Configure verisign digital certificate
Hi,
I am not sure if this question is for this forum, any help would be appreciated.
I have installed Sun Java Portal Server (2005Q4) with Sun Java Web Server as a container.
I have purchased a VeriSign digital certificate, installed successfully in webserver
container.
What I need is to configure a webserver site or alias to hide /portal/dt url string, just typing
https://midominio.com/ authentication page should appear.
How can I configure this in Sun Java Webserver?
Thanks in advance.
Carlos.
Similar Messages
-
Safari - Configuration Profile - Digital Certificate
Hi folks!
I'm currently working on huge project on mobile banking on iPhones. My duty is to provide secure transfer and storage of end user certificates. I managed to do that using third party MDM and custom configuration profile that contain end user digital certificate.
I wonder how this certificate can be used (if possible) by iOS standard ways in iPhone, preferably via Safari as the customer wants to have their mobile banking running on iPhone in Safari window.
If this is not possible could you please give the hint on how to use config profiles in custom iPhone applications?
Many thanks in advance! Hope to get an answer from this community.
Mike
Hi and welcome......
If this is not possible could you please give the hint on how to use config profiles in custom iPhone applications?
This forum is for Safari for the Mac OS X.
Try posting in the iPhone forum here.
http://discussions.apple.com/category.jspa?categoryID=201
Might be some help here for you also.
http://developer.apple.com/devcenter/ios/index.action
Try here too. http://developer.apple.com/devcenter/safari/index.action
Carolyn -
Digital Certificate of SAP AG from VeriSign expired on 26.02.2005 ?
Hi,
When we open BEx, Security Warning screen of Office 2003 appears. Although SAP note says that "click 'Always trust macros from this publisher'", this check is grayed out. It is because Validity of Digital Certificate is 26.02.2005.
Question is:
is there a newer version of *.xla with new Digital certificate? or any other comment which we don't encounter this screen every time we start BEx without lowering the security settings?
Thanks &B Regards
Sinan,
We are experiencing the same exact problem. How did you fix this issue??
Regards,
Vinay -
Installation of the VeriSign digital certification in Oracle HTTP Server
I am not managing to generate the key pair and the CSR in Oracle HTTP Server; if you have any tips I would be thankful.
Thanks
Leandro
Hi Leandro,
Here are some steps to setup digital certificates into Oracle HTTP Server for Unix.
1. The temporary working directory is /u01/tmp/myssl.
2. The contents of <9iAS_HOME>/Apache/open_ssl/bin have been copied to the
temporary working directory created in Assumption #1.
3. SSL file names are priv.key (private key), certreq.csr (certificate request),
and cert.crt (SSL certificate). The actual SSL certificate file could be
named other than 'cert.crt'.
4. By default, SSL is configured using port 443, which requires ROOT access to
start the web listener.
If you want to change this from the default port, you will need to change
the following two parameters in the httpd.conf file to an unused port number:
Listen 443
<VirtualHost _default_:443>
5. All necessary UNIX environment variables are set correctly for your Oracle
product before implementing these procedures.
6. User must be familiar with UNIX concepts like shell navigation, UNIX
environments, file manipulation/search, file copy/backups, etc.
How to Request and Configure an SSL Certificate for Oracle9i Application Server
Step-by-Step Instructions:
1. Change your present working directory to the temporary working directory, e.g.,
/u01/tmp/myssl. Ensure the contents of <9iAS_HOME>/Apache/open_ssl/bin have
been copied into this temporary working directory.
2. Copy 5 large files, each at least 250KB, into your temporary working directory.
Suggest looking in any /bin directory for large sized binary files. Execute
the following command to generate the random character file:
% openssl md5 * > rand.rnd
3. Execute the following command to generate the private key (priv.key):
% openssl genrsa -rand rand.rnd -des3 1024 > priv.key
- when prompted, enter a "PEM pass phrase" password
- re-enter password when prompted to verify password
-- remember the pass phrase password you entered
- this command generates the priv.key file and associated pass phrase
- set permissions on the priv.key file to prevent unauthorized editing
% chmod 400 priv.key
- backup the priv.key file to a secure location
NOTE
The PEM pass phrase must be at least 4 characters in length. Remember this
pass phrase, you will be prompted to enter it in the next step and each
time you start up the Oracle HTTP Server (OHS) in SSL mode.
Optionally, you can unencrypt the value of the private key, so that you
will not be prompted for the PEM pass phrase every time you start up OHS
in SSL mode.
To unencrypt the private key, execute the following two commands (Note:
ensure file permissions set to r+w):
% cp priv.key priv.key.bak
% openssl rsa -in priv.key.bak -out priv.key
- the demo certificate shipped with Oracle9iAS does not require a pass
phrase to start OHS in SSL mode.
- on UNIX, to generate the certificate request and start OHS in SSL mode,
the pass phrase must be entered, unless you executed the above steps
to unencrypt.
- on Windows NT/2000, if a certificate is used that has a pass phrase,
the OHS will hang; therefore, on Windows NT/2000, you must execute
the steps to unencrypt.
4. Execute the following command to generate an SSL certificate request
(certreq.csr) based on your private key.
% openssl req -new -key priv.key -out certreq.csr -config openssl.cnf
- when prompted, enter the "PEM pass phrase" set when the private key
was created.
- when prompted, enter the requested fields that make up the
Distinguished Name.
-- each entry must be valid information, i.e., email, state, location, etc.
- when prompted for the "Common Name", you MUST enter the fully
qualified name which will be accessed via client browsers; e.g.,
if clients will use:
https://mysite.domain.com
-- then, you must enter mysite.domain.com as the "Common Name"
- the requested 'extra' attributes, i.e., "challenge password" and
"optional company name", are OPTIONAL; just hit ENTER to use NULL values.
5. You should now have the private key and certificate request files (priv.key
and certreq.csr) in your temporary working directory.
NOTE
At this point, you can use your certificate request file 'certreq.csr' to
order a valid SSL certificate from any CA-vendor, e.g., Verisign.
After you receive your SSL certificate, skip to Step #6 for instructions
on how to deploy your SSL files.
OPTIONAL
You can start 9iAS in SSL mode (see Step #12) and test the pre-installed demo
certificate and private key included for testing purposes.
It is a good idea to test to be sure the Oracle HTTP Server SSL mode works
successfully before deploying your new SSL certificate. To try these demo
files, access the 9iAS index page in a browser using the HTTPS protocol and
the appropriate SSL Listen port. URL format:
https://myhost.domain.com:<ssl_port>
The user will see a Security Alert (IE), or New Site Certificate (Netscape)
warning message, click Continue/Next to accept.
OPTIONAL
To create a self-signed certificate, execute the following commands:
(csh) % setenv RANDFILE rand.rnd
<sh or ksh> % export RANDFILE=rand.rnd
% openssl x509 -req -days 30 -in certreq.csr -signkey priv.key > tempcert.crt
- when prompted, enter the "PEM pass phrase" set when the private key was created.
- this command generates a temporary self-signed certificate file 'tempcert.crt'
valid for 30 days, which can be used while awaiting a valid SSL certificate
purchased from an authorized CA-vendor.
- if this option is used, after generating the 'tempcert.crt' file, skip to
Step #6 for instructions on how to deploy your SSL files.
OPTIONAL
These steps are specifically for requesting a TRIAL certificate from the
CA-vendor Verisign.
- Go to www.verisign.com and click on "Free Guides and Trials" link and
follow instructions to request a "Free Trial SSL ID". During this process,
you will be asked to provide certificate request information.
- Open the 'certreq.csr' file using your text editor of choice.
- Starting with "-----BEGIN NEW CERTIFICATE REQUEST-----" copy all lines
including the BEGIN and END of certificate lines.
- Paste this copied data into the Verisign page where requested and continue.
- You will see the Verisign web site decode your certificate request
information. This decoded information is presented to you to verify it is
correct. If it is, then continue with the process.
- You will be presented with another set of questions from Verisign. Be sure
to answer with the correct email address, as this address will be used to
send your SSL certificate.
- After you answer all these questions, you will be sent a TRIAL 14-day
SSL certificate via email.
- WARNING! You must follow this step carefully, you cannot copy and paste
information from an email to a new text file. After you get your TRIAL
certificate, save the entire email message to a text file. Open this file
using your text editor of choice. You will see the email address header
information and the line:
-----BEGIN CERTIFICATE-----
- Delete all text that appears before the -----BEGIN CERTIFICATE----- line.
The modified file should contain only certificate information. After you
delete the email header, save this text file inside your temporary directory
with the filename 'trialcert.crt'.
6. Now you are ready to configure Oracle9i Application Server (9iAS) with your
SSL certificate files.
7. Back up your existing <9iAS_HOME>/Apache/Apache/conf/httpd.conf file.
8. Open the httpd.conf file with your text editor of choice.
9. Edit the following httpd.conf directives to use your generated private key
and SSL certificate file, which could be the filename for either the
temporary self-signed certificate, the TRIAL test certificate, or the
purchased valid certificate. The information following the # symbol are
comments.
NOTE
The directory of the SSL files (private key and certificate file)
can reside in any location you choose. The temporary working
directory will continue to be referenced in these procedure steps.
# use the appropriate (i.e., valid, temporary, or trial) certificate filename
SSLCertificateFile /u01/tmp/myssl/tempcert.crt
#private key from Step #4 above:
SSLCertificateKeyFile /u01/tmp/myssl/priv.key
10. Save your modified httpd.conf and exit the text editor.
11. Log in as authorized user (if default ports 80 and 443 are used, ROOT user
must execute commands in next step).
12. Execute the following command to stop, then start Apache in SSL mode
(ensure proper UNIX environments are set; else, execute command from
<9iAS_HOME>/Apache/Apache/bin.)
For Oracle8iAS 1.x:
% httpdsctl stop
% httpdsctl startssl
For Oracle9iAS 1.0.2.x:
% apachectl stop
% apachectl startssl
- when prompted, enter the "pass phrase" created in Step #3.
-- not required if you unencrypted the private key file
- when the Oracle HTTP Server starts successfully in SSL mode, access the
9iAS index page in a browser using the HTTPS protocol and the appropriate
SSL Listen port. URL format:
https://myhost.domain.com:<ssl_port>
- if using a temporary self-signed or TRIAL test certificate, the user will
see a Security Alert (IE), or New Site Certificate (Netscape) warning message,
click Continue/Next to accept.
====================
I hope this helps!!
Ilan Salviano -
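A pre-deployment check for the files the Oracle HTTP Server procedure above produces, as an added example that is not part of the original post: it confirms that priv.key, certreq.csr and the certificate carry the same public key, that the Common Name is the host clients will use, that the key file is not group- or world-accessible, and that the certificate has not expired. The function names, the KEY_PASSIN variable and the 2048-bit floor (the post generates 1024-bit keys) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the procedure
# above; function names, KEY_PASSIN and MIN_RSA_BITS are assumptions.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}   # publicly trusted CAs require >= 2048-bit RSA

# SHA-256 of the public key inside a private key, CSR or certificate.
# An encrypted key needs KEY_PASSIN (openssl -passin syntax); without it the
# read fails instead of prompting.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -passin "${KEY_PASSIN:-pass:}" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{ print $NF }'
}

# Key length in bits, parsed from the "Private-Key: (N bit" line.
key_bits() {
    openssl pkey -in "$1" -passin "${KEY_PASSIN:-pass:}" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Common Name from the request. Current browsers match subjectAltName rather
# than CN; this mirrors the Common Name step of the post.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject=[[:space:]]*//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_tls_files KEY CSR CERT HOSTNAME -> 0 when every check passes.
check_tls_files() {
    key=$1 csr=$2 cert=$3 host=$4 rc=0

    kfp=$(pubkey_fp key "$key")   || { echo "FAIL cannot read private key $key"; return 1; }
    rfp=$(pubkey_fp csr "$csr")   || { echo "FAIL cannot read request $csr"; return 1; }
    cfp=$(pubkey_fp cert "$cert") || { echo "FAIL cannot read certificate $cert"; return 1; }

    [ "$kfp" = "$rfp" ] || { echo "FAIL request was not generated from this key"; rc=1; }
    [ "$kfp" = "$cfp" ] || { echo "FAIL certificate does not match this key"; rc=1; }

    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] ||
        { echo "FAIL key is ${bits:-?} bits, want >= $MIN_RSA_BITS"; rc=1; }

    cn=$(csr_cn "$csr")
    [ "$cn" = "$host" ] || { echo "FAIL Common Name is '$cn', clients use '$host'"; rc=1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL $key is accessible to group/other"; rc=1; }

    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL certificate has expired"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK key, request and certificate are consistent for $host"
    return "$rc"
}

# Constructed sample files: make_sample DIR HOSTNAME writes an unencrypted
# priv.key, certreq.csr and a 30-day self-signed tempcert.crt into DIR.
make_sample() {
    openssl genrsa -out "$1/priv.key" 2048 2>/dev/null &&
    chmod 400 "$1/priv.key" &&
    openssl req -new -key "$1/priv.key" -subj "/CN=$2" -out "$1/certreq.csr" 2>/dev/null &&
    openssl x509 -req -days 30 -in "$1/certreq.csr" -signkey "$1/priv.key" \
        -out "$1/tempcert.crt" 2>/dev/null
}

# Usage: check_tls_files priv.key certreq.csr cert.crt mysite.domain.com
```

Run it before editing SSLCertificateFile and SSLCertificateKeyFile in httpd.conf; a mismatch between key and certificate otherwise only shows up when the server is restarted in SSL mode.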
Using a digital certificate to send an encrypted email.
I want to send an e-mail through my iPad using a digital certificate that I have already configured in my e-mail account. I also want to send this e-mail encrypted. Do I need to have a public certificate code from the person I'm sending the e-mail to? Like Outlook Express works?
thanks for the answer in advance
Hello,
Your best option will be to use an encoder for feedback in your system. If you use an encoder then at the end of the move, the controller will compare your trajectory position with the position the encoder reads (the actual position) and make the necessary adjustments. Also, this is all handled transparently so you won't have to worry about any complicated programming issues.
Regards,
Andy Bell
Applications Engineer
National Instruments -
CIDX Adapter Digital Certificates
Guys,
Here is the scenario..
We are getting the HTTPS message from external system to XI.
We are using the CIDX Adapter to read the external message, validate the digital certificates and map to the ORDERS05 IDoc. As soon as I trigger the message from the external system (HTTPS message), I am seeing the message in the XI RWB adapter engine; when the CIDX adapter is trying to validate the digital signatures somehow it is pointing to J2EE_GUSET user. And it is giving the error mentioned below.
ERROR
"Signature verification failed, alerted;Error when accessing keystore:service_ssl
Signature verification failed, alerted
Unexpected error while packing the CIDX message -
null
Message Processing caused Failure. -
BTD handler indicated processing error
Error encountered while receiving inbound action; See nested exception for detailed error message -
Message Processing caused Failure. -
Message Processing caused Failure. -
BTD handler indicated processing error
Delivery of the message to the application using connection CIDXAdapter failed, due to: Error encountered while receiving inbound action; See nested exception for detailed error message. "
Regarding Digital Certificates
We got the digital certificates from my external party and installed and
created the Key stores in XI Visual Administration tool.
We configured in sender agreement by selecting those key stores..
Can anyone help me on how to resolve the issue, is there any problem in Visual Admin Tool, while installing the certificates..
Thanks
Murali
Message was edited by:
Murali Babu Pallabothula
HI,
See the below links
HTTP* Errors /people/krishna.moorthyp/blog/2006/07/23/http-errors-in-xi
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
also see the below links may be useful..
See the below links
/people/sap.user72/blog/2005/06/16/using-digital-signatures-in-xi
SAP Java Cryptographic Toolkit
http://help.sap.com/saphelp_nw04/helpdata/en/8d/cb71b8046e6e469bf3dd283104e65b/content.htm
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/55ba9790-0201-0010-aa98-ce8f51ea93cd
http://help.sap.com/saphelp_nw04/helpdata/en/fb/322f41d606ef23e10000000a155106/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/45/341a2176b74002e10000000a155369/frameset.htm
Also see the below threads.
how to deal with digital signatures when converting messages?
Certificates Vs Digital Signatures
Security Issues: SSL on SOAP Adapter and Digital Signature in BPM
message level security: difference digital signature and certificate
Loading Invoice XML IDoc with digital signature via XI into R/3
Regards
CHilla -
VPN error when using Microsoft digital certificates.
Hi,
I tried implementing site-site VPN between Cisco Router and Cisco ASA using Microsoft digital certificates. After performing the following configurations, I was not able to ping to other site LAN. I enabled debug and got following output. I successfully enrolled digital certificates.
Cisco ASA config:
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
static (inside,outside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
crypto ca trustpoint winca
enrollment url http://10.1.1.10:80/certsrv/mscep/mscep.dll
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
trust-point winca
On router:
crypto ca trustpoint winca
enrollment mode ra
enrollment url http://1.1.1.10:80/certsrv/mscep/mscep.dll
crypto isakmp policy 19
encr 3des
group 2
authentication rsa-sig
crypto isakmp key cisco address 1.1.1.1
crypto map mymap 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto ipsec transform-set myset esp-3des esp-sha-hmac
Debug output on ASA
CorpASA# Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from peer table failed, no match!
Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
CorpASA#
CorpASA#
CorpASA# Nov 15 02:13:06 [IKEv1]: Removing peer from peer table failed, no match!
Nov 15 02:13:06 [IKEv1]: Error: Unable to remove PeerTblEntry
Nov 15 02:13:11 [IKEv1]: Removing peer from peer table failed, no match!
Nov 15 02:13:11 [IKEv1]: Error: Unable to remove PeerTblEntry
Debug output on router:
R2#ping 10.1.1.10 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
Nov 15 02:21:01.067: %SYS-5-CONFIG_I: Configured from console by console
Nov 15 02:21:02.651: ISAKMP: received ke message (1/1)
Nov 15 02:21:02.655: ISAKMP (0:0): SA request profile is (NULL)
Nov 15 02:21:02.655: ISAKMP: local port 500, remote port 500
Nov 15 02:21:02.655: ISAKMP: set new node 0 to QM_IDLE
Nov 15 02:21:02.655: ISAKMP: insert sa successfully sa = 64597C20
Nov 15 02:21:02.655: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
Nov 15 02:21:02.659: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success
Nov 15 02:21:02.659: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-07 ID
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-03 ID
Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-02 ID
Nov 15 02:21:02.659: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
Nov 15 02:21:02.663: ISAKMP (0:1): beginning Main Mode exchange
Nov 15 02:21:02.663: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 15 02:21:02.703: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
Nov 15 02:21:02.707: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 15 02:21:02.707: ISAKMP (0:1): processing SA payload. message ID = 0
Nov 15 02:21:02.707: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.707: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Nov 15 02:21:02.711: ISAKMP : Scanning profiles for xauth ...
Nov 15 02:21:02.711: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 19 policy
Nov 15 02:21:02.711: ISAKMP: encryption 3DES-CBC
Nov 15 02:21:02.711: ISAKMP: hash SHA
Nov 15 02:21:02.711: ISAKMP: default group 2
Nov 15 02:21:02.711: ISAKMP.: auth RSA sig
Nov 15 02:21:02.711: ISAKMP: life type in seconds
Nov 15 02:21:02.711: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 15 02:21:02.715: ISAKMP (0:1): atts are acceptable. Next payload is 0
Nov 15 02:21:02.771: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.771: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
Nov 15 02:21:02.775: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 15 02:21:02.775: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 15 02:21:02.783: ISAKMP (0:1): constructing CERT_REQ for issuer cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
Nov 15 02:21:02.783: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 15 02:21:02.783: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 15 02:21:02.903: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Nov 15 02:21:02.907: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 15 02:21:02.907: ISAKMP (0:1): processing KE payload. message ID = 0
Nov 15 02:21:02.979: ISAKMP (0:1): processing NONCE payload. message ID = 0
Nov 15 02:21:02.987: ISAKMP (0:1): SKEYID state generated
Nov 15 02:21:02.991: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
Nov 15 02:21:02.991: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
Nov 15 02:21:02.995: ISAKMP (0:1): peer want cert issued by cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com
Nov 15 02:21:02.995: ISAKMP (0:1): Choosing trustpoint winca as issuer
Nov 15 02:21:02.995: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.995: ISAKMP (0:1): vendor ID is Unity
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID seems Unity/DPD but major 11 mi.smatch
Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID is XAUTH
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:02.999: ISAKMP (0:1): speaking to another IOS box!
Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload
Nov 15 02:21:03.003: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch
Nov 15 02:21:03.003: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 15 02:21:03.003: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 15 02:21:03.007: ISAKMP (0:1): Send initial contact
Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
Nov 15 02:21:03.067: ISAKMP (1): Using FQDN as My ID
Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN
Nov 15 02:21:03.067: ISAKMP (0:1): ID payload
next-payload : 6
type : 2
FQDN name : R2.cisco.com
protocol : 17
port : 500
length : 20
Nov 15 02:21:03.067: ISAKMP (1): Total payload length: 20
Nov 15 02:21:03.095: ISAKMP (0:1): constructing CERT payload for hostname=R2.cisco.com
Nov 15 02:21:03.095: ISKAMP: growing send buffer from 1024 to 3072
Nov 15 02:21:03.095: ISAKMP (0:1): using the winca trustpoint's keypair to sign
Nov 15 02:21:03.215: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 15 02:21:03.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 15 02:21:03.375: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.375: ISAKMP: set new node -1205710646 to QM_IDLE
Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP (0:1): received packe.t from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Nov 15 02:21:03.383: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 1.1.1.1 to 2.2.2.2...
Success rate is 0 percent (0/5)
R2#
Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:13.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:23.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:32.651: ISAKMP: received ke message (1/1)
Nov 15 02:21:32.651: ISAKMP: set new node 0 to QM_IDLE
Nov 15 02:21:32.651: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:33.219: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:33.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
R2#
Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 15 02:21:43.219: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
Nov 15 02:21:43.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Please assist me in sorting this issue, I need to implement on my live network.
Thanks a lot in advance.
Regards,
Mohan.D
HI Mate ,
your ASA is sending the ASA certificate :
but after that we are receiving an isakmp notify message which tears down the connection ?
somehow the remote peer didn't like the ASA certificate
do you have access to that peer ? is it a CISCO ASA?
is the time synchronized with that side ?
is the CA certificate installed on that peer?
HTH
Mohammad. -
A site is telling me that i have no digital certificate installed....
Hi. Trying to access a page on the Spanish version of the IRS, to file a tax document here. I can't get access to the page (or any of their secure pages), and I get this message, which has been Google translated:
''The error "403 byrule" is a mistaken identity. Occurs when you try to access an option that requires electronic certificate and the browser does not detect that one is installed or not properly selected. If the choice of the certificate you get a page that says "page can not be displayed" or similar error is possible that the certificate is damaged, changes or problems in the operating system or other causes. If possible, you should try to reinstall a valid copy of your certificate.
This error in Firefox indicates that there is no digital certificate installed. Go to "Tools" "Options" ("Firefox", "Preferences" Mac "Edit" "Preferences" in Linux), "Advanced" and select the "Encryption". Click on the "View Certificates" and verify that your certificate is installed correctly. If no certificate on the tab "Your Certificates" will have to import a valid copy of the browser. If necessary, also refer to the instructions on importing certificates from our "Help" and the links that we propose below. Once the certificate is installed also make sure that Mozilla Firefox is configured correctly. This may refer to the "Installation, configuration and management of electronic certificates for Mozilla Firefox.''
Under "view certificates" in preferences/encryption, "Your Certificates" is blank. And I don't see anything in "Authorities" that seems to relate to this website. In 'Servers" there were some exceptions I created (reluctantly) when the site asked for it. I deleted them, still not working."
I've tried with both "Select one automatically" and "Ask me every time"
Click on the page below, click on any of the links with a lock to see the resulting error.
Thanks in advance.
Thanks. You are very much on the right track, and I can't thank you enough. The page you sent me to has the right link. But I can't just download the certificate, as you proposed. It's actually part of a significant security system. I went to the webpage that accompanied the link. I have to fill out a form, from that get a code... then go to a local gov't office, show my ID, get another code, then come back, input that, and get my personalized certificate. I'll let you know how it goes. But without you I have no idea how I'd even have gotten onto the right path. Thanks again.
-
Digital Certificates - Getting kicked out of MS Outlook Web Access
Hi,
I've just upgraded my 3GS to iOS 4.0 and most things work Ok. I can't seem to work out the new Birthday calendar but that's not my real concern. My bigger worry is that I cannot access my office email which is in MS Outlook Web Access. When I go to log in it just kicks me straight out of the browser.
It may be due to the fact that we are using a local digital certificate i.e. not a Verisign cert. but it is good enough for us, for now. Does Safari require a globally signed trusted Cert?
thanks in advance,
Solution (found by searching forum for "Safari Crashes"):
Settings > Safari > Autofill > Names & Passwords "Set to OFF".
Then choose "Continue" the next time. You've lost your password fill-in but at least you can log in. -
Do you have to deal with a CA to get digital certificates?
Hi,
I'm investigating the use of digital certificates for communication
between our WLS internally. I would like to be able to generate my own
certificates and keys for our testing purposes. I'm under the impression
that the only way to do this is to deal with a Verisign or somethin like
that and to buy a license. Am I correct? Or is there another way to do
this?
Thanks,
L
Laurent Duperval
I am the strongest! ... I am even stronger than a moment ago! ...
Well... to describe me, the word strong is no longer enough!
-Léonard le génie
thanks everyone, helped a lot, can't wait to buy one of these
-
What is the cost of a digital certificate?
Is it free, or is there a cost to get a digital certificate?
I am planning to distribute my application using Webstart JAWS.
thanks,
Anil
thanks for the detailed info! I am checking out CACert. Verisign is $695/yr and Thawte is $150/yr.
Anil
As others have told you can create one yourself, but
I believe if you buy one from Verisign or Thawte
Webstart doesn't pop-up the dialog to accept the
certificate and does it automatically. At least
that's what I understood but I might be mistaken.
Anyway, some links:
- Verisign:
http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html
- Thawte:
http://www.thawte.com/ssl-digital-certificates/code-signing/index.html
- CACert: http://www.cacert.org/ They have free
certificates but I'm not sure they're trusted
automatically by JWS.
N. -
Applying Digital certificates on EP 7
Hi SDN,
Currently we are running EP 7 in which we have applied SSL. We want to apply digital certificates for the transaction happening between the end user and the portal. Kindly share SAP document to implement the same.
Let me know if digital certificates can be applied on a user specific mode...
Thanks & Regards,
p188071.
Edited by: p188071 on Apr 1, 2009 7:44 AM
Hello Amit,
The portal runs on the J2EE Engine, so you have to configure the use of client certificates there. There is a step-by-step procedure in the documentation. See: http://help.sap.com/saphelp_nw70/helpdata/en/62/881e3e3986f701e10000000a114084/frameset.htm
If you have questions, just let us know.
Greetings,
Elizabeth Winker -
Does anyone know how I can go about creating my own digital certificates for use by my clients to access my server.
Well this has officially turned into a personal
interest investment. Not going to implement it this
way for my company's app.
For a production server, you're much better off paying for a server-cert from one of the recognized CAs - Verisign, Thawte, et al.
I am still interested though but I wonder if I need
access to a web server to install openSSL and run a
CA. For development purposes, could I install this on
my home computer and set up a CA that way?
You don't need a webserver to be a CA, nor to sign a certificate - I do everything from the command-line. The web-server is the thing that's going to use the resulting cert - it's not needed to issue one.
Grant -
WebVPN-Problem with Digital Certificate and AAA
Hello everyone,
I have a problem during configuring WebVPN on ASA 5520 using AAA and digital certificate of Microsoft. (MSCEP)
Currently, The WebVPN service is enabled and it worked well with AAA (local or external) only,
But now, I want to use both AAA and Certificate for more security. I mean that the users will be authenticated 2 times (first the certificate is checked for validity, then user/pass is the second one).
Here are details:
I tried installing the CA server (Microsoft CA service combined with SCEP) and registering the ASA with the CA server (ASA works as subordinate CA)-->these steps are OK, the ASA has registered, then the client uses the web browser to request a certificate from the CA, it is issued by the CA administrator and then it is installed in the web browser.
Testing:
The client tried to access the SSL VPN; the welcome WEBVPN message prompts for user/pass but the message is "Logon Failed" before I give user and pass.
Does anyone know and advise?
Thanks
Khanh
Hi all,
Here are the attached files for my issue,
Khanh -
Purchasing a digital certificate for SCOM usage
I am having problems with certificates for SCOM (based on our infrastructure I believe, not SCOM) and have asked some questions on it below -
Digital certificate issues
However I would like to break out one question and that is if I don't want to (read can't) use an internal CA at the moment where can I purchase two certificates for SCOM MS and gateway? When I look on the obvious sites such as Entrust and Thawte for instance it seems easy to order a web SSL certificate for instance but how would I go about ordering the type I need and what sort of information would I need to provide?
Many thanks
Hi,
This can be a public CA such as VeriSign. Please check if the following post is helpful.
http://social.technet.microsoft.com/Forums/systemcenter/en-US/7e8dde55-6e55-4109-8da5-85a93fa64ea0/using-a-thirdparty-for-ssl-cert-for-scom-gateway?forum=operationsmanagerdeployment
Niki Han
TechNet Community Support