CSS 11500 authenticate certificate using LDAP

Can the CSS 11500 authenticate a certificate by querying an LDAP Server on "the inside"?

No. This is not possible.
Gilles.

Similar Messages

  • CSS 11500 Certificate Signing Request (CSR)

    Would any of you know if and how to configure / generate a wildcard or multi-domain SSL certificate on a CSS 11500 appliance? The "ssl gencsr ..." command doesn't seem to allow me to add more than one domain name during the information gathering.
    Any help or input would be greatly appreciated.
    Thanks,

    WildCard certs are supported on CSS.
    The only thing that makes it a CSR for a wildcard certificate would be that the common name would be something like "*.yourdomain.com".
    Since a wildcard certificate represents multiple domains, it can be re-used on the
    multiple https content rules of different IPs.
    The CSR procedure for a wildcard certificate on the CSS is not different than the CSR
    procedure for a regular certificate (You just need to put something like "*.yourdomain.com" in front of common name):
    CSS11506(config)# ssl gencsr app1key
    Country Name (2 letter code) [US]US
    State or Province (full name) [SomeState]CA
    Locality Name (city) [SomeCity]San Jose
    Organization Name (company name) [Acme Inc]Yourdomain Inc.
    Organizational Unit Name (section) [Web Administration]SSL Admin
    Common Name (your domain name) [www.acme.com]*.yourdomain.com
    Syed

  • How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?

    How can I use LDAP searching from OSX Lion Server to Mozilla Thunderbird?  We have a super awesome contacts server that works great for our Mac users.  About 30% of our company are on PCs, and I would like to use the Mozilla Thunderbird mail client for them.  I see that in Thunderbird I can set up LDAP searching, and would like to have this feature point to our contacts server.  I've tried several different settings, and looked all over the web, but could not find the proper way to configure this.  Does anyone know if this can be done, or if not, would have a better suggestion?  Thank you for your time!!

    Try double-clicking; Keychain Access should launch and ask if you want to install to login, System, or System Roots.
    A dialog box will launch asking where to install the cert; since you're configuring a VPN, I would put the certificate in System.

  • Services with different IP address subnets over CSS 11500 series

    Hi all folks!
    I have two CSS 11500 series...
    In just a few months I will have a DRS (Disaster Recovery Site) ready, where I will have 2 more servers to add to the environment.
    But these servers will be in a different subnet from the one I have today for the servers configured in the current services of my CSS.
    So the doubt that arises is:
    Is it correct to add two new services for these servers, using the IP addressing of the DRS site, and to include on the CSS a static route to this network (of the DRS) in order to reach them? Is it correct? Will it work well?
    This would be so....
                 ________________ LAN to LAN ________________
                |                                            |
       |---- SITE A ----|                          |---- SITE B ----|
          [Firewall] ============ IPSEC ============ [Firewall]
                |                                            |
        [CSS-A]-[CSS-B]                                  [SWITCH]
                |                                          |      |
             [SWITCH]                                      |      |
       [srvA] [srvB] [srvC]                           [srvD] [srvE]
    So, at [CSS-A] & B, I will put a static route to the firewall, which knows the subnet of site B through the IPSEC tunnel.
    So in the CSSs, I will add the new services for the servers "D" & "E" with the IP addresses of Site B.
    This should be seen as well:
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 [IP FIREWALL]
    ip route SITE B [IP FIREWALL]
    !************************** SERVICE **************************
    service srvA
      ip address A.A.A.x
      port 8080
    service srvB
      ip address A.A.A.x+1
      port 8080
    service srvC
      ip address A.A.A.x+2
      port 8080
    service srvD
      ip address B.B.B.y
      port 8080
    service srvE
      ip address B.B.B.y+1
      port 8080
    I know that this practice is not the most desirable; in fact I should use "Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", but I don't have much time to change the entire environment today, and in this first stage I have to begin with this poor but quick solution that I thought of, and I wanted to have it validated whether there is any possibility of this working.
    From your experience, what do you say? Will it work?
    Thanks in advance!
    Regards!
    Esteban =)

    Daniel!
    Sorry for the delay!
    Thank you so much for your time in replying.
    You have been a great help with this doubt!
    But... using "source group", let me know...
    I can't understand the real difference between NAT with ACLs as you can see at this link: (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml)
    and
    this other link, using NAT (from point 5), (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml)
    where the NAT is configured with a method different from the previous one...
    So... for the scenario described above, which would you recommend using? I would think the second is the most appropriate, right? What do you think?
    Thanks in advance again!!!
    Have nice day!
    Regards.
    Esteban.

  • Import X.509 certificate via LDAP

    Hello,
    I have an iPad running iOS 5 and I'd like to know if it's possible to import people's X.509 certificates via LDAP. I have my corporate LDAP set up in Settings>Mail, Contacts  and I can search for people fine. The LDAP also has X.509 certificates that I'd like to use for encryption when sending emails from the iPad.
    regards,
    Tex

    I think if you select a security profile in the channel then you can sign and verify the certificate in the receiver agreement. That is only for security parameters. For just configuring certificate authentication, you will not see anything in the receiver agreement.

  • CSS 11501 - wildcard certificate with subject alternative names

    Hi,
    I generated a wildcard certificate for my company of the type *.mycompany.com in a CSS 11501.
    For the site sub-domain1.mycompany.com it worked fine; for the site sub-domain2.sub-domain1.mycompany.com it didn't work.
    I read on the web that I should generate a wildcard certificate with subject alternative names. Is it possible in CSS? How can I do it?
    Thank you very much,
    Cláudio Soares

    Hi,
    The CSS is indifferent to the Common Name in an SSL certificate used for SSL termination,
    so using a wildcard certificate would be no different than using a standard certificate.
    If using the CSS to generate the Certificate Signing Request, just enter the Common
    Name with the leading asterisk for the subdomain portion of the hostname. Example:
    Common Name (your domain name) [www.mycompany.com]*.domain.com
    The only difference in configuring SSL termination would be that you could
    reuse the SSL certificate (in the ssl-proxy-list) for all the different vips that the
    subdomains resolve to without having to worry about pop-up warnings on client's browsers
    (example attached). Or, if your subdomains resolve to the same vip, the CSS configuration
    wouldn't be any different.
    Regards,
    Siva

  • Do CSS 11500 series allow remote SPAN?

    Hi,
    I found SPAN (Switch Port Analyzer) is available on the CSS 11500 series, but could only find that the destination must be local. Is it possible to do remote SPAN and make the destination be in another remote switch?
    And how many local span sessions are allowed?
    Thanks,
    Rgds
    Jorge

    Cisco WebNS Software Version 7.20 delivers support for a new Cisco CSS 11501 model, and Cisco WebNS Software 7.20 supports the SPAN feature.
    Switched Port Analyzer (SPAN) or port mirroring is useful for network analysis: a copy of the packets received or transmitted by a source port is sent to a designated destination port.
    Kindly go through these links to get detailed information:
    http://www.provantage.com/cisco-systems-css11503-ac~7CSCO288.htm
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_release_note09186a008077c440

  • CSS 11500 sending RST

    I recently replaced a Local Director with a CSS 11500 (v 8.2). I have an application that uses port 80 to send SOAP heartbeats at 1 minute intervals to a web server to maintain state. For some reason the CSS randomly decides to send RST to the client even though the backend service is active. In other words, the web server is not sending a RST. Is this an issue with flows? Load balancing schema? I did not have this issue with the Local Director.

  • Connect using ldap

    If my sqlnet.ora file is set to use LDAP, is it possible to create a connection in SQL Developer, or do I have to define all databases in the local tnsnames.ora file?
    Thanks.

    To enable IDM application to use SSL enabled LDAP calls (LDAPS) to LDAP servers, the CA certificate that issued the certs to LDAP servers must be imported into application server keystore. I took the following steps on RH Linux AS 4.
    [root@idmserver config]# cd /opt/SUNWappserver/domains/domain1/config
    [root@idmserver config]# keytool -import -noprompt -trustcacerts -alias "acg_test_caas_ca" -file selfsigned_ca.crt -keystore cacerts.jks -storepass changeit
    [root@idmserver config]# keytool -import -noprompt -trustcacerts -alias "acg_test_caas_ca" -file selfsigned_ca.crt -keystore keystore.jks -storepass changeit
    In the above example, the file selfsigned_ca.crt is the self signed certificate of the test CA that issued certs to LDAP servers.

  • Error adding Certificates using JNDI

    I am trying to add User into iPlanet Directory Server using JNDI.
    I am getting the following Exception.
    javax.naming.directory.InvalidAttributeValueException: Malformed 'userCertificate' attribute value; remaining name 'uid=testuser99,ou=People,dc=eng,dc=it'
        at com.sun.jndi.ldap.LdapClient.encodeAttribute(LdapClient.java:953)
        at com.sun.jndi.ldap.LdapClient.add(LdapClient.java:1001)
        at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:325)
        at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:288)
        at com.sun.jndi.toolkit.ctx.ComponentContext.p_bind(ComponentContext.java:590)
        at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:177)
        at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:167)
        at javax.naming.InitialContext.bind(InitialContext.java:353)
        at it.eng.securitymanager.user.dao.iPDSUserDAO.insertUser(Unknown Source)
    Following is the code I am using:
    // Uses javax.naming.directory.{Attribute, Attributes, BasicAttribute, BasicAttributes}
    public User(String dn, String ou, String userType, String password, String givenname, String sn, String cn, String email, String phone, String fax, String city, String country, java.security.cert.Certificate p12) throws Exception {
        Attributes myAttrs = new BasicAttributes(true);
        Attribute oc = new BasicAttribute("objectclass");
        oc.add("inetOrgPerson");
        oc.add("organizationalPerson");
        oc.add("person");
        oc.add("top");
        Attribute ouSet = new BasicAttribute("ou");
        ouSet.add(ou);
        myAttrs.put(oc);
        myAttrs.put(ouSet);
        myAttrs.put("givenname", givenname);
        myAttrs.put("sn", sn);
        myAttrs.put("cn", cn);
        // The Certificate object is added as the attribute value directly; JNDI only
        // encodes String and byte[] values, so this is what raises the exception above
        Attribute uc = new BasicAttribute("userCertificate");
        uc.add(p12);
        myAttrs.put(uc);
    }
    Any inputs how to insert certificates using JNDI?
    Thank you

    I am able to insert the certificate without error, but not able to view it.
    Following is the code snippet. Any idea what could be wrong?
    myAttrs = new BasicAttributes(true); // case ignore
    Attribute oc = new BasicAttribute("objectclass");
    oc.add("inetOrgPerson");
    oc.add("organizationalPerson");
    oc.add("person");
    oc.add("top");
    Attribute ouSet = new BasicAttribute("ou");
    ouSet.add(ou);
    myAttrs.put(oc);
    myAttrs.put(ouSet);
    if (p12 != null && (p12 instanceof java.security.cert.Certificate)) {
        Attribute uc = new BasicAttribute("userPKCS12");
        // Java-serializes the Certificate object: the bytes are a Java serialization
        // stream, not PKCS#12 or DER, so LDAP tools cannot parse the value as a certificate
        java.io.ByteArrayOutputStream bop = new java.io.ByteArrayOutputStream();
        java.io.ObjectOutputStream p = new java.io.ObjectOutputStream(bop);
        p.writeObject(p12);
        p.flush(); // flush before reading the buffer, or the array can be incomplete
        p.close();
        byte[] cert = bop.toByteArray();
        System.out.println("\n\nCertificate Bytes ...\n\n");
        uc.add(cert);
        myAttrs.put(uc);
    }
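    An added example, not code from either post above, showing the form the directory schema actually expects for both problems in this thread: the DER encoding from Certificate.getEncoded() stored under userCertificate;binary (instead of a Java object or a serialized stream), and the java.naming.ldap.attributes.binary environment property so JNDI returns the value as byte[] when reading it back. The server URL and bind DN are placeholders; the base DN dc=eng,dc=it is taken from the stack trace above.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class UserCertificateEntry {

    // Attribute set for a new inetOrgPerson entry. The certificate goes in as DER bytes,
    // the byte[] value type JNDI encodes as an LDAP octet string, never as a Java object.
    static Attributes buildAttributes(String ou, String cn, String sn, Certificate cert)
            throws CertificateEncodingException {
        Attributes attrs = new BasicAttributes(true); // ignore attribute-name case
        Attribute oc = new BasicAttribute("objectclass");
        oc.add("top");
        oc.add("person");
        oc.add("organizationalPerson");
        oc.add("inetOrgPerson");
        attrs.put(oc);
        attrs.put("ou", ou);
        attrs.put("cn", cn);
        attrs.put("sn", sn);
        if (cert != null) {
            // ";binary" is the transfer option defined for the userCertificate attribute type
            attrs.put(new BasicAttribute("userCertificate;binary", cert.getEncoded()));
        }
        return attrs;
    }

    // Opens a context over LDAPS (placeholder host and bind DN are assumptions).
    static LdapContext connect(String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.test:636"); // placeholder
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");     // placeholder
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // Have JNDI return userCertificate as byte[] on reads instead of a mangled String
        env.put("java.naming.ldap.attributes.binary", "userCertificate");
        return new InitialLdapContext(env, null);
    }

    // Adds the entry under the base DN seen in the exception above.
    static void addUser(LdapContext ctx, String uid, Attributes attrs) throws NamingException {
        ctx.createSubcontext("uid=" + uid + ",ou=People,dc=eng,dc=it", attrs);
    }

    // Reads the value back and parses it, which only succeeds if the stored bytes are real DER.
    static Certificate readCertificate(LdapContext ctx, String dn) throws Exception {
        Attributes found = ctx.getAttributes(dn, new String[] {"userCertificate;binary"});
        byte[] der = (byte[]) found.get("userCertificate;binary").get();
        return CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }
}
```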

  • CSS 11500 Responds for any Port

    Hopefully this is an easy question but I am having a heck of a time finding an answer.
    We have multiple CSS 11500 clusters.  We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client.  This happens regardless of whether there is something on that IP address or not.
    Example:
    Front                           Back
    10.1.1.0/24 --- CSS --- 10.2.2.0/24
    Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open), the CSS will complete the initial connection.  I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.
    Is there any way to shut this off?  This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.
    Thanks for any input!

    Thanks for your reply Marvin.
    We actually use ACLs already - primarily for purposes of allowing backend servers to reach load-balanced services on the CSS they sit behind or for reverse proxy services. 
    I have tried specifically blocking access to backend IP addresses that are not used but oddly enough the CSS still replies and opens the initial TCP session just like any other.
    I think I'm going to have to open a TAC case on this one.  If they can't answer it, I may be forced to put all of these behind firewalls - which is doable but not ideal.

  • Java ftp server which can use LDAP, how to integrate with WLS' implementation of LDAP?

    Howdy.
    I'm setting up a Java FTP server (http://www.mycgiserver.com/~ranab/ftp/index.html) which is capable of using LDAP for its user security. I would like to integrate this FTP server with WLS' implementation of LDAP so I only have to admin one user list.
    Does WLS put its user list in the LDAP or in its own proprietary setup? I tried playing around with it, but the users don't seem to appear in the JNDI tree. Is this where the LDAP stuff is located? I thought it was in there?
    If it's in its own setup, is there a way to propagate the users to LDAP?
    If these look like newbie Q&A, I guess they kind of are; I'm new to LDAP.
    Thanks for any input you might have.

    Peter,
    If you are talking about using the embedded LDAP server in WLS 7.0 for this purpose,
    I think you are going down the wrong path.
    Look at the following URL on how to use an external LDAP server for your custom
    application:
    http://e-docs.bea.com/wls/docs70/secmanage/realm.html#1172008
    Chuck Nelson
    DRE
    BEA Technical Support

  • How do I use LDAP with iMQ 2.0?

    I am looking for an example to see how to use LDAP with iMQ 2.0.
    I was able to set up the config settings to access a local LDAP,
    but iMQ authentication still rejects valid logins.
    Let me know if I can find more info someplace.

    You can also find an example I put together in the Sun One knowledge base.
    If you go here:
    http://knowledgebase.iplanet.com/NASApp/ikb/index.jsp
    Search for article 7772
    Alternatively here is the direct link
    http://knowledgebase.iplanet.com/ikb/kb/articles/7772.html

  • Any issues with using LDAP on LINUX for GRC 5.2 UME?

    Our company is converting our LDAP servers from AIX to LINUX.  The DNS name used in our UME connection should not change.  Are there any issues with using LDAP on LINUX?  We are currently on GRC 5.2 SP9 (in the middle of upgrading to SP12).
    Also, I have been trying to connect our test UME system to a test LDAP box that has already been converted to LINUX but keep getting a 'connection failed' error when I try to test it. 
    Do you have to reboot the server to test changing the LDAP connections?  I've been trying it by going into UME, pulling up the LDAP tab, hitting the Modify button, entering the new userid and password for test LDAP, and hitting the Test Connection button.  I've verified that this userid and password is correct for test LDAP.
    Is there a way to get more information about why the connection failed?
    Thanks.

    I've been told by our LDAP Support group that none of the other configuration settings should have to be changed.  I should only have to change the id and password to connect to a test version of LDAP instead of our regular connection to the production LDAP.
    Can you test a connection for a different userid/password without having to reboot/restart the server?  Do I need to change these two settings, save them, reboot/restart, and then hit the Test Connection button?
    Thanks.

  • Custom Realm using LDAP?

    Hi,
    has anyone implemented a custom realm using LDAP? I was surprised to learn that
    ACLs are not supported in the LDAPRealm. Our corporate direction is to have a
    central LDAP security store - including ACLs. Unfortunately the LDAP server is
    MS SiteServer! Anyway, I assume this means I need to implement a custom realm
    - unless there is an alternative.
    -chris

    You are correct - you'll need to write a custom
    realm to do this.
    -Tom
    "Chris Jones" <[email protected]> wrote:
    > Hi,
    > has anyone implemented a custom realm using LDAP? I was surprised to learn that
    > ACLs are not supported in the LDAPRealm. Our corporate direction is to have a
    > central LDAP security store - including ACLs. Unfortunately the LDAP server is
    > MS SiteServer! Anyway, I assume this means I need to implement a custom realm
    > - unless there is an alternative.
    > -chris
