Configuring IronPort to use TLS

We have never used TLS before and haven't got any certs/keys (C650).
Is there a checklist of everything needed to set up TLS between our company and an external company that requires it?
I know there is information in the Advanced user guide but I need a dummy guide!

Yeah, you probably don't want to require/prefer TLS for all inbound connections, as having every connection go through a TLS check can hamper performance.
A common method is to create a new Sender Group (SG) and Mail Flow Policy (MFP) that either prefers or requires TLS to be established before transfer of information, on an "as needed" basis.
For example, call the new sender group "TLS_Required" and position it above the Whitelist SG. Assign this new "TLS_Required" SG to the new MFP called, for example, "Accepted_TLS". Then add the IP, hostname, or partial hostnames (e.g. .bankofamerica.com) to the new SG.
This is one way of doing it. How have other companies that put a lot of importance on TLS receiving and delivery done it? Anyone?
Also, remember that HAT Overview/MFP are for receiving. In other words, when other incoming hosts connect to your Ironport appliance.
"Mail Policies > Destination Controls", is for when your Ironport appliance delivers mail to hosts on the Internet. You probably don't want to make TLS Prefer/Require as the default. Likewise, you should create corresponding destination host entries for the domains that need the connections to be secure. However, if you're a banking institution and it's vital that all transactions between you and the Internet be made securely, then you may need to enable it on the Default.
Hope that helps.
Thanks folks.
Do companies normally set their public listeners to Preferred for the default MFP? Is there a perceived performance hit in activating it for all?
If we create an MFP for those companies who require TLS, I presume this just generates an NDR?
Thanks John.
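The HAT and Destination Controls logic described in the replies above, as an added Python model that is not part of this thread or of Cisco's software: sender groups are matched first-match top to bottom, the matched mail flow policy's TLS setting drives what happens at MAIL FROM, and for outbound the per-domain Destination Controls entry decides whether a remote host without STARTTLS gets clear-text delivery. The sample IPs, hostnames and EHLO replies are constructed, and the reply codes and the "Required but not offered" outcome are assumptions to verify against the Advanced User Guide.

```python
"""Model of the inbound (HAT sender group -> mail flow policy) and outbound
(Destination Controls) TLS decisions described in the thread.  Added
illustration, not AsyncOS code: the first-match HAT walk, the STARTTLS
checks and the 'Required but not offered' outcome are assumptions about how
the appliance behaves; confirm them against the Advanced User Guide."""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, List, Optional, Tuple


@dataclass
class MailFlowPolicy:
    name: str
    tls: str                     # "Off", "Preferred" or "Required"


@dataclass
class SenderGroup:
    name: str
    policy: MailFlowPolicy
    entries: List[str] = field(default_factory=list)   # IP, CIDR, hostname or ".partial.domain"


def entry_matches(entry: str, remote_ip: str, remote_host: Optional[str]) -> bool:
    """Test one sender-group entry against the connecting host (hostname from reverse DNS)."""
    if entry.startswith("."):                          # partial hostname, e.g. .bankofamerica.com
        return remote_host is not None and remote_host.lower().endswith(entry.lower())
    if "/" in entry:                                   # CIDR block
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(entry, strict=False)
    try:
        return ipaddress.ip_address(entry) == ipaddress.ip_address(remote_ip)
    except ValueError:                                 # not an IP, so an exact hostname
        return remote_host is not None and remote_host.lower() == entry.lower()


def select_policy(hat: List[SenderGroup], default: MailFlowPolicy,
                  remote_ip: str, remote_host: Optional[str]) -> Tuple[str, MailFlowPolicy]:
    """First match wins, top to bottom: this is why TLS_Required must sit above WHITELIST."""
    for group in hat:
        if any(entry_matches(e, remote_ip, remote_host) for e in group.entries):
            return group.name, group.policy
    return "ALL", default                              # fell through to the catch-all group


def inbound_mail_from(policy: MailFlowPolicy, client_started_tls: bool) -> str:
    """Listener reply at MAIL FROM, given whether the client issued STARTTLS first.
    The 530 reply is the one RFC 3207 specifies for a server that requires TLS."""
    if policy.tls == "Required" and not client_started_tls:
        return "530 Must issue a STARTTLS command first"
    return "250 OK"


def ehlo_offers_starttls(ehlo_response: str) -> bool:
    """Parse a multi-line 250 EHLO reply and report whether STARTTLS is advertised."""
    lines = ehlo_response.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:                             # first line is the greeting, skip it
        if len(line) > 4 and line.startswith("250") and line[3] in "- ":
            if line[4:].split(" ")[0].upper() == "STARTTLS":
                return True
    return False


def outbound_delivery(destination_controls: Dict[str, str], default_tls: str,
                      domain: str, ehlo_response: str) -> str:
    """Look up the recipient domain in Destination Controls, then decide as the SMTP client."""
    setting = destination_controls.get(domain.lower(), default_tls)
    if setting == "Off":
        return "deliver in clear"
    if ehlo_offers_starttls(ehlo_response):
        return "deliver over TLS"
    if setting == "Preferred":
        return "deliver in clear"                      # fallback: remote host has no STARTTLS
    return "do not deliver"                            # Required: never fall back to clear text


# Constructed EHLO replies (documentation addresses and sample names, not real servers).
EHLO_WITH_STARTTLS = ("250-mx1.bankofamerica.com Hello\r\n250-SIZE 52428800\r\n"
                      "250-STARTTLS\r\n250 ENHANCEDSTATUSCODES\r\n")
EHLO_NO_STARTTLS = "250-mx.other.example Hello\r\n250-SIZE 10485760\r\n250 8BITMIME\r\n"


def build_example_hat() -> Tuple[List[SenderGroup], MailFlowPolicy]:
    """The layout the thread suggests: TLS_Required -> Accepted_TLS, placed above WHITELIST."""
    accepted_tls = MailFlowPolicy("Accepted_TLS", "Required")
    trusted = MailFlowPolicy("TRUSTED", "Off")
    default = MailFlowPolicy("ACCEPTED", "Preferred")  # default policy for the ALL group
    hat = [
        SenderGroup("TLS_Required", accepted_tls, [".bankofamerica.com", "203.0.113.0/24"]),
        SenderGroup("WHITELIST", trusted, ["203.0.113.10"]),
    ]
    return hat, default


if __name__ == "__main__":
    hat, default = build_example_hat()
    for ip, host in [("198.51.100.7", "mx1.bankofamerica.com"),
                     ("203.0.113.10", "mail.partner.example"),
                     ("198.51.100.9", "mx.other.example")]:
        group, policy = select_policy(hat, default, ip, host)
        print(f"{host} ({ip}): group={group} policy={policy.name} TLS={policy.tls}")
    print(outbound_delivery({"bankofamerica.com": "Required"}, "Off",
                            "bankofamerica.com", EHLO_NO_STARTTLS))
```

Note that 203.0.113.10 is listed in WHITELIST (TLS Off) but still lands in TLS_Required, because the CIDR entry in the group above matches first; this is the ordering point made in the reply.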

Similar Messages

  • How to configure Ironport to use an external Encryption server

    Hi,
    We would like to use an external encryption server to encrypt our emails.
    The Ironport would still be the MX for our domain, and the encryption server would be in the same DMZ as the Ironport.
    Here is the setup we would like to implement:
    Incoming emails:
    - Ironport checks the connection (SenderBase)
    - If encrypted (how to detect the mail as encrypted?) the mail is not scanned for AV/spam
        - then it goes to the decryption server
        - then back to Ironport to scan AV/spam
        - then goes to Exchange
    - If not encrypted the email is scanned for AV/spam
        - then goes to Exchange for delivery
    Outgoing emails:
    - Exchange to Ironport
    - Scan AV/spam
    - If it needs to be encrypted (detected by a header)
        - then goes to the encryption server
        - then back to Ironport (no AV/spam scan) and delivery to Internet
    - If it does not need to be encrypted
        - then send to Internet
    Is it possible to configure the Ironport to get this behaviour? And how? I'm still facing problems with the different flows....
    Any idea would be very helpful
    Regards
    RD

    For incoming mails you can create a message filter like the following one (the action block needs braces in the message filter syntax):
    route_pgp_smime_encrypted_data:
    if (recv-listener == "your listener") AND (encrypted) AND (remote-ip != "IP of your encryption gw")
    {
        alt-mailhost ("IP of your encryption gw");
    }
    Greets
    Jörg

  • Trying to configure a Win 2003 Server to use TLS server authentication . . .

    I am trying to configure a Win 2003 Server to use TLS server authentication following Method 2 in KB 895443 - see below:-
    Method 2: By using the Certificate Request Wizard
    The following steps describe how to obtain a certificate from a Windows Server 2003 Certification Authority. You can also request a certificate from a Windows 2000 Certification Authority. Additionally, you must have Read permissions and Enroll permissions on the certificate template file to successfully request a certificate. Use this method if one or more of the following conditions are true:
    - You want to request a certificate from an Enterprise Certification Authority.
    - You want to request a certificate that is based on a template where the subject name is generated by Windows.
    - You want to obtain a certificate that does not require administrator approval before the certificate is issued.
    To obtain a certificate, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. Click Add, click Certificates, and then click Add.
    4. Click Computer account, and then click Next.
    5. If you want to add a certificate to the local computer, click Local computer. If you want to add a certificate to a remote computer, click Another computer, and then type the name of that remote computer in the Another computer box.
    6. Click Finish.
    7. In the Add Standalone Snap-in dialog box, click Close, and then click OK in the Add/Remove Snap-in dialog box.
    8. Under Console Root, click Certificates (Local Computer).
       Note If you configured the Certificates MMC snap-in to manage a remote computer, click Certificates (servername) instead of Certificates (Local Computer).
    9. On the View menu, click Options.
    10. In the View Options dialog box, click Certificate purpose, and then click OK.
    11. In the right pane, right-click Server Authentication, point to All Tasks, and then click Request New Certificate.
    12. In the Certificate Request Wizard that starts, click Next.
    13. In the Certificate types list, click Server Authentication, click to select the Advanced check box, and then click Next.
    14. In the Cryptographic Service Providers list, click Microsoft RSA SChannel Cryptographic Provider.
    I get as far as step 11 and I get the error message:-
    The wizard cannot be started because of one or more of the following conditions:
    - There are no trusted certification authorities (CAs) available.
    - You do not have the permissions to request certificates from the available CAs.
    - The available CAs issue certificates for which you do not have permissions.
    This is covered in KB 927066 – see below:-
    To resolve the problem, follow these steps:
    1. Verify that the CERTSVC_DCOM_ACCESS group exists in the domain that hosts the certification authority. This group is in the CN=Users container. To do this, follow these steps:
       a. Click Start, click Run, type Dsa.msc, and then click OK.
       b. In the left pane, click the Users container.
       c. Verify that the CERTSVC_DCOM_ACCESS group is in the right pane. If the CERTSVC_DCOM_ACCESS group is not in the right pane, go to step 4.
    2. Verify that the CERTSVC_DCOM_ACCESS group includes the following member groups:
       - Domain Users
       - Domain Computers
       If these member groups do not exist in the CERTSVC_DCOM_ACCESS group, go to step 4.
       Note If users or computers in other domains need to enroll against the certification authority, you must also add those users and computers to the CERTSVC_DCOM_ACCESS group. If the current problem occurs on a domain controller, you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group. By default, domain controllers are not members of the Domain Computers global group. Therefore, domain controllers do not have sufficient DCOM permissions.
    3. Verify that the CERTSVC_DCOM_ACCESS group has the appropriate DCOM Access permissions and DCOM Launch and Activation permissions on the computer that hosts the certification authority.
       a. Click Start, point to Programs, point to Administrative Tools, and then click Component Services.
       b. Expand the Component Services node.
       c. Expand the Computers node.
       d. Right-click the My Computer node, and then click Properties.
       e. Click the COM Security tab.
       f. Under Access Permission, click Edit Limits.
       g. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions, and then click Cancel.
       h. Under Launch and Activation Permissions, click Edit Limits.
       i. Verify that the CERTSVC_DCOM_ACCESS group has Allow Local Activation and Allow Remote Activation permissions, and then click Cancel.
       j. Click Cancel, and then close the Component Services console.
       Settings may be incorrect if any one of the following conditions is true:
       - The CERTSVC_DCOM_ACCESS group does not exist.
       - The default membership of the CERTSVC_DCOM_ACCESS group is incorrect.
       - The CERTSVC_DCOM_ACCESS group does not have the correct permissions.
    4. If any one setting is incorrect, run the following commands at a command prompt. Press ENTER after each command.
       certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
       net stop certsvc
       net start certsvc
    5. Repeat steps 1 through 3 to verify that all the settings are correct.
    Note If the changes affect the group membership of the certification authority server, you must restart the server for the changes to take effect.
    The only part of the above instructions which I have not been able to complete is:-
    “you must also add the Enterprise Domain Controllers group to the CERTSVC_DCOM_ACCESS group”.
    When I click on the CERTSVC_DCOM_ACCESS group, then click the Members tab and go to add Enterprise Domain Controllers, the option is not there.

    Hi Nick,
    Have you successfully set up an enterprise CA?
    If yes, is the enterprise CA’s certificate located under the Trusted Root Certification Authorities store?
    Best Regards,
    Amy

  • How to configure Firefox to use OpenVPN?

    summary: I'm running OpenVPN from a Debian client through a Debian jumpbox/server. After I [start the server, start the client] most IP-based applications (DNS, ping, ssh) seem to work from the client, but client's Firefox cannot connect to http://www.whatismyip.com/ (or any other URI). How to configure Firefox to use the VPN? or otherwise fix the problem? or further debug it?
    details:
    I have a laptop running debian_version==jessie/sid with Firefox version=33.0 which needs to access a compute cluster. The cluster formerly required only an SSL VPN (enabled by a Firefox plugin) to access, but now has several additional requirements, which I seek to satisfy by running the SSL VPN through a jumpbox running an OpenVPN server. The jumpbox is running a "vanilla" Debian 7.7.
    I have been using the laptop successfully for a few years without network problems. Currently I have the laptop connected by wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on the laptop, I see:
    * `ifconfig` shows no entry='tun0' (just "the usual" entries for 'eth0', 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
    * I can `ping` my jumpbox/server using its real IP#, but cannot `ping 10.8.0.1`
    * I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 10.8.0.1`
    * `nslookup www.whatismyip.com` gives correct results
    * browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown in `ifconfig`)
    Both my client/laptop and server/jumpbox setups are quite generic OpenVPN-wise, and are almost exactly as described on the Debian wiki
    https://wiki.debian.org/openvpn%20for%20server%20and%20client
    me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
    Sat Nov 8 16:49:00 EST 2014
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8" # google public DNS
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    me@laptop:~$ date ; cat /etc/openvpn/client1.conf
    Sat Nov 8 16:51:31 EST 2014
    client
    dev tun
    proto udp
    remote ser.ver.IP.num 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    mute-replay-warnings
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client1.crt
    key /etc/openvpn/client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:
    me@jumpbox:~$ date ; sudo iptables -L
    Sat Nov 8 16:42:06 EST 2014
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
    After I start `openvpn` on first the server and then the client, I see no OpenVPN errors on either the server or the client:
    me@jumpbox:~$ sudo openvpn --script-security 2 --config /etc/openvpn/server.conf &
    Sat Nov 8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
    Sat Nov 8 17:48:25 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
    Sat Nov 8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sat Nov 8 17:48:25 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Nov 8 17:48:25 2014 ROUTE default_gateway=ser.ver.gate.way
    Sat Nov 8 17:48:25 2014 TUN/TAP device tun0 opened
    Sat Nov 8 17:48:25 2014 TUN/TAP TX queue length set to 100
    Sat Nov 8 17:48:25 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Nov 8 17:48:25 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Sat Nov 8 17:48:25 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Sat Nov 8 17:48:25 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Sat Nov 8 17:48:25 2014 GID set to nogroup
    Sat Nov 8 17:48:25 2014 UID set to nobody
    Sat Nov 8 17:48:25 2014 UDPv4 link local (bound): [undef]
    Sat Nov 8 17:48:25 2014 UDPv4 link remote: [undef]
    Sat Nov 8 17:48:25 2014 MULTI: multi_init called, r=256 v=256
    Sat Nov 8 17:48:25 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
    Sat Nov 8 17:48:25 2014 ifconfig_pool_read(), in='TomRoche,10.8.0.4', TODO: IPv6
    Sat Nov 8 17:48:25 2014 succeeded -> ifconfig_pool_set()
    Sat Nov 8 17:48:25 2014 IFCONFIG POOL LIST
    Sat Nov 8 17:48:25 2014 TomRoche,10.8.0.4
    Sat Nov 8 17:48:25 2014 Initialization Sequence Completed
    me@laptop:~$ sudo openvpn --script-security 2 --config /etc/openvpn/client1.conf &
    Sat Nov 8 17:49:12 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:49:12 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sat Nov 8 17:49:12 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Sat Nov 8 17:49:12 2014 UDPv4 link local: [undef]
    Sat Nov 8 17:49:12 2014 UDPv4 link remote: [AF_INET]jump.box.IP.num:1194
    Sat Nov 8 17:49:12 2014 TLS: Initial packet from [AF_INET]jump.box.IP.num:1194, sid=25df7af6 0ece4089
    Sat Nov 8 17:49:13 2014 VERIFY OK: depth=1, <my config data/>
    Sat Nov 8 17:49:13 2014 VERIFY OK: nsCertType=SERVER
    Sat Nov 8 17:49:13 2014 VERIFY OK: depth=0, <my config data/>
    Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Nov 8 17:49:14 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Nov 8 17:49:14 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 8 17:49:14 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Nov 8 17:49:14 2014 [TomRoche] Peer Connection Initiated with [AF_INET]jump.box.IP.num:1194
    Sat Nov 8 17:49:16 2014 SENT CONTROL [TomRoche]: 'PUSH_REQUEST' (status=1)
    Sat Nov 8 17:49:16 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: route options modified
    Sat Nov 8 17:49:16 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Nov 8 17:49:16 2014 ROUTE_GATEWAY lap.top.gate.way/255.255.255.0 IFACE=eth0 HWADDR=la:pt:op:MAC:ad:dr
    Sat Nov 8 17:49:16 2014 TUN/TAP device tun0 opened
    Sat Nov 8 17:49:16 2014 TUN/TAP TX queue length set to 100
    Sat Nov 8 17:49:16 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Nov 8 17:49:16 2014 /sbin/ip link set dev tun0 up mtu 1500
    Sat Nov 8 17:49:16 2014 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
    Sat Nov 8 17:49:16 2014 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.8.0.6 10.8.0.5 init
    dhcp-option DNS 8.8.8.8
    Sat Nov 8 17:49:16 2014 /sbin/ip route add lap.top.IP.num/32 via lap.top.gate.way
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
    Sat Nov 8 17:49:16 2014 GID set to nogroup
    Sat Nov 8 17:49:16 2014 UID set to nobody
    Sat Nov 8 17:49:16 2014 Initialization Sequence Completed
    I then see the following on my client:
    * `ifconfig` shows a new entry=`tun0`, which looks correct
    * I can `ping` the server using either its real IP# or `10.8.0.1`
    * I can `ssh` to the server using either its real IP# or `10.8.0.1`
    * `nslookup www.whatismyip.com` gives correct results
    ... but I get no connection if I open a new instance of Firefox and browse to http://www.whatismyip.com/ :-( "Looking up www.whatismyip.com..." succeeds quickly but the status line continues to display "Connecting to www.whatismyip.com..." until the attempt times out. I also get the same behavior (connection timeout) if I open a new instance of Chrome, or if I browse to http://www.whatismyip.com/ with a Firefox opened prior to starting OpenVPN. FWIW I get the same behavior browsing to any URI, including (e.g.) Google.
    This is a major problem for me! For the SSL VPN to work, I need to start a Firefox and run it (since the SSL VPN's vendor only supports it on Linux via a Firefox plugin) to access a particular remote-access website. Furthermore I need the SSL VPN to run through the jumpbox/OpenVPN. (Don't ask, it's a long, sad story ...)
    Is there something I must do to configure Firefox to use the VPN? Or is there some other way to fix this?
    Alternatively, what should I do to further debug the problem? It just seems odd to me that the other services work (e.g., `nslookup`, `ssh`) but Firefox does not. That being said, both Firefox and Chrome fail in this usecase, so the problem might be generic to web browsers.
    Your assistance is appreciated, Tom Roche <[email protected]>

    You're kidding. You have to go through that rigamarole just to put your bookmarks on your own server? Where's the simple FTP option?
    Also, the above-linked article has a broken link. The link to the weaveserver (which is what you have to set up on your own server) is no good, and there is no obvious replacement. There are plenty of Weave-related repositories here:
    http://hg.mozilla.org/labs
    but it's not clear what you need.

  • Use TLS instead of SSL in Oracle AS WebCache 10g (10.1.2)

    Hi,
    We use Oracle AS Webcache as a reverse proxy for all our OAS/ADF web applications.
    Our sysadmin blocked SSL v3 in connection with the POODLE vulnerability. Is there any way we can use TLS (1.2) instead of SSL in the Oracle Webcache 10g?
    Many thanks,
    Abraham

    We are having the same issue on production environment.
    Since Thursday 20th November 2014, Google Chrome does not allow connections to websites using SSLv3. This is because of the POODLE vulnerability as described here: https://www.us-cert.gov/ncas/alerts/TA14-290A
    I've already followed the configuration on My Oracle Support (Doc ID 1936300.1) without success. But I haven't applied the Critical Patch Updates yet, as presented in note Doc ID 405972.1.
    I'm wondering if you found any workaround for this problem or if we can help each other. I believe we are not alone.
    Thanks,
    Jeison.

  • LDAP setup with SSL - Can't use tls auth type

    I'm trying to configure Solaris 10 to use LDAP against my OpenLDAP server with SSL, but whenever I try to set the authentication as tls:simple, it gives me an error:
    # ldapclient mod -a authenticationMethod=tls:simple
    Cannot specify LDAP port with tls
    # ldapclient mod -a authenticationMethod=tls
    Unable to set value: invalid authenticationMethod (tls)
    Any ideas how to get this to work - I can do an ldapsearch if I supply a -H ldaps://ldapserver:636 so my certs in /var/ldap are good.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=srv_login,ou=LDAPusers,dc=unix_srv,dc=energy.ge.com
    NS_LDAP_BINDPASSWD= {NS1}c53708877bc6
    NS_LDAP_SERVERS= 10.10.1.14:636
    NS_LDAP_SEARCH_BASEDN= dc=unix_srv,dc=energy.ge.com
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SERVER_PREF= 10.10.1.14:636
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=unix_srv,dc=energy.ge.com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=unix_srv,dc=energy.ge.com?one
    Thanks,
    Jay

    When using TLS you have to specify the FQN for the LDAP server and the port is ALWAYS 636.
    Also, you need to set up your client to use the FQN as well (/etc/hosts).

  • LDAP client in Solaris using TLS

    I have installed an OpenLDAP server (version 2.2.13-2) on a Red Hat ES 4.
    My LDAP clients are
    - Linux (Red Hat and Mandriva)
    - Solaris 8 (with the last recommended patch and the 10893-62 patch for ldapv2)
    - Tru64 (5.1B)
    If I use simple authentication all works fine (search in LDAP, authentication and automount).
    However, when I use TLS the Solaris LDAP client doesn't seem to work.
    When I run the LDAP client the process freezes.
    With my Linux and Tru64 clients all works fine using TLS.
    I have downloaded the certificates from my LDAP server using the Netscape browser.
    I have copied cert7.db and key3.db into the "/var/ldap/directory" with a "chmod 644" on these files.
    I can do a "ldapsearch -x -ZZ objectclass=*" and this returns data.
    The last logs of the ldap_cachemgr are:
    Mon Nov 20 09:34:46.4425 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    If I do a truss when I launch the client, the result is this:
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
    lwp_cond_wait(0xFF0F34F0, 0xFF0F3500, 0xFF0ECD88) (sleeping...)
    This is my ldap_client_file:
    # Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= srvldap
    NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 3600
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Users,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Users,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto_home: automountMapName=auto_home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto_master: automountMapName=auto_master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto.home: nisMapName=auto.home,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= auto.master: nisMapName=auto.master,ou=Sun,ou=AutoFS,dc=example,dc=com?one
    NS_LDAP_BIND_TIME= 10
    I have launched Ethereal to see the network communications between my Solaris 8 client and the LDAP server.
    And with this configuration the Solaris box only communicates with the LDAP server using LDAP port 389 and not LDAPS port 636.
    I have done the same test with a linux and tru64 box and they use LDAPS port 636 to communicate with my LDAP server.
    Does anyone have an idea on getting Solaris using TLS/SSL?
    Thanks.

    LDAP Setup and Configuration Guide
    Solaris 8 2/04 Update Collection > LDAP Setup and Configuration Guide > 1. Overview > Solaris Name Services
    [http://docs.sun.com/app/docs/doc/806-5580/6jej518ou?l=en&a=view&q=solaris+8+ldap]
    Download this book in PDF (557 KB)
    [http://dlc.sun.com/pdf/806-5580/806-5580.pdf]

  • Respooled emails do not use TLS

    We have configured CF 9 Standard to use our smtp server on port 587 with tls. When new messages are created, we can clearly see the messages being sent successfully using TLS via wireshark.
    However, when a message fails to send and gets put in the undelivered folder and we try to respool it, it does not try to use TLS again, and since it doesn't, it never can be resent.
    How can we get messages that are respooled to use TLS?

    Hi Mack,
    The mail in the undelivered folder that gets respooled is pointing to the exact same server configured in CF Administrator. However, it never starts TLS when we respool it. I would expect to see something else in the server: or server-usetls or something, since all the other information is in there, but it isn't.
    type:  text/plain; charset=UTF-8
    server:  smtptest.ucmerced.edu:587
    server-username:  xxxxxxx
    server-password:  xxxxxxxxxxxxx
    from:  xxxxxxxxxxxxxxxxxxxxxx
    to:  xxxxxxxxxxxxxxxxxx
    cc:  xxxxxxxxxxxxxxxxxxxxxxxx
    subject:  UA FreshEval Assignment
    X-Mailer:  ColdFusion 9 Application Server
    body:  Georgie,
    body:          You have been assigned an application cpid 7005362 for Freshman Evaluation.  You can review it
    body:          by logging onto Online review tool using your UCM LoginID and password.
    body: 
    body:          If you have any problems accessing the application or have technical questions, contact Administrator
    body:          at [email protected]
    body:           
    body:          Thank you,
    body:          Undergraduate Admissions
    body:

  • How to configure sendmail to use multiple LDAP servers ?

    Hi everybody!
    I have a sendmail running on Solaris 10 and an LDAP server (192.168.1.9) also running the Solaris 10 OS. I have configured the sendmail the following way:
    bash-3.00# ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=email,dc=reso,dc=ru
    NS_LDAP_BINDPASSWD= {NS1}*********************
    NS_LDAP_SERVERS= 192.168.1.9
    NS_LDAP_SEARCH_BASEDN= dc=email,dc=domain,dc=ru
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= default
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 10
    I also have another LDAP server (IP 192.168.1.10). It is configured as a replicant of the 192.168.1.9 LDAP server.
    The question is how can I configure sendmail to use both LDAP servers?
    The man pages explain how to configure ldapclient to use ONE server, and what if I want to use two or more? All the settings and the profiles are the same.
    Thanks in advance =))

    Hi!
    To add LDAP servers to the Solaris ldapclient, you might use the ldapclient command:
    ldapclient manual -v -a defaultServerList="servera.yourdomain.com serverb.yourdomain.com"
    But this is only failover, AFAIK the Solaris ldapclient does not perform loadbalancing by itself.
    But I am not sure about your sendmail program. Normally, sendmail has its own configuration
    and can be configured to use LDAP e.g. for aliases etc.
    Regards!
    Rainer

  • I have set up our school ipads to be supervised by Apple Configurator and am using VPP to buy apps.  I now find the supervised ipads do not allow the pupils to download photos or movies etc. Any suggestions would be great please.

    I have set up our school iPads to be supervised by Apple Configurator and am using VPP to buy apps. I did this initially as our school internet connection was stopping us from being able to update the iOS and our County was offering a managed system, Lightspeed, which took control of every device in school, which proved very expensive. I now find the supervised iPads do not allow the pupils to download photos or movies etc. As we frequently use the iPads as cameras this is causing us a problem. We have a school iMac that I use to keep the devices updated with Apple Configurator (not connected to our network), and this doesn't seem to offer any solution to download them either. I was told there was a setting in Apple Configurator to allow other computers to download from supervised devices, but I can't see it anywhere. I am very new to this so any advice or help would be greatly appreciated please.

    I assume you are wanting to take the photos and movies off the iPads?
    Connect the iPad to an Apple computer. Open "Image Capture". Any photos or video can be imported to the desktop or another location on your computer.
    I had this same problem last year and as we have no wifi I asked lots of people at Apple what I could do - no one provided this answer (a little unbelievable!). If you have wifi using something like dropbox would be an easier solution.
    Hope this helps

  • RC-50004: Fatal: Error occurred in ApplyDatabase:  Control file creation failed  Cannot execute configure of database using RapidClone

    dear associates,
    linux version: red hat enterprise  linux 4.0.
    EBS version: 12.1.1
    RC-50004: Fatal: Error occurred in ApplyDatabase:
    Control file creation failed
    Cannot execute configure of database using RapidClone
    RW-50010: Error: - script has returned an error:   1
    RW-50004: Error code received when running external process.  Check log file for details.
    Running Database Install Driver for VIS instance

    dear associates,
    Can you please assist me with how I can overcome this error or problem.

  • I got an iPad mini and when I try to switch it on and configure it to use it, it says IP is temporarily blocked for security reasons. What do I do?

    I got an iPad mini and when I try to switch it on and configure it to use it, it says IP is temporarily blocked for security reasons. What do I do?

    An odd message?  Is this on your home network?  Could try at a library.
    Robert

  • Getting Error in setting configuration of iPod using OS X Server Profile Manager

    We are getting an error when trying to configure the iPods using Profile Manager. Please let me know what is causing this kind of error. Please see the attachment.

    We have device groups. Once the device has been enrolled we move it to a pre-configured profile which sets up items such as wifi, e-mail and passcode etc. all in one go; this has had mixed results. I've now set up profile groups for each item to give us more control, giving the user only what they need instead of forcing everything. This resolved my item above, but more testing is needed. The main issue has been trying to pass a pre-owned device to a new user, as it seems to remember the previous user in some cases; this is why I asked whether it was possible to delete device history.

  • Configuring ODI to use Fusion Middleware OBIA 11.1.1.7.1 Installation

    Hi,
    I am trying to install OBIA 11.1.1.7.1 in Windows 2008.
    All went well, upgraded WebLogic to 10.3.6.
    When I run the following command to create the wallet files,
    The command used:
    c:\Middleware\Oracle_BI1\common\bin\wlst.cmd
    c:\Middleware\Oracle_BI1\bifoundation\install\createJPSArtifactsODI.py embedded --ADMIN_USER
    _NAME weblogic --DOMAIN_HOSTNAME localhost --DOMAIN_PORT 7001 --DOMAIN_HOME_
    PATH c:\Middleware\user_projects\domains\bifoundation_domain
    The Error:
    wls:/offline> C:\Middleware\Oracle_BI1\bifoundation\install\createJPSArtifactsOD
    I.py embedded –ADMIN_USER_NAME weblogic –DOMAIN_HOSTNAME obia111171w64 –DOMAI
    N_PORT 7001 –DOMAIN_HOME_PATH C:\Middleware\user_projects\domains\bifoundation_
    domain
    Traceback (innermost last):
    (no code object) at line 0
    File “”, line 1
    C:\Middleware\Oracle_BI1\bifoundation\install\createJPSArtifactsODI.py e
    mbedded –ADMIN_USER_NAME weblogic –DOMAIN_HOSTNAME obia111171w64 –DOMAIN_PORT
    7001 –DOMAIN_HOME_PATH C:\Middleware\user_projects\domains\bifoundation_domain
      ^
    SyntaxError: invalid syntax
    wls:/offline>
    I tried the following, still errors
    java weblogic.WLST C:\Middleware\Oracle_BI1\bifoundation\install\createJPSArtifactsODI.py embedded -–ADMIN_USER_NAME weblogic -–DOMAIN_HOSTNAME obia111171w64 -–DOMAIN_PORT 7001 -–DOMAIN_HOME_PATH C:\Middleware\user_projects\domains\bifoundation_domain
    from Command Prompt, I am getting this error
    C:\Middleware\user_projects\domains\bifoundation_domain>java weblogic.WLST C:\Mi
    ddleware\Oracle_BI1\bifoundation\install\createJPSArtifactsODI.py embedded –ADM
    IN_USER_NAME weblogic –DOMAIN_HOSTNAME obia111171w64 –DOMAIN_PORT 7001 –DOMAI
    N_HOME_PATH C:\Middleware\user_projects\domains\bifoundation_domain
    Initializing WebLogic Scripting Tool (WLST) …
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    Problem invoking WLST – Traceback (innermost last):
    File “C:\Middleware\Oracle_BI1\bifoundation\install\createJPSArtifactsODI.py”,
    line 93, in ?
    File “C:\Middleware\Oracle_BI1\bifoundation\install\apps_commonUtils.py”, line
    107, in parseCommandlineArgs
    File “C:\MIDDLE~1\WLSERV~1.3\common\wlst\modules\jython-modules.jar\Lib/getopt
    $py.class”, line 74, in getopt
    File “C:\MIDDLE~1\WLSERV~1.3\common\wlst\modules\jython-modules.jar\Lib/getopt
    $py.class”, line 124, in do_shorts
    File “C:\MIDDLE~1\WLSERV~1.3\common\wlst\modules\jython-modules.jar\Lib/getopt
    $py.class”, line 139, in short_has_arg
    UnicodeError: ascii encoding error: ordinal not in range(128)
    Request:
    I spent a lot of time troubleshooting, rebuilt the image from scratch and reinstalled. Still the same error at this step. I am not able to go forward without completing this step.
    If the issue is not resolvable, could you please give an alternate way of 'Configuring ODI to use Fusion Middleware'?
    Thank You in advance.
    -Praveen Alamuru

    Got the issue resolved.
    Change the contents of C:\Middleware\utils\config\10.3\setHomeDirs.cmd
    from:
    set MW_HOME=@MW_HOME@
    FOR %%i in ("%MW_HOME%") DO SET MW_HOME=%%~fsi
    set WL_HOME=@WL_HOME@
    FOR %%i in ("%WL_HOME%") DO SET WL_HOME=%%~fsi
    to:
    set MW_HOME=%MW_HOME%
    FOR %%i in ("%MW_HOME%") DO SET MW_HOME=%%~fsi
    set WL_HOME=%WL_HOME%
    FOR %%i in ("%WL_HOME%") DO SET WL_HOME=%%~fsi
    Rerun the patch script to set the variables properly:
    cd c:\Middleware\Oracle_BI1\biapps\tools\bin
    perl APPLY_PATCHES.pl apply_patches_import.txt
    Then go to
    c:\Middleware\Oracle_BI1\common\bin\
    Run the following command:
    wlst.cmd c:\Middleware\Oracle_BI1\bifoundation\install\createJPSArtifactsODI.py embedded --ADMIN_USER_NAME weblogic --DOMAIN_HOSTNAME ibmdemo --DOMAIN_PORT 7001 --DOMAIN_HOME_PATH c:\Middleware\user_projects\domains\bifoundation_domain
    Hope this helps
    -Praveen
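The traceback in the question comes from getopt, and the pasted command shows each option prefix as an en dash (U+2013) rather than two ASCII hyphens. As an added example, not code from this thread, the Python 3 script below approximates that getopt parsing on a constructed copy of the command and reports every non-ASCII character it finds; the real createJPSArtifactsODI.py runs under Jython, so this illustrates the failure mode rather than reproducing its code.

```python
import getopt
import unicodedata

# Typographic dashes that editors and web pages substitute for ASCII hyphens
# (constructed mapping; the EN DASH is the one visible in the pasted WLST command).
DASH_VARIANTS = {"\u2013": "--", "\u2014": "--", "\u2010": "-", "\u2011": "-"}

# Long options accepted by createJPSArtifactsODI.py, as used in the thread above.
LONG_OPTS = ["ADMIN_USER_NAME=", "DOMAIN_HOSTNAME=", "DOMAIN_PORT=", "DOMAIN_HOME_PATH="]

# Constructed sample mirroring the pasted command: every option prefix is an EN DASH.
PASTED_ARGV = ["embedded", "\u2013ADMIN_USER_NAME", "weblogic",
               "\u2013DOMAIN_HOSTNAME", "obia111171w64", "\u2013DOMAIN_PORT", "7001",
               "\u2013DOMAIN_HOME_PATH", r"C:\Middleware\user_projects\domains\bifoundation_domain"]


def find_non_ascii(argv):
    """Return (arg index, char, Unicode name) for every non-ASCII character in argv."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, arg in enumerate(argv) for ch in arg if ord(ch) > 127]


def normalize_dashes(argv):
    """Rewrite a typographic dash at the start of an argument to its ASCII form."""
    out = []
    for arg in argv:
        for bad, good in DASH_VARIANTS.items():
            if arg.startswith(bad):
                arg = good + arg[len(bad):]
        out.append(arg)
    return out


def parse_args(argv):
    """Parse '<mode> --OPT value ...' as a getopt-based script does.

    Returns (options dict, list of problem strings).  A non-ASCII prefix is not
    an option to getopt, so parsing stops there and the required options go missing."""
    opts, _rest = getopt.getopt(argv[1:], "", LONG_OPTS)
    found = {name.lstrip("-"): value for name, value in opts}
    problems = ["missing option --" + o.rstrip("=")
                for o in LONG_OPTS if o.rstrip("=") not in found]
    if problems:  # explain the likely cause: point at every non-ASCII character
        problems += ["arg %d contains %s (U+%04X)" % (i, name, ord(ch))
                     for i, ch, name in find_non_ascii(argv)]
    return found, problems
```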

  • Configure CRS2008 to using AD and Kerberos with Java application servers.

    Hi All,
    I have configured CRS2008 to use AD and Kerberos with Java application servers. The Domain Controller is installed on a W2K3 Server. In addition, CRS2008 is installed on another W2K3 Server.
    I have created a service account in the domain controller: CMSACC
    I have created two user accounts: CRuser1 and CRuser2
    I have created a domain group: CRSGroup
    After I ran setspn in the domain controller, I got the message below:
    Registered ServicePrincipalNames for CN=CMSACC, OU=TEST, DC=BD, DC=com:
        BOBJCentralMS/BDMGTSRV.BD.com
    CMC Setting:
    AD Administration Name: BD\administrator
    Default AD Domain: BD.com
    Add AD Group(Domain\Group): secWinAD:CN=CRSGroup,OU=TEST,D=BD,DC=com
    Service principal name: BOBJCentralMS/CMSACC@BD.com
    I have created a WINNT folder in the root directory and saved bscLogin.conf and krb5.ini there.
    bscLogin.conf:
    com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
    krb5.ini:
    [libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
    [realms]
    forwardable = true
    BD.com = {
    default_domain = BD.com
    kdc = BDMGTSRV.BD.com
    I have tested Kerberos using kinit CMSACC@BD.com password, and got the error message below:
    Exception: krb_error 41 Message stream modified (41) Message stream modified
    KrbException: Message stream modified (41)
            at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
            at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
            at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:486)
            at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:444)
            at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
            at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
            at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
    My problem is that I fail to log on to CMC and InfoView and get the error message below:
    Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again.
    Actually, I am successful in logging on to Business View Manager with CRuser1. However, I fail to log on to CMC and InfoView and get the above error. Do you have any suggestion to solve this problem?
    Ken.

    If you can log on with client tools then that should be an indication that the service account running the CMS IS working! Good news.
    So the problem is likely with the Java portion (krb5/bscLogin or Java options).
    If the files are in c:\winnt\ (if not, copy them there), perform c:\program files\business objects\javasdk\bin\kinit username
    then Enter, and password/Enter again.
    You'll probably get the same message. To note: in your krb5.ini all domain info must be in CAPS (the .com appears to be in lower case).
    kinit works with just the krb5.ini, Java SDK and AD (removing the BO config and the service account from the picture). Once that works, if your Java options are specified properly you should be able to log in to CMC/InfoView.
    Also, one last point: add udp_preference_limit = 1 to the krb5 [libdefaults] section
    [libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1
    Regards,
    Tim
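Tim's two points above (realm names in upper case, udp_preference_limit = 1 in [libdefaults]) can be checked mechanically before the next kinit attempt. As an added example, not code from this thread, the Python script below parses a constructed krb5.ini matching the one Ken posted (braces closed) and reports those pitfalls.

```python
import re

# Constructed sample reproducing the posted krb5.ini, with the realm left in lower case as posted.
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = BD.com
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
BD.com = {
default_domain = BD.com
kdc = BDMGTSRV.BD.com
}
"""

def parse_krb5(text):
    """Minimal krb5.ini/krb5.conf parser: {section: {key: value or nested dict}}.
    Handles the one level of '{ }' nesting used under [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        target = section if block is None else block
        if value == "{":  # start of a nested realm block
            block = target.setdefault(key, {})
        else:
            target[key] = value
    return conf

def check_krb5(conf):
    """Return findings for the pitfalls named in the reply: realm names that are not
    upper case, and no 'udp_preference_limit = 1' in [libdefaults]."""
    findings = []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm = lib.get("default_realm")
    if realm and realm != realm.upper():
        findings.append("default_realm %r is not upper case" % realm)
    findings += ["[realms] entry %r is not upper case" % r for r in realms if r != r.upper()]
    if lib.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit = 1 is missing from [libdefaults]")
    return findings
```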
