception named above is thrown. Possible reasons are
    The XML document, which was send to the RfcAdapter, is not a RFC-XML document. So the root element name of this document is not the name of a function module and thus can't be found in the metadata repository.
    The metadata repository doesn't contain an entry for this function module name. Normally the metadata repository will be an R/3 system and it's function module repository can be searched with transaction code SE37.
    raj.
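
A triage pass over the artifact-resolution exchange in the logs above, as an added example (not code from the post or from WebLogic). The four sample entries are copied from the two logs in the post; the finding names and the `triage` function are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Children defined by StatusResponseType itself; any other child of an
# ArtifactResponse is the resolved SAML message.
ENVELOPE_CHILDREN = {"Issuer", "Signature", "Extensions", "Status"}

# Entries copied from the post: the IdP's ArtifactResolve and connection
# lines, the SP's rejection line, and the ArtifactResponse the IdP received.
SAMPLE_LOG = r'''
####<12-sep-2009 17:30:24 uur CEST><<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xe219b059e77568bc835736caa94d6855" IssueInstant="2009-09-12T15:30:24.671Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">soa</saml:Issuer><samlp:Artifact>AAQAAMRtlWqk3m9VqV3ySu7qjJcGo08PSwH/NaPWjnhgmqYEpXMWX2STBHg=</samlp:Artifact></samlp:ArtifactResolve>>
####<12-sep-2009 17:30:24 uur CEST><open connection to send samlp:ArtifactResolve. partner id:jdev_wls, endpoint url:http://laptopedwin.wh.lan:7101/saml2/sp/ars/soap>
####<12-sep-2009 17:30:24 uur CEST><ArtifactResolutionService.validateArtifactRequester: certificate from client is null, authentication is failed.>
####<12-sep-2009 17:30:24 uur CEST><<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xf34d9596cf9f8d37715fdf3529266b40" InResponseTo="_0xe219b059e77568bc835736caa94d6855" IssueInstant="2009-09-12T15:30:24.812Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">jdev_wls</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096565]Artifact requester authentication failed.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse>>
'''

# One entry per line: ####<timestamp><message>. The message may itself be XML.
ENTRY = re.compile(r"^####<([^>]*)>\s*<(.*)>\s*$")


def parse_entries(log):
    """Split the debug log into (timestamp, message) pairs."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def triage(log):
    """Return findings, in log order, for one artifact-resolution exchange."""
    findings = []
    resolve_ids = set()
    for _timestamp, message in parse_entries(log):
        if message.startswith("<?xml"):
            root = ET.fromstring(message.encode("utf-8"))
            kind = local(root.tag)
            if kind == "ArtifactResolve":
                resolve_ids.add(root.get("ID"))
            elif kind == "ArtifactResponse":
                code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
                text = root.findtext(
                    f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusMessage", default="")
                payload = [c for c in root
                           if local(c.tag) not in ENVELOPE_CHILDREN]
                # A Success status code with no embedded message: the status
                # code alone hides the failure, so read StatusMessage too.
                if (code is not None and code.get("Value") == SUCCESS
                        and not payload):
                    findings.append({
                        "finding": "success-status-without-message",
                        "detail": text.strip(),
                        "request_seen": root.get("InResponseTo") in resolve_ids,
                    })
            continue
        endpoint = re.search(r"endpoint url:(\S+)", message)
        if endpoint and urlsplit(endpoint.group(1)).scheme != "https":
            # A client certificate is only presented inside a TLS handshake,
            # so a resolve request sent over plain HTTP carries none.
            findings.append({"finding": "ars-endpoint-not-tls",
                             "detail": endpoint.group(1)})
        if "certificate from client is null" in message:
            findings.append({"finding": "requester-sent-no-client-cert",
                             "detail": message})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["finding"], "|", item["detail"])
```

The three findings line up with the failure chain in the logs: the resolve request goes to an `http://` endpoint, the artifact resolution service sees no client certificate, and the requester gets back a response whose status code says Success but which carries no SAML message.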

  • Automatic Smart Card Certificate Renewal

    We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.
    Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?
    There are two errors in the event log -
    Event ID:      16
    Description:
    Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).
    Event ID:      6
    Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
    The certificate template is configured with all the correct permissions (Read,Enroll,AutoEnroll) and group policy is configured with the auto enrolment settings. 
    Thanks in advance.

    This may be caused by an incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input during enrollment for smart card templates.

  • Exchange 2007 Webmail certificate Renewal

    Hi,
    If anyone knows more details about how to renew the webmail certificate in Exchange 2007, Webmail certificate is going to expire soon ...EventID 12018

    You can use powershell cmdlet Import-ExchangeCertificate to renew the certificate.
    To enable the certificate, execute Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP -Thumbprint <cert-thumbprint-here>
    For more info, visit
    https://www.digicert.com/ssl-certificate-renewal-exchange-2007.htm

  • Expired Certs for Apache

    Hi All,
    Groupwise web access will not load any more giving:
    HTTP Status 404 -
    type Status report
    message
    description The requested resource () is not available.
    Apache Tomcat/5.5.27
    In digging around I found the cert had expired. I tried renewing it in
    iManager/Novell certificate Server but no joy. When I view the
    certificate, it still says "Expires on: 04/23/2010".
    This has always been my bug-a-boo. What is the TID that covers this?
    Server:
    cat /etc/novell-release
    Novell Open Enterprise Server 2.0.2 (i586)
    VERSION = 2.0.2
    PATCHLEVEL = 2
    BUILD = FCS
    cat /etc/SuSE-release
    SUSE Linux Enterprise Server 10 (i586)
    VERSION = 10
    PATCHLEVEL = 3
    Groupwise 7.0.3
    Thanks
    Bob Crandell

    On Thu, 20 Oct 2011 21:10:56 +0000, Craig Johnson wrote:
    > In article <lZYnq.119$[email protected]>, Bob Crandell
    > wrote:
    >> In digging around I found the cert had expired. I tried renewing it in
    >> iManager/Novell certificate Server but no joy. When I view the
    >> certificate, it still says "Expires on: 04/23/2010".
    >>
    > Did you restart apache or the server after renewing the certificates?
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    I restarted Apache but not the server.
    /etc/init.d/apache2 stop
    /etc/init.d/novell-httpstkd stop
    /etc/init.d/novell-tomcat5 stop
    and
    /etc/init.d/novell-tomcat5 start
    /etc/init.d/novell-httpstkd start
    /etc/init.d/apache2 start
    So I should restart the server?
    Thanks

  • Customizing Certificate Renewal

    We are developing a system that makes use of Certificate Server. But only our system is visible from the Internet,
    CS is hidden behind the firewall.
    We've developed a solution, that makes it possible to request for certificate from our system, then forwards the request to CS, and vice versa, we fetch the page which installs the certificate and forwards it to end-user.
    But, when talking about renewal, we have a problem.
    CS interface for certificate renewal expects, that user legitimates with its expiring (or expired) certificate and then
    CS regenerates new certificate (with validity customized via console) and installs it on client browser.
    We expected similar functionality as with requesting for certificate. User fills out the request, sends it to CS, and admin after checking issues the certificate. More, the admin is responsible for renewing the certificate, not the user, as in previous scenario.
    Also, authenticating with client certificate makes it impossible to forward the request and response by us (we cannot fetch the certificate from the user browser to use it for communication with CS)...
    Maybe some of You have solution that satisfies our needs?
    Maybe CS has another interface, which we didn't explore, allowing certificate renewal without presenting user certificate.
    Or you developed your own, custom solution, that can be suitable for us...
    Thanks for help!
    Michal Szklanowski
    Java Architecte
    empolis Poland

    You have to create certificate request(CSR) from the same instance on which you are trying to install the certificate.
    You need to copy the production server's *.dbs in <ws-install-dir>/https-<instance>/config and run a pull-config --force command to pull the changes into Admin Server.
    If you use WS7.0 Admin Server for certificate renewal, AFAIK a new set of private and public key is generated.

  • Dealing with Expired Certs in Mixed-Mode

    I have done a fair amount of research on this topic and while I have deployed mixed-mode clusters, I haven't had a situation quite like the one I need to contend with in the next couple of weeks. I am trying to be as prepared as possible and am looking for feedback on some procedures I am drafting.
    The situation:
    (4) node cluster (clustering over the WAN)
    TFTP is enabled on all nodes (that is going to change as a result of our assessment findings)
    Cluster is running in mixed-mode
    Most certificates on the Publisher node are expired
        tomcat cert
        ipsec cert
        host-name ipsec-trust cert
        call manager cert (callmanager.pem)
        CAPF cert
        CAPF trust cert
    One of the subscriber nodes is in the same boat as the Publisher node (they were deployed at the same time and were the first nodes in this cluster)
    The other two nodes (in a DR datacenter) have valid certificates  (until 2016) except for the publisher node server cert (which has expired)
    The publisher node and the subscriber node that has the expired certs were also installed without DNS being enabled (no domain and no DNS resolvers specified - therefore, I expect that DNS client was not enabled during install)
    It is worth noting the following:
    Customer enabled mixed-mode because one of the security folks got hot and heavy on encryption. However, they limited the scope to phones only. So, IP Phone to IP Phone == authenticated/encrypted. They have a Unity Connection system with secure ports and that is it. Gateways: no encryption. CCX, etc. == no encryption
    During discovery we also found that LSC distribution is fubar. Only a percentage of the phones are using LSC. Likely due to a flaw in the provisioning process. That will be addressed later.
    The version they are running is 6.1(3)  (base, no service releases)
    The goal: Get the present solution into a VMware environment running CUCM 9.1(2). Planning on doing the Jump Upgrade procedure (interim hop to 6.1.4).
    We found out about the certificate issues during our discovery phase. We have built in time to remediate the certificate issue.
    The plan (well, thus far). I am still pulling together my notes and trying to come up with a way to test an implementation plan offline so that I can avoid bricking the phones (they are spread all over North America).
    Here is the 10,000 foot view of the plan (obviously, the actual plan will be more detailed):
    - Use BAT to disable phone security and uninstall LSC
      - Security Profile mod
      - Certificate Ops
      - Reset phones
    - DRS backup
    - Download/backup current certs
    - Configure DNS
      - set DNS domain name
      - set DNS resolver (primary and secondary)
    - Pub node:
      - regenerate tomcat cert
      - restart tomcat service
      - regenerate ipsec.pem
      - regenerate callmanager.pem
      - regenerate capf.pem
    - Sub node (repeat above)
      - ?should we update the Subs not affected by the cert issue?
    - Run the CTL client and update CTL
    - Reboot servers
      - Pub then Subs
      - Phones will reset as a result of this process
    The customer has said that they are actually fine with the idea of going back to square one and starting over with provisioning a secured (mixed-mode) cluster after the 9.1 upgrade. That would be great except that if I uninstall LSCs, change phones to non-secure, and use CTL client to change back to standard-mode, I still have the CTLs left on the phones. No way to bulk delete them in UCM. I am considering using something like UnifiedFX to help me get back to square 1. Right now, I consider this a plan B. Unless feedback to this thread and other research suggests a different tack.
    Thanks in advance for any assist.
    -Bill

    Hi William,
    You have quite a few requirements here. Just to clear things up, there are two types of certificates: the first is called "certificate trust", and the other is called "Certificate". For the trust certificates such as Callmanager_trust you can just click on the certificate, make sure that it is expired, and then delete it. This has no impact on the phones. The other type of certificate is called "Certs"; you will need to regenerate those certificates. This will regenerate the certificate and also recreate the new "CAPF-trust" or "CallManager-trust" certificates with new date/time ranges.
    Doing the above will not impact the phones or the services; however, after regenerating the certificates, you will need to restart all the services related to this certificate. For example, if you regenerate the tftp certificate, you will need to restart the tftp service on all the servers in the cluster. Same for the Callmanager and the Tomcat.
    Please note that whenever you regenerate the Call manager certificate, you will need to run the CTL client with the same Token you used when the server was changed to mixed mode.
    In general, the below is the procedure to regenerate the certificate:
    - log into the "Cisco Unified OS Administration" page of the publisher
    - choose Security>Certificate Management
    - click the link for the expiring certificate
    - click "Regenerate"
    - restart the service that uses the certificate
    That will regenerate the certificate on the publisher. Within the next 10-15 minutes, the updated certificate will be propagated to the subscribers.
    For more details you could refer to :
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/6_1_1/cucos/iptpch6.html#wp1040760
    http://www.cisco.com/en/US/prod/collateral/voicesw/direct_upgrade_procedure_for_cisco_unified_communications_manager_releases_6.1_2.pdf
    Hope this Helps!
    Regards,
    Karthik Sivaram

  • ADFS with SharePoint 2013 RP: What to do when Token Signing Certificate is about to expire?

    Hello,
    I have an ADFS with a SharePoint 2013 Relying Party.
    I’ve assigned a primary token signing certificate to the ADFS environment. I had to run this command to be able to add the token signing certificate and “Set as Primary”:
    Set-ADFSProperties -AutoCertificateRollover $false
    The certificate is valid for one more year and I am concerned about what happens after the certificate expires. I assume I need to update SharePoint’s SPTrustedIdentityTokenIssuer.
    Is there any guideline that explains how to update the Token Signing Certificate after it expires?
    Thank you,

    Hi Allan,
    If the certificate is due to expire, you could choose to renew the certificate by importing a certificate. However, ADFS could generate the certificate itself. If you use ADFS to generate the new token signing certificate, you could use the Set-ADFSProperties cmdlet to modify the CertificateDuration property to increase the validity period.
    For more information:
    http://www.benjaminathawes.com/2013/07/31/how-to-renew-your-adfs-2-0-token-signing-certificate-in-sharepoint/
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Why do I have more than one "Sites" cert after updating an expired cert. Can I delete the expired cert?????

    Hi, after getting the below message I updated my cert but now have 3 of the same certs? Can I delete the expired cert?????
    There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of SERVER.domainname.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of SERVER.domainname.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.
    I used "Get-ExchangeCertificate | Select CertificateDomains,Thumbprint,Status,Services | fl" to see which cert was expired
    I used "Get-ExchangeCertificate -Thumbprint 91D4C277BE4DF5FA15FC76D936375B7766ABCC23 | New-ExchangeCertificate" to replace the expired cert
    I re-ran "Get-ExchangeCertificate | Select CertificateDomains,Thumbprint,Status,Services | fl" to see if it had worked
    but now I have two certs, one expired, the other not. Can I delete the expired cert?????

    Hi 
    Yes, you can delete the expired certificates which are showing, as they are not functional anymore and they remain as stale entries.
    You can use the below command:
    Remove-ExchangeCertificate -Thumbprint "specify the value "
    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Check out my latest blog posts on http://exchangequery.com
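
A pre-removal check for the situation in this thread, as an added example that is not from the original posts: it classifies certificates shaped like `Get-ExchangeCertificate` output and marks an expired one for removal only when it has no services bound and a valid SMTP-enabled certificate covers the same names. The function name `Get-CertRemovalPlan` and the sample thumbprints and dates are constructed for illustration.

```powershell
# Added example; the three certificates in $sample are constructed.
function Get-CertRemovalPlan {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Certificate,  # shaped like Get-ExchangeCertificate output
        [datetime] $Now = (Get-Date)
    )
    # Valid certificates already enabled for SMTP are the only acceptable replacements.
    $validSmtp = @($Certificate | Where-Object { $_.NotAfter -gt $Now -and "$($_.Services)" -match 'SMTP' })
    foreach ($c in $Certificate) {
        $services = "$($c.Services)"
        $domains  = @($c.CertificateDomains | ForEach-Object { "$_" })
        # A replacement has to cover every name the expired certificate covered.
        $replacement = @($validSmtp | Where-Object {
            $names = @($_.CertificateDomains | ForEach-Object { "$_" })
            -not ($domains | Where-Object { $names -notcontains $_ })
        })
        if ($c.NotAfter -gt $Now) {
            $action = 'Keep'
        } elseif ($services -ne 'None') {
            $action = 'Review: expired but still bound to services'
        } elseif ($replacement.Count -eq 0) {
            $action = 'Review: no valid SMTP certificate covers its names'
        } else {
            $action = 'Remove'
        }
        New-Object psobject -Property @{
            Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter; Services = $services; Action = $action
        }
    }
}

$now  = Get-Date '2015-01-15'        # fixed date so the constructed sample is reproducible
$fqdn = 'SERVER.domainname.local'
$sample = @(
    (New-Object psobject -Property @{ Thumbprint = 'CONSTRUCTED-EXPIRED-UNBOUND'; NotAfter = (Get-Date '2014-06-01'); Services = 'None';      CertificateDomains = @($fqdn) }),
    (New-Object psobject -Property @{ Thumbprint = 'CONSTRUCTED-EXPIRED-BOUND';   NotAfter = (Get-Date '2014-12-01'); Services = 'IIS, SMTP'; CertificateDomains = @($fqdn) }),
    (New-Object psobject -Property @{ Thumbprint = 'CONSTRUCTED-RENEWED';         NotAfter = (Get-Date '2020-01-01'); Services = 'IIS, SMTP'; CertificateDomains = @($fqdn) })
)
Get-CertRemovalPlan -Certificate $sample -Now $now | Select-Object Thumbprint, NotAfter, Services, Action

# In the Exchange Management Shell, feed it live data and dry-run the removal:
#   Get-CertRemovalPlan -Certificate (Get-ExchangeCertificate)
#   Remove-ExchangeCertificate -Thumbprint <thumbprint marked Remove> -WhatIf
```

An expired certificate that still lists services is flagged for review rather than removal, because the renewed certificate may not have been enabled for those services yet.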

  • Build 9879. Can't ignore expired certs in IE 11

    The site for the VPN at my employer has an expired cert. Previously I was able to "Continue to this website (not recommended)" and continue on to the site to get VPN access.
    However, in the latest build of Windows 10 and IE 11, this option is gone. If you hit a site w/ an expired cert your only option is to close the page. This is unacceptable.
    Please let me know if there is a workaround, or provide a way to continue to the site in the very near future.
    B
    http://about.me/bc3tech

    Hi,
    I have confirmed this matter, the latest Windows 10 Technical Preview 9879 really has this phenomenon. But until now, I haven't found any solution or workaround method to access a website that is restricted by a certificate problem.
    In my opinion, it should be a security improvement of IE 11, it would be better to renew the cert to access the website.
    Roger Lu
    TechNet Community Support
    Renewing the cert isn't an option for end users. Warn them, don't inhibit their experience. The warning that was in place before was perfectly sufficient, as is the same thing all other browsers do.
    http://bc3te.ch/brandonh

  • Urgent - Updates no longer working after certificate renewal (production app)

    Hi,
    Updates pushed for our production AIR application are failing after a renewal of our expired code signing certificate, and performing the certificate migration procedure as outlined here:
    http://help.adobe.com/en_US/AIR/1.5/devappsflex/WS13ACB483-1711-43c0-9049-0A7251630A7D.html
    The error message appears as: "This application cannot be installed because this installer has been mis-configured. "
    The AIR app installer log indicates the source of the problem:
    "The certificate of the installed app fails to match either the signature or migration signature of the AIR file"
    However, the migration procedure has been executed exactly as described, using the correct certificates. The Adobe AIR 2.0.2 runtime (and adt) has been used.
    We need to push an important update asap, and advising our end users to reinstall is not feasible.
    I am willing to provide anything necessary to resolve this as quickly as possible. Please advise.

    Happy to report that we found the source of the issue ourselves:
    There is apparently a problem with ADT (at least in the AIR 2.0 SDK) where it will appear to perform a certificate migration successfully, but in actual fact will silently fail and not update the .AIR file at all. This happens when the output filename is equal to the input filename, so this problem arises if you follow the example in the documentation:
    http://help.adobe.com/en_US/AIR/1.5/devappsflex/WS13ACB483-1711-43c0-9049-0A7251630A7D.html
    A simple workaround is to choose a different output filename. In any case, be wary that ADT does not provide feedback whether a migration actually was performed. Check the file timestamp and size to be sure.
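
A post-migration check for the failure mode described in this answer, as an added example that is not from the original posts: it rejects an output path equal to the input path and compares SHA-256 digests instead of relying on timestamp and size alone. The function names `Get-Sha256` and `Test-MigratedPackage` and the stand-in files are constructed for illustration.

```powershell
# Added example; file names and contents below are constructed.
function Get-Sha256 {
    param([string] $Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    [System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes))
}

function Test-MigratedPackage {
    param(
        [Parameter(Mandatory=$true)] [string] $InputAir,
        [Parameter(Mandatory=$true)] [string] $OutputAir
    )
    if (-not (Test-Path -LiteralPath $InputAir))  { return 'FAIL: input package not found' }
    if (-not (Test-Path -LiteralPath $OutputAir)) { return 'FAIL: output package was not written' }
    # Resolve to absolute paths so .\app.air and app.air compare as the same file.
    $src = (Resolve-Path -LiteralPath $InputAir).ProviderPath
    $dst = (Resolve-Path -LiteralPath $OutputAir).ProviderPath
    if ($src -eq $dst) { return 'FAIL: output path is the input path (the silent-failure case)' }
    if ((Get-Item -LiteralPath $dst).Length -eq 0) { return 'FAIL: output package is empty' }
    if ((Get-Sha256 $src) -eq (Get-Sha256 $dst)) { return 'FAIL: output is byte-identical to input' }
    'OK: output differs from input'
}

# Constructed stand-ins for .air packages, written to a throwaway temp directory.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.Guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $dir | Out-Null
$orig      = Join-Path $dir 'app.air'
$unchanged = Join-Path $dir 'app-unchanged.air'
$migrated  = Join-Path $dir 'app-migrated.air'
[System.IO.File]::WriteAllBytes($orig,      [byte[]](1, 2, 3, 4))
[System.IO.File]::WriteAllBytes($unchanged, [byte[]](1, 2, 3, 4))        # tool wrote nothing new
[System.IO.File]::WriteAllBytes($migrated,  [byte[]](1, 2, 3, 4, 5, 6))  # content actually changed

Test-MigratedPackage -InputAir $orig -OutputAir $orig        # same-path case
Test-MigratedPackage -InputAir $orig -OutputAir $unchanged   # identical-content case
Test-MigratedPackage -InputAir $orig -OutputAir $migrated    # changed output
Remove-Item -LiteralPath $dir -Recurse
```

A differing digest only shows that the file changed; installing the update over a build signed with the old certificate remains the real acceptance test.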

  • Certificate-Based Client authentication slowness (DSEE 6.3.1)?

    I seem to be seeing very slow operations involving certain certificate-based client interactions.
    I have a user with an application that connects via LDAPS (port 636), does an anonymous bind, and then binds as a specific user. This application is written using .Net (System.DirectoryServices.Protocols library) and housed on an IIS web server that has a certificate signed by Equifax.
    The application performs relatively quickly (operations take an elapsed time of less than 1 second) if:
    1. "Client Authentication" is set to "Allow Certificate-Based Client authentication" and there is no Equifax CA cert in the list of CA Certificates.
    or 2. "Client Authentication" is set to "Do Not Allow Certificate-Based Client authentication".
    If I have "Allow Certificate-Based Client authentication" and the Equifax CA cert installed, all operations by the application succeed but show an elapsed time of about 13-14 seconds.
    The Equifax CA cert should be trusted (certutil shows flags: CT,, )
    Has anyone seen anything like this? I've not been able to successfully figure out how to get additional logging RE: the certificate exchange other than grabbing the raw data from ssltap (which I'm not sure I correctly understand). I turned up the infolog levels to include connection management and packets, but that didn't provide what I was looking for.
    Additional troubleshooting info:
    dsadm -V
    [dsadm]
    dsadm : 6.3.1 B2008.1121.0308 NAT
    [slapd 32-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3.1_RME_6915746 B2010.0112.1626 32-bit
    ns-slapd : 6.3.1 B2008.1121.0308 NAT
    Slapd Library : 6.3.1_RME_6915746 B2010.0112.1626
    Front-End Library : 6.3.1 B2008.1121.0308
    [slapd 64-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3.1_RME_6915746 B2010.0112.1631 64-bit
    ns-slapd : 6.3.1 B2008.1121.0308 NAT
    Slapd Library : 6.3.1_RME_6915746 B2010.0112.1631
    Front-End Library : 6.3.1 B2008.1121.0308

    The only thing I can think of off the top of my head is if the server is doing a callout to an external site for something like a CRL. Even though the traffic is encrypted, you should be able to see something like that in a packet trace even so.

  • System PSE certificate is going to expire

    Dear All,
    I am getting the warning in my R3 system, i.e. "Validity of certificate from list with PSE type >SystemPSE< ends in 13 days". In the STRUST certification list, I see that this certificate having CN = <sid> of my portal system is going to expire.
    I am new to this, so can anyone tell me what the certificate is doing & how I can get this certificate renewed.
    Regards,
    Ankit Gupta

    Hi Ankit.
    Perhaps you have missed this blog in my previous reply.
    What's small and useful, but often doesn't last as long as you want?
    Thanks.
    If you have any query please revert back.
