Content server certificate verification
Hello, everybody,
we would like to use the proxy server as an HTTP-to-HTTPS converter for around 30 URLs/destination servers in a configuration as follows:
clients (actually another proxy)
--->HTTP---> web proxy
--->HTTPS--> firewall
--->Internet
We added the forward (http-->https) and reverse (https-->http) mappings in the web proxy already, and they work.
I'd like to know which certificate/key file is for client requests (not used here, only HTTP), and which is for the outgoing HTTPS requests for content servers, and how exactly content server certificate checking can be manipulated.
There are:
(a) a key file in magnus.conf
(b) a cert database in magnus.conf
(c) a security setting (on/off) in magnus.conf
(d) a key file in the Init statement in the obj.conf
(e) a cert file in the Init statement in the obj.conf
(f) a security setting (on/off) in the Init statement in the obj.conf
...but which is for what?
The admin document (which I have read up and down) mentions "security" and "encryption", but IMHO fails to state whether the terms refer to incoming requests (which I assume), and which refer to outgoing requests.
So in more detail:
1) If I generate a key and put a corresponding certificate into a key file, what is the effect if I mention this file in (a) or (d) above, resp.? Do these entries have to be the same (i.e., do they have to mention the same file)?
2) In (1), for which connection does the certificate/key apply: to requests incoming from the clients (if HTTPS/SSL were used there), acting as a server certificate, or as client certificate for outgoing requests, or both?
3) The certificate database in (b) and (e), resp., is it for verifying the client certificates in incoming requests (which is often mentioned), for verifying the content server certificates in outgoing requests (which is hardly ever mentioned), or both? I need to verify the content server certificates, and some of them are issued by strange or own CAs, so I need to add a few CA certificates.
4) Do I have to add the CA certificates as chain certificates or as CA certificates? "CA certificates" would make sense to me (after all, they are CA certificates), but those are apparently only for client certificate verification, so I added them as chain certificates (a chain of a single element...). Strange that if I click "Do not trust", a certificate that was earlier trusted for client certs is now "only" valid as CA certificate -- as if one was somehow "less" than the other.
5) With an Equifax server certificate on a certain host, I get a message that the content server allegedly refuses to respond to the connection or may be highly loaded. Using openssl, I can connect from the same host to the content server without problems, in SSL2, SSL3, TLSv1. It makes no difference if the Equifax CA certificate is in the cert database or not, or if "Security" is on or off, or if "Initialize certs only" is checked. Using ssldump, I see that the proxy gives a "bad_certificate" fatal alert to the server. (The list of supported ciphers is a lot shorter with the proxy than with openssl, BTW.) Happens with at least two content servers, both of which can be contacted without problems via openssl, and the server certificates of which can be verified with their corresponding CA certificates I have available.
6) What does "Security on", "off" and "Initialize certs only" actually do? (...apart from putting a line into obj.conf...). "Security" is such a broad term used in (c) and (f), but does it refer to the client or the content server side? (Yes, I know that SSL provides authentication and encryption, I'm just not sure about how to configure what on the proxy software.) Guess I'm repeating myself here ;-)
7) I read that there is a tool "certadmin". Is it provided with some other Sun software? (I think with the portal server, right?) I would love to get hold of a tool for really looking into the cert databases (not using the admin server functionality). I also heard of another tool, but don't recall its exact name -- something like idscertutil, or some other *certutil. Does this ring a bell with anybody?
I'm using proxy 3.6 SP6.
Any insights are welcome.
Thanks for your help,
Stefan
Similar Messages
-
Fetchmail: Server certificate verification error
I'm using fetchmail to fetch our mails from our ISP. After upgrading my server from 10.3.9 to 10.4.8, fetchmail is logging the following four lines for each poll:
fetchmail[39]: Server CommonName mismatch: *.mail.my_isp.com != pop.my_domain.com\n
fetchmail[39]: Server certificate verification error: unable to get local issuer certificate\n
fetchmail[39]: Server certificate verification error: certificate not trusted\n
fetchmail[39]: Server certificate verification error: unable to verify the first certificate\n
Here is the syntax of my .fetchmailrc:
set syslog
set daemon 60
poll pop.my_domain.com timeout 900 proto pop3 user "user" with password "password" nokeep fetchall is localuser here
I'm not using SSL here, so why is fetchmail mocking?
Any help is welcome
Thanks, Gerd
XServe G4 Mac OS X (10.4.8)
Gerd,
Don't know which version of fetchmail comes with 10.3.x and 10.4.x respectively.
However, older versions would check for an SSL certificate in an opportunistic way and still go ahead if there wasn't one. More recent versions will interrupt communications.
In other words, since you do not use SSL you must disable it in fetchmail. If I remember correctly (not 100% sure), you must add:
sslproto ''
to .fetchmailrc
Alex
-
Server certificate verification failed: issuer is not trusted
Tried to sign in to a couple of websites lately and got this message:
Server certificate verification failed: issuer is not trusted
What is going on and how do you fix?
hello, unfortunately this is an issue caused by the website, which uses an intermediary certificate but doesn't properly implement a trusted path to the root certificate authority (https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fphp.net%2F&hideResults=on).
in order to work around that you'd have to manually install the missing certificate and trust it to verify websites in firefox: https://ssl-tools.net/certificates/a1e08f9a6a21691dc96bc3b9fa59a7cadd6d4cc4.pem
-
Content Server, Certificates error
Hello.
I have an AS ABAP and Content Server.
On the certificates tab (t-code CSADMIN), I clicked the "Send Certificates" button and an error occurred.
Error message : HTTP error : 500 Internal Server Error
SsfCreateProfile error while creating
/sapdb/home/nhccs/security/Z_T_KIM.pse rc=24
Another questions :
Q1. Creating a repository, I might use IP address or hostname for HTTP Server?
Q2. (t-code CSADMIN) Setting tab, the first field "Content Storage Host". I want to use my content server to store contents so that I input the IP address instead of "localhost(default value)", is it right?
Thank you.
Database and Web server is alive.
Please see my error message above.
Error message : HTTP error : 500 Internal Server Error
SsfCreateProfile error while creating
/sapdb/home/nhccs/security/Z_T_KIM.pse rc=24
Also I hope someone answer to my other questions.
Another questions :
Q1. Creating a repository, I might use IP address or hostname for HTTP Server?
Q2. (t-code CSADMIN) Setting tab, the first field "Content Storage Host". I want to use my content server to store contents so that I input the IP address instead of "localhost(default value)", is it right?
Thank you in advance.
-
PEAP: Enforce that client must verify server certificate
Hi,
I have PEAP set up with a server certificate. The ACS server is used for RADIUS authentication and Cisco wireless access points (1240 series) are used in WPA2/AES. In my setup, clients are working fine with or without server certificate verification. How could I enforce that the client should verify the server certificate, otherwise the wireless is not authenticated?
Regards
You could do that with an Active Directory policy or something like that. There isn't anything on the AP or Radius server that can be done.
-
Sap content server - error sending certificate - HTTPIO_PLG_NO_MPI_INIT
Hello all,
we have installed the SAP content server and created a new repository which has the status running.
Now when we go to OAC0 and the send certificate button, we get an error message:
Error in HTTP Access: IF_HTTP_CLIENT->RECEIVE 1 HTTPIO_PLG_NO_MPI_INIT
Message no. CMS166
Why can I not send the certificate?
Thanks
Anne
What I mean is you need a user that has both local machine administration rights and local domain administration rights. This is due to the fact that it installs some web components that require domain admin. If you don't install with this, it's likely you will be able to test connection fine but receive errors when trying to send the certificate. This issue cannot be resolved after the installation, i.e. if you install with the incorrect admin rights and then adjust these afterwards, it will still not work, and the only solution is to reinstall with the correct rights.
-
Reverse proxy server CMS certificate verification
Hi,
Is there a way to instruct the reverse proxy server (3.6 SP7) not to verify the CMS server certificate?
What we are trying to do is, setup a test CMS server with self signed certs installed on it, but don't want to install the CA cert for the same (above self signed cert) on the reverse proxy server.
thnx,
Alok
Sorry, but it's not very clear.
The CA cert for the self signed cert ???
-
Http content Server - putCert specification
Hello,
I am trying to develop a HTTP Content server for connection with SAP but I encounter difficulties while implementing security.
The method putCert stores the certificate from SAP, but it seems like it is an X509 v1 certificate and not a v3 like mentioned in the spec doc.
Moreover SHA1 seems to be used and not MDS.
Is there any particular reason?
Thank you
Ok finally managed to implement security on the SAP Content Server.
this code snippet works:
Provider bc = new BouncyCastleProvider();
int i = Security.addProvider(bc);
byte[] message2Sign = "E25B5CECB6846E1F4F92C9E9058BC415FDrCN%3DC1120071026161701".getBytes();
String good = "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";
String bad = "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";
BASE64Decoder b64 = new BASE64Decoder();
byte[] signature = b64.decodeBuffer(good);
// get public key from cert
File toto = new File("/tmp/toto.txt");
FileInputStream fis = new FileInputStream(toto);
PKCS7 test = new sun.security.pkcs.PKCS7(fis);
java.security.cert.X509Certificate[] certs = test.getCertificates();
//PublicKey pk = certs[0].getPublicKey();
// construct PKCS7 data object
CMSProcessable processable = new CMSProcessableByteArray(message2Sign);
CMSSignedData s = new CMSSignedData(processable, signature);
// get 1st signer infos
SignerInformationStore signers = s.getSignerInfos();
Collection c = signers.getSigners();
Iterator it = c.iterator();
SignerInformation signer = (SignerInformation) it.next();
// verification
boolean test2 = signer.verify(certs[0], "BC");
System.out.println("Ok = " + test2);
-
Download file from SAP PLM or Content Server?
Hi all,
I learned that the VEG server download the originals from content server and then started the conversion process.
In my case, I have an error below, it is strange that the IP 153.95.192.93:443 is the IP of the SAP PLM server, can anyone tell me is my configuration right?
thanks
Job 42 (Workflow 'KPRO Retrieve') report
Startup Parameters
FilesPerTask = '5 '(Integer)
InputFilePath = '\ \ NBHXVEG02 \ DSShare \ Workspace \ JM_JOB41 \ KProRetrievalRequest.xml' (String)
OutputFilePath = '\ \ NBHXVEG02 \ DSShare \ Workspace \ JM_JOB41 \ KProRetrievalResponse.xml' (String)
Step 'validate input'
Completed Action 'enter a valid'
Step 'Download'
CompletedWithWarnings Action 'can not download all the files'
Info Message 'document retrieval tasks to be addressed: 1'
Warning Message 'first task failed to retrieve a file (of 1): Unknown error (warning)'
jmp_KproRetrieve (Task 39)
Warning Message 'file' A00021876_20130819.CATProduct 'unable to download: Unable to connect to the remote server: Since the connected party did not properly respond after a period of no response or a host connection, the connection attempt fails. 153.95.192.93:443 '
Hi Fergal.
I changed the IIS port to XX443(XX means instance number), the https service is also started in the ECC server.
but I got below errors:
Startup Parameters
FilesPerTask = '5 '(Integer)
InputFilePath = '\ \ NBHXVEG02 \ DSShare \ Workspace \ JM_JOB115 \ KProRetrievalRequest.xml' (String)
OutputFilePath = '\ \ NBHXVEG02 \ DSShare \ Workspace \ JM_JOB115 \ KProRetrievalResponse.xml' (String)
Step 'validate input'
Completed Action 'enter a valid'
Step 'Download'
CompletedWithWarnings Action 'can not download all the files'
Info Message 'document retrieval tasks to be addressed: 1'
Warning Message 'first task failed to retrieve a file (of 1): Unknown error (warning)'
jmp_KproRetrieve (Task 122)
Warning Message 'file' A00021876_20130819.CATProduct 'unable to download: The underlying connection was closed: Could not establish trust relationship for the SSL / TLS secure channel. : According to the verification process, the remote certificate is invalid. '
-
Problem with Content Server 4 keystore access on Ubuntu 8.04
Hello,
Setting up the Content Server I encounter this problem with the fulfillment server Status check-up:
exception
javax.servlet.ServletException: Servlet execution threw an exception
root cause
java.lang.Error: Problem reading key and certificate from keystore
com.adobe.adept.fulfillment.security.ServerConfig.init(ServerConfig.java:201)
com.adobe.adept.fulfillment.security.ServerConfig.getSigningURL(ServerConfig.java:48)
com.adobe.adept.fulfillment.servlet.FulfillmentServerStatus.getServers(FulfillmentServerStatus.java:34)
com.adobe.adept.common.servlet.Status.checkUp(Status.java:355)
com.adobe.adept.common.servlet.Status.doGet(Status.java:421)
javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
I've created operator.p12 according to the instructions in the Quickstart guide
and placed it in /etc where it is accessible by the server. I used OpenSSL 0.9.8k
for this.
I can use "openssl pkcs12 -in operator.p12 -out file.pem" to view the contents of
the file.
My Content Server fulfillment configuration is as follows:
com.adobe.adept.init1=com.adobe.adept.shared.util.SharedInitialization
com.adobe.adept.log.level=trace
com.adobe.adept.log.file=/var/log/fulfillment.log
com.adobe.adept.persist.sql.driverClass=com.mysql.jdbc.Driver
com.adobe.adept.persist.sql.connection=jdbc:mysql://127.0.0.1:3306/adept
com.adobe.adept.persist.sql.dialect=mysql
com.adobe.adept.persist.sql.user=ereading
com.adobe.adept.persist.sql.password=********
com.adobe.adept.fulfillment.security.licensesignURL=https://eusigningservice.adobe.com/licensesign
com.adobe.adept.fulfillment.security.keystore.user=operator
com.adobe.adept.fulfillment.security.keystore.password=********
com.adobe.adept.fulfillment.security.pkcs12.file=file:///etc/operator.p12
com.adobe.adept.serviceURL=http://******.dmz.******.org/fulfillment
Any ideas?
Best regards,
Teemu
To solve this, change this
com.adobe.adept.fulfillment.security.pkcs12.file=file:///etc/operator.p12
for this
com.adobe.adept.fulfillment.security.pkcs12.file=/etc/operator.p12
-
How to add a certificate to IIS global "Server Certificates" list using PowerShell?
Hi, been surfing the web for an example on how to add a certificate to the "global" IIS "Server Certificates" list using PowerShell but to no luck. I already have code in place on how to tie / associate a specific website with a specific cert but not how to add the new .cer file using the "Complete Certificate Request..." wizard using PowerShell.... I don't expect the final code to become published but if someone had an idea on how to integrate / get an entry point on where to interact between the "Server Certificate" list in IIS and POSH I would be super happy! :|
I am running IIS on a Windows 2008R2 x64 Standard Edition if that helps..... of course, I would saddle for an CLI if there is no other way, but POSH is of course the way to go! :)
Thanks for the help in advance guys, take care!
br4tt3
Hi and thanks for the suggestions!
Although it comes close, the suggested code example points on howto import / incorporate .pfx files - I am getting fed by .cer files which I need to add into the IIS console using POSH.
I tried explore the IIS.CertObj object but was not able to work out if this one could be used for importing / adding .cer files into IIS! However, launching the following command from a POSH console with Import-Module Webadministration already loaded into that shell;
$certMgr = New-Object -ComObject IIS.CertObj
returns the following error message:
New-Object : Cannot load COM type IIS.CertObj
From an IIS perspective I have the following components installed;
[X] Web Server (IIS) Web-Server
[X] Web Server Web-WebServer
[ ] Common HTTP Features Web-Common-Http
[ ] Static Content Web-Static-Content
[ ] Default Document Web-Default-Doc
[ ] Directory Browsing Web-Dir-Browsing
[ ] HTTP Errors Web-Http-Errors
[ ] HTTP Redirection Web-Http-Redirect
[ ] WebDAV Publishing Web-DAV-Publishing
[X] Application Development Web-App-Dev
[ ] ASP.NET Web-Asp-Net
[X] .NET Extensibility Web-Net-Ext
[ ] ASP Web-ASP
[ ] CGI Web-CGI
Web-CGI
[ ] ISAPI Extensions Web-ISAPI-Ext
[ ] ISAPI Filters Web-ISAPI-Filter
[ ] Server Side Includes Web-Includes
[ ] Health and Diagnostics Web-Health
[ ] HTTP Logging Web-Http-Logging
[ ] Logging Tools Web-Log-Libraries
[ ] Request Monitor Web-Request-Monitor
[ ] Tracing Web-Http-Tracing
[ ] Custom Logging Web-Custom-Logging
[ ] ODBC Logging Web-ODBC-Logging
[X] Security Web-Security
[ ] Basic Authentication Web-Basic-Auth
[ ] Windows Authentication Web-Windows-Auth
[ ] Digest Authentication Web-Digest-Auth
[ ] Client Certificate Mapping Authentic... Web-Client-Auth
[ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth
[ ] URL Authorization Web-Url-Auth
[X] Request Filtering Web-Filtering
[ ] IP and Domain Restrictions Web-IP-Security
[ ] Performance Web-Performance
[ ] Static Content Compression Web-Stat-Compression
[ ] Dynamic Content Compression Web-Dyn-Compression
[X] Management Tools Web-Mgmt-Tools
[X] IIS Management Console Web-Mgmt-Console
[X] IIS Management Scripts and Tools Web-Scripting-Tools
[ ] Management Service Web-Mgmt-Service
[ ] IIS 6 Management Compatibility Web-Mgmt-Compat
[ ] IIS 6 Metabase Compatibility Web-Metabase
[ ] IIS 6 WMI Compatibility Web-WMI
[ ] IIS 6 Scripting Tools Web-Lgcy-Scripting
[ ] IIS 6 Management Console Web-Lgcy-Mgmt-Console
[X] FTP Server Web-Ftp-Server
[X] FTP Service Web-Ftp-Service
[X] FTP Extensibility Web-Ftp-Ext
[ ] IIS Hostable Web Core Web-WHC
More or less the one thing that I am trying to get up and running is an automated FTPS solution - I just use the IIS console to be able to troubleshoot / compare how things scripted from POSH interacts in the MMC representation. The error I am getting might be that I am lacking some IIS components to be in place to be able to automate some parts of the IIS - as suggested by the IIS.CertObj object listed in the example..... I will get back if I can track down which component needs to be added to be able to reference the IIS.CertObj object.
Br4tt3 signing out...
br4tt3
-
Error while starting SAP Content server
Hi Experts,
I have installed content server, and from OAC0 i have imported certificate. The status is showing running. In details tab, when i enter on start button, I am getting below error.
HTTP error: 500 (Internal Server Error) "CreateTab ContentStorage, connect error SQLConnect failed, [SAP AG][SDBODBC DLL][SAP MaxDB] Commun
Message no. CMS025
Diagnosis
Error in accessing via HTTP
500 (Internal Server Error)
"CreateTab ContentStorage, connect error SQLConnect failed, [SAP AG][SDBODBC DLL][SAP MaxDB] Commun
Can any one suggest possible solution?
Regards
Aditya
Hi Aditya
Could you refer the SAP Notes
1764842 - Connection problem to SAP Content Server
582765 - SAP Content Server cannot address database
Br
SS -
Https access to Sap Content Server 620 with R/3 46C
We are trying to access the Sap Content Server 620 via Https.
We do not want to administer it via HTTPS, (as we know CSADMIN doesn't support Https in rel. 46C as for note 712332). We want to do in way that the users when do check-in/out of originals these go across the network using Https instead Http.
According note 712330 it should be possible.
Anyone already did it ?
Any suggestions ?
Note 506314 is not clear. We are in doubt how we applied it.
What we did:
0) activate the SSL on the SAP Content Server web site, requiring and installing a CA certificate.
1) On the R/3 server in tx OAC0 with %HTTPS filled up the two boxes with "%HHTPS required"
1) unpacked the SAP cryptolibrary and copied all the files (including those in ntintel subdirectory created during the unpacking) under c:\Programmi\Sap\Frontend\Sapgui on a frontend PC.
2) set the env. variable SAPHTTP=c:\Programmi\Sap\Frontend\Sapgui on Frontend PC
3) from c:\Programmi\Sap\Frontend\Sapgui we created both the SAPSSLC.pse and the SAPSSLS.pse file with the command :
sapgenpse get_pse -noreq -p C:\Programmi\SAP\FrontEnd\SAPgui\<PSE-NAME> CN=localhost
4) we run the test: saphttp https://itmif069
from the frontend to the server where the Content Server is (itmif069). We receive the error:
trc file: "dev_http", trc level: 2, release: "620"
Fri Oct 08 12:26:46 2004
[2256] sccsid: @(#) $Id: //bas/620/src/krn/ftp/http.c#26 $ SAP
[2256] HTTP Start : argc - 2 a0 - saphttp
[2256] https//itmif069
[2256] SECUDIR=C:\Programmi\SAP\FrontEnd\SAPgui
<<- SapSSLSetTraceFile()==SAP_O_K
=================================================
= SSL Initialization
SapISSLComposeFilename(ssl_lib): using default "sapcrypto.dll"
SapISSLComposeFilename(server_pse): using default "SAPSSLS.pse"
SapISSLComposeFilename(client_pse): using default "SAPSSLC.pse"
SapISSLComposeFilename(anon_pse): using default "SAPSSLA.pse"
= found SAPCRYPTOLIB 5.5.5C pl16 (Jun 10 2004) MT-safe
= found SECUDIR environment variable
= using SECUDIR=C:\Programmi\SAP\FrontEnd\SAPgui
= secudessl_Create_SSL_CTX(): PSE "SAPSSLA.pse" not found,
= using PSE "SAPSSLC.pse" as fallback
= The Server SSL_CTX
= provides this ordered list of 9 ciphersuites:
= 1. SSL_RSA_WITH_RC4_128_SHA
= 2. SSL_RSA_WITH_RC4_128_MD5
= 3. SSL_RSA_WITH_3DES_EDE_CBC_SHA
= 4. SSL_RSA_WITH_DES_CBC_SHA
= 5. SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
= 6. SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
= 7. SSL_RSA_EXPORT_WITH_RC4_40_MD5
= 8. SSL_RSA_WITH_NULL_SHA
= 9. SSL_RSA_WITH_NULL_MD5
= Success -- SapCryptoLib SSL ready!
=================================================
<<- SapSSLInit(, read_profile=0)==SAP_O_K
ERROR => [2256] URI https//itmif069 [http.c 774]
ERROR => [2256] Connect to Host Port 443 error: NIECONN_REFUSED
[http.c 777]
We do not know if the cryptolibrary has to be installed on the R/3 server too.
We do not know if the CA certificate installed on the SAP Content Server web site has to be installed on the R/3 server too.
Any suggestion ?
Regards
Caro Mauro,
I'm more or less in the same situation right now.
Taking into account that you ask for help on this subject last 2004 Oct. I suppose that you have probably solved the problem.
Please can you help me with the solution implemented.
Find below my current work e-mail adress
[email protected]
Thanks in advance,
Best regards, Xavier Grau.
-
Error connecting to Content Server
Hello,
we are in the process of upgrading ERP6.0 EHP5 to EHP6 which is also an upgrade to NW702 to NW731. We made a system copy of the productive system and called it XXX and did all the post-systemcopy works that need to be done including creating the System PSE. We connected this XXX system to the Content Server and created new repositories and sent the certificates to the CS. Everything was working fine. This was still on NW702.
After the upgrade we get errors like:
When trying to read/save a file, this error comes up:
X-ErrorDescription: "Security SsfVerify failed rc=5, lasterror=1, This key
type is not supported, PSE=\\?\E:\Program Files\SAP\Content Server\Security
\<REPOSITORYNAME>.pse,"
When accessing the CSADMIN via OAC0, the password windows opens and at the bottom the Error "http 401 (unauthorized) Permission denied: adminContRep&configGet" occurs.
I tried sending the certificate again-> still error
I tried to delete the .certs and .pse files in ContentServer\security as suggested in note 1800664-> still error
There was an old note saying that the CS needs to be patched because secude.dll is too old but even the latest patch only has the secude.dll from 2009 and there is no update. (At least I couldn't find any, probably because it is sapcrypto now)
We are using CS Patch 17. Since everything was working before, I do not see the reason to deploy a new patch.
The system PSE was created with algorithm RSA with SHA-1 and 2048 byte.
Does anyone have an idea what to try next?
Regards
Andreas
Hi Andreas,
Have you registered content server port number 1090. check in services if not registered
Please follow below steps.
1.In 'Administrative Tools' open 'Windows Firewall with Advanced Security'
2.Right click over 'Inbound Rules' and select 'New Rule...'
3.In the Rule Wizard select 'Port' and click on 'Next'.
4.Enter the port number you set for the Content Server, the default port is 1090,
and click 'Next'.
5. Select 'Allow the connection' and click 'Next'.
6. Select the Profile for your network and click on 'Next'.
7. Enter the name of rule, e.g. 'Content Server' and click on 'Finish'
Hope that maintained host file also.
Regards,
chandu.
-
Content Server Installed but doesnt respond
Hi,
I have installed the Content server on Win2K3 as given in the installation guide. I have installed for file storage on the file system.
After installation I got the message that everything is ok. But then when I execute the command
http://<server>:<port>/ContentServer/ContentServer.dll?serverInfo
I get the response as page cannot be displayed. I want to use the content server for DMS storage so that I can use KPro instead of the vault.
Same thing when I do
http://<server>:<port>/
I get a pop-up asking for the user-name and password but when I give the user name as administrator and password it doesn't allow access.
Please advise
Regards
Ankan Majumdar
Note Number : 361123
Symptom
You want the SAP Content server to work properly.
Other terms
Signed URLs, AdminSecurity, SsfVerify failed
Reason and Prerequisites
The SAP Content Server was installed in accordance with the installation guide. For new installations, we recommend that you use the latest released version of the SAP Content Server, regardless of the SAP System release to which the SAP Content Server is connected.
Solution
This note provides additional information on different aspects of security when using the SAP Content Server.
Security against data loss
The SAP server content stores the contents of the confidential document either in an SAP-DB instance or in the file system. To avoid data loss, the usual measures for databases and file systems are taken. These are only mentioned briefly here: Redundant hardware (mirror disks, raid systems and so on), regular backup (log files, backup). When you back-up the Content Server, note that you also have to save the ContentServer.ini configuration file as well as the Security directory in addition to backing up the database instance or the directories of the file system used for document content.
Note 319332 describes backup strategies for a Content Server with database folders.
SAP does not have a tool for backing up file system folders. In this case it is the responsibility of the customer to select and convert the backup strategy. Here you should note that, for a complete and consistent backup of a file system folder, it may be necessary to shut down the Content Server for the duration of the backup.
Security against unauthorized accesses on filed contents
Before you access the content server, an authorization check usually occurs in the SAP system. However, the content server is usually accessed using a disclosed HTTP log. To make sure that only authorized accesses are possible, 'signed URLs' must be used. Signed URLs are URLs that were signed by the SAP system. You can recognize signed URLs because they are considerably longer than unsigned URLs and contain additional parameters. The signed URL, in particular, contains the additional parameters expiration (expiry time) and secKey (digital signature). A signed URL is only valid if the expiry time has not yet been exceeded and if it contains a valid signature. In order that the signature can be checked by the content server, the public key (certificate) of the SAP system must be stored on the content server and tagged for the corresponding repository. Transactions OAHT, OAC0 (as of 4.6C) and CSADMIN (as of 4.6C for SAP content server) are used to transfer the certificate. The certificate must be activated on the content server for the repository. Use CSADMIN to do this (for SAP Content server).
In order that the digital signature of the SAP system can be used properly, EVERY SAP system must have its own unique certificate. To ensure this, a 'PSE' must be generated once in every SAP system after this SAP system is developed. Use transaction PSEMAINT to do this (note 354819).
To protect the connection between the Content Server and its SAP-DB instance, the name and password of the database user can be changed and stored in encrypted format in the configuration of the content server. For details, see note 661852.
Access control for the administration
The content server is partly administered from within the SAP system, and partly from outside it. When it is administered from outside, you must ensure that only authorized persons have (administrative) access to the server on which the content server is running. The (administrative) access to the database (note 212394) must be restricted accordingly.
In order that administrative accesses from the SAP system are only possible for authorized persons, the parameter AdminSecurity must be set to 1 in the content server. You will find details on this in the installation documentation of the SAP Content Server.
Protection against server hardware outage
The Windows version of the SAP Content Server can also be installed in an MSCS environment (Microsoft Cluster Server). For more detailed information, see "SAP Content Server 6.20 in an MSCS Environment", dated March 4, 2003, in the "News" section on the SAP Service Marketplace (http://service.sap.com/ha
The duration of the non-availability of content servers, cache servers and alias servers can be reduced with the automated operator intervention described in note 484459.
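The check order that note 361123 describes for signed URLs (both expiration and secKey must be present, the expiry time must not have passed, the signature must verify), as an added Python example that is not SAP's code or part of the original thread. The payload layout (concatenated contRep, docId, accessMode, authId, expiration), the 14-digit UTC expiry format and the HMAC stand-in for the real certificate-based signature are assumptions for illustration; the host name and parameter values are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: these values, concatenated in this order, form the signed payload.
SIGNED_PARAMS = ("contRep", "docId", "accessMode", "authId", "expiration")


def signed_payload(params):
    """Rebuild the byte string the signature is expected to cover."""
    return "".join(params[name] for name in SIGNED_PARAMS).encode("utf-8")


def parse_expiration(text):
    """Assumption: expiry is a 14-digit UTC timestamp, yyyymmddhhmmss."""
    if len(text) != 14 or not (text.isascii() and text.isdigit()):
        raise ValueError("expiration must be 14 digits")
    parsed = datetime.strptime(text, "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def check_signed_url(url, verify_signature, now=None):
    """Return (accepted, reason); every missing or malformed part rejects."""
    now = now or datetime.now(timezone.utc)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    # A repeated parameter could show one value to the signature check and
    # another to the request handler, so it is rejected outright.
    if any(len(values) != 1 for values in query.values()):
        return False, "duplicate parameter"
    params = {name: values[0] for name, values in query.items()}

    # An unsigned URL (no secKey or no expiration) is never accepted.
    for name in SIGNED_PARAMS + ("secKey",):
        if not params.get(name):
            return False, "missing " + name
    try:
        expires = parse_expiration(params["expiration"])
        signature = base64.b64decode(params["secKey"], validate=True)
    except ValueError:
        return False, "malformed expiration or secKey"

    if now >= expires:
        return False, "expired"
    if not verify_signature(signed_payload(params), signature):
        return False, "bad signature"
    return True, "ok"


# --- Demo material below is constructed; it is not a real key or URL. ---
DEMO_KEY = b"constructed-demo-key"


def demo_sign(payload):
    """Stand-in for the SAP system's signature (HMAC, not a certificate)."""
    return hmac.new(DEMO_KEY, payload, hashlib.sha256).digest()


def demo_verify(payload, signature):
    """Stand-in for verification against the repository's stored certificate."""
    return hmac.compare_digest(demo_sign(payload), signature)


def build_demo_url(expiration, **overrides):
    """Sign a constructed request, then apply overrides to simulate tampering."""
    params = {
        "contRep": "Z1",
        "docId": "DOC0001CONSTRUCTED",
        "accessMode": "r",
        "authId": "CN=DEMO",
        "expiration": expiration,
    }
    params["secKey"] = base64.b64encode(demo_sign(signed_payload(params))).decode()
    params.update(overrides)
    base = "http://cs.example.invalid:1090/ContentServer/ContentServer.dll?"
    return base + urlencode(params)


if __name__ == "__main__":
    t0 = datetime(2007, 10, 26, 16, 0, 0, tzinfo=timezone.utc)
    print(check_signed_url(build_demo_url("20071026161701"), demo_verify, now=t0))
    print(check_signed_url(build_demo_url("20071026161701", accessMode="u"),
                           demo_verify, now=t0))
```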