CGI.Client_Cert_Encoded Variable Problem / PKI Certificates

Hello,
I have a developer on my team who has been tasked with
upgrading our ColdFusion Server from 5.0 to 7.0. The problem we are
having is that the client_cert_encoded cgi variable is not showing
up or getting set even though we have a valid client certificate.
The cert_issuer and cert_subject variables are being set and I can
display them fine.
Does anyone have any ideas or solutions to this problem?
Sincerely,
Robert Eberhart

It appears Adobe has dropped support for that variable.
Take a look at the comments at the bottom:
http://livedocs.adobe.com/coldfusion/6/CFML_Reference/Expressions5.htm

Similar Messages

  • Not able to get SSL related CGI Environment Variables?

    We are currently using APEX 3.2.0.x, OHS 10.1.3.x, and 11gR1 on linux. The APEX application we've been developing will be accessed via SSL and x509 certificates such that a client certificate is passed from a user's browser to the OHS, the information will be read from the certificate, and if the user's cert information exists in a user table associated with the application, they will have the role they've been assigned as an existing user within the application. Otherwise, the user will be a guest and have a minimum role accessing the application.
    We are certainly not gurus when it has come to setting up and configuring SSL and certs, but we have gotten to the point where we have all of the required certs created and installed, and the client cert passes its information successfully to the OHS to get to the "home" page of the application via the Rewrite statement in the httpd.conf/ssl.conf that points to the appropriate https url. We are now at the point where we need the APEX application page to read the cert information, and this is where we are having problems.
    We have created an "On Load - Before Header" process and temporary item on the "home" page to display CGI environment variables to see what we're getting. It's a PLSQL Anonymous block like this:
        DECLARE
            lUserName VARCHAR2(100);
        BEGIN
            SELECT NVL(owa_util.get_cgi_env('REMOTE_USER'),'NOT POPULATED') INTO lUserName FROM DUAL;
            :P1_REMOTE_USERNAME := lUserName;
        END;
    We can grab any of the cgi environment variables that are listed in the OHS mod_plsql User's Guide. We cannot seem to be able to get any of the SSL CGI environment variables though. We are adding the SSL variables to the dads.conf via the PlsqlCGIEnvironmentList parameter (ex: PlsqlCGIEnvironmentList SSL_CLIENT_S_DN_CN) and bouncing the OHS as needed. Unfortunately, we have not been successful in getting any of them to show up in the item on the APEX page.
    As far as we can tell, we have the SSL/OHS/Certs configured, but maybe there is another SSL directive or some other configuration item that we've missed that needs to be set in order for SSL CGI environment variables to be available to the owa_util.get_cgi_env function. If anyone can tell us what we may have missed, it would be appreciated.
    thanks
    bob

    Hey John,
    what we have found that we were not sure of is that we need to use Rewrite rules and conditions in the ssl.conf to grab the ssl cgi environment variables and "put" them into the request header to hold them like this:
        RewriteCond %{SSL:SSL_SERVER_S_DN} (.*)
        RewriteRule .* - [E=SSLS_DN:%1]
        RequestHeader add X-SSL-SERVER-S-DN %{SSLS_DN}e
    Then in the dads.conf put the request header reference in there with the plsqlcgienvironmentlist parameter like this:
        PlsqlCGIEnvironmentList HTTP_X_SSL_SERVER_S_DN
    Restart the OHS, and then grab the HTTP_X_SSL_SERVER_S_DN variable(s) via the owa_util.get_cgi_env in the APEX page to pull the value out with an anonymous block in an On Load - Before Header process like this:
        DECLARE
            lUserName VARCHAR2(100);
        BEGIN
            SELECT NVL(owa_util.get_cgi_env('HTTP_X_SSL_SERVER_S_DN'),'NOTHING HERE') INTO lUserName FROM DUAL;
        END;
    It's the Rewrite rules and putting them into the request header that we were not totally sure about as far as how and where you put the environment variables to make them accessible to the dads.conf with the PlsqlCGIEnvironmentList parameter that in turn makes them accessible to APEX. We're still not 100% sure this is the correct method, but it's working. We don't recall reading in any of the APEX docs, APEX forum threads, or other documentation about needing Rewrite rules and conditions to put the cgi environment variables into the request header to make them accessible to APEX. So, that seems to be our missing piece of the puzzle here.
    Anyway, I think we're okay for the moment, and maybe this thread will help someone else out in the future. Thanks for your help John, and will give you a helpful plug on the forum for this thread. BTW, I do have your book, so it was nice to see someone as advanced with APEX as yourself reply to the posting.
    Thanks
    Bob
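
A hardened form of the header-forwarding setup described in the reply above, as an added example that is not part of the original thread. It applies the same technique to the client variable SSL_CLIENT_S_DN_CN named in the question; the header name X-SSL-CLIENT-S-DN-CN and the environment variable SSLC_CN are assumptions chosen for this example.

```apache
# ssl.conf, inside the SSL VirtualHost (added example, not from the thread).
# X-SSL-CLIENT-S-DN-CN and SSLC_CN are names assumed for this example.

# Weak form, following the pattern in the thread:
#   RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} (.*)
#   RewriteRule .* - [E=SSLC_CN:%1]
#   RequestHeader add X-SSL-CLIENT-S-DN-CN %{SSLC_CN}e
# "add" leaves any header of the same name that arrived with the request in
# place, so the application can receive a value that did not come from
# mod_ssl. (.*) also matches when no certificate was presented.

# Corrected form:
RewriteEngine On

# Only continue when mod_ssl reports a successfully verified client certificate.
RewriteCond %{SSL:SSL_CLIENT_VERIFY} ^SUCCESS$
# Last condition supplies %1: require a non-empty CN.
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} (.+)
RewriteRule .* - [E=SSLC_CN:%1]

# Always discard whatever the request carried under this name ...
RequestHeader unset X-SSL-CLIENT-S-DN-CN
# ... and set it from the TLS session only when SSLC_CN was populated above.
RequestHeader set X-SSL-CLIENT-S-DN-CN "%{SSLC_CN}e" env=SSLC_CN

# dads.conf: expose the header to owa_util.get_cgi_env
PlsqlCGIEnvironmentList HTTP_X_SSL_CLIENT_S_DN_CN
```

With this in place, owa_util.get_cgi_env('HTTP_X_SSL_CLIENT_S_DN_CN') returns NULL unless the request came with a verified client certificate, which matches the thread's "guest with minimum role" fallback.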

  • Using PKI Certificate Logon

    Currently our users need a valid PKI certificate to access our
    site, but we need to find a way to validate them and log them in
    based purely on their PKI certificate without using a login name
    and password? Does anyone know a way to identify a user in
    coldfusion with just his submitted certificate, or is there a 3rd
    party solution that would work?
    Thanks

    Hi, I am also facing the same problem.
    If you get any feasible solution using only Java, please provide it here.
    Thanks,
    Msr.

  • Get CGI env variables in a database procedure using new APEX Listener

    I already posted this question in the Apex Listener forum and still no replies after one week. The original post is here:
    Get CGI environment from APEX Listener within database procedure
    So please forgive me for posting in this forum as well, but there is a lot more activity here.
    I'd like to know how I can get the CGI environment from the APEX Listener. For example, if I want to write a procedure that inserts into a table the originating IP Address of the client making the web request, how do I get it?
    I am familiar with the Oracle Http Server and mod_plsql, and I know how to call OWA_UTIL.GET_CGI_ENV to get this sort of information. How do I do it using the APEX Listener?
    In particular, how do I do this when calling a custom procedure (not in an Apex workspace)? When I try it now, I get an error from owa_util. The cgi env seems to be empty or not initiated (owa.num_cgi_vars is null or zero).
    Specific set-up:
    I have a web server running the latest JDK, Glassfish, and 1.1.4 Apex Listener. It connects to another server running the latest 11.2 database. Apex is installed and running, but I am not really developing a traditional Apex application in a workspace. I mainly use it like you would use mod_plsql. In other words, I have custom pl/sql packages that are called directly via URL. The requests are forwarded by the listener to the database, and the DB executes the procedure and returns output using htp.p to send text back to the browser. And it works just fine for this purpose. But if I want to call GET_CGI_ENV to get information like the IP Address, web browser making the request, etc. I can't seem to get it with the OWA packages.
    Can anyone shed some light on this? If Apex Listener is not designed to do this, is there some kind of workaround I can use to forward this sort of information to the database for each request?

    I have not tried owa_util.print_cgi_env from SQL Workshop yet, as I have not created an APEX workspace. I have had no need for a workspace because of the way I am using APEX as a method for calling custom packages and stored procedures. In other words, I am using APEX strictly for the mod_plsql functionality. I just use it to forward requests to the database to execute pl/sql code, but I don't develop anything in APEX. My application is a web service with no screens and no direct user interface, which is why I did not need to create APEX forms. The front end is a mobile app that makes calls to the web service.
    But I have tried calling owa_util.print_cgi_env in one of my stored procedures and it returns no data, even when calling it from the web front-end.
    So I am beginning to believe that if the OWA toolkit works with APEX, then it must only be enabled when invoked within a workspace. Stand-alone procedures can be called via APEX, but apparently doing so does not initiate the CGI env variables. This set-up used to work under the OHS with mod_plsql. The embedded pl/sql gateway also works this way.
    Is there a procedure call that APEX is making to set the environment before each SQL Workshop request?
    My security model currently blocks access to all packages and procedures except for my custom packages. I am using the APEX Listener configuration to allow only the packages listed by name in a white list. But I thought I allowed all access when I first tried calling the OWA packages. I'll have to try that again.

  • Provide steps to send Root CA certificate to the Lync client, getting error "There was a problem verifying certificate from the server"

    Hi,
    I built a Lync 2013 setup with an FE pool and a Director pool, and an Exchange server is integrated. I have a Windows 8 client machine with the Lync client installed. When I try to log in to the Lync client, I get an error like "There was a problem verifying certificate from the server".
    When I install the Root CA cert manually on the client machine, I am able to log in to the Lync client. Similarly, if I add my client machine to my domain, I am able to log in to the Lync client.
    Now, is there any other way to send the certificate automatically from the server to client machines (which are NOT part of the domain), instead of the manual installation process?
    Please help me troubleshoot this problem.

    Agree with S Guna, there is no easy way to push a certificate automatically to a client that you don't control other than building an installer package and asking them to run it. In this situation, if there are a lot of non-domain joined machines, a third party certificate is the way you need to go.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Usage of CGI environment variables SERVER_NAME and HTTP_HOST by APEX

    Hi,
    I have a question about the usage of the CGI environment variables SERVER_NAME/SERVER_PORT and HTTP_HOST by APEX.
    When does it use which CGI environment variables when it is generating absolute URLs?
    Based on the following thread about the online help (Re: Help does not show content), it seems to use SERVER_NAME/SERVER_PORT. At least for the online help.
    But based on my own tests some time ago about the flash charting at the following thread (Re: APEX Charts - Error XML Loading falied), I investigated that at least flash charting is using HTTP_HOST to generate an absolute URL.
    My question now is what is the logical difference between HTTP_HOST and SERVER_NAME and which of the URLs should be used when I want to generate absolute URLs in my application?
    I would tend to use HTTP_HOST because it seems to be more logical. I would see SERVER_NAME more as just the name of the web-server, which doesn't have to be the URL the user enters in case a reverse proxy is used.
    Thanks
    Patrick
    My APEX Blog: http://inside-apex.blogspot.com
    The ApexLib Framework: http://apexlib.sourceforge.net
    The APEX Builder Plugin: http://sourceforge.net/projects/apexplugin/

    We use HTTP_HOST in most cases from what I can see. You may have also noted that HTTP_HOST may have :<port> appended to the hostname as well.
    Scott

  • Bad Bind Variable Problem

    Hi
    I am trying to create a trigger and facing Bad Bind Variable problem.
    Please let me know what's the problem in this trigger.
        CREATE OR REPLACE TRIGGER Tender_tax_update
        AFTER INSERT OR UPDATE OR DELETE OF ITEM_QTY, ITEM_RATE, TENDER_ACC_QTY
        ON TENDER_ENQUIRY_ITEM_D
        REFERENCING OLD AS OLD NEW AS NEW
        FOR EACH ROW
        Declare
            v_amt     TENDER_VENDOR_TAX_D.TAX_AMOUNT%TYPE;
            v_tax_ty  TENDER_VENDOR_TAX_D.TAX_TYPE%TYPE;
            v_tax_cd  TENDER_VENDOR_TAX_D.TAX_CODE%TYPE;
            v_ven_cd  TENDER_VENDOR_TAX_D.VENDOR_CODE%TYPE;
            v_item_cd TENDER_VENDOR_TAX_D.item_cd%TYPE;
            v_tenno   TENDER_VENDOR_TAX_D.tender_enquiry_no%TYPE;
        Begin
            if inserting then
                v_tax_ty  := :new.TAX_TYPE;
                v_tax_cd  := :new.TAX_CODE;
                v_ven_cd  := :new.vendor_code;
                v_item_cd := :new.item_cd;
                v_tenno   := :new.tender_enquiry_no;
                select TAX_AMOUNT into v_amt
                  from TENDER_TAX_DETAILS
                 where tender_enquiry_no = v_tenno and TAX_CODE = v_tax_cd and TAX_TYPE = v_tax_ty
                   and item_cd = v_item_cd and vendor_code = v_ven_cd;
                update TENDER_VENDOR_TAX_D
                   set TAX_AMOUNT = v_amt
                 where tender_enquiry_no = v_tenno and TAX_CODE = v_tax_cd and TAX_TYPE = v_tax_ty
                   and item_cd = v_item_cd and vendor_code = v_ven_cd;
            end if;
        End Tender_tax_update;
    Database details are as follows:
    TENDER_VENDOR_TAX_D
        Name               Null?     Type
        TENDER_ENQUIRY_NO  NOT NULL  VARCHAR2(8)
        VENDOR_CODE        NOT NULL  VARCHAR2(4)
        TAX_CODE           NOT NULL  VARCHAR2(4)
        PERCENTAGE                   NUMBER(5,2)
        TAX_AMOUNT                   NUMBER(15,2)
        ITEM_CD            NOT NULL  VARCHAR2(10)
        TAX_FLAG                     VARCHAR2(1)
        TAX_TYPE                     CHAR(3)
    TENDER_TAX_DETAILS
        Name               Null?     Type
        TENDER_ENQUIRY_NO  NOT NULL  VARCHAR2(8)
        VENDOR_CODE                  VARCHAR2(4)
        ITEM_CD                      VARCHAR2(10)
        TAX_CODE           NOT NULL  VARCHAR2(4)
        TAX_TYPE                     CHAR(3)
        TAX_AMOUNT                   NUMBER

    "facing Bad Bind Variable problem."
    Doesn't the error message tell you which bind variable is the problem?

  • Accessing User Name in a JAVA application from a PKI certificate

    Our JAVA application needs to verify the username from a PKI certificate. Is there any way to access this information? We are developing using Oracle JDeveloper, Oracle App Server and db.
    Thanks,

    I don't know if it is possible to run the main method from another Java app by simply calling it...
    But you could just copy and paste the stuff from your main method into a new static method called something like runDBQuery and have all the execution run from there.
    How does that sound? Is it possible?
    What I'm suggesting is:
    Original:
        public class DBQuery {
            public static void methodA() {
            }
            public static void doQuery() {
                methodA();
            }
            public static void main(String[] args) {
                // Your method calls
                // Your initializing
                doQuery();
            }
        }
    Revised:
        public class DBQuery {
            public static void methodA() {
            }
            public static void doQuery() {
                methodA();
            }
            public static void doMyQuery() {
                // Your method calls
                // Your initializing
                doQuery();
            }
            // No main needed!!
            //public static void main(String[] args){
            // Your method calls
            //doQuery();
            //}
        }

  • Hangman: variable problem

    Good evening. I am in the final stages of finishing up my hangman project but I have encountered a variable problem on 3 lines of code. The compiler doesn't seem to like this line of code "r = in.readLine();" or "word = in.readLine();" obviously it doesn't like this way of reading in. I am seeking any help possible. It would be very much appreciated. Thanks!
    here's the code:
    package hangman;

    /**
     * <p>Title: </p>
     * <p>Description: </p>
     * <p>Copyright: Copyright (c) 2005</p>
     * <p>Company: </p>
     * @author unascribed
     * @version 1.0
     */
    import java.io.*;
    import java.text.*;

    public class Hangman {
        public static void main(String[] args) throws IOException {
            char[] theWord;
            char[] guesses;
            boolean[] correctGuesses;
            int maxWrong = 6; // We'll give them 6 incorrect
            int numWrong = 0;
            boolean badGuess;
            char guess;
            int numGuesses = 0;
            // Get the word
            theWord = getWord();
            // Initialize correctGuesses
            correctGuesses = new boolean[theWord.length];
            for (int i = 0; i < correctGuesses.length; i++) {
                correctGuesses[i] = false;
            }
            // initialize guesses
            guesses = new char[theWord.length + maxWrong];
            // Keep going until they have guessed everything
            while (!gameOver(correctGuesses) && numWrong < maxWrong) {
                // Print out the current state
                System.out.println("-----");
                // Print out the status
                System.out.print("Status: ");
                for (int i = 0; i < theWord.length; i++)
                    if (correctGuesses[i])
                        System.out.print(theWord[i]);
                    else
                        System.out.print('_');
                System.out.println();
                // Print out what has been guessed so far
                System.out.print("Guessed: ");
                for (int i = 0; i < numGuesses; i++)
                    System.out.print(guesses[i]);
                System.out.println();
                System.out.println((maxWrong - numWrong) + " incorrect guesses remaining");
                System.out.println("*****");
                // Get the guess
                guess = getGuess(guesses, numGuesses);
                // Record it
                guesses[numGuesses] = guess;
                numGuesses++;
                // See if it is in the word
                badGuess = true;
                for (int i = 0; i < theWord.length; i++) {
                    if (guess == theWord[i]) {
                        correctGuesses[i] = true;
                        badGuess = false;
                    }
                }
                if (!badGuess) {
                    System.out.println("Good guess!");
                } else {
                    System.out.println("Bad guess!");
                    // If the guess wasn't in the word, increment
                    numWrong++;
                }
            }
            if (numWrong == maxWrong)
                System.out.println("Game Over: Sorry you entered too many bad guesses - better luck next time!");
            else
                System.out.println("Good Job - you win!");
        }

        // Get the word
        public static char[] getWord() {
            String word;
            // Get a word
            System.out.print("Please enter a word: ");
            word = in.readLine();
            // And return it as a char array
            return word.toCharArray();
        }

        // See if the game is finished (all the letters guessed)
        public static boolean gameOver(boolean[] g) {
            boolean allGuessed = true;
            // if any element of the array is false
            // then they haven't guessed everything yet
            // and the game is not over
            for (int i = 0; i < g.length; i++)
                if (g[i] == false)
                    allGuessed = false;
            return allGuessed;
        }

        // Get a guess
        public static char getGuess(char[] guesses, int numGuesses) {
            char r = 'a';
            boolean done = false;
            // Get a character
            while (!done) {
                // Read and discard the previous newline
                while (r != '\n')
                    r = in.readLine();
                System.out.print("Your guess: ");
                r = in.readLine();
                // See if they already guessed this letter
                done = true;
                for (int i = 0; i < numGuesses; i++) {
                    if (r == guesses[i]) {
                        System.out.println("You already guessed that letter. Please try again.");
                        done = false;
                    }
                }
            }
            // return the guess
            return r;
        }
    }

    THANKS! I just added a BufferedReader; however, the same problem with the variable persists. If anyone can fix it I'd appreciate it dearly!
    code with bufferedreader:
    package hangman;

    /**
     * <p>Title: </p>
     * <p>Description: </p>
     * <p>Copyright: Copyright (c) 2005</p>
     * <p>Company: </p>
     * @author unascribed
     * @version 1.0
     */
    import java.io.*;
    import java.text.*;

    public class Hangman {
        public static void main(String[] args) throws IOException {
            char[] theWord;
            char[] guesses;
            boolean[] correctGuesses;
            int maxWrong = 6; // We'll give them 6 incorrect
            int numWrong = 0;
            boolean badGuess;
            char guess;
            int numGuesses = 0;
            BufferedReader in;
            in = new BufferedReader(new InputStreamReader(System.in));
            // Get the word
            theWord = getWord();
            // Initialize correctGuesses
            correctGuesses = new boolean[theWord.length];
            for (int i = 0; i < correctGuesses.length; i++) {
                correctGuesses[i] = false;
            }
            // initialize guesses
            guesses = new char[theWord.length + maxWrong];
            // Keep going until they have guessed everything
            while (!gameOver(correctGuesses) && numWrong < maxWrong) {
                // Print out the current state
                System.out.println("-----");
                // Print out the status
                System.out.print("Status: ");
                for (int i = 0; i < theWord.length; i++)
                    if (correctGuesses[i])
                        System.out.print(theWord[i]);
                    else
                        System.out.print('_');
                System.out.println();
                // Print out what has been guessed so far
                System.out.print("Guessed: ");
                for (int i = 0; i < numGuesses; i++)
                    System.out.print(guesses[i]);
                System.out.println();
                System.out.println((maxWrong - numWrong) + " incorrect guesses remaining");
                System.out.println("*****");
                // Get the guess
                guess = getGuess(guesses, numGuesses);
                // Record it
                guesses[numGuesses] = guess;
                numGuesses++;
                // See if it is in the word
                badGuess = true;
                for (int i = 0; i < theWord.length; i++) {
                    if (guess == theWord[i]) {
                        correctGuesses[i] = true;
                        badGuess = false;
                    }
                }
                if (!badGuess) {
                    System.out.println("Good guess!");
                } else {
                    System.out.println("Bad guess!");
                    // If the guess wasn't in the word, increment
                    numWrong++;
                }
            }
            if (numWrong == maxWrong)
                System.out.println("Game Over: Sorry you entered too many bad guesses - better luck next time!");
            else
                System.out.println("Good Job - you win!");
        }

        // Get the word
        public static char[] getWord() {
            String word;
            // Get a word
            System.out.print("Please enter a word: ");
            word = in.readLine();
            // And return it as a char array
            return word.toCharArray();
        }

        // See if the game is finished (all the letters guessed)
        public static boolean gameOver(boolean[] g) {
            boolean allGuessed = true;
            // if any element of the array is false
            // then they haven't guessed everything yet
            // and the game is not over
            for (int i = 0; i < g.length; i++)
                if (g[i] == false)
                    allGuessed = false;
            return allGuessed;
        }

        // Get a guess
        public static char getGuess(char[] guesses, int numGuesses) {
            char r = 'a';
            boolean done = false;
            // Get a character
            while (!done) {
                // Read and discard the previous newline
                while (r != '\n')
                    r = in.readLine();
                System.out.print("Your guess: ");
                r = in.readLine();
                // See if they already guessed this letter
                done = true;
                for (int i = 0; i < numGuesses; i++) {
                    if (r == guesses[i]) {
                        System.out.println("You already guessed that letter. Please try again.");
                        done = false;
                    }
                }
            }
            // return the guess
            return r;
        }
    }

  • HT1679 How do you add a PKI certificate to "My Certificates?"

    I read the Apple KB article about getting certain individual certificate-requiring websites connected with PKI certificates, but it assumes the necessary certificates are already visible in the "My Certificates" category of the Keychain Access app.  What if I have a certificate from my work computer that shows up in the "Certificates" category but not the "My Certificates" category?  Is there any way to get them transferred into the "My Certificates" category so that Safari will recognize them?
    Brian Green

    I think it's the same process as adding an iTunes card; just go to redeem and type in the code.

  • Can't sign adobe html5 extension - problem with certificate

    1. I want to package my html extension for photoshop CC.
    2. I have tried to use ZXPSignCmd to build and sign extension package.
    3. For self-signed certificate it works.
    4. Now we bought root signed certificate from GlobalSign but ZXPSignCmd fails when we try to use it:
    Output from ZXPSignCmd:
    Unable to build a valid certificate chain. Please make sure that all certificates are included in the certificate file.
    We are sure that our certificate & password are correct (inside .p12 file we have 3 certs - root, intermediate and ours).
    We tried to use Adobe packaging tools: Configurator / Packager and each of them returns error that there is a problem with certificate. On the other side I was able to use ucf.jar to package another plugin with our certificate - so certificate is correct I guess.
    How can we package HTML5 Extension with manifest.xml and sign it with our certificate for Photoshop CC?
    We have been trying to solve this for a few hours so far but nothing seems to work...
    Please help.

    I know this is a late reply, but I thought I would chime in as I was getting the same "Unable to build a valid certificate chain. Please make sure that all certificates are included in the certificate file." error with our new Comodo code signing certificate.
    I originally received the code-signing certificate from Comodo as a .p7s file by downloading it from Comodo using Safari on Mac OS X Mavericks. I then imported it into Keychain Access (KA) by double-clicking the .p7s file after it was downloaded. From KA, I selected all of the certificates in the chain (by command-clicking each cert) and then exported them as single .p12 file.
    When using the KA-generated .p12 file I got the "certificate chain" error when using the ZXPSignCmd or ucf.jar tool. After way too many hours of head scratching, I decided to import the .p12 file created from KA into FireFox on Mac (v33.0.2) and re-export it from there. To import the .p12 into FireFox go to the import dialog: FireFox > Preferences > Advanced > Certificates Tab > View Certificates Button > Your Certificates Tab > Import Button. Once imported, export it back out as a .p12 file using the "Backup" button in the same dialog box. Yes, you are importing the .p12 just to re-export it as a .p12!
    Using the FireFox-created .p12 works without error when using ZXPSignCmd and ucf.jar. I don't know if this is a Keychain Access issue or if Adobe is just picky about how the .p12 file is created, but having FireFox do the .p12 creation worked for me.
    I hope this helps!
    -- Jim Birkenseer
    www.premediasystems.com

  • Govt PKI Certificates

    Are there any known issues of using portal with Govt generated PKI Certificates? I get the following error when I try to access my homepage.
    [31/08/2001 10:24:32:687 EDT] page/JNI: Exception when trying to connect in 0.
    [31/08/2001 10:24:32:687 EDT] page/ContentFetcher Exception, name=content-fetcher2
    javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
    When I access the portal with URLs that don't use /pls/portal30, they work just fine.
    Thanks,
    Robert Gann

    Robert,
    We had the same problem at our site. It turns out that the instructions provided by the certificate authority for the chain certificate did not work for Apache and the certificate was not chained correctly.
    To fix the problem we went back to the issuing authority's website and selected the option to display the entire chain certificate. We then copied the entire text including comments, and pasted into the certificate chain on our server.
    Apparently, the method given in the authority's instructions was not including the original certificate in the chain.
    This may be clear as mud since it has been awhile so let me know if you need further clarification and I will go back to the site and retrace my steps.

  • Monitor pki certificate status via snmp

    I recently discovered that a number of our remote sites could not connect to each other via dmvpn due to various certificate problems.
    They could all connect to our hubs due to pre shared keys, so the problem was never discovered before a colleague discovered MM_KEY_EXCH states on some of the routers.
    I therefore want to monitor the state of the certificates, preferably via snmp.
    I found a nice-looking MIB, CISCO-PKI-PARTICIPATION-MIB, on http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.505
    but none of our routers seem to support it, and when you click on "view supporting images", it also specifies: "There is no supporting images available for
    CISCO-PKI-PARTICIPATION-MIB"
    Do you have any experience on how to monitor certificate status on your Cisco routers?

    No real solution. I found that they all needed to connect to one specific router, so I fire off "show crypto isakmp sa | inc MM_KEY_EXCH" on that specific router via our management platform, and receive a mail with the output on a daily basis.
